Contain Unauthorized Systems
ESP Case study: Contain Unauthorized Systems
A key problem facing network and security administrators is the threat posed by the introduction of unauthorized computers into their networks. Such hosts may carry worms and viruses that the organization's countermeasures do not cover, and they can leave critical networked assets exposed to intrusion or attack.
Nearly all enterprise computing assets are now connected within very few degrees of separation to public wide area networks, and the proliferation of wireless-capable networking devices compounds the problem. This distributed perimeter, combined with the continuing challenge of keeping employees and guests from bringing unauthorized devices onto the network, has made identifying rogue machines and protecting business-critical computing assets a top security priority.
The Elemental Security Platform identifies and contains unauthorized machines through passive detection and adaptive host-level access controls. Security managers express policy that governs network communications and contains or quarantines machines that are either unknown or non-compliant with the organization's computer security policies.
Discovering and Profiling New Hosts
The Elemental Security Platform is an agent-server security software system that provides a policy-based solution for managing host-level security. In addition to configuration management policies, the Elemental agent provides a policy-based packet filter. This supports multi-layer security policies that govern the security of the host and its resident applications and also grant or deny access to other hosts on the network, so that host hardening and network access control are managed under one policy model.
In addition, the Elemental agent passively listens for new hosts appearing on the network. Agents monitor all broadcast traffic and any network connections involving machines not running the agent, so new computers are discovered quickly. Agents also perform discovery operations such as passive fingerprinting and signature matching on observed network activity to profile the configuration and networked application activity of new hosts. With agents deployed across the network, the Elemental system forms a distributed “passive sonar” net that sees a host as soon as it begins communicating on a segment where an agent is listening.
Every Elemental agent is assigned a unique identifier, which removes the traditional complexity of managing security around IP addresses in dynamic computing environments. The server knows the current IP address of each managed host, as well as every IP address the host has used on any of its network interfaces over time. A machine not running the agent is identified when an agent observes a MAC and IP address pairing that has not been seen before. All discovery activity is reported to the Elemental server, which then updates the agent population about the presence and security posture of discovered hosts.
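The discovery logic described above, worked through as an added example (this is illustrative code written for this page, not Elemental's own implementation): agents report the source MAC/IP pairs they observe, the server-side inventory keys managed hosts by their enrollment identifier rather than by address, and a MAC it has never seen is recorded as an unmanaged host. The enrollment table, the event names and the sample observations are constructed assumptions for the example.

```python
"""Passive discovery: turn agent-reported MAC/IP sightings into a host inventory."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Observation:
    """One sighting reported by an agent: the source MAC/IP pair it saw in a
    broadcast frame or in a connection with a peer that is not running an agent."""
    ts: int          # epoch seconds
    reporter: str    # id of the agent that saw the traffic
    mac: str
    ip: str


@dataclass
class HostRecord:
    host_id: str                 # agent id for managed hosts, "unmanaged:<mac>" otherwise
    managed: bool
    first_seen: Optional[int] = None
    last_seen: Optional[int] = None
    ip_history: Dict[str, Set[str]] = field(default_factory=dict)  # mac -> every IP seen on it
    current_ip: Dict[str, str] = field(default_factory=dict)       # mac -> most recent IP


class Inventory:
    """Server-side view built from agent observations (assumed data model)."""

    def __init__(self, enrolled: Dict[str, Set[str]]):
        # enrolled: agent_id -> MACs of that agent's interfaces, learned at enrollment.
        # Identity is the agent id; addresses are attributes that change over time.
        self.hosts: Dict[str, HostRecord] = {}
        self.mac_index: Dict[str, str] = {}
        for agent_id, macs in enrolled.items():
            rec = HostRecord(agent_id, managed=True)
            for mac in macs:
                mac = mac.lower()
                rec.ip_history[mac] = set()
                self.mac_index[mac] = agent_id
            self.hosts[agent_id] = rec

    def observe(self, obs: Observation) -> Optional[str]:
        """Fold one sighting into the inventory.

        Returns "new_host" for a MAC never seen before, "new_address" when a
        known host shows up with an IP it has not used on that interface, and
        None when the MAC/IP pairing was already known."""
        mac = obs.mac.lower()          # normalise so case differences do not create phantom hosts
        event = None
        host_id = self.mac_index.get(mac)
        if host_id is None:
            host_id = f"unmanaged:{mac}"
            self.hosts[host_id] = HostRecord(host_id, managed=False, ip_history={mac: set()})
            self.mac_index[mac] = host_id
            event = "new_host"
        rec = self.hosts[host_id]
        if rec.first_seen is None:
            rec.first_seen = obs.ts
        rec.last_seen = obs.ts if rec.last_seen is None else max(rec.last_seen, obs.ts)
        if obs.ip not in rec.ip_history[mac]:
            rec.ip_history[mac].add(obs.ip)
            if event is None:
                event = "new_address"
        rec.current_ip[mac] = obs.ip
        return event

    def unmanaged(self) -> List[str]:
        """Hosts with no agent, i.e. candidates for a 'Newly Discovered Hosts' group."""
        return sorted(h for h, r in self.hosts.items() if not r.managed)

    def ips_used(self, host_id: str) -> Set[str]:
        """Every IP this host has used on any interface, over time."""
        return set().union(*self.hosts[host_id].ip_history.values())


# Constructed sample: two enrolled agents; an agentless host appears, then
# changes address after a DHCP lease change.
SAMPLE = [
    Observation(100, "agent-01", "00:11:22:33:44:55", "10.0.0.5"),
    Observation(105, "agent-01", "66:77:88:99:aa:bb", "10.0.0.77"),
    Observation(110, "agent-02", "66:77:88:99:AA:BB", "10.0.0.77"),   # same host, seen by another agent
    Observation(3700, "agent-01", "66:77:88:99:aa:bb", "10.0.0.78"),  # new lease, same MAC
    Observation(3800, "agent-02", "00:11:22:33:44:55", "10.0.0.5"),
]


def run_sample():
    inv = Inventory({"agent-01": {"00:11:22:33:44:55"}, "agent-02": {"00:11:22:33:44:66"}})
    events = [inv.observe(o) for o in SAMPLE]
    return inv, events


if __name__ == "__main__":
    inv, events = run_sample()
    print(events)
    for host_id in inv.unmanaged():
        print(host_id, "first seen", inv.hosts[host_id].first_seen, "ips", sorted(inv.ips_used(host_id)))
```

Two caveats a practitioner would keep in mind: this heuristic identifies a host by its MAC address, which the owner of a rogue machine can set freely, so a device cloning the MAC and IP of a known host is not flagged by the pairing check alone; and passive discovery only sees hosts that generate traffic visible to some agent, so a silent device, or one on a segment with no agent, is not discovered until it talks.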
The Elemental Security Platform's dynamic grouping capability is key to identifying and containing unauthorized hosts. All hosts, managed and unmanaged, are assigned attributes based on their observed configuration and networking activity. Using these attributes, the server continuously computes and updates host groupings. By matching hosts against criteria such as “when first discovered,” “geographic location,” “not running an agent,” “wireless capable,” or “not compliant with AV policy,” the server assigns hosts to groups that give administrators both a security posture and a business context for the hosts on their networks. The Elemental system also tracks which users are logged into each computer, so hosts can likewise be grouped dynamically by their current usage.
The Elemental Security Platform supports policies that limit or prevent communication between host groups. Rather than specifying these policies in terms of IP addresses, ports and protocols, the Elemental system takes host groups and applications as the arguments of a network access policy. For managed hosts, a policy may say, for example, “‘HR Windows Desktops’ cannot connect to ‘PeopleSoft ERP Servers’,” or “Only ‘Engineering Workstations’ may connect to ‘Test and Production Servers’.” These policies are implemented on all managed machines, and the Elemental agent limits inbound and outbound traffic accordingly.
Policies can also refer to unmanaged hosts. To contain new machines, a policy such as “Deny all traffic from ‘Newly Discovered Hosts’” can be applied to specified groups of managed hosts, for example critical file or application server groups, to protect them from rogue hosts. A more restrictive quarantine applies the same kind of rule to managed infrastructure such as DHCP, DNS, and domain authentication servers, so that a new host cannot obtain an address, resolve names or authenticate, and therefore cannot function effectively on the network.
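How group-based policies become per-host filter rules, as an added example covering the grouping, group-to-group policy and quarantine paragraphs above (illustrative code written for this page, not Elemental's own engine; the group names, attributes, policy model and sample hosts are constructed assumptions). Groups are predicates over observed attributes, a policy names a source group and a destination group, and compilation expands each policy into inbound rules on the managed destination members and outbound rules on the managed source members, using the members' current addresses. Recompiling after a discovered host enrolls an agent shows the membership-driven update that the next section describes.

```python
"""Compile group-level network access policies into per-host filter rules."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

DAY = 24 * 3600


@dataclass(frozen=True)
class Host:
    host_id: str
    ip: str
    managed: bool
    first_seen: int
    role: str = ""             # assumed attribute, e.g. "file-server", "dhcp", "workstation"
    av_compliant: bool = True  # assumed attribute from the AV configuration policy


# A group is a predicate over a host's attributes at time `now`; membership is
# recomputed whenever attributes change, so groups track the network as it moves.
GroupDef = Callable[[Host, int], bool]

GROUPS: Dict[str, GroupDef] = {
    "Newly Discovered Hosts": lambda h, now: not h.managed and now - h.first_seen < DAY,
    "Unmanaged Hosts": lambda h, now: not h.managed,
    "AV Non-Compliant": lambda h, now: h.managed and not h.av_compliant,
    "File Servers": lambda h, now: h.role == "file-server",
    "Infrastructure Servers": lambda h, now: h.role in {"dhcp", "dns", "domain-controller"},
}


@dataclass(frozen=True)
class Policy:
    action: str        # "deny" or "allow"
    src_group: str
    dst_group: str
    app: str = "any"   # application or service the rule applies to; "any" covers all traffic


Rule = Tuple[str, str, str, str]   # (direction, action, peer_ip, app)


def compute_groups(hosts: List[Host], now: int) -> Dict[str, Set[str]]:
    return {name: {h.host_id for h in hosts if pred(h, now)} for name, pred in GROUPS.items()}


def compile_rules(hosts: List[Host], policies: List[Policy], now: int) -> Dict[str, List[Rule]]:
    """Expand policies to concrete rules for every managed host.

    A policy src -> dst is enforced on the inbound side of each managed dst
    member and on the outbound side of each managed src member. Unmanaged
    hosts get no rules (nothing runs there), but their addresses appear as
    peers in the rules of the managed hosts that must shun them."""
    by_id = {h.host_id: h for h in hosts}
    groups = compute_groups(hosts, now)
    rules: Dict[str, List[Rule]] = {h.host_id: [] for h in hosts if h.managed}
    for p in policies:
        srcs = groups.get(p.src_group, set())
        dsts = groups.get(p.dst_group, set())
        for d in dsts:
            if by_id[d].managed:
                rules[d] += [("in", p.action, by_id[s].ip, p.app) for s in srcs if s != d]
        for s in srcs:
            if by_id[s].managed:
                rules[s] += [("out", p.action, by_id[d].ip, p.app) for d in dsts if d != s]
    return {k: sorted(v) for k, v in rules.items()}   # deterministic order for diffing


# Constructed sample environment.
NOW = 1_700_000_000
SAMPLE_HOSTS = [
    Host("fs-01", "10.0.1.10", managed=True, first_seen=NOW - 90 * DAY, role="file-server"),
    Host("dc-01", "10.0.1.20", managed=True, first_seen=NOW - 90 * DAY, role="domain-controller"),
    Host("eng-ws-07", "10.0.2.15", managed=True, first_seen=NOW - 30 * DAY, role="workstation",
         av_compliant=False),
    Host("unmanaged:66:77:88:99:aa:bb", "10.0.0.78", managed=False, first_seen=NOW - 600),
    Host("unmanaged:de:ad:be:ef:00:01", "10.0.0.40", managed=False, first_seen=NOW - 5 * DAY),
]
POLICIES = [
    Policy("deny", "Newly Discovered Hosts", "File Servers"),            # protect critical servers
    Policy("deny", "Newly Discovered Hosts", "Infrastructure Servers"),  # quarantine: no DHCP/DNS/auth
    Policy("deny", "AV Non-Compliant", "File Servers", app="smb"),       # posture-based restriction
]


def enroll(hosts: List[Host], old_id: str, new_id: str, role: str) -> List[Host]:
    """Simulate installing the agent on a discovered host: it becomes managed and keeps its IP."""
    return [Host(new_id, h.ip, True, h.first_seen, role) if h.host_id == old_id else h for h in hosts]


if __name__ == "__main__":
    before = compile_rules(SAMPLE_HOSTS, POLICIES, NOW)
    after = compile_rules(enroll(SAMPLE_HOSTS, "unmanaged:66:77:88:99:aa:bb", "eng-ws-08", "workstation"),
                          POLICIES, NOW)
    for host_id in before:
        print(host_id, "before:", before[host_id], "after:", after.get(host_id))
```

Note that the five-day-old unmanaged printer is in "Unmanaged Hosts" but not in "Newly Discovered Hosts", so it is untouched by the containment policies; a site that wants to shun every agentless device would write the policy against "Unmanaged Hosts" instead. Because groups are recomputed from attributes, the only change needed when a host enrolls or falls out of compliance is to re-run the compilation; no administrator edits an address list.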
How does Adaptive Micro-Segmentation differ from Network Admission Control?
The key differences in the Elemental approach are:
- Discovery and grouping of hosts and workloads are continuous and adapt to change.
- Access control policies are enforced at the host or workload level, not on network infrastructure devices like routers or switches.
Because the Elemental solution is continuous, host-level access controls adapt to changes on the network. Consider a group whose network activity is limited by policy: as the group's membership changes, all managed hosts are updated and the agents adjust their traffic controls accordingly. And because policies are enforced at the host, critical resources remain protected even after a machine has gained access to the network.
The Elemental Security Platform lets security and IT administrators keep up with the ongoing changes that are a normal part of the evolution and use of IP networks. Because discovery, profiling and containment run continuously, anomalous activity can be identified and stopped. The flexible network access policy framework allows administrators to contain unauthorized hosts without disrupting key networking services or the normal ebb and flow of managing assets in dynamic computing environments.