Crime Branch Advisory
The Nigerian Scam
Security and Application Networks
Would your organization benefit from
application security and the Application Network?
Consider your answer to the following
hypothetical question from a line of business or the CIO:
"Our business demands that we
use [insert any application here]; can we allow our [remote or internal]
users access to it?"
"No, those users aren't trusted."
"No, traffic is not encrypted." "No, we can't extend
a VPN because of security." "No, we don't want to put
that database server in the DMZ." "No, we can't route
the traffic because of NAT and private IP addresses." "No,
we'd have to open non-standard ports and we can't do that."
"No, that application is not webified." "No, our
firewall can't handle dynamic port requests." "No, we
don't allow any direct touch between networks." "No…"
If any of these answers sound familiar,
then application security and the Application Network can help.
The Access and security trade-off
Today, extending access to applications
for the users who need them is no longer a "nice to have"
- but a key determinant of who will win and who will lose. Legacy
applications and databases, for example, contain invaluable customer
information and provide a great resource for partners and other
trusted third parties; email and other messaging applications are
indispensable for seemingly instantaneous communication; and 'emerging'
applications, such as audio and video conferencing, are now the
critical enabler of 'real-time business,' resulting in huge gains
in both productivity and profitability. Facilitating the rollout
and accessibility of these applications, IP networks - both private
and public, wired and wireless - make access to applications possible
for any user from any corner of the globe. Why, then, are CIOs constantly
refereeing a tug-of-war between the lines of business who want to
realize the value of their applications by extending them to the
users who need them and the network administrators who want to insulate
their network from attack by increasingly limiting access for untrusted
What is driving this zero sum game
where any access gained by the business results in a corresponding
decrease in network security? The answer lies in the use of network
security to deploy applications. That is, network security, which
by its design disrupts and limits connectivity between networks,
is also used to enable connectivity. These products - while critical
for protecting the physical network - were not intended to protect
and extend applications and consequently using them to deploy applications
inevitably results in the access and security trade off.
The solution, however, is not to
increase the IT budget to buy more point solutions or deploy an
army of network administrators to provide the highly-oxymoronic
'brute force flexibility,' but to deploy a new conceptual network
called the Application Network. The Application Network is a logical
network that overlays the physical IP network and leverages its
communications infrastructure while not undermining its physical
security. The Application Network also underlies the applications
that need the physical network for connectivity, providing robust
and extensible application-layer security. When deployed, the Application
Networks allow enterprises to use the applications their businesses
require and securely extend those to the users who need them - while
taking advantage of, not compromising, the network security infrastructure.
A Little History
Thirty years have passed since the
U.S. Defense Advanced Research Projects Agency (DARPA) initiated
the project to determine a method of linking together many disparate
packet networks to enable cross-network communication. According
to history, the initiative was referred to as the Internetworking
project and the resulting mesh of linked packet networks was called
the Internet. The Internet at that time was an aggregation of packet
networks funded and hosted by government and educational enterprises
throughout the United States. Enabling this inter-communication
was the development of the Internet Protocol (IP), which defined
how data packets are routed across the various networks. Until the
1980's the Internet was a combination of public networks that allowed
primarily academic and government to communicate freely and openly.
Applications utilizing the TCP/IP protocol suite could be extended
to users with routable IP addresses, a requirement of the early
Internet. Soon, however, and by design, the Internet and its obvious
business benefits began to get the attention of commercial enterprises
as well as foreign governments and soon these organizations began
to adhere to the IP protocol and connect their local networks to
this public communications infrastructure. Now, users were diverse,
unknown and not necessarily trusted while the information accessible
was no longer academic, but sensitive business and governmental
intelligence. Network security was born.
Purpose of Network Security
Necessity certainly bred invention
with the advent of network security. At a very high level, organizations
needed to protect their physical networks from this 'untrusted'
Internet and were eager to find solutions that allowed them limited
access to the public networks while insulating their networks from
potential attack and information theft. Answering this demand, firewalls
were developed to protect the physical network. Firewalls, often
utilizing Network Address Translation (NAT) for non-routable addresses
that are hidden from the outside,were designed to limit network
access by breaking the two fundamental rules of IP routing - that
is that all network nodes must know of other nodes and all addresses
of devices must be known. From the outset, the purpose of basic
network security was to protect the physical network from attack
by limiting connectivity between the two networks.
Emergence of the Security
and Access Trade Off
The unfortunate downside of physical
security that limits connectivity for untrusted users is that it
also limits connectivity for trusted users. To provide access for
trusted users,network administrators were forced to start 'fixing'
the networking rules broken by the physical security as required
by the users and the access they required. Opening holes in the
perimeter security, however, to allow ingress and egress is exactly
that: opening holes. Network administrators quickly realized that
the amount of access granted to users was inversely proportional
to the security of their network. A seemingly zero sum game, this
network security and application access trade off is now a common
dilemma within organizations large and small, domestic and international.