Until now, network security has acted mainly as a device to police the system, with only the power to announce that the intruder is in the building, but lacking the ability to respond dynamically to turf them out and repair any damage they may have done without manual intervention.
But how close are we to achieving the Nirvana of the self-healing network? Like any good vaccine, a proven solution must be able to eliminate the spread of disastrous security events impacting the business such as worms, viruses or DDoS attacks.
A self-healing system, one that keeps network services available while responding intelligently to events on the network and learning from them, has long been regarded in network design circles as a 'dream'.
From a hardware perspective, all components must provide the highest level of availability using multiple power supplies and dual switch fabrics so that no component can act as a single point of failure.
It is possible to improve network availability by using the logical controls embedded in switch and router firmware, which give a level of protection at layer two and layer three of the OSI model through next-generation spanning tree and virtual router redundancy protocols. However, this gives little, if any, protection from viruses, worms, malware or denial of service attacks.
In recent years, the use of intrusion detection/prevention technology has been one of the great leaps forward. Today it is possible to provide a solutions-based approach; integrating IDS/IPS with intelligent network infrastructure and powerful command and control applications truly enables a closed loop approach to security and networking. This holistic solution has been described as dynamic intrusion response (DIR).
DIR is based upon an architectural approach: the IDS detects an attack or suspicious traffic on the network and alerts the network management applications. In turn, the management applications search across the network and locate the source of the attack in seconds, whether the network has 10 devices or 10,000.
Automated action against the source of the security event to mitigate its impact on the network must be dynamic in order to ensure the quickest possible defence against a security breach. The response must also be granular and multifaceted.
For example, you may want to turn off the actual ethernet port, or, if this is too draconian, simply 'rate limit' the amount of bandwidth available to that port. Both actions can be time-stamped, that is, they apply only for, say, fifteen minutes, after which the port reverts to its previous status.
At the same time you may want to log a ticket with the helpdesk's trouble-ticketing system so that everyone is aware of what is happening and why. This means the network has the ability to detect, react and respond automatically without human intervention.
Many of today's viruses and worms are simply variants of old ones, so an IDS can pattern-match them against known signatures and block them immediately, stopping proliferation. This is key to network security, as you may not have the resources to turn off every affected port by hand.
The use of network behaviour anomaly detection (NBAD) technology in conjunction with IDS solutions provides complementary capabilities: NBAD flags traffic that deviates from a learned baseline, so it can catch attacks that have no signature yet and would not be identified by a traditional IDS, which helps to protect against zero-day attacks. If both technologies can be harnessed to communicate effectively with the network switches and routers, you can provide DIR capabilities.
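As an added illustration (not code from the article or from Enterasys), the toy Python below runs a signature matcher and a fan-out anomaly detector over constructed packets: the known worm is caught by its signature after only three connections, while the zero-day worm, which no signature matches, is caught only because it sweeps far more hosts than the learned baseline. The signature bytes, the baseline fan-out, the threshold factor and all packets are hypothetical.

```python
"""Added example (not code from the article): a toy illustration of why
signature-based IDS and network behaviour anomaly detection (NBAD) are
complementary. The signature, the fan-out baseline and all packets are
constructed/hypothetical; real IDS and NBAD engines are far more elaborate."""
from collections import defaultdict

# Constructed signature table: a byte pattern a classic IDS would match on.
SIGNATURES = {
    "KNOWN_WORM_A": b"\x90\x90\xcc\xebWORMA",
}


def signature_matches(payload: bytes) -> list:
    """Signature IDS: pattern-match the payload against known attack bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def nbad_fanout_anomalies(flows, baseline_fanout: int, factor: float = 5.0) -> dict:
    """NBAD: flag hosts whose distinct (dst, port) fan-out exceeds factor x baseline.
    baseline_fanout is assumed to have been learned during normal operation;
    a worm sweeping a subnet stands out even when its payload is unknown."""
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        fanout[src].add((dst, dport))
    return {src: len(d) for src, d in fanout.items() if len(d) > factor * baseline_fanout}


def detect(packets, baseline_fanout: int = 4) -> dict:
    """Run both detectors over captured packets; returns {src: [alerts]}."""
    alerts = {}
    for p in packets:
        for sig in signature_matches(p["payload"]):
            alerts.setdefault(p["src"], set()).add("signature:" + sig)
    flows = [(p["src"], p["dst"], p["dport"]) for p in packets]
    for src, n in nbad_fanout_anomalies(flows, baseline_fanout).items():
        alerts.setdefault(src, set()).add("anomaly:fanout=%d" % n)
    return {src: sorted(a) for src, a in alerts.items()}


def sample_packets() -> list:
    """Constructed traffic: one known worm, one zero-day worm, one normal host."""
    pkts = []
    # Known worm: only three targets so far, but its payload carries the signature.
    for i in range(3):
        pkts.append({"src": "10.0.0.5", "dst": "10.0.1.%d" % i, "dport": 445,
                     "payload": b"SMB" + SIGNATURES["KNOWN_WORM_A"]})
    # Zero-day worm: no signature exists, but it sweeps 40 hosts on one port.
    for i in range(40):
        pkts.append({"src": "10.0.0.9", "dst": "10.0.2.%d" % i, "dport": 445,
                     "payload": b"SMB\x00novel-exploit"})
    # Normal client: a handful of TLS connections to its usual servers.
    for i in range(3):
        pkts.append({"src": "10.0.0.7", "dst": "10.0.3.%d" % i, "dport": 443,
                     "payload": b"\x16\x03\x01"})
    return pkts


if __name__ == "__main__":
    for src, found in detect(sample_packets()).items():
        print(src, found)
```

Neither detector alone covers both cases: the signature engine cannot see the novel payload, and the anomaly engine cannot see a known worm that has only just started spreading. Feeding both into the same response path is what the DIR model relies on.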
Although the problem has been around for a few years, protective systems have only begun to appear over the last 12 months. To most people reading this, it may well sound as though this is the nirvana that they’ve been waiting for, but there is still a great deal of caution among network managers surrounding the myths of self-healing networks.
In the past, draconian steps taken automatically in response to false positives, where no action was needed, have created an air of 'the boy who cried wolf' around threats to the network.
Adjusting the granularity of the DIR response to the level of risk addresses this and allows resources to be allocated accordingly: logging the incident with the helpdesk, paging the support team to investigate, or shutting down the port where the intrusion originated.
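To make the graded, time-stamped response described above concrete, here is an added example (not the article's or Enterasys' code) of a toy DIR controller. It locates the offending port from a constructed MAC table, tiers the response on both severity and detection confidence so that a low-confidence alert can never shut a port, tickets every event, pages for anything actionable, rate-limits for medium risk, disables the port for high risk, and reverts timed actions after fifteen minutes. The MAC table, alert fields, tier thresholds and ticket/pager sinks are all assumptions; a real controller would query and reconfigure the switches over SNMP or their CLI.

```python
"""Added example (not code from the article or from Enterasys): a toy dynamic
intrusion response (DIR) controller showing graded, time-limited actions.
The switch/port table, alert format, tier thresholds and ticket/pager sinks
are hypothetical; the sample alerts are constructed."""
from dataclasses import dataclass, field

# Constructed snapshot of learned forwarding tables: MAC -> (switch, port).
# A real controller would look this up on the switches, e.g. over SNMP.
MAC_TABLE = {
    "00:11:22:33:44:55": ("edge-sw-01", "ge.1.12"),
    "00:11:22:33:44:66": ("edge-sw-07", "ge.2.3"),
}

REVERT_AFTER_S = 15 * 60   # timed actions revert automatically after 15 minutes


def tier(severity: str, confidence: float) -> str:
    """Map an alert to a response tier. Port shutdown needs BOTH high severity
    and high confidence, so a noisy, low-confidence signature cannot cut a user off."""
    if severity == "high" and confidence >= 0.9:
        return "high"
    if severity in ("high", "medium") and confidence >= 0.5:
        return "medium"
    return "low"


@dataclass
class DirController:
    disabled: dict = field(default_factory=dict)      # (switch, port) -> revert-at (epoch s)
    rate_limited: dict = field(default_factory=dict)  # (switch, port) -> revert-at (epoch s)
    tickets: list = field(default_factory=list)
    pages: list = field(default_factory=list)

    def respond(self, alert: dict, now: float) -> list:
        """Locate the offending port and apply the tier's actions; returns actions taken."""
        port = MAC_TABLE.get(alert["mac"])
        t = tier(alert["severity"], alert["confidence"])
        # Every event is ticketed so the helpdesk knows what happened and why.
        self.tickets.append({"mac": alert["mac"], "port": port, "tier": t,
                             "reason": alert["reason"], "at": now})
        actions = ["ticket"]
        if port is None or t == "low":
            return actions            # cannot locate, or not worth the disruption
        self.pages.append({"port": port, "tier": t, "at": now})
        actions.append("page")
        if t == "medium":
            self.rate_limited[port] = now + REVERT_AFTER_S   # throttle, don't isolate
            actions.append("rate_limit")
        else:
            self.disabled[port] = now + REVERT_AFTER_S       # isolate the source
            actions.append("disable_port")
        return actions

    def expire(self, now: float) -> list:
        """Revert timed actions whose window has passed; returns the ports restored."""
        restored = []
        for table in (self.disabled, self.rate_limited):
            for port, until in list(table.items()):
                if now >= until:
                    del table[port]
                    restored.append(port)
        return restored


def demo():
    """Constructed alerts: a confident worm hit, a tentative anomaly, a trivial event."""
    ctl = DirController()
    t0 = 1_700_000_000.0
    a = ctl.respond({"mac": "00:11:22:33:44:55", "severity": "high",
                     "confidence": 0.97, "reason": "worm signature"}, t0)
    b = ctl.respond({"mac": "00:11:22:33:44:66", "severity": "high",
                     "confidence": 0.6, "reason": "anomalous fan-out"}, t0)
    c = ctl.respond({"mac": "00:11:22:33:44:66", "severity": "low",
                     "confidence": 0.99, "reason": "policy violation"}, t0)
    early = ctl.expire(t0 + 60)                 # nothing has expired yet
    late = ctl.expire(t0 + REVERT_AFTER_S)      # both timed actions revert
    return a, b, c, early, late, ctl


if __name__ == "__main__":
    a, b, c, early, late, ctl = demo()
    print("actions:", a, b, c)
    print("restored early:", early, "restored at 15 min:", late)
```

The point of the two-axis tier is the 'cried wolf' problem: the most disruptive action is reserved for alerts that are both serious and unlikely to be false positives, and even then it is bounded in time, so a mistake costs fifteen minutes of one port rather than an open-ended outage.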
The net result has been that the business value of dynamic intrusion response solutions is overlooked and often ignored.
It means that IT decision makers are not taking advantage of the capabilities available today to minimise the time to isolate a threat, and to eliminate or defuse its effect on the infrastructure automatically without requiring the intervention of expensive IT resources.
The self-healing network is here, it can detect, it can react and respond, all without human intervention, but what is needed is for network managers to do the same.
Mark Pearce is product manager at Enterasys Networks.