The Importance of a Self-Defending Network
By Giovanni Prinetti, Solutions Marketing Manager
Network security is a leading concern for every business owner, CIO and network administrator. Considering its importance, it is surprising that most enterprise security models still rely so heavily on manual intervention when things go wrong.
It is widely accepted that the weakest link in network security is the human user, usually through inadvertent bad practice. Attackers use social engineering techniques to take advantage of this, defeating even the most secure networks by tricking users into disclosing sensitive information. In 2017, the University of Illinois ran a "baiting" experiment where USB drives were left near building entrances. Forty-five percent of those USB drives were inserted into network-connected devices.
In addition, security can be compromised through the unmanaged devices connected to a network, such as IoT sensors, printers or machine-programmable controllers, which can be used as "Trojan horses" because they cannot host a local threat-protection agent.
Protecting the Edge
The conventional way to protect from threats is to use a firewall to inspect all traffic to and from the Internet. This common design focuses on protection from the Internet, leaving the network vulnerable to attacks from within the network itself.
A more secure approach is to force all traffic, including traffic between internal devices, to pass through the firewall. This solution requires a very powerful and expensive firewall and adds communication delays, which are often simply unacceptable.
Another approach, widely used in Industrial Ethernet networks, is to split the network into subnetworks and place a firewall between the subnetworks and the core network. This approach limits threat spreading within the local subnetwork.
Regardless of the architecture, a firewall cannot control the device that is causing the problem and cannot stop user terminals from spreading threats. All it can do is alert the administrator to investigate and act manually, which takes time and resources; during that time the threat can spread and sensitive information can be lost. An infected network device should be isolated from the network immediately, without waiting for the required human reaction time.
Enter Self-Defending Networks
Ideally, a network would defend itself based on the threat detected and the device that caused the problem. The action taken would be immediate, and the device responsible would be automatically isolated from the network. Whether the device is connected by wire or wirelessly, the protection and the response should be the same.
The major benefit of the Self-Defending Network is immediate and accurate threat response, without any manual intervention. Actions are configurable depending on the firewall event, so that inadvertent visits to questionable webpages can be distinguished from malicious attempts to steal data.
Suspect devices can be isolated or moved to a quarantine area to await remediation, ensuring there are no weaknesses anywhere on your network, and without the need for end-point agents or applications.
The Self-Defending Network also monitors and protects traffic moving within a corporate network without adding latency: the security appliance inspects a mirrored copy of the traffic rather than sitting in the forwarding path, so no delay is introduced.
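The response logic described above (a firewall event identifies the offending device, a per-event policy chooses the action, and the device is isolated the same way whether wired or wireless) can be sketched as a small policy engine. This is an added illustration, not code from the article or any vendor; the event categories, log field names, inventory and action names are assumptions.

```python
# Added illustration, not the article's or any vendor's code: a minimal
# response policy that turns firewall events into an isolation action on
# the switch port or wireless client the offending device is attached to.
# Event categories, field names and action names are assumptions.
from dataclasses import dataclass

# Assumed event categories -> response. A visit to a blocked site warrants
# a warning only; malware or data-theft signs call for immediate isolation.
POLICY = {"web-filter": "alert", "malware": "quarantine", "exfil": "isolate"}

@dataclass
class Endpoint:
    mac: str
    access: str    # "wired" or "wireless"
    location: str  # switch port or access point the device is attached to

def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value' firewall log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def decide(event: dict, inventory: dict) -> tuple:
    """Return (action, mac, location) for one firewall event."""
    response = POLICY.get(event["cat"], "alert")
    ep = inventory.get(event["mac"])
    if ep is None:
        # Unknown device: nothing to act on, so escalate to an operator.
        return ("alert", event["mac"], None)
    if response == "alert":
        return ("alert", ep.mac, ep.location)
    if response == "quarantine":
        # Same result wired or wireless: move to the remediation VLAN.
        return ("move-to-quarantine-vlan", ep.mac, ep.location)
    # Full isolation: shut the wired port or deauthenticate the client.
    action = "disable-port" if ep.access == "wired" else "deauth-client"
    return (action, ep.mac, ep.location)

def respond(log_lines, inventory):
    return [decide(parse_event(l), inventory) for l in log_lines]

# Constructed inventory (as learned from the switch/WLAN controller) and
# constructed firewall log lines.
INVENTORY = {
    "aa:bb:cc:00:00:01": Endpoint("aa:bb:cc:00:00:01", "wired", "sw1/Gi1/0/7"),
    "aa:bb:cc:00:00:02": Endpoint("aa:bb:cc:00:00:02", "wireless", "ap3/corp"),
}
SAMPLE_LOG = [
    "cat=web-filter src=10.0.1.7 mac=aa:bb:cc:00:00:01 url=blocked.example",
    "cat=exfil src=10.0.1.8 mac=aa:bb:cc:00:00:02 dst=203.0.113.9 bytes=5000000",
    "cat=malware src=10.0.1.9 mac=aa:bb:cc:00:00:03",
]
```

Calling `respond(SAMPLE_LOG, INVENTORY)` yields one action per event; the unknown MAC in the last line falls back to an operator alert because there is no port or client to act on.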