A Traffic Cop For Your Network

In the movie Men In Black, appearances often prove deceiving. Sometimes the most normal and innocent looking individuals turn out to be dangerous attackers.

Likewise, in any enterprise, it isn’t always easy to spot the ‘bad guys’. The person sitting directly across from you could pose a serious threat to the company, even without meaning to. It could be simply someone who is curious about the salaries of the organization’s top executives, a curiosity that compels him or her to try to gain access to the corporate financial systems.

CIOs have the daunting responsibility of planning against every type of digital attack, whether its origin is from a malicious entity outside the organization or from Pat in accounting. This challenge is compounded by the fact that many CIOs are so focused on how technology is helping run business operations that they are not aware of chinks in their network access-control armor.

While ensuring that employees have access to the critical information that enables them to do their jobs, are CIOs inadvertently allowing them to access information not meant for their eyes? That’s a difficult question to answer. Each day, an organization can log thousands of transactions – a recording of every single transaction that takes place between the company and its constituents and the resources within its network. For IT to track each transaction to determine if it is malicious or legitimate would slow network traffic to a crawl and impact productivity.

A prudent way for CIOs to monitor risks is for them to intimately understand the nature of traffic that typically flows through their networks on a day-to-day basis and create a profile or baseline of good traffic.

By monitoring traffic against this profile and taking an anomaly-based approach to flag abnormal traffic, a CIO can lower the risk of anything “out of the ordinary” going undetected on the network – e.g. Tony in Shipping and Receiving attempting to gain access to the Research and Development database.

A CIO has a few conventional signature-based options to help protect the network from malicious attacks. These include:

1. Setting limits on the amount of traffic that can pass through a network’s routers. While this throttling back of traffic can mitigate malicious attacks, it significantly slows down the network, and therefore productivity. And worse, because it can’t tell good traffic from bad, it runs the risk of blocking out legitimate requests. If you run an online retail site and it’s the day after Thanksgiving, traditionally one of the busiest shopping days of the year, you don’t want to lock anybody out of your online store or even make them wait too long in line.

2. Setting generic parameters using filters from your router. Because routers were designed to route traffic their access control lists are not very effective as filters.

By using an inappropriate method to enforce security policies, the CIO may get neither an acceptable measure of security nor the most bang for the IT buck. In the first case above, given lower network speeds, the company will need to pay for additional bandwidth, and in the second case, overtaxing router devices may create the need for spending on additional devices.

At the end of the day, the CIO’s task is to allow traffic to pass quickly and safely through a network, maximizing productivity and minimizing risks to crucial infrastructure. In an era of tighter budgets for resources, it is as impractical to thoroughly examine every transaction as it is to download every security patch to stop the latest version of the Melissa worm.

Anomaly-based detection allows normal traffic to pass through to its intended destination and, through profiling what normal traffic looks like, helps the CIO and his staff to stop alien attacks at both the internal and external gates.

Jim Melvin is CEO of Mazu Networks, Inc, a company that supplies network traffic security products to commercial and government organizations to achieve greater enterprise service availability and information protection. Mazu’s Web address is http://www.mazunetworks.com.