What is layered security and what is the best approach?

These questions, and more about layered security, are discussed by Rudie Egberink, Thomas Calf, Bert Janssen and Tim de Gier of Contec B.V. in a roundtable discussion:


There are no longer any clearly defined boundaries in the IT landscape. The company network is connected to the large, open internet. People no longer work only with applications that the company itself bought and installed on its own servers in a data center, but also with web applications from various providers in the cloud. Work no longer takes place only on a desktop computer that is directly connected to the company's own data center, but on all kinds of mobile devices that are wirelessly connected to the company network. This calls for layered security, according to a roundtable discussion at IT distributor Contec.


As a result of these developments, the traffic inside a company network has become far broader and the traffic from outside reaches far deeper into it. Securing the network therefore requires a series of solutions that together cover all traffic flows, devices, applications and users. That is called layered security, and none of the individual solutions in it can achieve 100% security on its own. That is why layered security is often compared with a stack of slices of Swiss cheese: every slice has holes, but the holes in one slice are covered by the slices above and below it, so nobody can see through the whole stack from above. "In a layered security, different components detect at the same time whether there are risks," says Tim de Gier, security consultant at Contec. "If one of the security solutions has missed something, the other will find it."


In other words, if cyber criminals get through the holes in one layer, layered security prevents them from moving freely through the IT network and doing damage.


Thomas Calf, Bert Janssen, Rudie Egberink and Tim de Gier, Contec BV


What role does Hillstone Networks play in layered security?


Cyber criminals work in a very sophisticated way. They use targeted, persistent, hidden and phased attacks that easily escape the notice of traditional security measures. Therefore, Hillstone's intelligent next generation firewalls (iNGFW) look beyond the traffic flows at the network entrance alone. "It is very important to see as many traffic flows as possible," says Bert Janssen, security consultant at Contec. "Not only at the edges of the network, but also in the different zones within your network. Hillstone makes that possible. It is not only a matter of opening gates, but also of analyzing traffic behavior. So, are there suddenly many more connections from a certain application to a server? Or are many more connections being established than in the standard processes? Another example may be that a user normally opens a few documents per hour and suddenly thousands are opened in a minute. Something like that is very detectable with Hillstone."
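To make the behavioral checks Janssen describes concrete, here is a small baseline-versus-window rate check run over a constructed event log. It is an added example written for this article, not Hillstone code or any product's detection logic: the log format, the one-minute window, the 10x factor and the minimum count are all assumptions, and the events are fabricated. The same check covers both of his examples, connections from an application to a server and documents opened by a user, because both are just counts per entity per time window.

```python
"""Rate-spike detection over a constructed event log (added example, not
Hillstone's logic). Entities are strings such as "conn:crm-app->db01"
(application-to-server connections) or "docs:jdoe" (documents opened by
a user); the window size, factor and minimum count are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=1)  # assumption: one-minute buckets
FACTOR = 10.0                  # assumption: flag a window at 10x the baseline
MIN_COUNT = 50                 # assumption: ignore spikes that are tiny in absolute terms


def bucket_counts(events, window=WINDOW):
    """events: iterable of (datetime, entity). Returns {entity: [count per
    consecutive window]} covering the span from the first to the last event."""
    events = sorted(events)
    if not events:
        return {}
    start, end = events[0][0], events[-1][0]
    n_windows = int((end - start) // window) + 1
    counts = defaultdict(lambda: [0] * n_windows)
    for ts, entity in events:
        counts[entity][int((ts - start) // window)] += 1
    return dict(counts)


def find_spikes(counts, factor=FACTOR, min_count=MIN_COUNT):
    """Flag windows whose count exceeds both min_count and factor times the
    median of all earlier windows for that entity. Returns a list of
    (entity, window_index, count, baseline)."""
    spikes = []
    for entity, series in counts.items():
        for i in range(1, len(series)):
            baseline = median(series[:i])
            if series[i] >= min_count and series[i] > factor * max(baseline, 1):
                spikes.append((entity, i, series[i], baseline))
    return spikes


def build_sample_events():
    """Constructed log, not captured traffic: for ten minutes 'crm-app' opens
    5 connections/minute to db01 and user 'jdoe' opens 3 documents/minute;
    in minute 10 those jump to 400 connections and 1500 documents. 'web-app'
    steadily opens 20 connections/minute and must not be flagged."""
    t0 = datetime(2018, 1, 15, 9, 0)
    events = []
    for minute in range(11):
        conns = 5 if minute < 10 else 400
        docs = 3 if minute < 10 else 1500
        for k in range(conns):
            events.append((t0 + timedelta(minutes=minute, seconds=k % 60), "conn:crm-app->db01"))
        for k in range(docs):
            events.append((t0 + timedelta(minutes=minute, seconds=k % 60), "docs:jdoe"))
        for k in range(20):
            events.append((t0 + timedelta(minutes=minute, seconds=k), "conn:web-app->db01"))
    return events


def detect_sample_spikes():
    """Run the check over the constructed log; returns the flagged windows."""
    return find_spikes(bucket_counts(build_sample_events()))


if __name__ == "__main__":
    for entity, idx, count, baseline in detect_sample_spikes():
        print(f"{entity}: window {idx} had {count} events, baseline {baseline}")
```

The median of earlier windows is used as the baseline rather than the mean so that one earlier burst does not raise the bar for everything after it; the absolute minimum keeps a jump from 1 to 12 events from being reported as a tenfold spike.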


In addition, Hillstone uses the threat intelligence that the company gathers from all the devices it has deployed worldwide. This allows the iNGFWs to recognize unknown malware, conduct behavioral analyses to recognize deviant network use and establish links between threats. "The firewalls can optionally exchange data with Hillstone," says Janssen. "If the firewall detects suspicious patterns, it can also report them automatically to the supplier."


Hillstone also provides layered security by combining various security functions such as Antivirus (AV), Intrusion Prevention System (IPS), Advanced Threat Detection (ATD), Abnormal Behavior Detection (ABD) and Reputation Detection (RPD). This enables Hillstone's iNGFWs to detect and stop even the most advanced and rapidly changing malware variants. "Hillstone fits very well in a segmented network, in which the firewall itself is the central point," says De Gier. "That is because the device has a very high throughput at relatively low cost. As a result, you are able to separate each network segment, apply restrictions to each segment and carry out analyses. This can be done for forensic purposes as well as for detection and prevention."


According to Thomas Calf, account manager at Contec, this means that intelligent security measures are required that continuously monitor and check users and applications. "The firewall is constantly looking at what a user is doing within the network. That intelligent piece really makes Hillstone an enrichment."


"I believe that this is also the essence of security," says De Gier. "You want to be able to see what has happened on the network and keep a grip on it. This is also important in relation to privacy legislation such as the obligation to report data leaks and the upcoming GDPR. For this it must be demonstrable which data has been stolen or leaked. It is precisely that kind of information that can be traced with Hillstone's forensic data."


How does Hillstone deal with virtual environments?


Many companies no longer have their own data centers; they use the data centers of cloud providers. Those contain many physical servers, each divided into several virtual servers. This requires solutions that secure the traffic between the virtual machines. Hillstone achieves this through micro-segmentation with CloudHive, says Janssen: "Micro-segmentation means that you secure every virtual machine with its own virtual firewall. That firewall also provides insight into the whole environment. In a dashboard you see the servers and all connections between those servers. CloudHive even learns from what happens within that environment and, based on the knowledge gained, gives advice on the rules that the firewalls use. The administrator can accept these proposals with a single click in the dashboard, and a new virtual firewall is then configured immediately."


Each virtual machine gets its own protected perimeter. That not only restricts what an attacker can reach in it from outside, but also prevents malware from 'jumping' from one virtual machine to another. "With CloudHive we have a solution specifically developed for this micro-segmentation," says Rudie Egberink, technical account manager at Contec. "This allows us to regulate, for each individual system, what traffic may go from A to B between the virtual machines."


This means that Hillstone regulates not only the 'north-south' traffic, the traffic that comes in from outside, but also the 'east-west' traffic that takes place within the network, adds Calf. "We keep an eye on that per virtual machine. We create a shell around it and link policy rules to it. That way, for example, the virtual machines that are on one physical server cannot infect each other."
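The policy the three speakers describe, a per-VM allow-list with everything else denied, regardless of whether the two VMs share a physical host, can be shown with a small evaluator over constructed flows. This is an added example written for this article, not CloudHive code or its rule format; the VM inventory, addresses, rules and sample flows are all made up.

```python
"""Default-deny east-west policy per VM (added example, not CloudHive).
Inventory, addresses, rules and flows are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str   # physical server the VM runs on


@dataclass(frozen=True)
class Rule:
    src: str    # VM name, "external", or ANY
    dst: str
    proto: str
    port: int
    action: str = "allow"


# Constructed inventory: both web VMs share a physical host with the DB VM.
VMS = {vm.ip: vm for vm in (
    VM("web01", "10.0.1.10", "esx-a"),
    VM("web02", "10.0.1.11", "esx-a"),
    VM("db01", "10.0.2.10", "esx-a"),
)}

# Allow-list evaluated top to bottom; anything unmatched is denied.
RULES = [
    Rule("external", "web01", "tcp", 443),
    Rule("external", "web02", "tcp", 443),
    Rule("web01", "db01", "tcp", 3306),
    Rule("web02", "db01", "tcp", 3306),
]


def endpoint_name(ip: str) -> str:
    return VMS[ip].name if ip in VMS else "external"


def direction(src_ip: str, dst_ip: str) -> str:
    """'east-west' when both ends are inventoried VMs, otherwise 'north-south'."""
    return "east-west" if src_ip in VMS and dst_ip in VMS else "north-south"


def same_host(src_ip: str, dst_ip: str) -> bool:
    """True when both VMs sit on the same physical server (traffic a
    perimeter firewall never sees, because it never leaves the host)."""
    return src_ip in VMS and dst_ip in VMS and VMS[src_ip].host == VMS[dst_ip].host


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             rules=RULES) -> Tuple[str, str, Optional[Rule]]:
    """Return (action, direction, matched_rule). First match wins; default deny."""
    src, dst = endpoint_name(src_ip), endpoint_name(dst_ip)
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.proto == proto and r.port == port:
            return r.action, direction(src_ip, dst_ip), r
    return "deny", direction(src_ip, dst_ip), None


# Constructed flows: an internet client, the legitimate web->db path, and
# lateral attempts a compromised web01 might make (SMB to its neighbour,
# SSH to the database) plus the database initiating a connection outward.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443),
    ("10.0.1.10", "10.0.2.10", "tcp", 3306),
    ("10.0.1.10", "10.0.1.11", "tcp", 445),
    ("10.0.1.10", "10.0.2.10", "tcp", 22),
    ("10.0.2.10", "10.0.1.10", "tcp", 443),
]


def evaluate_samples():
    """Decision, direction and same-host flag for every constructed flow."""
    return [(flow, evaluate(*flow)[:2], same_host(flow[0], flow[1])) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (action, dirn), shared in evaluate_samples():
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {action} ({dirn}, same host: {shared})")
```

The point to check in a real deployment is the same as in the sample: the SMB flow from web01 to web02 is east-west traffic between two guests on one hypervisor, and it is denied only because the policy is attached to the VM rather than to the physical network edge.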


This is an important benefit of Hillstone for customers, says De Gier. "Because of attacks such as the WannaCry ransomware, organizations see that an internal spread can have serious consequences. That is exactly something organizations can protect themselves against very well with micro-segmentation."




What role does Mojo Networks play in layered security?


Mojo Networks secures wireless networks with Mojo AirTight, its Wireless Intrusion Prevention System (WIPS). Mojo focuses not only on threats from outside, but also on threats from within the organization. Mojo's solutions automatically detect and classify wireless attacks, threats and devices.

This automatic classification lets Mojo separate real threats from false alarms and stop attacks before they can damage the network. "A good example is an employee or an external party deciding to connect their own access point to your network," says Egberink. "Mojo sees that as a malicious access point and warns the administrator. In addition, Mojo ensures that the company's devices cannot connect to that access point. So third parties cannot, for example, intercept traffic through an access point that is not yours."


Mojo is so good at scanning the environment because its access points have a third radio on board besides the 2.4 GHz and 5 GHz radios, says Calf. "This is an extra radio purely for constantly scanning the spectrum. It provides insight into which devices are in use and how the access points perform. Just as Hillstone continuously monitors network traffic, Mojo monitors the entire wireless spectrum. That is clearly illustrated in a management console."


Hillstone uses 'intelligence' to strengthen its products. Does Mojo Networks do that too?


Mojo Aware provides direct, real-time insight into Wi-Fi usage. It shows when and why clients cannot connect to the network, tracks the latency of network services and examines current and historical connection reports. Mojo can also intervene proactively when a vulnerability in a device is being abused and actively counter it, says De Gier. "The moment an Android system is not patched correctly, for example, Mojo Networks can still put a protective layer in between. This active protection module prevents the attack on that vulnerability."


Another example of security with Mojo is that the system can automatically learn that a device belongs to a specific network. Janssen: "Once a device has connected to the corporate Wi-Fi, it is automatically linked to it. If the user then manually switches to another network in the neighborhood, perhaps even in the same building, to circumvent a security measure, and still wants to connect to the guest Wi-Fi, the system will block that."


In addition, Mojo can test the performance of applications over the wireless network, Janssen continues. "For example, you can see how Office 365 or Salesforce performs. This makes it clear whether the user experience originates from the wireless network or from the endpoint, i.e. the end user's device."


"They want to take this further so that they can also simulate VoIP calls," adds Egberink. "Mojo emphatically wants to profile itself not only as a security supplier, but as the supplier of a platform with which the entire wireless network infrastructure can be secured, tested and managed."


What role does Webroot play in layered security?


"Contec has always delivered products for endpoint security," Calf says. "We started with Webroot because we were dealing with a change in malware." Until then, antivirus software worked on the basis of characteristic properties of malicious code: a so-called 'signature', a byte pattern or file hash that identifies a known piece of malware. By checking files and incoming traffic for these signatures, antivirus software could recognize and stop a great deal of malware. "That signature database was the basis of endpoint security a few years ago," says Calf. "As long as users installed updates with new signatures, they were safe against the latest variant of malware. However, there were more and more variants that were only active briefly."


Cyber criminals have made great strides since then and nowadays create 'polymorphic' malware: code that changes itself with every new copy, for example by re-encoding its body with a different key, so that each sample has a unique byte pattern while behaving the same. This leads to malware code that is unique to one attack and escapes traditional antivirus software. "We therefore no longer see malware with a recognizable signature," says De Gier. "Everything is polymorphic nowadays. In investigations, I almost always have to deal with a unique piece of malware. It is true that it has the same basis, but if you look at the piece of code on machine A and the piece of code on machine B, there is just enough difference to stop a signature-based solution from working properly."
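The two preceding paragraphs, signature-based detection and why a polymorphic variant slips past it, can be shown end to end with a toy packer. This is an added example written for this article, not Webroot's or any vendor's engine: the "malware" is a harmless constructed byte string, the decoder-stub format and XOR re-encoding are assumptions standing in for a real polymorphic engine, and the three scanners are deliberately minimal.

```python
"""Signature matching versus a toy polymorphic packer (added example).
CORE is a harmless constructed byte string standing in for malicious code;
the packer, stub format and scanners are assumptions, not a vendor's engine."""
import hashlib
import random

CORE = b"CONSTRUCTED SAMPLE: contact c2.example.invalid and encrypt documents"
STUB_MAGIC = b"\xeb\x0b"   # assumed marker of the toy decoder stub
JUNK_LEN = 8


def make_variant(seed: int) -> bytes:
    """Toy polymorphic engine: same CORE, but a fresh XOR key and junk bytes
    per copy, so every sample has different bytes and a different hash."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)                         # never 0: that would leave CORE in clear
    junk = bytes(rng.randrange(256) for _ in range(JUNK_LEN))
    body = bytes(b ^ key for b in CORE)
    return STUB_MAGIC + bytes([key]) + junk + body      # stub(key) + junk + encoded core


def hash_signature(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def matches_hash(sample: bytes, signatures: set) -> bool:
    """Classic file-hash signature: exact match only."""
    return hash_signature(sample) in signatures


def matches_bytes(sample: bytes, pattern: bytes) -> bool:
    """Classic byte-pattern signature on the file as stored on disk."""
    return pattern in sample


def unpack_and_match(sample: bytes, pattern: bytes) -> bool:
    """Look at the content instead: recognise the stub, undo the encoding
    the way the stub would at run time, then match the decoded body."""
    if not sample.startswith(STUB_MAGIC) or len(sample) < len(STUB_MAGIC) + 1 + JUNK_LEN:
        return False
    key = sample[len(STUB_MAGIC)]
    body = sample[len(STUB_MAGIC) + 1 + JUNK_LEN:]
    return pattern in bytes(b ^ key for b in body)


def scan_report(samples, known_hashes):
    """Per sample: which of the three checks fires."""
    return [{
        "hash": matches_hash(s, known_hashes),
        "bytes": matches_bytes(s, CORE),
        "unpacked": unpack_and_match(s, CORE),
    } for s in samples]


if __name__ == "__main__":
    first_seen = make_variant(1)            # the sample the vendor received yesterday
    signatures = {hash_signature(first_seen)}
    todays = make_variant(2)                # same family, re-packed for today's campaign
    names = ("first_seen", "todays", "benign")
    for name, r in zip(names, scan_report([first_seen, todays, b"hello world"], signatures)):
        print(name, r)
```

The hash signature catches only the exact sample it was built from, and the byte-pattern signature never fires at all because the core is stored encoded; only the check that decodes the body the way the sample itself would at run time recognises both copies. Real unpackers and emulators do the same thing against real packers, which is far more work than this toy, but the reason a static signature fails is exactly the one shown.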


Signature updates are no longer a match for that, according to Calf: "An update will always be just too late to deal with new malware. We therefore looked for an endpoint security solution that fits this new situation. Webroot turned out to be the best because they do not look at the signature but at the content of the traffic. They inspect the data itself and correlate that data with what they know about malware."


Does Webroot also use intelligence?


The Webroot Intelligence Network (WIN) continuously collects, analyzes and correlates threat data, which keeps the protection up to date. WIN shares its knowledge with Webroot's BrightCloud Threat Intelligence Services. With this, Webroot builds a reputation for all kinds of documents and files, as well as for the content of internet traffic, says Janssen. "So when a process starts communicating with an IP address or a domain name on the internet, Webroot immediately knows the reputation of that IP address. Based on that, the software decides whether the traffic is allowed on the system."


This way, Webroot stays ahead of the latest forms of polymorphic malware and stops infections before they can spread. This works both ways: on the one hand the software stops malicious incoming traffic at the borders of the network, and on the other hand it prevents users from reaching unwanted and unreliable websites.


The endpoints, the devices used to access the network, connect to Webroot's BrightCloud and WIN in the cloud, so no heavy files or processes are needed on the endpoints themselves. That benefits the performance of the endpoints, according to Egberink. "Virtually no computing capacity is needed at the endpoint. With this, Webroot achieves a large gain in performance, and that is reflected in all the customers we have been able to welcome on the Webroot platform. For them, that is one of the most important reasons for choosing Webroot."


One-stop-shop or best-of-breed?


The solutions from Hillstone Networks, Mojo Networks and Webroot protect different layers within the network. To stack the protection like slices of cheese, organizations have to work with solutions from different suppliers. Is that wise? De Gier: "For a layered security strategy, you want to deal with multiple suppliers, because then you have the best available product at every level. It seems easier to work with one vendor for all solutions, but in practice that is often fragmented anyway because other teams work with it. Then you are still working with different products."


Moreover, choosing one supplier means that organizations become dependent on that supplier, adds Calf. "That would not be our advice, to put everything with one vendor. You also see it less and less in large environments." If organizations want real integration, that is possible too, Janssen assures. "Most suppliers work with so-called APIs that enable them to link their products to those of others. For example, if you want Webroot to do endpoint detection and you want to make sure that it also works over the Mojo wireless network, or have the Hillstone firewall automatically create a rule, then that is simply possible."


All the solutions add something to each other in the area of security, says Egberink. "Because there is not a lot of overlap between the products in terms of functionality, they reinforce each other. There are also technical possibilities to let them talk to each other. We chose these suppliers specifically because each product has its own engine and works in a different way. None of the solutions alone offers 100% security, and combining these suppliers ensures that you can build a layered security."


If you have any questions in response to this article, please contact our sales department.