The Importance of a Self-Defending Network

By Giovanni Prinetti

Network security is a leading concern for every business owner, CIO and network administrator. Given its importance, it is surprising that most enterprise security models still rely so heavily on manual intervention when things do go wrong.

It is widely accepted that the weakest link in network security is the human user, usually through inadvertent bad practice. Attackers use social engineering techniques to take advantage of this, defeating even the most secure networks by tricking users into disclosing sensitive information. In 2017, the University of Illinois ran a “baiting” experiment in which USB drives were left near building entrances. Forty-five percent of those USB drives were inserted into network-connected devices. Therein lies the proof: users can inadvertently become the attack vector at any time.

In addition to user behavior, security can be compromised via the unmanaged devices connected to a network, such as IoT sensors, printers or machine-programmable controllers. These can serve as “Trojan horses”, because they cannot host any local threat-protection agent.

Protecting the Edge

The conventional way to protect against attackers and threats is to use a firewall to inspect all traffic to and from the Internet. This very common design focuses on protection from the Internet, but it leaves the network vulnerable to attacks originating inside the network itself, from connected devices and external media.

A more secure approach is to force all traffic, including internal traffic, to pass through the firewall. But this solution requires a very powerful and expensive firewall, and it adds communication delays that are often simply unacceptable.

Another approach, widely used in Industrial Ethernet networks, is to split the network into subnetworks and place a firewall between each subnetwork and the core network. This stops a malware threat from spreading any further than the local subnetwork.

Regardless of the architecture, even the very best firewall cannot protect against threats originating at user terminals, because a firewall can only block the traffic it sees.

A firewall cannot control the device that is causing the problem. Once a firewall detects this kind of attack, all it can do is alert the administrator to investigate and act manually. This takes time and resources: time in which the threat can spread and sensitive information can be lost. If a network device is copying infected files or uploading sensitive material, that device should be isolated from the network immediately to prevent further damage, and this simply cannot wait for human reaction time.

Enter Self-Defending Networks

Ideally, a network would defend itself based on the threat detected and the device that caused the problem. The action taken would be immediate, and the responsible device would be automatically isolated from the network to prevent further damage. Further, it should not matter how that device is connected to the network: whether wired or wireless, the protection and response should be the same.

Enter the Allied Telesis Self-Defending Network solution. We created this solution to work with your existing firewall to instantly respond to threats. The AMF-Sec controller at the heart of our AMF Security solution uses our innovative Isolation Adapter technology, adding autonomous intelligence to the network to automatically decide the appropriate reaction for any detected attack. The AMF-Sec controller integrates with most common firewall products, to centralize your security policies on one device and save you the expense and inconvenience of changing your primary security device.

The major benefit of the Self-Defending Network is immediate and accurate threat response, without any manual intervention. Actions are configurable depending on the firewall event, so that inadvertent visits to questionable webpages can be distinguished from malicious attempts to steal data. Suspect devices can be isolated from the network completely, or moved to a quarantine area to await remediation.

Suspect user devices can be automatically isolated whether they are wired or wireless, ensuring there are no weaknesses anywhere on your network, and without the need for end-point agents or applications. The Allied Telesis Self-Defending Network does not require any special software to be installed on the end-point. Instead of shutting down the device, we control the network to restrict access until remediation can be applied. We can block a threat emanating from a data center server just as easily as one from a mobile device.
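The event-to-action mapping described above, written out as an added example (this is illustrative code, not Allied Telesis code and not the AMF-Sec controller's interface): it parses constructed firewall alerts in a generic key=value syslog style, looks the source address up in a constructed wired/wireless inventory, and applies a configurable policy in which a low-severity event never downgrades a device that an earlier event already placed under a stronger action.

```python
import re

# Action strength, used so a later minor event cannot relax an earlier isolation.
SEVERITY = {"log": 0, "quarantine": 1, "isolate": 2}

# Assumed policy: firewall event category -> network action.
POLICY = {"web-filter": "log", "malware": "quarantine", "data-exfil": "isolate"}

# Constructed inventory: how each endpoint is attached, wired port or wireless AP.
INVENTORY = {
    "10.1.20.15": {"mac": "00:11:22:33:44:55", "attach": "wired", "at": "sw1/port12"},
    "10.1.30.7": {"mac": "66:77:88:99:aa:bb", "attach": "wireless", "at": "ap3/corp"},
    "10.1.20.99": {"mac": "cc:dd:ee:ff:00:11", "attach": "wired", "at": "sw2/port3"},
}

# Constructed firewall alert lines (generic format, not any vendor's real output).
SAMPLE_ALERTS = [
    'Jun 3 10:01:02 fw1 alert: category=web-filter src=10.1.20.15 dst=203.0.113.9 msg="blocked site"',
    'Jun 3 10:02:40 fw1 alert: category=malware src=10.1.30.7 dst=198.51.100.4 msg="known C2 signature"',
    'Jun 3 10:03:05 fw1 alert: category=data-exfil src=10.1.20.99 dst=198.51.100.77 msg="large upload"',
    'Jun 3 10:03:30 fw1 alert: category=web-filter src=10.1.20.99 dst=203.0.113.9 msg="blocked site"',
    'Jun 3 10:04:00 fw1 alert: category=malware src=10.9.9.9 dst=198.51.100.4 msg="unknown host"',
]

ALERT_RE = re.compile(r"category=(?P<category>\S+)\s+src=(?P<src>\d+\.\d+\.\d+\.\d+)")


def parse_alert(line):
    """Extract the event category and source address; None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def decide(alerts, inventory=INVENTORY, policy=POLICY):
    """Map alerts to the strongest action per endpoint, wired or wireless alike."""
    actions = {}
    for line in alerts:
        alert = parse_alert(line)
        if alert is None:
            continue
        action = policy.get(alert["category"], "log")  # unknown categories only get logged
        dev = inventory.get(alert["src"])
        if dev is None:
            # Not in inventory: nothing on the network to act on, so hand it to a human.
            actions.setdefault(alert["src"], {"action": "manual-review", "attach": None, "at": None})
            continue
        current = actions.get(alert["src"])
        if current is None or SEVERITY[action] > SEVERITY.get(current["action"], -1):
            actions[alert["src"]] = {"action": action, "attach": dev["attach"], "at": dev["at"]}
    return actions
```

Running `decide(SAMPLE_ALERTS)` leaves the wired host at sw2/port3 isolated despite its later web-filter event, quarantines the wireless client, and flags the unknown address for manual review.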

The Self-Defending Network also monitors and protects traffic moving within a corporate network without adding unacceptable latency. Our solution allows the security appliance to monitor a copy of the traffic (i.e. one-armed deployment) so that no latency is introduced, while threats are still blocked instantly and automatically.