When Security Is Too Much of a Good Thing
October 29, 2009
Security "experts" will no doubt insist that you can never have too much security, but I disagree. Two-factor authentication, RSA IDs, local machine logins, domain logins, retina scans (thanks a lot, Star Trek), NIS+, data encryption, hotfixes, security patches, virus signature updates, local firewalls, network firewalls, router rules: it's enough to make me totally meshugenah. I know security is necessary because of those naughty 17-year-old East Mongotanians who constantly scan the Internet waiting for my financial records to traverse the abyss from my computer to my bank's database and back again, but there must be a better way. How about single sign-on (SSO) and virtual LANs (VLANs) for securing your internal environment?
Yes, I know we'll still need anti-spyware and anti-virus software for our computers. We'll also need the regular security updates to prevent malicious junk from entering our computers from unsavory web sites. But let's simplify internal networks down to SSO plus a handful of VLAN segments. That way you still have domain authentication without having to remember 30 different passwords, and you have VLANs to protect the greater network from a single errant segment.
SSO is a boon to users and administrators, since users must manage only one password instead of dozens for services and systems. For administrators, SSO provides an efficient and secure method of managing password authentication to services and systems. SSO is a real money saver, too, since your employees won't need to call the help desk and wait in a queue for a half hour or more to request a 10-second fix. Sure, SSO costs money, but it's money well spent once you tally up the unproductive hours lost to password problems, help desk calls and frustrated employees, whose morale during these episodes is tied directly to productivity.
VLANs segment and isolate network traffic among systems that don't necessarily share close physical proximity the way they do in traditional LAN segments. The entire network has knowledge of each VLAN and its restrictions. Why is this a money saver? Let's say someone on VLAN01 downloads a virus and it attacks through a vulnerable port or service on your computer and on every other computer in your segment (VLAN). The virus would affect only the computers within that VLAN, since chances are very good that the network administrator uses a deny-all rule between VLANs and allows only those protocols that users depend on for productivity. A great example of such an exploit is the Sasser worm from a few years ago.
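To make the containment argument concrete, here is an added example (not from the original article) that models a default-deny inter-VLAN policy and checks which hosts a worm scanning one port could still reach; the VLAN names other than VLAN01, the addressing, the allowed ports and the scanned port (TCP 445, which file-sharing worms such as Sasser targeted) are all assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing: which subnet belongs to which VLAN (assumed).
VLANS = {
    "VLAN01": ip_network("10.0.1.0/24"),   # user workstations
    "VLAN02": ip_network("10.0.2.0/24"),   # a second user segment
    "VLAN10": ip_network("10.0.10.0/24"),  # servers (DNS, web)
}

@dataclass(frozen=True)
class Rule:
    src: str      # source VLAN name
    dst: str      # destination VLAN name
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "allow" or "deny"

# Inter-VLAN policy: only what users need is listed; everything else is denied.
POLICY = [
    Rule("VLAN01", "VLAN10", "udp", 53, "allow"),
    Rule("VLAN01", "VLAN10", "tcp", 443, "allow"),
    Rule("VLAN02", "VLAN10", "udp", 53, "allow"),
    Rule("VLAN02", "VLAN10", "tcp", 443, "allow"),
]

def vlan_of(ip: str) -> str:
    """Map an address to its VLAN name, or fail loudly for unknown addresses."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known VLAN")

def decide(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow. Traffic inside a single VLAN
    never crosses the inter-VLAN filter, so it is allowed; traffic between
    VLANs matches the first explicit rule, and falls back to deny-all."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return "allow"
    for r in POLICY:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return r.action
    return "deny"

def reachable_hosts(infected_ip: str, targets: list[str], proto: str, port: int) -> list[str]:
    """Hosts an infected machine scanning proto/port could actually reach."""
    return [t for t in targets
            if t != infected_ip and decide(infected_ip, t, proto, port) == "allow"]
```

Running `reachable_hosts("10.0.1.5", [...], "tcp", 445)` over hosts in all three VLANs shows that only the other VLAN01 workstation is exposed; the server VLAN is reachable on 443 but not on the scanned port.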
If you've ever tried to troubleshoot a network problem with 10 layers of internal security, you know how difficult it is. It's like trying to find a single pothole on a 2,500-mile stretch of road when your only clue is a call from someone who reports, "There's a pothole on Route 66." You cleverly ask the caller to be more specific, and the answer comes back, "Illinois." Troubleshooting network slowness, loops and security breaches is no easy task for even the most experienced network administrator. Often it requires days of packet sniffing, performance tests and port scans to determine the offending protocol, switch port, network interface or user.
The takeaway here is to simplify access to systems and services with SSO and to prevent widespread breaches with the use of VLANs. Security is necessary. The threats to your data are real. You just have to be smart about implementing a secure but usable network. Otherwise, the next time someone calls you to say, "The network is slow," you can say, "It's slow for everyone by design. You can thank the Mongotanians for that." "Mongotanians?" asks the innocent caller. "Sorry, East Mongotanians."
Ken Hess is a freelance writer who writes on a variety of open source topics including Linux, databases, and virtualization. He is also the coauthor of Practical Virtualization Solutions, which is scheduled for publication in October 2009. You may reach him through his web site at http://www.kenhess.com.