
Security on the Wire

What the IPSec Hack Can Teach Us About One-Layer Cyber Protection

by Ben Haley


Think one-layer cyber protection is enough to handle whatever threat comes your organization's way? Think again.

Even the most comprehensive cyber defense system can still be vulnerable when dependent on a single layer of security.

Don't believe me?

This month researchers at the University of Opole and the Horst Görtz Institute for IT Security (Ruhr University Bochum) demonstrated practical attacks on the IKE key exchange used by IPSec: RSA-based IKEv1 implementations that leaked whether decryption succeeded gave the researchers a Bleichenbacher padding oracle, and because the same keys were reused across IKE authentication modes, that oracle could be used to impersonate the gateway.

To be clear, this was not a failure of the IPSec protocol specification itself; the exploitable behaviour came from the implementations shipped by Clavister, Zyxel, Cisco and Huawei.

However, if your private data is stolen, it doesn’t matter whether the theft was due to a weakness in the hardware, software, protocol, or implementation.

All anyone cares about is whether information has been kept SECURE.

The Myth of "Jack-Of-All-Trades" Cyber Protection

We've talked to several companies who deployed state-of-the-art technology for cyber defense. They had top-notch firewalls, data loss prevention (DLP), IPSec tunnels, or other tools in place.

But each deployment had one potentially fatal flaw.

A financial company we worked with had compartmentalized its network into layers of isolated zones, with a firewall deployed to protect each zone. However, they were using the same vendor's firewall product at every tier of the architecture. A single vulnerability in that product could be exploited at each level of the network. Instead of seven layers of protection, they had one layer of protection, seven times.

Another firm had deployed intelligent DLP devices to prevent private data from leaking. In their case the outbound traffic was encrypted before it reached the Internet. Since the DLP equipment could NOT decrypt the traffic, it was blind to the fact that data was escaping: a content inspector that only sees ciphertext can match none of its patterns.
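When the payload is opaque, what is still visible is the metadata: who is talking to whom, on which port, and how many bytes leave. The following is an added example (not code from HOPZERO or from the firm described above) of an exfiltration check that works on flow records alone, looking from the inside out. The flow records, the internal address ranges, the sanctioned destination list and the per-host baselines are all constructed for the example; in practice they would come from a NetFlow/IPFIX collector and from a period of observed outbound volume.

```python
"""Flow-metadata egress detection for traffic a DLP cannot decrypt.

Added example, not HOPZERO's or any vendor's code. Every input below is
constructed; a real deployment would read flows from a collector and learn
the baselines from history.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges that count as "inside" (RFC 1918 space standing in for a site).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical external destinations where large uploads are expected (backup / SaaS).
SANCTIONED_DESTS = {"203.0.113.10"}

# Outbound bytes per host over a comparable earlier period (constructed "learned" values).
BASELINE_BYTES = {"10.0.1.5": 2_000_000, "10.0.1.7": 50_000_000}
DEFAULT_BASELINE = 1_000_000   # assumed for hosts with no history
ALERT_RATIO = 5.0              # alert when volume to one destination is >= 5x baseline


def flow(src, dst, dport, out_bytes):
    return {"src": src, "dst": dst, "dport": dport, "bytes": out_bytes}


# Constructed flow records: only addresses, ports and byte counts survive,
# because the payload is TLS/SSH and the DLP appliance sees nothing inside it.
SAMPLE_FLOWS = [
    flow("10.0.1.5", "198.51.100.20", 443, 30_000_000),   # workstation at 15x its baseline
    flow("10.0.1.5", "203.0.113.10", 443, 5_000_000),     # sanctioned destination
    flow("10.0.1.7", "203.0.113.10", 443, 60_000_000),    # backup server doing its job
    flow("10.0.1.7", "198.51.100.30", 443, 1_000_000),    # well under its baseline
    flow("10.0.1.9", "198.51.100.40", 22, 8_000_000),     # unknown host, SSH, 8x default
    flow("10.0.1.9", "10.0.2.1", 445, 100_000_000),       # internal file share: ignored
    flow("198.51.100.40", "10.0.1.9", 50000, 9_000_000),  # inbound: ignored
] + [
    # "low and slow": 200 small flows that add up to 20x the default baseline
    flow("10.0.1.12", "198.51.100.50", 443, 100_000) for _ in range(200)
]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_volume(flows):
    """Sum bytes per (internal source, external destination), skipping sanctioned hosts."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # inbound or internal-only traffic is out of scope here
        if f["dst"] in SANCTIONED_DESTS:
            continue
        totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def flag_egress(flows, baseline=BASELINE_BYTES, ratio=ALERT_RATIO):
    """Alert on hosts whose volume to a single external destination is >= ratio x baseline."""
    alerts = []
    for (src, dst), total in sorted(outbound_volume(flows).items()):
        expected = baseline.get(src, DEFAULT_BASELINE)
        if total / expected >= ratio:
            alerts.append({"src": src, "dst": dst, "bytes": total, "ratio": total / expected})
    return alerts


if __name__ == "__main__":
    for a in flag_egress(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}: {a['bytes']:,} bytes ({a['ratio']:.1f}x baseline)")
```

The point of the aggregation step is the last group of flows: no single 100 KB connection looks interesting, but summed per source and destination they are the largest transfer in the set. The sanctioned-destination list is what keeps a legitimately chatty backup server from paging someone every night; it should be reviewed as carefully as any firewall rule, since an attacker who can reach a sanctioned host inherits its exemption.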

Another security team was securing all their traffic with IPSec tunnels. As the report indicates, those tunnels were VULNERABLE on the affected vendors' gateways. The researchers disclosed the flaws to the equipment providers before publishing, and the vendors released fixes; the practical question for that team is whether those fixes have actually reached every gateway, and whether an attacker spotted the weakness first.

This is not to criticize those solutions. Each tool is powerful and together can be very effective. The problem comes when a single tool is thought to be THE solution.

Just as there is value in bringing diverse perspectives to a team of employees, we need diverse tools to protect our systems. Each tool brings a different perspective. Even firewalls from different vendors offer better security than using a single product line.

Even better, use different types of products. For example, a proxy intercepts data that is allowed through the firewall, and can inspect encrypted sessions that a passive device cannot. IDS and IPS provide behavioral or signature-based analysis of traffic allowed through. Identity and access management (IAM) tools validate that users can only access appropriate systems and information. Multi-factor authentication validates that the right person holds the IAM credentials.

At HOPZERO we offer tools to limit data movement. This addresses some of the same issues as firewall, IDS, IPS, and DLP tools, but in an alternative way. Instead of looking from the outside to keep people out of the network and devices, HOPZERO examines information flow from the inside looking out. Limiting data travel provides a new ability to keep information in the network and detect anyone attempting to breach the travel limits.

What does your cyber protection mix look like? Does it have multiple layers of cyber defense to keep people out of your network? Do you have adequate defenses keeping information inside your network? The right product mix can make your organization more secure.

 Schedule Your FREE Cyber Hop Assessment Today

Topics: cyber protection, cyber defense

Ben Haley

Ben Haley is the senior vice president of Engineering and co-founder of HOPZERO. During his over 30 years’ experience in software engineering, Ben has led network and application efforts for high performance, reliability, and security programs at multiple firms. As founding development director for NetQoS/CA Technologies, Ben led all development work and formed a research team to review performance and security anomalies. Most recently, he served as a lead architect for several key projects at MaxPoint (now Valassis), a leading digital marketing technology company.

Privacy Policy