Bringing Security Proactively Into the Enterprise

Prevailing network architectures are designed for openness, collaboration, and sharing. The majority of viruses and worms use the network to spread rapidly through the enterprise network, enabling these cyber threats to reach their targets effortlessly. The most common solution available today for cyber security is hardening of systems via “patching” or keeping the operating systems, applications, and anti-virus software current. This option is reactive and time/labor intensive because security updates are available only after exploits are known and already in use. The currency of software does nothing to prevent cyber attacks from reaching their targets. We believe that policy-enabled network security complemented by system hardening, provides a proactive and more comprehensive strategy to deal with security by reducing the likelihood of cyber threats entering the network and by controlling their spread. Typical enterprise network architectures are developed to bring scalability, extensibility, and availability to the Intranet. Security capabilities have not been part of the enterprise network architecture and are typically implemented in reactive fashion. Additionally, current security capabilities require manual and labor-intensive efforts that negatively impact costs and take time to implement. Firstly, we propose a change to the enterprise network architecture by integrating security components such as packet filtering, stateful inspection, port-based access control, and super/sub Virtual Local Area Networks (VLANs). Secondly, we propose a fundamental change in the implementation of the enterprise network architecture by using a security management system referred to as PolicyEnabled Network Security (PENS) that leverages the new security capabilities in an integrated and proactive manner and reduces unstructured manual, labor-intensive, and error-prone activities.