Thwarting the enemy within

Reality plays havoc with the convenient fiction that the corporate firewall separates the safe zone it encloses from the dangerous world outside. Insiders with means, motive, and opportunity are always a major threat, and our survey shows that IT professionals are increasingly aware of it. The respondents to the 2003 InfoWorld Security Survey indicate that the possibility of damage from unintended employee errors and sabotage -- by former or current employees -- is keeping executives and security professionals up at night (for more on the top threats readers are facing, see chart below). The question is not whether to compartmentalize the internal network, but how.

VLANs (virtual LANs) and internal firewalls are part of the answer. As with external firewalls, these solutions are administratively costly but feasible when people and equipment exist in stable configurations over time. An agile enterprise, however, must be able to create new configurations at will, without requiring users to define them or IT administrators to implement them. It should be a no-brainer for a small group to form, to recruit members from inside or outside the organization, and to communicate securely. A few software-based solutions exist, although none is as well-known or widely used as it should be.

Interestingly, the possible threats that we asked survey respondents to rank scored in a similar fashion regardless of the respondents' role within their organizations. The overall sample and executives each ranked malicious code as the most likely threat -- 84 percent of all respondents and 89 percent of executives listed it as one of their top three concerns. Employee error came out second, at 77 percent and 76 percent respectively, with hackers scoring third, at 72 percent for both groups. Sabotage by former employees -- including those of business partners -- rang in at fourth, with 61 percent and 60 percent of the respective groups ranking it as a top concern.

Networking hardware offers several  ways to create internal compartments to help defend against the threats that worry our readers. Almost all managed switches offer customers the ability to create VLANs with minimal effort. Traditionally, VLANs have been used to segregate network protocols within a switch or a group of switches, for example, isolating AppleTalk traffic from TCP/IP to improve network throughput.

But network managers can also use VLANs to confine traffic flow within a department or even a workgroup. As long as each VLAN either contains such basic resources as file shares and printers or has a route to these resources on another internal network, VLANs provide a relatively well-understood means of corralling packets and minimizing the opportunities that hostile intruders or wandering employees have to disrupt operations.