For 2005, network administrators have listed security as a major area of
concern and included security enhancement tools among their top 10 technology
priorities. From the local area network security of the 80s to the viruses of
the 90s and now blended threats, networks have always been vulnerable.
"Threats are becoming sophisticated by the day. The scope of network is
increasing and so is the complexity and vulnerability, which has gone
down," says Shantanu Dasgupta, industry analyst, Frost & Sullivan.
Frost & Sullivan projects that India's network security market will
grow by 32.4 percent from an estimated
$45 million in 2004 to $59.5 million this year. HCL Comnet estimates the network
security business in India to be around Rs 250 crore with security software
segment constituting about 55 percent of the market, appliances about 30 percent
and services 15 percent.
A Symantec study shows a sharp increase in the number of attacks per day.
"Every two hours there is a new attack happening. Not only virus attacks
but spam, phishing, worms, trojans, adwares, and spyware etc are going up every
day," says Ambarish Deshpande, head (channels and consumer sales), Symantec
India.
Though the level of awareness of security solutions has gone up in Indian
enterprises, issues like budgetary constraints, lack of proper training and the
absence of strong laws have still left them open to attacks. "The Indian enterprises should recognize
that security is not just a cost, rather it is an investment for a smooth
running business," says Sivarama Krishnan, associate director (business
solutions), PriceWaterhouseCoopers.
Security is now a part of the network rollout rather than being looked at as
a separate activity. With more networks migrating to IP and fiber becoming its
backbone, new challenges are arising for the security managers. Though tools
like firewalls, anti-viruses, anti-spam, intrusion detection and protection
systems, and mechanisms like encryption and passwords still exist, emphasis is
more on their intelligence and their place of deployment.
From merely protecting the perimeter of a network, things have now moved to a
layered and integrated approach. Not only are routers and servers being made
intelligent enough to protect themselves, but access devices are also being
secured to provide end-to-end protection.
How to Protect the Network
The dream for any network manager would be to have a self-defending and
self-healing network. The scope of security has moved beyond the firewalls and
intrusion detection systems at the periphery level to one of end-to-end security
at all levels. It is important to have multiple levels of segregation between
the Web, application, and database tiers, preferably using a policy enforcement
device such as a firewall. At a bare minimum, the enterprise should implement
some form of zoning between external users, internal users, applications,
third-party access zones, etc.
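The tiered segregation and zoning described above can be written down as a small "policy as code" model and checked before it is loaded onto a firewall. The example below is added here and is not from the article or any vendor: the zone names, address ranges and allowed flows are constructed sample data, the FLAT policy is a deliberately weak counterpart to show what the checks catch, and the nftables text it renders is illustrative output rather than a tested production ruleset.

```python
# Added example, not from the article: a tiny "policy as code" model of the
# zoning the text recommends. Zone names, address ranges and allowed flows
# are constructed sample data; the nftables text is illustrative.
from collections import deque

# Constructed sample: Web, application and database tiers, plus the
# external / internal / third-party zoning the article calls the bare minimum.
ZONES = {
    "external":   None,              # anything not in another zone
    "thirdparty": "203.0.113.0/24",  # partner access range (documentation prefix)
    "internal":   "10.10.0.0/16",    # staff LAN
    "web":        "10.20.1.0/24",
    "app":        "10.20.2.0/24",
    "db":         "10.20.3.0/24",
}

# Allowed flows as (source zone, destination zone, TCP port); everything else is denied.
TIERED = {
    ("external",   "web", 443),
    ("internal",   "web", 443),
    ("thirdparty", "app", 8443),
    ("web",        "app", 8080),
    ("app",        "db",  5432),
    ("internal",   "db",  5432),
}

# A common shortcut (constructed): the Internet-facing web tier talks to the
# database directly, and a partner range was opened straight to the database.
FLAT = {
    ("external",   "web", 443),
    ("web",        "db",  5432),
    ("thirdparty", "db",  5432),
}

UNTRUSTED = ("external", "thirdparty")


def is_allowed(src, dst, port, flows):
    """Decision a policy enforcement point makes for one new connection."""
    return (src, dst, port) in flows


def hops_to(src, dst, flows):
    """Fewest zone boundaries between src and dst, or None if unreachable.
    Every zone is treated as pivotable: a foothold in 'web' is assumed to be
    able to use any flow 'web' is allowed."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        z = queue.popleft()
        if z == dst:
            return dist[z]
        for s, d, _ in flows:
            if s == z and d not in dist:
                dist[d] = dist[z] + 1
                queue.append(d)
    return None


def findings(flows):
    """Two checks from the text: untrusted zones must never reach the database
    directly, and the web tier must go through the application tier."""
    out = []
    for s, d, p in sorted(flows):
        if s in UNTRUSTED and d == "db":
            out.append(f"{s}->db on tcp/{p} is a direct path into the data tier")
        if s == "web" and d == "db":
            out.append(f"web->db on tcp/{p} skips the application tier")
    return out


def render_nftables(flows, zones=ZONES):
    """Render the allowed flows as an nftables forward chain with default drop.
    Illustrative output only; family, interfaces and sets would be adjusted
    for a real deployment."""
    lines = ["table inet zoning {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, p in sorted(flows):
        match = []
        if zones[s] is not None:
            match.append(f"ip saddr {zones[s]}")
        match.append(f"ip daddr {zones[d]}")
        match.append(f"tcp dport {p} ct state new accept")
        lines.append("    " + " ".join(match) + f"  # {s} -> {d}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, policy in (("TIERED", TIERED), ("FLAT", FLAT)):
        print(name, "external->db hops:", hops_to("external", "db", policy))
        for f in findings(policy) or ["no findings"]:
            print("  ", f)
    print(render_nftables(TIERED))
```

The hop count is the useful number for a design review: in the tiered policy an Internet-facing compromise has to cross three enforcement points before it touches the database, whereas the flat policy collapses that to two and also opens a direct partner path, which the checks report.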
"We prefer a layered security approach. Administrators today have to
secure peripheral devices, remote sites, core network, and also look at disaster
recovery. We advise to have different sets of solutions for each layer depending
on the vulnerabilities and threats," says Girdhar Java, country manager,
Juniper Networks.
Tips for a Secure Environment
• Create a security policy and stick to it
• Assess the vulnerabilities
• Identify and audit what needs to be secured
• Security architecture should be in line with your needs
• Evaluate bundled functionality against discrete solutions
• Service and support mechanisms of the vendor
• Technical capability and experience of support staff
• Consider a layered-security architecture
• Involve all stakeholders in security planning
• No complex designs and management rules
• Evaluate future needs and scalability of solutions
• Check compatibility and interoperability of solutions
Most organizations are spending on one or more technology options, depending
on what they are trying to secure and what is the risk appetite of that
organization. Many enterprises run parallel wired and wireless networks, which
adds considerably to the existing administrative and cost burdens when it comes
to securing them.
"It's important for network administrators to consider
interoperability when selecting the solution; if a new technology requires the
IT administrator to replace the entire network, it raises serious RoI
issues," says Antony Chapman, senior director, Asia-Pacific, SonicWall.
It is not possible to contain an attack or intrusion with single-point
filtering. With Internet usage on the rise, a lot of traffic is hidden inside
HTTP. Firewalls have to look deeper, into the application level, and an IDS
cannot just detect: it should be able to scan at the wire level and prevent the
attack. "Firewall intelligence has to be improved at every level.
Virtualization of firewalls helps in better management and creation of specific
firewalls in the same box," says Jagdish Mahapatra, business development
manager, India and Saarc, Cisco Systems.
Security Solution Trends
Built-in security intelligence: Networking equipment such as routers and
switches enforces security policies on any device connecting to the
network.
Secure remote access: Solutions independent of access devices or
location, such as SSL-VPN or IPSec.
End point control: These are integrated at various touch points within
the network such as VPN, RAS, or wireless to check a device's security
posture with respect to viruses, trojans, key loggers, spyware, adware, malware,
etc., and permit only authorized access to the network.
Two-factor authentication for network login and application access: This
counters the user weakness of choosing weak passwords, and makes guessing by
trying out multiple passwords far less effective.
Vulnerability and patch management systems: This includes techniques
for identifying vulnerabilities and using patch management solutions to
ensure that those vulnerabilities are closed.
Application vulnerability analysis: Periodic analysis for Web-facing
applications to identify if any application layer exploits exist and then deploy
remedy for the same.
Enterprise-wide anti-virus solutions: Central control is
recommended for anti-virus tools deployed throughout the network, right from the
perimeter (e-mail, HTTP and FTP scanning) to servers and desktops.
Hype Cycle for Information Security, 2004
Each new wave of technology disrupts established security measures and introduces new vulnerabilities. New technologies in security, privacy, and risk follow a hype cycle. Determining when to adopt an emerging technology is critical for any enterprise. If an immature technology is adopted, it would incur pain and extra expenses. And, if it is adopted late there is a risk of being left behind by competitors that have made technology work to their advantage.
Desktop firewalls and anti-spyware components: These ensure security
policy-based access for each desktop. The current rate and nature of attacks
make deploying an anti-malware and anti-spyware component on each desktop highly
desirable.
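The two-factor authentication item in the list above rests on two properties of a time-based one-time code: it is valid only in a narrow window and only once, and a small attempt budget means guessing costs the attacker a lock-out long before the code space is exhausted. The example below is added here and is not from the article or any vendor: the HOTP/TOTP functions follow RFC 4226 and RFC 6238, the SecondFactor class is a constructed illustration of the server side of such a login, and the secret is the RFC test-vector key used only so the code can be checked against published values.

```python
# Added example, not from the article: an RFC 6238 TOTP second factor with a
# replay check and an attempt budget. The SecondFactor class is a constructed
# illustration of the login flow, not any vendor's product.
import hashlib
import hmac
import struct
import time

# Test-vector key from RFC 4226 Appendix D / RFC 6238 Appendix B; a real
# deployment generates a random per-user secret and stores it protected.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class SecondFactor:
    """Server-side state for one user's TOTP factor.

    - a code is accepted only within +/- `skew` time steps of the server clock;
    - a time step, once used, is never accepted again (replay rejected);
    - after `max_attempts` consecutive failures the factor is locked, so
      trying codes one after another is stopped long before 10**6 guesses.
    """

    def __init__(self, secret: bytes, max_attempts: int = 5, skew: int = 1, step: int = 30):
        self.secret = secret
        self.max_attempts = max_attempts
        self.skew = skew
        self.step = step
        self.failures = 0
        self.last_counter = -1  # highest time-step counter already consumed

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, code: str, at=None) -> bool:
        """Check a submitted code at time `at` (Unix seconds; defaults to now)."""
        if self.locked:
            return False
        now = time.time() if at is None else at
        counter = int(now // self.step)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:  # already used or older: treat as replay
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at t=59:  ", totp(RFC_TEST_SECRET, 59))
    sf = SecondFactor(RFC_TEST_SECRET)
    print("first use accepted:", sf.verify(totp(RFC_TEST_SECRET, 59), at=59))
    print("replay accepted:   ", sf.verify(totp(RFC_TEST_SECRET, 59), at=59))
```

The comparison uses hmac.compare_digest so the check does not leak how many leading digits matched, and the lock-out counter resets only on a successful login; a production deployment would also persist last_counter and failures per user rather than in memory.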
Framing the Right Policies
Having the right security policies and working according to the laid process
and procedures in the policy is a primary requirement of any security mechanism.
Without a security policy, no security architecture or tool can give the desired
results. "Security is a process. If you look closer, apart from the
technology that goes into security software, it is all to do with processes and
policies," says Rajesh Sahore, country manager, Allied Telesyn.
The work for a good network security policy starts with an assessment of the
enterprise's requirements. This would include evaluating present security
threats as well as future ones, and where these would come from. Creating a
user profile and defining the types of access to the network also helps in
drafting the policy. Next come the devices and access points that need to be
secured. The policy is an important document that defines who does what on the
network and how, what kind of access each person has and, above all, who
controls policies and who has the rights to change them.
Most enterprises fumble at the policy stage itself. They make
policies but do not enforce them strictly, leading to lapses and compromise of
information over the networks. Policies have to be consistent and relevant to
the demands of the enterprise and the threats. They should be easy to use and
understood by everyone, not just by the IT managers, and they should be updated
regularly.
Integrated vs Multiple Security Boxes
In an era of convergence, various security tools are being packed into one
box. The integrated boxes, by their very nature of having everything in one
place, are easier to manage. However, industry observers say these boxes
cannot provide the same security efficiency as discrete tools installed
across the network at different places. "Deployment of integrated solutions
depends on the amount of information and data flowing through the network. If
the flow is more, discrete solutions are preferred," says Java.
Ideally the integrated, one-box solutions are best suited for the small and
medium enterprises where budget is a constraint. However, the lower cost comes
with lower efficiency levels. "Enterprises cannot afford a lowered
throughput and save some money on integrated boxes. They prefer purpose-built
devices for securing various parts of the network," says Kartik Shahani,
sales director, McAfee India.
"One should start with the firewalls and move towards other tools. Just
like a wall is built brick by brick, security should be built in blocks,"
says Deshpande.
However, Mahapatra says "Single vendor, single point solution is the way
to go as it gives single-point manageable solutions."
The industry is definitely moving towards integrated solutions (not
necessarily meaning a single box), and security tools from different vendors
are seen working together rather than in silos. A mix of discrete solutions for
the core network and integrated boxes for the branch offices is also a model
being promoted by vendors.
Outsourcing Security Management
A PriceWaterhouseCoopers report says the SMB segment would increasingly
outsource security management of their first line of defense, including
firewall, IDS, and incident reporting services. In countries like India,
outsourcing of security is still a tough decision for network managers.
Slowly, the outlook is changing and there has been a rise in the managed
services space. Though enterprises are shying away from completely handing
over security to a third party, remote management from a central location is
all set to take off.
"Geographical spread of enterprises has become large and they are now
demanding a uniform delivery of security services," says Shahani. According
to Java, there are already tenders from the government and enterprises for
managed security services. In future, the onus of policy and process would lie
with the enterprises, but the execution part is likely to be outsourced.
Tough Job for Network Managers
A network security manager has to ensure the security of the network, make
it free from bugs, and also work within the given budget. The management expects
him to optimize the return on investment while pushing for latest upgrades. He
has to plan his policies keeping long-term goals in mind and also deal with
multiple vendors in the fast-changing technology environment.
The CIO tries to adopt best practices in the industry. However, he should
keep his requirements in mind. Security solutions should be custom-built and be
very specific to each business' needs and infrastructure. He has to assess his
current requirement looking at future growth and also identify critical areas to
be addressed. Preparing a roadmap with price escalations and scalability as key
parameters is a good way to start.
Good Security, Bad Performance
At the end of the day, it is uptime and network performance that matter.
The level of security posturing has a direct impact on the performance of the
network: the more security tools and checks, the lower the network speed.
The capacity of the security infrastructure needs to match the traffic on a
network. Encryption and decryption, authentication, and filtering introduce
latency and choke the network; this can be removed only by deploying the right
devices and solutions after a proper audit.
Bandwidth utilization goes up and network performance goes down if security
tools are not upgraded along with the new threats and attacks. If security tools
are not there, attacks could cause major revenue losses.
"There is a trade-off between security and performance. But there are
technologies which link both and try to optimize performance levels," says
Rakesh Singh, general manager, Asia operations, NetScaler.
Application-level content processing requires enormous computing resources as
compared with network-level processing. As a result, it has not been possible to
deploy content-processing applications at the network edge without severely
degrading network performance.
"It is better to provide anti-virus and content-filtering services at
the network edge, where they'd be most effective, just as with firewalls, VPN
gateways, and intrusion detection systems," says Vishak Raman, country
manager, Fortinet.
The overall security design should incorporate a careful analysis of the
business requirements of a network in terms of peak and average user load. Only
once this information is collated should the selection and placement of security
components within the network commence.
"Techniques such as application load balancers, SSL terminators, and VPN
acceleration devices should also be incorporated to ensure effective up time and
application response times," emphasizes Sanjeev Nikore, COO, HCL Comnet.
Adhering to Standards, Getting Certified
Though India has the IT Act 2000, this act is silent on network security
laws. RBI and SEBI have laid down certain guidelines for online financial
transactions, but there are no concrete rules governing the security of networks
or information flowing over them. It is advised that rather than looking for
specific certifications or benchmarks, an organization should try to get
information security assurance for its entire operation.
Third-party certifications and benchmarks are the only ways to determine
security levels here. At the gateway level, ICSA certification is required for
any firewall, anti-virus, VPN, IDS, or SSL product to be deployed in a customer
network. EAL 4+ is the bare minimum standard for government deployments. AES
has now arrived as the successor to conventional 3DES encryption.
The security controls of ISO 17799 and security certification from BIS namely
BS7799 cover not only information security, but also physical and environmental
security, access controls, operations and communications management, software
development and maintenance, business continuity planning, and compliance with
the laws of the land.
Back-up Plan
No amount of security tooling can ensure 100 percent protection of a
network. So it is important to have a back-up plan. Once security has been
breached, the next step is to contain the damage and quickly get the network up
and running. A good network administrator would review his back-up plan
periodically and check the reaction time to any contingency.
Thus, security is not just about deploying solutions and tools. It is the
combination of policy, procedures, technologies, human resources, and their
management that makes a network and information on it secure.
Anurag Prasad