  GOLDBOOK 2007
Network Security: No Scope for Complacency
Network security can be best ensured by assessing risks, designing a security policy, building an architecture based on it and then deploying suitable tools
Tuesday, March 13, 2007

Networks are expanding and they are running a plethora of applications that in turn drive many of the businesses of enterprises. This growth and expansion of enterprise networks, and increasing reliance of businesses on them, have given rise to new challenges of securing these networks. As the security environment worsens due to a complex set of threats and vulnerabilities, network security must be dealt with at different levels and in a much more comprehensive manner than it is being done today.

As the complexity and number of threats increase, the menace cannot be fought just with complex solutions that most enterprises don't understand. Network security is best ensured by following a process: assessing and determining risks, designing a security policy, building a security architecture based on it and then looking for tools that are aligned with it. An enterprise must constantly change and monitor the security policy and system in accordance with changes in the external environment and the business model it follows.

Key Threats
There is no such thing as a minor or major threat for enterprises. Seemingly minor threats turn out to be major ones only after attacks happen, and enterprises cannot afford to ignore any of them. Security threats pour in from all directions. They can take the following forms: physical threats; environmental threats; unauthorized access; malicious misuse; unintentional (accidental) errors and omissions; intentional threats from insiders, virtual insiders (who plant a Trojan inside the infrastructure to obtain information) and outsiders; identity theft; viruses; data leakage; and online banking fraud (for the banking industry, which includes phishing, pharming and identity theft). Though the security threats remain almost the same year after year, they simply assume new avatars every time they appear.

But the biggest threats that enterprises should consider are:

  • Complacency: Many organizations fail to take threats to their security seriously, taking instead the view, "It won't happen to us". The first step towards safeguarding information from harm is recognizing that threats do exist and deciding that information warrants security measures

  • Poor execution: Half-hearted security measures are worse than none at all. An inadequate security system not only fails to keep out threats, but also offers a false sense of security to the organization

  • The naive employee: Human nature can be the weakest link in any security regime. Many users find security procedures a nuisance and skip them to get the job done. To combat this, nothing beats continued education and empowerment of users.

Experts panel

Ajay Kumar, country manager, Aventail India
Avnish Datt, country manager, Orange Business Services India
Jari Heinonen, director, Asia Pacific Region, F-Secure Security Labs
Mahendra Lalwani, managing director, ZyXEL Technology
Mohammed Hayath C, business development manager, Network Security, Cisco India & SAARC
Patrik Runald, senior security specialist, F-Secure Security Labs
Prasad Babu, director, Systems Engineering, Juniper Technologies
Prosenjeet Banerjee, head of Information Security Services, HCL Comnet
Sai Gundavelli, CEO, Solix Technologies
SR Kannan, head, Security, Sify
Vivek Sharma, general manager, ESG, Wipro

Because of these threats, enterprises would face data loss, loss of service, negative publicity and loss of reputation.

New Challenges
The next big wave of network deployments is likely to come from VoIP networks. Currently these networks are relatively safe because their numbers are small, but as they grow in popularity, hackers are also likely to be attracted to them. Thus, the current trend of treating VoIP as just another application will need to be refined and upgraded. With or without security, it is important to note that if the latency introduced by equipment is more than 120 milliseconds, the voice application will perhaps not be used for business applications.

While today's firewalls are doing a good job of protecting networks, firewalls for VoIP will need application level gateways for protocols like SIP or H.323. These special requirements crop up due to issues like protocols using more than one port in a session, or the extremely small size of VoIP packets. A VoIP packet is one of the smallest packets in IP and presents some unique challenges to network security equipment.
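The multi-port behaviour described above, as an added example that is not part of the original article: a SIP INVITE arriving on the signalling port carries an SDP body naming separate media ports, which an application level gateway has to read before it can open matching pinholes. The abbreviated message, the addresses and the function names are constructed for illustration, and RTCP on the RTP port plus one is the default convention assumed here.

```python
# Constructed, abbreviated SIP INVITE (RFC 5737 documentation addresses).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",        # session-level media address
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",    # RTP port negotiated per call
    "m=video 51372 RTP/AVP 31",
    "c=IN IP4 192.0.2.20",        # media-level override for video
    "m=application 0 udp wb",     # port 0: stream disabled, no pinhole
]) + "\r\n"

def media_pinholes(sip_message):
    """Return (media, ip, rtp_port, rtcp_port) for each active SDP stream."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []
    session_ip, streams = None, []
    for line in body.splitlines():
        fields = line[2:].split()
        if line.startswith("c=") and len(fields) == 3:
            ip = fields[2].split("/")[0]          # drop multicast TTL suffix
            if streams:
                streams[-1]["ip"] = ip            # media-level address
            else:
                session_ip = ip                   # session-level default
        elif line.startswith("m=") and len(fields) >= 4:
            port = fields[1].split("/")[0]
            streams.append({"media": fields[0], "ip": session_ip,
                            "port": int(port) if port.isdigit() else 0})
    # RTCP on RTP port + 1 is the default convention (assumed, no a=rtcp).
    return [(s["media"], s["ip"], s["port"], s["port"] + 1)
            for s in streams if s["ip"] and 0 < s["port"] < 65535]

def uncovered_by_static_rule(pinholes, allowed_ports=frozenset({5060})):
    """Media ports a signalling-only port rule would leave blocked."""
    return sorted(p for _, _, rtp, rtcp in pinholes
                  for p in (rtp, rtcp) if p not in allowed_ports)

if __name__ == "__main__":
    holes = media_pinholes(SAMPLE_INVITE)
    print(holes, uncovered_by_static_rule(holes))
```

A gateway that opens only the address and port pairs returned here, and closes them when the call ends, avoids the alternative of leaving a wide UDP range permanently open for media.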

Outsourcing Security Management
To outsource or not to outsource security management is a difficult call for CIOs. The promised benefits of outsourced security are attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore. In countries like Japan and South Korea, network security has moved towards an outsourced management model. A PricewaterhouseCoopers report says that the SMB segment would increasingly look at outsourced security management for their first line of defense, including firewall, IDS and incident reporting services. A recent survey by Forrester estimates that 30% of SMBs outsource their enterprise applications and 59% of those are concerned about the security of their data. In India, outsourcing of security is still a tough decision for network managers. Slowly the outlook is changing and there has been a rise in the management services space. Though enterprises are shying away from completely handing over security to a third party, remote management from a central location is taking off.

Major Security Trends
  • Database security will receive more attention

  • Identity federation use will increase

  • Virtual directories will drive identity projects

  • End-to-end application security thinking will evolve

  • Role-based access controls will shake out

  • Business partners must prove their network security

  • Credit-reporting agencies will get involved in identity-theft prevention

  • Secure coding will get more attention

Also, the potential risks of outsourcing are considerable. Selecting the wrong vendor is a costly affair. There are stories of managed security companies going out of business, and of bad experiences with outsourcing in other areas of IT. If deciding whether to outsource security is difficult, deciding what to outsource and to whom seems nearly impossible. Over the past few years, we've seen many different companies offering different capabilities under the general category of "managed security services." The field is so confusing that even the industry analysts can't agree on how to categorize the services offered. One offers vulnerability scans, another managed security policies, and someone else offers network monitoring services, etc.

Security management should be outsourced to a reliable Managed Security Service Provider (MSSP). The business models that can be adopted include managing the security infrastructure from the Security Operation Center (SOC) at the partner's location, or building a captive SOC within the customer's premises. However, the business model finally adopted needs to be chosen based on the customer's requirements and accepted service level agreements (SLAs).
