From the Publisher:
Growing
up on the east coast I used to love it when my folks
brought my siblings and I to Dairy Queen for ice cream
during the summer. I would always order a soft chocolate
ice cream cone with chocolate syrup poured on top
which, after a few seconds became a hard shell. After
breaking the shell you would be rewarded with the
soft cool taste of chocolate ice cream. Enterprise
network security is a lot like a Dairy Queen ice cream.
Network executives have been busy building a hard
shell around the perimeter of their enterprises and
leaving their internal networks soft and a delicious
place for some attacker. But attackers don't necessarily
come in through the perimeter. A consultant or a customer
with a laptop plugs into the network and spews a virus
into the soft core of your enterprise network, sending
operational personnel on a forensic hunt for clues
to what just caused all your systems to become polluted
with a productivity crippling security breach.
In
this Lippis Report we explore how the network perimeter
shell is getting harder thanks to a new class of device
called the Security Services Switch. In the next three
Lippis Reports, during this network security series,
we'll discuss strategies and options for making the
core more resistant to security threats and vulnerabilities.
At the end of this series on Oct 16th, at 11:00 AM
EST the Lippis Report will host a free webinar on
Strategies For Deploying Integrated Network Security.
I will moderate a session with CompUSA's
(www.compusa.com) Ken Monroe, Director of Networking
and Telecommunications; Brad McCormick of Ruder
Finn Interactive (www.ruderfinn.com), which developed
and secured the
Home Land Security web site www.ready.gov for
the federal government; and Cybergnostic
(www.cybergnostic.com), a managed service provider
offering hosting, networking and security solutions
for mid-sized firms and other network managers. The
panel will share their experiences on how they identified
security threats and what strategies they have employed
to close these vulnerabilities.
This
third Lippis Report in the enterprise network security
series provides our thinking on Perimeter Security,
the first tier of our four-tier network security model
discussed in Lippis
Report Volume 18. The next three Lippis Reports
will address Microsoft's impact on the network security
industry as it massively enters the market, a CompUSA
case study and an update on Wi-Fi security; see future
Lippis Reports below for abstracts on these Lippis
Reports. Chris Aronis, Principal of Synapse Strategies,
is co-author on this network security series. I've
worked with Chris for many years on multiple consulting
engagements. Over the past few years he's focused
on the network security space and provides insight
and perspective on its volatile dynamics. Chris can
be reached at caronis@synapsestrategies.com.
Interact
with Nick Lippis and special guests on the crucial
topics covered in the Lippis Report.
The Lippis Report comes "alive" with insightful content
from your peers and other leading authorities through
our new series, Enterprise Networks 2004. Enterprise
Networks 2004 gives you practical, eye-opening information
both online and face-to-face to help you make networks
more productive, more secure, and more efficient.
Plus you'll get candid analysis and wisdom from Nick
himself at every event. And that will make you more
productive, more secure, and more efficient.
Please
see the schedule of events at
the bottom of this email or for more information and
to register for Enterprise Networks 2004 visit www.en2004.com.
|
|
The New Perimeter: The Security Services Switch
Enterprise networking has long been a game of cyclical expansion and contraction:
network architectures and applications are centralized,
then distributed; connectivity is aggregated, then
segmented; equipment is aggregated, then separated;
you get the picture. There are several factors that
drive these cycles, including- new protocols, architectures
and product categories.
Network security is no exception to this trend, particularly
on the perimeter, where security architectures have
traditionally been anchored. The perimeter has become
the primary location to deploy security functionality,
including and in addition to the typical enterprise
firewall. Virtual Private Network (VPN) gateways,
content/URL/email filtering, and virus scanning are
all being concentrated on the perimeter, and with
good reason: if an attack penetrates the firewall
and breaches the LAN before it is addressed by these
systems, then you can count on your operational staff
spending days focused on forensics and cleaning up
the mess the attack caused. Fortifying the perimeter
significantly reduces the likelihood that an outside
attacker will ever reach the LAN and, by extension,
critical enterprise assets. In short, most network
executives are creating a hard shell around the perimeter
of their enterprise.
The Perimeter Expands
One of the biggest challenges faced by IT managers is
maintaining control over a constantly growing number
of security threats, devices and policies. It’s true
that deploying a multi-faceted, multi-tiered security
framework is paramount to ensuring network security,
but no one said it was going to be easy. Over the past
12-24 months, several new product categories have emerged
to fortify the network perimeter. Scanning and filtering
functions have moved off the desktop and up into the
perimeter, bringing a range of new devices with them.
Intrusion Detection Systems (IDS) and, more recently,
Intrusion Prevention Systems (IPS), have also appeared.
These systems focus on identifying “abnormal” behavior
on the network – operating under the premise that an
attacker’s behavior is notably different than typical
network activity.
While
the significant volume of data and false alarms (false
positives) generated by IDS are a common objection to
their deployment, perhaps the larger issue is that IDS
are passive: even if an actual breach is detected, the
IDS can do nothing but activate an alert and report
on the incident. This shortfall was the basis for the
development of IPS – platforms that not only identify
breaches, but actively close ports and LAN resources
to thwart the attack. Herein lies the rub: if I’m not
mistaken, this is the definition of a stateful firewall.
If so, why do enterprises need to purchase, configure
and manage another device with seemingly redundant functionality?
Network
Security Contraction: The Security Services Switch
Given that it increasingly makes sense to concentrate
multiple network security functions on the perimeter
and the corresponding increase in expense and management
overhead this creates, it was only a matter of time
before the vendor community addressed the situation
with an integrated solution. Enter the Security Services
Switch – a purpose-built, integrated security platform
designed to collapse security functions and management
into a single perimeter device. Most of these devices
utilize the foundation of perimeter security – the firewall
– as the core building block of the platform.
The premise of the Security Services Switch is simple:
reduce the number of moving parts on the network perimeter,
thus simplifying the security infrastructure and reducing
the capital and operational burden of securing the network.
In looking at how large enterprises traditionally scale
and harden their security infrastructure, this makes
good sense. As mentioned above, each new security application
has traditionally required a separate appliance. This
includes Firewall/VPN gateways, virus scanning, content
filtering, IDS/IPS, etc. In order to achieve redundancy
and high availability, multiple platforms for each security
function are often deployed, along with additional software
to manage outages and failover issues. Next, load balancers
and switches are deployed in front of these security
clusters, making both primary and backup platforms active
to load share and maximize performance.
Sound confusing and expensive? It is. And perhaps the
greatest challenge of this approach is managing this
environment. The sheer volume of devices deployed to
secure the enterprise is daunting enough, and these
platforms rarely come from one or even two vendors.
Often times when they do, it has been through acquisition,
and limited integration exists between the management
systems of each - meaning several separate proprietary
management systems must be mastered. This creates possibly
the most significant vulnerability of all: an understaffed
IT department attempting to manage and maintain a broad
and disparate security environment.
Security Services Switch vendors are mitigating this issue
by layering key security applications into a single, robust
platform with a common centralized management interface.
These platforms range from SMB-targeted bundling of firewall,
VPN, IDS, content filtering and virus scanning, such as
Symantec’s Gateway Security Appliance, to full-blown large
enterprise/carrier-class chassis-based platforms from
startups Crossbeam
Systems (www.crossbeamsystems.com),
Nauticus Networks (www.nauticusnetworks.com), and
Inkra Networks
(www.inkra.com). These platforms provide high- performance,
high-availability infrastructure for a combination of
firewall/VPN, IDS/IPS, and multiple scanning and filtering
functions – all of which can be added by the enterprise
through a variety of a la carte application modules. Cisco
has also thrown its hat into the ring by adding security
blades for its Catalyst 6500 line, as well as Nortel,
which is leveraging the load-balancing and webswitching
legacy of its Alteon acquisition to drive high-performance
security applications.
The Security Services Switch marks a new way of thinking
for enterprise network security. Crossbeam is a primary
example of this. First, enterprises have long believed
they needed to deploy several discreet devices to achieve
security and reliability – this is no longer the case
with Crossbeam’s high performance architecture and fully
redundant design. Next, until only recently, it was
thought that the processor-intensive nature of security
applications required custom ASICs to achieve the desired
performance metrics. With Moore’s Law humming along
as fast as ever, general-purpose network processors,
and even standard Intel-based platforms, provide more
than adequate performance. This is a key paradigm shift
in network security platforms; as vendors simply cannot
spin new ASICs fast enough to keep pace with software
development. Utilizing general-purpose network processors
such as Crossbeam has helped to control costs and accelerate
the pace of feature additions.
Stepping outside of the hardware, perhaps the most interesting
aspect of Crossbeam is that it has not fallen victim
to the common startup mistake of attempting to develop
every feature and application internally. Crossbeam
has focused on developing the underlying platform for
security services, a high-performance network-based
application server. It has turned to industry leaders
to provide security applications: Check
Point (www.checkpoint.com) and Secure
Computing (www.securecomputing.com) for VPN/firewall;
Enterasys
(www.enterasys.com) and ISS
(www.iss.net) for IDS/IPS; Trend
Micro (www.trendmicro.com) and F-Secure
(www.f-secure.com) for antivirus and content filtering;
and Websense
(www.websense.com) for monitoring and reporting. This
aggressive partnering strategy with major players is
key to Crossbeam’s success, as they have learned early
what many now-defunct security startups failed to understand:
given the critical and strategic nature of network security,
brand names matter. And, while Crossbeam may not yet
be a household name, its partner roster suggests otherwise.
Pulling
It All Together
What does the advent of the Security Services Switch mean
to your enterprise? Should you run out and replace your
multi-device, multi-tiered security infrastructure with
a Security Services Switch? Not just yet. The majority
of the robust, modular platforms in this space are still
very large and expensive, making them ideally suited for
enterprise data center and service provider implementations.
That said, if you have a data center security initiative
upcoming or already underway, you should absolutely add
these platforms to your due diligence list. On the lower
end and for branch and satellite sites, bundled security
appliances from Symantec, Network Associates and others,
which include VPN, firewall, IDS and virus scanning, are
a solid choice.
But what about the enterprise
that has already invested significantly in its perimeter
security infrastructure? The answer, simply put, is
go back to the beginning: the firewall. Stateful filtering
and blocking functions, such as those provided by IPS,
should not require a separate discreet device. Enterprises
should push their firewall vendors to integrate this
functionality into the firewall where it belongs. The
IDS/IPS space has grown on the premise that firewalls
are ineffective at keeping intruders out of the enterprise
network – the very reason for the firewall’s existence.
As new perimeter security functions come to market,
don’t run out to purchase the latest and greatest point
appliance solution, yet another device that needs to
be separately deployed, managed and maintained – instead,
look to your firewall vendor to tie these applications
up into a robust, integrated platform, as well as to
the evolving Security Services Switch.
Your
comments are always welcome. Send them to us at info@lippis.com.
See you on Oct 16th, 2003 at 11:00 am EST
Strategies For Deploying Integrated Network Security
webinar.
Your comments are always welcome. Either send them to
us at info@lippis.com
or post them at our Web Log www.lippis.com/community.html
|
|
Special
thanks to Barbara Thomsen barbarathomsen@peoplepc.com
for copy editing this Lippis Report.
The
Lippis Report is written by Nick Lippis, a world-renowned
authority on corporate computer networking and consultant
to CxOs of Global 2000 companies.
Please
feel free to forward The Lippis Report to your peers.
If you received The Lippis Report by it being forwarding
to you, you are welcome to a free subscription at the
www.lippis.com
site. To be removed from this list please reply with
"remove" in the subject field.
Reporters
are free to quote The Lippis Report with acknowledgement.
past
issues
|
|
Upcoming
Lippis Reports: Microsoft
& Security: A Sleeping Giant Awakens
Bill Gates made it very clear in early 2003: Microsoft
will be a player in enterprise security – and he’s got
$40B that says it will. Microsoft has been spending
significant time, money and resources in the development
of its Trustworthy Computing initiative, acquiring new
products like antivirus while revamping existing solutions
like its Internet Security & Acceleration (ISA) Server
platform. As Microsoft forays deeper and deeper into
enterprise security, how will its software-based security
solutions, closely tied to its OS, applications and
server platforms, impact the enterprise landscape? In
this Lippis Report, we probe into Microsoft’s security
initiatives and their effects on your current network
and vendors.
Case Study: CompUSA
Ken Monroe, Director of Networking and Telecommunications
for CompUSA, provides his insights into how he approached
CompUSA’s network security challenges. We’ll talk about
the four layers of network security and get Ken’s take
on securing corporate network assets against external
and internal threats.
WLAN Security: Taking Control of the Airwaves
It’s official: WLANs have penetrated the enterprise
and are here to stay. However, the freedom and flexibility
that WLANs offer comes at the expense of multiple security
vulnerabilities. The inadequacies of WEP are well known,
documented and exploited, leaving enterprise managers
scrambling for alternative means of securing the WLAN.
In this Lippis Report, we will explore secure WLAN architectures,
as well as new solutions that enterprises are employing
to securely extend the WLAN.
IP Telephony Economics
There are 1800 IP phones shipped each day with over
3 million IP Telephony connections made in the past
3 months. Who is buying IP Telephony solutions and why?
In this Lippis Report we'll explore the economics of
an IP Telephony implementation. IP Telephony Market
and Vendor Report, August
2002: Many of you have requested detailed information
on the IP Telephony market, particularly vendor/equipment
supplier information. Here is our response. If you're
serious about implementing IP Telephony then you need
to read The IP Telephony Market and Vendor Report, available
for immediate release at www.lippis.com. This report
is written by Nick Lippis, a world-renowned authority
on corporate computer networking, and Chris Aronis,
an experienced networking consultant and analyst at
Lippis Consulting.
IP Telephony
Market and Vendor Report, August 2002:
Many of you have requested detailed information on the
IP Telephony market, particularly vendor/equipment supplier
information. Here is our response. If you're serious
about implementing IP Telephony then you need to read
The IP Telephony Market and Vendor Report, available
for immediate release at www.lippis.com.
This report is written by Nick Lippis, a world-renowned
authority on corporate computer networking, and Chris
Aronis, an experienced networking consultant and analyst
at Lippis Consulting.
The IP Telephony Market and Vendor Report is written
with the insights that only Lippis and Aronis can provide.
They discuss the major changes that are occurring in
the voice market and how enterprise IT managers can
exploit these changes to increase your business productivity
and EBITDA. In this report Lippis Consulting profiles
and accesses all the major enterprise IP Telephony vendors
including Avaya, Nortel, Cisco, 3Com, Mitel, Vertical
Networks, Shoreline and Pingtel.
Think Cisco is leading the IP Telephony market? Think
again! Can Mitel's PBX business survive or will it end
up like Fujitsu's? Can Avaya and Nortel keep their customers?
Is Vertical Networks boxed in? Can 3Com and Shoreline
scale up? Can Pingtel execute on its open IP Telephony
model? Lippis and Aronis provide detailed answers to
these and other questions, as well as recommendations
that will guide you through the thought process of developing
an IP Telephony solution and, most importantly, present
what you may expect as you start implementation. They
draw upon their experience in assessing network architecture
with large enterprises for IP Telephony readiness, RFP
development and vendor selection to deliver the insights
others simply can't provide.
So if you're serious about implementing IP Telephony,
and you should be, get your copy of The IP Telephony
Market and Vendor Report at www.lippis.com.
Your company, customers and shareholders will be glad
you did.
Reporters can receive a free copy of The IP Telephony
Market and Vendor Report by sending mail to info@lippis.com.
Reporters are free to quote The Lippis Report with acknowledgement.
Entire
contents C 2003 Lippis Enterprises, Inc. All rights
reserved. Reproduction of this publication in any form
without prior written permission is forbidden. The information
contained herein has been obtained from sources believed
to be reliable. Lippis Enterprises, Inc. disclaims all
warranties as to the accuracy, completeness or adequacy
of such information. Lippis Enterprises shall have no
liability for errors, omissions or inadequacies in the
information contained herein or for interpretations
thereof. The reader assumes sole responsibility for
the selection of these materials to achieve its intended
results. The opinions expressed herein are subject to
change without notice.
|
|
|