The Lippis Report Volume 20: The New Perimeter: The Security Services Switch


From the Publisher:

Growing up on the east coast I used to love it when my folks brought my siblings and I to Dairy Queen for ice cream during the summer. I would always order a soft chocolate ice cream cone with chocolate syrup poured on top which, after a few seconds became a hard shell. After breaking the shell you would be rewarded with the soft cool taste of chocolate ice cream. Enterprise network security is a lot like a Dairy Queen ice cream. Network executives have been busy building a hard shell around the perimeter of their enterprises and leaving their internal networks soft and a delicious place for some attacker. But attackers don't necessarily come in through the perimeter. A consultant or a customer with a laptop plugs into the network and spews a virus into the soft core of your enterprise network, sending operational personnel on a forensic hunt for clues to what just caused all your systems to become polluted with a productivity crippling security breach.

In this Lippis Report we explore how the network perimeter shell is getting harder thanks to a new class of device called the Security Services Switch. In the next three Lippis Reports in this network security series, we'll discuss strategies and options for making the core more resistant to security threats and vulnerabilities. At the end of this series, on Oct 16th at 11:00 AM EST, the Lippis Report will host a free webinar on Strategies For Deploying Integrated Network Security. I will moderate a session with CompUSA's Ken Monroe, Director of Networking and Telecommunications; Brad McCormick of Ruder Finn Interactive, which developed and secured the Homeland Security web site for the federal government; Cybergnostic, a managed service provider offering hosting, networking and security solutions for mid-sized firms; and other network managers. The panel will share their experiences on how they identified security threats and what strategies they have employed to close these vulnerabilities.

This third Lippis Report in the enterprise network security series provides our thinking on Perimeter Security, the first tier of our four-tier network security model discussed in Lippis Report Volume 18. The next three Lippis Reports will address Microsoft's impact on the network security industry as it massively enters the market, a CompUSA case study and an update on Wi-Fi security; see future Lippis Reports below for abstracts on these Lippis Reports. Chris Aronis, Principal of Synapse Strategies, is co-author on this network security series. I've worked with Chris for many years on multiple consulting engagements. Over the past few years he's focused on the network security space and provides insight and perspective on its volatile dynamics. Chris can be reached at

Interact with Nick Lippis and special guests on the crucial topics covered in the Lippis Report. The Lippis Report comes "alive" with insightful content from your peers and other leading authorities through our new series, Enterprise Networks 2004. Enterprise Networks 2004 gives you practical, eye-opening information both online and face-to-face to help you make networks more productive, more secure, and more efficient. Plus you'll get candid analysis and wisdom from Nick himself at every event. And that will make you more productive, more secure, and more efficient.

Please see the schedule of events at the bottom of this email or for more information and to register for Enterprise Networks 2004 visit

In This Issue:
  The New Perimeter: The Security Services Switch
  The Perimeter Expands
  Network Security Contraction: The Security Services Switch
  Pulling It All Together
  Special Announcement: The Enterprise Networks 2004 Program
  Upcoming Lippis Reports
  IP Telephony Market and Vendor Report

The New Perimeter: The Security Services Switch

Enterprise networking has long been a game of cyclical expansion and contraction: network architectures and applications are centralized, then distributed; connectivity is aggregated, then segmented; equipment is aggregated, then separated; you get the picture. Several factors drive these cycles, including new protocols, architectures and product categories.

Network security is no exception to this trend, particularly on the perimeter, where security architectures have traditionally been anchored. The perimeter has become the primary location to deploy security functionality, including and in addition to the typical enterprise firewall. Virtual Private Network (VPN) gateways, content/URL/email filtering, and virus scanning are all being concentrated on the perimeter, and with good reason: if an attack penetrates the firewall and breaches the LAN before it is addressed by these systems, then you can count on your operational staff spending days focused on forensics and cleaning up the mess the attack caused. Fortifying the perimeter significantly reduces the likelihood that an outside attacker will ever reach the LAN and, by extension, critical enterprise assets. In short, most network executives are creating a hard shell around the perimeter of their enterprise.

The Perimeter Expands

One of the biggest challenges faced by IT managers is maintaining control over a constantly growing number of security threats, devices and policies. It’s true that deploying a multi-faceted, multi-tiered security framework is paramount to ensuring network security, but no one said it was going to be easy. Over the past 12-24 months, several new product categories have emerged to fortify the network perimeter. Scanning and filtering functions have moved off the desktop and up into the perimeter, bringing a range of new devices with them. Intrusion Detection Systems (IDS) and, more recently, Intrusion Prevention Systems (IPS), have also appeared. These systems focus on identifying “abnormal” behavior on the network – operating under the premise that an attacker’s behavior is notably different than typical network activity.

While the significant volume of data and false alarms (false positives) generated by IDS are a common objection to their deployment, perhaps the larger issue is that IDS are passive: even if an actual breach is detected, the IDS can do nothing but activate an alert and report on the incident. This shortfall was the basis for the development of IPS – platforms that not only identify breaches, but actively close ports and LAN resources to thwart the attack. Herein lies the rub: if I’m not mistaken, this is the definition of a stateful firewall. If so, why do enterprises need to purchase, configure and manage another device with seemingly redundant functionality?
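The paragraph above contrasts three behaviours: a passive IDS that can only alert, an inline IPS that drops on a match, and a stateful firewall that decides by connection state. The simulation below is an added example, not code from the Lippis Report or from any vendor it names, and its packets, addresses, signature table and port policy are all constructed for illustration. It runs the same five-packet stream through all three and shows where they differ: the firewall's state table decides whether a packet belongs to a legitimately opened connection, while the IPS and IDS decide on payload content, so a request that the firewall correctly forwards (it arrived on a published port over a tracked connection) is still dropped by the IPS and only alerted on by the IDS.

```python
# Added example (not from the Lippis Report): a passive IDS, an inline IPS and a
# stateful firewall processing one constructed packet stream.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "S" = SYN, "SA" = SYN/ACK, "A" = ACK or data segment
    direction: str   # "in" = Internet -> LAN, "out" = LAN -> Internet
    payload: bytes = b""


# Constructed signature table; real IDS/IPS rules are far richer than a substring.
SIGNATURES = {"cmd.exe-probe": b"cmd.exe"}


def match_signature(pkt):
    """Return the name of the first signature found in the payload, else None."""
    for name, sig in SIGNATURES.items():
        if sig in pkt.payload:
            return name
    return None


class PassiveIDS:
    """Sees a mirrored copy of every packet; can raise alerts but never block."""
    def __init__(self):
        self.alerts = []

    def observe(self, pkt):
        name = match_signature(pkt)
        if name:
            self.alerts.append((pkt.src, pkt.dst, pkt.dport, name))


class InlineIPS:
    """Sits in the forwarding path; a signature match drops the packet."""
    def __init__(self):
        self.alerts = []

    def filter(self, pkt):
        name = match_signature(pkt)
        if name:
            self.alerts.append((pkt.src, pkt.dst, pkt.dport, name))
            return "drop"
        return "forward"


def flow_key(pkt):
    """Direction-independent key so replies map onto the flow that opened them."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class StatefulFirewall:
    """LAN-initiated flows and their replies pass; inbound SYNs pass only to
    published ports; any other unsolicited packet is dropped."""
    def __init__(self, published_ports):
        self.published = set(published_ports)
        self.flows = set()
        self.dropped = []

    def filter(self, pkt):
        key = flow_key(pkt)
        if key in self.flows:
            return "forward"          # part of a connection already in the state table
        if pkt.direction == "out" and pkt.flags == "S":
            self.flows.add(key)       # LAN host opening a new connection
            return "forward"
        if pkt.direction == "in" and pkt.flags == "S" and pkt.dport in self.published:
            self.flows.add(key)       # new connection to a published service
            return "forward"
        self.dropped.append((pkt.src, pkt.dst, pkt.dport))
        return "drop"


def run_perimeter(packets, published_ports):
    """A tap feeds the IDS every packet; the firewall and IPS sit inline, firewall first."""
    ids, ips, fw = PassiveIDS(), InlineIPS(), StatefulFirewall(published_ports)
    verdicts = []
    for pkt in packets:
        ids.observe(pkt)              # the IDS sees everything but decides nothing
        if fw.filter(pkt) == "drop":
            verdicts.append("drop:firewall")
        elif ips.filter(pkt) == "drop":
            verdicts.append("drop:ips")
        else:
            verdicts.append("forward")
    return {"verdicts": verdicts, "ids_alerts": ids.alerts,
            "ips_alerts": ips.alerts, "fw_dropped": fw.dropped}


# Constructed packet stream; addresses come from documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, "S", "out"),     # LAN user opens a web session
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "SA", "in"),     # reply to that session
    Packet("203.0.113.9", 5555, "10.0.0.5", 445, "S", "in"),       # unsolicited inbound to a LAN host
    Packet("203.0.113.9", 6000, "10.0.0.20", 80, "S", "in"),       # connection to the published web server
    Packet("203.0.113.9", 6000, "10.0.0.20", 80, "A", "in",
           b"GET /cgi-bin/cmd.exe HTTP/1.0\r\n\r\n"),             # request matching the signature
]

if __name__ == "__main__":
    result = run_perimeter(SAMPLE_PACKETS, {80})
    for pkt, verdict in zip(SAMPLE_PACKETS, result["verdicts"]):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags:2} {verdict}")
    print("IDS alerts:", result["ids_alerts"])
```

The third packet is dropped by the firewall alone (no state, no published port), and the fifth is forwarded by the firewall because it belongs to a tracked connection on a published port; only the content check in the IPS stops it, and the IDS merely records an alert. That is the practical difference between the two functions the paragraph asks about, and it is also why folding IPS-style content inspection into the firewall, as the report recommends later, is a matter of adding a check rather than replacing one.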

Network Security Contraction: The Security Services Switch

Given that it increasingly makes sense to concentrate multiple network security functions on the perimeter and the corresponding increase in expense and management overhead this creates, it was only a matter of time before the vendor community addressed the situation with an integrated solution. Enter the Security Services Switch – a purpose-built, integrated security platform designed to collapse security functions and management into a single perimeter device. Most of these devices utilize the foundation of perimeter security – the firewall – as the core building block of the platform.

The premise of the Security Services Switch is simple: reduce the number of moving parts on the network perimeter, thus simplifying the security infrastructure and reducing the capital and operational burden of securing the network. In looking at how large enterprises traditionally scale and harden their security infrastructure, this makes good sense. As mentioned above, each new security application has traditionally required a separate appliance. This includes Firewall/VPN gateways, virus scanning, content filtering, IDS/IPS, etc. In order to achieve redundancy and high availability, multiple platforms for each security function are often deployed, along with additional software to manage outages and failover issues. Next, load balancers and switches are deployed in front of these security clusters, making both primary and backup platforms active to load share and maximize performance.

Sound confusing and expensive? It is. And perhaps the greatest challenge of this approach is managing this environment. The sheer volume of devices deployed to secure the enterprise is daunting enough, and these platforms rarely come from one or even two vendors. Often times when they do, it has been through acquisition, and limited integration exists between the management systems of each - meaning several separate proprietary management systems must be mastered. This creates possibly the most significant vulnerability of all: an understaffed IT department attempting to manage and maintain a broad and disparate security environment.

Security Services Switch vendors are mitigating this issue by layering key security applications into a single, robust platform with a common centralized management interface. These platforms range from SMB-targeted bundling of firewall, VPN, IDS, content filtering and virus scanning, such as Symantec’s Gateway Security Appliance, to full-blown large enterprise/carrier-class chassis-based platforms from startups Crossbeam Systems, Nauticus Networks, and Inkra Networks. These platforms provide high-performance, high-availability infrastructure for a combination of firewall/VPN, IDS/IPS, and multiple scanning and filtering functions – all of which can be added by the enterprise through a variety of a la carte application modules. Cisco has also thrown its hat into the ring by adding security blades for its Catalyst 6500 line, as has Nortel, which is leveraging the load-balancing and web switching legacy of its Alteon acquisition to drive high-performance security applications.

The Security Services Switch marks a new way of thinking for enterprise network security. Crossbeam is a primary example of this. First, enterprises have long believed they needed to deploy several discrete devices to achieve security and reliability – this is no longer the case with Crossbeam’s high performance architecture and fully redundant design. Next, until only recently, it was thought that the processor-intensive nature of security applications required custom ASICs to achieve the desired performance metrics. With Moore’s Law humming along as fast as ever, general-purpose network processors, and even standard Intel-based platforms, provide more than adequate performance. This is a key paradigm shift in network security platforms, as vendors simply cannot spin new ASICs fast enough to keep pace with software development. Utilizing general-purpose network processors, as Crossbeam does, has helped to control costs and accelerate the pace of feature additions.

Stepping outside of the hardware, perhaps the most interesting aspect of Crossbeam is that it has not fallen victim to the common startup mistake of attempting to develop every feature and application internally. Crossbeam has focused on developing the underlying platform for security services, a high-performance network-based application server. It has turned to industry leaders to provide security applications: Check Point and Secure Computing for VPN/firewall; Enterasys and ISS for IDS/IPS; Trend Micro and F-Secure for antivirus and content filtering; and Websense for monitoring and reporting. This aggressive partnering strategy with major players is key to Crossbeam’s success, as they have learned early what many now-defunct security startups failed to understand: given the critical and strategic nature of network security, brand names matter. And, while Crossbeam may not yet be a household name, its partner roster suggests otherwise.

Pulling It All Together

What does the advent of the Security Services Switch mean to your enterprise? Should you run out and replace your multi-device, multi-tiered security infrastructure with a Security Services Switch? Not just yet. The majority of the robust, modular platforms in this space are still very large and expensive, making them ideally suited for enterprise data center and service provider implementations. That said, if you have a data center security initiative upcoming or already underway, you should absolutely add these platforms to your due diligence list. On the lower end and for branch and satellite sites, bundled security appliances from Symantec, Network Associates and others, which include VPN, firewall, IDS and virus scanning, are a solid choice.

But what about the enterprise that has already invested significantly in its perimeter security infrastructure? The answer, simply put, is go back to the beginning: the firewall. Stateful filtering and blocking functions, such as those provided by IPS, should not require a separate discrete device. Enterprises should push their firewall vendors to integrate this functionality into the firewall where it belongs. The IDS/IPS space has grown on the premise that firewalls are ineffective at keeping intruders out of the enterprise network – the very reason for the firewall’s existence. As new perimeter security functions come to market, don’t run out to purchase the latest and greatest point appliance solution, yet another device that needs to be separately deployed, managed and maintained – instead, look to your firewall vendor to tie these applications up into a robust, integrated platform, as well as to the evolving Security Services Switch.

Your comments are always welcome. Send them to us at

See you on Oct 16th, 2003 at 11:00 am EST
Strategies For Deploying Integrated Network Security webinar

Your comments are always welcome. Either send them to us at or post them at our Web Log


Special thanks to Barbara Thomsen for copy editing this Lippis Report.

The Lippis Report is written by Nick Lippis, a world-renowned authority on corporate computer networking and consultant to CxOs of Global 2000 companies.

Please feel free to forward The Lippis Report to your peers. If you received The Lippis Report by it being forwarded to you, you are welcome to a free subscription at the site. To be removed from this list please reply with "remove" in the subject field.

Reporters are free to quote The Lippis Report with acknowledgement.


Upcoming Lippis Reports:

Microsoft & Security: A Sleeping Giant Awakens
Bill Gates made it very clear in early 2003: Microsoft will be a player in enterprise security – and he’s got $40B that says it will. Microsoft has been spending significant time, money and resources in the development of its Trustworthy Computing initiative, acquiring new products like antivirus while revamping existing solutions like its Internet Security & Acceleration (ISA) Server platform. As Microsoft forays deeper and deeper into enterprise security, how will its software-based security solutions, closely tied to its OS, applications and server platforms, impact the enterprise landscape? In this Lippis Report, we probe into Microsoft’s security initiatives and their effects on your current network and vendors.

Case Study: CompUSA
Ken Monroe, Director of Networking and Telecommunications for CompUSA, provides his insights into how he approached CompUSA’s network security challenges. We’ll talk about the four layers of network security and get Ken’s take on securing corporate network assets against external and internal threats.

WLAN Security: Taking Control of the Airwaves
It’s official: WLANs have penetrated the enterprise and are here to stay. However, the freedom and flexibility that WLANs offer comes at the expense of multiple security vulnerabilities. The inadequacies of WEP are well known, documented and exploited, leaving enterprise managers scrambling for alternative means of securing the WLAN. In this Lippis Report, we will explore secure WLAN architectures, as well as new solutions that enterprises are employing to securely extend the WLAN.

IP Telephony Economics
There are 1800 IP phones shipped each day with over 3 million IP Telephony connections made in the past 3 months. Who is buying IP Telephony solutions and why? In this Lippis Report we'll explore the economics of an IP Telephony implementation.

IP Telephony Market and Vendor Report, August 2002:

Many of you have requested detailed information on the IP Telephony market, particularly vendor/equipment supplier information. Here is our response. If you're serious about implementing IP Telephony then you need to read The IP Telephony Market and Vendor Report, available for immediate release at This report is written by Nick Lippis, a world-renowned authority on corporate computer networking, and Chris Aronis, an experienced networking consultant and analyst at Lippis Consulting.

The IP Telephony Market and Vendor Report is written with the insights that only Lippis and Aronis can provide. They discuss the major changes that are occurring in the voice market and how enterprise IT managers can exploit these changes to increase their business productivity and EBITDA. In this report Lippis Consulting profiles and assesses all the major enterprise IP Telephony vendors including Avaya, Nortel, Cisco, 3Com, Mitel, Vertical Networks, Shoreline and Pingtel.

Think Cisco is leading the IP Telephony market? Think again! Can Mitel's PBX business survive or will it end up like Fujitsu's? Can Avaya and Nortel keep their customers? Is Vertical Networks boxed in? Can 3Com and Shoreline scale up? Can Pingtel execute on its open IP Telephony model? Lippis and Aronis provide detailed answers to these and other questions, as well as recommendations that will guide you through the thought process of developing an IP Telephony solution and, most importantly, present what you may expect as you start implementation. They draw upon their experience in assessing network architecture with large enterprises for IP Telephony readiness, RFP development and vendor selection to deliver the insights others simply can't provide.

So if you're serious about implementing IP Telephony, and you should be, get your copy of The IP Telephony Market and Vendor Report at Your company, customers and shareholders will be glad you did.

Reporters can receive a free copy of The IP Telephony Market and Vendor Report by sending mail to Reporters are free to quote The Lippis Report with acknowledgement.

Entire contents © 2003 Lippis Enterprises, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Lippis Enterprises, Inc. disclaims all warranties as to the accuracy, completeness or adequacy of such information. Lippis Enterprises shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.