As the complexity and volume of threats increase, the menace cannot be fought
just with complex solutions that most enterprises don't understand. Network
security is best ensured by following a process: assessing and determining
risks, designing a security policy, building a security architecture based on
that policy and then looking for tools that are aligned with the policy. An
enterprise must constantly monitor and change the security policy and system in
accordance with changes in the external environment and the business model it
follows.
Technology Options
- Integrated Security Devices: On one hand, companies like NetScreen
Technologies are delivering highly integrated network security systems that
combine security elements like firewall, IDS, DoS protection, VPN and QoS. On
the other hand, networking vendors such as Cisco Systems are integrating
security modules into their standard networking products. Having security
measures embedded directly into network elements ensures a certain degree of
inherent protection in any communications network. From there, network managers
can determine for themselves how to balance their degree of vulnerability
against openness, cost and administrative considerations by activating the
security options that make sense for their organizations. Then there are
vendors like Avaya who, in order to address the security needs of converged
voice and data networks, are promoting the concept of converged security, which
delivers security as an integrated component of multi-service networks. A
number of semiconductor vendors are now offering high-performance security
processors capable of handling multi-gigabit streams, significantly increasing
the options open to both network operators and equipment vendors. Products
range from simple security accelerators that are used with external packet
processors to fully integrated devices with clear traffic on one side and
encrypted traffic on the other.
- Emulating the Human Immune System: Taking a cue from the functioning of the
human immune system, some companies have come out with solutions that block and
neutralize damaging attacks from viruses, worms and other forms of attack,
while allowing legitimate system behavior for every application on every server
in the network. Take for example Sana Security's Primary Response application
security platform named Sana Profile (SP). SP learns normal application
behavior by observing code paths in running programs. Vulnerabilities, in the
form of software bugs, misconfigurations, injected code and other forms of
attack, force applications down unexpected code paths. The SP technology
immediately identifies these anomalous code paths as being outside of normal
application behavior, and stops them by blocking system call executions. It
effectively protects all server applications, including custom applications.
And it continually learns legitimate changes within applications, producing
minimal false positives.
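A simplified illustration of the learn-then-block approach just described, added here as an example (it is not Sana Security's code and does not reproduce its code-path technology): the profile is built from short system-call sequences (n-grams) seen during normal operation, anything outside it is flagged for blocking, and behaviour vetted as legitimate can be folded back into the profile. The traces below are constructed for illustration.

```python
WINDOW = 3  # length of the system-call n-grams that make up the profile

# Constructed traces of a hypothetical server handling requests normally.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "write", "close"],
    ["accept", "read", "stat", "open", "read", "write", "close"],
    ["accept", "read", "write", "close"],
]

def ngrams(trace, window=WINDOW):
    """Yield every consecutive window of `window` calls in a trace."""
    for i in range(len(trace) - window + 1):
        yield tuple(trace[i:i + window])

def learn_profile(traces, window=WINDOW):
    """Learn 'normal' behaviour: the set of n-grams observed in training traces."""
    return {gram for trace in traces for gram in ngrams(trace, window)}

def score_trace(trace, profile, window=WINDOW):
    """Return the n-grams in `trace` that the profile has never seen."""
    return [gram for gram in ngrams(trace, window) if gram not in profile]

def classify(trace, profile, threshold=1):
    """Decide whether to let the sequence proceed or block the system call."""
    return "block" if len(score_trace(trace, profile)) >= threshold else "allow"

def update_profile(profile, traces, window=WINDOW):
    """Fold traces vetted as legitimate (e.g. after a code update) into the profile."""
    profile |= learn_profile(traces, window)
    return profile
```

The `threshold` of one unseen n-gram is deliberately strict; a real deployment tunes it against the false-positive rate the text mentions.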
- IDS versus IPS: The days of intrusion detection systems (IDS) could be
numbered. Leading security vendors are working to replace IDS with intrusion
detection and prevention systems (IPS). As a proactive tool, IPS would not only
help detect an attack but also halt one in progress. In the current security
environment, IDS have been found to be inadequate as they are reactive tools.
Security companies are also positioning vulnerability assessment tools as a
successor to IDS, because they scan a company's networks and machines and
suggest patches and fixes. Typically, an organization will need firewalls,
anti-virus software, an intrusion detection system (IDS) and a
content-inspection solution to secure its networks. Depending on the need and
circumstances, it may also need virus scanners, VPN clients and VPN routers, PKI
and application software enabled with socket-level security.
- Single-box Solutions: If an organization is looking at deploying a minimum
level of security (and is ready to live with some of the risks and threats), it
could settle for a box or two having multiple security functions. Even though a
single security appliance that would include all of the above is still a year
or two away, there are, for example, firewall appliances that come bundled with
several other security functions like VPN, IDS, anti-virus, blocking,
management and bandwidth management. Similarly, there are other boxes which
have other important functions like content inspection. Notwithstanding the
fact that an all-in-one security box may not be effective for all enterprises,
the approach could still have benefits for some organizations. The single-box
approach would simplify product selection, product integration and ongoing
support. As most enterprises find it difficult to retain their security staff,
single-box solutions are the best way out, as most of them can be easily
installed and managed even by non-technical people. They can also be easily
managed remotely. Another important benefit that an 'all-in-one' box solution
could entail is that it could help organizations overcome the problem of
supporting too many different operating systems and heterogeneous platforms.
Today, firewall or VPN appliances come with embedded operating systems. As
such, users do not need to worry about which operating system they should use
to maximize the performance of the appliance.
- Functions-oriented Approach: If organizations are looking at higher security
levels that could involve deployment of several security features, the
one-in-all box approach won't work. First, there are no boxes available today
that have all the key security functions in them. A complete security solution
would include elements like proxy servers/firewalls, IDS, virus scanners, VPN
clients and VPN routers, PKI, and application software enabled with
socket-level security. Of course, no vendor offers all this in one box.
Besides, there is still a strong opinion that each device is specifically
designed for a specific function, and does that job optimally.
Security Best Practices
- Evaluate Risks: Assess internal and external business and security
environments. Analyze all the available historical data to look for patterns
and identify vulnerabilities. What are the special features of your business?
What is your network architecture like? Is your current network security
infrastructure adequate? How critical is the role played by the network in your
business?
- Come up with a Security Policy: Based on the risk evaluation, design and
implement a security policy, and link that policy to business risks. Involve
business managers in risk assessment: involving business managers in
identifying potential threats, vulnerabilities and the consequent impact on
business operations could help them better understand the imperatives of
network security.
- Establish a Central Management Focal Point: Designate a central group to
carry out the key activities. Provide the central group with ready and
independent access to senior management. Designate dedicated funding and staff.
Enhance staff professionalism and technical skills.
- Promote Awareness: Continually educate users and others on risks and the
related policies, using attention-gaining and user-friendly techniques.
- Monitor and Evaluate Policy and Control Effectiveness: Monitor factors that
affect risk and indicate security effectiveness. Use the results to direct
future efforts and hold managers accountable. Stay alert to new monitoring
tools and techniques.
- Distinguish between Policy and Guidelines: While the security policy should
set out the fundamental requirements that senior management considers
imperative, guidelines should provide more detailed rules for implementing the
broader policy. Guidelines can also be designed as an educational tool that
helps network users understand and follow the desired security practices.
- Incident-handling Mechanism for Security Breaches: A security systems
investigation procedure that addresses evidence preservation and forensic
examination must be formulated, with a trained response team in place, so as to
tackle emergencies.
- Third-party Assessment: External third-party audits should be carried out
regularly to get an independent assessment of network security effectiveness.
- Look for These in a One-in-all Box: If you are looking for a complete
security appliance, it must have at least firewall, anti-virus, IDS and
content-inspection functions. However, check whether too many features in one
box are affecting its ability to perform. In many cases, that is likely. So
avoid asking for everything in one box if your security requirements are
complex.
- See that the Box Goes with the Security Policy: This is the first important
factor that any enterprise should look for before buying any security
appliance. One should not buy a box just because it can perform umpteen
security functions. Check whether the box is capable of meeting the stated
objectives of the security policy. Also, a security appliance is deployed in an
extremely dynamic environment and requires constant evaluation to manage the
threats posed. So check the box for scalability.
- Have a Patch Management System in Place: Such a system is needed to protect
networks from virus and worm attacks. Many attacks in the past have happened
because an enterprise didn't apply a patch update in time.
- Step-by-step Buying: Organizations can have a diverse range of security
needs, ranging from anti-virus protection to malicious content inspection and
defence against hacker attacks. However, an organization may not need all the
security features at one go. Depending on the context, buy only what you need
today, but always keep the option of upgrading open.
Amit Kumar, national marketing manager, Tata Telecom
Naresh Wadhwa, vice-president, Cisco Systems India & SAARC
Paul Serrano, senior director of marketing, Asia-Pacific, NetScreen Technologies
Swapan Johri, director (managed security services), HCL Comnet
Vaidyanathan Iyer, national manager (eSecurity Business), Computer Associates
Lt. Col. H S Bedi, managing director, Tulip IT Services
If Networks Are All-pervasive, so Are the Threats too...
Speed, efficiency and productivity drive business. These drivers, however,
cannot be imagined without information and communications technologies. And
these technologies in turn ride on a maze of networks that have become
all-pervasive and hence indispensable to our daily social and economic
existence. That's one part of the story. The other part of the story is the
fact that as businesses become more and more dependent on networks, they become
more and more vulnerable to threats and attacks from hitherto unimagined
sources.
Now just consider these findings of the recently released Symantec Internet
Security Threat Report, which surveyed more than 400 companies in 30 countries:
- On average, companies experienced 30 attacks per company per week during the
last six months of 2002.
- Approximately 85 percent of this activity was classified as pre-attack
reconnaissance, and the remaining 15 percent were various forms of attempted
(or successful) exploitation.
- Despite the decline in attack volume over the prior six-month period, average
attacks per company during the past six months remained 20 percent higher than
the rate recorded during the same six-month period in 2001.
The same report also had another set of warnings for networked companies:
- In addition to exceeding external attacks in overall volume, the customer
self-assessments of damage were particularly high for internal cases of abuse
and misuse.
- High self-reported damage estimates, coupled with the relative simplicity
with which the perpetrators acted, should be considered a warning sign that
protecting against the internal threat is extremely important.
A Nascent Industry Prepares to Move up the Value Chain
Enterprises are yet to shed their inhibitions and go the whole hog for security
solutions. Almost all the big global players in the network security solutions
and product market are present in India, either directly or through channel
partners. Every second network integrator claims to provide network
security-related services, be it consulting, network architecture design or
plain product deployment. Despite all this, the network security
solutions/products market (including what is called the security appliance
market) could not cross the Rs 150 crore mark in the year 2001-02. This figure
has been arrived at by putting together inputs from vendors, resellers and some
of the leading network integrators, and includes anti-virus software, firewalls
(software and hardware), IDS, as well as some amount of authentication,
encryption and digital certification products.
It is our as well as the industry’s view that the network security market
in India has long been dominated by anti-virus software and firewalls. And it
was no different in 2001-02. This is largely because of the fact that network
security in India is still mostly anti-virus software and firewall-centric.
However, this does not mean that there was no market for advanced security
solutions like PKI. Some major deals in authentication solutions were also
reported. Moreover, following the growing international trend, security
appliances too became popular with enterprises in the Indian market, with
vendors like Nokia Internet Communications, Cisco, Symantec and Net Secure
making their presence felt in the security appliance market in a big way. PKI
and digital certificates made their presence felt after the government put in
the legal infrastructure for e-commerce transactions in place.
Banking, financial services companies and multinationals remained the biggest
buyers of security products in India. They were also the ones who looked beyond
anti-virus and firewall while securing their networks. Defense organizations
were one of the biggest buyers of network security products in the country. And
if we club them with the public sector banks, then government was easily the
largest vertical for network security products.
The main factors inhibiting the growth of the network security market in India
were the unwillingness of most enterprises to invest in security beyond a
certain point, a lack of trust in outside agencies, and a lack of quality
security skills.
This year, with the increase in bandwidth availability and with more and more
organizations looking at remote office management, VPN could offer a large
opportunity. VPN could grow on account of service providers using abundant
bandwidth in shared mode with over-provisioning, because of the pressure on
bandwidth prices. Dial-up VPN is already picking up. Moreover, host-based
security systems like IDS and content inspection are also likely to pick up.
With VoIP getting a new push from Internet telephony, voice encryption could be
another opportunity. Growth in e-commerce transactions is also likely to fuel
expansion.
Source: VOICE&DATA Networking Masters May 2002
Managed Security Service–What It Can Do for You...
More and more organizations are turning to managed security service providers
(MSSPs) for a range of security services.
Corporates are realizing that security is not a one-time issue. An attack can
happen any time of the day, any day of the week and there is an increasing need
to protect networks 24x7. The benefits accrued through MSSPs are multifold:
24x7 Monitoring: It is estimated that almost 60 percent of attacks happen
during the graveyard shift, a period when the availability of skilled resources
is always in question. To proactively detect and respond to attacks, 24x7
monitoring becomes an imperative. 24x7 monitoring involves a three-shift
operation. Even if just one security expert per shift is enough (which is a
difficult presumption, considering the high domain specialization required in
data security), an organization will require at least three security experts
for round-the-clock monitoring, which would be a huge cash outflow.
Powerful Event Correlation: In a corporate environment, event handling tends to
become people-dependent. Given the inconsistency in event occurrence, it becomes
difficult to correlate similar incidents to detect an attack. Moreover,
organizations do not work on the Standard Operating Procedures that are
required to effectively defuse an attack. Even after having an in-house expert
look at an event, one is not confident of the type of attack that has happened
and the effective method to resolve it. MSSPs provide automated event
correlation capabilities that list events with similar patterns and correlate
them to detect an attack.
Managing False Alerts: False positives constitute 99 percent of total security
alerts, making it extremely difficult to segregate the 1 percent of actual
alerts. A typical firewall generates thousands of alerts a day, while an IDS
can generate megabytes of raw log data that becomes practically impossible to
interpret. MSSPs have automated tools that segregate the 1 percent of actual
attacks from the false positives, making security management a much easier
task.
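As an added example (not code from the article or from any MSSP), the kind of automated correlation the two points above describe: individual firewall deny events are grouped per source and destination, a source that touches many distinct ports on one host within a short window is escalated as a single probable reconnaissance scan, and the remaining denies are kept as low-priority noise rather than surfaced as raw alerts. The log format and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Constructed log: one host sweeps ports on a server (reconnaissance), another
# retries a single blocked port (a typical misconfiguration), one connection allowed.
SAMPLE_LOG = """\
2002-05-14T02:13:01 DENY src=198.51.100.7 dst=192.0.2.10 dport=21 proto=tcp
2002-05-14T02:13:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-05-14T02:13:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=23 proto=tcp
2002-05-14T02:13:03 DENY src=198.51.100.7 dst=192.0.2.10 dport=25 proto=tcp
2002-05-14T02:13:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2002-05-14T02:13:05 DENY src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2002-05-14T02:13:10 DENY src=10.1.1.5 dst=192.0.2.10 dport=445 proto=tcp
2002-05-14T02:14:10 DENY src=10.1.1.5 dst=192.0.2.10 dport=445 proto=tcp
2002-05-14T02:13:11 ALLOW src=10.1.1.9 dst=192.0.2.10 dport=80 proto=tcp
"""

def parse_log(text):
    """Parse firewall log lines into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def correlate(events, window=timedelta(seconds=60), min_ports=5):
    """Escalate a source that hits >= min_ports distinct ports on one destination
    within `window` as a probable port scan; report all other denies as noise."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["action"] == "DENY":
            by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts, noise = [], []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "ports": sorted(ports), "first_seen": first["ts"]})
                break
        else:  # no window reached the threshold: low-priority noise
            noise.extend(evs)
    return alerts, noise
```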
Emergency Response: Emergency response becomes difficult if a corporate is
managing its security in-house. The security team is either not available or
doesn't have adequate tools, processes or policies to respond to an attack.
MSSPs operate on Standard Operating Procedures that ensure near-real-time
response to all security incidents.
Reporting and Documenting Events: In-house reporting tools provide limited or
no visibility into the security infrastructure. Either the organization tends
to completely ignore the reporting aspect or delegates it to lesser-qualified
resources. Reporting becomes extremely crucial for forensics and also to
analyze the type of event and the method to counter it. MSSPs provide real-time
visibility into the security infrastructure, letting a CIO know the status of
his network at any point of time.
Upgrades and Patches: Security vendors come out with new patches on a regular
basis. The high frequency of patch releases and the multiplicity of security
products make it difficult for the organization to apply these patches in a
timely manner.
Trained and Dedicated Professionals: Certified security professionals
at an MSSP undergo extensive security training and rigorous background checks
prior to managing or monitoring an organization’s equipment.
Guaranteed Responsiveness: An MSSP begins escalation, identifying the source of
the problem, the moment it is detected. Aggressive Service Level Agreements
(SLAs) ensure that an organization will be notified immediately.
Enhanced Internet Security: This is critical, if governments and
businesses are to move high-value transactions and sensitive information online.
For many organizations, a managed security service represents the most effective
approach to deploying enhanced Internet security.