While there will never be a simple answer to conquering the network security battle, dynamic technologies with built-in intelligence are turning it into a fair fight.
September 1, 2009
It seems that keeping up to speed on security is an ongoing battle for network managers and installers. Just when you think your firewalls and intrusion detection devices are on point, new layers of complexity get added to the mix.
That complexity is demanding that security infrastructures be faster, smarter and more dynamic than ever before.
According to experts, there are a number of major shifts in the way network security is implemented and managed that are driving security strategies today.
Virtualization has thrown a major spanner in the works. “Virtualization isn’t so much introducing additional threats, but it’s certainly adding complexity to logging and monitoring services,” says Dave Stuart, director of product management for Managed Security Services at Symantec Corp. in Cupertino, Calif.
It is also making the things that need to be secured harder to find, says Scott Stevens, vice president of Systems Engineering for Juniper Networks Inc. in Sunnyvale, Calif. “Now with virtualization and cloud computing, applications can move around a data centre real fast, so it’s harder for security applications to find what needs to be protected. A dynamic world requires a dynamic response.”
IP has also become “a big game changer” that is forcing companies to re-evaluate how they deploy their surveillance and access control systems, says Tom Boucino, security solutions manager, Intelligent Building Strategic Business Unit for CommScope Inc. in Claremont, N.C.
“We’re also seeing a lot of official requirements for wireless access,” Stuart adds. “It seems that everything demands an additional level of management attention.”
In talking to experts it seems that security can mean many things to many people. Following are some of the key security challenges that are creating headaches for network managers, and some approaches that are helping to make the job of securing networks easier.
Chasing the moving targets: Many agree that virtualization and cloud computing bring a new level of security challenges for network managers. “Applications are now moving around and the attacks are more interesting,” Stevens says. “Way back when you used to block port types, then firewalls came along that could look at applications and determine if they were legitimate. Then intrusion protection looked at packets to see what was going on in layers 3 and 4. Now you have to look closer and closer at the packets at layer 7, including HTTP traffic.”
To do that requires more sophisticated technologies that allow you to look deeper into packets and their trends over time, he adds. In addition, security has to become more dynamic to change what it is protecting, as applications move from one virtual server to another.
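The progression Stevens describes, from blocking by port to looking at what is actually inside the packet, is easy to see in code. The following is an added example written for this article, not Juniper’s or any vendor’s inspection engine: it classifies the first bytes of a TCP payload and compares a port-only rule with a layer-7 rule that also applies an HTTP-specific check. The port-to-protocol policy, the protocol fingerprints and the sample flows are all assumptions constructed for the demonstration.

```python
"""Added example for this article: why filtering by port alone is not enough
and what a layer-7 check adds. Illustrative code, not Juniper's or any vendor's
inspection engine; the sample payloads are constructed, not captured traffic.
"""

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}

# Assumed policy: which application protocol each open port is meant to carry.
EXPECTED_PROTOCOL = {22: "ssh", 80: "http", 443: "tls"}


def classify_payload(payload):
    """Identify the application protocol from the first bytes of a TCP payload."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def port_policy(dport):
    """Port-based rule: anything to an open port is allowed."""
    return "allow" if dport in EXPECTED_PROTOCOL else "deny"


def layer7_policy(dport, payload):
    """Layer-7 rule: the payload must be the protocol the port is opened for,
    and HTTP gets an application-level check (no CONNECT tunnelling through 80)."""
    if dport not in EXPECTED_PROTOCOL:
        return "deny"
    protocol = classify_payload(payload)
    if protocol != EXPECTED_PROTOCOL[dport]:
        return "deny:protocol-mismatch"
    if protocol == "http" and payload.startswith(b"CONNECT "):
        return "deny:http-connect"
    return "allow"


# Constructed sample flows: (destination port, first payload bytes)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_5.1\r\n"),                             # SSH hidden on port 80
    (80, b"CONNECT internal.example.com:443 HTTP/1.1\r\n\r\n"),   # proxy tunnel attempt
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"),       # start of a TLS ClientHello
    (445, b"\x00\x00\x00\x85\xffSMB"),                            # port not open at all
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (dport, port-only verdict, layer-7 verdict) for each flow."""
    return [(dport, port_policy(dport), layer7_policy(dport, payload))
            for dport, payload in flows]


if __name__ == "__main__":
    for dport, port_verdict, l7_verdict in evaluate():
        print(f"dport={dport:<4} port-rule={port_verdict:<6} layer7={l7_verdict}")
```

The second and third flows are the point: a port-based rule waves both through because port 80 is open, while the layer-7 rule notices that one is not HTTP at all and the other is HTTP being used to tunnel somewhere else. A real engine would look at far more than the first bytes, but the decision structure is the same.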
In this new dynamic approach, for example, a firewall needs to re-virtualize itself and redefine its security posture so it can “chase” the application, Stevens explains. “Typically firewalls, routers and switches can talk to each other, but not the applications. As security becomes more dynamic, however, that doesn’t work. You need your application to tell the firewall ‘I moved, come protect me over here’.”
A key element in the dynamic space is the decoupling of detection from blocking functions. Juniper, for example, is working on two technologies: SRC (session and resource control) for detection and UAC (unified access control) for endpoint defense. “Basically you have detection in one place, and the reaction and coordination points at another,” Stevens explains. “The real principle behind all this is decoupling detection from action but providing a means for them to talk to each other so that your network is smart enough to adapt dynamically to protect a server.”
Detection and correlation — Applying deep thinking: Sometimes security is all about looking at the big picture. At Symantec, they call it Deep Side Intelligence. This managed service offering “packages” security intelligence by combining a vulnerability database with event analysis. As Stuart explains, “the whole industry has been built around application proxies and firewalls. What has emerged is added layers of protection that can take alerts from devices, correlate that information with other devices, and apply intelligent thinking to the whole process so you can make smart decisions and determine when to assign actionable status.”
Symantec uses a plethora of tools to monitor network activity, profiles, hosts and end points. The activity of all these tools can be correlated to pinpoint active threats with accuracy. “We can assess events across different parts of a network, for example a firewall event with a host activity — through automated detection and correlation analysis to get a richer picture,” Stuart says.
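Stuart’s example of pairing a firewall event with host activity is the core of event correlation. The following is an added example written for this article, not Symantec’s service or any product’s logic: it reads two constructed feeds, a firewall log and a host authentication log, and marks a login as actionable only when the host saw repeated failures from the same source shortly before a success and the firewall independently saw that source reach the host. The log layout (`TIMESTAMP reporter action key=value ...`), the five-minute window, the failure threshold and every event are assumptions made for the demonstration.

```python
"""Added example for this article: correlating a firewall event with host
activity to decide when an alert becomes actionable. This is illustrative
code, not Symantec's service or any product's logic; the log formats and
every event below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # how far back to look for related events (assumed)
FAIL_THRESHOLD = 2              # failed logins needed before a success is suspicious (assumed)

# Constructed sample feeds in an assumed "TIMESTAMP reporter action k=v ..." layout.
FIREWALL_LOG = """\
2009-08-14T10:01:02 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2009-08-14T10:01:09 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2009-08-14T10:01:15 fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=445
2009-08-14T10:02:40 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2009-08-14T10:02:55 fw01 ACCEPT src=192.0.2.30 dst=10.0.0.5 dport=22
"""

HOST_LOG = """\
2009-08-14T10:01:03 10.0.0.5 auth_fail user=root src=203.0.113.7 service=sshd
2009-08-14T10:01:10 10.0.0.5 auth_fail user=admin src=203.0.113.7 service=sshd
2009-08-14T10:02:41 10.0.0.5 auth_ok user=backup src=203.0.113.7 service=sshd
2009-08-14T10:02:56 10.0.0.5 auth_ok user=alice src=192.0.2.30 service=sshd
"""


def parse_line(line):
    """Turn one log line into a dict: ts, reporter, action, plus key=value fields."""
    ts, reporter, action, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "reporter": reporter, "action": action}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _within(ts, window, ref):
    return ref - window <= ts <= ref


def correlate(fw_events, host_events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Escalate a host login success only when (a) the same source produced at
    least `threshold` failures on that host inside `window`, and (b) the firewall
    independently saw that source reach the host in the same window.
    A lone firewall ACCEPT, a lone DENY, or failures with no success stay as noise."""
    fails = defaultdict(list)     # (host, src) -> timestamps of auth_fail
    for ev in host_events:
        if ev["action"] == "auth_fail":
            fails[(ev["reporter"], ev["src"])].append(ev["ts"])

    accepts = defaultdict(list)   # (dst, src) -> timestamps of firewall ACCEPT
    for ev in fw_events:
        if ev["action"] == "ACCEPT":
            accepts[(ev["dst"], ev["src"])].append(ev["ts"])

    alerts = []
    for ev in host_events:
        if ev["action"] != "auth_ok":
            continue
        key = (ev["reporter"], ev["src"])
        prior_fails = [t for t in fails[key] if _within(t, window, ev["ts"])]
        fw_corroborated = any(_within(t, window, ev["ts"]) for t in accepts[key])
        if len(prior_fails) >= threshold and fw_corroborated:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "host": ev["reporter"],
                "src": ev["src"],
                "user": ev["user"],
                "failures_before_success": len(prior_fails),
                "status": "actionable",
            })
    return alerts


def run_demo():
    """Correlate the constructed feeds and return the actionable alerts."""
    return correlate(parse_log(FIREWALL_LOG), parse_log(HOST_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample feeds only the `backup` login is escalated: it follows two failures from the same address and the firewall saw that address reach the host. The `alice` login has no failures behind it, and the lone DENY on port 445 never rises above noise. Requiring a second source before escalating is what keeps the output short enough to act on.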
He reports that Symantec identified 1.6 million malicious code threats in 2008. With a cumulative total of 2.6 million over the past decade, roughly 60% of all such threats emerged in a single year, which makes “deep thinking” that much more valuable.
Identity and access: Who’s on first? Any networking security infrastructure needs to address all the challenges that go with identity and access issues.
Gijo Mathew, vice president of security management for CA in Toronto, says that is why managers are starting to look more closely at privileged user management and data loss prevention as part of their security planning.
“We’ve put a lot of effort into securing the infrastructure, but at the end of the day, what we want to protect is the data running on that infrastructure. In other words we never protected the information, rather, it was the technology around it. In most cases security stops after you’ve given someone access.”
Information-centric technologies (e.g. CA AccessControl and CA Privileged User Management) are centralized, server-based offerings that allow organizations to manage accounts, change router configurations, check out user identification, and routinely change settings without adversely affecting the rest of the infrastructure.
“These can be implemented at many levels — the network, endpoints, or messaging services,” he notes.
IP thinking: Extending the boundaries: As more and more companies transition to IP, they are also moving to the outer boundaries of their infrastructure for their security initiatives. As Boucino explains, the prevalence of IP is driving network designers and installers to extend capabilities to strengthen physical security. “The enterprise market has established servers, switching, software platforms and applications that run on them. We’re now finding the same thing starting to happen and quickly on the video surveillance and access control side.”
Think of an IP camera as a PC with a lens, Boucino says. “It has an entire chipset at the front end and firmware, and talks to the network through a standard 10/100 network interface. We’re pushing IP all the way to the door, so security devices are literally a node on a network now.” As such, IP-based video surveillance and access control systems are allowing companies to migrate away from the traditional idea of physical security to the realm of business intelligence. “Once IP and security start working together, you can handle video information the same way you handle a data or voice packet, as well as use the same technicians to maintain and deploy [the cameras and access control systems].”
Boucino adds that “people do not realize how far traditional structured cabling has come, but if you look at what is happening in the security realm, you can see it brings a lot of scalability, adaptability, flexibility and economic advantages.”
Wireless: Putting it all together: No security discussion can be had without looking at the ever expanding wireless landscape. According to Corey Copping, product marketing manager for HP ProCurve in Toronto, “We like to think that we treat wired and wireless the same. You want the same authentication whether you are working with a wired or wireless port. What you’re really talking about more and more is the software add-ons that enhance security.”
He notes that in previous years, people worried about wireless connections because “a lot of people were buying lower end wireless routers and access points and plopping them on a network. That’s not the case anymore.”
Now the trend is to allow chassis-based switches to put functionality into the fabric of the network. “You’re not holding firewall software on the server for it to push it out to the network,” Copping says. “Now you’re taking the software like IDM (identity driven management) and building that into the fabric of the switch and chassis for an extra level of speed and security.”
Smart thinking — faster response: It is evident that the security picture has grown extremely complex in recent months as infrastructures evolve to new levels of efficiency. While there will never be a simple answer to conquering the network security battle, dynamic technologies with built-in intelligence are turning it into a fair fight.
Depending on your circumstances, security strategies can differ dramatically from enterprise to enterprise. For some it’s about bringing things closer to home. Others may be expanding into securing new technology realms like unified communications. Or it might be facing the large-scale security needs of a portable network at a global event. Here is what some network experts have to say about their security strategies:
Stan Yazhemsky, manager of IT Operations and Security for Legal Aid Ontario in Toronto, believes that protecting server activity has become an increasingly compelling challenge as cloud computing takes hold. “Cloud computing is a huge security threat if it’s not designed properly. The biggest challenge is finding the balance between service availability and security.”
A well laid out plan is one that considers your long term infrastructure needs and can adapt to changing methods of application delivery, he adds. “We’re getting back to thin client and virtualization more and more. If your infrastructure is not ready for that, you will be facing a lot of (security) challenges.”
Legal Aid Ontario recently sidestepped the issue by building a private network infrastructure to replace an existing outsourcing model. The design leverages firewall, VPN security, secure access and intrusion detection and prevention solutions from Juniper. Not only has this improved operational control over the network, the company has realized a savings of $500,000 a year in service provider costs.
“We redesigned our entire network,” Yazhemsky explains. “We have two vendors supplying DSL and cabling to each location for redundancy and applications are managed centrally.” Last year, Legal Aid Ontario also moved to a VoIP infrastructure and now plans to layer on video in 2009. “It can all be run by two network administrators, and we have already included the necessary steps for security and availability in our design.”
Security through a unified front: At Sheridan College in Oakville, Ont., a new unified communications initiative with Cisco Systems Canada Co. and Unis Lumin has put security in the forefront, literally and figuratively. The move came about when a surveillance camera captured the image of a student carrying a camera tripod that was mistakenly thought to be a rifle.
The upshot of that day’s upheaval was a system-wide overhaul based on a unified communications platform, explains Sumon Acharjee, IT director for Sheridan. The new communications system connects three campuses to a central data centre where the applications are based.
Jeff Seifert, CTO for Cisco Canada, notes that the new application engine allows the school to build interfaces to various systems from servers to IP phones to alarm systems and everything in between. The key to the success of the design, including the security piece, was using standards-based interfaces to interconnect the disparate elements of the network.
Mauro Lollo, chief technology officer of Unis Lumin Inc. based in Oakville, confirms that building the system on a Microsoft platform allowed it to be integrated into a Microsoft enterprise security environment to ensure that users have appropriate credentials “and all the things you normally need to function within such an environment. We just applied a few more tweaks.”
“Security is not a network appliance unto itself,” Seifert explains. “Rather it’s a multi-layered protection mechanism that encompasses everything from surveillance and notification to identity protection and access.”
He adds that a lot of focus was on content security, which is being managed by Cisco IronPort technology. “Web security is definitely a huge focus. So is authentication and making sure that only trusted devices are connected to the network. Clearly there has to be a lot of focus on certification, identity, and encryption at all levels. And once you merge IT and physical security such as access control and video, proper integration is critical.”
A world-class portable network: At WorldSkills Calgary 2009, home of one of the world’s largest portable networks (see p. 12), security was front and centre when it came to designing the network. “Without a doubt, when you have 51 countries involved there are going to be some pretty savvy people trying to do malicious attacks on the networks,” says Roger Dery, IT manager for WorldSkills Canada 2009. “A lot of thought and timing was spent on the routing on layers 2 and 3 to ensure network integrity.”
The entire park was connected over a Cisco backbone. Ninety-six fiber drops connected to Cisco switches and ASA firewalls. In addition, a Cisco MARS unit monitored Layer 2/3 activity on the network, while IronPort SL170 boxes scanned 5 billion Web pages to filter out gaming, social networking and video streaming sites so that bandwidth wasn’t compromised. Two Internet feeds, a 30 Mbps MTSL stream pipe and a 100 Mbps Bell pipe, provided redundancy and speed.
“By the time we were completed with all the devices, the configurations would fill up over 600 pages of a Word document,” says Dery. “We then utilized a network monitoring agent for the network nodes and desktops to detect failures or hardware issues, as well as various layers of Fluke Networks gear for scanning data transfer. There is also a lot of security in place on the other infrastructure side with virtualized HP Blade servers and SAN units.”
And to think, he says, the network design all started as a drawing on a napkin.