As threats become increasingly ingenious and destructive, balancing protection and performance - and getting them both at the right price - is no easy task
January 1, 2004
Making networks as open and accessible as possible, while, at the same time, welding them shut to security threats is a major challenge for any IT manager, but it’s something Magma Communications Ltd. takes in stride.
A full-service Internet company, Ottawa-based Magma provides access, hosting, co-location, managed systems, managed security and Web design services to more than 5,000 Canadian and international companies. Many of these businesses have Web sites and other critical corporate data hosted at Magma’s Internet Data Centre in Ottawa.
“Our customers have high expectations,” says A.J. Byers, the firm’s chief operating officer. “They rely on us to keep their data and network connections as secure as possible. Having exceptional security solutions in place is essential to maintaining and growing our customer base.”
But securing customers’ networks is only one part of the equation. Providing flexible and open access to critical information on those networks is the other.
To some, these tasks may seem incompatible.
Not to Byers. There does not have to be a trade off between network security and network availability, he says.
He cites the example of a Magma customer to demonstrate just that. Headquartered in Ottawa, the company has regional offices at several other Canadian and central U.S. locations. For many years, security concerns prevented the firm from using the Internet for inter-office communication and led them to rely on a costly 56K Frame Relay network.
About two years ago — prompted by the need to control costs and improve access — the company started reviewing other options. It selected Magma to implement a firewall and virtual private network (VPN) between all their locations, and a remote VPN for their employees to connect back into the internal network.
Following the implementation, says Byers, inter-office communication became 20 times faster, while network security levels remained exceptionally high. Of note was that the entire project was implemented at a fraction of the cost of the previous network.
Not all initiatives that attempt to improve access while maintaining acceptable security levels have the same positive outcomes, however.
Today, as threats to networks grow increasingly ingenious and destructive, balancing protection and performance, and getting both at the right price, is no easy task.
Spending soars, but …
One encouraging trend, analysts say, is that enterprises across the board are starting to take network security more seriously.
Research indicates security spending by North American businesses in every sector has increased significantly over the past few years.
The average enterprise channeled 5.4% of its IT budget into security in 2003, according to a recent survey by analyst firm Gartner Inc. in Stamford, Conn. That’s a 20% increase over 2002.
“But firms spending the most on security are not necessarily the most secure,” says John Pescatore, vice president of Internet Security at Gartner. He notes that when the Blaster worm struck “several of the really badly hit businesses had made significant investments on security.”
The absence of any obvious correlation between security spending and how secure a firm actually is also emerges in a survey by Cambridge, Mass.-based Forrester Research Inc. Nearly half of the 50 top security personnel at large global companies interviewed felt their security budgeting was flawed; 40% conceded they spend their security dollars on the wrong risks.
Forrester’s suggestion: focus resources on preventing high-probability, potentially damaging events and let insurance take care of low-probability risks.
But there is little consensus – even among experts – about which technologies are most effective in pre-empting “high probability risks.” Gartner, for instance, is advising clients not to expend limited IT resources on network intrusion detection systems (IDS), but to opt for application-level firewalls instead.
“We now have firewalls that can block the very same attacks that IDS systems merely alarm on,” says Pescatore. On the other hand, security service providers such as Magma say they have used IDS products very effectively in high profile projects.
New model emerging
Gartner predicts that over the next few years, many enterprises will adopt “containment technologies” as a key element in their security strategy. “The network will shield itself against many vulnerabilities,” says Pescatore. “It will do this by shutting off certain segments to stem a viral attack, for instance.”
He said several excellent containment products are already on the market.
This concept of the network actively participating in the security paradigm is something Enterasys Networks Inc. in Andover, Mass. has been actively advocating.
“In the past,” says John Roese, the company’s chief technology officer, “network infrastructure was considered a neutral player with respect to security. Networks were about connectivity and security was the job of a bunch of purposeful devices like firewalls and IDS systems. Now, we’re witnessing the emergence of a new model where the network itself is an active player in the security architecture.”
Roese says two factors are accelerating the adoption of this model. “One is the morphing of the user community. People you don’t fully control — suppliers, partners, customers — are coming inside your infrastructure. And you cannot do business today unless you allow them in.”
The second driver, he adds, is the catastrophic nature of today’s security threats. “At a recent Interop conference event, where I was a speaker, someone in the audience wanted to know what keeps me up at night. My answer was: ‘when the network itself becomes an obvious vulnerability.’ Today, hackers can and have caused far more harm to enterprises by destroying connectivity itself than by simply knocking out one Web portal or shutting down one e-mail server.”
Roese says there is “an inverse relation between the sophistication of today’s hacking tools and the IQ required to use them. So today, relatively unsophisticated people are able to generate relatively damaging attacks on network infrastructure.”
He says point solutions cannot adequately respond to such pervasive threats. “When the network itself is a security element you are talking, potentially, about thousands or hundreds of thousands of individual points or connections. It’s too complex to deploy a new security layer each time you change your connectivity.”
The solution, he says, is an embedded function, at the infrastructure level, for managing user identity and authentication. “That way, when you buy a switch or a router, security is an inherent function of the device itself rather than a bolt on or an overlay.”
He points to the LAN authentication and authorization capabilities of the current breed of Enterasys’ networking products. “We’ve put a lot of silicon effort into adding a role-based authorization technology in our switches. And all our devices also come with 802.1X Web authentication capabilities.”
Roese says Enterasys has also focused on adding “precision” to intelligence provided by security products (IDS systems, virus scanners, firewalls). “These products tell us something bad is happening. Now, with our technology, they can also identify offending systems and change their behaviour on the network.”
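The containment model described in this section, where an alert from a detection product is turned into an action against a specific switch port, is easier to reason about in code. The following is an added example, not Enterasys or Gartner code: it reads constructed flow records, flags a source that sweeps many hosts on one port inside a short window (the pattern a worm shows, and a slow administrative sweep does not), and maps the offender to a port and quarantine VLAN. The record format, the thresholds, the VLAN number and the IP-to-port inventory are all assumptions.

```python
"""Containment, in miniature: spot a host sweeping the LAN and turn the
alert into an action against the switch port it sits on.

Added example, not Enterasys or Gartner code.  The flow-record format,
the thresholds and the IP-to-port inventory are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<ts> <src_ip> <dst_ip> <proto>/<dport>'."""
    ts, src, dst, svc = line.split()
    proto, dport = svc.split("/")
    return Flow(float(ts), src, dst, proto, int(dport))


def find_scanners(flows, window=10.0, min_targets=8):
    """Return {src_ip: (proto, dport)} for every source that reached
    min_targets distinct destinations on one port within `window` seconds.
    Worm propagation looks like this; a slow admin sweep does not."""
    events = defaultdict(list)                 # (src, proto, dport) -> [(ts, dst), ...]
    for f in sorted(flows, key=lambda f: f.ts):
        events[(f.src, f.proto, f.dport)].append((f.ts, f.dst))
    scanners = {}
    for (src, proto, dport), evs in events.items():
        start = 0
        for end in range(len(evs)):            # sliding time window over the events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({dst for _, dst in evs[start:end + 1]}) >= min_targets:
                scanners[src] = (proto, dport)
                break
    return scanners


def containment_actions(scanners, inventory, quarantine_vlan=999):
    """Translate an offending IP into a switch-port action.  `inventory`
    maps ip -> (switch, port, vlan); on a real LAN it would come from the
    switches' 802.1X/ARP tables, here it is constructed."""
    actions = []
    for ip, (proto, dport) in sorted(scanners.items()):
        if ip not in inventory:                # cannot act precisely -> alert only
            actions.append({"host": ip, "action": "alert-only", "reason": "port unknown"})
            continue
        switch, port, vlan = inventory[ip]
        actions.append({"host": ip, "action": "quarantine", "switch": switch, "port": port,
                        "from_vlan": vlan, "to_vlan": quarantine_vlan,
                        "reason": f"{proto}/{dport} sweep"})
    return actions


# Constructed sample flows: one normal workstation, one host sweeping
# tcp/135 (the port Blaster probed) at five hosts a second, and one admin
# box touching a host a minute over ssh, which must NOT be quarantined.
SAMPLE_FLOWS = (
    ["1000.0 10.1.1.20 10.1.1.5 tcp/445",
     "1001.0 10.1.1.20 10.1.1.6 tcp/80",
     "1002.5 10.1.1.20 10.1.1.5 tcp/445"]
    + [f"{1010 + i * 0.2:.1f} 10.1.1.57 10.1.1.{100 + i} tcp/135" for i in range(12)]
    + [f"{2000 + i * 60:.1f} 10.1.1.9 10.1.1.{100 + i} tcp/22" for i in range(12)]
)
INVENTORY = {"10.1.1.20": ("sw-floor2", "ge1/0/3", 10),
             "10.1.1.57": ("sw-floor2", "ge1/0/17", 10),
             "10.1.1.9": ("sw-core", "ge1/0/1", 20)}


def run(lines=SAMPLE_FLOWS, inventory=INVENTORY):
    flows = [parse_flow(line) for line in lines]
    return containment_actions(find_scanners(flows), inventory)


if __name__ == "__main__":
    for action in run():
        print(action)
```

The sliding window is what separates a worm from a slow but legitimate sweep; the tuning of `window` and `min_targets` is where false quarantines come from in practice, and an offender whose port is unknown is deliberately downgraded to an alert rather than guessed at.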
People and processes
According to some industry insiders, however, “embedded security” is not the panacea it is made out to be.
“Security is not a magic bullet that can simply be built into all network devices,” says Byers. He notes that today’s network devices already come with several security features, but “most organizations just do not know how to implement and configure them.”
“Training, awareness and human interaction,” is his prescription for the success of network security projects.
Kent Kaufield, a senior manager with Ottawa-based Ernst & Young LLP, expresses a similar view. “A complete and truly effective network security plan covers not just technology vulnerabilities, but also process improvements and people training,” says Kaufield, who is with the consulting firm’s technology and security risk services practice.
He says the sharp rise in security technology spending is not, by itself, a very heartening fact. “The biggest component of a security budget should be process and people spending. And that isn’t growing as fast as the technology spend. So we’re ending up with very small security groups handling (security) technology they aren’t properly equipped to use.”
According to Kaufield, failure to focus on “people training” can have serious consequences. “On the one hand enterprises have opened up their networks to external constituents with extranets and extended extranets. On the other, their CIOs aren’t sure what firewalls exist, how many network connections there are, and where they are. The concern about what they don’t know is very real.”
This concern, according to Gartner research director Richard Steinnon, has led certain companies to take drastic, even unpopular, measures to protect their networks.
“Many (of our) customers are circling the wagons and going into lockdown mode,” said Steinnon in a recent Web cast on network security.
He cites the example of one of Gartner’s enterprise clients that wanted to prevent viruses from getting into the network through ‘rogue machines’ brought in from outside. “So they started stopping people at security and checking their laptops…loading software on them to make sure there were no worms on the machines.”
The approach, says Steinnon, just did not work. “(The company) would set up a meeting for 9 a.m. and nobody would show up until 10 a.m. because they were all waiting in line at security with their laptops.”
He says such severe measures, besides being impractical, are also at odds with the “enabling function” of network security. “Security should allow us to do more things, to be more productive…to expand the business, not shut it down.”
Many industry experts argue that wired networks are more susceptible to security breaches than their wireless counterparts.
“Given the obvious reliance of wired LANs on a wired physical plant,” says an Enterasys white paper, “anyone gaining access to that wire can damage the network or compromise the integrity and security of information on it.” It says without proper security measures in place, even registered users of the network may be able to access information that would otherwise be restricted.
The paper notes that LAN traffic can be intercepted and decoded with commonly available software tools once one has physical access to the LAN cabling.
For this reason, it strongly advocates physical security measures, including site control and management, in wired LAN environments. “Physical access to network wires needs to be protected.”
It further indicates that wired LANs have an unintended wireless component. “Many types of LAN cabling – particularly unshielded twisted pair – radiate significant energy…Anyone with strong motivation, the right radio equipment, and a good antenna (could) sit in the parking lot outside a building and actually intercept wired Ethernet data packets – without detection.”
Data encryption, the paper says, is the only line of defense against this kind of threat.
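What the white paper describes, a tap on the cable decoding traffic with commonly available tools, is a few dozen lines of code, and so is the difference encryption makes. The following is an added example, not part of the Enterasys paper: it builds a constructed Ethernet/IPv4/TCP frame carrying an intranet login over plain HTTP, decodes it the way any sniffer would, and pulls out the credential; then it does the same with the payload encrypted under a session key and shows that only the endpoints and ports remain visible. The frame contents, addresses and key are constructed, and the cipher is a demonstration-only HMAC-SHA256 keystream standing in for TLS or IPsec, not a real protocol.

```python
"""What a passive tap on the LAN cable sees, and what encryption changes.

Added example, not from the Enterasys paper.  The frames are constructed
here; the 'encrypted' variant uses a demonstration-only keystream (HMAC-SHA256
in counter mode) standing in for TLS or IPsec, not a real protocol."""
import base64
import hashlib
import hmac
import socket
import struct


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + minimal IPv4 + TCP (no options, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def decode_frame(frame):
    """The decoding any sniffer does: headers and payload from raw bytes."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:      # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                                    # not TCP
        return None
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src_ip": socket.inet_ntoa(frame[26:30]), "dst_ip": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": frame[tcp_off + data_off:]}


def sniff_basic_auth(payload):
    """Pull a cleartext HTTP Basic credential out of a TCP payload, if any."""
    for line in payload.decode("latin-1").split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            try:
                return base64.b64decode(line.split(" ", 2)[2], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def demo_encrypt(key, plaintext):
    """Demonstration-only stream cipher: XOR with an HMAC-SHA256 counter
    keystream.  Illustrates 'opaque on the wire'; do not use in place of TLS."""
    out = bytearray()
    for n, i in enumerate(range(0, len(plaintext), 32)):
        keystream = hmac.new(key, struct.pack("!Q", n), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + 32], keystream))
    return bytes(out)


# Constructed request: a login to an intranet application over plain HTTP.
REQUEST = (b"GET /intranet/payroll HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")


def cleartext_frame():
    return build_frame(CLIENT_MAC, SERVER_MAC, "10.1.1.20", "10.1.1.5", 40000, 80, REQUEST)


def encrypted_frame(session_key=b"negotiated-by-the-endpoints"):
    return build_frame(CLIENT_MAC, SERVER_MAC, "10.1.1.20", "10.1.1.5", 40000, 443,
                       demo_encrypt(session_key, REQUEST))


def tap(frame):
    """What the person in the wiring closet (or the parking lot) learns."""
    hdr = decode_frame(frame)
    return {"who": f'{hdr["src_ip"]}:{hdr["sport"]} -> {hdr["dst_ip"]}:{hdr["dport"]}',
            "credential": sniff_basic_auth(hdr["payload"])}


if __name__ == "__main__":
    print(tap(cleartext_frame()))   # credential readable
    print(tap(encrypted_frame()))   # credential None; endpoints still visible
```

Note what encryption does not hide: the tap still learns which client talked to which server, on which port, and how much, which is why the paper's physical-access controls still matter even where payloads are encrypted.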
According to Roese, there’s a remarkable difference between wired and wireless environments on the issue of “embedded security.”
He cites the example of 802.1X, an authentication standard he co-authored. Though the standard was originally meant to provide authentication on a wired infrastructure, he says, in reality it has been more readily embraced by the wireless industry, and today leads the charge for wireless LAN (WLAN) security.
He notes that traditionally discrete security functions such as user authentication, key management and encryption are now highly integrated into Wi-Fi networks.
But Roese predicts that soon businesses will require those same security capabilities to be integrated into the wired network.
“Our customers are essentially saying if it is good enough for wireless it should be on the wireline infrastructure,” he says. “It ought to be any point where we offer connectivity to the user community.”
Joaquim Menezes is a freelance writer based in Mississauga, Ont. He can be reached at firstname.lastname@example.org.