

Defending the Enterprise
May 17, 1999
By Greg Shipley
Although a few battles on the enterprise security front have been won, the war is far from over. General security awareness within organizations has been raised to the point that high-level executives are beginning to acknowledge the threat of electronic intrusion and firewalls have become standard, budgeted items. Unfortunately, this is just the tip of the security iceberg.
During the past year, Network Computing has evaluated numerous products vendors have presented to help in this battle. We've looked at firewalls, intrusion detection systems, security scanners and probes, single sign-on products, security policy managers, public key infrastructure (PKI) solutions, secure messaging products and biometric-based authentication devices.
Although the majority of corporate losses originate from internal abuse, most organizations have kept their focus on the perimeter. The first line of perimeter defense for most organizations is the firewall. This past year we've seen proxy-based and stateful inspection-based firewalls vie for the attention of network administrators. Check Point Software Technologies' FireWall-1 topped our stateful-inspection charts, while AXENT Technologies' Raptor firewall led the pack of application-proxy-based solutions (see "Seven Firewalls Fit for Your Enterprise," www.networkcomputing.com/921/921f2.html). Proxy-based firewalls arguably offer slightly more security, while the stateful-inspection approach delivers far better throughput--so much better, in fact, that our tests showed Cisco Systems' PIX firewall's overall throughput approaching wire speeds.
Backing Up the Firewall
Although firewalls are necessary, intruders were waltzing past firewalls almost as soon as they were introduced--usually by exploiting holes in the targeted hosts or infrastructure. To complement the firewall technology deployed on the perimeter, many organizations turned to intrusion detection systems (IDSes), which serve as informed observers of incoming network traffic. They attempt to detect reconnaissance and attack patterns as they occur, and subsequently react to them in real time based on predefined actions. Although most IDSes are capable of logging the offending traffic, e-mailing an administrator or sending out a page, some of the more advanced systems can take steps to stop the attack. Still, intrusion detection technology cannot solve your security woes, though it serves as supporting artillery. Our testing found ISS' RealSecure the most polished offering, with Cisco's NetRanger a close second (see "ISS RealSecure Pushes Past Newer IDS Players," page 95).
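The detect-then-react loop described above, reduced to its essentials, as an added illustration (this is not code from the article or from any product it reviews): events are matched against byte signatures, a source that touches many distinct ports is flagged as reconnaissance, and every hit is routed to a predefined action. The sample events, the signature pattern, the rule names, the port-count threshold and the three action names are all constructed for this example.

```python
"""Toy signature-plus-threshold intrusion detector over constructed events.
Matches each event against byte signatures, flags reconnaissance when one
source touches many distinct ports, and maps every hit to a predefined
action (log, e-mail, block). Added illustration, not any product's code."""
from collections import defaultdict

# Constructed signature rules: (rule name, byte pattern, predefined action).
# The pattern and the action chosen for it are assumptions for this example.
SIGNATURES = [
    ("path-traversal", b"../..", "block"),
]

# Reconnaissance rule: this many distinct destination ports from one
# source within the batch counts as a port scan (assumed threshold).
SCAN_THRESHOLD = 5

# Constructed sample events: (src_ip, dst_ip, dst_port, payload bytes).
SAMPLE_EVENTS = [
    ("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0"),
    ("10.0.0.7", "192.0.2.10", 21, b""),
    ("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/../../private HTTP/1.0"),
    ("10.0.0.7", "192.0.2.10", 22, b""),
    ("10.0.0.7", "192.0.2.10", 23, b""),
    ("10.0.0.7", "192.0.2.10", 25, b""),
    ("10.0.0.7", "192.0.2.10", 80, b""),
    ("10.0.0.9", "192.0.2.10", 443, b"GET / HTTP/1.0"),
]


def analyze(events, signatures=SIGNATURES, scan_threshold=SCAN_THRESHOLD):
    """Process events in order, as a sensor on the wire would see them.

    Returns (alerts, blocked): alerts is a list of (rule, src_ip, action)
    in the order they fired; blocked is the set of sources that a 'block'
    action would cut off.
    """
    alerts = []
    blocked = set()
    ports_by_src = defaultdict(set)
    for src, _dst, port, payload in events:
        for name, pattern, action in signatures:
            if pattern in payload:
                alerts.append((name, src, action))
                if action == "block":
                    blocked.add(src)
        ports_by_src[src].add(port)
        # Fire exactly once per source, the moment the threshold is reached.
        if len(ports_by_src[src]) == scan_threshold:
            alerts.append(("port-scan", src, "log"))
    return alerts, blocked


def dispatch(alerts):
    """Route each alert to its predefined action. Here the actions only
    record a message; a real sensor would write a log entry, send mail or
    a page, or push a filter rule to the firewall."""
    responses = {"log": [], "email": [], "block": []}
    for name, src, action in alerts:
        responses[action].append(f"{name} from {src}")
    return responses


if __name__ == "__main__":
    found, cut_off = analyze(SAMPLE_EVENTS)
    for action, messages in dispatch(found).items():
        print(action, messages)
    print("blocked sources:", sorted(cut_off))
```

Note that the signature rule fires on the single event that carries the pattern, while the port-scan rule only fires after state has accumulated across several events from the same source; that distinction is why a sensor needs memory of recent traffic and not just a per-packet match.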
Moving past the perimeter to get a little closer to the root of most security problems--vulnerabilities found within the operating systems and configurations--organizations now have two primary options for auditing. Outsourcing the operation to hired security guns, such as Cisco's Security Consulting group, allows organizations to continue to focus on day-to-day activities while the experts hunt down the breaches. The more elite auditing teams can detail security risks with more accuracy than shrink-wrapped products. However, products such as ISS's Internet Security Scanner and Network Associates' Cybercop give the network administrator some powerful backup.
Virtually every month, new holes are discovered in base OSes, service add-ons, protocols and third-party applications. Security scanner products offer a single point of evaluation for remotely exploitable holes internal and external to the network. By automating the process of maintaining lists of known vulnerabilities and continuously searching for those holes, scanners put the technology used by security experts in the hands of network administrators. However, a scanner's ability to detect security flaws is only as current as its list of vulnerabilities, and vendors have yet to deliver on timely updates.
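To make the last point concrete, here is an added illustration (not code from the article or from either scanner it names) of a scanner that matches service banners against a vulnerability list, run first with a stale list and then with a current one. The banner format, the two vulnerability lists with their placeholder ids, and the host inventory are all constructed for the example; the host whose flaw was published after the old list was built produces no finding until the list is refreshed.

```python
"""Toy version-matching vulnerability scanner over constructed service
banners. The point it demonstrates: findings are bounded by the currency
of the vulnerability list the scanner carries. Added illustration, not
any product's code."""
import re

# A banner such as "220 exampled 1.2 ready" -> service "exampled", version "1.2".
# The banner format is an assumption for this example.
BANNER_RE = re.compile(r"^\d{3} (?P<service>[A-Za-z][\w-]*) (?P<version>\d+(?:\.\d+)*)\b")

# Constructed vulnerability lists: (placeholder id, service, affected versions).
# The ids are placeholders, not real advisory numbers.
VULN_LIST_OLD = [
    ("EXAMPLE-0001", "exampled", {"1.0", "1.1"}),
]
VULN_LIST_CURRENT = VULN_LIST_OLD + [
    ("EXAMPLE-0002", "exampled", {"1.2"}),  # flaw published after the old list was built
]

# Constructed inventory: host -> banners collected from its services.
HOSTS = {
    "192.0.2.10": ["220 exampled 1.1 ready", "220 otherd 4.0 ready"],
    "192.0.2.11": ["220 exampled 1.2 ready"],
    "192.0.2.12": ["SSH-2.0-custom"],  # banner format the scanner does not understand
}


def parse_banner(banner):
    """Return (service, version), or None when the banner is not understood."""
    m = BANNER_RE.match(banner.strip())
    return (m["service"], m["version"]) if m else None


def scan(hosts, vuln_list):
    """Return {host: [vuln_id, ...]} for every host with at least one hit."""
    findings = {}
    for host, banners in hosts.items():
        for banner in banners:
            parsed = parse_banner(banner)
            if parsed is None:
                continue  # an unknown banner silently produces no finding
            service, version = parsed
            for vuln_id, vuln_service, affected in vuln_list:
                if service == vuln_service and version in affected:
                    findings.setdefault(host, []).append(vuln_id)
    return findings


def missed_by_stale_list(hosts, old_list, current_list):
    """Findings the current list produces that the old list did not:
    exactly the exposure a scanner running on a stale list would report
    as clean."""
    old = scan(hosts, old_list)
    missed = {}
    for host, ids in scan(hosts, current_list).items():
        new_ids = [v for v in ids if v not in old.get(host, [])]
        if new_ids:
            missed[host] = new_ids
    return missed


if __name__ == "__main__":
    print("old list:", scan(HOSTS, VULN_LIST_OLD))
    print("current list:", scan(HOSTS, VULN_LIST_CURRENT))
    print("missed while stale:", missed_by_stale_list(HOSTS, VULN_LIST_OLD, VULN_LIST_CURRENT))
```

Two blind spots show up in the run: a host whose version is affected only by an entry the list does not yet carry reports clean, and a host whose banner the scanner cannot parse reports clean as well. Neither is an error the scanner can announce, which is why a clean report should be read together with the date of the vulnerability list that produced it.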
Past the Perimeter: Deploying VPNs
Beyond the perimeter, a growing array of high-bandwidth options available at "the last mile" is boosting telecommuting's popularity. Fortunately, virtual private networks (VPNs) can help administrators extend the walls of the fortress.
On the LAN-to-LAN front, VPN hardware and software solutions let networks tunnel traffic. During the past year we saw IPSec (IP Security) interoperability materialize, IKE (Internet Key Exchange) implemented across the board, and hardware acceleration decrease encryption overhead. Unfortunately, VPN management is still a little rough around the edges, and integration with PKI products is still a ways off. In our tests of IPSec-compliant VPN solutions (see "IPSec-Compliant VPN Solutions: Virtualizing Your Network," www.networkcomputing.com/914/914r1.html), we found Nortel Networks and TimeStep Corp. leading the pack.
PKI products continued to mature in 1998. Entrust Technologies, one of the few PKI vendors to offer both application and back-end PKI products, shipped a new version of Entrust that continues to build on an integrated solution. A few more contenders, such as Valicert and Baltimore Technologies, popped onto the PKI radar screen. And after a long silence, Novell came to the table with NetWare 5, which is one of the few deployed directories that can offer a back end for a fully functional PKI--should Novell decide to clean up its PKI act. However, we've seen little earth-shattering change. The IETF's PKIX group is still sorting out proposed standards, certificate revocation is still a bit messy, and vendors have been slow to bring applications to market that can make full use of certificate technology. We still face an assortment of e-mail clients, smartcard plug-ins and applications.
While the security industry continues to grow at a tremendous pace, in the absence of more advanced tools, technology and skill sets, enterprise security is at best a truly challenging ideal. Single sign-on products and security framework products are only successful if they, too, are kept secure. Compromise the OS and the model still falls apart. Firewalls cannot protect organizations from poorly written CGI programs and third-party vendor flaws. Security scanners can alert administrators to known holes, but fail miserably when it comes to cutting-edge attacks and site-specific or custom intrusion attempts. IDSes can be useful tools, but they fall victim to the same problems that plague scanners. And while auditing firms can address many of these shortcomings, if policies and procedures aren't put in place and enforced, their services quickly depreciate.
As the security landscape evolves, there is still no substitute for in-house expertise and a well-planned strategy. At the root of any successful security deployment is policy. Without policy, there can be no structure. Without structure, there can be no enforcement. Without enforcement, there can be little security. And while there are now some tools to help manage policy (see "Finally! A Light at the End of the Tunnel," www.networkcomputing.com/922/922f1.html), without the marriage of policy, procedure and implementation, the front will be far from unified.