Gaining that advantage requires information about your network and business processes. Let's state up front that we're not talking only about Web defacements and other largely juvenile activities. Sure, some defacements can be politically motivated, but for the most part they're just a slap in the face that can be avoided by maintaining your Web servers properly. More serious risks come from attacks against your network resources. If you have a security policy, keep on top of vendor patches, ensure that your IT staff follows various security lists and limit access throughout your network, you're on the right track -- being proactive is half the battle. Yet try as we might to lock down resources, networks are dynamic environments that need to be checked regularly for vulnerabilities.
Protecting Yourself
To our surprise, the best tool we tested during the past year for finding such vulnerabilities wasn't the slickest commercial package; the open-source Nessus took top honors. But such tools come with their own set of weaknesses. Like virus scanners, vulnerability scanners are only as good as the underlying database of checks. If a new vulnerability crops up, you can't scan for it until a check for it is written and incorporated into the database, and a check written against one version of an old vulnerability can just as easily miss a new permutation of it. To keep abreast of new security threats, scanner vendors must constantly update their signature files, and you must load those updates before every scan, or the clean report you get means little.
Nearly all the vulnerability scanners we've tested lack integration with enterprise-management applications, such as helpdesk, asset-management and network-management stations. Sure, some of the vulnerability-assessment scanners can fire off an SNMP trap, but that is a far cry from true systems integration.
As attacks become more complex, so do the tools used to stop them. Several behavior-assessment tools are coming to market that track user behavior and send alerts on unusual or abnormal behavior and trends. The success of these products will lie in their ability to accurately baseline normal user behavior and to recognize departures from it. That is harder than it sounds: a baseline built over too short a window, or over a window that already contained an intruder's activity, teaches the tool that the wrong things are normal, and a threshold set too tight buries the staff in false alerts. Still a developing technology, behavior assessment is another approach that bears watching alongside vulnerability assessment.
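To make the baseline-and-deviation idea concrete, here is an added example (not code from the article or from any behavior-assessment product it alludes to). It learns, per user, the hours seen during a training window and the mean and standard deviation of transfer volume, then scores new records against that profile. The record format, the two users, their synthetic activity and the thresholds are all assumptions chosen for illustration.

```python
"""Behavior baselining: learn what is normal per user, then flag deviations.

Added example, not code from the article or from any behavior-assessment
product. The record format, the users, the synthetic activity and the
thresholds are assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime


def constructed_training():
    """Two weeks of invented 'normal' records: (user, ISO timestamp, bytes).
    alice works 09:00 and 14:00 moving ~2-3 MB; bob works 08:00 and 17:00
    moving ~0.5 MB. Volumes drift slowly so the stdev is non-zero."""
    records = []
    for day in range(7, 21):  # 7 May .. 20 May 2001 (constructed dates)
        records.append(("alice", f"2001-05-{day:02d}T09:05:00", 2_000_000 + day * 50_000))
        records.append(("alice", f"2001-05-{day:02d}T14:30:00", 2_200_000 + day * 50_000))
        records.append(("bob", f"2001-05-{day:02d}T08:10:00", 500_000 + day * 10_000))
        records.append(("bob", f"2001-05-{day:02d}T17:45:00", 450_000 + day * 10_000))
    return records


def parse(record):
    user, ts, nbytes = record
    return user, datetime.fromisoformat(ts), int(nbytes)


def build_baseline(records, min_samples=10):
    """Per user: the set of hours seen in training plus mean/stdev of volume.
    Users with too little history get no profile at all, because a baseline
    built from a handful of records says nothing reliable about 'normal'."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for user, when, nbytes in map(parse, records):
        hours[user].add(when.hour)
        volumes[user].append(nbytes)
    baseline = {}
    for user, vols in volumes.items():
        if len(vols) < min_samples:
            continue
        baseline[user] = {
            "hours": hours[user],
            "mean": statistics.mean(vols),
            # a user whose volume never varies would give stdev 0; avoid dividing by it
            "stdev": statistics.pstdev(vols) or 1.0,
        }
    return baseline


def score(record, baseline, z_threshold=3.0):
    """Return the reasons a record deviates from the user's profile (empty
    list means normal). Unknown users are flagged rather than silently passed."""
    user, when, nbytes = parse(record)
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if when.hour not in profile["hours"]:
        reasons.append(f"hour {when.hour:02d} never seen in baseline")
    z = (nbytes - profile["mean"]) / profile["stdev"]
    if z > z_threshold:
        reasons.append(f"transfer volume z={z:.1f} above threshold {z_threshold}")
    return reasons


if __name__ == "__main__":
    base = build_baseline(constructed_training())
    for rec in [("alice", "2001-05-21T09:30:00", 2_100_000),   # routine
                ("alice", "2001-05-21T03:40:00", 48_000_000),  # 3 a.m., 48 MB: two deviations
                ("carol", "2001-05-21T10:00:00", 1_000)]:      # never profiled
        print(rec, score(rec, base))
```

Two design points matter more than the arithmetic. First, the training window is trusted implicitly: if an intruder was already active while the profile was built, the profile blesses that activity, so the window should be reviewed before it becomes the baseline. Second, an unknown user is reported, not ignored; an account that appears with no history is exactly the case a behavior tool exists to catch.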
Building the Framework
Integration is rapidly becoming the name of the game, and much of the security market is becoming commoditized. Firewalls, VPNs (virtual private networks), virus scanners and intrusion-detection systems are so common that it's hard to find an enterprise network that does not deploy at least one of them. More important, the feature sets are blending together, making product differentiation difficult at best. In addition, these security devices are becoming infrastructure that needs to be monitored and managed, just like your switches, routers and WAN connections. You don't need to be a router jockey to monitor a router and make sure it's behaving normally, nor must you be a security guru to monitor firewalls, VPNs and other security devices. Your network operations staff can do that. But security applications need to communicate with existing network-management applications. Often the integration point revolves around SNMP traps and syslog logging. Keep in mind that in their common forms (SNMPv1/v2c traps and syslog over UDP) neither carries any authentication, so the management traffic belongs on a segregated management network where a forged event can't be injected. Once in the enterprise-management systems, the events can be acted upon.
Automated event management is not a trivial task, and even once events are correlated you're limited to alerting and reporting within the enterprise-management framework. Some integrated security suites, such as Check Point Software's Opsec, Computer Associates International's eTrust and Network Associates/PGP Security's Active Security, provide varying degrees of automation, but the coverage is far from standardized.
Computer Associates' eTrust and, to a lesser degree, PGP Security's Active Security let you build fairly complex event conditions on which to take action. However, neither product has the breadth or depth of Check Point's Opsec program. Until best practices are worked out, automated security event management likely will be relegated to alerting and reporting. It's not yet feasible to take automated countermeasures, such as changing firewall rules, based on security events. There are too many unknown conditions -- an inaccurate intrusion detection, for example, or a forged syslog message or trap -- that could trigger an event, and a rogue automated response would cut off legitimate users and processes. If you do automate anything beyond a page, require corroboration from more than one kind of sensor, exempt your own critical hosts and make every block expire on its own.
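The guard rails just described, worked through as an added example (not code from the article or from Opsec, eTrust or Active Security): normalize firewall and IDS syslog lines into events, drop anything from a host that isn't a known sensor, correlate by source address within a time window, and only propose a block when independent sensor types agree, never for protected address space, and always with an expiry. The two syslog formats, the sensor names, the addresses and the thresholds are invented for illustration.

```python
"""Event correlation with guard rails before any automated response.

Added example, not code from the article or from any product it names.
The syslog formats, sensor names, addresses and thresholds are all
assumptions invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed syslog lines in two invented formats: a firewall that logs
# "deny" lines and a network IDS that logs "alert" lines. The line from
# "rogue" mimics a forged message from a host that is not a known sensor.
SAMPLE_LOG = """\
May 21 03:40:01 fw1 deny tcp 203.0.113.9:4021 -> 192.0.2.10:135
May 21 03:40:02 fw1 deny tcp 203.0.113.9:4022 -> 192.0.2.11:135
May 21 03:40:03 ids1 alert sid=1001 msg="RPC probe" src=203.0.113.9 dst=192.0.2.12
May 21 03:41:10 ids1 alert sid=2002 msg="possible overflow" src=198.51.100.7 dst=192.0.2.20
May 21 03:41:30 rogue deny tcp 198.51.100.7:1 -> 192.0.2.20:80
May 21 03:42:00 ids1 alert sid=1001 msg="RPC probe" src=10.0.0.5 dst=192.0.2.12
May 21 03:42:01 fw1 deny tcp 10.0.0.5:5555 -> 192.0.2.12:135
"""

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) deny \w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)
IDS_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) alert sid=\d+ '
    r'msg="[^"]*" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$'
)

# Assumptions: which hosts may feed the correlator (syslog over UDP and
# SNMPv1/v2c traps are unauthenticated, so everything else is dropped),
# which address space automation must never cut off, and how conservative
# the response is.
TRUSTED_SENSORS = {"fw1", "ids1"}
PROTECTED = [ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=5)
MIN_KINDS = 2                   # independent sensor types that must agree
BLOCK_TTL = timedelta(hours=1)  # any automated block expires on its own


def parse_line(line, year=2001):
    """Normalize one syslog line into an event dict, or None if unrecognized.
    Classic syslog carries no year, so one is supplied (assumption)."""
    for kind, rx in (("firewall", FW_RE), ("ids", IDS_RE)):
        m = rx.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"kind": kind, "sensor": m["host"], "time": when,
                    "src": m["src"], "dst": m["dst"]}
    return None


def correlate(events, window=WINDOW):
    """Per source address, the set of sensor kinds that reported it within
    `window` of that source's most recent event."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    kinds = {}
    for src, evs in by_src.items():
        latest = max(ev["time"] for ev in evs)
        kinds[src] = {ev["kind"] for ev in evs if latest - ev["time"] <= window}
    return kinds


def decide(src, kinds, now):
    """Alert by default; block only with corroboration, never a protected host."""
    if any(ip_address(src) in net for net in PROTECTED):
        return {"action": "alert", "reason": "protected address space"}
    if len(kinds) >= MIN_KINDS:
        return {"action": "block",
                "reason": "corroborated by " + ", ".join(sorted(kinds)),
                "until": now + BLOCK_TTL}
    return {"action": "alert", "reason": "single sensor type, possible false positive"}


def run(log_text):
    """Parse, drop untrusted senders, correlate, and return a verdict per source."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events = [ev for ev in events if ev["sensor"] in TRUSTED_SENSORS]
    now = max(ev["time"] for ev in events)
    return {src: decide(src, kinds, now) for src, kinds in correlate(events).items()}


if __name__ == "__main__":
    for src, verdict in run(SAMPLE_LOG).items():
        print(src, verdict)
```

On the constructed input, 203.0.113.9 is seen by both the firewall and the IDS and earns a one-hour block; 198.51.100.7 stays at an alert because the only corroborating "deny" came from an unknown host and was discarded; and 10.0.0.5 stays at an alert no matter what, because automation is never allowed to cut off internal address space. Those three outcomes are the difference between a correlator you can trust with a firewall rule and one that a single bad signature or a spoofed packet can turn against you.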
Network Security Mainstays
As fancy new security gadgets hit the market, it's easy to become enamored of their flash and slideware. But when push comes to shove, network security is all about access control across borders, regardless of how those borders are defined for a particular enterprise. This means, among other things, firewalls and VPNs must guard the perimeter.
There has been little earth-shattering news about firewalls and VPN technologies this past year. The boxes are getting bigger in terms of bandwidth, and high availability is becoming more common. But a firewall is a firewall is a firewall.
Even in the VPN market, the biggest news has been consolidation among the main players -- Enterasys Networks bought Indus River Networks, and Avaya bought VPNet -- along with Microsoft Windows 2000 now incorporating IPsec (IP Security) VPN support across all of its versions.
The exception is in multiunit management, especially given the proliferation of SOHO/ROBO (small office/home office and remote office/branch office) firewall and VPN devices hitting the market. You can't swing a dead cat without hitting one. While multiunit management typically has been aimed at service providers, large enterprises can benefit from it too. If you have home-based telecommuters or are moving your branch offices off dial-up, leased or ISDN lines and onto the Internet, you should have a firewall in place at each site and a VPN back to the home office. It pays to stick to a single product line, so you can manage all devices from a single console rather than learning several. Cisco Systems, NetScreen Technologies, Nokia and SonicWall have products that range from the SOHO to the central site, and each vendor's line can be managed from the same application.
Desktop firewalls for the enterprise are finally coming into their own, with centrally managed consoles, centralized logging, automatic policy and software updates, and in the case of a few products, integrated VPN. Products from F-Secure Corp., InfoExpress and Network ICE all protect the desktop regardless of where the actual machine is located, so mobile users get the same protection whether they sit behind your firewall or directly on the Internet. Yet desktop firewalls also have their problems. Network ICE's BlackICE Pro (now called BlackICE Agent), for example, sends alerts on every little event, which can quickly overwhelm support staff with phone calls about attempted break-ins over SNMP. Careful configuration and user education are critical to a successful rollout.
PKI What?
Was this the year of the PKI (public key infrastructure)? Or was that last year? We can't keep track. What we do know is that PKI is desperately in need of an application -- any application -- that will give this market a raison d'être. Sure, SSL (Secure Sockets Layer) is important, but VeriSign has that market pretty well locked up. The dream of PKI, and what will drive this market, is user-based. But try to find a commonly used application that does more than request a certificate. It wasn't until Microsoft Internet Explorer 5.0 and Netscape Communications Navigator 6 that even simple certificate validation was possible in the browser. And wouldn't you know it? Microsoft and Netscape implemented it differently.
Sure, you can use digital certificates with VPN, but that would be like hitting a very small nail with a very large hammer. You can get equivalent security assurance with a decent user-name/password policy. You can spend a year or two designing a PKI, rolling it out and retraining users, and longer still before you begin to recoup the investment. So while the products are easy to use and manage, offer improved management functionality and provide APIs to leverage PKI services, there doesn't seem to be much reason to use them yet.
Security products have matured at different rates. Firewalls and VPN technology are strong and fully developed; vulnerability products are technologically sound but need faster update mechanisms from vendors. And then there are relatively mature products, such as PKI, looking for a reason. Used wisely, these tools can only strengthen your network infrastructure.
Send your comments on this article to Mike Fratto at mfratto@nwc.com.