ICSA Gang Rolls out Security Specs

At a time when users are becoming increasingly concerned about protecting their precious data center applications, help may be at hand from an alliance of security vendors (see Security Vendors Join Forces).

More accustomed to locking horns than joining arms, F5 Networks Inc. (Nasdaq: FFIV), Imperva, NetContinuum Inc., and Teros unveiled a new set of standards for security products at the Computer Security Institutes annual conference in Washington, D.C.

In a nutshell, the vendors have defined a core set of requirements for security products, which have in turn been ratified by testing company ICSA Labs. Key criteria include ability to protect server operating systems and underlying Web application infrastructures.

The vendors will now submit their own products to ICSA for testing (albeit to a set of standards they created themselves) and have invited some of the security industry’s big-hitters to do the same. This is where things get interesting.

Cisco Systems Inc. (Nasdaq: CSCO), Check Point Software Technologies Ltd. (Nasdaq: CHKP), Juniper Networks Inc. (Nasdaq: JNPR), McAfee , and Symantec Corp. (Nasdaq: SYMC) have all been invited to take part in the security challenge. Teros and its new buddies have given Cisco et al until November 22 to notify ICSA Labs of their intention to take part.Will they or won’t they? At this stage at least, they are playing their cards close to their respective chests. “We just got hold of their testing criteria and we’re looking at it now,” says a spokesman for Check Point. “We’re in the process of evaluating it and making a decision.”

Juniper was equally noncommittal. Its spokesman says, “We support standards-based approaches and we will be interested to see how the initiative evolves.” No decision has yet been made on whether Juniper will take part, he adds.

Cisco, McAfee, and Symantec did not respond to NDCF's requests for comment.

So, why is all this so important? Web applications which drill down into data center systems are widely regarded as being especially vulnerable to security threats (see Security Approaches Day Zero).

Pete Lindstrom, research director at Spire Security warns that protecting applications and their underlying IT infrastructure is easier said than done. “The nature of the beast is that there are many different pieces of security that need to be addressed.””There are a number of different ways to pass data back to the server, for example, through a cookie or URL extensions,” he adds.

Marc Bouchard, senior program director at Meta Group Inc. believes that the initiative will be useful for users, regardless of the outcome. “Just raising awareness that there is a unique set of requirements for the application firewall market is of benefit in itself,” he says.

Lindstrom agrees. “The whole purpose of this is to demonstrate the nature of the threats in the Web world.”

— James Rogers, Site Editor, Next-gen Data Center Forum