Survivor's Guide to 2005: Security

The best way to safeguard your network is with centralized management and multilayered protection. But how much of the P.R. you read is hype? Learn to tell the marketing babble

December 17, 2004

12 Min Read

Get Active

Intrusion detection systems--the primary source of warnings that attacks are under way--are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

[Figure: Vulnerabilities on the Rise]

The mission of IDS is changing, however. Many IDS vendors are improving their products so that the IDS doesn't simply give you the details on an event that has occurred. Instead, the system will help prevent intrusions from happening in the first place. Even within the reporting realm, IDS is becoming more active as anomaly detection, vulnerability assessment and forensics come under the broad label of IDS's reportable events. The growing number of attacks and attack types makes it more important for the IDS to correlate with logs and reports from other network-security components for context and ease of interpretation. Schemes such as Cisco's Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) have, among many other capabilities, IDS and firewalls sharing some of the features of an IPS (intrusion prevention system), with the IDS feeding control information to a central authority, which then gives instruction to the firewall for connection reset and address blocking.

Hype or Understatement?

Last year, the verdict on IPSs was "don't believe the hype." You should maintain a healthy skepticism, but IPS has improved to the point that it may be able to solve many critical problems for some networks. No IPS is going to stop every attack--at least not if you still want legitimate traffic to move in and out of the network. If you think of an IPS as a tool that might keep the noise level of attacks down, you're looking at it from the proper perspective.

If your Web site is the economic backbone of your organization and a DoS attack or serious worm intrusion could have major consequences, it's time to consider an IPS to deal with these problems. As a piece of a multilayer security approach, an IPS can join the IDS, enterprise firewall, desktop firewall and application firewall to protect your key network assets.

For some, the blocking of even one piece of legitimate traffic is unacceptable. The IPS will remain a fringe player for these administrators. As an incremental tool that can help cut down on the volume of attack traffic, intrusion prevention from vendors including Check Point Software, Internet Security Systems, Lucid Security, Radware and TippingPoint should be seriously explored in 2005.

The multilevel approach to intrusion detection and prevention is mirrored in a multilayered approach to firewalling. The various governmental regulations, including HIPAA and GLB, make it business-critical for a company to protect customer and patient data from any theft or intrusions, and make it just as important that the company demonstrate that the protection is in place and effective.

At the same time, network perimeter firewalls are joined by application firewalls (especially Web application firewalls) to protect the infrastructure and databases behind the Web app. The regulatory climate, combined with the performance requirements of looking at the application-layer contents of the network packets, make an application firewall mandatory to ensure that the application is protected from malicious commands, and that the data behind the application cannot move outside the enterprise.

2004 was the year in which client-based firewalls became an accepted part of enterprise security. In 2005, they will increasingly move from being accepted to being required as one of the policies enforced for enterprise network connectivity. Outside the conventional perimeter, software firewalls installed on mobile clients help move protection outside the bricks and mortar of the corporate boundaries, to slow the spread of malware that can gain entry in Starbucks, traverse a VPN and run loose in the network core.

Access Control Using Switches

Core infrastructure components are taking greater roles in their own protection as vendors move firewall blades to core switches. The intelligent integration of security functions, controlled by software that enforces intelligent policies, will be one of the great migrations of the year.

Policy-enforcement software isn't new, but tighter integration of that software into network infrastructure is. Ask any vendor claiming to have an enterprise policy framework how many companies have partnered with them to let their products be queried and/or controlled by the central management console.

The partnership issue should be more readily resolved by the industry giants that have introduced their own policy and access-control systems. Both Cisco Systems with its NAC and Microsoft with NAP are building network-control frameworks on the basis of technology and products that are in the field, though neither company expects to have production deployments before the middle of the year. Although Microsoft and Cisco have competing plans for controlling network security, they are partners in each other's visions and are building alliances among security and infrastructure vendors for products that will let them be interrogated and controlled by the central security application. These are long-term strategies, and anything that happens in 2005 will be but a first step.

At the same time, agencies and organizations have begun the work of building standards--the National Institute for Standards and Testing published ANSI INCITS 359-2004 (for role-based access control) in February 2004, and other organizations have committees beginning to look at the requirements for standards.

If your network is built around the products from Cisco or Microsoft, this will be a good year to begin pilot projects with NAC or NAP. If your company has built its network on other vendors, wait and see which of the frameworks gains traction, or if they begin to grow toward one another by the end of the year.

Ultimately, standards committees will deal with the specifics of how programs and infrastructure should communicate to create a single security entity. In the meantime, Microsoft and Cisco say that their customers can't wait for standards, so they'll move forward with products and wait for standards to catch up.

All these developments start with authentication. Although, in some ways, authentication is the boring brother-in-law of the security world, there is room for excitement as the world moves closer to the promised nirvana of single sign-on. SSO across a global enterprise and all its myriad applications isn't going to happen in 2005 and probably won't happen in 2006. The pieces aren't yet in place for genuine, universal, single sign-on, but authentication vendors are continuing to push in that direction at the insistence of their customers.

Data: The Critical Network Asset

All the discussion of infrastructure and components, while important, misses the basic point of the enterprise network: The most valuable ingredient in the enterprise is data, not infrastructure. This statement of the obvious needs to be reiterated, now that the growing number of laws and regulations taking effect enforce an understanding of just how valuable customer information can be.

HIPAA, GLB and a host of state laws have put government weight behind the common-sense notion that personal information needs to be protected. The basic protection itself is a key aspect, but the record-keeping and audit data to prove to inquiring auditors or attorneys that the law has been complied with have brought even more significant changes to the nature of network documentation. The old computer industry reluctance to document is giving way to a new diarist spirit to keep lawsuits at bay.

To comply with regulations, data must be protected from external threats, and even successful intrusions cannot result in the release of protected data. Therefore, IDS and IPS must look at traffic flowing in both directions in order to defend the database and its supporting applications from giving up critical data.
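The bidirectional inspection described here, together with the IDS-to-central-authority-to-firewall handoff sketched in the NAC/NAP discussion above, as an added Python example (not code from the article or from any vendor named in it). The flow records, signatures and addresses are constructed for illustration; inbound rules look for attack traffic, outbound rules look for protected data leaving.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample flows: (direction, src, dst, payload). Not real traffic.
SAMPLE_FLOWS = [
    ("inbound",  "203.0.113.7",  "10.0.0.5",     "GET /files/../../secret.cfg HTTP/1.1"),
    ("inbound",  "198.51.100.4", "10.0.0.5",     "POST /register ssn=987-65-4321"),
    ("outbound", "10.0.0.5",     "198.51.100.4", "HTTP/1.1 200 OK <html>registered</html>"),
    ("outbound", "10.0.0.5",     "203.0.113.7",  "patient=4421 ssn=123-45-6789 dob=1970-01-01"),
]

# Constructed signatures, one per direction: inbound = attack traffic,
# outbound = protected data (here, an SSN-shaped field) leaving the enterprise.
INBOUND_SIGS = {"path-traversal": re.compile(r"\.\./\.\./")}
OUTBOUND_SIGS = {"ssn-pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}


@dataclass
class Alert:
    rule: str
    direction: str
    external_addr: str  # the outside address the central authority hands to the firewall


def inspect_flow(direction: str, src: str, dst: str, payload: str) -> Optional[Alert]:
    """Match one flow against the signature set for its direction only."""
    sigs = INBOUND_SIGS if direction == "inbound" else OUTBOUND_SIGS
    for name, pattern in sigs.items():
        if pattern.search(payload):
            # Inbound: the attacker is the source. Outbound: the recipient is the peer.
            return Alert(name, direction, src if direction == "inbound" else dst)
    return None


def inspect(flows) -> List[Alert]:
    """IDS step: inspect every flow in both directions and collect alerts."""
    return [a for a in (inspect_flow(*f) for f in flows) if a is not None]


def build_block_list(alerts: List[Alert]) -> List[str]:
    """Central-authority step: collapse alerts into the addresses the firewall should reset and block."""
    return sorted({a.external_addr for a in alerts})


if __name__ == "__main__":
    found = inspect(SAMPLE_FLOWS)
    for a in found:
        print(f"{a.direction:8} {a.rule:15} peer={a.external_addr}")
    print("firewall block list:", build_block_list(found))
```

Note that the inbound form submission carrying an SSN raises no alert: the data pattern is only a concern when it travels outbound, which is why direction is part of every rule.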

Portable Storage

Data walking away isn't the only problem with feet in the security manager's new year. Data storage devices that can take data away are also a significant concern. "Thumb drives," small USB storage devices, have replaced floppy disks as the portable storage medium of choice for mobile professionals carrying presentations, software updates or small applications from office to office. Some information security officers have banned the little drives, but similar storage capabilities in MP3 players, PDAs and camera phones make banning the hardware a losing battle from the beginning.

The more successful approach is through the operating system--disabling the USB, FireWire or other external interfaces before a drive can be attached. A focus on host-side protection combined with a bit of social engineering is the right approach to making sure that your critical data stays put.

Taking the Rap

All the various migration paths have a similar basis--they're taking the conventionally reactive aspects of network security and making them increasingly proactive, protecting the network and its data as threats appear, rather than simply describing the attacks for future defense. The current scale and sheer number of attacks are requiring the network to become an active partner in defense, responding to many threats on its own so that network security personnel can concentrate on highly complex intrusions.

With all the migrating bands of functions, the undeniable result is a greater reliance on core network infrastructure to control access of both users and applications to the network's resources. Cisco, Enterasys and other vendors have been incorporating firewall and IDS functionality into core switches, to the point that you can hear some vendors talk about a day when security isn't a separate product area at all, but rather a set of features built into core infrastructure components. Moving bandwidth shaping, access control and the command communications sent to other components in response to intrusion incidents into the basic infrastructure makes sense, and will continue at an increasing pace in 2005.

The last point for 2005 doesn't involve a specific product or technology, but encapsulates all the changes already discussed. It's a name change for what you do as you use the IDS, IPS, policy framework or application firewall. Instead of network security, more professionals are becoming involved in data assurance, network assurance or even business assurance, helping to protect the information against network intrusion, physical disaster or device theft. The move from security to assurance indicates that the professional is concerned about network performance, physical access and disaster response, in addition to the conventional focus on the IDS and firewall. In some ways, it marks a critical evolution as the security professional comes into the network administration team while security functions come into the network core. It's a pair of migrations that just makes sense for keeping the network secure and running for at least another year.

Curtis Franklin Jr. is a senior technology editor for Network Computing. He has been writing about the computer and network industries since 1985. Write to him at [email protected].

Security

1. How do you develop your security policies?

  • We work with security consultants to build policies.

  • We have an internal process to comply with regulatory requirements.

  • We have an internal process to build policies based on best practices.

  • We tell people not to sticky-note their password to their monitor.

  • We keep a copy of our resumes in our desk drawers in case of serious attack.

2. Which best describes your company's attitude towards network security?

  • If I told you, I'd have to kill you.

  • A little paranoia is a good thing.

  • We think we're making our users just frustrated enough.

  • Why would anyone want to see our network?

  • We have a network?

3. How is your company dealing with mobile workforce security?

  • We have a combination of end-point security products that will be integrated into a policy framework by Q3 of 2005.

  • We've spot-welded all the laptops to desks in the office.

  • We've upgraded to Windows XP SP2 for all laptops.

  • We've upgraded to Windows 95 for all laptops.

  • I don't know where our office is anymore.

4. What authentication policies are enforced by your company?

  • We use strong 2-factor authentication, and biometrics are in field trials.

  • We use 2-factor authentication.

  • We require strong passwords.

  • We require passwords.

  • We suspect that most of our users are actually people.
