With every new technology and threat, security becomes more complicated. Meanwhile, it becomes more important as organizations rely increasingly on their networks and data.
A growing number of tools, from intrusion detection to virtual private networks to patch management, have become essential
parts of the network security tool kit. “”There’s no end of new tools coming out to placate the concerns of the CIO,”” says Peter Hillier, senior consultant on information security at Montreal-based consulting firm CGI Group Inc.
As that tool kit grows, it is becoming essential to know how to manage the assortment of security resources, and use them together effectively.
And some say effective security requires co-operation and communication among the various security components. Some hold that combining two or more security functions in a single product is the best approach; others advocate standards allowing best-of-breed tools from multiple vendors to co-operate. Some say technology links among the products are not so important, but everything in the tool kit must fit into a carefully considered security strategy.
Examples of the integration trend include intrusion prevention systems. These are essentially firewalls combined with intrusion detection systems in one box. Jaclynn Anderson, research analyst at In-Stat/MDR in Scottsdale, Ariz., says that to qualify as intrusion prevention, a product must actually stop attacks and do so fast enough that it doesn’t unduly slow legitimate traffic. The idea of intrusion prevention is to deal with the attack rather than bombarding the network manager with mostly insignificant alarms, Anderson says.
Some say each asset should do one job well
Tom Slodichak, chief security officer for security reseller WhiteHat Inc. in Burlington, Ont., says intrusion prevention systems are a response to some problems with intrusion detection tools. Some can change network settings and drop sessions, while the makers of others say such capabilities give the technology too much power. “”That whole area to my mind is in a state of flux,”” Slodichak says.
In general, Slodichak doesn’t advocate combining security functions into one product, saying each asset should do one task very well. But he acknowledges there is a place for multi-function packages. While large organizations can afford to buy and manage a complete range of best-of-breed security tools, smaller organizations may find integrated products the only viable solution, and “”it’s much, much better than not doing anything at all,”” Slodichak says.
Richard Kagan, vice-president of marketing at Fortinet, a Sunnyvale, Calif., maker of software that combines anti-virus and firewall capabilities, says integration means better security. For instance, he says, if an intrusion detection system spots an attempt to penetrate the network, it should notify the firewall, which can block the port the intruder is using. But Kagan questions the ability of standards and interfaces among separate tools to provide this kind of co-operation.
“”It was a good idea before you needed six or eight or 10 systems.”” Now it’s too complex, and the better answer is to integrate multiple functions in one system.
Symantec Corp. takes this approach by combining multiple security functions into packages such as its Gateway Security product, which combines firewall, anti-virus, intrusion detection and other security functions. Kevin Krempulec, Symantec’s corporate manager for Canada, says such a bundle can offer better security through co-operation among the functions, plus convenient installation and management.
Another view is that an assortment of tools can share information and co-operate using standard interfaces.
“”Security vendors don’t like to play nice with each other,”” says John Roese, chief technology officer at Andover, Mass.-based Enterasys Networks Inc.
Roese gives the example of an unnamed Boston customer that had all the right perimeter security and anti-virus software in place and was unaffected by the SQL Slammer worm — until a contractor plugged an infected notebook directly into an Ethernet jack in a company conference room. “”The technology wasn’t in the right place at the right time, so it wasn’t able to share information or control quickly enough,”” Roese says. “”All the basic tools are there, but the co-ordination or interaction allows these gaping holes.””
Roese says Enterasys is trying to facilitate interaction by opening the interfaces in its network technology so security software can exchange information through the network infrastructure.
Check Point Software Technologies Ltd. of Tel Aviv has gone down the same road with its Open Platform for Security (OPSEC), a set of application program interfaces (APIs) that let hardware and software from other vendors work with Check Point’s products. Shankar Swamy, strategic marketing manager at Check Point, says OPSEC coupled with marketing partnerships lets Check Point offer small and medium-sized businesses an out-of-the-box solution without building everything itself.
In February, IBM and Cisco Systems Inc. said they would work together to integrate security-related products, helping customers avoid problems that come with piecing together disparate products and services. If vendors integrate their products, their customers don’t have to pay someone to do it for them, says Chris O’Connor, director of corporate security strategy at IBM. O’Connor adds that both IBM and Cisco have strategies of co-operation and open APIs.
It’s hard for one console to show all security issues
Slodichak at White Hat believes the industry will gradually move toward standards and interfaces that let disparate security tools co-operate. Today, he notes, there are log aggregation systems that can correlate alarm information from different tools in an effort to make sense of network security issues. Some day, he hopes to see security consoles, much like those used in network management, that will give a complete real-time view of what’s going on.
“”The problem there is that security is multidimensional and it’s hard to represent,”” he says.
Robert Reimer, a partner at PricewaterhouseCoopers LLP, Canada, and leader of the consulting firm’s information security practice, says some vendors are now building tools that pull together log information from assorted security products to build security “”dashboards.””
While there is much talk of integrating security tools, Michael Vien, chief information security strategist for Whole Security Inc. of Austin, Tex., argues integration can weaken the individual products.
“”When you attempt to amalgamate all these things into one, one vulnerability typically brings down the whole thing.”” Vien suggests that training users properly may matter more than building links between security tools.
While a good security tool kit is essential, skills are at least as important, says Sondra Schneider, chief executive of Security University, a security training firm based in Stamford, Conn. Schneider says it’s important that users know how to use the tools, not only separately but also together.
And users need education as much as IT people do, though in a different way. Hillier observes that the only reason the MyDoom virus spread was that people opened e-mail attachments they shouldn’t have opened. Well-intentioned user error is still one of the greatest threats to network security.
Physical security is also too often neglected. Osama Arafat, chief executive of Toronto-based Q9 Networks Inc., which provides outsourcing services from data centres in Toronto and Calgary, says too many organizations install security software on servers and then place them in rooms secured with cheap locks that are easily foiled. He recalls seeing one such server room where the combination was almost obvious from the amount of wear on some buttons of the push-button lock. Q9’s data centres use a biometric access-control system with security guards at the entrance.
A comprehensive security policy is critical
Assembling and managing a complete security tool kit can be a daunting task for network managers, particularly in smaller organizations. One alternative is to outsource the job. White Hat provides virus and spam screening services, for instance. Hillier adds that outsourcing security also has the desirable effect of separating security duties from infrastructure responsibilities. Outsourcing contractors like Q9 host customers’ equipment in their own facilities, providing strict physical security, redundant power and other facilities and 24-hour-a-day, seven-day-a-week support that smaller organizations can’t afford on their own, Arafat says.
Whether security tools are in-house or outsourced, integrated or distinct, one thing is clear: the pieces should fit into a broader security strategy. Reimer says security should start with a comprehensive policy, based on assessment of business needs and threats and backed by senior management, which then leads to policies and to the choice of specific tools — “”really starting off with that strategy and vision first, which is appropriate to the nature of the business.””