It’s hard to argue with the plug-and-play promise of the latest generation of network security appliances. For enterprises of any size, the idea that security could be as simple as dropping a small, relatively inexpensive, preconfigured box into the network is very attractive, indeed. “As far as buying security appliances went, that was a big consideration for us,” says Stephen Irish, executive vice-president and chief operating and information officer at Lowell, Mass.-based Enterprise Bank and Trust. “In many ways it’s much cleaner, and we don’t have to have teams of people deploying security systems.”
With that in mind, it’s no surprise that network security appliances, promising a heady combination of both data protection and ease of use, have become a hot commodity. Appliance vendors now find themselves responding to a market demand that simply didn’t exist two years ago.
“Security appliances with specific purposes are being gobbled up,” says Gary Miliesky, chief executive officer of PredatorWatch, a security monitoring appliance vendor. “Everybody is doing security software, but the idea behind appliances is to put it into a turnkey device. That means less configuration for the IT manager.”
It’s not like network appliances themselves are such a novel idea, however. Most of the equipment that populates our networks, like routers, gateways and firewalls, began life as server applications. It was only when the traffic demands outstripped the capacity of the servers that these functions were offloaded to discrete, stand-alone devices.
“In the early days, routing was done on Sun workstations,” says Andy Salvo, director of product management at 3Com’s security appliance division TippingPoint. “You can’t do that when you scale up the network size and complexity, and the same thing holds true for security functions.”
The most common security appliance applications — network access control and monitoring and intrusion protection — could run quite comfortably on a server if you have a T1 connection and don’t have a high volume of traffic or a large number of IP addresses to watch. Raise the network bar a bit, however, and you’ll introduce a tight bottleneck.
Access control appliances typically scan systems for security holes as they log into the network. PredatorWatch’s appliances watch for common vulnerabilities and exposures (CVEs), which account for the vast majority of security breaches. These have been documented by Mitre Corp., a non-profit security research company, for the U.S. government. The appliance logs all network connections by wired and wireless devices and can respond to threats automatically. When a CVE is detected, it notifies a network administrator and quarantines the offending device.
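The admission check described above, written out as an added example (this is not PredatorWatch’s code or anything from the article): a device joining the network reports the software it runs, the check compares that inventory against a small CVE list, logs every connection, and returns ALLOW or QUARANTINE together with an administrator notification. The CVE identifiers, product names, version ranges and device records below are constructed placeholders, not real advisories.

```python
"""
Added example, not PredatorWatch's or the article's code. A minimal
admission-control (NAC-style) check: match a joining device's software
inventory against a constructed CVE list, log the connection, notify the
administrator and quarantine on a hit.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class CveEntry:
    cve_id: str     # constructed placeholder id, not a real CVE
    product: str    # affected product name
    fixed_in: str   # first version that is no longer affected


@dataclass
class Device:
    host: str
    ip: str
    link: str                   # "wired" or "wireless"
    software: Dict[str, str]    # product -> installed version


@dataclass
class Decision:
    host: str
    action: str                         # "ALLOW" or "QUARANTINE"
    findings: List[str] = field(default_factory=list)


# Constructed CVE list standing in for the Mitre CVE feed an appliance would load.
CVE_DB: List[CveEntry] = [
    CveEntry("CVE-0000-0001", "ssh-server", "7.4"),
    CveEntry("CVE-0000-0002", "web-server", "2.4.10"),
]


def findings_for(device: Device, cve_db: List[CveEntry]) -> List[str]:
    """Return one finding per CVE whose affected product runs an older version."""
    hits = []
    for cve in cve_db:
        installed = device.software.get(cve.product)
        if installed is None:
            continue  # product not present on this device
        if parse_version(installed) < parse_version(cve.fixed_in):
            hits.append(f"{cve.cve_id} ({cve.product} {installed} < {cve.fixed_in})")
    return hits


def admit(device: Device, cve_db: List[CveEntry], log: List[str]) -> Decision:
    """Log the connection; quarantine and notify if any CVE matches."""
    hits = findings_for(device, cve_db)
    action = "QUARANTINE" if hits else "ALLOW"
    log.append(f"{device.link} {device.host} {device.ip} {action}")
    if hits:
        log.append(f"NOTIFY admin: {device.host} quarantined: {'; '.join(hits)}")
    return Decision(device.host, action, hits)


# Constructed sample devices: one patched, one running an affected version.
SAMPLE_DEVICES = [
    Device("branch-ws-01", "10.0.1.15", "wired",
           {"ssh-server": "7.4", "web-server": "2.4.12"}),
    Device("visitor-laptop", "10.0.9.77", "wireless",
           {"ssh-server": "7.2"}),
]


def run_sample() -> Tuple[List[Decision], List[str]]:
    log: List[str] = []
    decisions = [admit(d, CVE_DB, log) for d in SAMPLE_DEVICES]
    return decisions, log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The version comparison is deliberately simple (dotted integers only); a production appliance has to cope with vendor-specific version schemes, backported fixes and products identified by CPE rather than by name.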
Access control and monitoring is essential in this day of pervasive computing and mobility, says Victoria Sodale, a research analyst with the In-Stat Group.
“People go home with the company laptop on the weekend, where they have a broadband connection and unrestricted access to file-sharing and spyware,” Sodale says.
“You have to have some kind of process in place to deal with the vulnerabilities that they introduce to the corporate network when they come back on Monday morning.”
Even if the network doesn’t have wireless devices popping in and out, access control appliances can run quietly in the background, waiting for changes to the network environment. For Enterprise Bank and Trust, with 280 employees in 14 branches, each with at least one workstation, as well as 80 servers, switches and routers, that can make network maintenance and upgrades a whole lot easier, Irish says.
“We actually use it most heavily when we’re deploying new servers and when new vulnerabilities are discovered,” he says.
“We have one PredatorWatch Auditor that scans for vulnerabilities. If the remediation requires a patch, then we tread lightly and test it first, of course. But if it’s a question of configuration changes, then we can get to those right away.”
Rather than scanning systems, intrusion protection systems (IPSs) are designed to check all incoming and outgoing network traffic. Inserted inline into the network, an IPS inspects packets to determine whether they are malicious or legitimate, protecting network hardware from targeted attacks and traffic anomalies.
“From an intrusion prevention perspective, the dilemma is that the things you’re looking for are like a needle in a haystack,” Salvo says.
“A firewall is simple; it blocks everything and only lets a few things through. An IPS is different; it lets through most traffic but blocks malicious code. The thing is that you need great throughput for that to work seamlessly.”
That is the whole idea behind offloading IPS functions to a stand-alone appliance. The device can be optimized for gigabit throughput and it can inspect incoming and outgoing packets without penalizing server or network performance. Ultimately, the appliance offers efficiency and turnkey functionality that simply isn’t available in a server application.
“You can run security on a network without an IPS,” Salvo says. “But 99 times out of 100, when companies first take an IPS and put it into their networks and see hundreds of thousands of blocked attacks, their eyes get wide, their hearts start pumping and the IPS quickly becomes an essential device. I think the key term is ‘effective’ security.”
For all their promise, however, network security appliances are not a panacea. They might be plug-and-play, but they’re not fit-and-forget. They can enable effective security, but they are not effective in and of themselves unless you take the time to read the reports, perform the remediation and, above all, configure the devices so they actually work.
Security is still more complicated than dropping a new box into the network.
“If you have an intrusion prevention system, you need to turn your blocking protection on and know how to configure it,” Sodale says.
“The problem is that many organizations don’t, or they find that the default settings block everything and they turn it off. But if you’ve gone to the trouble of installing an IPS and you’re not using blocking protection, then why bother?”
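Salvo’s contrast between the two policy models (a firewall that denies everything except a short allow list, an IPS that forwards everything except traffic matching a signature) and Sodale’s point that an IPS with blocking switched off only alerts, shown together in one added example. This is not TippingPoint’s or any vendor’s code; the packets, ports and signature patterns are constructed sample data.

```python
"""
Added example, not from the article or any vendor. Two policy models over the
same constructed packets: default-deny (firewall) and default-allow-with-block
(IPS), with the IPS run once with blocking enabled and once with it off.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Constructed signatures: (name, byte pattern treated as malicious for this demo).
SIGNATURES: List[Tuple[str, bytes]] = [
    ("sample-nop-sled-marker", b"\x90\x90\x90\x90"),
    ("sample-sql-probe", b"' OR 1=1"),
]


def firewall_verdict(pkt: Packet, allowed_ports: Set[int]) -> str:
    """Default deny: only explicitly permitted destination ports pass."""
    return "PASS" if pkt.dst_port in allowed_ports else "DROP"


def ips_verdict(pkt: Packet, blocking_enabled: bool, alerts: List[str]) -> str:
    """Default allow: forward unless a signature matches.

    A match always raises an alert; it is only dropped when blocking is on.
    """
    for name, pattern in SIGNATURES:
        if pattern in pkt.payload:
            alerts.append(f"{name} from {pkt.src} -> port {pkt.dst_port}")
            return "BLOCK" if blocking_enabled else "PASS"
    return "PASS"


def run(packets: List[Packet], allowed_ports: Set[int],
        blocking_enabled: bool) -> Tuple[List[str], List[str], List[str]]:
    """Return (firewall verdicts, IPS verdicts, IPS alerts) for a packet list."""
    alerts: List[str] = []
    fw = [firewall_verdict(p, allowed_ports) for p in packets]
    ips = [ips_verdict(p, blocking_enabled, alerts) for p in packets]
    return fw, ips, alerts


# Constructed traffic: benign HTTPS, a malicious HTTP request, benign RDP.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 443, b"\x16\x03\x01client-hello"),
    Packet("203.0.113.9", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    Packet("198.51.100.4", 3389, b"\x03\x00\x00\x13"),
]
ALLOWED_PORTS = {80, 443}


if __name__ == "__main__":
    for blocking in (True, False):
        fw, ips, alerts = run(SAMPLE_PACKETS, ALLOWED_PORTS, blocking)
        print(f"blocking={blocking}: firewall={fw} ips={ips} alerts={alerts}")
```

Note what each model misses on its own: the firewall passes the malicious request because port 80 is allowed, and the IPS passes the RDP packet because nothing in it matches a signature. With blocking off, the second run shows the situation Sodale describes, an alert in the log and the traffic delivered anyway.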