IT Strategy Guide: Network Security

Inside
Introduction 2
NAC vs. NAP 3
Big Picture Security 5
The Great Intrusion Prevention Debate 10
Federation Takes Identity to the Next Level 13
Manage Network Access Without Cutting Productivity 14
Password Protection: A Constant State of Insecurity 15
Building the Intelligent Network 17

Introduction
How do you secure your downtown office? You don’t let unauthorized people wander past the lobby without an escort or an ID badge. In other words, you quarantine people you don’t trust.

How do you protect your network? Perhaps the same approach would work: isolating traffic, even if it originates inside the firewall, unless the user and network device are recognized and authorized.

While the devil can be in the details, a security scheme requires looking at the forest as well as individual trees. After all, robust protection needs more — a lot more — than just a firewall and anti-virus software. Today’s multifaceted threatscape requires a carefully planned and coordinated security event management and incident management approach. The big-picture answer to the big-picture security question: Integration. We’ll show you how, and why.

We’ll also examine two of today’s most controversial topics in network security: intrusion prevention systems (IPS) and federated identity management. Is IPS technology a point solution, or a central part of a security scheme? Is federated identity management the best way to handle large-scale user authorization in an increasingly collaborative world, or is it a security loophole waiting to trap an unwary IT department? It’s a tough question.

More tough questions about security often come from line-of-business managers and executives who want a secure network but can’t afford any impact on employee productivity. If technologies like NAP/NAC, IPS and federated identity cut off users or LAN segments, what happens when that goes wrong? While isolating users who might have a virus might seem like a good idea, it might also prevent people from getting their work done. Striking a balance between productivity and security is a difficult but critical task when it comes to locking down your network, and the answer will depend a lot on your company’s priorities and policies.

Despite the typical emphasis on LAN security, your employees are also exposing your company to risk every time they use a password-protected Web portal, or log onto e-mail from a hotel room using a non-encrypted connection, or even surf from a public WiFi hotspot. The enterprise is in a constant state of insecurity, largely due to bad password policies – not just in choosing them, but in enforcing policies that allow plain text passwords to be transmitted only over encrypted connections. Bad, bad, bad… password sniffing is fast, easy, and dangerous. What are you going to do about it?

What it all comes down to is building an intelligent network that is proactive in regards to issues like reliability, scalability, performance and security. From application directories to intelligent switches to XML message brokers, there’s a lot that your network can do to help solve today’s biggest IT problems. We’ll close out this IT Strategy Guide with a discussion of network intelligence, and how it can make you smarter.

— Alan Zeichick
InfoWorld IT Strategy Guide

Big Picture Security
ment to combine a number of distinct but closely related security technologies — such as patch management, vulnerability management, and incident management — that have gained wide adoption in the enterprise in recent years.

The drive for greater integration also stems from a range of new federal and state regulations covering data integrity and privacy, such as Sarbanes-Oxley and California’s SB1386. “You have a number of regulations that have emerged that say, ‘You have to be looking for bad things in your environment, and when you notice them, you have to tell us about them and implement best practices,’ ” says John Summers, global director for managed security services at Unisys.

What’s needed is a fusion between SEM or SIM products and data on asset criticality — coupled with integrated functions such as identity and access management, user provisioning, change and configuration management, and software patch management.

One IDC report called for a higher degree of integration between system and security management products, which would help centralize control over net-

Taking the Long View
As it stands, products with that level of integration are still several years away. But companies are beginning to pull together some key pieces — such as connecting the findings of vulnerability scans with security alerts and intelligence on software and hardware asset values — so that companies can prioritize threats to critical systems.

“Say you have a system in an area sensitive to the Sarbanes-Oxley regulations, like a general ledger,” ArcSight’s Lunetta says. “If you’re in the last two weeks of the quar-

Security Central
Security management platforms aggregate threat information from myriad devices across the organization and consolidate it into reports and real-time dashboardlike displays.
[Figure: components labeled External threat warning networks, IDS/IPS, Firewall, Agent data manager, Aggregation and correlation engine, and Notifier.]
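The asset correlation described above (joining vulnerability-scan findings with security alerts and asset-value data so that threats to critical systems rise to the top) is easy to state and worth seeing in working form. The following is an added example, not code from the article or from any of the vendors it names; the hostnames, vulnerability ids (VULN-0001, VULN-0002) and the 1-to-5 criticality and severity scales are constructed placeholders.

```python
"""Asset-aware alert correlation of the kind the article describes: IDS alerts
are joined with vulnerability-scan findings and asset-criticality data so that
alerts against systems that are both exposed and business-critical rise to the
top. Added example with constructed sample data; not any vendor's product."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    host: str
    criticality: int   # 1 (lab box) .. 5 (e.g. a Sarbanes-Oxley-relevant general ledger)
    owner: str


@dataclass
class Finding:
    """One row from a vulnerability scan."""
    host: str
    vuln_id: str
    severity: int      # 1..5 as reported by the scanner


@dataclass
class Alert:
    """One event from an IDS/IPS sensor."""
    src: str
    dst: str
    signature: str
    vuln_id: Optional[str]   # vulnerability the signature targets, if the sensor maps it


@dataclass
class Incident:
    alert: Alert
    asset: Optional[Asset]
    exposed: bool
    score: int
    reason: str


def correlate(alerts: List[Alert], assets: List[Asset], findings: List[Finding]) -> List[Incident]:
    """Score each alert by asset criticality x confirmed exposure, highest first."""
    inventory: Dict[str, Asset] = {a.host: a for a in assets}
    exposure: Dict[str, Dict[str, Finding]] = {}
    for f in findings:
        exposure.setdefault(f.host, {})[f.vuln_id] = f

    incidents: List[Incident] = []
    for alert in alerts:
        asset = inventory.get(alert.dst)
        finding = exposure.get(alert.dst, {}).get(alert.vuln_id) if alert.vuln_id else None
        if asset is None:
            # An alert against a host nobody inventoried is itself a finding.
            score, exposed, reason = 1, False, "target not in asset inventory; triage manually"
        elif finding is not None:
            score, exposed = asset.criticality * finding.severity, True
            reason = f"target is vulnerable to {alert.vuln_id} (scanner severity {finding.severity})"
        elif alert.vuln_id is not None:
            score, exposed = 1, False
            reason = f"target not vulnerable to {alert.vuln_id}; likely noise"
        else:
            # Signature carries no vulnerability mapping: fall back to asset value alone.
            score, exposed = asset.criticality, False
            reason = "no vulnerability mapping for signature; ranked by asset value"
        incidents.append(Incident(alert, asset, exposed, score, reason))

    # sort() is stable, so equal scores keep their arrival order.
    incidents.sort(key=lambda i: i.score, reverse=True)
    return incidents


# Constructed sample data (hostnames and vulnerability ids are placeholders).
SAMPLE_ASSETS = [
    Asset("ledger-db", 5, "finance"),
    Asset("hr-portal", 4, "hr"),
    Asset("web-kiosk", 1, "facilities"),
]
SAMPLE_FINDINGS = [
    Finding("ledger-db", "VULN-0001", 5),
    Finding("web-kiosk", "VULN-0002", 3),
]
SAMPLE_ALERTS = [
    Alert("203.0.113.7", "ledger-db", "exploit attempt VULN-0001", "VULN-0001"),
    Alert("203.0.113.7", "hr-portal", "exploit attempt VULN-0001", "VULN-0001"),
    Alert("198.51.100.9", "web-kiosk", "exploit attempt VULN-0002", "VULN-0002"),
    Alert("198.51.100.9", "ledger-db", "port sweep", None),
    Alert("198.51.100.9", "10.9.9.9", "exploit attempt VULN-0001", "VULN-0001"),
]


def prioritized() -> List[Incident]:
    return correlate(SAMPLE_ALERTS, SAMPLE_ASSETS, SAMPLE_FINDINGS)


if __name__ == "__main__":
    for inc in prioritized():
        print(f"{inc.score:>3}  {inc.alert.dst:<10} {inc.alert.signature:<28} {inc.reason}")
```

The same signature firing against the general ledger and against the HR portal gets very different treatment: the ledger is both scanned-vulnerable and critical (score 25), while the portal is not vulnerable to that bug, so the alert drops to the bottom. An alert against a host missing from the inventory is kept rather than discarded, since the inventory gap is itself something the security team needs to know about.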
OpenService all offer SEM technology that performs asset correlation.

As for the hoped-for union of systems management and SEM/SIM products, companies today can enjoy some of the benefits of converged systems and security management, depending on which technology vendors they choose. BMC Software and Hewlett-Packard have partnered with security vendors in order to integrate security technology into Remedy and OpenView, respectively.

For example, Symantec said its DeepSight Alert Services and Incident Manager would integrate with BMC’s Remedy Help Desk and Action Request system, as part of BMC’s Business Service Management program. The union would allow internal IT and security teams to communicate more efficiently and to resolve security incidents and vulnerabilities.

In pursuing its partner approach to OpenView, HP looks at the system management platform as “a framework where
many different types of information are collected,” says Tony Redmond, vice president and CTO of HP’s security program office. “We’re fully aware that there are companies who have well-developed [software] suites, but we’ve said, ‘Let’s go put our innovation elsewhere and reward the hard work that our partners have done.’ ”

Rather than add new SEM features and interface layers to OpenView, HP is content to let third-party vendors be sources of data to OpenView, which can digest the handful of significant events that emerge from millions of alerts. Technology from vendors such as ArcSight, e-Security, and netForensics can exchange information with OpenView through software plug-ins, allowing OpenView to absorb events generated by those SEM products and enabling the SEM products to recognize network or system management events that originate in OpenView. Similarly, netForensics’ products can send alarms that will be registered in OpenView systems.

Inching Toward Interoperability
But the level of integration between SEM/SIM products and systems management platforms is not uniform, limiting customers’ choices. So, whereas ArcSight counts HP OpenView as a “platinum enterprise partner” and offers some integration with that system management platform, potential ArcSight customers who use Unicenter or Tivoli will have to travel a rougher road to integration, Lunetta says.

CA’s Weiss says that his company has produced more than 100 integration kits to link third-party technology products to its eTrust platform and offers a toolkit for customers to integrate custom applications with eTrust.

But organizational conflicts, rather than technical gaps, may be the biggest obstacle to greater integration of security management and systems management technology, says Chris Christiansen, vice president of security products at IDC. “You’ve got lots of people who have based their entire careers in certain areas, and they’re not anxious to give that up,” he says. For example, systems management staff are reluctant to give up control of automatic configuration and patch deployment to systems run by security management groups.

“If you’re a sys admin, you’re going to be territorial about the systems you manage,” Morgan Stanley’s Braunstein says. “You don’t want lots of people with root or enable [privileges].” Although they might not be able to simply merge network security and network operations groups, companies can improve the way these groups manage systems and the data they generate, making central control and automatic provisioning more than just a pipe dream.

Security From All Sides
Fiscal austerity is one of the main motivations for consolidating security functions, as enterprises look for ways to manage their network without adding head count. “Companies just don’t have the budget to hire people at the rate that they’re adding new hardware,” netForensics’ Guay says. “The days of having separate IDS and firewall support teams are gone.”

For companies interested in better network security management but wary about making a major IT investment amid so much change, MSSPs (managed security services providers) offer an appealing option. Such services offload the difficult management and integration problem to security experts and allow companies to aggregate security information from hundreds or thousands of security devices, providing better information on emerging security threats.

In the end, however, there’s no silver bullet for the security management problem. All-encompassing SEM solutions work for some organizations but not others. “To some extent, the multiplicity of answers is applicable to the complex nature of the problem. Some people might see [security management] as a chaotic situation, but others just see multiple ways of getting to the same solution,” IDC’s Christiansen says.

For companies exploring SEM/SIM technology, IBM’s Krishna advises a measured approach. “People try to do too much,” he says. “It’s like trying to juggle 50 balls. We tell our customers, ‘You can do all these hundreds of things, but let’s be focused and do two. We’ll get those under our belt, then do two more.’ ”

— Paul Roberts
The Great Intrusion Prevention Debate
complex conditions to detect both known and unknown exploits. These filters go beyond legacy string-matching signatures and are sometimes referred to as anomaly filters or vulnerability filters. They are designed to protect against any attack — known or unknown — that is crafted to exploit a particular vulnerability.

A key component to an IPS system is the filter-update service that comes with it. The service, measured by the timeliness, accuracy, and comprehensiveness of new filters, provides automated protection against threats as they emerge. This proactive security is unique to IPS and is a game-changing tool.

Today’s IPS systems are deployed as an overlay architecture onto existing networks. Soon, however, IPSes will be integrated within switch and router elements to provide the embedded infrastructure security you speak of. In effect, networking and security are converging. The new network node will offer the same packet-routing/switching functions of today’s networks but add a layer of intelligence that decides not only where a packet must go, but whether it should go at all. Networks will become much more dynamic than they are today by continuously adapting to filter out unwanted traffic based on old and new threats.

MR: All marketing claims notwithstanding, IPS technology is not proactive. A “filtering language” exists to predefine the conditions under which something is considered to be suspicious or malicious, therefore it is deterministic and based on foreknowledge of either how the protocol “should” work or based on knowledge of existing exploits against that protocol. What “leading-edge IPS filter languages” do is not substantively different than what we’ve been doing with the open source Snort engine (which can operate in IDS or IPS mode) for years now; we are also capable of detecting unknown exploits via both our rules language and protocol analyzers.

I’ll leave it for the reader to figure out if it’s a good idea to tear down network sessions automatically because a protocol decoder decided that a field size was larger than a guy in a lab thought it “should” be based on his limited understanding of the protocol and his limited exposure to the various clients and servers that implement it. Because in-line network IPSes have one analysis/response method and one practical position of deployment in order to bring their primary enforcement capability to bear, they are by definition point solutions no matter how deeply into the network you deploy them, just as firewalls are point solutions even though they are typically deployed deeply into today’s networks.

True proactive security would be able to do more than just identify the conditions under which an attack is occurring — it would be a pervasive layer of intelligence overlaid on the network that could understand the network composition and enforce policy by properly orchestrating the capabilities of multiple disparate technologies as well as its own native detection and blocking capability. Relying solely on the timely updating of a signature service in order to have coverage presupposes that all possible attack vectors can be intercepted and all variations of an attack can be defined and detected before a compromise results. Not to mention that the signature collection would have to be comprehensive enough to cover every device, platform and application in your network.

Practically speaking, this is a pretty thin layer of protection, because it has to handle client- and server-side attacks, random file formats and e-mail attachments, encryption, segmentation, custom applications, and arbitrary protocols that your hardware-based protocol analyzers cannot know how to interpret beyond a simple regular-expression-analysis capability. True proactive security means you must block identifiable threats as well as enforce security policy so as to reduce exposure in the first place — in addition to detecting change that indicates compromise independent of threat detection. A proactive security solution should also be able to defeat a threat emerging from any point on the network, not just pre-identified ingress/egress points.

Most IPS companies ignore these points, leading end-users to believe that traditional, stand-alone IPS technology is capable of proactively protecting assets throughout the network, even though they have no context about the systems they are trying to protect. This positioning is not only false; it’s unfair to the end-user.

MWL: To be as polite and as succinct as possible: You are simply misinformed. I would strongly recommend you take a closer look at the state-of-the-art IPS. You’d be surprised to find several significant differences from your perception and reality.
Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede the existence of an exploit and proactively protect against any exploit targeting that vulnerability. You are, however, correct that writing good filters takes extensive research, requires very sophisticated skills and testing, and is an enormous differentiator between the various IPS solutions that exist today.

It’s typical for software-solution vendors to misrepresent a hardware solution as fixed and inflexible. Again, this is misinformation or, in the best case, laziness. Reality is that any hardware design — for example, a CPU — consists of hardware building blocks like the arithmetic control unit, the floating point unit, or another component that specializes in accelerating a particular operation. Specialization does not stop it from being programmable or flexible. A common, simplistic, and naïve perspective of IPS implementation would assume that each protocol is hard-coded into the hardware. State-of-the-art systems don’t do that at all. They boil down the problem into building blocks that are much more general and serve to accelerate processing for the specific task at hand.

Beyond vulnerability filters, IPSes use network profiling to characterize a particular network environment to determine what is “normal” behavior in that environment. Deviations from what is normal (without any knowledge of an exploit or vulnerability) can be alerted on, blocked, or throttled. Protection based on deep understanding of baselines and changes in network behavior is proactive by any definition.

Intrusion prevention has reached the point where the technology has been tested extensively and is now broadly deployed by hundreds of Fortune 500 customers worldwide. Talk to them. Start at the very top of the list.

When we pioneered IPS in 2002, IDS vendors unanimously claimed it was impossible. Most were quick to point out that false positives and latency would adversely impact the network. Ironically, these problems were created by inferior implementations of IDS products. Today every single IDS vendor offers an IPS. The problem is, not all IPSes are created equal, and indeed most of the shortcomings you highlight are true for the vast majority of these products, but not all. Second, it is common practice for naysayers to pick a corner case scenario that cannot be caught by today’s IPS products and to ignore the other 99 percent of cases that are fully covered.

MR: Misinformed? Please. Sourcefire, with the broader Snort community, invented the techniques for identifying threats targeting an underlying vulnerability — as opposed to simple exploit signatures. Regarding the hardware-vs.-software debate, knowing the performance of our IPS products on today’s advanced network platforms — near-zero latency at up to 8 gigabits — while also knowing that we can adapt infinitely more quickly and cost-effectively than hardware-based approaches certainly allows me to sleep much better at night.

When Sourcefire questioned those who declared IDS dead, it wasn’t because we saw no value in the blocking function. It was because we knew that the blocking function could never be 100-percent effective. Your acknowledgement of the need for behavioral anomaly detection argues that exact point. Leveraging persistent awareness of network assets — their composition, behaviors, vulnerabilities, and change — is at least as important as inspecting the traffic targeting those assets. So rather than simply following the herd, Sourcefire has both embraced IPS — one of our products won Best Intrusion Solution at this year’s RSA show — while also recognizing the limitations of any filtering technology in the broader landscape of network threat.

When the final chapter on this debate is written, I am confident that intrusion prevention will mean much more than just IPS.
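Both debaters' points about filter types can be checked in code: MWL's claim that a filter written against the vulnerability condition catches exploit variants that a string signature misses, MWL's network-profiling (baseline) approach, and MR's caveat about tearing down sessions because a field is longer than someone decided it "should" be. The following is an added example written for this page, not code from either company's product; the line protocol, the 64-byte SETNAME buffer bug, the filters and all traffic are constructed, and no real vulnerability is modeled.

```python
"""Three IPS filter styles from the debate, side by side: a string-matching
exploit signature, a vulnerability filter that tests the condition the bug
depends on, and a baseline (anomaly) filter. The protocol, the bug and the
traffic are constructed for this added example; no real product is modeled."""
import re
from statistics import mean, pstdev
from typing import Dict, List

# Hypothetical protocol: "<VERB> <argument>\r\n". Assume a server build whose
# SETNAME handler copies the argument into a 64-byte buffer without a length check.
NAME_LIMIT = 64
SETNAME = re.compile(rb"SETNAME (.*)\r\n", re.S)


def exploit_signature(msg: bytes) -> bool:
    """Legacy rule: matches the byte pattern seen in one published exploit."""
    return msg.startswith(b"SETNAME ") and b"\x90\x90\x90\x90" in msg


def vulnerability_filter(msg: bytes) -> bool:
    """Fires on the condition the bug needs (argument too long), whatever the bytes."""
    m = SETNAME.fullmatch(msg)
    return m is not None and len(m.group(1)) > NAME_LIMIT


class BaselineFilter:
    """Anomaly filter: learn typical argument lengths, flag far outliers."""

    def __init__(self, k: float = 3.0) -> None:
        self.lengths: List[int] = []
        self.k = k          # how many standard deviations above the mean counts as abnormal

    def learn(self, msg: bytes) -> None:
        m = SETNAME.fullmatch(msg)
        if m:
            self.lengths.append(len(m.group(1)))

    def check(self, msg: bytes) -> bool:
        m = SETNAME.fullmatch(msg)
        if m is None or len(self.lengths) < 2:
            return False
        threshold = mean(self.lengths) + self.k * pstdev(self.lengths)
        return len(m.group(1)) > threshold


def verdicts(msg: bytes, baseline: BaselineFilter) -> Dict[str, bool]:
    """True means the filter would block (or alert on) the message."""
    return {
        "exploit_signature": exploit_signature(msg),
        "vulnerability_filter": vulnerability_filter(msg),
        "baseline": baseline.check(msg),
    }


# Constructed traffic.
PUBLISHED_EXPLOIT = b"SETNAME " + b"\x90" * 100 + b"\r\n"  # pattern the signature was written for
VARIANT = b"SETNAME " + b"A" * 100 + b"\r\n"               # same bug, different bytes
LEGIT_LONG = b"SETNAME " + b"B" * 70 + b"\r\n"             # a real client with a long display name
NORMAL = b"SETNAME alice\r\n"


def trained_baseline() -> BaselineFilter:
    """Baseline learned from ordinary (constructed) logins on this network."""
    bf = BaselineFilter()
    for name in [b"alice", b"bobby", b"carolyn", b"dan", b"eleanor",
                 b"francis", b"gus", b"hannah", b"ivan", b"julia"]:
        bf.learn(b"SETNAME " + name + b"\r\n")
    return bf


if __name__ == "__main__":
    bf = trained_baseline()
    for label, msg in [("published exploit", PUBLISHED_EXPLOIT), ("variant", VARIANT),
                       ("legitimate long name", LEGIT_LONG), ("normal", NORMAL)]:
        print(f"{label:<22} {verdicts(msg, bf)}")
```

The variant evades the signature but not the vulnerability filter, which is MWL's point. The 70-byte legitimate name is blocked by the vulnerability filter and the baseline filter alike, which is MR's point: against the unpatched build that message would have crashed the server anyway, but against a patched server or a different implementation it is a false positive, so a filter set needs testing against real client traffic before it is allowed to drop sessions.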
Password Protection: A Constant State of Insecurity
For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye-opening experiment.

She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user’s log-in name, password (or password representation), and access location.

Other than a few simple validity reviews and summary counts, my friend doesn’t look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn’t used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop’s NIC when she’s in a hotel, airport, or other public network. Although some — including me — might question her ethics, the information she shared is useful in understanding our true state of insecurity.

She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other’s passwords.

She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords.

The vast majority, 41 percent, were HTTP-based passwords, followed by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.

As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren’t using any type of password protection.

At one conference, she listened to one of the world’s foremost Cisco security experts as his laptop broadcast 12 different log-in types and passwords during the presentation. Ouch!

The high prevalence of HTTP-based passwords can probably be attributed to HTTP-based e-mail solutions. If you have or use an HTTP-based mail system, sniff the traffic to see if log-in credentials are sent in clear text. If you’re lucky, the e-mail system uses HTTPS for log-ins and authentication, or uses password hashes or some other respected technique. On a good note, many popular e-mail portals such as Hotmail, Googlemail/Gmail, and Yahoo!Mail do not send plain text passwords by default.

Unfortunately, e-mail protocols such as POP3, IMAP, and SMTP send plain text log-in names and passwords by default. Just like FTP, the user name is preceded by the identifier USER and the password is preceded by the word PASS. A password sniffer could define its capture filters to look only for packets with those identifiers, maximizing the number of passwords captured.

Make sure your company is not a victim. Most e-mail clients and e-mail servers allow the plain text password option to be disabled. For instance, in Exchange/Outlook combinations, simply enabling “Encrypt data between Microsoft Outlook client and Microsoft Exchange Server” in Outlook 2003 or “Secured Protected Access (SPA)” in previous Outlook versions will disable plain text password use.

Another interesting issue my friend noticed was how
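The column's advice is to sniff your own mail traffic and check whether log-in credentials cross the wire in clear text. The following added example (not the column's or the Cain tool's code) does that check over reassembled application payloads: it recognises the USER/PASS exchange of POP3 and FTP, the IMAP LOGIN command, SMTP AUTH PLAIN, and HTTP Basic authentication, and distinguishes them from a digest-based POP3 APOP login. Like the column's friend, it keeps only per-protocol counts and the affected account names, never the passwords. The capture lines are constructed for the example; real tooling would reassemble them from a pcap.

```python
"""Audit of captured application-layer payloads for credentials sent in the clear,
the check the column recommends running against your own mail system. It reports
which protocols and mechanisms leak, and for which accounts, but never stores a
password. Added example; the payloads below are constructed, not real captures."""
import base64
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Payload(NamedTuple):
    dst_port: int
    data: str        # reassembled TCP payload, decoded as text


# Constructed sample "capture". Real tooling would reassemble these from pcap.
SAMPLE_CAPTURE = [
    Payload(110, "USER alice@example.test\r\nPASS hunter2\r\n"),
    Payload(143, "a001 LOGIN bob@example.test secret\r\n"),
    Payload(25, "AUTH PLAIN " + base64.b64encode(b"\0carol\0s3cret").decode() + "\r\n"),
    Payload(21, "USER ftpuser\r\nPASS ftppass\r\n"),
    Payload(80, "GET /mail/ HTTP/1.1\r\nHost: webmail.example.test\r\n"
                "Authorization: Basic " + base64.b64encode(b"dave:letmein").decode() + "\r\n\r\n"),
    Payload(110, "APOP frank c4c9334bac560ecc979e58001b3e22fb\r\n"),  # digest, not the password
    Payload(443, "\x16\x03\x01 ...TLS handshake, opaque..."),
]


def _finding(p: Payload, proto: str, mechanism: str, user: str, cleartext: bool) -> Dict:
    return {"port": p.dst_port, "protocol": proto, "mechanism": mechanism,
            "user": user, "cleartext": cleartext}


def classify(p: Payload) -> Optional[Dict]:
    """Recognise the login exchange in one payload; passwords are matched but dropped."""
    d = p.data
    m = re.search(r"^USER (\S+)\r?$", d, re.M)
    if m and re.search(r"^PASS \S", d, re.M):
        proto = "FTP" if p.dst_port == 21 else "POP3"
        return _finding(p, proto, "USER/PASS", m.group(1), True)
    m = re.search(r"^APOP (\S+) [0-9a-f]{32}\r?$", d, re.M)
    if m:
        return _finding(p, "POP3", "APOP (MD5 digest)", m.group(1), False)
    m = re.search(r"^\S+ LOGIN (\S+) \S+\r?$", d, re.M)
    if m:
        return _finding(p, "IMAP", "LOGIN", m.group(1), True)
    m = re.search(r"^AUTH PLAIN (\S+)\r?$", d, re.M)
    if m:
        parts = base64.b64decode(m.group(1)).split(b"\0")   # authzid NUL authcid NUL passwd
        user = parts[1].decode(errors="replace") if len(parts) == 3 else "?"
        return _finding(p, "SMTP", "AUTH PLAIN (base64, not encrypted)", user, True)
    m = re.search(r"^Authorization: Basic (\S+)\r?$", d, re.M | re.I)
    if m:
        user = base64.b64decode(m.group(1)).split(b":", 1)[0].decode(errors="replace")
        return _finding(p, "HTTP", "Basic (base64, not encrypted)", user, True)
    return None


def audit(capture: List[Payload]) -> List[Dict]:
    return [f for f in (classify(p) for p in capture) if f is not None]


def cleartext_by_protocol(findings: List[Dict]) -> Counter:
    """The summary the column's friend kept: clear-text logins per protocol."""
    return Counter(f["protocol"] for f in findings if f["cleartext"])


if __name__ == "__main__":
    found = audit(SAMPLE_CAPTURE)
    for f in found:
        flag = "CLEAR" if f["cleartext"] else "ok   "
        print(f"{flag} port {f['port']:<4} {f['protocol']:<5} {f['mechanism']:<30} user={f['user']}")
    print(dict(cleartext_by_protocol(found)))
```

Base64-encoded mechanisms (SMTP AUTH PLAIN, HTTP Basic) are counted as clear text because base64 is encoding, not encryption; they are only safe inside TLS, which is why the TLS payload on port 443 produces no finding at all. Running this over a capture of your own mail client's session before and after enabling the encryption or SPA options the column mentions shows whether the change actually took effect.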
Building the Intelligent Network
HP’s Brice Clark describes his company’s ProCurve Adaptive EDGE architecture as a two-pronged approach. “You start with intelligence at the edge, where it needs to be located to support mobility and next-generation applications. Command comes from the center, configuring the network continuously on the fly based on the identity of the user, the application, the connection, and the device.”

The ProCurve IDM (Identity Driven Manager) enables the application of security, access control, QoS, VLAN enrollment, and performance settings based on the authenticated user or group of users, including their locations, the time of day, and other factors. HP has also incorporated optional intelligent capabilities for its ProCurve 5300 series switches, including WLAN client authentication, WLAN access-point-to-access-point connection handoff, virus throttling, and encryption — features that were formerly offered only in dedicated WLAN switches.

Clark says the next step will likely be deeper packet inspection to recognize applications and apply policies accordingly, even triggering packet-processing applications hosted in the switch, based on the user, device, or application.

“You can transcode a video stream for a PDA on the switch, rather than at the server or encrypt a financial transaction,” Clark says. “The network is good at packet processing. Servers and operating systems aren’t.”

Cisco, on the other hand, has a three- to five-year plan for what it calls Application-Oriented Networking. The company will provide AON blades for its Catalyst data-center switches, as well as branch office routers that can actually read application-to-application messages (such as purchase orders) and route them intelligently according to predefined policies. So, for example, a $50 order could be routed to a different server or get a different quality of service than a multimillion-dollar order would.

AON blades will also be able to take on much of the integration and translation normally performed by application middleware, thanks to partnerships with integration players like TIBCO Software and IBM, as well as integrated XML processing, translation, and security functions.

Cisco’s Redford also points out that the ability to inspect and route messages will lead to better visibility into transactions, resulting in improved security, compliance, and business-intelligence capabilities. AON will also offer load balancing, caching, and compression services. Although all these services could slow down network traffic to some extent, Redford claims that the benefits would include much improved application performance and significantly lower
integration costs (because any integration changes would be made on the switch, rather than across all the various interacting systems).

Smaller Vendors, Specialized Gear
The networking giants, however, aren’t the only game in town. Smaller players in the load-balancing Layer 4 to 7 switch market, which include F5, FineGround, NetScaler, Radware, and Redline, offer products they call ADCs (application-delivery controllers) or WOCs (WAN Optimization Controllers). Many of these vendors have already been involved in application intelligence for several years and claim to have the corner on that kind of expertise.

“We’re the only ones that can inspect the entire flow, headers, and payload in both directions,” says F5’s Needham.

ADC boxes sit in the data center in front of banks of servers. Originally they provided application load balancing and health checking, but over time their capabilities have grown to include off-loading communications-specific tasks, which general-purpose operating systems don’t do well, according to Joe Skorupa, research director at Gartner. Many ADCs off-load functions like SSL termination and acceleration and TCP setup and shutdown, and they provide transaction security, application firewalls, caching, and compression. Often, these devices can be fine-tuned to optimize the performance of specific back office applications, such as SAP, and can monitor and troubleshoot individual transactions.

“F5’s hardware has the ability to watch a request come in and, if the transaction fails, it can trap the error, send the message to the server administrator saying, ‘This transaction failed to this client from this server at this time, and here’s the code,’ ” Skorupa says. “Then it replays the transaction with another server. The user never sees the error.”

Vendors such as Allot Communications, Expand Networks, Packeteer, and Peribit Networks market WAN optimization controllers, which sit on the network at both the corporate headquarters and remote offices and use compression and TCP-acceleration tricks to overcome latency and other problems on the WAN. Skorupa says that the functions of these boxes will eventually be incorporated into ADCs and branch office routers. You can read more about WAN optimization appliances in “Wide-area Slowdown” (infoworld.com/2950).

Still another group of hardware and chip vendors are concentrating on the XML and Web-services space, working to incorporate the XML processing capabilities currently available in specialized XML processing appliances from such players as Reactivity and Sarvega.

Multiple Strategies
In fact, the range of product offerings from smaller vendors was compelling enough that the major networking vendors launched a buying spree, with Cisco acquiring FineGround, Juniper engulfing Redline Networks and Peribit Networks, and Citrix scooping up NetScaler. But there’s still plenty of room for innovation outside the traditional networking vendors.

Whether network intelligence will eventually rest in switches or as an overlay of specialized devices depends on to whom you talk. The appeal of incorporating these features into existing switches is obvious, but networking vendors have had trouble keeping up with the features offered by specialized appliance vendors in the past.

“Five years ago many people predicted that Packeteer would die because Cisco would take over much of its functionality,” says Gartner’s Willis. “But it is still very much around. Changes in applications are faster than Moore’s Law and the specialized box companies are often better at keeping up.”

Gartner’s Skorupa agrees. “You can put a blade in a switch, but that alone is not compelling,” he says. “You have to ask yourself whether buying an integrated product gives you more benefit than a standalone solution with more features.”

For now, it makes sense to take a targeted approach that solves the specific problems you’re trying to solve, with an eye on how initiatives like HP’s Adaptive EDGE and Cisco’s AON develop. Application-level standards are another piece missing from the puzzle. But despite the hurdles yet to overcome, the intelligent network train is definitely out of the station. It’s just not clear what its final destination will be.

— Leon Erlanger