  • Market Overview

    Network Security: Past, Present & Future

    By Jon Oltsik, Senior Analyst, Information Security, Enterprise Strategy Group

    March 2004

    Copyright 2004. The Enterprise Strategy Group, Inc. All Rights Reserved.

    Table of Contents

    Introduction
    Network Security: Complex and Inefficient
        Network Security Woes Abound
        New Initiatives, New Security Risks
        The Next Challenge: Internal Networks
        Interview Summary
    Enterprises Need End-to-End Network Security
        Risk Management Should Guide Network Security Investment
        Sound IT Governance And Security Policies Help Minimize Risks and Mistakes
        A Business-Focused Incident Response (IR) Process that Minimizes Disruption
        Network Security Technology Anchors the Infrastructure
    Network Security Will Become Part Of the Infrastructure
    Summary

    List of Figures

    Figure 1: Network Security Problems
    Figure 2: Security Priorities
    Figure 3: Security Based Upon IT Governance and Security Standards
    Figure 4: Network Security Evolution

  • Introduction

    Current enterprise network security strategy is broken. In an effort to address the growing number of security threats, firms have upped their security budgets and purchased boatloads of point security products, but this myopic plan creates costly security islands that don't protect critical business assets effectively. This report concludes:

    Network security is fraught with issues. Enterprises suffer through high operating costs, complex security infrastructure, and insufficient protection.

    The next step: Improved processes and technology aggregation. To meet business requirements, security managers plan to improve long-neglected processes and upgrade to next-generation security technologies offering aggregated functionality on perimeter and internal network platforms.

    Network security transitions will drive industry consolidation. M&A activity will accelerate as security companies look to supplement their portfolios by gobbling up startup companies or merging with other large players. During this transformational period, networking and security companies large and small will be in play.

    For this report, Enterprise Strategy Group interviewed 12 senior information security managers from enterprise companies and government agencies as well as several thought leaders from academic and industry settings. We also spoke with leading security technology vendors and service providers including 3Com, Arbor Networks, BladeLogic, Borderware Technologies, Check Point Software, Cisco Systems, Computer Associates, Crossbeam Systems, Cyberguard Worldwide, Ecora, Ernst & Young, F5 Networks, Guardent, Hewlett-Packard, IBM, Inkra Networks, Intrusic, Internet Security Systems, KF Sensor, KaVaDo, Mazu Networks, Microsoft, Mirage Networks, NFR Security, NetContinuum, Netilla Networks, Netivity Solutions, NetSec, NetScreen Technologies, Network Associates, Network Engines, Nokia, Nortel Networks, Novell, Patchlink Corporation, Qualys, Riverhead Networks, Sanctum, Inc., SonicWall, Secure Computing, Shavlik, Sun Microsystems, Symantec Corporation, ThruPoint, TippingPoint Technologies, TopLayer Networks, Trend Micro, Unisys, and Watchguard Technologies.

    Network Security: Complex and Inefficient

    For years, network security was based upon three primary products: firewalls, VPNs and anti-virus software, but this security triad has reached its limit. Why? First, Internet applications are now widely deployed to help companies drive revenue, improve communications, and automate processes, but today's security infrastructure protects network layer protocols, leaving Internet applications virtually defenseless. At the same time, automated Internet worms, viruses, and Distributed Denial of Service (DDOS) attacks are more prevalent and virulent than ever before, causing billions of dollars in worldwide damage and impacting companies like Bank of America, Continental Airlines, eBay, and Yahoo. Finally, new technologies like IP telephony, WLANs, and Instant Messaging are gaining rapid acceptance, opening up another potential avenue for attacks.

  • Figure 1: Network Security Problems

    Network Security Woes Abound

    Security executives exclaim that they are constantly playing a game of catch-up in addressing security management, business requirements, and growing threats (see Figure 1). They complain that:

    Intrusion Detection System (IDS) noise persists. Even sophisticated IT shops grumble that IDS systems are chatty and difficult to tune. Sorting the security wheat from the chaff takes a lot of time and requires skilled security technicians that are not available in all geographies.

    Automated attacks create a tremendous volume of IDS activity. We need to know the relevant data by gathering everything and filtering the security events. Our IDS system is as good as any but in spite of constant tuning, data mining and analysis is still a difficult manual process. (Hospitality Company)

    Application layer attacks evade traditional protection schemes. Two years ago many companies added the latest stateful inspection firewalls to protect against TCP attacks. This technology provided protection up to layer 4, but many of today's attacks, like buffer overflows, SQL injections, and cross-site scripting, are at the application layer. To combat this threat, security managers need added protection and help from application vendors and the development team.

    It's not that our firewalls are useless, they just don't catch the bad stuff up at Layer 7. We are evaluating our technology options, pushing back on software vendors, training our developers, and crossing our fingers. (Freight Company)

    Distributed Denial of Service (DDOS) attacks are becoming commonplace. The 2000 DDOS attacks against Amazon, Yahoo, and eBay were a wake-up call to the industry, but most companies thought they were immune to these high-profile attacks. No more. The security professionals we spoke with believe that DDOS attacks may become the preferred weapon of organized criminals or state-sponsored organizations to disrupt business or take down an industry. They point to the January 2004 attacks on on-line gaming sites as a sign of things to come.

    Today's DDOS attacks are aimed at individual companies to extort money. In the near future they may target the entire financial industry in an attempt to disrupt our economy. We have to be prepared for this; it's going to happen! (Financial Services Company)

    Box fatigue is common. It's not the least bit unusual for an enterprise to have 4 or 5 security boxes from different manufacturers at the network perimeter. These systems tend to be independent from one another, creating an architecture with diverse management tools, log files, signature updates, and support contracts. Our interviewees claim that this situation has created an operations nightmare that ironically impacts security protection.

    In addition to our firewall and IDS, we added an application firewall and an anti-virus gateway to our perimeter as we deployed Internet applications and added bandwidth. Now my staff is overburdened and managing each system reactively. I'd need two more people just to keep up. (Retail Company)

    New Initiatives, New Security Risks

    As if the security job wasn't difficult enough, new business and technical projects add constant work and increase security risks. Business needs require new applications, servers, and network architecture that need protection, while innovations like Wireless LANs (WLAN), Instant Messaging, and IP Telephony add insecure network protocols, making existing protection schemes moot. Finally, overburdened managers compare vulnerability scanning and system patching to Sisyphus pushing a rock uphill for all eternity.

    We're transitioning our network from a private hub and spoke to a mesh architecture using an MPLS-based VPN. This move w