
Market Overview

Network Security: Past, Present & Future

By Jon Oltsik, Senior Analyst, Information Security, Enterprise Strategy Group

March 2004

Copyright 2004. The Enterprise Strategy Group, Inc. All Rights Reserved.


Table of Contents

Introduction
Network Security: Complex and Inefficient
  Network Security Woes Abound
  New Initiatives, New Security Risks
  The Next Challenge: Internal Networks
  Interview Summary
Enterprises Need End-to-End Network Security
  Risk Management Should Guide Network Security Investment
  Sound IT Governance and Security Policies Help Minimize Risks and Mistakes
  A Business-Focused Incident Response (IR) Process that Minimizes Disruption
  Network Security Technology Anchors the Infrastructure
Network Security Will Become Part of the Infrastructure
Summary

List of Figures

Figure 1: Network Security Problems
Figure 2: Security Priorities
Figure 3: Security Based Upon IT Governance and Security Standards
Figure 4: Network Security Evolution


Introduction

Current enterprise network security strategy is broken. In an effort to address the growing number of security threats, firms have upped their security budgets and purchased boatloads of point security products, but this myopic plan creates costly security islands that don't protect critical business assets effectively. This report concludes:

Network security is fraught with issues. Enterprises suffer through high operating costs, complex security infrastructure, and insufficient protection.

The next step: improved processes and technology aggregation. To meet business requirements, security managers plan to improve long-neglected processes and upgrade to next-generation security technologies offering aggregated functionality on perimeter and internal network platforms.

Network security transitions will drive industry consolidation. M&A activity will accelerate as security companies look to supplement their portfolios by gobbling up startup companies or merging with other large players. During this transformational period, networking and security companies large and small will be in play.

    For this report, Enterprise Strategy Group interviewed 12 senior information security managers from enterprise companies and government agencies as well as several thought leaders from academic and industry settings. We also spoke with leading security technology vendors and service providers including 3Com, Arbor Networks, BladeLogic, Borderware Technologies, Check Point Software, Cisco Systems, Computer Associates, Crossbeam Systems, Cyberguard Worldwide, Ecora, Ernst & Young, F5 Networks, Guardent, Hewlett-Packard, IBM, Inkra Networks, Intrusic, Internet Security Systems, KF Sensor, KaVaDo, Mazu Networks, Microsoft, Mirage Networks, NFR Security, NetContinuum, Netilla Networks, Netivity Solutions, NetSec, NetScreen Technologies, Network Associates, Network Engines, Nokia, Nortel Networks, Novell, Patchlink Corporation, Qualys, Riverhead Networks, Sanctum, Inc., SonicWall, Secure Computing, Shavlik, Sun Microsystems, Symantec Corporation, ThruPoint, TippingPoint Technologies, TopLayer Networks, Trend Micro, Unisys, and Watchguard Technologies.

Network Security: Complex and Inefficient

For years, network security was based upon three primary products: firewalls, VPNs and anti-virus software, but this security triad has reached its limit. Why? First, Internet applications are now widely deployed to help companies drive revenue, improve communications, and automate processes, but today's security infrastructure protects network-layer protocols, leaving Internet applications virtually defenseless. At the same time, automated Internet worms, viruses, and Distributed Denial of Service (DDOS) attacks are more prevalent and virulent than ever before, causing billions of dollars in worldwide damage and impacting companies like Bank of America, Continental Airlines, eBay, and Yahoo. Finally, new technologies like IP telephony, WLANs, and Instant Messaging are gaining rapid acceptance, opening up another potential avenue for attacks.


Figure 1: Network Security Problems

Network Security Woes Abound

Security executives exclaim that they are constantly playing a game of catch-up in addressing security management, business requirements, and growing threats (see Figure 1). They complain that:

    Intrusion Detection System (IDS) noise persists. Even sophisticated IT shops grumble that IDS systems are chatty and difficult to tune. Sorting the security wheat from the chaff takes a lot of time and requires skilled security technicians that are not available in all geographies.

"Automated attacks create a tremendous volume of IDS activity. We need to know the relevant data by gathering everything and filtering the security events. Our IDS system is as good as any, but in spite of constant tuning, data mining and analysis is still a difficult manual process." (Hospitality Company)

Application layer attacks avert traditional protection schemes. Two years ago many companies added the latest stateful inspection firewalls to protect against TCP attacks. This technology provided protection up to layer 4, but many of today's attacks, like buffer overflows, SQL injections, and cross-site scripting, are at the application layer. To combat this threat, security managers need added protection and help from application vendors and the development team.

"It's not that our firewalls are useless; they just don't catch the bad stuff up at Layer 7. We are evaluating our technology options, pushing back on software vendors, training our developers, and crossing our fingers." (Freight Company)
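An added example (not from the ESG report) of the gap this section describes: a stateful layer-4 filter decides on addresses, port and connection state only, so a well-formed HTTP request carrying an injection string is indistinguishable from a benign search, while an application-layer inspector that parses the request can flag it. The Packet class, the sample requests and the detection patterns are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

@dataclass
class Packet:               # constructed abstraction of what each inspection layer sees
    src_ip: str
    dst_ip: str
    dst_port: int
    established: bool       # connection state that a stateful firewall tracks
    payload: bytes          # application data, opaque to a layer-4 filter

def layer4_verdict(pkt: Packet) -> str:
    """Stateful inspection: the decision uses only addresses, port and state."""
    return "allow" if pkt.dst_port == 80 and pkt.established else "deny:policy"

# Constructed, deliberately minimal patterns for the layer-7 check; a real
# application firewall uses far richer (and still imperfect) rules.
SUSPICIOUS = [
    (re.compile(rb"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I), "sql-injection"),
    (re.compile(rb"<script\b", re.I), "cross-site-scripting"),
]

def layer7_verdict(pkt: Packet, max_param_len: int = 256) -> str:
    """Application-layer inspection: parse the HTTP request and examine its content."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0]
        _method, target, _version = request_line.split(b" ")
    except ValueError:
        return "deny:malformed-http"
    _path, _, query = target.partition(b"?")
    for param in unquote_to_bytes(query).split(b"&"):
        _name, _, value = param.partition(b"=")
        if len(value) > max_param_len:  # oversized input, the classic overflow vector
            return "deny:oversized-parameter"
        for pattern, label in SUSPICIOUS:
            if pattern.search(value):
                return f"deny:{label}"
    return "allow"

def http_get(query: bytes) -> Packet:
    """Build an established port-80 packet carrying a constructed GET request."""
    payload = b"GET /search?" + query + b" HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    return Packet("198.51.100.7", "203.0.113.10", 80, True, payload)

if __name__ == "__main__":
    for q in (b"q=laptops", b"q=%27%20OR%201%3D1--", b"q=%3Cscript%3Ealert(1)", b"q=" + b"A" * 600):
        pkt = http_get(q)
        print(f"{q[:24]!r:30} L4={layer4_verdict(pkt):6} L7={layer7_verdict(pkt)}")
```

The layer-4 verdict is "allow" for all four requests; only the layer-7 parser separates the benign search from the three hostile ones, which is exactly the visibility the interviewees say their perimeter firewalls lack.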

Distributed Denial of Service (DDOS) attacks are becoming commonplace. The 2000 DDOS attacks against Amazon, Yahoo, and eBay were a wake-up call to the industry, but most companies thought they were immune to these high-profile attacks. No more. The security professionals we spoke with believe that DDOS attacks may become the preferred weapon of organized criminals or state-sponsored organizations to disrupt business or take down an industry. They point to the January 2004 attacks on on-line gaming sites as a sign of things to come.

"Today's DDOS attacks are aimed at individual companies to extort money. In the near future they may target the entire financial industry in an attempt to disrupt our economy. We have to be prepared for this; it's going to happen!" (Financial Services Company)

Box fatigue is common. It's not the least bit unusual for an enterprise to have 4 or 5 security boxes from different manufacturers at the network perimeter. These systems tend to be independent from one another, creating an architecture with diverse management tools, log files, signature updates, and support contracts. Our interviewees claim that this situation has created an operations nightmare that ironically impacts security protection.

"In addition to our firewall and IDS, we added an application firewall and an anti-virus gateway to our perimeter as we deployed Internet applications and added bandwidth. Now my staff is overburdened and managing each system reactively. I'd need two more people just to keep up." (Retail Company)

New Initiatives, New Security Risks

As if the security job wasn't difficult enough, new business and technical projects add constant work and increase security risks. Business needs require new applications, servers, and network architecture that need protection, while innovations like Wireless LANs (WLAN), Instant Messaging, and IP Telephony add insecure network protocols, making existing protection schemes moot. Finally, overburdened managers compare vulnerability scanning and system patching to Sisyphus pushing a rock uphill for all eternity.

"We're transitioning our network from a private hub-and-spoke to a mesh architecture using an MPLS-based VPN. This move will enable store-to-store communication, help with inventory management on a geographic basis, and improve customer service, but it will also extend our network security responsibility from the home office to all of our retail outlets." (Retail Company)

"I feel like we are fighting a new battle on a monthly basis. Just when we eliminated all rogue wireless access points, we now need to figure out how to restrict IM traffic. You can't simply block IM traffic at the firewall because AOL's IM is port agile; it simply piggybacks over any open port. I'm just waiting for this to create a major problem." (Federal Agency)

"Scanning and patch management is killing me! We don't even have an accurate picture of all of our assets. Now I have to find and fix our systems before the next Internet worm takes down the whole agency. My people are burning out!" (State Agency)

The Next Challenge: Internal Networks

For the past 10 years, security managers have focused their efforts on the network perimeter with the belief that all external users are untrusted while internal users are trusted. Network security expert Bill Cheswick dubbed this the M&M security strategy: hard and crunchy on the outside, soft and chewy on the inside. M&M security is no longer sufficient. Why? Three reasons: 1) The network perimeter is no longer static; remote users, contractors, partners, suppliers, even web services-based applications are all allowed network access regardless of physical location. 2) Automated attacks often enter the network through legal TCP ports before creating havoc on internal systems. 3) Many attacks come from disgruntled employees, not outside hackers. According to the CSI/FBI 2003 survey, 77% of companies claim that employees are the most likely to commit security crimes. As business requirements blur the line between internal and external users, network availability is more important than ever, so worm- and virus-driven interruptions must be minimized and restricted. To do so, security managers are beginning to apply new technologies to segment and protect internal networks, including end-point security, network behavior modeling, IDS/IPS, and internal firewalls.

"When most security experts think about August 2003, they think of Blaster and Sobig. I think of laptops! It seemed like every time we thought we were in the clear, some road warrior would plug his laptop into the network and BOOM, we'd be infected all over again." (Professional Services Company)

"When you have over 10,000 employees, you have to assume that you have a few bad apples. I've experienced this first hand. At my last company we had an employee contact a competitor to try to sell our Intellectual Property. I'm convinced that network behavior monitoring will help us identify unusual and potentially damaging activity." (Retail Company)

"Our network is business-critical, so we're integrating security everywhere. If we can't stop these automated attacks, at least we can minimize the damage." (Healthcare Company)


Interview Summary

Based upon our interviews with senior security managers, ESG concludes:

Network security is piecemeal and immature. Most companies deal with security by bolstering the network perimeter forces with armies of boxes. These systems are difficult to operate, leave most of the IT infrastructure unprotected, and don't protect business assets.

    New initiatives create new challenges. Business and technical advancements require added security coverage stretching an already thin security infrastructure and staff.

    Internal networks need protection. Perimeter fences are only a first line of defense. Internal networks require supplemental coverage.

Enterprises Need End-to-End Network Security

Over the past few years, the rules of the network security game have changed radically. It is no longer adequate to rely on firewalls and other perimeter defenses; rather, enterprise companies need a comprehensive defense-in-depth security infrastructure to protect high-value network-based assets. Technology alone is insufficient; network security needs to marry technology to the right policies, procedures, and priorities. ESG believes that appropriate end-to-end network security is dependent upon 4 interdependent factors:

1. A risk management strategy that matches security protection with business needs
2. Sound IT governance and security policies
3. Business-focused Incident Response (IR) policies and staffing
4. Integrated network security technology

Risk Management Should Guide Network Security Investment

Neighborhood banks protect themselves by placing monetary assets in a vault and an armed guard at the door. To date, network security has focused on the door, but business requirements mandate more comprehensive and asset-based vaults. Risk management offers a solution by prioritizing security investment and resources based upon value. The more mission-critical the business asset, the greater network security protection it should receive. Risk management strategy begins with a value-based hierarchical assessment of network assets, from mission-critical application servers through user desktops. Many companies need not reinvent the wheel here; rather, they can borr...
