Network Security - No Silver Bullet?

Network security, along with death and taxes, is on the list of least favourite subjects of CFOs. But why? Because network security capital investments don't generate a return and a great many security products have uncomfortably high operational costs. Dominic Storey, technical director of Sourcefire, explains why network security cannot be ignored.

Date: 07 Aug 2006

Business networks have become the lifeblood of commerce in the 21st Century, and there is more opportunity than ever for these vital but vulnerable systems to be disrupted by malicious intent, or for fraud or other crime to be perpetrated through them.

"Vendors continue to make their security products more powerful, easier to use and cheaper to run."

Communications capabilities have spread: phones, PDAs and all sorts of devices within your organisation or at your employees' homes are now routinely connected to your network. The opportunity for mischief has never been greater, and the penalties for non-compliance with emerging regulations are becoming ever more severe.

NEXT GENERATION NETWORK SECURITY

Network security products are evolving to meet these challenges. The first generation of security products – firewalls, anti-virus and Intrusion Detection Systems (IDS) – generated lots of alerts, many of which were false alarms.

High numbers of alerts meant high OPEX in the form of heavy operator burden – and often, threats were only identified, not prevented.

Second-generation security systems are much smarter – they gather intelligence about your network and make decisions on how to deal with threats based on the vulnerabilities your systems have.

Smart security systems reduce the number of false alarms, substantially reducing OPEX and paving the way for more comprehensive automatic response to threats.

Yet many of these smart systems have a fundamental weakness – they rely on network scanning to discover vulnerabilities.

SYSTEM SCANNING ISSUES

Scanners can destabilise the very hosts they are trying to discover – for example, one security consultancy recently scanned a hospital's medical imager, crashing the controlling computer and taking the imager off-line for hours.

Another problem with scanning is that it is not continuous and cannot respond to network change. This means that the map of the network is often out of date from the moment it was made until the moment of the next scan. Smart security can't be smart with old data.

Companies such as Sourcefire have pioneered the use of passive network discovery as a means of solving the scanning problem.

Passive devices listen to network traffic and can deduce everything they need to know about the network from the 'sound' of the traffic, much in the way passive sonar classifies submarine types from the sound of their movement through the water.

Passive discovery is a continuous process so the maps of your network are always up to date.

FINANCIAL IMPACT

But can smarter systems have a positive financial impact? The answer is a definite yes. The trick is to increase the capabilities of the network security system so that other, operationally expensive services can be streamlined into the security system framework.

"If non-compliant applications are installed, access to the internet should be denied."

An example is compliance enforcement. Many organisations are required to comply with various regulations, e.g. Sarbanes-Oxley, or PCI in the credit card payment industry.

These policies, when implemented, nearly always impose constraints on what equipment can be operated on business-critical networks – traffic must always be encrypted for payment processing, for example. Most IT departments are involved in monitoring and enforcing these compliance policies and use an array of point solutions to do so.

It would be much more cost-effective to pass the passively discovered assets to a system that can take action when they are non-compliant with a defined standard. For example, if an employee brings their non-compliant laptop to work and plugs it in, they should automatically be denied access to the network. If non-compliant applications are installed, access to the internet should be denied.
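As an added illustration of the two ideas above (passive discovery feeding a policy engine), not Sourcefire's code, the block below builds a host inventory from constructed packet summaries, ages out hosts not seen within a window so the map never outlives the traffic, and flags hosts sending plaintext to a payment-processing host. The fingerprint table, addresses, ports and the "deny-network" action are assumed values for the example.

```python
"""Passive discovery feeding a compliance policy (added example).

Constructed packet summaries stand in for traffic observed by a passive
sensor; no scanning takes place. The inventory is rebuilt only from packets
inside the look-back window, so it is never staler than the traffic itself.
"""

# Constructed sample: (timestamp, src_ip, dst_ip, dst_port, ip_ttl, tcp_window)
PACKETS = [
    (100, "10.0.0.5", "10.0.9.1", 443, 128, 65535),
    (101, "10.0.0.7", "10.0.9.1", 80, 64, 5840),   # plaintext to payment host
    (102, "10.0.0.5", "10.0.9.1", 443, 128, 65535),
    (150, "10.0.0.9", "10.0.9.2", 8080, 255, 4128),
]

# Assumed (TTL, window) -> OS class table; real passive fingerprinting uses
# many more fields, these values are illustrative only.
FINGERPRINTS = {
    (128, 65535): "windows",
    (64, 5840): "linux",
    (255, 4128): "network-device",
}

PAYMENT_HOSTS = {"10.0.9.1"}   # assumed: hosts subject to the encryption rule
ENCRYPTED_PORTS = {443}        # assumed: ports the policy accepts as encrypted


def passive_inventory(packets, now, window):
    """Map of source hosts seen within `window` seconds of `now`."""
    hosts = {}
    for ts, src, dst, port, ttl, win in packets:
        if now - ts > window:          # stale observation: drop it
            continue
        host = hosts.setdefault(src, {"os": "unknown", "last_seen": ts, "flows": []})
        host["os"] = FINGERPRINTS.get((ttl, win), "unknown")
        host["last_seen"] = max(host["last_seen"], ts)
        host["flows"].append((dst, port))
    return hosts


def compliance_violations(hosts):
    """(host, reason, action) for each flow breaking the payment-encryption rule."""
    violations = []
    for ip, host in hosts.items():
        for dst, port in host["flows"]:
            if dst in PAYMENT_HOSTS and port not in ENCRYPTED_PORTS:
                reason = f"plaintext to payment host {dst}:{port}"
                violations.append((ip, reason, "deny-network"))
    return violations
```

Running `compliance_violations(passive_inventory(PACKETS, now=160, window=100))` yields the single non-compliant laptop; moving `now` forward without new traffic shrinks the inventory instead of leaving a stale map.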

THE FUTURE OF NETWORK SECURITY

The latest generation of network security systems combines the functionality of firewalls, intrusion management systems and virus protection. These are known collectively as Unified Threat Management (UTM) systems.

Whilst this is a step in the right direction, it does not really address compliance enforcement. Sourcefire Inc. has taken a different approach.

Instead of building a UTM, it has incorporated passive network discovery, intrusion detection and prevention, and network behaviour analysis with a policy and response system capable of communicating with any network access component. The combination is exactly the right mix for effective compliance enforcement.

There are no silver bullets in network security because hackers, criminals and fraudulent employees aren't in the business of making the problem simple. However, vendors continue to make their products more powerful, easier to use and cheaper to run – no silver bullet, but perhaps a cloud with a silver lining.

