Check Point Software Technologies Ltd. introduced InterSpect on Tuesday, a product that focuses on the security of an organization’s internal network as opposed to the network’s perimeter.
According to the Redwood City, Calif.-based company, perimeter and internal security have the same priorities — to be non-disruptive to traffic and to provide security — but they have more differences than they do similarities.
The perimeter is a well-defined boundary and because you are using applications on the Internet, they are strictly adhering to Internet protocols, explained Mark Kraynak, manager of product marketing at Check Point. And there is a central co-ordination, either person or group, for security and connectivity, so you have a lot more control.
Kraynak said that inside the network, the situation is “almost entirely flip-flopped.”
“Typically you have a lot of homegrown applications that maybe one department or a select set of departments use,” Kraynak said. “Internal applications don’t adhere as well to protocols as Internet applications do. Also, you don’t have centralized [management] of those applications.”
He added that it isn’t realistic to simply shut down a company’s internal applications (to prevent the spread of worms and viruses) because they are being used everyday and companies are being run on these programs. Instead, Kraynak said organizations need to make changes to their security.
“At the perimeter you would need a device that is going to start by blocking all traffic and you are going to numerate every single application you are going to use and every single behaviour that you want to allow and build up [a] policy,” Kraynak explained. “Internally you are going to do the opposite. You are going to put in a device that [allows] connectivity and then you are going to build-down explicitly disallowed behaviours and explicitly disallowed applications.”
InterSpect, Check Point’s internal security gateway, is built on five key features — Intelligent Worm Defender, Network Zone Segmentation, quarantine of suspicious computers, LAN protocol protection and pre-emptive attack protection.
According to Check Point, the Intelligent Worm Defender restricts the spread of worms and attacks inside the network while the Network Zone Segmentation contains attacks within a sub-segment of the network.
Additionally, InterSpect is able to quarantine suspicious computers by isolating unpatched servers and PCs and minimizing unrestricted employee access. The LAN protocol protection protects and supports protocols and applications that are used inside the network. The pre-emptive attack protection feature was designed to defend against vulnerabilities before they are exploited.
Internal security has always been desirable, but hard to enforce, explained Richard Stiennon, vice-president of research, network security at Gartner, Inc. in Detroit. He said that there has always been resistance to deploying firewalls everywhere because firewalls restrict access based on very specific elements including source, Internet protocol (IP) and destination IP address, but added that companies are starting to realize the benefits of deploying internal security measures.
“What we’re finding in what we call the intrusion prevention space, is that there is an immediate benefit from inline devices that filter out bad stuff and in particular, the goal would be to block [the] MS Blaster [worm] on the inside of a network but would still allow regular DCOM (Distributed Component Object Model) communications to proceed,” Stiennon said.
Stiennon said the MS Blaster worm is an ongoing issue because workers and students are continuously bringing in their computers and laptops from home, where they might not have good controls over antivirus deployments, and hooking them up to the network.
He added that although enterprises are getting to the point where perimeter security is becoming better, he agrees with Check Point that “it’s the worms that break through the perimeter and spread from the inside…that are now the big concern.”
Information Resources Inc. (IRI) — a sales and marketing research firm in the global consumer goods industry — is currently beta testing InterSpect and has implemented it in its lab environment and some of its production segments.
“Some of the reasons why we looked at it [was because] we looked around the market and we determined that this product has some unique features that we didn’t see in any of the other existing products…[including] automated identification and containment of different threats,” explained Greg Murray, vice-president of information security at Chicago-based IRI.
Murray added that he doesn’t differentiate between the importance of either internal or perimeter security. He said that “the threat portfolio has changed on the external environment” and it is up to individual corporations to protect their networks.
“Without the ability to automatically identify and contain specific [threats]…any company in the industry [wouldn’t] be able to defend themselves. That’s why we view this technology as very unique,” explained Murray. It gives companies the ability to have protection 24-hours-a-day, everyday, he added.
InterSpect is available in four models. InterSpect 210 provides protection for one workgroup for US$9,000. InterSpect 410 provides multiple workgroup protection for US$18,000 and InterSpect 610 and 610F both offer gigabit network protection for US$36,000 and US$39,000 respectively.
