Imagine you’re responsible for the IT operations of a company that relies on the Internet to sell products around the world. Now imagine that because of lax network security, someone has hacked into your company’s databases and stolen customer information.
In the past, such an event might lead to some red faces and a hit to sales, but it wouldn’t be anything some good public relations and time couldn’t repair. Now, though, with the Personal Information Protection and Electronic Documents Act (PIPEDA) in effect in Canada and the Health Insurance Portability and Accountability Act (HIPAA) coming into force south of the border, companies face legal repercussions if they don’t properly protect customer information.
“As we go forward I think we’re going to see people going to jail, companies being fined and reputations being damaged, because of the failure to meet the regulatory environments,” says John Roese, chief technology officer of network equipment maker Enterasys Networks Inc.
As a result of the more stringent privacy regulations and the threat posed by increasingly frequent and effective worm attacks, network infrastructure companies like Enterasys, Cisco, 3Com, Foundry, Extreme and Hewlett-Packard are building more security smarts into their switches and network management wares. While each vendor offers a different menu of built-in security features, all have the same goal — making the network infrastructure part of the enterprise security strategy.
Today it might seem obvious that switches and network management systems should play a large role in enterprise security, but in the past, network vendors focused more on so-called “feeds and speeds” than they did on ensuring safe connections. People believed the actual network infrastructure should just be neutral pipes, Roese says, and if they wanted security, they could add standalone software or devices designed to meet specific threats.
Standalone products can’t ensure security, Roese notes. He uses firewalls as an example of an incomplete security response.
“Firewalls assume good people are on the inside and bad people are on the outside, which is no longer true,” he says. Employees with infected laptops can plug in and infect the network, or people inside the company could be accessing information they’re not supposed to be accessing.
To run a truly secure network, Roese says, companies have to understand both the content of packets and their context — who sent the packet, where it’s going, when it got sent, how many packets preceded it and how many packets followed it.
“The bottom line is there are pieces of the infrastructure that are not participating in the security architecture,” he explains. “And if we’re going to go forward successfully we need to change the rules. My law is there is no neutral in security. You are either additive, or subtractive.”
Enterasys is attacking the security problem by using a combination of network management tools and security-centric Application Specific Integrated Circuits (ASICs) running proprietary algorithms to monitor network traffic flows, identify unusual patterns and isolate potential problems before those problems spread to other parts of the network.
For example, the company’s recently released Dynamic Intrusion Response is designed to allow customers to implement an automated system for intrusion detection and response. The product relies on a combination of Enterasys’s Dragon intrusion defence system, NetSight Atlas network management software and a network infrastructure that can read and monitor traffic.
Roese believes Enterasys’s security story sets the firm apart from its competitors in the network hardware market. But with every network vendor pitching a strong security story, customers are going to have to kick the tires of a variety of gear to find out which vendors live up to the hype, Roese says.
Beyond the firewall
Network infrastructure market leader Cisco Systems Inc.’s answer to customers seeking more secure networks is its Self-Defending Network strategy.
Cisco began building security into its networks by offering dedicated products, such as firewalls, then moving to integrate more security capabilities into the network switches and add capabilities to the dedicated security boxes, says Steve Collen, director of marketing for security at Cisco.
“If you look at a Cisco firewall, for example, it’s not just firewalling,” he explains. “It supports intrusion detection and VPN capabilities. A Cisco router or switch would have the same multi-function role.”
There are two approaches to integrating security into the network, Collen says. One is to integrate security directly into the network switches and routers. The second is to embed security into the network fabric from end to end, including the desktop, data center and branch office.
“We’re trying to pursue both axes,” he says. “We’re trying to build it into the product, but also trying to provide very comprehensive network coverage.”
For example, a customer with a Catalyst 6500 switch could buy acceleration cards for the box that offer firewalling, intrusion detection, VPN and content security, Collen says.
The customer could also protect the network at the desktop and server level by installing Cisco Security Agent (CSA) software, which authenticates users and provides policy-based access. The software can detect whether a user has installed the latest antivirus software updates and, if they haven’t, the CSA will quarantine the user’s machine, or restrict their access, until the latest updates are installed.
“You have to deploy security everywhere,” Collen says. “If you leave a gap, that’s where the threat is going to come from. You really have to deploy security everywhere in a multi-layered fashion.”
Every device on the network needs to be able to protect itself, says Scott Pope, manager of security platforms in Cisco’s VPN and security business unit. And switches need to protect the segments of the network they operate on.
Cisco has announced a wide range of security offerings in recent weeks, including VPN enhancements and new IOS features.
One of those new features is a firewall that allows customers to do access control and filter traffic based on Layer 2, Ethernet or MAC address information. So, for example, a company could have more stringent security requirements for someone accessing the network over a wireless LAN than it would for someone coming in over a wire connection.
Instead of having to know all the IP addresses for people using the wireless LAN, companies could now dictate that any traffic coming in over the MAC address or Ethernet address associated with the wireless LAN access point would have the tighter security applied to it.
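The Layer 2 policy idea described above, as an added illustration (this is not Cisco code and not an IOS feature; it is a constructed simulation): frames are classified by the Ethernet source address the switch sees rather than by IP address, and frames whose source MAC belongs to a known wireless access point are held to a tighter port policy than wired stations. The access point MAC addresses, the policy table and the sample frames are all assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame as seen by the switch (constructed sample data)."""
    src_mac: str    # Layer 2 source address
    dst_port: int   # TCP/UDP destination port carried in the payload


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so set lookups are exact."""
    return mac.strip().lower().replace("-", ":")


# Assumed (hypothetical) Layer 2 addresses of the wireless LAN access points.
# Matching on these means no wireless client IP addresses need to be known.
WIRELESS_AP_MACS = {
    normalize_mac(m) for m in ("00-11-22-AA-BB-01", "00:11:22:aa:bb:02")
}

# Assumed policy table: wired stations may reach any destination port,
# wireless stations only the services listed (None = no restriction).
POLICY = {
    "wired": None,
    "wireless": {53, 443},   # DNS and HTTPS only (assumed)
}


def classify(frame: Frame) -> str:
    """Classify a frame as 'wireless' when its source MAC is a known AP address."""
    return "wireless" if normalize_mac(frame.src_mac) in WIRELESS_AP_MACS else "wired"


def evaluate(frame: Frame) -> tuple[str, str]:
    """Return (traffic class, verdict) for one frame under the policy table."""
    cls = classify(frame)
    allowed = POLICY[cls]
    verdict = "permit" if allowed is None or frame.dst_port in allowed else "deny"
    return cls, verdict


def evaluate_all(frames):
    """Apply the policy to a batch of frames, preserving order."""
    return [evaluate(f) for f in frames]


# Constructed sample traffic: two frames arriving via the wireless AP
# (one to HTTPS, one to SMB) and one from a wired workstation to SMB.
SAMPLE_FRAMES = [
    Frame("00:11:22:aa:bb:01", 443),
    Frame("00-11-22-AA-BB-02", 445),
    Frame("08:00:27:12:34:56", 445),
]

if __name__ == "__main__":
    for f, (cls, verdict) in zip(SAMPLE_FRAMES, evaluate_all(SAMPLE_FRAMES)):
        print(f"{f.src_mac:18} port {f.dst_port:<5} {cls:9} {verdict}")
```

The normalization step matters in practice: MAC addresses are written with colons, hyphens or mixed case depending on the tool that produced them, and a policy keyed on the raw string would silently fail to match and fall back to the looser wired rule.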
People want security systems today that alert them to significant events, while removing any false positives, Collen says. He doesn’t believe most companies are yet ready to trust fully automated security response systems.
“They still want that element of human control,” he says. “And I think that’s mainly because they view security technology as still maturing and they want it to prove itself. When it has proved itself, the fully fledged vision of the self-defending network comes into play.”
Dan McLean, an analyst with IDC Canada Ltd. in Toronto, notes that every network infrastructure company now has a significant story to tell and every firm will say that its approach is the best approach.
Security may be a good hook for Enterasys in particular, McLean says, “because their reputation and their history is that of a company that’s really good on the technology side. Security is a good fit, because it’s a technology subject.”
Evaluating which vendor’s security approach is best might be tough at the moment, McLean adds, because there’s no established methodology for evaluating network security. If users want to find the security system that best suits their needs, they’re going to have to do a lot of poking under the hoods of the network gear.
Terrence Verity, CIO of Seneca College in Toronto, says he’s noticed the recent push by network infrastructure vendors to roll more security features into their products.
Verity, who runs a Cisco shop, likes some of the new features the company is introducing, such as offering embedded Secure Sockets Layer VPN authentication in its gear.
“We like that a lot, because it takes the processing overhead off of our application,” he says.
While Verity likes some of the new security features, he notes he isn’t about to ditch the existing gear he has in his network from standalone security vendors.
“We don’t mind the standalones,” he says. “The price/performance we get is good. And they’re focused on one need. They really get it.”
Verity also notes he’s not going to sit around and wait for network infrastructure vendors to come out with security features he requires.
“A lot of times, we can’t wait for them,” he says. “We need it now. I’m sure companies like Cisco and Nortel have plans for features down the road, but a lot of times we need those features sooner.”