Feature: The Survivor's Guide to 2004: Security

Bottom line, you have to find the right combination of products that will give you protection both inside and outside your network, from the host to the desktop to the perimeter. And you need a sound patching strategy that you can implement and maintain effectively. Above all, your security plan must never get in the way of the business. If the plan hinders the company's main function, it'll be an uphill battle getting security measures adopted.

You must comprehend security technology as it applies to your business' specific needs so that you can sell your security strategy internally, in 2004 and well into the future.

The Network's Soft, Chewy Center

Any traffic that traverses the internal network will pass unhindered. This year's worm attacks, such as SQL Slammer and Welchia, show just how vulnerable the internal network is. Even when the perimeter is locked down, all it takes is one infected laptop connected to the internal network to wreak havoc.

The coupling of multiple agents, such as firewall, antivirus, VPN, host IDS and host-vulnerability assessment products, may lead you to believe that integrated suites are necessary. In many cases, they're not. Yes, the desktop firewall has to let the VPN client function properly, and the HIDS has to see activity on the host without interruption by the firewall. But these are implementation issues for the most part, because the firewall, VPN and HIDS, for example, are all trying to monitor or shim the IP stack.

More important than integration is that the products are running and current when a mobile computer connects to the internal network over a VPN or is connected directly after being off the network. Worms that had no way to enter a network over the network firewall were carried in by mobile users. If your patched mobile systems were using current antivirus software and you had the proper desktop firewall controls, worm propagation would have been unlikely.

Be wary of products that claim to do it all. Standalone products tend to be more robust and thorough than general-purpose multifunction appliances. And with multiple standalones, you can choose and implement the solutions you need. In a recent reader survey conducted by our sister publication Secure Enterprise, only 11 percent of respondents said they standardize on a single vendor for security; the rest use best of breed.Although traditional network protection aims to keep intruders away from the perimeter, the host bears the brunt of most attacks. Firewalls are important, but they can't tell you anything about what's happening within the computer. HIP (host intrusion prevention) products, such as Cisco Security Agent, Network Associates Entercept and Computer Associates eTrust Access Control, go beyond firewall technologies by controlling access to system resources by applications or users.

Unfortunately, only Cisco Security Agent, which features a full set of configuration tools, is designed to run on the desktop. The other downside of this category is that few HIP products prevent applications from executing harmful actions such as stopping a database from executing a SQL query to drop a table or add a user. Entercept's database protection supports only Microsoft SQL Server 2000.Because HIP products lock down systems, you'll have to modify any change-control processes to include the modification of the HIP and the updating of the access-control policies when patching a protected system or application. Also, because everyday business applications are so complex, host security products must learn normal application behavior and how to enforce it.

Embrace the Desktop Firewall

The next line of defense is the desktop. If that's where the data is, shouldn't that be where the protection is concentrated? We lay out an asset-centric view in "Secure to the Core". If you don't have a desktop-firewall deployment for remote users, make it a priority. Properly configured desktop firewalls stop attacks from external users, and may be effective in combating the spread of worms by preventing the worm code from accessing network resources.

To be effective, a desktop firewall must keep intruders out and restrict the network access of the calling application and any loaded modules. An ACL (access-control list), for example can prevent all programs from listening on TCP Port 25, thus disabling one popular method for spreading e-mail-borne worms.

But network-access control isn't perfect. The dialog boxes that ask if an application can access the network don't always provide the user enough information to make a decision, and it's human nature to want to allow access. If you're thinking about deploying desktop firewalls, make sure you can configure and enforce policy centrally.

Clearly, the desktop battlefield is on the minds of the biggest companies' developers. At the 2003 Gartner Fall Symposium, Microsoft CEO Steve Ballmer described technologies, planned for inclusion in Windows XP and Windows 2003, that will allow the inspection of computers and shield vulnerable systems via a distributed firewall. But unless Microsoft plans on adding that protection to all the supported versions of Windows, the cottage industry of desktop firewalls from ISS, Sygate, ZoneAlarm and others will still be viable.Along with strong protection around your key data centers, perimeter protection plays a key role. But antivirus, content-inspection, intrusion-detection and intrusion-prevention remedies all employ reactive technologies: Unless a signature for the threat exists, they won't detect the problem. Organizations that rely solely on blocking unwelcome traffic at the perimeter are bound to lose--imagine protecting your king with nothing but pawns.

Still, the perimeter is the first point of attack, so you must have a strategy here, too. To choose the right product, determine where your traffic ends up once it traverses the perimeter. For a small network on which all traffic flows through a single network connection to the Internet, a multifunction firewall may be viable, especially in shops with little IT support. Such a product is easy to use, but limited. For instance, if you rely on the firewall to scan your e-mail for viruses and your e-mail server is on the trusted side of the network, e-mail sent from one internal user to another won't be scanned. Your e-mail server must have antivirus software.

For more complex networks, consider pushing perimeter protection like Web services filtering and network-intrusion prevention on to specialized devices. As attacks become data-driven and protocols such as SOAP (Simple Object Access Protocol) and XML-RPC (Extensible Markup Language Remote Procedure Call) become prevalent, the traditional perimeter devices are hard-pressed to keep up. Processing these protocols takes additional system resources, which can lead to performance bottlenecks. A dedicated security device will bring better performance, both at the perimeter and inside it.Network intrusion-prevention offerings are hot right now, but don't believe the hype. These perimeter products are only as good and as current as the signatures that drive them. They require even more care and feeding than intrusion-detection systems, as you have to figure out which attacks to block and how.

IPSs aren't fire and forget, either, because you have to make sure legitimate traffic isn't being blocked. Since many standards documents are vague about protocol specification, multiple developers may implement the same standards differently. So even with legitimate traffic, the products won't necessarily comply with a given specification or trigger IDS/IPS alerts. Moving to an IPS makes sense now only if your organization is doing an initial IDS deployment or is looking to replace an existing IDS deployment.Regardless of which products you install, it's critical to address software problems by applying patches and service packs. A patching system should support multiple versions of Windows, keep track of patch dependencies, ensure that files and registry keys conform to the current patch levels, and monitor new patches. Deployment strategies should be configurable based on whether the user is local or remote.

For 2004, Microsoft has promised some enhancements to Software Update Services that might relieve some of the patching burden, but we need more. Effective patch management means identifying systems that need patching, then installing and testing new patches and identifying new vulnerabilities.Patch-management products must be married with vulnerability-assessment tools. These products will produce a financial payoff. Centrally deploying and monitoring patches, thereby avoiding the cleanup from a worm attack, for instance, saves time and money.

Policy management goes hand in hand with patch management. This becomes particularly valuable in a cross-platform environment, where centralized management of all systems is important. If you're running an all-Windows environment and simply need to enforce a common desktop policy, use the Group Policy Object. If you want to audit and enforce policies outside the GPO's scope, a policy-management system such as Bindview bv-Control, ConfigureSoft Enterprise Configuration Manager or Pedestal Software Security Expressions is probably worth the time and money. Policy-management systems' main value comes from imposing order over chaos. If you document and enforce your organization's network configurations, however, you may not benefit from these systems. Compare your methods with the compliance checking these products offer.

The policy-management vendors are hawking compliance templates for the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act of 2002 and other regulations or initiatives. Although the policy templates may be useful, you still need to comb through them to ensure that they address your specific regulatory needs. Furthermore, these products come with support costs. Agents must be deployed or administrative accounts gathered up so the products can query the managed hosts. In light of other security-spending needs, you can accomplish the same thing with a few good books on network policy definition and Web resources.By now, you should have host, desktop and perimeter protection on your mind while you rethink your patching and policy-management strategies. Yet your network remains vulnerable: Remote users are traveling time bombs.

VPN technologies such as IPsec (IP security) and PPTP (Point-to-Point Tunneling Protocol) secure remote access. PPTP is used because it's simple to configure, but IPSec is more secure. Unfortunately, both technologies have serious deployment limitations. Neither one provides standardized NAT-T (network address translation traversal), and IPsec offers no remote IP address management without proprietary modifications by vendors.

IETF's IPsec Working Group is close to finalizing IKE (Internet Key Exchange) version 2, which addresses NAT detection and traversal, remote-node IP configuration, and support for legacy-authentication mechanisms. But client support and protocol access through firewalls remain thorny issues. Fat clients can be preinstalled and managed centrally, and can perform advanced protection tasks, such as configuration checking. However, remote users may be on a network that doesn't allow IPsec VPN connection, or at a kiosk with no way to install software. In many cases, an SSL VPN can replace IPsec VPN, providing equal or better protection.SSL VPNs are strong competitors to conventional VPNs for remote users because the browser is the client and, at a basic level, most modern browsers are supported. Also, SSL typically is allowed to pass through firewalls and has no trouble with NAT. For Web applications, little more than a browser is needed. However, support for non-HTTP applications requires either a fat client or an ActiveX or Java Applet downloaded and run locally along with other potential changes to the remote desktop. In any case, SSL VPN offerings let you securely connect remote users to internal networks and can enforce access controls centrally.

So Many Choices

With all the different security technologies available, making the purchase decision difficult. But whether you're flush or cash-starved, protecting your assets isn't about the coolest hardware or software. Effective product purchases start with knowing which assets you need to protect and the risks to those assets.Once you've done your homework, you can select the right product for the right purpose, match the product features to business needs, and leverage existing products and processes.

So do your homework: Read the vendors' glossies, review the analysts' reports, read product reviews, and when you sit down across the table from a vendor or integrator, demand technical details--and proof--on how a product will solve your IT security problems. If a vendor comes knocking with a silver bullet, run.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].

Post a comment or question on this story.

CoreStreet: This company's credential-verification system is useful for both connected and disconnected electronic locks as well as for digital certificates

Foundstone: Foundstone's FoundScan, which won the Editor's Choice award in our vulnerability-assessment review, is one of the first VA tools to integrate an intelligent approach to asset identification and classification with conventional VA technology.NetScreen Technologies: With the acquisition of Neoteris, the continued integration of the OneSecure intrusion-prevention product and NetScreen's new management platform, this company will have an attractive perimeter portfolio rivaled by few.

Nokia: The Nokia Secure Access System, an SSL VPN, will lead the pack in 2004.

Sourcefire: Often thought of as the Red Hat of the security market, the company that commercialized the open-source NIDS tool, Snort, is looking to make some big moves in 2004 by integrating IDS data and passive asset-identification methods.

Tenable Network Security: By coordinating Nessus alerts with intrusion-detection data from various vendors, Tenable shows an innovative approach to integrating IDS and VA data.

• Network Computing's security white papers and research reports• Network Computing's security books

• Secure Enterprise magazine

• Weekly Vulnerability and Patch newsletter

• Current Internet threat report

• "Secure to the Core"• Computer Security Research Center Common Criteria for IT Security Evaluation

• ICAT Metabase

• Open Security Evaluation Criteria