Imagine you’re responsible for the IT operations of a company that relies on the Internet to sell products around the world. Now imagine that because of lax network security, someone has hacked into your company’s databases and stolen customer information.
In the past, such an event might lead to some red faces and a hit to sales, but it wouldn’t be anything some good public relations and time couldn’t repair. Now, with many governments moving both to protect personal information and corporate governance, companies face legal repercussions if they don’t properly protect customer information.
“As we go forward I think we’re going to see people going to jail, companies being fined and reputations being damaged, because of the failure to meet the regulatory environments,” says John Roese, chief technology officer of network equipment maker Enterasys Networks.
As a result of the more stringent privacy regulations and the threat posed by increasingly frequent and effective worm attacks, network infrastructure companies like Enterasys, Cisco Systems, 3Com, Foundry Networks, Extreme Networks and Hewlett-Packard are building more security smarts into their switches and network management wares. While each vendor offers a different menu of built-in security features, all have the same goal — making the network infrastructure part of the enterprise security strategy.
Today it might seem obvious that switches and network management systems should play a large role in enterprise security, but in the past, network vendors focused more on so-called “feeds and speeds” than they did on ensuring safe connections. People believed the actual network infrastructure should just be neutral pipes, Roese says, and if they wanted security, they could add stand-alone software or devices designed to meet specific threats.
Stand-alone products can’t ensure security, Roese notes. He uses firewalls as an example of an incomplete security response.
“Firewalls assume good people are on the inside and bad people are on the outside, which is no longer true,” he says. Employees with infected laptops can plug in and infect the network, or people inside the company could be accessing information they’re not supposed to be accessing. To run a truly secure network, Roese says, companies have to understand both the content of packets and their context — who sent the packet, where it’s going, when it got sent, how many packets preceded it and how many packets followed it.
“The bottom line is there are pieces of the infrastructure that are not participating in the security architecture,” he explains. “And if we’re going to go forward successfully we need to change the rules. My law is there is no neutral in security. You are either additive, or subtractive.”
Enterasys is attacking the security problem by using a combination of network management tools and security-centric Application Specific Integrated Circuits (ASICs) running proprietary algorithms to monitor network traffic flows, identify unusual patterns and isolate potential problems before those problems spread to other parts of the network.
For example, the company’s recently released Dynamic Intrusion Response is designed to allow customers to implement an automated system for intrusion detection and response. The product relies on a combination of Enterasys’s Dragon intrusion defence system, NetSight Atlas network management software and a network infrastructure that can read and monitor traffic.
Roese believes Enterasys’s security story sets it apart from its competitors in the network hardware market. But with every network vendor pitching a strong security story, customers are going to have to kick the tyres of a variety of gear to find out which vendors live up to the hype, Roese says.
Beyond the firewall
Network infrastructure market leader Cisco’s answer to customers seeking more secure networks is its Self-Defending Network strategy. Cisco began building security into its networks by offering dedicated products, such as firewalls, then moved to integrate more security capabilities into the network switches and to add capabilities to the dedicated security boxes, says Steve Collen, director of marketing for security at Cisco.
“If you look at a Cisco firewall, for example, it’s not just firewalling,” he explains. “It supports intrusion detection and VPN capabilities. A Cisco router or switch would have the same multifunction role.”
There are two approaches to integrating security into the network, Collen says. One is to integrate security directly into the network switches and routers. The second is to embed security into the network fabric from end to end, including the desktop, data centre and branch office. “We’re trying to pursue both axes,” he says. “We’re trying to build it into the product, but also trying to provide very comprehensive network coverage.”
Every device on the network needs to be able to protect itself, says Scott Pope, manager of security platforms in Cisco’s VPN and security business unit. And switches need to protect the segments of the network they operate on.
Cisco has announced a wide range of security offerings in recent weeks, including VPN enhancements and new IOS features. One of those new features is a firewall that allows customers to do access control and filter traffic based on Layer 2 information, that is, Ethernet or MAC addresses. So, for example, a company could have more stringent security requirements for someone accessing the network over a wireless LAN than it would for someone coming in over a wired connection.
Instead of having to know all the IP addresses for people using the wireless LAN, companies could now dictate that any traffic coming in over the MAC address or Ethernet address associated with the wireless LAN access point would have the tighter security applied to it.
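The two ideas above, a Layer 2 policy that treats frames arriving from a wireless access point's MAC address more strictly, and Roese's earlier point that a packet must be judged on its context (who sent it, where it is going, when, and how much traffic surrounds it) as well as its content, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from Cisco, Enterasys or any other vendor mentioned: the MAC and IP addresses, port lists and packet budgets are all constructed, and the frame parser handles only IPv4 over Ethernet II carrying TCP.

```python
"""Layer 2-aware filtering with flow context (constructed example, not vendor code).

A wireless segment is recognised by the source MAC of the access point's uplink
and receives a tighter rule set than the wired segment. Each decision also uses
context: how many frames the same source has sent inside a sliding time window.
"""
import socket
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800

# Constructed MAC of the wireless access point's uplink (an assumption for the example).
WIRELESS_AP_MACS = {"00:11:22:33:44:55"}


@dataclass
class Policy:
    """Per-segment rules: permitted TCP destination ports and a packet budget per window."""
    allowed_ports: frozenset
    max_packets_per_window: int


# The wireless segment gets the stricter policy; values are illustrative only.
POLICIES = {
    "wireless": Policy(frozenset({443}), max_packets_per_window=5),
    "wired": Policy(frozenset({22, 80, 443}), max_packets_per_window=50),
}


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int) -> bytes:
    """Assemble a minimal Ethernet II / IPv4 / TCP SYN frame (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP: ports, seq, ack, data offset 5 words, SYN flag, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), checksum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Extract the Layer 2, 3 and 4 fields a policy decision needs."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 Ethernet II frames are handled")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("only TCP is handled")
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "dst_mac": mac_to_str(frame[0:6]),
        "src_mac": mac_to_str(frame[6:12]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
    }


class ContextFilter:
    """Permit or drop each frame using content (ports) and context (segment, recent volume)."""

    def __init__(self, window_seconds: float = 1.0):
        self.window = window_seconds
        self.recent = defaultdict(deque)  # source MAC -> timestamps still inside the window

    def decide(self, frame: bytes, now: float) -> tuple:
        meta = parse_frame(frame)
        segment = "wireless" if meta["src_mac"] in WIRELESS_AP_MACS else "wired"
        policy = POLICIES[segment]
        history = self.recent[meta["src_mac"]]
        while history and now - history[0] > self.window:   # expire old timestamps
            history.popleft()
        history.append(now)
        if meta["dst_port"] not in policy.allowed_ports:
            return "drop", f"{segment}: tcp/{meta['dst_port']} not permitted"
        if len(history) > policy.max_packets_per_window:
            return "drop", f"{segment}: {len(history)} frames in {self.window}s exceeds budget"
        return "permit", segment


if __name__ == "__main__":
    flt = ContextFilter()
    wifi_syn = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff",
                           "10.0.5.20", "10.0.1.10", 51000, 443)
    print(flt.decide(wifi_syn, now=0.0))
```

The point of keying the segment off the access point's MAC rather than off client IP addresses is exactly the one the article makes: the operator never has to enumerate wireless clients, because every frame they send reaches the switch through the same Layer 2 identity. The sliding window stands in for the "how many packets preceded it" part of Roese's context; a real switch ASIC would keep such counters in hardware.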
People want security systems today that alert them to significant events, while removing any false positives, Collen says. He believes few companies are yet ready to trust fully automated security response systems.
“They still want that element of human control,” he says. “And I think that’s mainly because they view security technology as still maturing and they want it to prove itself. When it has proved itself, the fully fledged vision of the self-defending network comes into play.”
Dan McLean, an analyst with IDC, notes that every network infrastructure company now has a significant story to tell and each one will say that its approach is the best approach.
Security may be a good hook for Enterasys in particular, McLean says, “because its reputation and history is that of a company that’s really good on the technology side. Security is a good fit, because it’s a technology subject.”
Evaluating which vendor’s security approach is best might be tough at the moment, McLean adds, because there’s no established methodology for evaluating network security. If users want to find the security system that best suits their needs, they’re going to have to do a lot of poking under the hoods of the network gear.