The perimeter is dead – what next for the appliance?

The perimeter is dead – what next for the appliance?

FEATURE References 1. ‘NASA was hacked 13 times last year’. Reuters, 2 Mar 2002. www.reuters.com/article/2012/03/03/ us-nasa-cyberattackidUSTRE8211G32...

844KB Sizes 2 Downloads 42 Views

FEATURE References 1. ‘NASA was hacked 13 times last year’. Reuters, 2 Mar 2002. www.reuters.com/article/2012/03/03/ us-nasa-cyberattackidUSTRE8211G320120303. 2. Martin, Paul K. ‘NASA

Cybersecurity: An Examination of the Agency’s Information Security’. Testimony before the Subcommittee on Investigations and Oversight, House Committee on Science, Space and Technology, 29 Feb 2012.

The perimeter is dead – what next for the appliance?

3. The Cybersecurity Act of 2012. www.hsgac.senate.gov. 4. Lee, Martin. ‘Targeted Attacks and SMBs’. Symantec, July 20, 2011. www.symantec.com/connect/ blogs/targeted-attacks-and-smbs.

Tracey Caldwell

Tracey Caldwell, journalist For years there has been talk of ‘de-perimeterisation’. Now people talk of having multiple perimeters, or of bringing the perimeter further inside the organisation. The use of cloud services and mobile devices for enterprise use is also increasing in all sizes of organisation. Is there any place left in this changing world for the security appliance? It is clear that security appliances vendors have been fighting for a share of a rapidly changing market, as evidenced by the flurry of mergers and acquisitions in the appliances sector in 2012 alone. In March 2012, Trustwave bought M86 Security, which itself had previously snapped up Finjan, and in the same month Beyondtrust bought vulnerability management solution provider eEye and Dell acquired SonicWall.

in a virtual environment could pose a challenge to the growth of this market. Small and mid-size businesses are turning to Unified Threat Management (UTM) solutions as many experience

threats or attacks for the first time. Gartner found worldwide UTM revenue reached $1.2bn in 2011, a 19.6% increase from 2010 revenue of $972m.2 “The UTM market is in the midst of a transition of its customers from older technologies, such as stateful firewall inspection, to the latest next-generation firewall technology supporting application control capabilities,” says Lawrence Pingree, research director at Gartner.

“Security appliances vendors have been fighting for a share of a rapidly changing market as evidenced by the flurry of mergers and acquisitions in the appliances sector in 2012 alone” The traditional security appliance sector is seeing strong competition from the cloud. TechNavio’s analysts forecast the global virtual security appliance market would grow at a CAGR of 27.2% during 2011-2015.1 One of the key factors contributing to this market growth is increasing cloud adoption. However, TechNavio believes deployment of security for applications 8

Network Security

Top 10 worldwide Unified Threat Management (UTM) vendors in 2011. Source: Gartner, Match 2012.

August 2012

FEATURE According to Florian Malecki, Dell SonicWall EMEA senior product marketing manager: “Network de-perimeterisation is not a utopia and is really happening since the growth of web 2.0 applications, social media, hosted applications like SFDC, SAP, Youtube, Facebook and the rise in BYOD and mobility. Organisations are not in a closed silo anymore. The network can be accessed from anywhere, at any time, from any type of device and mission-critical apps are now also hosted in the cloud.” Malecki adds: “Modern business practices have extended users, endpoints, traffic and resources beyond the limits of the traditional network perimeter. With the rise in mobile working, mobile technology, consumerisation of IT and BYOD, there are no clear borders in terms of where the network starts and ends. Organisations must now address network security in a way that enables and extends business beyond the perimeter.”

Reasons for deployment According to Terry Greer-King, UK MD of Check Point, companies deploy appliances for three main reasons: their ease of management, low initial price and overall cost of ownership. In 2010, Check Point surveyed appliance users about the three most important functions they wanted from appliances. The most commonly cited were: intrusion prevention (64%); anti-virus (63%); anti-spyware (42%); web filtering (29%); remote access management (26%); and data encryption (21%). Greer-King believes enterprises are still very keen on the all-in-one functionality that appliances promise. “These functions deliver the critical layering of security that is needed to fight latestgeneration threats, which in turn means that appliances can still deliver the levels of security that organisations demand,” he says. “The all-in-one functionality of appliances also means that in some cases, they can offer more coherent and stronger security than a fragmented security architecture comprising point products from multiple vendors, simply because they remove complexity and

August 2012

The most important functions users want from a security appliance. Source: Check Point.

make for easier management. A complex architecture can lead to vulnerabilities, and appliances go a long way to cutting that complexity.”

Service provider security It has become more and more difficult to define a perimeter, but appliances still have their place, according to Stefano Maifreni, solutions marketing manager at Colt. “We are still seeing a role for security appliances in the network as we still have some well-defined access points such as the end point of a circuit. We are seeing a strong trend towards expanding this protection, pushing the perimeter towards the boundaries of a service provider’s network,” he says. He acknowledges that appliances cannot go beyond the boundary between the network perimeter and the service provider network, and that is where many issues arise: “For example, we see an increase in Distributed Denial of Service [DDos] attacks,” he says. “Protection must come from the network provider as by the time the malicious traffic has reached the customer network and any security appliance, the system has been cut off the network. The best approach is to start the testing and protecting from attacks within the service provider network. This is so that malicious traffic

or data gets filtered from the service provider network so that the attack never reaches the customer.”

Hybrid approach Dave Ewart, director of product marketing EMEA, Blue Coat Systems, recommends a hybrid approach so that, as networks become ‘de-perimeterised’ due to greater employee mobility and a diversification of devices, organisations implement security functionality with a consistent and flexible policy. This would be achieved through appliances and Internet-delivered cloud security in a hybrid deployment. The balance between cloud-delivered security and traditional appliances will depend on a number of factors.

Stefano Maifreni: We are still seeing a role for security appliances in the network.

Network Security

9

FEATURE a key concern. Appliances offer certain advantages, he points out, including the ability to cache content, video or even software downloads locally. However, in smaller branches, where having hardware and onsite IT support may not be practical, the cloud becomes more appropriate.

Architecture

Paul Hooper, Gigamon: The network security appliance should sit further up the stack.

“Your business initiatives, user demographics and location drive specific needs and determine the appropriate fit for your environment,” says Ewart. “Large headquarters premises and datacentres will continue to be best served by large, robust security appliances, while smaller branches or retail sites that don’t have IT personnel on-site, and individual mobile or home workers, will be better served by a cloud-delivered service. Protecting modern workers who access the Internet and corporate resources from multiple networks, on multiple devices, requires this hybrid security approach.” A policy-based framework can underpin a hybrid technology approach. Creating an identity-based policy that runs a consistent set of functionality – whether it’s delivered by an appliance or from the cloud – is key. “For example, while malware protection is a given across all locations and use cases, different acceptable-use criteria may be appropriate between the office and home and the coffee shop,” says Ewart. “So the policy is the linchpin, attached to the user, aware of the differing levels of protection and risk inherent in each of the network access points and devices and designed to leave no security gaps as the user crosses from one to another. The fact that the policy is applied by appliances or clouddelivered service is transparent. The protection is 100% consistent.” Ewart believes that there will always be a need for a physical appliance at the heart of the organisation and larger branch locations where compliance is 10

Network Security

As de-perimeterisation becomes a reality, enterprises and vendors are looking again at where the appliance fits into the network security stack. Security appliances may be divided into two categories – in-band and out-of-band. In-band appliances (sometimes called ‘bump in the wire’ solutions) require all network traffic to pass through the appliance to enable them to perform the function or service. Out-of-band appliances are more passive and perform their services using a copy or replica of the production network traffic. However this is just a starting point in understanding where the appliance may fit into an increasingly complex network.

“Approaches are emerging that deploy security systems as appliances attached to traffic distribution technology, allowing for network communications to be forwarded to a range of systems, avoiding the ‘single point of failure’ exposure” Paul Hooper, vice-president at Gigamon, explains: “Many years ago a common phrase in the network industry was ‘complexity is the enemy of reliability’. But with the increasing and justified demand for heightened security within and around enterprise architectures today, both architectural and operational complexity have increased. With the deployment of security appliances and systems, additional consideration needs to be given to the design of the topology to ensure that the addition of security does not create ‘weak link’ or ‘single-path’ topologies that are prone to failure and instability.” He adds: “While many security systems have the ability to be deployed as redundant pairs or with hot-cold

switchover capability, other approaches are emerging that deploy security systems as appliances attached to traffic distribution technology, allowing for network communications to be forwarded to a range of systems, avoiding the ‘single point of failure’ exposure.” Hooper believes the simple answer to the question of where the network security appliance should sit today is ‘further up the stack’. “The point here is that with greater intelligence and greater traffic ‘awareness’, security and compliance management can be implemented without requiring significant and pervasive deployment of physical devices,” he says. “At Gigamon we see security tools and appliances being centralised as far as possible and then intelligent control and forwarding of traffic to occur through the capabilities of [our] Visibility Fabric.” In contrast, Cisco’s position is that network security needs to be pervasive throughout the network, with appliances used for specific, advanced purposes in particular locations. Philippe Roggeband, business development manager for Cisco Security products (EMEAR), says: “Cisco’s SecureX architecture is designed to provide consistent context-aware policy enforcement across the network infrastructure. In order to achieve this, security is built-in in most of the routing, switching and mobility devices which make up the network fabric. Dedicated, high-performance security appliances are used for advanced security features in the more sensitive or critical points in the network, such as identity firewall or context-aware firewall, or for security components operating at the application layer, such as email or web security. Our security appliances participate in the global scheme of security, and operate under the control of a single policy server.”

Policy versus appliance Roggeband points out that enterprises can choose to mix and match policy and appliance-based approaches but their choice may be determined by compliance requirements: “Security appliances can indeed be used to control

August 2012

FEATURE access to the network from external sources – in other words, at the physical perimeter of the network, or for internal segmentation purposes by controlling exchanges between physical or logical sub-networks,” he says. “A similar level of segmentation can also be achieved using policy-based enforcement, using the TrustSec technology under the control of the Identity Services Engine (ISE). Physical appliances will, however, be preferred, for example, when regulations require separate physical networks.” Following Dell’s acquisition of SonicWall, Dell SonicWall has set out a vision of security appliances that deliver UTM and Next-Generation Firewall (NGFW) protection. Malecki at Dell says: “Security appliances can cover a very large range of security solutions from next-generation firewall, Secure Sockets Layer Virtual Private Network (SSL VPN), strong authentication, email security, data protection, client security solutions, security assessment and management, wireless access and so on.” NGFW, UTM and SSL VPN appliances combined provide a ‘clean VPN’, he says, defining this as intelligent layers of secure remote access, gateway firewall, and policy control. NGFW and UTM appliances sit at the network perimeter and are the first line of defence. They are therefore the first and most important brick of the security wall, according to Malecki.

“Security appliances are becoming the de facto standard for security, and we are seeing a lot of deployments pushing this into the core of the LAN rather than out at the perimeter” He describes where appliances would fit within a typical Dell network security solution: “To secure their network, companies can use an NGFW such as Dell SonicWall SuperMassive E10800 with SSL VPN Gateway like Dell SonicWall Aventail to protect the network being accessed from the LAN and remote locations as well as to secure BYOD. These appliances can also be combined with mobile security

August 2012

applications, such as Dell SonicWall Mobile Connect, a unified client app for Apple iOS and Google Android, which provides smartphone and tablet users with network-level access to corporate and academic resources over encrypted SSL VPN connections.”

Multiple single-function appliances Jon Addison, consultant system engineer, Fortinet UK, describes the deployment of multiple single-function security appliances as “unfeasible” and says core appliances need to become much more user- and applications-focused. “Whether you call them next-generation firewalls, UTM devices or whatever else, security appliances are becoming the de facto standard for security, and we are seeing a lot of deployments pushing this into the core of the LAN rather than out at the perimeter,” he says. “Inside the traditional perimeter, visibility and control are everything, especially given the nature of the latest blended threats and user trends such as BYOD. At the core, high throughput and nearzero latency are critical – yet another reason why a deployment of multiple single-function security appliances is unfeasible.” Perimeter security and technologies such as network access control have their important uses but, in Addison’s view, core security appliances are needed to provide continuous real-time protection, and to enable the granularity of policy control and enforcement at not only traditional Layer 3 and Layer 4 levels, but also on a user-aware basis: “The trend has been for security appliances to become far more user and applicationcentric, executing awareness far above the traditional controls,” he says.

Latency issues Incorrectly specified security appliances can become bottlenecks in the core routing and switching infrastructure. Typically, as enterprise networks develop, security appliances are brought in on an ad hoc basis, resulting in a range of different security appliances of different

Robert Day, ValidEdge: today’s network security protection is struggling to contain new and emerging threats.

throughput capabilities in different places. Another issue is that security appliance deployments risk being too expensive if over-sized solutions are all that is available for a specific scenario. If enterprises are to entrust their network security to appliances, it is important to evaluate what competing products can and can’t do. Malware can very quickly bring down an organisation’s systems so it is vital to understand how different appliance solutions monitor and handle threats. “Executives at all levels expect to access a range of applications including social media tools to communicate effectively, but even experienced users can be caught out by malware that uses these applications as vehicles to bypass corporate firewalls,” explains Robert Day, VP marketing at appliance supplier ValidEdge. “Zero-day malware and singletarget attacks are especially problematic. IT organisations and security incident managers now need to detect and analyse threats in real time to fully understand who is attacking them and how.” The most effective analysers provide real-time intelligence about the behaviour of the suspect code to the IT organisation, without requiring any signatures or updates from the vendor. “They will describe how the malware will attack the system, expose any logic bombs that may be hidden in the code waiting for an eventual trigger and create a repair tool for each specific malware that can be easily applied to an infected system,” says Day.

Network Security

11

FEATURE He believes today’s network security protection is struggling to contain new and emerging threats. “Effective protection means partitioning at the device level rather than the network level,” he says. The only solution, in his view, is using platform security, either on the network infrastructure or endpoints themselves. Securing the Internet connection or adding security to a browser are traditional methods of endpoint protection, but a better approach is to use secure virtualisation to isolate sensitive data and applications from the point of potential attack.

No magic bullet While appliances continue to have their place in the security architecture, Martin Jordan, head of Cyber Response UK,

KPMG, argues that that place is now in the cloud. “Necessity is the mother of invention and security appliances fall nicely into this adage,” he says. “Some appliances are born to counter a threat, such as botnet and advanced malware detection, while others exist to support working conditions, such as SSL VPNs. The future for security appliances will see less tin onsite and a growing number of appliance vendors running their software in the cloud, as a service.” Appliances are no magic bullet, if they ever were, and security appliances will only assist in the diagnosis of a malware infection, they cannot cure the root cause of the infection nor prevent re-infection. This will take human intervention from those that have expertise in this area.

About the author Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier. www. traceycaldwell.co.uk.

References 1. ‘Global Virtual Security Appliance Market 2011-2015’. March 2012. Technavio. Accessed June 2012. www.technavio.com/content/ global-virtual-security-appliancemarket-2011-2015. 2. ‘Gartner Says Worldwide Unified Threat Management Market Surpassed the $1 Billion Mark in 2011’. April 2012. Gartner.

Fighting botnets with sinkholes Danny Bradbury, freelance journalist

Danny Bradbury

In the early days of the Internet, domain theft was a problem. But these days, it’s a legitimate practice, designed to make the network a safer place. Sinkholing is becoming a relatively commonplace practice in the cyber-security research community. It enables law enforcement organisations, security companies and large software vendors to displace cyber-criminals online, effectively stealing their online homes from under their noses. But how does it work, and what underlying ethical considerations does it raise? Most botnet operations rely on a network of Command and Control (C&C) servers that relay instructions to clients, and also act as dropboxes for the data they steal. This malware generally uses the Domain Name System (DNS) as a means of communicating with the servers, rather than talking explicitly to an IP address. One way for security researchers to deal with these botnets is to seize control of the domain that the criminals are using for their C&C servers. Simply neutering the botnet isn’t always the goal. “If you really want to mitigate something you just get the site suspended,” says Yuval Ben-Itzhak, chief 12

Network Security

technology officer at anti-malware tools firm AVG Technologies. Instead, researchers will maintain sinkholed domains, collecting information about the clients that try to communicate with them. By having traffic meant for the criminal’s domain directed to their own servers, they can analyse the traffic and learn more about the botnet. This is the basis of sinkholing.

Ethical concerns This creates an ethical issue, says Gunter Ollman, vice-president of research at Damballa. Simply sinkholing a botnet

to stop it maliciously controlling servers is one thing, but it would be easy for those controlling a sinkholed domain to do more. Sinkholes can collect swathes of detailed information about infected clients, including where they are, and what software they’re running. Anything else that the malware collects, such as passwords, locally-stored data, applications and licence keys can all be uploaded. “There are many routes to monetising this data,” Ollmann says. “The most common one is selling victim enumeration on to different players.” But who? Government agencies might want to know which machines had been compromised, especially if those machines were in politically or economically sensitive locations. “A number of defence contractors might want that information,” he adds. The information could be used to map types and versions of operating system by

August 2012