Focus on Security

By Andreas Antonopoulos, Nemertes Principal Research Analyst

Executive Summary

Security professionals often argue about whether they should apply security in the network layer or at the application layer. But for an enterprise’s security architect or chief security officer, the answer is “apply security where the risk justifies the cost.” In most cases, that means applying security controls in the network layer, at the application layer and pervasively throughout the organization. The disappearing security perimeter only heightens the need for a holistic approach to security.

To apply security controls and sensors throughout the network, a network equipment provider must provide a broad range of security solutions:

• Traditional perimeter devices such as firewalls and IDS/IPS.
• Access control and potentially IDS/IPS within the switched LAN environment.
• VPN capabilities based on IPsec and SSL, on the perimeter for remote access and perhaps internally between sites or zones.
• A broad range of VPN clients for desktops, servers, and mobile devices (laptops, PDAs, smartphones).
• Endpoint security that inspects connecting devices, integrated with the host anti-virus, anti-spyware, firewall and IDS/IPS agents.
• An enterprise-class management system for all of the above.

Applying security controls at both the application layer and the network layer requires some integration between the two. Most network equipment vendors can integrate with host-based security tools such as host IPS and host firewalls. Today this is most common in VPN-based remote access, where the gateway inspects the endpoint and confirms that the required security tools are installed, running and up to date before it grants access. Increasingly, though, the desktop and server security tools inside the enterprise are also being integrated into the network security management tools.

Moving the perimeter to the endpoint
Software systems are by their very nature in a state of constant decay. Researchers and attackers discover vulnerabilities almost daily, while vendors keep adding features, and often create new bugs in the process. In a data center containing a variety of operating systems, applications, network appliances and security systems, maintaining software integrity and security is a struggle, and patch management has become a substantial headache for data center managers, according to our upcoming benchmark, “Securing the Enterprise.” Indeed, patch management and vulnerability scanning are among the top security initiatives for 2005.

For most enterprise data centers, every new patch presents a dilemma: Installing a patch presents the risk of software conflicts and failures due to unanticipated changes in functionality. Not installing the patch exposes the infrastructure to known vulnerabilities that will be attacked. Deciding whether to apply a patch is a complex exercise of balancing risk, exposure and countermeasures. The near-infinite number of possible configurations makes applying even the simplest patch on production systems a gamble.

Without thorough testing, patches can cause unanticipated software conflicts and errors, and while that testing is under way, new patches keep arriving almost daily. A further challenge is that an organization’s security perimeter is no longer clearly defined. With laptops coming and going, it is easy for a virus or worm to enter behind the firewall and wreak havoc from within. As the perimeter has eroded, IT executives have built a new perimeter around every desktop and server in their networks. Using host-based security products such as personal firewalls and desktop intrusion prevention systems (IPS), IT managers can provide a “personal” perimeter that protects each host.

The advantages of moving the perimeter to the host are significant. Host-based firewalls and IPSs can protect a host from exploits for which no patch yet exists (zero-day exploits) even while the host remains unpatched and vulnerable, because they block access to the vulnerable service or the exploit’s traffic pattern rather than fixing the flaw. Furthermore, host-based firewalls can block unauthorized outgoing traffic from the host, so that even if a host is infected by malware it has few remaining paths by which to spread the infection to the rest of the infrastructure. Host-based protection therefore compartmentalizes the network down to the individual host, protecting each host from its neighbors and vice versa.

Integrated Anti-Spyware
Host protection, perimeter protection and remote-access-endpoint protection are especially important in the face of new threats. For example, until recently spyware was mostly a consumer problem, caused by home PCs infected with hundreds of pop-up-generating spybots. But the threat to enterprises is serious. As enterprise applications are increasingly delivered over the Web, the browser becomes the de facto platform for mission-critical applications. Spyware can cripple the browser and prevent users from accessing their applications and data. Almost any browser can be infected with spyware, and when an enterprise application is Web-based, an infected browser can degrade the performance of the application as a whole.

Distributed Denial of Service
Finally, add distributed denial-of-service (DDoS) attacks and the harm they can wreak on organizations to the list of enterprise threats. You might think the risk is insignificant because you are not a high-profile target such as Google, Yahoo, or Microsoft (all of which have suffered severe outages due to distributed DoS attacks), or because you are primarily a “bricks-and-mortar” organization with a limited Web presence. You would be wrong. In recent months, two trends have combined to greatly increase the risk of distributed DoS attacks to companies.

The first is that an increasing number of organizations are using the Internet to enable remote workers to connect to corporate resources. The number of remote workers has skyrocketed by 800% in the past five years, according to Nemertes’ benchmark, “The Virtual Workplace: Leveraging Real-Time Communications in the Enterprise.” Many of those users connect to corporate resources via the Internet, and distributed DoS attacks could keep these legitimate users from accessing their data center resources. The second trend is the dramatic increase in distributed DoS-based extortion. Hackers have learned that the ability to connect to the Internet has tangible value, and they’re starting to use distributed DoS attacks as a way to attempt to force companies to pay up.

Distributed DoS attacks work by paralyzing the victim’s servers and systems and clogging their network access points with useless traffic. The attacker lines up a network of hacked machines, called “zombies,” across the Internet that, upon command, launches an assault on the target. Many times, taking out the “control” machine won’t stop the attack; the zombies keep assaulting the victim. Moreover, hackers don’t even need to create their own zombie armies—other hackers have compiled armies as large as 20,000 machines, and will rent these to other hackers.

Premises-based solutions are helpful in protecting servers and other on-site resources, but they don’t protect against network congestion that can take a site offline. (Any solution that drops packets only when they’ve reached the premises can’t address network congestion.) To protect against distributed DoS attacks, data center managers should look into network-based solutions, particularly managed DDoS protection services by service providers such as AT&T and Sprint. There is also significant potential for future integration between the on-site anti-DDoS solutions and external network anti-DDoS services.
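The two preceding paragraphs describe what an attacker’s zombie flood looks like from the victim’s side and why a premises-only defense cannot relieve a saturated access link. The following is an added example (not code from the article or from Nemertes) of the kind of detection logic a data center team could run over flow records to tell a distributed flood from a single-source flood and to decide where mitigation has to happen. The NetFlow-style record format, the thresholds, the 10 Mbit/s access link and all of the traffic are assumptions constructed for the example.

```python
"""Classify volumetric floods from flow records and decide where to mitigate.

Added example: record format, thresholds, link size and traffic are all
assumptions constructed for illustration, not data from the article.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def parse_flow(line: str) -> tuple[int, str, str, int, int]:
    """Parse a simplified NetFlow-style record: '<epoch> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), src, dst, int(port), int(nbytes)


def build_sample_flows() -> list[str]:
    """Constructed traffic toward a web server at 192.0.2.10 (not captured data)."""
    base = 1_117_560_000  # arbitrary epoch, multiple of 10 so windows align
    lines = []
    # Background: 20 legitimate clients, each fetching a 4 KB page every 2 s for 40 s.
    for t in range(40):
        for c in range(20):
            if (t + c) % 2 == 0:
                lines.append(f"{base + t} 198.51.100.{c + 1} 192.0.2.10 80 4000")
    # Distributed flood: 2,000 zombie addresses, one 1,500-byte flow each per second, t=20..29.
    for t in range(20, 30):
        for z in range(2000):
            lines.append(f"{base + t} 100.64.{z // 250}.{z % 250 + 1} 192.0.2.10 80 1500")
    # Single-source flood: one host sending 400 flows/s, t=35..39.
    for t in range(35, 40):
        for _ in range(400):
            lines.append(f"{base + t} 203.0.113.7 192.0.2.10 80 1500")
    return lines


@dataclass
class Window:
    sources: set = field(default_factory=set)
    flows: int = 0
    nbytes: int = 0


def analyse(lines, window_s=10, min_flows_per_s=200, min_sources=500, link_bps=10_000_000):
    """Tumbling-window flood detector.

    A window is suspicious when its flow rate exceeds min_flows_per_s. It is
    'distributed' when it involves at least min_sources distinct senders, and
    'link_saturated' when the inbound bit rate exceeds the access link, in which
    case dropping packets on the premises cannot restore service.
    """
    buckets: dict[tuple[str, int], Window] = defaultdict(Window)
    for line in lines:
        ts, src, dst, _port, nbytes = parse_flow(line)
        w = buckets[(dst, ts - ts % window_s)]
        w.sources.add(src)
        w.flows += 1
        w.nbytes += nbytes

    alerts = []
    for (dst, start), w in sorted(buckets.items()):
        flows_per_s = w.flows / window_s
        if flows_per_s < min_flows_per_s:
            continue
        bps = w.nbytes * 8 / window_s
        distributed = len(w.sources) >= min_sources
        saturated = bps >= link_bps
        if distributed and saturated:
            action = "engage upstream/provider scrubbing; on-site drops cannot relieve the access link"
        elif distributed:
            action = "rate-limit at the perimeter and watch link utilisation"
        else:
            action = "block the offending source(s) at the perimeter firewall"
        alerts.append({
            "dst": dst,
            "window_start": start,
            "kind": "distributed" if distributed else "concentrated",
            "distinct_sources": len(w.sources),
            "flows_per_s": flows_per_s,
            "mbps": round(bps / 1e6, 2),
            "link_saturated": saturated,
            "action": action,
        })
    return alerts


if __name__ == "__main__":
    for a in analyse(build_sample_flows()):
        print(a)
```

The zombie flood trips both tests (2,020 distinct senders, roughly 24 Mbit/s against a 10 Mbit/s link), so the only useful response is upstream, which is the point of the preceding paragraph; the later single-host flood exceeds the rate threshold but neither the source-count nor the link-capacity test, so a premises firewall can handle it. A tumbling window is used for simplicity; a production detector would use a sliding window and baseline the thresholds per destination.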

Andreas Antonopoulos is Principal Research Analyst and senior partner at Nemertes Research LLC, a leading research firm that provides in-depth analysis of the business value of emerging technologies. Mr. Antonopoulos can be reached at 888-241-2685 or research@nemertes.com