OPINIONS : SECURITY WATCH: Desktop firewalls require a revolution in their management to be truly effective InfoWorld; 1/22/2001; By P.J. Connolly
InfoWorld 01-22-2001 ABOUT A DECADE AGO, I learned the hard way why protecting the desktop is one of the most difficult tasks. A virus infection came into our shop through an outside contractor, and it spread everywhere. I spent the better part of the next two weeks scanning local drives and floppy disks, but I eventually declared victory. The lesson from that experience is best expressed by Walt Kelly's Pogo: "We have met the enemy, and he is us." Too many companies have focused their efforts on computer security at the perimeter and ignored the need to defend against threats from within. Even companies that recognize the possibility of an internal threat tend to minimize or misidentify the nature of the problem. Microsoft's recent trouble with the Trojan horse "QAZ" didn't come about because an employee was unhappy, it happened because the employee and Microsoft's security staff were sloppy and an unknown party took advantage of it. Although we all know that perfect security is impossible, a lot can be gained by beefing up your current set of tools. For example, 10 years ago, you may have installed antivirus software only on key machines. Today, many PCs come with it pre-installed, and most companies use anti-virus software on the desktop, file server, and mail server. It's time that we treated "desktop" or "personal" firewalls with the same seriousness. In the last couple of years, the personal firewall market has exploded with the increasing use of cable modems and DSL. Although dial-up connections are also subject to attack, the "always-on" nature of cable and DSL technologies makes it a lot easier for attackers to compromise systems. The personal firewall software scans network traffic to and from the PC, and permits or denies the passage of packets based on predetermined rules, just like the firewall at the edge of a network. 
Personal firewalls usually offer remote workers a number of predetermined traffic rules, and users rarely have to perform any configuration. For example, certain types of application traffic might be allowed if the application is active on the desktop, but not if it's coming from a background process. The current generation of personal firewalls for Windows systems isn't perfect. The most glaring problem is that they don't check on applications trying to pass data through the firewall. If the executable's name matches one on the "approved" list, passage is granted.
This vulnerability allows a Trojan horse to pass itself off as, say, netscape.exe or another application that has transit rights. The other problem with most personal firewalls is that they don't play well in an enterprise environment. Although many vendors tout their remote installation and configuration, too often that's the limit of the product's manageability. We learned a long time ago with anti-virus software that products without central management and reporting aren't worth using. Unfortunately, it seems that most of the people selling personal firewalls missed this lesson. So for their benefit, let's dust off the Commandments of Manageability:

I. Thou shalt enable remote management of desktop configurations.
II. Thou shalt send alerts via e-mail, pager, and SNMP trap.
III. Thou shalt provide reporting tools that focus on exceptions, not norms.
IV. Thou shalt not update the product by repackaging the entire code.
V. Thou shalt protect the client even if the network connection is broken.
VI. Thou shalt provide the administrator with defaults that match best practices.
VII. Thou shalt provide the administrator with complete control over how and when clients are updated.

One vision that might provide a model for delivering enterprise security is McAfee's Security.NET service, an ASP (application service provider) approach that offers an alternative to "boxed" security packages. Whether companies are comfortable with this approach is another matter. If you aren't already considering personal firewalls as part of your security strategy, now is the time to do so. P.J. Connolly is a senior analyst in the InfoWorld Test Center; he has almost 15 years of IT experience building, maintaining, and securing networks and clients. Write to him at
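The name-only check the column criticises, side by side with a check keyed on the executable's contents, as an added example that is not from the column or from any vendor's product: the executables, the process records and the "active on the desktop" rule are constructed for illustration.

```python
"""Why matching an executable's file name is not application identification.

A toy outbound-traffic policy check: the name-based allowlist the column
describes lets any file called netscape.exe through, while an allowlist keyed
on the SHA-256 digest of the executable image only admits the approved build.
Everything below is constructed; the byte strings are not real programs.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for two executables on disk. Both can be installed
# under the file name netscape.exe; only the first is the approved browser.
GENUINE_BROWSER = b"MZ constructed-genuine-browser-image v4.7"
IMPOSTOR_BROWSER = b"MZ constructed-unrelated-program-image"


@dataclass(frozen=True)
class Process:
    """What a desktop firewall sees when a process tries to send traffic."""
    exe_name: str     # file name as reported by the OS
    image: bytes      # contents of the executable backing the process
    foreground: bool  # whether the application is active on the desktop


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Policy as shipped by the firewalls the column criticises: a list of names.
NAME_ALLOWLIST = {"netscape.exe"}

# Hardened policy: the same application identified by its image digest,
# recorded by the administrator when the approved build was installed.
HASH_ALLOWLIST = {sha256_hex(GENUINE_BROWSER)}


def name_based_decision(proc: Process) -> str:
    """Name-only identification plus the column's 'active on the desktop' rule."""
    if proc.exe_name not in NAME_ALLOWLIST:
        return "deny"
    return "allow" if proc.foreground else "deny"


def hash_based_decision(proc: Process) -> str:
    """Same rule, but the application is identified by what it is, not what
    it is called: a renamed Trojan horse no longer inherits transit rights."""
    if sha256_hex(proc.image) not in HASH_ALLOWLIST:
        return "deny"
    return "allow" if proc.foreground else "deny"


def evaluate(proc: Process) -> dict:
    """Return both decisions and flag the case where only the name check passed,
    which is the impersonation the column warns about."""
    by_name = name_based_decision(proc)
    by_hash = hash_based_decision(proc)
    return {
        "exe_name": proc.exe_name,
        "name_based": by_name,
        "hash_based": by_hash,
        "impersonation": by_name == "allow" and by_hash == "deny",
    }


if __name__ == "__main__":
    real = Process("netscape.exe", GENUINE_BROWSER, foreground=True)
    fake = Process("netscape.exe", IMPOSTOR_BROWSER, foreground=True)
    for proc in (real, fake):
        print(evaluate(proc))
```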
[email protected]. Copyright © 2001 InfoWorld Media Group Inc. This material is published under license from the publisher through ProQuest Information and Learning Company, Ann Arbor, Michigan. All inquiries regarding rights should be directed to ProQuest Information and Learning Company.
Best Firewalls for the Enterprise By Vincent Ryan June 19, 2003 4:00AM

How important is a firewall's throughput? According to Check Point Technologies' Mark Kraynak, price performance -- the amount of throughput an enterprise gets versus the dollars it spends -- is more important than top-end throughput. The enterprise firewall market is a study in contradictions. Translation: The market is in such a state of flux that enterprises facing a buying decision have some tough choices to make and might be better off waiting until the smoke clears. But few enterprises have that luxury. Why the changes? Over the last few years, the leading firewall vendors in the space have focused their attention on protecting the packet layer of networks. But today, the biggest threat to networks is at the application layer, so these vendors are having to switch gears and rework their products to suit customer needs. At the same time, there are vendors that -- while claiming just a small share of the market -- have been offering application-level protection all along. And those are not the only thorny questions facing buyers. Appliance versus software choices, virtual private networking capabilities and firewall throughput also come into play.

Market Changes

For the most part, enterprises will be choosing among four leading vendors -- Check Point, NetScreen, Cisco and Secure Computing -- Michael Rasmussen, a director of research at Forrester Research, told NewsFactor. Check Point is known for its management capabilities, NetScreen for its speed, and Cisco for its ability to integrate with the core of the network. These three companies offer stateful packet-filtering firewalls, which means they operate at the network level and inspect packet headers to decide whether to block or allow access. But if security is the top priority, enterprises are best off going with Secure Computing, which offers an application-proxy firewall, Rasmussen said.
Application-proxy firewalls are software applications that run on a server between a network and the server, and determine what type of traffic is accepted or blocked. Because it operates at the application layer, an application-proxy firewall guards against such dangers as e-mail and instant-messaging attacks, as well as buffer overflows. Although the earliest firewalls were application-proxy firewalls, stateful packet-filtering products have taken over the market, Rasmussen said. But the "threat model" that organizations are facing is in flux right now, Mark Kraynak, strategic marketing manager at Check Point Technologies, told NewsFactor. Attackers are taking advantage of application-level vulnerabilities, Kraynak says, because the number of applications is multiplying -- leaving more security holes -- and because many enterprises already have firewalls in place that do a good job of protecting against network-level threats. As a result, "the definition of what a firewall does has to change," Kraynak said. A firewall has to perform both access control and attack protection at the network level and the applications level, he said.

Building Intelligence

Check Point and other network-level firewall developers are working to build "application intelligence" into their products. NetScreen acquired OneSecure, an inline intrusion detection and prevention company, last year to add application layer protection to its products. NetScreen currently provides OneSecure's product as a standalone appliance, but also is integrating some of its capabilities into its core firewall product line, Chris Roeckl, director of corporate marketing at NetScreen, told NewsFactor. "Customers have been saying they want to make the firewall smarter," Roeckl said. Firewalls need the ability to discern not only where a packet is coming from and going to -- and whether it is properly formed -- but also what the content layer looks like, he said. At the same time, network layer protection cannot be ignored. "One of the key things enterprises need to remember is that even though the threat model is morphing toward applications, it's absolutely critical that they don't neglect the network side," Kraynak said. "As soon as organizations stop focusing energy on the network level, the threat model will change back to that level." According to Kraynak, traditional application-proxy firewalls have failed in two ways: They have not secured a broad enough range of network protocols, and they have not provided enough manageability.
An enterprise also can take a performance hit with application-proxy firewalls, especially if it has concurrent connections numbering in the tens of thousands.

Soft or Hard?

Application versus stateful packet-filtering is not the only question enterprises must consider. The choice of whether to buy a software-only system and run it on an open server or buy a dedicated hardware appliance also can be difficult. Most organizations are looking for a package from a single vendor, Rasmussen said, so they prefer the appliance approach. An appliance offers seamless firewall functionality and a lightweight, proprietary operating system. It also eliminates the vulnerabilities that come with running a firewall on top of a general-purpose operating system, Rasmussen said. "You reduce your security exposure tremendously," he added.
NetScreen offers "purpose built" appliances based on ASICs that offer ease of deployment and performance, Roeckl said. "The market is moving toward the appliance form factor," he explained. "In the software world, you're not tied to a network platform. How do you optimize the device to sit in a dynamic routing environment?" Check Point's firewall products are sold as stand-alone software that can run on a generic server or as software that runs on top of appliances built by the likes of Nortel Networks and Nokia. Although appliances usually offer added systems-management capability, Kraynak said, many customers want to optimize their hardware and personnel investments by utilizing older servers and standard OSes, such as Linux.

VPN Choices

In most cases, virtual private networks and firewalls go hand-in-hand, so VPN support is important in choosing a firewall. Integrating a VPN with a firewall is the best choice, according to Kraynak. "If you can terminate your VPN at the same gateway you're doing your firewall functionality, then you can inspect that traffic," he pointed out. A separate VPN would sit either behind or outside the firewall, and in both cases can cause problems, Kraynak said. If behind, then VPN traffic would have to tunnel through the firewall. But since it is encrypted, the firewall would not be able to inspect it. If outside the firewall, the VPN device itself would be subject to attack, Kraynak said. Sometimes, however, having separate VPNs makes sense. Many IT staffs just do not want to "put all their eggs in one basket," Rasmussen said. Additionally, if an organization has a large number of VPNs and a large user base, a separate VPN offers better performance. Firewalls running on general purpose CPUs, for example, are slowed down by VPN encryption. "VPN encryption and decryption are just overhead," Rasmussen said. Dedicated VPN hardware, however, can maximize encryption throughput.
NetScreen integrates VPN capabilities but also provides up to two gigabits per second of VPN throughput, Roeckl said. A high performance VPN often is needed in enterprise data-center environments, he said, as well as in networks that have multiple workgroups operating on a wireless LAN that requires that traffic be encrypted.

Speed Counts

How important is a firewall's throughput? Although the number of customers needing a 12-gigabit firewall may be relatively small, high-speed throughput in a firewall is important when an enterprise is looking to protect the core of the network, Roeckl said. Many enterprises are looking to add an additional layer of security in the switching fabric of the enterprise, which operates at multi-gigabit levels. "An application proxy can't be deeper into the core of a network because it has performance problems," Roeckl said.
According to Kraynak, what is more important than top-end throughput is price performance -- the amount of throughput an enterprise gets versus the dollars it spends. "Ultimately what [enterprises are] buying is a security solution. A lot of times they look at throughput and performance, but that's not the primary function of the product."

Policy Priorities

In the end, making sure that the right security policy is implemented in the firewall may be more important than the choice of a particular firewall product. A firewall is only as good as the security policy it implements, Kraynak said. "Sometimes, organizations don't spend enough time looking at policy," he said. Policy concerns with firewalls include who is going to be allowed to access a network, how they will be authenticated, what activities the firewall will log and track, and what type of security is required on client machines that access the VPN. "If your policy is fundamentally flawed, the firewall can't fix that," Kraynak said. Considering the dizzying array of choices facing firewall shoppers, the notion that policy is the most important element may be welcome news.
Get smart with business intelligence software: companies faced with ever-expanding information sources both in and outside the firewall are scrambling to find easier ways to collect, aggregate, and report on data and make it available throughout the enterprise. EContent; 11/1/2003; Miller, Ron

At first blush, that would seem to be the territory of database reporting tools, and to some extent it is, except that most corporate information does not reside in structured databases. In fact, a great deal of it is unstructured information such as documents or email or, even harder to pin down, it's somewhere out on the World Wide Web waiting to be found. Perhaps it's in a newsfeed or it can be found in a business database such as Dun & Bradstreet, but wherever it is, it is important for companies to be able to make use of it and share it with others in the enterprise. This type of information-gathering falls within the broad category of software known as "business intelligence" tools, which allow employees to learn about a particular subject such as how the sales department is performing, what customers complain about most or what your closest competitor is doing. This article looks at the range of business intelligence software and provides some examples of how companies are using this information to run their businesses more efficiently.

THE BI LANDSCAPE

Since Business Intelligence (BI) spans a wide range of information types, it's not an easy area to nail down. For some, it means looking at pure business information such as sales data broken down by territory and pulled directly from a database. For others, it's less structured information such as internal PowerPoint presentations or other business documents or information found on the Web. Databases and data warehouses provide a large source of business information, but they are far from the only sources available to the enterprise. Actually, unstructured data found in places other than databases comprise the vast majority of data in the enterprise. "Today about 15 percent of the data are in a structured form and 85 percent of the data is in unstructured form. There is a big industry around that 15 percent," says Anant Jhingran, director of business intelligence at IBM. According to Dan Vesset, research manager, analytics and data warehousing at IDC in Framingham, Massachusetts, that 3.5 percent is part of a huge industry IDC defines as business analytics (BA), which includes query and reporting tools, multi-dimensional analysis tools, data mining, and packaged data marts. Vesset says that BA accounted for 12 billion dollars worth of business in 2002. IDC sees BI as a piece of the broader business analytics market, which Vesset says accounted for 3.7 billion dollars of the total business analytics pie. Beyond the data found in conventional databases, there is a whole area of business information sometimes referred to as marketing intelligence (from CRM sources, for example), business intelligence, or competitive intelligence. This type of information might be found inside the firewall or out on the open Web. Employees need to not only find this information, but make it available to their fellow employees.
John Blossom, president of Shore Communications, Inc., a content industry research firm, sees portals and knowledge management tools playing an important role in gathering and distributing this information. Blossom says, "Portal software and knowledge management is fairly key to success in business intelligence. Being able to transmit business intelligence into the organization is a key factor, not only to collect it, but to get it actionable. So you see major corporations, not only gathering information to be distributed in reports, but making it available online." Whichever information type or source companies use, a tool to help extract the data exists. In the structured data market, that might be Cognos or Business Objects. In the unstructured market, you might use a visual taxonomy tool such as Inxight SmartDiscovery to get a grip on the data in your enterprise (or from the Web), or an unstructured data search tool such as Insightful's InFact. You might look outside the firewall with tools such as IBM's nascent WebFountain product or Anacubis Desktop, which gives you a front end to help you make sense of data you find on Web-based subscription services such as D&B. Let's look at these options more closely now.
MAKING SENSE OF STRUCTURED INFORMATION

One thing is certain: There is no shortage of information sitting in enterprise databases today. The trouble comes when companies try to actually make sense of that data. Throughout the 90s, many companies spent loads of money and time building huge data warehouses. Today, they want to use that information they have gathered to build a competitive advantage. "Now the business units, the business people in the organization are saying, 'OK we have those data warehouses and we need to get some information out of there, make better decisions, drive our business better, help us run our business.' BI feeds off databases and presents information to business users in an organization in a way that's meaningful," says Anil Dilwari, product marketing manager at Cognos, an enterprise BI software vendor. Dilwari says his company helps organize information by displaying data in a visual window. Cognos presents this information in a single interface, but breaks down the gathering process into a process that includes what they call scorecards, dashboards, OLAP (online analytical processing) analysis, reporting, and event detection. By providing a smooth path through each of these different functions, Cognos software gives users a way to get the big picture and drill down to find the answers they need. Business Objects is another company trying to help companies make sense of structured data. Their strength lies in giving the end-user control of the query process. Early on, that meant giving end-users the power to write their own queries without IT assistance and more recently providing a set of tools in an integrated end-user interface.
Darren Cunningham, group manager for data integration at Business Objects, says, "Our early value proposition was for a patented technology that we call a semantic layer, which essentially shields end-users from having to work with any underlying programming language, from having to write their own queries, really giving end-users the ability to analyze the data that lives in these disparate systems." Today, they offer a full set of data analysis tools.

MINING UNSTRUCTURED DATA

With the prevailing wisdom that 85% of the data in an enterprise exists in sources other than databases, an awful lot of valuable data can be left behind by tools that search only in structured databases, and if you don't look at this vast collection of data, depending on your needs, chances are you'll be missing something. To get at unstructured data, you need a different toolkit. Vesset from IDC thinks the unstructured side of the market is growing as companies develop tools to get at this data. He says, "It's a hot emerging market and it's faster growing than structured data analysis. Some of the BI vendors are getting into it such as SAS and Insightful. Both have come out with text-mining solutions, the ability to mine unstructured text and then integrate that with your analysis. I think those two areas (structured and unstructured) will continue to merge." Although Vesset says it's early in the merging process and structured and unstructured for the moment are treated separately, there are industries such as oil and gas, manufacturing, and pharmaceuticals where they need to look at unstructured data as part of the nature of their business process. Jeffrey Coombs, senior vice president of sales and marketing at Insightful--makers of both structured and unstructured data tools--agrees with Vesset's analysis. His company has found that industries such as pharmaceuticals benefit from having both types of tools. He says, "Within pharmaceuticals is a very large requirement that was previously unmet regarding looking at unstructured data. This is the ability to not only research a drug, but to also check the literature to make sure nobody else has already looked at it." Another way to see these kinds of relationships across unstructured data is using software such as Inxight SmartDiscovery to build a taxonomy that provides a visual map of data relationships. David Spenhoff, vice president of marketing at Inxight, says, "What we enable people to do is to analyze text-based data." They then present the data in a visual map that shows the relationships between different key entities as defined by the end-user. The information could come from inside the firewall such as documents, PDFs, PowerPoint presentations, or email; or from outside the firewall such as Web pages or newsfeeds.

CLIMBING THE FIREWALL

Of course, a whole world of information lives beyond the firewall and, if companies want to keep track of their competitors, follow industry news and stay on top of information outside the company, they need to be able to get at that information, too. Much of this information could be on Web sites or it could be in online Web-based databases like Dun and Bradstreet. The type of software that allows users to collect, aggregate, and report on information on the Web is only just beginning to emerge.
IBM's WebFountain has received a lot of attention in the press and a British company, Anacubis, is beta-testing a new product called Anacubis Desktop, which collects information from online databases and presents it in a way that you can aggregate and report on. IBM describes WebFountain as a tool to gain access to information that is not otherwise readily available such as people's perception of a brand or product. IBM's Jhingran uses a product launch as an example. He says, "Think about a marketing manager. You've just launched a product and you want to know what people are saying about it or what the competition is doing to counteract that. Does it have a positive buzz or a negative buzz?" WebFountain looks for this data in unusual places such as chat rooms, advertising sites, competitors' sites, or newsfeeds such as Factiva and tries to build a picture for the marketing manager as to what is happening with the new product. Anacubis takes a different tack. They have partnered with several Web-based subscription companies including D&B and LexisNexis, and have developed a desktop product to help end-users make sense of the information they find in these databases. The companies still need to subscribe to the fee-based information services, but they have a tool to help them see patterns and trends that might not otherwise be obvious. Rebecca Pointer, marketing manager at Anacubis, describes it as follows. "What Anacubis Desktop does is support all parts of the information flow, so gathering information from multiple sources, consolidating and organizing that data, and then allowing users to perform some real analysis of the data they are looking at." As information resources continue to develop, it becomes imperative for the enterprise to get a grip on data to help employees understand the business, products, relationships, and competitive landscape. There are a growing number of software packages and services to help do that. Perhaps these tools will eventually merge to allow you to capture structured and unstructured data both inside and outside the firewall from a single tool, but until then, depending on your needs, you may need an information gathering toolkit to be certain you gather, analyze, and understand all the available data, and finally, communicate what you have learned to the rest of the organization.

Tracking Down a Sales Slump

Cognos' Anil Dilwari offers the example of finding a reason for a sales slump to explain how the different pieces of Cognos software work together to build a picture and track specific information. In the Cognos scorecard, green means everything is OK, while red means there is a problem. Suppose you come in one morning, look at your data scorecard, and you see U.S. sales marked in red. You want to do further analysis and find out what went wrong, so you go into the Dashboard setup to see a graphical representation of the U.S. sales figures presented on a map and you see that California is shaded in red, indicating that it is a state with a problem. Clicking on California launches a multidimensional OLAP analysis environment. You find out that the main problem is in Los Angeles and San Francisco, and specifically it's a problem that surfaced in the last 30 days.
You drill through to the lowest level of detail to a report outlining the status of the sales people in those two problem areas and you find that your two best representatives from Los Angeles and San Francisco have actually left the company within the last 30 days, which explains the reason for slumping sales in these areas. You can take this a step further and get proactive by enabling event detection, so that if you ever lose two key sales people in this manner again, you will be informed by cell phone, pager, RIM device, or however you wish to be notified.

UC Berkeley Provides Unique Data Access

Debra Kelly, museum information specialist at The University of California at Berkeley, uses Business Objects to put powerful query tools in the hands of end-users in the campus' Museum Informatics Project (MIP). Kelly says she bought Business Objects way back in 1995 after evaluating 30 tools that were around at the time. She was attracted to Business Objects because it put query writing in the hands of her non-technical users without them having to know any SQL (structured query language). She says users could simply drag and drop items they wanted to report on into the query panel. This appealed not only to her, but also very much to her end-user community.
Kelly's department is responsible for maintaining the MIP databases. She says that her two main Business Objects users are the Botanical Gardens and the History of Art department. The Botanical Gardens, which maintains a collection of over 35,000 plants, uses Business Objects software to keep track of items in their collection. For example, when they receive a request from students or researchers, such as all plants in a certain genus, they can build a query in Business Objects without help from IT and generate a printed report to give to the researcher. The History of Art department uses Business Objects to keep track of its collection, which includes more than a half-million slides. Although Kelly has developed some custom reports for her users, she says that for the most part, users can generate the reports they need without her help and that's why she continues to use Business Objects after all these years.

Pharmaceutical Company Mines Unstructured Data

Insightful's Coombs says their InFact product works quite well in the pharmaceuticals market because of how it integrates into the nature of their research process. Coombs says a pharmaceutical company may do all kinds of research to see how a certain protein may impact a particular gene. They may do experiments and generate large amounts of data, leading to the development of a drug. They store this information in conventional databases, but once they find something promising, they need to mine the research literature to see if what they are developing has been touched before. This involves huge volumes of text in the pharmaceutical journals. It is nearly impossible to review this volume of data by hand, Coombs says, so they need an automated solution. InFact ingests the text-based data and analyzes it looking for the user-defined text relationships to see if another company has made a similar discovery.
In this case, it might ingest a huge database called Medline, which contains pharmaceutical and biological publications. InFact then performs information extraction, which means it reads all of the documents sentence by sentence looking for any information that shows a relationship between the gene and the protein this company was researching. At the end of the process, it generates a report of what it has found.

Companies Featured in This Article

Anacubis www.anacubis.com
Business Objects www.businessobjects.com
Cognos www.cognos.com
IBM www.ibm.com
IDC www.idc.com
Insightful www.insightful.com
Inxight www.inxight.com
Shore Communications, Inc. www.shore.com
Symantec, Check Point Software, F5 Networks and McAfee Lead the Enterprise Firewall Sector in Marketing Momentum Index; The Marketing Momentum Index is the First Independent Ranking of Competitive Marketing Performance. Business Wire; 10/18/2005
WESTPORT, Conn. -- Symantec, Check Point Software, F5 Networks and McAfee respectively earned the highest Marketing Momentum Index scores for the April-June quarter of 2005. The Marketing Momentum Index, the first independent ranking of competitive marketing performance, is published quarterly by Market Bearing LLC. For more information, visit www.marketbearing.com. The Enterprise Firewall Marketing Momentum Index Report ranks the competitive marketing performance of the following companies: Check Point Software, F5 Networks, McAfee, Radware, Secure Computing, SonicWall, Symantec and WatchGuard. The average MMI score for the Enterprise Firewall sector is 488 out of a possible score of 1,000.

Enterprise Firewall, Q2 2005 Marketing Momentum Index Top Performers (maximum score: 1,000)

Company                 MMI
Symantec                850
Check Point Software    691
F5 Networks             661
McAfee                  540

Editor's note: A full color chart is available by emailing
[email protected]
The Marketing Momentum Index is a composite score of marketing results as determined by commitment of time, money or resources by an outside stakeholder to a brand. The MMI is a ranking of competitive marketing performance in four areas: alliances, customers, technology research and press. Proprietary algorithms are applied to each area and the composite MMI scores are relative to each sector. As a competitive quarterly measurement, MMI scores are only comparable within their sector and do not cross sectors. The Marketing Momentum Index focuses on pure play and mid-tier technology providers. Mega-vendors who are also dominant in the sector are not included in the reports, as their brand equity has an umbrella effect over many sectors. To order the full report, contact Dan Lannon at Market Bearing at 203 653 5600 and [email protected]. A complete list of MMI Reports is available at www.marketbearing.com/products_services.html.

About Market Bearing
The Marketing Momentum Index is the only independent ranking of competitive marketing performance. The MMI is a quarterly measurement of outside commitment to a company's brand, enabling management and financial analysts to make smarter investment decisions. Visit www.marketbearing.com to learn more about Market Bearing LLC and the Marketing Momentum Index.
COPYRIGHT 2005 Business Wire This material is published under license from the publisher through the Gale Group, Farmington Hills, Michigan. All inquiries regarding rights should be directed
IP VPNs are not just for Christmas ...(usage of virtual private networks predicted to grow) Communicate; 3/1/2005
The huge growth in demand for IP VPNs will start to plateau next year as deployment reaches saturation point and businesses start to demand more applications and services, according to recent research. The Western European managed IP VPN services market grew 23 per cent in 2004, according to analyst firm IDC, which warns that just installing an IP VPN is not enough if businesses want to continue to grow and cope with increased mobility. Total spending by customers on IP VPN services from network service providers is still increasing at a rapid rate, but in 2006 the growth will slow to 8 per cent and in 2007 will decrease further to 3 per cent. According to IDC, this is due to the following reasons:

* Price erosion--this is a competitive market and while list prices of IP VPN services are relatively stable, providers are discounting heavily to win key contracts.
* Spending shift--this forecast measures spending on IP VPN connectivity. As providers discount connectivity to win key business, and as IP VPN penetration rates continue to increase, spending will shift from IP VPN connectivity to IP VPN applications such as voice- and video-over-IP VPN services.
* Market saturation--the greenfield territory for IP VPN services is shrinking all the time and providers will find new business hard to win.
* Layer 2 VPN (L2VPN) services--next generation L2VPN services based on Ethernet are growing extremely quickly, albeit from a small base, and will become significant by the end of the forecast period. In addition, MPLS' ability to support legacy Layer 2 services such as frame relay and ATM will, to an extent, stem the migration from those technologies to IP VPNs.

"2004 was another high-growth year for IP VPN services, with DSL and the midmarket the hot areas," said James Eibisch, research director of IDC's European Business Network Services. "However, as we are now seeing, providers of all sizes targeting companies of all sizes need a proposition much broader than 'just IP VPN'. Applications and value-added services such as voice/video, storage, mobile integration, and professional services will provide long term growth, not MPLS switching on its own. The start of 2005 has seen several providers launch IT outsourcing initiatives, particularly for the SME market, that demonstrate the direction these companies need to go in." IDC predicts that of the three main types of IP VPN used by companies, network-based IP VPNs mainly based on MPLS will continue to grow strongly.
Defending against viruses, worms and DoS attacks: new technologies are continually becoming available, but the problem goes beyond technology. (NETWORK SECURITY) Business Communications Review; 12/1/2005; Robb, Drew

It is easy to secure the perimeter when the borders are well defined and all the troops wear uniforms. But the world doesn't see many of those wars any more. Rather, the enemy is within, and security relies not on guarding borders, but on maintaining constant vigilance to tell friend from foe. This clearly applies to the conflict in Iraq and to homeland security, and the old rules of engagement no longer apply to IT security either. "It is relatively easy to keep malware content out of the environment on the Internet side of the house, but internally, the infrastructure is a huge challenge," said Andre Gold, director of information security for Continental Airlines in Houston. "There is no more outside/inside, only varying levels of trust in your environment." Coupled with this, the types of threats companies face have changed over the last two years. Consequently, IT needs to evolve a set of technologies and procedures to protect systems from a full spectrum of internal and external dangers. "It's a buyer beware world out there; you have to fend for yourself," said Bruce Schneier, security consultant, author and CTO of Counterpane Security of Mountain View, CA. "No manufacturer will do a good job. You are forced to make your own security, which is a combination of people and products." In the July 2005 issue of BCR, Mark Hoover covered some of the technologies for dealing with a porous security perimeter (see pp. 40-44). This article takes a look at how several different organizations are applying a mix of technologies and procedures to protect their infrastructures from viruses, worms and denial of service attacks.

Willie Sutton: The Real Story
If Willie Sutton had been born today, he probably would have become a hacker. Instead, being born in 1901, he robbed more than 100 banks, making the FBI's most wanted list in 1950. Legend has it that when a reporter asked him why he robbed banks, he replied, "Because that's where the money is." But Sutton denied ever having made such a statement, holding instead that a reporter had made up that quote to make an interesting story. His real motivation, according to his autobiography, Where the Money Was: The Memoirs of a Bank Robber, was something different: "Why did I rob banks?" he wrote. "Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job." And this may be the primary motive of hackers as they seek ways to deface websites or snarl email systems. It is a personal challenge and a way to show off their skills. For the enterprise, however, bigger threats are coming from those who follow the statement misattributed to Sutton. The Internet is now where the money is, and the criminals are taking their rackets online. "The main change in the threats we have seen is that there are fewer experimenters and more professional cyber criminals," said Rich Mogull, research vice president for Gartner, Inc. "The more serious attacks are the targeted attacks. It is harder for a script kiddie to write something and get it through an enterprise firewall." The types of criminal threats are not new--it's just that they used to be carried out by sending goons around to break kneecaps, rather than by creating zombie networks. Nowadays, the money isn't in the cashier's drawer, but in the database. "There are more new threats, they are more dangerous, and they are criminal," said Schneier. "The criminals don't care about technical finesse, they just care about doing it.
Phishing is just impersonation fraud done on a large scale, and denial of service is extortion." There is, of course, also an increasing degree of sophistication in some of the automated attacks, as intruders probe for different routes into the system and weak points to exploit. But Schneier says that IT administrators don't really need to concern themselves with the specifics of the virus or worm construction. The antivirus and firewall vendors can worry about dissecting the code and coming up with the appropriate signatures.

A Layered Approach

Rather, from the IT perspective, dealing with the multitude of threats involves a layered approach. "With viruses, we have antivirus, which is usually client based, but we also have scanning tools on email servers," said Mogull. "Next is worm attacks--there we are talking about firewalls and intrusion prevention system (IPS) appliances, in the network
as well as on the endpoint. DoS attacks are something completely different; there you need high availability networks in order to protect yourself." The Weather Channel Interactive in Atlanta has IPSs on the Internet border, intrusion detection systems that filter inbound email for viruses and malicious content, traditional packet-based firewalls and a product for filtering instant messaging (IM) traffic. "Different areas call for different responses," said John Penrod, The Weather Channel Interactive's director of network architecture. "No one vendor or one product is able to answer for everything." Recently the company has started doing more to secure the endpoints. It is applying Windows Group Policies on the company's 800 desktops, as well as using local firewalls. It is looking at installing anti-spyware on the desktops. "It is no longer a situation where you can have a crunchy shell with a soft middle, you have to start securing your insides," said Penrod. "We have done a lot more to secure the inside endpoints, including the desktops themselves." Next up is improving network access control so that when someone brings a laptop into the building and plugs it into the internal network, the device is scrubbed for viruses and checked for up-to-date patches before it is allowed access to the network. And even then it is only granted limited access privileges. "The firewalls are doing a good job, but you have to start focusing on the endpoints," he advises. "When someone physically brings a laptop into the building, you have to look at the risk associated with that."

Beyond NAC

One of the options The Weather Channel is considering is implementing Cisco's Network Admission Control (NAC), a set of technologies built into the network infrastructure which enforce policy compliance on all devices connecting to the network. While this may wind up fulfilling The Weather Channel's requirements, it won't be the best option for everyone.
Continental Airlines looked at such a system, but found it wouldn't meet their needs. The company has about 30,000 IT-connected devices at its Houston headquarters and at hundreds of airports and city ticketing offices. In addition to having to secure its own infrastructure, it also has to maintain security on links with the other airlines' back-end systems. "The airline industry tends to be a very meshed environment," said Continental's director of information security, Andre Gold. "You can go to a kiosk in Las Vegas and select which airline you want to check into. That kiosk has infrastructure provisioned back to all the airlines, and I have to open up a conduit into my own systems."
In deciding how to provide defense against worms and viruses, Gold considered adopting NAC. But, although it looked like a great idea, and Continental is a Cisco shop, he found that it just wasn't feasible to do. To start with, there was cost. It would have required upgrading hundreds of switches plus numerous routers which, given the current financial health of the airline industry, wasn't an option. The second reason was that NAC would have required deploying a software agent on each asset. Continental has a heterogeneous platform environment, meaning software agents might not be available for some devices. For others, dropping in an agent would violate SLAs or license agreements. "In such cases, people say I can just white-list an asset, but I have thousands of devices I can't put an agent on," said Gold. "Do I want to manage a white list of multiple thousands of devices? Absolutely not." In addition, printers and other devices on which he can't deploy an agent still represent a vulnerability, since they are running Web services or telnet and are subject to exploits. He must, therefore, be able to provide quarantining and remediation for those assets. On top of this, Gold said that network-based security products typically cannot adequately integrate with the network fabric, because the fabric tends to operate at 2-10 Gbps, but the security devices generally only operate at 1-2 Gbps. "If I implement a 1-2 Gbps device into my network, I have introduced an immediate security bottleneck when I am trying to get passengers on planes and planes out of the gates," he said. "If the plane is not in the sky, it is not generating revenue." The high price and technical shortcomings of NAC led him instead to the CS2400 Secure LAN Controller from ConSentry Networks of Milpitas, CA. The CS2400 is a purpose-built network appliance that operates at 10 Gbps, which allows Continental to integrate it into the network fabric.
The product uses algorithms rather than signatures to detect network anomalies. "It allows us to throw security into our network fabric and get it as close to the host as possible without installing an agent on the host," said Gold. "I can allow the network transport to do what it does well, which is pushing data." One aspect he likes is that, when the CS2400 detects an infected device, it just blocks those parts of the machine the virus or worm is leveraging. It doesn't completely lock out the user. That way, employees can continue doing their job in some cases, even if they have something like Zotob running on their workstation. The other factor is the price. The best security system in the world is worthless if you can't afford it. "Unlike other technologies out there, this one doesn't require a huge capital investment for an infrastructure upgrade," he said. "It can be done at a small fraction of the price."

Day Zero Attacks
The ConSentry box is just one of a new class of devices which use algorithms to analyze traffic, rather than using signatures of viruses or worms. Traditional signature-based security is a reactive approach. The signature can only be developed once the malware is out in the wild and has already started infecting machines. That method will protect those who aren't hit first, but given the rate at which some of these attacks spread, they can still cause significant damage. The SQL Slammer worm, for example, infected more than 100,000 database servers within the first 10 minutes following its launch. In addition, signature-based software doesn't offer protection against targeted attacks. "We are seeing custom viruses created to attack a specific organization, and there is no antivirus in the world that will protect you from that," said Mogull. "We are having to move away from signature-based antivirus since it no longer offers sufficient protection." So, while traditional antivirus and worm defense depends on comparing a piece of traffic against databases of known threats, the newer appliances take the opposite approach. They analyze network traffic to determine what is normal, and then block the rest. "Modeling expected behavior becomes attractive, especially for the new or emerging threat that doesn't have a signature yet," said Jeff Zalusky, principal of Chrysalis, Inc., an IT risk management firm. "You want to look at any suspicious behavior and quarantine it or eliminate it before it hits critical servers." He recommends the SecurVantage appliances from Securify, Inc. of Cupertino, CA, which he has installed for customers including Deutsche Bank. "They were implementing a global project which had the need for individual locations to be properly segregated from each other," said Zalusky. "Some countries have more inherent security risks and they wanted to prevent those locations from crippling the worldwide network."
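The contrast the article draws between signature matching and modeling what is normal can be made concrete in a few dozen lines. The following is an added example, not code from the article or from ConSentry, Securify or Arbor: a signature checker that only knows patterns it has been given, beside a behavioral detector that learns which services each host uses and how many peers it normally contacts, then flags departures from that profile. The flow records, host addresses, signature pattern and thresholds are all constructed for the illustration; the "unseen service spraying many peers" case stands in for the Slammer-style outbreak the article cites, which no signature would have recognized on its first day.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]   # (protocol, destination port)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # leading payload bytes, when captured


@dataclass(frozen=True)
class Alert:
    src: str
    service: Service
    reason: str
    peers: int            # distinct destinations contacted on that service


# Constructed signature list. A pattern can only appear here after the threat has
# been seen in the wild and analyzed, which is the reactive gap the article notes.
SIGNATURES: Dict[bytes, str] = {b"CONSTRUCTED-WORM-PATTERN": "constructed-worm-a"}


def signature_detect(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Reactive detection: flag flows whose payload contains a known pattern."""
    return [(f, name) for f in flows
            for pattern, name in SIGNATURES.items() if pattern in f.payload]


def _group(flows: List[Flow]) -> Dict[str, Dict[Service, Set[str]]]:
    """source -> service -> set of destinations contacted on that service."""
    grouped: Dict[str, Dict[Service, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        grouped[f.src][(f.proto, f.dport)].add(f.dst)
    return grouped


class Baseline:
    """What each source host normally does: the services it uses and its peak fan-out."""

    def __init__(self) -> None:
        self.services: Dict[str, Set[Service]] = defaultdict(set)
        self.max_fanout: Dict[str, int] = defaultdict(int)

    def learn(self, flows: List[Flow]) -> None:
        for src, per_service in _group(flows).items():
            for service, dsts in per_service.items():
                self.services[src].add(service)
                self.max_fanout[src] = max(self.max_fanout[src], len(dsts))

    def detect(self, flows: List[Flow], fanout_factor: int = 3,
               new_service_min: int = 5) -> List[Alert]:
        """Behavioral detection: no payload knowledge, only deviation from the profile.
        A host with no profile is judged against a baseline of one peer, so the
        thresholds stay strict for newcomers; real products tune this over time."""
        alerts: List[Alert] = []
        for src, per_service in _group(flows).items():
            for service, dsts in per_service.items():
                n = len(dsts)
                if service not in self.services[src] and n >= new_service_min:
                    alerts.append(Alert(src, service, "unseen service with fan-out", n))
                elif n > fanout_factor * max(1, self.max_fanout[src]):
                    alerts.append(Alert(src, service, "fan-out above baseline", n))
        return alerts


def _flows(src: str, proto: str, dport: int, dsts: List[str], payload: bytes = b"") -> List[Flow]:
    return [Flow(src, d, proto, dport, payload) for d in dsts]


WORKSTATION, DB_SERVER = "10.0.1.5", "10.0.2.10"   # constructed hosts

# Constructed learning window: ordinary browsing and DNS, database replication.
LEARNING_WINDOW = (
    _flows(WORKSTATION, "tcp", 80, [f"198.51.100.{i}" for i in range(1, 4)])
    + _flows(WORKSTATION, "tcp", 443, ["198.51.100.20", "198.51.100.21"])
    + _flows(WORKSTATION, "udp", 53, ["10.0.0.2"])
    + _flows(DB_SERVER, "tcp", 1433, ["10.0.2.11"])
)

# Constructed live window: normal traffic, one flow carrying the known pattern, and
# the database server suddenly addressing 40 peers on a UDP service it never used,
# carrying a payload that matches no signature.
LIVE_WINDOW = (
    _flows(WORKSTATION, "tcp", 80, ["198.51.100.2", "198.51.100.5"])
    + _flows(WORKSTATION, "tcp", 80, ["198.51.100.9"], payload=b"GET / CONSTRUCTED-WORM-PATTERN")
    + _flows(DB_SERVER, "tcp", 1433, ["10.0.2.11"])
    + _flows(DB_SERVER, "udp", 1434, [f"10.0.3.{i}" for i in range(1, 41)], payload=b"CONSTRUCTED-UNKNOWN")
)


def compare(learning: List[Flow], live: List[Flow]) -> Dict[str, list]:
    """Run both detectors over the same live window and return what each found."""
    baseline = Baseline()
    baseline.learn(learning)
    return {
        "signature": sorted({name for _, name in signature_detect(live)}),
        "anomaly": [(a.src, a.service, a.peers) for a in baseline.detect(live)],
    }


if __name__ == "__main__":
    for method, findings in compare(LEARNING_WINDOW, LIVE_WINDOW).items():
        print(method, findings)
```

Run as a script, the signature pass reports only the flow carrying the pattern it was given, while the baseline pass reports the database server's 40-peer UDP burst that no signature describes. The two are complementary rather than rivals: the signature result names the threat, the behavioral result catches the one without a name, and the article's advice to place the learning device near the protected hosts follows from the fact that the baseline is per source host.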
The University of Michigan is going with Peakflow X appliances from Arbor Networks of Lexington, MA. The university has six different networks at its campuses, containing around 50,000 nodes. "It is hard for IDS vendors and firewalls to keep up with the signature analysis and detect an attack," said Matt Bing, University Security Analysis Senior who works at the main campus in Ann Arbor. "If there is a worm no one knows about, even a zero day attack, the Peakflow appliances can detect it based on oddities they perceive in network traffic." He said that setting up one of the boxes just requires installing it on the network, at which point the device starts analyzing the traffic to determine what is normal. It starts sending alerts almost immediately but, as the device goes through a learning curve on the network, it adjusts its operations for better results. In addition to tracking down
infected machines, since it is looking at the network traffic, it also provides metrics on network performance. "We think it is useful to put the devices closer to the assets you are trying to protect, at the end nodes, rather than at the border," Bing said. "It gives you a better vantage point on your network."

People Problems

Technology, however, will only get you so far. In the end, maintaining adequate security comes down to people. "Because of improvements in perimeter security, the focus now is more on spyware kinds of attacks," said Gartner's Mogull. "When the user goes outside the organization, they can be tricked into opening an email or visiting some kind of a website, and that can be used to gain a foothold into the system." Headquartered in Le Mars, IA, privately held Wells Dairy, Inc. sells $700 million worth of ice cream and yogurt annually in 28 countries under the Blue Bunny, Weight Watchers and other brand names. Like most enterprises, it employs an array of security devices and software. It has antivirus, anti-spam and anti-spyware applications; Cisco enterprise firewalls; and does some application scrubbing on the email. "Network-based threats can almost be ignored because the hardware handles it so well," said Jim Kirby, network architect for Wells Dairy. "Social engineering is the biggest threat today." Being in a small Midwestern city, his firm may actually face a bigger threat than one in a larger city might face. "Everybody around here trusts each other," he explained. "We live in a place where people don't lock their cars or houses, so why would we think that someone would try to trick you over the telephone?" The company has implemented educational programs for the staff to address that area, and just put in a new security response team to help identify and respond to those types of threats. For the 400 employees who use laptops and remote connections, Wells Dairy installs remotely managed personal firewalls from Sygate, Inc.
(recently acquired by Symantec). The firewalls are configured to use different policies depending on the type of connection. When the computers are outside the network, the firewall blocks all incoming traffic except for the VPN. It also only allows human-generated output from the computer so spyware and Trojan horses can't report home. The firewall controls are hidden from the users. There is no icon indicating it is running and the users aren't asked to change the security settings based on the type of connection. Instead, the firewall recognizes the type of connection and automatically applies the appropriate policies.
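The location-aware policy described above, as an added example that is not Sygate's or Wells Dairy's configuration: the endpoint decides from network evidence whether it is on the office LAN or somewhere else, selects the matching policy without asking the user, and evaluates each connection against it with deny as the default. The signals used to recognize the office (a DNS suffix and reachability of a domain controller), the internal address range, the process names and the sample connections are all constructed; "human-generated output" is approximated by whether the owning program was started from the logged-on user's session, which is an assumption of this example rather than a description of how the product works. UDP 500 and 4500 are the IKE and IPsec NAT traversal ports an IPsec VPN needs left open.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed signals the endpoint uses to recognize the office network.
CORP_DNS_SUFFIX = "corp.example"
CORP_RANGES = ("10.",)           # constructed internal address space
VPN_PORTS = {500, 4500}          # IKE and IPsec NAT-T: the tunnel the remote policy must leave open
VPN_PROCESS = "vpn-client"       # constructed name of the VPN client process


@dataclass(frozen=True)
class Conn:
    direction: str    # "in" (remote host -> this PC) or "out" (this PC -> remote host)
    proto: str        # "tcp" or "udp"
    remote: str       # peer address
    port: int         # local port for inbound, remote port for outbound
    process: str      # local program owning the socket
    interactive: bool # started from the logged-on user's session (proxy for "human-generated")


def classify_location(dns_suffix: str, dc_reachable: bool) -> str:
    """Pick the policy from network evidence; any disagreement falls back to the strict one."""
    if dns_suffix == CORP_DNS_SUFFIX and dc_reachable:
        return "office"
    return "remote"


def evaluate(conn: Conn, location: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one connection under the policy for `location`."""
    if location == "remote":
        if conn.direction == "in":
            # Off-network: nothing comes in except the VPN tunnel itself.
            if conn.proto == "udp" and conn.port in VPN_PORTS and conn.process == VPN_PROCESS:
                return "allow", "VPN tunnel traffic"
            return "deny", "inbound blocked off-network"
        if conn.process == VPN_PROCESS:
            return "allow", "VPN client"
        if conn.interactive:
            return "allow", "user-initiated outbound"
        # Background programs calling out from an untrusted network get no path home.
        return "deny", "non-interactive outbound off-network (possible beacon)"
    # Office policy (assumption for this example: inbound only from internal
    # ranges, outbound unrestricted because it passes the corporate gateways).
    if conn.direction == "in":
        if conn.remote.startswith(CORP_RANGES):
            return "allow", "inbound from internal range"
        return "deny", "inbound from non-internal address"
    return "allow", "outbound on office network"


def apply_policy(conns: List[Conn], location: str) -> List[Tuple[Conn, str, str]]:
    """Evaluate every connection; no prompt reaches the user, the policy is chosen for them."""
    return [(c, *evaluate(c, location)) for c in conns]


def denied(conns: List[Conn], location: str) -> List[str]:
    """Process names whose connections the policy refuses, in order."""
    return [c.process for c, verdict, _ in apply_policy(conns, location) if verdict == "deny"]


# Constructed connection attempts observed on one laptop.
SAMPLE = [
    Conn("in",  "tcp", "203.0.113.7",  445,  "system",     False),  # SMB probe from the internet
    Conn("in",  "udp", "198.51.100.4", 4500, "vpn-client", False),  # VPN tunnel reply
    Conn("out", "tcp", "198.51.100.4", 443,  "browser",    True),   # user browsing
    Conn("out", "tcp", "198.51.100.9", 80,   "updsvc.exe", False),  # background program calling out
    Conn("in",  "tcp", "10.0.5.20",    445,  "system",     False),  # file share access from a colleague
]


if __name__ == "__main__":
    loc = classify_location("coffeeshop.example", dc_reachable=False)
    for conn, verdict, reason in apply_policy(SAMPLE, loc):
        print(f"{loc:6} {conn.direction:3} {conn.process:11} -> {verdict}: {reason}")
```

On the remote policy the same laptop refuses the internet-side probe, the background program's call home and even the colleague's file-share request (a 10.x address reached from outside the office is not one of ours), while the VPN reply and the user's browsing pass. Switch the evidence to the office and the file-share request is allowed. Classifying from two independent signals, with disagreement resolved toward the stricter policy, is what keeps a spoofed DNS suffix on a hostile network from unlocking the looser rules.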
Conclusion

While such comprehensive and automated approaches to security take some of the human factor out of the equation, there are other threats. For example, USB ports simplify network connections, but they also simplify data theft. "The thumb drive risk is only starting to be recognized, but it is the same problem that was raised with fax machines and manila envelopes," said Kirby. "The basic problem hasn't changed in the last 10 years, it is just easier to be secretive." So, while there are technological options such as turning off USB ports, there is no hardware, application or policy that will completely solve security problems. "It is almost always a personnel issue," he said, "and I don't see the personnel issue changing."