Defending Data: A Never-Ending VigilBy Baselinemag | Posted 2004-10-01 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
When it's your job to worry about protecting a data network and the systems attached to it, paranoia becomes a way of life.
Just ask Dan Lohrmann, chief information security officer for the state of Michigan. He and his staff of 30 are responsible for designing and monitoring the security infrastructure for the systems used by 55,000 employees in 22 agencies. On a typical day, the security team logs 38,000 attemptsby unauthorized individuals or automated probesto access the state's networks. That's about one every 2.3 seconds.
"Of course it's an ongoing challenge," says Lohrmann, who was previously a network analyst at the National Security Agency for six years. "What worries me, I think honestly, is that I don't know where the next security threat could come from." For example, he says, any one of the state's employees might violate a security policy accidentally (or worse, purposely) and expose sensitive government data: "Who are the bad guys of those 55,000?"
Another of Lohrmann's challenges is to win funding for security initiatives at a time when the state of Michigan is under severe fiscal constraints. "How do I sell security to people who are considering layoffs?" he says.
But the task of securing networks, besides requiring constant watchfulness, isn't a discretionary budget item. "It's the cost of doing business," says Mike Block, information-technology officer for Equitable Bank in Wauwatosa, Wis.
Per employee, organizations last year spent an average of $302 on security-related operations (including staff) and $267 in security capital expenditures, according to the 2004 Computer Security Institute/FBI survey of 494 U.S. computer security professionals at corporations and government agencies. For about two-thirds of the respondents, that represented up to 5% of their overall information-technology budget.
The main component of network security is the firewall, the equivalent of a border guard who decides which cars to let through the gate and which ones to shoot on sight. A firewall, which can be either a special-purpose hardware device or software installed on a server, typically sits between a public network, such as the Internet, and a private one to monitor traffic going in and out. A related category is virtual private network (VPN) technology, which creates an encrypted and authenticated "tunnel" through a firewall to let remote users and partners access network resources securely.
In the early days of the Internet, developing and maintaining firewalls was something of an esoteric art. Check Point Software Technologies, one of the first commercial vendors of firewall software, built a highly profitable business around this need. But in recent years, the technology has become almost standardized. "A lot of people can do the firewall pretty well now," says Pamela Fusco, chief security officer of Merck & Co.
As network security has matured, firewall and VPN functions are being distilled into the network infrastructure. Cisco Systems, the No. 1 networking vendor in the world, is also now the top provider of firewall and VPN products, according to Infonetics Research. In second place is Juniper Networks, which earlier this year bought NetScreen, a fast-rising firewall appliance company. Even Check Point has rolled out some VPN security appliances, although for enterprise firewalls the company says it will continue to rely on partners like Nokia.
Unlike firewall software that must be loaded onto a server, firewall appliances typically include a "hardened" operating system that has nonessential functions stripped out to reduce potential points of attack.
Doug Torre, director of networking and technical services at Catholic Health System in Buffalo, N.Y., says appliance-based firewalls like Juniper's NetScreen are much more manageable for his team. "There are fewer moving parts with an appliance," he says. "You give up a little bit of customization, but it's easier to manage for that reason. You're not spending time and money monkeying with it."
But there's no such thing as one-stop shopping for security. Cisco itself recommends taking a "layered" approach to designing network security, which may include, for example, antivirus software from competitors like McAfee or Symantec. "The changing paradigm is to deploy multiple technologies through the infrastructure, including at the endpoints to protect the desktops," says Richard Palmer, general manager of Cisco's security products business unit.
And while security features are inexorably melting into the network, a die-hard faction of administratorsmany of whom are longtime Check Point customersinsists on deploying software-based firewalls as standalone entities.
Among them is Keith Rajecki, information-technology infrastructure manager at Golden Gate University in San Francisco. He says it's not necessarily true that appliances are easier to maintain. Three years ago, his group put in Nokia appliances running Check Point's firewall software, believing they would provide better performance and be simpler to maintain than firewalls on general-purpose servers.
As Rajecki discovered, however, Nokia's appliance runs a proprietary operating system with its own quirks and a fairly steep learning curve. The university ultimately decided to run the firewalls on Linux servers because the hardware was less expensive, and also because its staffers are well versed in the vagaries of Linux. "We wanted to get away from having to support multiple hardware platforms and operating systems," Rajecki says.
At the same time, some security managers believe it isn't wise to stick all their eggs in one basket. The theory is that using security products from multiple sources mitigates the risk of vulnerabilities that may arise in one supplier's technology.
"Some people would say support and management are easier with a single vendor," says Lloyd Hession, chief security officer of Radianz, a New York-based provider of networking services to the financial industry. "But in terms of security, diversity has a very significant benefit."
Group Dynamics: Perimeter Guards
Category: Network security
What It Is: Software and devices that prevent the unauthorized access of computer systems and information over a network, while letting through and encrypting data from specific partners and employees in virtual private networks.
Key Players: Check Point Software Technologies, Cisco Systems, Fortinet, Juniper Networks, Nokia, Nortel Networks, SonicWall, Symantec, WatchGuard Technologies
Market Size: $2.4 billion for firewall/VPN software and appliances worldwide, 2003 (Infonetics Research)
What's Happening: Firewalls are becoming closely tied to the network infrastructure itself, able to scan "deeper" into network packets to identify and stop sophisticated attacks. On the VPN side, a Web-based form of encryption, Secure Sockets Layer (SSL), is growing more popular.
Expertise Online: The SANS Institute (www.sans.org) provides guides, training, e-newsletters, discussion forums and other resources on computer security.