Don’t leave it all to the firewall

Although firewalls form the first line of defence for most companies, it is becoming clear that a layered approach is vital to cope with a battlefront that is becoming much more mobile. Antony Savvas reports

Firewalls are no longer sufficient to protect a corporate network from viruses, system penetration, spoofing, data and network sabotage, and denial of service attacks. The majority of large companies have firewalls in place and security experts still consider they should form the first line of defence in a corporate IT security policy. But firewalls cannot stop everything; they need to allow data to pass through into a network and that is what makes them vulnerable.

Bob Walder, director of the independent NSS Group security testing labs, says, "The problem is that many exploits take advantage of the weaknesses in the protocols that are allowed through the firewall perimeters."

One such problem area is the web server. "Once the web server has been compromised, this can be used as a springboard to launch additional attacks on other internal servers," he says.

In Walder’s experience, many security exploits are launched unintentionally from within the organisation via devices and applications that are behind an organisation’s firewall. In this case the firewall can do little to protect the company’s network.

"Virtual private networks, laptop PCs, mobile devices and wireless network connectivity can all provide access to the internal network that often bypasses the firewall perimeter," he says.

The problem now faced by companies has led to the promotion of a layered approach to security that no organisation should be without. Its components include:

  • Firewalls set to "sniff" suspicious data
  • Secure virtual private networks for remote workers that offer encrypted data "tunnels" to allow access to the corporate network
  • Anti-virus software for desktops, standard servers and mail servers
  • Content filtering
  • Anti-spam systems
  • Intrusion detection and prevention systems
  • Web application firewalls that can block certain applications that are deemed a potential threat to an organisation
  • Penetration testing.

The requirement for all these technologies has led many organisations to buy a single security appliance that offers several of the above functions built in. Such a move helps them streamline the way they deal with such threats. The traditional network switch and router suppliers are also now starting to bring out products with many of the prerequisite security functions.

For large companies, security devices often have to be installed at many different weak points of the corporate network. As a result, the concept of a fixed security perimeter now has to be replaced by a constantly changing line of defence in response to the specific threats present at any given time.

Seeing a limitation in current technology, the IT security and network suppliers have formed alliances to meet these changing needs. For instance, many of the firewall and VPN appliance suppliers are now bundling anti-virus, anti-spam and content filtering technologies as standard.

The 3Com Security Switch 6200 offers CheckPoint’s Firewall-1/VPN-1 product, and Internet Security Systems’ Realsecure intrusion detection, anti-virus and content filtering. Cisco is building up alliances with Microsoft, IBM and the anti-virus companies to offer more secure network infrastructures.

Cisco’s work on switch and router security integration is an important part of its Self-Defending Network initiative. This includes the adoption of intelligent software agents for desktops and servers that prevent the proliferation of attacks across networks by checking host and client operating systems and anti-virus components before any network access is granted.

This means that if a desktop, laptop or mobile device is not loaded with the latest security patches, it is not allowed network access. This is a simple and sensible approach, but it becomes complicated when senior staff suddenly cannot reach the network for their important data because their hardware is not protected. Education and board acceptance therefore have to go hand-in-hand with effective security.

Cisco and IBM announced the latest development in their security partnership last month. IBM’s Tivoli security policy compliance software has been integrated with Cisco’s Network Admission Control technologies with the aim of automatically quarantining and fixing vulnerable computing devices, such as laptops and wireless devices.

Systems and devices with out-of-date operating systems, missing firewalls, security vulnerabilities and weak passwords are often connected to enterprise networks. These devices present a weakness that, if exploited, can infect the entire network unless the user runs proper proactive systems management.

For example, salespeople on the road may not install the latest critical security update on their laptops because of hectic travel schedules. If a computer becomes infected with a worm during a trip, this presents a risk to the company when the worker returns to the office. As soon as the worker reconnects to the network, the worm can spread, causing damage across the entire business and resulting in downtime and lost productivity for staff.
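The admission-control decision described above, as an added illustration rather than Cisco NAC or IBM Tivoli code: a device's posture is checked against policy before it gets network access, and any failure quarantines it with a list of fixes. The thresholds, field names and sample devices are assumptions.

```python
"""Posture-based admission control: check a device before it joins the
network and quarantine it with remediation steps if it fails. Illustrative
model only; thresholds and field names are assumed, not vendor policy."""
from dataclasses import dataclass, field
from datetime import date

MAX_PATCH_AGE_DAYS = 30    # assumed: OS patched within the last 30 days
MAX_AV_SIG_AGE_DAYS = 7    # assumed: anti-virus signatures under a week old
MIN_PASSWORD_LENGTH = 8    # assumed: minimum local password length


@dataclass
class Posture:
    device: str
    last_patch: date         # date the OS was last fully patched
    av_signatures: date      # date of the installed anti-virus signature set
    host_firewall_on: bool   # host firewall enabled?
    password_length: int     # length of the local administrator password


@dataclass
class Decision:
    device: str
    action: str              # "allow" or "quarantine"
    remediation: list = field(default_factory=list)


def evaluate(p: Posture, today: date) -> Decision:
    """Apply each posture rule; any failure sends the device to quarantine."""
    fixes = []
    if (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        fixes.append("install critical OS updates")
    if (today - p.av_signatures).days > MAX_AV_SIG_AGE_DAYS:
        fixes.append("update anti-virus signatures")
    if not p.host_firewall_on:
        fixes.append("enable host firewall")
    if p.password_length < MIN_PASSWORD_LENGTH:
        fixes.append("set a stronger local password")
    return Decision(p.device, "quarantine" if fixes else "allow", fixes)


# Constructed sample postures: a roaming sales laptop and a maintained desktop.
SAMPLE = [
    Posture("sales-laptop-01", date(2004, 9, 1), date(2004, 10, 20), False, 6),
    Posture("desktop-42", date(2004, 11, 10), date(2004, 11, 14), True, 12),
]


def admission_report(today: date = date(2004, 11, 15)) -> dict:
    """Evaluate every sample device and return decisions keyed by device name."""
    return {p.device: evaluate(p, today) for p in SAMPLE}


if __name__ == "__main__":
    for dev, dec in admission_report().items():
        print(dev, dec.action, "; ".join(dec.remediation))
```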

Kevin Regan, Cisco consulting systems engineer, says, "Building security services into switch and router platforms can deliver the highest performance firewall, intrusion prevention system, IP security, VPN, secure sockets layer security and network analysis functions, and it allows security to be applied in the most flexible way.

"Network devices designed with integrated security capabilities provide a tight coupling between security and network availability functions and allow faster deployment and reduced operating costs," he says.

Cisco and other network infrastructure suppliers - Nortel Networks and Juniper Networks, for instance - say they are moving in the same direction by concentrating on making more secure switches and routers. Analyst firm IDC identified a related trend this autumn towards all-in-one security appliances placed at the network gateway, and has begun to study this new category of security product, which it terms unified threat management (UTM).

The new IDC segment is separate from traditional firewall and VPN appliances and covers all-in-one enterprise security devices that unify and integrate multiple security features onto a single hardware platform.

To qualify for this category, the device must have network firewall capabilities, network intrusion detection and prevention and gateway anti-virus functions.

IDC expects a big rise in user adoption of UTM security appliances because of the rise in "blended threats", which require a greater breadth of integrated functionality and deployment flexibility. According to IDC, the UTM segment of the general security appliance market is the fastest growing segment of the security market, with £59m in sales in 2003, up 160% on 2002.

By 2008, IDC estimates UTM appliances will make up the majority of the £1.88bn security appliance market with 58% of the overall share. Charles Kolodgy, an analyst at IDC, says, "The UTM security appliance market transforms single function appliances into a more flexible environment for deploying multiple security features on a single platform.

"These appliances are quickly gaining popularity because they offer security application performance, operating cost savings and capital cost preservation."

Two players in the UTM market are Fortinet and Secure Computing. Secure Computing claims its appliances have never been hacked into and have never been the subject of a computer emergency response team security alert. The company has been offering a £55,000 bounty to anyone who thinks they can bypass its systems. So far, there have been no winners. Fortinet platforms can be deployed for anti-virus protection and content filtering alone, in conjunction with existing firewall, VPN and related devices, or as complete network threat prevention systems with just a simple configuration change.

Simon Heron, technical director of Network Box, a supplier of integrated security appliances designed for smaller companies, says, "In an integrated security appliance, the various applications can benefit from accessing each other, improving the protection they offer. For example, an anti-spam function can use a content-filtering database such as SurfControl, and the intrusion detection function can act with zero latency [processing delay] with the firewall.

"An integrated appliance can have the right architecture to readily deal with tomorrow’s unknown blended threat. If you need a fix that is part intrusion protection and part anti-virus, an integrated appliance is the best place to provide this," Heron says.

However, this may not always be the case. Dave Beesley, director of security consultancy Network Defence, says, "In general, all-in-one appliances deliver fewer features in each specialist area than a dedicated device, and can also be slower as the appliance is trying to do lots of different tasks simultaneously.

"Their main benefits are relatively low cost and, potentially, ease of management owing to a single interface. However, some manufacturers simply throw three or four open source products together with a basic web interface. This means that for more complex requirements the administrator has to drill down to the specific application. This negates the single management platform concept."

Mike Smart, European product manager at Sonicwall, a provider of security appliances for smaller enterprises and branch offices, agrees that all-in-one appliances may not be suitable for everyone. "Larger enterprises like dedicated hardware and software because they are looking for best-of-breed and have resources to deal with them. Branch offices want a similar approach but are prepared to dispense with some of the high-end features in favour of greater degrees of integration."

On the question of more secure switches and routers, Smart says, "Such products are more of an additional layer of security rather than a replacement for perimeter security.

"Companies will always have to have something checking traffic in and out of the network. New technologies like deep packet inspection firewalls could make perimeter devices more aware than ever. But for even greater security, companies can use perimeter appliances to split networks up into zones."

This last point is a good option for organisations concerned about internal threats. If those users with laptops are only connected over a particular section of a corporate network and one user has an infected laptop, that section of the network can be quickly quarantined without the entire business grinding to a halt.

However, Walder believes that deep packet inspection firewalls, which can analyse every single packet of data in great detail very quickly, are up to two years away, despite a great deal of excitement among analysts.

He says, "It is not time to rip out your intrusion prevention systems, but if you are going to use one, you need to make sure it meets minimum requirements."

Such requirements include the appliance being "in-line" so no packets of data are dropped and all are examined.

An intrusion prevention system should also offer low latency. When in-line, packets should be processed quickly so that the overall latency of the device is as close as possible to that of a layer 2 or 3 network device, such as a switch, and no more than that of a typical layer 4 device such as a firewall or load balancer.

As always when it comes to security, there is no one hard and fast solution for every company in response to evolving threats, but inflexible static security appliances are certainly on their way out.

Types of security products

  • Firewalls
  • Virtual private network
  • Anti-virus software
  • Content filtering
  • Anti-spam systems
  • Intrusion detection systems
  • Intrusion prevention systems
  • Web application firewalls
  • Penetration testing

Main threats

  • Viruses
  • Worms
  • System penetration
  • Spoofing
  • Data/network sabotage
  • Data theft
  • Denial of service attacks

Case study: National Galleries of Scotland gets protection from an all-in-one security appliance

Kenny McLeod, IT manager at the National Galleries of Scotland, chose an integrated, remotely-managed security appliance from Network Box. He says, "The fact that Network Box offered a single appliance and a single point of management was very attractive to us, and it has simplified our job in managing security."

He was impressed by the appliance’s ability to be remotely updated to respond to new threats. This has meant that the appliance is quickly protected against new threats without any user intervention by National Galleries.

Price was a third key factor, says McLeod.

"The Network Box works out cheaper for us than standalone solutions. Ongoing maintenance is similar in cost, but the initial installation costs were quite a lot lower than the standalone approach," he says.

This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft
