Quick Start: Setting up all-in-one security appliances

Here's how multifunction gateways can protect your IT infrastructure

In the past, you might have purchased enterprise firewalls, installed software to detect e-mail viruses and deployed even more solutions to stamp out spam, spyware and malware. Even with all those products, vulnerabilities still exist because a visiting contractor or an employee can plug an infected laptop PC onto the corporate network, malware embedded in HTTP traffic can cross via Internet port 80 on your Web server, or a threat can lurk within Simple Object Access Protocol (SOAP) message exchanges with your Web services.

You may soon have the upper hand. Just as we experienced the convergence of printing, faxing, copying and scanning technologies a few years ago, security solutions are now uniting one or more types of threat mitigation tools in a single form. Instead of deploying multiple software programs to user desktop PCs to stamp out viruses, spyware and other malware, it is possible today to find solutions that address all of those threats in a single piece of software.

Another trend is also reshaping how agency security administrators architect infrastructure threat protection. The amount of scanning currently being executed across agency desktop PCs and servers often slows the completion of business tasks. Thus, many security administrators are moving primary threat mitigation closer to the network edge to make more core infrastructure resources available. In the future, threat mitigation technology will move yet again and we will examine this forthcoming trend later in this article.

Network-edge threat mitigation tools usually come in the form of a gateway appliance -- typically a rack-mounted, hardware-based unit. Some appliances may address only a singular type of threat -- content protection, for example, while others offer safeguards against multiple risks such as viruses, spyware and malware.

Although gateway appliances offer more efficient and sophisticated threat management, there is no one appliance that provides a magic-bullet shield to cover all possible risks. Moreover, some vendor offerings may be stronger on the network side while others focus more heavily on blocking HTTP attacks and other application-related risks. It is highly likely that for now most agencies and departments will need more than one appliance.

Entering the matrix
To determine which gateway devices are best for your agency you first need to determine which types of risks you want to mitigate at the edge of your network. For example, if you already have viable solutions in place to protect against viruses, spam and spyware and are happy with the performance, you may want to focus on reducing Web-based risks that arrive via port 80 on your Web server.

Conversely, maybe employees agencywide are complaining about how productivity slows when a security-scanning program is running. In a case like that, you might seek a solution that is network-focused and addresses viruses, spam and other malware.

Regardless of which security area you focus on, a proof-of-concept project for security gateway appliances should be executed at least during a 90- to 120-day period. You need to gauge performance, scalability during peak usage times, and month-to-month trend and reporting information.

You'll want to create a scoring matrix by using a spreadsheet that outlines all of the areas crucial to judging which security gateway appliance is best for your agency. In your matrix, you'll want to include categories that highlight the types of security risks that each appliance covers.

For example, is the appliance heavily focused on ferreting out SOAP-based risks? Is it strong on SOAP protection, but weak on anti-virus aspects? SOAP allows a program running in one operating system to exchange information with a program in the same or different operating system by using HTTP and Extensible Markup Language. List all of the risk types that each solution covers.

Pay close attention to the depth of coverage and the technical approaches that each vendor uses to provide coverage of one or more security areas. Each will claim that their approach is unique -- and the best, of course! Your evaluation should judge which solution provides the best coverage for your agency.

Next, add entries in your proof-of-concept matrix for performance and scalability. Some devices have limits as to how many e-mail messages they can scan per hour. Other appliances may have networking limitations or only provide capabilities to protect a narrow range of application protocols.

Complete your matrix by adding categories to judge audit and compliance, administration needs, vendor viability and cost. With your matrix defined, you'll next want to choose three to four gateway appliances that you will test in your 90- to 120-day project. Be sure to select appliances that cover the area you are interested in such as HTTP/HTTPS for an apples-to-apples comparison.

Suppose you choose to evaluate for four months a total of four devices that identify and eliminate risks found in your Web traffic. During each week of a given month, plug in and configure one of the four devices and observe how it performs during that week. Then, in the second month of the testing, rotate each device back by a week. Device A will be used in the first week of the first month, in the fourth week of the second month, in the third week of the third month, etc. This is to ensure that each device encounters similar levels of activity.

Do the same rotation of each device during the third and fourth month. By the end of your testing period you should be able to accurately judge how each device performs in terms of average, peak and minimal workloads. Be sure to gather monthly reporting data for the four-month interval so you can spot trends among the devices.
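The scoring matrix and the week-by-week device rotation described above, as an added example that is not part of the original article; the category names follow the article, while the weights and the device scores are constructed placeholders to be tuned per agency:

```python
"""Proof-of-concept scoring matrix and device-rotation schedule.

Added example, not from the original article. Category names follow the
article; the weights and 1-5 scores below are constructed illustrations.
"""


def rotation_schedule(devices, months=4):
    """Return {month: [device for week 1..n]} with each device shifted back one
    week every month, as the article describes (Device A: week 1 of month 1,
    week 4 of month 2, week 3 of month 3, ...). Every device therefore
    occupies every week slot exactly once over n months."""
    n = len(devices)
    schedule = {}
    for month in range(months):
        # Week w of this month gets the device that sat in week (w + month) % n of month 1
        schedule[month + 1] = [devices[(w + month) % n] for w in range(n)]
    return schedule


def slots_balanced(schedule):
    """True when every device has been tested in every week slot once."""
    seen = {}
    for weeks in schedule.values():
        for slot, dev in enumerate(weeks):
            seen.setdefault(dev, set()).add(slot)
    n = len(next(iter(schedule.values())))
    return all(len(slots) == n for slots in seen.values())


CATEGORIES = {  # constructed weights, summing to 1.0
    "risk_coverage": 0.30, "performance": 0.20, "scalability": 0.15,
    "audit_compliance": 0.10, "administration": 0.10,
    "vendor_viability": 0.05, "cost": 0.10,
}


def weighted_score(scores, weights=CATEGORIES):
    """Weighted total of a device's 1-5 category scores. A missing category
    raises, so an area that was never evaluated cannot silently inflate a rank."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored categories: {sorted(missing)}")
    return round(sum(scores[c] * w for c, w in weights.items()), 2)


def rank_devices(matrix):
    """Order devices from the matrix {device: {category: score}}, best first."""
    return sorted(matrix, key=lambda d: weighted_score(matrix[d]), reverse=True)
```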

Weighing the market
Though the security gateway appliance field is awash with many products, there is currently no market leader. Rather, there are a range of solutions covering different risks -- whether network- or application-based. Let's examine a few of those solutions now.

CP Secure (www.cpsecure.com) offers two types of appliances. The company's Content Security Gateway appliances scan Web, file transfer and e-mail traffic to filter malware -- especially attacks that attempt to enter by using more than one protocol.

The company's second type of appliance is geared to provide protection on the internal agency network. Called WormSecure, this appliance uses behavior and signature-based approaches to locate infected sources on the intranet. It supports the scanning of TCP, UDP and ICMP protocols.

Juniper Networks, Inc. (www.juniper.net) offers a variety of security-related solutions. Aside from its core firewall products, Juniper provides Integrated Security Gateway devices that incorporate firewalling and virtual private network support together with intrusion-detection and prevention technologies.

With its ThreatWall appliance, eSoft, Inc. (www.esoft.com) can supplement an agency's existing firewall with security features such as anti-virus, anti-spam, anti-phishing, and inspection of e-mail and Web content. eSoft also offers a second type of appliance, InstaGate, which combines firewall functions and virtual private network technology with intrusion prevention and protection from viruses, spyware, spam and phishing attacks.

NetContinuum (www.netcontinuum.com) offers Web Application Firewall devices that monitor Web and file transfer activity. Those appliances monitor other ports and provide optional protection for Web services.

In addition, the company's Security Application Gateway appliances blend the properties of the Application Firewall together with acceleration and traffic management capabilities. Agencies that use this type of device can manage load balancing, connection pooling, compression and similar functions.

Securify (www.securify.com) offers a security appliance, which locates risks by comparing identity and behaviors with previously collected information. In particular, the Securify device can detect the use of tunneling to evade agency policies and check for misconfiguration of security devices in a network's demilitarized zone.

Back to the future, Part II
Four years ago, security gateway appliances were the new kids in town. Even though they've matured and are undergoing mainstream adoption, it is useful to also consider upcoming security trends when purchasing appliances.

One of the emerging technologies -- endpoint deep packet inspection (DPI) -- may ultimately replace desktop anti-virus solutions given its capabilities. DPI enables desktops and servers to execute context-aware inspection of in-flight traffic. This technology may also reduce the need to constantly patch machines in a reactive fashion.

The downside to DPI today is that it requires some fairly beefy processing power, which agencies may not yet have -- especially on end user machines. However, as more 64-bit multicore machines are used, DPI deployments should follow. Virtualized implementations can also take advantage of DPI to preprocess incoming traffic before it reaches the machine's operating system.

DPI is also making its way into next-generation firewalls. Those newer devices combine standard port and protocol inspection and blocking techniques with application-layer inspection and intrusion prevention tools. Some of the vendors supporting the move in this direction include iPolicy Networks, Check Point Software Technologies and Juniper Networks.

Another emerging technique involves the movement of security features, such as firewalls and intrusion prevention, into core agency switches. Industry analysts warn though that this technique can provide some workload and performance challenges. Agencies considering this type of technology should work with security and network administrators to discuss zoning and segmentation techniques before deployment. Vendors going down this path include 3Com, Cisco Systems and Nortel Networks.

Other providers, such as Sprint, AT&T and SAVVIS view security evolving quite differently. Those companies are beginning to offer "in the cloud" security services. That is to say your bandwidth provider would handle security functions, such as firewalling, intrusion prevention, anti-virus, distributed denial of service protection, anti-spam and other types of filtering.

Agencies will need to consider a cost comparison of internal versus service-based security mechanisms to see if an "in the cloud" strategy is the best way to go.

Also on the horizon is Quality of Service traffic shaping. QOS is used today mainly in wide area network and telecommunications environments for prioritizing traffic to provide the best service. As voice and data networks increasingly converge, the use of QOS in local area network settings is likely to increase. In such a setting, QOS can be used to limit or stifle available bandwidth when malicious traffic is discovered.

Network Access Control is another security technology that is newly arriving. Solutions supporting it evaluate the state of systems and users as they access the network. For example, this technology can be used to verify that a server or desktop has the latest security patches loaded. When implemented, it allows agencies to create and enforce tighter security policies enterprisewide. Check Point Technologies, Cisco and Microsoft are providing support for Network Access Control going forward.

Also, the implementation of client-side intrusion-prevention solutions (IPS) is just now beginning to take off. Although some agencies may find this to be overkill, IPS deployment consideration should be given to staffers that have open access to download information from the Internet as well as mobile and distributed workers. Either locate a suite that includes IPS technology or consider separate IPS solutions to strengthen proactive client-side security measures.

Finally, your agency may already be using additional hardware-based technology, such as cryptographic coprocessors, to speed some security functions. Hardware vendors are also preparing the next generation of security-related processors -- currently known as network security silicon -- to increase performance of next-generation security techniques, such as multigigabyte-range deep packet inspection. "In the cloud" security providers are expected to take advantage of this technology, but agencies with heavy, complex workloads and rapid performance expectations should also consider it.

As many choices as threats
The bottom line is that there is no obvious best choice of gateway security solution. Each agency and department has its unique set of existing infrastructure and unique vulnerabilities that go along with that infrastructure, so selecting the right mix of gateway security technologies is going to require an interactive process between the IT staff and vendors.

This process is complicated because available technologies are rapidly changing. As we begin a new emerging technology cycle for security-related solutions, your agency will need to carefully consider what is coming and what is viable in the near term. That knowledge, together with a carefully planned and executed proof of concept, should yield a solid infrastructure protection strategy for your agency.

Analyzing security event data can bolster agency defenses

Gateways don't just block threats; they collect data that can be used to detect subtle attacks.

If you have a distributed agency or an enterprise that is large, chances are you will also have multiple pieces of security software and several security devices -- all of them collecting a large amount of data. One of the most useful things you can do is to gather that data and put it in a location where you can analyze it.

Why analyze? Real-time analysis is an effective way to establish an early warning system that enables an agile agency to quickly deploy additional security defenses in the event of an attack. Moreover, agency analysts can scour collected data to detect trends and then develop ongoing strategies to combat threats.

CERT (www.cert.org) offers an interesting analysis effort known as the AirCERT project (http://aircert.sourceforge.net). AirCERT is an automated incident reporting solution that offers a distributed architecture, which can span one or many domains. You might securely share information throughout multiple agency locations or simply collect all agency data within a single location. Your AirCERT topology can be flexibly tied to your agency's security policy.

There are different components within AirCERT that you need to deploy. For example, one portion of AirCERT is its normalizers, which extract and standardize data from multiple security sources, such as firewall, an intrusion-detection system and agency security analyst reports. Collectors then combine and store the security data. A publisher component is also included to facilitate secure exchange of security data with other collectors.

To analyze the data, an agency can use the Analysis Console for Intrusion Databases (ACID). By using a browser to access ACID, an agency analyst might use one or more of the included tools to examine events.

ACID enables analysts to build queries of the events database based on signature, time, source or destination address, ports, payload or flags. Also included is a packet viewer that can be used to display packets involved in a threat situation. In addition, a charting and statistics generation tool is included and can be used to create reporting to tie into audit and compliance processes.

The console also allows analysts to manage alerts by grouping them in meaningful ways, archiving or moving alerts between security events databases and removing alerts or false positives that are no longer needed.
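A minimal normalizer, collector and query filter in the spirit of the AirCERT components and the ACID queries described above. This is an added example, not AirCERT or ACID code; the two log formats and the sample lines are constructed for illustration:

```python
"""Normalize events from two sources into one schema, then query them.

Added example, not AirCERT's or ACID's own code. Both log formats and all
sample lines below are constructed.
"""
import re
from datetime import datetime

# Constructed samples: a firewall drop, an IDS alert and a malformed line.
FW_LINE = "2006-03-01T10:15:02 FW1 DROP TCP 10.0.0.5:51234 -> 192.0.2.10:80"
IDS_LINE = ('2006-03-01T10:15:03 IDS1 alert sig="HTTP SOAP oversize" '
            "10.0.0.5:51235 -> 192.0.2.10:80")
BAD_LINE = "garbage line with no structure"

FW_RE = re.compile(r"^(\S+) (\S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) alert sig="([^"]+)" (\S+):(\d+) -> (\S+):(\d+)$')


def normalize(line):
    """Normalizer: map one raw line to the standard event dict, or None if
    the line matches no known source format (it is dropped, not guessed)."""
    m = FW_RE.match(line)
    if m:
        ts, sensor, action, proto, src, sport, dst, dport = m.groups()
        return {"time": datetime.fromisoformat(ts), "sensor": sensor,
                "source": "firewall", "signature": f"{proto} {action}",
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
    m = IDS_RE.match(line)
    if m:
        ts, sensor, sig, src, sport, dst, dport = m.groups()
        return {"time": datetime.fromisoformat(ts), "sensor": sensor,
                "source": "ids", "signature": sig,
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
    return None


def collect(lines):
    """Collector: keep only well-formed events, ordered by time so that
    events from different sensors interleave correctly."""
    events = [e for e in (normalize(ln) for ln in lines) if e is not None]
    return sorted(events, key=lambda e: e["time"])


def query(events, **criteria):
    """ACID-style filter on any standard field, e.g. src="10.0.0.5", dport=80."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]
```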

AirCERT is one method you might consider to analyze security events as a way of increasing infrastructure protection. Using AirCERT or a similar tool to focus on what is going on within your network or inside your demilitarized zone is yet another way to get the upper hand on intruders.

-- Maggie Biggs
