The Lippis Report Issue 20: The New Perimeter - The Security Services Switch
Sep 20, 2003 by Nick Lippis
Enterprise networking has long been a game of cyclical expansion and contraction: network architectures and applications are centralized, then distributed; connectivity is aggregated, then segmented; equipment is aggregated, then separated; you get the picture. Several factors drive these cycles, including new protocols, architectures and product categories.
Network security is no exception to this trend, particularly on the perimeter, where security architectures have traditionally been anchored. The perimeter has become the primary location to deploy security functionality, both within and alongside the typical enterprise firewall. Virtual Private Network (VPN) gateways, content/URL/email filtering, and virus scanning are all being concentrated on the perimeter, and with good reason: if an attack penetrates the firewall and breaches the LAN before these systems address it, you can count on your operational staff spending days on forensics and cleaning up the mess the attack caused. Fortifying the perimeter significantly reduces the likelihood that an outside attacker will ever reach the LAN and, by extension, critical enterprise assets. In short, most network executives are creating a hard shell around the perimeter of their enterprise.
The Perimeter Expands
One of the biggest challenges faced by IT managers is maintaining control over a constantly growing number of security threats, devices and policies. It's true that deploying a multi-faceted, multi-tiered security framework is paramount to ensuring network security, but no one said it was going to be easy. Over the past 12-24 months, several new product categories have emerged to fortify the network perimeter. Scanning and filtering functions have moved off the desktop and up into the perimeter, bringing a range of new devices with them. Intrusion Detection Systems (IDS) and, more recently, Intrusion Prevention Systems (IPS), have also appeared. These systems focus on identifying "abnormal" behavior on the network, operating under the premise that an attacker's behavior is notably different from typical network activity.
While the significant volume of data and false alarms (false positives) generated by IDS are a common objection to their deployment, perhaps the larger issue is that IDS are passive: even if an actual breach is detected, the IDS can do nothing but raise an alert and report on the incident. This shortfall was the basis for the development of IPS, platforms that not only identify breaches but actively close ports and LAN resources to thwart the attack. Herein lies the rub: if I'm not mistaken, this is the definition of a stateful firewall. If so, why do enterprises need to purchase, configure and manage another device with seemingly redundant functionality?
Network Security Contraction: The Security Services Switch
Given that it increasingly makes sense to concentrate multiple network security functions on the perimeter, and given the corresponding increase in expense and management overhead this creates, it was only a matter of time before the vendor community addressed the situation with an integrated solution. Enter the Security Services Switch: a purpose-built, integrated security platform designed to collapse security functions and management into a single perimeter device. Most of these devices use the foundation of perimeter security, the firewall, as the core building block of the platform.
The premise of the Security Services Switch is simple: reduce the number of moving parts on the network perimeter, thus simplifying the security infrastructure and reducing the capital and operational burden of securing the network. In light of how large enterprises traditionally scale and harden their security infrastructure, this makes good sense. As mentioned above, each new security application has traditionally required a separate appliance: firewall/VPN gateways, virus scanning, content filtering, IDS/IPS, and so on. To achieve redundancy and high availability, multiple platforms for each security function are often deployed, along with additional software to manage outages and failover. Next, load balancers and switches are deployed in front of these security clusters, making both primary and backup platforms active to share load and maximize performance.
Sound confusing and expensive? It is. And perhaps the greatest challenge of this approach is managing the environment. The sheer volume of devices deployed to secure the enterprise is daunting enough, and these platforms rarely come from one or even two vendors. Oftentimes when they do, it has been through acquisition, and little integration exists between the management systems of each, meaning several separate proprietary management systems must be mastered. This creates possibly the most significant vulnerability of all: an understaffed IT department attempting to manage and maintain a broad and disparate security environment. Security Services Switch vendors are mitigating this issue by layering key security applications into a single, robust platform with a common centralized management interface. These platforms range from SMB-targeted bundles of firewall, VPN, IDS, content filtering and virus scanning, such as Symantec's Gateway Security Appliance, to full-blown large enterprise/carrier-class chassis-based platforms from startups Crossbeam Systems (www.crossbeamsystems.com), Nauticus Networks (www.nauticusnetworks.com), and Inkra Networks (www.inkra.com). These platforms provide high-performance, high-availability infrastructure for a combination of firewall/VPN, IDS/IPS, and multiple scanning and filtering functions, all of which can be added by the enterprise through a variety of a la carte application modules. Cisco has also thrown its hat into the ring by adding security blades for its Catalyst 6500 line, as has Nortel, which is leveraging the load-balancing and web-switching legacy of its Alteon acquisition to drive high-performance security applications.
The Security Services Switch marks a new way of thinking for enterprise network security, and Crossbeam is a primary example. First, enterprises have long believed they needed to deploy several discrete devices to achieve both security and reliability; this is no longer the case with Crossbeam's high-performance architecture and fully redundant design. Next, until only recently, it was thought that the processor-intensive nature of security applications required custom ASICs to achieve the desired performance. With Moore's Law humming along as fast as ever, general-purpose network processors, and even standard Intel-based platforms, now provide more than adequate performance. This is a key paradigm shift in network security platforms, as vendors simply cannot spin new ASICs fast enough to keep pace with software development. Building on general-purpose processors, as Crossbeam has, helps control costs and accelerates the pace of feature additions.
Stepping outside of the hardware, perhaps the most interesting aspect of Crossbeam is that it has not fallen victim to the common startup mistake of attempting to develop every feature and application internally. Crossbeam has focused on developing the underlying platform for security services, a high-performance network-based application server. It has turned to industry leaders to provide security applications: Check Point (www.checkpoint.com) and Secure Computing (www.securecomputing.com) for VPN/firewall; Enterasys (www.enterasys.com) and ISS (www.iss.net) for IDS/IPS; Trend Micro (www.trendmicro.com) and F-Secure (www.f-secure.com) for antivirus and content filtering; and Websense (www.websense.com) for monitoring and reporting. This aggressive partnering strategy with major players is key to Crossbeam's success, as they have learned early what many now-defunct security startups failed to understand: given the critical and strategic nature of network security, brand names matter. And, while Crossbeam may not yet be a household name, its partner roster suggests otherwise.
Pulling It All Together
What does the advent of the Security Services Switch mean to your enterprise? Should you run out and replace your multi-device, multi-tiered security infrastructure with a Security Services Switch? Not just yet. The majority of the robust, modular platforms in this space are still very large and expensive, making them ideally suited for enterprise data center and service provider implementations. That said, if you have a data center security initiative upcoming or already underway, you should absolutely add these platforms to your due diligence list. On the lower end and for branch and satellite sites, bundled security appliances from Symantec, Network Associates and others, which include VPN, firewall, IDS and virus scanning, are a solid choice.
But what about the enterprise that has already invested significantly in its perimeter security infrastructure? The answer, simply put, is to go back to the beginning: the firewall. Stateful filtering and blocking functions, such as those provided by IPS, should not require a separate discrete device. Enterprises should push their firewall vendors to integrate this functionality into the firewall, where it belongs. The IDS/IPS space has grown on the premise that firewalls are ineffective at keeping intruders out of the enterprise network, which is the very reason for the firewall's existence. As new perimeter security functions come to market, don't run out to purchase the latest and greatest point appliance, yet another device that needs to be separately deployed, managed and maintained. Instead, look to your firewall vendor to tie these applications up into a robust, integrated platform, as well as to the evolving Security Services Switch.
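As an added illustration of the IDS/IPS distinction drawn in the section on the expanding perimeter, and of the closing recommendation to fold blocking into the firewall, the Python below is editorial example code, not from the Lippis Report or any vendor's product. It runs constructed packets through a toy stateful filter followed by either a passive IDS or an inline IPS. The inbound policy, the directory-traversal signature and the addresses are all hypothetical. The stateful filter forwards any packet on a connection it has already admitted, whatever the payload; the passive IDS sees the probe but can only record an alert; the inline IPS, sitting in the same pipeline, drops the matching packet and shuns the source for the rest of the connection.

```python
# Toy perimeter pipeline: stateful filter, then passive IDS or inline IPS.
# Editorial example only; policy, signature and traffic are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False      # True for the first packet of a TCP connection
    payload: bytes = b""


# Hypothetical policy: outside hosts may open connections only to the web server,
# and a hypothetical signature for a directory-traversal probe in a request line.
ALLOWED_INBOUND = {("10.0.0.80", 80)}
SIGNATURES = {"http-traversal": b"/../"}


class StatefulFilter:
    """Admits new connections by policy and later packets only on a connection
    already admitted; the connection table is the 'state'. Payload is ignored."""

    def __init__(self, allowed):
        self.allowed = allowed
        self.established = set()

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn:
            if (pkt.dst, pkt.dport) in self.allowed:
                self.established.add(key)
                return "forward"
            return "drop"
        return "forward" if key in self.established else "drop"


class PassiveIDS:
    """Inspects a copy of each admitted packet and can only record alerts."""

    def __init__(self, sigs):
        self.sigs = sigs
        self.alerts = []

    def inspect(self, pkt):
        for name, pattern in self.sigs.items():
            if pattern in pkt.payload:
                self.alerts.append((name, pkt.src))
        return "forward"  # never blocks, whatever it saw


class InlineIPS(PassiveIDS):
    """Same signatures, but inline: drops the match and shuns the source."""

    def __init__(self, sigs):
        super().__init__(sigs)
        self.blocked = set()

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "drop"
        before = len(self.alerts)
        super().inspect(pkt)
        if len(self.alerts) > before:
            self.blocked.add(pkt.src)
            return "drop"
        return "forward"


def run(packets, firewall, inspector):
    """Stateful check first, then inspection of what the filter admitted."""
    verdicts = []
    for pkt in packets:
        verdict = firewall.decide(pkt)
        if verdict == "forward":
            verdict = inspector.inspect(pkt)
        verdicts.append(verdict)
    return verdicts


# Constructed traffic: a normal request, a traversal probe on the open port,
# a follow-up from the same attacker, and a connection attempt to a closed port.
SAMPLE = [
    Packet("203.0.113.5", "10.0.0.80", 80, syn=True),
    Packet("203.0.113.5", "10.0.0.80", 80, payload=b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.9", "10.0.0.80", 80, syn=True),
    Packet("198.51.100.9", "10.0.0.80", 80, payload=b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("198.51.100.9", "10.0.0.80", 80, payload=b"GET /login HTTP/1.0\r\n"),
    Packet("198.51.100.9", "10.0.0.25", 25, syn=True),
]


def firewall_plus_ids(packets=SAMPLE):
    """Returns (verdicts, alerts): the probe is admitted and only logged."""
    ids = PassiveIDS(SIGNATURES)
    return run(packets, StatefulFilter(ALLOWED_INBOUND), ids), ids.alerts


def firewall_plus_ips(packets=SAMPLE):
    """Returns (verdicts, alerts): the probe and its follow-up are dropped."""
    ips = InlineIPS(SIGNATURES)
    return run(packets, StatefulFilter(ALLOWED_INBOUND), ips), ips.alerts


if __name__ == "__main__":
    print("firewall + IDS:", firewall_plus_ids())
    print("firewall + IPS:", firewall_plus_ips())
```

Running it prints both verdict lists. The point of the two runs is that the connection-table decision and the signature decision are separate: the stateful filter admits the probe because port 80 is open and the connection is established, and only the inspection stage can act on the payload. A firewall with IPS built in is simply both decisions made in one pass over the same packet, which is what the recommendation above asks firewall vendors to deliver.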