The Lippis Report Issue 35: An Enterprise Network Security Framework
Network security is so important and complex that I decided to provide a framework on the subject. What follows is a short version of the Enterprise Network Security Framework white paper I have authored. You can view the white paper at www.businessrealities.com/default.asp?RC=MI61. I recommend that you view the "Protect and Prevail" webinar/on-line forum, where I am a featured speaker along with John Payne, CIO of San Francisco International Airport, and George Sullivan, Chief Technical Officer at Avaya Global Services. The Protect and Prevail webinar is very well done, perhaps one of the best-produced on-line forums that I've been involved in.
Introduction
Over the past three years most CIOs were tasked with finding ways to reduce network cost by increasing returns on existing investments. During this time, most CIOs made their networks more efficient and secure to mitigate business risk, but kept the network structure relatively constant. Thanks to an improving economic climate, most corporations are now analyzing, planning and starting to implement structural changes to their networks. Most CIOs realize that the efficiency phase of the last three years has run its course, and that the only way to grow revenue profitably and deepen customer and supplier relationships while achieving a further 15 to 30% reduction in network spend is to redesign the network.
Key in this thinking is the fact that during the economic downturn, most corporations established new business processes that allowed a greater focus on core competencies, which are now being supported with new applications such as contact centers and customer relationship management packages. But network spending to support new applications lagged, since budgets were held to a tight 12-month ROI. CIOs are now getting the go-ahead to seek out "structural" changes that will reap large rewards even if it takes a few years to realize them.
And what kind of structural change is on the minds of most CIOs? In a phrase, "secure convergence". The time for secure convergence is right thanks to the maturity of IP telephony offerings, the emergence of Managed Security Service Providers (MSSPs), wireless local area networks (WLANs) and a slightly more lenient time frame for ROI calculations. In short, a post-recession network is an IP-converged network that wraps IP communications securely around corporate profit drivers within a robust business continuity context. As corporations migrate toward converged IP networking, an enterprise network security framework is a must to eliminate the "all eggs in one basket" vulnerabilities inherent in a single network structure: once voice, data and collaboration share one infrastructure, a single outage or compromise affects all of them.
The distributed and urgent nature of today's business environment has driven enterprises to rely increasingly on their networks and the Internet to deliver on customer requirements and gain a competitive advantage. This has forced the enterprise to extend and open its network to partners, suppliers, customers and other "untrusted" third parties, as well as to make corporate resources accessible via the Internet. In short, the number of network connections continues to grow unabated. As a result, the enterprise must now focus considerable attention on securing its network and resources from hackers, intruders, other unauthorized users and even its own employees.
Enterprise network security is now at the top of every IT manager's list of responsibilities. A 2003 IDC study found that security was second only to uptime in a survey of CEO IT concerns, and that prioritization remained steady in 2004. Numerous new threats and vulnerabilities have led to the development of new security technologies, devices and applications, all contributing to increased complexity in this area. Further, deploying new security technologies increases capital and operational expenses with no positive impact on overall productivity, exactly what IT managers have been instructed not to do by executive management. The business case for network security is like that for insurance: it neither increases revenues nor reduces cost, but provides a safeguard in the event that an incident should occur.
While large enterprises can afford to staff IT with specialized security personnel, small and medium enterprises (SMEs) face significant challenges in designing, implementing and managing a network security infrastructure. A widely cited figure attributes as much as 95% of all security breaches to misconfiguration. As a result, many SMEs have turned to Managed Security Service Providers (MSSPs) to assist in the design, implementation and ongoing management of their security infrastructure. MSSPs enable SMEs to extend their security infrastructure and expertise economically while reducing overall spending and enterprise liability.
Enterprise Security Risks
Many corporations have implemented new business processes to streamline operations in direct response to the economic downturn of the past three years. The applications that automate these new processes have extended new virtual business models and increased web-based applications and infrastructure. Enterprise IT managers have been tasked with providing security solutions for these new applications and initiatives. In communications, a new set of tools and options that enable collaboration is growing. Collaboration will allow corporations to achieve another level of productivity and automate new business processes during the secure convergence era. Collaboration enabled through a set of IP communications that use various media, such as instant messaging (IM), email, voice, video and text, brings colleagues together to solve a problem or seize an opportunity. The economy is entering a new growth stage in which businesses will take advantage of convergence by implementing IP telephony to increase productivity, with IP communications as the new business platform enabling collaboration. But to deliver on the promise of collaboration, communication channels need to be secure.
Enterprise IT managers have long been challenged by a variety of hackers, system vulnerabilities, viruses and other attacks against the enterprise network. Over the past several years, the sophistication of these attacks, and the extent of their damage, has increased significantly. In recent years there have been several distributed denial-of-service (DDoS) attacks launched against some of the world's most prominent websites and companies, including Amazon.com, eTrade, CNN and Charles Schwab. An epidemic of email-borne worms, including ILOVEYOU, Nimda and W32.Klez, network worms such as MSBlaster (which spread by exploiting the Windows RPC DCOM vulnerability rather than through email), and rapidly propagating worms like the infamous SQL Slammer have caused tens of billions of dollars in damage. For example, MSBlaster cost Time Warner $500,000 in operational cost alone to clean up the mess it left behind. In addition to this operational cost, several facilities had to be taken offline for two days to disinfect IT resources. While Time Warner is a large firm with a highly skilled IT staff, the result would be worse for a small or medium-sized business that cannot afford a large IT staff with highly specialized network security skills.

In addition to these "traditional" security threats, enterprises now face a new breed of non-technical threats, including terrorism, SEC regulation and medical privacy regulations. IT security is now accountable for matters of national security, fiduciary integrity and personal privacy. New legislation and presidential initiatives such as the Homeland Security initiatives, the Sarbanes-Oxley Act, Presidential Decision Directive 63 (PDD 63) and the Health Insurance Portability and Accountability Act (HIPAA) carry severe non-compliance repercussions for employees, executives and enterprises at large. These new requirements have placed additional strain on already struggling IT departments that are understaffed and under-budgeted to address such issues.

With the promise of voice and data convergence finally being delivered upon, enterprises also now face serious security concerns in their IP telephony networks. Moving voice to an IP infrastructure exposes voice communications to the same threats and vulnerabilities found on pure IP data networks. In addition to security threats, there are also privacy and billing concerns with IP phone spoofing. Reliability is also an issue, with many call management implementations running on a Windows-based operating system and therefore subject to the same worms and patch cycles as the desktop fleet. Taken together, these IP telephony issues are now compromising the one network IT managers once felt was secure and reliable.
Many corporations have implemented wireless local area networks (WLANs) to increase mobility and productivity. But security, configuration and ongoing management concerns have slowed the acceptance of WLANs in the enterprise market. "War driving", in which hackers or intruders equipped with nothing more than a laptop computer and a Wi-Fi card gain access to a corporate LAN and its resources, poses a serious security threat. Rogue access points or ad hoc WLAN endpoints, installed without IT's knowledge, can also breach security defenses from inside the perimeter.
Unfortunately, for many enterprises security is an event-driven, reactive process. A major incident, such as a DDoS attack or virus outbreak, is the only thing that drives an update of the security infrastructure. When such an event occurs, it is isolated and addressed individually, rather than in the context of the overall enterprise network. The result is a "Jacob's Ladder" effect, leaving IT managers constantly running to catch up with security issues, only to end up worse off than they were previously.
So how are IT managers to cope with the complexity, cost, vulnerabilities and liabilities imposed upon the enterprise, which network security both creates and solves? We offer a four-tier network security architecture that segments defenses into a simpler and more manageable model. You can view a multimedia online forum on this topic at www.businessrealities.com/default.asp?RC=MI61.
The Vulnerability Gap
While it is clear that developing and implementing a robust technical security architecture is a complex process, the day-to-day operation, management and maintenance of this security infrastructure can be outright daunting. Many enterprises make the mistake of viewing security as an event rather than an ongoing process. Once the components are in place and have been initially configured, they adopt a "plug and dust" mentality and assume that the policies and deterrents in place will remain adequate into the future. This "once and for all" mindset could not be further from the truth. Several new vulnerabilities and exploits are discovered every day, on the order of 3,500-4,000 annually according to BindView Corporation's RAZOR vulnerability research team. These exploits compromise firewalls, applications, operating systems and antivirus systems alike.
While the vendor community is diligent in providing rapid fixes for newly discovered vulnerabilities, many enterprises (particularly SMEs) find it difficult to keep up with patches and virus definition updates, leaving their systems vulnerable to these exploits. In fact, Gartner estimates that 95% of all attacks target vulnerabilities for which a fix already exists. While the "0-day" virus (one for which there is not yet a fix) does occur, these are few and far between. Most outbreaks involve known viruses that have been previously addressed. Some enterprises with extremely low risk-tolerance thresholds have implemented "zero tolerance" policies with strict repercussions (including immediate termination) to motivate end users to keep current, but such a stern policy is impractical for most organizations.
The fact is that the speed of security outbreaks and the propagation of viruses greatly outpace most enterprises' ability to react and contain them. For example, SQL Slammer propagated around the globe in just 9.5 minutes. Perhaps a large IT staff can react to a propagating virus on this time scale, but the small to medium-sized enterprise is unable to respond until well after the virus has done its damage. This is a consequence of the limited security budget, expertise and proactive initiatives currently in place within the small to medium-sized enterprise. In fact, many companies receive funding for network security well after an outbreak and apply that money to fixing an outdated security problem. In essence, many if not all SMEs find themselves unable to respond to new security threats and thus always fight a losing battle, as their vulnerability gap (the window between a fix becoming available and its being applied across all of their systems) grows faster than they can close it. The security incident "speed coefficient" and the resulting vulnerability gap leave enterprise IT managers constantly running behind security issues, instead of enabling them to establish a solid defensible position.
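The vulnerability gap described above can be measured rather than just asserted. The following is an added example, not part of the Lippis Report or its white paper: given the disclosure and fix dates for a vulnerability and the date each host actually applied the fix, it classifies every host on the day an exploit starts spreading as patched, exposed with a fix available (the Gartner "fix already exists" case), or exposed with no fix yet (a true 0-day), and reports how long the fleet sat exposed. The host inventory is constructed; the MS02-039 vulnerability name and the dates approximate the SQL Slammer timeline (fix published July 2002, outbreak late January 2003), and the second "unfixed" vulnerability is hypothetical.

```python
"""Quantifying the vulnerability gap on the day of an outbreak.

Added example (not from the Lippis Report). Inventory below is constructed;
the MS02-039/Slammer dates are approximate and the unfixed flaw is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

PATCHED = "patched"
EXPOSED_FIX_AVAILABLE = "exposed_fix_available"   # a fix existed but was not applied
EXPOSED_NO_FIX = "exposed_no_fix"                 # true 0-day: nothing to apply yet


@dataclass(frozen=True)
class Vulnerability:
    name: str
    disclosed: date
    fix_released: Optional[date]   # None means the vendor has not shipped a fix


@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Dict[str, date] = field(default_factory=dict)   # vuln name -> date applied


def host_state(vuln: Vulnerability, host: Host, at: date) -> str:
    """State of one host for one vulnerability on the given day."""
    applied = host.patched_on.get(vuln.name)
    if applied is not None and applied <= at:
        return PATCHED
    if vuln.fix_released is None or vuln.fix_released > at:
        return EXPOSED_NO_FIX
    return EXPOSED_FIX_AVAILABLE


def exposure_days(vuln: Vulnerability, host: Host, at: date) -> int:
    """Days from disclosure until the host applied the fix, or until `at` if it had not."""
    applied = host.patched_on.get(vuln.name)
    end = applied if applied is not None and applied <= at else at
    return max((end - vuln.disclosed).days, 0)


def gap_report(vuln: Vulnerability, hosts: List[Host], outbreak: date) -> dict:
    """Summarise the fleet's position on the day an exploit starts spreading."""
    counts = {PATCHED: 0, EXPOSED_FIX_AVAILABLE: 0, EXPOSED_NO_FIX: 0}
    total_days = 0
    for host in hosts:
        counts[host_state(vuln, host, outbreak)] += 1
        total_days += exposure_days(vuln, host, outbreak)
    exposed = counts[EXPOSED_FIX_AVAILABLE] + counts[EXPOSED_NO_FIX]
    fix_window = None   # how long the fix was available before the worm hit
    if vuln.fix_released is not None and vuln.fix_released <= outbreak:
        fix_window = (outbreak - vuln.fix_released).days
    return {
        "vulnerability": vuln.name,
        "hosts": len(hosts),
        **counts,
        "fraction_exposed": exposed / len(hosts),
        "mean_exposure_days": total_days / len(hosts),
        "days_fix_available_before_outbreak": fix_window,
    }


# --- constructed sample inventory (approximate Slammer timeline) --------------
SLAMMER_VULN = Vulnerability("MS02-039", date(2002, 7, 24), date(2002, 7, 24))
UNFIXED_VULN = Vulnerability("hypothetical-unfixed-flaw", date(2003, 1, 20), None)
SLAMMER_OUTBREAK = date(2003, 1, 25)

FLEET = [
    Host("db01", {"MS02-039": date(2002, 8, 15)}),   # patched within a month
    Host("db02", {"MS02-039": date(2002, 11, 1)}),   # patched after about three months
    Host("db03"),                                     # never patched
    Host("lab-sql"),                                  # forgotten lab box, never patched
    Host("db04", {"MS02-039": date(2003, 2, 3)}),    # patched only after the worm hit
]

if __name__ == "__main__":
    for v in (SLAMMER_VULN, UNFIXED_VULN):
        print(gap_report(v, FLEET, SLAMMER_OUTBREAK))
```

For the sample fleet, three of five hosts are still exposed on the outbreak day even though the fix had been available for 185 days, which is exactly the gap the report describes; the hypothetical unfixed flaw shows the much rarer case where no amount of patch discipline would have helped. Run against a real patch inventory, the "exposed_fix_available" count is the number to drive down.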
To view the entire Enterprise Network Security Framework white paper please go to www.businessrealities.com/default.asp?RC=MI61.
