iPolicy Networks In the News
 

The Leading Security Players
Continued Product Improvements From The Industry Leaders

Processor, April 16, 2004
By Stephen J. Bigelow

Today's network security extends far beyond the traditional protection of firewalls and antivirus technologies. Intrusion detection and prevention technologies are emerging to protect the internal network. Remote access must be kept secure, and encryption is being adopted to protect valuable corporate data and email. Ongoing security threats are prompting new products and changes to existing products. Let's see what the leading security players think are the most important security concerns and how their product offerings will be affected by those concerns.

The Enforcers
Zone Labs (http://www.zonelabs.com) emphasizes proactive and responsive network protection that responds to new threats without the need for constant patching and updating. Frederick Felman, vice president of marketing at Zone Labs, says, "Zero-day threats have become the biggest security concern. The time between the announcement of a vulnerability and the creation of its exploit has shrunk to mere days. With dwindling timeframes, there's less chance of a patch being released or deployed before the exploit appears."

PCs must be protected. "It is imperative that companies secure the weakest link in the network: the endpoint PC. A single insecure PC can create a massive vulnerability for the entire company," says Felman. Zone Labs' Integrity software secures networked PCs with robust endpoint protection, ensuring that all PCs that can access the network comply with network security policies. Integrity also quarantines noncompliant PCs and prevents access to network resources until the PC is brought into compliance. A lockdown feature prevents even users with local administrative privileges from disabling endpoint security and policy enforcement.

The Urge To Merge
Companies such as iPolicy Networks embrace traditional perimeter security but include robust internal security to protect against malicious or accidental user events. Prabhu Goel, CEO and chairman at iPolicy Networks, says, "It is critical that companies secure all access points in the network. That includes remote users and wireless users, as well as users within the company. A network is only as secure as its weakest link."

Confusion is inherent in today's diverse solutions. "If you look at the way security was done in the past, you'll see it is piecemeal. You have firewall and IDS in individual boxes, with their own management consoles in each location. There are very few options to coordinate the products in response to an attack between the different locations. It's very difficult to ensure that corporate security policies are being consistently followed across all of the locations," says Goel.

iPolicy products integrate a range of security features in a single high-speed appliance that can offer real-time threat prevention on the network wire with negligible latency, and the company expects to announce VPN, surveillance, and vulnerability assessment products in the near future.

Feeling Vulnerable
The attacks plaguing today's networks are almost universally based on OS and application vulnerabilities. Consequently, vulnerability testing and rapid-response patching are critical to a corporate security scheme. Ray Gazaway, vice president of professional services at Internet Security Systems (http://www.iss.net), says, "In the fourth quarter of 2003, ISS added 610 new vulnerabilities and 691 new worms to its database. The first quarter of 2004 saw a swell in worms including MyDoom, a mass emailing worm, and Bagel, a phishing scheme."

The potentially devastating consequences of system exploits make vulnerability testing a top priority. "The first step in protecting an organization's IT infrastructure is to conduct penetration testing to detect vulnerabilities that can be exploited by hackers. Once the vulnerabilities have been detected, the network or IT managers should remedy the vulnerabilities and implement technologies to block exploits before they impact the network," says Gazaway. Fortunately, vulnerabilities can be identified and managed with the proper tools, such as Internet Scanner, an integrated part of ISS' Enterprise Protection.

Proventia Intrusion Prevention appliances from ISS can block attacks in real-time, minimizing the need for administrator oversight and freeing IT resources for other tasks. ISS released new Gigabit Ethernet products in March, including the Proventia G1000F and G1000 gigabit intrusion prevention appliances for fiber and copper network environments, respectively.

Hostile Territory
Symantec (http://www.symantec.com) continues the ongoing fight against viruses, worms, and Trojan horse programs that seem to place networks under constant attack. David Loomstein, senior product manager at Symantec Security Response, says that vulnerabilities are increasingly severe and easy to exploit. "On average, over the past six months, 99 new high-severity vulnerabilities a month were announced. Vulnerabilities are becoming increasingly easy to exploit. This either means that no specialized knowledge is required to gain unauthorized access to a network or that tools are readily available to help attackers do so. This increases the likelihood of damaging intrusions. In 2003, 70% of vulnerabilities announced were considered easy to exploit." This is up from 60% in 2002.

Symantec is receiving an increasing number of malicious code submissions, suggesting that hackers are working harder than ever to exploit vulnerable networks. Blended threats are also prominent. "Blended threats continue to be a major concern, representing 54% of the top 10 submissions. Blaster, Welchia, Sobig.F, and Dumaru are four blended threats that have spread rapidly over the past six months," says Loomstein. Hackers are also making increased use of existing backdoors. "By leveraging existing backdoors to gain control of a target system, attackers can install their own backdoor or use the compromised system to participate in a distributed denial-of-service attack," says Loomstein.

As with Zone Labs, Symantec dreads the specter of "zero-day" threats, and Loomstein believes that these threats are imminent. "A zero-day blended threat could target such a vulnerability before that vulnerability is announced and a patch made available. If such an outbreak occurs, widespread damage could occur before users are able to effectively patch their systems." Symantec continues to match wits with hackers, and users can expect to see regular virus database updates into the future.

No Stone Unturned
Nortel Networks (www.nortelnetworks.com) continues to emphasize a more traditional layered approach, which is often more practical to implement in large complex networks. It emphasizes comprehensive security for every part of the network. Atul Bhatnagar, vice president and general manager of enterprise data networks at Nortel, cites increasingly sophisticated threats as a rationale for comprehensive solutions. "While we're concerned with anything which can pose a threat to today's enterprise networks, particularly in light of legislation impacting many of our customers, we are especially concerned with blended threats posed by worms and viruses and the swift and costly damage they can do to the enterprise."

Although Nortel does not offer ubiquitous "single-box" solutions, its suite of products is evolving to extend security across every part of the network. "Nortel Networks Unified Security Framework is reliant on providing integrated security across the infrastructure wherever possible, right down to ensuring that each product and device that touches the network is secure. By ensuring each product is secure, an approach we call Security in the DNA, a layered approach to security can be implemented across the entire infrastructure," says Bhatnagar.

There have been several recent changes in Nortel's product line. Nortel's Contivity Secure IP Services Gateways now include Tunnel Guard, ensuring that only users with adequate virus definitions and patches can access the network. Enabling 802.1x support verifies users inside of the network. Bhatnagar also notes the inclusion of DoS, P2P, and threat signature filtering features to Nortel application switches.

Mystic Voices
Avaya (http://www.avaya.com) focuses on VoIP, although it shares many of the same security concerns echoed by other industry leaders. DoS due to worms and viruses is the biggest concern of Howard Kradjel, a member of Avaya's Security Architecture team, although protecting content from eavesdropping and capture is also a high priority. He says, "Access control and encryption are two methods of protecting against these threats. Access control requires authentication and authorization to take place prior to accessing resources, and encryption protects content from being deciphered."

For IP telephony, security gateway access control capability at the enterprise edge and the expansion of media and signaling encryption among IP telephony servers and endpoints are of extreme importance. Kradjel points to the Security Gateway line as Avaya's only true security product: "Beyond that, we have been adding security capabilities to our applications, primarily encryption capabilities in media and signaling among IP telephony servers."

Layer After Layer
The one common thread embraced by security leaders is the use of layers. Each leader notes that a single solution will not be adequate to stave off every attack, so a combination of firewall, antivirus, vulnerability testing, intrusion detection/prevention, and encryption will be required, depending on the needs of your particular network and industry. Administrators must be prepared to accept the learning curve and management burden associated with a layered security scheme.
