Modernizing Authentication — What It Takes to Transform Secure Access
Speed made headlines again at Interop LV 2010, the 23-year-old conference devoted to infrastructure that makes the Internet tick. This year, attendees couldn't move without bumping into a 10GigE switch or some other furiously fast data center device. With a multitude of virtualized services migrating into "the cloud," Sun's prescient vision has finally come to pass: The network really is the computer.
This year's show focused on core network innovations that make clouds possible. But, for security folk, clouds pose new threats and opportunities. Dedicated, on-prem devices may be tough to secure but they're all yours. On the other hand, cloud services must be logically configured, often from afar, powered by (possibly shared) platforms you've never seen. Interop attendees explored this increasingly cloudy forecast and glimpsed the latest gear designed to support it.
What you can't see...
According to Network Instruments, 41 percent of surveyed attendees already ran some kind of Software-as-a-Service (SaaS) most often Salesforce.com or Google Apps. Another 19 percent reported using Infrastructure-as-a-Service (IaaS), like Amazon's Elastic Compute Cloud. Why adopt these cloud services? One third said to cut costs; another 30 percent sought more flexibility to react to business changes.
But even bullish-about-clouds Interop attendees had serious reservations about loss of visibility and control. Twenty-two percent worried about tools to monitor and manage cloud activities; 27 percent feared that bandwidth costs might exceed forecasted budget.
While Interop attendees may be more inclined than your average IT guy to use network-based virtual services, cloud providers and platform vendors clearly need to reach out and comfort those who will be responsible for administering and securing cloud initiatives. Several did just that during Interop conference sessions.
Look before you leap
This year's sessions ran the gamut from cloud computing, virtualization, and app delivery 2.0 to networking, storage, and unified communication. Security issues were sprinkled throughout, but served as the focal point for two tracks: one on governance and compliance, another on IT security and risk management.
In the latter, Brian Contos, Chief Security Strategist at Imperva, discussed "Data Security in the Cloud." Technologies that have long secured our networks -- ACLs, firewalls, IDS, VPN, anti-virus -- are not defending us from attacks like cross-site scripting and SQL injection, he said. Cloud services exacerbate these existing threats.
"When you move data into the cloud, it becomes easier to attack multiple targets at once," said Contos. "A successful attack can bring down an entire service. It can impact many more [companies and users], so the risks around financially-motivated attacks are amplified."
But Contos argued that clouds can also reduce risk through more effective network-based defenses. "You can do reputation-based security really well in the cloud. You can do virtual patching there more efficiently. You can unify data and network-centric controls [inside the cloud]," he said. A good cloud service provider can also deliver faster incident response, using a deeper talent pool.
Chris Richter, VP of Security Services at Savvis, said clouds raise security concerns in part because services are so varied. "You've got multiple models, multiple vendors, and multiple policies. Some providers dont reveal their policies or architectures or even allow vulnerability scans," said Richter. "Security auditors are understandably worried."
Security standards are being drafted by organizations like the PCI Security Standards Council and the Federal Cloud Computing Advisory Council. But enterprises also need to adopt more methodical approaches to secure cloud deployment. Specifically, Richter recommends the following steps:
- Evaluate your applications suitability for cloud deployment
- Classify the value and sensitivity of data to be stored in the cloud
- Determine cloud type (SaaS, PaaS, IaaS) based on app needs
- Select an appropriate delivery model (private, public, hybrid)
- Specify platform requirements (e.g., CPU, storage, bandwidth)
- Specify security controls, including firewall/IDS rules, log management, application and database protection, identity/access management, and encryption
- Determine if your policies can be satisfied by your providers policies
- Establish provider selection criteria (e.g., geographic reach, stability)
Like Contos, Richter said a well-designed cloud should incorporate security. "Data is the ultimate prize, so Web app [and database] firewalls in the cloud are very important to stop ports 80 and 443 from becoming gaping holes," he said. But buyers must become informed, ask questions, and walk away from services that don't meet their needs. For example, when deploying a service subject to compliance audits, "If you cant scan your [cloud hosted] environment, you have to look elsewhere," said Richter.
Building secure clouds
Not surprisingly, many big Interop announcements dealt with plumbing, such as Arista Networks' 7500 (a 384-port 10GigE cloud computing switch) and Mellanox Technologies' BridgeX InfiniBand gateway (for high I/O virtualized services). But you can't build self-defending networks that push tens of gigabits without more efficient security products too.
SonicWALL announced Project SuperMassive (above), a data center firewall that combines reassembly-free deep packet inspection with threat intelligence gathered from 1.5 million deployed devices, running in a 4U chassis equipped with up to 20 Cavium 12-core CPUs. The result: a furiously fast box that performs full unified threat management (UTM) at throughputs up to 13 Gbps with just 400 milliseconds of latency. With SuperMassive, 10GigE network operators don't have to choose between performance and reputation-based, application-layer threat prevention.
McAfee used Interop to announce Firewall Enterprise 8, a feature update to the SideWinder acquired from SecureComputing. This proxy firewall has always been application-aware, but FE8 adds "any port" protection, meaning that it can now block SSH tunnels on port 53, etc. FE8 also leverages TrustedSource, McAfee's geo-location and reputation-based filtering service that uses cloud-sourced data from 100 million sensors to block emerging threats. For customers moving to virtual data centers, FE8 is now available as hardware, software, or a virtualized appliance.
German company gateProtect introduced its latest firewall at Interop: the GPZ-2500. This large enterprise UTM firewall combines 6 fiber ports, 18 GigE ports, VPN acceleration, redundant disks, and redundant power supplies to achieve 99.97% availability. The GPZ-2500 delivers up to 9 Gbps of firewall throughput, dropping to 1.1 Gbps with full UTM. GateProtect's "secret sauce" is its icon-driven ergonomic GUI. In multi-site or cloud deployments, the gateProtect Command Center can manage 500 gateProtect UTM firewalls, using eGUI drag-and-drop and visual rules to simplify accurate configuration.
Offering security as a service
Barracuda not only announced its own Next-Generation Firewall, but demonstrated its Purewire Web Security Service a SaaS offering that inspects Web requests (local, remote, or mobile) for policy compliance and analyzes responses before letting them enter corporate networks. Depending on requirements, inspection can be performed by the provider's cloud or a CPE gateway. Focused on Web-borne threats, Purewire combines anti-virus signatures, AJAX-aware object analysis, and behavioral analysis to block bots, spyware, and malicious Web apps that use HTTP/HTTPS.
Trustwave decorated its Interop booth with a banner announcing "Cloud Security," referring to both cloud management of CPE-based services (e.g., managed UTM, managed IDS/IPS) and in-the-cloud services (e.g., secure e-mail). For example, Trustwave recently added Data Loss Prevention (DLP) Discover to its security services portfolio. This service scans internal corporate assets to discover and classify sensitive data, applying "smart tags" to each file to enable access control, encryption, logging, etc. Trustwave delivers unified dashboard access to all of its compliance and security services (including DLP) through its on-line integrated Managed Security Portal.
Cisco announced a pair of cloud-based security services: IronPort Email Data Loss Prevention and Encryption, and ScanSafe Web Intelligence Reporting (WIRe). To support these cloud services, Cisco now owns 30+ data centers world-wide, handling 2.8B reputation look-ups, 2.5B web requests, and 250B spam messages per day. WIRe gives enterprises detailed per-user data about employee web activities, including malware interception, bandwidth usage, and policy compliance. IronPort is a hosted secure e-mail service that inspects and optionally encrypts outbound messages, applying custom or predefined policies for regulatory compliance, regional laws, intellectual property protection and acceptable use.
E-mail-related cloud services were especially popular at Interop this year, with emphasis on making secure e-mail more scalable and manageable. For example:
- AppRiver earned a Best of Interop nomination for its Akamai-optimized Microsoft Exchange Service a refinement to this provider's popular Secure Hosted Exchange service which cuts average download time from 80 to 20 seconds. AppRiver baked SecureTide spam filtering and anti-virus into its basic hosted e-mail service not only to benefit customers, but to reduce storage requirements. Optimizing delivery with Akamai now makes this service more reliable and attractive to mobile users turned off by poor performance.
- Astaro announced a new Mail Archiving Service (now in beta), which makes it easier for companies to meet regulatory requirements by offloading long-term e-mail archival into Astaro's cloud. All messages are immediately transferred to the archive, stored in encrypted format, and available for discovery purposes. By using a cloud-based service, employers can control e-mail retention and ensure compliance, without buying or managing petabytes of on-site storage.
Of course, clouds weren't the only topic at this year's Interop. Several major security product announcements dealt with visibility or lack thereof. New technologies often introduce risk because they bypass traditional defenses, impeding our ability to monitor and inspect (much less control) what's happening.
For example, virtualized servers, desktops, and switches make it difficult to inspect traffic exchanged between logical environments residing on the same physical system. But TippingPoint's new vController (Best of Interop in the Security category) lets you scrub virtual machine (VM) traffic using a traditional TippingPoint Intrusion Prevention System. By making it possible to visualize, inspect, and control traffic flows between physical and virtual systems in exactly the same way, TippingPoint can eliminate blind spots otherwise introduced by virtualization.
Security Information Management (SIM) also attempts to restore visibility by aggregating and analyzing events logged throughout a network. But SIM has gotten a bad rap as a promising concept that often proves too expensive. TriGeo hopes to change that. The TrioGeo SIM doesn't gather logs it uses native feeds to collect live events, correlate them in real-time, and take corrective action (e.g., disabling offending NICs). Although TriGeo blurs the line between SIM and IPS, this turn-key appliance could help midmarket admins avoid overflowing unread logs and too-little-too-late mitigation.
Astaro's RED takes a unique approach to restoring remote office visibility -- it eliminates challenges commonly posed by ROBO firewalls by eliminating them. There's nothing to configure or watch because RED Ethernet extenders forward everything over a self-configured SSL tunnel to a head-end UTM (which can be any Astaro firewall). By bridging remote devices onto a central LAN, all packets (including those bound for the Internet) flow through a single point of control and visibility. Bonus: the $300 RED doesn't require annual UTM subscriptions or maintenance agreements.
Flying on auto-pilot
Sometimes, poor visibility results in loss of service. To this end, Cisco took a whack at automated RF interference mitigation by introducing the Aironet 3500 Series AP with CleanAir Technology. The premise: mission-critical mobile applications require self-healing WLANs. Cisco's solution: using AP-embedded, ASIC-based spectrum analysis to monitor, identify, classify, and map RF interference sources, determine their impact, and adjust WLAN settings as needed to maintain availability and performance.
According to Chris Kozup, Senior Manager of Mobility Solutions, Cisco ran beta tests at over 30 customer sites before releasing CleanAir (Best of Interop in the Wireless/Mobile Category). Those most likely to benefit include retail, manufacturing, and education venues that have little control over nearby RF devices, but where WLAN applications simply can't go down. "Retailers don't want to become a demo center for Amazon.com they need to engage you quickly, get your credit card number, and make the sale," he said. "That requires a robust WLAN as a foundation."
The key to automated mitigation, said Kozup, is a measured approach. "First, you need 100 percent clarity on what's out there you can't make the right decision without that, and people need to trust the system to make good choices," he explained. When CleanAir changes a channel to avoid interference, that channel won't be selected again for any other AP for a while to avoid flapping. The system also fingerprints and tracks interferers to help WLAN operators find and permanently eliminate trouble-makers.
Mitigating mobile threats
At this year's Interop, WLANs went quietly mainstream; exhibitors were largely those offering both wired and wireless infrastructure (e.g., Cisco, D-Link, Enterasys, Seimens, SMC). However, the same can't be said for mobile wireless clients. Safe-but-productive ways to fold smartphones and their applications into enterprise networks was a major topic of debate, both on the exhibit floor and during conference sessions.
Alex Wolfe, Editor-in-Chief at InformationWeek, kicked off his Mobile Security panel by stating "When it comes to deploying enterprise apps on smartphones, security is the elephant in the room. Comprehensive security must do more than simply wipe a device."
Jay Barbour, Security Advisor with RIM's BlackBerry Security Group, observed that smartphone shipments will outpace PCs by 2013, becoming a primary enterprise computing device. To navigate this shift safely, enterprises must address today's failure points: uncontrolled downloads, poorly-protected operating systems, devices vulnerable to physical threats, users with administrative privileges, and weak encryption. To mitigate these, Barbour recommended app sandboxing, hardware-based signature verification, tamper-proof policies, and phones with strong elliptical curve encryption and self-wipe. "But don't just look for checkbox support; ask how well is it implemented?" he said.
David Perry, Global Director of Education at Trend Micro, said "Every year, computing systems get faster, smaller, more connected, and more mobile." Although researchers find more than 100,000 new pieces of malware each day, most are still written for Windows. "The main advantage we have right now is that no one [mobile] OS is dominant it's too hard for bad guys to write malware for everything," he said. "But think your mobile devices are safe? Think again."
Perry warned that mobile attacks, when they take off, are likely to be different. "I dont think were going to see [many] viruses and rootkits on mobile devices," he said. Instead, attackers will exploit always-on connectivity in ways that users won't even notice. For example, Perry described an attack on NTT DoCoMo phones that overwhelmed Tokyo's 911 service for six hours.
Khoi Nguyen, Group Product Manager for Mobile Security at Symantec, warned that smartphone consumerization and app downloads may be a tipping point for mobile attacks. "Smartphones are the hackers next destination," he said. "The biggest risk today is about data loss and theft, not malware. But we do see malware data attacks being propagated already, like snoopware, pranking4profit, and SMS spam."
Given these trends, Nguyen argued that all endpoint needs to be secured including mobile devices. "Back in the 90s, most enterprises didnt centrally manage and secure PCs, but today its a basic requirement. On the smartphone side, were where we were 15 years ago. We need to secure and manage smartphones through their entire lifecycle, and we shouldnt be creating separate management frameworks just for mobile."
Ryan Naraine, Senior Security Evangelist at Kasperksy Lab, said that asking users to lock down and use their own smartphones safely is an exercise in futility. "User education never works on the PC side, its been proven that it doesnt work," he said. But Nguyen disagreed, stating "User awareness is still a key part of the overall solution, because social engineering is one of our biggest problems."
Make it work
Interop is always a great place to learn about new network hardware, software, and services, and to hear about how others are using them. But a secure network whether a traditional private, dedicated, on-premise deployment or some new virtualized cloud service involves more than technology and infrastructure. In the end, security must be accomplished through policies, practices, and people. At Interop LV 2010, attendees got a chance to see how the latter must adapt to safely use tomorrow's networks.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.