www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
11 September 2006  

Embedded security’s the watchword

Companies are offering networking hardware with in-built security features. Priya Jain reports

As networking infrastructure starts to span the broad landscape of enterprise systems with almost anyone and everyone accessing the network from within and often outside an organisation, the success of an organisation’s IT set-up revolves around being able to securely transmit data and conduct transactions.

While networks are becoming central to the way we live, the convergence of networking and security is rapidly becoming a fait accompli. Add to this the rising use of mobile devices and security takes centre-stage.

Cisco’s NAC (network admission control) initiative was an early example of a networking company working with security vendors to create a security solution that checks whether a device is up to date in terms of OS and anti-virus patches before admitting it to the network.

Nortel’s recent initiative to collaborate with Symantec takes this concept one step forward by integrating the third-party software onto its switch. The company’s application switch now comes loaded with intrusion protection software from Symantec.

Networking vendors are attempting to convince users that there’s nobody better placed to secure the network than the people who build the gear for it.

Observes Sajan Paul, Head, Technology & Consulting, Enterprise Solutions, Nortel India, “Network security is always a layered approach. There are various elements like the end-user terminals, network infrastructure, and servers, all of which are vulnerable. It is impossible to deploy centralised security devices for large networks, primarily due to performance and scalability issues.”

The argument put forth is that what’s needed is to protect a network in a distributed manner covering end-user terminals, networking infrastructure, and the data centre at all levels. With the availability of high-speed network processors, it is possible to perform wire-speed packet and session monitoring at the entry point and proactively isolate network segments while notifying admins of potential attacks.

Says Hayath Mohammed, Business Development Manager, Cisco Systems, India & SAARC, “Infrastructure has become complex…each application passes through the network. Every component in the network needs to be secure. This requirement has given rise to the trend of secure switching and routing infrastructure.” Cisco’s initiative to address security at the level of the architecture is a move away from looking only at individual switch and router points.

Agrees Sam Srinivas, Chief Technologist, India Operations, Juniper Networks, “Since the network has become critical to corporate and personal life, there has been a matching rise in the scope and sophistication of criminals trying to misuse the network. To address this, security has needed to evolve from point checks to something within the network.”

The need for integration arises because of the need to ensure that critical threats are proactively identified and stopped before they can penetrate a company’s network infrastructure and impact business. Points out Anand Naik, Director, System Engineering, Symantec India and SAARC, “Vulnerabilities, and the hackers who exploit them, are steadily increasing around the world, leaving IT organisations open to attack during the gap between discovery of a threat and deployment of a patch to protect against the same.”

Bringing it all home

When integrating security into networking infrastructure, the ability to scale has to be preserved despite the complex additional processing entailed by scanning data packets and then taking action depending on the results of the scan. Adds Srinivas, “Keeping in mind the scalability required, the technology which makes such integration possible is a purpose-built appliance that does most of the processing in the hardware (the fast path) while doing the complex control and edge case processing in the software. To divide the work between what happens in hardware (very fast but not very flexible) and what happens in software (very flexible but high overhead) is an engineering art form.”
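The hardware/software split Srinivas describes can be illustrated with a small model. The following Python is an added example, not code from the article or from Juniper: the first packet of a session takes the slow path (full policy evaluation, standing in for control-plane software), the verdict is cached in a flow table, and later packets of the same session are resolved by a table lookup (the fast path, which on a real appliance would be the ASIC or network-processor stage). The policy rules, the addresses and the table-capacity fallback are assumptions constructed for the example; the capacity case matters because a flooded table must degrade to slow-path processing rather than fail open.

```python
"""
Added example (not the article's or any vendor's code): a toy model of the
fast-path/slow-path split. Policy, addresses and capacity are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport proto")

# Constructed policy, evaluated only on the slow path.
ALLOWED_PORTS = {22, 80, 443}
BLOCKED_SOURCES = {"203.0.113.9"}  # documentation (TEST-NET-3) address, constructed


def slow_path(pkt):
    """Full policy evaluation: flexible but expensive (the 'software' side)."""
    if pkt.src in BLOCKED_SOURCES:
        return "drop"
    if pkt.proto == "tcp" and pkt.dport in ALLOWED_PORTS:
        return "allow"
    return "drop"


class FlowTable:
    """Session cache standing in for the hardware flow table."""

    def __init__(self, capacity=1024):
        self.capacity = capacity
        self.entries = {}      # session key -> cached verdict
        self.fast_hits = 0     # packets resolved by lookup only
        self.slow_hits = 0     # packets that needed full policy evaluation

    @staticmethod
    def key(pkt):
        return (pkt.src, pkt.dst, pkt.dport, pkt.proto)

    def process(self, pkt):
        k = self.key(pkt)
        verdict = self.entries.get(k)
        if verdict is not None:
            self.fast_hits += 1          # fast path: no policy code runs
            return verdict
        self.slow_hits += 1
        verdict = slow_path(pkt)          # slow path: evaluate policy
        if len(self.entries) < self.capacity:
            self.entries[k] = verdict     # install the session for later packets
        # When the table is full we still return a correct verdict; we just
        # keep paying the slow-path cost instead of failing open.
        return verdict


def run(packets, capacity=1024):
    """Process a packet list; return (verdicts, fast_hits, slow_hits)."""
    table = FlowTable(capacity)
    verdicts = [table.process(p) for p in packets]
    return verdicts, table.fast_hits, table.slow_hits


# Constructed sample traffic: one allowed session, one blocked source,
# one session to a port the policy does not permit.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 443, "tcp"),
    Packet("192.0.2.10", "198.51.100.5", 443, "tcp"),
    Packet("192.0.2.10", "198.51.100.5", 443, "tcp"),
    Packet("203.0.113.9", "198.51.100.5", 443, "tcp"),
    Packet("192.0.2.11", "198.51.100.5", 3389, "tcp"),
    Packet("192.0.2.11", "198.51.100.5", 3389, "tcp"),
]

if __name__ == "__main__":
    verdicts, fast, slow = run(SAMPLE)
    print(verdicts, "fast:", fast, "slow:", slow)
```

With the sample traffic, three of six packets never touch the policy code; with the table capacity forced down to one entry, four of six do, which is the performance cliff an attacker generating many new sessions is aiming for and why session-table sizing and eviction policy are part of the "engineering art form".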

Attacks often cripple network infrastructure either by generating overwhelming traffic flows or launching a targeted attack on the equipment itself. Explains Paul, “One of the key aspects is to build self-defending network elements. With widespread availability of network processors and Application-Specific Integrated Circuit-based security chips, it is possible to scrutinise every packet and session that enters a port. All this is done at wire-speed so that performance does not suffer.”

Mohammed believes that a self-defending network provides integrated security, collaborative security and adaptive security. These products are also updated continually with information about the latest malware and spyware threats.

Convergence to IP is yet another reason that is making organisations look at such options since all applications are progressively being delivered over IP. As the means of accessing the network multiply via a greater variety of access devices, enterprises are increasingly vulnerable to attack. Many feel that these attacks are best addressed by integrating security pervasively and deeply into the infrastructure.

“Research is underway to provide optical-level encryption chips. Another trend is to have security hardware right on the core LAN switch. We have embedded firewalls and threat protection systems, like an intrusion detection system and intrusion prevention system, available as part of the core switch offering,” states Paul.

A bit of this and that

Organisations continue to prefer a combination of dedicated security appliances and integrated appliances. Previously, the trend was to build and deploy enterprise applications that were Lightweight Directory Access Protocol (LDAP)-aware. Such applications redirect authentication attempts to a centralised directory that authenticates, and often also authorises, the users.

According to Naik, “There is an increasing convergence of networking and security as customers demand that security be woven into the network fabric. Enterprises are now looking to take a defence-in-depth approach to securing their networks. Our solution provides a network layer of protection that complements gateway and end-point solutions.” To which Paul of Nortel adds, “Some of these technologies emerged due to advanced technology innovation, partnerships and product mergers. Nortel works with Checkpoint for firewall applications…SNORT and ISS are the intrusion protection partners.” Today, more than 30 vendors including Network Associates, Symantec and Trend Micro have evolved their technology to work with Cisco’s NAC.

The technology should provide easy, automated upgrades with no dependency on the platform. Any security device will need timely updates to items such as attack signatures and policies as the threat landscape changes.

Secure network gear: four options

Cisco's Network Admission Control (NAC)
How it works: NAC controls access to the LAN, preventing access devices that do not comply with pre-determined policy from connecting to the network. It affects both wired and wireless client devices. If a vulnerable host, say a PC that's not up-to-date in terms of anti-virus or OS patches, tries to access the LAN, it can be isolated, given reduced network access, or directed to remediation servers based on organisational policy. By ensuring that every host complies with security policy, organisations can significantly reduce the damage caused by infected hosts.

Nortel's Secure Network Access (SNA)
How it works: SNA is Nortel's end-point security and policy compliance solution designed to inspect, assess, ensure compliance, and remediate at the network end-point source prior to network access. SNA leverages Tunnel Guard technology to enforce end-point compliance by checking and controlling user access through Nortel VPN routers, SSL VPN gateways, and Nortel LAN switches.

Nortel's application switch with Symantec Intelligent Network Protection
How it works: This solution builds intrusion prevention into the fabric of your network. Some features include the ability to block network-based intrusions and worms, protect against vulnerabilities before exploits appear in the wild and before systems can be patched, and protect against critical vulnerabilities including those in Microsoft OSs. It can operate on any Nortel application switch running Nortel's Intelligent Traffic Management option. The Symantec Intelligent Network Protection option requires installation of Nortel's Intelligent Traffic Manager on the application switch, and availability of a computer to run Nortel's Java-based Application Switch Element Manager client and server software.

Juniper's Enterprise Infranet
How it works: The Enterprise Infranet framework creates an IP-based enterprise infrastructure which addresses the key challenges faced by network managers. It coordinates network, application and end-point intelligence to deliver the control required to support today's demanding network applications, manage network use, and reduce threats without requiring a forklift upgrade.

Pros & cons

Building security into switches and routers ensures that no packet gets into the network without being run through a fine-tooth comb. That’s the upside. The trouble with integrated technologies is that they can only be built with joint endorsement by vendors, which means that it will take longer for these to reach the market.

An immediate gain is that one integrated system replaces multiple systems, simplifying network management, improving performance, and reducing operational expenses. This integration also allows capabilities which were not possible in the past as the network is fundamentally more capable.

“Probably a larger issue slowing the growth of integrated networking would be the convergence of standards. The good news is that today there are efforts like Trusted Computing Group, Network Access Protection, and NAC addressing these issues. The bad news is that these are multiple parallel efforts,” remarks Srinivas.

As another example, a specialised kind of firewall called a Session Border Controller (SBC) allows VoIP traffic to cross a network boundary. The industry direction is to move capabilities such as SBC into the networking infrastructure. Since the VoIP protocols have multiple proprietary variants, the infrastructure vendor needs to invest in chasing the variants rather than in just a standard implementation. This is where the lack of a standard hurts.

When exploring new capabilities that were not possible before, the customer typically has to spend time working out a deployment which best suits his needs. For example, in implementing comprehensive controls for who accesses what in a LAN, there are a variety of issues such as needing a central identity store which knows what each person’s role is, a clear mapping from roles to permissions, etc. These need not necessarily be present in an organisation, and to get there may need some spadework before the deployment.
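The admission decision sketched in the NAC entry of the table above (isolate, give reduced access, or send to remediation based on anti-virus and OS patch state) and the prerequisites named in the paragraph above (a central identity store that knows each person's role, and a mapping from roles to permissions) can be put together in a few dozen lines. The Python below is an added example and is not code from the article, Cisco, Nortel or Juniper: a host reports its posture, a policy turns that into findings, and a constructed identity store maps the user to a role and the role to the network segments it may reach. The thresholds, user names, roles, segment names and the article's date used as "today" are all assumptions constructed for the example.

```python
"""
Added example (not the article's or any vendor's code): a toy NAC admission
decision that combines host posture with a role-to-segment mapping.
All thresholds, users, roles and segments are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Posture:
    host: str
    user: str
    av_running: bool
    av_signature_date: date   # date of the installed anti-virus signatures
    os_patch_level: int       # constructed monotonically increasing patch counter


# Constructed policy thresholds.
MAX_SIGNATURE_AGE = timedelta(days=7)
MIN_OS_PATCH_LEVEL = 42

# Constructed central identity store: who has which role, and what each role may reach.
USER_ROLES = {"alice": "finance", "bob": "engineering", "guest": "visitor"}
ROLE_SEGMENTS = {
    "finance": {"vlan-corp", "vlan-finance"},
    "engineering": {"vlan-corp", "vlan-lab"},
    "visitor": {"vlan-guest"},
}
LOW_SENSITIVITY = {"vlan-corp", "vlan-guest"}   # what "reduced access" is allowed to reach
REMEDIATION_SEGMENT = "vlan-remediate"          # isolated segment with patch/AV servers


def posture_findings(p, today):
    """Compare a host's reported posture with policy; return a list of findings."""
    findings = []
    if not p.av_running:
        findings.append("av-not-running")
    if today - p.av_signature_date > MAX_SIGNATURE_AGE:
        findings.append("av-signatures-stale")
    if p.os_patch_level < MIN_OS_PATCH_LEVEL:
        findings.append("os-patches-missing")
    return findings


def admit(p, today):
    """Return (decision, permitted segments, findings) for one host."""
    findings = posture_findings(p, today)
    role = USER_ROLES.get(p.user)
    if role is None:
        # No role means no permissions: the identity store is the source of truth.
        return "deny", set(), findings + ["unknown-user"]
    if "av-not-running" in findings or "os-patches-missing" in findings:
        # Serious non-compliance: isolate to the remediation segment only.
        return "remediate", {REMEDIATION_SEGMENT}, findings
    if findings:
        # Minor non-compliance (stale signatures): keep only low-sensitivity segments.
        return "reduced", ROLE_SEGMENTS[role] & LOW_SENSITIVITY, findings
    return "full", set(ROLE_SEGMENTS[role]), findings


TODAY = date(2006, 9, 11)   # the article's date, used as the constructed "now"

# Constructed sample hosts covering each decision branch.
SAMPLE_HOSTS = [
    Posture("pc-alice", "alice", True, date(2006, 9, 9), 45),
    Posture("pc-bob", "bob", True, date(2006, 8, 20), 45),
    Posture("pc-guest", "guest", True, date(2006, 9, 10), 30),
    Posture("pc-mallory", "mallory", True, date(2006, 9, 10), 45),
]


def decisions(hosts=SAMPLE_HOSTS, today=TODAY):
    """Admission decision for every host, keyed by host name."""
    return {p.host: admit(p, today) for p in hosts}


if __name__ == "__main__":
    for host, (decision, segments, findings) in decisions().items():
        print(f"{host}: {decision} -> {sorted(segments)} {findings}")
```

The point of separating `posture_findings` from `admit` is the one the paragraph makes: the posture check is the easy part, while the decision depends on an identity store and a role-to-permission mapping that the organisation has to have built beforehand. An unknown user is denied rather than given visitor access, because a default-allow path would let the posture check be bypassed simply by not being in the directory.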

After looking at all these aspects of integrating networking infrastructure with security, one can conclude that there is a progressive need to look deeper into application traffic. This is computationally very expensive, and it is challenging to do this at scale. However, it seems that new developments like specialised multi-core processors aimed at networking functions could help keep performance matched with the need.

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.