Friday, June 30, 2006

Network Security Platforms

In the past, best-of-breed security solutions have been the most-effective choices for securing enterprise networks. However, this approach has resulted in the deployment of a disparate set of point products for firewall, intrusion detection,antivirus blocking, vulnerability analysis, and other network-centric security functions. This has led to gaps in protection and a high cost of ownership because of the need for multiple management consoles and a lack of integration.Gartner believes that the rise of network security platforms will enable best-of-breed security solutions to blur the lines between firewalls, network-based intrusion detection, and vulnerability scanning, as well as other network-centric security technologies.

What are network security platforms?
Network security platforms are network-attached devices that can apply multiple security functions (at a minimum, firewall, intrusion detection, and vulnerability scanning)at wire speeds. They provide environmental inputs (power, cooling and console) for the security capabilities, a common backplane for communications, and a structure for controlling communications between
security processing functions. Network security platforms use a variety of algorithms and techniques to inspect incoming and outgoing network traffic to determine if connections and payloads are dangerous to enterprises. The platforms decide whether to raise an alert regarding
suspected malicious activity or to take specific actions—such as blocking connections, dropping packets, or terminating sessions—when malicious activity is detected. These platforms perform functions that currently are performed by firewall network- and application-level), intrusion detection, vulnerability assessment, gateway antivirus, and URL blocking products.
Many network security platforms will include virtual private network capabilities; however, we believe that these capabilities will not be long-term platform requirements, except for site-to-site connections. Network security platforms must run at wire speeds; for most enterprises, these will be in the 100 Mbps to 1 Gbps range for single connections, and much higher for multiple networks. For “in the cloud” security applications, with which telecom and Internet service providers provide security processing in the network, throughput of 2 Gbps or higher will be required. These requirements will drive most network security platforms to be based on custom, application-specific, integrated circuits or network-security processors to support complex processing at high data rates. However, the platforms will need to support software-based updates, customization, and scripting similar to software-based systems. Hardware-based stack and protocol processing will be required to perform deep packet inspection without introducing unacceptable network latency.Software processing that runs on generic computing platforms will be sufficient where the network security platform primarily will be used for detection, not prevention; applications are simple or repetitive; or network data rates are low enough (see Figure ).

There are four primary types of network security platforms:

Closed integrated platforms—The network security platform vendor implements all security functions in a proprietary environment and can integrate processing across functions, which enables security functions to make processing decisions based on the results of other processing functions. Vendors in this category include Tipping Point Technologies, NetScreen Technologies, BlueCoat Systems, and Array Networks.

Closed separate platforms—The vendor implements all security functions in a proprietary environment without supporting integration across functions. Vendors include Symantec, with its initial Gateway Security product, and Cisco Systems, with its blade approach.

Open integrated platforms—The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the network security platform. Vendors include Nortel/Alteon, CloudShield, and Ingrian Networks.

Open separate platforms—The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the platform; however, integrated processing across functions isn’t supported. Vendors include Crossbeam Systems, Blade Fusion, and OmniCluster Technologies.

Closed integrated platforms offer more effective security via tighter integration between functions, but they require that enterprises abandon the best-of-breed approach to individual functions. Open integrated platforms enable enterprises to stay with best-of-breed options and preserve investments in network security products, as well as reduce the need to migrate security policies to new products.

Both types of separate platforms will be interim offerings until fully integrated capabilities are available. Meaningful integration across functions is a complex issue. Gartner believes that this integration will not provide reliable results until 2H04.
Within these types of platforms, different performance/price points will emerge:Carrier class—Products that run at OC24 and higher rates, and that allow network service providers to offer “in the cloud” security services, which eliminate the need for customer premises equipment and enable low-cost managed service offerings. Enterprise class—Platforms that can process multiple 100 Mbps networks that are used by Global 2000-class enterprises as enterprise intrusion prevention systems. Small and midsize enterprise class—Products that offer limited flexibility or operate at 100 Mbps or lower rates at low price points.

Types of network security platform vendors
Network security product vendors will migrate to offering security platforms, while other network performance management vendors also will provide these platforms. Network-security-focused vendors (such as firewall, intrusion detection, and gateway antivirus companies) will begin to offer security platforms to meet the challenges of blended and application-level attacks, and to address market demand to lower total cost of ownership. By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms.

Content-switching and load-balancing vendors will add security functionality to their platforms, which already offer high-speed processing and deep packet inspection for making caching/load balancing type decisions. These vendors see security as a new revenue stream from their installed base, and as a way to avoid the threat of network security platform vendors that are adding switching and load-balancing functions to their platforms. Although content-switching/load-balancing vendors have extensive experience in wire-speed traffic processing, they don't have deep security expertise. This will prompt network performance vendors to acquire network security technology companies that specialize in deep packet processing.

Network security platform market road map

In 2002, firewall vendors such as Check Point Software Technologies, Symantec, and NetScreen took steps toward becoming network security platform vendors. Check Point announced Smart Defense, which integrates intrusion detection capabilities onto Firewall-1. Symantec's Gateway Security product combines firewall, intrusion detection, gateway antivirus, and URL blocking functions into one appliance. NetScreen’s implementation of simple, signature-based filtering and its acquisition of OneSecure were strong moves in the platform direction.

However, these first-generation efforts provide minimal integration between functions, and they generally don’t add vulnerability assessment capabilities. Newer market entrants such as TippingPoint provide tighter integration of the required functions, but in a closed architecture that will require enterprise testing to determine the effectiveness of the individual firewall, intrusion detection, and antivirus functions, as well as integrated capabilities.

Gartner believes products that fully-integrated network security functions that can operate at wire speeds will not affect the firewall and intrusion detection markets until 2H04. After 2H04, intrusion detection vendors that do not offer network security platforms will begin to exit the market through acquisition by network security platform players or loss of market share.

The initial product focus between 2004 and 2006 will be at the enterprise level, with price points in the $25,000 to $75,000 range. If the telecom market recovers from the economic downturn before 2006, mainstream telecom and Internet service providers will begin to offer managed security services that will drive the development of higher-speed, lower-priced offerings and use-based pricing models. Gartner believes that aggressive telecom providers will offer some “in the cloud” services by late 2004. The low-end, small-and-midsize-enterprise-class network security platform will not be a market factor until 2007, when platforms with limited functionality and processing speeds will be available at price points of less than $10,000.

Managing multiple security devices

Most enterprises have deployed numerous firewalls, and many also have deployed one or more intrusion detection products. Network security platforms will be viable enterprise solutions by 2006, and they will transform today’s disparate network security market. Until that occurs, enterprises that have deployed firewalls and intrusion detection systems can use security device management products to gain a preliminary level of integration between network security products. These products support alarm/alert normalization, aggregation, data reduction and a degree of correlation to greatly reduce the false alarm rate and the operational burden of monitoring security devices. Although the loose integration that is provided by these products doesn't support the speed of response necessary to implement intrusion prevention, security management products enable enterprises to extend their investments in security products and provide a management structure for incorporating advanced security products.

Security management price points will have to drop below the six-figures of current offerings to reach the broad market. Outsourcing the monitoring and management of perimeter network security devices is another option for enterprises that are looking to avoid investing in early-stage technology or limited security staffing levels.

Bottom line

Tighter integration and common management across network security controls is a panacea of Internet security. Network security platforms maintain best-of-breed security approaches while supporting improved attack blocking and lowering total cost of ownership.

Thursday, June 15, 2006

Significant increase in probes reported by FBI

The probes are searching for systems that have vulnerable versions of LPRng, the "Next Generation" version of the widely used LPR printing utility, as well as the RPC daemon used with Network File System (NFS) services. While a large portion of these attacks were the result of U.S./Chinese cyberskirmishes following the downing of a U.S. spy plane, the subsequent hacking traffic has not died down. Check your software distribution's home page for an updated version of LPRng and RPC, and do so without delay!

Remember that automated probes are looking for TCP/IP listening ports that are associated with known system weaknesses. Make sure that you're running your Linux system with all ports disabled; save the ones that you absolutely need. In a terminal window, switch to superuser status, open /etc/inetd.conf, and comment out ports you're not using (for a single-user system that isn't functioning as a server, likely candidates include anonymous FTP, POP3, Telnet, rlogin, and rcp).

New vulnerability in wu-ftpd

I have recently found a article on net that vulnerability has been confirmed in the wu-ftpd FTP daemon. This vulnerability is remotely exploitable and can be used to execute arbitrary code on the vulnerable FTP server.

Because wu-ftpd is such a popular and widely used FTP server, not only for Linux but for other UNIX-derivatives like BSD systems, the security impact is quite high. The fact that most FTP servers in use these days provide anonymous FTP access compounds the problem. This means that a user doesn't even have to authenticate himself or herself on the server as a real user in order to exploit this vulnerability.

The problem is due to the "file globbing" support in wu-ftpd. This globbing allows clients to organize files for FTP actions, such as list and download, based on patterns. A heap corruption problem in the wu-ftpd, in its most innocent form, will simply cause the FTP server to die with a segfault. Unfortunately, this same corruption problem can be exploited to run programs on the server that the user should not be permitted to execute.

Most vendors have released updates to fix this problem quickly. Therefore, if you are running a version of wu-ftpd installed prior to Nov. 27, 2001, you are vulnerable and need to obtain an update from your vendor.