Network Security: Six Burning Questions

Network security is an ongoing concern, but questions remain.

1 2 Page 2
Page 2 of 2

"A tremendous amount of the operating system is undocumented," Lieberman says."They're moving so fast and doing so many releases and updates, no one is keeping track of what they're doing. For instance, if Microsoft goes and changes something for Patch Tuesday, and a [Data Link Library] is changed, they don't bother to change the documentation, and your application stops working. We have to go research this and we find they've changed it."

While acknowledging Microsoft's poor track record, others are a tad more conciliatory.

Microsoft's efforts to improve have had a"positive impact," says Oliver Friedrichs, director of Symantec's Security Response division."We have to give Microsoft some credit for improving operating system security."

In the past few years there just haven't been the types of devastating worm attacks, such as Code Red, Blaster and Nimbda, that exploited holes in Microsoft products to wreck havoc around the world.

"Attackers today are focused on the third-party Web plug-ins," Friedrichs adds.

"It's easy to pick on Microsoft because they're ubiquitous and historically had a problem," says Jon Gossels of SystemExperts."But year after year, their products are getting better, and a lot of professionals out there are trying to find the bugs."

NAC: Is your firewall enough?

Network access control (NAC) isn't for everybody, but it can be a valuable tool for controlling the circumstances under which individuals gain network access. (Compare Network Access Control products.)

That can be valuable for heavily regulated businesses. NAC can perform a comprehensive check of endpoints before they are allowed to get on to corporate networks, and that kind of check can help placate regulators that demand enforcement of policies about how legitimate endpoints must be configured.

Most NAC platforms not only perform this function, but they keep records of performing it, something demanded by various regulations such as payment card industry (PCI) standards and the Health Insurance Portability and Accountability Act (HIPAA).

Screening guest users is a particular problem that NAC can address well, according to Gartner."Most Gartner clients that are planning to deploy NAC report that their first priority is to implement a guest network," says Gartner analyst Lawrence Orans in a report."In 2007, many security managers who viewed NAC as a strategic security process were able to use the near-term benefits of guest networking to justify getting started in NAC."

If businesses have a diverse set of full-time employees, contractors and guests that use their networks regularly, NAC can help assure that the devices they use to connect meet configuration policies. For machines that flunk, NAC can either fix them, quarantine them or grant them access to a network segment with only limited resources and where they can do limited damage.

Similarly, businesses that need to segment their networks based on department or job function can use the authorization controls in NAC to do so on a fairly detailed level.

"We see a perfect storm if companies have multiple compliance requirements (the Sarbanes-Oxley Act, PCI, HIPAA), a diverse workforce (employees, contractors, remote workers, partners, suppliers) and global operations (the need to segment the environment by region, business unit and others)," says Rob Whitely, an analyst with Forrester Research.

NAC will ultimately become an element of layered security architectures that rely less on perimeter firewalls as the main bastion and more on layers of security that seek to mitigate threats, Whiteley says."This is part of a larger trend around de-perimeterization. NAC is not necessary, but will become a critical component for these new security architectures," he says.

Most networks can get by without NAC. The technology reduces the risk that compromised machines gain network access and that they can do damage if they manage to get admitted anyway. But it doesn't guarantee security. NAC came about in response to threats that traditional Layer 3 firewalls couldn't handle, and there are threats that NAC can't handle, but it can make important contributions.

"Ask yourself: Is your firewall enough?" Whiteley says."If so, NAC is most likely unnecessary. It provides the additional host integrity checking, but this provides little value above and beyond more granular authentication and authorization — which are really just attempts to make up for shortcomings of today's firewalls."

Has IT licked patch management?

Patch and vulnerability management tools can take on detecting and protecting vulnerable machines in a mostly static, controlled environment.(Compare Patch and Vulnerability Management products.) The technology area is considered a priority among IT managers, who most likely have spent many years perfecting their vulnerability scanning, patch testing and software distribution processes.

According to an Enterprise Management Associates (EMA) survey, more than three-quarters (76 percent) of 250 IT managers surveyed had some sort of patch management product in house and said patching is an important to very important process. VanDyke Software's fifth annual enterprise security survey of 300 network administrators showed that 30 percent still worry about patching, a number that has declined over the years. Some industry watchers speculate that the lessening concern reflects a maturity in patch management products and in IT managers' processes.

"We really don't have anything that changes what needs to be patched, with the exception of remote access users, who are constantly a difficulty for us to keep patched," says Craig Bush, network administrator at Exactech in Gainesville, Fla. "Currently, we have to wait until the client connects to our VPN to make the updates happen, which isn't always regular."

Bush says his patching processes are mature, but vendors could ease the process by building in time for users to properly test patches before rolling them out across distributed machines.

"Vendors should make sure they are testing patches extensively before pushing them out the door," he says. "This is much easier for open source technologies than it is for closed source companies like Microsoft, which tends to have longer lead times on patches and fixes."

Yet industry watchers say the problems with patching today and going forward will have more to do with user environments than with vendor updates. They warn that while patch management technology can be considered mature, as environments evolve to include more virtualization and complex application infrastructures, patching will need to grow up. And in turn, vendors such as Altiris (now part of Symantec), BigFix, CA, St. Bernard Software, PatchLink and Shavlik Technologies will need to bring support for virtualization and other technologies into their tools to adequately patch customer environments.

"It is a relatively mature technology, but that doesn't mean it's under control. Patching in areas such as virtualization remains considerably immature at this point; server and desktop virtualization are throwing the old rules for patching out the window," says Andi Mann, research director at EMA.

According to Mann, virtualization introduces complexity as well as exponentially more machines to be patched in the same amount of time. This could cause IT managers to hasten the patch testing process, which would ultimately cause configuration conflicts on production machines. "Testing is a critical element of patching, and with immediate threats like zero-day attacks and the proliferation of virtual machines being certain all the updates will work together and protect the environment is more difficult," Mann says.

Add to that dependency patching, says Jasmine Noel, principal analyst at Ptak, Noel & Associates, and patching could become a new challenge for IT managers. As environments get more complex and the number of vendors distributing patches grows, she says, the layers of testing and distribution of updates will break the old approach to patching for many IT managers.

"What still needs work is sequencing patches from multiple vendors because of all the infrastructure layers — hardware, operating system on the physical box, virtualization software and the virtual machines (operating system and application stack) — so what is the right sequence to install your HP, Microsoft and Oracle patches that all came out last Tuesday?" she asks.

This story, "Network Security: Six Burning Questions " was originally published by Network World.

Related:

Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Survey says! Share your insights in our 19th annual State of the CIO study