Who Said that Your Firewalls Secure Your Network?

Transcript of a webinar by Secure Computing, Gartner and Harris Online ATRI CHATTERJEE:

Let me first introduce you to our distinguished panel of speakers here. Our keynote today is Greg Young. Greg is research vice-president at Gartner. He has over 20 years of IT experience spanning a broad spectrum of experiences in industry, including running a security services organization and being a chief security architect at a company. Greg is a CISSP and a certified common criteria evaluator. Greg today, for those of you who read Gartner reports probably know that he is one of the prolific publishers of research at Gartner.

> View this webinar on-demand right now

Our second speaker is Rhonda Henning. Rhonda is senior scientist at Harris Corporation and also has the unique additional title of security queen. She's responsible for the information assurance methodologies, capabilities, and security conformance for Harris. Rhonda also has a long and distinguished career in technology and security spanning all sorts of things ranging from development, architecture, and implementation at various well known organizations including the FAA and DARPA.

And finally we have Scott Montgomery. Scott is vice-president of product management at Secure Computing. He is responsible for directing and planning the development of all security products here at Secure Computing Corporation. Scott also represents us at various kinds of groups and is closely involved with many of our largest customers in helping them with their deployments and planning.

Without saying any more, let me pass this one to our keynote speaker, Greg Young. Greg, please take us on.

GREG YOUNG: All right, thanks very much. So, first of all, some quick boilerplate. Gartner participation here today does not constitute an endorsement of any products that are mentioned here or not, but I'd like to thank the organizers for inviting us to share our thoughts on the network security market today and our content today is primarily around the network security market, changes we're seeing, and why - you know, sticking with the traditional views is not a good idea.

Overall there's been a significant change in some of the network security landscape that has not been sort of in terms of big events but has been a gradual change. So, first of all, there's one constant is that threats stay still - or threats don't stay still and neither do the networks that they secure either. The DMZs that we've had in place are, you know, have to change themselves and in this effectiveness and efficiency approach we have to build security into the network for the well known threats, but we also have to be prepared for the changes and threats, you know, particularly the ones that we're really seeing a change in terms of the targeted attacks as well. I also want to talk about how, you know, the in the network security versus the non-embedded approaches and also just some of the blending between network security and endpoint security and some of the rumors and the like out there concerning how these should be conjoined.

We do a survey with approximately 1200 CIOs, mostly on large enterprises around the world, so it's a pretty good sampling of what's important to them in terms of business priorities and technology priorities. So, as you look at this chart you see moving from right to left, you know, 2005 up to 2007 that security was pretty high up. You know, it was in the top ten of business priorities for CIOs in past years. However, essentially dropped off - you know, pretty much dropped off the chart as a business priority. The reason for that is security no longer an issue? No, it's not; it's just that we found that there's bigger issues coming up in terms of dealing with some of the rust out in hold back of IT spending in some of these areas. So when you look at some of the top items, you know, real business focus, which seems to match with the business priorities and there is operating costs, you know, keeping costs of IT down, you know, things like Green IT, dealing with data center changes. Those have had huge impacts on enterprises and security just can't currently compete with that. Security spending, though, does, however, remain high and fairly constant.

When we asked them about what their technology priorities are, security does, however, remain high, does remain in the top ten of all the things that CIOs worry about. So in previous years it was number one and number two issue, and again, you know, because of the changes in dealing with [Indiscernible] dealing with changes in spending priorities, dealing with some of the complexities of late, particularly on the application side, security technologies have taken a bit of a drop. So this represents a real challenge for the CISOs and security folks and even the network staff who are tasked with securing this network that they've been given, getting that executive attention, getting this issued raised to top of mind is a real challenge. Now, that being said, because this has been high for several years the education has been done, that management recognizes that security is important. So some of this is a bit of yeah, we get the message, we're moving onto other things; security's still there. But however, it does show that there's a change in priorities that you have to recognize and if you ignore it you ignore at your peril.

We had a research note come out recently called the Current Critical Issues in Securing Your Network. And one of the - I think it was the number one item we put in there was these changes in defense in-depth and we call it the end by end DMZ. Significant changes in particularly the last two years over how our networks are constructed in terms of security and also how they're constructed in terms of general - you know, the network's ability to push packets as is its job is, and the security that goes around that has seen a fundamental shift. One of them is that we seen the change in two particular ways. So, in breadth and in depth. So, clearly, there's a greater focus on defense and depth now, so no longer a single layer in the DMZ, you know, a single or even just a few layers. We're seeing increasing layers of depth between the Internet employs and the endpoint of the data. So, you know, between Web application data with security between those layers and even more between that on the - you know, putting the additional layers between internal resources such as data servers and the internal cloud of employees. A lot of this recognizes that changing threat of, you know, if you have a botnet or an infected laptop that jumps the - you know, it jumps the outside/inside barrier, you have to protect those internal resources. So we're seeing changes to that.

Most of the changes that are happening, though, are really, instead of what kind of business you're in - well, instead of what your security is like it's more what kind of business you're in. So we're seeing what we call these type A enterprises who heavily rely on technology as their lifeblood be the fastest adopters of these changes in network security. And then moving down to the type B's and C's being the most common types of enterprises, use of technology and then type C is a low reliance on technology, them being the latest adopters of that. So it's less about - it's somewhere related to vertical but it's less related about size and it's just about how reliant you are on IT. So this increasing depth is one aspect.

The second aspect is, in terms of breadth, so instead of a single connection method now between all users of your network, we're seeing real change in providing multiple connection methods. So employees can have one connection method, partners another, and also how many steps and what kinds of inspection they go through also based on types of protocols, for example. So we're just seeing a real segmentation on not only types of communication but who's making those communications. And some of this is being supported by more modern products now, which we're able through virtualization, through greater use of - you know, greater - you know, poor densities, greater capacities. Now we're able to support these more complex configurations. Also a real change in consoles, for example, now being able to support things like admins of admins [ph] and the like. So real change there in virtualization acceleration, et cetera, also, you know, having a change on that and virtualization having a very large impact, mostly for the negative, on security infrastructure.

But the biggest change of all of this, the pressure is that as the threats move up the stack inspection has to move up the stack as well. So the network firewall doesn't go away, but there's a demand now for being able to see into and inspect those higher layers of the stacks and things like IPS, whether embedded in the firewall or as a standalone, are really becoming important and great inspection as you go up and not just in pure network parliaments [ph] but also in terms of email inspection. You know URL blocking, the like. So real change in how we're seeing network security constructed.

The perimeter does not go away as part of the discussion, you know, in the previous slide is that we're seeing a greater requirement for depth but the network firewall, that edge of network, is the first, best place to catch things and to stop it. However, you now need increasing levels of depth. You cannot rely on host-only protection because until we have perfect host security we won't be able to rely on them only. And if anybody disbelieves that you can put your personnel server or your payroll server out on the Internet for a few hours and see how you fair. So, again, there's disappearing perimeters. It's just more complex to manage and you require more depth and it's a greater challenge to manage.

In terms of the flavors of network protection, we're really seeing it map to how networks themselves operate. So in terms of email servers there's focus safeguards for that, for you know, secure message and gateway, for application delivery controllers - that's that ADC acronym - it's your SSL termination load balancers, web optimization tollers [ph] are being helped with the Secure Web Gateway, and in terms of the pure networking gear functions are tied with that latency profile to things like what we call next-generation firewall which are that combination of firewall plus intrusion prevention together as a closely coupled platform. There's specific niche markets so we don't see a lot of activity around XML firewalling as a standalone product. The same with database firewalls and some of the content monitoring and filterings. Some of these functions we're seeing really more embedded in other technologies, other pre-existing network technologies. And a very important point is in that last bullet of the separate security control plane, which we're going to speak about in a few moments as well.

This is a different view of how platforms are coming together. So the [Indiscernible] enterprises by network security devices versus other sizes of organizations are very different. So, to date, enterprises still buy best of breed or endpoint products. These point products do come together in two different ways, and they come together at the SMB [ph] and the branch office differently than they do in the enterprise. At the enterprise, which is represented by the blue circles, there's four primary platforms that these security products are coming together. So, in the upper left the firewall and intrusion prevention come together in what we're calling the next-generation firewall. And that's not just sheet metal integration; that's a closely coupled throwing of the two products where there's a well unified console and interoperability and visibility between the products. So there's DPAK and inspection going on and it's not just in serial, and also there's intelligence about how that traffic is handled; it's not just, you know, virtualized - you know, clients, for example, don't just pass off between instances of firewall to IPS to go through multiple inspections for no true benefit. On the upper right side is the border messaging security gateway, anti-virus, IM, and spam, you know, safeguards coming together. The reason those come together is because those are typically more latency tolerant to applications. Whereas firewalls and IPS, you have to keep up with wire speed on your wire speed and the - you know, on the latency tolerant type applications users can wait for a delay; there won't be a noticeable lag for inspection unless it goes on into the minutes. URL filtering and Web antivirus come together in a Secure Web Gateway; you know, there's a report mentioned at the start of the call, speaks about that market. And the VPN products, typically standalone, sometimes [Indiscernible] into the firewall, depending on application. So all of that together, we do see also in a single product but only at typically the small, medium branch - or small, medium businesses and in branch offices. One of the trends we're seeing as well at branch office firewalls or security products for -- in enterprises are typically moving towards being the same product as is what's used in the core. So if you're using Brand X of firewall, you know, in the core of your enterprise or at the primary Internet point of presence you'll also be using that out at the branch offices as well.

And also the - for the largest of enterprises just won't - the platforms just aren't optimized to date to use all of these in a single appliance. There's talk at Moore's Law; however, most Moore's Law gains we're seeing in terms of, you know, processor increase, we typically eat up in the security market with adding new types of safeguards. So a few years ago we didn't know about IM hygiene, we didn't know about spam and anti-spam and things like this. So, as these new safeguards come in based on new types of threats, we typically eat up any Moore's Law gains that we made.

Intrusion prevention, very large market. We sized it about - should be about a billion dollars this year which is considerable when you think that the overall firewall VPN market is about three to four billion, depending on what products are in and out. So it's growing up to be a very large market very, very quickly. And we're going to see that market contract a bit as more of that market goes into the firewall market as next-generation firewalls become more mature. To date most IPS's deploy at the edge. This is not, you know, in-line, deep inspection technology. And contrary to rumors, most deployments are in blocking mode. The majority of users start out at the 20 to 30 percent of signatures and blocking mode and as they learn more about their environment then they tune them upwards. Nobody uses all the signatures in blocking mode typically. And those signatures are deployed more depending on what you're vulnerable to. It doesn't make too much sense to block things that you're not vulnerable to, provided you know you're not vulnerable to them.

Very important issue right now for enterprise is the decision on whether to go with a separate security control plain or embed security in the infrastructure components. Most enterprises we're advising consider the separate security control plain for a number of reasons. On this chart at the top graphic is embedded and at the bottom is the, you know, in the separate security control plain. If you're embedding in the infrastructure you can save some money on some perspective; however, you may end up having to pay downstream by having to upgrade components to accommodate the additional security. Also, this technology is made to move packets not to block them. Also, the operating - the software and core of these products are not intended to be secure. That's not their primary goal, as well as they tend to have a much larger kernel, tend to see more vulnerabilities out of networking components than you see from pure security components. So, from any organization that want to go with a separate security control plain [Indiscernible] that, you know, changes can go on within. Now, for some organizations where you don't have a very dynamic network, you don't - if you're a type C enterprise, definitely embedded makes sense. Sometimes at the branch office it may make sense depending on what the model is. But you should know which path you're on and then stick with that path. The danger is going down a path and you believe you're on the other one.

Suppose we take a step back and look at the market. There's three big changes that have gotten us to where we're at and why we have all these different security markets now instead of just the good ole days of flipping a coin and deciding between RACDEF [ph] and top secret and the going off [Indiscernible] and read the Orange Book and go to conferences. Now, as you look at the right side of this graphic there are a - as time has gone on, as we move up that list we're seeing, you know, considerable change.

Moving from software firewalls certainly at the enterprise is primarily purpose-built appliances we see now for most large networking deployments, not all, but that's, you know, I think where enterprises are leaning. These changes of the threat on the left, we started seeing worms and as the worms have tailed off, you know, as we got through this cycle moving up the stack and a little bit likely it will all back down again, we move to application exploits and we're seeing a very large increase in targeted attacks which is very insidious because your IPS vendor or your firewall vendor will be, at the immediate point, not able to help you, so you have to recognize that and then use that product to defend yourself and then call in your vendor to help you. So knowing how they would respond is a very important factor to consider.

As we get more evasive attacks, more hard to detect things, those technologies on the right have to change as well. So we're seeing combinations of technologies, I think are part of the theme. So the next-generation firewall being a combination of firewall plus IPS and we're seeing a real trend now towards dealing with this problem of dealing with encrypted traffic. So that SSL inspection is not just intended to be a - you know, a break in restart. That's only one sort of technique for, you know, looking at encrypted traffic, but I think there's a bigger issue around dealing with the - you know, as more communication gets pushed through port 80 and the HTTPS port as well that we have the ability to pull that open somehow and be able to look into it as time goes on with increasing need. So that's one of the close in the landscape sort of issues. Not only that, but just being able to determine what protocols are in there as well. Network Access Control (NAC) very over-hyped, very crowded, noisy market. You know, that's confusing a lot of folks and rightly so given all the complexity around that, primarily a lot of tactical deployments today. But as we looking on greater, you know, deep inspection into the traffic stream, it gets interesting to start trying to match that with what our firewalls do with what we do with the vulnerability assessments. We're trying to make the inspection smarter and also make the reactions a bit more intelligent without having them become the source of attacks themselves.

All this to say that, you know, the bad boys and girls are still out there, clearly. They're more motivated by money now instead of just annoying everybody and going with the bragging rights, and that makes a much tougher opponent because, you know, you're quite often going to be - it's going to be you and your incumbent vendors who are going to have to deal with any attack in that case. And quite often, any sort of measures that you can take you had better had put them in place. It's the wrong time to be bring in products. Virtualization represents a real security challenge, mostly breaking security architectures as we understand them, or as you understand them yourself as to what you have in place, and security products themselves need to be secure. So as you're going with a separate security control plain or embedding into the infrastructure, recognize what the pros and the cons are there and make a informed decision about which path you're going to take. Again, a hybrid is fine, but again, as long as you know which path you're on. And that architecture has to be reflected in terms of the reality of what the deployment is.

So thanks very much for that segment. I'd like to turn it over now to Atri.

ATRI CHATTERJEE: Thanks, Greg. Scott?

SCOTT MONTGOMERY: Thanks, Atri; thanks, Greg. I want to take just a moment and talk a little bit for those of you who aren't familiar about Secure Computing. It's just a very high level. We're - if you shook us awake in the middle of the night and said what are you? We'd say we're an Enterprise Gateway security company and we're focused on those security tools in the Enterprise Gateway space that are making a difference for the most heavily abused and used protocols, Web and mail and network firewalling. We also have a strong authentication presence.

But if you look across these slides - I'm not going to read every slide, but I'm going to point out to you what I think is important. With respect to market leadership, we have a great deal invested here. We have a great deal of customers and organizations who invest in us, which represents very well in terms of our penetration into the market. With respect to technology leadership, we're going to talk a little bit in a moment about Trusted Source, a real-time Internet reputation system and how we've integrated that across all of the products. But this is a very mature company, very mature technology. We've been around the public since the mid 90s and at present we have about a 1,000 employees and we're going to do about $300 million this year. So there's a great deal of separation between Secure Computing and those 800 security companies in the Silicon Valley area, which are going to do no more than a million dollars in revenue lifetime. Most of them are building a widget in order to be bought by somebody much, much larger. We're here to stay.

So, if we take a look for a moment, we're going to focus basically on this segment of our strategy, the network gateway and securing your network edge. But if we look at the rest of the Secure Computing strategy, this is a very layered approach between network gateways and application gateways. Moving from left to right, we have technology that will authenticate users prior to their entrance into network resources, whether they're DMZ resources or other protected resources or remote users getting to actual data within the network, and we obviously are talking about our network edge technology securing and using traditional firewalling and IPS and utilizing some non-traditional ways that we'll be talking about in a few minutes.

If we move one column to the right to the application gateway, this is where we have a lot of powerful technology and customers who have invested in either a Messaging Gateway or a Web Gateway or both. And you can see that a lot of the areas that we focus on our similar with respect to anti-malware, with respect to compliance, with respect to encryption, because we believe that we're far ahead of the curve in so far as inspecting inside. You know, Greg alluded to the need to be able to be aware of the presence of attacks or bad payload, regardless of whether the protocol is encrypted or not. We actually have decryption and inspection across all of these products. So we believe we're at the forefront of that.

A quick translation of these spaces into the product names. There's SafeWord for our strong authentication play in ensuring the identity and access, IronMail with respect to securing traditional messaging communications, Webwasher with respect to Web communications. But what we're going to focus on is Sidewinder and the network edge. So, Sidewinder, this is a bidirectional firewall and one of the things that we think that is important here is that we're capable of doing the same level of inspection regardless of which direction the traffic is going, regardless of what the intent of the traffic is. So if we're looking at incoming network protection this is unknown sources trying to access corporate or protected resource. The one thing I want to point out here is that with respect to securing active connections, reputation-based firewalling. We're unique in the industry in this in that we are utilizing a global reputation database to make policy-based decisions or to enable administrators to make policy-based decisions. We'll talk a little bit more about that in a moment. But if you look at the right column, outgoing network protection, this is basically fairly similar in terms of what the controls are. And we believe that this level of control, the ability to inspect within encrypted packets in both directions is going to become extremely important to administrators as they try and protect themselves from tunneling across ubiquitous, very porous protocols such as sys-L [ph] or a sys-H [ph].

So I've mentioned a couple times about Trusted Source in a global reputation database. What we have here is a system by which our devices throughout the world, whether they're Web Gateways, whether they're Mail Gateways, whether they're Network Gateways, report upon source IP and destination activity. This no different than what could be glean from a snoop of the traffic or a NS look-up. There is not proprietary or private company payload that's examined. But by collecting billions and billions of transactions about - actually, this slide's a little bit dated. We're up to about 140 billion messages and transactions per month. You get to see a little bit with respect to social networking, persistence and longevity.

For instance, spammers, they send out a great deal of information but they don't really traditionally receive anything. So you can begin to guess a little bit about the nature of an IP by the behavior that you see. Other examples of this would be longevity. For instance, Rhonda represents Harris Corporation, Harris.com, the network records for that are very static. They've been there for years and years and years. They may bring on a new MX record for a mail server online every now and again as they're load increases. But by and large, their IP infrastructure as far as the public and Internet know is very static; it stays the same.

Well, spammers and zombie networks aren't like that. They come up, they go down, they come up, the go away. So, again, basically if you're looking at only the traffic on our network you're going to be aware of what has arrived at your network. We look at this from the global perspective. What is arriving at our customers' networks? Where is it coming from? What's the nature of those IPs? The most analogous situation in the real world is a credit system. So if you pay your bills on time, you pay off a car loan early, you've never had defaulted on a home mortgage your credit score remains pretty high. But bad behavior, being late on bills, missing a mortgage payment, having a car repossessed, it affects your credit score, but it is a fluctuating score, not a binary, not a hard yes or a hard no, this is good or bad. There are thresholds. There are numeric thresholds. It's the same thing with Trusted Source. So we give a number and allow people to set thresholds based on the score to determine is this potentially bad? Is it definitely bad? Is it potentially good? Is it definitely good? And they then make policy-based decisions according to the results. And again, this is all in real-time. All of the products utilizing Trust Source in real-time for IP information, domain information, URL information, image and message information.

And I do want to dwell on this a little bit because I think this represents a significant shift in the way that we do firewalling. If you are building your network out there and trying to play Moore's Law - you know, Greg mentioned Moore's Law. If you're trying to fight the battle of attacks one signature at a time, you've already fought and lost that battle, folks. The for-profit and State sponsored attackers are no longer utilizing some silly tool kit that is repeated thousands and thousands of times across networks. They are looking at your organization, gleaning what they can from reconnaissance during your busiest network times and then building specific attacks to compromise your specific network. Guess what? There is not a signature for that.

So, what we're trying to do here is two things. We want to give people the ability to do some country source blocking. If you have no reason to be doing business with a particular geography we're going to give you the ability to do a blocking or higher level of logging or whatever you choose as a response based on an incoming source IP. Now, some of you may not be able to do blocking, but you may want to know more about the connection aspects of a connection coming from what you deem to be, by policy, a dangerous IP block. And then sender source blocking. Again, the simple example here is what are the connection mechanisms that your business partners utilize to communicate with you? And if you're receiving communications, even from your partners, on unwanted protocols, why support those? If you're expecting everything via Web services and suddenly you're getting a lot of SSTP, why support that?

So, the way that we do that with Sidewinder is basically a two-fold system. We're build to top, literally this is going on 12 years, fielded in live production networks, our secure operating system. I won't have a lot of time to devote to this. I would be happy to go into depth if you're interested. This a mandatory access control system. It sounds pretty smart and intelligent and sophisticated; it isn't. It's actually quite dumb. That's the point. The software kernel of our device has what is basically a white list of activities that are allowed to occur for every file, every directly, every executable on the box. So if a command comes from the external or Internet facing DNS server we run BIND. BIND is a notoriously shaky package, but it's what we use for name services. But when an attacker compromises BIND running on a box the purpose is to fork a shell or execute arbitrary code basically with the same permissions that BIND has. And on many devices, not Secure Computing Sidewinders, but on many devices that could be rude. So now you have somebody who's sitting on the software kernel with the permissions of root. With Sidewinder, each one of these little executables has a finite list of permissions that are allowed to occur. It's not theoretical, it's not well, it's just smart programming; it's quite dumb. It's a white list. DNS on the exterior Internet facing side is allowed to duh, log names - or look up names, and duh, log what it did. That's it. So if this is attacked successfully and somebody says I want to fork a shell; I want to execute arbitrary code; I want to look at the contents of the shadow password file, when that gets to the software kernel it looks at the white list and says I just can't support that activity. It's not smart programming. It's very, very simple, very, very, very down to earth. That's the whole reason that we never had a CERT issued against us in 12 years of fielded service.

Atop that secure operating system we layer a number of controls that are going to allow administrators a great deal of granular control over the traffic that comes in and out of their networks. At the network layer, very, very fine DOS and DDOS protection. We have some patent-pending advances in high availability. Our V-LAN implementation is being utilized by a number of different customers. We have some new customers that have bought Sidewinders literally because of the way we're doing VLAN-ing (sic). From the intrusion prevention standpoint, we went with a two-fold process. We have a signature partner called Endeavor Security. We have an acceleration partner called Terrari [ph] working with Secure Computing to accelerate the activity of looking at intrusion prevention signatures. So, why do other providers have problems? Look at signatures is very CPU intensive. We have made this a silicon-based problem, hardware-based problem rather than using software in order to maintain line speeds. Our Onbox services, a lot of folks using us for split DNS so that they can have secure DNS on both sides of the device. But the real meat and potatoes here is in the top two stripes. Application Gateway Security, this is the whole meat and potatoes. People want to be able to inspect at layer seven a variety of different kinds of traffic and ensure that what is in the Ethernet frame is what it has reported. If I have something coming across an Oracle SQL connection or [Indiscernible] and what's in the Ethernet frame isn't Oracle but is some other protocol, why would I want to support that? That would be bad. That would be dumb. This is what proxies do, they insure that what is in the policy matches what is in the frame. And then something that basically nobody else has is our global intelligence. Tight integration on a per policy basis with our Trusted Source reputation database. And at the left you can see that for the first time, with respect to Sidewinder, we are managing this in one single rule view. Every single one of these services available from one screen to be managed on a this is the most important policy, this is the next most important policy, et cetera. I want more inspection on a particular rule, I turn it on. I want less inspection on particular rule, I turn it down. I want more logging, I turn it up. But all in one single rule view.

So, one of the things that I'm very happy about in our partnership in working with Gartner is that for the first time in my career I feel like the device that we have available to the general public lines up with Gartner's notion of what the next most important security tool should be very, very, very closely, and in my opinion, more closely than some of our competitors. If you look a Gartner's next-generation firewall sort of cookbook, the left column represents some papers that Greg himself has contributed to an authored and basically on the right is how we lined up with Sidewinder 7.0. If you look at the first two together, both single and large deployments and management for branches from a centralized location, we have a system where from the NIC - we have a NIC-based firewall to small form factor firewall to carrier grade. All devices can be managed from one central location in our command center. And we have customers that to do exactly that, code base from carrier grade all the way down to small form factor is the exact same code base. So you can get the same protections in the branch that you do at the datacenter.

If you need to go down to the very remote part, home office or small office branch, the code base is a little bit stripped down, but it's still managed from the same place. So you can manage your entire security perimeter security posture from one place.

High thru-put, we just published a paper where we took on one of our competitors head-to-head in a layer 7 inspection test and we maintained a gigabit plus full application inspection, gigabit plus thru-put where our competitor was - when they turned on more inspection on a per policy basis was down around the 300 megabyte thru-put standpoint.

Network IPS and preventing malware, we talked a little bit about this. We're accelerating our IPS and leveraging award-winning anti-malware kit from our Webwasher technology. By having multiple layers of gateway we have multiple layers of technology available to us. Our own anti-malware from Webwasher happened to be the best kit available; that's the one we're using. Close integration of all functions. I love Greg's phrase sheet metal integration and I know exactly what he's talking about. I've been building firewalls for 15 years. And a lot of times you see something where, yeah, it's sort of slapped together and you see a little bit of bailing wire and what have you. All of our functions, everything we've talked about today is available in the same UI, available on a per policy basis. If you want Trusted Source on a particular policy you turn it on. If you want signature-based inspection on a particular policy you turn it on. It's just that simple. So, we believe that we have achieved that where we have a definite tight integration, even for those technologies that we don't make ourselves, like our signature database from a company called Endeavor, like one of our anti-virus providers, Sophos Antivirus, all of those controls are within our single rule view, regardless off who made them.

With that, I'd like to turn the presentation over to Rhonda Henning who has been running some security deployments for Harris for longer than I've been building firewalls. So, Rhonda, please take it away.

RHONDA HENNING: Sure. Thanks, Scott. As Scott said, I am a Sidewinder customer and I've been a long time Secure Computing follower from the days when - well, from the free Sidewinder days, to go all the way back. And my role at Harris is the senior security architect for our customers' solutions. And I'm sure most of you don't know who Harris is, so let's start with what is it, or what is this company that uses these Sidewinders?

We're headquartered in Melbourne, Florida, and today we're having a nice, bright, sunny day. And we have a customer base that extends out to over 150 countries with almost $4 billion in sales. Our last annual report was $3.5 billion. We have about 14,000 employees and we were founded way back in 1895 in the publishing industry. And before you say well, you know, it's nice you've got some size to you and things but what exactly is it you do. Well, we participate in two different spaces in communications and IT systems. One is the government space. In the government space we are the leading provider of communication systems for the FAA (Federal Aviation Administration); that's the group of people that are responsible for air traffic control. And we provide their complete Wide Area Network Infrastructure. We also provide the wireless infrastructure associated with the upcoming 2010 census. We're piloting the handheld capabilities for the U.S. Census Bureau. We also do a considerable amount of high frequency multi-band tactical radios for the military services. They like our products. We like - and they work very well. In the commercial communications segment we are the world leader in television and radio broadcast infrastructure, including content management systems and high definition TV and radio transmission systems. And we are the number one microwave systems provider in North American, providing microwave infrastructure to private and public consumers or subscribers.

Now, within that realm, as you might as you might suspect, to be a good communications provider you have to be a good security provider. So we try very hard for our customers to provide high value and low risk communications infrastructures. And our customers have very critical missions. It doesn't do if the network dies or if a denial service attack impacts the backbone infrastructures of our customers. They want their data to be available. They want it to be secure. They want confidentiality. They want privacy. So we have to find a way to give that to them. And by the way, since we're dealing with sites that could be scattered all over the United States or all over the world we prefer to do centralized security policy management, meaning I can provision devices, I can change policy from a central location, and I can monitor systems from that central location so I know what's going on through my security information management and my event management toolset on a 7 by 24 by 365 basis. Our customer community does not tolerate failure is the best way I can describe it. And the other thing our customers are very adamant on is that our systems survive the Federal certification and accreditation process for systems. Just as the Sidewinder goes through a common criteria evaluation, the integrated capability of the Sidewinder plus all of the other components of our layered defense in-depth infrastructure goes through a complete certification and accreditation by the customer security organization, which by the way, our customers have no control over; they're totally independent. And they come in and live with us for a while and make sure that we're doing what we claim we are doing as far as maintaining the security and the operational status of their networks.

Now, the program that I'm talking about and the program where we have our largest deployment of Sidewinders is a mission-critical federal network modernization. This is a network where the technology was previously based on proprietary protocol, a lot of them were very custom, a lot of them were very old. And the customer badly needed to gain economies of grooming I guess is the best way to put it, where we could do consolidation of communications requirements from the carrier based infrastructure. So the system and the modernization was designed from the ground up, complete re-architecture and instantiation of security policy, architecture products, configuration and provisioning and operation. The goal in life for this network is to maintain a known secure state at all times for all locations. And we have approximately 15,000 distinct sites in this infrastructure and those sites range from the size of a single router to 24, 25 racks of equipment, depending on the size of the facility. We have to make sure that there's connectivity not only within the customer community but with the customer's partners as well. Our customers have commercial organizations that depend on their data and the commercial data providers also expect to have availability and accessibility of their information. At the same time, our customers do not particularly want their data to be tampered with. In other words, they want feeds to external sources to be a read-only, one direction connection. But we have to be able to provide that connection reliably. If you can't provide it reliably we're not going to stay in business. And we have some very interesting service level agreements. If I take a region of the United States down it costs me $200,000 every time it happens and every time it lasts more than ten minutes at a time. So, obviously, we don't like that to happen very often because my management gets very upset when that occurs.

So that's one of the reasons that we actually went with Secure Computing. Because we enjoy the fact and benefit from the fact they have a very long history in the information assurance field; they pioneered the work on type enforcement. Back when I was a young security engineer I remember Earl Boebert walking in the building and everyone sort of humbly walked behind him. And that technology eventually became embodied and evolved into the Sidewinder. We like the fact the Sidewinder gives us the ability to be flexible with our customers because our customers don't always use standard protocols. If would be nice if we could convince everyone and convert everyone at the same time, but it doesn't always work that way. So we have to be able to accommodate legacy, as well as accommodate what is evolving and what is migrating to current generation technology. It also means that we have to support a very diverse set of environments; we also have to be able to manage and integrate. If I can't provide global situational awareness and do that from my security information management consoles it doesn't help me. So I have the ability with Secure Computing to integrate their capability into my send [ph] environment and function as a common operational picture, giving me full situational awareness.

We have the ability in Secure Computing to influence product direction. We had a very long and heated discussion with Scott about the concept of failing open. Our particular application, the traffic has to get through. For some of our customers it's a matter of life and death that the connectivity remain in place. So, failing closed, which is what the preferred approach for security practitioner, is not always an option because in our world availability and integrity is every bit as important, if not more so, than confidentiality. So, the fact that Secure Computing supported us and worked with us to figure out how to fail open as well as fail close is a major plus in our customers' eyes.

The other thing that we really like about Secure Computing is the fact that we have all the security features that you get in a proxy firewall, which is very necessary when you're dealing with such a diverse set of protocols, and we get the performance that we need to be able to do high speed networking in a very dynamic world and that is extremely important because when you're dealing with data that has to get there you want to make sure that it gets to where it is suppose to be when it is supposed to be there. And for those reasons we are very pleased to be a partner and to use the Secure Computing products integrated with our infrastructure.

And with that, we will turn it back over to Atri.

ATRI CHATTERJEE: Thank you, Rhonda. Thank you, everyone. Thank you very much. We are now going into - we've got a ton of questions and let me just give you a quick housekeeping on how we're going to deal with this. I have been going through a variety of the questions that we've been receiving and marking them and I will read them out for the next - actually, nicely distributed amongst all our speakers. Anything that we don't get to, because we run out of time or something, we will make sure to answer those questions and send you those answers on email. So, rest assured, any questions not answered directly and during the session will be answered on email. We'll do our best to address as many of them as possible.

While we are going through the question and answers session, just wanted to let you know we do have a special offer, a 30 day evaluation of the Sidewinder product. There's a phone number up there, 800-379-4944, if you would like to participate in this, if you haven't tired out the Sidewinder product yet. We also encourage you to please fill out the survey. That always helps us with improving these types of things that we do. You also get a copy of the Magic Quadrant report done by Gartner on the Web Gateway Security.

Now, with that said, let me get to the questions. I have several questions here for Greg. Let me start off with one. The first one that I thin is probably relevant is what is the best way to protect VoIP network that is combined with a regular network? So, that one is for Greg.

GREG YOUNG: There's some very different issues with securing voice. So a couple of factors come into play. So one is understanding where the voice network is delivered. Is it delivered via the general purpose network or is it in a separate network primarily for voice communication? So I think one of the biggest factors - two of the biggest factors in securing it, or number one is vulnerability protection. The initial parade of voice products that came out were highly vulnerable. In fact, there was, you know, the initial sort of few products that came out. They all had vulnerabilities into them in almost every service. So, I think understanding where your voice infrastructure is and providing some vulnerability assessment, vulnerability manage for that is one, and you know, [Indiscernible] any short of shield can be part of that. I think next is, you know, denial service protection. Again, most voice implementations are primarily internal ones. So I think those two factors, protecting against denial service, whether it be intentional or unintentional, having a plan B for when those communications do go out, and then there's the vulnerability, you know, the vulnerability production side.

ATRI CHATTERJEE: Great. Anything to add, Scott or Rhonda?

RHONDA HENNING: Nope.

ATRI CHATTERJEE: Okay. Another question for Greg. This actually is specific to your presentation. I thought maybe we could address those. There are a couple of questions here. One is what exactly do you mean by a separate security control plan? And the other one is what do you - what is meant by a virtualized network security and how is that handled? Two sort of related questions on some of the slides that you had.

GREG YOUNG: Right. The separate security control plain means having appliances and safeguards that are standalone for providing security. The alternative when it's embedded in the network is where you'll see it, you know, in a general purpose networking device, you know, combined with them. So whether it's in a switch or whether it's combined in a router, you know, or some other combination of what's intended to be a general purpose networking gear that also has security built into it. So that's the first part of the question. ATRI CHATTERJEE: The second one - let's go back here. Sorry. The virtualized network security -

GREG YOUNG: Oh, right. Thank you.

ATRI CHATTERJEE: Yeah.

GREG YOUNG: Yeah, there's - virtualization comes into play in three aspects in security that cause us concern. The first is the - is not so much a concern but just understanding it is when you have, for example, in a single firewall you have multiple instances of that firewall as part of the security product. So many of the more modern safeguards now, whether it be firewalls, IPS, other safeguards, you can have multiple instances of what looks like a separate appliance but in fact it's in the same box but providing very different services. So it's nice to be able to customize as we talked about that end by end DMZ you can have a - you know, what appears to be a separate firewall assigned for an interface or the like. The second aspect is in VLANing, having VLAN aware type products. That's fairly straightforward provided that you understand the weaknesses and you know, that VLANs alone do not provide security.

The real concern, though, is in virtualization of servers. So where you thought that you had separate physical servers across your different layers of your security architecture, when those are collapsed together you can lose that separation. So you may have a great series of firewalls separating these layers but if you join the servers together into a single component you've got a - you know, a vulnerable aspect there. And the next is network attach storage, SANS, when you compress the storage together you can also break what you thought was a secure architecture. So, you know, when you combine the storage from your data server with your Web server you make the job for an attacker quite easy when they just have to compromise the Web server and they may be able to then more easily compromise the - you know, through the storage plain.

ATRI CHATTERJEE: Excellent. Great. Thanks, Greg. We've got a question for Scott. I'll give Greg a little break here. Scott, this one's for you. Everyone claims to have central management and reporting. What specifically is unique about the Sidewinder Central Management and Reporting Solution and what can you call out here. You give us a little bit in your presentation. Maybe if you summarize some of the core distinguishing points here.

SCOTT MONTGOMERY: Sure. It's a great question, and it's true, I once visited a multi-national bank where they showed me a room full of racks of equipment. I said oh, is this where the Sidewinders are? And the fellow says well, no, this is our racks of enterprise managers for all of the products that we have. So, yeah, I hear you loud and clear with respect to is this me too or is this clearly taking a leadership position? And I believe it is more the latter. One of the things that we wanted to ensure was that we gave flexibility to end users. And one of the key defining things here I believe is the ability to import an existing firewall set. So if there is a firewall where the local policies are actually the ones that need to be captured and utilized through the enterprise management system an import can be done and a real-time review of the rules can be done in order to say yes, these rules are the ones that will work, these are the ones that should be replaced by global objects and rules, so a very powerful, flexible way to not have to redo a lot of work if you're introducing enterprise management into an existing network set-up.

One of the other things I think that is key is the ability to aggregate or subdivide based on your particular corporation's needs. So, for instance, if you want to see the enterprise rollup of all of the logs aggregated to show how many DOS's across the entire infrastructure you can do that. If you want to subdivide - one of the interesting things about Gartner's criteria is service level view of what's going on. And I think it's very interesting because we've heard this from a lot of customers as well, which is - obviously, well, Gartner is hearing it as well - where they say well, we want to be able to report based on billing. So if I have a particular business unit that is using this much bandwidth or is being attacked this much or requires this much protection or requires this much inspection I want to be able to bill appropriately. And we give - through the reporting technology that we have we give the ability to say okay, well, everything that's in Arizona could be reported here; everything that's in Idaho can be reported here, or everything that's west of the Mississippi or east of the Mississippi. We don't' make any logical distinctions. We don't force you into any particular buckets. If you need to do it geographically you can do it geographically. If you need to do it via business unit or business purpose or size of business, we don't make any definitions there. So I think we are limiting ourselves very well to a centralized management play.

ATRI CHATTERJEE: Great. Thanks, Scott. Actually, while you're on a roll I thought I would give you another question and then go on to a question for Rhonda. Here's a question that I think that you probably will be to answer. I was reading that hackers say that they can just tunnel attacks or use encrypted protocols because of all the firewalls just pass through - let them pass through. Isn't there something that firewalls should be doing here for encrypted traffic?

SCOTT MONTGOMERY: Oh, amen, brother. I don't know who asked that but this is a genius question. The long and the short of it is that there are - and Greg can probably speak to the numbers, but I would say 85% of the organizations out there, when they receive an encrypted packet simply do the ostrich approach, push their head through the sand and just hope that everything that is in it is okay. I think there's a small percentage of organizations, maybe 10% of the remainder that are blocking encrypted packets that they can't terminate and decrypt and then maybe 5% really heavy lifting your super Secret Squirrel intelligence community guys nd some really heavy lifting banks are actually doing something about it. So the short answer is yeah, I believe you should be inspecting, and the way that we're doing that in Sidewinder is two-fold. We have an number of traditional vanilla, according to Hoyle [ph] IP SEC mechanisms, so if it's an expected packet from an expected partner we can encrypt and decrypt accordingly. But if you're receiving an HTTPS packet from a client in the wild and you're not decrypting that for the purpose of a security examination you're rolling the dice. With Sidewinder we do exactly that. We have another - a card available which we will use to accelerate the handshake. For us the SSL handshake is the heavy lifting, so we offload that to silicon, we decrypt. We terminate the session, we decrypt, we inspect for the purpose of security examination, whether it's to remove embedded mobile code or look for the presence of a signature based attack or control headers or header lengths, whatever. We're also extending that capability in the short-term to a really nasty tunneling protocol nightmare, SSH. So we'll have a fully functioning SSH proxy which will terminate, decrypt, inspect, and re-encrypt.

So, yeah, I believe that the firewall is responsible for that and we're stepping up to the challenge.

ATRI CHATTERJEE: Great. Greg, anything to add to that on the whole issue of encrypted traffic and how we should be dealing with it?

GREG YOUNG: No, I think there's - you know, there's some - certainly some intelligence you can gain based on, you know, the behavior of that [Indiscernible] but I think the big issue is that not only does it blind, you know, firewalls but the deep inspection technologies, and also some non-security technologies such as Web optimization controllers, which if they can't peak into the traffic to determine what protocol it is they can't balance it appropriately, so certainly an increasing problem across [Indiscernible].

SCOTT MONTGOMERY: I think, Atri, one other thing that's worth mentioning. For non-encrypted tunneling, so I saw several questions with respect to this throughout the list. So people are trying to get peer-to-peer clients out through the firewall and they're finding a very porous port 80, for example. Well, traffic going through port 80 that is not traditional browser to Web server traffic doesn't look the same. The header controls of eDonkey or [Indiscernible] (Overlapping conversation)

ATRI CHATTERJEE: Yeah.

SCOTT MONTGOMERY: Or what have you. It doesn't look the same. And that's the whole reason that we utilize our application inspection to say okay, what is coming through this Ethernet frame is trying to make access to port 80 on the firewall but it is not in fact a Web browser; I'm going to deny it. I'm going to deny this traffic because it's against policy. So I believe yeah, we're absolutely taking responsibility for that kind of traffic as well. If you want only port 80 traffic to be Web - clients going to Web servers we can help.

ATRI CHATTERJEE: Yep. Excellent. And a question for you Rhonda. Here's someone who had a specific question about how you've worked with Sidewinder. How has the Sidewinder integrated with your wireless solutions and have there been any wireless related issues arising out of this, especially when securing and managing across several access points?

RHONDA HENNING: Well, we haven't had an issue with it yet. Knock on wood. I'm sure something will happen today just to make life interesting. But we use - the Sidewinders are part of our backbone infrastructure, not necessarily at the user access points. So we don't really see a significant impact through the wireless infrastructure because where there's a wireless access point it gets translated into a wired connection before it ever hits our Sidewinder implementations. So we really don't see a significant impact.

ATRI CHATTERJEE: Okay. Excellent. Here's a question that I think any one of you can take on. I think it's pretty relevant because it sort of points to what's happening in the world today in a lot of our environments is that the questions says we talk a lot about incoming and outgoing network protection but a lot of attacks happen on the Internet through malicious insiders or unknowing insiders, frankly - that's an editorial add-on from me - what protection is available for that category of users? How do we track what happens with those internal users and do they have to be implicitly trusted or what protective measures can we take? Who wants to take that one on?

SCOTT MONTGOMERY: I'll have a go first if that's all right. So, we definitely have - and I think Rhonda's customer may even be one of them where aspects of the network are subdivided in order to provide not only strict access control but also potentially authentication. So, for example, if Jim is on the engineering network and is trying to access the finance network we can utilize a single sign-on challenge to make sure that Jim has proper credentials to get to that network. So we do see a lot of intranet firewalling as well utilizing Sidewinder.

And then I think the other thing that's key, it's not specific to Sidewinder, but among Secure Computing technology we actually have the ability to look at encrypted outbound payload from a network segment to ensure that it complies to network and compliance policies. So, for example, if you're sending an email out of the infrastructure or you're sending something to a Web mail infrastructure that included credit card numbers, for example, we're able to terminate, decrypt, inspect for the purpose of a data leakage. Again, whether - like Atri said, whether it's malicious or whether it's inadvertent. So, yeah, I believe we have - now, obviously a dedicated insider who has physical access as well as virtual access is going to be very, very potentially damaging. But I do believe we allow customers to mitigate that risk.

RHONDA HENNING: I think another thing that you have to look at with insider threat is whether or not the system has been adequately partitioned or separated from a privilege level to start with. In other words, a user can only do what a user is allowed to do. So if a user has been given carte blanche than you get what you deserve. As Scott said, in our customers' case we have very stringent separation of duty requirements that say our security managers cannot see and cannot impact the same devices as our network fault management teams can. And further than that, we've partitioned the network into the absolute mission-critical traffic, as well as administrative traffic and we do the management traffic totally out of band from either of those partitions. So by prudent use of policy and by prudent use of separation you can do a lot of activity to prevent insider threat and through the use of next-gen firewall technologies like Sidewinder you can mitigate even more.

ATRI CHATTERJEE: Excellent. Thanks, Rhonda. Actually, we've got a couple of minutes left and I wanted to address a couple of - one question in particular which has to deal with dollars and cents and money. It's sort of open to the group. Here's the question: a major concern is spending. It's hard to justify a firewall then a application - a traditional firewall then an application firewall and database firewall, IDS and IPS, a Web filtering solutions and so on and so forth. What are your recommendations on how a company deals with these multiple threats and without really, you know, breaking the bank? Who wants to take that? Greg, can we start with you?

GREG YOUNG: Sure. I'll give you the -- sort of the industry view first. You certainly need the majority of those safeguards. That's the bad news and what the threat environment we're in today, so you do need a lot of security stuff. Where you can keep the spending down is in a couple of areas. So, first is placement. For example, you don't need IPS at every network junction point. You don't need it, you know, on every LAN switch. So, you know, picking where you're going to do - where you're going to do a deep inspection is one factor. Also, looking at technologies like firewall virtualization, you know, is another example where you can keep costs down, you can press costs together, and also looking for that - on that slide we showed you where you had similar products converged together, such as firewall plus IPS and those other measures. That's a way to keep some capital costs down and even some recurring costs down when you have them on the same appliance. What you don't want is, you know, [Indiscernible] see a threat, buy an appliance. You want to try to rationalize that. Also, we've had some scaling issues as well of looking at capacity and making some hard decisions as well between - for example, between a Web application firewall and application scanning you may only want to do one of the two.

ATRI CHATTERJEE: Excellent. Anything to add to that, Rhonda, from your perspective, you know, as a person who's deployed some of these technologies?

RHONDA HENNING: I mean, the bottom line with deploying any security technology or all security technologies is what benefit are you getting back for the threat you're countering? It's very easy to say I must counter every threat. In reality not all threats are necessarily worth countering. I'll give you a case in point. There are places in our network where data is refreshed every ten seconds. So the amount of traffic that would have to be spoofed to be able to launch certain classes of attacks is just - it would be cost prohibitive for an intrude to go to those extremes because you'd have to spoof not only one set of data that's being replicated every ten seconds but you'd have to replicate several sets because they overlap and there's redundancy built in. So there are ways to counter the costs and there are ways to balance the risk but it comes down to the business decision of how much risk an organization can tolerate. And that's something that every organization has to decide on by themselves.

ATRI CHATTERJEE: Excellent. That's very good advice. We are out of time. It's been over 75 minutes now that we've been on this call. Really appreciate all of the attendees for sticking with us. I think we've got almost 500 people still on the call here. Wanted to thank our speakers Greg Young and Rhonda Henning, as well as Scott Montgomery. Thank you very much. I wanted to remind everyone that we will respond to every question. We have 65 questions here and we only addressed about half a dozen of them or maybe a dozen of them. We will send you response to - answers to every one of these questions to the best of our abilities. Finally, I just wanted to remind everyone to please fill out the survey as well as take us up on the 30-day free trial for Sidewinder. Thank you very much for joining us.


About the Author




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.