4 must-have security solutions

Vulnerability and automated patch management top the list

No silver bullets or holy grails can ensure that your corporate network is totally secure from cyberattacks. To mitigate risks, however, most information security professionals agree that a multilayered approach to security is needed. This approach might include technologies such as firewalls, intrusion detection, authentication and access control hardware and software, and antivirus protection on desktop computers and at gateways into the network.

But as the number of threats rises and software vulnerabilities continue to be exposed, information security managers need new technologies and procedures to lock down their networks. Simultaneously, they must keep networks open to people outside the organization such as business partners, citizens, contractors and suppliers. No doubt, many administrators have deployed the technologies mentioned above, but here are four others they should consider.

1. Vulnerability management

Vulnerability management should be at the top of government information technology managers' security priority lists. With legislation and mandates from the Office of Management and Budget that require administrators to secure and accredit systems, determining what assets are at risk from cyberattacks and intrusions should be a high priority.

Vulnerability management hardware and software identify systems and applications that have security holes that attackers can exploit. Leading players in this arena include Qualys Inc. and Foundstone Inc., which McAfee Inc. is in the process of acquiring.

"There is no question that the active implementation [of vulnerability assessment tools] will radically reduce the cost" of certification and accreditation, said Alan Paller, research director at the SANS Institute, a security training and education organization.

Foundstone's flagship product, Foundstone Enterprise, is a network appliance that can continuously monitor and map an organization's global network. It then probes every host system on the network for vulnerabilities. Critical assets are identified and marked for remediation work if necessary. Measurement reports are generated so managers can get a clear picture of the organization's security status.

Qualys officials released a version of the company's scanner appliance, which is bundled with its on-demand vulnerability management service. This version lets users map network topology and run automated vulnerability audits from any Web browser.

These types of vulnerability assessment products and services are essential for government agencies that need to continuously monitor networks for vulnerabilities, said John Pescatore, vice president of Internet security research at Gartner Inc.

2. Automated patch management

You cannot get rid of vulnerabilities if you don't have an automated patch management system, Paller said. There are vulnerabilities in commercial software, such as Microsoft Corp.'s Windows operating system. Attackers can exploit those vulnerabilities, which are being discovered daily, using computer worms or malicious code. And network administrators are racing the clock. Attackers are much quicker at taking advantage of those vulnerabilities. The malicious code, which once took months to make the rounds, now can appear in days, said Chris Farrow, senior manager for regulatory and security research and development at Configuresoft Inc., a maker of configuration management software that includes a patch management software module.

The patch management software builds on the capabilities of Configuresoft's Enterprise Configuration Manager (ECM) suite. ECM gathers configuration information from each Microsoft-based workstation and server on the network and displays a centralized view of the data. Users can view the data from a Web portal or through prepackaged reports.

Because patch management is linked to ECM, IT administrators have information about their systems — such as the registry, disk space, device drives or whether a file to be updated is sitting in the right path — that would be useful for a successful installation of security patches, Farrow said. "Patch management is critical, but it is far from being a silver bullet," he said. "Sixty-five percent of the vulnerabilities could be corrected by better configuration management."

Some industry experts view patch management as a software distribution issue. If an agency doesn't have a good infrastructure for distributing software, then a stand-alone automated patch management product might be more appropriate. Vendors include Big Fix Inc., PatchLink Corp. and St. Bernard Software Inc.

3. Enterprise firewalls and intrusion prevention

Hackers are launching more sophisticated attacks on Web protocols and applications that network-based enterprise firewalls are unable to detect.

"Attacks are moving up to the application layer," and as a result, firewalls that mainly protect the transport layer of the network are less effective, said John Diaz, an analyst with the Computer Incident Advisory Capability, which provides the Energy Department and National Nuclear Security Administration with incident response, reporting and tracking.

New technologies complicate matters. "With the advent of Web services, about 70 percent of attack paths closed with firewalls will be reopened," Diaz said.

To keep these paths closed to attacks, organizations need enterprise firewalls that perform deep-packet inspection, a technique of closely examining the packets of information traversing networks for application-level attacks.

Network-based firewall vendors, including Check Point Software Technologies Ltd., have added more application-level security to detect and block worms and malicious code before they can wreak havoc on a network, said Bill Jensen, Check Point's government marketing manager. The company's Application Intelligence function can "understand not only attacks but how protocols are supposed to [actually] work" to more effectively detect bad network traffic that is disguised to look legitimate.
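The contrast Diaz and Jensen draw, a port-based decision versus one that knows how the protocol is supposed to behave, as an added example that is not code from the article or from any vendor's product. It puts a toy transport-layer filter beside a toy HTTP conformance check and runs both over constructed packets sent to TCP/80; the permitted method set and header-length limit are assumptions made for the demo.

```python
import re

# Added example, not code from the article or from any vendor's product.
# Methods, limits and sample traffic are constructed for the demo.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*\r\n$")
MAX_HEADER_LEN = 1024  # constructed limit on one header field

def transport_filter(dst_port: int) -> bool:
    """Port-only decision, the kind a transport-layer firewall makes."""
    return dst_port in (80, 443)

def http_conformance(payload: bytes) -> tuple:
    """Return (accept, reason); anything not shaped like an HTTP/1.x request head is refused."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of header block"
    lines = head.split(b"\r\n")
    first = REQUEST_LINE.match(lines[0] + b"\r\n")
    if first is None:
        return False, "request line is not HTTP"
    method = first.group("method").decode()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LEN:
            return False, "header field exceeds length limit"
        if not HEADER_LINE.match(line + b"\r\n"):
            return False, "malformed header field"
    return True, "ok"

def inspect(dst_port: int, payload: bytes) -> dict:
    """Port-filter verdict beside the protocol-aware verdict for one packet."""
    app_ok, reason = http_conformance(payload) if dst_port == 80 else (True, "not inspected")
    return {"transport": transport_filter(dst_port), "application": app_ok, "reason": reason}

# Constructed sample payloads, all sent to TCP/80 so the port filter passes every one of them.
SAMPLES = {
    "legit": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "binary": b"\x16\x03\x01\x00\x05hello",  # not HTTP at all, just riding the web port
    "oversize": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"A" * 2000 + b"\r\n\r\n",
    "method": b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:9s} {inspect(80, payload)}")
```

Only the first sample is accepted by both checks; the port filter alone waves all four through.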

Companies such as TippingPoint Technologies Inc. and Juniper Networks Inc. that supply intrusion-prevention products are also offering network appliances that provide deep-packet inspection engines to block worms and malicious code.

4. Token-based identity management

Identity management software is essential for managing user accounts and privileges to ensure that the right people have access to the applications they are authorized to use and that their accounts are closed when they leave an organization or move to different jobs in an agency.

Although demand is growing for identity management software suites that include functions for managing accounts and privileges, access control and user provisioning, IT managers should also consider token-based access control, industry observers say.

Paller said secure tokens that can quickly be plugged into a USB port on a laptop or desktop computer can protect against unauthorized access, especially by employees.

USB tokens are designed to store a person's digital identity. When someone is ready to log in to applications via a PC, virtual private network, wireless network or Web portal, he or she is prompted to enter a unique personal identification number. If the number matches the USB token, access is granted. The numbers stored on the tokens are usually encrypted for additional security.

Leading players in the authentication and access control arena such as Entrust and RSA Security Inc. offer USB tokens. Other companies that provide such technologies include ActivCard Inc., Aladdin Knowledge Systems and Authenex Inc.

Using these layered technologies — vulnerability assessment, scanning and blocking, and intrusion prevention — agency officials can capture about 90 percent of the security holes in their networks, Pescatore said.

Now, as far as addressing vulnerabilities caused inadvertently by uneducated users or IT administrators, that's another story.


Two more solutions

Security compliance gateways: Policy enforcers

The corporate network has no boundaries anymore. Employees, contractors and business partners might connect to an organization's network via laptop computers, PCs or servers from almost any point, including branch offices, homes, hotel kiosks or airport terminals. How do you make sure that these machines comply with corporate policies and are updated with the correct security patches and configured properly?

An emerging class of security compliance gateways can scan networks to ensure that any new machines being hooked onto the network comply with an organization's security policies and are configured properly, said Alan Paller, research director at the SANS Institute, a security training and education organization. John Pescatore, vice president of Internet security research at Gartner Inc., calls this area "scan and block." Both agree that products such as Sygate Inc.'s Secure Enterprise solution fit the bill.

Secure Enterprise includes security agent software that runs on each client machine — laptop computer, PC and server — and on one or more policy management servers distributed enterprisewide. Other agent software runs on enforcement servers inside the network and at the entry into the network.

Security agents protect client machines by combining application-centric firewall capabilities and an intrusion-prevention engine that analyzes traffic for patterns of known attacks. Using Secure Enterprise's endpoint enforcement functions, security agents automatically check compliance and alert information technology administrators about devices that fail to comply with security policies, patches and operating system configurations. Agents can then block network access or direct systems to a remediation area.
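The "scan and block" decision described above, as an added example that is not Sygate's or any vendor's code: a constructed compliance policy is evaluated against what an endpoint agent reports on connect, and a host is either admitted or sent to remediation with every failed check listed. The policy keys, patch identifiers and device reports are all assumptions made for the demo.

```python
from dataclasses import dataclass, field

# Added example, not Sygate's or any vendor's code. Policy names, patch
# identifiers and device reports below are all constructed for the demo.
POLICY = {
    "required_patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
    "max_signature_age_days": 3,
    "host_firewall_required": True,
    "forbidden_services": {"telnet"},
}

@dataclass
class DeviceReport:
    """What an endpoint agent would report when the machine connects."""
    host: str
    installed_patches: set
    signature_age_days: int
    host_firewall_on: bool
    running_services: set = field(default_factory=set)

def evaluate(report: DeviceReport, policy: dict = POLICY) -> dict:
    """Return 'allow', or 'quarantine' with every failed check listed so the
    remediation step knows what to fix rather than only that access was refused."""
    findings = []
    missing = policy["required_patches"] - report.installed_patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if report.signature_age_days > policy["max_signature_age_days"]:
        findings.append(f"antivirus signatures {report.signature_age_days} days old")
    if policy["host_firewall_required"] and not report.host_firewall_on:
        findings.append("host firewall disabled")
    forbidden = report.running_services & policy["forbidden_services"]
    if forbidden:
        findings.append("forbidden services running: " + ", ".join(sorted(forbidden)))
    return {"host": report.host, "action": "quarantine" if findings else "allow", "findings": findings}

# Constructed reports: a compliant laptop and a neglected kiosk.
REPORTS = [
    DeviceReport("laptop-01", {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, 1, True, {"http"}),
    DeviceReport("kiosk-07", {"KB-EXAMPLE-001"}, 9, False, {"telnet", "http"}),
]

if __name__ == "__main__":
    for decision in map(evaluate, REPORTS):
        print(decision["host"], decision["action"], "; ".join(decision["findings"]))
```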

Antivirus: Waves of the future

As an onslaught of new worms and viruses continues to wreak havoc on networks, are antivirus vendors doing anything new to block attacks? Because many viruses are coming through e-mail via the Web, Gartner's Pescatore said something needs to be done about Web mail.

"Desktop antivirus is almost useless," Pescatore said, although he doesn't advocate getting rid of antivirus software on desktop computers. Instead, he points to Network Associates Technology Inc.'s recently released McAfee VirusScan Enterprise 8.0i as the wave of the future. VirusScan integrates antivirus, intrusion-prevention and firewall technology in a single package for desktop PCs and servers. It gives users three technologies for the same price as antivirus client software, Pescatore said.

There is still a need for new kinds of protection for desktop PCs, said Tom Simmons, director of the federal sector for Trend Micro Inc., a maker of antivirus software. Known for its gateway and mail server solutions, the company is tackling Internet-borne worms with its Network VirusWall appliance. Deployed in local-area network segments, Network VirusWall lets IT managers isolate unpatched machines before an attack occurs. It can also send threat-prevention policies to the LAN segments to block attacks.
