Seven Security Technologies To Watch

Next-generation tools secure applications and wireless networks and manage user identities

Most government agencies have — or should have — basic security devices such as firewalls and intrusion-detection systems in place to help protect their networks. Such technology is fairly well understood and has been increasingly successful in stopping intrusions into enterprise networks.

But new and more sophisticated kinds of attacks have emerged over the past year or so. Viruses and worms attached to e-mails or disguised in the body of other application data pass unnoticed through network firewalls and have wreaked havoc around the globe.

Legislative mandates such as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 have increased the pressure on organizations to make sure their data is wrapped up even tighter.

As Web applications such as Extensible Markup Language-based Web services proliferate, and wireless technologies and mobile devices push the edge of the network out ever further from the comfortable confines of corporate headquarters, traditional methods of ensuring security will no longer be enough.

Here are snapshots of some of the next-generation security technologies and the problems they are intended to address.

SSL VPNs

Problem: Traditional virtual private networks based on IP Security (IPSec) are great for site-to-site connections, but client software has to be installed and maintained on every device that seeks a connection, and they secure access at the network layer only, with no view of which applications a user reaches once connected.

Solution: Secure Sockets Layer (SSL) VPNs require only a Web browser on the client, which reduces administration costs, and they can restrict each user to specific applications rather than the whole network. They can initially be pricier than IPSec VPNs, but end-to-end costs work out to be lower.

Solution maturity: Most VPN vendors have introduced SSL VPNs over the past few years. The SSL protocol is well understood, but the quality of components such as management tools varies greatly. IPSec VPNs are the standard when it comes to connecting people at a branch or home office to the agency's network using an agency-sanctioned desktop or laptop computer. But costly client software must be installed and maintained on every one of those machines.

IPSec VPNs also can't cope with the expansion of the many nontraditional ways people now seek online access, such as airport kiosks, hotel business centers or Internet cafés or by tapping into another agency's local-area network (LAN).

SSL VPNs use the SSL security built into Web browsers, to which billions of dollars of transactions are entrusted daily. All someone needs to connect through an SSL VPN is a device — such as a wireless phone, personal digital assistant or laptop computer — with a Web browser.

SSL VPNs can also limit access to specific applications, such as e-mail or calendars.

"That kind of granularity requires additional configuration, but in the process you are gaining superior security and more control over what users are doing, along with an audit trail of their activity," said Dore Rosenblum, director of product marketing for F5 Networks Inc.

Infonetics Research expects the SSL VPN market to grow from $4 million in 2002 to close to $1 billion in 2005. At this early stage there are more than a dozen SSL VPN companies — from newcomers Aventail Corp. and Juniper Networks to old hands such as Cisco Systems Inc. and Check Point Software Technologies Ltd. — which means customers can choose from a wide range of features and management tools.

Application-layer firewalls

Problem: Network-layer firewalls decide what to pass by examining packet headers, such as addresses, ports and protocols, on traffic arriving from external networks such as the Internet, but they do nothing to stop threats carried inside what looks like normal application content.

Solution: Application-layer firewalls pass or stop network traffic by examining the data itself, though this takes far more time than network packet filtering and can significantly affect the performance of other activities such as Web-based applications.

Solution maturity: Traditional firewall vendors have begun to build application-layer capabilities into their products, and newer providers offer specific content-filtering solutions.

Traditional firewalls have become quite good at protecting networks by using some form of packet filtering to examine the headers on the data packets passing through them to block suspicious traffic. But they can't stop the newer generation of viruses and worms embedded in normal-looking traffic such as e-mail messages.

Application-layer firewalls still look for abnormal traffic in headers, but they also look for telltale signs such as particular character strings or keywords in the data itself and block individual messages on that basis. Matching on fixed strings has limits: an attacker who varies the string slips past, and legitimate content that happens to contain it gets blocked, so the signatures need ongoing tuning.
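The contrast between the two views is easier to see in code. The following is an added illustration in Python, not code from the article or from any vendor named in it: a packet filter that sees only the connection's addresses and ports, beside a content filter that parses a constructed SMTP message and decodes its attachment. The relay address, the allowed port, the sample message and the executable-magic table are assumptions made for the example. The point it shows is that the declared Content-Type and filename are not trustworthy, so the decoded bytes are what get inspected.

```python
"""Network-layer versus application-layer filtering of an e-mail message.

Added illustration; the mail relay address, the allowed port, the sample
message and the executable-magic table below are all constructed for
this example, not taken from the article or any vendor's product.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed attachment: declared as a Word document, but the bytes begin
# with the "MZ" header of a DOS/Windows executable.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."


def build_sample_message(payload: bytes = FAKE_EXE, filename: str = "timesheet.doc") -> bytes:
    """Assemble a constructed SMTP message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "staff@example.gov"
    msg["Subject"] = "Updated timesheet"
    msg.set_content("Please open the attached timesheet.")
    msg.add_attachment(payload, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


def network_layer_allows(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """A packet filter sees only the connection 5-tuple, never the message.

    Constructed policy: anyone may deliver mail (TCP/25) to the relay at
    10.0.0.25, which is exactly what a worm-bearing message looks like.
    """
    return proto == "tcp" and dst_ip == "10.0.0.25" and dst_port == 25


# Signatures for the content filter: magic bytes at the start of a decoded
# attachment. These are checked instead of trusting the declared Content-Type.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"\x7fELF": "ELF executable",
}


def inspect_message(raw: bytes) -> list[str]:
    """Parse the message and return every policy violation found in it."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        name = part.get_filename() or "<unnamed>"
        declared = part.get_content_type()
        for magic, description in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):
                findings.append(f"{name}: declared {declared} but content is a {description}")
        if name.lower().endswith((".exe", ".scr", ".pif", ".bat")):
            findings.append(f"{name}: executable file extension")
    return findings


def application_layer_allows(raw: bytes) -> bool:
    """The content filter's verdict: pass only if nothing was flagged."""
    return not inspect_message(raw)


if __name__ == "__main__":
    raw = build_sample_message()
    print("packet filter verdict:", network_layer_allows("203.0.113.7", "10.0.0.25", "tcp", 25))
    print("content filter verdict:", application_layer_allows(raw))
    for finding in inspect_message(raw):
        print("  ", finding)
```

The packet filter passes the message because every field it can see is legitimate; the content filter has to reassemble and decode the attachment before it can say anything, which is where the extra latency the article describes comes from.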

There are drawbacks. For one thing, application-layer firewalls are more complex to manage and add overhead.

"People have to be knowledgeable about the applications that these firewalls are looking at," said Barry Cioe, senior director for product marketing at Symantec Corp.

Because application-layer firewalls examine all of the content of the data passing through them, they slow operations such as Web page loading.

"Users may be forced to make a trade-off between adequate security and protection," said Richard Kagan, vice president of marketing for Fortinet Inc. "If you have strong protection, it can significantly slow [network] processes."

Newer companies such as Fortinet are starting to build application-layer firewall devices that use hardware-based acceleration to get around the performance issues and provide real-time content filtering for applications such as Web browsing.

Wireless LAN security

Problem: The use of wireless LANs is growing fast because of their flexibility and easy installation, but there is still no comprehensive solution for WLAN security and ignorance of security requirements is still widespread.

Solution: Organizations are taking various approaches. Some are using repurposed tools such as VPNs and firewalls to secure WLANs. Others hope that products based on recently published security standards will provide an answer; meanwhile, many vendors already offer products that they claim provide some measure of WLAN security.

Solution maturity: Educating users is still considered the major security need for WLANs, and doubt persists about the solidity of security standards. Meanwhile, officials at agencies such as the Defense Department are starting to take matters into their own hands.

WLANs are quickly becoming a ubiquitous feature of the network infrastructure, but users largely remain ignorant of just how insecure they are. A quick scan of organizations that have WLANs would show that many access points are not locked down and instead are open to anyone in range with a laptop and a wireless card.

"Many people believe there is a secure connection because they are connected to the corporate net and just assume someone has taken the trouble to secure the wireless connection as well," said John Dunk, vice president of public-sector systems for Sigaba.

Major companies such as Cisco provide WLAN security as part of their layered enterprise security solutions, while newer companies such as Cranite Systems Inc., Fortress Technologies and Bluesocket Ltd. provide products aimed specifically at wireless security.

The situation for WLAN security has not been helped over the past few years by confusion over standards. Wired Equivalent Privacy (WEP) and its successor Wi-Fi Protected Access (WPA) were each at one time considered the answer to WLAN security. But WEP's encryption has been shown to be breakable, and WPA was an interim measure based on a draft of the fuller standard.

The final version of 802.11i, due out later this year, will be the latest attempt to define a comprehensive security standard, covering measures such as authentication, key management and Advanced Encryption Standard (AES) encryption. Products fully compliant with 802.11i are expected on the market about six months after publication of the standard's final version.

Some organizations are developing their own approaches. DOD officials, for example, who are in favor of using WLANs, are mandating in a new policy that all classified and unclassified data must be encrypted before it can travel across a wireless network.

Managed security service providers

Problem: As the number and complexity of security threats increase, organizations are pressed to provide ever higher levels of network security — at a time when budgets and other constraints are placing limits on the resources organizations can devote to the task.

Solution: A managed security service provider (MSSP) can partner with agencies, providing help with tasks such as security device configuration and around-the-clock monitoring of the security infrastructure, as well as threat analysis and vulnerability assessments.

Solution maturity: Once a marketplace for small entrepreneurial companies, the MSSP field is now dominated by large companies with extensive global organizations.

As the sophistication and breadth of security threats increase, organizations' needs have moved beyond point solutions and the mere detection of threats. More and more, the need is for integrated solutions and threat prevention, which has ushered in the era of round-the-clock oversight of security infrastructures.

Legislative mandates such as Sarbanes-Oxley and HIPAA have also increased the focus on security.

Only the largest organizations have the resources in-house to provide this level of security. And even they, particularly in government, have to cope with increasing constraints such as budget cuts. Small and midsize organizations are simply overwhelmed.

MSSPs offer a way for organizations to outsource many of their security needs. They provide round-the-clock monitoring of firewalls, intrusion-detection devices and other elements of the security infrastructure; provide ongoing vulnerability assessments; and continually assess the potential impact of threats such as viruses and worms.

It's a rapidly growing area. The Yankee Group predicts that the total managed security services market will jump from $1.5 billion in 2003 to close to $4 billion in 2008. Most of the major IT companies such as IBM Corp., AT&T, Unisys Corp. and Verizon have managed security groups, as do integrators such as Accenture and Science Applications International Corp. and security specialists such as Symantec and VeriSign Inc.

Interestingly, many organizations have been turning away from fully outsourcing their security. The trend now is toward agencies taking a more hands-on role because they are being held to higher levels of accountability for their networks' security. In that way, MSSPs are seen more as true security partners than as traditional contractors.

Portable device security

Problem: Threats aimed specifically at devices such as handheld computers, PDAs and wireless phones, which increasingly are connected to enterprise networks, are expected to increase dramatically during the next 18 months, and so far most of these devices are not secure.

Solution: Traditional security solutions such as firewalls and VPNs are being used to secure portable devices, and some companies are starting to produce solutions specifically for portables, applied both on the devices themselves and behind the enterprise firewall.

Solution maturity: Some solutions address portable-device security specifically, but the issue is only just starting to pique the interest of organizations, and broadly applicable portable security models have not yet been developed.

Few organizations are paying attention to the threat posed by portable devices, even while many of the devices are increasingly being connected to corporate networks. Officials from Gartner Inc.'s Dataquest estimate that more than 20 million handheld computers have been sold in the past five years, but only 1 percent of them employ any kind of virus protection.

So far, the actual threat to devices such as Palm PDAs, Pocket PCs and wireless phones has been slight compared to what has been happening to traditional computers. However, attacks are expected to increase as wireless bandwidths improve enough for these increasingly powerful devices to be used regularly for activities such as e-mail and Web-based applications.

Some security solutions use a client/server approach focused on the network. Avantgo Inc.'s M-Business Server, for example, sits behind an enterprise firewall to provide a gateway between mobile devices and network-based applications and allow only authenticated traffic from mobile devices onto the corporate network.

Others focus on putting security tools on the handheld devices.

"Not everything can be filtered at the gateway level," said Matt Ekram, Symantec's product manager for wireless. "And if you want to protect the device itself and its contents, the only way to do that is with client-level security."

Mobile devices are now considered add-ons to the enterprise network. But they will increasingly be accepted as just one more component and will eventually be managed with the same security focus as other computing technologies.

Web services security

Problem: XML-based Web services have so far been used mainly to exchange information among sites behind enterprise firewalls or with trusted partners, but as they are increasingly exposed to the outside world they become the target of malicious attacks.

Solution: Application-specific devices such as XML security gateways inspect XML data coming into the network and enforce access and encryption policies, while tools such as SSL VPNs can be used to authenticate the clients that send it.

Solution maturity: The current level of security may be adequate to protect Web services from the limited threats of today, but as attacks become more sophisticated, more pervasive protection will be needed.

Most organizations have begun cautiously developing Web services, mostly keeping them behind the enterprise firewall to exchange information among groups within the organization or with trusted business partners outside the enterprise.

But now Web services are beginning to be used more widely to enable transactions between organizations and their customers, or between government agencies and their constituencies. That opens XML applications up to the same kinds of attacks that are bedeviling other applications, as attackers wrap viruses in the cloak of normal XML traffic or attack XML applications directly.

Newer companies such as Datapower Technology Inc., Teros Inc., Sarvega Inc. and Forum Systems Inc. produce XML firewalls, delivered as hardware appliances or as software, that act as gateways filtering XML messages. Most traditional firewalls don't inspect the contents of messages that use Simple Object Access Protocol (SOAP), the XML messaging protocol on which Web services are typically built.
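What such a gateway checks before a SOAP request reaches the service can be shown in a few dozen lines. The following is an added illustration in Python and is not any vendor's product logic: it enforces a size limit, refuses any document type definition (the vehicle for entity-expansion and external-entity attacks), bounds element nesting, and allows only a listed set of operations in the SOAP Body. The service namespace, the operation allowlist, the limits and the sample requests are all constructed for the example.

```python
"""Policy checks an XML security gateway can apply to an inbound SOAP
request before it reaches the Web service behind it.

Added illustration, not any vendor's product logic. The service
namespace, the operation allowlist, the size and depth limits and the
sample requests are constructed for this example.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"    # SOAP 1.1 envelope namespace
SERVICE_NS = "urn:example:timesheet"                      # constructed service namespace
ALLOWED_OPERATIONS = {"GetTimesheet", "SubmitTimesheet"}  # constructed allowlist
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


def _too_deep(root, limit: int) -> bool:
    """Iterative depth check, so a hostile document cannot exhaust the stack."""
    stack = [(root, 1)]
    while stack:
        elem, level = stack.pop()
        if level > limit:
            return True
        stack.extend((child, level + 1) for child in elem)
    return False


def evaluate(raw: bytes) -> tuple[str, str]:
    """Return ("allow", operation) or ("deny", reason) for one request."""
    if len(raw) > MAX_BYTES:
        return ("deny", "message exceeds size limit")
    # Refuse any DTD before the parser sees it: internal entities drive
    # entity-expansion ("billion laughs") attacks and external ones XXE.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ("deny", "DTD not permitted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ("deny", f"malformed XML: {exc}")
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return ("deny", "not a SOAP 1.1 envelope")
    if _too_deep(root, MAX_DEPTH):
        return ("deny", "element nesting exceeds limit")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        return ("deny", "expected exactly one operation element in Body")
    tag = body[0].tag
    # ElementTree renders namespaced tags as "{namespace}local".
    namespace, _, operation = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    if namespace != SERVICE_NS or operation not in ALLOWED_OPERATIONS:
        return ("deny", f"operation {tag} not in allowlist")
    return ("allow", operation)


# Constructed sample requests.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <t:GetTimesheet xmlns:t="urn:example:timesheet"><t:employeeId>1042</t:employeeId></t:GetTimesheet>
  </soap:Body>
</soap:Envelope>"""

ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE soap [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&b;</soap:Body></soap:Envelope>"""

UNLISTED_OPERATION = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><t:DeleteAllTimesheets xmlns:t="urn:example:timesheet"/></soap:Body></soap:Envelope>"""

DEEP_NESTING = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
                + b"<x>" * 100 + b"</x>" * 100 + b"</soap:Body></soap:Envelope>")

if __name__ == "__main__":
    for label, request in [("good", GOOD_REQUEST), ("entity bomb", ENTITY_BOMB),
                           ("unlisted op", UNLISTED_OPERATION), ("deep nesting", DEEP_NESTING)]:
        print(f"{label:>12}: {evaluate(request)}")
```

The DOCTYPE test is deliberately blunt, a substring match over the raw bytes rather than a parser option, because the safest place to reject a DTD is before any XML parser has touched the input. The example covers only structural and access checks; the signature and encryption policies the article mentions (WS-Security, for instance) would sit on top of it.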

Beyond using existing tools, it's a matter of developing the same kind of authentication, encryption, signature and other solutions for Web services that are the basis for security in other areas. How that evolves depends on how people use Web services.

"If you are doing relatively simple XML extensions and building Web services around the XML equivalent of static Web pages, then that's not a hard thing," said John Heimann, director of security products for Oracle Corp. "But it is if more complicated trust models are required."

Identity management provisioning

Problem: Identity management is at the core of any organization's security administration, but managing users' access to business applications and network resources is usually very complex and labor-intensive.

Solution: User-provisioning software automates the process of granting, changing and revoking user access.

Solution maturity: Until recently, user provisioning was the province of smaller companies with stand-alone products, but they are now being integrated into larger companies' suites of identity management software.

Most organizations keep their user identities in a number of different directories, and it's a complicated chore for IT administrators to keep track of who is where and what changes in access privileges are needed, as well as making sure those changes are incorporated into network access policies.

User-provisioning software automates this process. The software tracks when user records are created and deleted in separate directories, and synchronizes the activity across all of the relevant directories.

Depending on what business-level privileges the user is provided with, the software automatically changes IT policies to grant the relevant level of network access rights. It can also delegate the administration of a user account to the users, allowing them to manage their own passwords.
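The core of that automation is a reconciliation loop: compare an authoritative source of users and their business roles against each directory, and emit the creates, grants, revocations and disables needed to bring the directories into line. The following is an added example in Python, not code from the article or from any of the products it names. The HR feed, the two directories, the role-to-entitlement mapping and the choice to disable rather than delete leavers are all constructed assumptions for the illustration.

```python
"""Reconciling an authoritative user source against the directories that
user-provisioning software keeps in sync.

Added illustration; the HR feed, the directories, the role-to-entitlement
mapping and the handling of leavers are constructed for this example.
"""
from dataclasses import dataclass

# Constructed: what each business role is entitled to, per target directory.
ROLE_ENTITLEMENTS = {
    "analyst": {"ldap": {"vpn-users"}, "mail": {"mailbox"}},
    "manager": {"ldap": {"vpn-users", "finance-ro"}, "mail": {"mailbox", "shared-calendar"}},
}


@dataclass(frozen=True, order=True)
class Action:
    target: str        # which directory to change
    verb: str          # create / grant / revoke / disable
    user: str
    entitlement: str = ""


def reconcile(hr_feed: dict[str, str], directories: dict[str, dict[str, set[str]]]) -> list[Action]:
    """hr_feed maps user -> role (authoritative); directories maps name -> {user -> entitlements}.

    Returns the ordered list of changes that makes every directory match the feed.
    """
    actions = []
    for target, accounts in directories.items():
        # Joiners and movers: each account must carry exactly its role's entitlements.
        for user, role in hr_feed.items():
            wanted = ROLE_ENTITLEMENTS.get(role, {}).get(target, set())
            if user not in accounts:
                actions.append(Action(target, "create", user))
                current = set()
            else:
                current = accounts[user]
            for entitlement in sorted(wanted - current):
                actions.append(Action(target, "grant", user, entitlement))
            for entitlement in sorted(current - wanted):
                actions.append(Action(target, "revoke", user, entitlement))
        # Leavers: anyone in the directory but not in the feed is disabled, not
        # deleted, so the account's history survives for audit (constructed policy).
        for user in sorted(set(accounts) - set(hr_feed)):
            actions.append(Action(target, "disable", user))
    return actions


def apply_actions(directories: dict[str, dict[str, set[str]]], actions: list[Action]) -> dict[str, dict[str, set[str]]]:
    """Apply actions to a copy of the directories. Disabled users drop out of the
    entitlement view, a simplification made for this example."""
    updated = {t: {u: set(e) for u, e in accts.items()} for t, accts in directories.items()}
    for action in actions:
        accounts = updated[action.target]
        if action.verb == "create":
            accounts.setdefault(action.user, set())
        elif action.verb == "grant":
            accounts[action.user].add(action.entitlement)
        elif action.verb == "revoke":
            accounts[action.user].discard(action.entitlement)
        elif action.verb == "disable":
            accounts.pop(action.user, None)
    return updated


# Constructed sample data: alice was promoted, bob was demoted, carol has just
# joined and dave has left but still has an LDAP account.
SAMPLE_HR = {"alice": "manager", "bob": "analyst", "carol": "analyst"}
SAMPLE_DIRECTORIES = {
    "ldap": {"alice": {"vpn-users"}, "bob": {"vpn-users", "finance-ro"}, "dave": {"vpn-users"}},
    "mail": {"alice": {"mailbox", "shared-calendar"}, "bob": {"mailbox"}},
}

if __name__ == "__main__":
    plan = reconcile(SAMPLE_HR, SAMPLE_DIRECTORIES)
    for action in plan:
        print(action)
    print("converged:", reconcile(SAMPLE_HR, apply_actions(SAMPLE_DIRECTORIES, plan)) == [])
```

Running the loop a second time against the updated directories yields no actions, which is the property a provisioning engine needs: it can be re-run safely after a partial failure. The warning at the end of this section applies directly here: if the directories disagree with each other about who a user is, the reconciliation has nothing reliable to converge on.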

IT administrators, until recently, would have had to use stand-alone provisioning products from small specialist companies if they wanted to include that facility in their identity management schemes. But major IT providers have begun buying out or partnering directly with these companies and integrating those products into their own access management suites.

IBM bought Access 360 Corp. two years ago, for example, and last year security specialist Netegrity Inc. partnered with Business Layers Inc. More recently, Sun Microsystems Inc. bought Waveset Technologies Inc.

However, warned Chris Catron, director of identity management solutions for Unisys, people shouldn't look to user provisioning as some kind of panacea. Organizations must first ensure they have well-ordered directory services. Otherwise, user provisioning will be useless.

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.