Network Security Scenario
Jeffrey Wheatman, Gartner
Network Security Sea Change
- Threats don't stay still, and networks aren't standing still either
- Your father's DMZ won't work for networks that keep changing and moving upward and onward
- Effectiveness and efficiency:
  - Build security into the network for well-known threats
  - Rapidly evaluate new approaches for dealing with new threats
  - "Bake" security into every new network service
- What if none of the endpoints are managed?
Defense in Depth and the 'NxN' DMZ
- Complex applications require a more complex, yet well-structured, DMZ
- "Death spiral" of ever-increasing firewall rules or access control lists
- Increased connection methods
- Protecting assets from the internal network
- Mobility of endpoints
- DMZ and data center protection
- Virtualization and acceleration
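One concrete check behind the "death spiral" bullet, as an added example that is not part of the Gartner deck: a small audit of a first-match firewall rulebase that flags rules fully covered by an earlier rule, either redundant (same action) or shadowed (opposite action, so the later rule can never fire). The Rule fields, helper names and the sample rulebase are all constructed here.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: tuple            # inclusive destination port range (lo, hi)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would also match `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]

def audit(rules: list) -> list:
    """First-match semantics: flag each rule fully covered by an earlier one.
    Returns (later rule, earlier rule, kind): 'redundant' when the actions agree,
    'shadowed' when they differ (the later rule can never fire)."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings

# Constructed sample rulebase for a DMZ web tier (10.1.0.0/24) and a DB tier (10.2.0.0/24)
SAMPLE_RULES = [
    Rule("web-in",       "allow", "tcp", "0.0.0.0/0",       "10.1.0.0/24", (80, 80)),
    Rule("ops-ssh",      "allow", "tcp", "192.168.10.0/24", "10.1.0.0/24", (22, 22)),
    Rule("block-db",     "deny",  "tcp", "10.1.0.0/24",     "10.2.0.0/24", (0, 65535)),
    Rule("app-db",       "allow", "tcp", "10.1.0.10/32",    "10.2.0.5/32", (3306, 3306)),  # added later, never fires
    Rule("ops-ssh-host", "allow", "tcp", "192.168.10.5/32", "10.1.0.7/32", (22, 22)),      # already covered by ops-ssh
]

if __name__ == "__main__":
    for later, earlier, kind in audit(SAMPLE_RULES):
        print(f"{later} is {kind} by {earlier}")
```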
There Will Always Be a Perimeter
- Neither "all network" nor "all host" safeguards are feasible
- The edge changes and gets more complex, but it doesn't go away
- A coordinated set of safeguards rather than a single safeguard
- Unmanaged endpoints will only increase
Flavors of Network Protection
- Persistence of buying centers
- Changes in threats
- Changes in business demands
- UTM for SMB
- In the cloud(s) for large enterprises
- Niche markets for threat-specific protection:
  - Web application firewall
  - Database firewall
  - XML firewall, and so on
- Perimeter stays separate:
  - Rapid response
  - Separate control plane
- Diagram: product categories and the infrastructure each pairs with:
  - Secure Message Gateway (e-mail servers)
  - Secure Web Gateway (ADC/WOC)
  - Next-Generation Firewall (network gear)
  - WOC = WAN optimization controller
Embedding Network Security in Endpoints
- The network group can always talk to a NIC
- A fourth firewall tier in the NIC
- Silicon-based firewalls are inexpensive and widely available
- The firewall provides a "panic button"
- IPS can provide hardware acceleration and close-to-host deep inspection of network traffic
IPS Primarily at the Edge and in Blocking Mode
- IPS moves beyond threat signatures
- Endpoint and "extra-IPS" intelligence
- A big market: forecast >$1 billion in 2007
- Deployments march inward to critical points
[Chart: Capability versus Process; labels: Signatures, IDS, Tuned, High Fidelity, In Blocking Mode, Endpoint Intelligence, Maximum; scale 0%, 20%, 30%, 40%]
The Need for a Separate Security Control Plane
- Guidance: a decision, not an accident
- Hybrids can be the worst of both approaches
- A security decision
- Foundation design principle
- Can always change back
- Infrastructure vendor products can be used for a control plane, but this is not the default
[Diagram: Infrastructure versus Security; labels: Asset, Dynamic, Move Packets, Vulnerabilities, Costly, Block Packets, Secure Configuration, Kernelized and Evaluated, Costly]
Web Application Firewalls
- Can openers: great idea, but you only need one
- Market pressure has led to good standardization
- Select using Web application firewall evaluation criteria, scoring candidates against those criteria
- Market divided: in-the-ADC or stand-alone
  - In-the-ADC has the enterprise advantage but is not leading in features
- True competition is with code/application scanners
- PCI will drive some increase
Content Monitoring and Filtering/Data Loss Prevention
[Diagram: where sensitive data is monitored]
- Data in motion (network): e-mail, Web surfing, Web mail, FTP
- Sensitive data description: PCI, IP, EPHI, NPPI
- Data at rest: servers, desktops, laptops, SAN, NAS
- Endpoint: USB key, cut and paste, print
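To make the diagram concrete, an added example that is not part of the original deck: a minimal content-monitoring check of the kind a CMF/DLP product applies to data in motion, scanning a constructed message for PCI card numbers (validated with the Luhn check) and SSN-shaped NPPI, then deciding whether to block or alert based on the channel. The patterns, channel names and sample text are all assumptions made here.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN shape as an NPPI example (constructed heuristic, not an official spec)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Channels from the slide on which a PCI hit is blocked rather than just alerted
OUTBOUND = {"email", "webmail", "ftp", "usb", "print", "clipboard"}

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (category, masked value) pairs: 'PCI' for Luhn-valid PANs, 'NPPI' for SSN-shaped values."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order numbers and other look-alike digit runs
            hits.append(("PCI", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("NPPI", "***-**-" + m.group()[-4:]))
    return hits

def policy_action(hits: list, channel: str) -> str:
    """Block PCI data leaving on an outbound channel; alert on anything else sensitive."""
    cats = {cat for cat, _ in hits}
    if "PCI" in cats and channel in OUTBOUND:
        return "block"
    return "alert" if cats else "allow"

# Constructed outbound e-mail body; 4111 1111 1111 1111 is a well-known Luhn-valid test number
SAMPLE = (
    "Hi, please process the refund to card 4111 1111 1111 1111, exp 12/27.\n"
    "Order ref 1234 5678 9012 3456 is not a card. Patient SSN 123-45-6789 is on file.\n"
)

if __name__ == "__main__":
    hits = find_sensitive(SAMPLE)
    print(hits, policy_action(hits, "email"))
```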
Network Security Market Dynamics
- New threats and technology will continue to emerge:
  - Network security add-ons will be the first point of reaction
  - Embedded network and host security follow later
  - Acquisitions and failures follow
- Still much room for innovation:
  - Detecting and blocking arbitrary malware
  - Content-aware network security
  - Dealing with encryption
  - Securing Web 2.0
Network and Host Security Will Communicate but Not Become One
- Benefits:
  - Buying center
  - Some efficiencies and early warning
  - Signature enablement
- Problems:
  - Conflicting blocking policies
  - Operations and business knowledge across the network/host boundary is limited
Encryption of MPLS and Internal Links Remains Niche
- Encryption can "blind" WOCs, IPSs, NBA and firewalls
- High cost and disruption
- The drop-in appliance approach is the most common
- Overlay approach: Cisco GET VPN
- Longhorn brings IPsec, but for authentication only
- Quantum cryptography will remain niche until at least 2011
In the Cloud
- Non-CPE
- Moved easily into the cloud:
  - Distributed denial of service
  - E-mail spam/antivirus
  - Firewall
- More problematic:
  - IPS
  - CMF
  - Anti-phishing
- New pricing/availability
[Diagram: Carrier/ISP and Enterprise]
Recommendations
- Maintain that separate network security control plane, but take advantage of embedded network security capabilities where possible
- Move beyond just default IPS blocking:
  - Integrate endpoint intelligence and network behavior analysis (NBA)
  - Try out innovative new solutions
  - Content-aware security (CMF/DLP)
- Look to align refresh cycles based on where point products are converging