Saturday 28 January 2012

Evaluating IT Security Options

Issues for IT Managers
Assessing IT security claims - especially in the all-important area of perimeter security - is difficult at the best of times. Vendors in this area often exaggerate their offerings (sometimes spectacularly!). It can be very difficult to compare products side-by-side. Compounding this problem is the lack of clarity in the terms that are used. It's almost impossible to make rational comparisons between the different offerings available.
This paper has been written for IT managers who aren't security specialists, but who want to make good decisions about IT security. This guide is about giving you the tools for evaluating your options and making good decisions. It's not about what the answers might be.

How Important Is IT Security?
It's often assumed (and always proclaimed by IT security vendors) that the correct answer is "extremely". Realistically, it isn't so. The truth of the matter is that it depends on what you're trying to protect. Just as banks spend more money on physical security than milk bars do, so the right level of IT security for your organisation depends on the value of what you're protecting.
To assess what constitutes a sensible level of protection, you need to consider three things:
  • The value of what you are protecting
  • The likelihood of you having a problem
  • The things you can't replace

So what are you protecting?

There are lots of things to consider here. The bulk of your physical IT assets aren't under threat: that's a question for physical security. But your confidential information and IP are, and the value of these varies dramatically from business to business. Consider, for example, the impact on your business if your accounts receivable data were altered, if your customer contact details were stolen, or if tender documents were accessed without your permission.
The cost of bandwidth, often consumed by hackers (and sometimes by staff!) in very large quantities, is commonly overlooked.
And consider also the cost of the business interruption caused by a compromise. Such costs can't be recovered: lost productivity is lost forever, as anyone who's had a virus infection knows.

How likely is it that it will happen to you?
Businesses often wonder why they would be a target. "I'm not a bank - who would worry about me?" is an understandable comment.
To an extent that's true: some businesses are much higher profile than others. But that analysis ignores the proliferation of automated hacking tools that can search for vulnerabilities across an entire country in a matter of hours. With access to such tools, hackers often no longer worry about targeting: they don't need to. They concern themselves only with who's vulnerable.
Finally, consider the possibility of industrial espionage. It's very unusual, but it does happen.
Like it or not, the Internet is still a lot like the Wild West, and there are some talented and unscrupulous guns for hire out there.

Replacing the irreplaceable
The third category of potential loss you should consider is the question of the irreplaceable. Some things, once lost, can't be replaced.
Lost productivity is one. A large accounting firm lost more than half a day's work for over 50,000 staff as a result of one virus attack.
Confidential information is another: once Pandora's box has been opened, it's too late.
And reputation, of course, is the big one. A good reputation can be very hard to develop, but it can be easy to tarnish.

Summary
There is no fixed answer. IT security may not be important to you, although the fact that you're reading this suggests that it probably is. How important is a question only you can answer.


What Makes Good IT Security?
Security is a huge field, and in this paper we are confining ourselves to discussing the first and most important area, perimeter security: the safeguards between your systems and the outside world.


So what makes good perimeter security?
First of all, as an absolute basic level of security, you'll need a firewall. Many vendors make a lot of fuss about firewalls, but the truth is that good firewalls are fairly common nowadays: there's no real rocket science in a good firewall.
It's broadly accepted that stateful packet filtering is better than stateless packet filtering. Application proxies offer an additional level of security as well, but in the end a run-of-the-mill firewall that is well configured will give better security than the world's best technology that isn't well set up and managed.

Won't my router do what a firewall will do?
This is a common myth, promoted largely by those who sell routers! If a router could do what a firewall can do, no-one would need firewalls.
The fact that many router manufacturers sell firewalls says a lot.
The truth of the matter is that routers can do a portion of what a firewall can do. But don't confuse the two. A router is designed for speed and efficiency, a firewall for security. It's like comparing a Ferrari with an Abrams tank. Either could replace the other in one sense: you could drive to work in the Abrams, and you could go to war in the Ferrari. But it wouldn't make much sense.
So is a firewall enough?
In most cases, no: firewalls are important but not sufficient. They don't, just by themselves, address issues like viruses or other inappropriate content. They will, quite correctly, let harmful traffic through to mail servers and web servers without hesitation, because they make decisions based on the type of traffic only, not the content! So they don't deal with other important problems like SPAM, either.
They're a critically important starting point and foundation, but that's all they are.
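An added illustration of the two points above (not code from the original article): a toy stateless filter judges each packet on its own, a stateful one remembers outbound connections and only admits inbound packets that belong to one, and neither looks at the content of mail it allows through on port 25. The internal network range, the mail server address and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal LAN
MAIL_SERVER = "10.0.0.25"                           # assumed mail server address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = both
    payload: bytes = b""  # application data, which neither filter examines

def is_inbound(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) not in INTERNAL_NET

def stateless_allow(pkt: Packet) -> bool:
    """Stateless filtering judges each packet alone: allow SMTP to the mail
    server, and treat any inbound packet carrying ACK as a reply to us."""
    if not is_inbound(pkt) or (pkt.dst == MAIL_SERVER and pkt.dport == 25):
        return True
    return "A" in pkt.flags

class StatefulFilter:
    """Stateful filtering remembers outbound connections and admits inbound
    packets only if they belong to one, or match an explicit rule."""
    def __init__(self):
        self.table = set()  # (internal ip, port, external ip, port)

    def allow(self, pkt: Packet) -> bool:
        if not is_inbound(pkt):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == MAIL_SERVER and pkt.dport == 25:
            return True  # decided on port alone; the payload is never inspected
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("10.0.0.7", 40000, "203.0.113.5", 443, "S"),    # outbound HTTPS request
    Packet("203.0.113.5", 443, "10.0.0.7", 40000, "SA"),   # genuine reply to it
    Packet("198.51.100.9", 1234, "10.0.0.7", 445, "A"),    # unsolicited packet with ACK set
    Packet("198.51.100.9", 5555, MAIL_SERVER, 25, "S", b"attachment.exe"),  # mail, any content
]

def run(sample=SAMPLE):
    # Returns (stateless verdict, stateful verdict) for each packet in order.
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in sample]
```

The third packet is the difference that matters: the stateless rules wave it through because it carries ACK, while the stateful filter drops it because no internal host ever opened that connection; the fourth shows both filters admitting mail traffic without regard to what it carries.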

In that case, what else will I need?
That depends on what else you're concerned about. The following list might help.
  • Gateway anti-virus
  • VPN
  • SPAM filtering
  • Content filtering/management
  • Bandwidth management and reporting systems, QoS/traffic shaping
  • Better general security and reporting of intrusion attempts - IDP (Intrusion Detection and Prevention systems)

Gateway Anti-Virus

Gateway anti-virus systems are systems that quarantine viruses at the Internet gateway, before they reach your trusted internal network.

Why would I need that? I have anti-virus on my desktops.
There are several good reasons for using gateway A/V in addition to desktop A/V.
Firstly, it's very hard to control whether desktop A/V systems are kept up to date because they're almost all dependent on the operation of the individual desktop or notebook machine, and users make changes to their machines. Even if you can lock them down, they're dependent on being frequently connected, and it's hard to control that.
The use of a good gateway A/V system doesn't take away the need to keep the desktop systems up to scratch, but it does mean that if something goes wrong on that front, the downside is a lot smaller.
Secondly, most desktop A/V systems are only updated at most daily. This really isn't anywhere near often enough. A good gateway A/V system should be kept scrupulously up to date, and it's a lot easier to keep one system up to date than dozens or hundreds of desktops and notebooks.

So how do I pick a good gateway A/V system?
Here's what you should look for:
  • Find out how often updates are made available. One of the main issues with A/V systems is how well they're kept up to date. Don't be satisfied with "you can download updates as often as you want", because the issue is how often the signature files are updated. Downloading every six hours won't help you if the signature files are only updated weekly.

  • Choose an A/V system for your gateway that's different from the desktop systems. Doing the same filtering twice is not as good as using two different systems.
  • Check out exactly what channels your gateway A/V system will scan for viruses. Ideally, it should be scanning email (SMTP, POP, and IMAP), FTP and HTTP as well.

  • Try to find an A/V system with heuristic detection as well as signature-based detection. Heuristic detection enables your system to trap new viruses before there are signatures written for them.


SPAM filtering

SPAM filtering is important to many organisations because of the tremendous drain on productivity that SPAM represents. But be aware of this: SPAM filtering cannot ever be 100% reliable. The reason? An email offering you a great deal on a new car will almost certainly be SPAM, unless it happens to come from a friend who knows you're in the market for a new car. No SPAM filtering system can tell the difference.
That said, good SPAM filtering systems can filter upwards of 90% of SPAM.

So how do I select a good SPAM filter?
Like anti-virus systems, the main issue to consider is how often they're updated. Like virus writers, senders of SPAM are constantly up to new tricks.
The other important issue is flexibility. It's important to ensure that your SPAM filtering solution gives you the flexibility to adjust it to your needs.

VPN
VPN systems are probably the easiest to choose. IPSec is the standard, but many organisations are happy with the lower security of PPTP because it's easier to set up.
So how do I select a good VPN system?
There are three things to consider:
  • How fast does the product work? Your VPN needs to be able to process data fast enough that the VPN won't become a bottleneck.
  • What key lengths does the product support? In general, 1024-bit keys are considered a prudent minimum.
  • What are the options for client systems? If you're providing VPN facilities for road warriors, consider what client software options you have. This is where PPTP support becomes an issue for many organisations (but not for all).


Internet Content Filtering

There are several content filtering systems on the market that work well and have substantial market-share. The cold commercial fact is that commercial success is important here, since content filtering businesses are very expensive businesses to set up and run. A warning: content filtering systems aren't 100% effective: sites are being added at a phenomenal rate so it just isn't possible. That's why it's good to go with a substantial product in this area: the smaller players in general can't compete with the larger ones.
So how do I choose a content filtering system?
No real surprises here:
  • How often is the database updated? Most of these products use a database of URLs or keywords or exceptions to make their decisions about how to categorise a given item. Like anti-virus and SPAM filtering, frequency of update is critical.
  • How much flexibility does the product give me? And how much do I need? Some organisations have filtering needs that vary from one group of users to another. If you do, you need to select a product that will support it. Furthermore, the default setup may not suit your organisation. Check that you have the ability to establish flexible rules.

Intrusion Detection

There are two approaches in the market.
The first is what might be termed the "traditional approach", more commonly called IDSs (Intrusion Detection Systems). These systems involve the comprehensive detection of (and reporting on) anomalous traffic. Typically, they generate huge amounts of data, most of which is of little value, because the fact that the traffic is anomalous does not mean that it is bad. It takes human expertise to work out what's worth acting on.
And in the hands of those with the right expertise, this information can be of tremendous value. That's the upside. The downside is that if you're compromised it will be able to tell you all about it, but it doesn't attempt to prevent it.
The more recent approach is called IDP (Intrusion Detection and Prevention). It's a different approach, and opinions are divided as to whether it's better or worse. It's less exhaustive: it doesn't even attempt to detect and log everything, but rather just the traffic that's undeniably bad. The advantage of this approach is that knowing that it has detected something bad, it can take action, and that's where the "Prevention" part comes in. IDP systems often make on-the-fly changes to security configuration to ensure that bad traffic never gets to your internal systems.

How do I choose an Intrusion Detection system?
The first thing to do, of course, is to decide which general approach you prefer. Then, regardless of your choice, the issues come down to many of the same questions:
  • How often is the IDS/IDP system updated? Like anti-virus and SPAM filtering, frequency of update is critical.
  • What happens when something bad is detected? Whether the system itself acts on it (in an IDP system), or whether your own experts will analyse the reports (in an IDS), there's no point having the system if you can't get a benefit from it.

Integration

Many organisations have been misled by the "best of breed" approach that's touted by some suppliers. The truth of the matter is that a "best of breed" solution is an ill-defined concept. Quality systems are undeniably important, but it's more important to ensure that your systems are well integrated and managed.
A "best-of-breed" firewall and a "best-of-breed" IDS won't deliver the value you expect unless they're properly integrated with each other and with your other security systems. For good security, integration is more important than many people initially think. Anti-virus needs to be integrated with mail servers. It should also work with HTTP proxies and caches. Content filtering should be integrated with email. Your reporting systems should be integrated with the lot!
The point is that the characteristics of an individual technology component aren't the be-all and end-all of security; the ability of the subsystems to work together where appropriate is critical.
By: Simon Heron
