New-breed network management vendors are currently locked in a war of words over how to best manage intrusion detection with some of the IT industry's most seasoned security product vendors.
Ask a security appliance or software vendor what their greatest fear is at the moment and there is almost certainly one answer you will not get. You may hear about the rising tide of spam-driven Trojans, the lurking threat of worms such as Blaster that exploit unpatched services, or even speculation about how soon a zero-day attack may come. But what you won't hear is how network management vendors are encroaching onto the prized turf of IT security products and the myriad point solutions that go with it.
Nowhere is this more so than in the intrusion detection and prevention space. For years IT security has been dominated by a plethora of specialized sniffers, barriers and alarms that supposedly enable a humble network manager to filter out and repel the multitudes of automated daily attacks any given system must withstand in order to survive.
Firewalls, packet inspection, antivirus and anti-intrusion technologies have all flourished in an environment where patching is a weekly if not daily ritual. So fierce is the level of external hostility aimed at today's networks that most IT managers have abandoned any hope of a single node even temporarily surviving connection to the Internet without some sort of intrusion protection.
"It takes two minutes for one of our machines to get compromised. We've timed it. That's the longest any machine has survived on the network without protection in place. It's just phenomenal," complains an IT manager for the NSW Department of Education and Training (DET).
While DET employees are not allowed to speak publicly about IT security measures utilized to keep over a million registered users – ranging from C-level executives to primary school children – out of harm's way, it's obvious DET is trying to look at IT security in a holistic manner.
"We have to look at it from a network perspective. Even when we plumb-in firewalls and security appliances they just can't cope with [the volume of malicious traffic] unless we manage it at the network level. We could put in another five or 10 devices in some places and they still wouldn't cope, it's really got to that level now," the DET IT manager says, noting solutions that anti-intrusion vendors offer "always involve buying more of their product in one form or another".
Analyst firm Meta Group has also noted some networking vendors sizing up the intrusion detection systems market, with senior analyst for security and risk Michael Warrilow pointing out that users are more aware than ever that intrusion risks can be mitigated by network architecture in addition to traditional point solutions.
"Managing trust through [the network architecture] allows organizations to right-size their investment in security. It seems to be moving from the hard perimeter and soft centre [model] to different zones of trust within the network. Obviously the more sensitive a zone is - for instance where sensitive intellectual property is kept - the more hardened the security will be around that.
"That means that you can spend on the areas that really need protection [rather than applying a uniform standard to less sensitive areas]," Warrilow says.
One such vendor is networking solution specialist Enterasys, which recently re-invented its pitch to customers away from the meat-and-potatoes of switching and routing, to what it now calls "secure, highly available and mobile infrastructure".
This has included the purchase and integration of a network intrusion detection and prevention system known as Dragon NIDS, which applies automated security policies as part of an overall network architecture.
Unsurprisingly, Enterasys' ebullient executive vice president and chief technology officer John Roese is more than keen to put the boot into security appliance solution vendors for trying to sell customers the world in a box.
"You must bring the network into the security equation. Intrusion detection systems only look at a tenth of the packets [present in network traffic]. The trade-off is that you need to bring security into the architecture. You don't want an IDS on every subnet – you want them in the places that count. The perimeter is dead," Roese claims, before launching into why packet sniffers need to be put on a strict diet.
Similarly, David Taylor, the Australian director of network operations solution vendor NetIQ, claims he has no shortage of clients looking for ways to consolidate security products, reduce costs and improve network performance.
Taylor claims that over the last five years many security vendors have grown accustomed to "dumping more product" onto customers and fail to consider hidden overheads such as having to comb through the masses of logs generated by rack upon rack of security appliances.
Taylor says that as every new vulnerability is made public, network managers need to be able to filter alerts, apply resources with discretion and automate many of the menial day-to-day tasks that suck time and money out of organizations.
NetIQ's fans include Village Roadshow's support services manager, Tony Sutton, who recently expanded the cinema chain's content management solution to cover instant messaging – albeit with considerable vigilance.
"[We] wanted staff to be able to use instant messaging and, as with e-mail and Internet use, ensure [it] was adequately monitored and corporate security was maintained. We can now manage, monitor, report and control all aspects of employee activity on the Internet," Sutton says.
As for how to manage things inside the perimeter, Enterasys' Roese says pragmatism must rule for security to start being seen as a benefit rather than a cost.
"You have to acknowledge sometimes good users go bad. You have to be able to dish out a metered and measured response that is appropriate. It can be a penalty box where you have a policy delivering the bare minimum of application functionality [to a recalcitrant user]. These days you can't afford to just cut people off," Roese says.
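To make the two architectural ideas in this piece concrete, the zones of trust Warrilow describes (harder policy around the zone holding sensitive intellectual property, looser policy elsewhere) and the "penalty box" Roese describes (a misbehaving host kept on the network but restricted to the bare minimum), the following is an added example written for this article. It is not code from Enterasys, Meta Group, NetIQ or any product named here. The zone names, address ranges, ports and rule table are all constructed assumptions. Hosts are mapped to a zone by longest-prefix match on their address, flows between zones are permitted only by explicit rules with default deny, a rule can flag a boundary for IDS inspection (Roese's "places that count" rather than every subnet), and quarantining a host re-maps it to a zone that can reach only remediation services.

```python
"""Zone-of-trust policy model (constructed example, not vendor code).

Hosts get a trust zone from their address (longest prefix wins); inter-zone
flows are allowed only by an ordered rule table with default deny; a host in
the penalty box is re-mapped to a "quarantine" zone whose only permitted
destination is the remediation zone. All names, prefixes and ports are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALLOW, DENY = "allow", "deny"

# Constructed zone prefixes. 0.0.0.0/0 is the fallback: anything not in a
# more specific prefix is treated as untrusted "internet".
ZONES = {
    "internet":    ["0.0.0.0/0"],
    "user":        ["10.10.0.0/16"],
    "server":      ["10.20.0.0/16"],
    "ip_vault":    ["10.30.0.0/24"],   # sensitive intellectual property, most hardened
    "remediation": ["10.40.0.0/24"],   # patch / AV servers for quarantined hosts
}
ZONE_NETS = [(ipaddress.ip_network(p), name) for name, ps in ZONES.items() for p in ps]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: Optional[FrozenSet[int]]  # TCP destination ports; None means any port
    action: str
    inspect: bool = False            # hand matching flows to an IDS sensor on this boundary


# Ordered rule table, first match wins; anything unmatched is denied.
RULES = [
    Rule("user", "user", None, ALLOW),
    Rule("user", "internet", frozenset({80, 443}), ALLOW),
    Rule("user", "server", frozenset({443}), ALLOW),
    # Only application servers reach the vault, and that boundary is inspected.
    Rule("server", "ip_vault", frozenset({5432}), ALLOW, inspect=True),
    # Penalty box: bare-minimum access, enough to patch and clean the host.
    Rule("quarantine", "remediation", frozenset({80, 443}), ALLOW),
]


@dataclass(frozen=True)
class Decision:
    action: str
    inspect: bool
    src_zone: str
    dst_zone: str


# Hosts currently in the penalty box. Keyed by address for simplicity; a real
# deployment would key on the authenticated user or the switch port (assumption).
_quarantined = set()


def quarantine_host(addr: str) -> None:
    _quarantined.add(ipaddress.ip_address(addr))


def release_host(addr: str) -> None:
    _quarantined.discard(ipaddress.ip_address(addr))


def zone_of(addr: str) -> str:
    """Longest-prefix zone lookup; quarantined hosts override to 'quarantine'."""
    ip = ipaddress.ip_address(addr)
    if ip in _quarantined:
        return "quarantine"
    zone, best_len = "internet", -1
    for net, name in ZONE_NETS:
        if ip in net and net.prefixlen > best_len:
            zone, best_len = name, net.prefixlen
    return zone


def evaluate(src: str, dst: str, port: int) -> Decision:
    """Decide a TCP flow src -> dst:port against the zone rule table."""
    s, d = zone_of(src), zone_of(dst)
    for rule in RULES:
        if rule.src == s and rule.dst == d and (rule.ports is None or port in rule.ports):
            return Decision(rule.action, rule.inspect, s, d)
    return Decision(DENY, False, s, d)  # default deny between zones


if __name__ == "__main__":
    print(evaluate("10.10.1.5", "10.20.0.10", 443))   # user -> server, allowed
    print(evaluate("10.10.1.5", "10.30.0.7", 5432))   # user -> vault, denied
    print(evaluate("10.20.0.10", "10.30.0.7", 5432))  # server -> vault, allowed + inspected
    quarantine_host("10.10.1.5")
    print(evaluate("10.10.1.5", "10.20.0.10", 443))   # now denied
    print(evaluate("10.10.1.5", "10.40.0.2", 443))    # remediation only
```

The point of the model is where the spend goes: one inspected boundary in front of the vault rather than a sensor on every subnet, and a quarantine zone that keeps a "good user gone bad" connected to patch servers instead of cutting the port. In a real network the same table would be expressed as VLAN or firewall zone policy and the quarantine move as a dynamic VLAN or ACL assignment on the access switch.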