The promise of all-in-one security

The lure of simplicity is prompting users to consider bundled security products.



At least three times per week, Arkansas State University's network is threatened by a virus, denial-of-service attack or system hack, often by students trying to tap the school's resources from their dorm rooms. "The reality is my network is my own worst enemy," says Greg Williamson, associate IT director at the Jonesboro school.

The university relies on multitasking devices to stave off such attacks. Arkansas State uses four Cisco Catalyst 6513 Gigabit Ethernet switches outfitted with intrusion-detection system (IDS) modules. IDS belongs squarely in the network's core, Williamson says.

"If the core goes down, so does the network. With voice over IP running on the network to serve resident housing, there is a high-level, critical need for 911 services. The network can't go down," he says.

The IDS blades watch traffic as it crosses the switch backplanes, defending against denial-of-service and other attacks, Williamson says. They simultaneously monitor multiple virtual LANs. If a blade detects malicious or unauthorized activity, it triggers an alarm.

Injecting security functions into network gear like routers and switches is one method of integrated security attracting the attention of enterprise network managers. Another is the use of tools that blend two or more security functions, such as IDS, Internet filtering, firewall, vulnerability assessment and virus scanning. Vendors are also embedding security features into nonsecurity software products, such as virus scanning into e-mail.

The lure of simplification

In a traditional network security setup, each device - firewall, IDS and vulnerability assessment tool - has its own console. Bundled products promise to integrate these, an appealing prospect to users.

"The benefits of using integrated solutions to us would be the use of a single management console to manage different security layers," says Aidan Garcia, network services manager at Eastern Bank in Boston.

Mike Cothren, MIS director at the Pulaski County Special School District in Little Rock, Ark., says simplification was a reason his organization chose appliance vendor SonicWall, which supplies the district with the SonicWall Global Management System. Along with firewall capabilities, this appliance performs Internet filtering by checking each request sent from Pulaski's LAN against a list of unacceptable URLs and IP addresses. It denies requests deemed inappropriate.

"Trying to make products from different vendors work together can be a nightmare. If there is a problem, each vendor will point its finger at the other. This allows you to work with one tech support shop that will handle all the issues," Cothren says.

Integrated products also could eliminate duplicate security functions and lower false-positive alarms - incidents in which systems report problems that have not occurred.

"One of the things integrated vendors claim is that their products will have people spending less time on worthless administrative things and more time on critical threats," says Chris Christensen, an analyst with IDC. To that end, vendors have unleashed a variety of integrated security products.

TippingPoint Technologies, for instance, hawks a combined firewall/IDS device the company says can outperform software-based offerings and costs less because it is part of the network infrastructure.

NetScreen Technologies says it soon will support IDS and virus scanning on high-speed devices already hosting firewall and VPN software. NetScreen's offering "certainly would be an attractive thing," says Chuck Horvat, director of network services at Divine, a service provider in Chicago using integrated NetScreen appliances at all 27 of its corporate infrastructure sites.

Greg Williamson, associate IT director, stands guard over the Arkansas State University network with the help of IDS blades in backbone switches.

Along those lines, Nokia and Internet Security Systems (ISS) allied last year on RealSecure for Nokia, an IDS appliance the vendors say will build on Nokia's firewall capabilities.

Other alliances include a Network Associates and ISS agreement that pairs McAfee antivirus technology with ISS' RealSecure IDS products.

SonicWall user Pulaski County will benefit from a similar partnering because the organization is poised to implement McAfee antivirus capabilities on the SonicWall platform.

"The solutions we looked at generally would require a Windows 2000 server to manage virus updates to the workstations," Cothren says.

Because the school district is a Novell shop, adding the Microsoft servers would have added cost and complexity that Cothren preferred to avoid, he says.

All-in-one packages
Here is a sampling of wares that combine security functions traditionally provided in separate devices.
| Vendor | Product | Function |
|---|---|---|
| Cisco | Catalyst 6000 switch family with intrusion-detection system module | Detects attacks against unauthorized and malicious activities, integrating the switching and security functionality in the same chassis. |
| Crossbeam Systems | X40S Open Security Appliance | Couples high-performance, open hardware platform with firewall, IDS and other applications from security vendors. |
| Inktomi | Traffic Edge Security Edition | Adds antivirus scanning, content filtering, user authentication and access controls into proxy caching software. |
| NetScreen Technologies | NetScreen series appliances | Combine firewall, VPN and traffic management functions on dedicated hardware platforms. |
| Nokia | Nokia IP Security platforms | Run third-party security applications such as Check Point's VPN-1/FireWall-1 firewall, Internet Security Systems' RealSecure intrusion-detection engine and McAfee's WebShield antivirus software. |
| SonicWall | SonicWall Internet security appliances | Combine stateful packet inspection firewalls, IPSec VPNs for remote access, IP address management features, and value-added security services. |
| TippingPoint Technologies | UnityOne Network-Defense Systems | Identify and block intrusion attempts, taking the place of firewalls, intrusion-detection appliances, vulnerability-assessment servers and VPN gateways. |

Meanwhile, Inktomi announced in April that it had combined virus scanning, content filtering, user authentication and access controls into its caching software, Traffic Edge Security Edition.

In contrast to product bundling, Crossbeam bills Version 2.0 of its X40S appliance as a common platform for running applications from leading security vendors, such as Enterasys Networks' Dragon Sensor IDS and Check Point Software's firewall and VPN software. The company suggests the device can stand in place of servers, load balancers and switches.

E-mail vendors are also nailing down security alliances. Rockliffe teamed with F-Secure to inject virus scanning into Version 5 of its MailSite SE software.

Watch for laptop and mobile devices to join the crowd, too, by adding authentication like tokens or biometrics.

Users mistrust bundled security products

Reluctance to adopt an integrated approach stems from several sources.

The renewed user interest in the security product bundling concept comes from the heightened awareness of security after Sept. 11, along with the general sense that networks are now more mission-critical because they support e-business initiatives and remote employees, analysts say. But these experts point out that most enterprises haven't committed to full-scale adoption of bundled security products.

A hybrid approach

But for all the promise and vendor activity, integrated products have a spate of potential drawbacks. For instance, IDS, a commonly bundled technology, is difficult to engineer. (See Technology Insider: Network-based intrusion-detection systems for related story.) And users like Eastern Bank's Garcia who yearn for easier management worry that a bundled product creates vulnerability.

"The shortcoming that has prevented us from investigating integrated solutions has been the single point of monitoring. If hackers could find a way around the system, they would have open access to the network beyond it," he says.

For such reasons, analysts question how widely enterprise users will accept bundled security wares. Eastern Bank has decided to forgo them for now. It stitches together dedicated products from vendors like Network Associates, Garcia says. Eastern Bank uses the McAfee virus protection suite and e-business server.

A hybrid approach, using dedicated and integrated products, makes sense even to Arkansas State's Williamson, an avowed believer in integrated security tools. "It has to be blended at this point," he says, characterizing the university's planned security architecture. "But while the integrated pieces seem to work better for us in many situations, I am still buying separate appliances as well."

The university employs several stand-alone IDS appliances to monitor traffic passing through switches and uses firewalls at the network perimeter and in a server farm, he says.

Hope for intrusion detection

One of the newest and most closely watched areas of security is the bundling of intrusion-detection system capabilities.

Most security watchers agree that IDSs have yet to garner as many corporate users as the firewall. However, integration trends may break down some barriers to IDS use.

"I can't look at a single security appliance or integrated appliance and rest knowing that it will protect me," says Williamson, who says that the university's ongoing VoIP upgrade makes security even more vital.

"We are putting in 100M bit/sec connections to potentially hundreds of hackers sitting in their dorm rooms," he says. "I'm not going to put all my eggs in one basket."

Jones is a freelance writer in Vienna, Va. She can be reached at jjwriterva@aol.com.

Related Links

Technology Insider: Network-based intrusion-detection systems
Our monthlong test of eight products shows that setting up IDSes requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.
Network World, 06/27/02.

Everything you need to know about IDSes
Network World, 04/08/02.

Put to the test
New threats force intrusion-detection vendors to rearm.
Network World, 04/15/02.


Copyright, 1994-2006 Network World, Inc. All rights reserved.