Security issues to dominate Interop

Dec 12, 2005 (6 mins)

As Interop New York opens its doors for the first time this week, the focus will be on security and the effect of government regulations on network design and operations.

Vendors, including Avaya, Aventail and Lockdown Networks, are using the show as a platform to launch new security products, and the keynote list has been revised to add a talk on security services.

AT&T pulled President David Dorman from the list of speakers and replaced him with the company’s chief information security officer Ed Amoroso, who plans to outline AT&T’s road map for corporate security services. “The corporation wants to stress security,” a spokeswoman said, but declined to say whether Amoroso will announce new services.

The heightened interest in keeping networks safe stems in part from increasing government and industry regulations that make business executives more responsible for data security, says Allan Carey, an analyst with IDC, whose report on security has just been released. The study, called “2005 Global Information Security Workforce,” finds that about 21% of CEOs now bear ultimate responsibility for information security, up from about 12% last year.

High-profile thefts of personal customer information and the use of computer forensics to uncover corporate wrongdoing are prompting business executives to seek training in these technologies, Carey says. “Shifts in attacks, tactics and [attack] vectors require security professionals to fine-tune existing skills and learn new techniques,” the study says (see graphic).

Theft of student information is a top concern of the U.S. Merchant Marine Academy in Hunts Point, N.Y., says the school’s CIO Howard Weiner. The problem is compounded by the use of laptops by the roughly 1,000 undergraduates, who take their machines with them when they travel around the world during their year at sea. “They come back severely compromised,” Weiner says.

To address these problems, the school beta-tested access-control gear from Lockdown Networks that will be announced at Interop.

New software for its Enforcer appliance makes it possible to carry out network security policies on smaller and smaller switches, giving security executives tighter control of each machine on the network.

Enforcer can impose access policies via unmanaged hubs and switches, not just via switches that are networked under a unified management system.

The gear first checks that computers meet security configuration policies before they are admitted to the network, and then controls what resources they are allowed to reach by enforcing policies at switch ports.

The appliance has dramatically cleaned up student computers at the Merchant Marine Academy, Weiner says. Enforcer security scans found more than 4,000 infections that could turn the student laptops into slaves on bot nets, he says.

Non-tech execs seek knowledge

This trend toward non-technical executives seeking IT knowledge is reflected by the makeup of people pre-registered for the show, says Lenny Heyman, the general manager for Interop. The list of attendees shows that 45% of those registered hold general business titles, not technical titles, he says.

Growing security concerns also include keeping businesses up and running in the face of terrorism or natural disasters, Carey says.

For instance, the American Red Cross relied on VoIP phones to set up emergency aid offices in its efforts to help after Hurricane Katrina, says David Craig, chief engineer for the agency’s response technology unit in Washington, D.C. It used beta versions of Avaya IP phone software – to be announced at Interop – that supports secure IPSec VPN connections for phone calls.

This made it possible to deploy the phones wherever Red Cross workers found Internet connections, Craig says.

The phones tunneled securely over the Internet to an IP PBX that Avaya provided for the emergency, he says, and switched calls through the PBX to the public phone network. The same technology can enable distributed call centers, where agents work at home, without having to issue separate VPN appliances for each worker.

The VPN support is key for punching a call through corporate firewalls to PBXs, Craig says, because it eliminates the need to make the firewall VoIP-aware. Removing the firewall and exposing an IP PBX to the Internet would also expose it to denial-of-service attacks and to hijackers who would try to make calls on it for free, he says.

For businesses that want to secure Web conferencing as well as VoIP chat, Aventail plans to announce at Interop an appliance that supplements its SSL VPN gear.

Security needs

Security is a major theme at Interop this week, and as a new IDC study finds, it holds a top priority for corporate executives, who say these are the 10 areas where they need more training:

1. Business continuity and disaster recovery.
3. Information risk management.
5. Security management.
6. Access control.
7. Law, investigations and ethics.
8. Security for applications and systems development.
9. Code of practice for information security (ISO/IEC 17799).
10. Security architecture and models.

The Aventail Secure Collaboration appliance sets up Web conferences on the fly and protects them via SSL supported by a separate Aventail SSL VPN appliance. The appliance also supports instant messaging.

Protecting Web application servers from attack is another security concern that will be addressed by Coyote Point with its announcement of a new application front-end appliance that includes a Web application firewall as a software option.

The hardware would be deployed in a data center or server farm in front of Web or application servers. Offloading tasks such as compression, SSL acceleration and other features allows users to reduce processing load on servers and make applications run more efficiently.

Add-on hardware and software modules include bandwidth management and traffic prioritization; HTTP application compression; SSL acceleration (as many as 10,000 transactions per second); packet filtering for protecting data-center applications; and an SNMP module for managing the device remotely.

The New York Interop is an attempt at a comeback. The East Coast edition of Interop, held in Atlanta, folded in 2002, leaving only spring Interop in Las Vegas. But that put Interop out of reach for half the country, Heyman says. For example, at the Las Vegas show earlier this year, 79% of the attendees were from the West Coast. Of those registered to attend the New York show, 84% are from east of the Mississippi.

The scale of the New York show is a far cry from the old Interop Atlanta, which at its peak drew 50,000 attendees and more than 400 exhibitors. New York organizers are promising a turnout of 5,000, and the show Web site lists about 140 exhibitors.

Heyman acknowledges that sandwiching the show between Thanksgiving and Christmas is not the best timing, but that was the only slot available when organizers decided to give it a go earlier this year.

That may have kept some exhibitors away. Cisco, for example, has no presence at the show. Next year the show will be held in September, when people are more likely to free up time to attend, he says.