Protected by the network gear

Some switches and routers now can identify, prevent or at least lessen the effect of security threats, but interoperability, performance and management are sticking points.

As you mop up after the latest worm attack and chat with your network infrastructure vendors, talk inevitably will turn to preventive and protective measures. Chances are, your vendors will encourage you to secure every switch and router, making your infrastructure gear part of the layered security approach you are taking toward security under the new data center.

You just never know when or where software will be waylaid by its next vulnerability, the vendors will say. As such, they’ll argue, switches and routers should be smart enough to be your helpmates – able to recognize and halt buffer overflows, quarantine infected or unknown clients or help push out patches.

That’s a particularly logical gambit in discussions of zero-day attacks, in which the hacker games begin the same day that the software vulnerability is publicized. But just as experienced shoppers know that you never ask a tire salesman if you need new tires, so do enterprise network executives understand that they must do their homework when vendors push security frameworks. That means, of course, pushing back – and hard – to make them prove their claims of performance, interoperability and management.

Still, zero-day attacks highlight a continuing enterprise challenge: the drawbacks of the hard-shell/soft-center architecture created by traditional network security designs. Such designs might make the perimeter harder than nails, but that won’t stop a rogue internal user or a corrupted download from making a shambles of the whole network, says Timon Sloane, director of product management at Extreme.

Preventing the network infrastructure from turning to mush is behind gear vendor’s latest strategies such as Cisco’s Self-Defending Network, Enterasys Networks’ SecureNetworks, Extreme’s Clear-Flow and Nortel’s Unified Security Framework. Everybody wants to make sure their network equipment can help identify, prevent or at least lessen the impact of security threats.

Cisco has the NAC

Cisco has its Network Admission Control (NAC) program for using network infrastructure devices to prevent the spread of viruses and worms. NAC, which Cisco defined with the help of anti-virus vendors Symantec and Trend Micro, falls under the Self-Defending Network umbrella.

As a start, Cisco offers Cisco Security Agent (CSA). The CSA software, which runs on user clients and enterprise servers, authenticates users and provides policy-based access. If users have not updated their desktops with the latest patch for Microsoft’s Internet Explorer or don’t have the latest virus’ digital signature files, the CSA would quarantine the non-compliant devices or restrict access.

With this effort is a focus on tougher security for VPNs. Cisco has extended link-layer encryption to IPSec- and Secure Sockets Layer (SSL)-based VPNs. Previously available only for SSL VPNs, link-layer encryption ensures the security between every two endpoints that an IP tunnel traverses from origin to destination. Each link might use a different encryption key or algorithm.

Cisco also is looking at certificate exchanges as a way to make positive identification of a user and handle identity management, says Jeff Platon, senior director of product and technology marketing for Cisco.

The company also is researching a VPN model that goes beyond IPSec, SSL or a dedicated service, creating secured links between all nodes on the Internet, he says. That would mean embedding ASICs in public and private switches and routers to use link-layer encryption that’s more tightly integrated to the application in use – whether it’s e-mail, an accounting package or a large e-commerce transaction.

In the holding cell

While Siemens Energy and Automation (SEA) hasn’t necessarily embraced Cisco’s whole NAC program or Self-Defending Network concept, it has found the CSA piece a godsend. SEA relies on the authentication software to support almost 11,000 internal users and multiple third parties accessing Web-based applications, says Kathy Taylor, information security officer at the Alpharetta, Ga., company.

This sort of authentication is great for ensuring that SEA engineers, who spend more time at customer sites than they do at the home office, do not infect the internal network, she says. “We want to be able to grab their devices and make sure they’re up to date when they initiate dial-up connectivity,” she says.

Taylor says she doesn’t foresee the need to blanket SEA’s switches and routers with Cisco security software, but cautions that she views the issue from a WAN-facing perspective.

A product such as CSA is an easier business case to make than security software for all switches and routers, perhaps in part because it deals with a specific piece of the network and a few critical functions, she says.

Al Foitag, chief network architect for a major Hollywood movie studio that he doesn’t want named, also likes the idea of being able to quarantine users – building what he calls a “jail network.” He would send users who can be authenticated but who have not been on the network before – consultants, customers and partners, for example – to this location.

“Put them somewhere that they can be checked for patches and scanned before they are given an IP address,” Foitag says. If they’re not policy-compliant, then the users could either open a trouble ticket or go to a self-remediation environment.

But interoperability – or the lack thereof – is a problem. “The trouble right now is that all of that is very specific to a certain vendor’s hardware and software,” Foitag says. “If they pitch a client-specific approach and say ‘Replace all your switches with this Cisco device,’ then I’m not buying.”

Mining switch security

While we might be several versions shy of interoperable security, vendors are pushing ahead with new enrichments. Extreme has focused on embedding security functions into its BlackDiamond 10K, a 10G Ethernet switch. BlackDiamond features Clear-Flow to detect network anomalies such as viruses. Clear-Flow can provide detailed views of network traffic, examining all traffic destined for the accounting server or all telnet packets, Sloane says. It just depends on the policy the user wants to implement.

Clear-Flow also can filter traffic and track how many kinds of certain events are taking place, such as SYN packets flooding a server (a precursor to a denial-of-service attack) or how many new connections are being initiated from a network node (a sign a worm is propagating itself). When these events hit certain thresholds, Clear-Flow immediately will direct the traffic off the network to mirror ports and send alerts to network administrators.

Clear-Flow also can activate specific network policies when certain conditions appear. For example, it can quarantine the accounting server or block telnet traffic at all network ingress points.

Clear-Flow can support 128,000 rules or policies and penetrate into incoming packets to check digital signatures or for a code string associated with a certain virus, for example.

While these Clear-Flow capabilities are only available now on the Extreme’s 10K switch, the long-term plan is to enable them across its entire product line.

In principle, this type of approach to network security is great, says David Silversmith, CTO of Carfax, an automobile sales and information Web site. But he points out two problems with it. The first is the overhead added to each network infrastructure device when it becomes security-enabled. The second is device management gets more difficult when security functions are added.

Silversmith compares adding anti-virus, firewall and intrusion-detection features into switches and routers to the all-in-one printer, copier and scanner device that locks up all functions if one fails.

“When I add nine things to the router, will I reduce its reliability?” he asks.

As an e-commerce site, Carfax cannot risk a performance impact. “Running slow is almost as bad as being down,” he says.

Foitag and Silversmith point out that manageability and interoperability are big issues that beg the question of whether switches and routers are the best places to house a rich menu of security services.

“Getting security functions tangled up in very expensive switches means that upgrading to new capabilities will be slower and more expensive,” says John Pescatore, a Gartner security analyst.

Firewall vendor NetScreen Technologies has added many application-level intrusion-prevention features, but Cisco has little capability in that area, Pescatore says.

Switches and routers have broader reach, and that level of complexity takes time to develop and implement – just ask Microsoft. But that didn’t stop Juniper from acquiring NetScreen in a stock transaction valued at $4 billion. That deal, expected to close in the second quarter, should give Juniper’s enterprise customers richer embedded security features in its M-series of high-capacity edge routers.

As enterprise users investigate new network infrastructure, they need to be aware of hackers’ remarkable innovation and flexibility.

If companies are hampered by a switch operating system and a blade architecture, and can only apply security where the switch is, their reaction time is going to be longer. That becomes a problem as zero-day worm attacks become the norm.

As with other big-ticket network purchases, pragmatism will guide most enterprise security buyers. The layered approach permits them to add where they can or where they must, without making wholesale changes to their network. And they can implement security policies for different departments or equip a location with application-level protection.

And that’s a welcome change from tire salesman tactics.

Sweeney is a writer and editor in Los Angeles who has covered IT and networks for 20 years. He can be reached at terry@tsweeney.com .