Network security doesn't stop at the perimeter
Exhibitors at the RSA Security Conference this week are focusing on what is inside the network, not just on what is outside trying to get in.
SAN FRANCISCO?The proliferation of mobile devices connecting with networks and of blended threats exploiting multiple avenues of attack are changing the way security is implemented.
Exhibitors at the RSA Security Conference this week are focusing on what is inside the network, not just on what is outside trying to get in.
"Firewalls don't stop everything," said Greg Stock, vice president of sales and marketing for Mirage Networks Inc. of Austin, Texas.
And insiders are recognized as the largest source of security headaches. "In most cases, it is not malicious intent" that produces insider threats, it is carelessness, Stock said.
Poorly configured computers, unauthorized software and sloppy security practices can move threats into the core of the enterprise, and outward-facing security is not enough. Mirage is touting its new Inverted Firewall as a tool to identify and isolate malicious behavior inside a network.
InfoExpress Inc. of Mountain View, Calif., is announcing a gatekeeper that enforces security policy on all devices connecting to the network, whether internal or external, and WebWasher USA AG of Santa Clara, Calif., is releasing a filter for instant messaging and peer-to-peer file sharing.
Unlike a perimeter firewall that blocks all traffic except what is allowed, Mirage's Inverted Firewall allows all traffic except that recognized as malicious.
"It's a traffic cop rather than a roadblock," Stock said.
The Internal Firewall is deployed in access layer switches. Behavioral algorithms "learn" normal network patterns to identify abnormal behavior. The firewall also detects packet activity against unused IP addresses, a telltale sign of an attack, to provide early warning of malicious activity. It also uses a network's unused IP addresses as a sort of honeynet, providing them with false attributes and counterfeit responses to help camouflage real network devices and draw the attention of attackers.
Mirage, which released the firewall in December, has attracted some state and local customers and is talking to some feds, Stock said. But the product has not yet been certified to the Common Criteria for security devices.
"For a company our size to spend the $150,000 to $200,000 to get a certification is difficult," Stock said.
Federal regulations allow agencies to buy uncertified products with a promise from the vendor that it will become certified. Stock said Mirage expects to follow that path with its Inverted Firewall.
InfoExpress takes what some might call a cynical approach in enforcing security policy with its CyberGatekeeper.
"Systems are untrusted by default," said chief executive officer Stacey Lum. Every device trying to connect with the network is quarantined until an audit is performed.
The original product released in 2002 audited remote devices connecting to a network. CyberGatekeeper LAN, being announced this week, performs the same function on devices?desktop and notebook PCs, PDAs and wireless access points?logging onto the network from inside the enterprise.
Upon logging on, each device is shunted to a secure quarantine area and not allowed on the network until it passes muster.
"Authentication is not enough," to reach the network, Lum said. An audit is conducted to ensure that each device meets policies for configuration and for required and forbidden software.
CyberGatekeeper has three components:
William Jackson, who writes for Government Computer News magazine, was at this week's RSA Security Conference.