The ability to deep-inspect a packet's payload
has opened up a whole new world of application-layer protection
technologies. Intrusion Prevention Systems (IPS) remain the
centrepiece of security infrastructure, followed by Security
Event/Information Management (SEM/SIM), Identity and Access
Management (IAM), and remediation management technologies.
From an infrastructure perspective, the focus of emerging
security technologies is moving upstream from platforms to
enterprise networks, and on to the Internet itself, driven
by the mounting exploitation of vulnerabilities at the network level.
Protecting platform and network
Evolving technologies such as Microsoft's Longhorn OS
(under its Trustworthy Computing initiative) will secure input
from devices such as keyboards, protect application data from modification,
encrypt storage, and provide attestation to enable the owner,
or a remote party, to verify whether the data or software has been modified.
Microsoft is also actively working with anti-virus vendors
to add features to its software that will make it possible
to verify that a user's desktop is secure and has up-to-date anti-virus
signatures in place before granting access to corporate resources.
The Trusted Platform Module (TPM) developed by
the Trusted Computing Group (an industry consortium led by
AMD, HP, IBM, Intel and Microsoft) has been around for two
years and is finally emerging in the mainstream. The TPM is
a chip fitted to PCs and notebooks that stores keys and records
measurements of the software loaded at boot, so that applications
can run on a platform whose state is verifiable and transactions
and communications can be tied to a trustworthy machine.
Network security technologies that foster trust by automatically
enforcing security policy compliance are now becoming universal.
A new security specification being developed by the Trusted
Computing Group, called Trusted Network Connect (expected
to be released by the end of this year), aims to remove the
danger posed by insecure PCs connecting to a corporate network,
a danger that has grown with the spread of laptops
and mobile computing devices in the enterprise.
Similarly, Cisco's Network Admission Control (NAC) program
(under its Self-Defending Network strategy) configures routers
to permit end-point devices such as PCs, PDAs, or servers
to connect to the network only if their security posture
complies with the network's security policies; non-compliant
devices can be refused or quarantined until they are remediated.
This enables the network to protect itself against viruses,
worms and other security threats.
Security devices in the network are more effective if they
can dynamically share information and cooperate with each
other in the face of an attack. Dynamic coalition security
technologies are emerging that not only permit real-time device-level
information sharing and interactions within a local network,
but also between devices in different administrative domains
distributed across WANs. Autonomic security technologies that
enable devices to learn and heal themselves while under attack
are on the horizon; and Survivability technologies are emerging
that can implant fault and intrusion tolerance mechanisms
into networks.
Securing the Internet
The Internet's weakest links are its domain name system
(DNS) and its core routing protocols, compounded by its
susceptibility to distributed denial-of-service (DDoS) attacks.
Because ordinary DNS answers carry no proof of origin, the DNS
can be spoofed to redirect or steal email, intercept pages
sent over the WWW, or impersonate the sites that users visit.
DNSSEC, a technology developed by the IETF, is being
adopted to secure the DNS. DNSSEC uses public-key digital
signatures (not encryption: the records themselves stay in the
clear) so that a validating resolver can verify that every
record it receives was published by the zone's owner and has
not been altered in transit, and can reject forged answers.
The protection only applies where the resolver actually validates.
The core Internet routing infrastructure is based on the Border
Gateway Protocol (BGP), which is highly vulnerable to attacks
because it has no mechanism to verify that a peer is authorised
to announce the prefixes and paths it advertises. An attacker
who can masquerade as a peer router, or who controls a misconfigured
peer, can reroute traffic. A weakness in TCP highlighted in April
of this year (a RST segment is accepted if its sequence number
falls anywhere within the receive window, so far fewer guesses are
needed than the full 32-bit sequence space) allows attackers to tear
down long-lived BGP sessions and so launch denial-of-service attacks
on Internet routers. Secure BGP (S-BGP) addresses these vulnerabilities
with a PKI, digital signatures over the route announcements themselves
(address and route attestations), and IPsec to protect the peering
sessions.
DDoS is a major concern, more so because of the anonymous
nature of the IP protocol, which makes it difficult to identify
the true source of a packet: an attacker can freely generate
DDoS packets with spoofed source addresses. The Source
Path Isolation Engine (SPIE) technology provides the ability
to identify the router nearest the source of an individual IP packet.
Rather than storing packets, SPIE has every router record a compact
hash digest of each packet it forwards (computed over the header fields
that do not change hop by hop, plus a prefix of the payload) in a
Bloom filter. Tracing a particular packet back to its source is then
a process of asking each router in turn whether its filter contains
that packet's digest, and following the positive answers upstream.
Because the filters are probabilistic, an occasional false positive
is possible, and the query has to be made before the filter covering
that time window is aged out.
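The following is an added example of the SPIE idea, written for this page rather than taken from the SPIE papers or any router vendor: each router keeps a Bloom filter of packet digests, and a traceback walks upstream from the victim's router following the routers whose filters contain the digest. The topology, addresses and packet contents are constructed, and the filter size is far smaller than a real deployment would use.

```python
"""Toy SPIE-style packet traceback (added example, not a real SPIE implementation)."""
import hashlib
from dataclasses import dataclass

FILTER_BITS = 1 << 16    # toy size; real SPIE uses large, time-sliced filters
NUM_HASHES = 3


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_id: int
    proto: int
    payload: bytes

    def invariant_bytes(self) -> bytes:
        # Only fields that stay constant hop by hop are hashed: TTL, TOS and the
        # header checksum are excluded; the first 8 payload bytes are included,
        # which is what makes individual packets distinguishable.
        return b"|".join([self.src.encode(), self.dst.encode(),
                          self.ip_id.to_bytes(2, "big"), bytes([self.proto]),
                          self.payload[:8]])


def digest_bits(pkt: Packet) -> list[int]:
    """Derive NUM_HASHES Bloom-filter bit positions from one SHA-256 of the packet."""
    h = hashlib.sha256(pkt.invariant_bytes()).digest()
    return [int.from_bytes(h[4 * i:4 * i + 4], "big") % FILTER_BITS
            for i in range(NUM_HASHES)]


class Router:
    def __init__(self, name: str, neighbours: list[str]):
        self.name = name
        self.neighbours = neighbours
        self.filter = bytearray(FILTER_BITS // 8)

    def forward(self, pkt: Packet) -> None:
        """Forward a packet: set its digest bits in this router's filter."""
        for b in digest_bits(pkt):
            self.filter[b >> 3] |= 1 << (b & 7)

    def may_have_seen(self, pkt: Packet) -> bool:
        # A Bloom filter never gives false negatives, but can give false positives.
        return all(self.filter[b >> 3] & (1 << (b & 7)) for b in digest_bits(pkt))


def traceback(routers: dict[str, Router], victim_router: str, pkt: Packet) -> list[str]:
    """Follow positive answers upstream from the victim's router; the path ends at
    the last router that saw the packet, i.e. the one closest to the true source."""
    path = [victim_router]
    visited = {victim_router}
    while True:
        upstream = [n for n in routers[path[-1]].neighbours
                    if n not in visited and routers[n].may_have_seen(pkt)]
        if not upstream:
            return path
        visited.add(upstream[0])
        path.append(upstream[0])


def build_demo_network() -> dict[str, Router]:
    # Constructed topology: attacker -- R1 -- R2 -- R3 -- victim; R4, R5 are side links.
    return {
        "R1": Router("R1", ["R2"]),
        "R2": Router("R2", ["R1", "R3", "R4"]),
        "R3": Router("R3", ["R2", "R5"]),
        "R4": Router("R4", ["R2"]),
        "R5": Router("R5", ["R3"]),
    }


def demo() -> list[str]:
    routers = build_demo_network()
    # Attacker behind R1 sends a flood packet with a spoofed (constructed) source address.
    spoofed = Packet(src="203.0.113.7", dst="192.0.2.10", ip_id=0x1A2B, proto=17,
                     payload=b"\x00" * 64)
    for hop in ("R1", "R2", "R3"):
        routers[hop].forward(spoofed)
    # The source address is useless, but the digests lead back to R1.
    return traceback(routers, "R3", spoofed)


if __name__ == "__main__":
    print("traceback path:", " -> ".join(demo()))
```

The spoofed source address plays no part in the trace; what identifies the path is that R1, R2 and R3 all hold the packet's digest while R4 and R5 do not. In a real deployment the filters are swapped out every few seconds, so the victim must ask quickly and the collected filters need to be archived for later queries.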
Plugging the Port 80 hole
Port 80 is now the primary passageway for web content
entering and leaving the corporate network, and port 80 traffic
will only increase following the official ratification
of the 'Web Services Security 1.0' specification in April
of this year, which will serve as the foundation for building
security into Web services and pave the way for widespread
corporate adoption.
With 70% of all intrusion attempts targeting port 80, the
battlefield has moved from the network layer to the Web applications
themselves. Many firewalls in use today allow port 80 requests
to pass through a network's perimeter (in order to reach a
Web server) with just rudimentary protocol checks, potentially
allowing malicious code to slip through the barrier.
Web application security technologies to plug the port 80
hole are appearing. Web application firewalls (like the KaVaDo
security platform) address different types or segments of
application-layer threats, both known and unknown, by inspecting
the HTTP requests themselves rather than just the connection.
Specialized intrusion prevention systems focusing on .NET services
and XML transactions, and vulnerability scanners that find
holes in web servers and applications, are now becoming ubiquitous.
Secure messaging applications
The bulk of corporate traffic moves over email, inviting
hackers and spammers to exploit this avenue. Spamming, phishing,
and using email as a carrier of malicious code into corporate
networks are becoming routine. This is mainly due to the ease
with which an attacker can forge the sender address, which
SMTP itself does nothing to verify.
Messaging technologies are now using the Internet's DNS to authenticate
the sender of an email, thus thwarting email spoofing: the domain
owner publishes in DNS which hosts may send mail for it, and the
receiving mail server checks the connecting host against that policy.
In February of this year, Microsoft announced its Caller ID for
Email specification (under its Coordinated Spam Reduction
Initiative), which aims to prevent email spoofing. Other
similar technologies to detect spoofed email addresses used
by spammers and phishers to disguise identities are Meng Wong's
Sender Policy Framework (SPF) and the Lightweight MTA Authentication
Protocol (LMAP) work under way in the IETF. Note that SPF checks the
envelope sender, so a forged display address in the From: header is
still possible. Yahoo has developed an authentication scheme using
digital signatures called DomainKeys, which lets the receiver verify
the message itself rather than only the sending host.
In late May 2004, Microsoft proposed merging its Caller ID
measure with SPF (the combined proposal became known as Sender ID).
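To make the DNS-based sender check concrete, here is an added example of an SPF (v=spf1) evaluator, written for this page rather than taken from the SPF reference implementation or any vendor. It supports the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers; the TXT records, domains and addresses are constructed and stand in for live DNS lookups so that it runs offline. The mx, a, ptr and exists mechanisms are not implemented.

```python
"""Minimal SPF (v=spf1) evaluator (added example; not the SPF reference code)."""
import ipaddress

# Constructed TXT records standing in for DNS; no network access is made.
CONSTRUCTED_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.17 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, dns: dict = CONSTRUCTED_TXT, depth: int = 0) -> str:
    """Return the SPF result for mail claiming `domain` delivered by the host `client_ip`."""
    if depth > 10:                      # RFC 4408 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no policy: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means pass-on-match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # ipaddress never matches a v4 address against a v6 network or vice versa.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only when the referenced policy returns pass;
            # that policy's fail/softfail results do not propagate.
            if check_spf(argument, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and modifiers are treated as no-match in this toy
    return "neutral"                    # record ended without a match


if __name__ == "__main__":
    for sender_ip in ("192.0.2.55", "198.51.100.17", "203.0.113.9", "2001:db8::1"):
        print(sender_ip, "->", check_spf("example.com", sender_ip))
```

A receiving MTA applies the result at SMTP time: a "fail" from a domain that ends its record with -all can be rejected outright, while "softfail" (~all) is normally used only as a scoring input, because legitimate mail forwarded through an intermediate host will arrive from an IP the domain never listed.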
Email application firewalls integrate multiple capabilities
like anti-spam, anti-phishing, anti-virus, email policy enforcement,
email privacy and gateway protection into a single platform,
with capability to analyze, manage and report on email traffic
flowing in and out of the organization. Email archiving technologies
are becoming widespread to meet compliance requirements of
Acts that mandate preservation of email records.
Though Instant Messaging (IM) usage has become commonplace
within the enterprise, consumer IM protocols are very difficult to
control at the perimeter, and contain no provisions for message logging,
confidentiality, or authentication. Rogue use of IM is therefore a real
possibility, with serious repercussions. Emerging IM technologies
control who can use IM, which IM protocols are allowed, which features
are enabled, and whom users may IM or chat with (within the
company and/or outside the company). Thus rogue IM usage is
contained, while IM remains available for authorised business communications.
Remediation technologies
Active vulnerability scanning that probes or simulates
attacks on network components can crash production systems.
The emergence of effective passive vulnerability scanning technologies
(such as Tenable's NeVO), which infer hosts, services and versions
from traffic they observe rather than from packets they send, has
made it feasible to monitor the network continuously for vulnerabilities
without network degradation or threat to production systems.
Technologies for automated and remote patch deployment, such
as PatchEasy, remove much of the complexity and drudgery of enterprise
patch management. While patch management software has been
around for a while, emerging technologies add the ability
to verify a patch's suitability before applying it in a production
environment.
Security technologies that manage configuration control -
documenting changes, troubleshooting problems, controlling
access, and enabling disaster recovery, are being integrated
with security event and information management consoles to
provide a holistic security management solution.
Secure remote and wireless access
SSL VPN technology is rapidly taking the place of traditional
IPsec VPNs, which were designed for site-to-site connectivity, for remote
access. SSL VPNs offer greater scalability and flexibility for remote
users, combining SSL encryption with proxy technologies. SSL
provides client and server authentication and data encryption
between Web servers and Web browsers, and needs no client software
beyond the browser.
Crucial flaws in the 802.11 WEP security protocol (a 24-bit
initialisation vector that inevitably repeats, so that keystreams
are reused, and RC4 key-scheduling weaknesses that let the key be
recovered from captured traffic) have been the bane of wireless LANs.
Wi-Fi Protected Access (WPA) replaced WEP as the standard 802.11
WLAN security in March 2003, and WPA-compliant products started
shipping in May 2003. Now, the WPA2 specification is on the horizon
(it was scheduled to be released in December 2003). WPA2 is a superset
of WPA with a full implementation of the 802.11i security standard,
including AES-based encryption (CCMP) and 802.1X authentication.
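The keystream-reuse flaw is easy to see in code. The block below is an added example written for this page (not taken from any WEP implementation or vendor): it encrypts two frames WEP-style, RC4 keyed with IV || root key and the IV sent in the clear, and shows that a single known plaintext under a repeated IV exposes the other frame. The key, IV and frame contents are constructed; the CRC-32 integrity value that WEP appends is omitted, and the RC4 key-recovery attack is not shown.

```python
"""WEP keystream reuse under a repeated IV (added example, not vendor code)."""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling, then XOR the data with the generated keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||root_key}(plaintext). The per-packet key is just the
    24-bit IV prepended to the shared 40- or 104-bit key, and the IV goes out in clear."""
    assert len(iv) == 3 and len(root_key) in (5, 13)
    return iv + rc4(iv + root_key, plaintext)


def recover_with_known_plaintext(frame_a: bytes, known_plaintext_a: bytes,
                                 frame_b: bytes) -> bytes:
    """Given a frame whose plaintext is known and a second frame with the same IV,
    recover as many bytes of the second plaintext as the known plaintext is long."""
    assert frame_a[:3] == frame_b[:3], "attack needs two frames with the same IV"
    keystream = bytes(c ^ p for c, p in zip(frame_a[3:], known_plaintext_a))
    return bytes(c ^ k for c, k in zip(frame_b[3:], keystream))


def expected_frames_until_iv_repeat() -> int:
    """Birthday estimate: with random 24-bit IVs a repeat is expected after about
    sqrt(pi/2 * 2^24) frames, i.e. minutes on a busy network."""
    return round(math.sqrt(math.pi / 2 * 2 ** 24))


def demo() -> bytes:
    root_key = bytes.fromhex("0badc0ffee")            # constructed 40-bit WEP key
    iv = bytes.fromhex("010203")                       # the card reuses this IV
    # Constructed frames: a predictable HTTP request, then a login form post.
    known = b"GET /index.html HTTP/1.0\r\n"
    secret = b"user=alice&pw=hunter2"
    frame_a = wep_encrypt(root_key, iv, known)
    frame_b = wep_encrypt(root_key, iv, secret)
    return recover_with_known_plaintext(frame_a, known, frame_b)


if __name__ == "__main__":
    print(demo())
    print("IV expected to repeat after ~%d frames" % expected_frames_until_iv_repeat())
```

The attacker never learns the root key here; reuse of the keystream alone is enough. WPA's TKIP mixes the key per packet and widens the IV to 48 bits, and WPA2's CCMP replaces RC4 with AES in a mode that requires a unique nonce per frame, which is why neither is open to this attack.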
Apart from the inherent vulnerabilities of the WLAN protocols,
one of the main reasons why organizations shy away from using
wireless is that in larger environments with over 15-20 Access
Points (often found in campuses, hospitals etc), the control
over the network becomes heavily decentralized making it difficult
to enforce security policy. Also, rogue Access Point detection
becomes daunting. Emerging security technologies address these
concerns with centralised WLAN management and rogue-AP detection,
making it practical to deploy WLANs in such environments.
Employees are increasingly using PDAs to send mail and access
the corporate network. The devices can easily be lost or stolen,
compromising sensitive corporate data or access to the network.
Enforcing control over PDAs has become an imperative. PDA
security technologies protect data stored in the PDA through
strong encryption, and deny unauthorized access to data by
automatically wiping it if the PDA is lost or stolen. The
technologies also prevent users from running unauthorized
applications, and set individual and enterprise-wide policies
(like minimum password length).
Other areas
Most security breaches unfold over a period of time, sometimes
over many days or even weeks. Vital evidence generated in the
period leading up to the breach (probes, failed login attempts
and so on) is mostly overwritten or lost by the time it is needed.
Now, stream-to-disk technology (in products like InfiniStream
and Niksun) efficiently captures and stores all traffic on
the network, providing a complete packet-level history of
all network activity spanning long periods and permitting
action replays of HTTP, FTP, POP3, VoIP, SMTP and IRC sessions.
Such forensic capability is vital for gathering evidence that
substantiates an intrusion. The capture store itself holds every
credential and document that crossed the wire, so it needs the
same protection as the systems it watches.
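An "action replay" is built from stored packets by reassembling the byte stream in sequence-number order. The block below is an added example written for this page, not code from InfiniStream, Niksun or any capture product: it takes one direction of a TCP conversation as the (sequence number, payload) pairs a capture store would hand back, puts them in order, discards a retransmission, flags a segment that was never captured, and then reads the HTTP request back out. The segments and their contents are constructed.

```python
"""Reassemble one direction of a captured TCP stream and replay the HTTP request
(added example; not the software of any capture vendor)."""

# Constructed capture: client -> server half of an HTTP session, ISN 1000.
# Segments are listed in the out-of-order sequence they were stored.
CAPTURED_SEGMENTS = [
    (1051, b"\r\n\r\n"),                      # end of headers, 4 bytes
    (1000, b"GET /login HTTP/1.0\r\n"),       # 21 bytes, next seq 1021
    (1021, b"Host: intranet\r\n"),            # 16 bytes, next seq 1037
    (1021, b"Host: intranet\r\n"),            # retransmission of the same segment
    (1055, b"user=alice&pw=hunter2"),         # POST-style body, 21 bytes
    # The segment at seq 1037 ("Cookie: sid=42", 14 bytes) was never captured.
]


def reassemble(segments, isn):
    """Order segments by sequence number, drop bytes already delivered, and record
    gaps where the capture is missing data. Gap bytes are filled with '?' so that
    offsets in the returned stream still line up with sequence numbers."""
    stream = bytearray()
    gaps = []
    next_seq = isn
    for seq, data in sorted(segments, key=lambda s: s[0]):
        end = seq + len(data)
        if end <= next_seq:
            continue                               # whole segment already delivered
        if seq > next_seq:
            gaps.append((next_seq, seq))           # missing from the capture
            stream.extend(b"?" * (seq - next_seq))
            next_seq = seq
        stream.extend(data[next_seq - seq:])       # trim any partial overlap
        next_seq = end
    return bytes(stream), gaps


def replay_http_request(stream: bytes) -> dict:
    """Split a reassembled client stream into request line, headers and body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return {
        "request": lines[0].decode(errors="replace"),
        "headers": [line.decode(errors="replace") for line in lines[1:]],
        "body": body,
    }


def demo():
    stream, gaps = reassemble(CAPTURED_SEGMENTS, isn=1000)
    return replay_http_request(stream), gaps


if __name__ == "__main__":
    replay, gaps = demo()
    print(replay["request"])
    for header in replay["headers"]:
        print(header)
    print("body:", replay["body"])
    print("missing byte ranges:", gaps)
```

The gap list matters as much as the replay: a run of "?" in a header line tells the investigator that the capture, not the attacker, is responsible for the odd bytes, and the sequence numbers say exactly how much is missing. The reverse direction of the flow is reassembled the same way, keyed on the server's sequence numbers.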
The strength of the most widely used public-key system, RSA,
lies in the difficulty of factoring large numbers: the larger
the modulus, the harder it is to factor. (Symmetric ciphers are a
different matter; the move from 64-bit to 128-bit symmetric keys
was about resisting exhaustive key search, not factoring.) As the
processing speed of computers increases, a given modulus size becomes
cheaper to factor, forcing the use of longer keys to attain the same
level of security: 512-bit RSA moduli, once common, were factored
in 1999, and 1024-bit moduli are now the minimum recommended. Grid
and distributed computing make large amounts of processing power
available on demand and have already been used to break 56-bit DES
by brute force and to factor 512-bit moduli; they do not, however,
make factoring a breeze, because the cost of the best known factoring
algorithms still grows super-polynomially in the key size, so each
doubling of the modulus costs an attacker many orders of magnitude more
work. The long-term threat to factoring-based cryptography is a large
quantum computer running Shor's algorithm, which remains theoretical.
Meanwhile quantum cryptography, more precisely quantum key distribution
(QKD), is appearing: it distributes keys using the properties of
quantum physics so that any eavesdropping on the key exchange is
detectable, although it still relies on conventional ciphers to protect
the data itself and its hardware implementations can have weaknesses of
their own. QKD has already moved out of the lab into the real world.
Companies like Magiq and ID Quantique have already sold hardware to
several customers in the Government and armed forces keen to protect
data with quantum cryptography.
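The claim that longer moduli outrun faster hardware can be checked against the running time of the general number field sieve, the best known classical factoring algorithm for RSA moduli. This is an added worked estimate, not a figure from the original article; the $o(1)$ term is dropped, so the absolute numbers are rough and only the ratios matter:

$$
L_N\!\left[\tfrac{1}{3}, c\right] = \exp\!\Big((c + o(1))\,(\ln N)^{1/3}\,(\ln \ln N)^{2/3}\Big), \qquad c = \left(\tfrac{64}{9}\right)^{1/3} \approx 1.923
$$

Evaluating with $c$ alone for $N = 2^{512}$, $2^{1024}$ and $2^{2048}$ (so $\ln N \approx 355$, $710$ and $1420$):

$$
L_{2^{512}} \approx e^{44} \approx 2^{64}, \qquad
L_{2^{1024}} \approx e^{60} \approx 2^{87}, \qquad
L_{2^{2048}} \approx e^{81} \approx 2^{117}
$$

Going from 512 to 1024 bits multiplies the attacker's work by roughly $2^{23} \approx 7 \times 10^{6}$, and from 1024 to 2048 bits by roughly $2^{30} \approx 10^{9}$. A grid that is a million times faster than a single machine therefore buys back less than one doubling of the modulus, which is why key-size growth has kept pace with computing power rather than being overtaken by it. (NIST's calibrated equivalents, which account for the dropped term, put 1024-bit and 2048-bit RSA at about 80-bit and 112-bit security respectively.)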
Target-based IDS technologies that can slash alert noise are now
available. The older generation of IDS spewed alerts indiscriminately,
leaving it to the administrator to work out whether each alert
mattered. Automating the process of qualifying an alert as relevant
or irrelevant is the big advantage of the target-based IDS: before
sounding an alert it checks whether the targeted host actually runs
the service and version the attack exploits, drawing on an asset
inventory that a passive vulnerability scanner can build and keep
current. That check is what differentiates target-based IDS from
the older generation.
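The two ideas, passive inventory and target-based alert qualification, fit together, so one added example covers both the passive vulnerability scanning passage under "Remediation technologies" and the target-based IDS passage here. It is written for this page and is not NeVO, any Tenable code, or any IDS vendor's logic: part one builds a host/service inventory purely from banners observed in captured traffic, and part two uses that inventory to decide whether an alert is relevant before it is raised. The banners, alert records and signature names are all constructed.

```python
"""Passive inventory feeding a target-based IDS (added example; not a vendor product)."""
import re

# Constructed observations from a passive sniffer: (server ip, port, banner seen in traffic).
OBSERVED_BANNERS = [
    ("192.0.2.10", 80, "Server: Apache/1.3.29 (Unix)"),
    ("192.0.2.11", 80, "Server: Microsoft-IIS/5.0"),
    ("192.0.2.12", 22, "SSH-1.99-OpenSSH_3.7.1p2"),
]

BANNER_PATTERNS = [
    re.compile(r"Server: (?P<product>[\w-]+)/(?P<version>[\d.]+)"),
    re.compile(r"SSH-[\d.]+-(?P<product>OpenSSH)_(?P<version>[\d.]+)"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'1.3.29' -> (1, 3, 29); tuples compare in version order."""
    return tuple(int(part) for part in text.strip(".").split("."))


def build_inventory(observed):
    """Map (host, port) -> (product, version) from banners alone; no packets are sent,
    so nothing on the production network can be crashed by the scan."""
    inventory = {}
    for host, port, banner in observed:
        for pattern in BANNER_PATTERNS:
            match = pattern.search(banner)
            if match:
                inventory[(host, port)] = (match["product"], parse_version(match["version"]))
                break
    return inventory


# Constructed alerts; 'affects' names the product and the highest vulnerable version.
ALERTS = [
    {"sig": "IIS ISAPI buffer overflow attempt", "dst": "192.0.2.10", "port": 80,
     "affects": ("Microsoft-IIS", (5, 0))},
    {"sig": "IIS ISAPI buffer overflow attempt", "dst": "192.0.2.11", "port": 80,
     "affects": ("Microsoft-IIS", (5, 0))},
    {"sig": "OpenSSH buffer management overflow", "dst": "192.0.2.12", "port": 22,
     "affects": ("OpenSSH", (3, 7, 0))},
    {"sig": "Apache chunked encoding overflow", "dst": "192.0.2.99", "port": 80,
     "affects": ("Apache", (1, 3, 24))},
]


def qualify(alert, inventory) -> str:
    """Target-based qualification: does the target run the product and version the attack needs?"""
    service = inventory.get((alert["dst"], alert["port"]))
    if service is None:
        return "unknown-target"        # nothing observed yet: keep the alert, at lower confidence
    product, version = service
    vuln_product, max_vuln = alert["affects"]
    if product != vuln_product:
        return "irrelevant"            # e.g. an IIS exploit aimed at an Apache server
    return "relevant" if version <= max_vuln else "patched"


def triage(alerts, inventory):
    """Attach a verdict to every alert; only 'relevant' ones deserve a page at 3 a.m."""
    return [(a["sig"], a["dst"], qualify(a, inventory)) for a in alerts]


if __name__ == "__main__":
    inv = build_inventory(OBSERVED_BANNERS)
    for sig, dst, verdict in triage(ALERTS, inv):
        print(f"{verdict:15} {dst:12} {sig}")
```

Two cautions apply in practice: banners can be changed or hidden, so a passive inventory should be treated as evidence rather than proof, and an "unknown-target" verdict must not be silently dropped, since a host the sniffer has never seen is exactly the kind of host an attacker finds first.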
Anti-virus technologies based on signature or heuristic detection
are ineffective at best to mitigate unknown or zero-day worm/virus
attacks. Technologies (such as McAfee's VirusScan 8.0i) are
evolving to surmount this limitation through incorporation
of Intrusion Prevention mechanisms into traditional AV.
Anti-Worm (AW) technologies providing specialized protection
against worm threat are becoming popular. The AW solution
divides the network into smaller segments with AW appliances
deployed at strategic locations inside each segment. Each
appliance can identify the early signs of a worm outbreak
and act automatically to suppress it.
Bottom line
Security technologies have been emerging to counter threats
as they arise. Some of these, like the IPS, have been exceptionally
effective. However, most security technologies succeed in
managing the risk only partially. This is because, in addition
to technologies, effective risk management also requires the
right mix of people and processes.