Computerworld - My company has good security, but at times it's too good. Occasionally users complain that the level of security is too high. When that happens, we try to work with them to find a way that they can still get their jobs done. But despite our best efforts, we can't always find a solution. When that happens, either we in the IT security group have to bite the bullet and accept the risk, or the users must accept the fact that they can't do what they wanted.
Recently, however, we were on the receiving end, when a security project was derailed by product limitations and the policies of our networking team.
The problem came up as we began outfitting and configuring a new data center. It's always a pleasure to work on a "greenfield" IT project because you can avoid compromises made by others in the past. It seemed the perfect time to update and deploy improvements to our monitoring infrastructure.
We currently run host-based intrusion detection on all desktops and critical servers, and we run network-based intrusion detection at our perimeter entry and exit points. Although Gartner Inc. analysts recently predicted the imminent demise of intrusion-detection systems (IDS), they have worked very well for us, and we're sticking with them in our new data center. We do see a threat from the increase in encrypted network traffic that's blinding our IDSs. Despite this, our experiences tell us that a network IDS will continue to be valuable.
We know that our IDSs would work even better if we included them on internal network segments. That would provide protection against insider threats, in addition to what we get from our host-based IDS.
Until now, we've limited our IDSs to the perimeter networks because the devices could only handle those low-bandwidth segments and because we have a relatively small number of external points. But our newer IDS products support gigabit speeds. Coping with high traffic volumes isn't an issue, although we do have to conquer the complexity of getting the data to our sensors.
Switch Disconnect
Many years ago, we helped push the deployment of a switched Ethernet LAN. With properly configured switches, data goes only to those systems involved in the conversation. Traditional managed hubs, in contrast, send a copy of the data to every system in a LAN segment and only the intended recipient reads it.
Switches are great for performance and for protecting data in transit, but we need centralized access to all the data in transit so we
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
