Six burning questions about network security

Issues about server virtualization, in-cloud security, NAC, firewalls and more

Security issues often seem to smolder more than burn, but these six are certainly capable of lighting a fire under IT professionals at a moment's notice. Handle with care.

Is server virtualization worth the risk?

The benefits of moving away from traditional servers to virtual machine (VM) arrangements are the cost savings in hardware consolidation and remarkable flexibility. But less-welcome consequences can include security gaps and virtual server sprawl, risks that draw fire from auditors.

VM security too often is being addressed after the fact, says Douglas Drew, a senior consultant at BT Group PLC's emerging technologies office and an auditor for the Payment Card Industry (PCI) standard. "How do you handle access control or auditing? Suppose I migrate an instance of a virtual machine from Rack A to Rack B: Is one a locking rack that needs a physical badge to get to the console, and the other does not? Does the VM hypervisor allow for separation of administrators A and B so A can only logically touch System A and Administrator B only touches B? How are you re-upping the risk assessment based on the architecture change?"

Like more traditional networks, the VM environment, whether based on VMware, XenSource or Microsoft, calls for applying best practices defined under the ISO 27002 standard for secure systems, Drew says. "We've seen some cases where people are slow to adopt VM because they haven't gotten their arms around this," he says.

And VM software out of the box won't suffice for security, many say.

"The virtual machines are mobile; they're designed to be mobile," says David Lynch, vice president of marketing at Embotics, a start-up that makes VM life-cycle management software. "You take a physical server and make a clone of it. You lose the identity of the physical server, but your existing management tools are based on the idea you have a physical server."

As designed today, VMware's VirtualCenter management won't prevent VM sprawl because identification numbers can be changed and reset, Lynch contends. He adds that it's not possible to ensure a unique VM ID system for an enterprise using more than one VirtualCenter.

The Embotics software, which works with VirtualCenter, tries to compensate by using a cryptographic hash, combined with metadata, to brand a VM ID as legitimate and authentic. Other start-ups, including Fortisphere Inc. and ManageIQ Inc., are also tackling the VM sprawl issue.
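The idea of branding a VM identity with a keyed hash over its metadata can be sketched in a few lines. The following Python is an added example, not Embotics' or VMware's code; it assumes an HMAC-SHA256 tag computed by the management tool over a fixed set of metadata fields with a key the VM itself never holds, so a VM whose ID has been changed or reset no longer verifies, and a brand that shows up active on a second host is reported as a likely clone (the field names, key and inventory are constructed for the example).

```python
import hashlib
import hmac
import json

# Key held only by the management system, never inside a VM (constructed demo key).
MANAGEMENT_KEY = b"constructed-demo-key-do-not-use"

# Metadata fields that together define the VM's identity (assumed set of fields).
IDENTITY_FIELDS = ("vm_id", "name", "os", "owner", "created")


def canonical_metadata(vm: dict) -> bytes:
    """Serialize the identity fields in a stable order so the same VM always hashes the same."""
    fields = {k: vm[k] for k in IDENTITY_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def brand(vm: dict, key: bytes = MANAGEMENT_KEY) -> str:
    """Return an HMAC tag that binds the VM ID to the rest of its metadata."""
    return hmac.new(key, canonical_metadata(vm), hashlib.sha256).hexdigest()


def verify(vm: dict, tag: str, key: bytes = MANAGEMENT_KEY) -> bool:
    """Constant-time check that the VM's current metadata still matches its brand."""
    return hmac.compare_digest(brand(vm, key), tag)


class Inventory:
    """Tracks where each brand is running; the same brand on two hosts means a clone or an unrecorded migration."""

    def __init__(self):
        self.seen = {}  # brand tag -> host it was registered from

    def register(self, vm: dict, tag: str, host: str) -> str:
        if not verify(vm, tag):
            return "rejected: tag does not match metadata (ID changed or reset?)"
        if tag in self.seen and self.seen[tag] != host:
            return f"duplicate: same brand already active on {self.seen[tag]}"
        self.seen[tag] = host
        return "ok"


def demo() -> dict:
    """Walk through the three cases with a constructed VM record."""
    vm = {"vm_id": "vm-1001", "name": "billing-db", "os": "linux",
          "owner": "finance", "created": "2008-03-01"}  # constructed sample
    tag = brand(vm)
    inv = Inventory()
    results = {"original": inv.register(vm, tag, "rack-a-host-3")}
    # Same VM but with its identification number reset: the brand no longer verifies.
    reset = dict(vm, vm_id="vm-2002")
    results["reset_id"] = inv.register(reset, tag, "rack-b-host-1")
    # An exact clone carries the same brand, but shows up on a different host.
    results["clone"] = inv.register(dict(vm), tag, "rack-b-host-1")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} {outcome}")
```

A legitimate migration from Rack A to Rack B also moves a brand to a new host, so the inventory can only raise the question; the management tool has to record the migration (or retire the old entry) to tell it apart from a clone.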

Some security vendors are convinced that the main VM software developers are in such a rush to get their products out to grab market share that, as Andrew Hay, product program manager at Q1 Labs Inc., puts it, "security is an afterthought."

Hay notes there's no NetFlow-enabled virtual switch to help with activity monitoring. "You're creating a separate network that happens to reside on a box," Hay says. "But no one pushes for flow analysis in the virtualized world." Should all this stop IT managers from going virtual? The bottom line, according to Hay: "It would be best to research your options before going full tilt."

Does stopping data leaks lure lawyers?

Data loss prevention (DLP) -- or call it data leak protection -- lets you monitor content for unauthorized transmission. But organizations gaining experience with it are finding that DLP sheds so much light into the darker corners of the corporate network that IT and business managers may find themselves in regulatory and legal peril.
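The content monitoring at the heart of DLP is, at its simplest, pattern matching with enough validation to avoid flooding reviewers with false alarms. The Python below is an added example, not code from Symantec, Reconnex or any product named in this article; it scans constructed outbound message bodies for card-number-like sequences, keeps only those that pass the Luhn check, and reports masked matches so the finding itself does not become another copy of the data (the sample messages and addresses are constructed).

```python
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right; valid when the sum is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, as a report should never echo the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return masked card numbers found in text; Luhn filters out order numbers and phone numbers."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_messages(messages: list) -> list:
    """One finding per outbound message that carries at least one valid-looking card number."""
    findings = []
    for msg in messages:
        hits = find_card_numbers(msg["body"])
        if hits:
            findings.append({"from": msg["from"], "to": msg["to"], "matches": hits})
    return findings


# Constructed sample traffic: one legitimate-looking transfer, one bulk export to webmail,
# and one message whose long numbers are not card numbers.
SAMPLE_MESSAGES = [
    {"from": "alice@corp.example", "to": "vendor@partner.example",
     "body": "Please charge card 4111 1111 1111 1111 for the March invoice."},
    {"from": "bob@corp.example", "to": "bob@webmail.example",
     "body": "Backup of customer table: 5500-0000-0000-0004, 4111111111111112"},
    {"from": "carol@corp.example", "to": "ops@corp.example",
     "body": "Ticket 1234567890123 closed, call 800-555-0100 if it recurs."},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f['from']} -> {f['to']}: {', '.join(f['matches'])}")
```

The second message is the kind of finding the article describes: the scanner does not know whether the export was authorized, it only shows that the data was there and where it was going, which is exactly what puts IT and business owners on the spot.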

"You move from ignorance to compliance jeopardy," says Tony Spinelli, senior vice president of information security at credit information services firm Equifax Inc., describing the early days of deploying the Symantec DLP in his organization. DLP became a spotlight in the dark, exposing data-storage practices that needed to be improved.

That puts both business and IT management on the spot to make changes. And more security managers are finding that once they know that DLP tools are in place, picky auditors are demanding security changes that corporations would be at their legal peril to ignore.

So is this "see all, know all" aspect -- in addition to the fact that DLP can still be expensive -- enough of a downside to turn off potential buyers? Maybe, but it would mean turning away from the most promising content-monitoring approach, which might be sorely needed to help keep your organization out of regulatory and legal trouble.

Knowing in advance that DLP may be a disruptive technology, security managers can make plans to prepare business managers -- the rightful data owners in the eyes of most corporations -- as well as auditors and legal staff.

One security professional with DLP experience, Ron Baklarz, who recently left MedStar Health to join Amtrak as chief information systems officer, said the approach he took with the Reconnex DLP used at MedStar was to bring business people into the data-oversight process.

"You need to partner with them on compliance," Baklarz advises. Giving authorized business staff a log-in to technical DLP systems makes them active participants in the data loss prevention effort.

In-the-cloud security: Dreamy or dangerous?

According to Gartner analyst John Pescatore, in-the-cloud security services -- be they for e-mail, denial-of-service (DoS) protection, vulnerability scanning or Web filtering -- are an alternative to the do-it-yourself approach of buying software or equipment.

There are strong reasons to ascend into the cloud by buying a service -- but also times to stay in the more earthly domain with your own stuff.

To start, it's worth thinking about two basic types of enterprise in-the-cloud security services, Pescatore suggests. The first is bandwidth-based, such as Internet service provider- or carrier-based DoS protection and response.

"AT&T Inc., for example, can do this better and more cheaply than you can, plus they're filtering out attacks further upstream than you can using their bandwidth," Pescatore says. The alternative would be buying anti-DoS equipment from a firm such as Arbor Networks Inc. and setting up protection on your own.

The second type of in-the-cloud service is what Gartner prefers to call "security as a service," which is "totally divorced from a bandwidth service," Pescatore says. For example, using an antispam service involves redirecting the MX record to the service provider but doesn't entail specific bandwidth services tied to a single carrier.
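Redirecting the MX record is a small DNS change, but the zone has to be checked afterwards: an MX record left pointing at the in-house mail server means mail can still be delivered there without passing through the provider's filter. The Python below is an added example, not part of the article or of any provider's tooling; it parses constructed BIND-style zone fragments, a "before" with the old server still listed and an "after" with only the provider's hosts, and reports every MX target that is not under the provider's domain (all names are constructed).

```python
def parse_mx(zone_text: str) -> list:
    """Extract (owner, preference, target) from MX lines of a BIND-style zone fragment."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if "MX" not in parts:
            continue
        i = parts.index("MX")
        owner = parts[0].rstrip(".").lower()
        preference = int(parts[i + 1])
        target = parts[i + 2].rstrip(".").lower()
        records.append((owner, preference, target))
    return records


def check_mx(zone_text: str, provider_suffix: str) -> list:
    """Return a problem line for each MX target that does not belong to the filtering provider."""
    provider_suffix = provider_suffix.rstrip(".").lower()
    problems = []
    for owner, preference, target in parse_mx(zone_text):
        if target != provider_suffix and not target.endswith("." + provider_suffix):
            problems.append(
                f"{owner} MX {preference} {target}: not under {provider_suffix}, "
                "mail delivered here skips the filtering service"
            )
    return problems


# Constructed zone fragments for a domain that moved antispam filtering to a provider.
ZONE_BEFORE = """
$ORIGIN corp.example.
@   3600 IN MX 10 mx1.filter.provider.example.
@   3600 IN MX 20 mx2.filter.provider.example.
@   3600 IN MX 30 mail.corp.example.          ; old in-house server, left as a fallback
mail 3600 IN A  192.0.2.25
"""

ZONE_AFTER = """
$ORIGIN corp.example.
@   3600 IN MX 10 mx1.filter.provider.example.
@   3600 IN MX 20 mx2.filter.provider.example.
mail 3600 IN A  192.0.2.25                    ; server still exists, but is no longer an MX
"""

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        problems = check_mx(zone, "filter.provider.example")
        print(f"{label}: {problems or 'all MX records point at the provider'}")
```

Removing the stray MX record is only half of the change; the mail server behind it should also accept inbound SMTP only from the provider's relay addresses, otherwise a sender that ignores DNS and connects to the old host directly still gets through unfiltered.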

Page 1 of 3