Viewpoint
http://searchSecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1257284,00.html
Issue: Nov 2006

A Friend to the Budget-Constrained
Bravo to Shawn Moyer for the informative and insightful "Brick By Brick" (Bits and Bolts, September 2006), which demonstrates the value that free open-source software (FOSS) can provide to budget-constrained infosecurity departments.

The high cost of enterprise-grade security appliances should not mean that the smaller players are left without any options; and FOSS can often fill that need. Information security professionals owe it to themselves to take a closer look at these software options.

I believe that FOSS projects, like OpenBSD and ModSecurity, deserve more attention than they are getting from the media. I look forward to more articles like this.

Alex Di Giuseppe
Information security consultant, Securis Networks


Call to Action
While we want to thank you for Steve Weil's recent iPolicy ISM Express 1000 product review (Products, September 2006), we at iPolicy Networks note the device security issue and rating with great concern.

Typically, management appliances are placed in internal private network segments protected by perimeter network security, so the risk of someone exploiting this weakness is limited. However, being a security company, we are deeply concerned about the vulnerabilities uncovered in the review and have taken immediate action to address them.

The following steps were taken within 48 hours of the review's publication:

Gajraj Singh
Vice president of marketing, iPolicy Networks


Get the Message
With reference to Dorian Deane and Benny Jones' "Obstructed View" (September 2006), the authors do not discuss the third—and, perhaps, most important—alternative to the IDS/IPS and encryption conundrum: message-level security.

Sensitive data transmitted between two systems can be protected with a sentry that filters content (firewalls, IDS/IPS), by protecting the carrier (SSL, TLS, IPSec) or by protecting the payload itself through message-level security.

Unfortunately most vendors and companies focus only on sentries and protecting the carrier, forcing them to contend with decisions like what the writers describe. The companies do not realize that, if they protect the payload itself, they could dispense with the other two completely.

If applications encrypt payloads and digitally sign the message before sending it to the recipient, the recipient could verify the digital signature on the payload container to ensure that it is from a trusted source before attempting to process the payload.

With message-level security, companies can spend a lot less time and money on sentries and carrier protection, while staying focused on the most important aspect of security: protecting the data. Therefore, it deserved mention in this article.

Arshad Noor
StrongAuth Inc.
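The encrypt-then-sign envelope Noor describes, as an added example (not code from the letter writer or from StrongAuth): the sender encrypts the payload with AES-256-GCM and signs the nonce and ciphertext with Ed25519; the recipient verifies the signature first and rejects anything untrusted or altered before any decryption or parsing of the payload happens. The Envelope type, key sizes and function names are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Envelope is a hypothetical payload container: ciphertext plus a signature
// that covers nonce||ciphertext so origin is checked before the payload is touched.
type Envelope struct {
	Nonce, Ciphertext, Signature []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload under key, then signs nonce||ciphertext with the sender's private key.
func Seal(payload, key []byte, signer ed25519.PrivateKey) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, payload, nil)
	sig := ed25519.Sign(signer, append(append([]byte{}, nonce...), ct...))
	return &Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the sender's signature first; only a trusted, unmodified envelope is decrypted.
func Open(env *Envelope, key []byte, sender ed25519.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	if !ed25519.Verify(sender, signed, env.Signature) {
		return nil, errors.New("rejected before decryption: signature invalid")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Because verification precedes decryption, a forged or tampered envelope never reaches the payload parser, which is the property the letter relies on to dispense with sentries on the path.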

Send your e-mails to feedback@infosecuritymag.com.


Information Security Magazine is a part of the TechTarget portfolio of enterprise IT-focused media.
Copyright 2000 - 2008, TechTarget. All Rights Reserved.