| |||
|
|
||
|
|||
| |
|
Home > Security News > Security needs bring redundant systems back in style |
| |
|
|
|
|
| Security News: |
|
||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|
|||||||||||||||||||||||||
Whether you're considering a multifunction appliance, a broad suite of software or a combination of both to secure your Windows infrastructure, security consultants say there is one key principal to keep in mind: Don't rely on a single vendor for everything. The issue comes to the fore as more market-leading vendors introduce devices that offer a simple way to ward off all types of security breaches with a single device. Networking powerhouse Cisco Systems Inc., San Jose, Calif., has become the latest to deliver a multifunction security appliance, which is loaded with a firewall, gateway antivirus, spyware and adware protection, intrusion protection features and other threat-defense services. The ASA 5500 sits at the network's edge, blocking unwanted incoming traffic. It can also be used inside a corporate network by IT managers who want to block access to certain data center assets. Cisco, whose executives said at the recent Interop 2005 conference that the technology will eventually be included in the company's line of Catalyst switches, is not the first to bundle different capabilities together. Companies such as Fortinet Inc., Internet Security Systems Inc. and Symantec Corp., have also done it. The choices are many With threat levels and regulatory diligence increasing, administrators responsible for Windows-based systems are starting to favor security products that guard the perimeter, the desktop and the data center. But with a such a wide array of choices, selecting one can be a daunting task. Microsoft has its own security arsenal, including new, free patch management tools, such as Windows Server Update Services (WSUS), now in a release candidate beta and due out in June. There is also its Network Access Protection technology, which restricts the access of a computer to a network until its health can be verified. Microsoft has pledged to build it into the Longhorn OS platform, as well as a firewall, antispyware and antivirus technologies. There are also systems software companies, security software companies and vendors traditionally known for network appliances that offer the same promises of security protection, and they are converging around the issue of policy management, according to Dan Blum, an analyst at the Burton Group, a Midvale, Utah-based consulting firm. Networking vendors are now providing security suites in much the same way that the big systems management vendors, such as IBM and Computer Associates International Inc., are doing. And the approach is also similar to what security software specialists, such as Symantec and McAfee Inc., offer for desktops, Blum said. 'Best of suite' not 'best of breed' The biggest danger, however, is buying products with all of these security features from one vendor, Blum said. "It's a violation of the principals of layered defense." A company can get more for its security money by purchasing from fewer vendors, but a "best of suite" strategy is preferable to a "best of breed" one, he said. For example, an IT executive may want to buy a device from Cisco or Checkpoint Systems Inc. for the perimeter, but they may choose another vendor for intrusion detection. "If you buy that from the same vendor as is providing your perimeter products, maybe both products will make the same mistakes," Blum said. Some customers in IT agree that while it may be appealing to have a single appliance to manage and maintain, there is the concern that that device may also be a single point of failure. Security is about limiting your exposure. If you go to one source, and someone attacks that source, you're out of luck, said Bill Randall, director of MIS infrastructure at Red Robin Gourmet Burgers Inc., in Greenwood Village, Colo. "You still need to have redundant systems," he said. Different pieces for different needs Randall said his company uses individual appliances for some tasks. For example, it uses an intrusion prevention system from 3Com Corp.'s Tipping-Point Technologies division, but he believes there are many more vulnerabilities than just the network edge. "For antivirus and spyware, it's easy to integrate whatever solution you're using for your end users [at the desktop] and just extend it out," he said. Other users agree that it's not always possible to control all security from the network perimeter. One reason is because that in some environments, such as a university setting, it's hard to make a universal policy about what is and is not allowed to come into the network. The IT staff at a college has no clear knowledge of what is being used by everyone on campus and is therefore reluctant to take any action that will break something for someone, said Joe Strecker, an IT manager of the computer resources group at J.L. Voss Veterinary Teaching Hospital at Colorado State University, in Fort Collins, Colo. Strecker prefers to zero in on an individual machine. "Even if the border is well sealed, there are still people bringing in laptops from home, so individual machines must be hardened," he said. Step one: Do a self-evaluation Burton Group's Blum suggests that in developing a security strategy, IT managers should start with a risk management assessment of their company that looks at people, processes and technology. In terms of technology, he recommended developing a security architecture in which the target starting period is a few years away. Blum warned that there may be political reasons within a company that dictate the selection of certain vendors. And in some cases, it may be mandated that a product has to interoperate with specific platforms, such as SAP, Linux or Windows, he said. Regardless of individual cases, though, securing the perimeter of a network goes far beyond "set and forget."
|
|
|
|
|||||||||||||||||||||||
| ||||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||||
| |||||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
