Joel Snyder on the future of intrusion defense

This article analyzes network intrusion defense technologies and illustrates how the growth of networks with many distributed control points is creating a greater need for technological integration. Learn strategies to prepare for the future and provide interim relief from "black box networks."

If divide and conquer is a winning strategy for solving problems, intrusion defense is still in the divide phase. Most networks have a firewall, many have an IDS, all of them have antivirus and antispam, and some have an IPS. But none of the vendors out there are making it easier to combine and manage all of these technologies into a unified whole.

Put in more global terms, most network managers have a wide variety of very effective control points along their networks, both at the perimeter and towards the core. However, as any engineer will tell you, a network with only control points is not a controlled network. A controlled system needs measurement points, control points and a feedback loop to keep it all running within tolerances. Of course, data networks are not the same as oil pipeline networks -- except that, in many ways, they are. We are in a security regime where we have control, but don't know what we're controlling and why.

While one of the arguments for unified threat management (UTM) in the firewall seems to be better integrated management, the answer isn't in putting multiple functions in a single box. In small networks where a single UTM firewall is the only defense point, the benefits of a single management point are significant. However, even as UTM vendors strive to create one-stop-shops for security, they'll readily admit that the UTM firewall doesn't cover all the bases. If your UTM firewall has a virus scanner, does that mean that you don't need antivirus on the desktop? UTM firewalls also move the problem one step back: sure, you can now manage a single point, but what if you have two of them?

Requirements for knowledge
One reason that networks look the way they do, with many distributed control points, is that in the past, we have had little need for knowledge about the network itself. But today, most networks are over-engineered by one or two orders of magnitude, and this is a continuing trend. Watch the proliferation of small wiring closet switches with 10Gbit ports in the next 12 months and you'll see further evidence of this.

It's easier to build a huge network that has ten or a hundred times the needed capacity than it is to build a network that fits the requirements. Network vendors have jumped on this bandwagon wholeheartedly, and have given significant financial incentives to do so. Who in their right mind would install a 48-port 10/100 switch in a wiring closet, when a 10/100/1000 switch is only a few hundred dollars more?

With network gear having such a precipitous drop in price, we tend to buy a lot of very fast, very inexpensive hardware without installing much in the way of measurement and management tools. The trend is only going to continue, as the price disparity between basic plumbing components such as switches and routers, and the more sophisticated management and control components such as IDSes and security information managers (SIMs), increases. The price disparity is even greater when human time is factored in: an unmanaged switch may cost $1,000 worth of the network manager's time to install, but it runs with nearly no ongoing cost. Put an IDS on the network, and now you're committing hours a week, every week, to actually putting that device to good use. That's a significant expense. The result is "black box" networks: networks with lots of connection points without any visibility into what's going on.

The consequence of building these black box networks is that they work great most of the time -- except for when they don't. While network outages aren't necessarily getting any more frequent, the consequences of a network outage are becoming more significant. As IT functions and even Internet connectivity become more closely integrated into critical operations, the need for rock-solid network performance also becomes critical. If you outsource your CRM to, but can't get to the site, how will you make sales? If you move to a paperless MRP system, which is unavailable when a pallet of materials shows up at the loading dock, what are you going to do?

This dependence on the network implies a requirement for knowledge, specifically knowledge about the network. By knowing more about what is going on inside of our networks, we can forestall or avoid problems, and we can more quickly resolve issues when they occur.

You can know too much
When I say you need knowledge about your network, I don't necessarily mean complete knowledge. It's very easy to fall into a trap of spending all day, every day, looking at meaningless security and performance data on your network. Any investment in network knowledge, control and visibility has to consider the value to the enterprise. It is easy to have too much information. In fact, it's common. Each of our control points is almost always a measurement point, and if you simply enable logging or statistics, you will quickly be overwhelmed with data.

Turning that data into useful information is a very difficult task. The products we have available today for massaging all this data are generally either overweight or narrowly focused. For example, SIM systems look great, but most of them are only designed to handle firewall and IDS logs, with a little bit of network flow data thrown in. Those SIMs that have a larger scope cost hundreds of thousands of dollars and require significant continuing human resources to monitor, a massive investment to answer what are fundamentally simple questions: Is the network healthy? Is it secure? Do we need to add capacity, and when?

This is the undesirable situation right now: most networks are built and managed as black boxes with little or no monitoring and management capabilities in use. A few networks have all the monitoring they need, but installed at significant expense and with high continuing operations costs. And an even larger percentage has installed some monitoring tools, but because the tools don't meet the needs of the IT staff or because the tools take too much time, they're unused.

Prescription for the future
Today, security specialists have few alternatives to construction of black-box networks. In an era of tight budgets and eternal tensions between security and network teams, only the largest enterprises can afford to purchase and staff the tools that are needed to offer true network visibility. This will change over time. An increasing number of security product and network information vendors are beginning to see the desirability of developing products that balance reasonable acquisition and operations costs with the benefits that increased network and security visibility can bring. The key today is to position your network and security architecture to take advantage of these new products as they come to market.

With that goal in mind, consider the following strategies to both prepare for the future and provide interim relief.

  1. Most of your security control points have the ability to provide logs to external devices. However, network control points such as switches and routers are often less capable. Integrating information from both the security and infrastructure sides of the house will be important to creating an effective security strategy. Make sure you work with the network team to guide new equipment to be "security reporting compatible." For switches, that might be as simple as SNMP-capable port statistics and forwarding tables, while for routers, flow statistics and NAT tables will be critical. This may require some arm-twisting, because sizing a router to be able to deliver flow statistics can add to cost.

  2. Learn what types of data are useful to you. Do you need alerting when something bad is happening? In that case, products that filter IDS and IPS logs for significant events might be good to start with, and tools that match vulnerability analysis information with attack alerts are even more useful. Are you looking for forensics information to track back problems and break-ins? SIM devices and IDS "super consoles" can help provide the correlation information that isolates the important from the irrelevant when researching problems. Get experience with the focused point-solution tools that are available today, because that will help you discover what you'll need in the future.

  3. Most security products, such as IPSes and virus scanners, are proactive in intrusion defense. However, more passive tools such as behavioral anomaly detection systems and IDSes can provide the additional data that true security visibility will require. Even if you don't have these kinds of tools now, plan where you'll put them, and make sure you design your network for these all-seeing devices. Dropping a few open source IDS sensors in, even if you don't look at their results very often, will give you additional confidence that you're gathering the right data at the right points.

  4. Build bridges between the network and security teams at your organization. Most enterprises divide responsibility in a very stark way between these two functions. Eventually, that divide will disappear as the security of the network becomes a core function and requirement of the network itself. As security of the perimeter becomes indistinguishable from security at the core, simultaneous visibility into network and security status information will be an assumption of any monitoring system. With tighter ties now, you can ensure that the continuing build-out and upgrade of the corporate network meets these visibility requirements.
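Items 1 and 2 above describe the kind of correlation a monitoring tool should perform: match IDS alerts against vulnerability analysis data so that only the significant events surface, and tie the target host back to a switch port using the forwarding and ARP tables the network side can export. The following Python script is an added example, not code from the article or from any product it mentions. Every input in it is constructed: the alert lines use a simple Snort-style "fast" layout, the vulnerability inventory stands in for a scanner export, and the ARP and forwarding tables stand in for what SNMP would return from a router and a wiring-closet switch. The host names, IP addresses, MAC addresses and port names are invented.

```python
"""Correlate IDS alerts with vulnerability scan results and switch forwarding
tables to separate the important from the irrelevant.

All data below is constructed for illustration; nothing is from a real network.
"""
import re
from collections import Counter, namedtuple

# Constructed IDS alert lines in a Snort-style "fast" layout.  The last line has
# no ports, which is how ICMP events typically appear, so the parser must cope.
IDS_ALERTS = """\
04/18-10:01:22.113 [**] SMB remote code execution attempt [**] 198.51.100.7:4455 -> 10.0.5.20:445
04/18-10:01:25.904 [**] SMB remote code execution attempt [**] 198.51.100.7:4456 -> 10.0.5.21:445
04/18-10:02:07.331 [**] HTTP directory traversal attempt [**] 198.51.100.9:51020 -> 10.0.5.30:80
04/18-10:02:09.010 [**] ICMP echo sweep [**] 198.51.100.9 -> 10.0.5.30
"""

# Constructed vulnerability inventory: host -> {port: finding}.  10.0.5.21 was
# never scanned, which is itself useful information.
VULN_SCAN = {
    "10.0.5.20": {445: "unpatched SMB server"},
    "10.0.5.30": {22: "outdated SSH daemon"},
}

# Constructed router ARP table (ip -> mac) and switch forwarding table
# (mac -> (switch, port)), as would be collected via SNMP.
ARP_TABLE = {
    "10.0.5.20": "00:11:22:33:44:01",
    "10.0.5.21": "00:11:22:33:44:02",
    "10.0.5.30": "00:11:22:33:44:03",
}
FORWARDING_TABLE = {
    "00:11:22:33:44:01": ("closet-sw1", "Gi1/0/12"),
    "00:11:22:33:44:02": ("closet-sw1", "Gi1/0/13"),
}

Alert = namedtuple("Alert", "ts sig src sport dst dport")

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<sig>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse alert lines; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        alerts.append(Alert(
            d["ts"], d["sig"], d["src"],
            int(d["sport"]) if d["sport"] else None,
            d["dst"],
            int(d["dport"]) if d["dport"] else None,
        ))
    return alerts


def locate(ip, arp, fdb):
    """Map a host IP to (switch, port) via ARP then forwarding table, or None."""
    mac = arp.get(ip)
    return fdb.get(mac) if mac else None


def prioritize(alert, vulns):
    """high: target is known vulnerable on the attacked port;
    medium: target was never scanned, so we lack the knowledge to decide;
    low: target was scanned and nothing matches the attacked port."""
    if alert.dst not in vulns:
        return "medium"
    if alert.dport is not None and alert.dport in vulns[alert.dst]:
        return "high"
    return "low"


def correlate(alert_text, vulns, arp, fdb):
    """Return one enriched record per alert, in input order."""
    events = []
    for a in parse_alerts(alert_text):
        events.append({
            "ts": a.ts,
            "signature": a.sig,
            "target": a.dst,
            "priority": prioritize(a, vulns),
            "finding": vulns.get(a.dst, {}).get(a.dport),
            "location": locate(a.dst, arp, fdb),
        })
    return events


def summarize(events):
    """Count events per priority so a daily glance answers 'is it secure?'."""
    return dict(Counter(e["priority"] for e in events))


if __name__ == "__main__":
    for e in correlate(IDS_ALERTS, VULN_SCAN, ARP_TABLE, FORWARDING_TABLE):
        print(e["priority"].upper(), e["ts"], e["target"], e["signature"],
              e["finding"] or "-", e["location"] or "location unknown")
    print(summarize(correlate(IDS_ALERTS, VULN_SCAN, ARP_TABLE, FORWARDING_TABLE)))
```

The "medium" bucket is deliberate: an alert against a host the scanner has never seen is not evidence of compromise, but it is evidence that the measurement side of the network has a gap, which is exactly the visibility problem the article is describing. Swapping the constructed dictionaries for real scanner and SNMP exports is the integration work item 1 asks the network team to make possible.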

About the author:
Joel Snyder is a senior partner with consulting firm Opus One in Tucson, Ariz. He has worked in IT for more than 25 years.

This was last published in April 2006
