Network Diversity Causes Growing Security Challenge
How should the enterprise approach the tradeoff between speed and safety?
It probably comes as no surprise that the enterprise is caught in a dangerous game of catch-22. Evolving technologies and competitive pressures are increasing the diversity and complexity of data infrastructure, making it more difficult to secure. At the same time, government and industrial espionage programs are becoming better at exploiting the many vulnerabilities that modern network architectures present.
How, then, is the enterprise supposed to protect itself without hampering the capabilities people have come to expect from today’s virtual, cloud and mobile infrastructure?
The need to strike that delicate balance between security and performance has driven the design of many recent next-generation network security platforms. For example, Dell recently introduced the latest version of its SonicWALL firewall system, the SuperMASSIVE 9000 Series. It combines fresh-from-the-lab intrusion prevention and anti-malware technology with multi-gigabit performance that cuts latency to near zero.
Packed into a 1U form factor, the firewall system offers four 10 GbE and 16 single-GbE interfaces with 12 Gbps application control performance. It can function as a standalone gateway or as a supplemental tool for existing networks in either a Layer-2 bridge or wire-mode configuration. Two key components in the system are the Reassembly-Free Deep Packet Inspection (RFDPI) module, which scans incoming data before it hits the enterprise network, and the Application Intelligence and Control system, which provides real-time bandwidth and throughput optimization throughout the authentication and identification process.
But as enterprise networks transition from static to virtual infrastructure through SDN and other developments, is there a risk that security could be diminished even as versatility increases? Christopher Hoff, Juniper’s chief security architect, says no, provided the enterprise is aware of the vulnerable points in a virtual architecture. For most systems, that would be the controller, which houses many of the networking applications that guide data flow in highly dynamic environments. As he told ENP’s Sean Michael Kerner recently: if your network vendor offers optional security on the controller, take it.
These days, however, even medium-sized networks are loaded with end-points and processing components that generate disjointed data regarding security and performance. Bit9 is making a bid to integrate all that information with a new real-time security solution that gathers data from firewalls, file analysis systems and other sources to provide a broad-based malware alert and incident response platform. The firm is forging partnerships with a range of network security providers to enable a robust solution even in highly mixed platform environments. These partnerships will allow advanced features like real-time end-point monitoring and detection, automated server and end-point protection, enterprise-wide visibility and real-time file analysis.
At the same time, packet inspection and brokerage are becoming hot commodities, a reflection of the fact that data is increasingly finding its way onto third-party infrastructure. VSS Monitoring recently unveiled a new version of its vBroker solution, featuring new tools to enable link-layer visibility and in-line security and monitoring across complex network fabric architectures.
These tools include a new vProtector system that provides failsafe performance and on-demand bypass for individual network links, and the PowerSafe override control panel that streamlines the upgrade process for network security and monitoring systems. In addition, the company has released a new vInspector SSL appliance that improves visibility into encrypted traffic, as well as a DPI-Finder application that provides large-scale filtering and analysis.
It goes without saying that enterprise networks can never be too speedy or too secure. Despite the best efforts of the vendor community, there will always be a certain degree of give and take between these two goals.
However, it’s important to remember that the fastest, most dynamic network in the world isn’t worth a hill of beans if it exposes critical data to the outside world.