02 Jul 2004
Each week vnunet.com asks a different expert to give their views on recent security issues, with advice, warnings and information on the latest threats.
This week Dave Roberts, co-founder and vice president of strategy, product management and marketing at Inkra, explores how virtualisation technology is making layered security a reality.
In the beginning corporate networks were flat. They were private domains used internally only by employees. Network security employed physical locks to prevent unauthorised access to assets. This was the first generation.
Then companies connected networks to the internet. Firewall appliances sat at perimeter access points to prevent unauthorised access to internal systems and data. These few security checkpoints were easy to manage and relatively low-cost. This was the second generation.
Today, however, corporate network boundaries are blurred. Secure connection protocols enable businesses to bypass firewalls and use the internet to exchange information with remote employees, branch offices, customers, suppliers and partners.
But this has created a back door for attackers who can enter the corporate network over a secure virtual private network (VPN) tunnel from an employee's compromised home PC.
Firewalls don't block email, providing the perfect cover for attacks disguised as attachments. And wireless local area networks (Lans) can also be vulnerable to hacking.
A perimeter security strategy is no longer enough to protect porous corporate networks. Today's security challenges call for a third-generation security strategy.
Third-generation security is deep and pervasive, reinforcing the perimeter with layers of firewalls and intrusion detection and prevention systems to plug back-door security holes and detect and eliminate attacks.
Third-generation security is also compartmentalised, isolating important assets and containing attacks to limit damage.
Firewalls and intrusion detection and prevention systems are placed throughout the network - around the perimeter, in front of application servers, in front of network segments, and between application tiers.
As you move toward the centre of the network, security policies become increasingly stringent. Network segments and assets can be sectioned off into individually secured compartments.
For example, a firewall between Lan segments can prevent an attack unleashed via email from spreading through the network. Together, layering and compartmentalisation provide defence in depth.
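As an added illustration, not taken from the column or from Inkra, here is a small Python model of such a compartmentalised, default-deny policy: zone names, ports and rules are constructed, and the "skipped layer" lint is an assumed check, not something the column prescribes.

```python
from dataclasses import dataclass
from typing import Iterable

# Trust tier per zone: larger means closer to the centre of the network.
# The two LAN segments sit at the same tier but are separate compartments.
# (Zones and tiers are constructed for this example.)
TRUST = {"internet": 0, "dmz": 1, "lan-a": 1, "lan-b": 1, "app": 2, "db": 3}

Rule = tuple[str, str, str, int]  # (src zone, dst zone, proto, dst port)

# Explicit allow list; any flow not listed is dropped (default deny).
ALLOW: set[Rule] = {
    ("internet", "dmz", "tcp", 443),  # public web front end
    ("internet", "dmz", "tcp", 25),   # inbound mail to the relay in the DMZ
    ("dmz", "app", "tcp", 8443),      # web tier may only talk to the app tier
    ("app", "db", "tcp", 5432),       # app tier may only talk to the database
    ("lan-a", "dmz", "tcp", 443),     # staff segments reach internal web
    ("lan-b", "dmz", "tcp", 443),     # and the mail relay via the DMZ only
    ("lan-a", "dmz", "tcp", 25),
    ("lan-b", "dmz", "tcp", 25),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int

def allowed(flow: Flow, rules: Iterable[Rule] = ALLOW) -> bool:
    """A flow passes only if an explicit rule permits it."""
    return (flow.src, flow.dst, flow.proto, flow.port) in set(rules)

def reachable(src: str, rules: Iterable[Rule] = ALLOW) -> set[str]:
    """Zones a host in `src` can open connections to. A compromised host in
    lan-a gets only the DMZ: it cannot spread to lan-b or reach app/db."""
    return {dst for s, dst, _, _ in rules if s == src}

def skipped_layers(rules: Iterable[Rule] = ALLOW) -> list[str]:
    """Lint: a rule that jumps more than one tier inward bypasses an
    intermediate firewall, so it breaks the layered design."""
    return [f"{s}->{d}:{p}/{port} skips a layer"
            for s, d, p, port in sorted(rules) if TRUST[d] - TRUST[s] > 1]

if __name__ == "__main__":
    print(reachable("lan-a"), skipped_layers())
```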
Traditionally, the only way to implement this sort of security has been with security appliances: individual security services installed on dedicated hardware. At every point requiring defence, one or more appliances must be deployed.
Providing layered security with appliances means acquiring, managing and maintaining tens to hundreds of devices.
Stringing these appliances and their management interfaces together makes deployment and management even more complex, and although control software is improving, running such an estate remains a complex task.
The other route to the third-generation security transition is virtualisation technology. Virtualisation separates functionality and management from the physical hardware.
It is a well-established method - employed by technologies such as VPNs, virtual machines and virtual Lans - of meeting logical resource needs with fewer physical resources.
As IP security services are virtualised, delivery can be fully automated, and browser-based management tools enable functionality to be simply dragged and dropped into virtual racks to provision services.
Virtualisation makes third-generation security possible, on demand and within budget. Virtualisation lets you customise and deploy multiple, pre-tested security services to specific requirements, with a single, simplified management interface.
The choice is yours but the hackers won't wait long for you to decide.