One Solution Aims to Secure Multiple Systems

By George Hulme  |  Posted 11-13-2007

Managing IT security software and appliances isn't getting easier. Most companies operate under what seem to be ever-changing, ever-growing risks to their IT systems--whether it's denial-of-service attacks choking network and application availability or a teenager from Estonia using MPack to crack their defenses. Then, of course, there are the typical worms, viruses and the daily barrage of other "mundane" threats that have plagued companies for nearly a decade.

The conventional approach to defending systems has been to deploy dedicated security products at each layer of the IT infrastructure: network and application firewalls, intrusion detection and prevention sensors within the DMZ, and vital internal network segments. Also, content filtering is used on Web gateways to ensure that employees don't access forbidden or malicious Web sites.

Despite the best efforts of most enterprises, losses stemming from security breaches remain high. The average annual loss associated with security breaches reached $350,424 this year, more than double the $168,000 reported in 2006, according to the 2007 Computer Security Institute Computer Crime and Security Survey.

To protect system availability and the confidentiality of private information, organizations spend three percent to 10 percent of their annual IT budgets on security.

In an effort to reduce cost and improve manageability, vendors began combining various layers of security defenses, including network firewalls, virtual private networks, intrusion detection/prevention systems, Web content filtering and anti-spam, into a single appliance. Known as unified threat managers, or UTMs, these devices initially were aimed at small and medium businesses, but their capacity and manageability have been increasing steadily.

UTM vendors include Crossbeam, Fortinet and Secure Computing, while conventional network equipment makers such as Cisco and Juniper also provide networking equipment with security capabilities built in. Cisco's 3800 integrated services routers, for example, include firewall, IP security, secure-sockets-layer VPN and intrusion prevention, and Juniper's ISG series provides a fully integrated firewall, VPN, and intrusion detection and prevention.

"A growing number of Fortune 500 companies are expressing interest in Cisco's 3800 UTM series, not for their core networks, but to manage the security and networking of their branch offices more easily," says Greg Shipley, CTO at security consultancy Neohapsis. "This gear has firewall, intrusion prevention and more built right into the router. So why not incorporate it as part of your normal network refresh?"

UTM appliance revenues for the first quarter of this year reached $271 million, up nearly 30 percent from first quarter 2006, according to IDC. The bulk of these devices will be the primary line of defense for small and midsize enterprises, and for larger companies aiming to ease security management and costs associated with locking down branch locations. "As to whether these devices are enterprise ready--that is, do they adequately protect the primary network perimeter?--the answer is not always clear," says Joel Snyder, partner at IT consultancy Opus One. "But there are areas in which they certainly can provide security and reduce complexity."

Richard Isenberg, director of security for CheckFree, would agree. "When the term UTM first surfaced, the technology was geared toward the low end of the market," he says. "But vendors have built more scalability and high availability into these devices. Still, you have to do your homework."

Ask Your Network Architect:

Are there firewalls, IPS sensors or other security technologies on your network that could be consolidated into single appliances?

Ask Your CFO:

Will the budget allow for devices that could reduce costs of securing and managing network traffic?

Strategy

Less than a decade ago, the Circuit Court of Cook County (Chicago)--the second largest county in the U.S.--operated completely on thin client terminals and paper, and without Internet access. That began to change in 2000, when Dorothy Brown, the newly elected clerk of the Circuit Court, which has 2,100 employees and an operating budget of $100 million, moved to bring more efficiency through the use of technology. But as the court's use of technology grew, so did its need for IT security.

That included the need to secure its $5 million integrated cashiering system, which handles all of the county's cash transactions, such as traffic ticket fines and filing fees, as well as its case management and records management systems.

At first, the primary lines of defense were the use of Norton antivirus software and constant patching.

Despite those precautions, trouble still hit at times. Cook County shares its network with many other agencies on the county's wide area network, segmented by IP addresses. "What wound up happening was that if other agencies got a virus, we'd get infected too," Circuit Court CIO Bridget Dancy recalls. "We had to do more to protect our environment. We were getting attacks, and as soon as we cleaned one, another virus hit."

Dancy recommended that the Circuit Court Clerk's Office expand its security protection beyond antivirus and patch management and put into place a hardware-based UTM that included intrusion protection. "Installing additional and separate antivirus, intrusion prevention and network firewalls would have been a budget buster for us," Dancy says. For $25,000, the county chose to deploy Fortinet's Fortigate 1000. The UTM appliance keeps the court's 17 separate locations protected behind its antivirus, intrusion prevention and network firewalls. The appliance's antivirus also protects the Circuit Court's 2,100 employees' e-mail inboxes and provides intrusion protection for its intranet and help desk applications.

One primary concern of organizations considering a move to UTM is the potential impact on network performance from running multiple security applications on a single appliance. But the Circuit Court's experience was positive. By clearing useless and malicious traffic, the appliance freed up bandwidth, and server availability soared.

Prior to installing the UTM, it was common for the county's servers to reach 95 percent usage levels. "Utilization went down to 10 percent after we installed the appliance; from that point on, we were sold," Dancy says. "Although we experienced 381,407 attempted attacks against our network, the Fortinet solution blocked and protected us from every single one."

The implementation also helped increase efficiency of the court's small IT support team. Previously, administrators would have to travel to each of the 800 computers in various locations whenever there was a network security incident. Now, they can centrally manage the network.

That's what Sonnenschein Nath and Rosenthal found. The Chicago-based multinational law firm has more than 700 attorneys in the U.S., Europe, Asia, the Middle East and Latin America.

The firm relies largely on IBM Proventia Network Multi-Function Security UTM devices to keep much of its infrastructure secure, with additional intrusion prevention systems installed on the network, as well as IBM RealSecure Server Sensors, which provide additional preemptive intrusion prevention defenses for its servers.

Sonnenschein centrally manages each of these security technologies using IBM's SiteProtector, which simplifies the monitoring of its overall security processes and network health. "We're able to centrally manage all of these devices," says Adam Hansen, director of security at Sonnenschein. "It's proven to be a great move for us. Throughput hasn't been a problem."

Beyond simplifying security management, Hansen says, moving to UTM has helped the law firm provide faster, nimbler services to its clients without security being the corporate bottleneck it often is. "We don't have to slow down business for the sake of security," he says.

That certainly was true when the firm decided to deploy VoIP to hundreds of attorneys so they could work more efficiently from their homes. Because the firm couldn't control how the home PCs are used or which Web sites are visited, or even enforce the security of those home-office systems, Sonnenschein needed to make some tough choices when it came to securing its move to VoIP. "We looked at whether we could manage device security at each home office, or centrally manage security in-house," Hansen says.

With IBM's Proventia UTM devices already in place, it became clear that the best choice would be to secure the traffic centrally. "In this way, we can provide inline antivirus and intrusion prevention," Hansen says. The Proventia UTMs are placed behind the corporate VPN concentrators at both of the firm's data centers, where the traffic is decrypted and analyzed by the UTM before it is sent to critical internal systems. "If the UTM spots anything bad, it's blocked or cleansed," Hansen says. "So far, the set-up has protected us from anything bad that can come across that wire."

Sonnenschein considered managing antimalware, intrusion prevention and other security technologies from a set of separate appliances, but found it wouldn't be cost effective. "From our perspective, [UTM] has been a godsend," Hansen says. "These devices take 15 minutes to configure and to integrate into your console. It takes us more time to get the paperwork done and stage the box than to configure it."

Ask your CSO:

Is security proving to be a bottleneck on certain projects?

Ask your operations teams:

Which security functions are too time-consuming?

Implementation

Three years ago, the $879.4 million electronic bill payment and presentment provider CheckFree was in hypergrowth mode. "Our infrastructure was constantly getting overwhelmed," says security director Isenberg. The company kept adding appliances, servers, firewalls and intrusion detection systems, but the management burden "grew immense. It just wasn't scalable," Isenberg says. Eventually, CheckFree had amassed 20 separate intrusion detection system sensors, 20 switches and 26 firewalls.

The firewall and intrusion detection system architecture became so cumbersome the company couldn't get the throughput it needed. "We just couldn't keep up," says Isenberg. So CheckFree went seeking a high-availability, unified solution.

The search culminated in deployment of Crossbeam's X-series, which combines firewall and intrusion prevention capabilities. "We saw that we could consolidate all those boxes into only seven chassis," Isenberg says. The move also solved the longer-term challenges of the company's scalability. "Today, if we start to experience growth, we no longer have to add appliances and devices. We just add the blades we need. No cable moves, no change control, not another failure point added to our network."

Another benefit: There are now fewer systems to patch, upgrade and manage. "Each device was a separate console, so CheckFree had to add people continuously to manage," Isenberg says. Overall, savings came to about $194,000 a year, with a capital return realized within three years.

Whether or not unified threat management appliances prove powerful enough to serve as your primary network defense, as they do for Cook County and CheckFree, they can help most organizations cut operating and management costs, reduce points of network failure, and trim software licensing and maintenance fees.

Before making the move, it's essential to determine where UTM makes the most sense for your organization, based on the volume of network traffic and the security technologies to be converged. Experts say the performance demands of larger businesses may be too much for UTM appliances to handle, despite published vendor performance specifications. "You absolutely have to test these devices with your specific network conditions and the exact modules--antivirus, intrusion detection and prevention systems, content filtering and so on--to get a feel for how it will operate in your environment," says Joseph Blankenship, director of marketing at security services firm Vigilar.

During the evaluation, you'll see whether or not the UTM appliance can handle the demands of being the primary line of defense for your network. "Some of these products come with huge performance hits," Snyder warns. "You may get a new IPS signature and all of a sudden performance goes to hell." The reason: Vendors that specialize often provide better results. "IPS vendors will tend to do a better job at developing signatures than vendors who do many things," he says.

Adds Neohapsis' Shipley: "Many large enterprises won't move to UTM for their main network because they have the resources to maintain best of breed. But that changes when looking at the price, performance and benefits equation for remote offices, where these devices don't pose a performance problem and provide good security."

Before any move to UTM, experts suggest evaluating the following attributes carefully:

Network traffic performance demands.

Effectiveness of the intrusion prevention system (nothing is worse than too many false positives or negatives).

Ability to provide for failover and high availability.

VPN capabilities for secure site-to-site access.

Manageability.

"You want aggregated manageability; you don't want to have to log into multiple devices individually to apply changes or updates," says Sonnenschein's Hansen, who ranks manageability high on the list. "That defeats the point."

Ask your CSO:

Can a UTM appliance serve as your network's primary line of defense?

Tell your network architect:

Consider adding UTM appliances, or network routers and switches with built-in security, into network equipment refresh plans.
