Buyer's Guide

Network security basics: A Buyer's Guide

A collection of articles that takes you from defining technology needs to purchasing options

Questions to ask when choosing a network security tool

In this article, expert Andrew Froehlich breaks down the top use cases for network security, and lays out the questions you should ask when choosing a network security tool.

Justifying the cost for a next-generation network security tool can be problematic if you don't fully understand the need. Enterprise-class security devices don't come cheap. Yet, if you add up the cost of losing sensitive data, you'll find that security tools are relatively inexpensive in comparison to the data breaches they can prevent. Moreover, significant cost savings can be achieved by reducing outages and lowering the overall number of security components that are managed. In a nutshell, an effective network security strategy permits companies to handle an ever-growing number of security threats more effectively and at a lower operational cost.

A shift in data interaction and a rise in data loss threats

One of the biggest concerns on the mind of any CIO when choosing a network security tool is how it can best protect corporate intellectual property. At one time, a company's network infrastructure consisted of a strictly defined network perimeter. This functioned as the primary security posture because data was stored in private data centers within the company and managed by in-house IT staff. Any data behind the boundary was protected with traditional, single-purpose products to prevent data loss. But that's not how most businesses operate today. Instead, network boundaries have all but dissolved thanks to mobile devices, cloud computing and next-generation collaboration tools. Today, data is not only stored in corporate data centers but also on employee smartphones, within third-party cloud storage services, or on any number of social media sites.

At the same time, hackers are becoming increasingly sophisticated in their methods to the point that they can fool traditional network security components, bypassing them as if they never existed. Methods like dormant malware, modular malware and a significant increase in zero-day exploits are just a few examples of threats that evade traditional security products. How do these techniques work? They capitalize on the fact that detection tools use non-overlapping methods and outdated information to identify threats.

Whatever form your company's intellectual property takes, it almost certainly holds great value to the organization. But a next-generation network security tool might also be used to protect customer, partner and other third-party data. For example, if you store credit card, healthcare or any other type of sensitive data for customers, a breach could be devastating -- both from a regulatory and a customer trust standpoint.

Next-generation security tools meet business needs

To protect these important assets, enterprises are relying on a suite of security tools, among them next-generation firewalls (NGFWs), network access control (NAC), secure Web gateways (SWGs) and malware sandboxing.

A brief review: NGFWs look deep into the content of each packet to better assess whether data has been maliciously manipulated. They also automate intelligent policy-making decisions by incorporating the source or destination identity of users and their devices. This functionality bolsters security beyond the network perimeter, allowing businesses to place data outside the network -- usually in the cloud -- for higher cost savings, flexibility and ease of infrastructure management.

NAC shores up authentication and authorization security -- important for handling such functions as the acceptance of BYOD or guest access to internal resources. Many NAC options have additional features -- such as posture assessments to verify whether antivirus and patching levels are within a specified minimum threshold -- and the ability to identify and track users or devices as they access network resources. These are critical security components that should be considered as the BYOD trend continues to grow.

Similarly, SWGs can help prevent data loss or theft when a company uses the Web for collaboration or for social media marketing purposes. Web-based data loss prevention policies can be implemented to prevent intellectual property from leaving the safety of the enterprise network. Also, because a growing proportion of Web traffic is encrypted using SSL, SWGs can be configured to terminate SSL connections locally, and then re-establish the remaining leg of the connection. This allows for the inspection of intellectual property over encrypted tunnels.

Finally, malware sandboxes are often implemented as a "catch all," particularly when a business makes the decision to disperse data across cloud, Web and other repositories outside of the traditional network perimeter. This is commonly done to allow employees, customers and other business partners easy access to applications or data from anywhere in the world. But this flexibility often makes the enterprise a bigger and easier target for more sophisticated attackers looking to steal your data. Malware sandboxes help by providing a far more sophisticated analysis of data that is deemed suspicious.

Leveraging an adaptable unified security architecture

In addition to their other capabilities, next-generation network security tools reshape how enterprise users and components interact with data. Smartphones and software as a service (SaaS) applications have dramatically shifted where data is generated and stored compared with even a few years ago. This trend will only continue, and data and devices will keep pushing data protection boundaries outward.

Consider the concept of the Internet of Things (IoT), where objects and people become network-accessible and generate and transmit data across networks through automated, machine-to-machine transactions. Thanks to IoT, the number of end devices on enterprise networks is expected to grow exponentially, increasing the risk of devices being compromised and used to extract sensitive data.

It's safe to say that enterprise data no longer flows in and out in a linear fashion. Instead, data travels among multiple network paths. As companies begin to adopt IoT, SaaS and other techniques, they need overlapping and interoperable network security tools that can support business policies tied to that data.

Not only is this approach more efficient and secure, it also lowers the costs associated with purchasing, deploying and managing a comprehensive network security strategy.

Traditional firewalls, intrusion prevention systems and basic packet inspection/filtering, for example, have merged to form the key components of what are now known as NGFWs. What used to be three independent tools to purchase, implement and support has turned into a single unified security platform.

Reductions in downtime, faster deployments and a lower cost of ownership

Some final points to consider when making a business case for the latest network security tools: faster deployment of new applications and reduced production downtime. With traditional security tools, administrators sometimes struggled with securing new applications, services and devices -- all of which interacted with data differently. In many cases, tools that could have been extremely valuable to the organization were either significantly delayed or scrapped completely. This type of sluggishness and barricading due to inflexible network security tools is one key factor behind the shadow IT movement where end users bypass IT in order to use the applications and tools they need to perform job duties at an optimal level. One way to reduce shadow IT is to provide security tools that can quickly and easily wrap security processes around new applications and services that users demand.

Network security's impact on production downtime, meanwhile, takes many forms. If tuned properly, today's network security tools will yield fewer false positives and provide a more stable and reliable operation.


This was last published in September 2015


Join the conversation

2 comments


Is your organization's network security tool robust enough for BYOD?
It's a wildly subjective question and also assumes folks actually have a tool that does this work instead of a strategy that dictates the actions IT and the security team takes. We don't pay for a software solution to do this, we manually evaluate our systems daily and look for anomalies. The team is trained to ensure people are provisioned correctly, that log management is conducted on a timely and accurate basis, and that our networks remain secure. One step is that we're not a 24/7 business, so our valuable servers in-house are disconnected from the Web and our Intranet nightly. If that's not security, I don't know what is.