Problem solve Get help with specific problems with your technologies, process and projects.

Three essential ingredients for network integrity

Yankee Group analyst Eric Ogren says it's time to shift our thinking about network security from a defensive, attack-centric approach to a proactive, access-centric approach.

Businesses depend on their applications and their networks, so it's obvious that network security should be a high...

priority -- and it is. Over the past few years, enterprises have invested heavily in a complex battery of perimeter defense systems that are updated daily, if not hourly, with new signatures.

But today's security practices, with their emphasis on defense, have two important shortcomings. First, signature-based defense systems can recognize and stop only the worms and viruses that are already known. Fast attacks, like last year's Slammer worm, which spread around the world so quickly it had infected most of its targets within eighteen minutes, can defeat any signature-based defense system.

Eric Ogren, The Yankee Group

A second serious shortcoming to this defensive security is cost. A recent study by The Yankee Group found that the largest area of IT spending is staffing costs. Why the large investment in staffing? To keep up security bulletins, signature files, and application updates, IT organizations have been forced to hire a virtual patch brigade -- a growing group of network administrators who spend their days scanning security bulletins and installing service packs, patches, more patches, and other versions of upgrades. Unfortunately, the result of all this busywork is a defense system that remains vulnerable to new kinds of attack, as the example of the Slammer worm proves. More fast worms and blended attacks are expected this year. How should enterprise IT organizations prepare?

It's time to shift our thinking about network security from a defensive, attack-centric approach to a proactive, access-centric approach. The goal of this new approach is to preserve network bandwidth and availability for mission-critical applications at all times -- even when attacks occur. Instead of focusing just on defense, enterprises need to adopt a holistic view of guaranteed network services that encompasses security, performance, availability, and control. At the Yankee Group, we call this holistic view Network Integrity. Network Integrity Systems are essential to all mission-critical application environments that depend on network uptime. If your business has its mission-critical operations online, you need Network Integrity.

No single product offers a complete security solution for the enterprise. To achieve a strong layered defense, enterprises need to use a combination of existing products, such as firewalls and anti-virus filters, along with new products with traffic management features that promote network uptime. The resulting architecture is centered around a high-performance Network Integrity System (NIS).

An NIS must perform these three essential tasks:

  1. It must clear the network of the attacks and unwanted traffic that signature-based systems cannot detect, protecting against any anomalous traffic that threatens the network. This defense must be automated, instantaneous, and precise. Enterprises need to reduce the manual labor involved in network security, while increasing the security and resiliency of the network.
  2. It must preserve network bandwidth so enterprises can get the most out of their online resources. This broadens the scope of network security from simply blocking hostile traffic to actively managing all network traffic, including traffic that might be legitimate but that deserves a lower priority than traffic supporting mission-critical applications. Examples of that type of traffic are instant messaging and peer-to-peer traffic.
  3. It must present upper management with a comprehensive view of the behavior of the network, as well as the behavior of mission-critical servers and hosts. To manage networks and applications strategically, executives need to know how their current investments in applications and bandwidth are performing.

Vendors delivering Network Integrity System features include Arbor Networks, Captus Networks, DeepNines, ForeScout, Lancope, Mazu Networks, NetScreen, Network Associates, RadWare, Riverhead Networks, Symantec, and TopLayer. Enterprise security architects should be familiar with the concepts of NIS and evaluating the vendors against NIS requirements.

The benefits of Network Integrity include making networks more resilient to attacks like the next Slammer worm. Other benefits include improved application uptime, control over IT expenditures, and increased business efficiency. Network Integrity also offers some relief to IT managers who wonder if there's more to IT than applying a never-ending series of patches. After all, the mission of IT is to support and enhance the operations of business itself. By thinking proactively about Network Integrity, IT can better fulfill that essential mission.

This was last published in January 2004

Dig Deeper on Network management and monitoring