With a comprehensive IT security strategy comes the challenge of managing and optimising resources such as multiple firewalls, intrusion detection systems and Virtual Private Networks. As Dominic Byrne explains, those barriers must always be in place, but it's just as crucial they're always available.
Most companies are continually striving for a key goal: brand awareness. Achieving 'fame', though, doesn't come without a price. The more visible a company is, the more susceptible it will be to hacker attacks. Though no company is completely immune, there are some key measures that may be taken to thwart hacker attacks and guard your network. That doesn't simply mean putting barriers in place, but rather making sure they're always available.

With the threat of ever-more sophisticated attacks, increased security measures – including the deployment of multiple firewalls, intrusion detection systems and Virtual Private Networks – have now become standard procedure. With a comprehensive security plan comes the challenge of managing and optimising these resources without conflict. While security measures are essential as part of a global security solution, deploying them creates further issues that must be addressed.

A firewall is a set of related programs located at a network gateway server that protects the resources of a private network from users of other networks. An enterprise with an Intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources, and for controlling those outside resources to which its own users enjoy access.

Whether or not it examines each individual 'packet' of data, a firewall works closely with a router program to determine whether to forward traffic towards its destination. This is the first line of defence against unauthorised traffic and attempts to hack into a system.

Due to the importance of the firewall, it must always be available and ready to identify and inspect any suspect traffic.

Failures, traffic and optimisation
There are three major issues involved when using a firewall – failures, increases in traffic and optimisation. If a firewall on the network fails, traffic is then 'lost' as it's unable to reach its final destination. Therefore, all client requests will remain unfulfilled due to the firewall failure itself.

As mentioned previously, firewalls typically search for suspect traffic by performing packet inspection. As network traffic increases, this becomes increasingly difficult. Simply adding additional firewall resources is extremely difficult from a logistics standpoint, as it requires scheduled downtime and the re-allocation of IP addresses.

Firewall resources are stretched very thin as traffic grows and, in some cases, the firewall can become the bottleneck in the network. Given such a scenario, and under extreme conditions, the firewall may fail completely.

In some network settings there can be multiple firewalls inspecting traffic. While these firewalls are inspecting packets, optimisation of those firewalls is not occurring. At any given time, one firewall may be straining under the traffic while a second could be sitting there virtually idle. Firewall resources are therefore some way from being optimised.
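The failure and idle-firewall problems described above, modelled as an added example that is not part of the original article: a traffic distributor in front of a firewall pool sends each new flow to the least-loaded healthy firewall, keeps both directions of a connection on the same device, and re-homes flows when a firewall fails. The class, firewall names and addresses are constructed for illustration, and refusing traffic when no firewall is healthy is an assumed policy.

```python
class FirewallPool:
    """Toy model of a distributor spreading flows over several firewalls."""
    def __init__(self, names):
        self.healthy = {n: True for n in names}
        self.load = {n: 0 for n in names}   # active flows per firewall
        self.flows = {}                     # flow key -> assigned firewall

    @staticmethod
    def flow_key(src, sport, dst, dport):
        # Sort the endpoints so request and reply share one key: a stateful
        # firewall has to see both directions of the same connection.
        a, b = sorted([(src, sport), (dst, dport)])
        return f"{a}|{b}"

    def assign(self, src, sport, dst, dport):
        key = self.flow_key(src, sport, dst, dport)
        fw = self.flows.get(key)
        if fw is not None and self.healthy[fw]:
            return fw                       # existing flow stays where it is
        candidates = [n for n, ok in self.healthy.items() if ok]
        if not candidates:
            # Assumed policy: never forward uninspected traffic (fail closed).
            raise RuntimeError("no healthy firewall available")
        fw = min(candidates, key=lambda n: (self.load[n], n))
        self.flows[key] = fw
        self.load[fw] += 1
        return fw

    def mark_down(self, name):
        # Called when a health check fails: forget the failed firewall's
        # flows so their next packet is assigned to a surviving device.
        self.healthy[name] = False
        orphaned = [k for k, fw in self.flows.items() if fw == name]
        for k in orphaned:
            del self.flows[k]
        self.load[name] = 0
        return len(orphaned)


def demo():
    pool = FirewallPool(["fw-a", "fw-b"])
    clients = [("198.51.100.%d" % i, 40000 + i) for i in range(1, 7)]
    for ip, port in clients:                # constructed sample flows
        pool.assign(ip, port, "203.0.113.10", 443)
    before = dict(pool.load)                # load is spread evenly
    reply_fw = pool.assign("203.0.113.10", 443, "198.51.100.1", 40001)
    moved = pool.mark_down("fw-a")          # simulate a firewall failure
    after = {pool.assign(ip, p, "203.0.113.10", 443) for ip, p in clients}
    return before, reply_fw, moved, after
```

Flows moved off a failed firewall arrive at the survivor without connection state, so a real deployment either synchronises state between firewalls or accepts that those sessions must reconnect.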

As part of a more comprehensive security protocol initiative, intrusion detection systems occupy an important place in identifying suspect traffic. Typically, such a system resides on each network segment and 'listens' in promiscuous mode for traffic that may constitute an attack. These systems will gather and analyse information from various areas within a computer or a network in order to identify possible security breaches, which include both intrusions (attacks from outside the organisation) and misuse (attacks from within the organisation).

Intrusion detection uses vulnerability assessment (sometimes referred to as 'scanning'), a technology developed to assess the security of a computer system or network. Due to the importance of the intrusion detection system, it must always be available and ready to inspect and identify suspect data traffic at any time.

Much like a firewall, an intrusion detection system must inspect packets for suspect traffic. Under circumstances where the system fails, there's no back-up resource, traffic isn't scanned and the network is open to attacks. When data traffic increases on the network, the intrusion detection system is unable to inspect all packets. Adding more than one system per segment is not an option. When the amount of traffic reaches this critical mass, packets are dropped and – in some cases – may be passed into the network without any inspection at all.

Both scenarios might be termed sub-optimal, as the network is open to an attack or content requests aren't being addressed.

An ability to scale?
Since they reside on a per-segment basis, intrusion detection systems typify non-optimisation of resources in two distinct ways. First, busy segments of the network may have detection systems that are straining under the load, while those on quiet segments lie idle. On the busy segment there's a bottleneck with no ability to scale, while on the quiet segment there's no choice but to dedicate a full intrusion detection system to a segment where it will sit idle.

A second area of non-optimisation is evident when an attack is detected. If the intrusion system recognises an attack, it drops the traffic and updates rules on the firewall in order to guard against future attacks. While this process thwarts attacks, it's not an ideal solution. In some cases, the intrusion detection system must constantly update the firewalls with static rules that don't change even though conditions do. Issuing static rules can overburden the firewalls. Again, as network conditions change, the firewalls aren't being optimised.

In order to reap the full benefits of security infrastructures, a comprehensive data traffic management tool is essential for in-house data security professionals. You need to procure an application switch that guarantees the full activation of all security tools while boosting performance to Gigabit speeds.