Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Multi-Layer Security Platforms 60

An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to policing traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"
This discussion has been archived. No new comments can be posted.

Multi-Layer Security Platforms

Comments Filter:
  • Considering I'm planning to go into the network security field, any other interesting/fact-filled articles or websites I should check out?
    • by drpimp ( 900837 )
      One well know place to start

    • by Bishop ( 4500 ) on Wednesday July 05, 2006 @11:20PM (#15664630)
      This article is terrible and contains no real facts. It is full of buzz words for management.

      Go read Schneier [schneier.com]. It may seem that most of what he writes is not security related, but it usually it. All forms of security are related. It is important to look at the big security picture and not concentrate on the individual technology pieces.
      • Except for the squids on Friday.
        • Well seeing how many squids there are in the world (every major restaurant has them) I would say that at least thier avaiablity is doing well (if not confidentiality and integrity also). Oh and to the OP, also check out the internet storm center (part of sans). http://isc.sans.org/ [sans.org] and maybe some vendor blogs. F-Secure keeps one I like to read every once in a while.
      • Anyone who doesn't know about Bruce Schneier should check out his writings (he has several books out). He thinks to the bottom of things, recursively asking "what's the *real* problem?" until he gets to a real solution. I've tried to follow his example in my security blog for normal people [berylliumsphere.com].
      • Yeah, the article is clearly marketing hype. All broad brush, loaded with scary terms couched in small technical-sounding (but relatively non-technical paragraphs by some VP of Marketing. Note the use of hanging "and,"s as paragraph breaks, lest some poor, ignorant exec's eyes glaze over at uninterrupted technobabble.

        I was rather amused at how the writer(s) sort of lost it, style wise. I found the fact that threat-scape was unquoted the first time it was used (at the end of a paragraph) while it was q
    • by jd ( 1658 ) <imipak.yahoo@com> on Wednesday July 05, 2006 @11:38PM (#15664732) Homepage Journal
      Read absolutely everything the DoD and NSA have published on host and network security. Study the crypto and hashing function lounges to understand what underlying mechanisms are known to be flawed and which have a high liklihood of having problems. Devour everything that NIST, NESSIE and eCrypt have published on cryptographic techniques (such as authenticating encryption modes). Read up on intrusion detection and intrusion countermeasure systems, their strengths and their weaknesses. Find out about different active and passive scanning techniques (you can get a lot of forensics from timings, and passive fingerprinting is a big nasty). Understand completely ALL of the implications of the Byzantine General's Problem, The Byzantine Agreement Problem, Byzantine Fault Tolerent Authentication (ie: parallel security). Comprehend the consequences of DNS poisoning, router table poisoning, ARP poisoning and other lower-layer attacks.

      Then go on BBC's Mastermind. Or be the world's leading expert on IT security. Or both. The problem is that security is one of those fields where there needs to be only one weakness and ALL of the strengths will count for nothing. As such, comprehending one tiny segment in isolation is not a valuable exercise - it WILL be bypassed. Security specialists are the worst specialists to be, you need to be a security generalist if you are to be able to stop anything much beyond the most trivial of attackers. Particularly in a day and age where tools are so easily exchanged that attackers do NOT need to be generalists. The Internet is a gestalt of everyone who uses it and is ergo the ultimate generalist. THAT is who you would be defending against.

      • It's not even enough to be a security generalist.

        After you've studied every facet of security, remember that some attacks come from backhoes and hurricanes. Learn about business continuity. Then instead of getting frustrated when security measures don't work, learn systems safety engineering to understand why. Study finance and risk management so you can have common ground for discussion with C-level managers. Maybe insurance is better than prevention in some cases.
        • In order to implement risk management, you'd ned to learn about risk assessment and business modelling. Insurance would need a working knowledge of statistics, Operational Research (for the optimization) and related methods such as cost/benefit analysis. In order to effectively discuss with managers (and/or users), you really need good communications skills (including formal and informal writing skills, and presentation skills). In order to turn actual requirements into programmable implementations, you wou
          • At a very rough guess, I'd say that between the two of us, we could produce a text at least 20-30 (maybe 40) volumes long on what a security expert would need to know. Dunno how much you could add, but I could certainly manage the chapter titles and maybe even a little of the content we've listed so far.

            Actually, I think this is the wrong approach. I think that a security expert only needs to read 3 or 4 volumes in their specific field. The idea that a single person can be a master of all areas of secu
  • by tlambert ( 566799 ) on Wednesday July 05, 2006 @10:23PM (#15664413)
    Sorry; I wasn't that impressed... the entire article read like a hard-sell pitch for all-in-one security appliances. And it turns out one of the authors is the V.P. of marketing for a company selling a range of all-in-one security appliances.

    I'd actually think that everyone going the recommended route would end up in the same boat as the current monoculture of point product that they complain about. Now, instead of being compromised because we're all running the same code, we get compromised because we're all running the same security appliance, with the same flaws.

    I'd actually rather see a diverse and heterogeneous set of defenses to prevent large scale compromises working against everyone, and the economy of throwing everything into a box, rather than loading a bunch of diverse software strikes me as a false one.

    The same arguments that make me want to run a MacOS X box or a FreeBSD box or a Linux box instead of some other platform with well known vulnerabilities make me *not* want to run the same appliance box in front of my network that everyone else is running, too.

    Maybe I'm just jaded, and have heard "best of breed" one too many times. 8-(.

    -- Terry
    • by b0r1s ( 170449 ) on Wednesday July 05, 2006 @10:35PM (#15664458) Homepage
      We've been testing a BUNCH of 'all in one' security appliances, and most are clearly running Linux, and at least one of the VERY LARGE, WELL KNOWN appliances is even missing stability updates (yes, that's right, off the shelf bugtraq code can DoS it).

      There's a time and place for security appliances, but they're not a cure-all. Some of the brands (I'm actually a fan of Watchguard for small businesses) do great work blocking malicious web and email traffic, but the stability and security are still far from perfect.
    • I'd love to let me users run whatever they wanted. But then we'd need to tripple the hell-desk staff. Here's what I'd like:

      Secretaries should be running bootable knoppix with an automagic mapping to the SAN/NAS. No worry about them downloading crap. Of course, they'd still call 15 times a day wanting to know how to send an Outlook appointment that some people can decline while others cannot. And they'd still accidentaly overwrite or delete the C*Os' proposals.

      Devs should be able to run whatever they li
    • I'd actually think that everyone going the recommended route would end up in the same boat as the current monoculture of point product that they complain about. Now, instead of being compromised because we're all running the same code, we get compromised because we're all running the same security appliance, with the same flaws.

      I'd actually rather see a diverse and heterogeneous set of defenses to prevent large scale compromises working against everyone, and the economy of throwing everything into a box, ra

    • Usually, there's not enough to read, but at 10 PM on a weeknight, the last thing I want to do is read something that long. Thanks for telling me that I don't need to read it.
    • TFA is a terrible sales pitch (complete with CIO buzzwords) for Fortinet's products.

      Last year we were testing one of the smaller Fortinet "firewalls." It was easy to crash the Fortinet box and the protocol/data scanners with a boring network fuzzer. (i.e. we sent bad data at the box) Given time I am sure that we could have exploited the crashes. But, as that was not our job, we moved on to testing better products.

      These all in one (adaptive filtering with super duper special proxies) traffic scanning firewal
    • well, security is a tricky game :)

      I've said it before that the best security feature is to unplug your computer and bury it in concrete :) even just filling the case with concrete will help keep it from getting lojacked.

      ah well, there are Good security practices, and pointless ones :) security appliances may help some people, but they're no replacment for a certified security professional (enough to keep a 24/7/365 staff) keeping hackers out, and keeping your network secure.

      I won't say this appliance is b
    • I'll agree for the most part. If you took an A1-class general purpose OS, mandated IPSec w/ public key encryption for all connections, used S/Key-encrypted passwords over Kerberos for the user authentication, used source routing with an internal routing map, had a static DNS system also internal to it, ran firewalls on layers 2, 3 and 7, placed active intrusion detectors on a parallel (A1) OS on a parallel processor, ran all software with ElectricFence or other malloc protection, used secure (maybe encrypte
  • by mfaras ( 979322 ) on Wednesday July 05, 2006 @10:29PM (#15664434) Homepage
    ... is still there, as it was in the good ol' times: Unplug the damn thing

    2 cores, 2 monitors, 2 hands!
    When are those duble-dick body upgrades coming out?
  • by Raleel ( 30913 ) on Wednesday July 05, 2006 @10:50PM (#15664532)
    4 pages to say defense in depth? Any person who's spent a little time reading about security on the internet could tell you that. Heck, with a touch of extrapolation, combined forces has been used for how long? A couple thousand years?

    I agree with the poster above who said like it sounded like an ad for an all in one appliance. It spends the first page putting down best of breed security means, then says we need to use best of breed ones, only under this new definition. It ignores that these all in one solutions generally have the cost of integration factored into the cost of the very expensive product. It talks about the changing security environment, trying to pump up your fear, but it totally ignores insider threat, which constitute the larger chunk of threat.

    Essentially, this is a document for security managers, not for anyone on the ground, so to speak. The language is unnecessarily obtuse and ornate.
  • by CrazyJim1 ( 809850 ) on Wednesday July 05, 2006 @10:55PM (#15664551) Journal
    When you install software, it tells you its installing, and goes into the installed directory so you can browse every piece of software installed on your computer... Instead of letting software designers put their software everywhere they feel like hiding it on your harddrive and registry. Yes I'm looking in your direction windows. Power to the user, less abusive power to the developer.
  • There's nothing like a good old-fashioned false dichotomy to start off a shameless product promotion. Kind of reminds me of those late-night informercials for "Y-Bron" hosted by the Man from U.N.C.L.E. himself. Anyone see those? Viagra has made the whole argument kind of redundant, but it was gruesomely presented. Your first option against "male impotency", as I think it was called, is a very nasty looking penis implant and inflation device. Well, doctor, that seems a bit severe. Is there any alternat
  • So this says people should put all their eggs in one basket and that is the proper way to protect the network. It mentions protection at the edge only as being bad, which it is. Then doesn't really come back to that and tries to sell a box that brings to mind a wan,lan,dmz port.

    This is lame. Sure it may be running some kind of magical software that knows in advance all of the 0 day stuff better than tipping point. Really though, layered multi-vendor approaches are best. I've had a virus make it through the
  • Puffy! (Score:2, Informative)

    by astra05 ( 987104 )
    My security solution that handles 95% of what I need is OpenBSD (plus a couple of ports) The documenation is awesome as is the community, and it is built to be proactively secure. Give it a try: http://www.openbsd.org/ [openbsd.org]
  • Ahh, a comprehensive article on security structure written by someone out to sell something. Only one good tag for this story - "markitechture".
  • I thought the network was supposed to facilitate business and personal communication. One configured like this looks more like 'walking through a minefield'. How do you ever get a distributed application (think funds transfer between banks) working ? Cash on a motorcycle ?
  • To be clear, best-of-breed point products do in fact provide in-depth security capabilities. However, each product is only narrowly applicable and is therefore unable to provide the breadth of coverage needed in today's IT environments. To put it another way, the (potential) incremental gain in security capabilities that can be attained with best-of-breed products is simply not sufficient to offset the complexity and expense that will result from organizations needing to implement many of them to cover all

  • Trite, insipid and banal. I agree that a holistic approach is needed and because of that a 'platform' is only part of the remedy. Apart from stating the obvious, the approach advocated here actually amounts to a view of information security which is curiously not holistic. As is usual, there is no mention of any process involved in information security simply a thinly veiled entreat to buy the snake oil and all will be well. Reader beware if devices are all that is mentioned then question the writers mot

    • I fully concur with the above comment, and strongly recommend adoption of the ISO27001 series of standard (there is also ISO27002, 3, with more to come.)

      I've written a paper on how to approach this, available here (PDF.) [lanifex.com]

      I was disappointed by the title, since it hints at security convergence -- but completely fails to explore the space where my company is active, which is integrating physical security monitoring (alarm systems, environmental controls, UPS monitoring) with data security controls (IDS, ne

  • it was generated by http://pdos.csail.mit.edu/scigen/ [mit.edu].

    Except in fake papers and speeches by our college president have I heard something simple ( and trivial ) said in so many words.
  • by sgt scrub ( 869860 ) <saintium@yahooUMLAUT.com minus punct> on Thursday July 06, 2006 @10:24AM (#15666808)
    This article is nothing but crap marketing words designed to confuse the ignorant.

    Translation with missinformation: Hackers are now attacking vulnerabilities in applications.

    The trueth: Script Kiddies are learning how to attack vulnerabilities in applications thanks to frontend applications like Metasploit.

    What they don't know: Hackers designed layers 1-7.
  • Nothing!!! Absolutely nothing to see here! This post like http://www.google.com/search?&q=network+security [google.com]

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling