Faster Networks Mean More Security

By eweek  |  Posted 2007-08-01


Lisa Vaas: Could you give us just a really brief overview of what we're talking about when we're talking about enterprises moving to these new, faster 10g networks?

Dave Marcus: Well, that really kind of encapsulates it. It's mainly the same kinds of services, the same kinds of applications, just moving exponentially faster. Most enterprises were at a gig or Ethernet speed in the past, but now there's definitely been a move toward faster and faster backbones, and faster and faster application speeds and with that definitely comes some increased concerns.

Vaas: Do we have any idea roughly how many enterprises have migrated at this point?

Marcus: I don't think you would find 5 or 10 percent who've actually completely migrated yet. They've been talking about it for a while. Certainly, a lot of customers in the military space, the federal space and things like that are already there, but I think enterprises are just kind of at the burgeoning stages of design because it's a big architectural change.

Vaas: Yeah, I would think so. OK, well I'm definitely going to have to ask you if we've learned anything from their move, if we know anything about what they've learned. But first, do tell us. We're looking at malware continuing to evolve. What is that going to have to do with enterprises going to these new speeds? Are we looking at overall security and safety concerns?

Marcus: I've actually been really considering this for a while, and I think the biggest impact there's going to be is from a performance side on the network. So whatever kinds of things they're deploying defense-wise on the network is definitely going to be a cause for concern. So when they transition from a firewall, they're going to have to transition from a firewall that was used to decoding protocols and applications going through at 10/100 speed or a gig speed. Now it's going to have to end up doing decodes for something that's going across at a 10-gig speed. So I think, for a while, that's going to be their largest concerns - keeping up with things from a performance point of view so as not to degrade the new network's performance. You don't want your security technologies to be the bottleneck for the application speed.

Vaas: So we've really got to get out security solutions ramped up for this. How are vendors doing with that?

Marcus: It depends on the vendor. The biggest trend over the last couple of years, strangely enough, has been more toward application malware and malware that's really geared toward user data. So in truth, that's not necessarily going to be affected a lot by a transition to a 10-gig network. A malware writer writes a password in Trojan to target the information that's on the user's box. That's really not going to be ultimately affected at the beginning by a 10-gig network.

Vaas: We've talked about this quite a bit that the techs were moving down the stack. Is there any reason why a 10g network would be more attractive to a tech, or are the same reasons why a techs move to application going to hold true?

Marcus: I think the same reasons that they're moving toward applications and data are going to hold true. We really haven't seen a lot of backbone attack-wise for the last couple of years. There was only one or two vulnerabilities and pieces of malware that actually utilized a network in the last couple of years. There was a DNS flaw not too long ago, but that is definitely not the norm. The norm has been very application-based.

Vaas: Yeah, and this is because networks are too closely guarded nowadays, and applications are just a lot easier, not as good protection on the applications. Is that what I'm getting?

Marcus: That's definitely part of it. But the biggest shift over the last four or five years, from a malware writer's point of view anyway, is to be more financially motivated. So more and more, they simply write their malware to make money. And to make money, they really go after the data that's on the user's computer. There is not a whole lot of reasons for them to do a denial service attack, or go after a core router or go after a switch. If they're really looking for identity information to sell in the underground, password stealing Trojans and BOTS really are the du jour right now.



Lessons Learned from Government

Vaas: I'm sure McAfee's been working with government agencies and military, moving to 10g networks. What can you tell us about any lessons learned there? What can we come away with?

Marcus: I think what you'll start seeing over the course of the next few years is much more stuff on the network going toward appliances and away from things that run through an operating system. That's definitely a lesson learned. When you deploy something on the network, more and more they're becoming appliance-based, so they don't have a lot of overhead. The problem with running a security application through a regular operating system is you incur all the processing byte of whatever the operating system it's running is. More and more, we see people looking to create things that are very appliance-based, because you get such an increase in performance. And that's been a big lesson learned: run more stuff on the network on appliances.

Vaas: All right, definitely appliances. We have seen a lot more companies going into the appliance space for sure.

Marcus: Yeah, absolutely, because you definitely avoid a lot of problems when you run things in a very custom-built appliance mode. You can burn things into the hardware so you don't incur the processing cost, and that definitely is a big benefit.

Vaas: Is there any other benefit to going to appliance, besides performance? Off by itself, it really doesn't have a lot of interaction.

Marcus: Not necessarily. It definitely makes it a lot more difficult to attack the device, too. When you're running something that's an appliance-base or something that's an inline device that's kind of doing silent analysis on the wire, it makes it essentially invisible or at least a lot more difficult to attack directly. That's always a benefit. When your security technology is a lot harder to identify, it's always better that it can't get attacked.

Vaas: Let's talk about the move to an appliance or to 10g networks in general. What should companies be thinking about as they prepare for that kind of a move?

Marcus: Well, they should definitely be thinking about what is the speed of their application, how much data are they actually moving across their wires and then making sure that the countermeasures that they're going to implement can successfully deal with that new speed, because you certainly don't need your intrusion prevention device, or your firewall, or your e-mail server or anything like that to be the bottleneck, to not be able to analyze the new traffic correctly. It's going to cause it to bottleneck, drop traffic, drop mail and we certainly don't need that.

Vaas: Do you have a list of questions people should be posing to vendors as they're contemplating the switchover?

Marcus: Well, the same types of questions from when they went from a 10/100 network to a 1-gig network - are you running an application, are you running in appliance mode, do you have the ability to do decodes at 10 gigs, are you introducing any latency, if so, how much latency are you introducing. Those are probably some of the biggest questions that we've learned over the years; make sure your security technology is as invisible on the wire as possible, and it's able to keep up with the wire speed. Don't inject any latency. Or if you're going to inject latency, make sure it's as little as possible.

Vaas: What are some good benchmarks out there?

Marcus: It's really hard to say at this point, because not enough companies really have been running 10gs long enough for us to know what benchmarks are. But once again, it comes down to the latency thing. For instance, http is a good way to test network latency. You have a device that can produce large amounts of Web traffic and, essentially, you have a reflector on the other end. So if it puts out 10, it should reflect 10. And if you put your security technology in the middle of it, what's the difference now that you've introduced the security technology. Those kinds of things are very easy to benchmark.



Predictions for the Future

Vaas: In an ideal world, everything would be equal. That would be nice.

Marcus: That would be correct. There would be no difference between running with the security technology and running without the security technology. However, we've definitely learned some lessons as to all things being equal can sometimes be a little bit different.

Vaas: OK, what about predictions for increasing security risks over the next 12 months as these new networks become more prevalent?

Marcus: I think you'll end up seeing a lot more of what we've been seeing recently. Certainly, the trend has been toward data, application data and attacks toward applications, lots and lots more phishing activity, lots and lots more spam activity. But those kinds of things exist in other places through the world. So if you're luring the victim to come to the fake Web site, the 10-gig network really ultimately doesn't affect it. Maybe it allows you to get there quicker, so you may get infected or get the Trojan on your machine quicker, but I think you'll end up seeing a lot of the same kinds of trends that we've been seeing now, just maybe a little bit faster. But I really don't think you'll see large attacks against the infrastructure. That's definitely not been the trend lately.

Vaas: So we're just going to get infected more quickly, more efficiently. That's good.

Marcus: Which is always a wonderful thing, right?

Vaas: I hate it when malware writers have to wait for me to get infected. That's such a drag.

Marcus: But you know, that's really been the thing, it's very much toward that trend of going after the applications data, going after the user's data that's on the box.

Vaas: Interesting for me that we're not looking at anything different substantially, except for more data going out quicker, more text coming quicker. It's just kind of ramped up everything that we're seeing right now. Would that be fair?

Marcus: I think that's a fair estimate, when you look at the same period of time, where we're hearing all this talk about Web 2.0 and all of this new interactiveness through Web sites and stuff like that. So I think their end probably lies where the next threat frontier lies, all that new dynamic data, and are they doing everything they need to enforce security of that kind of data.

Vaas: Yeah, well, we'll be sending more people to bone up on their secure coding practices, that's for sure.

Marcus: That's definitely something that can never be done enough. I mean security code practices, good back ends. You know, if you're encrypting the data, are you doing it correctly, all that kind of stuff.

