Monday, 28 April 2008

It's not in the network

Everyone's bored of network security, aren't they? I certainly haven't thought much about it recently. There are a few reasonable-sized companies out there doing very well from network devices, by which I mean devices that control the network traffic in some way, not devices that merely sit on the network analysing this or that, controlling something, or providing a secure store for something else.

Back in the year dot of the internet, Cisco made it big from connecting everyone together. At the same time Microsoft made it easy to use a computer, and the internet boom started to have some knock-on effects. Suddenly hundreds, then thousands and eventually millions of people were connected to each other by little more than an open pipe, one which could be stopped, stolen or even hijacked.

Corporations understood the need for computer communication between them (it's almost a given these days that you need a computer in business to survive), but security was nowhere near the top of their minds.

So a few scary years later, antivirus and then firewall products started to appear. This gave Mr. Corporation a feeling of safety: the bad guys were outside the network, the network was self-cleaning, and the good guys were inside, just like in a normal, physical-world company. The amount of headline space given to firewalls and AV around the beginning of the 90s is, in my humble opinion, the main reason why security is now so difficult to teach and sell. Until fairly recently, if you mentioned IT security to a CEO he would answer 'we have a firewall already'.

After firewalls came IDS, then IPS/IDP, to stop live nasties getting in undetected by AV, largely because they weren't viruses, or were zero-day attacks whose signature the AV didn't yet know. Then came VPNs, proxies, reverse proxies, SSL termination points, load balancers, link controllers, etc. To analyse every product would take another 3 weeks and would not add to this post.

The market was flooded with all manner of devices in the mid to late 90s, and the messaging was hard to follow. This market evolved relatively slowly (compared to the internet boom), and only in recent times have we been able to pick the parts that make sense to use in the network, drop those that don't, and turn them into what we are now calling UTM - Unified Threat Management.

UTM is a much better solution to network security issues, but it doesn't cover everything. You still need separate user security, for example. User security is itself still evolving into identity management and identity-based access management. Security will never be perfect, so this process will always continue in ever-decreasing forward steps. Certainly for now, I'm done with network security. Data security is much more interesting, and that's where I'll continue tomorrow.
