Hoov's Musings (volume 8, number 4)

Choose Your Poison, Part II

This Musing continues the Long Conversation About Security started in October of last year.  After this installment, there will be a pause in the discussion as Mark “turns the keys” of Musing over to Tom Garland in May so that he can get some things off his chest and so that Mark can help his wife birth a baby by making sure the anesthesiologist gets there at the right time with the right stuff.   

In the last Musing, I discussed host-based solutions to LAN security and arrived at the conclusion that while they may be suitable for small environments - especially if the requisite software becomes baked into O/S software - they don’t seem to me to be a viable solution overall.  I’m always suspicious of things that require presence everywhere in order to deliver value.  Remember ATM?  Just because huge armies of engineers try to make it happen doesn’t mean it will.  The things that really seem to take root are those that can be deployed as an overlay to an existing infrastructure, add value, and then be deployed more widely, incrementally, to add even more value.

If you care to know that the host that wants to connect to your network is running the proper software and hasn’t been infected before you allow it to connect to the network, there is another way to achieve this that doesn’t have the burden of host-based agents.  That approach is network-based vulnerability auditing (VA).  Such devices plug in anywhere in your network and can perform a scan of any network-attached device using a “dissolvable” agent, usually a Java applet, that downloads, does its stuff, and then disappears.  Its “stuff” can include anything from determining the presence, status, and version of all software running on the host, to inventorying DLLs, to examining registry settings, to searching for known O/S and application vulnerabilities, etc.  In other words, pretty much everything you might have otherwise expected a host-resident fat agent to do for you – but with less management overhead, instantaneous upgrade and rollback capability, and more device coverage.

The state of the art in vulnerability auditing has progressed rapidly in recent years.  If you tried out a product in 2001, 2002, or 2003, it would hearken back to the early days of IDS – lots of vulnerabilities missed, lots of false positives, frightfully long and undecipherable reports, deleterious impact on the devices under test, etc.  But the products have matured rapidly and many of these issues have been resolved, or are at least under control, now.  You can’t expect nearly 100% vulnerability detection, but you can be pretty sure there won’t be significant impact on the devices under test, that false positives have been reduced to a manageable roar, and that the reports generated will be somewhat useful.

I expect network-based vulnerability auditing to rapidly become commonplace in larger networks over the next 12-24 months. Since the use of these products was almost nothing as recently as a year ago, this implies a huge uplift in deployment.  But before the vendors have a big party to celebrate their rapidly expanding pie, I should point out a couple of issues they have.  (1) There are a lot of vendors in this space, and (2) it is rapidly evolving toward being a feature rather than a stand-alone product category.

Some of the many vendors who offer products in this arena include InfoExpress (www.infoexpress.com), Tenable (www.tenablesecurity.com), Internet Security Systems (www.iss.com), Foundstone (www.foundstone.com, recently acquired by McAfee), Qualys (www.qualys.com), Harris (www.stat.harris.com), eEye Digital Security (www.eeye.com), SAINT (www.saintcorporation.com), nCircle (www.ncircle.com), and many others, including some more big guns like Symantec and Network Associates.

So it is a crowded space.  And as the products have matured, they have become more similar as well.  In discussions with customers and some vendors who OEM some of these products, it has become clear to me that the differentiation between these products as related purely to vulnerability auditing is small.  Tenable tends to stand out more than the others because they sponsor an open source solution called Nessus that is used by a lot of customers and OEMs.  The weight of the open source community adding value to Nessus gives it kind of an unfair advantage, both stand-alone and as integration occurs as discussed below. 

The VA capability is rapidly morphing from a product category into a feature within a larger solution.  What is important now is how well that capability is leveraged within the larger solution.  The process of integrating VA with patch management is well underway, for example, so that you can not only identify vulnerabilities automatically, but also fix the issues.  Now, the hot thing is integrating VA into an overall network admission control solution.  The vendor that appears to be in the lead in this regard is Lockdown Networks (www.lockdownnetworks.com).  Some of the founding leading lights of F5 Networks joined Lockdown when they were called Interact Networks and have morphed a one-of-many VA competitor into a very interesting network admission control play.  They have wrapped their historical VA technology into a proxy RADIUS function, so that they are in the path of the authentication handshake.  When they see an authentication request come in, they do a vulnerability scan of the requesting device.  If it passes muster, they allow the handshake to complete, simultaneously sending a command to the edge switch serving the host to set an ACL that allows connectivity to the network.  Then, on an ongoing basis, they redo the vulnerability audit on attached devices to make sure an infection hasn’t snuck in.  If a host doesn’t pass muster, they send a different ACL to the switch, so that the device can connect only to a remediation VLAN and attempt to get updated to meet policy.  Thus Lockdown is leveraging their domain expertise in VA as the brains of their admission control solution, while leveraging the installed base of multi-vendor switches as the brawn.  I like this approach a lot.  It doesn’t perturb the network infrastructure, require new authentication methods or access control methods, or require host software.  It’s a nice overlay that adds a lot of value.  The value/effort ratio is well in favor of IT.

The Lockdown approach is worth highlighting for many reasons.  One is that it is an example of a complete solution that requires both an off-line device (a Lockdown appliance acting as a RADIUS proxy and VA launch point) and an in-line device (the multi-vendor switches).
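The admission flow described above, modeled as an added example (not Lockdown’s code): a RADIUS proxy that lets an authentication through only after the requesting host passes a vulnerability audit, and answers with the standard dynamic-VLAN attributes an edge switch reads to place the port in the production or remediation VLAN.  The audit policy, VLAN numbers, host names and scan findings are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy (an assumption, not any vendor's real policy):
# a clean host runs at least this AV engine version and has no high-severity findings.
REQUIRED_AV_VERSION = (4, 2)
BLOCKING_SEVERITY = "high"
PRODUCTION_VLAN = "100"
REMEDIATION_VLAN = "999"


@dataclass
class ScanResult:
    """What the dissolvable agent reports back for one host (constructed shape)."""
    host: str
    av_version: tuple
    findings: list = field(default_factory=list)  # (finding name, severity)


def audit_passes(scan: ScanResult) -> bool:
    """The VA verdict: current AV engine and nothing at blocking severity."""
    if scan.av_version < REQUIRED_AV_VERSION:
        return False
    return not any(sev == BLOCKING_SEVERITY for _, sev in scan.findings)


def assign_vlan(scan: ScanResult) -> str:
    """Same decision at first connect and on every periodic re-audit."""
    return PRODUCTION_VLAN if audit_passes(scan) else REMEDIATION_VLAN


def vlan_attributes(vlan: str) -> dict:
    """RADIUS attributes a switch uses for VLAN assignment (RFC 2868 / RFC 3580)."""
    return {"Tunnel-Type": 13,             # 13 = VLAN
            "Tunnel-Medium-Type": 6,       # 6 = IEEE-802
            "Tunnel-Private-Group-ID": vlan}


def proxy_decision(credentials_ok: bool, scan: ScanResult) -> dict:
    """Proxy-RADIUS reply: bad credentials are rejected outright; good credentials
    get Access-Accept, but the VLAN depends on the host's software state."""
    if not credentials_ok:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", **vlan_attributes(assign_vlan(scan))}


if __name__ == "__main__":
    # Constructed scan results: one compliant host, one with a blocking finding.
    clean = ScanResult("pc-alice", (4, 3), [("outdated-browser-plugin", "low")])
    infected = ScanResult("pc-bob", (4, 3), [("worm-backdoor-port-open", "high")])
    print(proxy_decision(True, clean))      # lands in VLAN 100
    print(proxy_decision(True, infected))   # lands in VLAN 999
    print(proxy_decision(False, clean))     # Access-Reject
```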

But even this solution is not totally complete.  VA, whether performed off-line or with host software, does not provide 100% vulnerability detection.  Even if it did, you can’t do a scan every millisecond.  There are still going to be infections and/or willful destructive behavior by network users operating on systems that are completely compliant with the present configuration policy.  It would be nice to be able to detect and squash such network activity.  To this end, about a year ago, the concept of “internal firewalls” was introduced via products such as Check Point’s InterSpect and TippingPoint’s (now 3Com) IPS.  These products are geared toward LAN applications in terms of their feature set, but they still only run at speeds of 2-4 Gbps and come with very high price tags.  They are good for isolating a network for contractors from your production network, or perhaps isolating engineering from sales, or protecting some critical servers.  But their price/performance does not allow you to use them to inspect every packet on every wire to detect infections and corral them at the device level.  You could try to achieve that goal via host-resident “O/S wrapper” software as discussed in the last Musing.  But I told you why I think that approach doesn’t fly, at least for now.

What is needed is an IPS that has been repeatedly rubbed with flaxseed oil from Balco -- one that does all of the complex protocol, application, and user behavioral monitoring and analysis required to detect infections, reconnaissance, and attacks, but with lots of ports at LAN speeds and at LAN prices.  Such a beast could be deployed in a lot of places in the network, ideally as close to the LAN internal edge as possible, to create a highly distributed internal perimeter, providing detection, prevention, and isolation down to individual users and network ports, but under total IT control.  Then you’d really have something.

Is this a pipe dream?  I don’t think so.  About 18 months or so ago there were several business plans circulating around Silicon Valley from start-up teams intending to build next-generation security processors or stateful processors.  These devices were intended to address the processing and (more importantly) memory bandwidth issues involved in performing deep, state-based inspection on packets at very high packet rates.  There is a huge challenge in making the volumes work for a fabless semiconductor company.  You either don’t get Cisco as a customer and suffer a slow painful death, or you do and suffer a fast painful life.  Realizing this, many switched to being a systems company, directed at an application where their technology could be used as an “unfair advantage” under the hood to create a new product category.  For many of these companies, LAN security fit the need due to the confluence of rich feature requirements and high speeds.  As far as I know, all of these companies are still in stealth mode as they put the finishing touches on their products and head to beta.  There may be some announcements coming up at Spring N+I, but I don’t think so.  You’ll see more later.

One company in stealth mode that I do have some information on is ConSentry Networks (www.consentry.com), formerly Tidal Networks.  They fit the definition above.  They are a unique all-star team of veteran Silicon Valley executives and investors who still hunger to do something significant in the industry again.

Their “under-the-hood” technology is a massively multi-threaded processor capability that enables parallel code and memory look-up operations on packets as they fly through at high speeds.  The rest is just a simple matter of coding.  The result is an affordable, very high-speed in-line device that looks at every packet and flow on every wire to rapidly detect infected hosts, prevent network meltdown, support automated remediation of infected hosts (per-host, per-application soft quarantining), and provide granular (per user, per flow, per application, per file, time-stamped) network usage profiling and control.  The device can also participate in network admission control, either by functioning as the Network Access Device in an 802.1X scenario, or by avoiding the need for 802.1X entirely by monitoring and participating in native Windows and Novell authentication schemes.  As with Lockdown, no new host/endpoint software is required, and no modification is required to existing host authentication schemes.  And no upgrades to existing switches or routers are required.  Thus, the right value/effort ratio is achieved.

As with other similar products that I think are in the development pipeline, these devices can be deployed in-line or off-line via network taps and/or spanning ports.  The granularity and reliability of the feature set is reduced if you move it off-line, but they can still be powerful devices.

It seems to me that the ultimate role for such devices is to be part of the switched infrastructure itself.  Some switches today, from Extreme Networks and Enterasys, for example, perform a subset of these functions -- mostly packet classification and analysis along with their Layer 2 duties. So it is possible. But customers will probably always want to have a choice between integrating this functionality into their switched infrastructure or deploying a best-of-breed overlay that just focuses on the security functions. 

There are other products out there worth taking a look at that are oriented towards active internal LAN security similar to ConSentry but that only run in off-line mode (and there are some advantages to that), often assessing sampled traffic.  These include products from Arbor Networks (www.arbornetworks.com), Mazu Networks (www.mazunetworks.com), Top Layer (www.toplayer.com), Lancope (www.lancope.com),  and Mirage (www.miragenetworks.com).

I think it is the case with all of the network-based devices (whether they are in-line or off-line) that if they participate in the network admission control decision at all (some do, some don’t), the software integrity of the host desiring connectivity is not taken into account in the connection decision.  The only thing taken into account is whether the host has the right credentials (e.g. password, certificate) to connect.  Therefore, there are some things the vulnerability auditing solutions bring to the table (better authentication and connection decisions) and some things the in-line network devices bring to the table (monitoring and control after connectivity is established; granular visibility into how the network is being used, including tracking document and other information transfers).

I would have loved to have told you that a single device exists that requires no changes to your existing infrastructure – host software configurations, authentication schemes and servers, switches and routers – and that meets or exceeds all of the promise of Cisco’s SDN within the LAN.  But that is not the case, at least right now.  Instead, it looks like you need to deploy two best-of-breed solutions – vulnerability auditing and in-line monitoring and control – to meet the need.  Maybe that will change some day as products evolve and/or the industry consolidates.  But at least the costs and operational complexities of deploying such a two-pronged solution will be a lot lower than for SDN, because if you choose right, you don’t have to perturb much of your existing infrastructure to overlay these solutions.

That’s all for now.  Thank you for enduring this Long Conversation.

Author’s Note:  Of all the vendors and products mentioned in this and prior Musings, I have a financial interest in only one – ConSentry Networks.  Early on, I did some strategic consulting work for them and continue to be on retainer.  That is what has given me some visibility into the capabilities and plans of this stealth company. 

Copyright ©1997-2005 Acuitive, Inc.  All Rights Reserved