Enterprises should be more wary than ever, a panel of security vendors Tuesday told a crowd at the Network World Security Showdown at ComNet. While enterprises are opening up their networks to admit legitimate business partners, at the same time attackers are becoming more sophisticated, warned the experts.
"You are letting strangers in to operate your machines," says Bob Blakely, chief scientist, security, for Tivoli Systems Inc. Some of those strangers are there on legitimate business, but others are there to cause mischief or worse.
During a spirited presidential-style debate, the top five security vendors as ranked by IDC sparred about which offers the best network protection, but agreed on some principles.
For example, the parties agreed that no single type of security - firewall, intrusion detection or antivirus software - could protect against all threats. There are "too many lines of code to block all holes," says Rob Clyde, vice president and chief technologist for Symantec's Enterprise Solutions Division.
And they agreed enterprises cannot look at security as a one-time event, but rather must constantly review and improve their defenses. If they do, the odds are in their favor, it seems. Clyde says enterprises can protect against 80 percent to 90 percent of all security breaches by doing two things: using hard-to-guess passwords and keeping operating systems up to date with the latest security patches.
The participants suggested that the best security might come from more than one vendor. "Nobody has a solution to all the problems that are going to arise," Tivoli's Blakely says, even though his own company claims to meet all security needs. "Don't believe our marketing or anybody else's if they are obviously untrue."
Greg Smith, director of product marketing at firewall expert Check Point Software Technologies, admitted his company didn't even attempt to offer all the elements of network security such as antivirus protection or intrusion detection. But he couched that as a strength. By teaming up with the top vendors in other areas, Check Point makes it possible to build a security scheme using the best parts, Smith says.
The participants didn't hesitate to point out what they see as weaknesses in the competition's products. Blakely said that Computer Associates' eTrust products must be present in all the networks crossed in an e-business transaction, for example, in order to be effective. Simon Perry, vice president of security solutions at Computer Associates, countered that it is important for enterprises to analyze the security of their business partners' networks, then defend their own networks based on what the analyses reveal. Perry recommended compartmentalizing your enterprise to isolate the resources that business partners have access to.
Some promising new technologies still need development, the vendors say. Marvin Dickerson, director of product management at PGP Security Business, a division of Network Associates, says his company's Cyber Cop Sting software - which redirects hackers to a single machine that appears to be the enterprise network - is still directed to a small market. Only financial institutions and "three-letter organizations in government" would need to bait attackers in order to trace them.
Likewise, Computer Associates' Neugent technology, which mines network data and promotes security improvements based on changes to network use, is not a cure-all, Perry says. It is a tool to be used along with firewalls and antivirus software.
Smith says his firm recognizes the need for faster and faster firewalls and VPNs as Internet connections from enterprises get larger. He promised 1G bps firewall and VPN protection by year-end.
To give customers the widest choice of security options, Symantec acquired Axent, which added firewall, VPN, vulnerability assessment and intrusion-detection products to Symantec's line of antivirus and content-filtering software. But Clyde acknowledged the company is still working to integrate products.
Dickerson noted that his firm has grown dramatically through a string of purchases of other security vendors. And that poses challenges, Smith pointedly notes. "They did the acquisitions, now you have to trust they do the integration," Smith says.
The vendors didn't always see eye-to-eye. Network Associates' Dickerson says biometrics such as handprint scanning won't be available as a widespread authentication tool until 2003. CA's Perry later said that was the silliest comment he heard in the debate. He noted that medical enterprises faced with new government security regulations want biometrics now.
Symantec's Clyde noted that security bug trackers found a dozen breaches in Check Point's Firewall 1 product last year while none were found in Symantec's Raptor firewall. Check Point's Smith countered that 80 percent of Fortune 500 firms use its Firewall 1 product, exposing it to more attacks. "We are a big target," he says. And he claims the company has had no customers whose security was compromised by a vulnerability in its product.
Perry questioned whether the recent stock declines of Network Associates and the departure of three key executives should be cause for concern among potential customers who need long-term support of security products. "I think we'll be around for a long time," Dickerson responded.