Wednesday, February 27, 2008

Application Protection, a Distributed Approach

Source: WSTA written by Peter Glock, Head of Solution Development & Marketing, Orange Business
--------------------------------------------------------------------------------

The ability to talk to someone at a distance has been taken for granted by large businesses since the widespread adoption of the telephone. Market forces are reshaping the ways we communicate with each other, bringing a new set of security challenges.

Conferences on collaboration driven by technology vendors often assume that every organization has already converged, or is in the process of converging, all of its applications onto a single IP network. That network connects users to a unified communications system that shows the availability of co-workers (or perhaps even customers and partners) and lets them communicate via IM, email, and/or voice at the click of a mouse.

The reality is that many are just starting to plan for these changes, especially outside of head office locations. Indeed, many still manage voice and data communications budgets and operations in different parts of their business.

One of the potential barriers to realizing the benefits of a converged network is how to provide security and appropriate service levels for all the applications, now that they are no longer separated.

Application firewalling has been around for a while, but it has largely been used to protect specific applications that are exposed to the public Internet, and it has been confined to a few protected locations.

Now that many applications will be carried on a corporate intranet, the network itself has to become application-aware and provide appropriate performance and security for each application at every point. A problem with one application must not be allowed to take down the others, as has happened with malware outbreaks in the past.

The threats facing a network application like Voice over IP are:

1. Infrastructure- and application-based attacks

2. Denial of service (DoS) attacks

3. Eavesdropping

4. Toll fraud

5. Protocol-specific threats (SIP, H.323, and MGCP)


This implies that the application needs protecting across the network and at all endpoints. Similar threats exist for most network applications. Defensive approaches that should be examined include:

The Fortress
Consolidating applications into a small number of data centers and providing high-performance gateways at the center through which all communications flow and at which policy is enforced. Effectively, the infrastructure outside the data center is treated as semi-trusted or untrusted. This can have a significant cost impact on the network, but it leads to consistent policy enforcement and lower operating costs for the security infrastructure.

The United Nations
This approach uses federated policy with codes of connection that are enforced by each entity and audited by a central team. Operational risks are difficult to manage across disparate teams. It is usually adopted by decentralized organizations that find it inappropriate to push central control onto their subsidiaries, many of which may not be under direct control, e.g., joint ventures and partners.

Distributed Security
This strategy involves building security enforcement points at multiple locations around the network and pushing a central security policy to all of them. The availability of unified defense technology allows this to be implemented at a much lower cost than the typical fortress gateway.

For organizations that have adopted the fortress or United Nations approach, now is the time to examine distributed security.

Peter Glock is Head of Solution Development & Marketing at Orange Business Services. He was one of the founders of the managed security business back in the last millennium. Please contact Alan Simpkins, Solutions Manager, IT Services, Orange Business Services;
email: alan.simpkins@orange-ftgroup.com;
web: www.orange-business.com.