Guarding the Guards Themselves-The Truth Behind Security Devices
By Dennis Cox, Chief Product Officer, Ixia
We trust numerous security devices to protect our networks, and they have an exceedingly difficult job. The number of applications that now make up a network has hit ridiculously high numbers. Who knows what the latest cloud-based applications will bring? In today’s IT environment, security solutions still have to solve the security issues of the past and present while also being capable of predicting future issues. That is such a high bar to achieve—it’s nearly unachievable—but these devices can’t be blamed.
"Ask for a list of the components that make up the network devices you are using and make sure to note any possible issues"
The answer, of course, is layering multiple solutions to ensure the widest breadth of protection possible. Unfortunately this too has its own set of issues, such as the cost of managing multiple solutions. So what is the best way to make sure you pick the best device for your network?
All about the Apps
At the end of the day, your company has the goal (most likely) of making money. Anything that isn’t a key part of the core business or doesn’t help deliver on this goal must be treated as secondary. With this in mind, you can outline a list of the top three applications in your network to better understand what those key facets are. For example, I would list my top three applications as Oracle for finance, salesforce.com for our sales process, and Office365 for our messaging (e.g. email, Skype). There are many more, but those three are the cornerstones of the business—at least for the sake of this article. What are your top three? Write them down! You need to understand them, and not forget to keep them updated with the vendor’s security updates.
Armed with this list, you can also ask the vendor(s) of your network or security devices how they perform with those applications. Let’s face it: if the vendor hasn’t tested with Oracle, do you want to use them? What about salesforce.com? Over 100,000 companies use salesforce.com; if your network equipment vendors aren’t testing with it, you might want to switch vendors. Ask them to share the results. Perhaps the best vendor is the one that shows you that they know how each application impacts their device and how it will perform.
The Sum of all Parts
Network security devices like firewalls, routers and switches are the sum of the parts that make them. When you deploy Java in your network, you most likely check that it is up to date or get an alert when a new vulnerability is announced. This is pretty standard—Patch Tuesdays, automated updates and more all alert users to possible risk. But what about the components that make up your firewall? Would you know if the network processor or switch chip in that platform became an issue?
Rarely are those alerts made; in fact, rarely does the vendor that sold you the product even know about the vulnerability. This is especially true when we look at hardware. It is important to understand that security devices leverage third-party chips from all over the world, which can house their own vulnerabilities.
To illustrate, consider what happens when you need a storage device. An engineer in operations or the vendor’s hardware team picks one. He or she publishes the BOM (bill of materials) and their job is done. If a part goes end of sale or end of life, the BOM is updated with a replacement part. Other than that, the job is done. However, if a vulnerability is found in a switch chip, who updates the software on the chip for a customer? Generally nobody. That vulnerability gets to live for a very long time. To protect your organization, ask for a list of the components (at least the data path components) that make up the network devices you are using and make sure to note any possible issues. This also allows you to add the component vendors to your vulnerability alerts.
Additionally, spread the love around a bit and make sure you don’t have a single homogeneous path. You don’t want every device using the same Ethernet chip from end to end, which is more common than you can imagine. It would mean a Layer 1 or 2 DDoS attack could really ruin your day.
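The two practices above, keeping a component-level BOM that you can cross-reference against component vendors' advisories, and checking whether one part sits on every device along a path, can be turned into a small script. The following is an added example written for this article, not code from the author or from Ixia. Every device name, vendor, part number and advisory identifier in it is a constructed placeholder; a real deployment would load the BOM from the vendor's disclosure and the advisories from the component vendors' feeds.

```python
"""Cross-reference device bills of materials (BOMs) against component advisories.

Added example, not from the article. All device names, component vendors,
part numbers and advisory ids below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    vendor: str  # component (chip/firmware) vendor, e.g. the silicon maker
    part: str    # part number exactly as listed on the device BOM
    role: str    # data-path role: "ethernet_phy", "switch_asic", "npu", "storage"


@dataclass
class Device:
    name: str
    components: list  # list of Component


# Constructed BOMs for three hypothetical devices on one network path.
DEVICES = [
    Device("edge-firewall", [
        Component("AcmeSilicon", "AS-ETH-100", "ethernet_phy"),
        Component("NetProc Inc", "NP-9000", "npu"),
        Component("StoreCo", "SC-SSD-240", "storage"),
    ]),
    Device("core-switch", [
        Component("AcmeSilicon", "AS-ETH-100", "ethernet_phy"),
        Component("AcmeSilicon", "AS-SW-48", "switch_asic"),
    ]),
    Device("dmz-router", [
        Component("AcmeSilicon", "AS-ETH-100", "ethernet_phy"),
        Component("RouteChip", "RC-2", "npu"),
    ]),
]

# Constructed advisory feed entries: (vendor, part, advisory id, summary).
ADVISORIES = [
    ("AcmeSilicon", "AS-SW-48", "ADV-EXAMPLE-001", "malformed frame causes ASIC reset"),
    ("StoreCo", "SC-SSD-240", "ADV-EXAMPLE-002", "firmware accepts unsigned update"),
]


def vendor_watchlist(devices):
    """Component vendors whose advisories you should subscribe to."""
    return sorted({c.vendor for d in devices for c in d.components})


def affected_devices(devices, advisories):
    """Map each advisory id to the devices whose BOM contains the affected part."""
    index = defaultdict(list)  # (vendor, part) -> device names carrying it
    for d in devices:
        for c in d.components:
            index[(c.vendor, c.part)].append(d.name)
    hits = {}
    for vendor, part, adv_id, summary in advisories:
        names = index.get((vendor, part), [])
        if names:  # only advisories that touch something actually deployed
            hits[adv_id] = {
                "part": f"{vendor} {part}",
                "summary": summary,
                "devices": sorted(names),
            }
    return hits


def shared_parts(devices, role):
    """Parts of the given role present on every device: a single point of failure."""
    per_device = [
        {(c.vendor, c.part) for c in d.components if c.role == role}
        for d in devices
    ]
    if not per_device:
        return []
    common = set.intersection(*per_device)
    return sorted(f"{v} {p}" for v, p in common)


if __name__ == "__main__":
    print("Subscribe to advisories from:", vendor_watchlist(DEVICES))
    for adv_id, info in affected_devices(DEVICES, ADVISORIES).items():
        print(f"{adv_id}: {info['part']} ({info['summary']}) -> {info['devices']}")
    print("Ethernet parts shared end to end:", shared_parts(DEVICES, "ethernet_phy"))
```

Run as-is, the script lists four component vendors to subscribe to, ties each constructed advisory to the one device that carries the affected part, and flags the Ethernet PHY that all three devices share, which is exactly the end-to-end monoculture the paragraph warns about. Keying the index on (vendor, part) rather than on device name is the point: the device vendor may never issue an alert, but the component vendor's advisory still matches.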
Ultimately, you want your organization to be in a place where vulnerability won’t be your undoing because a security device that was supposed to protect you was the vector of compromise. Someone has to guard the guardians.