Net security: urgent, but at what cost?

Net security: urgent, but at what cost?
There is no doubt that concern about the security of the "information superhighway" has increased significantly in the year since the terrorist attack on the U.S. physical infrastructure in New York City and Washington, D.C. For example, while IT and security executives and the general public do not agree as to the likelihood of a cyber-terror attack, they are more or less in agreement in the view that U.S businesses are not prepared for such attacks.

According to Mario Correa, director of network security policy at the Business Software Alliance in New York, a recent survey by his organization on the first question found that 47 percent of the IT professionals questioned felt that the likelyhood of such an attack on the information infrastructure would happen in the next twelve months, versus 19 percent who did not think it was likely. Just as disturbing, 45 percent do not think U.S. businesses are prepared, versus 18 percent who were confident in current security protocols.

The same survey showed that among the security specialists in the IT departments, more than 60 percent were expecting a serious attack on the information superstructure somewhere. Among the general public only 25 percent thought a cyber-terror attack was likely but almost 40 percent did not feel all that confident we were prepared.

There are good reasons for this concern. According to contributor, John Carbone, vice president of marketing at Green Hills Software, Inc., (Santa Barbara, Calif.) as far back as 1997 the National Security Agency conducted a simulated cyberattack demonstrating that in only four days they could have taken control of the major power grids in Chicago, Los Angeles, New York and Washington.

And after September 11th, investigations by the FBI and other agencies revealed that Al Qaeda had penetrated security on numerous systems in the U.S. in order to monitor and collect data from high-tech companies, utilities, and government offices. Carbone points out that the U.S. Energy Department has identified eight scenarios for successful SCADA (supervisory control and data acquisition) attacks on electrical power grids using tools readily available on the Internet.

Even without such direct threats, there are still good reasons to be concerned about the security of the network computing infrastructure, said Madeleine Campbell, security technology manager, at the Information Technologies Division of BTG (West Conshoken, Penn.). "Remember, the Internet was not designed to be a secure environment. Rather it was a barebones non-secure set of protocols designed to operate within a secure environment," she said. "There is a big difference between the two."

The new Internet-centric communications and computing environment is in the midst of profound structural changes, in terms of types of connections, services and protocols, according to Kieren Taylor, director of XML product development at Datapower Technology, Inc. (Cambridge, Mass.). "Broadly speaking, we are evolving from a relatively simple paradigm to a much more complex and interrelated network environment," he said. "And with more complexity comes more possibilities for holes and gaps in the security famework."

Part of the problem is also the rapid growth — not just in the number of users — but the number of different types of users and in the number of web sites. How does a company or organization know with any exactness the extent of its network sprawl, the number of dead end streets, the unguarded intersections, the unauthorized connections? Bill Cheswick, chief scientist at Lumeta Corp. (Somerset, N.J.), believes the answer to this part of the equation is better ways to map Eeb connections. "If you do not know the boundaries of your territory, how will you know if there is unauthorized entry?"

Legitimate activity

Another aspect to the Internet and Web growth that makes it difficult to manage security is determining exactly what a legitimate message or activity is or is not. "Coming up with a clear set of standards as to what is allowable and what is not won't work," said Taher Elgamal, chief technical officer at Securify Inc., (Mountain View, Calif.). "The needs of individuals and organizations connected to the Internet are so diverse that such a cookie cutter 'one size fits all' approach will not work. What is not allowable in one environment and indicative of a potential security problem may be perfectly OK in another context."

What is necessary, he said, is to find some method of efficiently analyzing the traffic, and quickly and accurately determining the potential problems, developing a set of policies and initiating them as quickly and as broadly as possible. "That means automating this whole process as much as possible, so that the solutions can be initiated as fast as the problems occur."he said.

Fortunately, as the many contributors to this week's In Focus indicate, a flood of new technologies, devices and software solutions is emerging. And the developers and the hardware and software companies that provide them with the tools and building blocks are taking a second look at their systems, checking to see if techniques used for other functions can be re-purposed to the enhance the security of their systems.

For example, in the late 90's Green Hills Software began to sense that companies and industries, outside the military and government segments were beginning to pay more attention to the security issue: industrial control, power and gas distribution, chemical processing, anywhere, he said, that a Distributed Control System (DCS) or a supervisory control and data acquisition (SCADA) system was deployed. "When we were looking at the design of our Integrity RTOS we felt that the best bet was to design it to the most stringent security standards around," said Carbone, "not only because a portion of our customer base required it, but because eventually as a wider range of applications became more connected, they would require the same sort of security discipline, or at least as much as they could afford."

And Bodacian Technologies Inc., formed by a group of programmers originally as a contract programming house has evolved into a security problem solver in the embedded space to many of these same industries using DCS and SCADA implementations. "While there are more issues facing embedded developers than those who work on desktop and enterprise systems, the issues are easier to solve in an embedded system," said contributor Eric Uner, cofounder and chief software architect at the Barrington, Illinois- based company. "For one thing, since the systems are typically smaller than large enterprise, they can undergo more scrutiny for security issues." Often, he said, depending on the level of security needed, it is a matter of the programmers assessing the tools and techniques they already use and determining it they can be used to enhance the security of the OS or the application.

At the other end of the spectrum, in servers, a wide range of offerings are becoming available to solve the security problems raised by the increase in complexity that such new protocols as XML and Java and frameworks such as .NET and competitive XML/Java alternatives have brought to the web experience.

"Fortunately, many of the developers of these new protocols were aware of the increased security problems that their complexity brings to the Web and there has been significant efforts made at coming up with the appropriate standards to plug the potential security holes," said Leon Baranovsky, vice president of marketing at Reactivity Inc.(Belmont, Calif.) "Unfortunately it is still a problem of deployment to accept that fact and take the appropriate measures."

Economics: the big question

However, the center of much security activity, at least at the hardware level, is in the very infrastructure of the network, in the routers, switches and VPNs. The big questions still facing designers of such systems are the most economical way to do this and which way has the least impact on performance. "Both are important questions in today's network environment where the collapse of many of the leading network vendors and the general economy has shifted the equation from performance at all costs, to performance at the best cost," said Bernard Cowens, vice president of security systems at Rainbow Mykotronix. "Unfortunately, they are also using the same equation for security."

In it's new IXP2800 family of 10 Gbit/sec network processors, Intel's engineers have attempted to address both issues by integrating as much security hardware as possible into the core of the design in a way that does not substantially decrease the overall performance. According to Intel engineers in an article in this report, tests on one particular member of the family, the IXP2840, have been able to achieve sufficient performance to encrypt and authenticate IPSec at 10Gigabit/second Ethernet rates when 100% of the traffic needs to be secured.

And, at least one company, Servgate, has begun deploying router/switch/ VPN server solutions based on the IXP2800 and have used the built in cryptographic functions to generally lower the cost that additional security adds to its system implementations.

Integrating security mechanisms into the very core of the systems we use, making it just another feature that must be used to conduct business on the network is the best way to go, pointed out David Leiman, founder and chief technical officer at Ntru Technology Inc. (Burlington, Mass.). "Over and above all of the various technologies and methods of implementing security into the network and compute infrastructure, in order for security to be ubiquitous it has got to be available and mandated in all software and all hardware as simply a cost of access," he said. "Security features will have to be as wide spread and as mandatory as, say TCP/IP is when we access the network. There is no law or federal mandate saying we must use TCP/IP. It is just a minimum requirement if you are going to access the Internet."

Building in IPsec

Margaret Wasserman, principal technologist in the IPv6 effort at Wind River Systems, Inc. said the company has just introduced additions to its network support packages integrating the next generation IPv6 128 bit Internet access protocol, this new standard may accomplish the same thing. It incorporates the IPSec standard as the basic minimum security protocol in the suite. Unlike IPv4 which designers can implement with any security protocol they want, IPv4, sets IPSec as the minimum, she said, the only choice the developer has is whether or not to add additional security mechanisms.

The inclusion of IPsec was an absolute requirement when first deliberations on the follow-on to IPv4 was being considered. "With the current 32 bit IPv4 we are rapidly running out of URLs to assign," she said. "With the 128 bit IPv6 the are so many URLs available that each person in the world could have as many as they want and still not use them up. That tells you something about the level of complexity it will bring to the Internet and Web just in terms of sheer numbers alone, all of which requires security equivalent to the potential complexity."

As new and established companies move into the market with security solutions they believe are necessary, they are finding a mixed response from corporate buyers. "The IT and security guys are pretty convinced they need to spend more on additional security," said Tom Dent, CEO at Lumeta. "It is at the executive level where the roadblocks seem to be." In the down market, such executives are concerned about the bottom line and look at security expenditures from the point of view of a return on investment, rather than as a cost of doing business.

Despite this focus on the bottom line during a down turn, said John Pescatore, senior security analyst at the Gartner Group, the security specialists have actually been winning the war of ideas. Within the IT budgets of most organizations, he said, the share devoted to the problems has actually gone up from an average 3.3 percent last year to 4.3 percent this year, with next year's share increasing to about 5.6 percent of IT spending. "Unfortunately, this increase is coming at a time when spending on IT in most organizations has been cut about 5-6 percent of the total corporate budget to about 3 percent," Pescatore said, "so the net effect is flat to declining absolute expenditures on security enhancements."

This dichotomy is reflected in a number of market research reports, which while optimistic about the security market long term are much more muted and conservative over the short term. Zaplink Inc., (Waltham, Mass.), which focuses on the server-based XML and Web Services segments projects that by 2006, sales of security products should reach $4.4 billion, an astounding 200 times the total market size in 2001 of about $40 million. In the hardware infrastructure segment — security devices in VPNs, routers and switches — the Gartner Group projects a total market by 2005 of about $400 million dollars, up, about five times the size of the market in 2001 of about $86 million.

It is important to remember, said Garnter Group's Pescatore, that all such projections have been made with the proviso that the economy will pick up in 2003. "If it doesn't, the industry will have a hard time meeting such optimistic straight line projections."

The one bright spot: the market for specialized security accelerators has continued to show modest growth rates throughout the ups and downs of the market in general and networking in particular. "I think the reason for that is that the upper management executives can see a clear return on investment because these security chips are replacing functions done in software previously," said Pescatore. "It is immediately obvious to even the non-technical that there has been a substantial improvement in performance for the same security protocol operations, something to which you can assigned a number."

"Last year, before 9/11 we expected at least a doubling in the market sales overall, and afterwards, given the seriousness of the threats we expected that to stay relatively firm," said Kittu Kolluri, CEO at Neoteris Inc. ( Mountain View, Calif.). "I think that the best the security market can expect is to stay even with last year, with perhaps some modest growth. I would like to think that there is going to be some major change in corporate mindset that will allow us to reach those projections, but that's not in the cards."

Outside of sales to the military/government sector, where the appetite for security defenses is voracious, Reactivity's Baranovsky divides the total available commercial market into three categories. "The customers that we do not even have to make an effort to sell to are the ones who have had a security problem and are now believers," he said. "They will spend what ever it takes to prevent such a problem again. Just as receptive are those companies which are indirectly controlled by federal requirements, such as banking and finance."

The hardest sells right now, he said, are to the executives at companies outside these segments where they have invested a little in security infrastructure and have had no problems so far as they know. These executives, he said, do not feel there is a compelling need to "invest" anymore unless there is a clear return on investment. In this environment it is hard to sell security, he said, because it is hard to justify a negative. "The best measure of a security product's effectiveness is the absence of security problems," he said. "How do you put an ROI spin on that?"