Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

February 18, 2008
Trust No One: A Talk With Juniper Networks

Don't forget next week's ebizQ roundtable on SOA security. Sign up right here!

Listen to or download the 13:52 minute podcast below:

What follows is a transcript of my podcast with Sanjay Beri, Vice President of Access Solutions for Juniper Networks. Sanjay has ten years' experience in the high-tech industry having played key roles at companies such as Microsoft, Newbridge Networks and McAfee, and in this podcast we discuss today's attack vectors, Juniper's solution, and the future of security attacks.

What type of attacks do companies need to be most concerned with in 2008?

Sure, there are really two categories of attacks that I would say come to the forefront. The first is associated with insiders, or your own employees, or end-users. And the first thing that most folks are realizing is that the threat from inside folks, employees, contractors and even partners often outweighs the attack vector that, for example, an outsider who wants to penetrate your network and steal data could weigh in on.

So that's the first threat. The first threat is employees: they're not experts in security, they do open email attachments, they do browse to websites, which are consumer-based websites full of malware and so on. They do what many would call normal things but in the security world, frankly, they are opening themselves to many threats.

And as a result, I think the first thing that folks need to realize when they look at threats is valid employees trying to do the right thing, doing things that are authorized at work will do things that open themselves up to attack and it doesn't need to be -- an attack doesn't need to be instigated by an outsider. An employee can actually instigate it by simply going to a website. For example, going to Facebook, downloading a widget, doing whatever many employees do with either for business or consumer purposes at work and that's -- that's the first thing.

And then the second, of course, is the traditional one, which is attackers, right, hackers. Many of them used to be script kiddies and -- and folks doing this for fame. Nowadays, these are in many cases criminals, people actually trying to penetrate your network, not leave any, you know, leftovers that tell you that they did it, and often end-pointed attacks steal a lot of data. Those are the two big categories of threats that are out there.

So those are the attacks. Give me a quick overview of Juniper's solution?

So Juniper's solution is really broken up into both of those different vectors. And -- and the first is the recognition, I think, that-- and this sort of drives Juniper's development of its solutions -- the recognition that employees, partners, contractors, you know what, the philosophy that not to trust anyone is actually a good one.

And it's not to say that your employees aren't trustworthy or your partners aren't, it's just that, you know what, they don't know often what's on their systems. They don't know, for example, that there's a bot or a piece of spyware, or a malicious code on their system that will propagate to other users or servers.

So Juniper's solution on that side is to ensure that, for example, before a user gets onto the network, you not only validate who they are, user name, password, token, and so on but, frankly, that's not good enough anymore. You go in, for example, look at where they're coming from. Are they coming from my LAN? Are they coming from a kiosk? Are they a partner coming in from an external site, which I do not control? Are they coming in from the wireless network?

So that's one other factor. And then the other factor is what does their net, you know, end-point that they're connecting from look like? Is it a company-issued laptop, which has AV, personal firewall and so on, on that system, i.e., is it a secure system, you know? Is it, wow, that system is locked down, or that's a pretty open system? Take all of that data, all of those parameters and use our product, whether it's the SSL VPN, which is our market-leading remote access product, or the Unified Access Control product, which is built off the SSL VPN but is more for campus and wireless networks versus remote access.

Those two products which basically have the same platform, same underlying policies, they take all of the data I just mentioned and they then allow a user access to the network in the right way, to the right resources, with the right security privileges, and they do that, basically, by dynamically assessing all three parameters, user, location, end-point state.

Then they provision the network. We do that in the UAC case, provision your firewalls; provision your switches via 802.1 access and so on. They provision them so the end-user gets access only to the right things. For an SSL VPN, where all traffic goes through the product, it is a proxy and as a result can do it immediately for you on the product itself and provision only the right resources to the right users at layer seven.

That's the first step, access. Ensure that the right users get access to the right resources with the right security policies and do it in a way that's easy, manageable and as well open so that whatever vendor they have in the end-point. And frankly, in the UAC or NAC's case, whatever they have in their network, Juniper's switches or someone else's, it works, so open is key.

The second piece is -- let's say me, Sanjay. I have a valid computer, locked down, I authenticate it properly, I'm on the LAN. Does that mean that I just stop there and all of a sudden, I get access to everything and they, you know, I don't check that the person is doing something malicious? No. The second thing you need to make sure you have is inline control of these systems. You need to make sure that you have firewalls and IPSs looking at the traffic and seeing if there is something malicious that is being passed on the network from the user to the user and so on.

And that's where intrusion prevention comes in and we have products that integrate firewalls and IPSs together. And those products as well by the way do, for example, take that data that they get and pass it back to our SSL and net -- and UAC products so that if I'm on the network, and these products detect something malicious on the network, they notify a remote access and UAC NAC products and they can then de-provision or re-provision the user's access based on what dynamically was going on in the network.

How is Juniper's solution different from simply bundling a bunch of applications together in a single appliance?

Sure. I think the first thing to remember about Juniper's solution is it's open. We are not forcing people and we never will to just buy our products. And it is a key characteristic of Juniper in general and a key characteristic of our solutions to combat these threats. We promote open standards like TCG and TNC, and we drive those standards in the industry, and collaborate with partners, competitors and others to make sure that, for example, if you have our UAC or NAC product, you can have whatever you want on the end-point.

If you want to use our 802.1X supplicant you can, if you don't, you don't have to. If you want to use Vendor A's antivirus, you can, or Vendor B's, sure. Whatever it is on the end-point, we're driving open standards so that data can be fed in an open standard way to a NAC product and then provision the network. We're also driving things in the industry that allow networking devices to feed the results of what they see on the network to a product like UAC, Unified Access Control, which is our NAC offering, in an open way, so if you have our firewalls, our IPSs or someone else's, you can feed that data out.

So that's one big thing, it's open. The other key characteristic is that we focus on what I would say is "closed loop" systems. Systems that don't just, for example, you stick our SSL VPN in or you stick our UAC in and you're done, that's it, you know. It doesn't work with any of your other products. From a management point of view, you can't get reporting through that same management system that you manage your UAC or SSL with for your other product that we have.

So generally, trying to solve that management framework while remaining open and realizing that single box integration is definitely valuable, for example, in the branch where you can't afford multiple devices. But people will want multiple devices in many cases. And they may not want them from the same vendor. When integration makes sense, we make and we offer those products, firewall IPS integrated, done.

You know we have that best-of-breed. Firewall IPS routing, same thing. However, in many cases, for vendors or customers who don't want that, we'll also make sure we work in that other mode so that's one big difference. Open, you want integrated, you want stand-alone. Making sure, that works. Closed loop systems, i.e., don't just let one product operate by itself.

It'd be great if your UAC and SSL product could interoperate with the firewalls, and switches, and IPSs out there and they made one plus one equal three instead of operating as silos; we make that happen. And then, the last point I'll tell you is this. One of the keys that we focus on is developing best-of-breed systems. We focus on the quality of what we deliver because we're focusing on customers who view their networks as strategic, right.

Customers who view security and networking as a driver for their business in terms of, hey, this is a differentiator, right. This can differentiate me. Not someone who just views it as, hey, let me just buy the cheapest appliance, that's not who we sell to. We sell to folks who view their networks as strategic and that drives our development and the quality of products we put out.

Since some of the solution is automated, can't that create problems if a hacker manages to change some of the automatic settings?

Sure, that's a good question. The automation, if you remember, the first thing that when folks, for example, configure a product. Say you go to our UAC product or SSL VPN product and you configure a policy, the first thing is everything I describe to you about end-users, it should apply to that administrator too. Who are they? Where are they coming from? What does their end-point state look like?

Access all that, then let them configure the product and set the policy. So first of all, on a control channel side, you need to make sure that you have the right level of authorization, authentication, access of that user before you even let them change any policies, and that is the first step to making sure that an unauthorized user doesn't get onto your equipment and set policies.

So that high level of security needs to apply not just to your employees, and remote access employees, and your contractors, but to your administrators as well, and that's one of the big reasons you can avoid this. In terms of automation, after those automation policies are set, what we find is customers often start sort of in a non-automated way, they set up policies, they see how things go; for example, you remember the IDS IPS transition.

Many folks adopted sort of IDS first and then moved inline prevention. On the remote access and NAC market, some have more closed looped systems than others. Some choose to automatically, you know, re-provision switches and firewalls across their campus. Some wait and get comfortable with it and then do it. So it's also a process, right. We don't expect folks to do everything immediately.

They'll go through pilots, they'll go through larger deployments and then they'll get eventually to fully or partially automated. So, you know, our system allows folks to cross all that chain, right. They can do whatever they want from the most automated to partially, whatever they're comfortable with. So that's -- that's one of the big things, to make sure that folks have a plan and a phased plan to move along and roll these things out.

Now, what do you see as the future for security threats?

Sure. So the future is, you know, I categorize in two things. And I said, you know, these hackers and which are often criminals now and then there's protecting a corporation from its own people, and its partners, and contractors. Those two vectors are still the same. I think some of the big changes that you'll see is nowadays an employee often does a lot more than work at work.

You know it's not just surfing traditional websites and, you know, news sites and so on. It's frankly going to Facebook looking at widgets which one day could have malware on them or going to Google's, you know, initiatives when they, for example, launch lots of their, you know, whether it's video, open social whatever it is. Lots of these things, which take up a lot of bandwidth, which folks will be looking at, at work. These are just new vectors of attacks, new vectors of threats.

And as social networking and P-to-P and so on take off even more, it will enter the corporate world. Whether that is through employees doing things that have nothing to do with work or it's corporations using these applications for the betterment of themselves. So having a device and a system, which does what I said, access first. Who gets access to what with what security privileges, dynamic assessment of user, location, end-point?

Those paradigms will remain the same. What will change is all the different vectors in which attacks can come into the network. The other big thing, I think, you will see as well pretty soon and you've already seen, is just this notion that folks who are attacking you -- malicious folks, they're not out for fame, they're criminals, so more pointed attacks, whether it's credit cards from large corporations or it's personal data; that will continue and that will get more and more sophisticated.

And as a result, systems on your network need to get more sophisticated, they need to understand applications. Ports and IPs, you know, that's a thing of the past, right. It's users, applications, understanding them, protocol, decoding them and so on. So more of that is absolutely critical to combat sort of the complexity of what attackers out there will be throwing at us.

Posted by pschooff in Podcast