Evolution of Perimeter Defence
First Published: SC Magazine

IT security has to be one of the most dynamic industries in the world. The continual release of new software and hardware technologies, each with ever-increasing complexity and broadening integration requirements, has ensured that the security arms race will continue to force ever more sophisticated counter-attack and protection-oriented systems into commercial organisations to counter past, present and future threats.

It is this evolution of threat that has traditionally driven the development of many of the security products available to organisations. A little over a decade ago, anti-virus products had only just migrated from detecting viruses transported on floppy disks and CD-ROMs, and had started to counter virus threats within a newly networked world. A short time after, network-level attacks started to exploit the limitations of simple port-filtering devices; consequently, firewall technology improved with the inclusion of packet inspection and state maintenance.

As the complexity of corporate software and business applications increased further, attackers began to target specific vulnerabilities within the code of the application itself. Detecting and responding to this type of threat required a security product that could decode the application's communication channel and identify likely malicious content. Thus the first generation of Intrusion Detection Systems (IDS) was conceived.

These three classes of security product form the basis of most organisations' perimeter defences. The success of these critical defences depends upon the software's ability to analyse the data passing through it and to respond successfully. The security product must apply its own particular rule set or logic flow (such as anomaly detection) to the data and evaluate whether to allow it, deny it, log it, or remove it in its own way.
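The three generations described above (port filtering, stateful packet inspection, and IDS-style decoding of the application channel) can be modelled as stages of one decision pipeline. The following Python is an added illustration, not code from the article or from any product it mentions: the policy (only web ports permitted inbound), the packet structure, the addresses and the HTTP samples are all constructed for the example. Each stage returns an allow/deny/log decision with the reason, which is exactly the evaluation the paragraph describes.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified view of an inbound TCP packet."""
    src: str
    dst: str
    dport: int
    flags: str          # simplified TCP flag: "SYN", "ACK" or "PSH"
    payload: bytes = b""


# Assumed policy for the example: only inbound web traffic is permitted.
ALLOWED_PORTS = {80, 443}


def port_filter(pkt: Packet) -> bool:
    """Stage 1: stateless port filtering, the earliest firewall generation."""
    return pkt.dport in ALLOWED_PORTS


class StatefulFirewall:
    """Stage 2: port filtering plus state maintenance (packets must belong to a session)."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, str, int]] = set()

    def inspect(self, pkt: Packet) -> Tuple[bool, str]:
        if not port_filter(pkt):
            return False, f"port {pkt.dport} not permitted"
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":           # new connection attempt: record the session
            self.sessions.add(key)
            return True, "new session"
        if key in self.sessions:         # mid-stream packet on a known session
            return True, "established session"
        return False, "packet without established session"


# Stage 3: IDS-style decoding of the application channel (HTTP in this example).
KNOWN_METHODS = {"GET", "HEAD", "POST"}
MAX_URI_LEN = 256                        # assumed anomaly threshold
SIGNATURES = [(b"../", "directory traversal pattern")]   # constructed detection signature


def application_inspect(payload: bytes) -> List[str]:
    """Decode the HTTP request line and return alert reasons (empty list if clean)."""
    alerts: List[str] = []
    if not payload:                      # control packets carry no application data
        return alerts
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        alerts.append("payload is not a well-formed HTTP request line")
        return alerts
    method, uri, _version = parts
    if method.decode("ascii", "replace") not in KNOWN_METHODS:
        alerts.append(f"unexpected method {method!r}")
    if len(uri) > MAX_URI_LEN:           # anomaly detection: statistically unusual request
        alerts.append(f"anomalous URI length {len(uri)}")
    for pattern, name in SIGNATURES:     # signature detection: known malicious content
        if pattern in uri:
            alerts.append(name)
    return alerts


def perimeter_decision(fw: StatefulFirewall, pkt: Packet) -> Tuple[str, List[str]]:
    """Run one packet through all three stages; returns (action, reasons)."""
    ok, reason = fw.inspect(pkt)
    if not ok:
        return "deny", [reason]
    alerts = application_inspect(pkt.payload)
    if alerts:
        return "log", alerts             # first-generation IDS: detect and log, do not block
    return "allow", [reason]


def run_sample() -> List[Tuple[str, List[str]]]:
    """Constructed traffic sample exercising each stage of the pipeline."""
    fw = StatefulFirewall()
    packets = [
        Packet("203.0.113.5", "198.51.100.10", 22, "SYN"),                        # wrong port
        Packet("203.0.113.5", "198.51.100.10", 80, "SYN"),                        # opens session
        Packet("203.0.113.5", "198.51.100.10", 80, "PSH",
               b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),             # clean request
        Packet("203.0.113.9", "198.51.100.10", 443, "PSH", b"GET / HTTP/1.1\r\n\r\n"),  # no session
        Packet("203.0.113.5", "198.51.100.10", 80, "PSH",
               b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),                        # signature hit
        Packet("203.0.113.5", "198.51.100.10", 80, "PSH", b"\x00\x01binary junk"),  # not HTTP
    ]
    return [perimeter_decision(fw, p) for p in packets]


if __name__ == "__main__":
    for action, reasons in run_sample():
        print(action, reasons)
```

Each stage only sees what earlier generations could not handle: the port filter rejects the first packet outright, the state table rejects the mid-stream packet on port 443 that never completed a handshake, and only the application-layer decoder notices that a well-formed, correctly-sessioned HTTP request carries suspicious content. Note that the IDS stage logs rather than blocks, which is the detection-only posture the article contrasts with later protection and prevention.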

The point is that, as each new threat developed, a new security technology was developed and consequently a new product was born. Organisations then had to implement each new technology within their environment, overcoming internal resource and costing issues and battling through a vendor evaluation process. These largely disparate security technologies have become entrenched within almost all organisations. They now find themselves in the position of having many "point" security products scattered throughout their networked infrastructure, consuming ever more valuable human resources, and still requiring further products and updates to counter this year's threats. It has even got to the point where security companies are producing software to check and secure other security products.

Fortunately, these disparate security technologies are in the process of migrating to the next level: they are amalgamating into solutions. A similar process happened within the desktop productivity software arena a decade ago. It used to be the case that organisations would choose their word processing software from a dozen vendors, offered in a dozen different versions. The same applied to their spreadsheet software, desktop publishing software, presentation software, personal databases and email clients. While the variety of options was often pleasurable, their inter-compatibility and robustness were not. The development of desktop productivity suites such as Microsoft Office or Lotus SmartSuite simplified the decision process and offered something more than the sum of its parts.

Within the next year or two, organisations will be offered all-in-one, device-based "suites" of threat protection systems. By removing the underlying device operating system and integrating the functionality of these previously disparate security products, organisations will finally see their security operational costs fall. Instead of having to host separate software-based solutions on individually managed hosts and operating systems, these threat protection devices will manage all necessary patching and updating through a centrally managed or automated process.

Some will say that this should have happened earlier. It has taken several years for the underlying technology (such as operating systems, processor efficiency and software development practices) to stabilise and reach the necessary level of maturity. Consequently, the first generation of threat protection systems will use core anti-virus, firewall and IDS technologies from vendors with an established pedigree in security.

Out of necessity, they will probably be marketed according to the merits of the individual component security products (rather than increased functionality and removal of duplicate functionality) until organisations understand the nature of this evolution.

As these security suites mature and organisations become more familiar with threat protection, the use of traditional names (such as anti-virus, firewall and IDS) will disappear, to be replaced with the term Intrusion Protection System, or IPS for short. Thus, the IPS will soon become the standard in corporate perimeter defences.

Around the same time, leaps in centralised management and IPS integration with threat identification services (such as vulnerability scanners and world-wide alerting services) will ensure that organisations can not only protect against current threats, but can also prevent future undisclosed threats from becoming an issue. Finally, organisations can focus valuable resources on doing business, as their security infrastructure evolves from detection, through protection and on to prevention.

Copyright 2001-2007 © Gunter Ollmann