Anyone who says that there will be a new buying center created from the convergence of host security and network security has to put a nickel in the silly jar.

What availability model will you choose, or has been chosen for you?  Sometimes security gets to choose it, and other times the business lines will direct what model applies.  Active-Passive means a nearly 2x cost, even if the passive equipment is not as robust as the active side and often with a less expensive support fee.   Active-Active means at least a 2x cost, more when you consider the equipment to maintain state and heartbeat in case of equipment failure.  Now when you add in geography, and you want to have a second site in case of flood, fire, pestilence, or attacking-radioactive-daschunds.  That means 4x.  There are some options to scale down parts of this on one side of the balance sheet (e.g. having your second site use smaller equipment), but often there are neutralizers on the other side of the sheet (e.g. needing equipment in a test/devel environment).  There are also variants of security high availability that are not trivial.

Your availability model has significant security cost and delivery implications.

One of the questions that comes up as part of DMZ design is is it best to have one firewall vendor (for simplicity of management) or two (to provide an overlap of protection in case one firewall has a vulnerability), and what are my peers doing on this topic? 

John Pescatore and I have provided an update on this in a research note “Q&A: Is It More Secure to Use Firewalls From Two Different Vendors?”

 The NIST stone test wall in Gaithersburg, Md.

This usually is a sign that the vendor has lost sight of their customers and gotten into a spiral with competitors.   Their competitors may be scared for a day or two until they get their product into their lab, but then they have a legitimate criticism they can use in sales. And guess who is grumpiest – customers. 

If a customer wants to buy 100mbps of firewall, they want to look at 100 mbps products.  Anything else only leaves them disappointed. 

Vendors – don’t apologize for specs, be tempted to nudge up some ratings, or list the port type as the throughput.  Customers – reward honest specs,  and push back if you are sold a box that underdelivers.  And, Gartner customer, call us before you make a netsec buy and I can help make sure your short list has the right products and models on it.

Caveat datasheetum.

Your network is now the honeypot.  Bot networks and rootkits made seeing if you are in anyone’s sights or attempting to divert them not that valuable.  MSSPs, ISPs/carriers, and security vendors are exceptions to those who should spend time watching the threat trend, but this is now more macro and inspecting for broad trends rather than finding if someone is gunning for you.  Vendors are started to introduce “opt in” features where you can share the general information from your security product with the vendor, who in turn will process the collective information and share it back with you to help better configure your product based on what your peers are doing.

There are only a few exceptions – maybe if you are trying to root out a specific instance of corporate espionage.  But otherwise spend the time and money on cleaning up the damage that has already been done: patch management, IPS, or a tool to watch for bot infections.  See our Case Study here on Procter & Gamble’s project to get ahead of botnet infections.

Tell users what is not allowed and be specific, and give examples.

A university student was criminally charged in this story for allegedly testing out the student access card system, and later emailing the personal information he found to the university and the students involved.  To his credit, the student didn’t go evil and sell the information.  The student was quoted as saying that he was doing this in the interests of students.

When the norms for acceptable use are vague or unclear, you get behavior proportionally straying form the center line in both directions.  Positive change is hindered, unacceptable behavior is winked at, and the really bad behavior can proceed under the cover of a wide gray line.  Being unclear lowers the trust in the IT security function.  On the other side, security going all medieval on what is well intended and non-dangerous behavior is also a problem.  Anomie is a $5 sociology word for the stress you feel when you don’t know what norms apply. 

Tell your users that freelance white hat penetration is not allowed, but only if you have a mechanism to report and react to suspected weaknesses.  Without the responsive element of the contract (and having it be more than lip service), it won’t work.  Instead of your enemy, make the tech-savvy users your neighborhood watch.

Be very specific across your acceptable use policy (AUP) about what is and isn’t good and bad, and challenge your company’s AUP if it is a placebo or has the weight of a set of encyclopedias.  Oh yeah – and don’t rely on policy alone.  Policy is the weakest lever, and you need technology and people with it to make security work.

One oldie but a goodie is that “brakes don’t help you stop, they make it so you can go faster”.  Good network security let’s the business get on with doing business.  Relying only on embedded security constrains business. 

Let’s pile on the metaphors now: good network security encloses the sandbox.  by containing and not constraining new creative things can happen and no one loses an eye.  A playground monitor is required to make sure that any indictable behavior gets stopped or no cats get to burying things in the playarea, but embedding security in the network is limiting.  Networks and network equipments change a lot.  By embedding security in the infrastructure your security can limit innovation and security.  Want upgraded deep packet inspection?  Then you had better look at upgrading all your routers and switches and having some downtime kicking the SLAs right in the soft packets, only deploying security where you have those switches and routers, and forget about the real world where multiple network vendors are used.   

Network devices are made to move packets, not stop them.  Let the network move ‘em, and use a separate security layer to put the brakes when things go too fast or you want to let an annoying passenger off.

So the rules of physics don’t change, but neither are they expanded linearly. Security inspection at higher speeds is like that. An all-in-one firewall is a really good choice for most small and lower-end midsize companies. The load of differing profile inspection loads is not so great as to warrant the overhead of having different point security products. Find out when it is time to turn the handlebars in the other direction – there comes a point in growth when simply expanding into a larger single device doesn’t work anymore. As in driving, there are always exceptions to the rule (counter-steering at high speeds while driving over a wide white pavement marker in the rain is a great way to see what the non-shiny side of the motorcycle looks like).

I  have a research note on current critical network security issues with section titled “There Is No UTM For The Enterprise”. In our joint presentation at the Gartner Security Summit back in June, my colleague John Pescatore and I gave a segment on the differing requirements and future for the network security (netsec) platforms in the SMB, Enterprise and Carrier space, including the differences between edge and internal/datacenter platforms. John is presenting on some netsec trends as part of his presentation at the Gartner Symposium in Orlando on 12 Oct. 08, as I am at the Gartner Enterprise Network & Communications Summit in Orlando in November. We’ll also be making this available in the near future on the Gartner for IT Leaders Security & Risk Management portal.

During the last 3 days at MES I worked with quite a few CIOs of midsize enterprises helping many of them get rid unneeded appliances, or make the move to point-products and get better value and performance. Think about whether rationalizing netsec products or redesigning your DMZ needs to move to the your security agenda. And if your netsec vendors aren’t helping you do this … 

During my advisory sessions with midsize CIOs today the topic of Web Security came up frequently.  Aside from the increased interest due to PCI requirements, web applications are the flavor-du-jour for attackers and companies are struggling with how to protect themselves.  Web applicatons are right now the weakest link, since Off the Shelf products have the backing of vulnerability management techniques such as vulnerability scanning and or the shielding of IPS.  But when it comes to your web applications your bad coding practice chickens are coming home to roost and are dropping SQL-injected eggs, and you are on your own. 

You have really only two choices – check your applications before deployment using a code scanner, or shield them post-deployment using a web application firewall.  I have a recent research note on the web application firewall products, which provides an overview of the major web application firewall vendors I have been tracking, as well as some explanations of some of the complex and confusing deployment and technical issues (including the 6 operating modes such as reverse proxy, out-of-band, etc.). 

“MSSPs provide an off-premise service for customer premise equipment (CPE),  whereas ITC is off-premise services for off-premise equipment”.  

This afternoon I spoke this with my colleague Kelly Kavanagh who is Gartner’s lead on MSSPs and security services.  Kelly said “That’s accurate — I would also add a third definition.  ITC requires bandwidth as an adjunct service, whereas remote service absent an adjunct fits the security as a service definition”.  He explains that you can’t buy ITC firewall without buying the network, because that’s were the firewall is. You can however buy anti-spam without buying network or anything else from that same vendor.

So our expanded definition is: MSSPs provide an off-premise service for CPE.  ITC is off-premise services for non-CPE.  If the ITC doesn’t come with the network, it is security-as-a-service.

The other piece of advice during the talk was that anyone looking for some quick investment cash should start a company advertising agentless-In-the-Cloud-virtualized-green-PCI-open-source-security-as-a-service.  I think I need to stop working on the Hype Cycle…