Saturday, April 21, 2007

Digital Convergence: Putting all your eggs in one basket?

While my daughter was collecting eggs this Easter, and our class was just beginning to talk about digital convergence, it struck me to investigate how one aspect of this global phenomenon is affecting the security world. Traditionally the enterprise network looks like the topology in the picture above. In an article on the network firewall market, Gartner pointed out that “Moore’s Law is finally beginning to apply to…network security”, which has caused prices to drop (but not commoditize) and has allowed firms to target the emergent SMB (small to medium sized business) market with low cost all-in-one solutions. Here I will investigate the targets for network security convergence and the implications for business.

The eggs
There are many target devices for convergence in network security infrastructure, so for brevity I will describe 5 of the most common:

Router – these devices direct traffic that is being sent through the network, and when a packet needs to leave the network they can calculate the shortest or most economical path to get it there.

Firewall – like the firewall in a building, these devices restrict access so as to act as an impervious wall through which only authorized packets may pass. The trick here is how one defines what is authorized and how deep into the packet one is willing to inspect (a trade-off with speed and cost).

IDS/IPS – Intrusion Detection/Prevention Systems – these devices have threshold ‘sensors’ and behavioral logic regarding what is considered an intrusion. For example, multiple failed login attempts may indicate a brute-force password cracker trying to gain access; therefore a red flag should be raised.

VPN – virtual private network – these devices perform the encryption and private ‘tunneling’ protocol that enables secure connections between networks.

Gateway – these devices serve to limit and translate data sent across the network so that the message is in an understandable format. For example, you use a proprietary email system called Mail-e and you want to send a message to another person who uses Microsoft Exchange. When sent directly to each other the messages are unreadable, so the Mail-e gateway can be used to convert the messages to a readable format; it also ensures that only email of a certain type may enter and pass through its ‘gates’.
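As an added illustration of the IDS threshold logic described above (example code written for this post, not taken from any vendor product), here is a small Python detector that reads constructed auth-log lines and raises an alert when one source address reaches a threshold of failed logins inside a sliding time window. The log layout, the addresses, the threshold of 5 and the 60-second window are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines for the example (not captured from a real system).
SAMPLE_LOG = """\
2007-04-21T10:00:01 sshd[1021]: Failed password for admin from 10.0.0.7
2007-04-21T10:00:03 sshd[1021]: Failed password for admin from 10.0.0.7
2007-04-21T10:00:04 sshd[1021]: Failed password for root from 10.0.0.7
2007-04-21T10:00:06 sshd[1021]: Failed password for admin from 10.0.0.7
2007-04-21T10:00:07 sshd[1021]: Failed password for guest from 10.0.0.7
2007-04-21T10:00:09 sshd[1021]: Accepted password for alice from 10.0.0.22
2007-04-21T10:05:00 sshd[1021]: Failed password for bob from 10.0.0.22
2007-04-21T10:20:00 sshd[1021]: Failed password for bob from 10.0.0.22
"""

# Assumed line layout: ISO timestamp, process, "Failed password for <user> from <src>".
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window threshold sensor.

    Returns a list of (source, timestamp, failures_in_window) alerts. An alert is
    raised the moment a source accumulates `threshold` failed logins within the
    last `window_seconds`; the same burst is reported only once.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerted = set()               # sources currently above threshold
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:                 # successful logins and other events are ignored
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        src = m.group("src")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if src not in alerted:
                alerted.add(src)
                alerts.append((src, ts, len(q)))
        else:
            alerted.discard(src)  # burst subsided; a new burst may alert again
    return alerts


if __name__ == "__main__":
    for src, ts, n in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {src}: {n} failed logins within 60s")
```

Run against the sample, only 10.0.0.7 trips the sensor (five failures in six seconds); 10.0.0.22's two failures fifteen minutes apart stay below threshold. Loosening the threshold and window changes that, which is the tuning trade-off every IDS operator faces between catching slow attacks and drowning in false positives.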

The basket
The Gartner report that I mentioned earlier identified a few ‘leaders’ in the market (Checkpoint, Cisco, and Juniper), so I compared their SMB product features. What I found was every permutation of the above 5 ‘eggs’ across different product lines, but I want to focus on one from Juniper Networks. The product is the Secure Services Gateway (SSG) 140, and it can be configured to combine all 5 ‘eggs’ (link to product).

Why this is a bad idea for SMB
The statement that “Moore’s Law is finally applying to network security” indicates that, since processors are getting faster due to greater density, you no longer require separate machines to split up the processing load and can now combine these tasks in a unified device. Although lower cost and more convenient, this convergence brings to mind 3 problems that stem from the loss of modularity:

  1. Single point of failure (SPF) – As I mentioned to Peony in one of her recent blogs, the more we converge appliances, the greater the cost of downtime, and also the greater the probability of failure. Combining all these functions into one device and relying on that single device contradicts the goal of security, which is to mitigate risk. In practice, organizations overcome SPF through redundancy in parallel or in series, but this kind of configuration is still susceptible to the following two problems.
  2. Reduced ability to combine with physical and administrative defenses – assuming that this monolithic device can meet all your technical security needs, what’s to stop a malicious insider from simply unplugging or stealing it? In high security environments, these devices are usually physically separated by being locked up in different nearby rooms, with each room requiring some kind of authentication, whether that is a simple sign-in at the front desk or the approval of two supervisors through biometric scans.
  3. Independence of audit trail – after a good hacker gets access to your systems, they typically cover their tracks by clearing the logs. In the traditional model where the devices are separated, each network appliance contains its own independent logs and each layer of defense is progressively harder to break through. Under a unified appliance a hacker can clear all of these logs in one fell swoop.
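The following Python model is added here to make the single-point-of-failure argument concrete; it is not from the post's author or from the Gartner report. It compares the probability of losing every security function at once for five separate appliances, one converged appliance, and a redundant pair of converged appliances, and also shows the availability of an in-line chain of separate boxes. The 0.999 per-device availability, the independence of failures and the function names are assumptions made for the example.

```python
from math import prod


def series_availability(availabilities):
    """Service is up only if every element is up (traffic passes through each in line)."""
    return prod(availabilities)


def parallel_availability(availabilities):
    """Service is up if at least one redundant element is up."""
    return 1.0 - prod(1.0 - a for a in availabilities)


def total_outage_probability(availabilities):
    """Probability that all elements are down at the same moment (independent failures)."""
    return prod(1.0 - a for a in availabilities)


# Constructed figures for the comparison: five functions, each hosted on hardware with
# 0.999 availability, failing independently of one another. These are assumptions.
FUNCTIONS = ["router", "firewall", "ids_ips", "vpn", "gateway"]
DEVICE_AVAILABILITY = 0.999


def compare_topologies(a=DEVICE_AVAILABILITY, n=len(FUNCTIONS)):
    """Probability of losing every security function at once under three layouts."""
    separate = [a] * n
    return {
        # five boxes: everything is lost only if all five fail together
        "separate_all_down": total_outage_probability(separate),
        # but in-line boxes form a chain; any one failure still interrupts the path
        "separate_chain_up": series_availability(separate),
        # one converged box: a single failure takes every function down
        "converged_all_down": 1.0 - a,
        # two converged boxes in parallel: redundancy restores availability
        "converged_pair_all_down": 1.0 - parallel_availability([a, a]),
    }


if __name__ == "__main__":
    for name, value in compare_topologies().items():
        print(f"{name:26s} {value:.3e}")
```

With these figures the converged box loses everything with probability 0.001, a redundant pair with probability one in a million, and five separate boxes with a vanishingly small probability. The caveat the chain figure shows is that separation by itself does not raise the availability of the traffic path: five in-line boxes at 0.999 give about 0.995 for the path as a whole, so separation limits the blast radius of a failure, while parallel redundancy is what actually buys uptime.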

Implications for Business
As usual, I’ve got to give my disclaimer: I’m not trying to say that these devices shouldn’t be purchased, but one should take into account their strengths as well as their vulnerabilities before doing so. These devices were built to target the SMB, which is generally low risk and low budget, so they don’t need a multi-tier network. Nevertheless, just because you are small doesn’t mean you are low risk (e.g. local patient clinics), and security begins with a critical assessment of your information.


Despite all this, businesses are always being pressured internally to cut costs, and, on the surface, these devices seem ideal. Since security is a cost center in most organizations, that pressure is compounded by those who don’t understand security’s true value and the risks their actions entail. For this reason it is important for you not to fall into a similar trap, and to appropriately identify the needs of your organization now and in the near future.

The Gartner article that I mention above doesn’t have a direct link since it’s a subscription service, so here is the citation:

Young, Greg. “Magic Quadrant for Enterprise Firewalls, 1H06.” Gartner Group. ID Number: G00141050. 5 June 2006. Accessed 15 April 2007.

1 comment:

Pedro Villanueva said...

Why would SMB want a monolithic device that poses so many risks? It's a trend, not only that, but as you mentioned it's becoming increasingly cost effective to offer not only these types of services, but also these types of products. How at risk is a small or medium sized business? If their concern is significant, why not resort to other alternatives...perhaps alternatives that are more costly? What type of protection services are they being offered now? I think that the vulnerabilities of these systems may have to do with the fact that this is an underserved sector, however strange that sounds. But perhaps this is only in the meantime. If digital convergence is really at play it will be SMB that will benefit. However, I believe that this sector has its own unique dynamics. Why? Well because it may be that these types of small business solutions are only a side project for vendors, precisely because of the Moore's law effect taking place.