Perspective: How to Plug Holes in Disjointed Security

Nick Urick, regional vice president of F5 Networks, discusses the strategies and technologies government should use to withstand today’s evolving cyberthreats.

by / January 13, 2012
Nick Urick, regional vice president of F5 Networks

Editor's Note: Nick Urick is the regional vice president of F5 Networks.

As hackers become more vigilant and cyberattacks more sophisticated and prevalent, the media has lost no opportunity to spotlight assaults against federal agencies, global corporations and various governments around the world. Whether politically or maliciously motivated, targeted attacks such as denial of service, cross-site scripting, and SQL injection, can — and have — resulted in serious government security breaches. At a minimum, these breaches disrupt operations. Even more devastating, they can threaten national security.

In response to a growing number of these data leaks, last fall President Obama issued an executive order calling for improved security of classified computer networks. The order, carrying the force of law, assigns responsibilities to various agency heads, steering committees and task forces to develop more stringent policies for mitigating threats and safeguarding classified information while still ensuring fast access to valid users. Ultimately these new policies will apply to all federal departments, agencies and their contractors.

The Weak Link: Disjointed Security

The potential devastation caused by data leaks underscores that access control is no less important than attack protection when developing a comprehensive security strategy. Yet traditionally, it has been difficult for organizations to implement broad security measures because the various layers and types of protection that are needed haven’t been available as a single solution. For example, protecting the network perimeter, the network itself, core applications, Web applications and data often entails deploying various types of firewall, anti-virus, and intrusion detection products that usually run on different platforms.

Authenticating users and enforcing access policies requires yet another solution, many of which lack the sophistication and visibility to identify who users are, where they’re going in the network, and what applications and data they’re using. As a result, it’s been tough (if not impossible) for organizations to restrict user access at a granular level.

Ironically a mismatched collection of nonintegrated security solutions that were originally intended to provide greater protection has left organizations with significant security gaps and vulnerabilities. In addition, these point solutions are difficult and complex to manage and maintain, so they come at a high cost.

Rethinking Yesterday’s Security Strategies

Government organizations can better position themselves to comply with new and more stringent security mandates by rethinking the “one-off” security approach of the past and moving toward an integrated and comprehensive security strategy for the future.

The first step in that evolution is to get the most value from existing solutions, combining them wherever possible. As an example, many government organizations rely on advanced application delivery controllers (ADCs) in their environments to intelligently manage and optimize network traffic. However, they often aren’t aware that those same ADCs can play a more central role in enabling a comprehensive security strategy.

Because of their strategic position in the infrastructure — typically sitting between the network firewall and the applications — advanced ADCs have the unique ability to see and analyze all traffic that passes through the network. That means potentially they can provide protection at every layer of the TCP/IP stack, not just the transport layer. As a result, a range of security solutions often can be layered on a single ADC device or platform, enabling organizations to get the most use out of their existing solutions and to eliminate their multiple, isolated security products. This ability to consolidate provides a huge opportunity to reduce cost and complexity, and improve efficiency.

What Matters Most?

What other capabilities should government agencies look for as they move toward implementing comprehensive security strategies?

• solutions that employ a full proxy architecture, enabling them to understand content and not just packets;

• centralized, unified access control solutions that provide the context and visibility needed to create one policy for all access methods, devices, user groups, or other criteria, or unique policies for each;

• advanced ADC solutions that can authenticate users with Common Access Card and Personal Identity Verification (PIV) cards, checking them against Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OSCP) responders;

• strong endpoint security to protect against virus or malware infections, accidental data loss and rogue device access;
• Web application firewall functionality that uses both positive and negative security models to identify, isolate, and block sophisticated attacks without impacting legitimate network traffic; and

• solutions that can run Domain Name System Security Extension (DNSSEC) at the global server load balancer level to protect the DNS infrastructure across multiple data centers and scale as the infrastructure grows.

Finally virtual desktop infrastructure (VDI) solutions deserve serious consideration as an alternative to PCs, especially by large government agencies that are struggling to manage and secure hundreds (if not thousands) of PCs. To avoid vendor lock-in, seek vendors that can support any VDI platform.

A VDI solution replaces PCs with thin client devices that have no local disk drives and no resident applications. Instead of providing individual PCs to users, the IT organization hosts virtual desktops on virtual machines in the data center and then streams those desktops across the network to users.

With a VDI solution, IT has complete control over the client devices themselves, the applications that run on them and the data that users generate. The absence of local storage on thin clients minimizes the opportunity for classified information to be copied, stolen or otherwise improperly disclosed. For IT, VDI solutions greatly simplify management because all client devices, applications and data are centrally managed in the data center.

Whatever solution an organization chooses, it should not have to sacrifice high performance, scalability and flexibility for improved security. “Next-generation” security solutions must perform at unprecedented speed, scale as needed, and support thousands of users easily and cost-effectively.

Nick Urick

Nick Urick is the regional vice president of F5 Networks