Brave new world

New technology is essential in equipping the IT manager to secure infrastructure effectively but, conversely, developments in technology are creating new vulnerabilities that demand attention in the enterprise.

By Simon Duddy. Published August 29, 2004.

[Photo: Avaya's Van De Velde says the vendor deploys a multi-layered IP telephony security solution featuring encryption and Dual Tone Multi Frequency (DTMF) to relay sensitive information.]

Research firm IDC claims that security has surpassed cost control as the concern that tops the list of challenges facing IT personnel. According to IDC’s latest enterprise technology trends survey, conducted between April and May 2004, over 75% of IT and business executives rate security as an extremely or very significant concern for their organisations.

“Our latest survey findings indicate that IT spending on security and business continuity has increased at a rate of 59% in organisations in the last 12 months,” says Lucie Draper, programme manager for IDC’s enterprise technology trends, vertical markets group. “We believe that despite the economic environment, and in some cases because of the geopolitical environment, the prospects for vendors of security technologies are good,” she adds.

But it isn’t all plain sailing for security vendors and the issue certainly isn’t simple for today’s network managers. They need to be able to think on their feet if they are to counter the manifold threats that could breach the enterprise. The pace of technological change is proving to be a double-edged sword. On one hand, it puts better tools at the disposal of security managers but on the other hand, it adds complexity to the network, which almost inevitably introduces new vulnerabilities into the business.

Technologies such as encryption and enhancements to authentication offer promising solutions to important threats and need to be understood if the enterprise is to survive. At the same time, emerging technologies such as radio frequency identification (RFID) and voice over internet protocol (VoIP) are placing new demands on the security infrastructure as they improve enterprise functionality.
One new initiative that could boost security in the network is the Trusted Platform Module (TPM), which has been drawn up by the Trusted Computing Group (TCG), which comprises virtually every major IT vendor, including Intel, AMD and Microsoft. TPM is a chip that the TCG intends to place on every PC, which will provide a unique digital signature to each machine. The TPM contains a random number generator, memory and RSA encryption and SHA1 hashing algorithms. The random number generator is used to create key pairs, with the public key exported and the private key stored within the chip. The TPM ensures that machines at each end of a link can be certain of each other’s identity. It will also let enterprise networks detect and isolate client machines containing viruses and other malware.

“The goal of the TCG is to improve trust in PC-based transactions by laying a foundation for better and more cost effective security,” says Ferhad Patel, strategic relations manager for Middle East & North Africa, Intel. “The existing TCG specification sets comprehensive standards for a hardened platform including hardware, BIOS, system software, operating system and the TPM. The TCG compliant platforms not only enhance platform security but also help to simplify and improve integration with other standards-based security solutions,” he adds.

The idea does pose problems, not least privacy concerns as the manufacturer of a PC could track the models that it sells. The technology could also be theoretically used to track PCs used by criminals. “If you sell your PC or it gets stolen, someone could do something criminal with the PC and it could get traced to you,” says Alain Kallas, chief security officer (CSO) for Front Defense.

A less controversial authentication technology, Sender Permitted From (SPF), has been deployed by AOL to combat spam, another key annoyance in the enterprise.
The technology is designed to more accurately trace the true origin of e-mails and therefore make it more difficult for spammers to use spoofing to crank out large volumes of mail. “SPF is one component which can assist in the complex job of determining whether an e-mail message is legitimate or not. It is not a single bullet solution to the spam problem, but is one of the many contributing factors that can assist a comprehensive anti-spam defence,” says Graham Cluley, senior technology consultant, Sophos.

The increasing use of server-based spam tools will no doubt have an effect on the amount of spam received by a company. “The server is the best place if the technology works. It’s more suitable for the enterprise to deal with the problem before it reaches the desktop,” says Justin Doo, managing director, Trend Micro Middle East and Africa.

Most antispam products fall down, however, when dealing with daily business terminology, for example a pharmaceutical distributor may consider viagra a legitimate word in an e-mail subject box. “To combat this you need a gateway appliance that addresses more than spam and looks at the security of any SMTP feed through it,” says Dean Bell, regional director, BorderWare. “Becoming more popular now is end user black and white listing, which is server based but with a component at the client so the user can create lists tailored to them within the corporate policy,” adds Bell.

For every clever technological breakthrough that makes it harder for the bad guys to penetrate the enterprise, there is a technological development that opens up possible new avenues. This includes new methods of communication such as VoIP, which is making steady inroads into the Middle East enterprise. “There are lots of issues regarding the security of the IP telephony system. You have to deal with hackers, viruses and hijacking,” says Thomas Van De Velde, convergence director at Avaya EMEA.
“One of the most serious issues is that you are mixing two worlds and there is the fear that a weakness in one can be used to penetrate the other,” he adds. One example of this is a hacker sitting in a car outside an enterprise with a softphone. He/she can crack into a Wi-Fi network and from there can use the company’s PBX to make international calls. Another danger is loss of information as interactive voice response (IVR) systems are connected to voice and to business applications. This means it could be possible to extract business data through infiltrating the IVR.

Avaya deploys a multi-layered IP telephony security solution featuring encryption between end points, such as terminals, gateways, IP phones and soft phones and Dual Tone Multi Frequency (DTMF) to relay sensitive information such as PIN numbers. “The third layer concerns making sure no one gets control of the server. You can help in this by using a dedicated interface for voice traffic. This way you can use VLAN through the gateway and not directly with the server,” explains Van De Velde.

Ever since US retail giant Walmart’s decision to push RFID to its suppliers, the technology has been taken seriously by the industry. RFID tags carry identifying data about the item they are attached to, which can be read by an RFID reader. It has been touted as a time and money saving solution, especially for retailers and distributors who need to process large amounts of stock quickly. But many fear that the technology could pose security problems. “This can be a problem if you have sensitive data on a tag,” says Tony Nasr, area manager, Gulf & Levant, Intermec Technologies Middle East. “In theory, anyone with an RFID reader can pick up the data on the tags,” he adds. RSA Security is rolling out a set of services to help organisations manage and secure their implementations of RFID technology. “Most RFID pilots have no security at all,” says Dan Bailey, RFID architect at RSA Laboratories.
“The system is fine if you trust the reader, but if not, you have problems.” However, the nature of the implementation is key and for most security will not be a prime concern. “An RFID tag on a container is just an identifier,” says Tom Scholtz, analyst at Meta Group. “It’s useless to everything except the back-end application that reads it. If this is secure then your system is secure,” he adds.

As the technology matures, security solutions will evolve to meet challenges as they arise. It is conceivable that encryption could be built into RFID tags to protect sensitive data. “Privacy is more of an issue in RFID. In the retail environment, tags could be hidden in products users buy and used to track them,” says Scholtz. “It is all in the implementation. If the customer can remove the tag it is not a problem,” he adds.

Not all new technologies pose security problems and a pleasing trend is that vendors are building robust security solutions into software at the development stage. A good example of this is the next generation internet protocol IPv6, which represents a steady evolution from IPv4 in this respect. One improvement is the traffic classifier, which allows incoming internet traffic to be identified and redirected based on security needs and other protocols. Another improvement is that the IPv6 header now includes extensions that allow users to authenticate the origin of an incoming packet, which goes a long way toward ensuring data integrity and privacy. “IPv6 requires the use of IP Security (IPSec) to encrypt traffic at the IP layer, offering a secure means to forward data end-to-end for all IPv6 based applications. Network infrastructure equipment such as routers can rely on IPSec for secure routing updates and it also offers security extension headers to facilitate the implementation of encryption and authentication,” says Yarob Sakhnini, regional technical manager Foundry.
That said, the enhanced security of IPv6 is not generally seen as a factor in companies’ decisions to upgrade. “We have not seen clients cite security as a driver to move to IPv6,” says Scholtz. “IPv4 with IPSec has the same level of security as IPv6 will have,” he adds.
