Looking for security's suite spot
(IDG) -- When IT invests in a product suite, whether it's a productivity suite like Microsoft Office or a network management tool like CA Unicenter TNG, the expectation is that the whole is greater than the sum of its parts. Tighter integration begets easier training, better information, greater versatility.

Shouldn't you expect the same from network security suites? After all, for years security administrators have been clamoring for tools that smoothly integrate point solutions. Unfortunately, even with mergers, acquisitions and partnerships, the suite spot of security isn't so sweet. What's emerged from customer demands and vendor response is a work-in-progress that doesn't make either group feel secure.

The fundamental problem is simple: confusion over what should be in a security suite combined with, as the boundaries of the enterprise stretch, a proliferation of security needs. In their traditional definitions, there are five categories of security. Within those five categories, you'll find anywhere from three to six kinds of tools, for a total of about two dozen tasks. Does a suite constitute multiple tools in one category, or does it constitute tools that cover multiple categories?

The security matrix

Before treading into quicksand, it's important to know the security categories breakdown.

Integrity: You need access controls, authorization and authentication for both users and devices, especially on the Web. Specialized tools, such as single sign-on software, fall into this category too.
Alerts: Whether you're monitoring a single host or an entire network, you need intrusion detection, scanning and logging capabilities.
Encryption: This encompasses anything relating to the transmission of e-mail and data files, not to mention public key infrastructure (PKI) certificates and virtual private network (VPN) protection.
Firewalls: As electronic commerce and Web access grow, so does the need for tools like packet filters and application proxies.
Content: Good old-fashioned virus protection for files that reside on desktops, servers and gateways.

Vendors trying to provide one-stop shopping in more than one of these categories include Axent Technologies Inc., Computer Associates International Inc., eCommerce Corp., FreeGate Corp., Internet Devices Inc., Internet Dynamics (USA) Corp., Lucent Technologies Inc., Network Associates Inc. and Radguard Inc. As is happening in many technology categories, smaller vendors with unique technologies are being subsumed by the larger players, with both sides promising -- but not always delivering -- future integration.

Of course even users don't agree on their expectations -- one person's suite is another person's point solution. Greg Anuzelli, manager of information security for Comcast Cellular Communications Inc. in King of Prussia, Pa., defines the Entrax Security Manager as a point solution, even though the Centrax Corp. tool covers risk assessment, intrusion detection, response and event logging.

On the other hand, Michael Meakim, information systems security officer for the County of San Bernardino in Southern California, defines a point solution as a tool that focuses on a single functionality within a security category. He cites Defender Security Server from Axent Technologies, which he's using to authenticate remote access users on his virtual private network (VPN), as an example. If nothing else, this makes comparative shopping difficult.

One corporate security officer who wished to remain anonymous says he looked at products from Computer Associates and Network Associates and laments, "Frankly, we found gaping holes in some of the pieces in their products." The officer stressed that he's a satisfied user of Network Associates' CyberCop security scanning software, but he found the company's intrusion detection products unusable. Despite the advantages of consolidated reporting available in suite products, he says, it doesn't make up for the lack of maturity of the individual products.

Whose fault is it?

Analysts echo user concerns that product suites spanning multiple security categories aren't the productivity tools they should be. Once a vendor goes beyond its core technical competency, whether that's intrusion detection, firewalls, authentication or antivirus software, the sum of the products becomes less than the whole.

"Customers can largely blame themselves and not the vendors for these problems," says Steve Hunt, director at Giga Information Group Inc. in Chicago. "Users have been clamoring for a one-stop shop for all their security needs because they had so much difficulty integrating all these disparate technologies."

Nonetheless, sources are still demanding the same kind of consolidated reporting and centralized management from security products as they have with network management frameworks from Computer Associates, Tivoli Systems Inc., Hewlett-Packard Co., Boole & Babbage Inc. and Candle Corp.

That centralization is crucial to San Bernardino County's Meakim. "My wide area network is spread over 24,000 square miles, so we need to administrate everything from our data center," he says. "I don't have the resources to deploy technicians to remote regions, especially if we're going to do security scans and security analysis against a set of servers of a particular LAN segment."

Meakim acknowledges that centralized management can be achieved only if you can get all your security tools from a single vendor. "They'll talk to each other because there's a certain sense of security logic that flows from one product to another," he says.

Analysts counter that, for the most part, vendor suites don't have that logic and level of integration yet. In fact some products within a single security class don't always have it. And it gets worse when you try to integrate products from different vendors.

Cambridge, Mass.-based Forrester Research Inc. recently reported that Axent's Raptor firewall "not only failed to respond to intrusions detected by Internet Security Systems' RealSecure, but it also can't do anything about intrusion detected by Axent's own Intruder Alert software." At the same time, the report praises Security Dynamics Technologies Inc.'s authentication capabilities and buries its intrusion detection products. Its conclusion: The security field is too broad and technology is changing too rapidly for one vendor to be best-of-breed across all product classes.

What's a CIO to do?

Given the problems concerning integration between products from a single vendor -- the relative strengths and weaknesses of single-class or multiclass products, the problems of interoperability between disparate product lines and the overwhelming administrative issues -- what can you do to protect your network? IT folks who have survived earlier integration battles are reaching into their bag of tricks for what's worked in other situations.

Insisting that some security is better than no security, Meakim is solving his security problem one step at a time. First, he's using an ISP for his remote access VPN because, he says, "this is what they do well and what they're in business for." Next year Meakim will test various security tools to find those that integrate best into his environment and do the most effective job.

He has concerns about how easy this will be, because while the county uses Microsoft Windows NT predominantly, it still has a daunting mix of systems running Unix, OS/2, NetWare, OS/400, OpenVMS and other operating systems for which few security choices exist.

This brings up a thorny administrative issue. Since security tools sometimes don't interoperate well with each other, much less with industry-standard network management tools, Meakim may have a long wait before he can achieve a single consolidated and centralized management infrastructure.

That doesn't concern Comcast's Anuzelli. "We feel that security information is a very tight subnet of information. I only want a few eyeballs looking at. Until solutions are robust enough that we can reap the benefits of interoperability between applications, I'm fully prepared to support two management domains and two separate staffs."

Between a lock and a hard place

How can something so important still be so difficult? Maintaining separate staffs or outsourcing something that you paradoxically want in as few hands as possible seem like partial solutions. And yet there's still a third option to consider.

Because some organizations are unable to hire personnel qualified to install, configure and manage multivendor security tools, they are turning to outsourcing firms that have those resources for the whole caboodle of security.

"Our network was so complex [we needed] a company that had the infrastructure to manage our security on a 24/7 basis," says Mark Gilbert, vice president of operations for SmartStop Inc., an 18-month-old communications provider to the trucking industry in Portland, Ore. It is currently outfitting 300 truck stops across the country with a combination of secure Internet and intranet service kiosks, LAN and WAN data connectivity, POS terminals and coin-operated phone services that drivers for long-distance trucking firms could access through smart-card technology.

It contracted with Lucent Technologies to help design, install and manage the network. "We made them totally accountable for integrating their own and third-party security tools."

Offloading the security challenge didn't faze Gilbert. "If the Department of Defense can't keep its network from being penetrated with the brain power it has and the government commitment behind it -- what chance do I have?" On the other hand, he does believe in the old adage "trust but verify," admitting that to be on the safe side, he hired a hacker to test just how well Lucent was doing.

Oakdale, N.Y.-based writer Peter Ruber can be reached at lbsb20a@prodigy.com.
© 2001 Cable News Network. All Rights Reserved.