Managed security offerings target threats where they are best defeated.

The Internet is a double-edged sword. On the one hand, it provides the enterprise with an unprecedented ability to reach new and existing customers, driving new revenue while decreasing costs; at the same time, it opens the enterprise network to a world of intrusion threats, viruses, spam and “zombie armies” that can disrupt business, decrease efficiency and drain resources. The complexity of these threats, when combined with the need to introduce and support new applications, conform to regulatory requirements, and cut costs, has driven IT staffs to look for external support in securing the enterprise network.

To meet this need, network security providers are stepping up their managed security services offerings. What differentiates this new breed of services is that they target security threats where they are best defeated: either at the enterprise premises, for certain types of intrusion prevention, or in the network, for resource-intensive threats such as e-mail-borne viruses.

Firewalls and intrusion-detection/prevention systems (IDS/IPS) are currently designed to work most effectively on the customer premises, customized to the enterprise’s specific requirements. Equipment manufacturers, however, are developing carrier-class network equipment that can provide “virtualized” security capabilities at bandwidth speeds that could enable more of this functionality to move into the network in the next few years.

E-mail-borne viruses and spam are an example of a threat that is best defeated in the network. Enterprise IT managers can choose to deploy appliances or software that address spam after it has reached the enterprise network. These premises-based solutions, however, have shortcomings, including unnecessary bandwidth consumption, capital requirements, IT resource consumption, and a “single-point” view rather than one that captures the “bigger picture.”

With network-based e-mail protection services, the network service provider filters the enterprise’s e-mail from “within the cloud.” E-mail is therefore free of spam and viruses before it ever reaches the enterprise premises, drastically decreasing the amount of bandwidth and CPU resources consumed. This type of solution also enables enterprises to retain control of their own e-mail server and their e-mail assets.

Since IT managers no longer have to deploy security appliances or software on the enterprise LAN to filter spam, a network-based solution reduces complexity, frees up IT resources and decreases capital costs. In addition, since network-based services do not require an upfront investment in capital equipment, the enterprise can take a “try before you buy” approach.

Finally, a network-based security solution can detect a new threat that is beginning to occur across several client accounts and take action to deter the attack, which is more difficult with the single-point approach of a LAN-based appliance. Faster response time plays an increasingly important role in network security, as hacker attack schemes become more complex and more distributed.

Distributed denial-of-service (DDoS) attacks are one of the biggest emerging threats to premises-based security solutions. A hacker preparing to launch a DDoS attack first distributes malware to hundreds or thousands of infiltrated computers that are set up to attack the victim in unison.

Hackers then threaten to send this zombie army against the target, typically a Web site, and overwhelm it with requests in such a way as to deny access to legitimate users. DDoS extortion attacks are expanding from targeting the shadowy realms of gambling and extreme political Web sites, and are beginning to threaten mainstream financial and other business sites as e-commerce grows in importance.

A premises-based DDoS mitigation solution will likely fall short under this type of attack because the enterprise’s Internet connectivity will typically be overwhelmed by the attack traffic, meaning that the denial of service is actually occurring before the traffic reaches the mitigation device. Only by moving the solution “upstream” into the service provider network, where the bandwidth exists to absorb the attack, can an effective response to DDoS attacks be realized. To this end, network service providers have begun to deploy network-based DDoS mitigation services to provide enterprises with the benefits of upstream protection against these attacks.

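The capacity argument above can be made concrete with a small model. The following Python is an added example, not part of the original article and not any provider's product: it treats each link as a pipe that drops offered load indiscriminately once it is saturated, and compares a mitigation device placed behind the enterprise access link with one placed upstream in a provider network whose capacity exceeds the attack. All numbers (a 1.544 Mbps T-1 access link, a 500 Mbps attack, a 10 Gbps provider backbone, and the scrubber's detection and false-positive rates) are constructed for illustration.

```python
"""Constructed capacity model: on-premises vs upstream DDoS mitigation.

Assumptions (not from the article): a congested link drops legitimate and
attack traffic in the same proportion, and a scrubbing device drops a fixed
fraction of attack traffic while mistakenly dropping a small fraction of
legitimate traffic. Rates are in Mbps.
"""


def deliver_through_link(legit_mbps, attack_mbps, capacity_mbps):
    """Push a traffic mix across a link of finite capacity.

    Below saturation everything gets through. Above it, the link cannot tell
    attack from legitimate packets, so both lose the same share. Returns the
    (legitimate, attack) rates that come out the far end.
    """
    offered = legit_mbps + attack_mbps
    if offered <= capacity_mbps:
        return legit_mbps, attack_mbps
    share = capacity_mbps / offered
    return legit_mbps * share, attack_mbps * share


def scrub(legit_mbps, attack_mbps, detection_rate, false_positive_rate):
    """Mitigation device: removes detection_rate of the attack traffic and,
    as collateral damage, false_positive_rate of the legitimate traffic."""
    return (legit_mbps * (1.0 - false_positive_rate),
            attack_mbps * (1.0 - detection_rate))


def premises_mitigation(legit, attack, access_link, det, fp):
    """Device sits on the enterprise LAN: traffic crosses the access link
    first, so the link saturates before the device ever sees the attack."""
    legit_in, attack_in = deliver_through_link(legit, attack, access_link)
    return scrub(legit_in, attack_in, det, fp)


def upstream_mitigation(legit, attack, provider_capacity, access_link, det, fp):
    """Device sits in the provider network: the backbone absorbs the attack,
    the scrubber removes it, and only the residue crosses the access link."""
    legit_in, attack_in = deliver_through_link(legit, attack, provider_capacity)
    legit_clean, attack_residue = scrub(legit_in, attack_in, det, fp)
    return deliver_through_link(legit_clean, attack_residue, access_link)


def legit_fraction_delivered(delivered_legit, offered_legit):
    """Share of the legitimate traffic that actually reached the enterprise."""
    return delivered_legit / offered_legit


if __name__ == "__main__":
    # Constructed scenario values.
    LEGIT = 1.0            # normal customer traffic, Mbps
    ATTACK = 500.0         # zombie-army flood, Mbps
    T1 = 1.544             # enterprise access link, Mbps
    BACKBONE = 10_000.0    # provider capacity available to absorb the flood
    DETECTION, FALSE_POS = 0.999, 0.01

    on_prem = premises_mitigation(LEGIT, ATTACK, T1, DETECTION, FALSE_POS)
    upstream = upstream_mitigation(LEGIT, ATTACK, BACKBONE, T1, DETECTION, FALSE_POS)
    for label, (legit_out, attack_out) in (("on-premises", on_prem),
                                           ("upstream", upstream)):
        print(f"{label:12s} legit delivered: "
              f"{legit_fraction_delivered(legit_out, LEGIT):6.1%}  "
              f"residual attack: {attack_out:.3f} Mbps")
```

Running the script shows the on-premises device receiving only what squeezes through the already saturated T-1, so well under one percent of legitimate traffic survives, whereas the upstream scrubber delivers essentially all of it. The model also exposes a caveat the article implies but does not spell out: if the scrubber's residual attack traffic is still larger than the access link (lower the detection rate to 0.99 and the 5 Mbps residue again saturates the T-1), upstream placement helps but does not fully restore service, so the provider's filtering accuracy matters as much as its bandwidth.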
As security threats evolve and the technology to thwart these threats matures, service providers are increasingly looking at bundling network-based security with Internet access services to provide “clean pipes” to customers. By providing an enterprise with connectivity that has built-in protection, the service provider removes the security burden from the IT manager. So, for example, an enterprise could procure a “spam-protected T-1” from the service provider, ensuring that its Internet connection is a “clean pipe” from a spam perspective. At the same time, both premises- and network-based security services can still be provided on an à la carte basis.

This clean-pipe approach can be extended beyond Internet connectivity to encompass enterprise WANs.

To that end, network service providers will increasingly offer security services that are built into private networking services, such as MPLS-based virtual private networks. By layering security services into these networks, service providers can provide a “utility-based” approach to security for both private and public networks, enabling the enterprise to take advantage of security capabilities on an as-needed basis.