The fast (network) and the furious (rate of security attacks)

A Gartner analyst warns that companies are facing a dilemma in conducting thorough inspections while ensuring traffic can flow freely

Share this article:

network security 2014

Network security will adapt gradually to increased threats over the next few years. But the question of when vendors will provide your business with the most cost-effective solutions looms large.

In a recent webinar, Gartner’s Greg Young, the company’s lead analyst for network security, laid out some of his predictions for the next few years. Chief among them are bottlenecks resulting from a balancing act between network speed and security, the need to cope with volumetric DDoS attacks, the robustness of virtualized and software-defined networks, and the slow pace of convergence.

Can fast networks remain secure networks?

“Advanced threats have really changed the equation,”  said Young. “The bad guys have found some cracks in how we look at network security, particularly between latency and inspection.”

He says companies face the dilemma of having to conduct thorough security inspections while keeping network traffic flowing freely. Zero-day or multi-vector attacks can drive a wedge between these two goals, he said.

Next-generation firewalls, which include a combination of intrusion-prevention, application control and false-flag inspection, will see widespread adoption in the future, he added. “This is pretty much where the enterprise market is heading.”

However, Web anti-virus protection and e-mail security are unlikely to become part of these products, Young warned, at least for large enterprises. Convergence might be a good choice for small or mid-sized businesses, but the salient problem is that Web anti-virus protection is slowing things down over big network pipelines.

“It just doesn’t scale up, particularly  as more enterprises now are starting to look more at doing more SSL inspection…terminating and restarting SSL, because a lot of attacks can incorporate encrypted communication— thats putting additional load. So, we don’t see that anytime soon.”

“We’re looking for Moore’s Law to help us in this area,” he says, but new types of attacks are forcing companies to add more standalone appliances rather than converging their network security regimes.

SDNs and virtualized networks will remain fragile

There won’t be any strong security advances in this area due to conflicts between IT security departments and auditors. “We’re going to have to secure SDN. It will not be self-defending.” In other words, in the next few years, we’ll have to focus on keeping SDNs secure—not expect their inherent security to improve to a great extent.

Young points to the fact that less than 1.5 per cent of network security appliances are virtual today, according to Gartner’s research. With few exceptions, enterprises aren’t going all-virtual with network security today, and aren’t expected to do so in the near future. But some convergence will occur when network virtualization vendors begin to work more closely with their security counterparts and offer improved products, albeit at higher cost and with more risk attached.

DDoS mitigation moves to the cloud, IPv6 security awareness becomes more important

Because of the extent of the threat of volumteric DDoS attacks, companies will adopt more hybrid approaches in their DDoS defences. On-premise security is becoming very expensive and simply cannot cope with the the load, he said.

The same goes for IPv6 security. Companies will have to find a middle-ground strategy to secure both  IPv4 and IPv6 networks. Internal security mechanisms for IPv6 are lagging behind, especially in more conservative organizations. These companies will have to make their defences more “IPv6 aware,” Young says.

The bottom line: network security convergence isn’t coming soon

Expect to spend more money in the future on network security, and accept that “point solutions” will remain for the time being.  It will be up to vendors to offer businesses more converged security infrastructure over the long term. In the meantime, stick to the basics of defence in depth, and consider hybrid approaches where they’re most needed:  in DDoS mitigation and securing new IPv6 networks.

photo credit: perspec_photo88 via photopin cc

Start protecting your organization by downloading the Internet Security eBook, from Allstream. 

Share this article:
Comments are closed.