by William Van Winkle
 
 
GET A LOCK ON SECURITY
In 2003, the U.S. Air Force performed a year-long study of white and black hat (the “good” and “bad”) hackers and challenged them with altering a Web page, obtaining a secret 15-digit credit card number stored in an SQL database, and hacking the admin’s email account to obtain a secret code in one message. This was done on a fully patched Windows 2000 server sitting behind a properly configured SonicWALL firewall. One hacker (a white hat) completed all three tasks in 14 minutes.

Viruses. Trojan horses. Spyware. Adware. Hackers. Distributed denial of service (DDoS) attacks. Disgruntled employees. Inevitable human error. The list of security threats that every client of yours faces, whether they’re individual home users or Fortune 500 enterprises, grows every month. During the preparation of this issue, both the Production Manager and Technical Editor for RAM were hit with malware agents in their respective offices virulent and stealthy enough to knock their systems offline (save for extremely high outbound traffic) and disguise where on the network the problem was coming from. In both cases, these LAN clients were protected with recently updated antivirus software, soft firewalls, and firewalls built into their consumer-level routers.

According to Symantec’s September 2004 Internet Security Threat Report, the average time between the announcement of a vulnerability, meaning some security weakness on a commonly deployed platform, and the appearance of exploit code designed to capitalize on that vulnerability is now 5.8 days. But this is for vulnerabilities disclosed to the public. Vulnerabilities might be known and floating around hacker sites and chat groups for much longer. For a taste of this, check out packetstormsecurity.org.

The same report shows that, despite ongoing efforts from the government and private sector, security threats continue to mount exponentially. The number of bot-infected computers rose by 600% in the first half of 2004. During that period, Symantec documented an average of 48 new platform vulnerabilities per week. Of these, 64% were considered “high severity” and 70% “easy to exploit.” The report also shows that an increasing amount of attack traffic is originating outside the U.S.

“The interesting part about the rising wave of DDoS attacks, at least from a security professional’s standpoint, is that the reasoning behind those attacks has moved away from the kid trying to show off to stealing credit cards,” affirms Alex Thurber, director of security, worldwide channels for Cisco. “One of the newest reasons for these attacks is extortion. We’re seeing more and more criminal enterprises getting involved and threatening online Web sites with ‘pay me money or I’ll shut you down.’ In many cases, they’re successfully getting this money, because if they’re coming out of eastern Europe or some of the other hot spots in the world, the local police there are a lot more concerned about survival and not whether rich Americans can get to their Web sites.”

“In the hacker community,” adds Christine Pomeroy, director of channel marketing for WatchGuard Technologies, “people are getting paid now to take over systems for sending out those horrible spam emails about certain pharmaceutical products you might want to buy. They get paid for every message sent, but, of course, they’re not using their own systems. They’re stealing time on other people’s systems. Small businesses often think, ‘Who would want to attack me?’ The news only talks about some big entity being attacked by some big worm. Realistically, it hits plenty of small guys, because everyone is just an IP address.”

No matter what niche or demographic you sell into, security is all but mandatory. It is quite probably the lowest-hanging fruit in the entire computing industry, and one that mass merchants and retail are virtually unable to touch from a service standpoint. In this month’s cover story, industry insiders share their thoughts on why security hardware and services are some of the most profitable business you’re likely to find and how to get started in it.

The Security Hardware Opportunity

Here’s one perspective on the value of security. In 2003, the FBI and the Computer Security Institute published their Annual Computer Crime and Security Survey. The report stated that the average notebook PC sells for $1,500 to $2,500. The value of the data on that notebook is roughly $250,000. Wouldn’t most clients be willing to spend at least a few hundred dollars to protect such assets?

According to Jupiter Research, 84% of companies deploying wireless LANs have not experienced any security breaches. This number seems a bit suspect given that the National Cyber Security Alliance recently stated that the odds of any given person experiencing a computer security breach are 7 in 10. Moreover, Jupiter’s estimate would imply that all 84% of those companies were assiduously maintaining and auditing their network logs with qualified staff to look for signs of intrusion. (If a hacker slipped in and out of your network undetected, how would you answer that survey question?) And even if Jupiter’s number is accurate, that still means 16 out of every 100 companies out there are getting hacked over their wireless networks and need help.

For resellers who target small businesses, it’s hard to imagine a more effective demonstration of why security is necessary than doing an impromptu site survey and network penetration attempt in the parking lot using the Knoppix-STD tools discussed in our spotlight interview (see page 44), making sure you can get inside the network, then performing the same feat again while in your meeting with the purchasing manager. That done, take the manager out into his parking lot, show that you still have a strong network connection, then explain that most owners of wireless access points fail to turn down the power settings and place the device such that its reach stops near the building’s outer walls. With a wireless site survey and some device tweaking, you can remedy that problem. While you’re at it, you might also check the WPA settings, set up MAC filtering, and turn off the SSID broadcasting.

WPA is another facet of wireless security that resellers can turn into revenue. The deficiencies of WEP (Wired Equivalent Privacy) are notorious. Not only can WEP’s encryption be cracked by “sniffing” and cracking a couple of gigabytes of wireless data, but WEP also fails to provide for adequate key management. WEP keys are little better than passwords. Especially in businesses juggling dozens or hundreds of clients, changing a WEP key at the access point and then on every single client NIC is a more daunting task than most IT folk care to tackle. Swipe the password and you’re in like Flynn.

The newer 802.1X spec remedies this flaw by generating a new WEP key for every login session, but it still leaves WEP’s fundamental encryption problems in place. WPA (Wi-Fi Protected Access) improves on this still further by adopting TKIP encryption, which is based on the same RC4 algorithm as WEP but takes several steps forward in key selection and changing. WPA is also all but hack-proof against packet stream substitution or modification.

The holy grail of wireless security is 802.11i, which essentially does everything right, all the way to basing its encryption on AES. However, while the 802.11i standard was finalized last June, its deployment is still a work in progress. In the interim, you’re starting to see vendors release security products with, or firmware upgrades to, “WPA2,” which is essentially WPA with support for AES.

The opportunity for resellers is to get client wireless security up to modern spec. In reality, most SMBs running WPA on a properly configured access point backed by effective security policies are secure enough. The objective is to make sure people have their APs properly configured and are not running WEP. Some vendors, such as D-Link, make upgrading from WEP to WPA as simple as downloading a free firmware update. Others require the purchase of an entirely new AP. Either way, you have the chance to step in with on-site service and possible hardware upgrades. This is security selling at its most basic, with only a minimal level of knowledge required. If you’re completely new to security, this is a solid place to begin and one that is very much in demand by SOHO and SMB markets.
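The AP hardening steps above, written out as hostapd configuration; this is an added example, not configuration from the article or from D-Link or Cisco, and it assumes a Linux AP running hostapd as a stand-in for the vendor's own web setup pages. The weak WEP file is shown beside the WPA2/AES replacement; the SSID, passphrase and file paths are constructed placeholders.

```ini
# ---- weak.conf: the configuration the article says to retire ----
# A single static WEP key shared by every client. Anyone who copies the
# key has full access, and rotating it means touching every client NIC.
interface=wlan0
driver=nl80211
ssid=SMB-Office          # constructed placeholder
hw_mode=g
channel=6
auth_algs=1
wep_default_key=0
wep_key0=0123456789      # 40-bit static key, placeholder value

# ---- hardened.conf: WPA2 with AES (CCMP), as the article recommends ----
interface=wlan0
driver=nl80211
ssid=SMB-Office          # constructed placeholder
hw_mode=g
channel=6
auth_algs=1
wpa=2                    # WPA2/RSN only, no WPA1 or WEP fallback
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP        # AES; omitting TKIP keeps the RC4 lineage out
wpa_passphrase=ReplaceWithALongRandomPassphrase   # placeholder
# The two extra settings the article lists. Neither is cryptographic
# protection; treat them as housekeeping on top of WPA2, not instead of it.
ignore_broadcast_ssid=1                     # do not advertise the SSID
macaddr_acl=1                               # only MACs in the accept file join
accept_mac_file=/etc/hostapd/hostapd.accept # placeholder path, one MAC per line
```

Transmit power is set outside hostapd (for example with `iw dev wlan0 set txpower`), so the site-survey step in the article is a separate adjustment.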

Another advantage to selling security is that, unlike most hardware sales, the soundest approach is to layer your solution, almost in a redundant fashion. You don’t just sell a firewall on the desktop, you also sell one at the network gateway, and, if your client is large enough or his business valuable enough, you sell two firewalls so the first one can fail over to the second in the event of a DDoS attack.

Defense in depth is always better than a single point of protection. Having a desktop firewall on every client does nothing to stop a targeted DoS attack, and it does nothing to safeguard servers, switches, routers, and everything else above the client level. Running Norton or McAfee to scan mail at the client is good. Adding an additional appliance to guard the mail server is better. Extra care and layering also need to be employed for businesses using VPNs (virtual private networks), especially if that VPN is on a pass-through straight to the server and not decrypted at the firewall. With a VPN, a remote worker can take his laptop home, get infected from his home network, VPN in where he has direct access to the Exchange server and all the corporate files, and bring the entire LAN to its knees in only minutes.

“Another great opportunity in the SMB market is managed security services,” says Cisco’s Alex Thurber, referencing companies such as VeriSign and others that offer 24x7 security monitoring and management. “Not providing them yourself, because that could take a multi-million dollar investment, but partnering with some of the managed security companies out there who are looking for local feet on the street and have agent programs. They can help you sell the service and then get a recurring revenue stream from it. The reality is that the Fortune 500 companies probably have the resources on-site to keep up with these needs, but that may not be the case with a smaller business.”

After being presented with all this, many customers may start to feel they’re being oversold. The simple way to answer that concern is to ask: What are we protecting? Say Company X is out to protect its list of distributors, clients, and unique processes. What is the value of those assets? Well, the customer says, we make $40 million a year in revenues. Perhaps, but that’s not the real risk. Losing a customer list could conceivably reduce revenue to zero, but the legal liability of releasing customer data, including credit cards, can dwarf revenue losses. Is blocking this risk worth $20,000 of hardware? Selling security is a lot easier than selling gigahertz.

The range of high-margin opportunities in security is bounded only by your clientele and expertise. The trick is to find the right vendors and mine the resources they have to offer you.

Partners and Products

Cisco PIX 506E

A cursory glance across Cisco’s massive product line and its excellent channel programs reveals why the company is the global leader in networking hardware. With Cisco’s recent acquisition of Linksys, its offerings now span from the fastest optical backbone switches in the world to sub-$50 home routers. However, even Cisco admits that its Linksys line may not be a good fit for resellers aiming at the security market.

“When it comes to reselling products, you need to get out of the low-end and move up,” says Cisco’s Alex Thurber. “Quite honestly, you need to move up out of the Linksys range, too. We’re improving the security of Linksys, but Linksys is never going to be aimed at the SMB market. It’s aimed at the home and SOHO, and it works very well there. But if you’re an SMB trying to minimize your staff and keep expenses down, you need to have something easily managed by a single IT person who may even be part-time.”

The PIX 506E ($989) was designed in this vein for branch and remote offices. The desktop firewall features two 10/100 Ethernet ports, up to 25,000 concurrent connections (25 simultaneous VPN sessions max), and can perform 256-bit AES encryption in hardware at up to 25 Mbps throughput. The box maintains a catalog of over 55 attack signatures, 100 applications and protocols (plus additional admin-defined applications), and two dozen specialized inspection engines. This provides for very granular access control of security policies. As you would expect, Cisco’s remote management features and auto-updating are second to none, allowing managers at the main office direct control over branch security.

The code base residing in the 506E is the exact same code sitting in the flagship PIX 535 ($35,000). The difference is in the scaling. The 535 offers nine GbE interfaces, up to half a million concurrent connections, and 440 Mbps of hardware-based 256-bit AES encryption. Your small business clients may be gratified to know that they’re honestly buying enterprise-class security for under $1,000.

Another advantage of adopting the Cisco platform is that its various devices are able to interoperate.

“You may have a Cisco router on a small network, and behind that router is a PIX firewall,” explains Thurber. “The PIX can detect a problem and then communicate to the router and try and shut down the problem higher up in that network path, because the farther away you block the trouble, the better you are. Low-end devices are never going to get involved in that kind of communication.”

Cisco’s revamped channel program makes it surprisingly easy for new security resellers to get up and selling quickly. The company maintains over 300 account managers around the country who can guide you through the process of training and understanding security as a channel business as well as a set of technologies. Additionally, Cisco offers impressively flexible financing options for smaller resellers, deal registration to make sure your bids don’t get swiped by larger competitors, referrals, the usual bevy of sales tools, and complimentary learning credits. Since Cisco has a keen interest in educating the end-user almost as much as the reseller, the company provides these training credits to the reseller to either pass on as a value-add or charge for as seems appropriate.

Akin to Microsoft’s revamped channel program, Cisco has changed tactics to reward its partners more on the basis of knowledge than sales volume. The networking titan designed a series of “specializations” based around different technologies, one of which is security. Becoming certified in a specialization requires a formidable amount of study, partnership with Cisco in the field, and staff commitment.

“We have specializations in security, IP telephony, storage, optical, and lots of other technologies,” says Thurber. “To become Cisco security specialized, you have to have a salesperson go through security sales essentials and understand what the value proposition is of our security and how to sell it. You have to have an engineer go through our pre-sales training to become a Cisco-certified security SE, or pre-sales engineer, so you can get in and help the sales rep explain the product from a technical perspective as well as help do the design, make sure the code is correct, the RFP responses are accurate, etc. Then we require an FE, or field engineer, which is a second engineer who’s gone through additional training, so they can go out and do post-sales deployment. So this specialization lets a customer know that you can sell it, design it, and install it.”

Knowing that not all small resellers can afford to dedicate three people to a vendor-specific security program, Cisco created the Security Express specialization. This only requires two people to be trained. You get a few fewer perks, but you’re still in the incentive program, receive partner discounts, and are on Cisco’s partner locator for lead generation.

D-Link DFL-1100

D-Link’s flagship DFL-1100 ($2,499) is a remarkably robust yet friendly firewall suitable for standalone use in SMBs or clustering in an enterprise. Enabled with four 10/100 ports (LAN, WAN, DMZ, and High Availability Sync or ETH4) and the ability to handle up to 1,000 simultaneous VPN tunnels with AES and automated key management, the DFL-1100 can manage bandwidth and perform content filtering, including the blocking of content such as ActiveX, JavaScript, and cookies. The firewall comes with numerous intrusion signatures enabled out of the box, but D-Link provides for an easy signature database upgrade function on the same page as its firmware update function, and anyone who sells D-Link knows that the company is assiduous about improving its hardware with a steady stream of updates.

The surprising part about the DFL-1100 is that its setup doesn’t feel much more complicated than one of D-Link’s consumer products. The Web-based, remotely controllable setup area features the same tabbed interface as D-Link’s routers and access points, and the setup wizard also runs you through basic installation in just a few minutes. Firewall configurations can be backed up, and this also means that config files can be saved and loaded onto new DFL-1100s elsewhere in the business to help save time.

The DFL-1100 can send log data to one or two Syslog servers. Email alerts for detected intrusion events can go out to up to three addresses, and D-Link provides five levels of alert sensitivity. This feature should prove to be a strong selling point with clients looking to have 24x7 management for their network. Even if the client outsources management to a security service, the alerts offer the buyer a way to stay in the loop when trouble pops up.

The DFL-1100 makes custom policy creation, port mapping, and VPN tunneling a snap. One cool feature is the firewall’s “Activate Changes” button in the System tab. Just like when modifying display settings on the desktop, if the admin doesn’t log back into the firewall within a selectable time after hitting this button, the firewall will figure that you’ve accidentally locked yourself out and revert to its prior settings. This could prove to be a very handy feature for admins or installers still learning the ropes.

D-Link may not (yet) have the comprehensive partner program offerings of a Cisco, but the company remains committed to building up its channel efforts and giving resellers the tools they need to compete in security and networking.

“Starting in January,” says Rob Robinson, director of D-Link’s business channel sales, “you will see D-Link roll out service programs available on our high-end APs as well as our business-class switching, IP cameras, firewalls—a whole suite of service opportunities available only through the channel. It’s part of the VAR program we rolled out in early Q4 designed to embrace VARs doing business-class products. Essentially, it offers people a front-end discount at distribution and a back-end discount for hitting a sales bar. VARs in 3Com and other competing programs can be grandfathered into the program at the highest level. But part of this program is to institute the service packages nationwide.”

Small resellers may also be relieved to find that D-Link is considerably more liberal about its partner training requirements. Robinson notes that while the company is careful about which partners are allowed into its program and makes sure that the reseller has expert staff with some general or vendor-specific security training, “I don’t think it’s D-Link’s place to tell them exactly how much training that should be.” So if you’re in the early stages of your security efforts, you may find D-Link a more accommodating and immediately lucrative vendor for higher-end SMB security sales.
Copyright © 2007 RAM Magazine. All rights reserved.
Do not duplicate or redistribute in any form.