Symantec Gateway Security 320
“Either this year or next, appliances will overtake software in terms of percentage of market share,” says Greg Gotta, vice president of engineering at Symantec. “When you look at the issues customers have from the small office to the medium enterprise, the cost of procuring system hardware, potentially procuring an operating system, installing and maintaining software—the investment just around that is absolutely huge. We’re driving for leadership in this newly defined UTM category, which is the combination of firewall, VPN, antivirus, and intrusion detection. You get all that running on one device in which you get a timely, consistent level of content provided to it. We can do that today with our 300 series at a sub-$500 price point with full wireless capabilities that provides dual LAN port fail-over.”
The Gateway Security 320 ($475 direct with bundled 802.11b/g add-in card) sports a street price as low as $235 after rebates. The appliance lacks the load balancing, bandwidth aggregation, and central management features found higher up in Symantec’s firewall ladder, but it does allow for remote management from a specified IP address range and comes set to block all inbound traffic by default. This is typical of Symantec, which tends to block first and ask questions later—a smart thing in this context.
The 320’s list of benefits is surprisingly long for such an inexpensive device. The unit can fail over to a serial modem (models 360 and up can fail over to another WAN port), supports custom rules for inbound and outbound application traffic, and offers content filtering, intrusion detection, LiveUpdate support (which includes firmware updates), and hardware-based VPN encryption. Just be sure to match the firewall’s rated capacity to the client’s needs. The 320 supports 50 concurrent VPN sessions (10,000 concurrent connections total) and has a stateful throughput of 55 Mbps. Symantec has not published VPN throughput figures for AES, but the 320 handles only up to 10 Mbps under 3DES; since 3DES is generally more expensive to compute than AES, AES throughput should be no worse, though confirm the figure with Symantec before sizing a deployment around it. For SOHO operations, 10 Mbps of VPN throughput should still be plenty of overhead.
“The 320 also has AV policy enforcement,” says Gotta, “so for anybody on the LAN with network traffic, we will check to see if your Symantec antivirus is turned on and your virus definitions are current, as well as for any outbound traffic. We actually create a relationship with the firewall box to make sure that the endpoints behind it are doing the right things.”
Of course, in addition to helping enforce a responsible security policy, that might also help sell more copies of Norton Antivirus.
WatchGuard Firebox X15 Edge
WatchGuard may be small compared to its rivals discussed here, but the company has been specializing in SMB firewalls with its Firebox series for a very long time, and this has yielded a mature channel support and education system that helps to make WatchGuard one of the more attractive value-add vendors.
Take the Firebox X15 Edge ($499). This is an excellent, fully configurable firewall ready to drop into any small office. Its feature set is much like that of Symantec’s 320; the differences (besides the X15’s lack of wireless, for which there is the X15w, and its omission of AES support) come down to WatchGuard’s extensibility. The X5/15/50 line offers 35 Mbps of VPN throughput and up to 8,000 concurrent sessions. The beauty of the product is that while out of the box it supports only 30 users, 95 Mbps stateful packet throughput, and a maximum of 25 mobile user VPNs, the buyer can later upgrade the feature set to that of the higher-priced X50 and get 110 Mbps stateful packet throughput, unlimited users, and up to 50 mobile user VPNs. Alternatively, you and the client may decide that starting with the X5 ($350) and its more modest support range makes the most sense.
“Nothing burns out an end-user like saying, ‘I gotta buy what now? How much will it cost? How long will my network be down?’” says Christine Pomeroy, director of channel marketing for WatchGuard. “So we put in a hardware architecture that allows for a lot of these new security applications to be easily added without the box even being touched. You just add a license key to activate new services on the box. It does your firewall, antivirus, Web blocking, cleaning out spam. The VAR can sell these services to the end-user, make good margin on it, and they’re not taking down the network for days on end to install new hardware. That same box also grows with the user. That way the client doesn’t have to overbuy. They just spend today’s dollars on today’s needs.”
WatchGuard then excels at letting the reseller step in with plenty of high-margin value-adds. Need more VPN licenses? Content filtering? A 12-pack of vulnerability assessments? WatchGuard has SKUs for all of these as well as desktop antivirus licenses (McAfee VirusScan ASaP) and annual subscriptions to WatchGuard’s LiveSecurity service, which covers everything from software updates to timely security bulletins. The recurring revenue opportunity with WatchGuard in the small business space is one of the best in the business.
One more advantage in WatchGuard’s corner is its superior monitoring and reporting interfaces. Rather than simply spitting out a stream of log lines, the Firebox System Manager software provides at-a-glance graphs on elements such as traffic, bandwidth, which users are connecting to which outside domains (in both directions), and the amount of data exchanged with visited domains. All of this adds up to some great tools that salespeople can offer as competitive benefits or technicians can monitor under a management contract.
NVIDIA nForce4 Firewall & Board-Level Security
If you’ve followed the nForce chipset platform, you know that the product integrates firewall protection at the motherboard level. NVIDIA’s latest version of this for the nForce4 is called the Active Armor Secure Network Engine.
Active Armor allows the client to do nearly all of its firewall processing in hardware without assistance from an outside appliance. Software firewalls from the likes of Symantec, McAfee, and Computer Associates use CPU cycles for all firewall packet processing, and, especially when running at 100 Mbps or gigabit speeds, the processor can become saturated.
“When a packet comes in, you have to decide whether to allow or deny it,” says NVIDIA’s Peter Rizk, technical marketing engineer for networking and security. “That portion of the processing is very limited. You can do that stuff in software. But once a connection has been established and data is being transferred, then we take over in hardware. Doing this, we’ve seen performance enhancement by up to 75 percent. You can go from 80% utilization to about 10 or 15 percent. You’ll see the main advantage when doing high-speed traffic. This is great for LAN parties when people bring in their 100 Mbps or gigabit switches. A lot of people do that. At gigabit speeds, you really need this, because with a software firewall, you can’t keep up with the traffic. So many people will turn off the firewall when gaming because it degrades their performance. Our solution does hardware firewall all the way up to gigabit speeds. Conventional approaches to do this literally cost several thousand dollars.”
NVIDIA’s Active Armor is essentially plug and play. All the dealer has to do is load the driver. From that point on, Active Armor is bound to the Ethernet driver, so the firewall is active as soon as the adapter comes up and obtains an IP address. In contrast, most software firewalls do not start until Windows has loaded and then launches the firewall service, leaving perhaps 25 seconds between the moment the system is connected and the moment it is protected. For a savvy hacker scanning the network, 25 seconds is plenty of time.
Also, hackers have shown that they can disable a software firewall and then reach the machine over the network, because the firewall and the network driver are separate pieces of software: stopping one leaves the other running. Because of NVIDIA’s unified approach, if a hacker tries to disable the firewall, he also disables the network connection.
Active Armor is available on the nForce4 Ultra and SLI versions. The standard nForce4 uses the same “hardware optimized” firewall approach found on the nForce3, which leans much more heavily on software processing. NVIDIA’s ForceWare interface is impressively robust and gives users or resellers plenty of options for fine-tuning the firewall. Just keep in mind that installing a third-party software firewall alongside it effectively disables NVIDIA’s implementation, although NVIDIA anticipates third-party compatibility in the future.
Unlike some router firewalls, Active Armor controls both inbound and outbound traffic. It also provides client-to-client protection that consumer routers don’t accommodate so that malware doesn’t quickly spread throughout a LAN.
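To make the split Rizk describes concrete, here is an added example (my own code, not NVIDIA’s, Symantec’s, or WatchGuard’s) of a toy stateful packet filter in Python: the first packet of a flow goes through the rule set (the slow path), and every later packet of an established flow is matched against a flow table (the fast path that Active Armor moves into silicon). The rule set encodes the gateway policy the appliance sections above describe: inbound denied by default, remote management accepted only from an assumed administrator range, and outbound traffic restricted to a short list of ports, which is the egress filtering a reseller adds after the initial install. The addresses, ports and packet stream are all constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the demonstration (RFC 5737 documentation ranges).
LAN_NET = ip_network("192.168.1.0/24")      # hosts behind the gateway
GW_WAN = ip_address("198.51.100.1")         # gateway's public address
MGMT_NET = ip_network("203.0.113.0/28")     # only range allowed to manage it
MGMT_PORT = 443                             # assumed remote-admin port
EGRESS_PORTS = {53, 80, 443}                # outbound services permitted


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


class StatefulFilter:
    def __init__(self):
        self.flows = set()   # 5-tuples of established flows (the fast path)
        self.slow_path = 0   # packets that needed a rule-set lookup
        self.fast_path = 0   # packets matched from the flow table

    @staticmethod
    def _policy(p: Packet) -> bool:
        """Slow path: evaluate the rule set for a new connection."""
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in LAN_NET:                       # outbound from the LAN
            return p.dport in EGRESS_PORTS       # egress filtering
        if dst == GW_WAN and p.dport == MGMT_PORT:
            return src in MGMT_NET               # remote management only from here
        return False                             # everything else inbound: deny

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        key = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or reply in self.flows:
            self.fast_path += 1                  # known flow, either direction
            return True
        self.slow_path += 1
        if not p.syn:
            return False    # mid-stream packet with no state entry: drop
        allowed = self._policy(p)
        if allowed:
            self.flows.add(key)                  # remember the connection
        return allowed


def run_demo():
    """Constructed packet stream; returns the filter and its decisions."""
    f = StatefulFilter()
    stream = [
        Packet("192.168.1.10", 50000, "192.0.2.10", 443, syn=True),     # LAN -> HTTPS
        Packet("192.0.2.10", 443, "192.168.1.10", 50000),               # server reply
        Packet("192.168.1.10", 50000, "192.0.2.10", 443),               # same flow, more data
        Packet("192.168.1.10", 50001, "192.0.2.25", 25, syn=True),      # LAN -> SMTP (egress blocks it)
        Packet("198.51.100.77", 40000, "198.51.100.1", 443, syn=True),  # admin port, wrong source
        Packet("203.0.113.5", 40000, "198.51.100.1", 443, syn=True),    # admin port, allowed source
        Packet("198.51.100.77", 40001, "192.168.1.10", 445),            # stateless ACK probe
        Packet("198.51.100.77", 40002, "192.168.1.10", 445, syn=True),  # unsolicited inbound
    ]
    decisions = [f.process(p) for p in stream]
    return f, decisions


if __name__ == "__main__":
    f, decisions = run_demo()
    print(decisions)
    print(f"slow path: {f.slow_path}, fast path: {f.fast_path}")
```

A real engine tracks TCP state (SYN, SYN/ACK, ACK, FIN, timeouts) rather than a bare set of 5-tuples, and a hardware flow table has a finite number of entries, which is why vendors quote a maximum concurrent connection count. The two counters show the point of the design: only the first packet of each connection pays for a rule-set lookup; everything after that is a table hit.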
NVIDIA’s solution is also significant because it highlights some of the advantages that can come from building security into a system’s foundational hardware. NVIDIA is not the first to pursue this approach, though. In 1999, AMD, HP, IBM, Intel, and Microsoft came together to form the Trusted Computing Platform Alliance, which grew and then regrouped in 2003 to form the Trusted Computing Group.
“The [TCG] design calls for several fundamental changes to the PC to make it more secure,” says Clain Anderson, program director for client security at IBM. “Among those are a more secure boot process so you can actually tell if the machine boots the same way each time. Also, there’s an embedded security processor, a cryptographic chip on the motherboard. This is for PCs, of course, but the spec applies to other devices, as well.”
Like a smart card, a TCG chip (the Trusted Platform Module, or TPM) carries its own cryptographic processor and memory. Cryptographic operations run inside that protected space rather than in main memory, and the keys it holds are stored on the chip and cannot be read out by any outside source, so the chip can sign or decrypt with a key without the key ever being exposed to system memory. The TCG is working to secure devices ranging from PCs to mobile phones.
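Anderson’s “tell if the machine boots the same way each time” is done with the chip’s platform configuration registers. Here is an added example in Python (not IBM’s or the TCG’s code) of the measure-and-extend step: each boot stage is hashed and folded into a register as PCR_new = SHA-1(PCR_old || SHA-1(stage)), so the final register value is a fingerprint of the whole boot sequence that can be compared with a recorded known-good value. SHA-1 and 20-byte registers follow the TPM 1.2 design; the stage images are constructed stand-ins.

```python
import hashlib

PCR_LEN = 20   # width of a TPM 1.2 PCR: one SHA-1 digest


def extend(pcr: bytes, stage: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || SHA1(stage)). One-way and order-sensitive."""
    digest = hashlib.sha1(stage).digest()
    return hashlib.sha1(pcr + digest).digest()


def measure_boot(stages) -> bytes:
    """Measured-boot chain: the PCR starts at zero at power-on, then each stage is extended in turn."""
    pcr = bytes(PCR_LEN)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


# Constructed stand-ins for the firmware, bootloader and kernel images.
GOOD_BOOT = [b"BIOS image v1.0", b"bootloader v2.1", b"kernel 2.6.10"]
KNOWN_GOOD = measure_boot(GOOD_BOOT)   # the reference value an owner would record


def attest(stages, expected: bytes = KNOWN_GOOD) -> bool:
    """True only if the boot sequence reproduces the recorded reference value."""
    return measure_boot(stages) == expected


def demo() -> dict:
    tampered = [b"BIOS image v1.0", b"bootloader v2.1 + rootkit", b"kernel 2.6.10"]
    reordered = [b"bootloader v2.1", b"BIOS image v1.0", b"kernel 2.6.10"]
    truncated = GOOD_BOOT[:2]                     # a stage that never reported in
    return {
        "same_boot": attest(GOOD_BOOT),
        "tampered": attest(tampered),
        "reordered": attest(reordered),
        "truncated": attest(truncated),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'matches' if ok else 'MISMATCH'}")
    print("PCR:", KNOWN_GOOD.hex())
```

Because extend is one-way, software that runs after a stage has been measured cannot rewrite the register to hide itself; it can only extend it further, which changes the value again. Comparing the register against the reference is what lets a verifier decide whether to release a key to the machine or let it onto the network.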
“The most common viruses you hear about are ones where someone gets an email and it causes their system to send email to a gazillion other people who catch the virus,” says Anderson. “This embedded security chip can prevent that from happening because you can structure it so that it requires individual authentication before any message is sent from your machine. If I set the system up so that it requires a fingerprint, for example, before it launches an email, then no viruses are going to be sending any messages.”
TCG technology is at the heart of Intel’s forthcoming LaGrande effort (see www.intel.com/technology/security), and is expected to arrive on desktop and mobile platforms in two to three years. The wave of security sales and upgrades LaGrande will usher in is massive. According to IBM’s Anderson, it only costs manufacturers $3 to $4 to adhere to TCG spec.
For those who don’t want to wait, TCG security is already built into the Core Managed Environment from Phoenix Technologies as well as the Padlock technology from VIA. We recently covered VIA’s EPIA MII motherboard in the Easy Upsell column. The board’s integrated C5P Nehemiah processor offers VIA’s Padlock Random Number Generator (a trustworthy RNG is essential for sound cryptography, since predictable keys undo any cipher) and the Padlock Advanced Cryptography Engine, which implements the U.S. government’s newly adopted AES encryption algorithm. As a point of reference, a 128-bit AES key has 2^72 times as many possible values as a 56-bit DES key, so if a supercomputer could crack the government’s previous standard, DES, in one second, it would take the same computer 149 trillion years to crack a 128-bit AES key by brute force, and AES also supports 192- and 256-bit keys.
Hardware-based encryption and decryption will prove increasingly important to next-generation security applications as organizations protect their valuable assets with strong cryptography, spanning everything from confidential customer records to the DRM used in entertainment media. AES in software is perfectly sound but costs CPU cycles, and at high line rates that cost is what limits a gateway; this is why good firewalls on fast networks rely on hardware VPN acceleration. VIA’s forthcoming C5J “Esther” core will similarly support RSA and the Secure Hash algorithms, both of which are very prevalent in today’s security scene.
Starting your Security Education
The liability involved in selling security and not being sufficiently trained to do proper installation and maintenance is overwhelming. You can only sell as far as your security competence allows, so if you’re starting out in security, you need to gather basic education ASAP.
“There used to be a time where if you just had Microsoft or Novell or Red Hat certification, you were golden,” says CompTIA network security program manager Kris Madura. “Now, in the last six months, study data is showing that you really need to start with foundation-level knowledge that spans across vendors and platforms. Most people will tell you that you need to have a combination of vendor-neutral knowledge and then combine that with whatever vendor-specific knowledge is necessary for your particular career. Vendor certification is a supplement to general education.”
Where to go for general ed? Honestly, one of the best resources around is the local community college. The closest community campus to this author offers classes such as Secure Cisco IOS Networks, Administering Windows 2003 Security, Basic Computer Security, and Security+. These last two are CompTIA certifications. Security+ in particular is about as close to a basic prerequisite as the computer security space has. The course runs two nights per week for three months and costs $990 after fees.
According to CompTIA, over 11,000 people have completed Security+ training, and the organization recommends that students have at least two years of network administration with security responsibilities. The exam is an entry-level exam in the security world, but that doesn’t mean it’s easy. The subject domains cover general security concepts (30%), communication security (20%), infrastructure security (20%), basics of cryptography (15%), and operational/organizational security (15%).
One of the focal points in any strong security education will be on corporate security policies and practices. Any security system is only as strong as its weakest link, and millions of dollars of security hardware can be thwarted in seconds by a careless employee. John Klein (see our interview on page 44) once made use of a social engineering persona he called “Phone Boy.” By donning a set of overalls, scribbling some notes on a clipboard (the names and titles of the key executives), and slapping on a leather utility belt with a utility worker’s “stinger” phone, Klein gained access to major corporations and went from cubicle to cubicle “testing” phones while collecting usernames and passwords left on Post-It notes in drawers. Social engineering exploits continue to work because surprisingly few companies enforce and reinforce security policies aimed against them.
“There’s tremendous business opportunity for the reseller market because in addition to selling security technology to the client, they can sell security best practices,” says CompTIA’s Madura. “They can go in with even moderately trained staff and say, ‘Here’s where we see some basic holes in your security systems, and here are some steps that either you can do or our technicians can do for you to save you money and fix these security problems.”
Most vendors feel that general training, such as Security+, along with their own in-house training, works in a complementary fashion. In other words, you’ll sell more security goods and services with general education plus vendor education than with vendor education alone.
With Security+ under your belt, move on to the SANS Institute’s baker’s dozen of GIAC certifications (www.giac.org) as well as the training and certifications available via the International Information Systems Security Certification Consortium (www.isc2.org). In particular, the latter’s CISSP (Certified Information Systems Security Professional) certification is very highly regarded in the industry.
One Reseller’s Security Success
Like many resellers, Wisconsin-based DCS Netlink started out as a very small white box builder. That was in 1991. In 1995, the company started getting involved in networking services and by 1998 was gathering a large number of networking clients even beyond the company’s immediate reach. In 2000, DCS added an ISP side to its business as it became a broadband wireless provider, and at that point security became a paramount concern. The company partnered up with WatchGuard Technologies and soon became a certified trainer for the security vendor. Today, roughly one-third of DCS’s revenue comes from security offerings.
“Even with a generic Windows setup, people don’t understand the huge holes sitting there, that the machine will tell everybody around it usernames and passwords and share information,” says Pete Adams, CIO/COO for DCS Netlink. “A lot of resellers we meet at trainings feel that security is all about antivirus or that a Linksys firewall is going to do the trick for an organization. But as soon as you open a hole through the firewall to allow access into the building, you need to step up to that next level of product, stuff like SonicWALL and WatchGuard. The main differences are the ability to monitor, to control traffic much better, reporting functionalities, packet inspection, proxy capabilities—all the types of things a home user wouldn’t need or couldn’t handle.”
After gathering some basic education and research into the security needs of your core customer base, Adams recommends starting small with one key offering. In DCS Netlink’s case, that offering was firewalls. The reseller worked with a lot of small- to mid-sized manufacturing firms, became intimately acquainted with WatchGuard firewalls and their configuration, and went on to saturate 50% to 75% of its regular customers with firewall appliances.
From there, DCS had to find room to grow, and the solution proved to be vertical markets. In particular, DCS gained a strong foothold in banking, an industry in which security is of unparalleled importance. DCS gained a competitive edge in this field by spending a significant amount of time researching the state and federal requirements imposed on banks, then figuring out how to coordinate these requirements with the functionality of their security offerings.
“There’s always less profit in hardware than there is in services,” says Adams. “So for a small VAR trying to delve into this arena, they should know that margins are going to come out of their installations and their consulting after the fact. That’s why it’s so important to understand security. As a reseller becomes more educated about the capabilities of the products they sell and understands how to secure an operating system and control traffic, they actually find that there’s all these other services that come in as a result of that.
“Say you’re just getting started with security and you find a firewall to sell to your customer. You sell one, install it, and it’s great. You got an hour of labor out of that. As you get more involved in Internet security, you’ll realize, ‘Well, I should really egress filter this firewall for the customer and control outbound traffic.’ That adds another hour of support. ‘I need to install a centrally managed antivirus system.’ There’s more time. It’s these other pieces that generate the profit.”
Be Safe
Getting up to speed on every element of computer security before you make a move is practically impossible; the environment simply changes too quickly. You’re going to have to find a critical piece, get into it, understand it, deploy it within your customer base, and then learn the pieces that fit around it.
Former top White House cyber security advisor Richard Clarke once drew the illustration of a CEO accessing his network from home over a VPN. In the near future, when refrigerators and other home electronics all feature wired or wireless connectivity, each device will have the potential to be compromised with a buffer overflow or similar vulnerability. These devices will be tied to our home network, which may not be secure. An intruder could hack any of these appliances then access the corporate network over the VPN. It gives “raiding the fridge” a whole new meaning.
A broad grounding in security will prepare you to meet such emerging challenges and be in the front line of defenders ready to help users guard against them. In RAM, we give a lot of suggestions on ways in which you can expand your business and profits. In this regard, security may be the best of any topic we’ve ever covered. It is without question the most needed.