Integrated Secure Communications System
The
ISCS (Integrated Secure Communications System) is designed to address
one of the most pressing yet understated needs in enterprise,
multi-partner collaborative, mobile, wireless or multi-client service
security - containing the cost of security management. Year after
year, we live with the fact that 70% of our data security breaches
are from within. We know the problem will only exacerbate as the
lower cost of connectivity brings more small and physically insecure
offices onto the corporate WAN and as hand held and embedded
computing devices become more common. We know that simple and easy
data sharing between business partners is very healthy for corporate
objectives but we cringe at the security implications. Why do we live
with these problems and do so little about them?
It is not for lack of tools. Plenty of products from firewalls to
VPN's to Intrusion Detection Systems to content filtering exist to
implement the security we need to meet these issues. The problem is
not the technology; it is the implementation of the technology --
specifically the complexity and cost of managing such granular
security. So what are we going to do about it?
ISCS reduces the cost of managing complex security by 90%.
That grandiose a statement should turn some heads. If we can
implement sophisticated security for less than 10% of its current
cost, we can afford to implement stringent inter-office security so
that a tiny branch office that accounts for 0.1% of revenue cannot be
the access point for a WAN based data attack against a hub office
that generates 45% of revenue. We can say, "Yes," to
business units when they want to increase data sharing with their
external business partners. We can safely create multi-client service
delivery infrastructures with shared facilities without sleepless
nights worrying if Client A can compromise Client B's data. We can
affordably and efficiently sandbox mobile, hand held and wireless
computing devices to minimize the impact of physical theft, identity
theft or security compromise. We can create a multi-layered internal
security model that effectively contains phishing, spam and trojan
exploits without undo financial and administrative burden.
The 90% security management cost reduction is not a projection; it
is based upon production data for existing installations of the
proprietary, conceptual forerunner of the open-source ISCS. To be
fair, the entire cost of administration is not security management.
There are still system upgrades, hardware failures, physical
installation, planning and troubleshooting. Those are not reduced 90%
but the cost of creating and implementing security policies is. This
product has not been designed by speculation. It is based upon real
world deployment.
The underlying concept of ISCS is to automate the creation of
security device specific rules. This frees the security administrator
from the need to know the details of each device and from manually
configuring the rules on each device. The reduced time needed to
implement security policies allows the more sophisticated security
required by contemporary environments to be cost-effectively
deployed. We can finally do something to reduce the 70% of data
compromises that are internal. We can finally easily facilitate
business partner connectivity. We can finally safely operate shared,
multi-client infrastructures. We can finally integrate hand held,
wireless and embedded computing devices into our business processes
without constant fear of a security catastrophe.
Traditional security products cannot scale to the number of rules
and, most importantly, the rate of change of the rules necessary to
cost effectively manage this sophisticated security. If the security
environment cannot be easily managed, it will not be secure no matter
how good the underlying technology is. Manually created, order
dependent access rules, complex security associations and other forms
of manual security subsystem administration are far too labor
intensive and prone to human error for such a constantly and rapidly
changing environment. Thus even the most advanced network security
management tools are entirely inadequate for contemporary security
needs and will be as long as they rely upon manual rule creation and
configuration.
The ability to quickly create, change and distribute security
configurations in a distributed environment -- the ability to cope
with change is the key differentiator for ISCS.
HOW IT WORKS:
To repeat, manually created rules and configurations are far too
labor intensive and prone to human error for a constantly and rapidly
changing environment. Thus even the most advanced network security
management tools are entirely inadequate for contemporary security
needs and will be as long as they rely upon manual processes.
This need to accommodate constant and rapid change is a major
reason why inter-office security is rarely implemented, partner
connectivity is a nightmare, why multi-client providers endure the
expense of duplicate, independent infrastructures and why we cringe
at the thought of executives and sales staff using their mobile
phones and PDAs for data access. ISCS removes these barriers by
dramatically reducing the cost of security configuration.
ISCS achieves this breathtaking cost reduction by insulating the
security administrator from device rule creation. The security
administrator creates high level, business function oriented policies
such as "Sales has access to Sales data", "Executive
and Financial have access to Financial data" or "Project A
Engineers and Partner Company B Project A Engineers have access to
Project A data." The reduced opportunity for human error in the
configuration and rule creation process additionally increases the
overall security of the environment.
These high level policies are then translated by ISCS
(specifically the SPM discussed below) into potentially hundreds or
thousands of device specific rules and automatically distributed to
the devices that enforce those rules. VPN tunnels are automatically
created where needed, user authentication and access control is
enforced, NAT is implemented, proxy ARPs created, certificates
managed, routes created and, in the near future, intrusion
detection/prevention, anti-virus and content filtering rules are
distributed. The security administrator never has to touch a single
device or write a single device specific rule. In fact, ISCS allows
the administration of a multi-vendor security environment without
requiring vendor and device specific knowledge on the part of the
day-to-day administrator. As long as the vendor's device can talk to
the SPM, all configuration looks the same to the administrator. The
security administrator lives in a world of policies rather than
devices.
Architecture:
ISCS operates at the network layer. Although its decision criteria
may involve information up to the application layer, the ultimate
function of ISCS is to allow or deny a data packet. ISCS has three
functional components, namely, PEPs (Policy Enforcement Points), the
DBD (DataBase Distributor) and SPMs (Security Policy Managers).
PEPs are the physical gateways that make the decision to allow or
deny a packet. They are very similar to gateways from traditional
vendors. The current incarnation supports Linux based PEPs but the
architecture is entirely modular. As long as the device can provide
the needed functionality, ISCS can be adapted to use any enforcement
device regardless of hardware or software platform. The PEPs have
both an out-of-band communications route to the DBD.
The DBD is responsible for storing the SQL database which describes
the security environment and for distributing the changes to the
PEPs. The DBD is designed to run on virtually any RDBMS. Where there
may be thousands of PEPs and many SPMs in a large ISCS environment,
there is only one DBD.
The SPM is the brains and magic of ISCS. It is currently a Linux
based X application but is developed in C++ using Trolltech's Qt
toolkit with an eye to easily porting it to Windows and Macintosh. It
creates the device rules based upon highly abstracted, business level
policies as well as managing the PEP configuration. Phrased another
way, the SPM performs two principle functions -- element management
and security policy management.
As an element manager, the SPM is quite similar to the best "policy
enabled" management consoles of traditional security device
vendors. In their vocabulary, "policy enabled" means
centralized element management. As such, the SPM enables the
automatic creation of VPN SAs, full integration with its PKI
(creating an interesting potential solution for PKI enabling legacy
applications without rewriting legacy code), the automatic
distribution of rules to the PEPs and the ability to remotely
install, configure or repair a PEP. The only major difference from
the better available element managers is its vendor independence.
However, it is the SPM's ability to create device level rules from
high level policies in an extraordinarily efficient manner that is
unique to the industry. This is what we mean by "security
policy management."
The SPM
difference is manifold yet elegantly simple.
ISCS is a very rich product but to best illustrate how it is unique,
we will focus on access control. The same principles can be applied
to other aspects of security management. The SPM's extraordinary
efficiency is achieved through the following:
Separate
the processing of WHO, ACCESS and WHAT in the question "WHO has
ACCESS to WHAT."
Allow
many different means of user identification (IP address, X.509
certificate, browser certificate, NDS, Active Directory, NT Domain,
LDAP, RADIUS, SecureID Token) to be included in the same user group
(an Access Group in SPM terminology).
Organize
Access Groups in a hierarchical structure with inheritance.
Combine
the server and service, i.e., destination address and destination
protocol, into a single composite object -- a Resource in SPM
terminology. Organize Resources with similar access needs into
Resource Groups.
Organize
Resource Groups in a hierarchical structure with inheritance.
Create
policies by defining relationships between the Access Group and
Resource Group hierarchies.
Manipulate
the relationships through an easy to use, drag and drop GUI.
WHO has ACCESS to WHAT?
This is the classic access control question. Traditional access
control mechanisms such as firewalls answer this question in a
monolithically with a rule syntax such as:
Given Source
Address A on Source Port B trying to access Destination Address C on
Destination Port D, take action E.
The more sophisticated systems may allow for user identification
beyond just IP address and port so their syntax might be:
Given User A
trying to access Destination Address B on Destination Port D, take
action E.
Because it is monolithic, i.e., the question is answered in a single
statement, the security administrator must create a rule for every
needed combination of user (Accessor in SPM terminology) and
destination (Resource in SPM terminology). ISCS answers these
questions separately. First it processes a rule to determine who the
Accessor is. Then it processes a rule to ask what kind of access the
Accessor is requesting. Then it finally processes a rule to determine
what resource is being requested.
On the surface, the modular approach seems more complicated. In
practical application, it is much simpler. First, ISCS only has to
define its Accessors and Resources once. It can then mix and match
its predefined Accessors and Resources to answer the questions. High
reuse with corresponding greater efficiency is the traditional
advantage of modularity. Second, the separate processing creates a
natural sort order for the rules. Instead of potentially having to
traverse the entire rule set to evaluate a packet, the ISCS PEP only
has to traverse the rules that apply to the Accessor and then only
those that apply to the type of Access. This allows for a far greater
number of rules on an enforcement device without significant
performance degradation -- the number of rules necessary for
sophisticated, granular security.
Combine different types of Accessors into the same Access Groups
to minimize the number of security policies
The benefit of this principle is reducing the number of policies that
the security administrator must define. In a rules based system, the
security administrator would likely need to configure a separate rule
for each type of user and that assumes that the enforcement device
has the ability to identify users by more than IP address. In the
SPM, we combine users of any type based upon identical access needs.
We can then create a single policy for the Access Group that will
apply to all the different types of user identities rather than a
separate policy for each. Again, our goal is to write as few policies
as possible. We can let the SPM then go ahead and create the rules
that are specific to each different type of user identity whether it
is IP address, X.509 certificate, Active Directory, LDAP,
e-Directory, RADIUS, SecureID, etc. The computer does the work. The
security administrator never has to be bothered. He merely says, "The
entire company has access to Human Resource employee policies."
He does not have to bother himself with how "The entire company"
is identified -- at least not when he creates the policy.
Organize Access Groups into a hierarchical structure with
inheritance to minimize the number of security policies
This principle is also targeted at minimizing the number of policies
needed to create the needed security. Our business processes
naturally fall into hierarchies. They may be shallow or deep. They
may be geographic or functional but we will find hierarchies. When a
right is granted to an Access Group in the SPM, all Access Groups
below it in the hierarchy inherit the same rights. This eliminates
the need to explicitly create policies for all the descendant Access
Groups.
Thus there is great flexibility in how we can create user access
policies. Some data needs to be accessed by a very specific group of
users. Rights can be granted to just that one, low-level of users.
Other data may need to be accessed by the entire organization.
Instead of needing to create a policy for every single organizational
unit in the enterprise, the security administrator can simply grant
the right at the top of the enterprise tree.
The efficiency gains are enormous. Eventually, the individual, device
specific rules must be created for each user definition but the SPM,
the computer, does that. The security administrator does not. She
simply grants the high level right in a single policy. Imagine a
large, multi-client service provider. Perhaps they want to grant
everyone in all of their 10,000 customers access to the customer
interface of the trouble ticketing systems to check the current
status of their own trouble tickets. The access can be granted to the
entire customer base by granting the right at the top of the client
tree. That single drag and drop operation may produce 100,000 rules
that need to be distributed to 50,000 devices but it took the
security administrator literally five seconds to drag the "All
Clients" Access Group onto the "Public Services"
Resource Group. The SPM will handle creating and distributing the
device specific rules. The computer is far less expensive than the
security administrator and less prone to human error.
Combine server and service into a single Resource object to
minimize the number of security policies
This is a subtle but very important principle to minimize the number
of policies that need to be created. Some vendors such as Solsoft,
SmartPipes, Evidian and NetScreen have made initial attempts at
security policy management but all of them fell into this trap and
will require a major recoding effort to extract themselves.
The few who have attempted this kind of organization allow the
security administrator to create a group of servers and a separate
group of services. She can then grant users rights to that group of
servers and that group of services. The problem is that such a policy
grants rights to all the services within the service group on all the
servers within the server group. That is still pretty cryptic. Let's
illustrate with an example.
Let's say that our security administrator has three Windows servers
(A, B and C) that the Facilities department needs to access.
Facilities specifically needs access to the http service on A, file &
print on B and ftp on C. Of course, it just so happens that server A
also has file & print and ftp services for the administrators to
use. Server C has file & print for the same reasons. Server B
just happens to have a web server running to administer an
application for the Sales department that happens to be running on
the same server as the Facilities file & print (it saved Sales
the cost of buying another server and the Facilities file & print
server was lightly used anyway).
Our security administrator creates the server group "Facilities
Servers" and adds servers A, B and C to it. She then creates the
service group "Facilities Services" and adds http, netbios
(file & print) and ftp to it. She now creates a monolithic,
device level rule that says:
If
"Facilities" tries to access "Facilities Servers"
on "Facilities Services", allow the packet.
If we analyze that rule, we will quake in security horror. As well as
the intended rights, we have just given Facilities access to the file
& print and ftp services used to administer Server A and the file
& print services used to administer Server C as well as access to
the Web based management console for the Sales application on Server
B! This is not at all what the security administrator intended.
To not create such a security nightmare, our security administrator
will have to create three separate monolithic rules -- one to give
http rights to Server A, one to give file & print rights to
Server B and one to give ftp rights to Server C.
Contrast this to the SPM. The security administrator first creates a
Resource Group called "Facilities Data" and next creates a
single policy to grant "Facilities" access to "Facilities
Data." To grant access to http on Server A, she merely adds the
object for http on Server A to the Facilities Data group. She does
not even have to create a new policy. She drags the netbios (File &
Print) services for Server B into the Facilities Data group and the
ftp services for Server C. If Facilities adds another service, there
is still no need for an additional policy -- just add the new
server/service object (Resource) into the Facilities Data Resource
Group.
Organize Resource Groups in a hierarchical structure with
inheritance to minimize the number of security policies
This is the same concept as organizing Access Groups into a
hierarchical structure with inheritance. If the security
administrator grants rights to a Resource Group to an Access Group,
the Access Group also receives rights to all the Resource Groups
below that Resource Group. For example, one might have a superuser
administrators group that has access to everything. That group can be
given rights at the top of the Resource Group tree and there is then
no need to further define policies for each of the subgroups. The
superuser group will automatically have rights to the rest of the
tree. On the other hand, a high level Access Group such as "Entire
Company" might be given access to a low-level Resource Group
such as "Company Forms."
Create policies by defining relationships between the Access
Group and Resource Group hierarchies
This is where everything comes brilliantly together. As already
described above, creating a security policy is as simple as dragging
a Resource Group onto an Access Group or vice versa. The SPM creates
all the device specific rules, links the modular WHO rules with the
modular ACCESS rules with the modular WHAT rules and distributes
those device rules to all the PEPs. A five second drag and drop
replaces hours, perhaps even days of security administration.
Imagine what this kind of efficiency could mean to a carrier offering
a managed secure communications service - CPE IPSec security with the
management overhead of MPLS and the added customer value of
inter-office security. Imagine what it could mean to a multi-client
service provider trying to deliver its remote services inexpensively
yet securely to client sites. Imagine what it means to enterprises if
they can limit user access to data to what users need and respond
quickly to those changing needs -- they can finally start to do
something about those 70% of data compromises that are internal.
Imagine what such responsiveness to change would mean during a merger
or acquisition or in the creation of a partner Extranet.
Manipulate the relationships through an easy to use, drag and
drop GUI
The SPM is a perfect application for a GUI. Complex relationship are
best understood and manipulated visually. The SPM GUI has been
designed by the same security administrators who used the previous
proprietary system for four years. It incorporates what they have
learned through practical field use.
REAL WORLD COMPARISONS
Our estimates of a 90% reduction in the time to administer security
devices in ISCS is based upon our real world experiences. Please
remember that not all of a security administrator's time is spent
administering security policies. Other activities such as physical
installation, planning and executing upgrades are going to be similar
to other products. But, when it does come time to administer security
policies, a 90% savings is a conservative estimate.
Here is a sample scenario based upon an actual comparison between how
we would approach a situation with ISCS and how we would have to
approach the same situation with one of the existing vendors. This is
from a real discussion with the NetScreen sales team for our area.
The initial scenario is that we have 200 offices. We have Sales staff
in all 200 offices. We are taking advantage of our position as a
global company by connecting ourselves as a global company with an
Internet based VPN. Because we are aware of the security implications
of such a move, we are implementing inter-office security. All the
Sales staff need to connect to a database in New York. We have not
implemented PKI and user certificates so we will identify Sales users
by allocated IP addresses.
To do this with NetScreen (at least using the management console that
was presented to us by the NetScreen sales people), we would need to
create 200 order dependent rules -- one for each IP address range to
allow them access to the database service in New York.
Let's assume that a blindingly good security administrator can create
one of these rules and determine in which order to place it in 30
seconds. That is a very aggressive number. 200 rules times 30 seconds
per rule is 6000 seconds or 100 minutes.
The ISCS process is a little more involved. The security
administrator does not have to create monolithic order dependent
rules. Instead, he creates a Sales Access Group and a Sales Data
Resource Group. He then makes a list of 200 IP addresses (far simpler
than creating a source address, source port, destination address,
destination port, action rule). He adds one entry for the database
service on the New York server to the Sales Data Resource Group.
Finally, he drags the Sales Access Group onto the Sales Data Resource
Group. That sounds like much more work but let's look at the numbers.
We'll pretend our security administrator is suffering from a massive
headache and has arthritic fingers. Thus it will take him ten seconds
to add an IP address to the list and one minute to create each Group
and Policy. Two Groups and one Policy = 3 x 1 minutes or 3 minutes.
200 items listed at 10 seconds each = 2000 seconds or 33 minutes for
a total of 36 minutes. A sizable reduction from 100 minutes and that
with a hangover! But it is still not a 90% reduction. Watch what
happens next.
Our new globalization strategy has succeeded and Sales is expanding.
We have now added a web service in Paris, file & print servers in
London and Chicago and another database server in Hong Kong.
Our traditional security administrator needs to add 800 more rules.
One rule for each of the new servers for each of the 200 offices. But
he is a very good administrator and can add them all in just the
right order with no typographical errors and no human errors and can
do all 800 at the rate of one every thirty seconds. 800 rules x 30
seconds per rule = 24,000 seconds or 400 minutes or almost seven
hours.
Life is much simpler for our suffering ISCS security
administrator. Since the Sales Access Group, Sales Data Resource
Groups and the policy giving one access to the other are already
created, he merely needs to add the four additional services to the
Sales Data Resource Group by dragging and dropping them in on the GUI
and clicking on the "Commit Changes" button. He is rather
slow this morning from his headache and arthritis so each drag and
drop operation takes him 10 seconds. The total time to add the four
new Sales Resources is 40 seconds as opposed to seven hours. Well . .
. that is really not fair. The ISCS administrator does need to create
the definition for the server and resource. That takes the
traditional administrator 30 seconds so it will take our impaired
ISCS administrator one minute. This increases our total time to four
minutes and 40 seconds - roughly a 99% reduction in administrative
overhead.
HISTORY:
In 1999, Nexus Management, a global IT Service Outsourcing company
targeting international SMEs, decided to radically alter its service
delivery method. Nexus felt it could add more value by minimizing the
number of service delivery personnel on site and delivering systems &
network monitoring, systems & network remediation, remote control
help desk, desktop asset, configuration and software management,
security management and project planning & engineering from
follow-the-sun Global Network Operations Centers in the Americas,
EMEA and APAC. The service delivery team would also include engineers
scattered throughout the world working from home or client sites -- a
physical as well as virtual centralization that would fully exploit
the trend toward globalization.
ISCS enables the virtual enterprise.
Nexus found that its needs were almost identical to those of its
enterprise customers. Nexus needed ubiquitous, inexpensive
connectivity. A T3 line might be justified to the 10,000 person
headquarters in New York but even a fractional T1 was not justified
into the seven person outpost in Bangkok. This was not the only
issue.
ISCS provides VPN
ISCS provides user authentication and access control
ISCS provides inter-office security
Nexus needed security between its GNOCs and its client sites. The
data needed to be protected in transmission thus requiring a VPN. The
clients needed to be assured that Nexus staff would only have access
to what they needed to access. Nexus needed to be sure that any
client systems connecting to the Nexus GNOCs only had access to the
systems and services they needed and that one client could not use
the Nexus GNOCs to relay into another client's systems. This required
the user authentication and access controls of a sophisticated
firewall.
This was neatly analogous to Nexus' clients' need for inter-office
security. Nexus' clients should be able to limit user access across
the WAN to only those services they need. Someone who has disguised
themselves as the local repairman and walked into the server room of
the ten person office in Bogota should not be able to launch a denial
of service attack against the servers at the corporate headquarters
in London. An ordinary user in Bahrain should not be able to send
packets for host administration functions to the database server in
Hong Kong. Users need to be identified and their access restricted to
what their identity entitles them.
ISCS provides intra-office security
Nexus also needed to address user security within its GNOCs. It
should not be possible for a visitor to plug in their laptop to a
convenient wall jack and suddenly have access to all of Nexus'
clients' systems. It should also not be possible for them to access
Nexus internal systems or to capture clear text traffic from the
network. Thus Nexus needed the same VPN, user authentication and
access control on the LAN as the WAN with the additional need of wire
speed throughput.
ISCS provides inter-company security
Nexus additionally had the need for its engineers on one client site
to access systems on a different client site. This is directly
analogous to a corporate need to allow some but not all people at a
partner site to access a restricted set of data resources on the
internal network. This required the data to be tunneled while
traversing the partner's internal network as well as sophisticated
user authentication and access control.
ISCS provides distributed security
Nexus clients had an additional need to move Internet access security
enforcement policies out to the branch offices. Nexus found that for
many clients the principle WAN bandwidth usage was not mission
critical applications but Internet traffic that needed to be hauled
across the WAN to the corporate firewall which, in turn, sent the
responses back over the WAN to the branch office. Nexus needed a way
to centrally create Internet security policies and distribute them to
branch office security enforcement points.
Traditional
VPN/Firewall products cannot scale to the number of rules and, most
importantly, the rate of change of the rules necessary to cost
effectively manage such sophisticated security. If the security
environment cannot be easily managed, it will not be secure no matter
how good the underlying technology is.
Nexus initially thought the answer would be to use VPNs through the
Internet to provide the requisite connectivity. After investigating
virtually every VPN vendor available in 1999, Nexus concluded the
changing security needs of a global, collaborative market place had
stood the world of VPNs and firewalls on its head and the vendors had
not yet fully realized the implications of the shift.
The use of the Internet for connectivity meant that instead of 300
offices with three Internet access points, the enterprise would now
have 300 offices with 300 Internet access points. How would one
manage the Internet security policies for 300 gateways? That problem
was trivial compared a more subtle implied issue. With 300 potential
points of compromise, the old "hard and crunchy outside but soft
and chewy inside" security model, i.e., a fortress perimeter at
the Internet access points with a wide open WAN, was no longer safe.
In reality, it never was safe -- that is why 70% of data compromises
are internal! The problem has only grown worse with telecommuters,
mobile workers, hand held, embedded and wireless computing devices.
The low cost of connectivity opened the door to bring previously
isolated branch offices onto the WAN. This, again, greatly increases
the need for inter-office security. Physical security may be
impregnable at corporate headquarters in San Francisco but what is it
like in Backwater Flats? A wide open WAN means that the systems are
only as safe as the security in the weakest office.
Implementing inter-office access control is an entirely different
matter from Internet access control. Traditional firewalls are
relatively static. Basic services are let out to virtually all
Internet hosts and, occasionally, inbound services are opened for
public servers. With inter-office access control, every time a new
server is added, every time a new service is added to an existing
host, every time a new office opens and every time a new user
community is defined there is a change to the security configuration.
It is the difference between a few changes per quarter and many
changes per day.
The problem is made even worse when inter-company collaboration is
added. In that scenario, security changes are provoked with each new
partner, each loss of a partner and each expansion or contraction of
the scope of collaboration. Changes to partner security must be
implemented immediately and not queued for processing. Manually
created, order dependent access rules are far too labor intensive and
prone to human error for such a constantly and rapidly changing
environment.
Nexus needed to find a solution that addressed all these issues. The
solution needed low cost of acquisition, deployment and maintenance.
The Internet allowed for low cost, high bandwidth, ubiquitous
connectivity but the cost of managing security with traditional,
manual security products would easily negate any savings and
intolerably inflate the cost of the proposed remote support model.
Nexus did find a solution but there were problems.
WHY OPEN SOURCE?
The Open-Source model frees us from vendor vicissitudes
Nexus reviewed virtually all VPN vendors available in
1999. All were eliminated in the first review because of their
inability to be cost-effectively managed except for Nortel,
Checkpoint, Cisco and a little US West Coast startup company. After
extensive review, Nortel, Checkpoint and Cisco still proved to have
too high a cost of management. Nexus swallowed hard and chose the
startup because they had such a revolutionary product - the only one
that even came close to meeting the specified needs. Nexus also knew
that the small company was in financial difficulty.
Nexus endured six months of the startup not being able
to take the product forward until they finally were acquired by
another company. That company had no idea of the power of what they
purchased so Nexus invested another six months helping them see the
potential of the product. Just when Nexus thought the new company was
ready to bring the product forward, they also stumbled financially .
They sold the rights for the product back to the original venture
capitalist who buried the product. The new company was subsequently
themselves bought by a third company.
Now stranded with core infrastructure built on an
unsupported product, Nexus attempted to find an existing vendor who
would not be blinded by "not-invented-here" syndrome and
consider using the Security Policy Management paradigm. They were
delighted when a major security vendor expressed an interest. The
vendor was stunned when they saw what Nexus was able to do and
committed to building the next generation of their VPN appliances
around the Nexus management model. Nexus expected shipping product in
seven months. However, the company seemed internally torn about its
appliance business and, after a year of waiting, Nexus was told that
the new company was backing out of the VPN appliance business. Nexus
had now endured two years of being held hostage by vendor
circumstances outside of its control.
However, during those two long years, something
radically changed the IT landscape -- the rise of Open-Source
development. Nexus had considered self-development of a solution but
rightly perceived that they were not a software development company.
The needs of the product were huge - VPN gateway, VPN client,
firewall, proxies, Certificate Authority, Intrusion Detection,
Content Filtering, Anti-Virus, router, policy manager. There was no
way Nexus could tackle it all even though it had discovered a truly
non-linear innovation in the marketplace . . . that is, not until
Open-Source.
After the final vendor debacle, Nexus looked around and
realized that virtually everything it needed was available freely and
widely supported in the Open-Source world. There were even ready made
appliances running all the software Nexus would need. The only
missing pieces were the policy manager and the glue to tie the policy
manager to the PEPs.
The Open-Source development model allows higher quality at a
lower cost for companies whose primary function is not software
development
Nexus felt it could write enough of the policy manager
to make it functional, release it under GPL to the Open-Source
community and then try to build a community of other organizations
who would have an interest in the advancement of ISCS. The Nexus goal
was not to make a fortune from selling ISCS but to derive revenue
through the delivery of IT services over the infrastructure created
by ISCS.
By banding together multiple companies with a need for
secure communications management, Nexus could forge a larger and more
varied development team than it could ever afford on its own. The
cost of development is divided among many and the variety should lead
to a more balanced, higher quality product. It is more important that
ISCS deliver Nexus services well than that Nexus make money from
ISCS.
The SPM is only a small piece of the picture. The
quality of the firewall, VPN, Certificate Authority, router and all
the other components needed for ISCS is certainly greater and derived
from a vastly larger development team than Nexus could ever field.
The Open-Source development model insulates other contributors
from Nexus
To be fair to the rest of the contributors to ISCS, ISCS
needs to be able to stand independently from Nexus. The Open-Source
model means that those who have invested in ISCS are not left exposed
should anything ever happen to Nexus. Unlike proprietary solutions,
the end of the vendor does not mean the end of the product or even
support for the product.
An Open-Source solution gives us innumerable platform options
The selection of Linux as the first PEP OS opens the
door to an incredible variety of potential PEPs to meet every
conceivable client need. There are sub-$200 Linux security devices
from companies like SnapGear that can be used as personal security
devices. On the other extreme, there are devices from companies like
Bivio and Arkoon that can pass encrypted traffic at Gigabit wire
speeds. One can even choose to create one's own appliances.
FINAL THOUGHTS
ISCS was original envisioned as a service delivery
mechanism for Nexus. However, it is such a radical improvement to the
world of secure communications that Nexus Management has released it
to the Open Source community to foster its widespread adoption and
further development outside of Nexus under the independent auspices
of the Open Source Development Corporation.
The potential uses are numerous. Service providers like
Nexus can use it to reduce the cost of service delivery. Carriers can
use it to provide sophisticated security services to their clients at
a minimal cost. Enterprises can use it to finally do something about
the problem of securing internal communications. Security vendors can
ISCS enable their products to create a tangible differentiator in an
increasingly commoditized market.
There are surely some less direct uses as well. An
obvious use is enhancing the security of legacy applications. By
shifting some of the user authentication responsibilities from the
application layer to the network layer, legacy applications protected
by ISCS can use its strong user authentication features to enhance
their own security. For example, there has been much talk of the
desire to PKI enable legacy applications but the expense if modifying
the legacy code is prohibitive. If such a legacy application is
protected by ISCS, a user may be required to first authenticate with
their digital certificate before they can send a packet to the legacy
application. From the user's perspective and from a practical
perspective, the application is PKI enabled for initial access -- the
end users cannot use it unless they can furnish a valid digital
certificate. However, from the perspective of the legacy application,
nothing has changed. It is oblivious to the implementation of PKI to
enhance security.
In conclusion, ISCS automates the creation of
low-level device based rules and configurations through the use of
high-level, business function oriented policies. The result is vendor
and device transparency to the security administrator and reduction
of over 90% in the cost of managing security. The massive cost
reduction and ease of management imply better quality and more
extensive deployment and use of existing security tools. The ability
to rapidly and inexpensively respond to changing security needs
allows internal data communications to be secured, easier
accommodation of data sharing with business partners, secure sharing
of infrastructure in multi-client environments and the ability to
secure mobile, hand held and wireless devices. ISCS warrants the
attention and support of the communications security community.