Welcome to “The SWTG Blog”

Here is where you'll find valuable information about the issues and challenges organizations face on a regular basis concerning Network Management and Information Security. We will also provide insight and commentary on network troubleshooting, data leakage, endpoint security and network access control.

Questions or comments? Post them here or email them to jwolach (at) sw-techgroup (dot) com.

It’s Time to Fix the Firewall - Part 4

February 27th, 2009 by Jeff Wolach

Let’s talk about application risks. Internet applications are becoming threat vectors for the new generation of spyware, viruses and other malware. Many of these applications use evasive tactics to escape detection, including hiding in encrypted SSL tunnels. Again, traditional firewalls cannot see inside the encrypted payload and therefore miss the attack completely. The only thing you can do is block port 443 (SSL). Unfortunately, blocking port 443 can impact business-critical applications that also use SSL to encrypt their content.

The other risk to organizations today is sensitive information leaving the network undetected. For example: credit card and Social Security numbers, confidential information sent through public webmail accounts, and information lost or stolen by undetected malware or bots. These are just a few examples.

The truth is, most applications — good or bad — carry some level of risk that can result in loss of confidential information.  A recent report by the Ponemon Group surveyed users from 193 organizations and found that 33% of them have already experienced this problem from using Internet applications.  Even more shocking, about 45% of these users continued using the same applications.  No change in their behavior!

So many apps and so many risks, yet so little visibility and control.  This is why “It’s Time to Fix the Firewall”.

It’s Time to Fix the Firewall - Part 3

February 26th, 2009 by Jeff Wolach

I’m not saying that all Internet traffic is bad. Actually, the Internet is a vital extension of today’s corporate networks. Cloud Computing is becoming increasingly popular; however, there are endless streams of consumer and recreational applications that employees are bringing into the network. You might be familiar with some of them — P2P, IM, Bit-torrent, Social Networking, Audio / Video and Gaming. But there are many more that you’ve never heard of, like apps that get around your Internet security controls — i.e. UltraSurf, Zelune, Vtunnel and Anonymizer. Unfortunately, traditional port-blocking firewalls (or IPS) can’t stop them.

Internet users are much more Internet-savvy these days. Not surprising, since the Internet is an integral part of their personal and professional lives. And now their two worlds are colliding! It’s no wonder that Internet traffic dominates corporate networks. Today’s enterprises have on average 424 different Internet applications running across their networks. Some are legitimate business applications; however, most of them are non-essential consumer apps that carry some level of risk to the business. Again, traditional port-blocking firewalls can’t detect them and therefore can’t stop them.

It’s Time to Fix the Firewall.

Network Instruments Destination Performance Tour

February 25th, 2009 by Jeff Wolach

Network Instruments is about to embark on a 10-city North American troubleshooting tour. The tour, Destination: Performance, will introduce network professionals to the latest troubleshooting trends and techniques including:

  • Application performance monitoring
  • VoIP and Unified Communications analysis
  • Device and route monitoring
  • Back-in-time troubleshooting
  • Enterprise-wide reporting

Join NI for lunch and enjoy highly relevant presentations from their resident network troubleshooting experts. You’ll learn new approaches to optimizing network performance and handling application rollouts and problem isolation. In addition, see how the Observer platform tackles performance challenges by providing high-level to packet-level views and expert analysis.

Destination: Performance tour stops include:

Minneapolis, MN - February 12, 2009 (Event Full)
Dallas, TX - March 3, 2009
Chicago, IL - March 4, 2009
Toronto, ON - March 5, 2009
Boston, MA - March 10, 2009
Philadelphia, PA - March 11, 2009
Atlanta, GA - March 12, 2009
Phoenix, AZ - March 24, 2009
San Francisco, CA - March 25, 2009
Seattle, WA - March 26, 2009

Save your spot now.

It’s Time to Fix the Firewall - Part 2

February 25th, 2009 by Jeff Wolach

Nobody gets excited about the firewall anymore.  That’s because innovation has been absent from the firewall for the last 15 years.  Traditional firewalls have been out of step with the times for a while now.  The Internet has changed the way we secure our networks.

Years ago the firewall did a pretty good job at controlling traffic that flowed in and out of the corporate networks.  That’s because traffic was generally well behaved.  Email typically used port 25, FTP was port 20, and web surfing was port 80 HTTP.  Back then “Ports + Protocols = Applications”.  Blocking a port meant blocking an application.  Unfortunately, that is not the formula today.

Today, the Internet accounts for 70% or more of the traffic traversing the corporate network.  However, it’s not just port 80 “Web Surfing”.  20% - 30% of it is encrypted SSL traffic on port 443.  Also, new Internet applications are wrapping themselves in other protocols to sneak through ports that don’t belong to them and even bury themselves inside of SSL tunnels.

All of these applications carry some inherent risk to businesses. They play host to clever new threats that usually slip through the traditional firewall undetected. This is because the firewall is still playing by rules that no longer exist!
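The point made in Parts 2 and 4, that a port is no longer a reliable indicator of the application, can be shown in a few lines. This is an added example, not code from the blog or from any firewall vendor: each constructed flow is classified once by destination port (what a port-blocking firewall sees) and once by the first payload bytes, and the flows where the two answers disagree are exactly the ones a port rule misses.

```python
# Added example (not from the blog): why "Ports + Protocols = Applications"
# no longer holds. Flows are classified by port and by payload; mismatches
# are traffic a port-based rule would misjudge (SSL hiding on 80, HTTP on
# an odd port, a non-SSL protocol on 443).
from dataclasses import dataclass

PORT_TABLE = {25: "smtp", 80: "http", 443: "ssl"}  # the old port -> app assumption
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")

@dataclass
class Flow:
    name: str       # label for the constructed sample
    dst_port: int
    payload: bytes  # first bytes sent by the client

def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_content(flow: Flow) -> str:
    p = flow.payload
    # TLS record header: type 0x16 (handshake), version 0x03 0x0?, 2-byte
    # length, then handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03 and p[5] == 0x01:
        return "ssl"
    if p.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def find_mismatches(flows):
    """Return (name, port_guess, content_guess) for flows the port rule gets wrong."""
    out = []
    for f in flows:
        by_port, by_content = classify_by_port(f), classify_by_content(f)
        if by_port != by_content:
            out.append((f.name, by_port, by_content))
    return out

# Constructed sample flows; TLS_HELLO is a minimal ClientHello record header.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])
SAMPLE_FLOWS = [
    Flow("browser to web server", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("browser to https server", 443, TLS_HELLO),
    Flow("encrypted tunnel on web port", 80, TLS_HELLO),            # SSL on port 80
    Flow("web traffic on odd port", 8080, b"GET /update HTTP/1.1\r\n"),
    Flow("custom protocol on ssl port", 443, b"\x00\x01HELLO\x00"),  # not TLS at all
]

if __name__ == "__main__":
    for name, by_port, by_content in find_mismatches(SAMPLE_FLOWS):
        print(f"{name}: port says {by_port}, payload says {by_content}")
```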

It’s Time to Fix the Firewall - Part 1

February 24th, 2009 by Jeff Wolach

The old port-blocking firewalls have not really changed in 15 years and really are no longer effective in protecting the corporate perimeter.  That’s because they were not designed to control all of the evasive, port-hopping, or encrypted Internet applications, content and threats that are common in today’s networks.  People have tried to compensate for the firewall’s deficiencies by adding IDS, IPS, Network AV, URL filtering, etc.  However, adding all of these other solutions just causes “box-creep” and takes up precious rack space.

It’s Time to Fix the Firewall!!!

In my next few posts I am going to discuss how we got to where we are today and why we need to fix the firewall.  The bottom line is the firewall has been and still should be the most important security device in your network.  However, making sure it protects today’s applications and networks is extremely important, not to mention being able to keep up with today’s high bandwidth rates.

Stay tuned as we explore the Past, Present and Future of the firewall.

Poor Performance Pinches Profits

August 12th, 2008 by Jeff Wolach

Say that 3 times fast… Network World’s Debbie Dubie’s article on “How to troubleshoot sluggish apps” talks about how poorly performing applications have affected overall corporate revenue by as much as 9% (according to a survey conducted by Aberdeen Group). She looks at 3 scenarios where application-performance problems can impact business productivity and profits.

One of the scenarios is poor quality of VoIP calls. Debbie interviewed Koie Smith, an IT administrator at Jackson, Tenn., law firm Rainey, Kizer, Reviere & Bell. Koie noticed that calls were performing poorly across the network and tried to trace it to a port on his switch. He then looked at his QoS settings and discovered “Undefined” priority tags on his voice traffic. Rather than going through all of the above steps to determine that his QoS priority tags were not set correctly, Koie could have identified the problem faster by simply looking at the VoIP Expert Analysis screen of the Network Instruments Observer. The Observer provides visibility into the VoIP traffic while applying expert analysis to the information to quickly resolve issues. The VoIP Experts immediately flag problems such as unacceptable jitter levels, lost packets and alterations in the QoS stream. The Observer also tracks VoIP and overall network performance and can identify whether the jitter or delay is caused by other applications on the network.
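The “Undefined” priority tag Koie found is visible in the DSCP bits of each IP header, so the same check can be scripted. This added example (not from the blog or from Network Instruments) builds a few constructed IPv4/UDP packets, parses the DSCP field, and flags RTP-looking voice packets that are not marked Expedited Forwarding (DSCP 46); the voice port range and the EF expectation are assumptions for the example.

```python
# Added example (not from the blog or Network Instruments): parse the DSCP
# field of IPv4 packets and flag RTP voice packets that are not marked EF
# (DSCP 46). Packets are constructed here, not captured.
import struct

DSCP_EF = 46                       # Expedited Forwarding, the usual voice marking
VOICE_PORTS = range(16384, 32768)  # assumed RTP port range for this example

def build_packet(src: str, dst: str, dscp: int, dport: int, rtp: bool) -> bytes:
    """Construct a minimal IPv4/UDP packet with the given DSCP (no checksums)."""
    payload = (bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00" * 8) if rtp else b"\x00" * 12
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    tos = dscp << 2  # DSCP occupies the top six bits of the old TOS byte
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def parse_packet(pkt: bytes):
    """Return (dscp, protocol, dst_port, rtp_version) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    dscp, proto = pkt[1] >> 2, pkt[9]
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == 17 else None
    payload = pkt[ihl + 8:] if proto == 17 else b""
    rtp_version = payload[0] >> 6 if payload else None  # RTP version is 2
    return dscp, proto, dport, rtp_version

def find_unmarked_voice(packets):
    """Return (dst_port, dscp) for RTP-looking packets whose DSCP is not EF."""
    bad = []
    for pkt in packets:
        dscp, proto, dport, ver = parse_packet(pkt)
        looks_like_rtp = proto == 17 and dport in VOICE_PORTS and ver == 2
        if looks_like_rtp and dscp != DSCP_EF:
            bad.append((dport, dscp))
    return bad

SAMPLE = [
    build_packet("10.0.0.5", "10.0.0.9", DSCP_EF, 20000, True),  # correctly marked
    build_packet("10.0.0.5", "10.0.0.9", 0, 20002, True),        # voice with DSCP 0 ("undefined")
    build_packet("10.0.0.7", "10.0.0.9", 0, 53, False),          # not voice, nothing to flag
]

if __name__ == "__main__":
    for dport, dscp in find_unmarked_voice(SAMPLE):
        print(f"RTP to port {dport} carries DSCP {dscp}, expected {DSCP_EF}")
```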

Read more about Monitoring and Managing VoIP.

“The Big Steal” Symantec Takes Big Deals from the Channel

August 7th, 2008 by Jeff Wolach

A colleague of mine sent me this article last week, “Symantec Takes Big Deals, Renewals Direct“. It talks about how Symantec, which was once hailed as the constant friend of the channel, is taking its largest 900 customers and SMB subscription renewals and handing them to its direct sales team. Symantec’s COO commented to 20 Wall Street analysts on a conference call: “… we’ve built out a very strong direct salesforce where we’re heavily engaged with each customer, it doesn’t make sense to continue to leverage both a distributor and a partner to serve let’s say, the seven, eight, 900 largest customers in the world.”

I have been on the channel side of large organizations like Symantec in a past life and can honestly say that executive management views the partner channel as a necessary evil. They hate giving up margin to distributors and resellers. The belief is that the business is out there and that the channel is there to fulfill orders. I think it’s pretty funny how the channel became the manufacturer’s best friend at the end of the quarter when they needed to “stuff the channel” with inventory so that they could make their numbers. Manufacturers don’t realize the power of the channel and how partner relationships with customers can help drive the sale and move the sales process along. Customers want to do business with a “Trusted Advisor”, not just a company that only cares about making the sale regardless of whether the customer is satisfied.

40 Million Account Numbers Stolen. Welcome to Miami!

August 7th, 2008 by Jeff Wolach

The lead story in last night’s news, “Feds Announce ‘Largest’ ID Theft Case“, reported that investigators broke up a major hacking ring allegedly responsible for stealing and selling more than 40 million credit and debit card numbers. Federal indictments were handed down to 3 men for allegedly hacking into the wireless computer networks of several major corporations, including OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ’s Wholesale Club and TJX Companies, which operates the retail stores T.J. Maxx and Marshall’s. All three of the men reside in Miami.

It seems like shopping with your credit card these days, regardless of the store, is not safe. However, carrying large amounts of cash, especially in Miami, is not safe either. Every major and minor enterprise is vulnerable to wireless attacks. War driving is not uncommon. A few years ago, a Lowe’s Home Improvement store was compromised by hackers stealing credit card data from a van in the parking lot via the store’s wireless network.

Today, there are so many wireless security solutions on the market that could have prevented this from happening. I feel that it is the responsibility of the retail companies to invest in these solutions. As for consumers, it is quite difficult to determine which retail stores are using insecure wireless networks for their business transactions unless you have some technical expertise in wireless security. Therefore, I believe the best protection a consumer can have is to subscribe to a credit card monitoring service that will alert you to unusually high activity and increased spending on your cards. I also subscribe to LifeLock to protect against identity theft. LifeLock puts fraud alerts on your credit reports so that, if someone tries to open a new account using your identity, the credit agency will first contact you for verification. They also back their service with a $1 million service guarantee.

So, if the retailers are not being responsible, it is up to us to take the appropriate measures to protect our identity. After all, we only have one.

No Spying on me in Beijing! I have my IronKey.

August 6th, 2008 by Jeff Wolach

Dave Jevans, CEO of IronKey and chairman of the Anti-Phishing Working Group (www.antiphishing.org), wrote a post on his blog the other day about using IronKey’s SecureSessions service for Web surfing and checking Web email while in Beijing at the Summer Olympic Games. SecureSessions encrypts all outbound traffic and routes it through IronKey servers around the world, protecting the security and confidentiality of communications. There have been several reports that the Chinese government has put in place a system to spy on and gather information about every guest at hotels, as well as journalists, athletes and family members attending the games.

Tips for controlling Olympics video streams

August 5th, 2008 by Jeff Wolach

The Beijing 2008 Summer Olympic Games begin this Friday, 08-08-08. For the first time in history, viewers will have 24/7 coverage via the Internet. Enterprises and organizations are bracing for the demand that these broadcasts will place on their networks and Internet gateways. Blue Coat Systems has published a whitepaper offering a few tips on instituting network policies to counter the effects these videos could have on precious bandwidth and business-critical applications. Some of the tips might seem a bit extreme.

  1. Block Web access to all known Olympics sites known to offer video
  2. Block all streaming video
  3. Block all video embedded in the HTTP stream
  4. Allow streaming or embedded video or content, but not during business hours, or allow only during lunch and after hours.
  5. Allow video content, but limit the amount of bandwidth it can consume.

Organizations that have branch offices using a centralized connection to the Internet will most likely be affected the worst. The added load of the Olympic Games video could swamp the WAN links to branch offices, making business-critical applications and communications exceedingly slow or completely non-functional.