In part this is necessary to ensure applicability in the greatest number of use cases, which is a topic that will be covered more thoroughly in the next section. However, from a security perspective it is also about having the ability to protect against all manner of threats with a single device.
In this regard, it is imperative to recall the implications of the previously discussed challenges. Specifically, it should be clear that effectiveness will depend on having a set of security services (a) that provide protection not just at the network layer of the communications stack but at the application layer as well, and (b) that are not just reactive, but which also include proactive mechanisms capable of stopping unknown attacks.
It should also be noted that this blending of techniques and mechanisms can occur not just across different services, but also within the individual countermeasures. For instance, a reactive (i.e., signature-based) anti-virus engine can be made more effective by coupling it with a proactive intrusion prevention engine and/or by enhancing it to include a proactive, heuristics-based virus detection capability. In fact, because it correlates well with security effectiveness, a high degree of both inter- and intra-service blending should be considered an important criterion when selecting a multi-layer security platform.
Of course, just because a given solution incorporates a wide range of security services does not automatically mean it will be effective. This is why it is also necessary to consider the quality of the individual countermeasures that are included. Ideally, there should at least be parity with the main features, functions, and security mechanisms employed in corresponding best-of-breed point products.
For example, an intrusion detection and prevention capability included in a multi-layer security platform would ideally incorporate, in addition to signature-based detection, protocol anomaly, behavioral anomaly, and heuristics-based mechanisms. Furthermore, there should be sufficient evidence that the associated vendor is serious about continuously improving their solution. Typically this would include (a) having a team dedicated to researching new threats, vulnerabilities, and emerging security techniques, and (b) routinely issuing updates to both content (e.g., signatures) and firmware.
Yet another consideration will be inter-service integration. Products which demonstrate even a basic level of pre-configured capabilities in this area will have both operational and effectiveness advantages over competing solutions, especially most point products.
Firewall: Including multi-layer and protocol inspection, access control, and traffic segmentation
VPN: Supporting all common tunneling protocols (e.g., PPTP, L2TP, IPSec, SSL) and on-demand host-integrity checking
Intrusion Detection and Prevention: Featuring a wide range of detection techniques and rich customization capabilities
Antivirus: Scanning for malware and spyware in all web, email, and file transfer traffic
Web Content Filtering: Enforcing access to allowed web content and filtering high risk URLs
Anti-Spam: Mitigating directory harvest attacks, spam and enforcing email policy
Instant Messaging & Peer to Peer Controls: Applying quality of service to IM/P2P applications, restricting access and ensuring messaging hygiene if allowed.
Whereas multi-layer security capabilities are critical to addressing the evolving threat and vulnerability landscapes, flexibility is another essential ingredient needed to ensure coverage can economically be provided for the widest possible range of IT resources and in the widest possible set of locations. In other words, the key to an ideal multi-layer security platform is having it be appropriate for use in virtually any deployment scenario – not just for small and medium businesses, as is the case with UTM devices.
At a high level, achieving such a degree of flexibility entails:
Providing multiple hardware choices so that organizations can pay only for what they need by selecting a system that closely matches the performance, capacity, and advanced features (e.g., high availability, virtual domains) they require in a given scenario.
Providing support for multiple networking interfaces/ports/mediums (e.g., 10/100/1000 Ethernet, ADSL, dial-backup, wireless), features (e.g., QoS/traffic management, VLANs), and deployment options (e.g., transparent, routed, NAT) so that the solution will fit seamlessly into any environment.
Providing multiple choices in terms of the combinations of security services/modules that can be purchased.
Providing optional subscription services to keep signatures and other content-oriented portions of the security modules up-to-date with the changing threat, vulnerability, and technology landscapes.
Beyond providing adaptability over time, this will ensure the solution is able to accommodate the needs of multiple constituencies within the IT organization (e.g., network operations, security operations, messaging operations, compliance). Different groups can opt either to embrace the consolidated solution, or associated capabilities can be left out (or just go unused) so that they can retain allegiance to any preferred solution provider they already have. For example, the team responsible for email and other messaging applications may already have associated security capabilities as part of their overall, headquarters-based messaging solution. In this case, anti-virus and IM/P2P modules would not be needed in an upstream multi-layer security platform.
In addition, it is this same selectivity, along with the performance capabilities discussed in the next section, which will enable an ideal multi-layer security platform to be used not just in small and medium businesses but in larger enterprises as well. For the former customers, all-in-one functionality is a must-have.
In contrast, it is expected that entrée into larger outfits will be based, at least initially, on only providing a handful of services to supplement what these organizations already have in place – either at the perimeter or even on internal networks. Subsequently, the multi-layer security platforms can serve as a point of consolidation, as the organization seeks to simplify matters and/or as the other products reach obsolescence/end of life.
Finally, given that it has the greatest potential of meeting whatever needs a customer might have, a highly flexible multi-layer security platform would also be the ideal solution for providers of managed security services, supporting both in-the-cloud and customer premise options.
The Power to Perform
Performance-related capabilities comprise the third category of evaluation criteria for multi-layer security platforms. They are essential for the straightforward reason that processing communications traffic through multiple security services is far more taxing than it is with a single-service point product.