Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements
SteveHanna

Coordinated Security: Putting It All Together

by Juniper Employee on 03-02-2009 09:57 AM - last edited on 04-07-2011 03:12 PM by Administrator

For too long, our security systems have acted like territorial bureaucrats, hoarding the information that they have and refusing to share with each other. An Intrusion Detection System notices odd behavior but only logs it. A Virtual Private Network (VPN) gateway authenticates a user but doesn't pass the identity to anyone else. We must stop this madness! Coordination and cooperation are at the foundation of any successful and cost-effective security system.

Sharing security information is not a new idea. RADIUS and other identity management protocols have helped us move from the multiple directories of the early 1990s to modern identity management systems. Network Access Control (NAC) systems gather information about endpoint health and combine this with user identity to determine network access. And security management systems like Juniper's STRM Series Security Threat Response Managers provide sophisticated correlation of alerts from many sources. But the coordination here is one way. We need full information sharing among our security systems.

Fortunately, there is a new standard for security coordination. In May 2008, the Trusted Computing Group announced the new IF-MAP specification, which defines a standard protocol for security coordination. Security devices (like VPN, NAC, and IDS devices) use the IF-MAP protocol to store data into a shared database called a Metadata Access Point or MAP. Other security devices can search the MAP or even subscribe to specific changes.

Let's walk through a simple use case to see the benefits of IF-MAP. A user connects to a network through a VPN or NAC system, passing through identity checks and endpoint health checks. If the user is allowed on the network, the VPN or NAC system uses the IF-MAP protocol to store information about the user and their endpoint into the MAP. If an IDS later sees an endpoint device attacking someone or sending spam or engaging in some other undesirable behavior, the IDS can use the IF-MAP protocol to find information about that device that was previously stored in the MAP (such as the identity of the device's user). The IDS can even store an event into the MAP, reporting the bad behavior. If the VPN or NAC system has subscribed to notifications for such events, the MAP will notify the VPN or NAC system of the bad behavior using the IF-MAP protocol. This example just scratches the surface of what the IF-MAP protocol can do.
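The publish, search and subscribe exchange described above, modelled in Python as an added example (not code from the post, Juniper, or the Trusted Computing Group). Real IF-MAP is SOAP/XML over HTTPS; this in-memory MAP only keeps the graph shape: identifiers are nodes, metadata sits on links or on a node, and subscriptions fire when matching metadata is published. The identifier and metadata names follow the IF-MAP vocabulary (access-request, identity, ip-address, authenticated-as, access-request-ip, event), but the client names, session id, user and address are constructed sample values.

```python
"""Simplified model of the IF-MAP publish / search / subscribe exchange (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    """A MAP identifier (graph node), e.g. identity, ip-address, access-request."""
    kind: str
    value: str


class MapServer:
    """In-memory Metadata Access Point: a graph of identifiers whose links and
    nodes carry metadata, plus subscriptions that fire on matching publishes."""

    def __init__(self):
        self.link_meta = defaultdict(list)   # frozenset({a, b}) -> [(type, attrs)]
        self.node_meta = defaultdict(list)   # identifier -> [(type, attrs)]
        self.neighbours = defaultdict(set)   # adjacency for search
        self.subscriptions = []              # (client, identifier, wanted type, callback)

    def publish_link(self, client, a, b, md_type, **attrs):
        """Attach metadata to the link between identifiers a and b."""
        self.link_meta[frozenset((a, b))].append((md_type, attrs))
        self.neighbours[a].add(b)
        self.neighbours[b].add(a)
        self._notify(client, a, md_type, attrs)
        self._notify(client, b, md_type, attrs)

    def publish(self, client, ident, md_type, **attrs):
        """Attach metadata (e.g. an event) to a single identifier."""
        self.node_meta[ident].append((md_type, attrs))
        self._notify(client, ident, md_type, attrs)

    def subscribe(self, client, ident, md_type, callback):
        """Ask to be told whenever md_type metadata is published on ident."""
        self.subscriptions.append((client, ident, md_type, callback))

    def _notify(self, publisher, ident, md_type, attrs):
        for client, sub_ident, wanted, callback in self.subscriptions:
            if sub_ident == ident and wanted == md_type:
                callback(publisher, ident, md_type, attrs)

    def search(self, start, max_depth=2):
        """Breadth-first walk from start up to max_depth links away.
        Returns ({identifier: depth}, {link: [metadata]}) for what was reached."""
        depth = {start: 0}
        links = {}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if depth[node] >= max_depth:
                continue
            for nb in self.neighbours[node]:
                key = frozenset((node, nb))
                links[key] = self.link_meta[key]
                if nb not in depth:
                    depth[nb] = depth[node] + 1
                    queue.append(nb)
        return depth, links


def run_scenario():
    """The post's use case: NAC publishes who connected and how, IDS searches the
    MAP to find the user behind a misbehaving address, IDS publishes an event,
    and the NAC's subscription delivers it. Returns (users found, NAC inbox)."""
    mapserver = MapServer()
    nac_inbox = []

    # Constructed sample identifiers for one NAC session.
    access_request = Identifier("access-request", "nac1:session-42")
    user = Identifier("identity", "alice")
    endpoint_ip = Identifier("ip-address", "10.0.0.23")

    # 1. NAC admits the user and records how the endpoint connected.
    mapserver.publish_link("nac1", access_request, user, "authenticated-as")
    mapserver.publish_link("nac1", access_request, endpoint_ip, "access-request-ip")

    # 2. NAC subscribes to event metadata on the endpoint's address.
    mapserver.subscribe(
        "nac1", endpoint_ip, "event",
        lambda publisher, ident, _t, attrs: nac_inbox.append((publisher, ident.value, attrs["name"])),
    )

    # 3. IDS observes spam from 10.0.0.23 and asks the MAP who is behind it:
    #    ip-address -> access-request -> identity is two links away.
    reachable, _links = mapserver.search(endpoint_ip, max_depth=2)
    users = sorted(i.value for i in reachable if i.kind == "identity")

    # 4. IDS records the event; the MAP notifies the subscribed NAC.
    mapserver.publish("ids1", endpoint_ip, "event",
                      name="spam-outbound", significance="important")
    return users, nac_inbox
```

Two points a practitioner would check when deploying the real thing rather than this model: every MAP client should authenticate to the MAP server (the specification runs over TLS), because the NAC will act on whatever event metadata arrives, so a client able to publish false events could trigger quarantines of legitimate users; and search depth matters, since the identity is only reachable through the access-request node, so a depth-1 search from the address returns nothing useful.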

As you can see, the primary purpose of the IF-MAP protocol is to help security systems share information. They can store information in the MAP about which devices are connected to the network and how they connected, who's using them, how they're behaving, and so on. Security systems can use the shared information to provide better reports (with user names and device locations), make more intelligent decisions (knowing what is normal for a particular user), and provide better response to problems (since one security system can now immediately alert other security systems of problems).

Coordinated security provides better security and more automation, thus reducing the cost of security management. Because it is an open standard, IF-MAP can integrate equipment from multiple vendors, allowing customers to choose the best products for their purposes and avoiding expensive and proprietary single-vendor approaches.

The advantages of coordinated security through open standards are clear. However, the IF-MAP specification is fairly new, less than a year old. Several key vendors have demonstrated prototype implementations but none have yet shipped products that implement the standard. When will that happen? Very soon, I hope. Let us keep our eyes out for the first products in this new world of coordinated security. We will all benefit.

Message Edited by ac on 03-02-2009 10:02 AM

Comments
by Phil(anon) on 04-14-2009 06:00 AM

Steve,

Great point. Security built on a cobbled-together collection of parts is far less likely to be secure and manageable than a holistic, integrated architecture built with parts designed to work together. The manageability point is critical, since security that isn't manageable isn't sustainable.

Thanks,

Phil Stevens

CIO, http://www.TechnologyProfessional.Org

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.