For too long, our security systems have acted like territorial bureaucrats, hoarding the information that they have and refusing to share with each other. An Intrusion Detection System notices odd behavior but only logs it. A Virtual Private Network (VPN) gateway authenticates a user but doesn't pass the identity to anyone else. We must stop this madness! Coordination and cooperation are at the foundation of any successful and cost-effective security system.
Sharing security information is not a new idea. RADIUS and other identity management protocols have helped us move from the multiple directories of the early 1990s to modern identity management systems. Network Access Control (NAC) systems gather information about endpoint health and combine this with user identity to determine network access. And security management systems like Juniper's STRM Series Security Threat Response Managers provide sophisticated correlation of alerts from many sources. But the coordination here is one way. We need full information sharing among our security systems.
Fortunately, there is a new standard for security coordination. In May 2008, the Trusted Computing Group announced the new IF-MAP specification, which defines a standard protocol for security coordination. Security devices (like VPN, NAC, and IDS devices) use the IF-MAP protocol to store data into a shared database called a Metadata Access Point or MAP. Other security devices can search the MAP or even subscribe to specific changes.
Let's walk through a simple use case to see the benefits of IF-MAP. A user connects to a network through a VPN or NAC system, passing through identity checks and endpoint health checks. If the user is allowed on the network, the VPN or NAC system uses the IF-MAP protocol to store information about the user and their endpoint into the MAP. If an IDS later sees an endpoint device attacking someone or sending spam or engaging in some other undesirable behavior, the IDS can use the IF-MAP protocol to find information about that device that was previously stored in the MAP (such as the identity of the device's user). The IDS can even store an event into the MAP, reporting the bad behavior. If the VPN or NAC system has subscribed to notifications for such events, the MAP will notify the VPN or NAC system of the bad behavior using the IF-MAP protocol. This example just scratches the surface of what the IF-MAP protocol can do.
As you can see, the primary purpose of the IF-MAP protocol is to help security systems share information. They can store information in the MAP about which devices are connected to the network and how they connected, who's using them, how they're behaving, and so on. Security systems can use the shared information to provide better reports (with user names and device locations), make more intelligent decisions (knowing what is normal for a particular user), and provide better response to problems (since one security system can now immediately alert other security systems of problems).
Coordinated security provides better security and more automation, thus reducing the cost of security management. Because it is an open standard, IF-MAP can integrate equipment from multiple vendors, allowing customers to choose the best products for their purposes and avoiding expensive and proprietary single-vendor approaches.
The advantages of coordinated security through open standards are clear. However, the IF-MAP specification is fairly new, less than a year old. Several key vendors have demonstrated prototype implementations but none have yet shipped products that implement the standard. When will that happen? Very soon, I hope. Let us keep our eyes out for the first products in this new world of coordinated security. We will all benefit.
Discussing a wide range of topics impacting enterprises and
data center security.