The Smart Techie was renamed Siliconindia India Edition starting Feb 2012 to continue the nearly two decade track record of excellence of our US edition.

April - 2008 - issue > Cover Feature

The Hybrid Approach to Security

Jayakishore Bayadi
Tuesday, April 1, 2008
Jayakishore Bayadi
CEO Dr. Parag Pruthi and his team of engineers at NIKSUN are keenly watching the shift in the enterprise world from 1 GB Ethernet to 10 GB Ethernet. Though the transformation to the new paradigm has been relatively slow, they are confident that the pace will catch up in a year or two.

In the 10 GB Ethernet world there will be multitude of services and application available to users. At the same time the rate of information flow will be much higher. Dr. Pruthi firmly believes that software-based network security solutions that are designed for today's networks will not be able to scale up and address the challenges of a 10 GB Ethernet world. "Software-based solutions will not be able to cope up with the high volume and large variety of information flowing on the network," he argues.

Despite the fact that organizations have deployed devices such as firewalls and intrusion detection systems (IDSs) to secure their networks, they continue to experience security violations and network attacks. Chief Security Officers have started to believe that there is no such thing as 100 percent security. Firewalls can be bypassed or tunneled through. Authentication can be foiled, guessed, or attacked. IDS systems can be evaded. Signatures and anti-virus systems can only flag known attacks. IPS systems can be compromised or made to cause denial-of-service (DoS) situations themselves. Due to the complexity of network attacks and the extent of the damage they cause, organizations are spending considerably more time and resources recovering from security incidents than in the past.

Network security is typically performed by detection mechanisms that identify anomalies or potentially harmful data. In particular, the IDS scans for known attack patterns and generates alarms when those patterns are detected in the network traffic or in host logs. Essentially this is based on signatures or trying to match patterns of packets or strings that flow in a network. However, scanning the network traffic in a 10 GB Ethernet world is not that simple using this approach.

"IDSs are not the network security panacea they were originally thought to be, but rather are prone to suffering from a host of shortcomings," says Pruthi. Chief among these shortcomings is the proliferation of false positives, the cases where the IDS raises an alarm when no real breach has occurred thereby greatly reducing the effectiveness, usability, and manageability of such systems. Indeed, industry estimates generally place the average occurrence of false positives above 90 percent. The increasing need to monitor faster and faster networks threatens to make matters worse.

Share on Twitter
Share on LinkedIn
Share on facebook