Author: admini

“A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined,” Litan said in an accompanying statement.

Litan recommended encryption as the first step enterprises and government agencies should take to protect customer/citizen data.

http://www.darkreading.com/document.asp?doc_id=96671&WT.svl=cmpnews1_2

The type of work the offshore group is contracted to do will influence how you extend your network. If the offshore group only needs to check code in and out, a full VPN would be overkill. Most major code repositories have built-in Web interfaces and username/password protection. Your network only needs to be extended to allow the front-end Web piece to access the back-end code repository. Using the popular Concurrent Versions System (CVS) as an example, there are several free, commercial-grade Web front-ends available. By setting up a publicly available Web site, using Secure Sockets Layer and relying on the built-in username/password protection in CVS, all that is required is a public IP address and fully qualified domain name. This is a simple solution that will let you sleep at night and play an uninterrupted round of golf on the weekend.

It also applies to offshore work that doesn’t require live access to your internal systems. Building on the above concepts will work for any access requirements that don’t involve live, real-time access to systems. If the business requirements are more involved than simple code check-in and check-out, then put the clubs aside.

What are the services the offshore workforce will need to consume that are hosted on your local network, such as Web services, database services or Network File System services? It might seem like more work than necessary to grant access to these systems at such a granular level. But by only exposing the application ports and hosts that are required for the specific job, you prevent any other traffic coming from the offshore network into yours, regardless if the traffic is hostile or not. Depending on the size of the offshore workforce, there are two common methods normally used to accomplish this — implementing a LAN-to-LAN VPN tunnel or client-based VPN access. A LAN-to-LAN VPN tunnel is a secure connection between two otherwise separate networks. A VPN endpoint can be a router, firewall, Windows server, Linux system or a dedicated VPN concentrator — anything that can encrypt and decrypt packets at an acceptable speed.

At this point, you have selected an offshore business partner, gathered a list of resources and purchased a VPN endpoint device. Name resolution, routing, latency and IP address conflicts all have the potential to keep you off the golf course. For an offshore workforce that has its own internal DNS servers, name resolution for the resources/hosts that I identified earlier can be an issue. A DNS zone transfer can be done between your DNS servers and the local DNS servers inside of the offshore group’s network, or you can create alias records on your public-facing DNS for these hosts. This filters traffic after it comes out of the VPN tunnel and before it reaches any part of your local network. You need to inject this network into your routing process or use static routes on the systems that the offshore group will access.

All the traffic that will come through the VPN will traverse the firewall. There are devices that will perform the VPN piece, NAT translation and stateful inspection all in one, but I have found these devices very hard to troubleshoot when using all of the above functions and not very good at controlling access to perform different functions.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000983&source=rss_topic17

Unfortunately, purchasing and deploying a full range of best-of-breed security solutions can be daunting for small-mid sized businesses that typically have only have a fraction of the resources and budgets of larger enterprises. These customers are typically willing to sacrifice best-in-class security, performance and features for simplicity, ease-of-use, and low price. To better serve this segment of the market where simplicity and low cost are top priorities, Unified Threat Management (UTM) products have emerged.

UTM is the evolution of the traditional Firewall into a Swiss Army product that not only includes a firewall but also content inspection and filtering, spam filtering, intrusion detection and anti-virus. The biggest value with UTM platforms is simplicity and lower price given its “all-in-one” footprint. While UTM solutions provide significant benefits, especially for SMBs, the design of many UTM appliances on the market today is a compromise of performance, functionality, price and simplicity.

Performance: The practical performance of a UTM appliance is often not obvious from reading the appliance specifications, since they typically depict just the performance of the firewall with the other security applications disabled or providing minimal functionality. The anti-virus performance of a UTM is typically limited to a small set of in-the-wild viruses, supported by a limited virus signature database. When simultaneously running another scanning application such as anti-spyware, UTMs will become less accurate as the scanning coverage is scaled down in an attempt to maintain speed throughput, or a combination of reduced accuracy and lower speed.

Scalability: With limited throughput and system performance, first-generation UTMs are expected to quickly run out of horsepower to keep up with the broadband speeds enterprises are demanding. Additionally, since many security platforms today utilize signature-based technologies, being able to flexibly reconfigure the platform and update the signature databases, in response to new variants and threats, has become essential. Utilizing a high-performance acceleration engine that can be easily integrated into an existing appliance and operate in conjunction with the appliance’s core CPU/NPU, UTM performance can be accelerated by as much as 70X.

Designed to accelerate bottleneck operations associated with supporting multiple simultaneous applications, high-speed packet process and content inspection, a security acceleration engine can provides CPU/NPU offload and ensure multiple application support with full content coverage and accuracy while maintaining throughout performance.

http://www.it-observer.com/articles/1151/utm_preparing_new_generation_security_threats/