
OPINIONS : SECURITY WATCH: Desktop firewalls require a revolution in their management to be truly effective

InfoWorld; 1/22/2001; By P.J. Connolly


ABOUT A DECADE AGO, I learned the hard way why protecting the desktop is one of
the most difficult tasks. A virus infection came into our shop through an outside
contractor, and it spread everywhere. I spent the better part of the next two weeks
scanning local drives and floppy disks, but I eventually declared victory. The lesson
from that experience is best expressed by Walt Kelly's Pogo: "We have met the enemy,
and he is us."

Too many companies have focused their efforts on computer security at the perimeter
and ignored the need to defend against threats from within. Even companies that
recognize the possibility of an internal threat tend to minimize or misidentify the nature
of the problem. Microsoft's recent trouble with the Trojan horse "QAZ" didn't come
about because an employee was unhappy; it happened because the employee and
Microsoft's security staff were sloppy and an unknown party took advantage of it.

Although we all know that perfect security is impossible, a lot can be gained by beefing
up your current set of tools. For example, 10 years ago, you may have installed anti-
virus software only on key machines. Today, many PCs come with it pre-installed, and
most companies use anti-virus software on the desktop, file server, and mail server. It's
time that we treated "desktop" or "personal" firewalls with the same seriousness.

In the last couple of years, the personal firewall market has exploded with the
increasing use of cable modems and DSL. Although dial-up connections are also subject
to attack, the "always-on" nature of cable and DSL technologies makes it a lot easier for
attackers to compromise systems. The personal firewall software scans network traffic
to and from the PC, and permits or denies the passage of packets based on
predetermined rules, just like the firewall at the edge of a network.

Personal firewalls usually offer remote workers a number of predetermined traffic rules,
and users rarely have to perform any configuration. For example, certain types of
application traffic might be allowed if the application is active on the desktop, but not if
it's coming from a background process.

The current generation of personal firewalls for Windows systems isn't perfect. The most
glaring problem is that they don't verify the identity of applications trying to pass data
through the firewall. If the executable's file name matches one on the "approved" list,
passage is granted; nothing checks that the binary behind that name is the one the
administrator approved. This lets a Trojan horse pass itself off as, say, netscape.exe or
another application that has transit rights.
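To make the weakness concrete, here is an added example (not code from the column or from any personal firewall product it mentions) that puts a name-only allow list beside one that pins the approved binary's SHA-256. The two policy classes, the directory layout, the file name netscape.exe and the file contents are constructed for the demonstration; the "Trojan" is simply a different file that borrows the approved name.

```python
"""Name-based versus hash-based application allow-listing.

Added example: this is not code from the InfoWorld column or from any personal
firewall product it mentions. The two policy classes, the file names and the file
contents are assumptions constructed to show the weakness the column describes.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the binary in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class NameBasedPolicy:
    """What the column criticises: the decision rests on the file name alone."""

    def __init__(self, allowed_names):
        self.allowed = {n.lower() for n in allowed_names}

    def permits(self, exe: Path) -> bool:
        return exe.name.lower() in self.allowed


class HashBasedPolicy:
    """Approve a specific binary, then require the same bytes at decision time."""

    def __init__(self):
        self.allowed = {}   # file name -> SHA-256 recorded when the admin approved it

    def approve(self, exe: Path) -> None:
        self.allowed[exe.name.lower()] = sha256_of(exe)

    def permits(self, exe: Path) -> bool:
        expected = self.allowed.get(exe.name.lower())
        return expected is not None and sha256_of(exe) == expected


def run_scenario() -> dict:
    """Return each policy's verdict for the real browser and for a look-alike Trojan."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for two different binaries that share a file name.
        real = Path(tmp, "browser", "netscape.exe")
        trojan = Path(tmp, "downloads", "netscape.exe")
        real.parent.mkdir()
        trojan.parent.mkdir()
        real.write_bytes(b"MZ legitimate browser build (constructed)")
        trojan.write_bytes(b"MZ Trojan horse using a borrowed name (constructed)")

        by_name = NameBasedPolicy(["netscape.exe"])
        by_hash = HashBasedPolicy()
        by_hash.approve(real)          # administrator approves the genuine binary

        return {
            "name_real": by_name.permits(real),
            "name_trojan": by_name.permits(trojan),
            "hash_real": by_hash.permits(real),
            "hash_trojan": by_hash.permits(trojan),
        }


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:12s} -> {'ALLOW' if verdict else 'DENY'}")
```

The name-based policy admits both files; the hash-based policy admits only the binary that was approved. The cost of pinning a hash is that every legitimate update of the application changes it, so the allow list must be refreshed whenever clients are updated, which is exactly the kind of controlled update the column's Commandment VII asks for. Products that need to survive vendor updates typically check the publisher's code-signing certificate instead of a fixed hash.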

The other problem with most personal firewalls is that they don't play well in an
enterprise environment. Although many vendors tout their remote installation and
configuration, too often that's the limit of the product's manageability. We learned a
long time ago with anti-virus software that products without central management and
reporting aren't worth using.

Unfortunately, it seems that most of the people selling personal firewalls missed this
lesson. So for their benefit, let's dust off the Commandments of Manageability:

I Thou shalt enable remote management of desktop configurations.

II Thou shalt send alerts via e-mail, pager, and SNMP trap.

III Thou shalt provide reporting tools that focus on exceptions, not norms.

IV Thou shalt not update the product by repackaging the entire code.

V Thou shalt protect the client even if the network connection is broken.

VI Thou shalt provide the administrator with defaults that match best practices.

VII Thou shalt provide the administrator with complete control over how and when
clients are updated.

One vision that might provide a model for delivering enterprise security is McAfee's
Security.NET service, an ASP (application service provider) approach that offers an
alternative to "boxed" security packages. Whether companies are comfortable with this
approach is another matter.

If you aren't already considering personal firewalls as part of your security strategy,
now is the time to do so.

P.J. Connolly is a senior analyst in the InfoWorld Test Center; he has almost 15 years of
IT experience building, maintaining, and securing networks and clients. Write to him at
pj_connolly@infoworld.com.

Copyright © 2001 InfoWorld Media Group Inc.

This material is published under license from the publisher through ProQuest
Information and Learning Company, Ann Arbor, Michigan. All inquiries regarding
rights should be directed to ProQuest Information and Learning Company.

Best Firewalls for the Enterprise

By Vincent Ryan
June 19, 2003 4:00AM

How important is a firewall's throughput? According to Check Point Technologies'
Mark Kraynak, price performance -- the amount of throughput an enterprise gets
versus the dollars it spends -- is more important than top-end throughput.

The enterprise firewall market is a study in contradictions. Translation: The market is in
such a state of flux that enterprises facing a buying decision have some tough choices to
make and might be better off waiting until the smoke clears. But few enterprises have
that luxury.

Why the changes? Over the last few years, the leading firewall vendors in the space have
focused their attention on protecting the packet layer of networks. But today, the biggest
threat to networks is at the application layer, so these vendors are having to switch gears
and rework their products to suit customer needs. At the same time, there are vendors
that -- while claiming just a small share of the market -- have been offering application-
level protection all along.

And those are not the only thorny questions facing buyers. Appliance versus software
choices, virtual private networking capabilities and firewall throughput also come into
play.

Market Changes

For the most part, enterprises will be choosing among four leading vendors -- Check
Point, NetScreen, Cisco and Secure Computing -- Michael Rasmussen, a director of
research at Forrester Research, told NewsFactor. Check Point is known for its management
capabilities, NetScreen for its speed, and Cisco for its ability to integrate with the core
of the network. These three companies offer stateful packet-filtering firewalls, which
operate at the network level: they inspect packet headers, and track the state of the
connection each packet belongs to, to decide whether to block or allow it.

But if security is the top priority, enterprises are best off going with Secure Computing,
which offers an application-proxy firewall, Rasmussen said. An application-proxy firewall
runs on a server between the outside network and the protected servers; it terminates
each connection itself, parses the application protocol, and determines what traffic is
accepted or blocked. Because it operates at the application layer, an application-proxy
firewall guards against such dangers as e-mail and instant-messaging attacks, as well as
buffer overflows.

Although the earliest firewalls were application-proxy firewalls, stateful packet-filtering
products have taken over the market, Rasmussen said.

But the "threat model" that organizations are facing is in flux right now, Mark Kraynak,
strategic marketing manager at Check Point Technologies, told NewsFactor. Attackers
are taking advantage of application-level vulnerabilities, Kraynak says, because the
number of applications is multiplying -- leaving more security holes -- and because
many enterprises already have firewalls in place that do a good job of protecting against
network-level threats.

As a result, "the definition of what a firewall does has to change," Kraynak said. A
firewall has to perform both access control and attack protection at the network level
and the applications level, he said.
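The distinction Rasmussen draws between stateful packet filtering and application proxies, and Kraynak's point that a firewall now has to work at both levels, can be shown with a small model. The following is an added example, not code from the article or from Check Point, NetScreen, Cisco or Secure Computing: a stateful filter that decides on headers plus a connection table, beside a proxy-style check that parses the HTTP request line before forwarding it. The packet structure, the internal address range 10.0.0.0/24, the allowed outbound ports and the 1024-byte request-line limit are assumptions chosen to keep the model small.

```python
"""Stateful packet filter beside an application-layer (proxy-style) check.

Added example: not code from the NewsFactor article or from any vendor it names.
The packet model, the internal address range, the allowed ports and the HTTP
request-line limit are assumptions chosen to keep the model small.
"""
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0.0."          # assumed internal network
ALLOWED_OUTBOUND_PORTS = {80, 443}   # assumed rule: clients may browse the web
MAX_REQUEST_LINE = 1024              # assumed application-layer limit
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "PSH"
    payload: bytes = b""


@dataclass
class StatefulFilter:
    """Network-level decision: header fields plus a table of flows the inside opened."""
    flows: set = field(default_factory=set)   # (src, sport, dst, dport) of accepted SYNs

    @staticmethod
    def internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "ALLOW"     # belongs to an established flow; payload is never examined
        if (pkt.flags == "SYN" and self.internal(pkt.src) and not self.internal(pkt.dst)
                and pkt.dport in ALLOWED_OUTBOUND_PORTS):
            self.flows.add(forward)
            return "ALLOW"     # inside-to-outside connection permitted by the rule set
        return "DROP"          # unsolicited inbound traffic, or a port the policy forbids


def http_request_ok(payload: bytes) -> bool:
    """Proxy-style check: parse the request line before anything is forwarded."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep or len(line) > MAX_REQUEST_LINE:
        return False
    parts = line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in ALLOWED_METHODS and target.startswith(b"/")
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


def run_scenario() -> dict:
    """Verdicts for constructed packets, at the network and application layers."""
    fw = StatefulFilter()
    client, server = "10.0.0.5", "203.0.113.10"   # constructed addresses
    verdicts = {}

    # 1. Unsolicited inbound SYN to an internal host: no flow, no matching rule.
    verdicts["inbound_syn"] = fw.inspect(Packet(server, 4444, client, 445, "SYN"))

    # 2. Client opens a web connection; the server's reply matches the recorded flow.
    fw.inspect(Packet(client, 51000, server, 80, "SYN"))
    verdicts["reply"] = fw.inspect(Packet(server, 80, client, 51000, "SYN-ACK"))

    # 3. An over-long request line inside that flow: headers are fine, content is not.
    hostile = Packet(client, 51000, server, 80, "PSH",
                     b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n\r\n")
    verdicts["hostile_network"] = fw.inspect(hostile)
    verdicts["hostile_application"] = "ALLOW" if http_request_ok(hostile.payload) else "DROP"

    normal = Packet(client, 51000, server, 80, "PSH",
                    b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
    verdicts["normal_application"] = "ALLOW" if http_request_ok(normal.payload) else "DROP"
    return verdicts


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:20s} {verdict}")
```

The third case is the gap the article describes: once the client has opened the connection, the stateful filter admits every packet in the flow on header evidence alone, so an oversized request line aimed at a server-side buffer passes untouched, while the proxy-style check rejects it. The same model also shows the cost Kraynak and Roeckl mention: the application-layer check has to reassemble and parse every connection, which a filter that only consults a flow table never does. A real stateful filter additionally tracks sequence numbers and expires idle flows; those details are omitted here.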

Building Intelligence

Check Point and other network-level firewall developers are working to build
"application intelligence" into their products. NetScreen acquired OneSecure, an inline
intrusion detection and prevention company, last year to add application layer
protection to its products. NetScreen currently provides OneSecure's product as a stand-
alone appliance, but also is integrating some of its capabilities into its core firewall
product line, Chris Roeckl, director of corporate marketing at NetScreen, told
NewsFactor.

"Customers have been saying they want to make the firewall smarter," Roeckl said.
Firewalls need the ability to discern not only where a packet is coming from and going
to -- and whether it is properly formed -- but also what the content layer looks like, he
said.

At the same time, network layer protection cannot be ignored. "One of the key things
enterprises need to remember is that even though the threat model is morphing toward
applications, it's absolutely critical that they don't neglect the network side," Kraynak
said. "As soon as organizations stop focusing energy on the network level, the threat
model will change back to that level."

According to Kraynak, traditional application-proxy firewalls have failed in two ways:
They have not secured a broad enough range of network protocols, and they have not
provided enough manageability. An enterprise also can take a performance hit with
application-proxy firewalls, especially if it has concurrent connections numbering in the
tens of thousands.

Soft or Hard?

Application proxy versus stateful packet filtering is not the only question enterprises
must consider. The choice of whether to buy a software-only system and run it on an open
server or buy a dedicated hardware appliance also can be difficult.

Most organizations are looking for a package from a single vendor, Rasmussen said, so
they prefer the appliance approach. An appliance offers seamless firewall functionality
and a lightweight, proprietary operating system. It also eliminates the vulnerabilities
that come with running a firewall on top of a general-purpose operating system,
Rasmussen said. "You reduce your security exposure tremendously," he added.
NetScreen offers "purpose built" appliances based on ASICs that offer ease of
deployment and performance, Roeckl said. "The market is moving toward the appliance
form factor," he explained. "In the software world, you're not tied to a network platform.
How do you optimize the device to sit in a dynamic routing environment?"

Check Point's firewall products are sold as stand-alone software that can run on a
generic server or as software that runs on top of appliances built by the likes of Nortel
Networks and Nokia. Although appliances usually offer added systems-management
capability, Kraynak said, many customers want to optimize their hardware and
personnel investments by utilizing older servers and standard OSes, such as Linux.

VPN Choices

In most cases, virtual private networks and firewalls go hand-in-hand, so VPN support
is important in choosing a firewall. Integrating a VPN with a firewall is the best choice,
according to Kraynak. "If you can terminate your VPN at the same gateway you're doing
your firewall functionality, then you can inspect that traffic," he pointed out.

A separate VPN would sit either behind or outside the firewall, and in both cases can
cause problems, Kraynak said. If behind, then VPN traffic would have to tunnel through
the firewall. But since it is encrypted, the firewall would not be able to inspect it. If
outside the firewall, the VPN device itself would be subject to attack, Kraynak said.

Sometimes, however, having separate VPNs makes sense. Many IT staffs just do not
want to "put all their eggs in one basket," Rasmussen said. Additionally, if an
organization has a large number of VPNs and a large user base, a separate VPN offers
better performance. Firewalls running on general purpose CPUs, for example, are
slowed down by VPN encryption. "VPN encryption and decryption are just overhead,"
Rasmussen said. Dedicated VPN hardware, however, can maximize encryption
throughput.

NetScreen integrates VPN capabilities but also provides up to 2 Gbit/s of VPN
throughput, Roeckl said. A high performance VPN often is needed in enterprise
data-center environments, he said, as well as in networks that have multiple
workgroups operating on a wireless LAN that requires traffic be encrypted.

Speed Counts

How important is a firewall's throughput? Although the number of customers needing a
12-gigabit firewall may be relatively small, high-speed throughput in a firewall is
important when an enterprise is looking to protect the core of the network, Roeckl said.
Many enterprises are looking to add an additional layer of security in the switching
fabric of the enterprise, which operates at multi-gigabit levels.

"An application proxy can't be deeper into the core of a network because it has
performance problems," Roeckl said.

According to Kraynak, what is more important than top-end throughput is price
performance -- the amount of throughput an enterprise gets versus the dollars it spends.
"Ultimately what [enterprises are] buying is a security solution. A lot of times they look
at throughput and performance, but that's not the primary function of the product."

Policy Priorities

In the end, making sure that the right security policy is implemented in the firewall may
be more important than the choice of a particular firewall product. A firewall is only as
good as the security policy it implements, Kraynak said. "Sometimes, organizations
don't spend enough time looking at policy," he said.

Policy concerns with firewalls include who is going to be allowed to access a network,
how they will be authenticated, what activities the firewall will log and track, and what
type of security is required on client machines that access the VPN. "If your policy is
fundamentally flawed, the firewall can't fix that," Kraynak said.

Considering the dizzying array of choices facing firewall shoppers, the notion that
policy is the most important element may be welcome news.

Get smart with business intelligence software: companies faced with ever-
expanding information sources both in and outside the firewall are
scrambling to find easier ways to collect, aggregate, and report on data and
make it available throughout the enterprise.

EContent; 11/1/2003; Miller, Ron

At first blush, that would seem to be the territory of database reporting tools, and to
some extent it is, except that most corporate information does not reside in structured
databases. In fact, a great deal of it is unstructured information such as documents or
email or, even harder to pin down, it's somewhere out on the World Wide Web waiting
to be found. Perhaps it's in a newsfeed or it can be found in a business database such as
Dun & Bradstreet, but wherever it is, companies need to be able to make use of it and
share it with others in the enterprise.

This type of information-gathering falls within the broad category of software known as
"business intelligence" tools, which allow employees to learn about a particular subject
such as how the sales department is performing, what customers complain about most
or what your closest competitor is doing. This article looks at the range of business
intelligence software and provides some examples of how companies are using this
information to run their businesses more efficiently.

THE BI LANDSCAPE

Since Business Intelligence (BI) spans a wide range of information types, it's not an easy
area to nail down. For some, it means looking at pure business information such as sales
data broken down by territory and pulled directly from a database. For others, it's less
structured information such as internal PowerPoint presentations or other business
documents or information found on the Web. Databases and data warehouses provide a
large source of business information, but they are far from the only sources available to
the enterprise. Actually, unstructured data found in places other than databases
comprise the vast majority of data in the enterprise. "Today about 15 percent of the data
are in a structured form and 85 percent of the data is in unstructured form. There is a big
industry around that 15 percent," says Anant Jhingran, director of business intelligence
at IBM.

According to Dan Vesset, research manager, analytics and data warehousing at IDC in
Framingham, Massachusetts, that 15 percent is part of a huge industry IDC defines as
business analytics (BA), which includes query and reporting tools, multi-dimensional
analysis tools, data mining, and packaged data marts. Vesset says that BA accounted for
12 billion dollars worth of business in 2002. IDC sees BI as a piece of the broader
business analytics market; Vesset says BI accounted for 3.7 billion dollars of that total
business analytics pie.

Beyond the data found in conventional databases, there is a whole area of business
information sometimes referred to as marketing intelligence (from CRM sources, for
example), business intelligence, or competitive intelligence. This type of information
might be found inside the firewall or out on the open Web. Employees need to not only
find this information, but make it available to their fellow employees. John Blossom,
president of Shore Communications, Inc., a content industry research firm, sees portals
and knowledge management tools playing an important role in gathering and
distributing this information. Blossom says, "Portal software and knowledge
management is fairly key to success in business intelligence. Being able to transmit
business intelligence into the organization is a key factor, not only to collect it, but to get
it actionable. So you see major corporations, not only gathering information to be
distributed in reports, but making it available online."

Whichever information type or source companies use, a tool to help extract the data
exists. In the structured data market, that might be Cognos or Business Objects.

In the unstructured market, you might use a visual taxonomy tool such as Inxight
Smart-Discovery to get a grip on the data in your enterprise (or from the Web), or an
unstructured data search tool such as Insightful's InFact. You might look outside the
firewall with tools such as IBM's nascent WebFountain product or Anacubis Desktop,
which gives you a front end to help you make sense of data you find on Web-based
subscription services such as D&B. Let's look at these options more closely now.
MAKING SENSE OF STRUCTURED INFORMATION

One thing is certain: There is no shortage of information sitting in enterprise databases
today. The trouble comes when companies try to actually make sense of that data.
Throughout the 90s, many companies spent loads of money and time building huge data
warehouses. Today, they want to use that information they have gathered to build a
competitive advantage. "Now the business units, the business people in the organization
are saying, 'OK we have those data warehouses and we need to get some information
out of there, make better decisions, drive our business better, help us run our business.' BI
feeds off databases and presents information to business users in an organization in a
way that's meaningful." says Anil Dilwari, product marketing manager at Cognos, an
enterprise BI software vendor.

Dilwari says his company helps organize information by displaying data in a visual
window. Cognos presents this information in a single interface, but breaks down the
gathering process into what the company calls scorecards, dashboards,
OLAP (online analytical processing) analysis, reporting, and event detection.
By providing a smooth path through each of these different functions, Cognos software
gives users a way to get the big picture and drill down to find the answers they need.

Business Objects is another company trying to help companies make sense of structured
data. Their strength lies in giving the end-user control of the query process. Early on,
that meant giving end-users the power to write their own queries without IT assistance
and more recently providing a set of tools in an integrated end-user interface. Darren
Cunningham, group manager for data integration at Business Objects says, "Our early
value proposition was for a patented technology that we call a semantic layer, which
essentially shields end-users from having to work with any underlying programming
language, from having to write their own queries, really giving end-users the ability to
analyze the data that lives in these disparate systems." Today, they offer a full set of data
analysis tools.

MINING UNSTRUCTURED DATA

With the prevailing wisdom that 85% of the data in an enterprise exists in sources other
than databases, an awful lot of valuable data can be left behind by tools that search in
only structured databases, and if you don't look at this vast collection of data, depending
on your needs, chances are you'll be missing something. To get at unstructured data,
you need a different toolkit. Vesset from IDC thinks the unstructured side of the market
is growing as companies develop tools to get at this data.

He says, "It's a hot emerging market and it's faster growing than structured data
analysis. Some of the BI vendors are getting into it such as SAS and Insightful. Both have
come out with text-mining solutions, the ability to mine unstructured text and then
integrate that with your analysis. I think those two areas (structured and unstructured)
will continue to merge." Although Vesset says it's early in the merging process and
structured and unstructured for the moment are treated separately, there are industries
such as oil and gas, manufacturing, and pharmaceuticals where they need to look at
unstructured data as part of the nature of their business process.

Jeffrey Coombs, senior vice president of sales and marketing at Insightful--makers of
both structured and unstructured data tools--agrees with Vesset's analysis. His company
has found that industries such as pharmaceuticals benefit from having both types of
tools. He says, "Within pharmaceuticals is a very large requirement that was previously
unmet regarding looking at unstructured data." This is the ability to not only research a
drug, but to also check the literature to make sure nobody else has already looked at it.

Another way to see these kinds of relationships across unstructured data is using
software such as Inxight SmartDiscovery to build a taxonomy that provides a visual
map of data relationships. David Spenhoff, vice president of marketing at Inxight, says,
"What we enable people to do is to analyze text-based data." They then present the data
in a visual map that shows the relationships between different key entities as defined by
the end-user. The information could come from inside the firewall such as documents,
PDFs, PowerPoint presentations, or email; or from outside the firewall such as Web
pages or newsfeeds.

CLIMBING THE FIREWALL

Of course, a whole world of information lives beyond the firewall and, if companies
want to keep track of their competitors, follow industry news and stay on top of
information outside the company, they need to be able to get at that information, too.
Much of this information could be on Web sites or it could be in online Web-based
databases like Dun and Bradstreet. The type of software that allows users to collect,
aggregate, and report on information on the Web is only just beginning to emerge. IBM's
WebFountain has received a lot of attention in the press and a British company,
Anacubis, is beta-testing a new product called Anacubis Desktop, which collects
information from online databases and presents it in a way that you can aggregate and
report on. IBM describes WebFountain as a tool to gain access to information that is not
otherwise readily available such as people's perception of a brand or product. IBM's
Jhingran uses a product launch as an example. He says, "Think about a marketing
manager. You've just launched a product and you want to know what people are saying
about it or what the competition is doing to counteract that. Does it have a positive buzz
or a negative buzz." WebFountain looks for this data in unusual places such as chat
rooms, advertising sites, competitor's sites, or newsfeeds such as Factiva and tries to
build a picture for the marketing manager as to what is happening with the new
product.

Anacubis takes a different tack. They have partnered with several Web-based
subscription companies including D&B and LexisNexis, and have developed a desktop
product to help end-users make sense of the information they find in these databases.
The companies still need to subscribe to the fee-based information services, but they
have a tool to help them see patterns and trends that might not otherwise be obvious.
Rebecca Pointer, marketing manager at Anacubis describes it as follows. "What
Anacubis Desktop does is support all parts of the information flow, so gathering
information from multiple sources, consolidating and organizing that data, and then
allowing users to perform some real analysis of the data they are looking at."

As information resources continue to develop, it becomes imperative for the enterprise
to get a grip on data to help employees understand the business, products, relationships,
and competitive landscape. There are a growing number of software packages and
services to help do that. Perhaps these tools will eventually merge to allow you to
capture structured and unstructured data both inside and outside the firewall from a
single tool, but until then, depending on your needs, you may need an information
gathering toolkit to be certain you gather, analyze, and understand all the available data,
and finally, communicate what you have learned to the rest of the organization.

Tracking Down sales slump

Cognos' Anil Dilwari offers the example of finding a reason for a sales slump to explain
how the different pieces of Cognos software work together to build a picture and track
specific information.

In the Cognos scorecard, green means everything is OK, while red means there is a
problem. Suppose you come in one morning, look at your data scorecard, and you see
U.S. sales marked in red. You want to do further analysis and find out what went
wrong, so you go into the Dashboard setup to see a graphical representation of the U.S.
sales figures presented on a map and you see that California is shaded in red, indicating
that it is a state with a problem. Clicking on California launches a multidimensional
OLAP analysis environment. You find out that the main problem is in Los Angeles and
San Francisco, and specifically it's a problem that surfaced in the last 30 days. You drill
through to the lowest level of detail to a report outlining the status of the sales people in
those two problem areas and you find that your two best representatives from Los
Angeles and San Francisco have actually left the company within the last 30 days, which
explains the reason for slumping sales in these areas.

You can take this a step further and get proactive by enabling event detection, so that if
you ever lose two key sales people in this manner ever again, you will be informed by
cell phone, pager, RIM device, or however you wish to be notified.

UC Berkeley provides unique data access

Debra Kelly, museum information specialist at The University of California at Berkeley
uses Business Objects to put powerful query tools in the hands of end-users in the
campus' Museum Informatics Project (MIP). Kelly says she bought
Business Objects way back in 1995 after evaluating 30 tools that were around at the time.
She was attracted to Business Objects because it put query writing in the hands of her
non-technical users without them having to know any SQL (structured query language).
She says users could simply drag and drop items they wanted to report on into the query
panel. This appealed not only to her, but also very much to her end-user community.
Kelly's department is responsible for maintaining the MIP databases. She says that her
two main Business Objects users are the Botanical Gardens and the History of Art
department. The Botanical Gardens, which maintains a collection of over 35,000 plants,
uses Business Objects software to keep track of items in their collection. For example,
when they receive a request from students or researchers, such as all plants in a certain
genus, they can build a query in Business Objects without help from IT and generate a
printed report to give to the researcher. The History of Art department uses Business
Objects to keep track of its collection, which includes more than a half-million slides.
Although Kelly has developed some custom reports for her users, she says that for the
most part, users can generate the reports they need without her help and that's why she
continues to use Business Objects after all these years.

Pharmaceutical Company mines unstructured data

Insightful's Coombs says their InFact product works quite well in the pharmaceuticals
market because of how it integrates into the nature of their research process.

Coombs says a pharmaceutical company may do all kinds of research to see how a
certain protein may impact a particular gene. They may do experiments and generate
large amounts of data, leading to the development of a drug. They store this information
in conventional databases, but once they find something promising, they need to mine
the research literature to see if what they are developing has been touched before. This
involves huge volumes of text in the pharmaceutical journals. It is nearly impossible to
review this volume of data by hand, Coombs says, so they need an automated solution.

InFact ingests the text-based data and analyzes it looking for the user-defined text
relationships to see if another company has made a similar discovery. In this case, it
might ingest a huge database called Medline, which contains pharmaceutical and
biological publications. InFact then performs information extraction, which means it
reads all of the documents sentence by sentence looking for any information that shows
a relationship between the gene and the protein this company was researching. At the
end of the process, it generates a report of what it has found.

Companies Featured in This Article

Anacubis

www.anacubis.com

Business Objects

www.businessobjects.com

Cognos
www.cognos.com

IBM

www.ibm.com

IDC

www.idc.com

Insightful

www.insightful.com

Inxight

www.inxight.com

Shore Communications, Inc.

www.shore.com

Symantec, Check Point Software, F5 Networks and McAfee Lead the
Enterprise Firewall Sector in Marketing Momentum Index; The
Marketing Momentum Index is the First Independent Ranking of
Competitive Marketing Performance.

Business Wire; 10/18/2005


WESTPORT, Conn. -- Symantec, Check Point Software, F5 Networks and McAfee
respectively earned the highest Marketing Momentum Index scores for the April-June
quarter of 2005. The Marketing Momentum Index, the first independent ranking of
competitive marketing performance, is published quarterly by Market Bearing LLC. For
more information, visit www.marketbearing.com.

The Enterprise Firewall Marketing Momentum Index Report ranks the competitive
marketing performance of the following companies: Check Point Software, F5
Networks, McAfee, Radware, Secure Computing, SonicWall, Symantec and
WatchGuard. The average MMI score for the Enterprise Firewall sector is 488 out of a
possible score of 1,000.

Enterprise Firewall, Q2 2005
Marketing Momentum Index Top Performers
(maximum score: 1,000)

Company MMI
----------------------------------------------------------
Symantec 850
----------------------------------------------------------
Check Point Software 691
----------------------------------------------------------
F5 Networks 661
----------------------------------------------------------
McAfee 540
----------------------------------------------------------

Editor's note: A full color chart is available by emailing carol@marketbearing.com

The Marketing Momentum Index is a composite score of marketing results as
determined by commitment of time, money or resources by an outside stakeholder to a
brand. The MMI is a ranking of competitive marketing performance in four areas:
alliances, customers, technology research and press.

Proprietary algorithms are applied to each area and the composite MMI scores are
relative to each sector. As a competitive quarterly measurement, MMI scores are only
comparable within their sector and do not cross sectors. The Marketing Momentum
Index focuses on pure play and mid-tier technology providers. Mega-vendors who are
also dominant in the sector are not included in the reports as their brand equity has an
umbrella effect over many sectors.

To order the full report, contact Dan Lannon at Market Bearing at 203 653 5600 and
dan@marketbearing.com. A complete list of MMI Reports is available at
www.marketbearing.com/products_services.html.

About Market Bearing

The Marketing Momentum Index is the only independent ranking of competitive
marketing performance. The MMI is a quarterly measurement of outside commitment to
a company's brand enabling management and financial analysts to make smarter
investment decisions. Visit www.marketbearing.com to learn more about Marketing
Bearing LLC and the Marketing Momentum Index.

COPYRIGHT 2005 Business Wire


IP VPNs are not just for Christmas ... (usage of virtual private networks
predicted to grow)

Communicate; 3/1/2005


The huge growth in demand for IP VPNs will start to plateau next year as deployment
reaches saturation point and businesses start to demand more applications and services,
according to recent research.

The Western European managed IP VPN services market grew 23 per cent in 2004,
according to analyst firm IDC which warns that just installing an IP VPN is not enough
if businesses want to continue to grow and cope with increased mobility.

Total spending by customers on IP VPN services from network service providers is still
increasing at a rapid rate, but in 2006 the growth will slow to 8 per cent and in 2007 will
decrease further to 3 per cent.

According to IDC, this is due to the following reasons:

* Price erosion--this is a competitive market and while list prices of IP VPN services are
relatively stable, providers are discounting heavily to win key contracts.

* Spending shift--this forecast measures spending on IP VPN connectivity. As providers
discount connectivity to win key business, and as IP VPN penetration rates continue to
increase, spending will shift from IP VPN connectivity to IP VPN applications such as
voice- and video-over-IP VPN services.

* Market saturation--the greenfield territory for IP VPN services is shrinking all the time
and providers will find new business hard to win.

* Layer 2 VPN (L2VPN) services--next generation L2VPN services based on Ethernet are
growing extremely quickly, albeit from a small base, and will become significant by the
end of the forecast period. In addition, MPLS' ability to support legacy Layer 2 services
such as frame relay and ATM will, to an extent, stem the migration from those
technologies to IP VPNs.

"2004 was another high-growth year for IP VPN services, with DSL and the midmarket
the hot areas," said James Eibisch, research director of IDC's European Business
Network Services. "However, as we are now seeing, providers of all sizes targeting
companies of all sizes need a proposition much broader than 'just IP VPN'.
Applications and value-added services such as voice/video, storage, mobile
integration, and professional services will provide long term growth, not MPLS
switching on its own. The start of 2005 has seen several providers launch IT outsourcing
initiatives, particularly for the SME market, that demonstrate the direction these
companies need to go in."

IDC predicts that of the three main types of IP VPN used by companies, network-based
IP VPNs mainly based on MPLS will continue to grow strongly.

Defending against viruses, worms and DoS attacks: new technologies are
continually becoming available, but the problem goes beyond
technology. (NETWORK SECURITY)

Business Communications Review; 12/1/2005; Robb, Drew

It is easy to secure the perimeter when the borders are well defined and all the troops
wear uniforms. But the world doesn't see many of those wars any more. Rather, the
enemy is within, and security relies not on guarding borders, but on maintaining
constant vigilance to tell friend from foe. This clearly applies when looking at the
conflict in Iraq or homeland security, and the old rules of engagement no longer apply
to IT security either.

"It is relatively easy to keep malware content out of the environment on the Internet side
of the house, but internally, the infrastructure is a huge challenge," said Andre Gold,
director of information security for Continental Airlines in Houston. "There is no more
outside/inside, only varying levels of trust in your environment."

Coupled with this, the types of threats companies face have changed over the last two
years. Consequently, IT needs to evolve a set of technologies and procedures to protect
systems from a full spectrum of internal and external dangers.

"It's a buyer beware world out there; you have to fend for yourself," said Bruce Schneier,
security consultant, author and CTO of Counterpane Security of Mountain View, CA.
"No manufacturer will do a good job. You are forced to make your own security, which
is a combination of people and products."

In the July 2005 issue of BCR, Mark Hoover covered some of the technologies for dealing
with a porous security perimeter (see pp. 40-44). This article takes a look at how several
different organizations are applying a mix of technologies and procedures to protect
their infrastructures from viruses, worms and denial of service attacks.

Willie Sutton: The Real Story

If Willie Sutton had been born today, he probably would have become a hacker. Instead,
being born in 1901, he robbed more than 100 banks, making the FBI's most wanted list in
1950. Legend has it that when a reporter asked him why he robbed banks, he replied,
"Because that's where the money is." But Sutton denied ever having made such a
statement, holding instead that a reporter had made up that quote to make an
interesting story. His real motivation, according to his autobiography, Where the Money
Was: The Memoirs of a Bank Robber, was something different:

"Why did I rob banks?" he wrote. "Because I enjoyed it. I loved it. I was more alive when
I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything
about it so much that one or two weeks later I'd be out looking for the next job."

And this may be the primary motive of hackers as they seek ways to deface websites or
snarl email systems. It is a personal challenge and a way to show off their skills.

For the enterprise, however, bigger threats are coming from those who follow the
statement misattributed to Sutton. The Internet is now where the money is and the
criminals are taking their rackets on line.

"The main change in the threats we have seen is that there are fewer experimenters and
more professional cyber criminals," said Rich Mogull, research vice president for
Gartner, Inc. "The more serious attacks are the targeted attacks. It is harder for a script
kiddie to write something and get it through an enterprise firewall."

The types of criminal threats are not new--it's just that they used to be done by sending
goons around to break kneecaps, rather than creating zombie networks. Nowadays, the
money isn't in the cashier's drawer, but in the database.

"There are more new threats, they are more dangerous, and they are criminal," said
Schneier. "The criminals don't care about technical finesse, they just care about doing it.
Phishing is just impersonation fraud done on a large scale, and denial of service is
extortion."

There is, of course, also an increasing degree of sophistication in some of the automated
attacks, as intruders probe for different routes into the system and weak points to
exploit. But Schneier says that IT administrators don't really need to concern themselves
with the specifics of the virus or worm construction. The antivirus and firewall vendors
can worry about dissecting the code and coming up with the appropriate signatures.

A Layered Approach

Rather, from the IT perspective, dealing with the multitude of threats involves a layered
approach.

"With viruses, we have antivirus, which are usually client based, but we also have
scanning tools on email servers," said Mogull. "Next is worm attacks--there we are
talking about firewalls and intrusion prevention system (IPS) appliances, in the network
as well as on the endpoint. DoS attacks are something completely different; there you
need high availability networks in order to protect yourself."

The Weather Channel Interactive in Atlanta has IPSs on the Internet border, intrusion
detection systems that filter inbound email for viruses and malicious content, traditional
packet-based firewalls and a product for filtering instant messaging (IM) traffic.

"Different areas call for different responses," said John Penrod, The Weather Channel
Interactive's director of network architecture. "No one vendor or one product is able to
answer for everything."

Recently the company has started doing more to secure the endpoints. It is applying
Windows Group Policies on the company's 800 desktops, as well as using local firewalls.
It is looking at installing anti-spyware on the desktops.

"It is no longer a situation where you can have a crunchy shell with a soft middle, you
have to start securing your insides," said Penrod. "We have done a lot more to secure the
inside endpoints, including the desktops themselves."

Next up is improving network access control so that when someone brings a laptop into
the building and plugs it into the internal network, the device is scrubbed for viruses
and checked for up-to-date patches before it is allowed access to the network. And even
then it is only granted limited access privileges.

"The firewalls are doing a good job, but you have to start focusing on the endpoints," he
advises. "When someone physically brings a laptop into the building, you have to look
at the risk associated with that."

Beyond NAC

One of the options The Weather Channel is considering is implementing Cisco's
Network Admission Control (NAC), a set of technologies built into the network
infrastructure which enforce policy compliance on all devices connecting to the network.
While this may wind up fulfilling The Weather Channel's requirements, it won't be the
best option for everyone.

Continental Airlines looked at such a system, but found it wouldn't meet their needs.
The company has about 30,000 IT-connected devices at its Houston headquarters and at
hundreds of airports and city ticketing offices. In addition to having to secure its own
infrastructure, it also has to maintain security on links with the other airlines' back-end
systems.

"The airline industry tends to be a very meshed environment," said Continental's
director of information security, Andre Gold. "You can go to a kiosk in Las Vegas and
select which airline you want to check into. That kiosk has infrastructure provisioned
back to all the airlines, and I have to open up a conduit into my own systems."

In deciding how to provide defense against worms and viruses, Gold considered
adopting NAC. But, although it looked like a great idea, and Continental is a Cisco shop,
he found that it just wasn't feasible to do.

To start with, there was cost. It would have required upgrading hundreds of switches
plus numerous routers which, given the current financial health of the airline industry,
wasn't an option. The second reason was that NAC would have required deploying a
software agent on each asset. Continental has a heterogeneous platform environment--
meaning software agents might not be available for some devices. For others, dropping
in an agent would violate SLAs or license agreements.

"In such cases, people say I can just white-list an asset, but I have thousands of devices I
can't put an agent on," said Gold. "Do I want to manage a white list of multiple
thousands of devices? Absolutely not."

In addition, printers and other devices on which he can't deploy an agent still represent
vulnerability, since they are running Web services or telnet and are subject to exploits.
He must, therefore, be able to provide quarantining and remediation for those assets. On
top of this, Gold said that network-based security products typically cannot adequately
integrate with the network fabric, because the fabric tends to operate at 2 Gbps to 10 Gbps,
but the security devices generally only operate at 1-2 Gbps.

"If I implement a 1-2 Gbps device into my network, I have introduced an immediate
security bottleneck when I am trying to get passengers on planes and planes out of the
gates," he said. "If the plane is not in the sky, it is not generating revenue."

The high price and technical shortcomings of NAC led him instead to the CS2400 Secure
LAN Controller from ConSentry Networks of Milpitas, CA. The CS2400 is a purpose-
built network appliance that operates at 10 Gbps, which allows Continental to integrate
it into the network fabric. The product uses algorithms rather than signatures to detect
network anomalies.

"It allows us to throw security into our network fabric and get it as close to the host as
possible without installing an agent on the host," said Gold. "I can allow the network
transport to do what it does well, which is pushing data."

One aspect he likes is that, when the CS2400 detects an infected device, it just blocks
those parts of the machine the virus or worm is leveraging. It doesn't completely lock
out the user. That way, employees can continue doing their job in some cases, even if
they have something like Zotob running on their workstation. The other factor is the
price. The best security system in the world is worthless if you can't afford it.

"Unlike other technologies out there, this one doesn't require a huge capital investment
for an infrastructure upgrade," he said. "It can be done at a small fraction of the price."

Day Zero Attacks

The ConSentry box is just one of a new class of devices which use algorithms to analyze
traffic, rather than using signatures of viruses or worms. Traditional signature-based
security is a reactive approach. The signature can only be developed once the malware is
out in the wild and has already started infecting machines. That method will protect
those who aren't hit first, but given the rate at which some of these attacks spread, they
can still cause significant damage. The SQL Slammer worm, for example, infected more
than 100,000 database servers within the first 10 minutes following its launch. In
addition, signature-based software doesn't offer protection against targeted attacks.

"We are seeing custom viruses created to attack a specific organization, and there is no
antivirus in the world that will protect you from that," said Mogull. "We are having to
move away from signature based antivirus since it no longer offers sufficient
protection."

So, while traditional antivirus and worm defense depends on comparing a piece of
traffic against databases of known threats, the newer appliances take the opposite
approach. They analyze network traffic to determine what is normal, and then block the
rest.

"Modeling expected behavior becomes attractive, especially for the new or emerging
threat that doesn't have a signature yet," said Jeff Zalusky, principal of Chrysalis, Inc., an
IT risk management firm. "You want to look at any suspicious behavior and quarantine
it or eliminate it before it hits critical servers."

He recommends the SecurVantage appliances from Securify, Inc. of Cupertino, CA,
which he has installed for customers including Deutschebank.

"They were implementing a global project which had the need for individual locations to
be properly segregated from each other," said Zalusky. "Some countries have more
inherent security risks and they wanted to prevent those locations from crippling the
worldwide network."

The University of Michigan is going with Peakflow X appliances from Arbor Networks
of Lexington, MA. The university has six different networks at its campuses, containing
around 50,000 nodes.

"It is hard for IDS vendors and firewalls to keep up with the signature analysis and
detect an attack," said Matt Bing, University Security Analysis Senior who works at the
main campus in Ann Arbor. "If there is a worm no one knows about, even a zero day
attack, the Peakflow appliances can detect it based on oddities they perceive in network
traffic."

He said that setting up one of the boxes just requires installing it on the network, at
which point the device starts analyzing the traffic to determine what is normal. It starts
sending alerts almost immediately but, as the device goes through a learning curve on
the network, it adjusts its operations for better results. In addition to tracking down
infected machines, since it is looking at the network traffic, it also provides metrics on
network performance.
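The two passages above (appliances that learn what is normal and block the rest; a box that starts alerting at once and tunes itself as it learns the network) describe anomaly detection in the abstract. The following is an added example, not code from the BCR article, ConSentry, Arbor or any vendor: a toy baseline-and-deviation detector over constructed flow records. It learns, per source host, how many distinct destination/port pairs that host normally touches per minute, then flags any host whose fan-out in a live window exceeds the learned baseline, which is the pattern a scanning worm produces. The window size, the `k` multiplier and the `min_count` floor are assumptions chosen for the example.

```python
"""Added example: learn a per-host fan-out baseline, then flag deviations.

Not the article's or any vendor's code. Flow records, thresholds and the
hosts are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since capture start (constructed)
    src: str     # source host
    dst: str     # destination host
    dport: int   # destination port


def fanout_per_window(flows, window=60):
    """Map (src, window_index) -> number of distinct (dst, dport) pairs."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.ts // window)].add((f.dst, f.dport))
    return {key: len(pairs) for key, pairs in buckets.items()}


def learn_baseline(training_flows, window=60):
    """Per-host (mean, population stddev) of distinct destinations per window.

    This is the 'learning curve' phase: the detector only observes."""
    per_host = defaultdict(list)
    for (src, _), n in fanout_per_window(training_flows, window).items():
        per_host[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_host.items()}


def detect(baseline, live_flows, window=60, k=3.0, min_count=5):
    """Return (src, window_index, observed, threshold) for hosts that exceed
    mean + k*stddev. A floor (min_count) stops a zero-variance baseline from
    alerting on one extra destination, and applies alone to hosts never seen
    in training, which the detector otherwise knows nothing about."""
    alerts = []
    for (src, widx), n in sorted(fanout_per_window(live_flows, window).items()):
        if src in baseline:
            mu, sd = baseline[src]
            threshold = max(mu + k * sd, min_count)
        else:
            threshold = min_count
        if n > threshold:
            alerts.append((src, widx, n, threshold))
    return alerts


def build_training():
    """Constructed 'normal' traffic: five quiet minutes for two workstations."""
    flows = []
    for w in range(5):
        t = w * 60
        for host in ("10.0.0.5", "10.0.0.7"):
            flows.append(Flow(t + 1, host, "10.0.1.25", 25))    # mail server
            flows.append(Flow(t + 7, host, "10.0.1.10", 445))   # file server
            flows.append(Flow(t + 30, host, "10.0.1.25", 25))   # same pair again
        flows.append(Flow(t + 12, "10.0.0.5", "10.0.1.53", 53))  # DNS, host .5 only
    return flows


def build_live():
    """Constructed live minute: host .5 stays normal (one new destination),
    host .7 sweeps forty hosts on port 445, host .9 is new but quiet."""
    flows = [
        Flow(301, "10.0.0.5", "10.0.1.25", 25),
        Flow(305, "10.0.0.5", "10.0.1.10", 445),
        Flow(310, "10.0.0.5", "10.0.1.53", 53),
        Flow(320, "10.0.0.5", "10.0.1.80", 80),
        Flow(330, "10.0.0.9", "10.0.1.25", 25),
        Flow(331, "10.0.0.9", "10.0.1.53", 53),
    ]
    flows += [Flow(300 + i, "10.0.0.7", f"10.0.2.{i}", 445) for i in range(1, 41)]
    return flows


if __name__ == "__main__":
    base = learn_baseline(build_training())
    for alert in detect(base, build_live()):
        print("ALERT host=%s window=%d distinct_dests=%d threshold=%.1f" % alert)
```

The design choice worth noting is the `min_count` floor: with a short learning window the standard deviation collapses to zero, and a pure `mean + k*sd` rule would alert on the first extra destination, which is the false-positive storm the article's "learning curve" remark alludes to. A real appliance also keeps updating the baseline; this example freezes it after training to keep the behaviour easy to check.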

"We think it is useful to put the devices closer to the assets you are trying to protect, at
the end nodes, rather than at the border," Bing said. "It gives you a better vantage point
on your network."

People Problems

Technology, however, will only get you so far. In the end, maintaining adequate security
comes down to people.

"Because of improvements in perimeter security, the focus now is more on spyware
kinds of attacks," said Gartner's Mogull. "When the user goes outside the organization,
they can be tricked into opening an email or visiting some kind of a website, and that
can be used to gain a foothold into the system."

Headquartered in Le Mars, IA, privately held Wells Dairy, Inc. sells $700 million worth
of ice cream and yogurt annually in 28 countries under the Blue Bunny, Weight
Watchers and other brand names. Like most enterprises, it employs an array of security
devices and software. It has antivirus, anti-spam and anti-spyware applications; Cisco
enterprise firewalls; and does some application scrubbing on the email.

"Network-based threats can almost be ignored because the hardware handles it so well,"
said Jim Kirby, network architect for Wells Dairy. "Social engineering is the biggest
threat today."

Being in a small Midwestern city, his firm may actually face a bigger threat than one in a
larger city might face.

"Everybody around here trusts each other," he explained. "We live in a place where
people don't lock their cars or houses, so why would we think that someone would try
to trick you over the telephone?"

The company has implemented educational programs for the staff to address that area,
and just put in a new security response team to help identify and respond to those types
of threats. For the 400 employees who use laptops and remote connections, Wells Dairy
installs remotely managed personal firewalls from Sygate, Inc. (recently acquired by
Symantec). The firewalls are configured to use different policies depending on the type
of connection. When the computers are outside the network, the firewall blocks all
incoming traffic except for the VPN. It also only allows human-generated output from
the computer so spyware and Trojan horses can't report home.

The firewall controls are hidden from the users. There is no icon indicating it is running
and the users aren't asked to change the security settings based on the type of
connection. Instead, the firewall recognizes the type of connection and automatically
applies the appropriate policies.
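The Wells Dairy setup described above selects a firewall policy from the type of connection without asking the user. What follows is an added example, not Sygate's product or Wells Dairy's configuration: a small location-aware policy evaluator that blocks all inbound traffic except the VPN when the laptop is off the corporate network, and limits outbound traffic to an allow-list of user-facing applications so that unknown processes cannot report home. The VPN ports (IPsec IKE and NAT-T, UDP 500 and 4500), the `corp.example` DNS suffix, the gateway check and the application names are all assumptions; the "human-generated output" control from the article is approximated here as an outbound application allow-list.

```python
"""Added example: connection-aware personal-firewall policy selection.

Not Sygate's or Wells Dairy's code. Ports, suffixes, application names
and packets are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" or "out"
    proto: str             # "tcp" or "udp"
    port: int              # local port for inbound, remote port for outbound
    app: Optional[str]     # owning process for outbound, None for inbound


@dataclass(frozen=True)
class Rule:
    direction: str         # "in", "out" or "*"
    proto: str             # "tcp", "udp" or "*"
    port: Optional[int]    # None matches any port
    app: Optional[str]     # None matches any application
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and self.port in (None, p.port)
                and self.app in (None, p.app))


# On the corporate LAN: a few inbound services for IT staff (assumed),
# unrestricted outbound, everything else inbound denied.
CORPORATE: List[Rule] = [
    Rule("in", "tcp", 445, None, "allow"),    # file sharing (assumed)
    Rule("in", "tcp", 3389, None, "allow"),   # remote assistance (assumed)
    Rule("out", "*", None, None, "allow"),
    Rule("in", "*", None, None, "deny"),
]

# Off the corporate LAN: only the VPN inbound; outbound only from listed
# user-facing applications, so an unknown process cannot phone home.
REMOTE: List[Rule] = [
    Rule("in", "udp", 500, None, "allow"),            # IKE (assumed VPN)
    Rule("in", "udp", 4500, None, "allow"),           # IPsec NAT-T (assumed VPN)
    Rule("out", "*", None, "vpn-client", "allow"),
    Rule("out", "tcp", 443, "browser", "allow"),
    Rule("out", "tcp", 80, "browser", "allow"),
    Rule("out", "tcp", 25, "mail-client", "allow"),
    Rule("out", "*", None, None, "deny"),             # anything else outbound
    Rule("in", "*", None, None, "deny"),              # anything else inbound
]


def classify_connection(dns_suffix: str, gateway_ip: str) -> str:
    """Assumed location detection: the adapter's DNS suffix and default
    gateway identify the corporate LAN; anything else is 'remote'."""
    if dns_suffix == "corp.example" and gateway_ip.startswith("10."):
        return "corporate"
    return "remote"


def policy_for(location: str) -> List[Rule]:
    return CORPORATE if location == "corporate" else REMOTE


def decide(location: str, packet: Packet) -> str:
    """First matching rule wins; a packet matched by no rule is denied."""
    for rule in policy_for(location):
        if rule.matches(packet):
            return rule.action
    return "deny"


def apply_policy(dns_suffix: str, gateway_ip: str, packets: List[Packet]) -> List[str]:
    """Pick the policy from the connection, then evaluate each packet."""
    location = classify_connection(dns_suffix, gateway_ip)
    return [decide(location, p) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("in", "tcp", 445, None),             # SMB probe from outside
        Packet("in", "udp", 4500, None),            # VPN tunnel
        Packet("out", "tcp", 80, "unknown-process"),  # would-be beacon
        Packet("out", "tcp", 443, "browser"),
    ]
    print("home network:", apply_policy("home.lan", "192.168.1.1", sample))
    print("office:      ", apply_policy("corp.example", "10.1.2.1", sample))
```

Both rule lists end in explicit deny rules rather than relying on the fall-through default, so that reading the list alone tells the administrator what the policy does; the fall-through in `decide` is only a safety net.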

Conclusion

While such comprehensive and automated approaches to security take some of the
human factor out of the equation, there are other threats. For example, USB ports
simplify network connections, but they also simplify data theft.

"The thumb drive risk is only starting to be recognized, but it is the same problem that
was raised with fax machines and manila envelopes," said Kirby. "The basic problem
hasn't changed in the last 10 years, it is just easier to be secretive."

So, while there are technological options such as turning off USB ports, there is no
hardware, application or policy that will completely solve security problems.

"It is almost always a personnel issue," he said, "and I don't see the personnel issue
changing."
