Most security vendors would like you to believe that network security is for sale. A quick flip through the latest information security (INFOSEC) trade rag yields no shortage of claims to that effect. Generally, security vendors don't sell security solutions; they sell security products. Unfortunately, many inexperienced security professionals fall victim to a "cult of cool" in which each security problem is viewed as an opportunity to try out these products, often with mixed results. In some cases, the technology provides solutions to a different problem than the organization has, and in still others it creates new problems unforeseen by the implementers.
This case of the "solution looking for a problem" started with firewalls back in the 1990s, when it was common to hear statements such as, "We're secure, we have a firewall." So far, the early part of the new millennium seems to have the same root problem but with new tools. Instead of firewalls, security is dominated by talk of intrusion detection (or its marketing-defined cousin, intrusion prevention) and event correlation tools. Following the latest trends in security only guarantees that you will spend your entire security budget each year, not that you will address any of your security issues. But enough about the wrong way to do things; for a "solution" to really work, it requires constant care and feeding, diligent sysadmins, and a well-thought-out policy.
To avoid the haphazard "cult of cool" security product deployment cycle, you must have clear and current security policies. Often, these latest toys from the security industry can help organizations implement the requirements of their security policies, but the policies must come first. It is in this way that a given technology's role can be understood within the larger framework of your network security system.
Part I. Network Security Foundations
Network Security Axioms
Security Policy and Operations Life Cycle
Secure Networking Threats
Network Security Technologies
Part II. Designing Secure Networks
Device Hardening
General Design Considerations
Network Security Platform Options and Best Deployment Practices
Common Application Design Considerations
Identity Design Considerations
IPsec VPN Design Considerations
Supporting-Technology Design Considerations
Designing Your Security System
Part III. Secure Network Designs
Edge Security Design
Campus Security Design
Teleworker Security Design
Part IV. Network Management, Case Studies, and Conclusions
Secure Network Management and Network Security Management
Case Studies
Conclusions
References
Appendix A. Glossary of Terms
Appendix B. Answers to Applied Knowledge Questions
Appendix C. Sample Security Policies
INFOSEC Acceptable Use Policy
Password Policy
Guidelines on Antivirus Process
Index