By Kenny MacIver
There has been an explosion recently in new security products for firewalls, virus protection, audit trail logging, access control, data encryption, identification, authentication, and security administration, in an attempt to make secure the combination of distributed client-server computing and the Internet. But while the industry’s biggest challenge is to secure the Internet so it can carry transactions and other secure data, by far the biggest threat to companies today still comes from within. In a recent survey of 160 hackers by Computacenter Ltd, 55% said they believed that the Internet provided more opportunity to access private systems. Hackers believe few organizations appreciate how open the Internet is and most have ineffective security. Similarly [they point out] there are many security companies selling useless software. That combination represents too much of a risk for some. Many company information systems directors are shying away from implementing Internet systems because of the security risk, says Deb Triant, chief executive of Check Point Software Inc. At the Wall Street Journal, for example, journalists do not have access to the Internet from the newspaper’s network – they use a separate standalone computer – for fear that outsiders could hack into the network and use it as a conduit for altering financial wire stories and thus effecting financial markets. And they are not alone in their concern. In some US banks you can be fired for accessing the Internet through a phone line [that bypasses firewall/virus catching software], says Anne Marie Roussell, a networking analyst at the Gartner Group. There is further evidence that their concern is well placed. The FBI says that in 80% of the computer-related crime cases it investigates, the hackers entered corporate networks via the Internet.
Although firewall products vary in their scope and functionality – and should therefore be chosen carefully to match the application – the better products provide most of the functionality a Web site needs. As a result of the growth of firewalls on Web servers, the market is expanding at unprecedented rates. According to International Data Corp, over the past year, sales of firewall products have more than doubled from $160m to $338m. It predicts that, in unit shipment, the market will steam ahead at an annual compound growth rate of 174% between 1995 and 2000 when 1.5 million units will ship. As unit prices drop, compound revenue growth will tail off to 7% in 2000 when $980m worth of firewall software will be sold, says IDC. Given its youth, the firewall software market exhibits some strange characteristics. Firstly, there are over 70 firewall products being sold today and many more that have been written in-house. Many are only available as part of a hardware bundle, others are stand-alone. Even more bizarre for a two year-old market, shares are split between scores of small players and one dominant company. Check Point Software, headquartered in Tel Aviv, is said by industry research groups IDC and the Yankee Group to command 40% of the market. No other company has more than 12%, says Yankee. Check Point’s Firewall-1 has its roots within the Israeli army where its founders worked on a ‘proof of concept’ product while on military service. The big break for the company came in 1994 when Sun Microsystems Inc chose to offer the Check Point product both standalone and bundled with its Internet servers. Because of its OEM customer-focused sales model, Check Point’s costs are low and its profit margins high. Its 48% net margin is the highest in the software industry. Like other firewalls, Check Point’s product authenticates users, restricts incoming/outgoing traffic, logs traffic information, generates traffic reports, detects possible intrusions, and limits the amount of damage any successful breach can have. At its 1,500 installations, Check Point claims there has never been a report of a break in. Several hardware companies also offer their own firewalls – most notably Digital Equipment Corp, Harris Computer Systems Corp, and Cisco Systems Inc. There are three kinds of firewall, each of which has its advantages. Application-level gateways are regarded as the most secure; packet filters are faster but less secure; and circuit-level gateways are also less secure and are typically implemented in hybrid firewalls with application-level capabilities for incoming connections, says Yankee. Alongside the firewall market is the separate market for user identification and authentication: the passport control of networking. Vendors that predominate here are Security Dynamics Technologies Inc and Cylink Corp. The technology goes one important step beyond standard passwords for authorizing access. With Security Dynamics’ SecurID token authentication, a second factor is added to authenticate the user’s identity. A randomly generated one-time access code that changes every 60 seconds is associated with the password. To date many of these firewall, authentication, and other access control offerings have been point products – focusing on doing a single job well. What is underway at some companies is an attempt to establish an architecture to be used as a broader security system. Check Point’s Opsec is one such attempt.
But the company hints at higher ambitions – to add more and more products and establish a more secure environment. In doing so, it will be moving into territory that Axent Technologies Inc feels it owns. Axent emerged two and a half years ago after splitting off from its parent company Raxco Inc, a Vax systems management software specialist. In November 1995, it launched OmniGuard, a policy-based client-server security framework that includes modules for access control, intruder alert software, and for the integration of third-party products. OmniGuard’s aim is to centrally manage all aspects of security, establishing a policy that can be implemented across all aspects of the network. One of the starting points to our strategy was to take the architecture used in security products such as IBM Corp’s RACF and ACF2 – and bring it to the client-server market, says Richard Lefebvre, chief executive of Axent. Having gone public in April, Axent intends to use its war chest of cash and high share price to acquire a range of products that will flesh out its underlying framework. For Lefebvre, there is too much fear and doubt cast about protecting assets from Internet-borne intruders or from internal incompetence or criminal behavior. Having the right policy and assigning the right privileges inside your company is very important, and then you need to make sure you are protected from any outside threat. So solve the 75% internal threat which is divided between unconscious corruption of files and conscious theft or fraud. Then solve the other 25% that is external with good perimeter defenses, the right firewall, intrusion detection, remote access control and encryption devices. When you do that, you have done as much as you can to protect your corporation.
From an article titled Over Exposed in January’s Computer Business Review.