Security specialist The Windermere Group, which up to now has developed surveillance products for government agencies, is extending its focus to internal networks.
"The product that we're building allows for secure Web browsing between domains," explains Tom Ruoff, director of Windermere's systems division, adding that this will link networks with different security levels and protect the data being transferred among them.
The government defense sector alone, for example, relies on a number of different networks, such as the top-secret Joint Worldwide Intelligence Communications System (JWICS), the Secret Internet Protocol Router Network (SIPRNet), and the Non-Classified Internet Protocol Router Network (NIPRNet), all of which have their own security standards.
At the heart of Windermere's effort, backed by government funding, is a device Ruoff describes as a "guard." This, he adds, has been in development for two years and will carefully monitor traffic between different networks.
Specifically, the guard consists of software developed by Windermere running on a Sun Microsystems V40 server. This, in turn, links up with Microsoft's Terminal Server and Citrix's ICA technology.
According to Ruoff, the guard will be more secure than using a firewall. "With a firewall, you can undermine the operating system," he explains, adding that the guard instead uses a hardened version of the Linux operating system called Security-Enhanced (SE) Linux.
Bob Egan, director of emerging technologies at analyst firm TowerGroup, tells Byte and Switch that users are increasingly turning to products that serve as a secure bridge between networks. "Setting up systems with devices that have built-in security and monitor data in motion are becoming increasingly more prevalent," he says. "9/11 really changed the game, and people began to realize that security is a distributed problem."
Egan agrees that firewalls can be compromised. "Simple browser technology requires so many ports to be open on the firewall that you're shooting holes in your firewall with a 10-gauge shotgun." But the analyst warns that a hardened version of Linux is hardly a silver bullet. "Linux feels more secure today because it's a smaller target" than Windows.
Nonetheless, Windermere appears to be getting some traction for its new devices. Ruoff tells Byte and Switch that the technology has already been tested within the U.S. government, and he expects to see the guards fully deployed within a couple of defense agencies early next year.
Commercial deployments could also be on the agenda. "If Pfizer or Merck were concerned about information leakage from their research department out to the Internet, then these are the kinds of devices that would reduce that risk," says Ruoff.
The Annapolis, Md.-based vendor, however, is not the only firm tackling the network security problem; a number of suppliers, including Getronics, already have offerings in this space. But Ruoff says that, rather than focusing on specific network protocols, the guard will look for changes in individual service activity, such as email.
Egan believes that this is a sensible strategy. "Focusing on a more services-based approach fits in with my notion that security is a distributed problem," he asserts. "If somebody gets into your email system, the email system is down."
U.S. organizations have been dogged by a string of security snafus over the last couple of years, with the Veterans' Administration recently hitting the headlines over a stolen laptop. (See VA Reports Massive Data Theft.) Although the laptop reappeared last week, the episode underlined the importance of implementing robust security policies and technology. (See Breaches Stress Need to Improve, IT Managers Walk Tape Tightrope, Financial Security: Priceless, Don't Be a Data Privacy Dunce, and CardSystems Responds to Security Incident.)
Pricing for Windermere's network security offering, which will be on the market in early 2007, is expected to be in the region of $250,000 for around 200 concurrent users.
James Rogers, Senior Editor, Byte and Switch. Special to Dark Reading.