The ability to deep-inspect a packet's payload has opened up a whole new world of application-layer protection technologies. Intrusion Prevention Systems (IPS) remain the cornerstone of security infrastructure, followed by Security Event/Information Management (SEM/SIM), Identity and Access Management (IAM), and remediation management technologies.
From an infrastructure perspective, the focus
of emerging security technologies is moving upstream
from platforms to enterprise networks, and on
to the Internet itself. This has been precipitated
by the mounting exploitation of vulnerabilities
at the network level.
Protecting platform and network
Evolving technologies such as Microsoft's Longhorn OS (under its Trustworthy Computing initiative) aim to secure input from devices such as the keyboard, protect application data from modification, encrypt storage, and provide attestation so that the owner, or a remote party, can verify whether the data or software has been modified.
Microsoft is also actively working with anti-virus vendors to add features to its software that make it possible to verify whether a user's desktop is secure and has up-to-date anti-virus signatures in place before it is granted access to corporate resources.
The Trusted Platform Module (TPM) developed by the Trusted Computing Group (an industry consortium led by AMD, HP, IBM, Intel and Microsoft) has been around for two years and is finally emerging in the mainstream. The TPM is a chip built into PCs and notebooks that protects cryptographic keys and records measurements of the software that booted, so that applications can run more securely and transactions and communications can be made more trustworthy.
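The attestation the paragraph above refers to rests on one small primitive: a platform configuration register (PCR) can only be extended, never set, so the final value commits to the whole chain of software that booted. The following is an added example, not code from Microsoft, the TCG or any TPM vendor; it simulates the extend operation in Python over constructed "boot component" byte strings and shows how a verifier replays the reported event log against known-good digests. The component names, images and the golden-value table are assumptions made for the illustration, and the signature a real TPM places over the PCR value with its attestation key is left out.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as the TPM does it: PCR_new = SHA-1(PCR_old || measurement).
    The operation is one-way, so a value cannot be set, only extended."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """Each boot stage hashes the next component before handing control to it."""
    return hashlib.sha1(image).digest()


def measured_boot(components):
    """Simulate a measured boot. Returns the final PCR value and the event log
    (component name, digest) that the platform later reports alongside it."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    event_log = []
    for name, image in components:
        digest = measure(image)
        event_log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, event_log


def verify_attestation(reported_pcr, event_log, golden):
    """Verifier side. First replay the log to confirm it reproduces the
    reported PCR (a real TPM signs that PCR value with an attestation key;
    the signature check is omitted here), then check every digest against
    the known-good values."""
    pcr = bytes(PCR_SIZE)
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return False, "event log does not replay to the reported PCR value"
    for name, digest in event_log:
        if golden.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "all measured components match policy"


# Constructed stand-ins for boot components; the bytes are not real firmware.
GOOD_BOOT = [
    ("bootloader", b"bootloader v1.0"),
    ("kernel", b"kernel build 1"),
    ("initrd", b"initrd contents"),
]
GOLDEN = {name: measure(image) for name, image in GOOD_BOOT}


def demo():
    """Returns three verification outcomes: a clean boot, a modified kernel,
    and a modified boot reported with the clean log to hide the change."""
    good_pcr, good_log = measured_boot(GOOD_BOOT)
    clean_ok, _ = verify_attestation(good_pcr, good_log, GOLDEN)

    tampered = [GOOD_BOOT[0], ("kernel", b"kernel build 1 + rootkit"), GOOD_BOOT[2]]
    bad_pcr, bad_log = measured_boot(tampered)
    tampered_ok, _ = verify_attestation(bad_pcr, bad_log, GOLDEN)

    # Presenting the clean log with the tampered PCR fails the replay check
    hidden_ok, _ = verify_attestation(bad_pcr, good_log, GOLDEN)
    return clean_ok, tampered_ok, hidden_ok


if __name__ == "__main__":
    print(demo())
```

The third case is the important one: because the PCR is the result of a one-way chain, an attacker who modifies a component cannot present an unmodified log without the replay failing, and cannot "un-extend" the register to hide the measurement.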
Network security technologies that foster trust by automatically enforcing security policy compliance are now becoming universal. A new security specification being developed by the Trusted Computing Group, called Trusted Network Connect (expected to be released by the end of this year), aims to remove the danger posed by insecure PCs connecting to a corporate network, a danger that has grown with the spread of laptops and mobile computing devices in the enterprise.
Similarly, Cisco's Network Admission Control (NAC)
program (under its Self-Defending Network strategy)
configures routers to permit end-point devices
such as PCs, PDAs, or servers to connect to the
network only if their security status is in compliance
with the network's security policies. This enables
the network to protect itself against viruses,
worms and other security threats.
Security devices in the network are more effective
if they can dynamically share information and
cooperate with each other in the face of an attack.
Dynamic coalition security technologies are emerging
that not only permit real-time device-level information
sharing and interactions within a local network,
but also between devices in different administrative
domains distributed across WANs. Autonomic security technologies that enable devices to learn and heal themselves while under attack are on the horizon, and survivability technologies are emerging that build fault and intrusion tolerance mechanisms into networks.
Securing the Internet
The Internet's weakest links are its domain name system (DNS) and its core routing protocols. This is compounded by its susceptibility to DDoS attacks.
DNS answers can be forged to redirect or steal email, intercept Web pages, or impersonate other users. DNSSEC, a set of extensions developed by the IETF, is being adopted to secure the DNS. DNSSEC uses public key cryptography to digitally sign DNS records so that a validating resolver can verify the origin and integrity of every answer it receives and reject forged ones. It does not encrypt queries or responses; it adds authenticity to the DNS, not confidentiality.
The core Internet routing infrastructure is based on the Border Gateway Protocol (BGP), which is highly vulnerable because it has no way to verify that a peer is authorized to announce the routes it advertises (the optional TCP MD5 signature protects only the session between two peers). An attacker able to masquerade as a peer router, or simply a misconfigured peer, can inject false routes and redirect traffic. A flaw in the TCP protocol highlighted in April of this year allows attackers who can guess a session's ports and a sequence number within its window to tear down long-lived BGP sessions with forged reset segments, a denial of service against Internet routers. Secure BGP (S-BGP) addresses these vulnerabilities with a PKI for address and AS ownership, digitally signed route attestations, and IPsec to protect the peer sessions.
DDoS is a major concern, more so because the IP protocol does not authenticate source addresses, which makes it difficult to identify the true origin of a packet. An attacker can freely generate DDoS packets with spoofed source addresses. Source Path Isolation Engine (SPIE) technology provides the ability to trace an individual IP packet back to where it entered the network, regardless of the source address it carries. Rather than keeping copies of packets, each SPIE-enabled router stores a compact hash digest of every packet it forwards (computed over the header fields that do not change hop to hop, plus a prefix of the payload) in a Bloom filter. Tracing a particular packet back to its source is then a process of asking each router, starting from the victim's, whether it has seen that packet's digest, for as long as the digests are retained.
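The following is an added example, not part of the original article and not SPIE's own implementation. It follows the published SPIE design, in which routers keep Bloom filters of packet digests rather than the packets themselves, and builds a constructed five-router topology in Python: background traffic enters at one edge, an attack packet with a spoofed source enters at another, and the victim's router walks upstream by asking each neighbor whether it holds the packet's digest. The field names, topology and sample packets are assumptions made for the illustration.

```python
import hashlib

# Header fields that do not change hop to hop (TTL and the header checksum do,
# so they are excluded); real SPIE also folds in the first bytes of the payload.
INVARIANT_FIELDS = ("src", "dst", "proto", "ip_id", "payload_prefix")


def packet_digest(pkt: dict) -> bytes:
    canonical = "|".join(str(pkt[f]) for f in INVARIANT_FIELDS).encode()
    return hashlib.sha1(canonical).digest()


class DigestTable:
    """Bloom filter of packet digests: a few bits per packet instead of a copy
    of the packet, so a router can remember everything it forwarded recently."""

    def __init__(self, bits: int = 1 << 16, hashes: int = 3):
        self.bits, self.hashes = bits, hashes
        self.bitmap = bytearray(bits // 8)

    def _positions(self, digest: bytes):
        for i in range(self.hashes):
            h = hashlib.sha1(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def insert(self, digest: bytes) -> None:
        for pos in self._positions(digest):
            self.bitmap[pos // 8] |= 1 << (pos % 8)

    def seen(self, digest: bytes) -> bool:
        # No false negatives; false positives are possible but rare at this size
        return all(self.bitmap[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(digest))


class Router:
    def __init__(self, name: str, neighbors: list):
        self.name, self.neighbors = name, neighbors
        self.table = DigestTable()

    def forward(self, pkt: dict) -> None:
        self.table.insert(packet_digest(pkt))
        pkt["ttl"] -= 1  # mutates per hop, which is why TTL is not hashed


def traceback(routers: dict, victim_router: str, pkt: dict) -> list:
    """Starting at the victim's router, ask each neighbor whether it has seen
    the packet and step upstream until no neighbor has; returns the path."""
    digest = packet_digest(pkt)
    path, visited = [victim_router], {victim_router}
    current = routers[victim_router]
    while True:
        upstream = [n for n in current.neighbors
                    if n not in visited and routers[n].table.seen(digest)]
        if not upstream:
            return path
        current = routers[upstream[0]]
        visited.add(current.name)
        path.append(current.name)


def demo() -> list:
    """Constructed topology: R1 - R2 - R3 - R4, with R5 also attached to R2."""
    routers = {
        "R1": Router("R1", ["R2"]),
        "R2": Router("R2", ["R1", "R3", "R5"]),
        "R3": Router("R3", ["R2", "R4"]),
        "R4": Router("R4", ["R3"]),
        "R5": Router("R5", ["R2"]),
    }
    # Background traffic entering at R5, so R2..R4 hold other digests too
    for n in range(50):
        p = {"src": "10.5.0.1", "dst": "192.0.2.10", "proto": 6, "ip_id": n,
             "payload_prefix": "GET /", "ttl": 64}
        for hop in ("R5", "R2", "R3", "R4"):
            routers[hop].forward(p)
    # Attack packet entering at R1 carrying a spoofed source address
    attack = {"src": "203.0.113.77", "dst": "192.0.2.10", "proto": 17,
              "ip_id": 4242, "payload_prefix": "\x00\x00\x00\x00", "ttl": 64}
    for hop in ("R1", "R2", "R3", "R4"):
        routers[hop].forward(attack)
    # The victim hands the packet, as received, to the traceback system
    return traceback(routers, "R4", attack)
```

The trace ends at R1, the router where the packet entered, even though the source address in the packet points somewhere else entirely; that is the property that defeats spoofing. In practice the digest tables are paged out on a time window measured in seconds to minutes, so the query has to be raised promptly after the packet arrives.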
Plugging the Port 80 hole
Port 80 is now the primary passageway for Web content to enter and exit the corporate network. Port 80 traffic will only increase following the official ratification of the 'Web Services Security 1.0' specification in April of this year, which will serve as the foundation for building security into Web services and pave the way for widespread corporate adoption.
With 70% of all intrusion attempts targeting port
80, the battlefield has moved from the network
layer to the Web applications themselves. Many
firewalls in use today allow port 80 requests
to pass through a network's perimeter (in order
to reach a Web server) with just rudimentary protocol
checks, potentially allowing malicious code to
slip through the barrier.
Web application security technologies to plug the port 80 hole are appearing. Web application firewalls (like the KaVaDo security platform) inspect the HTTP requests and responses themselves and address different types of application-layer threats, both known and unknown. Specialized intrusion prevention systems focusing on .NET services and XML transactions, and vulnerability scanners that find holes in Web servers, are now becoming ubiquitous.
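To make concrete what "rudimentary protocol checks" miss, here is an added example in Python of the kind of request inspection a Web application firewall performs; it is not KaVaDo's code or rule set, and the three rules, the sample requests and the normalization steps are assumptions chosen for the illustration. A port filter sees only "TCP to port 80" for every one of the requests in the test; an application-layer inspector decodes the request, canonicalizes it (repeated percent-decoding defeats the double-encoding trick) and matches against what the request actually asks the application to do.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (attackers double-encode to slip past a
    single-pass filter), fold backslashes to slashes and lower the case, so
    the rules below see one canonical form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


# Constructed sample rules; a product rule set is far larger and also
# inspects headers, cookies and request bodies.
RULES = [
    ("path traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sql injection", re.compile(r"'\s*(or|and)\s+[\w']+\s*=|union\s+select|;\s*drop\s+table")),
    ("script injection", re.compile(r"<\s*script|javascript:")),
]


def inspect_request(request_line: str) -> list:
    """Return (rule, location) findings for one HTTP request line.
    A port filter would have passed every one of these requests unchanged."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    candidates = [("path", normalize(parts.path))]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append((f"query:{key}", normalize(value)))
    findings = []
    for location, text in candidates:
        for rule, pattern in RULES:
            if pattern.search(text):
                findings.append((rule, location))
    return findings


if __name__ == "__main__":
    for line in (
        "GET /cgi-bin/..%252f..%252fetc/passwd HTTP/1.0",
        "GET /login?user=admin&pass=x%27%20OR%20%271%27%3D%271 HTTP/1.1",
        "GET /products?id=42&sort=name HTTP/1.1",
    ):
        print(line, "->", inspect_request(line) or "clean")
```

Note the ordering: decode first, then match. Matching before canonicalization is the classic WAF bypass, and bounding the decode rounds keeps a hostile request from turning the normalizer itself into a denial of service.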
Secure messaging applications
The bulk of corporate traffic moves over email, inviting attackers and spammers to exploit this avenue. Spamming, phishing, and using email as a carrier for malicious code into corporate networks are becoming routine. This is largely due to the ease with which an attacker can forge the sender address, since SMTP does not verify it.
Messaging technologies are using the Internet's DNS to publish which hosts are allowed to send mail for a domain, or the keys needed to verify signed mail, so that forged senders can be detected. In February of this year, Microsoft announced its Caller ID for Email specification (under its Coordinated Spam Reduction Initiative), designed to detect messages whose purported sending domain does not authorize the host that delivered them. Other similar technologies to detect spoofed sender addresses used by spammers and phishers to disguise their identities are Meng Wong's Sender Policy Framework (SPF) and the Lightweight MTA Authentication Protocol (LMAP) work under way in the IETF. Yahoo has developed an authentication scheme using digital signatures called DomainKeys. In late May 2004, Microsoft proposed merging its Caller ID with SPF (the merged proposal became known as Sender ID).
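The following is an added example, not code from the SPF project or any of the vendors named above, of how an SPF check uses the DNS to decide whether the connecting host may send mail for the envelope sender's domain. The zone data is a constructed in-memory table standing in for live TXT lookups (the domain names and addresses are assumptions from documentation ranges), and only the ip4, ip6, include and all mechanisms are handled; the a, mx, ptr and exists mechanisms, which need further DNS queries, are reported as a permanent error rather than modelled.

```python
import ipaddress

# Constructed zone data standing in for live TXT lookups; not real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailhost.example.net -all",
    "mailhost.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Stand-in for a DNS TXT query; returns None when no SPF record exists."""
    return DNS_TXT.get(domain)


def check_spf(sender_ip: str, domain: str, _depth: int = 0) -> str:
    """Evaluate the domain's SPF record against the connecting IP and return
    pass / fail / softfail / neutral / none / permerror."""
    if _depth > 10:  # guard against include: loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass if it matches"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            # include matches only when the included domain yields "pass"
            matched = check_spf(sender_ip, term[8:], _depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists need more DNS; not modelled
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and the record had no "all"


if __name__ == "__main__":
    for ip, dom in (("192.0.2.10", "example.com"), ("203.0.113.5", "example.com")):
        print(ip, dom, "->", check_spf(ip, dom))
```

The receiving mail server runs this check on the SMTP connection's IP address and the domain of the envelope sender; what it does with a "fail" (reject, quarantine, or just score) is local policy, which is why "-all" versus "~all" matters to the domain owner.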
Email application firewalls integrate multiple
capabilities like anti-spam, anti-phishing, anti-virus,
email policy enforcement, email privacy and gateway
protection into a single platform, with capability
to analyze, manage and report on email traffic
flowing in and out of the organization. Email
archiving technologies are becoming widespread
to meet compliance requirements of Acts that mandate
preservation of email records.
Though Instant Messaging (IM) usage has become commonplace within the enterprise, consumer IM protocols are very difficult to control and make no provision for message logging, confidentiality, or access control. Rogue use of IM is a real possibility, with serious repercussions. Emerging IM technologies
control who can use IM, which IM protocols are
allowed, what features are to be enabled, to whom
the users may IM or chat with (within the company
and/or outside the company). Thus rogue IM usage
is contained, while allowing IM for authorised
business communications.
Remediation technologies
Active vulnerability scanning, which probes or simulates attacks on network components, can crash production systems. The emergence of effective passive vulnerability scanning technologies (such as Tenable's NeVO), which infer vulnerabilities from the traffic they observe, has made it feasible to monitor the network continuously for vulnerabilities without degrading the network or endangering production systems.
Technologies for automated and remote patch updating, such as PatchEasy, eliminate the complexity and drudgery of enterprise patch management. While patch management software has been around for a while, emerging technologies add the ability to verify a patch's suitability before applying it in a production environment.
Security technologies that manage configuration
control - documenting changes, troubleshooting
problems, controlling access, and enabling disaster
recovery, are being integrated with security event
and information management consoles to provide
a holistic security management solution.
Secure remote and wireless access
SSL VPN technology is rapidly taking the place of traditional IPsec VPNs, which were designed for site-to-site connectivity, for remote access. SSL VPNs offer greater scalability and flexibility for remote access by combining SSL encryption with proxy technologies. SSL provides server authentication (and optionally client authentication) and data encryption between Web browsers and Web servers.
Crucial flaws in the 802.11 WEP security protocol (a 24-bit initialization vector that repeats on a busy network, a linear integrity check, and weaknesses in its use of RC4) have been the bane of wireless LANs. Wi-Fi Protected Access (WPA) replaced WEP as the standard for 802.11 WLAN security in March 2003, and WPA-compliant products started shipping in May 2003. Now the WPA2 specification is on the horizon (it was originally scheduled for December 2003). WPA2 is a superset of WPA with a full implementation of the 802.11i security standard, including AES-based encryption and 802.1X authentication.
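The IV-reuse flaw in WEP is worth seeing in working code, because it needs no key recovery at all. The following is an added example in Python, not code from any standard or vendor: it implements RC4, builds WEP-style frames (24-bit IV sent in the clear, keystream derived from IV || shared key; the CRC-32 integrity value is omitted for brevity), and shows that two frames encrypted under the same IV let an attacker who can guess one plaintext read the other. The key, IV and frame contents are constructed for the illustration; the birthday-bound helper quantifies how quickly a random 24-bit IV repeats.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP uses it with a per-frame key of IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 24-bit IV travels in the clear, followed by
    RC4(IV || shared_key) applied to the payload (CRC-32 ICV omitted)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plain_a: bytes):
    """Two frames with the same IV share a keystream. XORing frame A with its
    (guessable) plaintext yields that keystream, which then decrypts frame B
    without the key. Returns None when the IVs differ."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    keystream = xor_bytes(ct_a, known_plain_a)
    return xor_bytes(ct_b, keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` randomly
    chosen IVs coincide. With 24 bits the odds pass 50% after a few thousand."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def demo() -> bytes:
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"           # the same IV used twice by a busy station
    plain_a = b"GET /index.html HTTP/1.0\r\n\r\n"  # predictable traffic
    plain_b = b"user=bob&password=hunter2"
    frame_a = wep_encrypt(key, iv, plain_a)
    frame_b = wep_encrypt(key, iv, plain_b)
    return recover_from_iv_reuse(frame_a, frame_b, plain_a)


if __name__ == "__main__":
    print(demo())
    print(round(iv_collision_probability(5000), 3))
```

Protocol headers (LLC/SNAP, IP, common HTTP requests) supply the known plaintext in practice, and many WEP cards reset the IV to zero on power-up, so collisions arrive far sooner than the birthday estimate suggests. WPA's TKIP replaced the 24-bit IV with a 48-bit sequence counter and a per-packet key, which is precisely this problem being fixed.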
Apart from the inherent vulnerabilities of the
WLAN protocols, one of the main reasons why organizations
shy away from using wireless is that in larger
environments with over 15-20 Access Points (often
found in campuses, hospitals etc), the control
over the network becomes heavily decentralized
making it difficult to enforce security policy.
Also, rogue Access Point detection becomes daunting.
Emerging security technologies address these concerns,
making it safe to deploy WLAN over any environment.
Employees are increasingly using PDAs to send
mail and access the corporate network. The devices
can easily be lost or stolen, compromising sensitive
corporate data or access to the network. Enforcing
control over PDAs has become an imperative. PDA
security technologies protect data stored in the
PDA through strong encryption, and deny unauthorized
access to data by automatically wiping it if the
PDA is lost or stolen. The technologies also prevent
users from running unauthorized applications,
and set individual and enterprise-wide policies
(like minimum password length).
Other areas
Most security breaches occur over a period of time, sometimes over many days or even weeks. Vital evidence generated during the period leading up to the breach (probes, failed login attempts and the like) is mostly overwritten or lost by the time anyone looks for it. Now, stream-to-disk technology (in products like InfiniStream and Niksun) efficiently captures and stores all traffic on the network, providing a complete packet-level history of network activity spanning long periods and permitting replay of HTTP, FTP, POP3, VoIP, SMTP and IRC sessions. Such forensic capability is vital for gathering the evidence that substantiates an intrusion.
The strength of present-day public-key cryptography (RSA in particular) lies in the difficulty of factoring large numbers: the larger the number, the harder it is to factor. As processing speed increases and factoring algorithms improve, a given key size offers less margin, forcing the use of longer keys to attain the same level of security. Symmetric ciphers face the same pressure from exhaustive key search rather than factoring, which is why 56-bit DES keys gave way to 128-bit keys. Grid computing promises large amounts of processing power on demand, but because the cost of the best known factoring methods still grows steeply with key size, raw processing power alone moves the safe key length by only a few bits at a time; it is a large quantum computer running Shor's algorithm, should one be built, that would break factoring-based cryptography outright. Both trends are feeding interest in quantum cryptography, or quantum key distribution, which uses the properties of quantum physics to exchange keys in such a way that an eavesdropper disturbs the transmission and is detected. Its security rests on physics rather than on a hard mathematical problem, although a practical system is still only as secure as the hardware that implements it. Quantum cryptography has already moved out of the lab into the real world: companies like MagiQ and ID Quantique have sold hardware to several customers in government and the armed forces keen to protect data with it.
Target-based IDS technologies that slash the noise are now available. Older-generation IDSs raised an alert on every signature match, whether or not the target was even running the software being attacked, and left the administrator to work out which alerts mattered. Target-based IDS automates that qualification: the sensor consults what it knows about the target host (operating system, services, known vulnerabilities) before sounding an alert, and that act of checking the target's vulnerability first is what differentiates it from the older generation.
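Here is an added example of that qualification step in Python; it is not the logic of any named IDS product. The asset inventory, the signature metadata and the alert lines are all constructed for the illustration (the signature names describe what a rule is for, not real rule identifiers). The correlation is deliberately simple: an alert survives only if the destination host actually runs the platform and service the signature attacks.

```python
import re

# Constructed asset inventory, as a passive scanner or host agent would build it.
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache/2.0", 22: "openssh/3.8"}},
    "10.0.0.8": {"os": "windows", "services": {80: "iis/5.0", 445: "smb"}},
}

# Constructed signatures; each declares which platform and service it exploits.
SIGNATURES = {
    1001: {"name": "IIS 5 HTTP request overflow attempt", "os": "windows", "service": "iis/5"},
    1002: {"name": "Apache 2.0 HTTP request overflow attempt", "os": "linux", "service": "apache/2.0"},
    1003: {"name": "SMB null session probe", "os": "windows", "service": "smb"},
}

ALERT_RE = re.compile(r"sid=(\d+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def qualify(alert_line: str) -> tuple:
    """Classify one raw alert as relevant, irrelevant or unknown_target by
    checking whether the destination really runs what the signature targets."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return ("malformed", alert_line)
    sid, dst, dport = int(m.group(1)), m.group(3), int(m.group(4))
    sig = SIGNATURES.get(sid)
    if sig is None:
        return ("malformed", f"unknown sid {sid}")
    asset = ASSETS.get(dst)
    if asset is None:
        return ("unknown_target", sig["name"])  # keep, but at lower priority
    service = asset["services"].get(dport)
    if service is None:
        return ("irrelevant", f"{sig['name']}: port {dport} not open on {dst}")
    if asset["os"] != sig["os"] or not service.startswith(sig["service"]):
        return ("irrelevant", f"{sig['name']}: target runs {service} on {asset['os']}")
    return ("relevant", sig["name"])


def triage(alert_lines) -> dict:
    """Group a batch of alerts by verdict."""
    buckets = {}
    for line in alert_lines:
        verdict, detail = qualify(line)
        buckets.setdefault(verdict, []).append(detail)
    return buckets


# Constructed sample alerts in a simple key=value format.
SAMPLE_ALERTS = [
    "2004-05-12T10:01:03 sid=1001 src=203.0.113.9 dst=10.0.0.5 dport=80",
    "2004-05-12T10:01:04 sid=1001 src=203.0.113.9 dst=10.0.0.8 dport=80",
    "2004-05-12T10:01:05 sid=1003 src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2004-05-12T10:01:06 sid=1002 src=203.0.113.9 dst=10.0.0.5 dport=80",
    "2004-05-12T10:01:07 sid=1001 src=203.0.113.9 dst=10.0.0.99 dport=80",
]

if __name__ == "__main__":
    for verdict, details in triage(SAMPLE_ALERTS).items():
        print(verdict, details)
```

Two of the five alerts survive as relevant. Note that "irrelevant" is not "discard": an attacker firing IIS exploits at an Apache server is still reconnaissance worth counting, just not an incident, and hosts missing from the inventory are the ones a passive scanner should be asked about next.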
Anti-virus technologies based on signature or heuristic detection are ineffective at mitigating unknown or zero-day worm and virus attacks. Products (such as McAfee's VirusScan 8.0i) are evolving to surmount this limitation by incorporating intrusion prevention mechanisms into traditional AV.
Anti-Worm (AW) technologies providing specialized
protection against worm threat are becoming popular.
The AW solution divides the network into smaller
segments with AW appliances deployed at strategic
locations inside each segment. Each appliance
can identify the early signs of a worm outbreak
and act automatically to suppress it.
Bottom line
Security technologies have been emerging to
counter threats as they arise. Some of these,
like the IPS, have been exceptionally effective.
However, most security technologies succeed in
managing the risk only partially. This is because,
in addition to technologies, effective risk management
also requires the right mix of people and processes.