In depth: Outsourcing security may fit smaller businesses

Keeping your Internet and network safe is a real concern and one that your organization may not be able to handle in-house. According to this Auerbach report, outsourcing may be the answer for smaller organizations now entering the high-speed market.

Summary prepared by TechRepublic's Dana Norton

If you are staying awake at night worried about the security of your network, now is the time to create a comprehensive Internet security plan that works. But creating a new in-house security initiative may not be an option for smaller operations now entering the high-speed market or if your organization is already fighting a tight budget.

An alternative is to use an outsourcer to handle Internet security. And while there is an expense involved with outsourcing, the service may pay for itself, according to Auerbach Publications author Joan Wilbanks in her report “Outsourcing Internet security: The life you save may be your company’s.”

“With the right kind of network security service, the cost is easily absorbed, and the results are far superior to anything [an organization] could achieve on their own,” Wilbanks writes.

In the report, Wilbanks explains the following:
  • Why traditional security solutions, including firewalls, intrusion detection systems (IDSs), and virtual private networks (VPNs) may not be enough to halt many security breaches.
  • What criteria organizations should look for in an outsourcer.
  • The questions you need to ask to isolate the best Internet security service.

Read the full Auerbach article to learn more about the risks of always-on access and how the right provider can help mitigate those risks.

Auerbach Publications on TechRepublic
For 40 years, Auerbach Publications has been publishing premier content for IT professionals. You can find many of its enterprise computing articles at TechRepublic. You can read more Auerbach Publications articles by clicking here.

Outsourcing Internet security: The life you save may be your company's
By Joan Wilbanks

Freedom from dial-up modems! Incredible speed! Glorious connectivity! Caught up in the value of high-speed Internet service, many businesses ignore the dark underbelly of always-on access—the serious security risks that accompany any such connection. They may have a vague notion that danger lurks but often remain unaware of how susceptible they are to denial of service (DoS) attacks, resource hijacking, e-mail viruses, and other Internet-borne plagues that could cripple not only their networks, but also their entire enterprise.

In fact, this lack of awareness is occurring at a time when security risks are increasing dramatically for businesses of all sizes. For one thing, the public infrastructure of the Internet is more subject to attack than the dedicated private lines that corporations traditionally used for high-speed data exchange. Now that many corporations have switched to virtual private networking (VPN) over the Internet, the inherent security of the private line has been compromised.

Even more significant, however, is the fact that high-speed access is now within reach of virtually any organization. When only multimillion-dollar corporations could afford high-speed connections, security issues were dealt with by large IT departments with an in-house contingent of network security specialists. In contrast, many of the organizations that are signing up for high-speed services today do not even have an IT department, let alone a security specialist on staff. This, in turn, compromises the effectiveness of virtually all existing network security solutions, because these technologies require skilled people to configure, manage, and monitor them.

Wanted: Internet security specialists
Many organizations keep their heads in the sand concerning Internet security because they think they cannot afford to do otherwise. Hiring a security specialist is out of the question, so what is the point? Although they know—subconsciously at least—that the risks are there, they blindly hope nothing will happen to their network. These are the organizations whose computing resources are easily commandeered by Internet vandals to perpetrate DoS attacks and whose sensitive data (think medical records, law briefs, product designs, financial statements) are an open book to any passing hacker.

Other organizations fully recognize that a threat exists but believe that simply installing technology solutions on their networks will effectively nullify that threat. Unfortunately, most of these solutions—from firewalls to intrusion detection systems—are not designed to run unsupervised, any more than a hammer works well without a hand to wield it. Technology solutions are tools that require expert hands. For small- to midsize businesses and branch offices, this brings us back to the primary obstacle: the prohibitive cost of in-house network security specialists.

A growing number of organizations have discovered a solution that takes into account both their limited budgets and the limited effectiveness of technology-only solutions. They have chosen to outsource Internet security rather than trying to take care of it themselves. With the right kind of network security service, the cost is easily absorbed, and the results are far superior to anything they could achieve on their own.

Traditional network security solutions are not enough
Traditionally, Internet security solutions have assumed that the user would have (or have access to) a high level of technical expertise. This was indeed the case before advances in digital subscriber line (DSL) and cable modem technology brought high-speed access to the masses. Now that high-speed services are widely available, Internet security technologies are just as widely needed, yet there has been no inverse reduction in the level of expert oversight they require. This is evident in three technologies that address Internet security: firewalls, intrusion detection systems (IDSs), and virtual private networks.

An effective firewall, which is based on either hardware or software, encloses the internal network in a kind of a protective yet permeable bubble designed to prevent unauthorized access. Any inbound traffic that fails to meet predefined security criteria is rejected, and outbound traffic can be similarly scrutinized to ensure that authorized network users are not doing something they shouldn’t.

Most firewalls filter network traffic on a packet-by-packet basis, making it difficult for unwelcome data to slip through undetected. However, configuring packet filtering is no activity for the novice. It requires a nuts-and-bolts understanding of internetwork communications, including protocols, ports, and sockets. And because firewalls must keep pace with “advances” in network attack methods, they require frequent updates.

In addition, packet filters themselves are not foolproof. Hackers can trick them using techniques such as IP spoofing, a favorite attack method in which one host claims the IP address of another. To help prevent IP spoofing and similar attacks, some firewalls use stateful packet filtering, which tracks information across packets. This allows the context of each packet to be taken into account, making it easier to distinguish suspicious activity from legitimate network usage.

But even stateful packet filtering is not bulletproof. No firewall can, by itself, stop all questionable traffic or always tell the difference between an innocent e-mail message and a plot to bring down the network. The fact is that hackers stay up nights inventing ways to bypass firewalls. So even the best firewalls cannot keep out many kinds of attacks. For example, hackers use “tunneling” to encapsulate stealth packets within the legitimate packets of alternative network protocols.

It is, therefore, clear that while firewalls provide a necessary first-line defense—much like the moat around a castle—they cannot be considered an impassible barrier to attack. Firewalls can be forded. They need archers on the roof, so to speak, who can stop those attempting a crossing before they have a chance to invade the network.

Intrusion detection systems (IDSs)
Another Internet security solution, the intrusion detection system (IDS), is often used in conjunction with a firewall. An IDS monitors network traffic for certain patterns of activity that could mean trouble and issues alerts when it finds anything that varies from the norm. The IDS usually works by comparing the data that pass through it to a database of predefined “attack signatures.” These signatures are data sequences that correspond to different ways hackers might launch an attack or even attempt to disguise one.

The very fact that hackers try not to attract attention to themselves makes it difficult for the IDS to distinguish harmless activity from malicious intent. That is why IDSs often generate a number of false alarms each day and why they require close supervision by experienced network managers. These managers or other security personnel can review the full context of the offending activity and determine whether or not concern is warranted.

This is where one of the limitations of the IDS becomes apparent. It is, essentially, a passive system. Much like the weather service, its role is to monitor, to alert, and to continue monitoring. But when nobody is there to receive an alert, or when the alert does not reach the people who need to know, the warning is virtually useless.

A virulent attack on a company’s network can literally destroy a corporation. This is especially the case for smaller companies—the very ones who cannot afford to hire a network manager, to say nothing of a security specialist. Yet without an expert to analyze alerts, assess the circumstances, and determine an appropriate response, an IDS is of limited value.

Even when an alert reaches a security specialist, many commercial IDSs have other limitations that hamper their effectiveness. Some of them monitor audit trails rather than live network traffic, which means that any alert is received after the fact, sometimes after the damage has been done. In addition, most have a proprietary design that makes them slow to incorporate new attack signatures identified by reputable third-party organizations, such as the CERT Coordination Center. These proprietary designs also make them complex and costly to install, putting them beyond the reach of most small to midsize businesses.

Virtual private networking
Before the Internet became widely available, companies that wanted to connect headquarters with branch offices or cross-town campuses would lease dedicated lines to carry broadband traffic between LANs. These point-to-point links were, by definition, secure. But they were also very expensive.

The Internet has provided a welcome new option at far less cost: the virtual private network. But making a VPN as secure as a private line takes considerable insight and expertise. Most VPNs overcome the dangers of transmitting private information over the public infrastructure by using advanced encryption techniques, as well as other security measures. No matter how safe data is in transit, though, if the VPN’s endpoints are not just as secure, the interconnected LANs remain vulnerable to intrusion, theft, or vandalism.

For example, many companies find the VPN a wonderful way to maintain contact with suppliers or other business partners, allowing them to easily connect while on the road or from their own LANs. Although the convenience is marvelous, this easy connectivity can also provide openings for an attack. If the partner’s LAN is unprotected, for example, an attacker can exploit weaknesses on that LAN to infiltrate the VPN and gain access to the corporate intranet.

In short, it is simply not enough to rely on the VPN’s built-in encryption techniques and security features. People on both ends of the VPN link have to make the connection secure. Once again, technical expertise is required; all too often it is conspicuously absent where it is needed most.

The decision to outsource
Many companies that are serious about protecting their information assets are now realizing that simply installing Internet security solutions does not adequately protect their networks. Lacking the technical expertise in-house (as well as the ability to pay for it), they have decided to outsource Internet security.

A relatively new concept, outsourced Internet security is similar to a home security service. In the home security business, most people contract with a security service to monitor their alarm systems 24 hours a day. When an alarm is tripped inside a residence, it also sounds at a remote monitoring center, where employees take quick action to determine whether the alarm is a real one and then to notify authorities.

In the same way, an Internet security service provider installs network security equipment between the customer’s LAN and Internet connection (usually a firewall combined with an IDS), then keeps tabs on the equipment from a remote monitoring center. Customers are relieved of all installation, configuration, and maintenance responsibilities. Plus they reap many other benefits by outsourcing Internet security in this way:
  • The cost of the service is far less than hiring a full-time security expert, yet it provides the technical know-how every organization connected to the Internet desperately needs.
  • Network activity is monitored—in real time—24 hours a day, not just during work hours.
  • The service can protect the internal network from unsecured VPN endpoints.
  • The firewall and IDS solutions are far more effective because they are managed and monitored by security pros; the customer should not have to solve security problems.
  • When an intrusion is detected, these pros can use the remote monitoring connection to determine whether the alarm is justified and to actually block the intruder’s actions.

Good candidates for outsourcing
An organization or branch office with 250 or fewer networked users is an ideal candidate for this type of Internet security service. In many ways, outsourcing actually provides a higher degree of security than they could achieve in-house, where a system manager or security specialist is often pulled off-task to deal with unrelated networking issues or to help coworkers disentangle themselves from computing snafus.

In contrast, the people who man the service provider’s remote monitoring center are always 100 percent dedicated to watching for and responding to alerts that come from their customers’ networks. Or they should be. Not all Internet security services are created equal, so organizations should definitely investigate the service and talk to satisfied customers before signing up.

What to look for in an Internet security service
For small- to medium-size companies, the greatest barrier to adequate network security has always been cost. So when making a decision about outsourcing, it is important to calculate whether the cost is significantly less than hiring a dedicated security manager. For example, outsourced security for fewer than 250 seats should not require intensive on-site consulting. Although Fortune 500 companies can afford to pay thousands of dollars in consulting fees, smaller firms simply cannot.

On the other hand, to provide real value, the service provider must do more than simply install a firewall or IDS product. Again, without round-the-clock monitoring and active intervention in the case of attack, technology solutions cannot adequately protect the network.

Some questions to ask
Before signing up with a network security service, a company should have a clear picture of exactly what to expect from it. Important questions to ask before selecting a provider include the following:

Does the service offer real-time monitoring of all traffic entering and leaving the network? Real-time monitoring means that security specialists are stationed 24 hours a day in the remote monitoring center, ready to respond if an intrusion is detected on the customer’s network. “Real-time” also means that actual network activity is tracked, not log files or audit trails.

What actions or countermeasures are taken when alerts are generated? The service should do much more than just notify the customer when an alert has been detected. After all, gaining access to security expertise not available in-house is the primary reason to outsource Internet security. An effective security service should be willing and able to take action to defend its customers’ networks.

The actual response depends on the severity of the attack. Low-level attacks, such as port scans, may not merit human intervention but should be automatically terminated and logged by the monitoring equipment. New rules should also be automatically added to the firewall to block traffic from that address in the future.

Midlevel attacks, which are often difficult to distinguish from data that coincidentally matches a known attack type, should be immediately reviewed by security specialists to determine whether they are real threats. If so, the specialists can move to block the attack.

High-level attacks, such as distributed DoS attacks, should also be terminated automatically, then investigated by the specialists. A good network security service will not just foil attacks; it will also try to trace them back to the source. Being able to rely on knowledgeable security specialists, who can intervene in case of attack, is the single greatest benefit of outsourcing security.

How quickly does the security service respond? The response should be immediate, whether it is automated or requires human attention. Customers should be notified of any serious attack but should never be expected to solve the problem themselves.

How much training does the service provide its people? A robust training program is a very good indication of how seriously the network security service takes its job. The quality of the firewall and the IDS is important, but the quality of the people manning the monitoring center is even more vital.

How involved does the customer have to be? The answer should be this: not at all, at least in the area of detecting and responding to security threats. On the other hand, the service should maintain close contact with its customers, keeping them apprised of their network’s security status. In addition, customers should have a way to view and modify security settings or firewall rules, if they want to. There should be an easy interface they can use for this purpose.

How "secure" is the network security service? A security monitoring service cannot have the mentality of the shoemaker whose own children go barefoot. Security should be a top priority at the monitoring center. Access to customer systems should be tightly controlled, advanced encryption techniques should be employed for any data exchange, and the monitoring facility itself should be physically secured.

Technology considerations
In addition to asking questions about how the security service is delivered, it is a good idea to become informed about the technology that makes it possible. Some good questions to ask include the following:

How easy is installation? Is the equipment compatible with a variety of Internet connection methods? No complicated configuration procedures should be required. The monitoring device should be easily and transparently installed between the Internet service provider’s connection device (a router or modem) and the LAN or LAN segments that will be protected. It should accommodate all common types of Internet connections, including DSL, cable modem, T1, and ISDN.

How does the monitoring equipment affect other security equipment or software already in place? The equipment installed by the monitoring service should not interfere in any way with other security measures, such as other firewalls or network auditing software.

Does the monitoring equipment include VPN protection? Companies with virtual private networks should make sure the monitoring device provides protection from attacks launched from an unsecured endpoint.

Does the monitoring equipment ensure a stateful firewall? While plain-vanilla packet filtering considers each packet individually, stateful filtering is able to put the packets into a meaningful context. This results in fewer “false positive” alarms and more intelligent monitoring results.

How easy is it to update the monitoring equipment? The equipment should run without customer intervention and should be automatically updated when new attack signatures are discovered either by the security service itself or by organizations such as the CERT Coordination Center. Also look for an open architecture that allows these updates to be made within hours of a newly discovered virus strain or attack method. (In contrast, proprietary technology can take days or weeks to upgrade.)

A life preserver for the Internet Age
While outsourcing Internet security does not make sense for every organization, it can be a crucial business strategy—even a business saver—for any company that cannot afford a regiment of in-house security specialists. After all, just because a company fails to qualify for the Fortune 500 list does not mean the information stored on its internal network is any less important to its continued profitability or success.

TechRepublic and Auerbach Publications
This article first appeared in the May/June 2001 issue of Information Systems Security. It appears here under agreement with Auerbach Publications. For information on subscribing to this journal or to see a list of previously published topics, click here . To find out about other Auerbach publications, click here .

Joan Wilbanks is cofounder and CEO of SecureWorks, which offers 24/7 Internet security monitoring and response services to locations with 250 or fewer IP addresses. For more information about SecureWorks, visit

Editor's Picks

Free Newsletters, In your Inbox