NEC developing network security analysis system

NEC is developing a network security system that will automatically monitor and analyze the configuration of security tools deployed in a network and suggest changes to fix vulnerabilities and any redundancies that exist between them, the company announced Tuesday.

The system is intended for use in networks where a mix of security tools, such as firewalls and intrusion detection systems (IDSes), are being used to guard against worms, viruses and other malicious traffic. As servers and client computers are added and removed from networks, and as security tools are installed or taken away, security holes, redundancies and other "mismatches" can appear in the tools being used, said Riyuuichi Ogawa, principal researcher at NEC's Ubiquitous Intelligence Technology Group.

"Security boundaries are constantly changing and one of the most urgent needs is to be able to perform a security health check to reveal weaknesses," Ogawa said.

NEC's product, which is still being developed and may not go on sale until early next year, collects and analyzes the configuration parameters of the security tools in a network to detect any holes or overlap between them. For example, it will detect when FTP (file transfer protocol) data is being allowed in through a firewall but is not being monitored by an IDS. As well as identifying the weakness, the system will also propose revisions to correct the problem, Ogawa said.

The system uses a language called Security Configuration Coordination Markup Language, or SCCML, which is able to describe the filtering and monitoring functions of firewalls and IDSes, Ogawa said.

In Japan, about one third of the incidents of unauthorized access to enterprise networks result from mismatches in the configuration of security systems, according to a January report by the Information-technology Protection Agency (IPA), a Japanese government-affiliated IT security promotion body. Another third are caused by the use of older, vulnerable software, and the remainder by misuse of user identifications and passwords, according to the IPA.

While security tools exist to patch vulnerable software and improve ID and password security, none provide a unified analysis of the protocols used by the firewalls and IDSes, according to NEC.

Because a single firewall might have more than 1,000 filtering rules, finding mismatches among security systems can take network administrators hundreds of hours. NEC's system can perform its analysis in minutes, according to Ogawa.

"As far as we know, this is a world's first for this type of technology," said Hiroshi Katayama, general manager of NEC's Internet Systems Research Laboratories.

Analysts believe NEC's technology could be significant for businesses, since more effective network security systems are always needed. But much is unclear until the technology has been fully tested in corporate networks, they warn. For example, it remains to be seen just how efficiently SCCML will perform, said Kazuyuki Ide, software research manager at market research company IDC.

"There is a possibility that (NEC) has got great technology, but there is some gap between good technology and being commercially successful," Ide said.

It will also have to compete with established network security products from vendors such as Juniper Networks, Hewlett-Packard, and Check Point Software Technologies, said Kenshi Tazaki, vice president of Gartner Japan's network, telecom and semiconductor group's research division.

Nevertheless, if NEC's system performs its checks as quickly and as thoroughly as the company claims, it could be a big benefit to enterprises, Tazaki said.

NEC plans to begin testing the system internally in the near future and plans to offer it in Japan before the end of March next year under its Valumo middleware brand. It may make an English-language version of the system to sell internationally, Katayama said. Pricing has not yet been set.