
[infowar.de] Network security: Gartner's forecast for 2002



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2845252,00.html

Network security in 2002
By John Pescatore
Provided by Gartner
February 4, 2002 4:24 PM PT

     Although the terrorist attacks against the United States in
     September of 2001 changed the perception of security, other
     technology issues are more important factors in determining what
     security issues enterprises will have to worry about in 2002.

     Web services tools and technologies will expose an accelerating
     stream of discovered vulnerabilities in 2002 (0.7 probability).
     From a security perspective, Web services represent another
     approach to tunnel applications through firewalls. The major
     transport mechanisms will be SOAP over HTTP, putting more stress
     on the extremely vulnerable Web server implementations found in
     most enterprises. The use of Secure Sockets Layer (SSL) for
     transport security of Web services will drive application owners
     to lobby for firewalls to allow SSL connections through corporate
     firewalls, greatly increasing the likelihood of application-level
     attacks.

     Recommendations: Until the second half of 2003, enterprises should
     terminate external Web services connections in a transaction zone
     outside the corporate firewall. Any connections that are allowed
     to connect directly to internal servers should be required to use
     SSL certificates at both ends, and XML encryption and digital
     signature services to protect sensitive information in Web
     services transactions. Enterprises should, in 2002, begin planning
     for implementing application-specific firewall functions, such as
     those offered by Sanctum, Ubizen, KaVaDo, CipherTrust, and others.

     Managed security providers

     At least six managed security service providers (MSSPs) will leave
     the market in 2002 (0.6 probability). In 2000, venture capitalists
     showered funding on MSSP startups. Gartner accurately predicted
     that the business model of the MSSPs would survive the first wave
     of consolidation. We expect that, in 2002, larger network service
     providers will enter the MSSP market and use selective acquisition
     as a growth strategy. Smaller, regional players that do not meet
     the criteria for survival will be acquired or disappear.

     Recommendations: Gartner believes most enterprises will find that
     outsourcing repetitive firewall, intrusion detection and gateway
     antiviral monitoring functions will result in a higher level of
     security at an equal or lesser cost than doing so in-house.
     Enterprises evaluating MSSP offerings should include Gartner's
     selection criteria in all requests for proposal.

     Attack target: Videoconferencing

     At least one widespread Internet attack will target increased use
     of Internet-based videoconferencing and application collaboration
     capabilities deployed to reduce travel due to security and cost
     concerns (0.6 probability). Most security-conscious enterprises
     block unneeded or dangerous protocols and services (such as
     ActiveX controls) at the corporate firewall. Attempts to reduce
     travel costs before the terrorist attacks, and to avoid travel
     after the attacks, have resulted in increased demand for video-
     and Web conferencing and shared applications over the Internet.
     Many of these capabilities provide minimal security controls, and
     often require that additional ports and services be enabled at the
     firewall. Denial-of-service attacks will likely be the first to be
     launched, but 2002 will see additional attacks against specific
     vulnerabilities in commercial services.

     Recommendations: Where possible, conferencing services should be
     terminated in a transaction zone and thin-client connections used
     from internal desktops. Enterprises should prototype any
     self-hosted conferencing capabilities and perform (or contract
     for) penetration testing. Enterprises using commercial services
     should require service providers to demonstrate successful
     security testing by an outside security firm.

     Bottom Line

     Political realities, new technologies, and changing priorities
     will cause 2002 to be a year of increased threat for
     Internet-exposed systems. Enterprises should start the year by
     ensuring that their Internet security foundation is solid, through
     security audits and application-level protection, and require each
     new IT project to have security built into the application.

---------------------------------------------------------------
To leave the list: send mail to infowar - de-request -! - infopeace - de with "unsubscribe" in the body.