Building on its experience with carrier-grade products, iPolicy Networks recently released a series of integrated security solutions for the enterprise market.

by Jeff Goldman [March 3, 2004]

iPolicy Networks was founded in January of 2000 to develop a carrier-class solution for offering managed security services. The company's first product was a platform that delivered firewall, IDS, URL filtering, and antivirus in a single box, which was soon picked up by a major U.S. carrier for deployment directly in their POPs.

As the industry began to shift in 2002, iPolicy took note and responded by broadening its target market. "We saw that there was an opportunity for us—while we were able to continue to secure bridge funding from existing investors—to take our carrier-rugged solution and make it available to the enterprise," says Prabhu Goel, iPolicy Networks' Chairman and CEO.

iPolicy Networks Voice: (510) 687-3000 E-mail: info@ipolicynetworks.com

As a result, the company recently announced a full suite of enterprise-targeted ipEnforcer products ranging in speed from 10 Mbps to 5,000 Mbps, with adaptability a key focus of the offering. "This is not about new signatures," Goel says. "It's about an architecture that allows for rapid development of new functionality. In today's world where new threats keep coming rapidly and you have to develop new technology, that's very critical."

The other focus of the products is unified security. "Rather than putting point tools together onto a box, the way we've done the architecture is that we have dynamically collaborating security technologies," Goel says. "The antivirus, URL filtering, IDS, firewall, etc., actually collaborate with each other in real time to provide security, rather than having point solutions that collaborate after the fact."

Goel says that iPolicy's experience with carrier grade products served it well in developing its enterprise product. "From an enterprise standpoint we're brand new, but we're bringing a carrier-rugged product to the enterprise," he says. "We're downscaling our product to offer it to the enterprise, while a lot of other security vendors have to scale up their product when they try to service this category. That's harder to do."

Current limitations
Security threats, Goel points out, are constantly changing—and for enterprise clients, any point on the Internet can become a point of attack. "If somebody surfs an untrusted website, they can bring down worms without even realizing it, which can then attack the inside of the network," he says. "Then there are multifaceted attacks like MyDoom that, once they get inside the network, can launch different sorts of attacks."

Most integrated security products, Goel says, combine a number of different point tools for IDS, firewall, etc. into a single box. "The problem with that is that each packet is opened up again and again by each application inside that box," he says. "So as you add more applications, the performance of the appliance degrades."

More importantly, the ability to respond to blended threats is greatly limited when working with traditional products. "Let's say somebody's trying to scan your network," Goel says. "An IDS picks it up, and a few minutes later that same IP address is trying to authenticate to your servers. That's something that should have a very high alert—but to try to get that to happen in an architecture like this is virtually impossible."

Similarly, cost of ownership becomes a significant issue, particularly when you combine a number of different point tools from different vendors—and the operating cost is also high. "That's particularly true if you're trying to cover multiple locations and multiple points of deployment, because the management is still point tool centric and device centric," Goel says.

Integrated security
The ipEnforcer takes a more dynamic and integrated view of security. Key to the offering is the idea that each packet should only be inspected once. "In that one-time packet inspection, you should be able to pull out all the information you need," Goel says. "Furthermore, that architecture should enable real time correlation to respond to a threat as a system, rather than just as a firewall or just as an IDS solution."

By running security services in a coordinated manner, the ipEnforcer minimizes latency and improves performance. "We're able to run up to seven services in a unified way where they're actually collaborating in real time," Goel says. "And because of the architecture, we're able to deliver wire speed while adding applications to cover new threats very rapidly, and not degrade performance."

The company's Unified Security Manager allows different people and different groups to be given individual rules of access. "You could have one administrator that's responsible for entering all security policies for the entire enterprise, another that's responsible for monitoring, another that's responsible for specialized IDS handling, and so on," Goel says.

No matter how globally dispersed those administrators may be, the management system is able to coordinate security policies between disparate people and locations. "What we have created is a very flexible security environment where you can have consistent global security policies along with local adaptation based on what local needs or functional needs are," Goel says.

A solution for ISPs
Pricing for the products ranges from approximately $2,000 for the 10 Mbps i1000 ipEnforcer product to just over $150,000 for the five gigabit i6500. Ongoing fees of 15 to 25 percent of the purchase price provide access to all signature and application updates.

Looking ahead, Goel says, adaptability and flexibility will be crucial to any future security solution. "The world of security is going to show us a pace of change that we haven't seen elsewhere," he says. "The rate at which hackers can change threats is just mind-boggling."

ISPs essentially have two options in deploying iPolicy Networks's product. First, a small ipEnforcer box could be deployed at the customer premises as a managed service. "Our 10 Mbps box could sit in a SOHO office, and the service provider could say, 'I'll take care of security for you, centrally managed,'" Goel says.

Alternatively, a higher speed ipEnforcer could be deployed in a POP, allowing the ISP to provide universal security. "That's a huge operational cost savings against a model where you have to ship equipment to the customer premises," Goel says.

Allowing for both remote and onsite security management, Goel says, integrated security solutions like the ipEnforcer provide an excellent opportunity for ISPs. "It's a very cost effective solution for providing security services," he says. "And for Internet service providers, that's a very attractive revenue generating opportunity."

— End

Related articles:
	[Dec. 24, 2001]	White Paper: Reducing Network Security Risk
	[Sept. 25, 2001]	Physical Security Augments Logical Security
	[July 11, 2001]	ISP-Planet Survey: MSSPs

Resources:
	Intrusion Detection Systems Directory
	Intrusion Detection Systems Directory: Quick Reference Chart