Tuesday, November 3, 2009

Security Trend and Integration

In the last 15 years, security has changed drastically. Initially, security was focused on the operating system and its patches. The Windows NT operating system with the IIS 4.0 web server spelled disaster in its default configuration: by default everything worked, and to secure it you had to run the hardening script. The advent of the Internet brought an altogether different perspective and outlook to the word "stealing"!
With this technology, someone in Russia can hack into servers in the US via zombies sitting in Germany. To prevent attacks from the Internet, the firewall was developed. Best practice for a firewall was to allow the required protocols and services and deny everything else; "Deny ANY ANY" was the catch-all rule on every firewall.
As time went by, hackers became more sophisticated, and a whole new level of attacks arrived with Firewalk, and especially with TCP and IP fragmentation, which could bypass the firewall. There was also no security for the allowed services: if port 80 was allowed, someone could easily exploit a bug in IIS.
If IIS had the Unicode vulnerability, then sure enough the firewall (stateful or packet filter) would let the directory traversal through, and if the IIS web root was on the same logical drive as the system root, one could get a shell on the remote machine.
Hence the advent of IDS and IPS technology to thwart these attacks on the allowed services and protocols.
Soon hackers realized that both firewalls and IPS had inherent vulnerabilities in their protocol stacks, especially around IP fragmentation (overlapping fragments), which could bypass the IPS and the firewall. Many tricks were identified and papers were written on IPS evasion techniques; one of them was the paper on eluding IDS by Thomas H. Ptacek and Timothy N. Newsham. Based on this paper, Dug Song wrote Fragroute.
Soon whitehats realized that IPS is not nirvana and that we needed something more than IPS and a firewall.
Some key security players came up with the concept of moving security closer to the host, to avoid the typical issues with network-based security devices. Hence the start of AV + host-based IDS/IPS + firewall.
If you look at the product set, all the security products except the firewall took the approach of identifying all the bad things, which are infinite in number; the firewall, on the other hand, denied everything except a few allowed trusted sources and protocols.
Network-based or host-based, every technology except the firewall was based on signatures, behavior, or some hybrid approach (a combination of both) to identify malicious intent.
While whitehats were busy securing OSes and networks with these technologies, Web 2.0 arrived and new application-based attacks were identified on the application server side, like XSS, SQL injection and cross-site request forgery.
Clients became more and more powerful; technologies like AJAX, JavaScript and ActiveX on the client side created a whole new category of vulnerabilities, client-side vulnerabilities, which were hard to detect with scanners.
To reduce such attacks, application firewalls, and IPS with the appropriate application vulnerability signatures and protocol decode capabilities, were introduced to the market.
For client-side vulnerabilities, scanners started adding checks to identify key vulnerabilities in MS Office, web browsers and other client-side and P2P applications.
Soon everyone realized that this was not enough, and application whitelisting technology came along. It is based on the same concept as the firewall: allow known applications to execute and block execution of any other application or code.
As I said before, conceptually we are back to square one! It is the same concept as the firewall where everything started, allow the required services and deny everything else, only this time it is on the host, for applications!
We took a complete 360 degree turn and we are back to the same point.
You can clearly see the trend from network to host.
On the network: Firewall --> IDS --> IPS --> Application Proxy.
On the host: AV --> Firewall --> IDS/IPS --> Application Whitelisting.
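To make the "back to square one" parallel concrete, here is an added example (my own Python, not code from this post or any product it mentions) that implements the two models side by side: a default-deny policy with an explicit allow set, applied first to network flows (the firewall) and then to program launches keyed by file hash (application whitelisting), next to a signature blocklist of the AV/IDS kind. All file paths, hashes and flows are constructed for the example. The unseen binary is the point: the blocklist lets it run because it has no signature for it, while the allowlist denies it for the same reason.

```python
"""Default-deny allowlist vs. signature blocklist as one policy engine.

Constructed example, not the blog's code: the firewall's "allow the known,
deny everything else" applied to a network flow and to a program launch,
beside a signature blocklist that can only stop what it has already seen.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Launch:
    path: str
    sha256: str


class DefaultDenyPolicy:
    """Firewall-style policy: explicit allow set, implicit 'deny any any'."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def decide(self, item):
        return "allow" if item in self.allowed else "deny"


class SignatureBlocklist:
    """IDS/AV-style policy: set of known-bad fingerprints, implicit allow."""

    def __init__(self, known_bad):
        self.known_bad = frozenset(known_bad)

    def decide(self, item):
        return "deny" if item in self.known_bad else "allow"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed network policy: only web traffic is allowed, everything else hits the catch-all deny.
FIREWALL = DefaultDenyPolicy({Flow("tcp", 80), Flow("tcp", 443)})

# Constructed binaries: the byte strings stand in for real executable contents.
NOTEPAD = Launch("C:/Windows/notepad.exe", sha256_hex(b"constructed-notepad-bytes"))
DROPPER = Launch("C:/Temp/update.exe", sha256_hex(b"constructed-known-bad-bytes"))
UNKNOWN = Launch("C:/Temp/new.exe", sha256_hex(b"constructed-never-seen-bytes"))

# Host policies: the whitelist knows one good hash; the AV knows one bad hash.
APP_WHITELIST = DefaultDenyPolicy({NOTEPAD.sha256})
AV_SIGNATURES = SignatureBlocklist({DROPPER.sha256})


def firewall_decisions():
    """Decide three constructed flows against the default-deny firewall."""
    flows = [Flow("tcp", 80), Flow("tcp", 23), Flow("udp", 53)]
    return {f"{f.proto}/{f.dst_port}": FIREWALL.decide(f) for f in flows}


def host_decisions():
    """Return (AV blocklist verdict, whitelist verdict) for each launch."""
    return {
        launch.path: (AV_SIGNATURES.decide(launch.sha256),
                      APP_WHITELIST.decide(launch.sha256))
        for launch in (NOTEPAD, DROPPER, UNKNOWN)
    }


if __name__ == "__main__":
    for flow, verdict in firewall_decisions().items():
        print(f"firewall  {flow:8s} -> {verdict}")
    for path, (av, wl) in host_decisions().items():
        print(f"host      {path:24s} -> AV: {av:5s}  whitelist: {wl}")
```

Both host policies are the same few lines with the set membership test inverted; what differs is which side of the decision the unknown falls on, which is exactly the trade the post describes between cataloguing the infinite bad and enumerating the finite good.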

Soon another paradigm was introduced by the DLP players, data-centric security, and new gadgets were introduced for IT to prevent unauthorized data leakage, whether malicious or unintentional.

However, the question is: if you have all these technologies to secure your data, how do you integrate them and identify trends in order to proactively identify threats?

Integration between these technologies is a must! All the security products in the organization should form one huge ecosystem, with the ability to share information and alerts and to learn from them. This organization-wide integration is a must in today's challenging and evolving technology space.

While organization-wide integration is great, I am envisaging inter-organization information sharing: just as blackhats contribute to and support each other in their community, whitehats should have some way of sharing their data between organizations that allows them to better prepare for threats.
Having said that, we are not too far away from it; I believe cloud computing will allow us to do just that!
Only time will tell....