With Distributed Denial of Service (DDOS) attacks on the increase, it is becoming more and more difficult to protect against them. And the victims are twofold - the target of the attack obviously suffers, but those machines that are used as "zombies" are also affected.

Who is to blame? The user, for allowing a zombie to be installed? The security administrator, for not preventing such incursions at the network perimeter? Or the ISP, for not filtering traffic effectively before it gets to our gateway? What can the ISP do once a DDOS attack has swamped our bandwidth? Could ISPs be more proactive in stopping DDOS attacks altogether?

Or perhaps the ISP would maintain that it is entirely our responsibility. In which case, how effective are perimeter firewalls, personal firewalls, anti virus mechanisms and Intrusion Detection Systems at protecting us against full-blown attacks, or the insertion of zombies onto our networks?

It's like two freight trains heading for each other at top speed. IPsec has been the protocol of choice for virtual private networking, guaranteeing cryptographic authentication of each end of the VPN tunnel to each other, as well as encrypting the data traffic so that spies can't tap into or spoof critical business data. But then comes along MPLS, or Multi Protocol Label Switching, which brings ATM-like quality of service and circuit-based routing to the carrier networks and, someday, perhaps to the public Internet. MPLS may not have built-in encryption and authentication methods, but it does have the advantage of robust traffic engineering, genuine quality of service, and the ability to turn a non-deterministic IP network into the model of efficiency and reliability. MPLS, heavily promoted by router vendors like Juniper and Cisco, is tailor made for helping carriers provision VPNs. But what about companies like CheckPoint, Avaya, Alcatel, and others, who have been successfully selling their IPsec-based VPN gear into enterprises and carriers? They're arguing that MPLS isn't secure enough, and that everyone should stick with the tried-and-true IPsec technology. The carriers are caught in the middle, and customers are confused. We'll dig down and discover the truth.

Round Table III - "Wire Speed Security"
Chaired by the NSS Group

Networks are getting faster, yet some security products seem rooted in the days of 10Mbit Ethernet. Whilst such products are fine when all they have to address is a slow Internet connection, they must also be able to handle 100Mbit or even 1000Mbit LANs when installed on an intranet.

How much of a problem is a firewall that only has 100Mbit throughput when installed on a Gigabit backbone? How effective is an IDS that cannot handle a heavily loaded Fast Ethernet segment? Does it matter if packets are dropped, attacks are missed? Is it possible to perform true wire-speed analysis up to Gigabit speeds or should we always bank on having to install multiple IDS engines to cope with such situations?

The NSS Group will present the findings of its latest IDS Group Test, where intrusion detection products were put through their paces on heavily loaded high speed networks.

The whole world is going wireless, it seems. But what is the effect on security? The mobile user has always presented a challenge to the security administrator, but just as we get to grips with securing remote connections from a few laptops to head office, along comes the Internet-enabled PDA. And, of course, the smart phone.

Now everyone wants access from their own hand-held device. What sort of management and security challenges does this present? How easy is it to hack into our PDAs? Does the "always on" nature of the next generation mobile phones present a hacker with an easy route into our corporate data? Is Bluetooth a hacker's dream? How soon will we need firewalls and AV scanners on our mobile phones? And how quickly can the software vendors oblige?

Pre-dinner cocktail reception