Network Security
Malware 2.0 meets security 2.0
A three-pronged approach can prevent threats from damaging data networks.
by Richard Hanke

The most traditional approach used to block malware from entering a corporate network is URL filtering.
Although many companies have policies in place that deny employee access to Web sites that are not work related, the monitoring and enforcement of these policies is not always easy. Over the past year, there have been numerous stories about employees who visited Web sites such as YouTube or Monster.com, resulting in their work computer becoming infected with a piece of Web-borne malware. This type of problem is likely to grow as cyber criminals find that the use of Web-borne malware can infect hundreds of thousands of users in moments.
Designed to keep Web traffic flowing and safe from malware, the latest Web security appliances scan all HTTP and SMTP traffic coming in and going out of the network to ensure that each piece of content is not infected with malware. The traffic is scanned against a database of threat-protection signatures and is allowed to pass through the network if no malware is detected.
Some users might argue that desktop software is a more efficient or effective form of Web-borne malware protection, but servicing 50 to 5,000 desktops with antivirus software can be challenging. Keeping every desktop current with complete threat protection requires antivirus and antispyware clients, which can also degrade computer performance.
A single Web security appliance can apply both signature and reputation filters, delivering complete protection from Web-borne malware. If the appliance is "network friendly," it will fit seamlessly into any network topology, no matter how complex the network environment, and will perform at gigabit rates, so there is no performance degradation.
The Internet has become a major source of infection for PCs, and the massive adoption of Web applications, in addition to the popularity of blogs and social-networking sites, has made this vector much harder to control. Most companies have focused their security efforts on the desktop with software designed to be deployed on each PC in the organization, or on e-mail protection with a gateway to block malicious content entering a network through spam e-mails containing malware.
The enterprise Web gateway is another tier in need of additional protection from malicious code and inappropriate use. A secure Web gateway is a product that filters unwanted software or malware resulting from users visiting sites that host malicious code. The gateways also enforce corporate and regulatory policy compliance.
Leading solutions will also be able to provide Web application-level controls for at least some of the more popular applications, including instant messaging. Secure Web gateways should integrate with directories to provide authentication and authorization, along with group- and user-level policy enforcement. A strong secure Web gateway should bring together all these functions without compromising performance for end users, which has been a challenge for traditional antivirus Web filtering.
URL filtering includes the categorization of known Web sites into groups to enable comprehensive reporting, as well as the blocking of some sites on grounds of acceptable use, productivity and security risk. There is also an increasing requirement for dynamic risk analysis of uncategorized sites and pages. Web reputation will be an area of differentiation as vendors invest in ways to better identify and classify Web sites and domains.
URL filtering can be effective in setting and enforcing policies for employees. Based on policies set forth by network and security administrators, users are either permitted or denied access to certain categories of sites. Typically, the categories blocked are pornography or gambling.
In addition, known malware sites can be blocked. Since the Internet is made up of hundreds of millions of sites, URL filtering approaches rely on Web crawlers to categorize sites and add them to the database. Hackers, however, are getting more sophisticated and are fighting Web crawlers by serving benign content to the crawler so that the site is placed on the list of permitted sites, and then serving malware when a real user visits the page. Malicious code filtering eliminates all malicious and potentially unwanted code from Web traffic.
The most common malware detection technique is signature-based detection of known malware. As threats continue to evolve, however, leading vendors are expected to offer a cocktail of non-signature-based malware detection techniques to detect and block unknown and more evasive threats. So, although URL filtering has its place, relying solely on the policies set forth by URL filters is not enough.
Content filtering scans traffic coming in and out of the network and inspects every Web page for malicious code. This approach utilizes camouflaged machines that are placed around the world to collect malware samples. These samples are continually analyzed and are added to the database of threats. Signature-based scanning, however, may not be enough.
Reputation filtering is the newest approach to fighting Web-borne malware. Based on site reputations, content may not be scanned or filtered. For example, CNN is a popular news site and must have a good reputation, so it is not scanned or inspected. Well-known sites, however, are frequently compromised.
The best method of reputation filtering is to utilize it as a blacklist instead of a whitelist. Black-listed sites are always blocked, while white-listed sites are always permitted to pass. Thus, blocking access to sites known to distribute malware is more effective.
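The following is an added example, not code from the article or from Anchiva Systems, showing how the three techniques described above (category-based URL filtering, reputation filtering and signature-based content scanning) combine into one gateway decision, and why reputation works better as a blacklist than as a whitelist. Every domain, category, reputation entry, signature and page body below is constructed sample data, and the function and class names are this example's own.

```python
"""
Added example (not from the article): a minimal model of a secure Web
gateway decision pipeline. It chains the three controls the article
describes: URL/category filtering, reputation filtering and
signature-based content scanning. All data below is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlparse


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str
    scanned: bool  # True if the content scanner actually ran on the body


# Constructed category database, standing in for a crawler-built one.
CATEGORY_DB = {
    "news.example": "news",
    "casino.example": "gambling",
    "jobs.example": "recruiting",
}
# Category policy set by the administrator (constructed).
BLOCKED_CATEGORIES = {"gambling", "pornography"}

# Constructed reputation data. The blacklist is consulted in both modes;
# the "trusted" list is only honoured in the weaker whitelist mode.
MALWARE_SITES = {"drive-by.example"}
TRUSTED_SITES = {"news.example"}

# Constructed byte patterns standing in for a threat-signature database.
SIGNATURES = {
    "Trojan.Sample.A": b"SAMPLE-TROJAN-MARKER-A",
    "Exploit.Sample.B": b"<script>evil()</script>",
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def scan_content(body: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in SIGNATURES.items():
        if pattern in body:
            return name
    return None


def gateway_decision(url: str, body: bytes, reputation_mode: str = "blacklist") -> Decision:
    """Decide whether a fetched page may reach the user.

    reputation_mode "blacklist": known-bad hosts are blocked, everything
    else (trusted, uncategorized or not) is still scanned.
    reputation_mode "whitelist": trusted hosts additionally skip scanning,
    which is the weakness the article warns about.
    """
    host = host_of(url)

    # 1. URL filtering: enforce the category policy first.
    category = CATEGORY_DB.get(host)
    if category in BLOCKED_CATEGORIES:
        return Decision(Verdict.BLOCK, f"category policy: {category}", scanned=False)

    # 2. Reputation filtering: a known malware distributor never gets through.
    if host in MALWARE_SITES:
        return Decision(Verdict.BLOCK, "reputation: known malware site", scanned=False)
    if reputation_mode == "whitelist" and host in TRUSTED_SITES:
        # Weak design: a good reputation is taken as proof the content is safe.
        return Decision(Verdict.ALLOW, "reputation: trusted site, not scanned", scanned=False)

    # 3. Content scanning for everything else, uncategorized hosts included.
    hit = scan_content(body)
    if hit:
        return Decision(Verdict.BLOCK, f"content scan: {hit}", scanned=True)
    return Decision(Verdict.ALLOW, "content scan: clean", scanned=True)


if __name__ == "__main__":
    # A well-known site that has been compromised to serve an exploit (constructed).
    compromised_page = b"<html><body>Top stories</body><script>evil()</script></html>"
    for mode in ("whitelist", "blacklist"):
        d = gateway_decision("http://news.example/story", compromised_page, mode)
        print(f"{mode:9s} -> {d.verdict.value:5s} ({d.reason})")
```

Run as a script, the whitelist mode lets the compromised "trusted" page through unscanned, while the blacklist mode still blocks the known malware host up front and catches the same page in the content scan, which is the ordering the article recommends.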
Richard Hanke is vice president of marketing for Anchiva Systems, Santa Clara, Calif.
by John Yun
One way to address security concerns caused by new technologies, such as peer-to-peer (P2P) applications like instant messaging (IM) and voice over IP (VoIP), is to add dedicated application security appliances, such as those designed specifically for P2P applications. Purpose-built hardware and software focus tightly on a single problem and offer plug-and-play simplicity, but narrow-focused solutions solve only one problem. Point products also introduce network complexity that can compromise not just security, but the network’s performance and quality of service (QoS).
New applications often introduce new underlying protocols. The capabilities in P2P applications, for example, come from specialized IP protocols—multimedia protocols in IM attachments, or various protocols for voice communications. As with other protocols, hackers and viruses can exploit implementation flaws in P2P protocols to launch attacks.
Dedicated appliances designed specifically to assure protocol integrity before granting network access can be effective, but many enterprise networks already have that capability and more built into the deep-inspection and intrusion-detection capabilities of modern security products. To realize that capability, an enterprise’s existing infrastructure vendors should provide regular updates—supporting the popular and latest IM protocols; providing capabilities for IM attachment scanning; and sending updates promptly on release of new applications. If such updates are provided, the network is most likely already protected from protocol abuse without the purchase of any new, special-purpose gear.
Even if the benefits do not measure up to their costs, what harm can come from the added security of single-purpose security appliances? Aside from the time and money needed to purchase, implement and maintain point solutions, network administrators should consider the hidden costs of the performance and QoS issues these products may raise in high-priority applications such as VoIP, and of managing the additional network complexity point solutions create, in particular the fragmentation of staff time, attention and span of control.
Applications vary greatly in the network performance they require. E-mail, for example, is especially forgiving—a few seconds’ delay is seldom noticeable. Delays in the rapid bidirectional flow of data for IM can be a minor annoyance, but the synchronous communication of VoIP demands the highest standard of network performance, avoiding latency and jitter that introduce intolerable experiences in voice calls.
Point security solutions for VoIP seldom address network performance and QoS issues like latency and jitter. Under load, they may even contribute to the problem. The right solution includes inspection of packets, identifying them by application and prioritizing them so VoIP takes precedence over less performance-sensitive applications. The overall performance of the security solution should also be considered, but it is often connection rate, not overall throughput, that is the key factor in QoS.
Separate security solutions for P2P applications and emerging videoconferencing applications add complexity to data centers already struggling with multiple hardware platforms, operating systems and storage solutions. In addition, solutions that divide the attention of security administrators across multiple solutions introduce risk during the critical early minutes of an attack. By consolidating and centralizing the monitoring and alerts, IT departments can best utilize their staff.
The sophistication of security products and infrastructure has improved considerably in the past few years. Many products are now designed from the ground up to support future technologies and applications. Standards have also improved, and checking compliance to them has become standard operating procedure at most sophisticated data centers.
John Yun is with Juniper Networks, Sunnyvale, Calif.