A Double-edged Sword

Your network model must feature one layer of protection covering the next

• By Kevin Prince
• Apr 02, 2008

Securing an entire network at a finite number of ingress points simply does not offer the risk mitigation companies need. This does not, however, mean there is no value in continuing to deploy and maintain an edge security model as one layer of a multi-layered security strategy.

An Evolving Threat
Data security attack methods can be numbered in the hundreds or even thousands. This is different from just a few years ago, when such attacks were simple and direct. Companies are always trying to reduce the greatest amount of risk possible at the lowest cost. Before, the answer was a firewall—a single device that could be put between the network and the Internet to block unwanted inbound connections. Companies could protect thousands of systems with this one device.

Later, as ports were required through the firewall for business purposes, such as e-mail and Web sites, more layers of protection were required, including intrusion detection and prevention systems to monitor for malicious packets. Soon, a barrage of technologies meant to be deployed at the edge, such as gateway antivirus and spam filtering, also were used in an attempt to stop the attack at the door.

Quickly, this approach lost its effectiveness as a single method of security. Attack methods shifted to target individual systems rather than network devices. The attacks began using techniques to install trojans, malware or other malicious software on internal computers. Encryption and other techniques then were used by the attacker to stay under the radar once the internal computers were compromised. While once attackers would want you to know they took control of your systems, now they often remain completely undetectable.

Now, to prevent attacks, system-level protection is a must. This protection takes a combination of properly deployed and managed technology and means adherence to policies and procedures. Some of the required technologies include globally managed patch and policy management and desktop security software that includes firewalls, malware protection and antivirus. The market is exploding with new technologies meant to protect individual systems while granting IT administrators global management, visibility and reporting of the entire network.

Layered Protection
The idea of an edge security model as the only layer of protection has decayed. But using it as the first in a series of layers has tremendous value. When designing an effective edge security platform—as one layer in a series—IT managers should try to reduce noise, capture and review meaningful information, and limit exposure through user behavior. Managers also should preserve the connection, find and protect the edge, identify and remediate vulnerabilities, and expect technology to not solve all the problems.

Reduce the noise. Because of the heavy dependence most companies now have on Internet-based services, firewalls behave more like chain-link fences than impenetrable fortifications. But with the vast amount of automated scanning and searching done by bad guys on the Internet, firewalls can be effective in blocking some of this traffic. Anything that can filter out this type of background noise will make research of legitimate attacks easier and faster.

Create outbound filters. Most firewalls are configured to limit the inbound ports or services that can be accessed from the Internet, but it’s amazing how many firewalls do not have filters set for outbound traffic. This is only a small help as many malicious programs are designed to use commonly used ports for outbound access.

For this reason, many programs have default ports that, unless changed, will be blocked. Many users are not trying to be malicious—perhaps they just want to load some software to download music or chat with a friend. These programs could grant access to the user’s system or prompt the user to perform some action—like running a malicious program— that he would not normally do. Another reason to create outbound filters is to analyze which systems are attempting to use unauthorized ports. This only works if logging is turned on and the logs are being stored. Without this, even with logging turned on, all traffic being recorded is combined, making it difficult to distinguish good from bad traffic.

Capture and review meaningful information. Remember that even with all of this protection, many malicious programs can use common ports. One of the most common is port 443, normally reserved for secure Web traffic. Traffic using the SSL protocol is encrypted and usually uses port 443, therefore few firewall administrators log this traffic because it is unrecognizable. Logging and review of port 443 traffic may lead to the detection of malicious traffic. However, the bad guys are often encrypting their traffic as well.

As a result, detection methods that review packets based on packet headers such as source and destination IP can be valuable. For example, if traffic is passing through port 443, where the source is a common file server, it could be suspicious if the port is often used to access secure Web sites.

This level of monitoring and detection assumes that you know your network, which isn’t true of many IT administrators. Unless you know what your network looks like, and what constitutes normal behavior, it becomes difficult to find anomalies that can lead to the detection of a security compromise.

The only way to know your network is to create diagrams and log traffic. Any device that has the capability of logging should be turned on and pointed to a common place where review can occur. Security event information management software is available to correlate and identify problems, as well as create easyto- manage views of the data. The longer you can retain this data, the better. But a week’s information should be maintained at a minimum.

Limit exposure through user behavior. A common tactic of attackers is to lure unsuspecting users to Web sites that have been infected with malware. In some cases, simply clicking on the link can infect the user’s system with malware or a Trojan horse program that can compromise the entire network’s security.

One of the best ways to reduce this threat is by deploying a URL content filter at the edge of the network. This will force all Web-based traffic through, blocking the user’s ability to access malicious sites. The side benefits of using this system are reduced liability and increased productivity. Such a system also may block malicious programs from making outbound connections that can lead to a compromise. This can include blocking access through common ports like 80 and 443.

Often, data is leaked from an organization through something as simple as email. Using technology such as an e-mail content filter that can detect and stop sensitive data from leaving the network is another worthwhile edge security layer.

Organizations also should provide a secure way of sending e-mail. Regular SMTP is unencrypted and, if captured, easy to read. Sending messages securely requires an encryption-based system.

Preserve the connection. Botnets are not new; however, the scale they now use is nothing short of amazing. In 2007, it was not unusual to see 200,000 compromised systems—known as zombies—in a single botnet. It was only a few years ago when Mafiaboy—a Canadian teenager— took down many Internet sites with only a handful of compromised computers. With armies of compromised systems at their control, it is not difficult for the bad guys to facilitate an attack that renders the victim’s network useless.

To reduce your risk from distributed denial of service attacks, several technologies exist. These often can be expensive. However, for those Internet services that are mission-critical, it may be worthwhile. Also, talk to an Internet service provider about ways of reducing risk from these types of attacks.

Find and protect the edge. It wasn’t too long ago that you could easily identify the network’s edge. Today, wireless LAN technology can extend the network to anywhere, including business neighbors and the parking lot. IT managers say they either have secure wireless or don’t allow wireless at all.

Many new laptops now include wireless WAN capabilities, which allow PCs to have direct Internet access through the mobile phone network. This can create back doors to the network. Thumb drives, iPods and smart phones are just a few of the devices that can infect a network or permit the download of sensitive data and allow it to walk out the front door.

Identify and remediate vulnerabilities. On average, 19 new vulnerabilities are found daily. Although most might not apply to you or exist on your systems, it is only a matter of time before you face an exposure from one or more of these. In times past, an annual or quarterly scan was sufficient to identify and remediate vulnerabilities. Now, monthly scans are necessary, with many organizations choosing weekly or even more frequent scans to find these access paths to sensitive data.

It also isn’t enough to do traditional vulnerability scans. Also do periodic application level tests, which find application errors and vulnerabilities that can be more devastating than standard vulnerabilities. Test for SQL injection vulnerabilities, buffer overflows and ways of facilitating cross-site scripting attacks. These are becoming much more popular for attackers and are increasingly successful.