A Double-edged Sword
Your network model must feature one layer of protection covering the next
- By Kevin Prince
- Apr 02, 2008
Securing an entire network at a finite number of ingress points simply does not offer the risk mitigation companies need. This does not, however, mean there is no value in continuing to deploy and maintain an edge security model as one layer of a multi-layered security strategy.
An Evolving Threat
Data security attack methods can be numbered in the hundreds or even thousands. This is different from just a few years ago, when such attacks were simple and direct. Companies are always trying to reduce the greatest amount of risk possible at the lowest cost. Before, the answer was a firewall, a single device that could be put between the network and the Internet to block unwanted inbound connections. Companies could protect thousands of systems with this one device. Later, as ports were required through the firewall for business purposes, such as e-mail and Web sites, more layers of protection were required, including intrusion detection and prevention systems to monitor for malicious packets. Soon, a barrage of technologies meant to be deployed at the edge, such as gateway antivirus and spam filtering, were also used in an attempt to stop the attack at
Quickly, this approach lost its effectiveness as a single method of security. Attack methods shifted to target individual systems rather than network devices. The attacks began using techniques to install trojans, malware or other malicious software on internal computers. Attackers then used encryption and other techniques to stay under the radar once the internal computers were compromised. While once attackers would want you to know they took control of your systems, now they often remain completely undetectable.
Now, to prevent attacks, system-level protection is a must. This protection requires a combination of properly deployed and managed technology and adherence to policies and procedures. Some of the required technologies include globally managed patch and policy management and desktop security software that includes firewalls, malware protection and antivirus. The market is exploding with new technologies meant to protect individual systems while granting IT administrators global management, visibility and reporting of the entire network.
The idea of an edge security model as the only layer of protection has decayed. But using it as the first in a series of layers has tremendous value. When designing an effective edge security platform, as one layer in a series, IT managers should try to reduce noise, capture and review meaningful information, and limit exposure through user behavior. Managers also should preserve the connection, find and protect the edge, identify and remediate vulnerabilities, and not expect technology to solve all the problems.
Reduce the noise. Because of the heavy dependence most companies now have on Internet-based services, firewalls behave more like chain-link fences than impenetrable fortifications. But with the vast amount of automated scanning and searching done by bad guys on the Internet, firewalls can be effective in blocking some of this traffic. Anything that can filter out this type of background noise will make research of legitimate attacks easier and faster.
Create outbound filters. Most firewalls are configured to limit the inbound ports or services that can be accessed from the Internet, but it’s amazing how many firewalls do not have filters set for outbound traffic. This is only a small help, as many malicious programs are designed to use commonly used ports for
For this reason, many programs have default ports that, unless changed, will be blocked. Many users are not trying to be malicious; perhaps they just want to load some software to download music or chat with a friend. These programs could grant access to the user’s system or prompt the user to perform some action, like running a malicious program, that the user would not normally do.
Another reason to create outbound filters is to analyze which systems are attempting to use unauthorized ports. This only works if logging is turned on and the logs are being stored. Without outbound filters, even with logging turned on, all recorded traffic is lumped together, making it difficult to distinguish good from bad traffic.
Capture and review meaningful information. Remember that even with all of this protection, many malicious programs can use common ports. One of the most common is port 443, normally reserved for secure Web traffic. Traffic using the SSL protocol is encrypted and usually uses port 443; therefore few firewall administrators log this traffic, because its contents are unrecognizable. Logging and review of port 443 traffic may lead to the detection of malicious traffic. However, the bad guys are often encrypting their traffic as well. As a result, detection methods that review packets based on packet headers, such as source and destination IP, can be valuable. For example, port 443 traffic whose source is a common file server could be suspicious, because that port is normally used by workstations to access secure Web sites, not by servers.
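The two review tasks described above (which internal systems are attempting unauthorized outbound ports, and which port 443 connections originate from hosts that have no reason to browse) can be scripted against stored firewall logs. The following is an added example, not code from the article; the log line format, the allowed-port policy, the host inventory and the sample log lines are all constructed for illustration.

```python
"""Review outbound firewall logs for two signals: hosts reaching for ports
outside the allowed outbound set, and port 443 traffic originating from
servers that should not be browsing the Web.

Added example. The log format (ts src dst dport action), the host roles
and the sample lines are constructed, not a real firewall's output."""
from collections import defaultdict
import re

# Constructed sample log lines in the hypothetical format above.
SAMPLE_LOG = """\
2008-04-02T09:00:01 10.0.1.25 203.0.113.10 80 ALLOW
2008-04-02T09:00:02 10.0.1.25 203.0.113.10 443 ALLOW
2008-04-02T09:00:05 10.0.1.40 198.51.100.7 6667 DENY
2008-04-02T09:00:06 10.0.1.40 198.51.100.7 6667 DENY
2008-04-02T09:00:09 10.0.2.5 198.51.100.22 443 ALLOW
2008-04-02T09:00:12 10.0.2.5 198.51.100.22 443 ALLOW
2008-04-02T09:00:15 10.0.1.77 192.0.2.9 25 DENY
2008-04-02T09:00:20 10.0.1.25 192.0.2.44 8080 DENY
"""

# Outbound ports the policy permits for workstations (assumed policy).
ALLOWED_OUTBOUND = {80, 443, 53}

# Assumed host inventory: internal addresses that are servers, not desktops.
# Knowing which hosts are which is the "know your network" prerequisite.
SERVER_HOSTS = {"10.0.2.5": "file-server-01"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_log(text):
    """Yield (ts, src, dst, dport, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            yield ts, src, dst, int(dport), action


def unauthorized_port_attempts(text, allowed=ALLOWED_OUTBOUND):
    """Count, per source host, outbound attempts to ports outside the allow list.

    A desktop repeatedly trying an unauthorized port is either misconfigured
    or running software it should not be; either way it merits a look."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, src, _, dport, _ in parse_log(text):
        if dport not in allowed:
            counts[src][dport] += 1
    return {src: dict(ports) for src, ports in counts.items()}


def servers_talking_https(text, servers=SERVER_HOSTS):
    """Return permitted port 443 connections whose source is a known server.

    The payload is encrypted, but the header alone shows a file server making
    outbound HTTPS connections, which is the anomaly the article describes."""
    findings = []
    for ts, src, dst, dport, action in parse_log(text):
        if dport == 443 and src in servers and action == "ALLOW":
            findings.append((ts, servers[src], src, dst))
    return findings


if __name__ == "__main__":
    for src, ports in unauthorized_port_attempts(SAMPLE_LOG).items():
        print(f"{src}: unauthorized outbound ports {ports}")
    for ts, name, src, dst in servers_talking_https(SAMPLE_LOG):
        print(f"{ts} {name} ({src}) -> {dst}:443 outbound HTTPS from a server")
```

The second check is only as good as the host inventory; without an accurate list of which addresses are servers, the port 443 review degrades into the undifferentiated pile of traffic the article warns about.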
This level of monitoring and detection assumes that you know your network, which isn’t true of many IT administrators. Unless you know what your network looks like, and what constitutes normal behavior, it becomes difficult to find anomalies that can lead to the detection of a security compromise.
The only way to know your network is to create diagrams and log traffic. Logging should be turned on for any device capable of it and pointed to a common place where review can occur. Security event information management software is available to correlate and identify problems, as well as create easy-to-manage views of the data. The longer you can retain this data, the better. But a week’s information should be maintained at a minimum.
Limit exposure through user behavior. A common tactic of attackers is to lure unsuspecting users to Web sites that have been infected with malware. In some cases, simply clicking on the link can infect the user’s system with malware or a Trojan horse program that can compromise the entire network’s security.
One of the best ways to reduce this threat is by deploying a URL content filter at the edge of the network. This forces all Web traffic through the filter, blocking the user’s ability to access malicious sites. The side benefits of using this system are reduced liability and increased productivity. Such a system also may block malicious programs from making outbound connections that can lead to a compromise. This can include blocking access through common ports like 80 and 443.
Often, data is leaked from an organization through something as simple as e-mail. Using technology such as an e-mail content filter that can detect and stop sensitive data from leaving the network is another worthwhile edge security layer. Organizations also should provide a secure way of sending e-mail. Regular SMTP is unencrypted and, if captured, easy to read. Sending messages securely requires an encryption-based system.
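An outbound e-mail content filter of the kind described above scans each message for data that should not leave the network before it is relayed. The following is an added example, not code from the article or any product it mentions; the sensitive-data patterns (a U.S. SSN-shaped number and a payment-card number validated with the Luhn checksum) are an assumed policy, and the sample messages are constructed.

```python
"""Outbound e-mail content filter: scan message bodies for sensitive data
patterns and decide whether the message may leave the network.

Added example. The patterns below are an assumed policy and the sample
messages are constructed; a real deployment would tune both to the data the
organization actually handles."""
import re

# SSN-shaped numbers (assumed policy).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digit runs, optionally separated by spaces or dashes. Each candidate
# is checked with the Luhn checksum so order numbers and other long digit
# strings do not trip the filter.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value):
    """Keep only the last four characters so the log entry is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(body):
    """Return a list of (kind, redacted_value) findings for one message body."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", redact(m.group(0))))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", redact(digits)))
    return findings


def should_block(body):
    """Policy decision: block the message if any sensitive pattern is found."""
    return bool(scan_message(body))


# Constructed sample messages. 4111 1111 1111 1111 is a well-known test card
# number that satisfies the Luhn checksum; the SSN is made up.
CLEAN_MSG = "Hi Bob, order 1234567890123 shipped yesterday. Thanks!"
LEAKY_MSG = "Customer SSN 123-45-6789, card 4111 1111 1111 1111 on file."

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN_MSG), ("leaky", LEAKY_MSG)):
        print(label, "->", "BLOCK" if should_block(msg) else "ALLOW", scan_message(msg))
```

Note that the filter redacts what it logs: a content filter that writes the full card number to its own log has simply moved the leak to a different file.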
Preserve the connection. Botnets are not new; however, the scale they now use is nothing short of amazing. In 2007, it was not unusual to see 200,000 compromised systems, known as zombies, in a single botnet. It was only a few years ago when Mafiaboy, a Canadian teenager, took down many Internet sites with only a handful of compromised computers. With armies of compromised systems at their control, it is not difficult for the bad guys to facilitate an attack that renders the victim’s network useless.
To reduce your risk from distributed denial of service attacks, several technologies exist. These often can be expensive. However, for those Internet services that are mission-critical, they may be worthwhile. Also, talk to an Internet service provider about ways of reducing risk from these types of attacks.
Find and protect the edge. It wasn’t too long ago that you could easily identify the network’s edge. Today, wireless LAN technology can extend the network to anywhere, including business neighbors and the parking lot. IT managers say they either have secure wireless or don’t allow wireless at all.
Many new laptops now include wireless WAN capabilities, which allow PCs to have direct Internet access through the mobile phone network. This can create back doors to the network. Thumb drives, iPods and smart phones are just a few of the devices that can infect a network or permit the download of sensitive data and allow it to walk out the front door.
Identify and remediate vulnerabilities. On average, 19 new vulnerabilities are found daily. Although most might not apply to you or exist on your systems, it is only a matter of time before you face an exposure from one or more of these. In times past, an annual or quarterly scan was sufficient to identify and remediate vulnerabilities. Now, monthly scans are necessary, with many organizations choosing weekly or even more frequent scans to find these access paths to sensitive
It also isn’t enough to do traditional vulnerability scans. Also do periodic application-level tests, which find application errors and vulnerabilities that can be more devastating than standard vulnerabilities. Test for SQL injection vulnerabilities, buffer overflows and ways of facilitating cross-site scripting attacks. These are becoming much more popular for attackers and are increasingly
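The application-level tests called for above can be built into a project's own test suite so that the two defects are caught before a scanner ever sees them. The following is an added example, not code from the article: a deliberately vulnerable SQL lookup beside its parameterized form, and a page fragment rendered with and without HTML escaping, each with a self-test that fails if the unsafe form is ever used. The schema, table contents and probe strings are constructed.

```python
"""Application-level self-tests for SQL injection and cross-site scripting.

Added example. The users table, its rows and the probe inputs are
constructed; the point is the contrast between the unsafe and the safe form
of each operation, and a test that flags the unsafe one."""
import html
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in the input changes the query's structure."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Hardened: the driver binds the value, so quotes in it remain data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_vulnerable(name):
    """Deliberately vulnerable: untrusted text placed straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_escaped(name):
    """Hardened: markup characters in the input are escaped before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def sqli_test(conn, probe="x' OR '1'='1"):
    """Return True when the lookup under test returns more rows for a
    tautology probe than the parameterized reference does. A passing
    application returns False here."""
    return len(lookup_vulnerable(conn, probe)) > len(lookup_parameterized(conn, probe))


def xss_test(probe="<script>alert(1)</script>"):
    """Return True when the unescaped renderer emits the probe's tag verbatim
    while the escaped renderer does not."""
    return "<script>" in render_vulnerable(probe) and "<script>" not in render_escaped(probe)


if __name__ == "__main__":
    db = make_db()
    print("SQL injection present in lookup_vulnerable:", sqli_test(db))
    print("XSS present in render_vulnerable:", xss_test())
    print("parameterized lookup with probe:", lookup_parameterized(db, "x' OR '1'='1"))
```

In a real code base only the hardened functions would survive; the vulnerable ones are kept here so that the tests demonstrate what the scan is looking for.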