Network security is one of the most talked about and highest-investment areas
for enterprises. Over the course of the year we have seen all sorts of attacks,
ranging from phishing to zero-day exploits, and trends such as Managed Security
Services and Network Access Control (said to be the next big thing) emerge. Here
we look at some of these new trends and solutions, and at what kind of
protection they provide and how.
Managed Security Services (MSS)
Managed security services means outsourcing an enterprise's security operations
to an MSP (Managed Security Provider). By outsourcing the network security tasks
that are crucial and require 24x7 support, monitoring and compliance
maintenance, enterprises don't have to track the latest threats themselves and
can stay focused on their core business. IPS and IDS management, firewall
management and monitoring, vulnerability management, log management and security
risk profiling are the most commonly outsourced services in MSS.
Another advantage of MSS is that security experts monitor your infrastructure,
so you don't have to hire in-house experts. MSS also gives cost control, as
enterprises don't have to make frequent investments in tools and staff; that is
the MSP's responsibility. What cannot be outsourced is accountability: the
enterprise still owns the risk, so the contract should spell out response times
and exactly what the provider will act on and what it will only report.
Zero Day Solutions |
Zero-day attacks have been in the news of late, and network security vendors have started offering zero-day protection, both as software and in almost all security appliances. The two most common approaches are application-level (behavioral) protection and proactive protection against exploits of newly disclosed vulnerabilities. In the first, an agent on the machine continuously monitors application behavior and restricts the application when it does something it should not (for example, a document viewer spawning a shell or writing into system directories). In the second, as soon as a vulnerability is disclosed (even before the vendor releases a patch), the security vendor releases an alert and a protection signature for that vulnerability, so the enterprise is covered before a worm exploiting it appears. Note that this second approach protects against publicly known but still unpatched vulnerabilities; it cannot cover a vulnerability that nobody but the attacker knows about, which is the strict meaning of zero day. |
Unified Threat Management
Security appliances made waves throughout 2006. Security software that earlier
had to be installed separately can now be clubbed together and delivered as an
appliance. The leading appliance categories currently are firewall/VPN
appliances, IPS, e-mail security appliances and UTM (Unified Threat Management).
UTM appliances provide firewall, gateway anti-virus, anti-spam, content
filtering, IPS and VPN capabilities in one box. Many UTM vendors use
function-specific ASICs to accelerate deep packet inspection at layers 3 to 7,
and run stripped-down, hardened versions of an OS. UTM devices combine old and
new technologies to protect against various threats. For the firewall component
the commonly used technologies are stateful inspection, deep inspection and what
some vendors call full inspection. Full inspection firewalls are comparatively
new and combine the capabilities of simple packet filters, stateful firewalls
and application-layer firewalls: each layer analyzes a packet separately, so a
packet that any one of them rejects is blocked. For VPNs, UTM devices support
IPSec VPN, SSL VPN, VPN endpoint and clientless VPN over SSL. For anti-virus and
anti-spam every vendor uses different techniques, but mostly they are based on
signature and heuristic analysis, supplemented for spam by looking up online
black and white lists (DNS-based lists of known spam-sending and known-good
hosts). The single-box convenience also makes the UTM a single point of failure,
and its throughput should be tested with every inspection feature switched on,
since that is how it will run in production.
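The difference between a plain port filter and the stateful inspection named above is easiest to see in code. The following is an added illustration, not any UTM vendor's code: a stateless rule that lets "web traffic" through by port number alone, beside a connection-tracking filter that admits an inbound packet only if it continues a connection an inside host opened. The internal prefix, the policy and the packet sequence are constructed for the example.

```python
"""Stateful vs stateless packet filtering, as in a UTM's firewall component.

Added illustration, not any vendor's code. Assumed policy: inside hosts
(10.0.0.0/24 here) may open TCP connections outward; inbound packets are
accepted only when they belong to a connection the filter has seen start.
Packets and flags are constructed for the example; no real traffic is read.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # assumed internal network for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN, "R" RST


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """Port-only rule with no memory: web out, and anything 'from port 80' in.
    This is the classic hole: an attacker simply sets source port 80."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return "ALLOW"
    if not is_inside(pkt.src) and pkt.sport == 80:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Tracks connections so replies pass only for flows opened from inside."""

    def __init__(self):
        self.table = {}  # (in_ip, in_port, out_ip, out_port) -> state

    @staticmethod
    def key(pkt: Packet):
        # Normalize both directions of a flow onto the inside-first tuple.
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> str:
        k = self.key(pkt)
        state = self.table.get(k)
        if is_inside(pkt.src):
            if state is None:
                if pkt.flags != "S":
                    return "DROP"  # inside host may not inject mid-stream
                self.table[k] = "SYN_SENT"  # new outbound connection
                return "ALLOW"
            if pkt.flags in ("F", "R"):
                self.table.pop(k)  # connection closing; forget it
            return "ALLOW"
        # Packet from outside: only a valid continuation of a known flow passes.
        if state is None:
            return "DROP"  # unsolicited inbound, including SYN scans
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[k] = "ESTABLISHED"
            return "ALLOW"
        if state == "ESTABLISHED":
            if pkt.flags in ("F", "R"):
                self.table.pop(k)
            return "ALLOW"
        return "DROP"  # e.g. a bare ACK arriving before the handshake finished


# Constructed packet sequence: a legitimate outbound web connection followed by
# two unsolicited inbound attempts, one of them spoofing source port 80.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "A"),
    Packet("198.51.100.7", 80, "10.0.0.5", 445, "S"),   # source-port-80 trick
    Packet("198.51.100.7", 1234, "10.0.0.5", 80, "S"),  # plain inbound probe
]


def run_stateful(packets):
    f = StatefulFilter()
    return [f.decide(p) for p in packets]


def run_stateless(packets):
    return [stateless_decide(p) for p in packets]


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE, run_stateless(SAMPLE), run_stateful(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:2} "
              f"stateless={a:5} stateful={b}")
```

The fourth packet is the one that matters: the port-only rule waves it through because its source port is 80, while the stateful filter drops it because no inside host ever opened that connection. Deep inspection then adds payload checks on top of the flows this table admits.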
Network Access Control
In simple terms, Network Access Control (NAC) is enforcing policies on a machine
and deciding what level of network access to grant it, depending on the state
of that machine. Vendors use different names for NAC, as there is no standard
for it yet: Microsoft calls it Network Access Protection (NAP) and Cisco calls
it Network Admission Control. A NAC solution gives a centralized view of
security policies and of the state of the network. If it finds an infected or
non-compliant machine, it can limit or block that machine's access, based on the
defined policies. To achieve this the machine has an agent installed. When an
endpoint connects to the network, the NAC device or software challenges it for
its anti-virus state (and more generally its patch and configuration state); the
agent on the endpoint sends those details to the NAC control device. If the
endpoint is non-compliant, the NAC solution decides, on the basis of policies,
whether the endpoint should be quarantined (typically on a remediation network
from which it can reach only update servers) or given access. Agentless devices
such as printers and IP phones cannot report their state, so they need a
separate policy, usually based on their identity rather than their health.
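The decision the NAC control device makes from the agent's report is a policy evaluation. The following is an added illustration of that step, not Cisco NAC or Microsoft NAP code: it takes constructed posture reports, applies an assumed policy (signature age, patch level, host firewall) and returns full access, quarantine or deny along with the VLAN the switch would be told to use. Field names, thresholds, VLAN names and the fixed date are all assumptions for the example.

```python
"""NAC policy decision: evaluate an endpoint's reported state and pick an access level.

Added illustration, not Cisco NAC or Microsoft NAP code. The report fields,
thresholds, VLAN names and the fixed 'today' date are assumptions for the
example; a real agent would report far more (patch list, running services).
"""
from datetime import date

# Assumed enterprise policy for the example.
POLICY = {
    "max_signature_age_days": 3,   # AV signatures older than this are stale
    "required_patch_level": 12,    # assumed monotonically increasing patch level
    "require_host_firewall": True,
}

# Assumed network placement for each decision: the switch assigns a VLAN.
VLAN_FOR = {"full": "corp-vlan", "quarantine": "remediation-vlan", "deny": None}

TODAY = date(2006, 12, 1)  # fixed so the example is reproducible


def evaluate_posture(report: dict, policy: dict = POLICY, today: date = TODAY):
    """Return (decision, reasons); decision is 'full', 'quarantine' or 'deny'.

    quarantine = can reach only remediation servers (AV updates, patch server).
    deny       = no network access at all.
    """
    if not report.get("agent_present"):
        # No agent, no statement of health: nothing here can be verified.
        return "deny", ["no NAC agent, posture cannot be verified"]
    if report.get("infected"):
        # The agent reports an active infection: keep the machine off entirely.
        return "deny", ["active infection reported by agent"]

    reasons = []
    if not report.get("av_running"):
        reasons.append("anti-virus not running")
    sig_age = (today - report["av_signature_date"]).days
    if sig_age > policy["max_signature_age_days"]:
        reasons.append(f"anti-virus signatures {sig_age} days old")
    if report["patch_level"] < policy["required_patch_level"]:
        reasons.append(f"patch level {report['patch_level']} below required "
                       f"{policy['required_patch_level']}")
    if policy["require_host_firewall"] and not report.get("host_firewall"):
        reasons.append("host firewall disabled")
    return ("full", []) if not reasons else ("quarantine", reasons)


def admit(report: dict) -> dict:
    """What the NAC control device hands back to the switch for this endpoint."""
    decision, reasons = evaluate_posture(report)
    return {"decision": decision, "vlan": VLAN_FOR[decision], "reasons": reasons}


# Constructed posture reports, as an agent might send them.
REPORTS = {
    "healthy-laptop": dict(agent_present=True, av_running=True,
                           av_signature_date=date(2006, 11, 30), patch_level=12,
                           host_firewall=True, infected=False),
    "stale-desktop": dict(agent_present=True, av_running=True,
                          av_signature_date=date(2006, 11, 20), patch_level=11,
                          host_firewall=True, infected=False),
    "visitor-pc": dict(agent_present=False),
    "worm-host": dict(agent_present=True, av_running=False,
                      av_signature_date=date(2006, 11, 30), patch_level=12,
                      host_firewall=False, infected=True),
}


def decisions(reports: dict = REPORTS) -> dict:
    return {name: admit(r) for name, r in reports.items()}


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name:15} -> {result['decision']:10} "
              f"vlan={result['vlan']} {result['reasons']}")
```

The order of the checks is deliberate: an endpoint that cannot be verified at all is treated as deny rather than quarantine, because a quarantine network still gives it something to attack, and the agent's self-report is only as trustworthy as the agent, which is why real deployments pair it with identity (802.1X) and with observation from the network side.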
Various software and appliances are available for enforcing NAC, such as Cisco's
NAC framework and Microsoft's NAP (Network Access Protection).
Spear phishing |
Spear phishing is targeted at a specific group or an enterprise. The e-mail appears to come from a genuine employee, with its headers and sender information spoofed, and is designed to look like it was sent by someone who regularly sends mail, such as an administrator; it contains details such as phone numbers to make it convincing. It usually takes the user to a fake website built to steal company information, whereas ordinary phishing is designed to steal an individual's information. Beware: spear phish mail can also carry key loggers or Trojans. |
Image spam and solutions
This is spam that arrives as a picture attachment with the message written on
the image. It beats traditional text-based spam filters, which are not built to
read images. Barracuda Networks has come out with OCR and fingerprint analysis
methods to detect such spam.
OCR: The Barracuda Spam Firewall decodes the text in images with OCR and gives
it a score based on the rule sets present on the device. This score is combined
with other factors, such as how the message is constructed and its headers, to
decide whether to block the mail.
Fingerprinting: Spam fingerprints are collected from honeypots as well as from
other Barracuda Spam Firewall users who opt to submit their spam for analysis.
Using this database, the solution profiles components of new spam against known
fingerprints and automatically detects spam on a match.
Context Adaptive Scanning Engine (CASE): IronPort's CASE counters image spam by
looking at the full context of a message: who sent it, where it directs the
recipient, how it is constructed and what it contains. It also looks for color
patterns within an image that indicate the presence of text, since the majority
of legitimate images sent through e-mail contain little text.
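Why fingerprinting works where a plain hash of the attachment does not: spammers randomize each copy of the image by flipping or inserting a few bytes, so no two copies hash alike. The following is an added illustration of the fingerprinting idea, not Barracuda's or IronPort's code. It hashes chunks whose boundaries are chosen by the content itself (content-defined chunking), so a slightly altered copy still shares most chunks with the sample in the database. The "attachments" are constructed random bytes rather than real images, and the window, divisor and match threshold are assumptions.

```python
"""Spam fingerprinting with content-defined chunking.

Added illustration of the fingerprinting approach, not Barracuda's or
IronPort's code. The samples below are constructed random bytes, not real
images; WINDOW, DIVISOR and MATCH_THRESHOLD are assumptions for the example.
"""
import hashlib
import random
import zlib

WINDOW = 8      # bytes of rolling context used to pick a boundary
DIVISOR = 16    # boundary when crc32(window) % DIVISOR == 0: ~16-byte chunks
MIN_CHUNK = 4
MATCH_THRESHOLD = 0.5  # Jaccard similarity at or above which we call it a match


def content_defined_chunks(data: bytes):
    """Split data at positions chosen by the bytes themselves, so an insertion
    only disturbs the chunks around it instead of every chunk after it."""
    start = 0
    for i in range(WINDOW, len(data)):
        if i - start >= MIN_CHUNK and zlib.crc32(data[i - WINDOW:i]) % DIVISOR == 0:
            yield data[start:i]
            start = i
    yield data[start:]


def fingerprint(data: bytes) -> frozenset:
    return frozenset(hashlib.sha1(c).hexdigest()[:16]
                     for c in content_defined_chunks(data))


def similarity(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def exact_hash(data: bytes) -> str:
    """Whole-file hash: what a naive blocklist would store, and what the
    spammer's per-copy randomization defeats."""
    return hashlib.sha1(data).hexdigest()


def classify(data: bytes, known: dict) -> dict:
    """Compare one attachment against the fingerprint database."""
    fp = fingerprint(data)
    best_name, best_score = None, 0.0
    for name, known_fp in known.items():
        s = similarity(fp, known_fp)
        if s > best_score:
            best_name, best_score = name, s
    verdict = "spam" if best_score >= MATCH_THRESHOLD else "clean"
    return {"verdict": verdict,
            "match": best_name if verdict == "spam" else None,
            "score": round(best_score, 3)}


def _random_bytes(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: the campaign's original image, a randomized copy (three
# bytes flipped plus a five-byte insertion), and an unrelated legitimate file.
SPAM_ORIGINAL = _random_bytes(1, 2000)
_v = bytearray(SPAM_ORIGINAL)
for _pos in (200, 1200, 1800):
    _v[_pos] ^= 0xFF
_v[700:700] = b"\x00\x01\x02\x03\x04"
SPAM_VARIANT = bytes(_v)
LEGIT_PHOTO = _random_bytes(2, 2000)

# The fingerprint database, as built from honeypot and user-submitted samples.
KNOWN_SPAM = {"campaign-A": fingerprint(SPAM_ORIGINAL)}


if __name__ == "__main__":
    print("whole-file hash matches the variant:",
          exact_hash(SPAM_VARIANT) == exact_hash(SPAM_ORIGINAL))
    for label, data in (("variant", SPAM_VARIANT), ("legit", LEGIT_PHOTO)):
        print(label, classify(data, KNOWN_SPAM))
```

The variant fails the whole-file hash comparison but still scores well above the threshold against the campaign fingerprint, while the unrelated file shares essentially no chunks. In a real filter this score is one input among several (headers, the URLs the message points to, OCR output), which is the "full context" approach the CASE description above refers to.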
Solution Vendors |
MSS Vendors: Verisign (www.verisign.com), Secure Synergy (www.securesynergy.com). UTM Vendors: (no entries). NAC Vendors: (no entries). |
Network behavior analysis
This is an additional layer of security that can be added to an enterprise's
existing security infrastructure. An NBA solution continuously monitors network
traffic (typically flow records exported by routers and switches, or a tap or
SPAN port) looking for unusual patterns that could indicate threats. It first
uses this information to set a baseline for normal network activity and then
detects departures from it. The system builds a profile of the behavior of
systems, users and applications inside the network and continuously monitors
their activity, alerting operations teams to security events, performance
issues and policy violations. NBA systems profile every system on the network:
which clients and servers are active, which ports and protocols they use, whom
they talk to and how much they send. Two caveats apply. A baseline learned from
an already-compromised network will treat the compromise as normal, so the
learning period needs to be reviewed; and a deviation is only a deviation, so
someone still has to decide whether a change is an attack or just new business.
An NBA product has to be used in addition to conventional security solutions
for blocking malware; it is not useful on its own.
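What "baseline, then detect deviations" looks like in practice, as an added illustration rather than any NBA vendor's product: the code learns, per host, the destination ports used, the most peers contacted in any hour and the hourly byte volume from constructed flow records, then flags a host that starts scanning a new port across the subnet, a host that suddenly uploads far more than usual, and a host that was never profiled. The flow fields, the 3-sigma volume rule and the 3x fan-out rule are assumptions for the example; a real deployment would read NetFlow or sFlow exports.

```python
"""Network behavior analysis: learn a per-host baseline from flow records,
then flag hosts that depart from it.

Added illustration, not any NBA vendor's product. Flow records here are
constructed (host = the initiating side, peer, destination port, bytes,
hour); a real deployment would read NetFlow/sFlow exports or a span port.
The thresholds (3 sigma on volume, 3x peer fan-out) are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_baseline(flows: list) -> dict:
    """Per host: ports used, max distinct peers in any hour, hourly byte stats."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["host"]].append(f)
    baseline = {}
    for host, fs in by_host.items():
        bytes_per_hour = defaultdict(int)
        peers_per_hour = defaultdict(set)
        for f in fs:
            bytes_per_hour[f["hour"]] += f["bytes"]
            peers_per_hour[f["hour"]].add(f["peer"])
        vols = list(bytes_per_hour.values())
        baseline[host] = {
            "ports": {f["dport"] for f in fs},
            "max_peers": max(len(p) for p in peers_per_hour.values()),
            "mean_bytes": mean(vols),
            "std_bytes": pstdev(vols),
        }
    return baseline


def detect(baseline: dict, flows: list, sigma: float = 3.0, fanout: int = 3) -> list:
    """Compare each (host, hour) of new flows against the learned profile."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["host"], f["hour"])].append(f)
    alerts = []

    def alert(host, hour, kind, detail):
        alerts.append({"host": host, "hour": hour, "kind": kind, "detail": detail})

    for (host, hour), fs in sorted(groups.items()):
        p = baseline.get(host)
        if p is None:
            alert(host, hour, "unknown_host", "no baseline for this host")
            continue
        new_ports = {f["dport"] for f in fs} - p["ports"]
        if new_ports:
            alert(host, hour, "new_port",
                  f"never-seen destination ports {sorted(new_ports)}")
        peers = len({f["peer"] for f in fs})
        if peers > fanout * p["max_peers"]:
            alert(host, hour, "fan_out",
                  f"{peers} peers vs baseline max {p['max_peers']} (scan/worm-like)")
        vol = sum(f["bytes"] for f in fs)
        limit = p["mean_bytes"] + sigma * p["std_bytes"]
        if vol > limit:
            alert(host, hour, "volume",
                  f"{vol} bytes vs limit {limit:.0f} (exfiltration-like)")
    return alerts


def flow(host, peer, dport, nbytes, hour):
    return {"host": host, "peer": peer, "dport": dport, "bytes": nbytes, "hour": hour}


def constructed_baseline_flows():
    """24 hours of routine traffic: a workstation doing DNS and HTTPS,
    and a mail server relaying outbound SMTP."""
    flows = []
    for h in range(24):
        flows.append(flow("10.0.0.9", "10.0.0.1", 53, 2000 + 100 * (h % 3), h))
        flows.append(flow("10.0.0.9", "203.0.113.10", 443, 40000 + 5000 * (h % 5), h))
        flows.append(flow("10.0.0.20", "198.51.100.25", 25, 30000, h))
    return flows


def constructed_new_flows():
    """Next two hours: the workstation probes port 445 across the subnet, then
    pushes an unusually large upload; the mail server stays normal."""
    flows = [flow("10.0.0.9", f"10.0.0.{100 + i}", 445, 600, 24) for i in range(30)]
    flows.append(flow("10.0.0.9", "203.0.113.10", 443, 5_000_000, 25))
    flows.append(flow("10.0.0.20", "198.51.100.25", 25, 30000, 24))
    flows.append(flow("10.0.0.77", "203.0.113.99", 6667, 500, 24))  # never profiled
    return flows


def run_demo() -> list:
    baseline = build_baseline(constructed_baseline_flows())
    return detect(baseline, constructed_new_flows())


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['host']:10} hour {a['hour']:2} {a['kind']:12} {a['detail']}")
```

Note what the port-445 sweep does and does not trigger: the bytes involved are tiny, so a volume rule alone would miss it, but the new port and the jump from two peers an hour to thirty both fire. That is the point of profiling several dimensions of a host's behavior rather than one.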
SSL VPN
SSL VPN gateways enable secure access from anywhere to data and applications
residing on the corporate network. SSL is used to encrypt the VPN tunnel over
the Internet. A user connects to the appliance through a Web browser and, after
authentication by the appliance, gains access to the permitted applications and
resources. Unlike traditional IPSec VPNs, SSL VPN doesn't require a
pre-installed client on the user's machine; the basic mode is entirely Web
based. Since SSL was initially used almost exclusively for Web traffic, getting
non-Web applications to work through an SSL VPN requires redirecting their
traffic through the SSL tunnel, which is usually done by a small agent or
browser plug-in downloaded on demand (so the "clientless" label holds only for
the Web-proxied mode). The appliance can also perform a posture check on the
user's device (anti-virus status, patch level, whether it is a managed corporate
machine) to make sure the device doesn't endanger the corporate network, and it
should restrict what an unmanaged device such as a kiosk PC is allowed to reach.