Network Security

PCQ Bureau

Network security is one of the most talked about and most heavily invested areas for enterprises. During the course of the year we have seen all sorts of attacks, ranging from phishing to zero-day exploits, and various trends such as Managed Security Services and Network Access Control (which is said to be the next big thing) emerge. Here we look at some of the new trends and solutions, and see what kind of protection they provide and how.


Managed Security Services (MSS)

Managed security services means outsourcing an enterprise's security operations to an MSP (Managed Security Provider). By outsourcing the network security tasks that are crucial and require 24x7 support, monitoring and compliance maintenance, enterprises can leave tracking the latest threats to the provider and stay focused on their core business. IPS and IDS management, firewall management and monitoring, vulnerability management, log management and security risk profiling are the most commonly outsourced services in MSS.

Another advantage of MSS is that the provider's security experts monitor your infrastructure, so you don't have to hire in-house experts for round-the-clock coverage. MSS also gives cost control, as the enterprise doesn't have to make frequent investments in tools and staff; that is the responsibility of the MSP. What cannot be outsourced is accountability: the enterprise still owns the risk, so the contract should spell out what the MSP monitors, how quickly it must respond and what it reports back.

Zero Day Solutions

Zero Day attacks have been in the news of late. A zero-day attack exploits a vulnerability for which the vendor has not yet shipped a patch, so defences that wait for the patch cycle are of no help. Network security providers have started providing zero-day protection software, and almost all security appliances now offer some form of it. The two most popular approaches are application-level firewalls and pro-active protection against zero-day vulnerability exploits. In application-level firewalls, a software agent sitting on the machine constantly monitors application behaviour and restricts the application when it does something outside its normal profile, such as a document viewer spawning a shell or opening a listening port. In the pro-active protection approach, as soon as a vulnerability is disclosed (even before the vendor releases a patch), the security vendor releases an alert and a protection signature for it, so by the time a worm exploiting that vulnerability appears you are already protected. The caveat is that this covers the gap between disclosure and patch rather than truly unknown vulnerabilities, and a signature written from a disclosure can miss variants of the exploit.

Unified Threat Management

Security appliances made waves throughout 2006. Security software that we had to install separately can now be clubbed together and implemented as an appliance. Currently the leading appliances are firewall/VPN appliances, IPS, e-mail security appliances and UTM (Unified Threat Management). UTM appliances provide firewall, gateway anti-virus, anti-spam, content filtering, IPS and VPN capabilities in one box. These devices run stripped-down and hardened versions of an OS, and many vendors use function-specific ASICs to accelerate deep packet inspection at layers 3-7, since inspecting every payload in software is what limits the throughput of an all-in-one box. UTM devices use all sorts of technologies, new and old, to protect against various threats. For firewall capabilities the commonly used technologies are stateful inspection, deep inspection and full inspection. Full inspection firewalls are comparatively new and combine the capabilities of simple packet-filtering, application-layer and stateful firewalls. Each capability analyzes a packet separately for threats, so a packet that one stage misses can still be caught by another; this does not make the box bulletproof, but it reduces the chance that a suspect packet passes. For VPNs, UTM devices support IPSec VPN, SSL VPN, VPN endpoint and clientless VPN over SSL. For anti-virus and anti-spam every vendor uses different techniques, but mostly they are based on signatures and heuristic analysis, and on looking up online blacklists and whitelists to detect spam.
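
As an added example (not code from any UTM vendor or from this article), the Python sketch below shows the two inspection stages described above working together: a stateful flow table that admits only replies to connections an inside host opened, followed by an application-layer signature check on the admitted payload. The packets, addresses, the internal prefix and the two signatures are all constructed for illustration and are not any vendor's rule set.

```python
"""Stateful inspection plus a deep (layer 7) inspection stage, as a toy.

Added example, not vendor code. Packets are plain dicts; the inside
network prefix and the L7 signatures are assumptions for the demo.
"""
import re

INSIDE_NET = "10.0.0."   # assumed internal address prefix

# Constructed application-layer signatures (not any vendor's rule set)
L7_SIGNATURES = [
    ("http-path-traversal", re.compile(rb"\.\./\.\./")),
    ("shell-metachar-in-request", re.compile(rb"GET [^ ]*[;|`]")),
]


def is_inside(ip):
    return ip.startswith(INSIDE_NET)


class StatefulFirewall:
    """Tracks TCP flows by 5-tuple; only the inside may open a flow."""

    def __init__(self):
        self.flows = {}   # 5-tuple of the opening packet -> state

    @staticmethod
    def key(p):
        return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])

    @staticmethod
    def reverse_key(p):
        return (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])

    @staticmethod
    def deep_inspect(p):
        """Return the name of the first L7 signature hit, or None."""
        for name, sig in L7_SIGNATURES:
            if sig.search(p.get("payload", b"")):
                return name
        return None

    def process(self, p):
        """Return (verdict, reason) for one packet, updating flow state."""
        k, rk = self.key(p), self.reverse_key(p)
        if is_inside(p["src"]) and not is_inside(p["dst"]):
            # Outbound: must belong to an existing flow or be a new TCP SYN
            if k in self.flows:
                pass
            elif p["proto"] == "tcp" and "S" in p.get("flags", ""):
                self.flows[k] = "SYN_SENT"
            else:
                return "drop", "outbound packet without an open flow"
        elif rk in self.flows:
            # Inbound reply to a flow the inside opened
            self.flows[rk] = "ESTABLISHED"
        else:
            return "drop", "unsolicited inbound packet"
        hit = self.deep_inspect(p)
        if hit:
            # The flow stays tracked; only the offending packet is dropped
            return "drop", "l7 signature " + hit
        return "allow", "ok"


def pkt(src, sport, dst, dport, flags="", payload=b"", proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "flags": flags, "payload": payload}


# Constructed trace: a normal web session, an unsolicited inbound SYN to
# SMB, and a request carrying a path-traversal payload on the open flow.
TRACE = [
    pkt("10.0.0.5", 40000, "203.0.113.9", 80, flags="S"),
    pkt("203.0.113.9", 80, "10.0.0.5", 40000, flags="SA"),
    pkt("10.0.0.5", 40000, "203.0.113.9", 80, flags="A",
        payload=b"GET /index.html HTTP/1.1\r\n"),
    pkt("198.51.100.7", 5555, "10.0.0.5", 445, flags="S"),
    pkt("10.0.0.5", 40000, "203.0.113.9", 80, flags="PA",
        payload=b"GET /../../etc/passwd HTTP/1.1\r\n"),
]


def run_trace(trace=TRACE):
    """Run the trace through a fresh firewall and return the verdicts."""
    fw = StatefulFirewall()
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for p, (verdict, why) in zip(TRACE, run_trace()):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}  {verdict:5}  {why}")
```

The stateful stage alone would have passed the path-traversal request, because it belongs to a legitimate open connection; the deep-inspection stage alone would have passed the inbound SMB SYN, because its payload is empty. That is the point of layering them in one box.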


Network Access Control

In simple terms, Network Access Control (NAC) means enforcing policies on a machine and determining what level of network access to grant, depending on the state of the machine. NAC is termed differently by different vendors: Microsoft calls it Network Access Protection (NAP) and Cisco calls it Network Admission Control, as there is no standard for NAC yet. A NAC solution gives a centralized view of security policies and of the state of the network. If it finds a non-compliant machine (infected, unpatched, or running without anti-virus), it can, based on the defined policies, limit or ban that machine's access. To achieve this, the machine has a client (agent) installed. When an endpoint connects to the network, the NAC device or software challenges it for its anti-virus and patch state, and the agent on the machine sends those details to the NAC control device. If the endpoint is non-compliant, the NAC solution decides, on the basis of policies, whether the endpoint should be quarantined (typically moved to a remediation VLAN from which it can only reach update servers) or given access. A machine with no agent at all cannot answer the challenge, so the policy must also say what to do with unmanaged and guest devices.
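
As an added example (not Cisco NAC or Microsoft NAP code, and not from the article), the Python below models the decision described above: the control device evaluates each endpoint's agent report against a policy and maps the result to full access, a remediation VLAN or the guest network. The policy values, agent reports, hostnames and VLAN names are constructed for the demo; a real NAC device would receive the report over 802.1X/EAP or a vendor protocol rather than as a dict.

```python
"""NAC posture check and access decision, as an added example.

Not Cisco NAC or Microsoft NAP code. The agent reports, the policy and
the VLAN names are constructed for the demo.
"""
from datetime import date

# Policy the NAC control device enforces (constructed)
POLICY = {
    "require_av": True,
    "max_signature_age_days": 7,
    "require_realtime": True,
    "min_patch_level": 5,
}

# VLAN each decision maps to (constructed names)
VLAN_FOR = {"grant": "corporate", "quarantine": "remediation", "deny": "guest"}


def evaluate_posture(report, policy=POLICY, today=date(2006, 12, 1)):
    """Return (decision, vlan, failures) for one endpoint's agent report.

    report is None when the endpoint did not answer the challenge
    (no agent installed), which is treated as an unmanaged device.
    """
    if report is None:
        return "deny", VLAN_FOR["deny"], ["no agent response"]
    failures = []
    av = report.get("antivirus")
    if av is None:
        if policy["require_av"]:
            failures.append("anti-virus not installed")
    else:
        age = (today - date.fromisoformat(av["signature_date"])).days
        if age > policy["max_signature_age_days"]:
            failures.append(f"signatures {age} days old")
        if policy["require_realtime"] and not av["realtime"]:
            failures.append("real-time protection disabled")
    level = report.get("patch_level", 0)
    if level < policy["min_patch_level"]:
        failures.append(f"patch level {level} below {policy['min_patch_level']}")
    if failures:
        return "quarantine", VLAN_FOR["quarantine"], failures
    return "grant", VLAN_FOR["grant"], []


# Constructed agent reports keyed by hostname; None = no agent answered
REPORTS = {
    "ws-finance-01": {"antivirus": {"signature_date": "2006-11-29", "realtime": True},
                      "patch_level": 6},
    "laptop-sales-07": {"antivirus": {"signature_date": "2006-11-10", "realtime": False},
                        "patch_level": 6},
    "visitor-pc": None,
}


def admission_table(reports=REPORTS):
    """Map every endpoint to the access the NAC device would grant."""
    return {host: evaluate_posture(rep) for host, rep in reports.items()}


if __name__ == "__main__":
    for host, (decision, vlan, why) in admission_table().items():
        print(f"{host:16} {decision:10} vlan={vlan:12} {'; '.join(why) or 'compliant'}")
```

Note that the quarantine verdict carries the list of failures: the agent needs that list to drive remediation (pull signatures, enable real-time scanning) before it asks to be re-evaluated, otherwise the machine sits in the remediation VLAN with no way out.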

Various software and appliances are available for enforcing NAC, such as Cisco's NAC framework and Microsoft's NAP (Network Access Protection).

Spear phishing

Spear phishing is targeted at a specific group or an enterprise. The e-mail appears to come from a genuine employee, with its headers and sender information spoofed. The mail is designed to look like it was sent by someone who regularly sends e-mail, such as an administrator, and contains convincing details such as phone numbers. It usually takes the user to a fake website built to steal company information, as compared to ordinary phishing attacks, which are designed to steal an individual's information. Beware: spear phish mail can also carry key loggers or Trojans, and because the message is tailored to the target, the spelling mistakes and generic greetings that give away bulk phishing are usually absent.
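
The spoofed headers the spear phishing description above relies on leave traces a gateway or an incident responder can check. As an added example (not any vendor's filter logic and not from the article), the Python below runs four such checks over two constructed messages: an employee's display name on a foreign address, a From at the corporate domain that disagrees with Return-Path or Reply-To, a look-alike sender domain, and links in the body that lead off the corporate domain. The corporate domain, the employee directory and both messages are assumptions made up for the demo.

```python
"""Header and link checks for a suspected spear phish, as an added example.

Not any vendor's gateway logic. The corporate domain, the employee
directory and the sample messages are constructed for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed
DIRECTORY = {"IT Administrator", "Priya Nair"}    # constructed employee names
HREF_RE = re.compile(r'href=["\']?(https?://[^/"\'>\s]+)', re.I)


def header_domain(msg, name):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spear_phish_indicators(raw):
    """Return a list of human-readable reasons the mail looks spoofed."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    hits = []
    # 1. Display name of a real employee on a foreign address
    if display in DIRECTORY and from_dom != CORP_DOMAIN:
        hits.append(f"'{display}' is an employee but sender domain is {from_dom}")
    if from_dom == CORP_DOMAIN:
        # 2. Claims internal origin: envelope sender and Reply-To must agree
        for hdr in ("Return-Path", "Reply-To"):
            d = header_domain(msg, hdr)
            if d and d != CORP_DOMAIN:
                hits.append(f"From is {CORP_DOMAIN} but {hdr} is {d}")
    elif 0 < edit_distance(from_dom, CORP_DOMAIN) <= 2:
        # 3. Typosquatted / look-alike sender domain
        hits.append(f"look-alike sender domain {from_dom}")
    # 4. Links in the body that lead off the corporate domain
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in HREF_RE.findall(body.get_content() if body else ""):
        host = url.split("://", 1)[1].lower()
        if host != CORP_DOMAIN and not host.endswith("." + CORP_DOMAIN):
            hits.append(f"link leads off-domain: {host}")
    return hits


# Constructed sample: admin impersonation with a phone number for credibility
SPEAR_PHISH = """\
Return-Path: <bounce@mail-relay.invalid>
From: IT Administrator <it-admin@example.com>
Reply-To: helpdesk@examp1e.com
To: priya.nair@example.com
Subject: Password expiry - action required
Content-Type: text/html

<p>Your password expires today. Call the helpdesk on +91-11-5555-0100 or
<a href="http://portal.examp1e.com/login">sign in here</a> to renew.</p>
"""

# Constructed sample: genuine internal mail
LEGIT = """\
Return-Path: <priya.nair@example.com>
From: Priya Nair <priya.nair@example.com>
To: team@example.com
Subject: Menu for Friday
Content-Type: text/html

<p>Menu is on the <a href="https://intranet.example.com/menu">intranet</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("spear phish", SPEAR_PHISH), ("legit", LEGIT)):
        print(label, spear_phish_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own (mailing lists legitimately rewrite Return-Path, for instance), which is why the function returns every indicator rather than a single verdict; the more of them that fire on one message, the less likely it is an innocent explanation.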


Image spam and solutions

This is spam that comes with a picture attachment with the message written on the image. It beats traditional spam filters, which score text and are not built to decode images. Barracuda Networks has come out with OCR and fingerprint analysis methods to detect such spam.

OCR: With OCR, the Barracuda Spam Firewall decodes the text in images and gives it a score based on the rule sets present in the device. This score is combined with other factors, such as how the message is constructed, its headers, etc, to determine whether to block the mail.

Fingerprinting: Spam fingerprints are collected from honeypots as well as from other Barracuda Spam Firewall users who opt to submit their spam for analysis. Using this database, the solution profiles components of new mail against known fingerprints and automatically flags spam on a match. Spammers respond by randomizing a few pixels in each copy so that exact checksums differ, which is why such fingerprints have to be fuzzy rather than simple hashes of the whole file.
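
As an added example of the fingerprinting idea (not Barracuda's or IronPort's implementation, and not from the article), the Python below builds a fuzzy fingerprint from the hashes of every overlapping byte window of an attachment, so a spam image re-sent with a handful of bytes randomized still scores highly against the fingerprint submitted from a honeypot, while an unrelated image scores near zero. The "images" are constructed pseudo-random byte strings standing in for real files, and the window size and match threshold are assumptions.

```python
"""Fuzzy fingerprinting of image attachments, as an added example.

Not Barracuda's or IronPort's implementation. A fingerprint is the set
of hashes of every overlapping byte window of the attachment, so a spam
image re-sent with a few bytes changed still overlaps heavily with the
fingerprint submitted from a honeypot. Attachments below are
constructed pseudo-random byte strings standing in for image files.
"""
import hashlib
import random

WINDOW = 16            # bytes per window (assumption)
MATCH_THRESHOLD = 0.6  # Jaccard similarity above which we call it a match


def fingerprint(data, window=WINDOW):
    """Set of truncated SHA-256 digests of each window-byte slice."""
    if len(data) < window:
        return {hashlib.sha256(data).hexdigest()[:16]}
    return {hashlib.sha256(data[i:i + window]).hexdigest()[:16]
            for i in range(len(data) - window + 1)}


def similarity(fp_a, fp_b):
    """Jaccard similarity of two fingerprints (0.0 .. 1.0)."""
    if not fp_a or not fp_b:
        return 0.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


class FingerprintDB:
    """Known-spam fingerprints, fed from honeypots and opted-in users."""

    def __init__(self):
        self.known = {}

    def submit(self, label, data):
        self.known[label] = fingerprint(data)

    def classify(self, data):
        """Return (is_spam, best_score, best_label) for an attachment."""
        fp = fingerprint(data)
        score, label = 0.0, None
        for lbl, known_fp in self.known.items():
            s = similarity(fp, known_fp)
            if s > score:
                score, label = s, lbl
        return score >= MATCH_THRESHOLD, score, label


def fake_image(seed, size=1024):
    """Constructed stand-in for an image file: deterministic random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def mutate(data, positions):
    """Flip one byte at each position (what a spammer's randomizer does)."""
    out = bytearray(data)
    for p in positions:
        out[p] ^= 0xFF
    return bytes(out)


def demo():
    """Classify a randomized re-send of a known spam image and a clean one."""
    db = FingerprintDB()
    db.submit("stock-tip-campaign", fake_image(seed=1))       # from a honeypot
    resent = mutate(fake_image(seed=1), [100, 300, 500, 700, 900])
    legit = fake_image(seed=2)                               # unrelated image
    return db.classify(resent), db.classify(legit)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Five changed bytes in a 1 KB file disturb only the windows that contain them (about 80 of roughly 1,000), so the re-sent copy still scores around 0.85. A whole-file hash would have scored zero on the same input, which is exactly the evasion the spammer is counting on. Real products add a similar trick on the decoded pixel data rather than the raw bytes, so that re-encoding the image does not defeat the match either.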


Context Adaptive Scanning Engine (CASE): IronPort's CASE counters image spam by looking at the full context of a message: it analyzes 'Who' has sent the message, 'Where' the message is directing the recipient, 'How' the message is constructed and 'What' it contains. It also looks for colour patterns within an image that indicate the presence of text, since the majority of valid images sent through e-mail hardly contain a large quantity of text.

Solution Vendors

MSS Vendors
Verisign: www.verisign.com
Secure Synergy: www.securesynergy.com

UTM Vendors
Cyberoam: www.cyberoam.com
Fortinet: www.fortinet.com

NAC Vendors
Cisco NAC: www.cisco.com
Microsoft NAP: www.microsoft.com/nap


Network behavior analysis

This is an additional layer of security that can be added to the existing security infrastructure of an enterprise. An NBA solution continuously monitors traffic in a network looking for unusual patterns that could indicate the presence of threats. It first uses this information to set a baseline for normal network activity and then detects deviations from it. The system builds a profile of the behavior of systems, users and applications inside the network and continuously monitors their activity, alerting operations teams to security events, performance issues and policy violations. NBA systems profile every system on the network, identifying which clients and servers are logged on, which ports and protocols are used, and so on. Because it only detects, an NBA product has to be used in addition to conventional security solutions that block malware; it is not useful on its own. Its weak spot is the baseline itself: if the learning period already contains a compromised host, that host's behaviour is learned as normal.
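
As an added example of the baseline-then-deviate approach described above (not any NBA vendor's engine, and not from the article), the Python below learns a per-host profile from constructed NetFlow-like records (which services a host uses, which peers it talks to, how big its flows are) and then flags a later interval for a never-seen service, a byte-volume outlier, a scan-like fan-out to many new peers, and a host that was absent during learning. The flow records, thresholds and addresses are all assumptions made up for the demo.

```python
"""Baseline-and-deviation detection over flow records, as an added example.

Not any NBA vendor's engine. Flows are constructed NetFlow-like tuples
(src, dst, proto, dport, bytes); the learning set stands for a clean
period of traffic, the detection set for one later interval.
"""
from collections import defaultdict
from statistics import mean, pstdev


class Baseline:
    """Per-host profile of services used, peers talked to and flow sizes."""

    def __init__(self):
        self.services = defaultdict(set)   # src -> {(proto, dport)}
        self.peers = defaultdict(set)      # src -> {dst}
        self.sizes = defaultdict(list)     # src -> [bytes per flow]

    def learn(self, flows):
        for src, dst, proto, dport, nbytes in flows:
            self.services[src].add((proto, dport))
            self.peers[src].add(dst)
            self.sizes[src].append(nbytes)

    def detect(self, flows, z_limit=3.0, fanout_limit=10):
        """Return (src, kind, detail) alerts for flows that leave the baseline."""
        alerts = []
        new_peers = defaultdict(set)
        for src, dst, proto, dport, nbytes in flows:
            if src not in self.services:
                alerts.append((src, "unknown host", f"{proto}/{dport} to {dst}"))
                continue
            if (proto, dport) not in self.services[src]:
                alerts.append((src, "new service", f"{proto}/{dport} to {dst}"))
            if dst not in self.peers[src]:
                new_peers[src].add(dst)
            mu, sd = mean(self.sizes[src]), pstdev(self.sizes[src])
            if sd > 0 and (nbytes - mu) / sd > z_limit:
                alerts.append((src, "volume outlier",
                               f"{nbytes} bytes vs baseline mean {mu:.0f}"))
        # Many never-seen peers in one interval looks like a scan or a worm
        for src, peers in new_peers.items():
            if len(peers) >= fanout_limit:
                alerts.append((src, "fan-out", f"{len(peers)} new peers"))
        return alerts


# Constructed learning traffic: one workstation browsing and using a file server
LEARN = (
    [("10.0.0.5", "203.0.113.9", "tcp", 80, b) for b in (4000, 5000, 6000)]
    + [("10.0.0.5", "203.0.113.9", "tcp", 443, b) for b in (5000, 4500, 5500)]
    + [("10.0.0.5", "10.0.0.20", "tcp", 445, 5000)]
)

# Constructed later interval: IRC to a new host, a huge upload, an SMB sweep
# across a dozen neighbours, and a host never seen during learning
DETECT = (
    [("10.0.0.5", "198.51.100.7", "tcp", 6667, 300),
     ("10.0.0.5", "203.0.113.9", "tcp", 443, 50_000_000)]
    + [("10.0.0.5", f"10.0.0.{i}", "tcp", 445, 200) for i in range(101, 113)]
    + [("10.0.0.99", "10.0.0.20", "tcp", 445, 1000)]
)


def demo():
    """Learn from LEARN, then report what DETECT does that LEARN never did."""
    base = Baseline()
    base.learn(LEARN)
    return base.detect(DETECT)


if __name__ == "__main__":
    for src, kind, detail in demo():
        print(f"{src:10} {kind:15} {detail}")
```

The SMB sweep is the instructive case: each individual flow is to a known service (tcp/445) with an unremarkable size, so no per-flow rule fires; only aggregating the new peers over the interval exposes it. Note also what the example does not do: it never looks inside a payload, which is why the text is right that NBA complements rather than replaces the blocking controls.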

SSL VPN

SSL VPN gateways enable secure access to data and applications residing on the corporate network from anywhere. SSL is used to encrypt the VPN session over the Internet. A user connects to the appliance through a Web browser and, after authentication by the appliance, gains access to the permitted applications and resources. Unlike traditional IPSec VPNs, an SSL VPN doesn't require a pre-installed client on the user's machine; for Web applications everything is browser based. SSL was originally designed to protect Web traffic, so getting non-Web applications to work through it requires redirecting their traffic through the SSL tunnel, usually via a small agent or port-forwarding component that the gateway pushes down to the browser. Before granting access the appliance performs a host check on the user's device (anti-virus, patch level and so on) to make sure the device doesn't endanger the corporate network; this matters more here than with IPSec, because the connecting machine may be an unmanaged home PC or a kiosk.
