August 4, 2004



There are two sides to an IT infrastructure. One is the deliverables, the rosy side of things, which covers the IT solutions that provide benefits to your business. The other side is the investment you need to make to run them properly: hardware, software, backup equipment, and so on. On top of these lies the security element, which is meant to protect these investments. The greater the investment in the first two elements, the greater the security risks and the challenge of covering them. This starts with defining a proper security policy for your network, and moves on to choosing the right equipment to help you enforce that policy. 

Many interesting trends can be seen in network security today, and they need to be kept in mind when devising a proper security strategy. On one side is an increase in the number of threats and in the number of points of attack. On the other side are the solutions to counter each of these threats. It's important to know both sides in order to devise your security strategy. 

Top Viruses for June 2004

Rank  Virus Name       Percentage
1     Worm/Netsky.P    32.7
2     Worm/Zafi.B       8.8
3     Worm/Netsky.Z     6.8
4     Worm/Netsky.D     6.0
5     Worm/Netsky.Q     4.9
6     Worm/Bagle.AA     3.5
7     Worm/Netsky.B     3.3
8     Worm/Sasser       1.9
9     Worm/Netsky.A     0.8
10    Worm/Bagle.Z      0.7
11    Worm/Netsky.K     0.7
12    W32/Parite        0.6
      Others           29.3
(Source: Central Command)

Today, network security is not just about putting firewalls all over the place. Security threats can come in through email or the web. They can also come in through unpatched systems. A disgruntled user sitting on your LAN has enough free, yet powerful, tools at their disposal to wreak havoc. Now that LANs have been extended to mobile users through wireless connectivity, there is yet another avenue for security compromises. 

Solutions are available to counter each of these threats, and can be broadly divided into four categories: 

1. Firewalls: to counter external threats
2. Patch Management: to counter unpatched servers, desktops, and even manageable hardware devices like routers and firewalls
3. Anti-virus/anti-spam: to protect against malicious code
4. Intrusion Detection Systems: to protect against internal threats 

Firewalls
There are many interesting trends on the hardware firewall front. One is that most vendors now have entry-level models for small offices, at very attractive prices. Second, they're increasing the number of functions a firewall is capable of, which now include VPN connectivity, embedded anti-virus software, and even intrusion detection. Even a basic, entry-level firewall today comes with VPN and anti-virus functionality. Firewalls are therefore becoming more of an appliance that comes pre-configured in a box. 

Do we have the time?

Vulnerabilities in 2003: 4129
Time reading advisories @ 10 min each      =  86 days
Downloading 20% of patches @ 10 min each   =  17 days
Applying and reconfiguring @ 30 min each   =  52 days
Total                                      = 155 days

On the software front, the choice ranges from freely available Linux-based firewalls to commercial products. Both are very feature rich and require a dedicated machine. Commercial software can be pretty costly to set up, which makes the proposition of using free ones very attractive. 

But one must not forget the disadvantages associated with them, with the biggest one being lack of support. You’re on your own for everything. You need to acquire the technical expertise to install, setup, and configure them. You are then also responsible for finding the latest patches and updates and keeping the firewall up to date with them. These worries aren’t there with commercial firewalls, because it’s the vendor’s responsibility to provide you with regular updates. 

Top downloads

Ranking  Name                        Downloads
1.       Ad-aware                    55,898,936
2.       Spybot - Search & Destroy   26,290,836
(Source: download.com)

Despite all the functions provided by hardware firewalls, there's one function that's still not available in most: blocking P2P applications. The most difficult apps are those using the Gnutella protocol (Morpheus, BearShare, LimeWire, etc) and those using the FastTrack network, like Kazaa. Most firewalls block ports to disallow access to various applications. Unfortunately, these P2P applications can change the ports they use dynamically, which makes them difficult to catch. Some firewall vendors, like Fortinet, are introducing this capability in their latest releases, but its effectiveness remains to be seen. There's also plug-in software that can integrate with software firewalls to block P2P apps. 
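The following is an added example, not code from the article or from any firewall vendor, showing why a port-only rule misses a port-hopping Gnutella client while a rule that inspects the handshake does not. The flows are constructed samples; the default ports (Gnutella 6346/6347, Kazaa 1214) and the Gnutella 0.6 handshake strings are the documented ones, and no FastTrack signature is attempted because that handshake is obfuscated.

```python
from dataclasses import dataclass

# Default listening ports of the 2004-era clients the article names.
P2P_PORTS = {6346, 6347, 1214}

# A Gnutella 0.6 session opens with a fixed ASCII line from each side,
# regardless of which TCP port the client chose to use.
GNUTELLA_SIGS = (b"GNUTELLA CONNECT/", b"GNUTELLA/0.6 ")


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes  # first bytes of the TCP stream, client side


def port_rule(flow: Flow) -> bool:
    """Classic firewall rule: decide purely on destination port."""
    return flow.dst_port in P2P_PORTS


def payload_rule(flow: Flow) -> bool:
    """Application-aware rule: match the handshake, whatever the port."""
    return flow.payload.startswith(GNUTELLA_SIGS)


def blocked_by(rule, flows):
    """Return the indices of the flows a rule would block."""
    return [i for i, f in enumerate(flows) if rule(f)]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire\r\n"),
    Flow("10.0.0.5", 80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: BearShare\r\n"),
    Flow("10.0.0.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.0.0.9", 6346, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
]

if __name__ == "__main__":
    # Port rule: misses flow 1 (Gnutella moved to port 80) and blocks
    # flow 3 (ordinary HTTP that happens to use 6346).
    print("port rule blocks:   ", blocked_by(port_rule, SAMPLE_FLOWS))
    # Payload rule: catches both Gnutella handshakes, leaves HTTP alone.
    print("payload rule blocks:", blocked_by(payload_rule, SAMPLE_FLOWS))
```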

Anti-virus/Anti-spam
Malicious code is the biggest worry in every security administrator’s mind today, and most of it comes in through email as attachments. A part of it can also come through the web, if your employees are downloading software they shouldn’t be. Unfortunately, the sad part is that despite all the development, most anti-virus technology is still unable to provide protection from unknown viruses. That’s why we still keep hearing news about how companies incur major financial losses every year due to virus or worm attacks. The sadder part is that despite all this, most companies still don’t keep their anti-virus software updated. Perhaps even the update technology needs a further push to make life easier for system administrators. 

Firewalls: Costs of entry-level software firewalls for small offices have come down. Firewalls have become more feature rich, including VPN connectivity, anti-virus, intrusion-detection systems, etc.
Anti-virus/anti-spam: Most anti-virus vendors are also providing anti-spam solutions, and the trend is towards merging these two functions into one software package. Viruses, worms and spam continue to wreak havoc, and more robust solutions are needed to combat them.
Patch Management: Everything requires patches and updates, whether it's the OS, applications or network hardware like routers and firewalls. It is therefore a challenging task, and more solutions are needed in this space. The process can't be completely automated.
Intrusion Detection: The level of security awareness in the industry isn't enough, and intrusion-detection systems are highly complex. More education is therefore required for these devices to catch on.

Even after a virus or worm has been detected, current technology talks of putting it in quarantine, but has anybody thought of simply disabling the network interface of the infected machine itself, so that the virus doesn't spread? Such things can only happen if IT implementers themselves demand these solutions from the vendors. Spam, likewise, can't be controlled by anti-spam solutions alone. 

There are major debates in the US government about creating spam protection policies. Such things also need to happen here. So, choosing anti-virus software isn't difficult, because most vendors in this space are well known; what's more important are the measures you use to keep it updated, and the policy you follow after an attack. The entire picture has to be seen. 

Intrusion Detection
Internal threats are equally or more critical than external threats. For instance, a disgruntled employee (who perhaps didn't get a good salary hike) could wreak havoc on your network. Technology alone isn't sufficient to combat this sort of threat, but it can help minimize the damage. For this, you have to think of all the ways in which information can go out. Managing user rights and access control is extremely important here. Besides that, another major threat is the freely available, yet powerful, hacking tools. An intrusion detection solution would help detect such tools on your network, and it would also be able to detect other kinds of suspicious activity. Unfortunately, the level of security awareness in the industry isn't enough, and intrusion detection systems are highly complex, so they haven't really caught on in the market.

"200 Known Spam Operations are responsible for 90% of your spam"

Ninety percent of spam received by Internet users in North America and Europe can be traced via redirects, hosting locations of web sites, domains and aliases, to a hard-core group of around 200 known spam operations, almost all of whom are listed in the ROKSO database. These spam operations consist of an estimated 500-600 professional spammers loosely grouped into gangs ("spam gangs"), the vast majority of whom are operating illegally, and who move from network to network seeking out Internet Service Providers ("ISPs") known for lax enforcing of anti-spam policies.
(Source: Spamhaus.org)

Patch Management
This is another area that perhaps causes as much havoc as viruses and worms, because of the sheer number of patches and updates released every day for any OS, application, or even hardware that has firmware. The challenge is even greater for larger organizations, with hundreds of servers running in an equal number of branches. Even a simple router or firewall configuration update could take ages there, making the job a challenging one. Here again, most of the known solutions available are proprietary. Other commercial packages are either not so well known or too expensive. Patch management can't be completely automated, so the solution would be a mix of software and policies. The choice depends upon your network's configuration. If most of your routers are from Cisco, then it would make sense to deploy Cisco's router management offerings. There are also freely available solutions such as Microsoft's Systems Update Server, which can manage patches for Windows machines on a network. 
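As an added example (not from the article), the arithmetic behind the "Do we have the time?" box above, carried through as a function so the assumptions can be changed. The box does not state a working day; its figures of 86, 17, 52 and 155 days come out only when one person works 8-hour days, so that is the assumption coded here, along with an assumed 250 working days per year for the staffing estimate.

```python
# Assumption (not stated in the article): one administrator, 8-hour days.
MIN_PER_DAY = 8 * 60
# Assumption: working days available per year for the staffing estimate.
WORKING_DAYS_PER_YEAR = 250


def patch_workload_days(vulns, read_min=10, download_frac=0.2,
                        download_min=10, apply_min=30, min_per_day=MIN_PER_DAY):
    """Person-days spent reading advisories, downloading and applying patches.

    Defaults are the figures from the "Do we have the time?" box:
    every advisory is read (10 min), 20% of them turn into a patch that
    must be downloaded (10 min) and applied/reconfigured (30 min).
    """
    patched = vulns * download_frac            # advisories that need a patch
    reading = vulns * read_min / min_per_day
    downloading = patched * download_min / min_per_day
    applying = patched * apply_min / min_per_day
    total = reading + downloading + applying
    return {
        "reading": round(reading),
        "downloading": round(downloading),
        "applying": round(applying),
        "total": round(total),
        "total_exact": total,
    }


def fte_needed(vulns, working_days=WORKING_DAYS_PER_YEAR, **kwargs):
    """Fraction of a full-time administrator consumed by the patch cycle alone."""
    return patch_workload_days(vulns, **kwargs)["total_exact"] / working_days


if __name__ == "__main__":
    box = patch_workload_days(4129)            # the 2003 count from the box
    print("2003 workload (days):", box)        # reading 86, downloading 17,
                                               # applying 52, total 155
    print("FTE for patching only: %.2f" % fte_needed(4129))
    # What an automated push tool that cuts apply time to 5 min would save.
    auto = patch_workload_days(4129, apply_min=5)
    print("with 5-min apply, total days:", auto["total"])
```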

By Anil Chopra

IN BRIEF

Deploying network security is a mix of policy and technology. With so many vulnerabilities being discovered every day, it's important to keep yourself updated with the latest news. Given below are a few useful portals for the latest security information: 

- portal.sans.org: SANS Institute
- cve.mitre.org: Common Vulnerabilities and Exposures Threats
- cwrld.com/nl/sub.asp: Computerworld Security Update 
- freelists.org/cgi-bin/list?list_id=cybercrime-alerts: Cybercrime-Alerts

COMING UP

With threats spread across the network, companies so far haven't had a choice but to implement different solutions for different types of security issues. You need anti-virus on your servers, desktops, mail systems, etc. You need anti-spam on your mail server, and a firewall on your Internet gateway. Then an intrusion detection system is needed for the network, and you also need a patch management system. The effectiveness of all these systems depends on how regularly you update them. Imagine the nightmare most network managers go through to manage such a diversity of systems. That's why the latest trend in the industry is to build complete integrated systems that can do everything, so that one security appliance acts as the firewall, anti-virus, anti-spam, intrusion detection system, proxy, and much more.
