Protecting the boundary
By Kay Ewbank
Any computer system that is connected to the Internet is under constant attack. Kay Ewbank finds out what you can do to protect your borders.
HardCopy Issue: 47 | Found In: Security | Published: 01/02/2010 | Last Revision: 07/07/2010
Protecting a single computer against malicious threats such as viruses and spam is tough enough: protecting an entire network is much tougher. There are many ways your infrastructure could be attacked, and you won’t necessarily know that your defences have been breached until it is too late.
The first thing to work out is just what constitutes your boundary. This may sound obvious but things are more complicated than they might first appear. You have to know precisely which things you are protecting, and where ‘the rest of the world’ starts. You also need to know exactly how many ways into and out of your boundaries there are, so you can close off unnecessary gateways and make the others as secure as possible.
Identifying the boundary
It’s fairly obvious that any machines connected directly to the Internet are on the boundary, as are any laptops and portable machines that travel outside your network. Remember that mobile phones and PDAs are essentially computers too. If you have a wireless network, it is on the boundary. The people who attempt to use your bandwidth to avoid paying for their own connections are the least of your problems, and the standard encryption methods for protected wireless networks are increasingly under attack.
Other points you may not have considered as potential vulnerabilities include machines in reception or public areas, and any machine that contractors or casual staff have access to. Finally, don’t forget that there are cases of printers, scanners, fax machines, CD duplicators and even vending machines being ‘hacked’. Many such devices have Web interfaces and embedded operating systems that can provide a route through your security boundary. What’s more, because they are usually shared devices, suspicious traffic can go unnoticed.
Many companies assume that if they have a firewall between them and the outside world, they’re essentially protected. Unfortunately, any form of communication across the firewall leaves room for attack. If users on a network open an email, download an application or click on a link on a Web page, they may open the gate to malware. If they hand over personal or corporate details in response to a phishing attack, or even tell a ‘researcher’ their password, they open a route through your defences. The only truly safe computer is one that is not connected in any way to the outside world; nevertheless, there are many precautions worth taking.
Identifying the targets
Having worked out the ‘where’ you’re protecting, you next need to be sure ‘what’ you’re protecting. Some areas for protection are obvious - your email system, for example, and any corporate databases that would be obvious targets. Other corporate assets may be less obvious.
A good rule of thumb is that data will be worth money to someone, so it will be a potential target. The Information Commissioner’s Office (www.ico.gov.uk), which used to be the Data Protection Agency, has some good advice on what constitutes data from a legal perspective; and don’t forget that the need for protection isn’t just about safeguarding your interests – it’s also a matter of legal requirements. If someone breaks through your boundary and steals personal data that you are storing, then you’re breaking the terms of the Data Protection Act and could face a large fine.
Questions of identity
Security software suites increasingly include authentication and identity management so you can be sure that a device that is connecting to your network is what it claims to be, and has the correct measures in place in terms of patches and anti-virus. The security software will also ensure the user is who they claim to be by using not only passwords but hardware security devices such as smartcards and biometric devices.
Safe emails
Most people encounter problems via their emails. Whether they’re harassed by unwanted emails (spam), tempted by fake requests for personal information (phishing), or sent viruses that look as though they’re innocent emails from personal contacts, the way those attacks arrive is in an email. If your company is large enough or has a high enough profile then it may suffer mail-bombing, which involves attackers sending vast amounts of email in an attempt to take down your email servers. You may also suffer directory harvest attacks, where the aim is to discover valid email addresses that can then be used for spam and other attacks.
Some studies suggest that as much as 95 percent of all emails sent to mail servers are spam, so the sheer volume presents a cost in itself. Ideally you will need a multi-layer method to deal with email attacks, involving lists of blocked senders, anti-spam methods to cut down on the number of messages that arrive in users’ inboxes, anti-phishing techniques, and anti-virus checking.
The anti-spam techniques used by the various products on offer start with blocking lists that stop any emails from people known to be spammers. The anti-spam then checks for key words and phrases to filter the most common spam messages, though this can have the side-effect of marking valid emails as spam. Some software offers the option to filter emails based on sender or recipient, and to authenticate the sender before emails are delivered. However there’s a fine balance between protecting the user and becoming a nuisance; techniques which require all email senders to authenticate themselves can irritate potential customers, for example.
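The layered approach just described, as an added example that is not code from any of the products reviewed here: a block list is consulted first, then weighted phrase scoring (no single phrase is enough to quarantine, which limits the false positives mentioned above), with senders that have already authenticated bypassing the phrase filter. The domains, phrase weights and sample messages are all constructed for illustration.

```python
# Added example: a three-layer inbound mail filter (block list, phrase scoring,
# sender authentication). All names and messages below are constructed.
from dataclasses import dataclass

BLOCKED_SENDERS = {"spam.example"}            # domains of known spammers (constructed)
AUTHENTICATED_SENDERS = {"partner.example"}   # domains that passed sender authentication (assumed)

# Weighted phrases: one phrase alone stays below the threshold, so a legitimate
# message that happens to say "click here" is not quarantined.
SPAM_PHRASES = {"act now": 2, "free money": 3, "click here": 1, "unsubscribe": 1}
QUARANTINE_THRESHOLD = 3

@dataclass
class Message:
    sender: str
    subject: str
    body: str

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def spam_score(msg: Message) -> int:
    text = f"{msg.subject} {msg.body}".lower()
    return sum(weight for phrase, weight in SPAM_PHRASES.items() if phrase in text)

def classify(msg: Message) -> str:
    """Return 'reject', 'quarantine' or 'deliver' for one message."""
    domain = sender_domain(msg.sender)
    if domain in BLOCKED_SENDERS:              # layer 1: known spammers never reach the inbox
        return "reject"
    if domain in AUTHENTICATED_SENDERS:        # layer 3: authenticated senders skip the phrase filter
        return "deliver"
    if spam_score(msg) >= QUARANTINE_THRESHOLD:  # layer 2: content heuristics
        return "quarantine"
    return "deliver"

SAMPLE = [  # constructed sample messages
    Message("offers@spam.example", "Free money", "Act now, click here"),
    Message("stranger@unknown.example", "Free money", "Act now!!!"),
    Message("sales@partner.example", "Free money offer", "Act now on our click here link"),
    Message("friend@unknown.example", "Lunch?", "Click here for the menu"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.sender:28} -> {classify(m)}")
```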
Anti-virus
While spam is fairly easy to identify, viruses, worms, Trojan horses and other malware take care to hide, so writing good anti-virus software is a real challenge.
Most anti-virus software starts by looking for patterns within code: so called ‘signatures’. This guards effectively against viruses that are already known, and can find variations of known viruses. For completely new viruses, however, signature detection is no use.
Most anti-virus software also uses heuristics, which rely on experience of how viruses behave. For example, if an unknown file wants to edit the system registry for no apparent reason, that may be evidence of it being malware. Some packages open incoming software and run it, or emulate it running, in a safe environment before it is allowed to open on a user’s machine. Some AV software also looks for evidence of a rootkit (a cloaking mechanism used to hide viruses from prying eyes).
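The two detection layers described above, as an added example rather than any vendor’s engine: a byte-pattern signature catches the known family and a variant that still carries the pattern, while behaviour heuristics (fed by what an assumed sandbox run observed) flag an unknown file the signature misses. The signature, behaviour list and samples are constructed; none of them is a real malware indicator.

```python
# Added example: signature matching followed by behaviour heuristics.
# Signatures, behaviours and samples are all constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signature database: family name -> byte pattern identifying it.
SIGNATURES = {
    "Demo.Family.A": b"\x4d\x5a\xde\xad\xbe\xef",
}

# Constructed heuristic weights for behaviours observed when the file is run
# in a sandbox or emulator (the article's "safe environment").
HEURISTIC_WEIGHTS = {
    "writes_registry_autorun": 4,   # persistence with no apparent reason
    "hides_own_process": 4,         # rootkit-style cloaking
    "connects_to_unknown_host": 2,
    "writes_user_documents": 1,     # normal for an editor, so weighted low
}
SUSPICIOUS_THRESHOLD = 4

@dataclass
class Sample:
    name: str
    content: bytes
    behaviours: List[str] = field(default_factory=list)  # from the assumed sandbox run

def signature_match(content: bytes) -> Optional[str]:
    """Return the family whose pattern appears anywhere in the file, else None."""
    for family, pattern in SIGNATURES.items():
        if pattern in content:
            return family
    return None

def heuristic_score(behaviours: List[str]) -> int:
    return sum(HEURISTIC_WEIGHTS.get(b, 0) for b in behaviours)

def scan(sample: Sample) -> str:
    family = signature_match(sample.content)
    if family:                       # known virus, or a variant carrying the same pattern
        return f"known:{family}"
    if heuristic_score(sample.behaviours) >= SUSPICIOUS_THRESHOLD:
        return "suspicious"          # unknown code that behaves like malware
    return "clean"

SAMPLES = [  # constructed
    Sample("known.exe", b"\x4d\x5a\xde\xad\xbe\xef\x00\x00"),
    Sample("variant.exe", b"\x4d\x5a\x00\x10\x4d\x5a\xde\xad\xbe\xef\x90\x90"),
    Sample("unknown.exe", b"\x4d\x5a\x01\x02", ["writes_registry_autorun", "connects_to_unknown_host"]),
    Sample("editor.exe", b"\x4d\x5a\x03\x04", ["writes_user_documents"]),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:12} {scan(s)}")
```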
Safe browsing
Some of the most productive attacks come from tempting visitors to Web sites to download the malware. If you can hide a virus behind what looks like an image, a software update or just a clickable link, you can get users to download the virus themselves, and perhaps bypass any security measures in place on the network boundary.
It’s quite hard to avoid this risk; if users feel they trust a Web site, they will probably ignore warning messages. Even if you restrict your Web browsing to legitimate Web sites, you can still be exposed to risk when cyber criminals infiltrate legitimate sites to place malicious code, or hijack Web addresses so the user thinks they are visiting a trusted site but are in fact viewing something quite different.
Web filtering software can help in the battle. The techniques behind Web filters are similar in some ways to anti-spam blacklists, in that the security companies maintain lists of Web sites known to host malware or suspicious downloads. Such lists are only useful while they are current, so keeping them up to date requires considerable resources.
In addition to lists of sites that are untrustworthy, security software checks the content and code of Web pages visited by users to avoid problems arising from Web sites that are not on the blocked lists. The better packages will check even SSL traffic for malicious code that has been disguised by encryption.
Safe data
The techniques provided by security software for keeping data safe within the network generally start with encryption. This at least ensures that if data is stolen or accessed without permission, it cannot be read or used. You should look for software that lets you encrypt entire disks, folders or individual files on both standard and removable devices. If data is being exchanged via email, look for software that lets your business users send and receive the data in encrypted form.
Another useful option offered by some software is automated checking of incoming and outgoing traffic to ensure data is not being sent or received when it should not be. For example, some software lets you check for specific words and phrases in documents that the user is transferring, or in Web forms. The administrator can choose to block the transfer or to log it. This is another area where it is important to get a balance between safety and convenience - it may be safest never to let users send a file, but it probably won’t result in a very efficient workforce.
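An outbound content check of the kind described above, as an added example and not code from any product reviewed here: each policy rule names a phrase and the action the administrator chose for it (block or only log), the most severe matching rule decides the outcome, and the audit line records the decision without echoing the content. The policy, channels and sample transfers are constructed.

```python
# Added example: outbound transfer check with per-rule block/log actions.
# The policy and the sample transfers below are constructed for illustration.
from dataclasses import dataclass
from typing import List
import re

# Constructed policy: pattern -> action. Case-insensitive regexes, so
# "project falcon" also matches "PROJECT  Falcon".
POLICY = [
    (re.compile(r"\bcompany confidential\b", re.I), "block"),
    (re.compile(r"\bproject\s+falcon\b", re.I), "block"),
    (re.compile(r"\bsalary\b", re.I), "log"),
]

@dataclass
class Transfer:
    user: str
    channel: str    # e.g. "email", "webform", "usb"
    content: str

@dataclass
class Decision:
    action: str         # "allow", "log" or "block"
    matches: List[str]  # patterns that fired

def check_transfer(t: Transfer) -> Decision:
    """Apply every policy rule; the most severe matching action wins."""
    severity = {"allow": 0, "log": 1, "block": 2}
    action, matches = "allow", []
    for pattern, rule_action in POLICY:
        if pattern.search(t.content):
            matches.append(pattern.pattern)
            if severity[rule_action] > severity[action]:
                action = rule_action
    return Decision(action, matches)

def audit_line(t: Transfer, d: Decision) -> str:
    """One line for the administrator's log; the content itself is not echoed."""
    return f"user={t.user} channel={t.channel} action={d.action} rules={len(d.matches)}"

SAMPLE = [  # constructed
    Transfer("alice", "email", "Attached: Q3 plan for Project Falcon."),
    Transfer("bob", "webform", "My salary expectation is negotiable."),
    Transfer("carol", "usb", "Holiday photos"),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(audit_line(t, check_transfer(t)))
```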
So let’s take a look at what the major players in this area have to offer.
AVG
AVG 9.0 integrates a wide range of tools into a comprehensive protection solution.
AVG is well known as an anti-virus company, and the AVG Internet Security Business Edition builds on the AVG Anti-Virus Business Edition software to add firewall, Web security, anti-rootkit, anti-spam and data protection tools. It also comes with LinkScanner to protect users while they browse the Internet. AVG comes with a built-in firewall that has been redesigned in this version to reduce the number of false firewall alerts by using application whitelisting.
The client email scanner in AVG 9 checks both message attachments and links for potential problems, and the anti-spam filter protects against phishers as well as spam.
Asked what makes AVG security products special, UK Managing Director Mike Foreman told us: “Today, many malware attacks come from well-known Web sites which many people may use on a daily basis. Our research indicates that close to 60 per cent of sites launching ‘drive-by downloads’ are infective for one day or less. AVG’s LinkScanner software provides the most timely, precise and reliable protection for Internet users by analysing Web pages only at the time it matters: when the user is about to visit them.”
ESET
ESET’s strength lies in its NOD32 anti-virus and anti-spyware engine, which has received much acclaim for its virus detecting abilities, topping both Virus Bulletin and AV-Comparatives.org charts. ESET Smart Security 4 combines this with a firewall and anti-spam technology to provide a complete security solution.
ESET Smart Security 4 is based on the company’s NOD32 anti-virus and anti-spyware engine, which has received high acclaim.
For this version, ESET has added the ability to inspect SSL-encrypted communication channels such as HTTPS and POP3S, and to scan compressed files for potential threats. The firewall has a new Learning Mode which automatically generates firewall rules according to the way in which you use your computer. The spam filter is more efficient and more effective, and the scanning of removable media such as USB sticks has been improved.
If you are infected, then new tools in the shape of ESET SysInspector and SysRescue help you analyse the nature of the attack, and create a bootable CD, DVD or USB drive that you can use to heal the infected machine. Furthermore, ESET Smart Security now includes technology that can detect and prevent attempts to corrupt or disable it.
ESET NOD32 Anti-virus is itself available in a Business Edition which can be installed on servers as well as workstations. It also supports remote administration and a ‘mirror’ facility that allows you to create an internal update server.
McAfee Total Protection
McAfee Total Protection combines anti-virus, anti-spyware, firewall, and SiteAdvisor Web filtering, along with data encryption. It also blocks spam and phishing attacks, and provides content filtering to ensure compliance with your company’s rules.
McAfee SiteAdvisor uses the company’s Global Threat Intelligence network to warn of dangers on the Web.
Email and Web security are integrated, with the virus and spyware blockers scanning all Web downloads and email attachments at the network edge. Total Protection can also be used to encrypt data on desktops, laptops, tablets and other mobile devices.
Dmitri Alperovitch, vice president of threat research at McAfee, told us: “All McAfee products rely on Global Threat Intelligence, a comprehensive set of real-time cloud-based technologies that track the entire threat lifecycle and evolution as seen by McAfee’s global customer base, backed up by a McAfee Labs team consisting of more than 350 researchers in 30 countries.”
Microsoft Forefront
Microsoft is one of the more recent entries to the security market with the Forefront Security Suite. This includes Forefront Client Security to protect against malware; Forefront Security for Exchange Server to protect against threats contained in emails; and products to protect SharePoint and Office Communications Server.
The Forefront Threat Management Gateway is the replacement for ISA Server 2006. Threat Management Gateway gives URL filtering, anti-malware, and intrusion-prevention, along with application-layer and network-layer firewall and VPN.
Forefront Client Security protects against viruses, worms, Trojan horses, spyware and rootkits. The advantage of being a Microsoft product is that the software is well integrated with Microsoft technologies such as Active Directory; the drawback is that it is Windows-centric. It’s also worth pointing out that Forefront Client Security will be replaced in 2010 by Forefront Endpoint Protection. This will be integrated with System Center Configuration Manager, but is still under development.
Asked what’s special about Microsoft Forefront, Michael Newberry, Forefront Product Manager at Microsoft UK, said: “Microsoft’s Forefront product range provides security and identity tools that increase collaboration, sharing and access to information but do so while protecting assets and infrastructure. Frequently this needs to be addressed in the context of shrinking budgets and increased regulatory pressure. We see that as being unique to Microsoft.”
Sophos
Sophos security products start with Sophos Endpoint Security and Data Protection for larger companies. This includes anti-virus, anti-spyware, firewall, network access control, data leakage prevention (DLP) and encryption for Windows, Mac, UNIX and Linux-based machines, with all environments administered from one central console. For smaller organisations, Sophos has Security Suite, a combined firewall, anti-virus and anti-spam product that provides simple protection for Windows or Mac desktops and laptops, along with file servers and Exchange servers. It also includes the Sophos Client Firewall.
Ciaran Rafferty, vice president of Sophos in the UK and Ireland, told us: “Sophos has been a trusted expert in the field of IT security for over 20 years. We’re the only vendor to be rated as a ‘leader’ in Gartner’s Magic Quadrant for both Endpoint Security and Encryption. We keep our customers secure with products that are powered by SophosLabs, a global network of threat research centres that offer 24/7 protection and support.”
Symantec
Symantec Multi-tier Protection consists of Symantec Endpoint Protection and Symantec Mail Security. Symantec Endpoint Protection provides anti-virus, anti-spyware, firewall, intrusion prevention, device and application control. The software uses a central Web-based management console and supports both Windows and Linux clients. You get extensive control over the policy to be applied to client machines, and can define policies at several organisational levels, making this a good choice for larger companies.
Derek O’Carroll, Head of Security Business Practice EMEA at Symantec, told us: “At Symantec we provide holistic security packages encompassing security, storage and systems management solutions, and we secure and manage more information against more risks at more points, more completely and efficiently than any other company.”