New York, NY January 27, 2006
Building a Multi-layered Security Defense
contributed by John Herron
According to Eugene Kaspersky, Head of Kaspersky Lab Virus Research, the lab receives between 200 and 300 new virus and trojan samples a day. Not all of those make their way onto your network, but it's a lot to keep up with for the poor guy or gal in charge of network security. In fact, as the number and variety of threats has increased, our vocabulary for describing them has grown to include malware, spyware, phishing, key loggers, worms, trojans, and spam.
Not only is the volume increasing, but the window between when a vulnerability is discovered and when an exploit exists in the wild is getting smaller. In August 2005 the Zotob worm struck within 5 days of Microsoft releasing the OS patch. That's not much time for an administrator to download, validate, test, and distribute a patch before an attack occurs, even with automated patch management software. In December 2005/January 2006 we saw exploits before a patch was available for a vulnerability in Microsoft's Graphics Rendering Engine when rendering WMF (Windows Meta File) formatted images. It caused a bit of panic for worried administrators, leading some to apply a third-party patch as a precaution. Once Microsoft had a patch available, they were forced to release it a few days ahead of their regularly scheduled first-Tuesday-of-the-month patch release date. Administrators then needed to address the additional Microsoft patches released when that Tuesday rolled around.
Additionally, in the case of Zotob, many of the networks that were hard hit were not penetrated through their firewall defenses, but through laptops that were infected while off the corporate network and then allowed to connect on the inside of the firewall. These cases and other zero-day viruses highlight the need for administrators to combat these attacks at multiple layers.
So what are some of the methods being implemented today to shore up network defenses, beyond keeping anti-virus software and software patches up to date?
Intrusion Prevention
Traditional anti-virus protection relies on a database of known virus signatures to detect and prevent viruses from infecting a machine. As long as you keep your virus signatures up to date, you are protected from most viruses, but what about a virus that hasn't yet been identified by your anti-virus software provider, a so-called zero-day virus? These can be combated by Intrusion Prevention Software, such as CSA (Cisco Security Agent) or McAfee Entercept.
As an example, Cisco's CSA monitors and blocks dangerous behavior, based on a set of rules provided by Cisco and modified as necessary by the local administrator. If CSA detects an email application attempting to write a file to a Windows folder, it can automatically prevent this action. If an Instant Messaging application attempts to download and install an executable file, it can be blocked.
CSA comes with a standard set of rules for Windows Desktops, Windows Servers, and specialty servers, such as SQL, DHCP, DNS, and IIS Web. Generally, you select a pilot group of users on which to deploy the agent in test mode. Test mode logs the activity that would be blocked or allowed, but does not apply any restrictions. The pilot group should be diverse enough to cover all your applications and run long enough to cover most activities, such as processes that only occur at the end of the month. Once you have reviewed the logs, you can make adjustments to the policy to fit your environment and enable protection.
Behavior-based protection can defend against unknown viruses simply by blocking undesirable behavior. Typically a virus will attempt to modify files in the system directory and update key registry settings so that the virus program is restarted after a reboot; this behavior can be identified and blocked. When a new, undocumented virus strikes, it is prevented from deploying and spreading as soon as it attempts to perform a disallowed action.
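The rule-and-test-mode flow described above, as an added example that is not part of the original article and not CSA's or Entercept's real policy language: a small behavior-based agent whose rules, process names and events are all constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

# Hypothetical rule format modelled on the behaviours the article describes.
@dataclass(frozen=True)
class Rule:
    process: str  # glob over the process image name
    action: str   # "write_file", "write_registry" or "exec"
    target: str   # glob over a file path or registry key
    name: str

# Constructed rule set: the behaviours the article calls out.
RULES = [
    Rule("outlook.exe", "write_file", r"C:\Windows\*", "mail client writing to Windows folder"),
    Rule("msnmsgr.exe", "exec", "*.exe", "IM client launching a downloaded executable"),
    Rule("*", "write_registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*", "persistence via Run key"),
    Rule("*", "write_file", r"C:\Windows\System32\*", "write into system directory"),
]

def matches(rule, process, action, target):
    """Case-insensitive glob match of one observed action against one rule."""
    return (fnmatch.fnmatchcase(process.lower(), rule.process.lower())
            and action == rule.action
            and fnmatch.fnmatchcase(target.lower(), rule.target.lower()))

class Agent:
    """Test mode only logs what would be blocked; enforce mode denies it."""
    def __init__(self, rules, test_mode=True):
        self.rules, self.test_mode, self.log = rules, test_mode, []

    def check(self, process, action, target):
        """Return True if the action may proceed, False if it is blocked."""
        for rule in self.rules:
            if matches(rule, process, action, target):
                verdict = "WOULD BLOCK" if self.test_mode else "BLOCKED"
                self.log.append(f"{verdict}: {process} {action} {target} [{rule.name}]")
                return self.test_mode  # log only in test mode, deny when enforcing
        return True

# Constructed sample of host activity: three suspicious actions and one benign one.
EVENTS = [
    ("outlook.exe", "write_file", r"C:\Windows\svchost32.exe"),
    ("winword.exe", "write_file", r"C:\Users\jane\report.doc"),
    ("dropper.exe", "write_registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("msnmsgr.exe", "exec", r"C:\Temp\photo.exe"),
]

def run(test_mode):
    """Replay the sample events; return per-event verdicts and the agent log."""
    agent = Agent(RULES, test_mode)
    return [agent.check(*e) for e in EVENTS], agent.log
```

Running the pilot with `run(True)` shows every event proceeding while the log records what would have been blocked; switching to `run(False)` after reviewing that log is the "enable protection" step.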
Limiting User Privileges
Intrusion Prevention is just one way to limit virus activity. Since the virus runs with the privileges of the user that is logged on at the time the virus launches, damage can be minimized by limiting the average user's privileges. In fact, this is what Microsoft plans to do with the forthcoming Windows Vista operating system, expected to be released in the second half of 2006. Users will run with limited privileges and need to supply authentication credentials to modify operating system configurations or install software.
Though it can be time consuming and difficult to get all your existing applications to run when users are members of the Users group rather than Power Users or Administrators, it is worth the effort from a security perspective.
Host Based Firewalls
You can also reduce the exposure of your network machines by reducing the ports that are open to outside connections. One way to do this is to disable unused services, but this requires knowledge of the services and the applications that use them, and it disables the service completely. With a host based firewall you can limit access to the service port to just internal clients or just specific hosts. Microsoft added a host based firewall to Windows XP SP2 and Windows Server 2003 to help lock down systems to allow just the necessary communications.
You may think that your corporate firewall should provide this protection and it does, but when an infected employee or guest laptop connects to the inside of your network the corporate firewall won't protect you.
There are also third party host based firewalls, such as Zone Labs Zone Alarm software, which provide two benefits. First, they work on older operating systems that don't have a firewall, such as Windows 2000. Second, they are typically two-way firewalls, whereas Microsoft's firewall only inspects traffic coming into your desktop or server. A firewall that inspects outbound traffic can limit the spread of a virus. For example, a user receives an email containing a worm. The user unknowingly installs the worm, which attempts to spread itself using a peer-to-peer file sharing port. Since peer-to-peer file sharing would not normally be allowed on your network, the firewall blocks the outgoing packets and contains the virus to the individual machine that opened the worm-laden message.
Tighter Egress Control
Not only is it critical to look at outbound traffic from individual hosts, but also from the corporate firewall. Until recently many firewalls were configured to focus on stopping unwanted inbound traffic. When users were hogging bandwidth downloading MP3s or videos, those ports were shut down, but often outbound traffic went unchecked. Now that zombie machines (ones that have been taken over and can be controlled by outsiders) can be used to send spam or viruses from your network, you'll want to strictly limit what is sent from your network and from which machines. The last thing you want is to find that legitimate mail is being rejected by one of your clients because your domain has been placed on a RBL (Realtime Blackhole List) after one of your machines has been sending out spam. Once you get on a list it can be difficult to get removed.
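An outbound policy of the kind the host firewall section and this section describe (only the mail relay may send SMTP, peer-to-peer ports blocked, a short allow list for everything else), applied to flow log lines to spot a host behaving like a spam zombie. This is an added example, not the article's or any vendor's firewall configuration; the addresses, ports and log format are constructed.

```python
import re
from collections import Counter

# Constructed egress policy: hypothetical values, not a real firewall config.
MAIL_RELAY = "10.1.1.5"                    # the only host allowed to send SMTP out
ALLOWED_OUTBOUND = {80, 443, 53}           # services any internal host may reach
P2P_PORTS = set(range(6881, 6890)) | {4662, 4672, 1214}
SMTP = 25

# Constructed log format: "... src=A dst=B proto=P dport=N"
LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def decide(src, dport):
    """Return ('allow'|'deny', reason) for one outbound flow under the policy."""
    if dport == SMTP:
        return ("allow", "mail relay") if src == MAIL_RELAY else ("deny", "smtp from non-relay host")
    if dport in P2P_PORTS:
        return ("deny", "peer-to-peer port")
    if dport in ALLOWED_OUTBOUND:
        return ("allow", "permitted service")
    return ("deny", "default deny")

def audit(lines, spam_threshold=3):
    """Apply the policy to flow log lines; return denials and suspected zombies."""
    denied, smtp_by_host = [], Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                       # skip lines that are not flow records
        src, dport = m["src"], int(m["dport"])
        verdict, reason = decide(src, dport)
        if verdict == "deny":
            denied.append((src, dport, reason))
            if dport == SMTP:              # repeated direct SMTP is the spam-zombie signal
                smtp_by_host[src] += 1
    zombies = sorted(h for h, n in smtp_by_host.items() if n >= spam_threshold)
    return denied, zombies

# Constructed sample: relay mail, a desktop spraying SMTP, a P2P attempt, normal HTTPS.
SAMPLE_LOG = """\
2006-01-27 09:00:01 src=10.1.1.5 dst=198.51.100.7 proto=tcp dport=25
2006-01-27 09:00:02 src=10.1.5.23 dst=198.51.100.8 proto=tcp dport=25
2006-01-27 09:00:02 src=10.1.5.23 dst=198.51.100.9 proto=tcp dport=25
2006-01-27 09:00:03 src=10.1.5.23 dst=198.51.100.10 proto=tcp dport=25
2006-01-27 09:00:04 src=10.1.5.40 dst=203.0.113.2 proto=tcp dport=6881
2006-01-27 09:00:05 src=10.1.5.41 dst=203.0.113.3 proto=tcp dport=443
""".splitlines()
```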
Content Filtering
As ports are blocked either at the firewall or host level, hackers will place more emphasis on ports that are allowed out, such as http. This creates a greater need for content filtering to block offensive or dangerous sites. You may also be required to protect employees and the company from offensive messages or images in both emails and web browsing. Solutions have been around for a number of years that pass your traffic through a gateway or an external service that scans the data for objectionable content and blocks the message from reaching its intended recipient.
Network Admission Control
It's important to continue to tighten the security defenses at the corporate firewall, but earlier I mentioned that Zotob was spread through laptops infected when offsite and then brought back to the inside of the organization. One way to defend against this type of problem is through Network Admission Control. NAC prevents a machine from joining the network until administrator-managed policies are met. So that laptop that hasn't been on your network for months must have the latest security patches applied, the latest virus and spyware signatures, and a clean scan before being allowed to connect to the network.
NAC relies on a set of devices to authenticate and scan the attaching computer for compliance. If the machine is not compliant, it can be isolated to a quarantine VLAN (provided the network switching supports it) containing just the servers needed to remediate the situation, providing the machine with updated patches and signatures. Once the machine meets the policy requirements, it is allowed full access to the network.
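The admission decision described above, as an added example that is not part of the article and not any NAC vendor's schema: a posture check that assigns a host to the production or quarantine VLAN and lists what remediation is needed. Policy values, patch identifiers and host reports are constructed placeholders.

```python
from datetime import date

# Constructed admission policy; the patch identifiers are placeholders.
POLICY = {
    "required_patches": {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"},
    "max_signature_age_days": 3,       # AV/spyware signatures must be this fresh
    "require_clean_scan": True,
}
PRODUCTION_VLAN, QUARANTINE_VLAN = 10, 999   # hypothetical VLAN ids

def assess(host, policy, today):
    """Return (vlan, remediation_steps) for a host presenting its posture report."""
    todo = []
    missing = policy["required_patches"] - set(host["patches"])
    if missing:
        todo.append("install patches: " + ", ".join(sorted(missing)))
    age_days = (today - host["signature_date"]).days
    if age_days > policy["max_signature_age_days"]:
        todo.append(f"update AV/spyware signatures ({age_days} days old)")
    if policy["require_clean_scan"] and not host["scan_clean"]:
        todo.append("run a full scan and clean any detections")
    # Anything outstanding sends the host to the remediation-only VLAN.
    return (QUARANTINE_VLAN if todo else PRODUCTION_VLAN), todo

# Constructed posture reports: a laptop back after months offsite and a current desktop.
HOSTS = {
    "laptop-07": {"patches": {"PATCH-PLACEHOLDER-1"},
                  "signature_date": date(2005, 10, 2), "scan_clean": False},
    "desk-12": {"patches": {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"},
                "signature_date": date(2006, 1, 26), "scan_clean": True},
}

def admit_all(hosts=HOSTS, policy=POLICY, today=date(2006, 1, 27)):
    """Evaluate every attaching host; returns {name: (vlan, remediation_steps)}."""
    return {name: assess(report, policy, today) for name, report in hosts.items()}
```

A host that lands in the quarantine VLAN is re-assessed after it applies the listed steps, and only a report with an empty remediation list moves it to the production VLAN.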
Educate your Users
In addition to these technical solutions, it's important to educate users on the dangers that are out there so they can behave accordingly, such as not opening attachments from unknown sources, or not giving out, posting, or using easily guessed passwords. Having a written policy helps users understand the reasons for and benefits of the sometimes inconvenient security measures, such as enforcing password changes or scanning laptops before they are allowed back on the inside network.
There are numerous ways your network can be attacked, so you need numerous defense systems and a cooperative user community to help you thwart those attacks.