Future Blended Threats
On the face of it, the IT community is blessed with a competitive, customer focused and responsive anti-malware industry offering 24 hour operations centres, updates and patches to quickly block any new viruses or attacks. And even accepting that handling these patches in-house can be a bit of a nightmare for customers you can nonetheless say that this works reasonably well - can't you?
There is a problem with this view, and it stems from the tendency to put security protection into neat little compartments. Anti-virus updated - check - spyware protection in place - check - and when all the boxes are ticked you can relax and feel protected.
Except that threats don't always fit so neatly into well-defined packages. Blended threats are increasingly common, and need a holistic approach to block effectively. Blended threats use numerous ways of spreading, whether it's email, SQL, Netbios or whatever, and it requires a blended defence to stop them.
One of the more uncomfortable facts that we, as an industry, need to face is that the revenues being generated from 'compartmentalised' anti-malware applications can amount to a powerful vested interest- Vendors are frequently providing protection solutions against single threats or multiple solutions against multiple threats, and implying that customers are safe, when the real story is more complex.
In particular, the difference between viruses and spam grows ever smaller. Should phishing be classified as spam or as a virus? Is an email with links to offensive porn just spam, or should it be handled by your content filtering protection before it even gets to the user?
We've also seen virus writers using spamming techniques to speed the delivery of their viruses, and viruses used to create "zombie" PCs to help in spam distribution. The crux of the matter is that we don't want spam or viruses. If anti-virus and anti-spam protection is separated, some viruses and spam will fall between the two.
A well-configured firewall and up-to-date anti-virus protection can deal with many threats. However, if you have a service that you need to have open, such as HTTP, SQL or VoIP, then the firewall cannot work effectively, as this traffic must be let through.
In this case, the firewall and anti-virus are not enough. You now need to tie in intrusion detection/prevention (IDP) to prevent exploits like SQHell.
If you are running virtual private networks (VPNs), they need to be restricted and scanned in the same way that a physical port should be scanned and restricted. This means that VPNs should be integrated with a firewall, IDP, anti-spam and
anti-virus.
As well as coping with these blended threats, by linking together different aspects of security, the overall performance can be improved. For example, anti-spam protection works better if it has access to a database of suspect URLs that it can filter for. By tying the anti-spam engine to a content filtering database like SurfControl, its effectiveness can be enhanced.
Another headache for security firms has been the port hopping capability of peer-to-peer applications like Kazaa. If you block the port that Kazaa is using, it can simply move to use another port. In practice, this makes it very difficult to stop by simply blocking ports.
On more sophisticated appliances, intrusion detection capabilities can specifically block peer-to-peer applications. But even without this capability, an intelligent use of a quality of service (QoS) capability as part of your network defences can provide an answer to the port-hopping problem. Instead of blocking Kazaa all together, which it would recognise and port hop to bypass, the QoS can reduce the throughput to such a low level that the user no longer wants to use the peer-to-peer application - without triggering port hopping.
Finally, it's important not to overlook the fact that someone has to work out which anti-malware tools are best placed to counter the latest blended threat and to manage all of your security protection. By bringing together all the logging facilities of your firewall, IDP, email, content filtering and so on, reporting is clearer and fault finding is easier and quicker. It is also quicker and easier for signatures and defences to be updated and monitored.
So, if a unified approach to protection is the answer, how can this be implemented? It almost goes without saying that the best place to put this protection is at the network gateway - blocking threats before they get onto the network provides the most reliable solution. That's not to say there is not an on-going role for protection at the desktop and sever level, but it is to say that, for most networks, protection at this level should be the secondary and not primarily layer of defence.
Several vendors are now offering threat protection appliances that can provide the essentials of anti-virus, anti-spam, content filtering, IDP and VPN. The market has now matured to the point where such appliances can provide the same level of protection as stand-alone security components, without compromising on any particular aspect. About the Author
Simon Heron, Technical Director at Network Box (www.network-box.co.uk)
|