In-Depth

New ways to police the enterprise

Special Report

Gregg Pankake had a better reason than most to dread coming to work on Monday mornings. The network manager and his staff grappled with outdated network security at the Harrisburg city school district in Pennsylvania. When teachers plugged in their laptops after a weekend away, they would "bring all this wonderful junk—viruses and spyware—back to school," Pankake recalls. He routinely dealt with 500 or more "nasty bugs" each week. The old security solution, antivirus software running on servers, "would just get flooded and fail," he says.

Fortunately, Mondays have become far less stressful in the past year. The school district invested in about $650,000 worth of new network gear. Virus-related calls to the IT help desk now number only a handful, a steep reduction from the 30 or so per day that used to come in. "We used to get calls that entire buildings were down because one person infected multiple PCs or a network switch couldn't handle the broadcast traffic" generated by rogue software, Pankake recalls.

Like other institutions, the Harrisburg school district learned how to benefit from increasingly sophisticated intrusion detection and intrusion prevention systems.

Technology researcher IDC estimates sales of network-based detection and protection rose 39 percent in 2005. The IDS/IPS market is poised for another 27 percent gain this year, thanks to heightened interest in network protection and more accurate security products, the research company says.

"Network intrusion prevention acceptance is increasing as false alerts are reduced and as attacks become more damaging," observes Charles Kolodgy, research director for secure content and threat management products.

But IDS/IPS still isn't foolproof when it comes to spotting intruders or avoiding "false positives" that frustrate managers with unnecessary warnings. Another worry for managers is the flood of network activity and communications data that IDS technology routinely creates. Even automated systems that screen information before delivering alerts to security officers can quickly become overwhelming.

The problems have led some managers to temper their reliance on IDS. "[Use it to] cover your bases, but the best network security is when you don't really need to use your IDS because you have your anti-virus and operating system patched and updated," says Stephen Escher, network security manager, Hilton Grand Vacations Company, Orlando, Fla. "IDS is definitely a piece of the puzzle, but it's not the whole thing."

Who let the dogs in
The Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute in Pittsburgh decided, about a year ago, that intrusion reports were becoming too numerous to count. "With the advent of automated tools, a single perpetrator can hit a large number of sites virtually simultaneously, so discriminating whether you're seeing one incident or many got to be indefensible," explains Tim Shimeall, a senior member of the CERT technical staff. "The best evidence, however, is that both the prevalence and the cost of intrusions are continuing to rise."

Today's biggest threats include botnets, which are groups of remotely controlled computer resources that work together for malicious goals; sophisticated phishing schemes that spam a target with e-mails; and other machinations that mimic legitimate traffic. These threats keep corporate security managers and software vendors mired in a constant game of catch up, Shimeall says. See separate story, "Advice from the frontlines."

What to do? The perimeter protection capabilities of IDS/IPS watch for electronic evil doers from the outside and for employees performing unauthorized activities inside the firewalls. Vendors take two distinct approaches to thwarting break-ins. One approach scans for virus and worm signatures-essentially fingerprints of known threats that security vendors distribute. The other approach, known as anomaly detection, uses software sensors buried in network hardware to watch for suspicious activities, such as a large number of incoming messages aimed at a production server.

The venerable signature approach provides a reliable defense against known viruses and worms, which can cost companies millions of dollars in lost data and downtime. Signature proponents say this strategy remains a first line of defense against malicious code. "The majority of attacks out there are based on existing vulnerabilities. A lot of attackers simply leverage known vulnerabilities," says Patrick Wheeler, senior product manager for Symantec.

However, as hackers constantly change their modus operandi there's a danger that signatures can't be updated quickly enough to block every attack. The cost of this form of protection is another downside. Signature devices range in price from about $15,000 to $150,000 per dedicated server or surveillance point. Fortune 1000 companies—with dozens of Internet connections and hundreds of remote locations—might quickly strain budgets to secure every vulnerable entryway. As a result, companies often install the technology selectively on network edges, near firewalls, an Internet link, or the connections to partner Web sites.

The sensor strategy overcomes mass rollout problems because it requires only a small number of servers, which then collect activity data from the dozens of routers and switches installed across enterprise networks. Although analysis server prices are comparable to signature-scanning products, proponents say orgs require fewer analysis devices since they merely aggregate data sent from network gear.

The servers compare traffic patterns and other info from the network devices against a baseline of typical activity and scout for unusual patterns that may be a tip off to intrusions. "If [a server] detects that a worm is spreading or that a policy violation has occurred, it can instruct a router to block traffic from the offending source," says Adam Powers, director of technology for Lancope, a vendor of behavior analysis appliances, based in Georgia.

Advice from the frontlines
Special Report The Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute works on the front lines of cybersecurity. The team advises orgs how to protect their networks from today's threats and researches ways of coping with tomorrow's break-ins. CERT says a handful of security measures before trouble arises can help enterprises avoid or limit the consequences of intrusions.

First, establish a secure and usable network configuration. Almost every commercial technology, ranging from network hardware to operating systems, arrives with numerous default settings in place that may or may not be important to the organization.

"The basic rule is, if it's not related to your business, why support it?" says Tim Shimeall, a senior member of the CERT technical staff. "I might disable Microsoft file sharing from outside of a LAN segment or I might disable SQL Server traffic going to clients. In other words, attempt to connect to a client," he explains.

"I also might want to disable a variety of communication methods that are associated with the file sharing applications, particularly ones that are known to be somewhat promiscuous in the number of connections they make within and outside of the network," he says.

Next, IT managers should create a baseline profile of the IT environment. Shimeall advises orgs to capture any information that might be helpful for later comparisons to determine if someone has penetrated the system. One safeguard is to run and store the results of cryptographic checksums on important files. If IT managers suspect attempts have been made to modify the content of a program or a data file, they can refer to the master record file.

Orgs should also keep records of where network communications ports are located and which ones are disabled. These records can alert managers if intruders have found a way into the enterprise by opening ports that should have been disabled. "Opening a hole for himself is very typical of an intruder," Shimeall says.

Permanent records should also contain profiles of the roles and capabilities of each network server. For example, descriptions should explain which servers host e-mail communications and which ones are Web servers. "You can expect to see one set of behaviors if it's a server that is receiving e-mail and perhaps DNS traffic," Shimeall explains. Anomalous behavior can tip off breaches.

He also suggests that server profiles include content, hardware and software configurations, and which users are authorized to use each machine. "So if you suddenly see a new user account on the host, you can easily detect the problem," Shimeall says.

Because checklists and profiles add to the administrative burden of already stressed IT and security teams, the work often never gets done, Shimeall says. But he believes security planning is important. "There are some shops that believe this kind of effort isn't a priority," Shimeall says. "The feeling is, 'So long as our network is usable by us, why worry?' But those shops are setting themselves up for significant risk, because essentially they are saying that their ability to use their network is left in the hands of the attacker. And those are not friendly hands."
-Alan Joch

More sophisticated safeguards
Signature-based products are attempting to overcome some of the gains seen by anomaly detection technology. Using Cisco IDS technology, Hilton Grand Vacations' Escher instructs routers, firewalls, and other network components to block certain at-risk traffic, such as known worms. "If I did see a worm come out and there wasn't a signature for it, the security software has a nice wizard that lets you answer some questions about the type of traffic you are trying to generate an alert for," he says. "You can write your own signature and not have to wait," for vendors to formally distribute one.

Signature-based safeguards are also becoming more sophisticated. In addition to the traditional approach of quickly installing new definitions before a fledgling attack takes hold, vendors are working with operating system developers, such as Microsoft, to learn about vulnerabilities before hackers can base an attack on them. For example, if a certain type of buffer overflow potential exists in the code, "rather than trying to track every exploit tool to see how it might overflow the buffer space, we will write a single vulnerability-based signature," says Munawar Hossain, product line manager for IPS security products at Cisco Systems, San Jose, which offers both signature and anomaly detection products. "If something overflows the buffer by one character or a million characters, the signature will classify this as a buffer overflow. So no matter how you overflow the stack space, I will catch it."

In addition, signature-technology vendors are working to further mitigate vulnerabilities with technology that searches for pieces of malicious content carried by multiple packets. So if the dangerous code consists of the letters "FOO," a technique called regular expression analysis can find the three letters even if they're spread across separate packets. The security software "searches the packet header and payload to determine whether or not that regular expression is contained in there," Hossain says. The software "is sophisticated enough to detect if the 'F' is in the first packet, an 'O' is in the fifteenth packet, and the last 'O' is in the thirtieth packet."

Too much information
However, both the signature and anomaly-detection approaches can create data overload—one from too many profiles enabled, including benign signatures, and the other from overly detailed traffic analysis reports. "You really have to tune the system if you see a lot of false positives on a network," Hilton's Escher says.

Some vendors attempt to overcome data overload with threat-level indexes. If suspicious activity emanates from a single IP address, for example, the bar on an on-screen security thermometer rises to alert managers. "You don't want to overwhelm the administrator with summaries of hundreds of ping sweeps and port scans," two activities that sometimes presage an attack, Cisco's Hossain says. "You can set the sensor so that if it sees 300 of these events over a certain period of time, it summarizes the information into one single event and notifies [the manager] every 20 minutes."

A flexible security policy management tool, a component of anomaly detection systems, can be another antidote to data overload, says Symantec's Wheeler. "Look for a policy manager that can start with a predefined security setting and then help you quickly edit certain categories of signatures that you don't want to be alerted to," he says. "Just because you can detect 2,000 or 3,000 [signatures] doesn't mean you necessarily want to" see them all.

Cisco, Lancope and other vendors also let administrators create unique groupings of servers and network components to protect the most critical information. Sensitive security thresholds may apply to databases of financial information or those holding credit card numbers so that even relatively low levels of suspicious activities immediately sound an alert.

Smarter hardware
Some networking hardware vendors are moving IDS/IPS capabilities from standalone servers and embedding them directly into switches. This approach helps spread security policies across the network, says Mike McKinnon, security solutions manager, for the ProCurve Networking unit of Hewlett-Packard. The devices enforce security policies and user access rights, while also checking that the newly attached computers are free from problem code. "Are they running the right version of the operating system? The right security patches? The correct version of antivirus?" says Al Madden, ProCurve product manager.

The products also feature virus throttling, an HP technology for limiting viruses to the infected machine or small areas of the network. If a switch or router uncovers a worm, the hardware sends an alert to a central management station, which then launches a preset action, such as shutting down the nearest network port. "Viruses, worms, and other fast spreading code can be seen from their high data rates, so we detect all these connections being made," McKinnon says. "Virus throttling doesn't have to stop each and every packet and do deep packet inspection, so it doesn't impact [network] performance."

The Harrisburg school district replaced its old network hardware with 207 of the virus-protection-capable switches, which now provide 9,000 network connection points for teachers and administrators in 16 schools. To take advantage of the ProCurve virus protection technology, companies also need a hardware manager ($3,199 to support a hundred devices) and a policy and authorization manager ($5,499 for 500 users).

Network reliability has been the main benefit, Pankake says. Gone are the Monday morning virus injections that used to infect the old network. So too are the network security problems that resulted in the loss of grades, attendance information and remedial work that students were working on to qualify for graduation.

Now, each of the communications ports on the switches monitors traffic for patterns that might indicate virus or worm activity. The approach "is completely independent of daily downloads of signatures," Pankake says. "It looks at an overall pattern of how traffic is supposed to look."

If he receives an e-mail alert of atypical patterns: "We dispatch our local tech to that particular building. The PCs are all labeled so we know exactly where the computer is. The tech can go out and do an immediate eradication of whatever is wrong, and no one else in the building knows what's going on." It's one less reason to dread Mondays.