In-Depth
New ways to police the enterprise
Gregg Pankake had a better reason than most to dread coming to work on Monday
mornings. The network manager and his staff grappled with outdated network security
at the Harrisburg city school district in Pennsylvania. When teachers plugged
in their laptops after a weekend away, they would "bring all this wonderful
junk—viruses and spyware—back to school," Pankake recalls. He routinely dealt
with 500 or more "nasty bugs" each week. The old security solution,
antivirus software running on servers, "would just get flooded and fail,"
he says.
Fortunately, Mondays have become far less stressful in the past year. The school
district invested in about $650,000 worth of new network gear. Virus-related calls
to the IT help desk now number only a handful, a steep reduction from the 30 or
so per day that used to come in. "We used to get calls that entire buildings
were down because one person infected multiple PCs or a network switch couldn't
handle the broadcast traffic" generated by rogue software, Pankake recalls.
Like other institutions, the Harrisburg school district learned how to benefit
from increasingly sophisticated intrusion detection and intrusion prevention systems.
Technology researcher IDC estimates sales of network-based detection and protection
rose 39 percent in 2005. The IDS/IPS market is poised for another 27 percent gain
this year, thanks to heightened interest in network protection and more accurate
security products, the research company says.
"Network intrusion prevention acceptance is increasing as false alerts are
reduced and as attacks become more damaging," observes Charles Kolodgy, research
director for secure content and threat management products.
But IDS/IPS still isn't foolproof when it comes to spotting intruders or avoiding
"false positives" that frustrate managers with unnecessary warnings.
Another worry for managers is the flood of network activity and communications
data that IDS technology routinely creates. Even automated systems that screen
information before delivering alerts to security officers can quickly become overwhelming.
The problems have led some managers to temper their reliance on IDS. "[Use
it to] cover your bases, but the best network security is when you don't really
need to use your IDS because you have your anti-virus and operating system patched
and updated," says Stephen Escher, network security manager, Hilton Grand
Vacations Company, Orlando, Fla. "IDS is definitely a piece of the puzzle,
but it's not the whole thing."
Who let the dogs in
The Computer Emergency Response Team at Carnegie Mellon University's Software
Engineering Institute in Pittsburgh decided, about a year ago, that intrusion
reports were becoming too numerous to count. "With the advent of automated
tools, a single perpetrator can hit a large number of sites virtually simultaneously,
so discriminating whether you're seeing one incident or many got to be indefensible,"
explains Tim Shimeall, a senior member of the CERT technical staff. "The
best evidence, however, is that both the prevalence and the cost of intrusions
are continuing to rise."
Today's biggest threats include botnets, which are groups of remotely controlled
computer resources that work together for malicious goals; sophisticated phishing
schemes that spam a target with e-mails; and other machinations that mimic legitimate
traffic. These threats keep corporate security managers and software vendors mired
in a constant game of catch up, Shimeall says. See separate story, "Advice
from the frontlines."
What to do? The perimeter protection capabilities of IDS/IPS watch for electronic
evil doers from the outside and for employees performing unauthorized activities
inside the firewalls. Vendors take two distinct approaches to thwarting break-ins.
One approach scans for virus and worm signatures-essentially fingerprints of known
threats that security vendors distribute. The other approach, known as anomaly
detection, uses software sensors buried in network hardware to watch for suspicious
activities, such as a large number of incoming messages aimed at a production
server.
The venerable signature approach provides a reliable defense against known viruses
and worms, which can cost companies millions of dollars in lost data and downtime.
Signature proponents say this strategy remains a first line of defense against
malicious code. "The majority of attacks out there are based on existing
vulnerabilities. A lot of attackers simply leverage known vulnerabilities,"
says Patrick Wheeler, senior product manager for Symantec.
However, as hackers constantly change their modus operandi there's a danger that
signatures can't be updated quickly enough to block every attack. The cost of
this form of protection is another downside. Signature devices range in price
from about $15,000 to $150,000 per dedicated server or surveillance point. Fortune
1000 companies—with dozens of Internet connections and hundreds of remote locations—might
quickly strain budgets to secure every vulnerable entryway. As a result, companies
often install the technology selectively on network edges, near firewalls, an
Internet link, or the connections to partner Web sites.
The sensor strategy overcomes mass rollout problems because it requires only a
small number of servers, which then collect activity data from the dozens of routers
and switches installed across enterprise networks. Although analysis server prices
are comparable to signature-scanning products, proponents say orgs require fewer
analysis devices since they merely aggregate data sent from network gear.
The servers compare traffic patterns and other info from the network devices against
a baseline of typical activity and scout for unusual patterns that may be a tip
off to intrusions. "If [a server] detects that a worm is spreading or that
a policy violation has occurred, it can instruct a router to block traffic from
the offending source," says Adam Powers, director of technology for Lancope,
a vendor of behavior analysis appliances, based in Georgia.
Advice from the frontlines
The Computer Emergency Response Team at Carnegie Mellon University's Software
Engineering Institute works on the front lines of cybersecurity. The team advises
orgs how to protect their networks from today's threats and researches ways of
coping with tomorrow's break-ins. CERT says a handful of security measures before
trouble arises can help enterprises avoid or limit the consequences of intrusions.
First, establish a secure and usable network configuration. Almost every commercial
technology, ranging from network hardware to operating systems, arrives with numerous
default settings in place that may or may not be important to the organization.
"The basic rule is, if it's not related to your business, why support it?"
says Tim Shimeall, a senior member of the CERT technical staff. "I might
disable Microsoft file sharing from outside of a LAN segment or I might disable
SQL Server traffic going to clients. In other words, attempt to connect to a client,"
he explains.
"I also might want to disable a variety of communication methods that are
associated with the file sharing applications, particularly ones that are known
to be somewhat promiscuous in the number of connections they make within and outside
of the network," he says.
Next, IT managers should create a baseline profile of the IT environment. Shimeall
advises orgs to capture any information that might be helpful for later comparisons
to determine if someone has penetrated the system. One safeguard is to run and
store the results of cryptographic checksums on important files. If IT managers
suspect attempts have been made to modify the content of a program or a data file,
they can refer to the master record file.
Orgs should also keep records of where network communications ports are located
and which ones are disabled. These records can alert managers if intruders have
found a way into the enterprise by opening ports that should have been disabled.
"Opening a hole for himself is very typical of an intruder," Shimeall
says.
Permanent records should also contain profiles of the roles and capabilities of
each network server. For example, descriptions should explain which servers host
e-mail communications and which ones are Web servers. "You can expect to
see one set of behaviors if it's a server that is receiving e-mail and perhaps
DNS traffic," Shimeall explains. Anomalous behavior can tip off breaches.
He also suggests that server profiles include content, hardware and software configurations,
and which users are authorized to use each machine. "So if you suddenly see
a new user account on the host, you can easily detect the problem," Shimeall
says.
Because checklists and profiles add to the administrative burden of already stressed
IT and security teams, the work often never gets done, Shimeall says. But he believes
security planning is important. "There are some shops that believe this kind
of effort isn't a priority," Shimeall says. "The feeling is, 'So long
as our network is usable by us, why worry?' But those shops are setting themselves
up for significant risk, because essentially they are saying that their ability
to use their network is left in the hands of the attacker. And those are not friendly
hands."
-Alan Joch
More sophisticated safeguards
Signature-based products are attempting to overcome some of the gains seen by
anomaly detection technology. Using Cisco IDS technology, Hilton Grand Vacations'
Escher instructs routers, firewalls, and other network components to block certain
at-risk traffic, such as known worms. "If I did see a worm come out and there
wasn't a signature for it, the security software has a nice wizard that lets you
answer some questions about the type of traffic you are trying to generate an
alert for," he says. "You can write your own signature and not have
to wait," for vendors to formally distribute one.
Signature-based safeguards are also becoming more sophisticated. In addition to
the traditional approach of quickly installing new definitions before a fledgling
attack takes hold, vendors are working with operating system developers, such
as Microsoft, to learn about vulnerabilities before hackers can base an attack
on them. For example, if a certain type of buffer overflow potential exists in
the code, "rather than trying to track every exploit tool to see how it might
overflow the buffer space, we will write a single vulnerability-based signature,"
says Munawar Hossain, product line manager for IPS security products at Cisco
Systems, San Jose, which offers both signature and anomaly detection products.
"If something overflows the buffer by one character or a million characters,
the signature will classify this as a buffer overflow. So no matter how you overflow
the stack space, I will catch it."
In addition, signature-technology vendors are working to further mitigate vulnerabilities
with technology that searches for pieces of malicious content carried by multiple
packets. So if the dangerous code consists of the letters "FOO," a technique
called regular expression analysis can find the three letters even if they're
spread across separate packets. The security software "searches the packet
header and payload to determine whether or not that regular expression is contained
in there," Hossain says. The software "is sophisticated enough to detect
if the 'F' is in the first packet, an 'O' is in the fifteenth packet, and the
last 'O' is in the thirtieth packet."
Too much information
However, both the signature and anomaly-detection approaches can create data overload—one
from too many profiles enabled, including benign signatures, and the other from
overly detailed traffic analysis reports. "You really have to tune the system
if you see a lot of false positives on a network," Hilton's Escher says.
Some vendors attempt to overcome data overload with threat-level indexes. If suspicious
activity emanates from a single IP address, for example, the bar on an on-screen
security thermometer rises to alert managers. "You don't want to overwhelm
the administrator with summaries of hundreds of ping sweeps and port scans,"
two activities that sometimes presage an attack, Cisco's Hossain says. "You
can set the sensor so that if it sees 300 of these events over a certain period
of time, it summarizes the information into one single event and notifies [the
manager] every 20 minutes."
A flexible security policy management tool, a component of anomaly detection systems,
can be another antidote to data overload, says Symantec's Wheeler. "Look
for a policy manager that can start with a predefined security setting and then
help you quickly edit certain categories of signatures that you don't want to
be alerted to," he says. "Just because you can detect 2,000 or 3,000
[signatures] doesn't mean you necessarily want to" see them all.
Cisco, Lancope and other vendors also let administrators create unique groupings
of servers and network components to protect the most critical information. Sensitive
security thresholds may apply to databases of financial information or those holding
credit card numbers so that even relatively low levels of suspicious activities
immediately sound an alert.
Smarter hardware
Some networking hardware vendors are moving IDS/IPS capabilities from standalone
servers and embedding them directly into switches. This approach helps spread
security policies across the network, says Mike McKinnon, security solutions manager,
for the ProCurve Networking unit of Hewlett-Packard. The devices enforce security
policies and user access rights, while also checking that the newly attached computers
are free from problem code. "Are they running the right version of the operating
system? The right security patches? The correct version of antivirus?" says
Al Madden, ProCurve product manager.
The products also feature virus throttling, an HP technology for limiting viruses
to the infected machine or small areas of the network. If a switch or router uncovers
a worm, the hardware sends an alert to a central management station, which then
launches a preset action, such as shutting down the nearest network port. "Viruses,
worms, and other fast spreading code can be seen from their high data rates, so
we detect all these connections being made," McKinnon says. "Virus throttling
doesn't have to stop each and every packet and do deep packet inspection, so it
doesn't impact [network] performance."
The Harrisburg school district replaced its old network hardware with 207 of the
virus-protection-capable switches, which now provide 9,000 network connection
points for teachers and administrators in 16 schools. To take advantage of the
ProCurve virus protection technology, companies also need a hardware manager ($3,199
to support a hundred devices) and a policy and authorization manager ($5,499 for
500 users).
Network reliability has been the main benefit, Pankake says. Gone are the Monday
morning virus injections that used to infect the old network. So too are the network
security problems that resulted in the loss of grades, attendance information
and remedial work that students were working on to qualify for graduation.
Now, each of the communications ports on the switches monitors traffic for patterns
that might indicate virus or worm activity. The approach "is completely independent
of daily downloads of signatures," Pankake says. "It looks at an overall
pattern of how traffic is supposed to look."
If he receives an e-mail alert of atypical patterns: "We dispatch our local
tech to that particular building. The PCs are all labeled so we know exactly where
the computer is. The tech can go out and do an immediate eradication of whatever
is wrong, and no one else in the building knows what's going on." It's one
less reason to dread Mondays.