Unified Perimeter Security
There is an increasing amount of news on rootkits, such as whether a company uses them in commercial software or if they can be bought to carry out direct attacks on someone. They are undoubtedly the latest craze.
The problem with rootkits is their detection and elimination. Various companies have announced technologies that can detect rootkits while they are active, that is, while they are hiding. Their concealment is precisely what makes them dangerous: antivirus scanners cannot find the files that make up the rootkit, and so cannot detect it.
It is a long-standing problem that stems from a relaxation in programming practices. In the early days of viruses there was talk of the stealth technique, which various viruses used to hide themselves. At that time the most rudimentary virus detection systems looked for file modifications. So if an infection increased a file's size by, say, 1000 bytes, a program that monitored file changes (or changes to significant system files, such as COMMAND.COM) could quickly warn of the danger.
To prevent such changes from being detected, the viruses intercepted certain system services, such as the ancient interrupt 0x13 used for disk reads. When another process wanted to consult any disk parameter (such as a particular file's size), it was answered by the virus's falsified service instead of the real system and received information that omitted the changes the virus had made.
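The following Python simulation is an added illustration, not code from the original article. It models the file-change monitor and the falsified read service described above: a baseline of size and hash is taken, a simulated infector appends 1000 bytes, and the monitor is run once through an honest reader and once through a hypothetical "stealthy" reader that hides the change. A cross-view comparison of the two readers shows why disagreement between a trusted view and the API view is itself a detection signal. Nothing here hooks a real operating system service; the interception is a plain function.

```python
import hashlib
import tempfile

INFECTION_SIZE = 1000   # bytes the simulated infector appends, as in the text
INFECTED = set()        # files the simulated infector knows it has changed

def _fingerprint(data):
    return len(data), hashlib.sha256(data).hexdigest()

def honest_stat(path):
    """Size and SHA-256 of the file as the disk actually holds it."""
    with open(path, "rb") as f:
        return _fingerprint(f.read())

def stealthy_stat(path):
    """Model of an intercepted read service (hypothetical, simulation only):
    for files the infector touched it answers with the pre-infection bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return _fingerprint(data[:-INFECTION_SIZE] if path in INFECTED else data)

def infect(path):
    """Simulated infector: append INFECTION_SIZE bytes and remember the file."""
    with open(path, "ab") as f:
        f.write(b"\x90" * INFECTION_SIZE)
    INFECTED.add(path)

def changed_files(baseline, stat_fn=honest_stat):
    """Files whose current size or hash differs from the recorded baseline."""
    return sorted(p for p, rec in baseline.items() if stat_fn(p) != rec)

def cross_view_diff(paths):
    """Files where the (possibly intercepted) API view and a trusted raw
    view disagree: the disagreement itself betrays the hiding."""
    return sorted(p for p in paths if stealthy_stat(p) != honest_stat(p))

def demo():
    """Constructed scenario: baseline a clean file, infect it, compare views."""
    target = tempfile.NamedTemporaryFile(suffix=".COM", delete=False).name
    with open(target, "wb") as f:
        f.write(b"clean program image\n" * 8)   # constructed stand-in content
    baseline = {target: honest_stat(target)}
    infect(target)
    return {
        "honest_monitor": len(changed_files(baseline, honest_stat)),
        "fooled_monitor": len(changed_files(baseline, stealthy_stat)),
        "cross_view": len(cross_view_diff([target])),
    }
```

Run `demo()` to see the monitor flag the file through the honest reader, miss it through the stealthy one, and recover it through the cross-view comparison.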
But those were other times. When operating systems with user-friendly APIs became popular (Windows, OS/2), virus writers no longer needed to worry about system interrupts, memory organisation or file management. The classic hacker tricks were forgotten and gave way to a simple, if more or less advanced, use of basic system tools.
Something similar happened with antiviruses. Reliance on the functions offered by the API, together with less technical viruses and other malicious code, meant that an antivirus was basically a fairly quick scanning engine plus a good virus signature database. The resurgence of rootkits could be seen as a step backwards in the development of malicious code, a return to more technical hackers. Unfortunately, this is not the case. Code writers no longer seek the notoriety they once did; their objective now is purely financial.
Once they realised that their creations ultimately earned them nothing, they began looking for economic gain. Nowadays it is unusual for malicious code not to capture some kind of valuable user information: the user's bank details and current accounts, passwords for access to the company's corporate network, and so on. The field becomes even wider, and the objectives even more clearly criminal, when one looks beyond malicious code in the strict sense to fraud based on social engineering. Phishing is a good example, since it requires no knowledge of programming, only bad intentions and the desire to steal.
This new situation shows how dramatically malicious code written for theft has come to the fore. Such code is designed to slip by undetected (at least by today's security technologies) and steal money. Perfect. However, it is not that simple. Although, as mentioned, malicious code has become less complex, the basic technologies no longer work. When one thinks of an antivirus, the image that comes to mind is a program that scans files arriving by e-mail. But it is much more than that: on-demand scanning is only a small part of everything an intelligent intrusion prevention system actually does, and that is the correct name for an antivirus nowadays.
An IT protection strategy may defend against malicious code at many different points in the system, and malware can be stopped at each and every one of them, eliminating the danger. For example, imagine a large company with a corporate network spanning several offices in several cities (or even countries) and different buildings, in other words a large corporate network. When some code enters from the Internet, those bytes (or megabytes) follow a communication path through different systems at which the code can be stopped. If it is not stopped, then the appliance in question, whether firewall or proxy, is not performing its functions properly.
When protecting a corporate network, the strategy should not be based on dividing functions or spreading tasks across different network points, even if things are done differently at each point. Why, for instance, should the mail server, which is specialised in handling messages, be the first line of defence against malicious code? Nowadays every corporate network service should be considered critical. A simple proxy is vital for business continuity, and burdening it with extra tasks is a luxury that cannot be permitted.
As can be seen, there are two new problems that require new solutions: on the one hand, the appearance of new types of malicious code (such as rootkits) and, on the other, the need to tackle this code directly. Lateral approaches, in which front-line security tasks are added to systems designed for other functions, can create problems that weaken the security structure.
The battle against malicious code must therefore be fought at a first level that is highly specialised in connecting the network to the outside world and that confronts threats directly and continuously. Having a system dedicated to a single task should not surprise network administrators, since the all-in-one server concept only works for very small networks. Each machine concentrates on one service and, generally, each service has more than one machine (with redundancy to assure continuity).
As a result, installing a system specialised in detecting malicious code adds capability when protecting against Internet threats that arrive in the form of files. However, there are other threats that are not simple e-mails and against which a classic antivirus can do nothing. For these a firewall is necessary, although a firewall cannot protect against everything either, which makes it necessary to move up a step to IDS (Intrusion Detection Systems).
Naturally, code travelling through the system has a destination where it will be opened, executed or displayed. Checking this code against a virus signature database helps eliminate known malicious code, but what happens with unknown malicious content? Logically it will not be stopped, since it has not been correctly assessed as dangerous. When the code reaches its destination, preventive scanning can be carried out at execution time, even stopping a process judged to be malicious. A firewall, however, cannot execute code in order to obtain enough information about it.
More advanced prevention systems are capable of pre-assessing the danger of a file, so that additional security data is available at a later scanning stage. In this way the frontal attack on malicious code is completed very effectively.
From all of the above it is possible to sketch what should be considered true perimeter protection: a dedicated system (not shared with other services) with active intrusion prevention (instead of a traditional passive firewall) and preventive detection of malicious code. Yet once this system is in place, it will serve no purpose if, as is increasingly common, the administrators have already begun to address the security of remote users by setting up virtual private networks. Security levels may rise significantly in one respect, but they will also drop critically when it comes to looking for malicious code.
If, as indicated above, the search for viruses and other threats is carried out directly at the Internet connection point, then the VPN termination systems end up sitting behind the security devices. In that position, all of the traffic (or at least part of it) passes through the defence system still inside the VPN tunnel, encrypted and therefore completely opaque to analysis.
One security system (VPN) can thus completely cancel out another (code analysis). As a result, VPN management must also be included in the protection system, so that the same device can decrypt the communication, analyse it in search of malware, and encrypt it again. Although these requirements may seem demanding, this Unified Threat Management concept provides a true bunker on the front line against threats. Thanks to these devices, your company's perimeter security is greatly enhanced and internal systems can concentrate on their main functions.
Fernando de la Cuadra, Panda Software
BIOS, Jun 02, 06, Posted In Security