Network intrusions. Database attacks. More sophisticated spam and phishing attempts.
Not every growing or emerging security threat to an enterprise makes the headlines. But they are out there and they are evolving—growing stronger and altering methods just enough to target what cracks remain in an IT infrastructure.
The CRN Test Center has spent the past several months analyzing more routine, but nonetheless dangerous, network threats through our own security test bed, or honeynet. The attacks come from places like China, or even the Midwest U.S. At times, there was almost nonstop 24x7 port scanning by nameless, faceless would-be network raiders looking for an entryway into our data center. We saw a surge of attacks against our SQL database toward the end of 2008. Malware infected one of our laptops, hijacking an attempt to reach an online banking account.
Had these attacks been directed against a health facility, supermarket chain or government agency, untold damage could have been inflicted through the theft of customer databases or destruction of records. Even small businesses that are up against these attacks face serious harm if, for example, a mail server is attacked, destroyed and takes thousands of dollars to repair. The better part of valor is to understand the attack points and send in the reinforcements.
Gone are the days when network security meant deploying a client/server antivirus security suite and keeping all machines updated with the latest signature files. Even incorporating a unified threat machine alone may not be enough to keep a network fully protected. A well-guarded network is no longer just about keeping up defenses, but about being proactive—for example, actively scanning ports for intruder attempts and monitoring any changes made not just externally but from within as well.
These are the reasons why, in today's threat landscape, the most secure network infrastructures implement not a single network security technology, but a multilayered comprehensive security strategy. In this issue, we've taken a look at key points of vulnerability throughout a network based on threats we've observed with our own eyes in our test bed. We've looked at key products that can protect those points and lock a network against malicious attacks, or even reckless employees. We looked at offerings from Guardium, Sophos, Trend Micro Inc., Sourcefire Inc. and Check Point Software Technologies Ltd.
We started by keying in on several main areas to safeguard in a typical corporate network: database security, intrusion detection/intrusion protection, end-point control, and malware and Web content management. There are several security products that focus on at least one or more of these key areas. Here is a look at some of the best products out there that can cover each of these areas:
SQL server attacks abounded last year, evidenced in the Test Center's threat reports of 2008. A relentless amount of SQL hacking attempts were logged as well.
Compromised databases accounted for many of the big computer security breach news stories in 2008. This is why a lot of companies are turning to database security solutions like Guardium. Guardium's database security and management appliance protects against inside and external threats. The appliance reviewed in the Test Center is a hardened Dell PowerEdge 1950 with 160 GB of RAM and features a patented data compression mechanism. Guardium's solution prevents database compromise by offering realtime monitoring and alerting, including the monitoring of privileged user accounts such as those of database administrators.
The Software TAP service is the agent that is installed on the same box on which the databases reside. Installation of the S-TAP is easy and quick. Even better, the S-TAP service is self-auditing and self-monitoring; an alert will be sent if an uninstall of the service is attempted.
A Web management console offers ease in configuring granular security policies. Whenever policy violations occur, Guardium offers a high level of alerting and remediation: In the event of a detected attack or data compromise, the device will provide detailed monitoring of attacks—from which IP, what was targeted, which tables were accessed and which application was involved. Information on the users who may have been compromised is provided as well.
Consider that a financial institution could have millions of user account records stored in a database. If some of that data is compromised, a solution like Guardium's can report on the exact user information that was affected. Such a detailed level of information would allow the business to communicate immediately with those specific customers, without having to send correspondence to all customers that their accounts may have been compromised.
An example of remediation capabilities: In the event of a password policy violation, Guardium can lock the account. Correlation alerts can be set up—these are alerts that are sent and actions that are initiated in case an event exceeds a certain threshold limit. One of the most common ways customers use correlation alerts is to detect a number of sequential login attempts in a short period of time, like less than 5 minutes. This is usually a good indicator of a hacking attempt. Guardium employs a sophisticated level of vulnerability assessment. This, along with database analytics and forensics, provides detailed information on what or whom is threatening or trying to threaten data. There is also the ability to prevent unauthorized access to sensitive data and to mask sensitive information in tables (for instance, a security officer may not want a system administrator to see customers' Social Security numbers.)
Guardium's database security may contain the most powerful compliance regulations tools that the Test Center has ever seen. There are templates and high-level, yet easy-to-work-with, best practice reports for PCI, SOX, OMB and data privacy. These templates can be customized easily to meet other regulations like HIPAA.
The device also guards at the "back door." The S-TAP resides on the database server itself, so the back door is monitored, including connections via named pipes or shared memory. Other security features include ensuring all current and relevant patches are applied and there is protection for front-end Web applications. SQL injection attacks are stopped by anomaly detection.
Another impressive feature is the lack of overhead with database performance when using the Guardium appliance. Logging and monitoring are all done on the appliance. This result uses way less overhead than using native database monitoring.
Intrusion protection and detection have become a crucial part of network security. Although many security products offer some watered-down IPS/IDS functionality as part of an all-in-one security solution, Sourcefire is a leading contender in the IPS space. The creator of SNORT—the open-source network IPS/IDS system—is the founder of Sourcefire and the company's high level of knowledge of this technology is apparent in Sourcefire's 3D system. This IPS/IDS is a three-layered solution: IPS, Adaptive IPS and Enterprise Threat Management are the components.
Installation is easy. Through an install wizard, a sensor is configured by providing network settings. Once the sensor is online, an administrator can choose one of the default IPS policies (which can also be customized). These polices protect against known and zero-day threats. The Web interface is called the Defense Center Management Console. The level of customization seems limitless; custom views can be created from a wide range of drag-and-drop widgets. Even RSS feeds from Sourcefire's site, or other Internet security news sites, can be added to keep an admin up to date on all the latest happenings with security. Intrusion events can be analyzed in detail. In the Test Center's review, Sourcefire detected a network Trojan as a high-priority event, as well as the IP addresses that were targeted. Once an event is detected, a right click on the event pulls up a menu that allows for the execution of a variety of actions against the event. In-the-box reporting is available or custom reports can be created. The system can do realtime alerting via syslog, e-mail or SNMP.
Adaptive IPS is Sourcefire's Realtime Network Awareness (RNA). It lets a user understand what they are defending. With RNA, a user can create a network map to gain realtime detailed information on the operating system, ports, services, protocols and a host of other things running on a network. Adaptive IPS also gives potential host vulnerabilities and can distinguish between physical and virtual machines. Another feature is automated IPS tuning—the system recommends which IPS rules should be applied to certain hosts depending on their placement and mission-critical status in an organization. As network changes are made, Adaptive IPS is always optimizing. Due to the end-point intelligence collected by RNA, Defense Center can analyze the impact and relevance of an attack. Enterprise Threat Management is comprised of intrusion prevention, user identity tracking, network behavior analysis and IT policy compliance.
Sourcefire's 3D System uses Realtime User Awareness to get a scope of user machines. For example, an admin can see if a client machine is infecting another client machine. Sourcefire's solution can baseline network traffic and spot anomalies such as the spread of malware across a segment of the network not monitored by IPS.
Sophos continues its stance as a proven leader in the security business. Sophos Endpoint Security and Control is its enterprise end-point security product. An agent is installed onto network end points that scouts for nasties like malware, adware, spyware and suspicious files. Sophos Endpoint Security and Control uses behavioral genotype and does application control as well as device control (rolled out earlier this year). The product protects laptops, desktops and servers. It enables administrators to control user installations or other user actions like running peer-to-peer software, games, IM or adding removable storage devices. Sophos Endpoint Security and Control serves the purpose of providing more functionality for the organization without slowing down an end user's machine. Endpoint Security is multiplatform and is compatible with Windows, Mac, Linux, Unix, Open VMS and several other platforms.
Sophos has an incredible ability to develop great security products while keeping a level of simplicity about the administration. From the Sophos Endpoint Security and Control console an administrator can perform different tasks like rolling out antivirus protection or policies to all end points. This centralized management allows system administrators to keep tabs on an infrastructure at one central point. The agent includes a client firewall: the agent and endpoint security works in tandem with Sophos' anti-virus. Sophos Endpoint Security and Control is a way to ensure that all end points are adhering to internal compliance policies. End users can be restricted from the network if they do not meet a predefined set of requirements that can include making sure antivirus is running, a client firewall is installed, ensuring Windows update service is enabled or making sure that the operating system has the latest patch and update level.
Sophos Endpoint Security and Control provides the ability to roll out antivirus protection to Windows-based mobile devices. On the road map is granular control of wireless, Bluetooth and infrared; however, the current version of Sophos Endpoint Security and Control allows for generic control over the interfaces—if you don't want someone to use the wireless NIC in the laptop, it can be blocked. Sophos placed an emphasis on simplifying the role for the administrator. Sophos Endpoint Security and Control integrates nicely with Active Directory so established policies roll out automatically to new employees or new machines; admins don't have to add them manually again in the console.
Malware/Web Content Management
Trend Micro's Worry-Free Business Security Advanced (WFBS-A), is Trend Micro's client/server/messaging security solution. Trend Micro likens the product to a "global neighborhood watch." WFBS-A protects Microsoft Exchange, Microsoft Small Business and Essential Business Server (available in version 5.1) Windows servers, client machines and laptops. InterScan Messaging Hosted Security Standard, is an availble online service that adds another layer of antispam protection via the cloud through IP reputation and e-mail content scanning. Because it is a hosted service, no additional resources are needed in the physical infrastructure. There is an easily navigable Web console for centralized management—from it an administrator can deploy client/server security agents to desktops, notebooks and servers, the Messaging Security agent to Exchange server, or combine clients into logical groups for easier management and configuration. The console is where antivirus and antispyware configurations are set and scans can be manually initiated or scheduled.
WFBS-A will send notifications about outbreaks or any malware detection. This is done using WFBS-A Security Server. The Security server scans for actively circulating and known threats. Some other features include a client firewall bundled with the agent and Web threat protection that evaluates the potential security risk of a requested Web page before displaying it.
TrendProtect can evaluate the security risk of hyperlinks on a Web page. WFBS-A employs Behavior Monitoring, Content Filtering and even Transaction Protector, which will do a check on the safety of Wi-Fi networks and has a keystroke encryption and a password clipboard; which is an on-screen keyboard for securely entering user names and passwords that hides text from keyloggers.
Unified Threat Management devices are aplenty. There are some products that are better than others, however. It's no wonder Check Point makes a quality UTM—this was the company that created the first commercial firewall in 1993. Check Point went from firewalls to VPNs and now its sole focus is on security. So much so, in fact, that Check Point's security appliances protect 100 percent of the Fortune 100.
Check Point UTM-1 Edge is a true out-of-the box turnkey device. The UTM-1 was designed for the SMB or as a branch office solution. It has a centrally managed firewall, antispam, NAC, Web filtering, IDS and VPN. The UTM-1 is available with wireless, or ADSL modem, or in an industrial model engineered for environments with extreme temperatures. The UTM-1 also does enhanced URL filtering and IM blocking. It also can do granular antispam filtering. Policies can be created across the enterprise and enforced.
These are all good ingredients in aiding solution providers in developing a security infrastructure. Forecasts predict no end in sight with regard to the amount of cybercrime that will be unleashed in 2009. Even with thinning budgets and lots of belt tightening, IT departments will be forced to invest in security technologies to keep that most precious of assets—data—safe.