In response to this article, we have been saying the exact same thing for 13 years now. The idea behind UTM has always been that an effective response to blended threats can only come from blended security, and that there is no way to blend security when you are dealing with 10 different devices, most likely from 7 different vendors, with not a single one of them integrated with the others.
We must be clear from the outset: there is no such thing as “an email attack” or “a web attack”. Attacks come in many forms, via the network, through email, from the web; a sound network defense must be able to understand everything the attack is trying to do, and stop it with any and all of the tools available.
A word of caution though; UTM or not, a protection device that is not properly configured is, simply put, useless. Yes, useless, no matter how good the technology is. Security is not, and never will be, just a device.
The market will grow, but if all we are doing is replacing our set of firewall/IPS/VPN/email scanning/web filtering with one device, yet still leaving them poorly configured, we have resolved nothing.
As the UTM market grows, it is increasingly crucial that the managed security services market grows as well, to ensure such devices are adequately configured by expert hands who understand risks and best practices, and can go a long way towards ensuring the successful protection of a network.
Is your network safe?
After a brief summer break, I start again this week with a weekly post; or so I plan.
This week, the topic revolves around antiviruses and the battle that all AV companies are unequivocally losing.
Traditional Antivirus Solutions
Traditional antivirus technologies focus on recognizing the threat, identifying it properly, and then stopping it. They rely heavily on human beings analyzing pieces of malicious code and creating “signatures.” The entire process of finding malicious code, analyzing it, creating the signature, testing it properly and deploying it can take between 4 and 12 hours. Hackers know this and are taking advantage of it by flooding the Internet with new code at a rate that we now calculate to be about 40,000 new pieces of malware per day. This is unprecedented and is causing the traditional antivirus companies to lose their battle against malware writers, by a very large margin.
To give you an idea of how dismal the situation is, we calculate that every day there are at least 80,000 pieces of malware that no one has signatures for. This means that if one of these makes its way to your computer, not only will your AV not stop it, but it may not even recognize that a malicious piece of code was installed on your computer. Days later, when you perform a system-wide scan, if your AV has a signature by then, it may recognize that malicious code. Cleanup is often out of the question; quarantining is likely the best you can achieve, assuming the code has not already spread to other computers around you.
Obviously the traditional way of creating signatures is not working and needs to be revised. New approaches need to be invented; new weapons are needed for us to fight this battle and have some chance of turning the tables.
Network Box's Z-Scan
About a year ago Network Box announced a new AV, which we call Z-Scan.
Z-Scan takes an entirely new approach, based on statistical observation, which allows us to automate the process of creating and releasing signatures, reducing the entire cycle to a few seconds. The idea behind Z-Scan is that certain things are malicious in nature, and what exactly they are is irrelevant.
Network Box has deployed an extensive network of malware traps around the globe; these are email addresses that do not belong to a person, and there is no reason why they would ever receive a legitimate email. Therefore, anything arriving at these traps is either spam or malware.
How Z-Scan Works
When a piece of code is caught by one of these traps, it is analyzed with three different traditional antiviruses. If these do not find anything, the assumption is that the code is malware, but new: a zero-day attack, by definition something no one has seen yet. Hence, the system automatically creates a unique identifier, a hash, and distributes it via our cloud system to all our regional centers.
When a Network Box customer, e.g. a bank, receives the same piece of code and the antiviruses do not find anything, that box creates the same unique identifier (same file and same algorithm yield the same hash) and automatically queries the regional center with that hash. The regional center replies positively, with a confidence factor that reflects how many times the same code has been seen. At this point, the bank's box will block that code even though it does not know what type of malicious code it is. The reason it blocks it is that this code was seen in a malware trap a few seconds earlier. The odds that it would be legitimate are statistically zero, and attaching an official name to that piece of code is irrelevant. What is very relevant, instead, is that it needs to be stopped, immediately. That is the approach Z-Scan takes.
To appreciate the relevance of this system, keep in mind that once a traditional antivirus has the ‘official’ signature for a piece of code, its hash is removed from Z-Scan, to ensure Z-Scan always runs very fast. Therefore, the number of hashes in Z-Scan is a measure of the number of pieces of malware in the wild that traditional antiviruses are not yet properly catching. If you click here, you can find the latest measures of the number of hashes. Scroll to item #7 and you will see the number of signatures running in Z-Scan in real time. At the time of writing, that number was above 150,000. This means that right now there are over 150,000 pieces of malware circulating on the Internet that traditional antivirus technologies are not yet catching. And hackers are counting on that to bypass your security system(s). Z-Scan remedies that by stopping this malware with its new statistical approach.
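The trap-to-gateway workflow described above, as an added simulation (not Network Box code): three constructed signature engines, a regional center that counts trap sightings as the confidence factor, a customer gateway that blocks on either a signature or a sighting, and retirement of the hash once a traditional signature is published. SHA-256, the sample bytes and the engine behaviour are all assumptions.

```python
"""Simulation of the Z-Scan style workflow: traps, hash sharing, confidence
by sighting count, and retirement of a hash once a traditional signature
exists.  Added example, not Network Box code; the engines, samples and the
hash algorithm (SHA-256) are constructed assumptions."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Engine = Callable[[bytes], Optional[str]]


def digest(sample: bytes) -> str:
    """Same file, same algorithm, same hash: the identifier both sides share."""
    return hashlib.sha256(sample).hexdigest()


def make_engine(signatures: Dict[str, str]) -> Engine:
    """Constructed stand-in for a traditional signature-based AV engine.
    `signatures` maps a sample hash to the official malware name."""
    def scan(sample: bytes) -> Optional[str]:
        return signatures.get(digest(sample))
    return scan


class RegionalCenter:
    """Holds hashes of trap samples that no traditional engine recognised."""

    def __init__(self) -> None:
        self.sightings: Dict[str, int] = {}

    def report(self, h: str) -> None:
        self.sightings[h] = self.sightings.get(h, 0) + 1

    def query(self, h: str) -> int:
        # Confidence factor: how many times the same code was seen at traps.
        return self.sightings.get(h, 0)

    def retire(self, h: str) -> None:
        # A signature now exists upstream: drop the hash so the table stays small.
        self.sightings.pop(h, None)


def scan_with_engines(sample: bytes, engines: List[Engine]) -> Optional[str]:
    """Run the traditional engines; return the first official name found."""
    for engine in engines:
        name = engine(sample)
        if name:
            return name
    return None


def trap_receive(sample: bytes, engines: List[Engine],
                 center: RegionalCenter) -> Tuple[str, str]:
    """Malware trap: anything arriving here is spam or malware by construction."""
    name = scan_with_engines(sample, engines)
    if name:
        return ("known", name)        # traditional AV already covers it
    h = digest(sample)
    center.report(h)                  # zero-day: publish the hash immediately
    return ("new", h)


def customer_gateway(sample: bytes, engines: List[Engine],
                     center: RegionalCenter) -> Tuple[str, str, int]:
    """Customer box: block on signature, else block on a trap sighting.
    Returns (verdict, reason, confidence)."""
    name = scan_with_engines(sample, engines)
    if name:
        return ("block", "signature:" + name, 0)
    confidence = center.query(digest(sample))
    if confidence > 0:
        return ("block", "zscan", confidence)   # the name is irrelevant: stop it
    return ("allow", "unknown", 0)


def publish_signature(sample: bytes, name: str, signatures: Dict[str, str],
                      center: RegionalCenter) -> None:
    """Traditional AV catches up: add the official signature, retire the hash."""
    signatures[digest(sample)] = name
    center.retire(digest(sample))


if __name__ == "__main__":
    dbs: List[Dict[str, str]] = [{}, {}, {}]     # three independent engines
    engines = [make_engine(db) for db in dbs]
    center = RegionalCenter()
    fresh = b"constructed sample: first seen at a trap moments ago"
    print(customer_gateway(fresh, engines, center))   # allowed: nobody has seen it
    trap_receive(fresh, engines, center)
    print(customer_gateway(fresh, engines, center))   # blocked by zscan, confidence 1
    publish_signature(fresh, "Trojan.Constructed", dbs[0], center)
    print(customer_gateway(fresh, engines, center))   # blocked by signature now
```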
If you’re a retailer, you know full well how tough it is right now in this economy. You’re constantly trying to find new revenue sources while keeping your current customers happy. And regardless of how big you are, data safety and data protection must remain top priorities if you hope to grow and expand.
Add to that, if your network billing and inventory apps aren’t available 24x7x365, you face significant financial and customer service risks. And if you want to comply with Payment Card Industry (PCI) standards, your security policies have to be defined and enforced. If you don’t comply, expect to get whacked with considerable financial penalties and sanctions!
Most retailers don’t want to spend a lot of time worrying about the aforementioned – they want to focus on their core business. But every day you read about a company that’s been hacked – and there are also numerous other Internet threats like Trojans, viruses, intrusion attempts, denial of service attacks that are becoming ever more sophisticated. And just having a firewall and software to guard against malicious content just doesn’t cut it today.
Ready to reach for that bottle of Tylenol, yet? There is a solution – a managed security service. In short, with a managed security service, such as what Network Box offers, you can connect and secure multiple, geographically dispersed sites and important apps like inventory control and point-of-sale systems. Some other key benefits include:
- Securely connecting multiple stores, branches, warehouses and remote sites
- Reducing operational costs by centralizing security policy management
- Reducing administrative and operational overhead
- Protecting sensitive and confidential data and ensuring compliance with PCI standards
- Growing your network without sacrificing centralized control
So, there is light at the end of that retail tunnel – give me a call (832/242-5757) or send an email (firstname.lastname@example.org) and let’s discuss further how we can help your company not worry about security issues and get back to what you do best. You’ll also get a good night’s sleep!
Many companies greatly underestimate the security issues in the cloud and end up trying to protect their servers only with a firewall, if even that. Because the cloud is being approached as a way to save money by reducing hardware rather than by improving efficiency, the idea of deploying security in the cloud is too often overlooked as an expensive and unnecessary luxury. This is heaven for the hackers, who couldn’t ask for anything better than an environment full of servers that aren’t protected.
When Network Box started operations 11 years ago, security was generally seen as a firewall and, maybe, antivirus on the workstations. Over the years we have been telling our customers that this is not enough. IDS, IPS, and several other gateway protections have emerged. Network security today can be very strong; but too many companies are not adopting the same at the virtual level.
For one thing, in the virtual world you can’t install your own device. So you need to use what is available as a virtual solution. Some companies have virtualized their systems already; Network Box, for example, has a completely virtual version of its award-winning hardware-based solution. The two versions are identical in every aspect, including how the system is managed.
But most of the other offers, which customers can manage themselves, are just firewalls. And this poses a problem and a risk. A firewall is only a starting point, and definitely not the “entire” security you need to protect a network. IDS, IPS and much more is needed, just as it is in the physical world.
One solution we have seen does not even include the ability to create an IPsec VPN. You need to install your own open source code, compile it and configure it. Where are the savings when your people need to spend so much time securing everything? And so it happens that security becomes secondary because it is seen as too expensive to be done properly.
What makes matters even worse is the generalized lack of appropriate processes and procedures to deal with the cloud. When you move your data in the cloud, you need to ensure that access controls are as strong as they can be; you also need to reinforce your database even more than when you have it in house; and you need to define very clearly who has access to what and why. The same processes and procedures you use inside your company need to apply to the cloud.
Because most of what is hosted in the cloud is servers running databases or backups, too often we see connections from the company to the cloud made via RDP, without any form of protection. My major concern is that RDP exposes a login account to the Internet. And hackers have all the time they want to conduct any form of exploit – this could be a brute-force password attack, but most likely it will be some sort of malformed packet that will run arbitrary code on the server. RDP should never be opened to the Internet at large. If no other option is available, it should at least be restricted to well specified source addresses.
The best way to protect your cloud is to adopt an integrated firewall/IPS/VPN solution; this will deliver the best security available in traditional environments, and allow for full protection of the cloud servers and data. Connection from the company’s network to the cloud should never be made other than through a VPN. Inbound access from the Internet to the servers should be tightly controlled, and allowed only from specific IPs if possible, and only if and when necessary.
Outbound access, to the Internet, should be controlled as well by opening only the ports that are really needed, which in most cases will be only domain (DNS), http and https, and maybe a handful of ports to reach an authorization or authentication server, if really necessary (these should be restricted to the IPs of the remote servers).
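A small rule-set checker for the cloud posture described in the last three paragraphs, added here as an example (not Network Box code): it flags RDP reachable from the whole Internet and outbound rules that open ports beyond domain/http/https to any destination, and it is run over a constructed weak rule set and its corrected form. The rule format and all addresses are assumptions.

```python
"""Checker for the recommended cloud firewall posture: RDP not exposed to the
Internet at large, outbound limited to domain/http/https plus pinned servers.
Added example, not Network Box code; rule format and addresses are constructed."""
import ipaddress
from typing import Dict, List, Set, Union

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
BASELINE_OUTBOUND: Set[int] = {53, 80, 443}   # domain, http, https
RDP_PORT = 3389
Ports = Union[str, Set[int]]                  # "any" or an explicit port set


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _has_port(ports: Ports, port: int) -> bool:
    return ports == "any" or port in ports


def audit(rules: List[Dict]) -> List[str]:
    """Return one finding per allow rule that violates the recommended posture."""
    findings: List[str] = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst, ports = _net(r["src"]), _net(r["dst"]), r["ports"]
        if r["dir"] == "in":
            # Inbound must be tightly controlled; RDP from anywhere is the worst case.
            if src == ANY_NET and _has_port(ports, RDP_PORT):
                findings.append(f"{r['name']}: RDP (tcp/{RDP_PORT}) open to the "
                                "Internet at large; use the VPN or list the sources")
            elif src == ANY_NET and ports == "any":
                findings.append(f"{r['name']}: inbound any/any from the Internet")
        else:
            # Outbound: only needed ports, and anything beyond the baseline pinned to an IP.
            if ports == "any":
                findings.append(f"{r['name']}: outbound unrestricted; open only needed ports")
            else:
                extra = set(ports) - BASELINE_OUTBOUND
                if extra and dst == ANY_NET:
                    findings.append(f"{r['name']}: outbound {sorted(extra)} to any "
                                    "destination; restrict to the remote server IPs")
    return findings


# Constructed rule sets; 198.51.100.10 plays the cloud server.
WEAK_RULES = [
    {"name": "rdp-in", "dir": "in", "action": "allow", "src": "0.0.0.0/0",
     "dst": "198.51.100.10/32", "ports": {RDP_PORT}},
    {"name": "out-all", "dir": "out", "action": "allow",
     "src": "198.51.100.10/32", "dst": "0.0.0.0/0", "ports": "any"},
]
CORRECTED_RULES = [
    # management only from the company's VPN gateway address (constructed)
    {"name": "rdp-in-vpn", "dir": "in", "action": "allow", "src": "203.0.113.5/32",
     "dst": "198.51.100.10/32", "ports": {RDP_PORT}},
    {"name": "out-base", "dir": "out", "action": "allow",
     "src": "198.51.100.10/32", "dst": "0.0.0.0/0", "ports": {53, 80, 443}},
    # one authentication server (constructed) reachable on one port, pinned to its IP
    {"name": "out-auth", "dir": "out", "action": "allow",
     "src": "198.51.100.10/32", "dst": "192.0.2.20/32", "ports": {636}},
    {"name": "deny-rest", "dir": "in", "action": "deny", "src": "0.0.0.0/0",
     "dst": "198.51.100.10/32", "ports": "any"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(label, audit(rules) or ["no findings"])
```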
The bottom line is that too many companies are adopting lackluster security postures in the cloud because they are trying to contain costs. In doing so they are putting their data in danger. At a minimum, their servers could become either zombies of botnets, or command and control centers of the same. But they could also lose their data and this could compromise the sheer existence of their company.
Do not underestimate the importance of security in the cloud; it is still your data, and it is still your company that could be at risk.
Whether your company is already using the cloud or is planning to do so during the next year, the security of your data is certainly one of your main concerns.
After managed security services, handing off the security of your data to someone else must be the single most important worry for anyone involved in securing a company's data.
Since this topic encompasses several different aspects of security, I will try to offer thoughts on each of them in the weeks ahead, to ensure each is examined as needed.
The first topic we will analyze this week is data control.
Many companies are moving their email to cloud-based hosted solutions; Google, Microsoft, and many others offer this. Your workstations connect to a remote server over an encrypted channel to download emails. Virtually, you have your own server and your own disks. But physically, your data is stored on the same disks as many other companies’ data and emails.
Some consideration must be given to how this data is protected, and not only from hackers.
Assume you have your own server in house. When the email is stored on that server, it’s under your complete control. Assume that one of your employees does something that requires a law enforcement investigation and for that reason you need to hand over your data. If a law enforcement officer shows up at your doorstep without a court order, you can (and likely will) decline to hand over any data. You are not obliged in any way until there is a court order.
Assume now that you are hosting that data in the cloud; say your email is hosted with Google. Do you really think that they will take care of your data the same way you would? I would hope so, but I must be skeptical; after all, why would they anyway?
Now think of that same data stored on that same disk, sharing space with another company. Someone at that company is investigated and their data needs to be given to the authorities. Law enforcement does not take "copies". They take originals; so they show up and take the disk. So now your data is on a disk that is being used in a legal case against another company you have no ties with whatsoever; it is no longer stored in the privacy of that data center. You don't even know where it is and who is reading it anymore!
And what if the legal case is coming from another country? What if that disk is handed over to Scotland Yard? Now your data is not only on a disk used in a legal case that is not yours, but it is not even in the US anymore! And you have no control at all!
Is this something you should be worried about? I guess it depends on what type of business your company does, how sensitive that data is, and how damaging it would be if it ends up in the wrong hands, be that the competition or the public! The answer can't be the same for every company; this is a consideration each company needs to make based on several parameters, but ultimately the most relevant of all is "what happens if the data ends up in the wrong hands?"
That question is the general question of security and is the reason why we have security in the first place. Moving your data to a hosted solution only adds to the uncertainty surrounding the security of your data, as it adds another layer of possible loss.
Selling Internet security is quite different from selling any other type of IT-related solution. The very mention of the word “security” raises several antennas at every level in every organization. The only debatable thing is: how do we get to a secure posture that is rock solid?
Too many organizations see security as a function of compliance, rather than the other way around. As security professionals, we cringe at this approach and try to teach our clients that, although security will make them compliant, compliance may not make them secure. Unfortunately, in most small and medium-sized companies, compliance is the big driver, with security being a nice thing to have that results from the compliance efforts.
Network Box Security Response Center
The idea of selling managed Internet security services was considered almost obscene 10 years ago when we started our company. Internet security was seen as something too top-secret to be delegated to an outsider, and yet no one was doing physical security in-house. That issue had already been overcome for many years; if an organization needed physical security, it delegated the task to a specialized company. Just what was so different about Internet security escapes me, but somehow customers thought something was different.
Today, the idea of managed Internet security is widely accepted. Industry analysts now calculate that the managed security market is already around $5 billion and forecast it will grow to $12 billion by 2013 – certainly something you would want a piece of. Therefore, it’s time to gear up and learn whom to talk to and how to approach the subject.
We find that the chances of succeeding are higher if you talk to C-level people and present the proposition purely as a business one, showing them that they can save a large amount of money while increasing their security posture. After all, security is not a piece of technology but an ongoing, 24/7/365 task. Hackers never sleep, so neither can your potential customer; therefore, security needs to be done by a team, because one person cannot keep up.
The choice, then, is whether to increase in-house security personnel or outsource the task. A small to medium-sized company can’t hire a team of security specialists; it’s too expensive, and the specialists would not stay long anyway because the career growth opportunities would be too limited, and the learning opportunities might be even smaller. To achieve real security, outsourcing is really the only option, and the choice now is what to outsource.
The proposition we make at Network Box USA is:
- Outsource to us the details of your security, the mundane issues of watching over the edge of your network, upgrading and updating your software and signatures, making the necessary configuration changes, and so forth.
- Outsource as a consulting engagement the policies and procedures that will improve your security posture, but don’t outsource your overall security.
- Keep in-house the risk assessment; risk belongs to the customer, and a customer employee should watch over it.
This type of approach shows the customer how, over time, a managed security service can provide real and strong security at a very affordable price – a fixed, no-surprises fee. CFOs love this story; there is nothing they like more than a low price that will not become a surprise at the end of the year. The total cost of ownership (TCO) is always a compelling argument for C-level decision makers. When calculating this, you need to be sure to encourage them to also consider the time and money spent when such tasks are managed in-house.
Taking into account only the cost of the hardware involved is not a good measure of the TCO. The hardware, of course, is an important factor, be it a unified threat management (UTM) appliance (we sell Network Box’s own UTM, which includes numerous applications – firewall, intrusion prevention and detection, virtual private network, content filtering, anti-virus, anti-spam, anti-phishing, and anti-spyware) or individual devices. Whatever your customers choose, the hardware needs to be managed, monitored, and updated.
All this costs money, but outsourcing will save the company most of that money. The reason is that the service provider can spread its own costs over a number of customers, whereas a dedicated IT employee will bear the entire cost on the internal budget. Also, an employee needs vacation time, personal time, holidays, and other time away from the job. When these tasks are outsourced, this issue disappears as well.
Finally, here are some tips relating to the all-important firewall. Do not talk about replacing the firewall with a managed solution to the person currently managing the firewall, unless he or she also has several other tasks and will be happy to relinquish that particular one. Otherwise, that employee will feel as though you’re trying to threaten his or her job and will start putting obstacles in your way. In addition, explain that changing firewall port configurations is NOT a strategic task in the realm of security. Risk assessment is strategic; overseeing the entire security posture is strategic; changing the firewall rules is definitely not.
UTM seems to have become a misused term; anyone who puts together something more than a firewall in the same box calls it a UTM.
So what are the key elements? Read on:
1) Firewall – of course you want this, but in light of the other features you will want, packet filtering and a proxy will both be very useful; so your firewall must be a hybrid.
2) IDS/IPS – today this is a must; you can’t have edge protection without a proper IPS, and it is ridiculous to buy a separate one after you have spent all that money on a UTM device. This feature should be fully integrated with the firewall, to achieve next generation firewall protection, and should be INLINE with the firewall.
3) Email protection – this should be much more than just an AV product. It should include policy protection, to block unwanted attachments, whether hidden, compressed or otherwise; protection for the server, integrated with the firewall and IPS; and protection from vulnerabilities that affect the protocols and the servers.
4) Antivirus – the protocols to be protected are, at a minimum: SMTP, POP3, IMAP, FTP, and HTTP.
a. AV is too generic a term; one single AV is no longer acceptable, as no one can really keep up; best is to have more than one.
b. Real-time AV – this is an emerging technology; we already have it. If you hope to block emerging threats, you need zero-day protection, you need a real-time AV.
5) Antispam – hackers use all kinds of ways to get in; you need protection against all of them. Antispam should have a proven record of at least 98% protection, and should not rely on old spam lists but on more modern techniques, such as SPF checks and many others. We still see too many systems that use old methods that cause way too many false positives and yield poor overall results.
6) Web access policy – a company must be able to control where its employees are allowed to go on the Internet, and this in turn enhances protection as it prevents users from landing on dangerous websites.
7) VPNs – modern devices should support IPsec for compatibility, but should also offer SSL as a full VPN, with roaming AND site-to-site solutions. PPTP is still there, as it is free and inexpensive, but it is not mandatory at this point.
8) Updates – the Internet moves too fast for updates to be PULLed by the devices. PUSH updates are now a must; Network Box has had this for 10 years.
9) Monitoring/management – this is important because expert configuration is 50% of the protection.
A true UTM device should be seamless - the final result is stronger than the sum of the parts. The antispam should be able to communicate with the IPS, so that a spammer attacking your device will be blocked before the email is even delivered. The antispam should also be able to use the categorization abilities of the web access policy to see if a URL in an email should be allowed or not. The IPS and the firewall should be fully integrated.
There are many other functions that a UTM device can do for you. For example, our device can host DNS records for the company. It can act as a DHCP server and an NTP server. It supports VLANs (256 per interface), and it can automatically add a signature to any outbound email (mostly for legal statements). We support advanced routing, any type of packet mangling, and Quality of Service; we can set up a load balancer in the firewall; we can support multiple Internet connections either in high availability or in weighted load balancing.
Our devices can be set up in high availability or in load balance or in cluster. New functions that are emerging as required on the UTM this year are DLP and Vulnerability Scanning. These functions thus far have been done using separate devices; more and more companies are demanding to see them integrated with the gateway protection.
Lastly, it’s important that the technology offered for small offices is the same as that provided for the main office. For example, you want the same AV protection, nothing less; viruses don’t treat small offices any better than they treat your headquarters. With Network Box, you get the exact same protection whether your office has 1 person or 10,000!
Check out our Security Options Whitepaper
You’ve probably seen this term being used everywhere lately, but what exactly is a ‘next generation’ firewall?
According to the commonly accepted wisdom, such devices include an IPS and a firewall on the same device, closely integrated and working together. This is something that products like Network Box have had for a long time and certainly is not new.
A traditional IPS would be placed as an isolated device in front or behind a firewall – or, sometimes, you would place two – one in front and one behind. In this configuration, the IPS must assume that there is no other protection, and try to protect it all on its own.
This has a few drawbacks:
1) Since you can’t assume that the firewall is equipped to do certain things, or even that there is a firewall in line, you need to keep all available signatures and block at the ‘deep packet inspection’ level traffic that a firewall could block at the SYN packet. For example, blocking traffic coming from known-infected networks is very inefficient with an IPS.
2) Since there is no connection to the firewall, once the IPS drops a packet, it still needs to scan the next packet of the same connection, because the connection itself cannot be dropped. And what if the next one does not look ‘suspicious’ and the IPS does not drop it?
If the firewall and IPS are closely integrated, things work in a very different way. The first line of defense becomes the firewall. Only traffic on open ports passes through. If a port is closed, traffic is dropped and there is no need to scan it. This alone reduces the need for the IPS to scan traffic as much as 90% in most cases. If you want to block traffic from specific subnets that are known to be sources of malware, do that in the firewall, at packet filtering level, rather than doing it in the IPS.
Because the two parts are working together, when the IPS drops a packet it can instruct the firewall to tear down that connection, so the next packet does not come through at all: the IPS does not need to scan it, and there is no chance that something could be missed and your network could become compromised.
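The two designs compared above, as an added packet-pipeline simulation (not Network Box code): an isolated IPS that must inspect every packet and cannot kill a flow, beside a gateway where the firewall drops closed ports, blocklisted subnets and torn-down flows before the IPS sees anything, and an IPS hit tears the flow down in the firewall. Ports, subnets, the payload pattern and the traffic are all constructed.

```python
"""Isolated IPS versus firewall+IPS sharing connection state.
Added example, not Network Box code; every value below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)
# Constructed IPS content rule: (name, byte pattern looked for in the payload)
IPS_RULES = [("constructed-exploit", b"CONSTRUCTED-EXPLOIT-MARKER")]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Stats:
    firewall_drops: int = 0
    ips_scanned: int = 0
    ips_drops: int = 0


def ips_match(payload: bytes) -> str:
    """Deep packet inspection stand-in: name of the rule hit, or ''."""
    for name, pattern in IPS_RULES:
        if pattern in payload:
            return name
    return ""


class StandaloneIPS:
    """Drawback 2: no link to a firewall, so every packet of every flow is
    scanned, and a flow that slipped past one alert keeps flowing."""

    def __init__(self) -> None:
        self.stats = Stats()

    def handle(self, pkt: Packet) -> str:
        self.stats.ips_scanned += 1
        hit = ips_match(pkt.payload)
        if hit:
            self.stats.ips_drops += 1
            return "ips-drop:" + hit
        return "pass"


class IntegratedGateway:
    """Firewall first (closed ports, blocklisted subnets, torn-down flows);
    the IPS only sees what survives, and its drop tears the flow down."""

    def __init__(self, open_ports: List[int], blocked_nets: List[str]) -> None:
        self.open_ports = set(open_ports)
        self.blocked_nets = [ipaddress.ip_network(n) for n in blocked_nets]
        self.torn_down: Set[Flow] = set()
        self.stats = Stats()

    def _firewall_drops(self, pkt: Packet, flow: Flow) -> bool:
        if pkt.dport not in self.open_ports:
            return True                           # closed port: never scanned
        if any(ipaddress.ip_address(pkt.src) in n for n in self.blocked_nets):
            return True                           # known-bad source, packet-filter level
        return flow in self.torn_down             # connection already killed by the IPS

    def handle(self, pkt: Packet) -> str:
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self._firewall_drops(pkt, flow):
            self.stats.firewall_drops += 1
            return "fw-drop"
        self.stats.ips_scanned += 1
        hit = ips_match(pkt.payload)
        if hit:
            self.stats.ips_drops += 1
            self.torn_down.add(flow)              # tell the firewall: tear it down
            return "ips-drop:" + hit
        return "pass"


# Constructed traffic: a closed-port probe, a packet from a blocklisted subnet,
# then an HTTP flow whose first packet trips the IPS and whose second looks benign.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 23),
    Packet("203.0.113.9", 40002, "192.0.2.10", 80, b"GET / HTTP/1.1"),
    Packet("198.51.100.7", 40003, "192.0.2.10", 80, b"POST /x CONSTRUCTED-EXPLOIT-MARKER"),
    Packet("198.51.100.7", 40003, "192.0.2.10", 80, b"Host: example.invalid"),
]


def compare() -> Tuple[List[str], List[str]]:
    """Run the same traffic through both designs; return their verdict lists."""
    isolated = StandaloneIPS()
    integrated = IntegratedGateway([80, 443], ["203.0.113.0/24"])
    return ([isolated.handle(p) for p in SAMPLE_TRAFFIC],
            [integrated.handle(p) for p in SAMPLE_TRAFFIC])


if __name__ == "__main__":
    print(compare())
```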
And what about application filtering – is it useful and really necessary? In brief, this feature attempts to recognize a protocol independently of the port it is trying to use. For example, it would recognize HTTP even if it is not using port 80, or it would recognize Skype no matter what port it is using. To recognize a protocol, and so to know that a certain application is trying to use an alternate port to bypass the firewall, it is often necessary to allow a few packets through, back and forth, to properly identify the protocol and not incur false positives. This alone can be a source of problems.
So in trying to solve an issue, you may be creating another one. Too many firewalls are configured considering the LAN a trusted network and all traffic outbound is allowed. Some old firewalls don’t even have a way to lock up outbound traffic. A well configured firewall will block such traffic simply because the ports are locked up and open only with specified sources and destinations. Traffic that does not fit the configuration is simply blocked.
The devices available in the market today offer nothing more than what has been illustrated thus far. They offer no AV filtering, no anti-spam, no special routing features, nothing else but what I have outlined above.
So when you compare these to a UTM device, the UTMs offer a lot more integrated features and solve more problems than a next generation firewall does. As the UTM devices evolve to integrate the IPS and the firewall (as Network Box already does), they will certainly become even more competitive against the next generation devices and these new devices will need to either offer all the features (and become themselves UTMs) or disappear.
A few months ago, Network Box completed an extensive survey to determine what the priorities would be for IT managers next year. My UK-based colleague, Simon Heron, reported that the top two priorities will be unified communications and Multiprotocol Label Switching (MPLS).
The survey revealed a number of interesting facts. For instance, twelve percent of the 250 IT managers questioned expect to implement a unified communications system in 2011. Simon noted that “new ports and protocols must be used which can make networks vulnerable if the right precautions and protection are not put in place. Companies can find themselves vulnerable to Toll Fraud – if the right gateway protection is not implemented, the IP PBX is as vulnerable as any other server, which no responsible IT manager would allow.”
Additionally, ten percent of IT managers plan to utilize an MPLS network in 2011. Simon added that in some instances, this might involve restructuring the corporate network. Implementing a network restructure without first considering the security implications can have drastic consequences for the company in the long term.
Simon summed it up quite succinctly:
“In the next few years, these technologies are going to bring massive advantages to the companies that deploy them. IT departments are going to have to move with this change, assessing the risks and providing the right protection to ensure their company is not vulnerable.”
Last week, we unveiled the new M-385, which is replacing our popular M-380, as part of the Network Box family of unified threat management (UTM) appliances.
So, why should you upgrade to the M-385? For starters, if you’re a current Network Box USA customer, it won’t cost you a dime – the appliance is lent to you for the duration of your contract and you only pay for the service. So, you don’t have to worry about any hardware purchases or amortizing it over time.
The new M-385 also triples the performance of the M-380 and integrates a wide variety of applications. Some of these include anti-spam, anti-phishing, anti-spyware, firewall, intrusion prevention and protection, and virtual private network. Users get a sophisticated hybrid of hardware and software so your enterprise can fight backdoors, hackers, worms and other online threats.
And there’s more – via our PUSH technology, updates are performed in real time. So whenever a new antivirus signature, security patch or software update becomes available, it’s pushed out to all Network Box devices worldwide in less than a minute.
Support is also provided for Network Box advanced services – such as load balancing, quality of service, and advanced policy-based routing – and the units are monitored from our Global Management System. In addition, they can be integrated with existing clusters and networks of Network Box UTM appliances.
The M-385 is sold through our reseller channel and remotely managed by Network Box USA. Any questions? Click here, call us at 832-242-5758, toll free at 888-315-8886, or inquire via email: email@example.com.