Posted on Sun, Feb 27, 2011
In my last post, I talked about how zero day vulnerabilities will continue to be a threat to small to midsize enterprises and also how mobile devices like tablets and smartphones will infiltrate the network.
In this post, I’ll extrapolate a bit on other areas that could cause security concerns for you this year:
The Internet will continue to be the delivery vehicle of choice for malware. It offers many ways to infect systems: a mobile device connected at home, infected by a website and then brought into the office; or hackers taking advantage of poor programming on a website to install malware. The options are huge, and the way websites are written has not developed to ensure that security is built into the design from the start.
The take-up of social networking will continue to grow in 2011. This will lead to increased risk to data, both personal and business related, as websites like Facebook encourage their users to put more data into their supposedly secure site.
As more features and applications are provided, they become vectors through which malware can be transported. In addition, and not strictly security related, the productivity impact of time spent on social networks can be difficult to measure, and organizations need to be able to monitor who is using the sites and how much time they are spending there.
Any questions/concerns, call me at (832) 242-5757 or send an email to pierluigi.stella@networkboxusa.com
Posted on Sat, Feb 19, 2011
In my Dec. 17, 2010 post, I outlined a number of security trends to watch. I’m going to expand upon this a bit and talk about a few additional things to monitor:
Viruses: zero-day vulnerabilities will continue to be one of the biggest threats to small to midsize enterprises, as the majority of antivirus vendors take around five hours to provide solutions to new threats. Companies will have to investigate how protection can be provided faster. The continued use of multiple antivirus engines at the gateway and the desktop is one way of bridging this gap; fast-updating technologies provide improved protection. Additionally, new technologies are being provided that can generate protection in under a minute.
Increased scrutiny will be required as viruses become more subtle and hide more effectively. Scanning internal and external networks for installed malware will become more common, identifying malware that attempts to be unobtrusive. An example of this is the Conficker worm, which sat quietly on infected systems but responded on TCP port 445, enabling companies to find and remove the threat before it became active.
Mobile devices like tablets and smartphones will infiltrate the network. IDC predicts that by year end, mobile device shipments of new units will have increased by 55%, and Gartner estimates that in the same year, 1.2 billion people will be using phones with rich web capabilities.
Increasingly, these are the devices that sales and business users rely on to keep all their contacts in one place. They need to integrate with the desktop to transfer calendar and address-book data and to back up, and that synchronization is the vulnerable moment for companies. The architecture of these systems is going to be critical: not all will have the push technology of phones like the BlackBerry, which can keep the systems secure, and this must be a concern going forward even though the number of viruses for mobile devices is currently low.
As always, any questions/concerns, call me at (832) 242-5757 or send an email to pierluigi.stella@networkboxusa.com.
Posted on Sun, Feb 06, 2011
You’ve probably seen this term being used everywhere lately, but what exactly is a ‘next generation’ firewall?
According to the commonly accepted wisdom, such devices include an IPS and a firewall on the same device, closely integrated and working together. This is something that products like Network Box have had for a long time and certainly is not new.
A traditional IPS would be placed as an isolated device in front of or behind a firewall – or, sometimes, you would place two – one in front and one behind. In this configuration, the IPS must assume that there is no other protection and try to provide all of the protection on its own.
This has a few drawbacks:
1) Since you can’t assume that the firewall is equipped to do certain things, or that there even is a firewall in line, you need to keep all available signatures loaded and block at ‘deep packet inspection’ level traffic that a firewall could block at the SYN packet. For example, blocking traffic coming from networks known to be infected is very inefficient when done in an IPS.
2) Since there is no connection to the firewall, once the IPS drops a packet it still needs to scan the next packet of the same connection, because it has no way to drop the connection itself. And what if the next packet does not look ‘suspicious’ and the IPS does not drop it?
If the firewall and IPS are closely integrated, things work in a very different way. The first line of defense becomes the firewall. Only traffic on open ports passes through. If a port is closed, the traffic is dropped and there is no need to scan it. This alone reduces the amount of traffic the IPS has to scan by as much as 90% in most cases. If you want to block traffic from specific subnets that are known sources of malware, do that in the firewall, at packet-filtering level, rather than in the IPS.
Because the two parts are working together, when the IPS drops a packet, it can communicate to the firewall to instruct it to tear down that connection – so the next packet does not come through at all — the IPS does not need to scan it, and there’s no chance that something could be missed and your network could become compromised.
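The following simulation is an added example, not Network Box code, and contrasts the two architectures described above: an isolated IPS that must inspect every packet and cannot end a connection, and a firewall-integrated IPS that lets the packet filter drop closed-port and known-bad-subnet traffic unscanned and tears down a flow once one packet matches. The open-port set, the blocked subnet, the single signature and the packets are all constructed for the demonstration.

```python
"""Isolated IPS versus firewall-integrated IPS (added example, not Network Box code).

All ports, subnets, signatures and packets below are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes = b""

    @property
    def conn(self):
        # Constructed flow key: source address plus destination port.
        return (self.src, self.dst_port)


# Constructed: one signature that deep packet inspection would match on.
IPS_SIGNATURES = [b"EXPLOIT-MARKER"]


def ips_matches(pkt):
    return any(sig in pkt.payload for sig in IPS_SIGNATURES)


def isolated_ips(packets):
    """Stand-alone IPS: every packet is scanned, and dropping one packet does not
    end the connection, so a later clean-looking packet of the same flow passes."""
    passed, scanned = [], 0
    for pkt in packets:
        scanned += 1
        if not ips_matches(pkt):
            passed.append(pkt)
    return passed, scanned


class IntegratedGateway:
    """Firewall first, IPS second, with a channel from the IPS back to the firewall."""

    def __init__(self, open_ports, blocked_nets):
        self.open_ports = set(open_ports)
        self.blocked_nets = [ipaddress.ip_network(n) for n in blocked_nets]
        self.torn_down = set()   # connections the IPS told the firewall to kill
        self.scanned = 0

    def firewall_allows(self, pkt):
        if pkt.conn in self.torn_down:
            return False                       # flow already torn down
        if pkt.dst_port not in self.open_ports:
            return False                       # closed port: dropped at the SYN
        src = ipaddress.ip_address(pkt.src)
        return not any(src in net for net in self.blocked_nets)

    def process(self, packets):
        passed = []
        for pkt in packets:
            if not self.firewall_allows(pkt):
                continue                       # packet-filter drop, never scanned
            self.scanned += 1
            if ips_matches(pkt):
                self.torn_down.add(pkt.conn)   # IPS instructs firewall to end the flow
                continue
            passed.append(pkt)
        return passed


# Constructed traffic: a probe on a closed port, a packet from a known-bad
# subnet, and one connection whose second packet carries the signature while
# the third looks clean.
TRAFFIC = [
    Packet("203.0.113.5", 23),                               # closed port
    Packet("198.51.100.9", 80),                              # known-bad network
    Packet("192.0.2.10", 80),
    Packet("192.0.2.10", 80, b"GET / EXPLOIT-MARKER"),
    Packet("192.0.2.10", 80, b"GET /index.html"),            # looks clean
]
OPEN_PORTS = {80, 443}
BLOCKED_NETS = ["198.51.100.0/24"]


def compare():
    """Packets passed and scanned under each architecture."""
    iso_passed, iso_scanned = isolated_ips(TRAFFIC)
    gw = IntegratedGateway(OPEN_PORTS, BLOCKED_NETS)
    int_passed = gw.process(TRAFFIC)
    return {
        "isolated_passed": len(iso_passed), "isolated_scanned": iso_scanned,
        "integrated_passed": len(int_passed), "integrated_scanned": gw.scanned,
    }


def clean_followup_reached_lan():
    """Did the clean-looking third packet of the attacking flow get through?"""
    iso_passed, _ = isolated_ips(TRAFFIC)
    int_passed = IntegratedGateway(OPEN_PORTS, BLOCKED_NETS).process(TRAFFIC)
    last = TRAFFIC[-1]
    return last in iso_passed, last in int_passed


if __name__ == "__main__":
    print(compare())
    print(clean_followup_reached_lan())
```

With this traffic the isolated IPS scans all five packets and lets four through, including the clean-looking follow-up of the flow it already flagged; the integrated gateway scans two packets, passes one, and the follow-up never reaches the LAN because the connection was torn down at the firewall.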
And what about application filtering – is it useful and really necessary? In brief, this feature attempts to recognize a protocol independently of the port it is using. For example, it would recognize HTTP even when it is not on port 80, or it would recognize Skype no matter what port it is using. To recognize a protocol, and so know that a certain application is using an alternate port in an attempt to bypass the firewall, it is often necessary to allow a few packets through, back and forth, in order to identify the protocol properly and not incur false positives. This alone can be a source of problems.
So in trying to solve one issue, you may be creating another. Too many firewalls are configured treating the LAN as a trusted network, with all outbound traffic allowed. Some old firewalls don’t even have a way to lock down outbound traffic. A well-configured firewall will block such traffic simply because the ports are locked down and opened only for specified sources and destinations. Traffic that does not fit the configuration is simply blocked.
The devices available in the market today offer nothing more than what has been illustrated thus far. They offer no AV filtering, no anti-spam, no special routing features, nothing else but what I have outlined above.
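To make the trade-off above concrete, here is an added example (not Network Box code) of a port-independent HTTP recognizer. It has to see both a request line and a response line before it will call a flow HTTP, so at least one packet in each direction has already been forwarded by the time it decides, and a split request line costs one more. The same flows are then checked against a plain port policy, which decides on the first packet. The HTTP patterns, the three-packet decision budget and every flow are constructed for the demonstration.

```python
"""Port-independent protocol recognition versus a plain port policy
(added example, not Network Box code; patterns, budget and flows are constructed)."""
import re

# Constructed, deliberately minimal HTTP/1.x request and response line patterns.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


class AppFilter:
    """Decides what a flow carries from its first packets, regardless of port.
    Until a verdict exists, the packets are forwarded."""

    def __init__(self, max_packets=3):
        self.max_packets = max_packets      # constructed budget before giving up
        self.flows = {}

    def observe(self, flow, direction, payload):
        """Record one packet; return 'http', 'unknown', or None while undecided."""
        st = self.flows.setdefault(flow, {"c2s": b"", "s2c": b"", "n": 0, "verdict": None})
        if st["verdict"] is not None:
            return st["verdict"]
        st[direction] += payload
        st["n"] += 1
        if HTTP_REQUEST.match(st["c2s"]) and HTTP_RESPONSE.match(st["s2c"]):
            st["verdict"] = "http"          # both sides agree: confident match
        elif st["n"] >= self.max_packets:
            st["verdict"] = "unknown"       # budget exhausted; refuse to guess
        return st["verdict"]


def classify_flow(packets, max_packets=3):
    """Return (verdict, number of packets forwarded before any verdict existed)."""
    f = AppFilter(max_packets)
    forwarded = 0
    for direction, payload in packets:
        verdict = f.observe(("client", "server"), direction, payload)
        if verdict is not None:
            return verdict, forwarded
        forwarded += 1                      # still undecided: packet goes through
    return None, forwarded


def port_policy_allows(dst_port, open_ports):
    """Firewall-only decision, taken on the first packet: a closed port forwards nothing."""
    return dst_port in open_ports


# Constructed flows, all aimed at port 8443, which is not in OPEN_PORTS below.
HTTP_ON_ODD_PORT = [
    ("c2s", b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
HTTP_SPLIT_REQUEST = [                      # request line arrives in two segments
    ("c2s", b"GET /login HT"),
    ("c2s", b"TP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
NOT_HTTP = [                                # TLS-like bytes; never matches
    ("c2s", b"\x16\x03\x01\x00\x05hello"),
    ("s2c", b"\x16\x03\x03\x00\x05hello"),
    ("c2s", b"\x17\x03\x03\x00\x01x"),
]
OPEN_PORTS = {80, 443}
ODD_PORT = 8443


if __name__ == "__main__":
    for name, flow in [("http", HTTP_ON_ODD_PORT), ("split", HTTP_SPLIT_REQUEST), ("tls", NOT_HTTP)]:
        print(name, classify_flow(flow))
    print("port policy allows 8443:", port_policy_allows(ODD_PORT, OPEN_PORTS))
```

The recognizer reaches "http" only after one packet has been forwarded for the clean flow and two for the split request, and it forwards two packets of the non-HTTP flow before giving up as "unknown"; the port policy forwards none of them, because 8443 is simply closed.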
So when you compare these to a UTM device, the UTMs offer many more integrated features and solve more problems than a next generation firewall does. As UTM devices evolve to integrate the IPS and the firewall (as Network Box already does), they will certainly become even more competitive against the next generation devices, and these new devices will need either to offer all the features (and become UTMs themselves) or disappear.