We live in a new era of blended threats, worm viruses and a host of new breeds of malicious mobile code that are more dangerous than ever.
Such viruses no longer simply damage user files, but can rapidly attack company networks, deface web servers and create distributed denial-of-service attacks. A good example was the worm virus Nimda which caused billions of dollars worth of clean-up costs in the fall of 2001.
The term blended threat refers to a piece of malware that combines the characteristics of viruses, worms, Trojan horses and malicious code. Blended threats exploit server and internet vulnerabilities to initiate, transmit and spread an attack. Using multiple methods and techniques, blended threats can spread rapidly, causing widespread damage. Blended viruses continuously scan the internet looking for vulnerabilities such as buffer overflows, http input validation flaws and known default passwords to compromise a system. Common attacks are embedding code in html files on a server, infecting visitors to a compromised web site, or sending unauthorized email from compromised servers with a worm attachment.
One of the reasons why there were many successful virus outbreaks over the past nine months is that traditional anti-virus software isn’t optimized to deal with rapid virus outbreaks efficiently. The latest worms/viruses are becoming more randomized in character making them harder to detect. Because of their tendency to spread rapidly without human intervention the most effective anti-virus solutions are those with the lowest time to detection.
Even the managed virus approach involving IT staff and expensive desktop, server and gateway anti-virus software packages that we find in most enterprises is fundamentally reactive in nature. It depends on human action to set the latest level of protection in place and requires 24-hour, seven-days-a-week virus monitoring.
Most anti-virus solutions check for updates on a daily basis. Such systems rely on receiving and responding to alerts via pager or phone call. Alerts are categorized as low, medium or high risk and it is down to the individual administrator to take action. Whether you choose to respond to all risks or just to medium and/or high risks, it still boils down to someone in the company having to take a conscious decision to install the updates. This method is all right until there is a rapid virus outbreak like Nimda, Code Red or Frethem. Keeping ahead of the blended virus requires updates to be pushed to customers without human interaction. Even a sophisticated virus management platform like McAfee’s Enterprise Policy Orchestrator, which allows you to plug vulnerable parts of the network from a central console, only deploys updates once a day and does not guarantee that the updates are enforced once they arrive.
Despite the expense, the technologies underlying such deployments typically do nothing more than ‘push’ an update to the hundreds of desktops and servers across the company networks, without a guarantee that such action creates a dependable anti-virus policy. The ‘push’ technologies, employed via management consoles, do little to protect against employees uninstalling the anti-virus client software, have difficulties passing through routers and firewalls, and are typically unaware of a system which programmatically fails to update, whether through operating system compatibility issues or even if the target system is powered off.
Most enterprises tend to use multiple layers of anti-virus protection – desktop, server and gateway. But none of them can enforce an anti-virus update in real time (the earliest might be the next day when the users boot up their machine in the morning). With multiple OS environments, remote sites, laptop users and telecommuters accessing the network, the task of closing the gap between exposure and protection is daunting and time consuming.
In a rapid virus outbreak situation the management software will to try to enforce an update, but if certain machines are off or behind a firewall, or if the update fails to reach its destination, there is no way to know whether those policy updates are enforced or not. Administrators may be left having to figure out what did not work, inspect all the potential security holes in person and, if necessary, plug them. In each instance, the staff is engaged more in plugging the holes in the system than managing the system itself. Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.
Small and medium-size businesses are at even greater risk of virus infection due to their limited funds and lack of dedicated IT professionals. Anti-virus solutions for the small to medium size enterprise (SME) work in a similar way to those for large enterprises. Most lack any kind of management capability making the task of keeping up to date inherently more complicated.
There are three kinds of solution available for SMEs: high end solutions similar to an enterprise solution but without a management console; daily automated client updates; and manual – whereby anti-virus software is installed desktop by desktop, relying on staff to click for updates. The latter provides no real protection during a major virus outbreak. It only takes one member of staff to ignore the instruction to update and a virus could enter the company.
What is needed is a combination of enforcement and automation at the desktop level with flexibility, control and management at the server level. Automating updates at the desktop solves 80 percent of virus problems immediately.
One effective solution is to automate the update and enforcement process at the client and combine it with policy management at the internet gateway. End-users should not be able to access the internet unless their desktop is installed with the very latest anti-virus software update. During rapid virus outbreaks, instructions to enforce protection are delivered to appliances at every customer site. These appliances immediately begin implementing the new anti-virus policy, automatically updating clients and enforcing the latest policy via the internet. For example, SonicWALL has a communication protocol which forces the client to update itself, therefore eliminating problems caused by traditional ‘push’ technologies.
Perhaps even more important than reducing the cost and administration of client updates is that of ensuring that virus updates are enforced without delay. The latest anti-virus technology greatly improves the time it takes to protect against a new virus outbreak by reducing the amount of time to get the policy implemented. By simply stripping off virus attachments from incoming emails, appliances can block new viruses even before the signature update is available. In the early hours of a virus outbreak an appliance will be automatically updated with the latest filenames of known viruses. The appliance simply looks for the keywords in the filenames to match and discard the attachment without letting it into the network. In this way it is possible for protection to begin even before the signature update.
At the beginning of July 2002, a solution of this kind was able to protect customers from the Frethem worm outbreak within one hour of the worm sighting, and several hours before any anti-virus signature update was available. At available as a standard firewall/VPN appliance, this solution is finding a warm reception from the small and medium business market. It is also expected to be popular with the enterprise for ensuring its branch offices and telecommuter deployments are always adequately protected.
Dean Coza is product line manager, SonicWALL (www.sonicwall.com)