Looking beyond firewalls for security

Can antivirus wares and content filters beef up your protection?



Security, according to Helen Keller, is a superstition. It's found nowhere in nature, but we keep trying to achieve it, and there are many products on the market to help us. The most common - firewalls - are widely installed and continue to evolve with features and functionality.

But firewalls, placed at the enterprise's Internet gateway to limit access from the outside, are only part of a comprehensive security strategy. They don't protect against viruses that arrive through e-mail servers, for example. Nor do they stop individuals from downloading or e-mailing content that could put your company at risk.

To address these security risks, you can look at secure content management (SCM) devices, such as antivirus and content-filtering products.


(Graphic: Forecast of secure content software revenue)


According to IDC's recent assessment of the SCM market, worldwide revenue in this segment reached $2 billion in 2001, a 22% increase over 2000. IDC attributes that growth to the increasingly sophisticated techniques being used to exploit security vulnerabilities. Forecasts show the market reaching $4.8 billion in 2006 (see graphic).

Network World Global Test Alliance member Miercom last month kicked the tires of six antivirus products and six content-filtering devices to uncover vulnerabilities, assess features and determine how the products can be best deployed in corporate networks.

Overall, the products we examined worked well - detecting about 99.9% of the viruses we threw at them and blocking access to designated Web sites almost flawlessly.

But products that offered the most extensive security options were also harder to configure and use. We also uncovered some subtle vulnerabilities that, although not showstoppers, could pose some security risks.

Ease of use vs. granularity and features

Three trends were clearly evident among the products we examined (see product chart). First, security vendors are taking the ease of use issue seriously.

N2H2's Sentian FS/Red Hat Linux content-filter required only checking boxes to select blocked sites. SurfControl's Web Filter and E-mail Filter used simple drag-and-drop actions to define security rules.

The second trend is the flip side of the first: ease of use comes at the cost of scalability and granularity. The two products that were more time-consuming to implement, Symantec's Norton Anti-Virus Corporate Edition and F-Secure Anti-Virus for Workstations/Servers, also offered far more security options and flexibility in setting and defining security rules. Some security expertise is definitely required to work with these products.

The third trend is that many vendors are incorporating multiple security functions, such as antivirus, content-filtering and intrusion-detection systems (IDS) into one system.

Fortinet's FortiGate-400 incorporates firewall, VPN, IDS, content filtering and virus scanning for Web and e-mail onto an appliance that allows real-time in-line scanning of HTTP, Simple Mail Transfer Protocol, Internet Message Access Protocol and POP3 traffic.

Mitel's SME Server is a network appliance incorporating SMTP gateway antivirus protection, a file server, content filter, Web server, FTP server, SMTP/POP3 mail server, Lightweight Directory Access Protocol server and an IP Security VPN.

CacheFlow's Security Gateway 800 was unique in incorporating content filtering into its Web caching and acceleration appliance. The product reduces the load on existing firewalls by absorbing and filtering content from Web servers by protocol (such as HTTP or FTP), by file type (such as executables) and by Multipurpose Internet Mail Extensions (MIME) type. It also supports third-party virus scanners.

We focused on the antivirus and content-filtering capabilities of these products and did not examine their other capabilities.

Antivirus products

Estimates of how many viruses are generated worldwide on a weekly basis vary widely - from hundreds to thousands. The truth is probably somewhere in between. But even a hundred new viruses per week is a lot to keep up with, and no antivirus product will catch every new virus that comes along.

Security experts disagree as to whether it's even necessary for antivirus products to offer protection against a large number of known viruses, especially if they're not widely dispersed. But all agree that it's more important to assess and quickly report those, such as the Klez virus, that are most likely to spread widely or are particularly malicious. Klez specifically targets Microsoft mail products. It harvests addresses from the user's address book, mails copies of itself to those addresses and forges the sender address from the same list, so each message appears to come from someone the recipient knows. The result is a chain reaction that spreads rapidly.

Some antivirus vendors recommend daily updates of virus signature databases. All the antivirus products we examined can schedule updates to run automatically at off-peak times to limit the effect on network performance.

Some vendors, including GFI Limited and F-Secure, support more than one antivirus scanning engine, so a virus missed by one engine has a chance of being caught by another. GFI's Mail Security supports three engines, which scan incoming mail sequentially. Users can change the scan order to take advantage of one engine's efficiency over another's.

An alternative to choosing a product with multiple engines is to deploy antivirus products from different vendors at various places in the network, with, for example, one on client and server machines and another on an e-mail gateway. But the downside is no central management of antivirus resources. Doing this also could increase bandwidth usage as different products download multiple sets of virus signatures.

Also an issue with antivirus products is deciding where to deploy them. Using antivirus software on e-mail servers prevents viruses from getting to server and client machines. This reduces the number of alarms an IT team has to deal with because the viruses are blocked at the e-mail gateway.

But e-mail-based antivirus products won't prevent someone from introducing viruses into a client machine through an infected diskette. Securing an e-mail gateway also won't protect against Web-borne viruses.

The WildList

All the antivirus products detected almost all our virus attacks, which fell into four major categories: Web-borne script viruses, Trojan horses, worms and legacy viruses. The object of our testing was to launch a broad set of viruses against the machines to look for common vulnerabilities.

Before testing, we collected viruses from a variety of sources, including some we had received in our own network and some taken from vx.netlux.org, a repository of virus source code and executable code.

We cross-referenced our test viruses against the WildList (www.wildlist.org), a repository of viruses known to be circulating, maintained since 1993. The WildList is an industry standard against which many vendors test and certify their products. Our attack list incorporated about 20 selected viruses, including Melissa, Klez.H, HTML Party, Nimda.A, CodeRed.A, EvilBot and LoveLetter.

We uncovered only a minor vulnerability, and in doing so stepped into a war concerning the use of legacy and variant viruses to test antivirus products.

The Sophos Anti-Virus and Fortinet FortiGate-400 products did not detect a legacy virus and a variant of that virus we ran, while the F-Secure, GFI, Mitel and Symantec products did.

Sophos, Fortinet and other security vendors base their known virus signature databases primarily on those listed on the WildList, contending that viruses not on the list (referred to as "zoo" viruses) pose little threat (because they're old or were not widely distributed) to their end users.

We ran a variant virus to check the products' heuristic (generic) detection. A variant is a known virus whose code has been modified just enough that it no longer matches the exact signature an antivirus product holds for the original. A heuristic engine instead looks for suspicious patterns in the code and flags them, even if it cannot name the virus. All the products we tested supported this capability; some, such as the Symantec and F-Secure products, do so at a more granular level than others.

The argument for testing against the WildList is sound, but be aware that there is nothing to prevent someone from using the same public resources to create and launch virus attacks based on older viruses or to create variants of known viruses.
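The exact-signature versus heuristic distinction above, as an added illustration written for this page (not code from any vendor's scanner): the Python below scans constructed byte strings with three detectors, an exact byte signature, a masked signature with wildcard bytes, and a weighted heuristic over suspicious strings. The samples, signature names, indicator weights and threshold are all hypothetical; the samples are not malware, only strings of the kind a generic detector keys on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed toy "samples". They are not malware; they only contain the kind
# of strings (a mailer marker, address-book access, a process launch) that a
# generic detector keys on.
KNOWN_SAMPLE = b"MZ\x90\x00MAILME\x00CreateFileA\x00WinExec\x00*.wab\x00"
# Variant A: the known sample with one marker string patched (hypothetical).
VARIANT_A = KNOWN_SAMPLE.replace(b"MAILME", b"MAILUS")
# Variant B: a different edit that also defeats the masked signature.
VARIANT_B = KNOWN_SAMPLE.replace(b"CreateFileA", b"CreateFileW")
BENIGN_SAMPLE = b"MZ\x90\x00Hello, world\x00CreateFileA\x00"

# Exact signature: a fixed byte string, so any change inside it is a miss.
EXACT_SIGNATURES: Dict[str, bytes] = {"Toy.Mailer.A": b"MAILME\x00CreateFileA"}

# Masked signature: the two '.' bytes are wildcards, so patched bytes there
# still match (hypothetical signature name).
MASKED_SIGNATURES: Dict[str, re.Pattern] = {
    "Toy.Mailer.gen": re.compile(rb"MAIL..\x00CreateFileA", re.DOTALL),
}

# Heuristic indicators with hypothetical weights: no single one is damning,
# the combination is.
HEURISTIC_INDICATORS: List[Tuple[bytes, int]] = [
    (rb"WinExec", 2),          # launches another program
    (rb"CreateFile[AW]", 1),   # file access
    (rb"\*\.wab", 3),          # enumerates Windows address books
    (rb"MAIL", 1),             # mailer marker
]
HEURISTIC_THRESHOLD = 5


def scan_exact(data: bytes) -> Optional[str]:
    """Name of the first exact signature found in data, or None."""
    for name, sig in EXACT_SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan_masked(data: bytes) -> Optional[str]:
    """Name of the first masked (wildcard) signature found in data, or None."""
    for name, pat in MASKED_SIGNATURES.items():
        if pat.search(data):
            return name
    return None


def heuristic_score(data: bytes) -> int:
    """Sum of the weights of every indicator present in data."""
    return sum(weight for pat, weight in HEURISTIC_INDICATORS if re.search(pat, data))


def scan(data: bytes) -> Dict[str, object]:
    """Layered verdict: exact name if known, else generic name, else a heuristic flag."""
    exact, masked, score = scan_exact(data), scan_masked(data), heuristic_score(data)
    if exact:
        verdict = exact
    elif masked:
        verdict = masked
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "Heuristic.Suspicious"   # flagged but not named
    else:
        verdict = None
    return {"exact": exact, "masked": masked, "heuristic_score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant A", VARIANT_A),
                          ("variant B", VARIANT_B), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:10s} {scan(sample)}")
```

Running it shows the layering: the known sample is named by the exact signature, variant A slips past the exact signature but is caught by the wildcard one, and variant B defeats both signatures and is still flagged by the heuristic score, while the benign sample scores below the threshold. A real engine is far more involved, but the trade-off is the same: the more generic the rule, the more it catches and the more it risks flagging legitimate code.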

Content filtering

The main function of a content filter is to assess the top sites accessed within the network and block access to Web sites that a company determines objectionable (such as pornography, hate organizations and gambling) or time-wasting (shopping sites, sports and entertainment).

How and why an organization decides to use content-filtering products shouldn't be taken lightly. Issues involving the rights of the individual vs. the company, along with other legal liabilities, surround their use. Companies should clearly define why, where, when and how they use content filters across their networks.

To test the products' filtering abilities, we first perused the Internet to create a list of Web sites, which were divided among a number of typically objectionable categories, including adult content, hacking, shopping and gambling sites.

Using wget, an open source utility that can mirror an entire Web site, we wrote a script that downloaded the 65 Web sites on our "block" list. We then ran the script through each content-filtering device to determine which sites were blocked and which weren't.

Overall, the products performed very well. A few missed one site or another. Symantec's Web Security missed one adult site; N2H2's Sentian failed to filter one pornography site; CacheFlow's Security Gateway 800 missed one gambling site.

We also checked whether it was possible to circumvent the products' content filters. To test this, we resolved the IP address of a known blocked site via a ping and attempted to access the site by entering the IP address in a Web browser in place of the URL.

We gained access via IP address to one blocked site that sat behind a load balancer and therefore answered on several IP addresses. Some of those addresses were not on our content-filter lists. The site had also disabled reverse DNS, so an address could not be resolved back to a host name that the content-filtering products could check against the filter list. To close this hole, we added a rule to each content filter to block requests to IP addresses that cannot be resolved to a host name.
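The IP-address bypass and its mitigation described above, as an added example (not code from any of the products reviewed): a minimal Python content filter driven by constructed forward and reverse DNS tables for a hypothetical load-balanced blocked site. It shows why a filter that knows only the single address a ping returns lets the other addresses through, and how either blocking unresolvable IP literals (the rule we added) or expanding the blocklist to every A record closes the gap. Host names and addresses are hypothetical (documentation ranges).

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed DNS data (hypothetical names, documentation IP ranges).
# The blocked site is load-balanced across three addresses and publishes a
# PTR record for only one of them; the allowed site has a normal PTR record.
FORWARD_DNS: Dict[str, List[str]] = {
    "blocked.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "allowed.example": ["198.51.100.5"],
}
REVERSE_DNS: Dict[str, str] = {
    "192.0.2.10": "blocked.example",
    "198.51.100.5": "allowed.example",
}
BLOCKLIST: Set[str] = {"blocked.example"}


def is_ip_literal(target: str) -> bool:
    """True if the browser was given a bare IP address instead of a host name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


class ContentFilter:
    def __init__(self, blocklist: Iterable[str], forward: Dict[str, List[str]],
                 reverse: Dict[str, str], expand_all_records: bool = False,
                 block_unresolvable: bool = False) -> None:
        self.blocklist = {h.lower() for h in blocklist}
        self.reverse = reverse
        self.block_unresolvable = block_unresolvable
        # The IP list a filter builds from "ping blocked.example": one address
        # per name. With expand_all_records it records every A record instead.
        self.blocked_ips: Set[str] = set()
        for host in self.blocklist:
            addrs = forward.get(host, [])
            self.blocked_ips.update(addrs if expand_all_records else addrs[:1])

    def decide(self, target: str) -> str:
        """Return "BLOCK" or "ALLOW" for the host name or IP literal requested."""
        if not is_ip_literal(target):
            return "BLOCK" if target.lower() in self.blocklist else "ALLOW"
        if target in self.blocked_ips:
            return "BLOCK"
        # Reverse-resolve the address and check the name against the list.
        name = self.reverse.get(target)
        if name is not None:
            return "BLOCK" if name.lower() in self.blocklist else "ALLOW"
        # No PTR record: this is where the bypass happens unless the extra rule is on.
        return "BLOCK" if self.block_unresolvable else "ALLOW"


def bypass_addresses(filt: ContentFilter, host: str,
                     forward: Dict[str, List[str]]) -> List[str]:
    """The auditor's check from the review: which of a blocked host's addresses
    does the filter still let through when typed directly into a browser?"""
    return [ip for ip in forward.get(host, []) if filt.decide(ip) == "ALLOW"]


if __name__ == "__main__":
    configs = [
        ("naive", ContentFilter(BLOCKLIST, FORWARD_DNS, REVERSE_DNS)),
        ("block unresolvable", ContentFilter(BLOCKLIST, FORWARD_DNS, REVERSE_DNS,
                                             block_unresolvable=True)),
        ("all A records", ContentFilter(BLOCKLIST, FORWARD_DNS, REVERSE_DNS,
                                        expand_all_records=True)),
    ]
    for label, f in configs:
        print(f"{label:20s} bypass via: {bypass_addresses(f, 'blocked.example', FORWARD_DNS)}")
```

One caveat the code makes visible: the block-unresolvable rule is blunt. It also blocks an IP-literal request to any legitimate address that happens to lack a PTR record, whereas expanding the blocklist to every A record is precise but must be refreshed as the site's addresses change.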

A differentiating factor among content filters is their ability to filter based not only on a word but also on the context in which a word is used. Symantec's Web Security was the only product that supported Dynamic Document Review, which provides granular context-sensitive scanning of a Web page to check the context of questionable words that might otherwise be blocked by a content filter. This prevents blocking, for example, a page containing references to "sex education" or "breast cancer."

The content-filtering products were all fairly easy to integrate into our network with minimal downtime. We plugged the products inline, and they were functioning in less than 1 minute. Most products also easily integrated with directories and user groups that already were set up on our network.

We encountered an interesting deployment issue with SurfControl's Web Filter. The product resides between client machines and the Internet but does not forward traffic; it passively monitors a copy of it. If it sees a user requesting a blocked site, it injects a spoofed response in the name of the blocked server, returning an access-denied message to the user.

Because Web Filter must both receive the mirrored traffic and transmit its spoofed responses on the same connection, we could not use it on our Extreme Summit 48 switch, whose mirror port only sends mirrored frames out and does not accept frames transmitted into it. (We connected Web Filter to a hub instead.) Presumably, Web Filter would work on a switch whose mirror port supports both transmit and receive.

While we typically think of content filtering in the context of blocking access to Web sites, it is also applicable to content leaving and entering a corporate network via e-mail.

SurfControl offers a product called E-mail Filter, which filters and routes e-mail according to a variety of rule sets. A message that matches a rule triggers the corresponding action: isolate, discard, allow or delay it.

The SurfControl E-Mail Filter we examined didn't support the capability of filtering internal e-mail, but the vendor offers a version of E-mail Filter that integrates into Microsoft Exchange and lets you scan incoming and outgoing internal mail.

One weakness shared by all the content-filtering products is that they enforce policy based on which computer a request comes from. Nothing prevents someone whose own computer is blocked from a site from reaching it through a colleague's PC if that PC was not properly locked down.

The human factor

While content filters and antivirus products might play a key role in a company's overall security, it's also important to determine how people can circumvent even the best-laid security plans.

All the security products in the world won't protect a network against user error, lack of training on security procedures, improper configuration, incorrect use of passwords or malicious intent from within.

Humans have a knack for figuring out how to circumvent security devices, and many also like the challenge.



Yocom is senior editor and Frigo and Van Derveer are test engineers at Miercom, an independent testing lab in Princeton Junction, N.J. They can be reached at byocom@mier.com; mfrigo@mier.com; and dvanderveer@mier.com.

Copyright, 1994-2006 Network World, Inc. All rights reserved.