Hunt for worms shifts to LAN traffic

Intrusion-prevention system vendors introduce devices for containing Slammer-like outbreaks.

By Ellen Messmer, Network World
February 24, 2003 12:10 AM ET

Some makers of intrusion-prevention systems designed to actively block harmful traffic such as last month's MS-SQL Slammer worm are arguing that strategies should shift from guarding the corporate Internet perimeter to setting up IPS appliances deep within the LAN.

By deploying an IPS internally, a company can detect and automatically block a worm outbreak that spreads across the LAN after an employee or business partner with internal access introduces it. Silicon Defense and TippingPoint Technologies are separately introducing such products this week. The approach remains novel because companies are only just warming to the notion that they should automatically block traffic at all, even at the Internet perimeter.

Managed security firm Ubizen recently produced a report on Slammer, noting that although the worm was "easily stoppable on the perimeter infrastructure," some of its customers were hit from inside "trusted parties," including dial-up links, roaming laptops and third-party connections.

'Worm containment'

Silicon Defense CEO Stuart Saniford advocates for what he calls "worm containment," which is what his company says its CounterMalice product can do.

"A worm is always going to get inside your organization, and you need worm containment inside," Saniford says. CounterMalice is an appliance with 500M bit/sec throughput that's supposed to be installed across LAN segments based on an analysis Silicon Defense would do for the company so a worm that has begun to spread can be immediately detected and blocked.

"You have to react within seconds, and you must have an automated engine," Saniford says. "Waiting for a systems administrator is hopeless. The goal is to contain it early."

Rather than use signature-based detection, CounterMalice blocks worm activity through a process largely based on recognizing aberrant IP traffic patterns - Saniford calls it "IP behaving badly" - which might be, for instance, an outburst of scanning typical of worms in search of a new victim machine.
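The scan-outburst pattern described above can be illustrated with a rate-based detector that, instead of matching signatures, counts how many distinct destinations a single source contacts within a short window and flags the source once it exceeds a threshold. This is an added example written for this article, not Silicon Defense's code; the window, threshold and sample flow records are constructed assumptions.

```python
"""Rate-based worm-scan detector: flags a host that contacts many distinct
destinations within a short window (the "IP behaving badly" pattern)."""
from collections import defaultdict, deque

# Assumed tuning values (hypothetical; a real deployment tunes per segment).
WINDOW_SECONDS = 1.0        # sliding window over which destinations are counted
MAX_NEW_DESTINATIONS = 20   # distinct destinations allowed inside one window


class ScanDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=MAX_NEW_DESTINATIONS):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
        self.contained = set()             # sources already being blocked

    def observe(self, ts, src, dst):
        """Record one packet; return True if src should be blocked."""
        if src in self.contained:
            return True
        q = self.recent[src]
        q.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > self.threshold:
            self.contained.add(src)        # contain: block all further traffic
            return True
        return False


def replay(flows):
    """Feed (ts, src, dst) records through the detector; return blocked sources."""
    det = ScanDetector()
    blocked = []
    for ts, src, dst in flows:
        if det.observe(ts, src, dst) and src not in blocked:
            blocked.append(src)
    return blocked


# Constructed sample: a normal host talking to three servers over three seconds,
# and a worm-like host spraying 60 distinct addresses within 0.6 seconds.
SAMPLE_FLOWS = (
    [(0.1 * i, "10.0.1.5", f"10.0.2.{(i % 3) + 1}") for i in range(30)]
    + [(2.0 + 0.01 * i, "10.0.1.77", f"10.0.0.{i}") for i in range(60)]
)

if __name__ == "__main__":
    print("contained:", replay(SAMPLE_FLOWS))   # contained: ['10.0.1.77']
```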

CounterMalice, which starts at $25,000, has a rudimentary command-line interface, but that might improve by the time the product ships in April, according to Saniford.

TippingPoint's bid

TippingPoint, which already sells the UnityOne 2000 signature-based intrusion-prevention appliance that reaches 2G bit/sec, is introducing three IPS appliances for use inside corporate networks.

UnityOne 400 supports 400M bit/sec, UnityOne 1200 supports 1.2G bit/sec, and UnityOne 2400 reaches 2.4G bit/sec. Each has eight ports that connect to internal LANs running at Ethernet, Fast Ethernet or Gigabit Ethernet speeds. The same management console can configure and receive reports from all three devices, which can block about 850 types of attacks. They cost $43,000, $65,000 and $97,000, respectively.

"The UnityOne 2400 is best for use inside a data center," CEO John McHale says. TippingPoint has added failover capability to the appliances so Layer 2 switching takes over if the in-line appliance fails. The devices support several routing protocols, including Interior Gateway Protocol.
