Senior Editor, Network World

Hunt for worms shifts to LAN traffic

Feb 24, 2003
Intrusion Detection Software | Network Security

Intrusion-prevention system vendors introduce devices for containing Slammer-like outbreaks.

Some makers of intrusion-prevention systems designed to actively block harmful traffic such as last month’s MS-SQL Slammer worm are arguing that strategies should shift from guarding the corporate Internet perimeter to setting up IPS appliances deep within the LAN.

By deploying an IPS internally, a company can detect and automatically block a worm outbreak that is spreading across the LAN after an employee or business partner with internal access introduces it. Silicon Defense and TippingPoint Technologies separately are introducing such products this week. The approach remains novel because companies are only now warming to the notion that they should automatically block traffic at all, even at the Internet perimeter.

Managed security firm Ubizen recently produced a report on Slammer, noting that although the worm was “easily stoppable on the perimeter infrastructure,” some of its customers were hit from inside “trusted parties,” including dial-up links, roaming laptops and third-party connections.

‘Worm containment’

Silicon Defense CEO Stuart Saniford advocates for what he calls “worm containment,” which is what his company says its CounterMalice product can do.

“A worm is always going to get inside your organization, and you need worm containment inside,” Saniford says. CounterMalice is an appliance with 500M bit/sec throughput. It is meant to be installed in-line between LAN segments, with placement based on an analysis Silicon Defense would perform for the customer, so that a worm that has begun to spread can be detected and blocked immediately rather than after it has reached every segment.

“You have to react within seconds, and you must have an automated engine,” Saniford says. “Waiting for a systems administrator is hopeless. The goal is to contain it early.”

Rather than use signature-based detection, CounterMalice blocks worm activity through a process largely based on recognizing aberrant IP traffic patterns – Saniford calls it “IP behaving badly” – such as a burst of scanning, typical of a worm searching for new victim machines. Because no signature is needed, the method can catch a worm nobody has seen before, but it also means a legitimately chatty host can look like a scanner if the thresholds are set too tightly.
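The scan-burst pattern described above, as an added example (not Silicon Defense's CounterMalice code, whose internals the article does not describe): each source's recent flows are kept in a sliding window, and a source that contacts more distinct destination hosts than a threshold inside that window is flagged and turned into a block rule. The flow records, the 2-second window, the fan-out threshold of 20, the allowlist and the iptables rule format are all assumptions made for this illustration.

```python
"""Behaviour-based scan detection, in the spirit of "IP behaving badly".

Added illustrative example, not Silicon Defense's CounterMalice code. It
tracks how many distinct destination hosts each source contacts inside a
short sliding window and flags sources whose fan-out exceeds a threshold,
the burst-of-scanning pattern a Slammer-style worm produces. The flow
records, thresholds, window size and rule format are all assumptions.
"""
from collections import defaultdict, deque


def constructed_flows():
    """Constructed sample flow records: 'epoch_seconds src dst proto dport'."""
    base = 1046000000.0  # roughly February 2003
    lines = []
    # Ordinary workstation: a handful of destinations over ten seconds.
    for i in range(5):
        lines.append(f"{base + i * 2} 10.1.2.10 10.1.2.{100 + i} tcp 445")
    # Monitoring host: many destinations, but only one every two seconds.
    for i in range(30):
        lines.append(f"{base + i * 2} 10.1.2.5 10.1.2.{50 + i} tcp 22")
    # Infected host: UDP/1434 to 40 distinct addresses in under a second.
    for i in range(40):
        lines.append(f"{base + 5 + i * 0.02} 10.1.2.77 192.0.2.{i + 1} udp 1434")
    lines.sort(key=lambda s: float(s.split()[0]))
    return lines


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto, int(dport)


def detect_scanners(lines, window=2.0, max_fanout=20, allowlist=frozenset()):
    """Return {src: (ts, fanout)} for each source that contacts more than
    max_fanout distinct destinations within any window of `window` seconds.

    allowlist: sources (for example an operations team's own scanner) that are
    never flagged, the usual answer to "we might be blocking legitimate traffic".
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    flagged = {}
    for line in lines:
        ts, src, dst, _proto, _dport = parse_flow(line)
        if src in allowlist or src in flagged:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # discard records older than the window
            q.popleft()
        fanout = len({d for _, d in q})
        if fanout > max_fanout:
            flagged[src] = (ts, fanout)
    return flagged


def block_rules(flagged):
    """Render detections as iptables-style drop rules (rule format is an assumption)."""
    return [f"iptables -I FORWARD -s {src} -j DROP" for src in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_scanners(constructed_flows())
    for src, (ts, fanout) in hits.items():
        print(f"{src} contacted {fanout} distinct hosts within 2s at t={ts:.2f}")
    for rule in block_rules(hits):
        print(rule)
```

With the defaults only the infected host trips the detector, on its 21st distinct destination; the monitoring host, which touches 30 machines but spread over a minute, does not. Widening the window to 120 seconds flags the monitoring host as well, which is the false-positive trade-off the thresholds control and why an allowlist for known scanners belongs in any such deployment.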

CounterMalice, which starts at $25,000, has a rudimentary command-line interface, but that might improve by the time the product ships in April, according to Saniford.

TippingPoint’s bid

TippingPoint, which already sells the UnityOne 2000 signature-based intrusion-prevention appliance that reaches 2G bit/sec, is introducing three IPS appliances for use inside corporate networks.

UnityOne 400 supports 400M bit/sec, UnityOne 1200 supports 1.2G bit/sec, and UnityOne 2400 reaches 2.4G bit/sec. Each has eight ports supporting Ethernet, Fast Ethernet or Gigabit Ethernet links to internal LANs. The same management console can configure and receive reports from all three devices, which can block about 850 types of attacks. They cost $43,000, $65,000 and $97,000, respectively.

“The UnityOne 2400 is best for use inside a data center,” CEO John McHale says. TippingPoint has added failover capability to the appliances so that if the in-line appliance fails, Layer 2 switching takes over and traffic keeps flowing; that is a fail-open design, so the segment goes unscreened until the appliance is restored. The devices pass several routing protocols, including interior gateway protocols.

While TippingPoint still advocates deploying an IPS at the Internet perimeter to stop worms and other types of attacks, installing an IPS internally is an additional safeguard, McHale says.

One UnityOne customer says that is the approach he takes. At the University of Dayton in Ohio, it’s not uncommon for students to introduce computer viruses via their laptops onto the campus LAN, CIO Tom Danford says. The university uses UnityOne 2000 inside the LAN.

“There’s always the possibility we might be blocking legitimate traffic, but in our experience, it always ends up being malicious,” Danford says.

By May, TippingPoint expects to add ways to use the appliances internally to prevent copyright violations.

Most organizations today deploy what’s known as “passive intrusion-detection systems” that monitor and report suspicious activity but don’t block it. IPS appliances, including those from IntruVert Networks, NetScreen Technologies, Internet Security Systems, Top Layer Networks and Check Point, are not yet widely accepted.

Expect to see more intrusion-prevention products from traditional intrusion-detection system (IDS) vendors.

“IPS are the next generation of firewalls at the proxying level,” says Martin Roesch, Sourcefire’s president. “We’re planning on releasing an IPS product, probably later this year. But we still think you will need both IDS and IPS as a surveillance and network-monitoring technology.”

Network World, the Tolly Group and NSS Group are among the organizations planning to test the active blocking capability of IPS products later this year.