Fire-Proofing Your Network With UTM

We continue our Unified Threat Management series with a guided tour of network-based virus, spyware, spam, and web defenses, demonstrating how they responded to threats during our tests.
In this series, we examined the drivers behind Unified Threat Management and illustrated a small office UTM deployment using the IBM ISS Proventia MX1004, a multi-function network security appliance. Here in Part 3, we look at the anti-virus, spam, spyware, and web filtering features integrated into many UTM firewalls.

Preventing network intrusions

Many threats combine attack methods: for example, spam laced with links that lead users to spoofed websites which steal identities or implant malware. Figure 3-1 illustrates an IPS alert triggered by HTML-formatted e-mail that opened a suspicious URL when the recipient opened the message. UTM can block these widespread spyware and adware back-channels without relying on end users to notice or avoid them.

Depending upon risk and severity, you might want to take action to contain damage. Possible IPS responses include dropping offending packets, resetting TCP connections, blocking future connections from a threat source, or quarantining the victim (e.g., stopping all traffic to and from a worm-infected host). For example, Figure 3-2 shows how the MX1004 responded to traffic indicating that an internal host had been infected with Back Orifice, a trojan used to remotely control compromised desktops.

The MX1004 is supplied with IPS policies that detect over 2500 known threats carried by 137 protocols. However, the challenge for any IPS deployment is to avoid perceiving a threat where there is none (false positives) without ignoring dangerous traffic (false negatives). IBM ISS eases this major administrative burden by delivering default IPS policies that reflect X-Force recommended responses (Figure 3-3). Those with limited time or security expertise will simply use the X-Force policies. However, you may need to make some exceptions, globally or for specific devices. In Figure 3-4, we overrode the default policy to react to Back Orifice pings by quarantining the victim for one hour.
We also used filters to exempt a specified source/destination IP from another event that did not represent a true threat in our network. Making a lot of changes this way would be tedious, but the ability to make a few careful customizations is essential.
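A toy policy resolver, added here as an illustration and not part of the article or of any IBM ISS software, showing the precedence just described: an exemption filter for a specific source/destination pair suppresses an event, a per-event override replaces the vendor default, and the Back Orifice override quarantines the victim for one hour. Event names, addresses and the default-response table are constructed for the example.

```python
"""Toy IPS response-policy resolver for the workflow described above: exemption
filters first, then per-event overrides, then vendor defaults (all constructed)."""
from dataclasses import dataclass, field

# Stand-in for vendor-recommended default responses (constructed, not X-Force data).
DEFAULT_RESPONSES = {
    "BackOrifice_Ping": "drop",
    "HTTP_Suspicious_URL": "drop",
    "SMB_Login_Failure": "alert",
}

@dataclass(frozen=True)
class Alert:
    event: str
    src: str
    dst: str

@dataclass
class Policy:
    overrides: dict = field(default_factory=dict)   # event -> (response, victim side, seconds)
    exemptions: set = field(default_factory=set)    # (event, src, dst) triples declared benign
    quarantined: dict = field(default_factory=dict) # host -> unix time quarantine lapses

    def resolve(self, alert: Alert, now: int) -> str:
        """Return the action for one alert, recording any quarantine as a side effect."""
        # 1. A filter matching this exact event/source/destination suppresses it.
        if (alert.event, alert.src, alert.dst) in self.exemptions:
            return "ignore"
        # 2. An administrator override replaces the default for this event.
        if alert.event in self.overrides:
            response, victim, seconds = self.overrides[alert.event]
            if response == "quarantine":
                host = alert.dst if victim == "dst" else alert.src
                self.quarantined[host] = now + seconds
            return response
        # 3. Otherwise apply the default; unknown events are only logged.
        return DEFAULT_RESPONSES.get(alert.event, "alert")

    def is_quarantined(self, host: str, now: int) -> bool:
        """True while a quarantine recorded by resolve() is still in force."""
        return self.quarantined.get(host, 0) > now

def example_policy() -> Policy:
    """Mirror the article's customizations: quarantine the Back Orifice victim
    for one hour, and exempt one benign src/dst pair from a noisy event."""
    return Policy(
        overrides={"BackOrifice_Ping": ("quarantine", "dst", 3600)},
        exemptions={("SMB_Login_Failure", "10.0.0.5", "10.0.0.9")},
    )
```

The same event from a different source is not exempted, and the quarantine lapses exactly one hour after the alert that imposed it.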
Multiple intrusion detection methods can cover more ground while improving accuracy: for example, the MX1004 combines signatures with behavior analysis to spot new attacks for which no signature has been defined. During one test, the MX1004 spotted almost all of the attacks we sent through it, blocking about half with X-Force responses. However, it did not object when we FTP'ed some hacker tools (e.g., UDPFlood) that were then quarantined by the client's host IPS. One could argue that those programs were not intrusions until used, at which time the MX1004 alerted us to the traffic they sent. This example illustrates the benefit of layered defenses.

When choosing a UTM appliance, consider IPS breadth of coverage, rate of false positives and negatives, auto-responses, and your ability to view and control them. UTM appliances cannot do everything that purpose-built network IPSs can. For example, the MX1004 cannot integrate distributed sensor observations or replay traffic recorded during an attack. But UTM IPS can provide a solid foundation upon which to layer further defenses.