Tools take the offensive on network defense
- By William Jackson
- Jul 10, 2003
Monitoring, filtering and blocking were among the hottest defenses against network threats and faux pas at the recent RSA 2003 security conference in San Francisco. Gateway appliances offer more layers of protection against spam, one of the top villains of the networked world. Now that the enterprise perimeter is no longer the only line of defense, tools must keep an eye on internal and outgoing traffic as well as what's coming in. Plus, there are more mobile users to consider.
About 60 percent of new wireless phones are Java-enabled, said Shlomo Touboul, chief executive officer of Finjan Software Inc. of San Jose, Calif. Mobile gaming has been a strong driver for the devices, which can receive applets and run applications as well as provide phone service and e-mail.
'It's a nightmare for service providers' to keep up with all the phone-specific applications and extensions, Touboul said. So far, he said, no serious cell phone exploits have been found in the wild, although Finjan has developed hostile code for demonstrations. Service providers 'are telling us, 'We learned our lesson from the PC, ' ' he said. Finjan is extending its SurfinGate server-side scanner to protect cell phone vendors and developers. 'We put the server at the service provider's site,' Touboul said.
Filtering suites are appearing, too. The Content Management Suite from WebWashers AG of Germany resides on a gateway device. Besides filtering spam, it offers a choice of antivirus engines, uniform resource locator blocking and filtering of Secure Sockets Layer traffic. The spam filter uses several methods to control unwanted e-mail, including white and black sender lists, header content examination, lookup of senders and links, and a statistical filter with a dictionary.
The suite's SSL filtering stops encrypted traffic at the proxy level and initiates a second, secure session with the server. Unencrypted traffic is examined at the gateway and filtered according to user policies.
'There is a lot of interest in SSL filtering,' said Frances Schlosstein, WebWashers' vice president of business development. 'It hasn't been on anybody's radar screen before because it hasn't been available.'
Group Technologies USA Inc. of Milford, Mass., is adding new features to its SecuriQ.Wall filtering product for Lotus Domino and Microsoft Exchange e-mail platforms. It does lexical analysis of words, scans content, keeps black lists and white lists, and blocks and tracks e-mail. It will soon be able to scan compressed files and Portable Document Format files. The company also plans to introduce a self-learning engine that can recognize new spam by its content.Outgoing traffic
Company president Karl-Heinz Dahley said that although most users want to keep spam out, government users are more concerned about keeping confidential information in. He said scans of outgoing traffic are just as vital as scans of what comes in.
Version 2.0 of the Teros-100 Application Protection System from Teros Inc. of Santa Clara, Calif., sits in front of a Web server farm and inspects incoming and outgoing packets at the application layer. It comes programmed with hundreds of rules for what kinds of traffic and behavior should be blocked. After several days of monitoring, the Teros system picks up from the usage patterns which rules to enforce and which to waive.
A new, free module called SafeIdentity will keep an eye on Social Security numbers. 'All the heavy lifting is in the core processing,' chief executive officer Bob Walters said.
When SafeIdentity recognizes a Social Security number, it can apply rules to block, log or otherwise regulate it. That keeps confidential information from leaving an enterprise through unauthorized means and makes identity theft more difficult.
Nokia Americas Inc. of Irving, Texas, has come up with an e-mail firewall to add another defensive layer to the perimeter. The Message Protector appliance runs Nokia's Ipso-SX hardened operating system between the firewall and the e-mail servers, acting as a mail transfer agent. It inspects packets, scans for viruses, strips out macros, watches for malicious behavior, checks content and blocks spam at a rate of 120,000 messages per hour for e-mails averaging 14K in size.
Latency varies with the type and length of messages being examined, but because e-mail is a store-and-forward technology, delays are not critical.
'This box is configured to call home for updates' of its signatures for malicious code and spam, product manager Haig Colter said. It can unzip 62 layers to get down to the content, he said, and the same box can handle outgoing and incoming traffic.
Message Protector is available now for $15,000 per box, plus licensing based on number of users. There is government interest in the product, but 'procurement is not exactly an overnight process,' Colter said.
William Jackson is freelance writer and the author of the CyberEye blog.