Network tools stake out new defenses
- By William Jackson
- Mar 17, 2004
A pair of products add some new wrinkles to network defense.
Version 7.5 of the Antigen antivirus scanner from Sybari Software Inc. of East Northport, N.Y., can filter content in instant messaging traffic handled by Microsoft Office Live Communications Server 2003.
WormScout from ForeScout Technologies Inc. of San Mateo, Calif., identifies and isolates worms that have already penetrated perimeter defenses.
The popularity of instant messaging products from America Online Inc., Microsoft Corp. and Yahoo.com has outrun many organizations' control, resulting in perimeter security gaps. Although effective for communication, unchecked instant messaging can let in malicious code as well as open exit routes for sensitive information.
Antigen 7.5 for IM scans and enforces policy for traffic through Live Communications Server. Besides blocking malicious code, it also quarantines documents and files that violate policy. Users can filter documents by type, size and name. Administrators as well as users receive notification when Antigen finds malicious code and policy violations.
ForeScout starts with the assumption that despite the administrator's best efforts, perimeters eventually will be breached.
'A worm is going to get into your network anyhow,' marketing vice president Timothy Riley said. WormScout concentrates on isolating it to keep it from spreading.
The WormScout server works from the sniffer port of a switch, watching traffic between network segments for telltale signs of a worm on the hunt for vulnerable devices. When it detects what it considers a malicious scan, it returns a false response. If the source then responds with an attack, WormScout blacklists traffic from that IP address.
When blacklisted traffic tries to establish a connection with another address, WormScout blocks the connection with a TCP reset.
Servers running WormScout typically reside between a network and outside connections, and between physical or logical network segments, forming cells of protection. It could not protect devices within an infected cell but would prevent the infection from spreading outside the cell.
A central management server can manage multiple WormScout servers, propagating blacklists to stop hostile traffic.
Because WormScout responds to actual attacks and not to scanning traffic, it eliminates false positives and makes automatic blocking feasible, ForeScout chief executive officer T. Kent Elliott said.
One hole in the defenses, however, is that WormScout depends on the worm establishing a connection in order to propagate itself.
The Slammer worm used connectionless User Datagram Protocol packets to spread itself, rather than scanning for victims to which it could connect.
WormScout would see the blast of UDP packets as a scan, but if they were not followed by an attempt to connect, it would not blacklist further traffic.
Riley said that sort of attack is an exception to the normal workings of a worm. He said an administrator could set WormScout to block malicious scanning traffic, thus stopping the spread of a Slammer-like worm.
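The detection logic described above (answer a suspected scan with a decoy, blacklist the source only if it follows up with an attack, then reset any further connection attempts) and the Slammer caveat can be made concrete as a small simulation. This is an added illustration, not ForeScout's code: the event format, the IP addresses and the `block_scans` switch standing in for the administrator setting Riley mentions are all constructed assumptions.

```python
"""Toy model of WormScout-style deception-based worm containment.

Added example; not ForeScout's implementation. Event tuples are
(src_ip, dst_ip, proto, kind) where kind is one of:
  "scan"    - probe looking for a vulnerable service
  "attack"  - exploit attempt against a host that answered a probe
  "connect" - ordinary TCP connection attempt
"""
from dataclasses import dataclass, field


@dataclass
class WormScoutSim:
    # Hypothetical switch standing in for the administrator setting that
    # blocks malicious scanning traffic outright (Slammer-like worms).
    block_scans: bool = False
    suspected: set = field(default_factory=set)    # sources answered with a decoy
    blacklisted: set = field(default_factory=set)  # sources that attacked the decoy

    def handle(self, src, dst, proto, kind):
        """Return the action taken for one observed packet."""
        if src in self.blacklisted:
            # Blacklisted source: tear down a TCP connection attempt with a RST.
            # UDP is connectionless, so there is nothing to reset; just drop it.
            return "reset" if proto == "tcp" else "drop"
        if kind == "scan":
            if self.block_scans:
                # Strict mode: the scan itself is grounds for blacklisting.
                self.blacklisted.add(src)
                return "blacklist"
            # Default: answer the probe with a false response, remember the
            # source, but take no blocking action yet.
            self.suspected.add(src)
            return "decoy"
        if kind == "attack" and src in self.suspected:
            # The source acted on the decoy: an actual attack, so blacklist it.
            self.blacklisted.add(src)
            return "blacklist"
        return "allow"

    def run(self, events):
        return [self.handle(*event) for event in events]


# Constructed trace: a TCP worm that scans, then exploits whatever answers.
TCP_WORM = [
    ("10.0.1.7", "10.0.2.20", "tcp", "scan"),
    ("10.0.1.7", "10.0.2.20", "tcp", "attack"),
    ("10.0.1.7", "10.0.2.21", "tcp", "connect"),
]

# Constructed trace: a Slammer-like UDP blast that never tries to connect.
UDP_BLAST = [
    ("10.0.1.9", "10.0.2.20", "udp", "scan"),
    ("10.0.1.9", "10.0.2.21", "udp", "scan"),
    ("10.0.1.9", "10.0.2.22", "udp", "scan"),
    ("10.0.1.9", "10.0.2.23", "tcp", "connect"),
]


def demo(block_scans=False):
    """Run both traces through fresh sensors and return the action lists."""
    return {
        "tcp_worm": WormScoutSim(block_scans=block_scans).run(TCP_WORM),
        "udp_blast": WormScoutSim(block_scans=block_scans).run(UDP_BLAST),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"block_scans={mode}: {demo(block_scans=mode)}")
```

With the default setting the TCP worm is blacklisted on its second packet and its later connection attempt is reset, while the UDP blast only ever draws decoy replies and its final connection is allowed through, which is exactly the gap the article points out. Turning on the scan-blocking mode closes that gap at the cost of acting on scans alone, which is where false positives would come from.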
Sybari's Antigen 7.5 for IM lists at $5,750 for 250 users under a two-year license.
WormScout starts at $9,950 per license for up to five licenses. The central management console for multiple servers costs $4,950.
William Jackson is a freelance writer and the author of the CyberEye blog.