Locking down your networks

Radware Inc | www.radware.com


As VP Security for Radware Inc, Avi Chesla is responsible for defining the security roadmap of Radware’s Network Intrusion Prevention System, the theoretical basis for current and future security products, and the research and design of the core algorithms of the product. He explained to FST how new behaviour-based technology can aid in the fight against cyber crime.

FST. Network security is an ever-present concern for financial institutions. In recent months what types of new threats have you seen cropping up?
AC. We see new threats all the time, but I think the major ones over the last six months have been denial of service incidents. They’ve increased in frequency. These attacks are aimed typically at the network infrastructure, applications or core components like VNN services or certain critical applications in order to disrupt the business continuity of the organization, especially financial institutions.

In recent months we have seen an increase in the frequency of Denial of Service incidents aimed at organizations’ critical network infrastructure and application servers, thus imposing a major threat on the connectivity and business continuity of the organization. For financial institutions these kinds of attacks have a significant impact, as their customers rely on their services being reliable.

Network worms, as we saw last month with the outbreak of the W32.Rahack worm which targeted Windows based computers, continue to be a major threat because they spread faster than security device vendors can really ‘tag’ them.

Another type of threat which we see gaining momentum in the past six months is ‘bot’ attacks. These bots are malware that ‘silently’ infect personal computers and use their resources in order to generate different types of activities. The bots can be automatically controlled from outside the organization through communication channels that bypass most firewalls or other network security products. These activities include using the identity of the organization’s internal users to generate spam, distributed denial of service flood attacks and collecting confidential information and broadcasting it outside the organization. And of course this kind of activity can have a major impact on financial organizations, because it exposes the organization to serious liability and compliance issues.

FST. You mentioned ‘denial of service’ there, and ‘man in the middle’ attacks have also received some press recently – are these threats getting round existing defences?
AC. Yes they are. These types of attacks, although known for at least five or six years, are now integrated at a much higher level with totally legitimate forms of communication, requiring a higher standard of detection and prevention on the part of protection systems. These attacks exploit legitimate internet applications in order to establish hostile events. This means that the difference between malicious and legitimate communication has become fuzzy.

Besides the detection challenge of these attacks, blocking them is an even bigger challenge. Because these attacks look very similar to legitimate traffic, the capability to construct a mitigation rule that will be accurate enough to block the attack traffic while letting legitimate traffic pass without any disturbance, doesn’t usually exist – this inability renders the products useless as mitigation devices and lets through these denial of service and ‘man in the middle’ attacks, that today are getting a lot of press coverage.

FST. And how has the development of enterprise technology affected network security – has the growth in use of mobile laptops and PDAs made things harder to secure operations?
AC. Well, there are more concerns right now, because we know that PDAs and smart phones, for example, use operating systems that have vulnerabilities. We know that all organizations are going to be using this kind of mobile working more widely, and the general information security market is very concerned about what will happen when this kind of application is exploited. And it has to be soon; we’d assume that in the next six months we’ll start to see an increase in this type of threat. So yes, there are concerns, and there are no specific solutions right now for this.

The development of mobility causes the network perimeter, which is usually protected by gateway security devices, to ‘disappear’, thus making it harder to maintain a secured network. Therefore, employees who are frequently out of the office and use laptops and PDAs create the opportunity for an attacker to create an attack that will be distributed very fast. If worms or malware are carried into the organization by company employees who bring their infected laptop computers and PDAs into the office, or alternatively over their remote connection, it allows network worms and other types of attacks to freely propagate into the "protected" network. Once the worm is inside the network, it is unimpeded and spreads quickly, replicating itself at an exponential rate.

FST. A trend in security software is to develop automated defences at the application level – could you explain what the advantages of this approach are, and how such technology operates?
AC. One of the most challenging expectations of intrusion prevention products is to prevent not only the known, but the unknown (zero-day) attacks in real time. This requires that products have some kind of decision engine that will be able to analyse traffic in the application level – at layer seven and above – and determine if there is some kind of unusual activity through the application. Right now firewalls are focused more on layer three and four, as an access control to devices. The newer firewalls have some access controls at the application level, but only as an access control. Which means they enforce the policy of the organization in terms of communication but not really detect if there is an attack or not.

The IPS until now has included only the signature based capabilities in the application layer, which means they can detect some attacks. But the expectation is that they will do this in real time and also detect new attacks, and this means a new technology is needed to analyse the behaviour of the application to establish some kind of application profile – we can call it a normal baseline. When a deviation from these baselines is indicated, the system’s decision engine raises an alert.
This is a necessity that needs to be accomplished by the market – it has already started to develop and over the next two years we will see this technology evolve.

FST. So this kind of behaviour based application technology is more like monitoring the application to pick up unusual behaviour once the firewall has been penetrated?
AC. Yes, that’s correct. The typical deployment of this kind of technology can be in two places: in front of the firewall or behind the firewall. This kind of technology is designed to detect attacks that look very similar to legitimate traffic, which means the firewall will find it very hard because of its limited capabilities in understanding the behaviour of the user to decide whether it is a legitimate user or not. In this case the behaviour based defence takes responsibility – it has learnt the characteristics of the normal user, and can identify abnormal activities generated by new attacks and prevent it.

It can be in front of or after the firewall. I think this kind of application is designed better to sit after the firewall – so the unauthorised users will be filtered by the firewall, and the authorised users will be inspected by the behaviour based technology.

Having said this, because the behaviour based technology uses statistical analysis, it must collect enough information before it can come to a robust description of the traffic behaviour. Therefore, application vulnerabilities that can be exploited through one or very few packets (these types of attacks are usually defined as ‘single bullet’ attacks) will usually not be detected by the behavioural approach. This brings us to the conclusion that behavioural-based and signature-based technologies are complementary solutions.

FST. Is this why Charles Kolodgy, Research Director at IDC, has said that security software that combines signature based approaches with advanced behavioural technology will have an advantage over signature based technology alone?
AC. Yes, the signature-based and behaviour-based security technologies form a complementary solution that covers more threats than each one can cover by itself. This is why, as Charles said, an advanced behavioural technology will have an advantage over a product that is based only on signature technology.

The behaviour-based technology detects new (zero-day) attacks such as denial of service, worm propagation, brute-force attacks, and any activity that is part of the pre-attack probes that the attacker generates before the attack. These activities are not detected effectively by the signature approach, because most of the time they spread so quickly that the signatures can’t be updated in time. As we mentioned, though, the signature-based technology can detect known ‘single bullet’ attacks that cannot be identified by the behaviour technology.

Charles’ point was that a security product which includes both signature and behavioural technologies and was designed to effectively divide detection ‘responsibilities’ between them, will achieve better security performance over a security product that implements just one technology.

Enterprises are targets for both known and zero-day attacks. Therefore the combination of technologies must be included in the security product that protects them.

FST. Do you have any final thoughts you’d like to add on your own solutions?
AC. Radware’s Network IPS (DefensePro) introduces a ‘smart’ balance between behavioural-based and signature-based technologies. As mentioned, it allows Radware’s DefensePro to be entirely independent of signatures for the detection of both known and zero-day threats. Because signature detection engines require deep packet inspection (DPI) operations that consume large amounts of CPU resources, large sizes of attack signature database lead directly to performance degradation. Radware’s solution is considered to be more scalable (in terms of performance) because it needs to maintain fewer signatures than other products. So we offer better security and better network performance.

Avi Chesla currently serves as VP Security for Radware Inc. Chesla is responsible for defining the security roadmap of Radware’s Network Intrusion Prevention System, the theoretical basis for current and future security products, and the research and design of the core algorithms of the product. Avi has published a number of patent applications and articles in the area of Network Intrusion Prevention and traffic behaviour analysis.
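The complementarity Chesla describes, as an added toy illustration that is not Radware's DefensePro code or its algorithms: a per-source request-rate baseline is learned from constructed attack-free traffic and its decision engine flags a flood that matches no signature, while a constructed single-packet signature catches a 'single bullet' that never disturbs the rate. Every IP, payload, window size and threshold below is made up for the demonstration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 10  # seconds per counting window (constructed parameter)

# Constructed 'known attack' signature: a byte pattern for a hypothetical single-packet exploit.
SIGNATURES = {"fake-overflow": b"\x90" * 8 + b"EXPLOIT"}

# Constructed sample traffic: events are (timestamp_seconds, source_ip, payload_bytes).
NORMAL = ([(t, "10.0.0.5", b"GET /index") for t in range(0, 100, 2)]      # 5 requests per window
          + [(t, "10.0.0.7", b"GET /login") for t in range(0, 100, 5)])    # 2 requests per window
FLOOD = [(t, "10.0.0.5", b"GET /index") for t in range(100, 110)] * 4      # 40 requests in one window
SINGLE_BULLET = (105, "10.0.0.7", b"\x90" * 8 + b"EXPLOIT")                # one packet, normal rate

def signature_hits(events):
    """Signature engine: (event index, signature name) for every payload containing a known pattern."""
    return [(i, name) for i, (_, _, payload) in enumerate(events)
            for name, pattern in SIGNATURES.items() if pattern in payload]

def requests_per_window(events):
    """Count requests per (source, window): the 'behaviour' being profiled."""
    counts = defaultdict(Counter)
    for ts, src, _ in events:
        counts[src][ts // WINDOW] += 1
    return counts

def learn_baseline(events):
    """Learning phase: per-source (mean, stdev) of requests per window from attack-free traffic."""
    baseline = {}
    for src, per_window in requests_per_window(events).items():
        rates = list(per_window.values())
        baseline[src] = (mean(rates), pstdev(rates))
    return baseline

def behavioural_alerts(events, baseline, k=3.0):
    """Decision engine: alert on any (source, window) whose rate exceeds mean + k*stdev.
    A source never seen during learning gets a (0, 0) profile, so an alert on it means
    'insufficient baseline' rather than a verdict; the stdev floor of 1.0 keeps a perfectly
    flat learned rate from turning one extra request into an alert."""
    alerts = []
    for src, per_window in requests_per_window(events).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = mu + k * max(sigma, 1.0)
        alerts += [(src, w, n) for w, n in sorted(per_window.items()) if n > threshold]
    return alerts

def demo():
    """Run both engines over the same test traffic; return (behavioural alerts, signature hits)."""
    baseline = learn_baseline(NORMAL)
    test = FLOOD + [SINGLE_BULLET]
    return behavioural_alerts(test, baseline), signature_hits(test)

if __name__ == "__main__":
    print(demo())  # the flood is caught only by the baseline, the single bullet only by the signature
```

The flood never matches a signature and the single packet never moves the rate, so each engine misses what the other catches; the stdev floor is the kind of engineering choice a real baseline engine has to make once enough learning traffic has been collected.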
