Lessons from the field part two

This is part two of a series looking at real world problems customers are having with what has loosely been described as Web 2.0. I say loosely because a quick look at Wikipedia reveals some discussion as to what the phrase means. Wonderful for marketing folk who can claim almost anything as Web 2.0 equipped. Not so for us security folk. Whilst Skype, instant messaging and video streams smuggle viruses into our networks we are stuck with a phrase that could also mean your fridge has an internet browser built into it. So put aside the vague and come with me as I look at Web 2.0 in the real world.
Read Lessons from the field part one here.
This story concerns a newish customer who had come to us after a virus outbreak serious enough to warrant a hunt to find out why it happened. When you’ve followed the conventional wisdom, planned protection in depth and thought you were well positioned for a virus attack, it’s a shock when it happens to you. The only honest response is to challenge the thinking that put you in the situation where the impossible, or extremely unlikely, happened. Failure to examine the assumptions in the face of reality is the only other road to travel. It’s a luxury working in the computer industry does not afford us, technology placing us in a state of constant metamorphosis. We must accept that pride forces us in circles and be humble enough to accept our view of things might not be true.
This customer and I had several long discussions where I tried to lead things through a logical path. Looking at the traffic flow we see potential risk coming down the pipe from the internet, going through a firewall, passing into a content filtering proxy and on to the desktop that requested it. That’s three points of control: firewall, proxy, desktop. In Lessons from the field part one I tried to explain why the proxy layer of this chain isn’t quite what customers would hope, giving some control but being far from perfect, with almost all products exhibiting major leaking. I would contend only one vendor product doesn’t leak, and that one is quite expensive to buy and maintain. The logic, simply put, is this: if we judge one layer of this control to be porous, in this case the content filtering proxy, it raises the importance of the other two.
So the conclusion in part one was that you need to review desktop protection. I pointed to research that shows which vendors handle new exploits best and suggested decisions should be made on the basis of that research rather than sales promises or vendor reputation. Next on the list, therefore, must be the need to add strength to the network layer.
Meanwhile, back at the customer, we had arrived at this point in our discussion. I proposed the next area for the microscope was intrusion prevention on the network, probably using the existing firewall because that is usually most cost effective. What floored me was his answer. “We’ve already got IPS,” he said, “we run a McAfee IPS box - have you heard of it?” Turns out the box was outsourced to his ISP, who manages it for him. Being familiar with the device, I discovered the management server wasn’t even on site; it was back at the ISP. Meaning if any kind of data filled his internet pipe, the managers of the device would see nothing. This box is state-of-the-art IPS of the highest quality, with signatures for network layer attacks, application signatures for almost everything and certainly a full complement of anti-virus signatures from McAfee. So I posed the obvious question. If you run a state-of-the-art, multi-processor specialist IPS box like the one you have, how on earth can you have had a virus outbreak nobody noticed?
Lesson number two: you need to improve both visibility and protection at the network layer, and that means IPS.
But as the story shows, network protection is a minefield. If you buy complex and then outsource the complexity, you might end up like this customer: in a three year contract with Rolls-Royce equipment but a partner who isn’t motivated to create support tickets for themselves. If you buy cheap, we know of at least one SME firewall vendor who overstates their throughput by about 50% on the brochure. If you buy a product with an interface like a command prompt from 1982, you probably won’t be able to drive it, and what’s the point of a visibility product you can’t run?
So my advice is: buy something you can drive yourself. You could buy a Ferrari, but if you don’t know how to drive it you’ll be reliant on a chauffeur, even to put it in the garage. Don’t sign up to outsourcing deals with ISPs. By all means ask for help, but make sure you get a decent interface so you can see what’s going on for yourself. One of the primary goals of IPS is to give visibility; if you can’t see when you need to, a visibility tool is useless.
Web 2.0 means threats your current systems probably don’t see. The traditional proxy middle man is becoming less effective and wasn’t designed for this challenge. My proposition to counter this is to review the effectiveness of your desktop anti-virus solution and add IPS network layer protection.