
Guarding the gate: inside: how two enterprises are combating denial-of-service attacks and other...

Deploying its first network in 1999 brought the University of Redlands a lot more than connectivity to support its 5,000 faculty, students and staff. It also triggered the onset of crippling denial-of-service (DoS) attacks that compromised the Southern California liberal arts and sciences institution's academic research and communications.

Launched as far away as China and Poland, the DoS attacks were cloaked in e-mail attachments that infected Redlands' networked PCs. The menacing programs would then command the PCs to send a flood of traffic over the university's Internet portal, ultimately crashing Internet service at its main campus and seven satellite sites, plus its Web site.

At these times, students were hard pressed to complete assignments and research. Staff struggled to conduct routine administrative tasks, and no one could send or receive e-mail. Even the university's environmental systems, E-911 capability and important bank transactions were affected as IT personnel worked frantically to restore connectivity.

By the fall of 2004, as many as three DoS attacks a day penetrated Redlands' three Cisco firewalls protecting the school's local-area and wide-area networks. Even the virtual LAN (VLAN) the IT department established to segregate infected PCs and protect healthy systems failed to neutralize the attacks.

"We tried everything, from isolating switch-to-switch traffic, individual MAC addresses and infected PCs, to using access control lists," says Matt Riley, associate IT director, University of Redlands. "Our IT staff was constantly trying to fix infected PCs, which compromised our overall technical support."

With its firewalls clearly unable to combat the DoS threats, the Redlands IT department sought an alternative solution that would provide the comprehensive and pervasive protection it required, but with one important caveat: The security solution also had to interoperate seamlessly with the university's Cisco gigabit network. "Being a smaller institution with fewer resources than larger universities, we needed a solution to stop the attacks affordably, as well as effectively," Riley says.

At first, the IT department considered an intrusion-detection system from Cisco. The product, however, could only alert network administrators of an attack after it had violated the university's network. Ultimately, the IT department learned of the TippingPoint intrusion prevention system (IPS) from 3Com.

"The TippingPoint IPS has the capabilities and the track record we wanted at the affordable price point we needed," Riley says. "After surveying the field, we found it was the only product that could give us the proactive protection we required, but we still wanted to make sure."

To test the system, the university deployed a single IPS in November 2005 between its two core routers and behind the firewalls guarding its 15-Mbps DS-3 Internet connection. "Installation was 'turnkey' right out of the box. The IPS interoperates beautifully with our preexisting switches and routers, and the results were immediate and conclusive," Riley offers. "We knew we made the right decision as soon as we plugged it in."

Today, the TippingPoint IPS proactively protects Redlands' networks, applications, and inbound and outbound traffic from malicious packets at line-rate gigabit speeds. It blocks DoS attacks, spyware, worms, viruses, phishing and Trojans, while allowing legitimate traffic to pass uninhibited. It also protects all network components, such as routers, switches and VoIP systems, from targeted attacks and traffic anomalies.

The system is built on TippingPoint's Threat Suppression Engine (TSE), a specialized hardware-based intrusion-prevention platform consisting of network processor technology and TippingPoint's own set of custom application-specific integrated circuits (ASICs). Through a combination of pipelined and massively parallel processing hardware, the TSE is able to perform thousands of checks on each packet flow simultaneously. The TSE architecture utilizes custom ASICs, a 20-Gbps backplane and high-performance network processors to perform total packet flow inspection at Layers 2-7.

The TSE architecture also enables traffic classification and rate shaping. Sophisticated algorithms baseline "normal" traffic, allowing for automatic thresholds and throttling so that mission-critical applications are given a higher priority on the network.

Most importantly, the days of crippling attacks have ended for the university. "Since we put in the IPS, we have not incurred even one successful DoS attack," Riley says. "The system provides us with complete in-line protection. Even if an attack starts internally, it may hit our switch, but the IPS will stop it."

The IPS also prevents the school's non-critical applications from degrading performance and impeding the flow of important voice, data and video communications. Concurrently, the TippingPoint real-time Digital Vaccine service ensures that the intrusion-prevention system is constantly updated to guard against the latest threats. The service automatically delivers new filters to Redlands' IPSs weekly or immediately in urgent situations, providing a layer of safeguards for servers and desktops and fully inoculating them in virtually every case before an attack.

"The service helps us prevent emerging attacks by recognizing patterns and blocking malicious traffic," Riley says. "It offers the extra measure of protection we need to secure our network."

In addition, because the solution features parallel processing, traffic moves through the IPS with latency of less than 215 microseconds, regardless of the number of filters applied. Thus, a large number of simultaneous incidents will not impede traffic flow, enabling the campus community to continue working without interruption.

"Our Internet connection is now free from intrusions and always available for our users," Riley says. In addition, the university's VoIP solution, which it deployed at one residence hall location about the same time it began using the IPS, has not had one intrusion from a cyber attack, according to Riley. Eliminating attacks has saved thousands of dollars in remediation fees.

The solution also is boosting the productivity of IT staff, enabling them to better support the campus community. "At the height of our outbreaks, we were too busy troubleshooting and fixing infected PCs to help students with applications and other issues. Now we're always there when they need us," Riley says.

IT staff also is able to devote more time to developing applications that benefit the university, Riley adds. The IT department, for example, recently installed virus protection with automatic updates on every university and student machine.

"The TippingPoint system has given us the freedom and time to re-evaluate traffic on a regular basis and give higher priority to high-use applications like VoIP," Riley says. "Most importantly, the system has allowed us to spend more of our valuable time helping the administration and serving the academic community."

For more information from TippingPoint: rsleads.com/607cn-262

Fine-tune your IDS/IPS

by Mitchell Ashley

Intrusion detection and prevention systems (IDS and IPS) are quickly becoming a staple of any enterprise security architecture. The use of prevention features in IPS is on the rise because of the inherent benefits of actually blocking attacks and suspicious traffic. Some fundamentals still apply to successfully rolling out and using IDS/IPS.

Signature-, anomaly- and behavior-based technologies present a confusing mix of technology choices, benefits and disadvantages. The reality is that the lines have become blurred: products oftentimes are presented as one type of technology but actually use a blend of signature, anomaly and behavior techniques.

IDS/IPS projects can run into their first issues just getting into production. Most often, the issue pertains to accurately configuring and tuning the IDS/IPS so that it presents the right depth of information and security alarms without overwhelming staff with additional workload and false positives.

Planning and tuning is essential. Out of the box, IDS/IPS products take the most "cautious" approach and identify any traffic that is a potential threat. Several techniques can help you quickly tune the IDS/IPS to your environment:

Accurate network information. IDS/IPS rely on some essential configuration settings to tell the system about the network(s) they are monitoring. This also includes hosts and applications that should be ignored because specific traffic in these situations is allowable or should not be alerted on. If this information is not correct, then a lot of time can be spent chasing down inaccurate information.

Baselines and wizards. The IDS/IPS will need a baseline of what is considered normal or expected types of traffic, and accepted applications. The manual portion of this effort is for the security administrator to tune the IDS/IPS to identify when traffic is out of bounds. Take into account time-of-day information, as this can affect what is considered normal behavior.

IDS/IPS can also create a baseline, but this will usually require additional tuning and configuration by the security administrator. Tuning wizards can assist by allowing the security administrator to define what is relevant traffic and what is not. If the organization is a Windows-only shop, then Unix or Macintosh types of attacks can be deprioritized.

Alerts and notifications. The usual mistake is to set the alert thresholds too low, which overwhelms staff with too many IDS/IPS alarms. During the tuning period, spend time identifying what conditions would prompt a situation where operations or security staff would get involved. A denial-of-service attack typically requires intervention, but attacks commonly blocked by the IPS do not. Spending time here will help ensure that everyone does not get desensitized to IDS/IPS alerts.
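The three tuning techniques above, worked through in code as an added example (not from the article or any vendor's product): a small alert-triage filter that suppresses known-good traffic from the network information, deprioritizes signatures for platforms the shop does not run, uses a time-of-day baseline so the same packet rate can be normal at noon and a DoS at 3 a.m., and escalates only conditions that need a person. The network prefixes, allowed flows, baseline rates, signature names and alerts are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

# Accurate network information (constructed sample values, not any real network)
MONITORED_NET_PREFIXES = ("10.10.",)
# (source host, destination port) pairs whose traffic is expected, e.g. a nightly backup job
ALLOWED_FLOWS = {("10.10.5.20", 3306), ("10.10.7.8", 445)}
# A Windows-only shop deprioritizes signatures written for other platforms
RELEVANT_PLATFORMS = {"windows", "any"}
# A flow at this multiple of the baseline is treated as denial-of-service-scale traffic
DOS_MULTIPLIER = 10


def baseline_pps(hour: int) -> int:
    """Constructed time-of-day baseline: expected packets per second on this network.
    Business hours are busier, so the threshold for 'out of bounds' moves with the clock."""
    return 4000 if 8 <= hour < 18 else 600


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    signature: str
    platform: str   # platform the signature targets: "windows", "unix", "mac" or "any"
    blocked: bool   # True if the IPS already dropped the traffic
    pps: int        # observed packets per second for the flow


def triage(a: Alert) -> str:
    """Decide what to do with one alert: 'suppress', 'log' or 'escalate'."""
    if not a.dst.startswith(MONITORED_NET_PREFIXES):
        return "suppress"      # not a network we are responsible for
    if (a.src, a.dst_port) in ALLOWED_FLOWS:
        return "suppress"      # known-good traffic per the network information
    if a.platform not in RELEVANT_PLATFORMS:
        return "log"           # cannot affect our hosts; keep the record, page nobody
    if a.pps >= DOS_MULTIPLIER * baseline_pps(a.ts.hour):
        return "escalate"      # DoS-scale traffic needs intervention even if blocked
    if a.blocked:
        return "log"           # the IPS handled it; nobody needs to act
    return "escalate"          # unblocked, relevant attack: someone should look


def summarise(alerts) -> dict:
    """Count alerts per decision; the figure a tuning review looks at."""
    counts = {"suppress": 0, "log": 0, "escalate": 0}
    for a in alerts:
        counts[triage(a)] += 1
    return counts


# Constructed sample alerts from one night and the following afternoon
SAMPLE_ALERTS = [
    Alert(datetime(2006, 5, 1, 2, 0), "10.10.5.20", "10.10.5.30", 3306, "sql-probe", "any", False, 50),
    Alert(datetime(2006, 5, 1, 2, 5), "203.0.113.9", "10.10.1.4", 22, "unix-ssh-exploit", "unix", False, 20),
    Alert(datetime(2006, 5, 1, 2, 10), "203.0.113.9", "10.10.1.5", 445, "smb-worm", "windows", True, 300),
    Alert(datetime(2006, 5, 1, 2, 15), "203.0.113.9", "10.10.1.6", 135, "rpc-exploit", "windows", False, 40),
    Alert(datetime(2006, 5, 1, 3, 0), "198.51.100.7", "10.10.1.1", 80, "syn-flood", "any", True, 8000),
    Alert(datetime(2006, 5, 1, 14, 0), "198.51.100.7", "10.10.1.1", 80, "syn-flood", "any", True, 8000),
    Alert(datetime(2006, 5, 1, 14, 5), "198.51.100.7", "192.0.2.10", 80, "syn-flood", "any", False, 8000),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.ts.time(), a.signature, "->", triage(a))
    print(summarise(SAMPLE_ALERTS))
```

The two syn-flood alerts carry the same packet rate; only the 3 a.m. one crosses the night-time baseline and is escalated, while the blocked afternoon one is merely logged.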

Many IDS/IPS deployments involve placing sensors at multiple locations throughout the network. Perimeter firewalls, core routers, network interconnections and remote sites are all prime locations. This adds an additional set of requirements for managing and operating an IDS/IPS infrastructure.

Aggregating all monitoring into one console is an obvious requirement, but the implications of managing a network of several IDS/IPS products require more. Many of the configuration settings of each sensor are common. Profiling which attacks are relevant, which should be blocked and when alerts should be sent can be common across more than one sensor. Automatic signature or rule updates are also important so that the staff time needed to keep the sensors up to date is minimized.

Understanding what is relevant with all of the data that can be generated by an IDS/IPS is one of the greatest challenges, as well as what should be done about that data. Correlating outside information with IDS/IPS data can add some meaningful information to knowing what is happening and whether those attacks can actually do any harm.

Correlation is a process that typically happens outside of the IDS/IPS system. Data from the IDS/IPS is merged with logs from other devices, such as firewalls. It can also be correlated with vulnerability data to better understand what attacks could or may have actually compromised a system or network device.

New advancements in IDS/IPS have moved much of this correlation into the IDS/IPS itself. Vulnerability data is combined with network inventory data to identify which attacks are directed at devices and ports actually in use, and further, which attacks actually attempt to exploit any vulnerabilities present on devices. Advanced IDS/IPS can be configured to take action, block traffic and alert when these conditions occur.

Reporting is more than just searching, extracting attack data from a database and putting it into a presentable format. Security professionals have come to realize that communicating and demonstrating that the investment in security technologies and resources actually makes an impact are necessary.

IDS/IPS reports should serve many targeted uses. Forensics data is needed to analyze events after the fact. Drill-down reporting details are required to provide the in-depth information needed to analyze attacks, patterns, and points of origin and destination. When multiple IDS/IPS sensors are involved, centralized reporting is required, but retaining the ability to analyze and break out data by sensor network location is important.

The most important report of an IPS is showing which attacks have been blocked and which potentially got through. Correlation of attacks with vulnerability data and device inventory data provides more intelligence about what is happening within the network.
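An added example (not from the article or any IDS/IPS product) of the correlation described above and of the blocked-versus-got-through report: each alert is ranked against a network inventory (is the target a live device, is the targeted port in use) and vulnerability scan data (does the signature exploit a vulnerability actually present on that device), and relevant attacks are then split into blocked and potentially-through. The inventory, the vulnerability identifiers such as "VULN-WEB-1", the signature names and the alerts are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Device:
    ip: str
    open_ports: set        # ports the inventory says are actually in use
    vulns: set             # vulnerability identifiers the scanner found on this device


# Constructed inventory and scan results; "VULN-..." identifiers are placeholders
INVENTORY = {
    "10.10.1.10": Device("10.10.1.10", {80, 443}, {"VULN-WEB-1"}),
    "10.10.1.20": Device("10.10.1.20", {445, 3389}, set()),
}

# Constructed signature catalogue: the vulnerability each signature tries to exploit,
# or None for a signature that only indicates reconnaissance
SIGNATURE_VULN = {
    "web-rce-probe": "VULN-WEB-1",
    "smb-overflow": "VULN-SMB-2",
    "rdp-scan": None,
}


@dataclass
class Alert:
    src: str
    dst: str
    dst_port: int
    signature: str
    blocked: bool          # whether the sensor already dropped the traffic


def correlate(a: Alert) -> tuple:
    """Rank one alert against inventory and vulnerability data.
    Returns (action, reason); action is 'ignore', 'monitor', 'alert' or 'block-and-alert'."""
    dev = INVENTORY.get(a.dst)
    if dev is None:
        return ("ignore", "target is not a device in the inventory")
    if a.dst_port not in dev.open_ports:
        return ("ignore", "target port is not in use on that device")
    vuln = SIGNATURE_VULN.get(a.signature)
    if vuln is None:
        return ("monitor", "live service targeted, but signature exploits no known vulnerability")
    if vuln in dev.vulns:
        return ("block-and-alert", f"device is vulnerable to {vuln}")
    return ("alert", f"exploit attempt for {vuln}, device not vulnerable")


def blocked_report(alerts) -> dict:
    """Relevant attacks (ranked 'alert' or higher) that were blocked versus those that
    potentially got through because the sensor did not drop them."""
    report = {"blocked": [], "potentially_through": []}
    for a in alerts:
        action, _ = correlate(a)
        if action in ("alert", "block-and-alert"):
            report["blocked" if a.blocked else "potentially_through"].append(a.signature)
    return report


# Constructed sample alerts
SAMPLE_ALERTS = [
    Alert("203.0.113.9", "10.10.1.10", 443, "web-rce-probe", False),
    Alert("203.0.113.9", "10.10.1.10", 445, "smb-overflow", False),
    Alert("203.0.113.9", "10.10.1.20", 445, "smb-overflow", True),
    Alert("203.0.113.9", "10.10.1.20", 3389, "rdp-scan", False),
    Alert("203.0.113.9", "10.10.9.9", 80, "web-rce-probe", False),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.dst, a.dst_port, a.signature, "->", correlate(a))
    print(blocked_report(SAMPLE_ALERTS))
```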

Whenever examining new IDS/IPS technology, do not get caught up in the lure of bigger and faster boxes. While multigigabit support might be required on large internal core routers and switches, most network locations require less bandwidth.

While the IDS/IPS should be able to support the needed bandwidth requirements, do not overlook the underlying attack-detection, analysis and blocking capabilities. If the IDS/IPS is not accurately identifying and blocking the correct attacks, doing this faster does not accomplish the end goal.

Spending the time to accurately baseline and profile the network can lead to a much more successful IDS/IPS implementation. Managing a network of multiple IDS/IPS sensors requires enterprise management capabilities. Internal IDS/IPS correlation can significantly increase the value of IDS/IPS. Understanding what data can best help communicate the value of IDS/IPS security investments makes the job of the security staff easier and appreciated more.

Mitchell Ashley is the CTO and vice president of customer experience at StillSecure, Superior, Colo.

For more information: rsleads.com/607cn-251

CLOSE THE SECURITY DISCONNECT

by Brian McCarthy

Phishing, pharming, spam, SPIT, social engineering, identity theft, viruses and other assorted nefarious threats to IT networks and operations continue to proliferate. In response, organizations across all sectors of the economy say they have heightened their security preparedness. Yet, a disconnect remains between talking the security talk and walking the security walk.

For the past three years, the Computing Technology Industry Association (CompTIA) has conducted a study of information security and the workforce. One alarming result has been consistent through each of the three studies. Human error, either alone or in combination with a technical malfunction, is responsible for the majority of information security breaches that organizations experience. In 2005, human error was blamed for four out of every five information security breaches.

Though security software has become increasingly advanced in its ability to detect security threats, hackers are sophisticated enough to reverse engineer patches and launch counter-offensives against vulnerable systems within 48 hours. Even the most sophisticated security software solution cannot fully replace the need for IT security awareness and training in the workplace. Yet, organizations may not be doing all they can to counter the threats.

More than half of the respondents (53%) to the 2005 CompTIA survey indicated that their organization still does not have a written IT security policy. This lack of written IT security policies fosters gaps in security knowledge, especially among end-users. Even at organizations with written security policies in place, enforcement of security policies continues to be a problem for organizations in every sector. Thus, security assurance continues to depend on human actions and knowledge as much, if not more so, than it does on technological advances.

The recognition of professional security certifications can help to focus attention on best practices in IT security. The greater the number of IT professionals trained and certified in security best practices, the better organizations will be prepared to protect their data, intellectual property and investment in technology. According to the study, among those organizations that have invested in staff security training, 84% say that their security has improved, up 18% from two years earlier.

Seventy percent of those who have invested in IT security certification also say security has improved in terms of better potential risk identification, increased awareness, improved security measures and a generalized ability to respond more rapidly to problems. Further, 89% of respondents reported that major security breaches have been reduced as a result of IT security training.

Brian McCarthy is chief operating officer for the Computing Technology Industry Assn.

IPS protects ever-changing show floor

New York City's Javits Center is one of the nation's best-known convention and expo centers, its one million square feet of exhibit space playing host each year to hundreds of events. Since opening in 1986, Javits has hosted more than 2,400 events, nearly 1,400 of which were major trade shows or conventions. Over time, the expectation from attendees, and especially from exhibitors for whom these events are critical moments in their business, is the delivery of unimpeded, reliable Internet access. Javits provides this access as part of exhibition fees, so it is a major revenue source for the center.

Delivering unimpeded Internet access to Javits exhibitors can threaten network availability, and also endanger the hardware of other exhibitors. At first blush, this seems similar to any enterprise, but unlike most enterprises, Javits has zero control over the devices that are attached at each port.

Lou Martorella, Javits' network manager, was dealing with regular outages; on days of major events, these outages were numerous. "This was typically due to exhibitors unknowingly connecting infected machines to the network," Martorella says. "We would generally hunt down the offending device and block it, or physically remove it from the network."

During this non-stop hunt, however, network performance was degraded or completely stalled, frustrating other customers. Further compounding the issue, the network landscape would change from moment to moment, and a new offending device was usually presenting itself shortly. Commonly seen were pests such as SQL Slammer, Smurf and SYN-flood variants, and it was seemingly endless.

Martorella says he was literally playing "network cop," sometimes five or six times a day, and countless hours were being lost hunting down and stopping malicious network traffic. Due to the technical and administrative issues this was causing, Martorella began searching for a comprehensive solution, in conjunction with Javits management.

Initially, Martorella deployed a firewall solution, but it presented administrative and management challenges. The needs and demands (by port, by protocol and by application) varied by exhibitor, by show, and even over time. That is before considering that even an authorized application on an authorized device can still become infected and wreak network havoc. So, Martorella realized a firewall was untenable.

Javits' network has a primary DS-3 Internet connection supplied by AT&T.

"The IPS (intrusion-prevention system) approach was very attractive," offers Martorella. "The idea of plugging a device inline that would inspect network traffic and drop malicious packets on the fly, before they bogged down the LAN, seemed the perfect approach for our ever-changing network." So, Martorella and his team began evaluating IPS solutions from several vendors.

Beyond the goal of assuring connectivity for exhibitors, their requirements included deep-packet inspection techniques, strong distributed-denial-of-service (DDoS) protection mechanisms, rich security logging, and fail-open capability, since the device would be inline. Additionally, they wanted to avoid any requirements, such as creating access control lists, due to the dynamic nature of the network and the impact on their switches and routers.

Essentially, the solution had to keep the network as flexible and unrestricted as possible and quickly mitigate attacks before they proliferated. It was also imperative that the network's performance not be degraded by the solution.

After the evaluations, Martorella's team decided to try a Top Layer Networks Attack Mitigator 3501 inside the production environment. The device was installed on the inside of the Javits router. "Configuring and installing the device was relatively easy and took about half an hour," Martorella explains.

No technical changes were required, as the device connected inline between the router and switch. After this production test, Javits decided to purchase and permanently install the device. Javits has since upgraded to the 5500 version of the product.

"The solution of using an inline device has been working very well overall," according to Martorella, "and has nearly eliminated any need to chase down network ghosts, while still giving exhibitors and other customers the free rein they need over their Internet connectivity."

One glitch that presented itself was that exhibitors using remote SQL services to update remote databases sometimes triggered false positives on the device. This requires an administrator to add trust relationships to the device to prevent those false positives.

Taking the inline IPS approach has saved Javits money by considerably reducing the number of exhibitor refunds related to network outages. The approximate cost for the deployment was $35,000. The primary justification for the initial investment was the time and revenue being lost due to network outages. Javits also required a network that came as close to 99.999% reliability as possible for all users to help build the center's reputation for offering customers rock-solid network availability.

Beyond the actual vendor or device chosen, Martorella says the technical model of using an active, inline intrusion-prevention device proved to be the right approach due to the variability of the network environment and the total lack of control over the devices.

For more information from Top Layer Networks: rsleads.com/607cn-250
