Modern networks can be attacked in a variety of ways, meaning that companies need different types of protection. This article explains some of the risks involved, and provides some easy ways to deal with them.

Consumerisation is a problem facing every IT department. Once upon a time, home and corporate computing were entirely separate. During the eighties, the PC was purely a business tool. Then, during the nineties, it became the primary machine for home use as well. During the following decade, the Internet took many applications into the cloud. Today, employees use the same computer and browser architectures at home, as they do at work. This has blurred the lines between computing at home and at work—and has created some unique security challenges in the process.

Dazzled by the Web 2.0 sites that permeate their lives at home, employees want the same comforts in the office. Modern web sites offer far more than the one-way Internet experience so common in 1995, where users simply read the information on web sites.

A new and dangerous web

Instead, today’s web offers a bidirectional, many-to-many experience, in which users are encouraged to participate by submitting their own content. Sites ranging from social networks to online photo sharing services invite users to submit their own information, and even to chat in real time. Facebook, LinkedIn, Wikipedia, Flickr and a panoply of other sites fall into this category.

These technologies have bought small to medium-sized businesses the same benefits as their larger counterparts. Online applications, advanced search capabilities, and real-time messaging technologies enable them to build scalable, highly-responsive technology infrastructures to support their businesses. Virtual teams of contractors can now be assembled easily with a collection of free instant messenger clients and a cheap account on a collaborative web site, for example.

However, these benefits come at a cost. Many web 2.0 sites have repeatedly been found wanting in terms of security. More functionality breeds more vulnerabilities, and attackers have been quick to exploit them.

Malicious software (malware) that infects computers and connections spreads via a variety of channels, including hacked web sites, email, social networks, and instant messenger programs. Even simple search results are being ‘poisoned’ by search engine optimisation experts who want to direct unwitting users to malicious web pages instead of legitimate ones.

The dangers extend to the unintended egress of information. Employees may inadvertently send sensitive data outside the company via several channels. Pasting customer information into an email is one example, although it can also be pasted into web 2.0 sites, or sent via instant messaging programs.

An example of the danger: real-time chat

The encroachment of real-time chat into corporate networks began as long ago as 1996-7, when Mirabilis launched the ICQ chat service, and AOL launched its Instant Messenger program. The software began creeping onto corporate desktops without IT’s permission.

That’s the problem with the corporate desktop; it is very difficult to manage effectively. For SMBs especially, who often have a surfeit of IT expertise, trying to lock down desktops is a challenging task. Even those organisations with the wherewithal to do it risk irritating employees who want those comforts on the desktop.

With instant messaging becoming an important work tool, it could even be deemed counterproductive for companies to ban it from the desktop altogether. AOL Instant Messenger, MSN Messenger, and Skype are all useful for business purposes, as are other programs such as Google Talk.

The irony underlying most instant messaging programs is that while legitimate, they act like malicious software. They are designed to get around network firewalls that might try to block them, by ‘port hopping’ - effectively trying different digital ‘doors’ separating a company’s network from the public Internet, until they find one that is unlocked.

The problem of real-time chat as a potential attack vector has been exacerbated with the introduction of web-based online chat mechanisms that need no desktop client at all. Facebook’s built-in instant messaging feature is a good example of this.

Defence in depth

SMBs with little resource to spare for complex IT security therefore find themselves battling not only real, external threats, but also their own well-meaning employees. They need simple, turnkey solutions to secure their networks, but as we’ve seen, the threats operate at multiple levels. For this reason, security products for SMBs should provide multi-layered protection (otherwise known as ‘defence in depth’ to protect all of the available channels.

Defence in depth goes beyond the traditional firewall, which has historically been the main method used to protect the corporate network. These devices did little more than block specific ports on a network to stop external attackers from using them to attack a company’s computers. They did nothing to analyse the actual content of the traffic passing over the company’s network connection.

Unified threat management appliances monitor the network for a variety of threats by combining smart firewall technology with email and web content scanning. They can be programmed with rules that stop employees from doing specific things on the Internet at particular times, and can look for suspicious traffic flowing over the network.

Protecting the network

Network security features heavily in UTM systems, which build on traditional firewall systems with a host of new features. Modern UTMs feature ‘stateful’ packet inspection, which not only monitors specific ports, but also watches what traffic passes through them over time.

This ability to watch the traffic passing across the network also allows modern network security products to offer intrusion detection and prevention (IDP) capabilities. The security device monitors network traffic activity to look for patterns that could indicate an attack.

An example of a malicious pattern might be a single PC in the organisation which suddenly begins rapidly contacting other PCs using a single port, which could indicate a rapidly spreading piece of malware. The IDP database is constantly updated with new patterns identified by the vendor of the device as new vulnerabilities and attacks appear.

Modern network security devices also feature application firewall capabilities. This uses a technique known as deep packet inspection to look inside the small ‘envelopes’ of data that flow over an Internet connection. By examining the content of these packets, a device can determine the type of traffic that they are. They may be video, VoIP, or web traffic directed at a particular application on the company’s network. By analysing the packets, the device can determine whether they are performing legitimate tasks.

Higher-level protection

Multi-layered devices also monitor the content of those packets for warning signs, enabling them to scan incoming and outgoing emails for suspicious content. This enables an organisation to stop spam messages from reaching recipients, using a mixture of spam signatures updated by the vendor, and intelligent heuristic techniques that allow the device to estimate the likelihood of a particular email being spammy.

Finally, web security works to protect users both at a content prevention and a URL filtering level. It watches the URLs that users attempt to visit, and can block known malicious sites (such as phishing destinations, or ‘drive-by download’ sites) before the user’s browser has a chance to download malicious or inappropriate content. URL filtering has the added benefit of enabling a company to implement policies controlling social network use. Perhaps managers only want users visiting Facebook pages during their lunch hour, for example.

Web security mechanisms will also scan content, watching for content such as pornography, and for malicious code contained on a webpage that might compromise a user’s computer.

Covering all your bases

It is easy to see how these functions work in unison with each other. For example, attackers often use email to send malicious URLs to users. These may be spotted by email protection functions within a unified threat management system or Internet security appliance. However, if they slip through, they will be caught by the web filtering mechanism, making it doubly hard for attackers to compromise users. Anti-virus mechanisms built into the device will also scan for malware separately, providing yet another level of protection.

Defence in depth is a crucial technique for any modern SMB that wants to protect itself against intrusion. Condensing multi-layered protection into a single device, updated by the vendor, provides the best protection for resource-constrained companies.

Modern Internet security is an exercise in probability. It is impossible to guarantee 100% security—a determined hacker may still be able to gain access to a company’s system. But the more points protection that a company covers, the more likely it is to fend off the majority of generic attacks on the Internet. Can you afford not to cover your bases?