Published: 01 Apr 2008
A new breed of integrated technology takes Web-based malware off the menu.
"If we had a big problem, we would literally have to drive out to the location, spend a day or maybe even a night depending on how far away it was, to clean off the virus and get the machine back into operational state," Stump says.
And infested PCs were becoming all too common as employees took advantage of broadband access to surf the Internet, download MP3s and visit MySpace. Traditional antivirus software wasn't catching the malware that came with the unauthorized Web browsing. Each store has a PC which, among other things, 15 to 30 employees use to clock in and out, and which managers use for email, reporting and other applications.
Today, though, malware outbreaks are rare and productivity is up. Two years ago, Roundtable began using ScanSafe managed services to control employees' Internet access and ward off spyware and viruses. "The first year, we saved about $100,000 in support costs...that was with 31 stores," Stump says. Roundtable now has 46 stores in Texas, New Mexico and Oklahoma, with plans for more.
The threat landscape has shifted in the past few years to Web-based malware, leading companies such as Roundtable to bolster their security with a newer breed of technology, Web security gateways. In much the same way antivirus gateways were overtaken by multifunction secure email gateways, Web security gateways combine several existing technologies and features offered by point solutions. Instead of having separate devices for URL filtering, malicious code filtering, instant messaging and other application controls, Web security gateways provide a single high-performance security gateway that shares a common threat database and policy management framework. The Web security gateway market is a mix of software and appliance vendors as well as managed service providers like ScanSafe.
A report by Google in February highlighted how risky Web browsing has become: over a period of 18 months, it found more than 3 million unique URLs on more than 180,000 Web sites that automatically install malware. Even legitimate Web sites can distribute malicious code. The growing use of AJAX technology and third-party ads is increasing a Web page's attack surface and the chances that insecure content can be inserted into it. Since Web access requires network firewalls to leave HTTP port 80 open, it's an obvious entry point for launching an attack, and one that firewalls struggle to control.
For many network administrators, this increased risk is manifesting itself in increased bot infections and support calls from users struggling with spyware-infected machines. Also, if employees are hit by drive-by download attacks, the network quickly becomes infected, which can lead to the loss of corporate data and network resources. Combine this with various laws that make businesses liable for privacy, data protection and governance, and organizations are looking beyond URL filtering to improve the protection of their users and data.
Let's take a closer look at how Web security gateways work to provide comprehensive network protection against damaging and often automated threats.
A Web security gateway is a multifunction solution that filters unwanted software and malware from user-initiated Internet traffic while enforcing corporate policy compliance. To accomplish this, Web security gateways use URL filtering, malicious code detection and filtering, and controls for Web-based applications such as IM and Skype.
It's important to clarify the purpose of a Web security gateway: to protect clients on the internal network and their users from infection while surfing the Web and enforce company policies. This is different from a Web application firewall, which is designed to protect Web sites and Web applications from attack. Web application firewalls aim to prevent attackers from directly exploiting vulnerabilities within a Web application to upload their malware code, while Web security gateways provide an additional layer of defense for clients using vulnerable browsers open to malware exploits. Three main technologies provide an extra layer of defense:
ONE PRODUCT, MANY ADVANTAGES
Another big advantage with an integrated solution is that information can be pooled. The Web security gateways can cross-compare information to make a more informed decision as to whether traffic is potentially malicious. This makes traffic control, analysis and reporting far more effective.
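To make the pooling idea concrete, here is an added example (not code from the article or from any gateway vendor) of a toy policy engine that combines a URL category, a host reputation score, a scanner verdict and a file-type check into one decision. The hostnames, categories, reputation values and the two-indicator threshold are all constructed assumptions; the point is that two weak signals that would each be allowed on their own add up to a block when they are evaluated together.

```python
"""Added example: pooling several signals about one Web request into a single
gateway decision. All sample data below is constructed, not real."""
from dataclasses import dataclass, field

# Constructed stand-ins for a shared threat database. Hostnames are hypothetical.
URL_CATEGORIES = {
    "news.example": "news",
    "social.example": "social-networking",
    "cdn.example": "uncategorized",
}
BLOCKED_CATEGORIES = {"social-networking"}          # company policy (assumed)
# Hypothetical reputation score: 0 = clean, 100 = known bad; unknown hosts get 50.
REPUTATION = {"news.example": 5, "social.example": 10, "cdn.example": 70}


@dataclass
class Request:
    host: str
    path: str
    content_type: str        # type declared by the server
    body: bytes              # first bytes of the response
    av_verdict: str          # "clean", "suspicious" or "malicious" from the scanner


@dataclass
class Decision:
    action: str              # "allow" or "block"
    reasons: list = field(default_factory=list)


def file_type_matches(content_type: str, body: bytes) -> bool:
    """Compare the declared type with the actual magic bytes of the content."""
    if body.startswith(b"MZ"):           # Windows executable
        return content_type in ("application/octet-stream", "application/x-msdownload")
    if body.startswith(b"%PDF"):
        return content_type == "application/pdf"
    return True                          # other types: nothing to contradict


def evaluate(req: Request) -> Decision:
    """Hard rules first, then a pooled score over individually weak indicators."""
    reasons = []
    category = URL_CATEGORIES.get(req.host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        reasons.append(f"policy: category {category} is blocked")
    if req.av_verdict == "malicious":
        reasons.append("scanner: malicious code detected")

    # Pooled decision: none of these alone justifies a block, two together do.
    score = 0
    if req.av_verdict == "suspicious":
        score += 1
    if REPUTATION.get(req.host, 50) >= 50:
        score += 1
    if not file_type_matches(req.content_type, req.body):
        score += 1
    if score >= 2:
        reasons.append(f"pooled: {score} weak indicators agree")
    return Decision("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # An executable served as "text/html" from a poorly rated host, flagged only
    # as suspicious by the scanner: each signal is weak, together they block.
    print(evaluate(Request("cdn.example", "/x", "text/html", b"MZ\x90\x00", "suspicious")))
    # The same host serving a correctly declared download with a clean verdict is allowed.
    print(evaluate(Request("cdn.example", "/x", "application/octet-stream", b"MZ\x90\x00", "clean")))
```

Separate URL-filtering, antivirus and content-type devices would each see only one of these signals and, on the sample above, each would let the request through; the single gateway blocks it because the three observations reach the same policy engine.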
CAN THEY DELIVER?
So how viable are Web security gateways as a catch-all security solution? It's a tricky mix of services to get right, in terms of security, performance and ease of use. The challenge with deploying any Web gateway is that unlike email, which is asynchronous, the HTTP protocol is real-time and thus processing for a Web gateway must scale well. The analysis processes sit in the way of traffic and directly impact the end user's Web experience.
To be scalable, policy synchronization between devices and multiple network deployment options are necessary. Given the wide-ranging tasks of a Web security gateway, reliability will be a key factor too. At present, none of the products has been around long enough for there to be any reliable data to help with this decision. Certainly due to the volume of traffic on an enterprise network, only hardware or service-based models are real contenders.
Controlling applications such as IM, VoIP and P2P remains a challenge for Web security gateways. Proxy servers, long seen as the most secure solution to application control, just can't handle the all-ports and all-protocols requirement of a true Web gateway. The latency is too high, particularly when it comes to handling Web pages. There is also the overhead of configuring every client and every protocol to go through a proxy. The processing speed required to handle this type of deep-packet inspection is enormous, but many Web security gateway devices claim to handle enterprise-level volumes without a visible impact on network performance.
One of the big problems that Web security gateways must overcome in trying to provide blanket protection to network users is the issue of semantic interpretation: how to put the traffic it is analyzing into some sort of context. This problem is called "impedance mismatch." For example, the word "present" can have different meanings, depending on context. Regular expression matching, which most solutions use, is prone to impedance mismatch. Consequently, it's not completely effective when inspecting data for common signs of malicious code; it is both easy to evade and very prone to false positives.
Somehow, Web security gateways need to interpret inbound data the same way the browsers they protect do. What is needed is a script engine, so that the device sees the final executed code, after any obfuscation has been removed, in the same form the browser would execute it. Hopefully, we will see this form of dynamic analysis in the next generation of security devices.
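The impedance mismatch described in the two paragraphs above can be shown in a few lines. The following is an added example, not code from the article: a byte-level regular expression applied to a whole page produces a false positive on a paragraph that merely talks about a function, and a false negative when a script builds the same call out of string pieces or hex escapes that the browser resolves at run time. A second scanner narrows the check to the text a browser actually executes (the contents of `<script>` elements) and undoes those two cheap transformations first. The sample pages, the `document.write(` signature and the `normalize_js` helper are constructed assumptions; a real engine would execute the script rather than approximate it statically.

```python
"""Added example: the same signature applied byte-wise to a page versus applied
to what the browser would execute. Sample pages below are constructed."""
import re
from html.parser import HTMLParser

# Stand-in for a code signature a regex-based filter might carry.
SIGNATURE = re.compile(r"document\.write\(")

# Constructed pages. PROSE_PAGE only mentions the function in text.
PROSE_PAGE = "<html><body><p>Tip: avoid document.write() in modern pages.</p></body></html>"
# HIDDEN_PAGE assembles the call from string pieces at run time.
HIDDEN_PAGE = "<html><body><script>eval(\"docu\" + \"ment.write('x')\")</script></body></html>"
# HEX_PAGE hides the first letter behind a \xNN escape inside a string literal.
HEX_PAGE = "<html><body><script>eval(\"\\x64ocument.write('x')\")</script></body></html>"


def naive_scan(page: str) -> bool:
    """What a regex-only filter sees: raw bytes, no notion of context."""
    return SIGNATURE.search(page) is not None


class ScriptExtractor(HTMLParser):
    """Collect only the contents of <script> elements: the text a browser runs."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")   # \xNN inside a JS string literal
_CONCAT = re.compile(r'"\s*\+\s*"')          # "abc" + "def"  ->  "abcdef"


def normalize_js(code: str) -> str:
    """Static approximation of two things the browser resolves at run time.
    Assumed helper: a real gateway would hand the script to a script engine."""
    code = _CONCAT.sub("", code)
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), code)


def context_scan(page: str) -> bool:
    """Apply the signature only to script content, after normalization."""
    parser = ScriptExtractor()
    parser.feed(page)
    return any(SIGNATURE.search(normalize_js(s)) for s in parser.scripts)


if __name__ == "__main__":
    for name, page in [("prose", PROSE_PAGE), ("hidden", HIDDEN_PAGE), ("hex", HEX_PAGE)]:
        print(f"{name:6} naive={naive_scan(page)!s:5} context={context_scan(page)}")
```

The naive scanner gets all three pages wrong in one direction or the other; the context-aware one gets them right, but only for the two transformations it knows how to undo, which is exactly why the article argues for executing the script rather than pattern-matching it.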
PLUGGING DATA LEAKS
The increasing number of ways users can communicate or move data online makes controlling data leakage a key objective for most administrators. While information escaping the organization has always been a problem, the depth and breadth of the problem has changed dramatically. Data leakage can occur by accident or because of poor business processes, but increasingly, malware of some form or another is sending it out through the network.
Web security gateways can certainly help in this area by monitoring the types of files going through the network perimeter and scanning documents for phrases and terms that could potentially cause data leakage. Coordination of content policy across all communication channels is a lot more efficient when they're all passing through one box.
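The two checks this paragraph names, the type of file crossing the perimeter and the phrases inside it, look like the following in practice. This is an added example, not the article's or any product's code: it identifies the real file type from magic bytes instead of the file name, flags executables leaving the network, and scans text for a constructed list of sensitive phrases plus card-number patterns validated with the Luhn checksum so that arbitrary digit runs do not raise alerts. The sample uploads, the phrase list and the hostnames are constructed.

```python
"""Added example: outbound content checks of the kind a Web security gateway
applies to uploads. All sample data is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Upload:
    host: str          # destination (hypothetical)
    filename: str      # name the client gave the file
    body: bytes        # file content


# Magic-byte signatures: the declared extension is not trusted.
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe")]

# Constructed policy list of phrases that mark a document as sensitive.
SENSITIVE_PHRASES = ["internal use only", "confidential"]

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def sniff_type(body: bytes) -> str:
    """Classify content by its leading bytes rather than by file name."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "text" if body[:512].isascii() else "binary"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(upload: Upload) -> list:
    """Return a list of policy findings; an empty list means the upload is clean."""
    findings = []
    kind = sniff_type(upload.body)
    ext = upload.filename.rsplit(".", 1)[-1].lower()
    if kind in ("exe", "zip", "pdf") and kind != ext:
        findings.append(f"type mismatch: named .{ext} but content is {kind}")
    if kind == "exe":
        findings.append("executable leaving the network")
    if kind == "text":
        text = upload.body.decode("ascii", errors="replace").lower()
        for phrase in SENSITIVE_PHRASES:
            if phrase in text:
                findings.append(f"phrase: {phrase}")
        for card in find_card_numbers(text):
            findings.append(f"card number: {card[:6]}...{card[-4:]}")  # never log it whole
    return findings


if __name__ == "__main__":
    # Constructed samples: an executable renamed to look like a PDF, and a note
    # containing a marked phrase plus the public Visa test number.
    print(inspect(Upload("share.example", "report.pdf", b"MZ\x90\x00\x03")))
    print(inspect(Upload("share.example", "notes.txt",
                         b"Internal Use Only: card 4111 1111 1111 1111")))
```

The Luhn step is what keeps a report useful: without it, every order number, timestamp or phone number of the right length becomes a "leak", and administrators stop reading the alerts.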
As part of the process of reducing data leaks, users need to be made aware of the risks of Web 2.0 in the same way most have been told of the dangers of email attachments from unknown sources. Web security gateways that capture traffic on all ports and protocols can produce an excellent evidence chain to help challenge risky user behavior. To do this, they need to provide clear and concise reports of consolidated data; an outstanding feature of Mi5's Webgate is its reporting. Another tool to stop data leakage, provided by Webgate and other Web security gateways, is identification and remote remediation of infected PCs.
One area that has always been a bit of a blind spot when it comes to data analysis is SSL traffic. SSL decryption requires that the SSL certificate be imported into the device so that it can decrypt and inspect SSL traffic. This obviously incurs heavy overhead. Most Web security gateways still require an SSL proxy engine to be added separately to handle SSL-encrypted traffic.
The attraction of this approach is that it costs a lot less than trying to provide top-down security. But it requires a mature user base and may not fully address the data leakage problem. Web security gateways allow an organization to apply security policies to data on a network while still tackling the dangers of external threats. Outbound traffic control is increasingly important, and for those who think deperimeterization is too bold, the Web security gateway has many benefits, particularly the convergence of security and systems management.
Roundtable's Stump plans to roll out ScanSafe to the additional Dairy Queen stores the company plans to open in the coming months. The service is easy to manage over the Web, allowing him and his team to enable or disable URLs and types of Web sites, like social networking ones. Limited to little else than the company's domain, employees now have no choice but to comply with corporate policy. "We let them get weather and that's about it," Stump says.