NETWORK SECURITY: Slam It, Shut It, Protect It

VoicenData Bureau
Updated On
New Update

Typically, because a virus outbreak really only makes news when it reaches critical mass in terms of attacks, an important point is often overlooked: A business is at risk as soon as a virus is discovered, not just once a full-blown attack occurs.


Large-scale interruptions are a reflection of a full-blown attack. However, if enterprises nullify this threat proactively at the stage it is discovered, the window of vulnerability will be shortened considerably. ‘Window of vulnerability’ is the time period that elapses from the point of discovery to the time the fix has been deployed on all machines on the network.

Staff tasked with protecting their organization face a ‘double whammy’. Variant strains of a virus serve to maintain the window of vulnerability, while their increasing speed of spreading makes them harder to defend against. As an example of the latter, it is estimated that in 1991 it took the Michelangelo virus some six months to infect a network to a significant degree. By 2001, it took CodeRed/Nimda just an hour.

An examination of the recent SQLSlammer virus spread is also interesting. A group including CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE released a recent analysis on it. According to the analysis, the SQLSlammer worm (also known as Sapphire) was the fastest worm to date, requiring roughly 10 minutes to spread worldwide. In the early stages, the number of computers infected with the worm was doubling in size every 8.5 seconds. By comparison, Code Red doubled in size every 37 minutes.


At its peak, which it achieved approximately three minutes after it was released, SQLSlammer scanned the Net at over 55 million IP addresses per second. It infected somewhere between 75,000 and 250,000 servers, bringing down ATM machines, causing havoc for websites worldwide and causing packet loss of 20 percent on the Internet due to the volume of Internet traffic it generated.

The vulnerability in Microsoft SQL Server of which SQLSlammer took advantage was first discovered in July 2002. This means that the window of vulnerability was six months. Hence, the traditional, reactive response based on patching is no longer sufficient.

Proactive threat protection is the way out. Existing networks are frequently ‘hard on the outside and soft on the inside’. A network with proactive threat protection is sometimes described as ‘hard and crunchy on the inside’.


Under the existing model, the perimeter firewall continues to be critical to the organization. And, as is the practice, the gateway virus protection still blocks the majority of threats coming into the network. Should the threat get past these barriers, many organizations are wide open and vulnerable to attacks.

Let us step back a bit and understand how threats can get around the standard barriers. There are many ways. Wireless networks may allow unauthorized users access to your network. PDAs may synchronize more than their data. Mobile phones with built-in e-mail walk through the door past security with barely a glance. Even rogue computers, such as employee’s home laptops and visitors’ computers, can connect to the network while carrying a virus ready to wreak havoc on your network.

So how do we harden the network from the inside?


The ideal proactive threat protection strategy would be to add the following solutions: desktop firewalls that will limit the spread of non-email viruses within the organization; integrated viral vulnerability assessment that will find which servers and desktops are open to attack; intrusion detection that will find out where the hackers are getting in and finally forensics that will find out how they got in.

Other than this, the proactive threat protection strategy will be fortified further by using behavioral analysis and advanced detection. Among other things, this will enable the company to detect new malicious code, encrypt its server-to-server traffic and thereby protect its sensitive data and use spam blocking to block pornography and e-mails that waste employee time.

Further, and most importantly, it will limit the ability of rogue computers and wireless devices to connect to the network and add detection of those that try to.


On top of all of this, it is critical to have management level reporting to give a high-level picture of network vulnerability and clearly understand what needs to be done to protect the network.

There is still much work to be done. A recent survey of Asia-Pacific businesses reported that while 98 percent had anti-virus software, only 21 percent were using personal desktop firewalls. In organizations deploying them, they are often only protecting the most vital computers such as senior management, finance, and IT servers. Few organizations have deployed them throughout the network. This means the bulk of desktops are still exposed.

Just as ‘defense in depth’ works for the military, so it can work for organizations too. That will reduce the overall window of vulnerability.

Lee Boon Kuey, managing director (Southeast Asia and India), Network Associates