As I said before, if you want to stop blended threats like Mydoom and others, the best way to do so is to secure the perimeter by preventing an attack before it has a chance to infiltrate your network. That is best done on the edge, IN FRONT OF THE ROUTER, but for a number of reasons no one has attempted it. Of course, if you tried to do it on the router it would degrade performance 60-70% which is not a good solution. One other big issue is having the scalability to inspect every packet entering and leaving a network (router) with minimal latency. Finally, being able to effectively detect and prevent anomalous traffic from entering a network requires sophisticated algorithms. You have to have minimal false positives and no false negatives. In other words, the last thing a Chief Security Officer wants to be blamed for is screwing up a large multi-million dollar transaction for a business unit by blocking it from entering or leaving the network. Therefore, many CSOs are willing to just have the detect function turned on instead of solely relying on technology to make decisions about what is good and what is bad traffic. Of course, given the proliferation of complex viruses and blended threats, we are seeing more and more security teams moving from detection to prevention.
Before we dive further into securing the perimeter, let’s first understand how Mydoom works. Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and also tries to randomly generate or guess likely email addresses to send itself to. It also leaves a backdoor wide open for hackers to take control of the machine to steal user information or start spam campaigns or DDoS attacks. The kicker is that these new viruses typically send email messages using a built-in messaging or SMTP system bypassing the normal messaging host on a computer and therefore bypassing any antivirus software you may have installed. This sounds pretty nasty, doesn’t it? The amount of inbound and outbound email traffic can easily bring your network down leading to lost revenue and lost productivity. The fact that it leaves a back door open for nefarious uses could be even more damaging. For example, someone could use millions of infected computers to launch a DDoS (Distributed Denial of Service) attack on you bringing down your transactional web site.
In my opinion, an effective security solution would sit on the edge, prevent anomalous traffic and malformed packets from entering or leaving a network, and provide capable antivirus technology. In other words, you would buy an integrated security solution that includes a firewall, intrusion prevention, DDoS, and gateway antivirus technology that can sit in FRONT OF THE ROUTER. Therefore the only data that should be traversing your network is good, clean data and all of the bad stuff, ingress and egress, is left behind and dropped. I have spent a fair amount of time during the last few years looking at this problem. During the last 3 months, I have been working closely with one company that can offer customers all of the above. Please check back in the near future to learn more about it. Of course, if you have come across any companies that fit the bill, I would love to hear from you.