Messaging News Magazine
Threat Evolution and the Changing Face of Network Security

By Peter B. Danzig, Ph.D.

Spam, viruses, spyware, and phishing all have one thing in common: they make profitable businesses. And these profits create an incentive for innovation on the part of the perpetrators. As a result, the Internet community has experienced an escalating game of "spy vs. spy" in which network security companies introduce security technologies and, in short order, the threats grow in sophistication to find a new way into the network.

This threat evolution has led to the development of network security devices. A modern network can now consist of layers of security including packet filtering firewalls, Intrusion Prevention Systems (IPS), and an emerging class of application layer devices known as security gateways. A security gateway is an application layer proxy, optimized for content inspection and analysis. An application layer proxy terminates the TCP connection originating from the client and initiates a new TCP connection to the destination server. Because it is a full application server, the proxy maintains complete awareness of the application and can evaluate the data stream in its full context.

SMTP Gateways

The most obvious use of gateway security is in email. The vast majority of email systems use a dedicated SMTP proxy, often referred to as a "relay" or MX (mail exchanger), as a gateway device. Email is a natural protocol for a gateway device, because the store-and-forward nature of email allows these devices to easily perform the proxy function of accepting mail on behalf of a downstream server, such as Microsoft Exchange. There has been tremendous innovation in the security systems integrated with SMTP gateways: devices tuned to stop spam, viruses, phishing, and denial of service attacks.
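The two paragraphs above describe what makes a gateway different from a packet filter: it terminates the client's session, accepts the whole message on behalf of the downstream server, and inspects the content with full application context before forwarding it. The following is an added example, not code from the article, that models that store-and-forward SMTP gateway in miniature. The session class speaks enough SMTP to accept a message, the inspection function parses the complete MIME message and decodes attachments, and only an accepted message is handed to `relay`, which stands in for the new TCP connection to the downstream server. The blocked extension list, the (empty) threat database of attachment digests, and the sample message are all constructed for the example; a real deployment would drive `GatewaySession` from a socket server and relay with a real SMTP client.

```python
"""Minimal store-and-forward SMTP gateway core (added example, not the article's code)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Hypothetical gateway policy: attachment types the gateway refuses to relay, and a
# toy shared threat database of attachment SHA-256 digests (empty here; a real one
# would be fed from a threat feed shared with the other gateways).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd"}
KNOWN_BAD_SHA256 = set()


def attachment_digests(msg):
    """Yield (filename, sha256) for every attachment, after transfer decoding."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        yield part.get_filename() or "", hashlib.sha256(data).hexdigest()


def inspect_message(raw):
    """Inspect one fully received message; return ("relay" | "reject", reasons).

    Because the gateway holds the whole message, it sees decoded attachments
    rather than fragments of base64 spread over packets.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for name, digest in attachment_digests(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked attachment type: " + name)
        if digest in KNOWN_BAD_SHA256:
            reasons.append("known-bad attachment digest: " + digest[:12])
    return ("reject" if reasons else "relay", reasons)


class GatewaySession:
    """Speaks SMTP to the client on behalf of the downstream server.

    The client never reaches the real mail server: the gateway stores the
    message, inspects it, and only then forwards it via `relay(envelope, raw)`.
    """

    def __init__(self, relay):
        self.relay = relay
        self.reset()

    def reset(self):
        self.sender, self.recipients, self.in_data, self.buffer = None, [], False, []

    def handle_line(self, line):
        """Process one line from the client and return the reply ("" while in DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                raw = "\r\n".join(self.buffer).encode()
                envelope = (self.sender, list(self.recipients))
                verdict, reasons = inspect_message(raw)
                self.reset()
                if verdict == "reject":
                    return "550 5.7.1 Message rejected: " + "; ".join(reasons)
                self.relay(envelope, raw)  # the "forward" half of store-and-forward
                return "250 2.0.0 Message accepted for delivery"
            # Undo SMTP dot-stuffing: a leading "." was doubled by the client.
            self.buffer.append(line[1:] if line.startswith(".") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 gateway.example"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[-1].strip()
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            self.recipients.append(arg.split(":", 1)[-1].strip())
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if self.sender is None or not self.recipients:
                return "503 5.5.1 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def build_sample(filename):
    """Construct a small test message carrying one attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("please see attached")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def smtp_dialogue(raw):
    """Wrap a raw message in the client-side SMTP commands that would carry it."""
    body = [("." + l) if l.startswith(".") else l for l in raw.decode().splitlines()]
    return ["EHLO client.example", "MAIL FROM:<sender@example.test>",
            "RCPT TO:<user@example.test>", "DATA", *body, ".", "QUIT"]


def run_session(lines):
    """Feed client lines through one session; return (non-empty replies, relayed messages)."""
    relayed = []
    session = GatewaySession(lambda envelope, raw: relayed.append((envelope, raw)))
    replies = [r for r in (session.handle_line(l) for l in lines) if r]
    return replies, relayed


if __name__ == "__main__":
    for name in ("invoice.exe", "invoice.pdf"):
        replies, relayed = run_session(smtp_dialogue(build_sample(name)))
        print(name, "->", replies[-2], "| relayed:", len(relayed))
```

The verdict is reached at the end of DATA, after the message has been stored in full, which is exactly why email is the easy case for a gateway: the client is waiting for a single reply code and tolerates the delay, whereas an HTTP proxy has to make the same decision inside a request the user is watching.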

However, as the defenses deployed at port 25 have improved over the years, the tactics employed by attackers have grown increasingly sophisticated. In late 2005, the Federal Trade Commission issued a report that noted traditional spam volumes had leveled off compared to previous years, but the nature of the attacks had grown in sophistication and potency. The latest tactics use "blended threats," which combine traffic moving across SMTP, HTTP, and other protocols such as instant messaging or FTP. A good example of this was the Sober-N and the follow-on Sober-Q variants. This attack involved an initial email with an attachment that appeared benign, as it lay dormant for some time. Then, at a set time, the infected PCs contacted an HTTP server and downloaded an executable that sent out targeted spam.
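A blended threat of the kind described above is invisible to either gateway alone: the mail gateway sees an archive that scans clean, and days later the Web gateway sees an ordinary executable download. The detection lives in the join between the two, which is the practical reason the closing paragraph argues for gateways that share a threat database. The following is an added example, not from the article, that correlates constructed SMTP-gateway and HTTP-gateway log lines on the internal host and a time window, and promotes the paired indicators into a shared threat set once more than one host shows the same attachment-then-download pattern. The log format, field names, host addresses, URLs, abbreviated digests and the seven-day window are all assumptions made for the example; in a real deployment the mail log would typically carry the recipient, and the recipient-to-host join would come from the directory or DHCP logs.

```python
"""Correlating SMTP-gateway and HTTP-gateway events (added example, not the article's code)."""
import re
from datetime import datetime, timedelta

# Constructed log lines in a made-up "timestamp source key=value ..." format.
# Digests are abbreviated constructed values, not real file hashes.
MAIL_LOG = """\
2006-03-01T09:12:03 mailgw recipient=alice@corp.test host=10.1.4.20 attachment=photos.zip sha256=a1a1a1a1a1a1a1a1
2006-03-01T09:40:11 mailgw recipient=bob@corp.test host=10.1.4.31 attachment=report.pdf sha256=b2b2b2b2b2b2b2b2
2006-03-01T10:02:45 mailgw recipient=carol@corp.test host=10.1.4.57 attachment=photos.zip sha256=a1a1a1a1a1a1a1a1
"""
WEB_LOG = """\
2006-03-03T02:00:07 webgw host=10.1.4.20 method=GET url=http://update.example.test/payload.exe status=200 ctype=application/octet-stream
2006-03-03T02:00:09 webgw host=10.1.4.57 method=GET url=http://update.example.test/payload.exe status=200 ctype=application/octet-stream
2006-03-03T08:15:22 webgw host=10.1.4.31 method=GET url=http://intranet.corp.test/index.html status=200 ctype=text/html
2006-03-03T08:16:00 webgw host=10.1.4.90 method=GET url=http://downloads.example.test/tool.exe status=200 ctype=application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
RISKY_ATTACHMENT = (".zip", ".rar", ".exe", ".scr", ".pif")        # assumption
EXEC_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(days=7)  # how long after delivery a download still counts


def parse(log):
    """Parse the constructed log format into one dict per event."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, source, rest = LINE_RE.match(line).groups()
        event = {"ts": datetime.fromisoformat(ts), "source": source}
        event.update(field.split("=", 1) for field in rest.split())
        events.append(event)
    return events


def correlate(mail_log, web_log, threat_db):
    """Return alerts for hosts that got a risky attachment and later fetched an executable.

    Each alert pairs the mail event with the web event.  When two or more hosts
    show the same (attachment digest, URL) pair, both indicators are added to
    `threat_db`, the set both gateways would consult on their next decision.
    """
    risky_mail = [e for e in parse(mail_log)
                  if e["attachment"].lower().endswith(RISKY_ATTACHMENT)]
    alerts, pairs = [], {}
    for w in parse(web_log):
        looks_executable = (w["ctype"] in EXEC_CONTENT_TYPES
                            or w["url"].lower().endswith(".exe"))
        if not looks_executable or w["status"] != "200":
            continue
        for m in risky_mail:
            delay = w["ts"] - m["ts"]
            if m["host"] == w["host"] and timedelta(0) <= delay <= WINDOW:
                alerts.append({"host": w["host"], "attachment": m["attachment"],
                               "sha256": m["sha256"], "url": w["url"], "delay": delay})
                pairs.setdefault((m["sha256"], w["url"]), set()).add(w["host"])
    for (digest, url), hosts in pairs.items():
        if len(hosts) >= 2:
            threat_db.add(digest)
            threat_db.add(url)
    return alerts


if __name__ == "__main__":
    shared_db = set()
    for a in correlate(MAIL_LOG, WEB_LOG, shared_db):
        print(a["host"], a["attachment"], "->", a["url"], "after", a["delay"])
    print("shared threat db:", sorted(shared_db))
```

Note which hosts do not alert: 10.1.4.31 received only a PDF and fetched HTML, and 10.1.4.90 downloaded an executable with no preceding mail event, so a rule on either log alone would either miss the two real hits or flag the unrelated download. Once the digest and URL are in the shared set, the mail gateway can reject the next copy of the archive at DATA and the Web gateway can block the fetch, which is the coordinated response the article anticipates.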

HTTP Gateways

To combat this trend, a number of vendors are developing high performance HTTP gateways that work in conjunction with SMTP gateways and their associated security algorithms. The challenge with deploying Web gateways is that, unlike email, which is asynchronous, HTTP is real-time: the proxy sits in the data path, so its processing must scale well or it degrades the end user's Web access experience.

Interestingly, many of the technical challenges associated with a Web security gateway are similar to the issues addressed 10 years ago by the Web caching industry. The goal of a Web cache is to accelerate the delivery of content and reduce network bandwidth. While this is fundamentally a storage problem, Web caches also required high performance file systems for getting content on and off disk, advanced techniques for transparent redirection, and TCP connection management. Much of this work stemmed from the development of the Harvest project, an open-source cache that eventually became the widely deployed Squid Web cache.

The new Web security gateways build on these Web cache platforms, but add highly granular access controls, high performance application-aware content scanning, and simple policy management. The tug of war between innovation in security technology and adaptation of new threats seems likely to spawn an entire family of application gateway security devices. Email, Web, instant messaging and eventually VoIP applications are likely to have high performance security gateways that share a common threat database and a common policy management framework to provide comprehensive network protection.