
Honeypots, decoys, air gaps, exit controls, self-healing tools and DoS defenses.

posted on May 31, 2001
by hitbsecnews

Lynn Haber, writing for Network World, discusses new security techniques including honeypots, decoys, air gaps, exit controls, self-healing tools and denial-of-service defenses.

The running battle between hackers and network security professionals has moved beyond the perimeter firewall to hand-to-hand combat at individual Web and corporate servers. And new security weapons have emerged that use ingenious methods to protect Web sites and corporate networks from external and internal security threats. Here are some of the latest tools at your disposal...

No exit

Turning the security paradigm on its head, Gilian's G-Server doesn't care how the hacker got in or what changes they may have made to your Web site. Gilian's Exit Control technology instead prevents the outside world from ever seeing the consequences of a security breach.

Gilian's G-Server sits between the Web server and the router or firewall that connects the Web server to the Internet, inspecting every piece of content that goes out. The Exit Control G-Server contains a collection of digital signatures made from authorized Web content during the publication process.

Each time the site's content producers publish a new or revised object, the G-Server saves a digital backup of the object along with a digital signature.

An outgoing object whose signature doesn't match the stored one sends up a red flag, which triggers the G-Server to immediately replace the bogus page with the archived copy of the original, while simultaneously alerting the appropriate personnel. Because the signatures are made during publication, the check only covers objects that went through that process; anything generated dynamically at request time has no stored signature to compare against and has to be handled separately.
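The publish-then-verify cycle just described, as an added example (not Gilian's code). The gate keeps an HMAC over each published object's path and contents, re-checks every outgoing object, serves the archived copy and records an alert on mismatch, and either passes or blocks objects that were never published. The key, the page contents and the paths are all constructed for the example; a real deployment would also persist the archive rather than hold it in memory.

```python
import hashlib
import hmac
import secrets


class ExitControlGate:
    """Sits between the Web server and the outside world; nothing leaves unchecked."""

    def __init__(self, key, block_unsigned=False):
        self._key = key                  # known only to the gate, not to the Web server
        self._archive = {}               # path -> (signature, archived bytes)
        self.block_unsigned = block_unsigned
        self.alerts = []                 # (path, reason) records for the operator

    def _sign(self, path, body):
        # Bind the signature to the path so a genuine page cannot be served
        # at another URL; hash the body first so large objects are cheap to MAC.
        digest = hashlib.sha256(body).digest()
        return hmac.new(self._key, path.encode() + b"\0" + digest, "sha256").hexdigest()

    def publish(self, path, body):
        """Called only by the authorized publication process."""
        self._archive[path] = (self._sign(path, body), body)

    def release(self, path, body):
        """Check one outgoing object. Returns (bytes actually sent, verdict)."""
        if path not in self._archive:
            # Not covered by exit control: dynamic or never-published content.
            if self.block_unsigned:
                self.alerts.append((path, "unsigned object blocked"))
                return b"", "blocked"
            return body, "unsigned"
        expected, archived = self._archive[path]
        if hmac.compare_digest(expected, self._sign(path, body)):
            return body, "ok"
        # Defaced or otherwise altered: serve the archived copy and tell someone.
        self.alerts.append((path, "signature mismatch, archived copy served"))
        return archived, "restored"


def demo():
    gate = ExitControlGate(secrets.token_bytes(32))
    home = b"<html><body>Welcome to Example Bank</body></html>"   # constructed content
    gate.publish("/index.html", home)
    gate.publish("/about.html", b"<html><body>About us</body></html>")
    _, v1 = gate.release("/index.html", home)                       # untouched page
    sent2, v2 = gate.release("/index.html", b"<html>0wned</html>")  # defaced page
    sent3, v3 = gate.release("/about.html", home)                   # right page, wrong URL
    _, v4 = gate.release("/cgi-bin/search", b"dynamic result")      # never published
    return (v1, v2, v3, v4, sent2 == home, sent3 == home, len(gate.alerts))


if __name__ == "__main__":
    print(demo())
```

The path binding matters: without it an attacker who can write to the document root could copy a legitimately signed page over a different URL and the gate would let it through. Whether unsigned objects pass or are blocked is a policy decision the example exposes as a flag, since the page itself only describes the behaviour for published content.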

Tripwire, Inc.'s Tripwire for Servers is a similar data and network integrity product. However, Tripwire for Servers takes a different approach: its software is loaded onto the server that you want to protect. It monitors all file changes, whether they originate from inside or outside the company, and reports back if a change violates predetermined policies. The trade-off against an out-of-band gate such as the G-Server is that the agent and its baseline live on the monitored host, so an intruder who gains enough privilege there can also tamper with them; in return, a host agent sees every file on the server, not only the content that is served out.
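The host-side counterpart, as an added example (not Tripwire's code): a baseline of hash, size and permission bits for every file under a directory, a per-prefix policy saying which attributes may change, and a rescan that reports only the changes the policy does not permit. The directory tree, the policy and the simulated intrusion are constructed for the example.

```python
import hashlib
import pathlib
import stat
import tempfile

# Policy: attributes that MAY change under each path prefix (longest prefix wins).
# Logs may grow; binaries and configuration must not change at all.  Constructed.
POLICY = {
    "logs/": {"sha256", "size"},
    "bin/": set(),
    "etc/": set(),
}
WATCHED = ("sha256", "size", "mode")


def snapshot(root):
    """Hash, size and permission bits of every file under root."""
    root = pathlib.Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return snap


def allowed_changes(relpath):
    for prefix in sorted(POLICY, key=len, reverse=True):
        if relpath.startswith(prefix):
            return POLICY[prefix]
    return set()          # anything not listed is fully locked down


def compare(baseline, current):
    """Return (path, finding) pairs for every change the policy does not permit."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "deleted"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            for attr in WATCHED:
                if baseline[path][attr] != current[path][attr] and attr not in allowed_changes(path):
                    findings.append((path, attr + " changed"))
    return findings


def demo():
    """Build a tiny server tree, baseline it, simulate an intrusion, rescan."""
    root = pathlib.Path(tempfile.mkdtemp())
    files = {"bin/httpd": b"ELF...", "etc/httpd.conf": b"Listen 80\n", "logs/access.log": b"GET / 200\n"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        (root / rel).chmod(0o640)                                 # fixed mode, independent of umask
    baseline = snapshot(root)

    (root / "bin/httpd").write_bytes(b"ELF...backdoor")          # trojaned binary
    with open(root / "logs/access.log", "ab") as f:               # normal log growth: permitted
        f.write(b"GET /admin 403\n")
    (root / "etc/.rhosts").write_bytes(b"+ +\n")                  # dropped trust file
    (root / "etc/httpd.conf").chmod(0o666)                        # loosened permissions
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print(path, finding)
```

The baseline is only as trustworthy as the moment it was taken, so it should be created on a freshly built host and stored off-box or on read-only media; that is the weakness the preceding paragraph refers to.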

Honeypots or decoys

Honeypots are designed to lure and contain an intruder on the network. According to Fred Kost, vice president of marketing at Recourse Technologies, of Palo Alto, honeypots are decoy devices that can divert attacks from production systems and let security administrators study or understand what's happening on the network. Recourse and PGP Security, a Network Associates company, have commercially available products.

ManTrap, from Recourse, is an industrial-strength honeypot that's deployed next to data servers, if it's being used to deflect internal attacks, and located off the firewall in the demilitarized zone (DMZ) if it's being used against external threats. According to Kost, the majority of users deploy it internally to get suspicious activity under control.

In that scenario, a ManTrap server would be set up to look like a file server that stores intellectual property or business plans. According to Kost, a successful deployment of ManTrap depends on a variety of factors including quality, naming scheme, placement and security policy. For example, deceptive defenses are most effective when deployed in quantities equal to or greater than that of the production system. Honeypots can get expensive which is why companies must pick and choose the critical servers they want to protect.

What attracts an attacker to ManTrap is its configuration: the decoy is made to look more vulnerable than the surrounding servers. Once the hacker is on the decoy server, security managers can log the hacker's activity and gain insight into what the intruder is trying to accomplish.
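A minimal decoy in the spirit of the description above, as an added example (not Recourse's or ManTrap's code). It advertises a file server that looks laxer than production, accepts any credentials so the intruder keeps talking, logs every command with a timestamp, never hands out data, and grades the contact for the alert: any connection to a decoy is suspicious, an attempt to pull or push files more so. The banner, the bait listing, the host name and the listening port are all constructed.

```python
import datetime
import socketserver

# Constructed banner: deliberately looks older and more lax than the production file servers.
BANNER = "220 fs-ip-01 FTP server (Version 1.0) ready."
# Constructed bait listing: names only, never real data.
BAIT_LISTING = "-rw-r----- 1 cfo staff 48213 May 30 09:12 q3-forecast.xls"


class DecoySession:
    """One intruder conversation. Every line is logged; nothing real is ever served."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.log = []                # (utc time, peer, raw command)

    def handle(self, line):
        line = line.strip()
        self.log.append((datetime.datetime.now(datetime.timezone.utc).isoformat(), self.peer, line))
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg or "anonymous"
            return "331 Password required for %s." % self.user
        if verb == "PASS":
            # Accept anything: the aim is to keep the intruder talking, not to keep him out.
            return "230 User %s logged in." % (self.user or "anonymous")
        if verb == "PWD":
            return '257 "/export/plans" is current directory.'
        if verb == "LIST":
            return "150 Opening ASCII mode data connection.\r\n%s\r\n226 Transfer complete." % BAIT_LISTING
        if verb == "RETR":
            # Stall instead of serving: the attempt itself is the evidence.
            return "425 Can't open data connection."
        if verb == "QUIT":
            return "221 Goodbye."
        return "500 '%s': command not understood." % verb

    def severity(self):
        """Any contact with a decoy is suspicious; trying to move files is worse."""
        verbs = {cmd.split(" ")[0].upper() for _, _, cmd in self.log}
        if verbs & {"RETR", "STOR", "DELE"}:
            return "critical"
        return "high"

    def summary(self):
        return "%s decoy contact from %s: %d commands, user=%s" % (
            self.severity(), self.peer, len(self.log), self.user)


class DecoyHandler(socketserver.StreamRequestHandler):
    """Wire a session to a TCP socket: one line in, one reply out."""

    def handle(self):
        session = DecoySession(self.client_address[0])
        self.wfile.write((BANNER + "\r\n").encode())
        for raw in self.rfile:
            reply = session.handle(raw.decode("latin-1"))
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
        print(session.summary())     # in practice: ship to the log server and page someone


if __name__ == "__main__":
    # Assumed decoy address and port; bind it on the decoy host only.
    socketserver.TCPServer(("0.0.0.0", 2121), DecoyHandler).serve_forever()
```

Since no legitimate user has a reason to connect, the alert threshold can be a single session, which is what makes a decoy a low-noise sensor compared with a signature-based IDS on a production host.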

Fall into the gap

Air gap technology provides a physical gap between trusted and untrusted networks, creating an isolated path for moving files between an external server and a company's internal network and systems. Vendors include RVT Technologies, Spearhead Technology and Whale Communications.

Whale's e-Gap Web Shuttle is a nonprogrammable device that switches a memory bank between two computer hosts. The e-Gap Web Shuttle creates an air gap between the Internet and a company's back-office systems. Companies might use e-Gap Web Shuttle between an external service running e-commerce applications, such as online banking, and internal databases that might be queried by external users.

According to Joseph Steinberg, director of technical services at Whale, the e-Gap system consists of the e-Gap appliance that is attached to two PC hosts, one internal and one external. The internal host connects to the company's internal network and the external host sits in the DMZ in front of the firewall.

All URLs to Web pages are directed to a mock location on the external host; the pages do not actually reside there. The external host strips off the transport protocol headers, extracts only the still-encrypted Secure Sockets Layer (SSL) payload and passes it to the e-Gap Web Shuttle, which carries the encrypted data to the internal host by toggling the e-disk. Decryption happens only on the internal host: it decrypts the SSL traffic, authenticates the user and filters the URL content, and then passes the URL request to the company's production Web server on the back-office network.
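A toy model of that flow, as an added example (not Whale's code), to make the division of labour concrete: the shuttle is a single memory bank that only one side can touch at a time, the external host merely strips headers and deposits an opaque record, and decryption, authentication and URL filtering all happen on the internal host. SSL is replaced here by a keyed-keystream-plus-HMAC stand-in solely to show where decryption happens; it is not a real cipher and must not be reused. The session key, the user database, the URL allowlist and the addresses are constructed.

```python
import hashlib
import hmac


# ---- toy stand-in for SSL (NOT real TLS): keyed keystream XOR + HMAC tag ----
def _keystream(key, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def toy_encrypt(key, plaintext):
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, body, "sha256").digest()


def toy_decrypt(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("record failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


class Shuttle:
    """One memory bank that is attached to exactly one host at any moment."""

    def __init__(self):
        self._bank = None
        self.attached_to = "external"

    def write(self, side, payload):
        if side != self.attached_to:
            raise RuntimeError(side + " host is not attached to the bank")
        self._bank = payload

    def toggle(self):
        self.attached_to = "internal" if self.attached_to == "external" else "external"

    def read(self, side):
        if side != self.attached_to:
            raise RuntimeError(side + " host is not attached to the bank")
        payload, self._bank = self._bank, None
        return payload


SESSION_KEY = b"demo-session-key-held-by-internal-host-only"    # constructed
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # constructed
ALLOWED = ("/accounts/", "/statements/")                         # constructed allowlist


def external_host(wire_message):
    """DMZ side: no key, no pages. Strip transport headers, keep the SSL payload only."""
    return wire_message["ssl_record"]


def internal_host(blob):
    """Back-office side: decrypt, authenticate, filter the URL, then forward."""
    text = toy_decrypt(SESSION_KEY, blob).decode()
    cred, _, request = text.partition("\n")
    user, _, password = cred.partition(":")
    if USERS.get(user) != hashlib.sha256(password.encode()).hexdigest():
        return "rejected: authentication failed"
    method, _, url = request.partition(" ")
    if method != "GET" or not url.startswith(ALLOWED) or "/../" in url + "/":
        return "rejected: url filtered"
    return "forwarded: GET %s for %s" % (url, user)


def run(credential, request):
    """One client request end to end: client -> external host -> shuttle -> internal host."""
    wire = {"tcp_ip_headers": "203.0.113.5:4412 -> 192.0.2.10:443",   # constructed
            "ssl_record": toy_encrypt(SESSION_KEY, (credential + "\n" + request).encode())}
    shuttle = Shuttle()
    shuttle.write("external", external_host(wire))   # only the opaque record crosses
    shuttle.toggle()                                  # bank now belongs to the internal side
    return internal_host(shuttle.read("internal"))


def wrong_side_is_blocked():
    """Sanity check of the shuttle invariant: a read from the detached side fails."""
    s = Shuttle()
    s.write("external", b"x")
    try:
        s.read("internal")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run("alice:correct horse", "GET /accounts/balance"))
    print(run("alice:correct horse", "GET /accounts/../etc/passwd"))
```

The point the model makes is that a compromise of the external host yields neither the pages nor the plaintext, and that the internal host never sees a network connection from the outside, only a buffer of bytes it must parse defensively.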

The fix is in

Security and vulnerability assessment tools, designed to be used in-house, can detect weaknesses in an organization's systems before problems occur and can fix those problems.

Retina 3.0, from eEye, scans, monitors, alerts and automatically fixes network security vulnerabilities. The product works on Windows NT 4.0 SP3 or higher and Windows 2000.

According to Mark Maiffret, chief hacking officer at eEye, the software is installed on any machine within the network. The network administrator types in a range of IP addresses to scan and pushes a button. The product scans the network for vulnerabilities, software flaws and policy problems and reports any vulnerabilities.

The product's "fix it" feature provides the network administrator with a description of each vulnerability found, information on how to fix it, or a "fix it" button that repairs the vulnerability locally or remotely.

Demolishing DoS attacks

Perhaps one of the newest categories of security products is those that target denial-of-service (DoS) attacks. By definition, DoS attacks make computer systems inaccessible by exploiting software bugs or by overloading servers or networks so that legitimate users can no longer access those resources. The product category is so new that some products are still in beta test or on the cusp of entering the marketplace.

Going after one of the most malicious types of computer vandalism, the DoS attack, are Arbor Networks, of Waltham, Mass.; Mazu Networks, of Cambridge, Mass.; and Asta Networks in Seattle.

According to Phil London, CEO at Mazu, the company's solution to distributed DoS attacks works via intelligent traffic analysis and filtering across the network. A monitoring device, such as a packet sniffer or packet analyzer, evaluates packets on the network at speeds up to 1Gbit/sec. The monitoring device then determines which traffic needs to be filtered out.
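The analysis-then-filter idea in miniature, as an added example (not Mazu's or Arbor's code): a constructed packet log with ten seconds of ordinary traffic followed by a SYN flood from spoofed addresses, a per-source baseline of packet rate and SYN ratio, a detector that flags sources sending far more than the busiest legitimate client and almost nothing but SYNs, and a rule generator that collapses many spoofed hosts in one prefix into a single drop rule. All addresses, thresholds and traffic are constructed.

```python
import collections
import ipaddress


def make_sample():
    """Constructed packet log: (second, source IP, TCP flag) tuples.
    13 s of steady traffic from three clients, plus a 3 s SYN flood from
    spoofed addresses in 203.0.113.0/24 that starts at t=10."""
    pkts = []
    clients = ("198.51.100.10", "198.51.100.11", "198.51.100.12")
    for t in range(13):
        for src in clients:
            pkts += [(t, src, "S"), (t, src, "A"), (t, src, "A")]   # one handshake + data
    for t in range(10, 13):
        for i in range(2000):
            pkts.append((t, "203.0.113.%d" % (i % 50), "S"))         # SYNs never completed
    return pkts


def per_source(pkts, t0, t1):
    """Packets/sec and SYN ratio per source inside [t0, t1)."""
    total, syn = collections.Counter(), collections.Counter()
    for t, src, flag in pkts:
        if t0 <= t < t1:
            total[src] += 1
            syn[src] += flag == "S"
    return {s: (total[s] / (t1 - t0), syn[s] / total[s]) for s in total}


def find_attackers(pkts, baseline=(0, 10), window=(10, 13), rate_factor=5.0, syn_ratio=0.8):
    """A source is suspect when it sends far more than the busiest baseline
    source AND its traffic is almost entirely SYNs (half-open handshakes)."""
    base_rate = max(rate for rate, _ in per_source(pkts, *baseline).values())
    hits = [src for src, (rate, ratio) in per_source(pkts, *window).items()
            if rate > rate_factor * base_rate and ratio >= syn_ratio]
    return sorted(hits, key=ipaddress.ip_address)


def filter_rules(attackers, min_hosts=8):
    """Collapse attackers into one /24 drop rule where many hosts in a prefix
    are involved (typical of spoofed floods); otherwise drop per host."""
    by_net = collections.defaultdict(list)
    for a in attackers:
        by_net[ipaddress.ip_network(a + "/24", strict=False)].append(a)
    rules = []
    for net, hosts in sorted(by_net.items()):
        if len(hosts) >= min_hosts:
            rules.append("drop src %s" % net)
        else:
            rules += ["drop src %s/32" % h for h in hosts]
    return rules


if __name__ == "__main__":
    attackers = find_attackers(make_sample())
    print(len(attackers), "attacking sources")
    for rule in filter_rules(attackers):
        print(rule)
```

Two caveats a practitioner would add: with spoofed sources the per-host list is unbounded, which is why the rule generator aggregates to a prefix, and a prefix rule can also drop legitimate users who share that prefix, so the thresholds and the aggregation size are policy knobs, not constants.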

The good, the bad and the ugly

The good news about all of these new security techniques is that they theoretically offer companies additional layers of security protection, providing better overall security. What this ultimately means to businesses is that additional security mechanisms can succeed where others have failed. Another plus about some of the new products is that they're optimized for a particular application, such as integrity of the Web servers.

However, as with any technology, there are pros and cons to consider. In fact, there are some downsides to implementing these new security products, says Robert Lonadier, director of security strategies at Hurwitz Group. For example:

They're all incremental solutions, not replacements.

They require a certain amount of expertise.

Many vendors are start-ups and there's a risk as to how long they'll be around.

There's a concern, in many IT shops, about adding preventive controls because of associated overhead - a concern that can be easily remedied by investing in additional horsepower.

What's too much? When does a company run the risk of introducing security vulnerability because of having too many products to manage?

The bottom line is that security is never a done deal. It's a continuing process that a new crop of innovative vendors is making more interesting.

SNP.
