Improve your Security #3: Online Protection

It is usually said that those who are behind a hardware router are protected from any danger. This is true in regard to the connections that come from outside, but it is not true for the dangers which come from inside the local network. We must not forget that most threats land on users’ computers via email or web traffic (either drive-by downloads or web bugs and exploits). Thus it is important to use multiple layers when it comes to online protection. For the sake of simplicity, I separated the protection layers into three areas: External area, Network and Personal area.

In each of these layers, protection mechanisms have to make sure that each category of threat is filtered before it causes any damage to the end user.

Layer 1

This security layer has to ensure that only the authorized applications are allowed to receive and send data to other computers on the Internet. It mustn’t filter any connections which are taking place inside the network area. This effect can be produced either with a hardware device or with software and, in general, with a combination of both. Hardware devices are hardware firewalls, routers, modems, NAT servers, and so on. Any device which can control the network traffic coming from or going to outside the network can be used here. Software firewalls installed on each device which connects to the network also have the same role.

Special devices
A special category of hardware which resides at this level is represented by proxies, network monitors and network intrusion detection devices.

Proxies are devices which take over from the user the responsibility of communicating with the external network. This makes them extremely important, because if they fail, the user is directly exposed to the raw, unfiltered data coming from the Internet. Examples of proxies are web proxies (Apache, Squid, IIS, etc.) and SMTP servers.

Monitoring involves examining network traffic, activity, transactions, or behavior to detect security-related anomalies. In medium-large companies there should be special appliances or computers which filter and monitor the network traffic according to some policies. Monitoring can also be implemented per protocol, thus such functions can be found in Web Proxies, Mail proxies and so on.

A network intrusion detection system (NIDS) attempts to identify inappropriate activity on the network. It provides the same functionality as a burglar alarm system — in case of a possible intrusion, the system issues an alert. NIDS work on the principle of comparing new behavior against normal or acceptable behavior previously defined. Usually, a NIDS device listens to the network traffic and when it finds something unusual it reacts accordingly:

– It creates a dynamic firewall rule to prevent a DoS
– Saves the packets for further analysis
– Informs various entities that an attack is taking place
– Terminates connections

So, if monitoring is the passive element, a NIDS is the active element in a network.
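To make the "compare new behavior against a previously defined baseline, then react" principle concrete, here is a small added example (not code from the original post): it learns a profile from constructed flow records, flags sources that exceed the learned rate or talk to ports never seen before, and maps each alert to the four reactions listed above. The log format, the 198.51.100.10 address and the factor of 4 are assumptions for illustration.

```python
from collections import Counter

# Constructed sample flow records (not captured traffic): "src dst dport".
BASELINE = "\n".join([
    "10.0.0.5 198.51.100.10 443", "10.0.0.5 198.51.100.10 443",
    "10.0.0.7 198.51.100.10 80", "10.0.0.7 198.51.100.10 443",
    "10.0.0.9 198.51.100.10 443",
])
# Live traffic: one source opens 40 connections, another uses an unseen port.
LIVE = "\n".join(
    ["10.0.0.5 198.51.100.10 443", "10.0.0.7 198.51.100.10 443"]
    + ["10.0.0.42 198.51.100.10 80"] * 40
    + ["10.0.0.9 198.51.100.10 6667"]
)

def parse(log):
    """Turn 'src dst dport' lines into (src, dst, port) tuples."""
    return [(s, d, int(p)) for s, d, p in (line.split() for line in log.strip().splitlines())]

def learn_profile(flows, factor=4):
    """Baseline = the ports seen in normal traffic plus a per-source connection ceiling
    (assumed here as `factor` times the busiest source observed during learning)."""
    per_src = Counter(src for src, _, _ in flows)
    return {"ports": {port for _, _, port in flows},
            "max_per_src": factor * max(per_src.values())}

def detect(flows, profile):
    """Compare new behaviour against the profile; return (kind, src, detail) alerts."""
    alerts = []
    for src, n in Counter(src for src, _, _ in flows).items():
        if n > profile["max_per_src"]:          # too many connections: possible DoS
            alerts.append(("flood", src, n))
    for src, _, port in flows:
        if port not in profile["ports"]:        # service never used before
            alerts.append(("unusual_port", src, port))
    return alerts

def respond(alerts, flows):
    """Map each alert to the four reactions named in the text."""
    actions = []
    for kind, src, detail in alerts:
        actions.append(f"firewall: add dynamic rule DROP src {src}")       # dynamic rule
        saved = [f for f in flows if f[0] == src]
        actions.append(f"save: {len(saved)} flows from {src} for analysis")  # keep packets
        actions.append(f"alert: {kind} from {src} ({detail})")              # inform
        actions.append(f"terminate: active connections from {src}")         # tear down
    return actions
```

Running `respond(detect(parse(LIVE), learn_profile(parse(BASELINE))), parse(LIVE))` yields one alert for the flooding source and one for the unseen port, each followed by the four reactions.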

Hardening the devices
No matter how intelligent the devices at this layer are, they have the same problems as all other devices which operate at any layer: they have bugs which can be exploited. Bugs can be found in the software running on these devices as well as in the hardware. This is why it is important to keep these devices updated and replace them as soon as a newer and better version is available. A very important factor which makes these devices harder to exploit is to run only the minimum set of services required for the device to perform its functions.

Layer 2

On this layer reside various software applications which can filter the received data for malicious content. This includes web filters (filtering the protocols HTTP and FTP), Antispam and Antiphishing filters, IM filters, etc.

A special category of programs operating at this level are applications which monitor the behavior of other applications. They can be Host Intrusion Prevention Software or a special component in the operating system (like Data Execution Prevention in Windows).

Lately, because of the publicity given to tools like Firesheep, a new category of programs has started to become more popular: session encryption software. This kind of software can be integrated inside a browser and practically encrypts all the data transferred between the user and some websites. Since not all websites have the capability to encrypt the traffic, the effect of such tools remains limited.

Layer 3

This layer is the last and represents the end user. This can be a real person (usually) or a layer of software which performs some tasks automatically. Let’s assume that we have a user standing in front of his computer. No software can fully protect the user against all threats. The reason for this is not that the software is bad but because the security software is not allowed to operate in the same way as the malicious software does. This is why the last category will always have an advantage over the security software. What the malicious software does illegally, the security software has to do with a lot of work and intelligence.

So, the last barrier between the fraudsters who want to take control of the user’s computer and private data is the user himself. In cyber attacks the human factor plays a very important role: it can decide whether an attack is successful or not. If the user makes sure that the data is correctly structured (not everything in one place) and protected (maybe not necessarily stored locally, but at least encrypted), the damage which an external attacker can do can be close to zero.

If the user deactivates the security software for whatever reason, ignores the warnings he receives and provides all kinds of information to any website he sees, then no software can prevent this.

Sorin Mustaca
Data Security Expert