Essential Technology: A GCS Blog

A Blog About Business Technology Systems

About GCS

GCS Technologies provides technology services and solutions. You can read more about GCS at http://www.gcsaustin.com. GCS is available for project work covering the topics in this blog and other IT systems.

Fed Compliance

I know all of this stuff because I sell all of this stuff. I call it real-world experience, the FCC thinks it might be a conflict-of-interest.

Is Antivirus Software Good Enough or is it a Broken Model? (Part Two)

by Marquis Calmes 25. September 2009 06:30

In my last posting I promised to explain the concept of Application Whitelisting. But before we get to that there is another reactive aspect of computer security I failed to mention...software vulnerabilities.

Viruses and malware don't just take advantage of trusting users to infect systems. Frequently these programs exploit vulnerabilities in your computer's operating system and applications. And once a system is infected, other vulnerabilities can be used to spread the infection across your network.

Security researchers work tirelessly to find these flaws and alert the software makers before the bad guys figure out how to use them. But even if a flaw is discovered and disclosed before an exploit is developed, it takes time for the software vendors to build patches to fix the problem. A patch does not help until it is actually applied, which falls on users and IT shops. Even the best IT shops struggle to keep their systems patched. It is a never-ending battle, and as this reactive cycle plays out, your computers are left vulnerable.

As the number of bad programs grows, the reactive process of detecting, processing and tracking them becomes more inefficient. So what is an organization to do? Application whitelisting is a change of approach in computer security from the ways of antivirus. Instead of trying to figure out all the programs in existence you don't want to run on your computer, you specify what programs you DO want to run. And more advanced whitelisting applications can go a step further and prevent the programs you allow to run from doing things they aren't supposed to when a vulnerability is exploited.

There are many different approaches to tracking what software is approved.

  • Simple whitelisting programs use the file name and/or path to determine if a program is allowed to run. These systems can be bypassed by changing the name of a file or moving it to a different directory.

  • A more advanced method is to use a hash of the file, a string of characters generated by processing the file through a mathematical algorithm. If even a single bit of the file is changed the hash will no longer match. The problem with this method is that if a program is updated the hash must also be updated.

  • More reputable software vendors now "sign" their programs with digital certificates very similar to those used to secure web pages. This allows you to verify that the program was actually released by that company. Instead of using one of the above methods to approve of software, you can tell your whitelisting software to approve of any program signed by a particular vendor's certificate. Unfortunately not all code is signed.

Frequently a combination of the above methods is required to build a whitelist. Once a whitelist has been created and applied to a computer, any program not specifically listed will be prevented from executing. This should prevent any malware from running, but if not done correctly it can also prevent legitimate software from running. The ability to manage a whitelist is almost as important as the ability to enforce it.
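To make the trade-off between the first two approaches concrete, here is a small added example (not code from the post or from any whitelisting product) that enforces a path rule and a SHA-256 hash rule side by side. It uses a constructed "program" in a temporary directory, and the approved path, file contents and rule names are all assumptions made for the demo.

```python
from __future__ import annotations
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Whitelist:
    """Allow rules of the two kinds discussed above: by path and by file hash."""
    paths: set = field(default_factory=set)    # approved absolute paths
    sha256: set = field(default_factory=set)   # approved SHA-256 digests


def file_hash(path: str) -> str:
    """SHA-256 of the file contents; changing a single bit changes the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowed(wl: Whitelist, path: str) -> tuple[bool, str]:
    """Return (allowed, reason). A path rule trusts the name; a hash rule trusts the bytes."""
    real = os.path.abspath(path)
    if real in wl.paths:
        return True, "path"
    if file_hash(real) in wl.sha256:
        return True, "hash"
    return False, "not listed"


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict[str, bool]:
    """Constructed scenario: approve one program, then swap the file and then update it."""
    d = tempfile.mkdtemp()
    app = os.path.join(d, "app.exe")          # hypothetical approved program
    _write(app, b"MZ fake approved program v1")
    path_only = Whitelist(paths={app})
    hash_only = Whitelist(sha256={file_hash(app)})
    # Some other, unapproved file is renamed into the approved path (the weakness of path rules).
    other = os.path.join(d, "other.exe")
    _write(other, b"MZ some other unapproved program")
    os.replace(other, app)
    results = {
        "path_rule_after_rename": is_allowed(path_only, app)[0],  # True: name matches, contents do not
        "hash_rule_after_rename": is_allowed(hash_only, app)[0],  # False: digest differs
    }
    # The vendor ships an update: same path, new bytes. The hash rule blocks it until refreshed.
    _write(app, b"MZ fake approved program v2")
    results["hash_rule_after_update"] = is_allowed(hash_only, app)[0]  # False: management cost
    return results
```

The three booleans returned by demo() are exactly the two weaknesses the list describes: the path rule approves whatever sits at the approved name, and the hash rule rejects a legitimate update until the digest is re-approved.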

In the next post on this subject I'll introduce a couple of application whitelisting products and explore the differences in how they work.


SonicWALL's New TZ Series

by Marquis Calmes 27. August 2009 04:45

SonicWALL has recently refreshed its successful TZ line of network security devices, aka firewalls, for the small office market segment. For those unfamiliar with SonicWALL's network security devices, the term firewall is a misnomer. Beyond simple packet inspection and port forwarding these devices are capable of performing real-time anti-virus, anti-spyware and intrusion protection, which SonicWALL refers to as Unified Threat Management or UTM.

The new generation is made up of three devices: the TZ100, TZ200 and TZ210. Despite the numerical decrease, the entry level TZ100 is a step up from the TZ180 and TZ190, capable of over two times more UTM processing throughput. Beyond performance improvements the new generation is now capable of:

  • SSL VPN remote access (more on SSL VPNs in a future post)
  • WAN (or Internet Access) and VPN failover standard. (Note: The 5.5 firmware release will support up to 4 WAN connections)
  • Hardware failover (TZ200 and TZ210 only)
  • Support for 3G mobile broadband USB modems as either the primary or a backup internet connection. (TZ200 and TZ210 only)
  • Also, TZ210 offers an application firewall capable of blocking or throttling specific types of network traffic over allowed protocols. For instance, limiting the bandwidth that can be used to view YouTube.

In addition to the functional improvements, SonicWALL has made significant changes to how these devices are sold.

  • First, SonicWALL no longer uses licensing to restrict the number of nodes that can pass through the device. All devices will allow an unlimited number of nodes. However, that doesn't mean these devices can actually support an unlimited number of users; they still need to be appropriately sized for the environment. But this is a great change, as the previous version would start to block internet access if the number of nodes exceeded the license, such as when guest laptops were using the network.
  • Second, the Enhanced SonicOS firmware is now standard in all devices. The "standard" SonicOS, which had limited functionality, has been eliminated.

Both of these changes greatly simplify the purchasing process and reduce the need for a customer to add licenses to fully utilize the device. Still, some features such as Gateway Anti-Virus and Anti-Spyware require subscriptions that must be renewed.

Like the TZ180, all the new models are available with or without built-in wireless. However, the wireless versions of these devices support the new wireless N standard, capable of up to 300MB/s of wireless traffic, nearly 6 times the throughput of the wireless G standard. Or, instead of purchasing the integrated wireless, the new TZ series also supports centrally managing between 1 (TZ100) and 16 (TZ210) SonicPoint wireless access points. When combined with power over ethernet, SonicPoint wireless access points can be easily placed in the optimal location based on the layout of your office, rather than being forced into the server closet because the access point is integrated into your firewall.

Finally, another new feature in the TZ series is called Comprehensive Anti-Spam Service (CAS). CAS is designed to be a hybrid between device and cloud based spam filtering, and is positioned to be an alternative to Postini, MXlogic and Microsoft's cloud email filtering services. Basically, when CAS is enabled and the TZ device receives an email through SMTP, it sends the message up to SonicWALL's spam engine "cloud", which performs the spam analysis with the latest possible signatures and then forwards the good messages back down to the TZ. The TZ then sends the message to the email server for final delivery. This process offloads the spam analysis processing from the device and doesn't require storing and updating signatures on the TZ. While I find this to be an interesting new service, it doesn't provide all the features provided by the other cloud filtering services. For instance, because the other cloud filtering vendors are the initial point of contact for all external emails, they can queue up messages if your email server is down. CAS is also inbound only for the TZ devices, which means your IP address could still be blacklisted. Still, this is a promising new feature and it will be interesting to see where SonicWALL takes it as it develops further.
