Mark Urban, Packeteer: Delivering Intelligent Security Across the Branch Office Enterprise

January 2008 by Mark Urban, Director of Product Marketing, Packeteer

There are many potential threats to the security profile of an Enterprise. Physical security is a huge topic; data access control and user authentication are also big. Data privacy, file security and communications privacy are all concerns. Newer security threats – phishing, spam, targeted attacks and spyware – demonstrate a trend to more sophisticated attacks from the outside.

There will never be perfect security or one product to fix all risks. There are, however, solutions that target the more critical and/or vulnerable aspects of the enterprise network. This article focuses on virus propagation and DDOS on the ‘soft inside’ of corporate branch office networks and suggests how you can achieve:
• The benefits of a branch office MPLS Network IPS device
• Strong ROI by combining that functionality with Application QOS, Acceleration, Compression and Caching
• Extended security services such as identification, file encryption, virtual file caching and IPSec authentication

New Era of Networking and Virus DDOS Propagation

The corporate world is increasingly distributed. The majority of the personnel in an average enterprise now work outside of HQ. These days, the typical corporate enterprise has many locations and potentially thousands of remote users that it must serve. Application innovation then adds to the complexity of this distributed world.

The issue is that IP-based applications have given rise to hundreds of recreational applications – from peer-to-peer to internet radio to instant messaging – providing new ways to distribute data, rich content, and voice and video across the Internet. New technologies like Web services promise to change the very way we think of software “applications” by fragmenting information and functionality in ways that can be reused efficiently. All of these trends increase the distributed security risk and are magnified by new corporate network topologies such as “hub and spoke” or “any-to-any” networking.

Hub and spoke topologies in the enterprise mean engineering PVCs on Frame Relay or ATM links, or even point-to-point links, usually from branch offices to a few data centers or regional aggregation points. An enterprise could literally engineer bits and bytes to aggregate to a single point (or a few points) before they are sent to their final destination. Hub-and-spoke topologies create an element of safety for the enterprise, but offer only a limited amount of flexibility and often frustrate attempts at quick provisioning. In an effort to address this dilemma, MPLS-based services began to be employed, fundamentally changing the hub and spoke structure.

MPLS enables any-to-any networking for the enterprise. Diametrically different from the controls of a hub-and-spoke topology, MPLS enables enterprises to unleash the power – and risk – of IP networking. This meshing delivers site-to-site communications, opening new transit paths for applications like IP telephony and Service Oriented Architectures (SOA). This, however, is not the only type of traffic that can leverage the link.

Among Branch Office Security Evils: DDOS and Virus Outbreaks

Those same MPLS any-to-any paths are also now open to any application that is not otherwise controlled, including malicious traffic. If a laptop is somehow infected at home or while traveling, viruses and worms can use these same meshed topologies to spread quickly throughout the Enterprise. The impact can be a severe performance disruption to the network and key applications.

How bad is the potential problem? Consider these figures:

• Virus outbreaks and denial of service attacks are the #1 and #5 most costly security breaches (Computer Security Institute and FBI, 2006)

• 41% of Enterprises experienced a service outage or degradation due to zero day attacks; over 60% rated the impact as “High” or “Extremely High” (The InfoPro Networking Study, Nov 2006).

Cost is a Barrier, especially at the branch

For the branch office, there are several ways to mitigate the impact of attacks across branch office MPLS networks. The challenge is balancing cost justification with the effectiveness of any one approach. The chart below lays out the pros and cons of various methods.

Intelligent WAN Application Delivery: uses application classification and user forensics to spot intrusions; QOS is used to maintain availability of key applications and contain traffic from infections.

Key Components of Branch IPS

Below are the key capabilities we suggest are required for branch office IPS and Intelligent WAN Application Delivery. The idea is not to study every potential threat, but to maintain availability of key applications while discovering and isolating potential threats.

The growing complexities associated with network traffic make sophisticated classification techniques a necessity. In the case of security threats, simple IP address or static port schemes fall short. Packeteer’s Intelligent Application Delivery classification detects dynamic and migrating port assignments, differentiates applications using the same port, and uses Layer 7 application indicators to identify applications. The underlying principle is that a branch IPS system should let you verify that an application flow really is what its port and address claim it to be.

A high level of application classification is becoming more and more critical as clever hackers continually attempt to circumvent the road blocks that are erected. For instance, suppose employees have installed web proxy tools such as proxifier, proxster, and proxyshare that allow them to send application traffic like KaZaA, Morpheus and ICQ through an HTTP tunnel. Since HTTP (port 80) traffic is normally allowed through the firewall, the tunneled traffic bypasses the firewall rules. This is where application classification technology can really save the day.

In the above scenario, by using Intelligent Application Classification, enterprises are able to spot peer-to-peer traffic hiding inside an HTTP tunnel. The HTTP-Tunnel service automatically identifies and classifies traffic that is sent through an HTTP tunnel via an HTTP proxy server on the Internet. Once this traffic is classified, IT administrators can restrict this unsanctioned traffic by applying appropriate policies.
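The following is an added illustration of the port-versus-payload check described above; it is not Packeteer’s code or classification engine. It assumes a hypothetical flow record holding the destination port and the first client payload bytes, uses a handful of well-known Layer 7 indicators as constructed signatures, and maps each verdict to a “protect” or “contain” QOS class, including the case of peer-to-peer traffic carried inside an HTTP CONNECT tunnel.

```python
import re
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Flow:
    """Hypothetical flow record: destination port plus first client payload bytes."""
    dst_port: int
    payload: bytes

# Layer 7 indicators (constructed for this example, not a production signature set)
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
CONNECT_REQ = re.compile(rb"^CONNECT \S+ HTTP/1\.[01]\r\n")
# What a static port scheme would assume the application to be
PORT_EXPECT = {80: "http", 443: "tls", 22: "ssh"}

def l7_app(data: bytes) -> str:
    """Identify the application from payload content, ignoring the port entirely."""
    if data.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:  # TLS handshake record
        return "tls"
    if HTTP_REQ.match(data):
        return "http"
    return "unknown"

def classify(flow: Flow) -> Tuple[str, str]:
    """Return (application label, QOS policy class) for one flow."""
    data = flow.payload
    if CONNECT_REQ.match(data):
        # HTTP CONNECT tunnel: classify whatever the client sends after the headers
        end = data.find(b"\r\n\r\n")
        inner = l7_app(data[end + 4:]) if end >= 0 else "unknown"
        return f"http-tunnel/{inner}", "contain"
    app = l7_app(data)
    if app == "bittorrent":                      # recreational peer-to-peer: contain
        return app, "contain"
    expected = PORT_EXPECT.get(flow.dst_port)
    if expected and app not in (expected, "unknown"):
        return f"{app}-on-port-{flow.dst_port}", "contain"   # port/app mismatch
    if app == "unknown":                         # unverified flows are never protected
        return app, "contain"
    return app, "protect"                        # validated business application

if __name__ == "__main__":
    # Constructed sample flows for a quick demonstration
    samples = [Flow(80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
               Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8),
               Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n")]
    for f in samples:
        print(f.dst_port, classify(f))
```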

Unlike many point products and bulk application acceleration tools, Intelligent WAN Application Delivery/Optimization solutions have the ability to classify and validate traffic, offering both optimal application delivery and freedom from internal network security threats. Packeteer delivers branch office security alongside WAN application delivery technologies.

So, when choosing any solution, keep in mind these key components:

• Intelligence to identify and validate application traffic
• Advanced QOS to contain recreational traffic and protect key business processes when infections happen
• Acceleration, Compression and Caching to help optimize performance and save bandwidth to build the ROI
• Additional security services for the branch including Domain/Authentication security, file security, IPSec Authentication

