Tech Talk
Three Layers of Security
Like every industry, it seems that network security is filled with buzzwords.
The market is overrun with products that promise "network-layer defense", "application-layer protection", and "state-of-the-art kernel-level security". Almost every one of these products claims to be "anti-hacker", or "the end-all be-all of security solutions". Personally, if I were a Systems Administrator not completely up to date on my security lingo, I would probably be confused, frustrated, and definitely looking for some help when researching products.
So how are you going to be able to pick out the good from the bad in this storm of buzzwords? The first step is to understand the three "layers" in which security products can work to protect your servers. In an ideally secure server environment, there is a security solution protecting the network layer (where the data is passed into the server), protection at the application layer (where the data is passed to and from a vulnerable application), and security at the kernel or OS layer.
The following is a breakdown of each of the three types of layer protection that are currently available:
#1. The Network Layer
Network-layer security is one of the oldest types of protection used within security solutions today. A software or hardware product set up at the network layer provides the ability to analyze the data traveling to and from an Internet connection. Network-layer security products monitor the incoming data for attacks and, in some cases, stop the attacks from getting past the network layer.
Network firewalls and intrusion detection systems (IDSs) are the most common types of product that work at the network layer. These products provide a crucial first line of defense against attacks, and also provide valuable data about the traffic entering and attempting to enter your network.
Most network-layer security solutions are configured to allow or deny certain traffic, and many function by performing pattern matching on the incoming data in order to search out possible attacks. While these methods are effective under some circumstances, they can do nothing to stop "unknown" attacks that do not have signatures or that the software has not been configured to stop. Since new vulnerabilities and attacks appear every day, network-layer products are constantly playing a game of catch-up.
In addition, security products operating at the network layer are at a disadvantage since they have essentially no interaction with the applications they are trying to protect (e.g. your web server). Once data has passed through the network-layer security, these products have no further contact with it and therefore cannot do any more to detect attacks or prevent them from taking place. So, in the end, you are left only with a network-layer log of the attack and the hope that the attack failed.
#2. The Application Layer
When attack data bypasses network-layer protection, it heads straight for the application that it was sent to target. A product that provides application-layer security can be a second line of defense against application or system compromise, and when implemented correctly can provide intelligent protection that is extremely difficult for any attacker to penetrate.
A product working at the application layer can view requests coming in from the network layer and also can see how requests are handed off to the kernel layer (and of course everything in between). An application-layer solution also works within the application it is protecting, not simply around it. This allows the security software to keep an eye on data as it is processed by the application. If at any time during the many levels of data translation the software detects a problem, it can take over and prevent any damage from being done.
Because application-layer products work so closely with the applications they are protecting, the software can be much smarter than other forms of security. It can see the "meat" of the data being handled by the application, not just the outside packaging (which network-layer products use to produce a unique "signature" for an attack). Thus if an attack is passed to the application, software at the application layer can see that there is potentially bad data inside without having to rely on a database of attack signatures, hence providing proactive security.
Why should we protect our applications? Not only do applications store our data, but it is also through the takeover of an application that most system attacks occur. As we all know, application software is not 100% bug-free, and these bugs or vulnerabilities are all too often taken advantage of. For example, if an attack can exploit a vulnerability in your web server application and cause a "buffer overflow", the attacker can then gain control of your entire system.
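The contrast drawn above between network-layer signature matching and application-layer inspection can be shown in a few lines. The example below is added here and is not code from eEye or from the newsletter; it assumes a hypothetical CGI application that copies each query parameter into a 256-byte buffer, and constructs three sample requests, one of which carries the oversized value percent-encoded. The network-layer check looks at the raw bytes for a fixed signature; the application-layer check parses and decodes the request the way the application would and judges the decoded content.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not real traffic). The "encoded" request
# carries the same oversized value as "plain", but percent-encoded.
OVERSIZED = "A" * 600
REQUESTS = {
    "plain":   f"GET /cgi-bin/search?q={OVERSIZED} HTTP/1.0\r\nHost: example\r\n\r\n",
    "encoded": f"GET /cgi-bin/search?q={'%41' * 600} HTTP/1.0\r\nHost: example\r\n\r\n",
    "benign":  "GET /cgi-bin/search?q=retina HTTP/1.0\r\nHost: example\r\n\r\n",
}

# Network-layer style check: a fixed signature matched against raw bytes.
# Hypothetical rule modelled on the "long run of the same byte" heuristic
# that overflow signatures commonly use.
SIGNATURE = re.compile(rb"A{256,}")

def network_layer_alert(raw: bytes) -> bool:
    """True if the raw request bytes match the signature."""
    return SIGNATURE.search(raw) is not None

# Application-layer style check: parse the request as the application does,
# decode each parameter, and compare its decoded length with the size of the
# buffer the (assumed) CGI would copy it into. No signature database needed.
MAX_FIELD = 256  # assumed size of the application's parameter buffer

def application_layer_alert(raw: bytes) -> bool:
    """True if any decoded query value would not fit the application's buffer."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return True  # malformed request line: refuse rather than guess
    query = parts[1].partition("?")[2]
    for pair in query.split("&"):
        if not pair:
            continue
        value = pair.partition("=")[2]
        if len(unquote(value)) > MAX_FIELD:
            return True
    return False

def compare(raw: bytes) -> dict:
    """Verdict of both layers for one request, for side-by-side inspection."""
    return {"network": network_layer_alert(raw),
            "application": application_layer_alert(raw)}
```

Running `compare` over the three samples shows the signature firing only on the literal run of A's, while the decoded-length check flags both the plain and the encoded oversized request and passes the benign one.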
#3. The Kernel Layer
Kernel - what do you know about it? Most IT administrators seem to understand the Kernel of the OS as being somewhat like the heart of it all. So it sounds really great when security product marketing says "Kernel Level Exploit Protection".
Now, if done right, it is possible to implement some great security solutions at the kernel level. However, most people who have dabbled with kernel-level security have gone about it all wrong, and have ended up with a system that sounds secure and seems secure but is wide open to your average hacker.
In theory, security at the kernel level would protect your system in the case that your applications were compromised. However, a closer look at this method of protection reveals some flaws. For example, some products that tout kernel-layer security are engineered to prevent an attacker from doing any "bad things" to a web server in the case that the server is compromised. But what if the web server is compromised with a buffer overflow or similar attack that gives the attacker SYSTEM-level access (the highest level of access on NT)? At that point, all security measures in the kernel can be bypassed or turned off. Even if such programs require a password to deactivate security, it is widely known that a password is no barrier to code running at SYSTEM level, and bypassing a password is a moot point when it is also possible to bypass the security application as a whole. Thus, kernel-level security as we know it doesn't help a whole lot in protecting servers.
The key to security is to keep attackers out of your web server in the first place, something that few kernel-level systems are able to do. Even when implemented correctly, a kernel-level solution alone would still only protect as well as a network-layer solution, in the sense that it would not have the proximity to, or understanding of, the applications it was trying to protect.
---
So, which types of security solutions should you implement? In the end it comes down to understanding what you are looking to protect. If you want to protect your network itself from network-level scans or random DoS attacks, then network-layer security will be adequate. If vulnerable applications reside on your servers, it is best to implement an application-layer solution rather than risk exposing your data or compromising the entire server. Keep in mind that producing an "end-all be-all" piece of security software is very hard to do. A combination of a network-layer solution and a tried and tested application-layer solution will provide the most comprehensive protection, and is what we recommend.
Mark Maiffret
Chief Hacking Officer
eEye Digital Security

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Newsbytes: Consumers Concerned About Internet Security - Poll
"In the wake of the Sept. 11 terrorist attacks, Americans are concerned about the security of both government and commercial electronic networks..."

SecurityFocus: White House CyberSecurity
"The commitment by the federal government to further computer security research may be laudable, but it fails to address the root cause of most security issues: bad software."

The Register: MS Rolls Out Security Obscurity Bribe Program
"MS has rolled out its Faustian bargain for security vendors."

The Register: IDS Users Swamped With False Alerts
"The number of redundant alarms and false positives generated by Intrusion Detection Systems (IDS) has come under fire from users attending an event designed to raise awareness about the technology."

Reader Q&A
Q: I recently upgraded my operating system and during this process I invalidated my eEye product license. How can I avoid this in the future?
A: eEye products use many checks to verify that an issued license key is installed on the correct computer. One of these checks is the version of the operating system that is running. Because of this, upgrading your operating system while an eEye product is installed will invalidate your license key.
Before upgrading your operating system, you must take steps to transfer your license. To do this, launch the product and select "License Management" from the Help menu. Next, select the "Transfer License" radio button, and click Next. You will then receive on-screen instructions on how to transfer your license.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements
Retina 4.7 Is Now Available
Retina 4.7 incorporates many new capabilities covering scanning technology, product features and user interface. It also flaunts a redesigned backbone architecture, improved documentation, and the ability to scan Class B networks.

Secure Computing Magazine Product Review - Retina
SC Magazine rates Retina as its "Pick of 2001" and "Best Buy". Read what they have to say about Retina and its CHAM technology.

Iris 3.7 Is Now Available
Iris 3.7 incorporates many new features, including added SNMP decoding, the ability to save Capture log reports and Packets as CSV (Comma Delimited Format) files, and automatic notification when new versions are available.

Etcetera

Notable Quotes on Security
In an article titled "Microsoft, Fix Your Software", writer John C. Dvorak shares his opinion on how the public should handle the recent slew of flaws in Microsoft's products. In his article he makes this statement:
"Microsoft apologists will tell you that Unix has many flaws, too. It's riddled with all sorts of holes. I'm not going to argue that point, but Unix is a legacy OS, not unlike DOS in its ancient heritage. And no Unix vendor has the resources of Microsoft. Microsoft is the world's biggest software company, period. It should act the part." - John Dvorak, for PC Magazine http://www.pcmag.com/article/0,2997,s%253D1500%2526a%253D16639,00.asp
In an article titled "Bug Secrecy vs. Full Disclosure", Bruce Schneier gives his opinion on the highly publicized Full Disclosure debate. In his commentary, Schneier makes this intriguing point:
"In his essay, Culp compares the practice of publishing vulnerabilities to shouting 'Fire' in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless. Blaming the person who disclosed the vulnerability is like imprisoning the person who first saw the flames. Disclosure does not create security vulnerabilities; programmers create them, and they remain until other programmers find and remove them. Everyone makes mistakes; they are natural events in the sense that they inevitably happen. But that's no excuse for pretending that they are caused by forces out of our control, and mitigated when we get around to it." - Bruce Schneier, for ZDNet http://www.zdnet.com/zdnn/stories/comment/0,5859,2824251,00.html

The Human Firewall Project
"People - the missing link to improving Information Security."
"The Human Firewall website strives to help managers and employees in all kinds of organizations increase their information security awareness, and promote behavior that will improve protection of critical information against internal and external threats."
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.