Introduction
Malware (mal´wãr) (n.): Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.
This recently invented term covers the entire taxonomy of nasty programs
that you're sooner or later going to encounter over the life of your
system. There are several broad classifications of malware and here,
we're going to address some of the most effective ways to deal with it.
These threats to your system's security cover the range from simple
annoyances such as pop-up advertisements to viral system-wreckers to the
more sinister and often unnoticed agents of identity theft in the form
of certain Trojan horse programs.
The vast majority of malware makes its
way into your system via a network connection of one sort or another.
Sometimes, it takes nothing more than the simple exchange among friends
of a CD that may contain downloaded music or other files to spread a
particular virus or other nasty piece of work.
Layered Defense.
Here's your picture: no single defense
against malware is going to be 100% effective. You can't just install an
antivirus package and call it good. The best defense is a layered
defense, typically consisting of one or more antivirus packages (yes - I
meant more than one), a spyware blocker/killer and a good firewall.
That's your holy trinity: firewall - antivirus - antispyware.
Network Guardian. Generally
speaking, the place to stop malware is at the periphery of your network
- that is, stop it before it enters your network - not after. The
role of network guardian in small networks is usually delegated to a
relatively inexpensive combination router/firewall/switch. The
protection offered by the least expensive of these devices is better
than nothing, but can amount to little more than a speed bump with
respect to a determined attacker or one of the more sophisticated
viruses/Trojans. The best-of-breed firewalls often incorporate
highly effective antispam and antivirus engines that offer far more
sophisticated protection than workstation-based packages. This comes at
a price, but not as high a one as you might think.
Workstation-Based Defense. Just
because you have a decent firewall that may even incorporate stateful
antivirus and antispam engines, you're not off the malware hook just
yet. You can think of workstation-based antivirus and antispam/spyware
packages as your last-ditch defense against the legions of malware
attackers. This is where you'll catch the 5% of the items that will
inevitably slip past your firewall. Let's look at some of the scenarios
that make workstation-based defenses an absolute necessity:
- The Inside Job. No
matter how well you defend your network periphery, all it takes is a
floppy, CD or USB storage device to deliver the wide, wide world of
threats right past all of your defenses. How about that compilation
of (God forbid) the Carpenters' Greatest Hits that you or an
employee downloaded at home from one of those music-sharing sites?
Chances are, within minutes of their popping that homemade CD in the
drive of one of your business workstations, you'll have one or more
'passengers' setting up shop on each and every one of your
workstations and servers. This is far less likely to happen if you
have good-quality antivirus / antispam / antispyware packages
running on all of your workstations.
- The Traveler. Mobile
computing is great. It's a real boon to on-the-go entrepreneurs to
be able to literally pick up the office - in the form of a laptop -
and deploy it wherever the business is. Trouble is, once you remove
that laptop from the protective cover of your well-organized
defenses, you've increased your vulnerability. And despite the best
anti-malware packages you can run on your laptop, there's always that
possibility that you'll bring something unpleasant back to the
corral.
The bottom line is that if you can stop
98% of malware and intruders at the edge of your network, your
workstation-based antivirus/antispyware packages will have less work to
do and will be more likely to stop the other 2% of the nasty business
that lurks out there.
So - let's take a look at what you can do
to secure your business and personal data assets.
Anti-Spyware packages
Spyware may be close to the bottom of the malware
taxonomy, but it can cause real problems for your business systems.
Firewalls and antivirus packages generally won’t stop this type of intrusion,
although some are getting better at it. This particular class of intrusion is
one that is generally benign – more of a nuisance than anything else. But
there’s a dark side to spybots and spyware that needs to be examined. This stuff
– most of the time – tracks your website browsing habits and sends that info
back to certain web-based advertisers. That’s why you get those
never-to-be-sufficiently damned pop-ups and other sorts of intrusive adverts.
Someone knows where you’ve been and gears their advertising accordingly. Getting
spam? Weird results from search engines? Home page redirection? This may be one
of the reasons. If nothing else, once you've accumulated enough of these
unwanted 'passengers,' your system's performance will suffer.
Often, you don't even realize that you've installed
spyware because it piggybacks in on free software that serves
another purpose (example: the ad-serving app Cydoor, which is included
with the Kazaa file-sharing program). Spyware is often
downloaded and installed via nefarious Web sites (notice a new
default home page or search engine for your Internet Explorer?). The
end result is that your browser may default to unusual search-engine
sites or produce odd search results, and you may see exponential
growth in the number of pop-up ads that litter your desktop while
you surf.
In practical
terms, you now have one or more "live" servers sitting on your
PC shoveling information about you and your surfing habits out
the back door. But wait. There's more. And worse. These tiny ‘servers’ can be hijacked by
knowledgeable bad guys and can be used for any other purpose
they see fit. This, folks, is not a Good Thing. There are cures
for this sort of thing, and some of the best ones are free.
Recommendations:
- Microsoft Anti-Spyware. This product, currently in beta and available as a free download from Microsoft, is world-class. Easily the most effective product in the current marketplace.
- SpyBot Search and Destroy. Outstanding results and performance. Free. Minimal end user support. Download from www.cnet.com or www.ZDNet.com.
- WebRoot Spy Sweeper. Outstanding results and performance. $29.95. Excellent end user support. Download and purchase from http://www.webroot.com/products/spysweeper/
Anti-Virus packages - Virus, Worm and Trojan Scanners
The best way to protect your business against viruses is not to catch
them in the first place. This is hardly practical, because in order to
be 100% virus-proof, your computer would have to remain isolated
with no external input from anywhere. This means that accessing the Internet and
using floppies and CD-ROMs are all verboten. Not too practical,
I'm sure you'd agree. In an imperfect and sometimes hostile world, your next best bet is to
use an industrial-strength commercial anti-virus package, such as
GriSoft's
AVG Anti-Virus. These scanners examine the files, folders,
mail messages, and Web pages on your computer, looking for the
distinctive patterns of viral code. When the scanner detects something
that looks suspicious, it quarantines the suspect object and warns you
about what it's found. But as good as some virus scanners are, there
are threats against which they offer no protection at all. There are
some things that they are simply not designed to do. The fundamental
unit of network communication - the packet - is basically invisible to
them. For protection at this level, you need a firewall.
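To make the scanner paragraph concrete, here is an added example (not code from the page or from any of the products it names) of what a signature scanner does: it reads files, compares their content against a signature set, and quarantines matches. The signature set contains the standard EICAR test string, which real scanners detect by convention, plus a constructed hash-based entry with a made-up family name; the files it scans are constructed in a temporary directory. Note what it does not do: it never sees a network packet, which is the gap the text says a firewall has to fill.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# EICAR test string: a harmless byte sequence that antivirus products detect by convention.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Pattern signatures: distinctive byte sequences looked for anywhere in a file.
BYTE_SIGNATURES = {"EICAR-Test-File": EICAR}

# Hash signatures: exact-content matches. The entry below is constructed for this
# example (sha256 of a made-up payload, labelled with a made-up family name).
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed sample payload").hexdigest(): "Example.Constructed.A",
}


def scan_bytes(data: bytes):
    """Return the name of the signature that matches data, or None if it is clean."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_tree(root, quarantine):
    """Walk root, move every file that matches a signature into quarantine, and
    return a list of (original path, signature name) for each detection."""
    root = Path(root)
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    detections = []
    # sorted() materialises the listing first, so moving files does not disturb the walk
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        verdict = scan_bytes(path.read_bytes())
        if verdict is None:
            continue
        # Quarantine: move the suspect object out of the way under a neutral name
        # and leave a record of what was found and where it came from.
        dest = quarantine / (path.name + ".quarantined")
        shutil.move(str(path), str(dest))
        (quarantine / (path.name + ".txt")).write_text(
            f"original={path}\nsignature={verdict}\n")
        detections.append((str(path), verdict))
    return detections


def demo():
    """Build a constructed folder with one clean file, one EICAR file and one
    hash-matched file, scan it, and return (detections, files left behind)."""
    work = Path(tempfile.mkdtemp())
    docs = work / "docs"
    docs.mkdir()
    (docs / "notes.txt").write_bytes(b"quarterly numbers, nothing to see")
    (docs / "eicar.com").write_bytes(EICAR)
    (docs / "attachment.exe").write_bytes(b"constructed sample payload")
    detections = scan_tree(docs, work / "quarantine")
    remaining = sorted(p.name for p in docs.iterdir())
    return detections, remaining


if __name__ == "__main__":
    found, left = demo()
    for original, signature in found:
        print(f"QUARANTINED {original}: {signature}")
    print("clean files left in place:", left)
```

Real products use far larger signature sets, heuristics and on-access hooks, but the decision loop (read, match, quarantine, warn) is the same as above.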
Recommendations:
- GriSoft's AVG Anti-Virus is a best-of-breed solution. Cheap. Robust. Effective. StarLAN Consulting Services is an authorized reseller for AVG antivirus products.
- Products from Panda (http://www.pandasoftware.com/home/default.asp) and Sophos (http://www.sophos.com/) are also quite good.
NOTE: All of the preceding antivirus products are substantially better than either Norton or McAfee.
Firewalls
A firewall is the necessary complement to a good virus
scanner. Without a firewall, your computer is operating under an
"open door" policy. Bank account information. Passwords. Credit card
numbers. Documents and photos that you don't want to share with the
world. They are all available to anyone with bad intentions and basic
computer skills. Hackers can get in, take what they want, and even
leave open a "back door" so they can turn your computer into a
"zombie" and use it to attack other computers.
Think of a firewall as a traffic cop - it controls the flow
of traffic going between two or more networks. A firewall acts as a
gateway that makes decisions about what kind of connections to allow
or deny. Firewalls accomplish this by inspecting what virus scanners
do not - the packet and its contents. By examining each and every
packet that passes through them, a firewall's programming can look at
services, network addresses and even users associated with network
traffic. If something suspicious occurs - that is, a violation of the
rules set up in the firewall's programming - the firewall will drop
that connection, usually before it can be made. Firewalls can be
broadly classified in terms of the defensive methods they use: packet
filters, stateful packet inspection and proxy-based firewalls.
Software Firewalls.
Software-based firewalls such as the one provided by
Windows XP, Kerio's Kerio Personal Firewall and Zone Labs' Zone Alarm Pro represent the absolute
minimum that you should use to protect your system. Here's a quick
take on this type of firewall.
Win XP. The protection
afforded by the original (pre-SP2) Windows XP built-in firewall is better than nothing at
all, and its latest incarnation included in Service Pack 2 (SP2) does
a far better job than its original release. The firewall included in
Service Pack 2 for Win XP offers more choices for adjustment and
configuration, but not all of the settings are intuitive. There may be some broadband services that
are not compatible with it.
Recommendation:
While
the SP2 firewall is better than nothing, you can do better.
Zone Alarm Security Suite offers far
better protection. It is highly configurable, allows for some fairly
sophisticated rules enforcement and is compatible with all broadband
services. Better still, this package is offered as the Zone Alarm
Pro Security Suite which contains an effective anti-virus
engine. Zone Alarm Pro is frequently updated and provides a
final layer of defense for your broadband connected workstation.
Recommendation: Excellent product for use on individual
workstations. Marginal value on gateways. Check out
http://www.zonelabs.com/store/content/home.jsp for more
information.
Kerio Personal Firewall also offers
very effective protection. It is highly configurable (more so than
Zone Alarm), and is especially adept at intrusion
detection and prevention. One of its best features will appeal to
the more sophisticated user, as it offers a real-time view of
incoming and outgoing traffic for each application and port.
Unlike Zone Alarm Pro,
Kerio Personal Firewall does
not offer an integrated security suite, but it does interoperate
well with AVG Anti-Virus from GriSoft. If you are already an AVG
user and desire more information as to what's happening on your PC,
then the move to Kerio Personal Firewall makes a great
deal of sense.
Recommendation: Excellent product for use on individual
workstations. Marginal value on gateways. Check out
http://www.kerio.com/kerio.html for more information. StarLAN
Consulting Services is an authorized reseller for Kerio
products.
WinProxy Secure Suite.
OSITIS/Bluecoat
Software's WinProxy Secure Suite is perhaps the best of all the software-based
firewall offerings. While WinProxy can be used on individual
workstations as a highly effective firewall, it really comes into its own when
it is used on a dedicated
Internet gateway PC. When used in this manner, WinProxy's advanced
firewall technology offers enterprise-grade system protection for
your network.
WinProxy's firewall is one of the new generation of 'hybrid'
firewalls, and the technology employed is similar in
function to that used on dedicated products that sell well
into the five and six figure range. These firewalls are a
synergistic combination of packet-level and
application-level firewalls. The packet-level firewall
inspects the headers of every packet. Decisions to allow or
disallow the packet are based upon source and destination
addresses as well as source and destination ports. This
inspection has little to do with packet content or
subsidiary headers like URLs. "Stateful" packet filters -
like WinProxy - allow the firewall to correlate new packets
with previous traffic as part of the decision process.
WinProxy's packet-level firewall lives 'close to the wire',
between the network card and the TCP/IP stack. This firewall
makes its decisions before the packets even reach the TCP/IP
stack, and well before any applications might see them. The
application-level firewall regulates the TCP/IP stack from
above rather than from below. It cannot change how your
system handles individual packets, but it is well-suited to
making session decisions. Communication sessions can be
limited by any number of rules, all of them available to the
administrator. These can include decisions based upon the
content of the packets.
WinProxy's application-level firewall thus allows virus
scanning, site restrictions, caching, and a host of other
features - all of which are available as plug-in engines.
This allows you to select the type and level of protection
that your business data security demands.
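The two-layer design described above can be shown in a few dozen lines. The following is an added illustration, not WinProxy's code or anything from the page: the packet-level layer decides on source and destination addresses and ports only, with no look at payload, and the application-level layer sees only sessions that survived the first layer and applies a content rule (a URL filter keyed on the HTTP Host header). The addresses, the rule set and the blocked host names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class HeaderRule:
    """Packet-level rule: looks only at addresses and destination port,
    never at payload, which is all the 'close to the wire' filter sees."""
    action: str                      # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


def packet_level(rules: List[HeaderRule], pkt: Packet, default: str = "deny") -> str:
    """First matching header rule wins; an unmatched packet gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed URL-filter list (the .invalid TLD is reserved, so these names never resolve).
BLOCKED_HOSTS = {"ads.example.invalid", "tracker.example.invalid"}


def application_level(pkt: Packet) -> str:
    """Session-level rule over request content: a simple URL filter for HTTP."""
    if pkt.dport != 80:
        return "allow"              # only HTTP sessions are inspected in this example
    try:
        lines = pkt.payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "deny"               # not a well-formed HTTP request header
    host = ""
    for line in lines[1:]:          # skip the request line, look at the headers
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip().lower()
    return "deny" if host in BLOCKED_HOSTS else "allow"


def hybrid_decision(rules: List[HeaderRule], pkt: Packet) -> str:
    """Packet level runs first; the application level sees only what survives it."""
    if packet_level(rules, pkt) == "deny":
        return "deny:packet-level"
    if application_level(pkt) == "deny":
        return "deny:application-level"
    return "allow"


# Constructed rule set for a 192.168.1.0/24 LAN behind the gateway.
RULES = [
    HeaderRule("deny", dst_net="192.168.1.0/24", dport=3389),   # no inbound remote desktop
    HeaderRule("allow", src_net="192.168.1.0/24", dport=80),    # LAN may browse
    HeaderRule("allow", src_net="192.168.1.0/24", dport=443),
]


def demo() -> dict:
    """Run a few constructed packets through both layers and return the verdicts."""
    http = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    ads = b"GET /banner HTTP/1.1\r\nHost: ads.example.invalid\r\n\r\n"
    return {
        "inbound_rdp": hybrid_decision(RULES, Packet("203.0.113.5", "192.168.1.10", 3389)),
        "lan_browse": hybrid_decision(RULES, Packet("192.168.1.10", "198.51.100.7", 80, http)),
        "lan_adserver": hybrid_decision(RULES, Packet("192.168.1.10", "198.51.100.8", 80, ads)),
        "lan_smtp": hybrid_decision(RULES, Packet("192.168.1.10", "198.51.100.9", 25)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The point of the split is visible in the verdicts: the ad server request has perfectly acceptable headers (LAN source, port 80) and passes the packet level, and only the content rule stops it; the inbound remote-desktop attempt never reaches the application level at all.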
- Gateway antivirus protection
- Gateway antispyware protection
- Gateway anti-spam filtering
- Gateway URL Filtering
Recommendation: Outstanding product for use on individual
workstations, but it is best used on a dedicated Internet gateway. No
other product comes close.
http://www.ositis.com/index.asp StarLAN Consulting
Services is an authorized reseller for WinProxy products.
Kerio WinRoute
Firewall 6.
This
powerful package from Kerio sets new standards in versatility,
security and user access control. Designed for corporate networks,
it defends against external attacks and viruses and can restrict
access to websites based on their content. Web content-filtering and
antivirus screening plug-ins come at extra expense. This product is
not recommended for the casual user, nor is it appropriate for
individual workstation use. Typical applications involve small
business networks with 10 or more users. Expert knowledge of network
security issues is a prerequisite for taking full advantage of what
this package has to offer. Policy-based NAT, user-based rulesets and
many other features make this a highly flexible and desirable
package for a corporate network.
Recommendation: Outstanding product
for use on a dedicated network gateway,
and not for the inexperienced
user.
StarLAN Consulting Services is an
authorized reseller for Kerio products.
See the section on Anti-Virus and
Anti-Spyware packages for a good overview of our recommendations.
Hardware
Firewalls.
Generally speaking, hardware firewalls are harder to compromise than those that are strictly
software-based - although there is one notable exception to this rule:
WinProxy Secure Suite by OSITIS/Bluecoat Software.
At the entry level, many manufacturers
such as Linksys and Netgear combine router and firewall functionality
in a single box. So, when you take a look at the more affordable
models, you will more than likely be looking at a product that
defines itself as a router first. Don't let this deter you. Look for
the product that combines a router with good SPI firewall and Network
Address Translation (NAT). To pick the router that offers the level
of security you want for your network, you need to know about the two
levels of router security:
BASIC
- NAT Technology (Network Address Translation) - Prevents hackers from seeing (and attacking) your network address while you're surfing the web. NAT technology translates the IP addresses of a local area network to a different IP address for the Internet. Each computer on your network has a local IP address. When the router gets a data transmission to forward out to the Internet, it puts a different IP address on the transmission. This way, whoever receives the data transmission doesn't know what the actual IP address of the computer is, so the computer is hidden, safe from prying eyes. But experienced hackers know how to spoof their way around a simple NAT-based firewall, so NAT alone is generally not sufficient to protect your network as well as it should be.
ADVANCED
- Stateful Packet Inspection (SPI) Firewall - Inspects packets of information coming into your system to make sure they are not an attack from a hacker. SPI is a type of firewall that inspects incoming data packets to make sure they correspond to an outgoing request. Unsolicited—and possibly harmful—packets are rejected.
- Virtual Private Network (VPN) - Enables communication with another computer or your company's network over the Internet with a secure, encrypted connection. When your data transmission leaves your local network, the data itself is not protected unless you establish a VPN. When you use a VPN, you are creating a secure connection between your network and another one over the Internet. Setting up a VPN connection can be somewhat complex - it is definitely not a beginners' exercise. Another consideration is that of overhead - VPN connections require quite a bit more processing at each end of the connection — at least two layers of additional packet information and encryption have to be added to and peeled away from each and every packet passed across the connection. Not a problem if your systems can handle the additional overhead; older systems may not be up to this task. VPNs are frequently used by businesses. Here are a few examples:
  - A branch office uses a VPN connection to function as if everyone were directly connected to the corporate headquarters office LAN.
  - A telecommuter has a VPN connection from his home office to the local office.
  - Using her laptop, a corporate trainer who's on the road has a VPN connection from the hotel room to the office.
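The NAT and SPI items above describe one mechanism from two sides: the translation table that hides the LAN address is also the connection state that a stateful firewall consults. The following added example (constructed for this page, not vendor code) walks a single web request through a small router model: the outbound packet gets the router's public address and a fresh public port, the reply is matched against the recorded state and forwarded back to the LAN host, an inbound packet with no matching entry is dropped as unsolicited, and a packet that arrives on a mapped port but from a different peer than the LAN host contacted is dropped by the stateful check even though a translation table alone would have forwarded it. All addresses are from documentation ranges and are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed public address of the router's Internet side


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatSpiRouter:
    """A NAT translation table used as the state for inbound packet inspection."""

    def __init__(self) -> None:
        self._next_port = itertools.count(40000)
        # public port -> (lan ip, lan port, remote ip, remote port): the recorded "outgoing request"
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host sends a packet out. Record the connection and rewrite the
        source so the private address never appears on the Internet."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, state in self.table.items():
            if state == flow:               # existing connection: reuse its mapping
                break
        else:
            pub_port = next(self._next_port)
            self.table[pub_port] = flow
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives from the Internet. Forward it to the LAN host only if it
        answers a recorded outgoing request; everything else is dropped."""
        state = self.table.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
        if state is None:
            self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return None
        lan_ip, lan_port, remote_ip, remote_port = state
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            # A translation table alone would forward anything addressed to a mapped
            # port; the stateful check also requires the sender to be the peer the
            # LAN host actually contacted.
            self.log.append(f"DROP state mismatch {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
            return None
        # Reverse translation: put the LAN host's private address back on the reply.
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo() -> NatSpiRouter:
    """Walk one constructed web request through the router and return it for inspection."""
    router = NatSpiRouter()
    request = Packet("192.168.1.20", 51515, "198.51.100.7", 80)
    on_the_wire = router.outbound(request)                 # source becomes 203.0.113.10:40000
    router.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, on_the_wire.src_port))     # reply: forwarded
    router.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, 40001))                    # no state: dropped
    router.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, on_the_wire.src_port))   # wrong peer: dropped
    return router


if __name__ == "__main__":
    r = demo()
    print("state table:", r.table)
    print("\n".join(r.log))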
Recommendations:
This set of recommendations is a bit tougher to make. The needs
of individual Small Office/Home Office (SOHO) operations and
those of small to medium-sized businesses can and do differ
widely. Some small business operations are well served by
some entry-level products, and there may be some SOHO users who
require enterprise-class security for their networks.
See the section on
Hardware Firewalls and
Routers for a good overview of the equipment and options.
StarLAN Consulting Services can
help you to determine which solution is appropriate for your
business.
StarLAN Consulting Services
is an authorized dealer and Medallion Partner for SonicWALL products and services.
Please contact us for
pricing, specifications and assistance with selection,
installation and integration with your network.