Antivirus and Content Security Cluster Solution
#1

Security Cluster


Many organizations are working hard to secure themselves from the growing threats of computer viruses, Trojan horses, hacker agents, worms, and other malicious code. Yet the headlines are dominated with news of the latest computer related disaster more frequently than at any time before. This document intends to review this problem and propose several possible solutions. The antivirus industry has been responding to these threats with ever-quicker responses to the rapid onslaught of malicious code, while corporations establish strict virus protection policies. Yet the number of related disasters continues to grow with over $12 billion in damage in the first 6 months of 2000 alone. It is proposed that the problem may reside in the lack of more comprehensive protection measures.

Placing an organization's entire antivirus defense at the desktop level is similar to locking all of the doors in a house while leaving windows and other entry points open. While desktop antivirus is a necessary protection against the traditional computer virus that was typically transferred by floppy disks, CDs etc., and the primary virus security option for highly mobile laptop users, it is important to understand the limitations of this single point of defense. Virus writers have already seen this trend in protection, and have switched their strategies to leverage other entry points into the enterprise.

The International Computer Security Association (ISCA) recently published the results of its annual Computer Virus Prevalence Survey 2000, which indicates that 87% of all major virus infections are now transmitted through e-mail. And given the speed of this electronic communication, these newer computer viruses can spread much faster than the time required to update all of the desktop and laptop systems in a medium or large organization. Recognizing this change in behavior, Trend Micro developed patented technologies in the mid-1990s to stop viruses transmitted through email and the Internet before they could reach the desktop. While protecting 54% of the world's Internet gateways, Trend Micro recognized the need for a scalable high-availability antivirus security solution, and has partnered with Stonesoft to help provide it. Stonesoft, building on the tremendously successful clustering technology of its StoneBeat FullCluster software, created the StoneBeat SecurityCluster product designed to provide the benefits of clustering technology to content security solutions such as Trend Micro's InterScan VirusWall. Together, the StoneBeat SecurityCluster and InterScan VirusWall provide a scalable, high-performance, high-availability clustering solution for antivirus and content scanning. These proven, award-winning technologies can meet the needs of the most demanding of environments, while their respective focus on manageability has automated many tasks and simplified administrative functions through easy-to-use interfaces developed through years of customer feedback.

The Security Threat

The Internet Age has arrived, bringing free-flowing information to people and businesses throughout the world. And while it has unleashed new business, education, research, and communication opportunities, it has also introduced an explosion of new security threats. Many recent attacks have received worldwide attention including the Melissa virus, Love Letter, Bubble Boy, and numerous Denial of Service (DoS) attacks. Reuters reported that over $12 billion in damage was caused by computer viruses in the first 6 months of the year 2000 alone. According to Tippet's Law of Malicious Code, the virus problem doubles about every 14 months. Taking into consideration a number of figures from worldwide research along with its in-house numbers, Trend Micro estimates that the total number of viruses in 1999 was 30,000 (Figure 1). And research now shows that 87% of virus infections are contracted through e-mail.

Source: Trend Micro


The intranets, extranets, and e-commerce websites that carry business-critical applications continue to proliferate. As businesses build electronic relationships with suppliers, customers and partners, the number of entrance and exit points for mission-critical information in enterprise networks is burgeoning. The resulting complexity for IT managers attempting to implement thorough security measures, while maintaining performance objectives, presents a potentially overwhelming task.

Viruses Attack Vital Resources

Computer viruses, Trojan horses and other malicious code are serious threats to worker productivity. Viruses are the most common of these threats, coming in five flavors: boot sector viruses, macro viruses, program file infectors, multipartite viruses and script viruses.

A Trojan horse is an apparently harmless program, often in the form of an e-mail message attachment, which contains malicious code. Once a Trojan gets into a computer or computer network, it can unleash a virus or other malicious code to take control of the computer infrastructure, compromise data or inflict other damage. For example, the infamous Melissa virus that struck on March 26, 1999 is a good example of a harmful Trojan. Attached to a harmless-looking e-mail message, the virus accessed Microsoft Outlook, replicated itself, and sent itself to many other users listed in the recipient's e-mail address book. The resulting e-mail flurry caused many Microsoft Exchange servers to shut down, while user mailboxes were flooded with bogus messages.

Malicious code, consisting of applets written in Java or ActiveX controls, is a new threat posed by the Internet. Code from these active content technologies often resides on Web pages and enters computer systems via the Internet to access user information. This access can facilitate legitimate business or other transactions or can execute malicious activities such as erasing data stored on hard disks or surreptitiously copying and transmitting data to eavesdropping third parties. If a virus infects a revenue-generating e-commerce application, resulting in downtime, the cost to the business could potentially reach millions of dollars. However, these threats not only compromise enterprise computers by rapidly infecting entire networks, they can also invite unauthorized access to sensitive enterprise information resources.

Beyond the Desktop

More desktops are protected today with antivirus software than at any other time. The vast majority of large corporations have implemented comprehensive antivirus security programs for their networked computers. Yet we have recently seen more widespread damage from major virus outbreaks than in any other time in history. Computer viruses represent the greatest security concern for IT managers today (Figure 2).

Source: Information Week Global Information Security Survey of 2700 Security Professionals, July, 1999

It is easy to see that desktop antivirus alone cannot address the overall threat. This is why IT managers are considering solutions at the gateway to block viruses before they can reach the desktop. They are doing this because they have identified the reasons that desktop antivirus has failed as a single, sole security measure. Desktop antivirus solutions, when properly installed and maintained, are highly effective protection against virus threats. However, in the real world, desktop systems are constantly changing with the installation of new software, software updates, and configuration changes. These can interfere with the antivirus software's ability to detect viruses by unintentionally deactivating or blocking portions of the software that would otherwise detect a particular threat. Most often the virus pattern files (the database that the antivirus software uses to identify what is, and is not, a virus) are out of date because the update mechanism has been interfered with. Since the antivirus software runs quietly in the background, the user is unaware when it stops running in the background until they get a virus. Part of the solution has been addressed through the development of office-oriented solutions instead of desktop solutions. In addition to providing centralized management, these solutions incorporate a number of techniques that enable IT managers to verify the effectiveness of each desktop system's antivirus installation, force updates, block user access to the antivirus software and perform other functions to ensure that each desktop system is current and running correctly.

Gateway Security

The largest challenge facing IT managers regarding virus security, particularly in large networks, is the response time required to update all of the network's PCs when a new virus outbreak occurs. When a threat like the Love Letter virus can spread around the world in less than one hour, the time required to update all networked PCs is completely inadequate. And such an inadequacy can cost a business millions of dollars in damage. On the other hand, a handful of Internet and e-mail gateways can be updated in a matter of minutes. With the gateways monitoring all inbound traffic for potential threats, the desktop update process can take place to provide protection from the floppy disk or CD-ROM a user may receive tomorrow from someone with an infected system. IT managers need to have a complete antivirus security solution, but with the numerous virus outbreaks that have occurred recently, it is clear that they must implement security systems that give them the control and the ability to respond in a major disaster situation. The gateway has become the most vulnerable point for Internet-based threats. But the gateway serves mission-critical business functions. So IT managers have several key concerns about implementing such a gateway solution.

Stability: Is the antivirus solution going to work smoothly with the other hardware, software, firewall and network systems?

Availability: How will the antivirus solution provide scalability, maintainability, and overall availability of the core gateway function?

Performance: With bandwidth at a premium, will the antivirus security solution impact the gateway's performance?

Scalability: Is the solution able to grow with the company's needs? Can it do so without interrupting critical network services?

Many organizations can address these issues with minor investments in memory upgrades, configuration changes, or other common practices to support the addition of a new application on an existing system. Others may set up a dedicated antivirus system as a proxy device. But many others will need a more advanced solution to effectively support their current and long-term business needs.

The Effective Security Solution

A truly effective Internet gateway antivirus security solution must be constantly active, current and in full force without causing disruptions to critical network services. A VirusWall must be stable and function transparently to the end user. Stability is achieved by gaining appropriate product expertise and through close attention to installation and configuration options. But transparency requires that the solution function without noticeably impacting the other network applications and services. Today's enterprise networks must take into account the high-availability expectations for critical network services and applications. The most effective antivirus security solution will support those expectations through performance, scalability, and maintainability. Given the complexity of many of today's enterprise networks, even the top-performing security solutions may soon become inadequate unless they address these issues.

Clustering for Gateway performance and availability

There is a limit to the high-availability, scalability, and maintainability that can be achieved with a single security gateway. Even the option of upgrading hardware (with more RAM, faster processors, etc.) will require the interruption of gateway services. Therefore, using computer-clustering technology to create a VirusWall Cluster can offer many immediate benefits.

1. A VirusWall Cluster solution provides an enviable quality of service level through system availability by eliminating the single-point-of-failure with redundancy. Even during scheduled shut-downs users will continue to receive the benefits and protection of the VirusWall, while individual servers within the cluster are taken off-line for maintenance or upgrades. And during normal day-to-day operations, a VirusWall Cluster solution, utilizing Stonesoft's StoneBeat technology, provides true dynamic load balancing across the cluster to optimize the use of all available resources.

2. A VirusWall Cluster solution provides the scalability to add to the number of servers in the cluster to support increased performance demands due to company growth or simply periods of increased traffic. An unexpectedly high response to a news or industry event, advertising promotion, etc. would benefit from the temporary addition of one or more servers rather than lose prospective business due to system bottlenecks.

3. Clustering solutions generally offer a straightforward economic advantage by allowing the IT manager to increase performance with commodity-style PCs rather than invest in larger systems that have little function beyond the original purpose for which they were purchased. However, it is important to note that generic clustering products, while improving availability aspects, commonly create new problems for the IT manager. Therefore, it is important to choose a clustering solution designed to manage content. The Stonesoft SecurityCluster is the only scalable high availability solution dedicated to content scanning. This paper will further discuss the characteristics of a fully engineered, proven, secure high-availability solution.

Antivirus Clustering in Practice

In general, there are three different architectural options used to set up an antivirus cluster: Vectoring Configuration, Gateway/Proxy configuration, and a Split Gateway configuration:

Vectoring Configuration

A typical vectoring configuration places the antivirus solution security server in the DMZ, just behind a firewall (Figure 3). In this configuration the firewall sends any potentially harmful content or malicious code to the VirusWall for inspection before passing it on, utilizing a dedicated communication protocol established between the firewall and the VirusWall.

Gateway / Proxy configuration

Another possible network configuration is the proxy configuration (Figure 4). In this topology the antivirus security server is on the trusted side of the network directly behind the firewall. This seemingly straightforward configuration has some evident downsides if not clustered.
Recursive decompression and antivirus scanning make antivirus protection more CPU-intensive than firewall services, which means that the security server can potentially slow down all network traffic. Further, a single security server in this configuration will take the entire network down in the event of a security server outage (planned or unplanned). However, the StoneBeat SecurityCluster solution makes this configuration option feasible because the single point of failure is now removed and the computational performance will no longer be an issue. In fact, thanks to clustering, this configuration becomes very appealing again since it relaxes both the firewall and the virus wall from using any additional protocols for inter-communication.
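
The cost of recursive decompression that the proxy-configuration paragraph above refers to, as an added example that is not part of the original post and is not Trend Micro or Stonesoft code. It goes one step beyond the text by capping the work a gateway scanner accepts per message; the marker string, the limits and all function names are assumptions made for illustration.

```python
import io
import zipfile

SIGNATURE = b"DEMO-MALWARE-MARKER"  # constructed marker, not a real virus pattern
MAX_DEPTH = 5                       # assumed policy: deepest archive layer opened
MAX_BYTES = 10_000_000              # assumed policy: bytes inspected per message


class ScanLimitExceeded(Exception):
    """Unpacking would exceed the configured work budget."""


def scan(data, name, depth=0, stats=None):
    """Scan one object and every ZIP layer inside it; return (findings, stats)."""
    stats = stats if stats is not None else {"objects": 0, "bytes": 0}
    stats["objects"] += 1
    stats["bytes"] += len(data)
    findings = [name] if SIGNATURE in data else []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            raise ScanLimitExceeded(f"{name}: nested deeper than {MAX_DEPTH}")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Check the declared size before inflating the member.
                if stats["bytes"] + info.file_size > MAX_BYTES:
                    raise ScanLimitExceeded(f"{name}: byte budget exceeded")
                child = f"{name}!{info.filename}"
                findings += scan(zf.read(info), child, depth + 1, stats)[0]
    return findings, stats


def gateway_verdict(data, name="mail.zip"):
    """Fail closed: infected, malformed or too-costly content is blocked."""
    try:
        return "block" if scan(data, name)[0] else "pass"
    except (ScanLimitExceeded, zipfile.BadZipFile):
        return "block"


def build_nested(payload, levels):
    """Construct sample input: payload wrapped in `levels` ZIP layers."""
    data, inner = payload, "payload.bin"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner, data)
        data, inner = buf.getvalue(), f"layer{i}.zip"
    return data


if __name__ == "__main__":
    print(scan(build_nested(b"header\n" + SIGNATURE + b"\n", 3), "mail.zip"))
```

Each archive layer adds another object to inflate and match, which is the extra CPU load the post attributes to content scanning compared with firewall services.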


#3
Wow, your idea is standing beyond expectation. I really appreciate this content, it's a really amazing one.