Network security threats are becoming more frequent and increasingly expensive. According to ZDNet, computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, up from between $20 billion and $30 billion in 2002. In addition to short-term financial loss, these disruptions can seriously damage an organization's prestige and customer goodwill. And in industries like healthcare and finance, where recent security legislation has been introduced, network security breaches can trigger expensive legal consequences.
To remain competitive, enterprises must be able to prevent network attacks and to control outbreaks of viruses and worms before they impact the business.
As organizations increasingly rely on their networks and add new applications, their vulnerability increases. Enterprises can no longer afford to combat these threats with point security products or reactive solutions. They require an integrated, end-to-end security solution that anticipates future attacks and protects every point of their networks, inside and out.
This paper discusses the scope of possible network security threats (known and unknown), the types of outbreak vectors and how they spread, and why outbreaks affect enterprises. This paper is appropriate for technical security operations managers and network operations managers in enterprise organizations.
A companion paper, entitled Preventing Worm and Virus Outbreaks with Cisco Self-Defending Networks details how to prevent, detect, react to, and restrict outbreaks and reinfection using the Cisco® Self-Defending Network strategy, which provides real-time defense from known and unknown worm and virus attacks.
OUTBREAK THREATS
The biggest security challenge facing enterprises today is how to minimize the impact of viruses and worm outbreaks. The most significant impact comes with the initial outbreak, which can be known or unknown.
• Known worms and viruses have previously been seen; signatures or definition files have been compiled to detect and prevent these types of infection.
• Unknown ("day-zero") attacks are much more difficult to detect and contain; they can propagate globally within hours or minutes.
While most worms and viruses target computing resources like servers and end-user desktop computing systems, some worms aim to disrupt network resources such as routers and switches. Most worms and viruses cause erratic behavior that results in buffer overflows and system crashes. Some viruses delete files, initiate denial of service (DoS) attacks, and leave Trojan horses, which are executable files that open "back doors" to a remote host. End users typically experience viruses and worms as irritating disruptions, but these outbreaks have begun to cause significant economic damage for enterprises. External security attacks have more than doubled in the past year. According to a 2004 Deloitte & Touche survey, 83 percent of respondents said that their systems had been compromised, compared to 39 percent in 2003. And 40 percent of the 2004 survey respondents said that they sustained financial losses.
WHY DO THESE OUTBREAKS "HURT" ENTERPRISES?
Outbreaks are costly to enterprises for two main reasons. First, viruses and worms are costly to manually isolate and remove. They force businesses and IT staff to spend time deleting large volumes of spam e-mail, reactively patching and cleaning systems, and loading hot fixes, service packs, signature files, and antivirus software. Although some patches are easier to apply than others, they still require a degree of testing before most enterprise customers will deploy them widely. This affects operational cost and productivity for enterprises of any size, which diminishes corporate profits.
Second, outbreaks disrupt business continuity. The worm propagation mechanism has the greatest impact on the health of the network. The damage stems from a worm's intense network scanning, which consumes end-system CPU resources and accessibility, network device processing cycles, and network bandwidth. The rapid rate of infection and the aggressive scan rate cause traffic congestion and network instability.
In network devices with flow-based ("on-demand") switching, flow-based hardware caches quickly overflow under the abnormally high number of flows established. The ability of the CPU to process control-plane traffic (using Enhanced Interior Gateway Routing Protocol [EIGRP], Open Shortest Path First [OSPF], or Bridge Protocol Data Unit [BPDU], for example) also suffers with the abnormally high flow rate. CPUs spike to 100 percent, router forwarding tables become overloaded, and extreme volumes of traffic cause packet loss.
Under the heavy load and exponential growth in network traffic, high packet-loss rates disrupt mission-critical systems, degrade application performance, and cause business applications and their associated services (airline, train, university, or financial services, for example) to become unavailable.
KNOWN OUTBREAKS
Outbreaks that have gained popularity and notoriety in recent years include Code Red, I Love You, Melissa, Nimda, SQL/Slammer, Blaster, SoBig, MyDoom, and Sasser. These outbreaks and their variants have already been detected, and signatures and antivirus definition files have been compiled to patch endpoint systems. While measures have been taken to protect networks against these known outbreaks, it is important to understand that these threats must not be overlooked; they can still cause damage. Many factors can cause organizations to be susceptible to known outbreaks, including:
Time Constraints
The sheer size of some organizations makes it difficult to patch all systems and endpoints. Many companies, even small ones, test patches before applying them, particularly for critical servers and applications. For systems that need to be regression-tested, the delay may allow a known infection to spread through the network. According to the SANS Institute's Internet Storm Center, variants of known worms are specifically designed to scan for and target systems that do not yet have the patch, or that have failed to close down a particular port on a firewall or gateway that provides an ingress point to the network.
Unprotected Systems
Known worms and viruses can make their way back into an enterprise on portable computers that have not yet downloaded the latest patches or definition files. Outbreaks can occur from uncontrolled devices, such as guest, temporary employee or consultant laptops, that are directly attached to the inside of the network. Worms and viruses may also gain entry into the corporate network through a trusted tunnel, such as a remote-access service (RAS) or a Virtual Private Network (VPN). In these scenarios, mobile or remote users inadvertently circumvent perimeter protection systems.
Risk of Reinfection
Some worms and viruses can reinfect machines even if the systems have the most up-to-date virus signatures and patches. Worms are difficult to remove because they often make numerous changes to registry and system files, including administrative shares and guest accounts, that can later be used to reinfect systems. This is critical in many service industries like airline and railway transportation, universities and financial institutions. You may have cleaned up a Slammer-like worm, cut off ports where infected hosts entered the network, and patched the infected hosts, when suddenly there is another outbreak on another part, or even the same part, of the network. Reinfection frequently occurs where a temporary access control list (ACL) that blocks a port (SQL, for example) has been lifted after the infection has been remediated or contained. Non-IT-supported parts of the network are particularly subject to reinfection.
Even if a worm is known, proper action must be taken to implement defenses that protect against reinfection, both at the main ingress points and inside the corporate network. An enterprise that has been patched and appears safe may still become infected or reinfected by known worms or variants. Vigilant patching, frequent antivirus updates, firewalls, worm filtering gateways, and intrusion detection and prevention systems (IPSs) are essential, but offer only a partial solution. Implemented individually, they may not be enough to defend an enterprise against known threats and the damage associated with them.
UNKNOWN OUTBREAKS
Security functions have traditionally been reactive. Systems such as network IDSs and various forms of antivirus products are useful signature-based methods to identify known attacks; however, they do not always help with new exploits. These signature-based systems require an update before they can provide protection, and this opens the door for unknown outbreaks. The challenge for enterprises is how to prevent outbreaks until the relevant update is available.
Worms such as MyDoom, Code Red, and Nimda are demonstrating new outbreak vectors and fast-spreading outbreaks. These worms initiate blended attacks (combined outbreak vectors) with new vectors such as Linux attacks, peer-to-peer networks, and instant messaging. They use dynamic code updating from the Internet, or attack to disable antivirus software. Malicious payloads may be used to launch Distributed Denial of Service (DDoS) attacks, install keystroke-logging Trojan horses, or leave behind a DoS agent that targets a specific URL using TCP SYN floods. Although most worms and viruses target vulnerable endpoints, they can also overwhelm network links and equipment with high volumes of traffic.
Following its release on the Internet, an attack can spread in a matter of weeks, days, hours, minutes, or even seconds. Some undetected worms may lie dormant or cause no immediately noticeable damage, then suddenly probe other endpoints to propagate. Other worms infect a host, then perform a slow, almost undetectable scan of the network until they reach critical mass, at which time spreading rates become exponential. And many modern worms and viruses are polymorphic, changing easily, which makes detection much harder.
Once an outbreak occurs, the propagation rate of worms can be surprisingly fast, infecting vulnerable hosts within minutes or even seconds with small payloads. Some worms, such as CodeRed II, spread rapidly because they can scan random address blocks. The programming uses a random seed that does not differentiate between reserved and public address space. As a result, these worms can infect many more machines at randomly selected IP addresses, in less time and with little predictability. When Slammer was prevalent, there were approximately 54,000 scans per second of servers at various Internet peering points, which had a major impact on both server and network performance. Generating User Datagram Protocol (UDP) packets at wire-speed rates allowed Slammer to carry the worm at the maximum traffic rates. Viruses tend to propagate more slowly than worms, but modern viruses can still have a major impact in the first 24 hours. For example, the SoBig virus produced a million copies in a 24-hour period.
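The propagation dynamics described in the two paragraphs above (a slow start, then exponential growth once enough hosts are infected, with the speed set by each host's scan rate and by how much of the scanned address space actually contains vulnerable hosts) can be made concrete with a small epidemic model. The following is an added example, not part of the original paper and not a Cisco tool; the vulnerable population, scan rates and the 2^32 address space are illustrative assumptions, not measurements of any real worm.

```python
# Added example (not from the Cisco paper): a discrete-time SI epidemic model
# of a random-scanning worm. All parameter values are assumptions chosen for
# illustration; nothing here is a measurement of Slammer or any other worm.
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WormParams:
    scan_rate: float       # probes per second emitted by each infected host
    vulnerable: int        # N: hosts that would be infected if probed
    address_space: float   # A: size of the space targets are drawn from
    initial: int = 1       # hosts infected at t = 0


def simulate(p: WormParams, dt: float = 1.0,
             max_time: float = 3600.0) -> List[Tuple[float, float]]:
    """Return (time, infected_hosts) samples until saturation or max_time.

    Each infected host sends scan_rate*dt probes per step. A uniformly random
    probe lands on a still-susceptible host with probability (N - I) / A, so
    probes into reserved or unallocated space (part of A, but holding no
    vulnerable hosts) are simply wasted, as the paper describes.
    """
    infected = float(p.initial)
    history = [(0.0, infected)]
    t = 0.0
    while t < max_time and infected < p.vulnerable - 0.5:
        probes = infected * p.scan_rate * dt
        new_infections = probes * (p.vulnerable - infected) / p.address_space
        infected = min(float(p.vulnerable), infected + new_infections)
        t += dt
        history.append((t, infected))
    return history


def time_to_fraction(history: List[Tuple[float, float]], frac: float,
                     total: int) -> Optional[float]:
    """First sample time at which at least frac*total hosts are infected."""
    for t, i in history:
        if i >= frac * total:
            return t
    return None


def doubling_time(p: WormParams) -> float:
    """Early-phase doubling time: while I << N the growth rate is
    scan_rate * N / A per second, so faster scanning or a larger vulnerable
    population shortens the window defenders have to react."""
    return math.log(2) * p.address_space / (p.scan_rate * p.vulnerable)


if __name__ == "__main__":
    for rate in (100.0, 1000.0, 4000.0):
        p = WormParams(scan_rate=rate, vulnerable=75_000,
                       address_space=2.0 ** 32)
        h = simulate(p, max_time=86_400)
        print(f"{rate:6.0f} probes/s per host: doubling time "
              f"{doubling_time(p):7.1f} s, 50% infected after "
              f"{time_to_fraction(h, 0.5, p.vulnerable)} s")
```

The curve the model produces is the one the paper calls "critical mass": with one seed host the first few minutes look quiet, after which the infected count doubles every few seconds until the vulnerable population is exhausted. Quadrupling the per-host scan rate quarters the doubling time, which is why containment that waits for a signature update arrives too late for a fast worm.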
In most enterprises, the first indication that an outbreak (or critical mass) is occurring comes from the weakest links or bottlenecks in the network. The firewall may be overloaded trying to service connections. There may be high CPU utilizations on first Layer 3 hops adjacent to infected hosts. There may simply be high link utilizations. While these kinds of anomalous network behaviors signal possible outbreak problems, it is far more desirable to use a system that is designed to detect and signal network problems.
No single product can protect an organization from an outbreak. Prevention measures must be part of a comprehensive strategy that is properly implemented across the entire enterprise to create a complete line of defense. This strategy must include a combination of solutions and processes, as part of an established security policy, that mitigate the impact of an outbreak if an unknown worm or virus does manage to get inside the organization.
THE CISCO SELF-DEFENDING NETWORK STRATEGY
Cisco Systems provides a full suite of security products and features that work together to protect your network from potentially devastating outbreaks, from inside and out, deliberate or unintentional. The Cisco Self-Defending Network strategy is based on the unique collaboration of IP networking and security technologies and services that provide comprehensive security across the entire network. Through this collaboration, Cisco offers security that is integrated into all network platforms, including routers, switches, wireless access points, desktops, and servers. Figure 1 draws an analogy between network security and the often more familiar physical security. The similarities are striking and emphasize the need to implement security as a system.
Figure 1. Comparison of Network Security to Physical Security
Proactive outbreak prevention helps ensure that servers and desktops remain healthy, that the infrastructure is protected, and that critical applications are available and accessible. Of the three solution pillars within the Cisco family of integrated security products, Cisco Trust and Identity Management systems and Threat Defense systems enable the identification, mitigation, and prevention of virus and worm outbreaks (Figure 2).
Cisco Trust and Identity Management systems, such as Cisco Access Control Server (ACS), 802.1X with Cisco extensions, and Network Admission Control (NAC) technologies, provide secure network access and admission at any point in the network, and isolate and control infected or unpatched devices that attempt to access the network. Cisco Threat Defense systems, using firewalls, intrusion prevention systems (IPSs), Cisco Security Agent, and URL filtering, also provide critical mitigation and prevention components in the overall outbreak prevention strategy.
Figure 2. Cisco's Self-Defending Network Strategy
Awareness of network activity and the ability to rapidly isolate sources of infection are crucial in the battle against worms and viruses. Cisco Threat Defense systems identify attacks to endpoints, applications, and the network infrastructure as they occur, and generate alerts as appropriate. Sink-hole routing provides early warning that an unknown worm is scanning the network. Cisco NetFlow and CiscoWorks VPN/Security Management Solution (VMS) tools provide a detailed view of traffic flow across a network, to help track and establish normal traffic profiles, and to provision security services appropriately.
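The paragraph above, like the earlier observation under UNKNOWN OUTBREAKS that the first sign of an outbreak is usually anomalous behavior near the infected hosts, rests on the same idea: establish what normal traffic looks like, then flag sources that depart from it. The code below is an added example, not part of the original paper and not NetFlow, VMS or any Cisco tool; it implements one simple version of that idea, a fan-out detector over constructed NetFlow-style records in which a scanning host is recognised because it contacts far more distinct destinations than its peers. The addresses, ports and thresholds are assumptions.

```python
# Added example (not from the Cisco paper; not a NetFlow or VMS feature): a
# fan-out based scan detector over NetFlow-style records. The flow data is
# constructed; IP addresses, ports and thresholds are assumptions.
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed records, one flow per line: src,dst,dst_port,proto,packets.
# Three ordinary hosts talk to a few servers. 10.1.1.99 behaves like a
# random-scanning worm: 200 distinct addresses on one UDP port, one packet each.
NORMAL_FLOWS = """\
10.1.1.5,10.1.2.10,80,tcp,12
10.1.1.5,10.1.2.11,443,tcp,30
10.1.1.5,10.1.5.1,53,udp,2
10.1.1.6,10.1.2.10,80,tcp,9
10.1.1.6,10.1.5.1,53,udp,2
10.1.1.7,10.1.2.10,80,tcp,15
10.1.1.7,10.1.2.12,445,tcp,4
"""
SCAN_FLOWS = "".join(
    f"10.1.1.99,10.9.{i // 256}.{i % 256},1434,udp,1\n" for i in range(1, 201)
)
SAMPLE_FLOWS = NORMAL_FLOWS + SCAN_FLOWS


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Parse the comma-separated records into dictionaries."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "proto": proto, "packets": int(pkts)})
    return flows


def fanout_by_source(flows: List[Dict[str, object]]) -> Dict[str, int]:
    """Distinct (destination, port) pairs each source contacted in the window."""
    targets = defaultdict(set)
    for f in flows:
        targets[f["src"]].add((f["dst"], f["port"]))
    return {src: len(t) for src, t in targets.items()}


def detect_scanners(flows: List[Dict[str, object]], multiplier: float = 10.0,
                    min_fanout: int = 20) -> List[Tuple[str, int]]:
    """Report sources whose fan-out is far above the population's median.

    The median of all sources' fan-out serves as the 'normal traffic profile'.
    A source is flagged only when its fan-out exceeds both an absolute floor
    and multiplier * median, so a single scanner cannot raise the baseline
    enough to hide itself, and quiet windows do not produce alerts.
    """
    fanout = fanout_by_source(flows)
    if not fanout:
        return []
    baseline = median(fanout.values())
    threshold = max(min_fanout, multiplier * baseline)
    return sorted(((s, n) for s, n in fanout.items() if n >= threshold),
                  key=lambda x: -x[1])


if __name__ == "__main__":
    for src, n in detect_scanners(parse_flows(SAMPLE_FLOWS)):
        print(f"possible scanner {src}: {n} distinct targets in window")
```

In practice the baseline would be learned over many windows rather than from one, and the detector would also look at the share of single-packet flows and of flows to addresses that never answer, both of which are high for random scanning and low for ordinary client traffic. The point of the example is the shape of the logic, not the particular thresholds.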
Once a worm or virus has been detected on the network, Cisco Threat Defense systems provide the ability to respond both reactively and proactively, to minimize the attack's ability to propagate.
• The first line of defense is to proactively isolate infections by securing network endpoints using Cisco Security Agent (CSA). CSA prevents the worm or virus from infiltrating the endpoint.
• Outbreaks can be contained using firewalls and intrusion prevention systems (IPSs) to segment the network.
• Software-based network protection mechanisms are built into Cisco IOS® Software on Cisco routers and Catalyst switches. Rate limiting, port-based anomaly detection, and traffic throttling minimize the impact of worm scans, and scavenger quality of service (QoS) helps ensure that normal traffic continues to receive service during an outbreak while suspect traffic is stopped.
CONCLUSIONS
Worms and viruses will continue to be successful as long as computing resources have security vulnerabilities that can be exploited. To protect itself, an enterprise must implement a comprehensive, multilayered, enterprisewide security strategy that protects against both known and unknown outbreaks, simultaneously.
Only Cisco provides a comprehensive, enterprisewide security solution that hardens the enterprise from the inside out. Cisco provides investment protection for growth technologies such as wireless and IP telephony, together with flexible implementation strategies, through software, network appliances, and security integrated directly into the network. From providing threat defense, to ensuring trust and identity, to securing communications, the Cisco Self-Defending Network strategy helps an enterprise protect, optimize, and grow its business.
For more information on Cisco integrated security solutions supporting the Self-Defending Network, please visit:
For more information on how Cisco Self-Defending Networks can uniquely resolve your business security challenges, please refer to the following white papers:
1. Outbreak Prevention Technology Overview, which details the security technology used to prevent the outbreaks described above. This overview identifies the need for a reinforced network infrastructure, with device-level and software resiliency built into the network architecture.
2. Outbreak Prevention Systems Overview, which details Cisco's comprehensive, enterprisewide "enterprise architecture" strategy to bring security intelligence into every location in the network infrastructure, including LANs, WLANs, campuses, metro area networks, the network edge, data centers, and branch offices.
THE OTHER WHITE PAPERS ARE CURRENTLY ENTITLED:
Preventing Worm and Virus Outbreaks with Cisco Self-Defending Networks
Preventing Information Theft With Cisco Self-Defending Networks