
Quarantine engine to defend enterprise network

| Source: ZATNI ARBI


Zatni Arbi, Contributor, zatni@cbn.net.id

One of the unwelcome repercussions of the escalating tension between Indonesia and Malaysia has been the explosion of cyber attacks. Hackers from the two neighboring countries have been increasingly active in attacking each other's websites.

This is completely undesirable because hacking and defacing websites will only deepen the resentment between the two countries. Even if a hacker from one country succeeds in defacing an official website of the other country, does that mean that the war is won?

Unfortunately, that is exactly what has been happening lately, despite calls from the more responsible members of the IT community to put an end to it.

However, the cyberwar also puts in the spotlight the fact that we are just as vulnerable in the cyberworld as we are at a busy intersection in Jakarta when the traffic light is red.

While hacking and defacing happen mostly during a period of animosity, more common security threats to our computing resources include viruses, Trojan horses, worms and denial of service (DoS) attacks. The targets vary tremendously.

Hackers may aim to create problems for the system administrators of their perceived enemies. A disgruntled employee may wish to take revenge by launching internal attacks on his company's own data center.

Recently, Alcatel, a company more widely known for its telecom products, showcased its latest network defense solution for enterprise computing. Called the Automated Quarantine Engine, it focuses on preventing virus and worm attacks on enterprise networks and works with third-party intrusion detection and prevention systems.

Prevention through containment

Perhaps not many people outside the IT industry realize that the French company also provides equipment for business enterprises, in addition to technology products for fixed and mobile telecommunications.

One of the most widely used pieces of network gear in its portfolio is the OmniSwitch, a series of intelligent network switches for workgroups and enterprises. Other products include OmniAccess for wireless local area networks (WLANs) and the OmniVista Network Management System.

Alcatel's new solution uses Sygate's host integrity, protection, enforcement and remediation technology together with IEEE 802.1X port-based network access control. Before a device is admitted to the network, it verifies that the device is protected by antivirus software with up-to-date virus definitions and a personal firewall, and that the required operating system service packs and patches are installed.

To understand how the solution works, let us look at the typical scenario for an unprotected network. When a user receives a virus-infected e-mail message or accesses infected media such as a floppy diskette, his computer becomes infected.

The virus then spreads to other parts of the network. When the attack is finally detected by the network administrator, he tries to identify the source of the virus and to isolate the infected machine with whatever tools are available to him.

Unfortunately, by this time the infected area may have grown to cover a major part of the network. Cleaning up each of the computers on the network is a time-consuming task, despite the availability of powerful tools.

In the meantime, the user, whose access to the network is denied, may become very frustrated. He is likely to make a series of attempts to access the network before calling the help desk.

Now, with Alcatel's CrystalSec framework, each time an attack is detected, its Automated Quarantine Engine (AQE) automatically isolates the offending device and places it in a virtual quarantine, where it can no longer reach the rest of the network.

There, the host integrity software examines the device's specific activity and determines whether it is a real attack or merely unusual but benign behavior. If a virus infection is confirmed, remediation is performed. If it turns out that the user was simply doing something that did not conform to the established policies but posed no threat, the policies may be adjusted slightly and the device released from the AQE back onto the network.

According to Alcatel, the strength of the AQE lies in the fact that this cycle requires no human intervention. The OmniSwitch also requires no additional hardware or software to support it.
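As an added illustration, not code from Alcatel, Sygate or this column, here is a small Python model of the two mechanisms described above: the host integrity check applied when a device asks for admission, and the quarantine engine's isolate, check, remediate, release cycle triggered by an intrusion detection alert. The VLAN names, patch identifiers, signature names and MAC addresses are all constructed for the example, and remediation is simulated rather than pushed to a real endpoint.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical VLAN names standing in for the switch's port assignments.
PRODUCTION_VLAN = "production"
QUARANTINE_VLAN = "quarantine"


@dataclass(frozen=True)
class HostPosture:
    """What a host integrity agent reports about one endpoint."""
    mac: str
    av_installed: bool
    av_definitions_date: date
    firewall_enabled: bool
    installed_patches: frozenset


@dataclass(frozen=True)
class Policy:
    max_definition_age: timedelta
    required_patches: frozenset
    # IDS signatures an administrator has accepted as benign on this network
    # (for example an authorised scanner): the "policy exception" in the text.
    benign_signatures: frozenset


def check_host_integrity(host, policy, today):
    """Return the list of failed checks; an empty list means the host is compliant."""
    failures = []
    if not host.av_installed:
        failures.append("antivirus not installed")
    elif today - host.av_definitions_date > policy.max_definition_age:
        failures.append("antivirus definitions stale")
    if not host.firewall_enabled:
        failures.append("personal firewall disabled")
    missing = policy.required_patches - host.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return failures


def admit(host, policy, today):
    """Admission decision at 802.1X time: only a compliant host reaches production."""
    return PRODUCTION_VLAN if not check_host_integrity(host, policy, today) else QUARANTINE_VLAN


def remediate(host, today):
    """Simulated remediation: push current definitions and switch the firewall on.
    Missing patches are deliberately left alone; they need a reboot window."""
    return HostPosture(host.mac, True, today, True, host.installed_patches)


def handle_alert(host, signature, policy, today):
    """Quarantine-engine reaction to an IDS alert naming this host.
    Returns (final VLAN, audit trail, possibly remediated posture)."""
    trail = [f"{host.mac}: isolated in {QUARANTINE_VLAN} on alert '{signature}'"]
    failures = check_host_integrity(host, policy, today)
    if failures:
        # Exposed or likely infected: remediate, then re-check before any release.
        host = remediate(host, today)
        trail.append("remediated: " + "; ".join(failures))
        failures = check_host_integrity(host, policy, today)
        if failures:
            trail.append("still non-compliant: " + "; ".join(failures))
            return QUARANTINE_VLAN, trail, host
        trail.append("re-check passed; released")
        return PRODUCTION_VLAN, trail, host
    if signature in policy.benign_signatures:
        trail.append("compliant host, benign activity under policy exception; released")
        return PRODUCTION_VLAN, trail, host
    # Compliant host with an unexplained alert: stay isolated rather than guess.
    trail.append("compliant host, unexplained alert; held in quarantine")
    return QUARANTINE_VLAN, trail, host


def run_demo():
    """Constructed sample data (not real hosts): three endpoints and four alerts."""
    today = date(2005, 9, 20)
    policy = Policy(timedelta(days=7), frozenset({"os-sp2", "hotfix-2005-09"}),
                    frozenset({"scan.authorised-scanner"}))
    full = frozenset({"os-sp2", "hotfix-2005-09"})
    hosts = {
        "00:11:22:33:44:01": HostPosture("00:11:22:33:44:01", True, date(2005, 9, 19), True, full),
        "00:11:22:33:44:02": HostPosture("00:11:22:33:44:02", True, date(2005, 8, 1), False, full),
        "00:11:22:33:44:03": HostPosture("00:11:22:33:44:03", True, date(2005, 9, 18), True,
                                         frozenset({"os-sp2"})),
    }
    admission = {mac: admit(h, policy, today) for mac, h in hosts.items()}
    alerts = [("00:11:22:33:44:02", "worm.scan-tcp445"),
              ("00:11:22:33:44:03", "worm.scan-tcp445"),
              ("00:11:22:33:44:01", "scan.authorised-scanner"),
              ("00:11:22:33:44:01", "worm.scan-tcp445")]
    outcomes = []
    for mac, sig in alerts:
        vlan, trail, hosts[mac] = handle_alert(hosts[mac], sig, policy, today)
        outcomes.append((mac, sig, vlan))
        print("\n".join(trail))
    return admission, outcomes


if __name__ == "__main__":
    run_demo()
```

The order of the checks is the point worth noticing: isolation happens before any analysis, so a worm on the quarantined host cannot keep spreading while the engine decides, and a host is only released after a fresh integrity check passes, not on the strength of the remediation step alone. The last alert shows the conservative branch a real product would also need: a compliant host with an alert the policy cannot explain stays quarantined for a human to look at, which is the case where "no human intervention" does not hold.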

Proactive or Reactive?

In our business enterprises, investment in security measures may not receive the priority it should. There are reasons for this, and budget constraints may be chief among them. Security solutions are not cheap, and they have to be constantly updated to keep up with emerging threats.

The second reason may be our general propensity to be reactive rather than proactive.

However, when the health of our computing resources determines the health of our business, this attitude toward security will have to change.
