In-Depth

Case Study: Adopting Inverted Firewalls

How to safeguard an educational network when its users face few rules and resources don’t exist to police them closely

• By Mathew Schwartz
• 01/19/2005

What happens when a bunch of whiz kids inside an organization get unrestricted access to network resources?

No, this isn’t a question about the research and development department breaking lose. We’re talking about safeguarding an educational network when its users face few rules, and resources don’t exist to police them closely.

That was the question asked by Dan Scott, the senior systems engineer for the Round Rock Independent School District in Texas, with 47 facilities spread over 110 square miles. The distinct has 17,000 PCs, one fiber backbone, nine IT staff, and more than a few students with extensive computer knowledge.

“Most of our kids come from a high-tech community—Dell, IBM, and so on. They’re very sophisticated,” he says. “What we needed to do was find a way to mitigate internal attacks from worms—and even some viruses—students might try to test” on the network, he says. Another concern was the worms and viruses entering the school network via e-mail or teachers’ laptops.

Round Rock was already running network firewalls, antivirus software, plus an intrusion detection system (IDS) from Columbia, Md.-based Sourcefire Inc. In general, an IDS “let’s you know something is going on, but doesn’t let you do anything about it,” Scott notes.

What Scott needed was something to actually clamp down on problems until he had time to address them. For one thing, his staff of nine isn’t dedicated to fixing security outbreaks: two employees are systems engineers, three handle firewalls and general server and network maintenance, and four handle PC maintenance and software installation. Hence on the free-time front, “we’re pretty tight, so what we have to end up doing is working smarter.”

Scott began researching technologies to help control outbreaks. While he doesn't want to name all of the vendors he looked at, he eventually settled on CounterPoint, an inverted-firewall appliance from Austin, Texas-based Mirage Networks Inc. The product monitors endpoints and blocks suspicious activity.

“What I liked about Mirage is it works offline, like a sniffer, but it’s a lot more sophisticated,” he says. For example, “if it detects ping sweeps it will [just] go out and shut the system down,” by knocking the offending PC off the LAN. It does this by poisoning the PC’s address resolution protocol (ARP)—the link between an IP address and a piece of hardware in IPv4 Ethernet networking.

Scott was really sold on the new technology, however, when a demonstration unit detected a previously unknown network exploit. Someone had penetrated the school’s network DMZ and installed malicious software that was trying to send packets out of the network—luckily, via a port Round Rock kept blocked. "So they never knew they got in." Still, that “motivated us to go with new firewalls,” meaning the Mirage technology.

One feature he likes: CounterPoint works offline, so there's no worry about the device’s ability to maintain throughput—or else potentially fail—when network activity spikes.

For Round Rock, the end result is that when there’s a virus outbreak on a PC, “instead of having to go out and clean up 200 to 500 machines, we just have to go out and take care of that one. It saves us a lot of time, because we don’t have a staff to cover all the machines out there that are sometimes attacked.”

Inverted Firewalls Watch Endpoints

How exactly does CounterPoint work? “We proxy every packet that comes off that endpoint, and we decide whether we want to drop that packet or pass it on, and the same for incoming traffic,” says Toney Jennings, the CEO of Mirage Networks. CounterPoint can monitor e-mail, IDS and intrusion detection prevention (IDP) alarms, system logs, and the simple network management protocol (SNMP) traps—alerts—some software generates when suspicious conditions occur.

For detecting malicious activity, inverted firewalls use algorithms, not signatures. The advantage, says Jennings, is that the device can catch unknown attacks. “For example, at a large defense contractor, we installed it on a Friday, and the next day was Saturday, when the Sasser worm hit.” The appliance caught the Sasser worm “without any updates, just right out of the box.”

While inverted-firewall technology is relatively new, Jennings says he’s already seeing interest from the typical information-security early adopters—financial firms and some government agencies—as well as organizations with more open environments, such as law firms and schools. On the latter front, “what you have is endpoints you don’t control, all trying to control one another, and when they get infected, infecting each other.” Especially in those environments, from a total cost-of-ownership perspective, installing inverted firewalls “is a much easier proposition to get your hands around; I install a few boxes instead of multiple agents,” he says.

Round Rock had also begun its CounterPoint rollout when Sasser hit, and in “the places we’d installed the boxes we were able to significantly restrain the worm’s activity,” Scott notes. In general, however, internal threats are a greater concern, including teachers with laptops infected via a home-network connection that then infect the school’s network. People opening suspect e-mail attachments that turn out to be Trojan code (or worms) is also a recurring problem.

Then there are the computer classes with coding homework. “It’s interesting to see how some people write programs where they can sometimes make it look like a worm or a virus,” he says. “It’s usually poorly written programs, so we just have to make sure we can set” the appropriate threshold in CounterPoint to only knock real threats off of the LAN.

Beyond Reactive Endpoint Security

CounterPoint requires tweaking so only real attacks get blocked. Of course, IT managers would love it if quarantine and remediation were completely automated. “It’s something people would like to have, but it’s something that’s very difficult to do at this point,” says Jennings.

Today, CounterPoint tells a security administrator there’s a problem, and where the problem is, while dropping suspicious packets from the machine. So it can keep an offending PC off the network, though give the help desk direct access to it. For the next version of Mirage, “what we want to be able to do is notify both the user and the help desk that there is a problem,” Jennings says.

According to Jennings, Mirage will also eventually interoperate with quarantine and remediation software. For example, end users might require any PC requesting a network connection to first accept and run an ActiveX scanner, which checks the PC against antivirus or firewall policies. Connecting CounterPoint with these agents “will be another source of information for us to make intelligent decisions about whether we allow the endpoint to connect to the network.”

Scott, for one, wants auto-remediation. “Our main charge is to provide technology for our kids,” yet maintaining that “becomes a real challenge with some of the vulnerabilities” at large. To date, Round Rock hasn’t had to shut down its network to remediate an outbreak—and Scott hopes to keep it that way through technology such as this. “My take on it is any school district, or college, or university that doesn’t have something like this, their network is going to go down all the time.”

Related Articles

Untangling Endpoint Security Initiatives
http://www.esj.com/Security/article.aspx?EditorialsID=1230

Endpoint Security Grows But Interoperability Questions Remain
http://www.esj.com/Security/article.aspx?EditorialsID=1153