This site will look much better in a browser that supports web standards, but it is accessible to any browser or Internet device.

Blocking Spyware at the Network Gateway

Originally published in Security Pipeline, reprinted courtesy of CMP Technology and Visit Dark Reading

Web www.corecom.com The Security Skeptic

Layered defenses have become standard procedure for blocking the current generation of security threats. To block against viruses, spam and intruders, organizations deploy countermeasures at the network gateway and again in individual client systems.

Until now, a layered defense against spyware was difficult or impossible. There are plenty of desktop anti-spyware products, but almost none that are server-based. But security vendors are moving to fill that gap. Security vendors are scrambling to enhance existing security gateway products and are introducing new gateway technology functionality targeting spyware specifically. And vendor marketing departments are calling attention to existing security gateway features that can detect and block some of the many forms of spyware.

Why Layered Defenses?

Layered defenses offer many benefits. The first and most obvious is that layered defenses provide multiple lines of defense to block attacks and defeat malicious code injection.

Layered defenses also provide security assurance. For example, antivirus gateways managed by IT staff are subject to more rigorous maintenance than desktops. They are less likely to fall out of synchronization with an AV vendor's signature updates. The antivirus gateway will block a mail-borne virus that might go undetected on a laptop that isn't configured to auto-update signatures daily.

Layered defenses can provide robustness. Organizations can deploy one vendor solution at a gateway and a different solution on clients and servers; in theory, at least one of the detection methodologies will defeat an attack.

Lastly, layered defenses can provide resiliency. If an organization uses different vendor solutions at gateways and clients, and one vendor's site is unavailable for malware signatures and program updates, the organization may be able to rely on the other vendor's update process to defend against a new attack.

The Many Faces of Antispyware Gateways

Don't expect to find a standalone antispyware security gateway, yet. Antispyware measures will be integrated into many multi-purpose security gateways. Application (HTTP) proxy servers and proxy firewalls are logical choices for implementing antispyware measures. HTTP proxies authenticate users, block malformed headers, and can make policy decisions (block, allow) based on HTTP message type, content and body content. Deep, stateful, and application inspection firewalls compare HTTP streams against spyware signature databases in real time, but vary in technique. Fortinet uses a combination of content reassembly, where fragmented and missequenced packets are assembled before scanning to thwart "evasion" attacks, and activity inspection, where packets are subjected studied using a "fuzzy logic" technique, to prevent misuse of protocols to hide malicious activity. SonicWall's approach compares "without reassembly." Since new threats appear constantly, vendors in this class update databases as soon as new signatures are available, much the way virus signatures are updated.

Secure remote access solutions, particularly SSL VPNs, have begun to address spyware as part of a bigger problem: protecting the organization from un-secured endpoint devices, including laptops, PCs and PDAs. Many SSL VPNs (Aventail, Juniper, Whale Communications) scan an endpoint device to confirm it satisfies a security profile before the device and user is allowed admission to the network. This endpoint control now includes measures to assure that devices are free of spyware. "A solid endpoint control solution to ensure that malicious code, including spyware, is not introduced to the protected network", said Chris Hopen, CTO, Aventail Corp., "and the interrogation should occur prior to authentication to keep keyloggers at bay."

Admission control techniques impose antispyware measures at the router-switch and remote access server (RAS). Cisco Network Admission Control and Microsoft Network Access Protection today evaluate endpoint devices to determine whether antivirus security measures are present and signature databases and patches are current before they are admitted to the network. If the device fails inspection, the user is redirected to a quarantine location for remediation or reduced access. It's only a matter of time before these solutions are extended to include scans for antispyware measures.

Gateway Antispyware Features

All gateway antispyware solutions share a common objective: block malware of all kinds, including spyware, before it is downloaded and auto-installed on client computers via the web or email. Accordingly, a baseline feature among gateway antispyware solutions is a signature-based antivirus engine that scans email messages and attachments as well as downloaded web content for malicious code used in worms and spyware alike, such as remote administration tools and keyloggers. While anti-virus engines primarily scan against viruses (of course), some are also starting to scan against some spyware. Some security gateways (Fortinet, Bluecoat) expand their signature databases to include commonly encountered spyware executables (e.g., hijacker programs).

Like their desktop antispyware counterparts, gateway antispyware doesn't rely solely on signatures. Some of the additional methods used by gateway anti-spyware vendors include:

  • Blocking auto-installation of ActiveX components. ActiveX is far and away the most common infestation vector for spyware. Antispyware gateways prevent the delivery of ActiveX controls. Certain products (e.g., SonicWall) allow administrators to permit and deny installation on a per program basis.
  • Block URLs according to classification. Gambling, pornography, and gaming sites are notorious hosts for spyware. Many multi-purpose security gateways incorporate the ability to block sites based the category of content by integrating a classification database into a URL filtering engine. Many multi-purpose security gateways (Watchguard, SonicWall, Juniper, Secure Computing) and proxy servers (WinProxy, Microsoft, Websense) use Secure Computing (SmartFilter, http://www.securecomputing.com/index.cfm?skey=85), SurfControl's (WebBlocker, http://www.surfcontrol.com/Default.aspx?id=375&mnuid=1.1), or Websense (http://ww2.websense.com/global/en/ProductsServices/WSSecuritySuite/) databases for this purpose; other (Fortinet, Blue Coat) build their own databases.
  • Block sites/URLs of known spyware affiliates. Individual users run IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm) to include known ad and spyware affiliate sites in the Restricted Sites Zone of their Internet Explorer browser. This security measure is incorporated into antispyware products like the WinProxy 6.0. Depending on the database used, security gateways that block URLs according to classification can also block known spyware sites. Surfcontrol, for example, blocks over 8,000 spyware sites if you prohibit categories containing what are generally considered to be "less than reputable" industries.
  • Whitelist and blacklist sites/URLs. Multi-purpose security gateways (Watchguard, Hotbrick, Microsoft) often provide a general URL filtering feature. Administrators can complement lists of known spyware affiliate sites with sites they suspect or determine to host spyware. This is a useful for organizations that prohibit software that is not strictly spyware, e.g., a commercial remote administration tool (RAT) such as Remote Anything or SpyAnywhere. It's also useful for organizations that are more aggressive in their definition of spyware than legislators. Suppose your organization disagrees with the 43 members of the Energy and Commerce Committee, who agreed to pass the Spy Act only after declaring web bugs legal. You can choose to blacklist sites that employ web bugs, even though your antispyware can't do this by default.
  • Block Content Types, Cookies, and Body Content Types in HTTP Responses. Content filtering plays an important role in defending an organization from the download of malicious code and spyware. Certain firewalls (Watchguard, Symantec, Fortinet, WinProxy) and HTTP proxy servers provide the means to prevent the delivery of body contents by type (e.g., zip/archive files, dynamic linked libraries, Windows executables and CAB archives) and MIME content type (image/*, application/*, ...).
  • Block "phone home" activity. Gateway antispyware (WinProxy, SonicWall) will prevent ad-tracking 'ware, RATS, and keyloggers on infested computers from communicating information back to ad servers, tracking/collection servers, and attackers. Generally, administrators can use firewalls to block many "back channel" activities by implementing strict outbound (egress) traffic filtering policies (see http://www.securityskeptic.com/egresstrafficfiltering.htm).
  • Filter URLs according to user authorization level (Policy Zone definition). HTTP proxies, SSL VPN appliances, and authentication-enabled firewalls (Watchguard, Aventail, Juniper) can provide a means of restricting what sites authenticated users or groups are authorized to visit.

Even this impressive list of countermeasures is probably not sufficient to guarantee your network will be insulated from spyware infestations. Like viruses, spyware is constantly altering to evade detection, and new methods of infesting computers are introduced as countermeasures prove effective. So while you can use this list as a reference point for gateway antispyware features, expect the feature set to expand in the future. Expect, too, that solutions will not rely entirely on signature-based detection.

Steve Fallin, Director of Watchguard Technologies' Rapid Response Team, explains that signature-based solutions are necessary, but not sufficient measures to combat malware in general, and spyware in particular. "Rather than rely solely on your ability to identify discrete patterns of every conceivable wrong or malicious application stream, why not give the administrator the power to write policies that allow only the limited number of streams known to be correct and appropriate?"

Future directions

Most multi-purpose security gateways now provide antivirus measures. Expect vendors of these products to expand their feature sets and upgrades to include some of the many detection and blocking measures organizations require to insulate their systems from spyware infestations. No single gateway solution available today provides every checklist item of even my modest list of spyware countermeasures. Even if one did, spyware will adapt and mutate as legislation is enacted and defenses improve and reduce the current set of attack vectors.

The good news is that gateway antispyware has become a marketing imperative for security vendors, and your organization can build a layered defense against the spyware threat. We have ample evidence that once installed, spyware can be a nightmare to remove. Deploying gateway antispyware helps keep spyware from being delivered and installed. Finding space in a security budget for "yet another gateway" may be challenging, but the opportunity to reduce spyware-induced productivity loss and spyware-related helpdesk calls alone can justify an investment in gateway solutions.