The next/alternative frontier in network security

(Thanks Ralf L for pointing this product out to me)

Ralf pointed out this alternative security box which the author refers to as the Kane Box. This is absolutely fascinating stuff and if you have anything to do with network security this is worth a browse:

The problem with almost all network security products in the marked today is their reliance on a single flawed methodology: signatures and patterns

Consider almost any product out there… firewalls: these work on predefined ports and IPs, application firewalls: these work on pre-defined byte patterns, IDS/IPS: these work on identifying signatures with network traffic streams, antivirus: these work on identifying file signatures. You see the pattern right? In my opinion, this is flawed, flawed, flawed.

Malware is ever changing and signatures are inherently static

Using signatures, any custom built malware which is not in widespread use (like target malware) can easily slip by defences because in all probability it will not match any of our signatures/patterns. New or zero-day malware and exploits have the same problem. Even just changing some lines of code in pre-existing malware can let it slip by some anti-virus systems. Apart from that, with the ever increasing number of malware, bad urls, so on so forth, we’re eventually going to end up with huge databases of signatures. These databases take a lot of computational power to store and reference, and customers need to have a fast and secure way of checking their traffic against these databases.

Most vendors including Sonicwall and BlueCoat, have harnessed cloud computing and community flagging to address the problem. Still… not enough. Take into consideration my previous post for example. Steganography. Relatively new with big implications for security. Not much stops it because signatures are quite useless. I still need to write about this (and implement it, still need porting my code to python). Steganalysis depends on statistical analysis of these pictures. Expand that thinking into all sorts of network traffic

In other words, instead of your security solution asking “have i seen this traffic before?”, it will be asking “is this traffic behaving normally?”. So even traffic with no signatures, or indeed traffic you’ve never seen before, can act strange and you can at least be alerted that something isn’t quite right…

This is what Kane Box would like to achieve. Any system based on behaviour analysis would use a combination of statistics and heuristics to classify traffic as normal or strange. I think this is the way forward

Mind you, not to say that such systems would totally replace our currently systems. The biggest problem these types of security boxes will face will be effective training. The boxes need a training time where they just sit and observer definite good/normal traffic so they can “learn” what normal traffic really is. Your network would be defenceless during this stage.

Regardless, there are several fields of engineering that can be used, such as neural networks, data mining and support vector machines which all tackle this very problem: Using a training set to define normal traffic, then detect abnormal traffic that doesn’t fit within what it learnt about normal traffic

Then there’s always the question of false positives and false negatives, but that is an issue any network security admin already faces and we should be quite good at working around this.