The holy grail, of course, is squashing an unknown virus before it activates. But this is tricky because there are few, if any, reliable detection engines for new forms of malware. This is where virtual computing may be just the ticket, and Norman Data Defense Systems is leading the way. The idea is to run downloaded content inside a simulated computer and watch for virus- or wormlike behavior, such as binding to network ports or accessing mail resources via MAPI. Because the code executes in the virtual machine rather than on the real host, its run-time actions can be monitored and malicious activity identified without putting the real host at risk. Of course, there are limits to the virtual PC. Simulating an operating system is relatively easy; simulating an operating system plus an office application suite is not, so code that misbehaves only once a real application loads it, or that notices it is running in an emulator, can slip through undetected.
Danger: The perimeter is expanding
Solution: Enforce policy on remote systems
If remote users are attaching to the network over dial-up, VPN or wireless PDA, your perimeter is in constant flux. And though you can secure the endpoints and the traffic flowing between them using antivirus software, desktop firewalls, VPN software and SSL, deploying all these technologies increases the burden of managing, maintaining and logging them on machines you don't physically control.
By requiring the same security products and configurations on remote computers that you require internally, you enforce your policy uniformly. Before you let users connect, verify that their antivirus signatures and firewall policies are up-to-date, allow only the access you permit, ensure their operating system and applications are at the proper patch levels, and check that unapproved services are not running. Desktop security packages offer varying capabilities to enforce a baseline of acceptable computer configurations and are improving over previous versions. Features--such as version control for executables and dynamically linked libraries, file hashing and validation, requiring that applications are current and active prior to a connection, and error messages telling users when their computers don't meet the requisite specs and how to fix them--should be atop your list of requirements.
This protection should be deployed within the internal network as well. Every entry point into your network is a possible avenue of attack, and your most successful strategy is to put controls closest to the threat.
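The pre-connection check described above, written out as an added example (this is illustrative code, not any desktop security package's logic). The baseline policy, the two host inventories, the patch-level numbers and the "known-good" file hashes are all constructed for the example; a real agent would collect the inventory from the endpoint and fetch the policy from a central server.

```python
"""Pre-connection posture check for a remote endpoint, evaluated against a baseline.

Added example; not a vendor product. Policy values, host inventories and file hashes
below are constructed for illustration.
"""
import hashlib
from datetime import date

# Constructed baseline policy (assumed values).
POLICY = {
    "max_signature_age_days": 3,
    "required_patch_level": 4,                      # e.g. a cumulative patch level
    "required_running": {"antivirus", "desktop_firewall"},
    "approved_services": {"antivirus", "desktop_firewall", "vpn_client", "dhcp"},
    # Executables/DLLs whose contents must hash to the approved build (constructed).
    "file_hashes": {
        "vpn_client.exe": hashlib.sha256(b"vpnclient-build-2.1").hexdigest(),
    },
}


def check_posture(host, policy=POLICY, today=date(2003, 1, 15)):
    """Return a list of (check, message) tuples, one per failed check.

    An empty list means the host meets the baseline. Each message tells the user
    what is wrong and how to fix it, as the article recommends.
    """
    failures = []

    age = (today - host["signature_date"]).days
    if age > policy["max_signature_age_days"]:
        failures.append(("antivirus_signatures",
                         f"Signatures are {age} days old (limit "
                         f"{policy['max_signature_age_days']}); run a signature update."))

    if host["patch_level"] < policy["required_patch_level"]:
        failures.append(("patch_level",
                         f"OS patch level {host['patch_level']} is below the required "
                         f"{policy['required_patch_level']}; install pending updates."))

    running = set(host["running_services"])
    for svc in sorted(policy["required_running"] - running):
        failures.append(("required_service",
                         f"{svc} is not running; start it before connecting."))

    for svc in sorted(running - policy["approved_services"]):
        failures.append(("unapproved_service",
                         f"{svc} is running but is not approved; stop or remove it."))

    # File hashing and validation: the file on disk must match the approved build.
    for name, expected in policy["file_hashes"].items():
        actual = hashlib.sha256(host["files"].get(name, b"")).hexdigest()
        if actual != expected:
            failures.append(("file_hash",
                             f"{name} does not match the approved build; reinstall it."))

    return failures


def may_connect(host, policy=POLICY, today=date(2003, 1, 15)):
    """True only when every posture check passes."""
    return not check_posture(host, policy, today)


# Constructed inventories of two remote hosts.
COMPLIANT_HOST = {
    "signature_date": date(2003, 1, 14),
    "patch_level": 4,
    "running_services": ["antivirus", "desktop_firewall", "vpn_client"],
    "files": {"vpn_client.exe": b"vpnclient-build-2.1"},
}
NONCOMPLIANT_HOST = {
    "signature_date": date(2002, 12, 20),
    "patch_level": 3,
    "running_services": ["antivirus", "p2p_share"],
    "files": {"vpn_client.exe": b"vpnclient-build-2.0-modified"},
}

if __name__ == "__main__":
    for label, host in (("compliant", COMPLIANT_HOST), ("noncompliant", NONCOMPLIANT_HOST)):
        print(label, "-> connect" if may_connect(host) else "-> refuse")
        for check, msg in check_posture(host):
            print("   ", check + ":", msg)
```

The check is deliberately fail-closed: an unparseable or missing inventory item counts as a failure, and every failure carries the remediation text, since a user who is told only "access denied" will phone the help desk rather than fix the machine.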
Danger: Attackers targeting your applications
Solution: Get HIP to intrusion prevention
Intrusion prevention is all the rage. The theory is, if you block attacks before they reach their targets, you're golden. But the question is, can intrusion prevention deliver?
NIP (network intrusion prevention) products monitor traffic at key network points and attempt to block attacks dynamically while allowing legitimate traffic. Don't believe the hype. Unfortunately, these products rely on the imperfect detection methods used in NIDS (network intrusion detection systems), such as signature matching and anomalous traffic detection. Although many well-known attack signatures exist, new attacks using unknown methods are bound to rear their ugly heads. In addition, legitimate traffic may be blocked because of poorly written attack signatures flagging normal traffic as malicious, and because an NIP device sits inline, a false positive doesn't merely raise a spurious alert, as it would on an NIDS; it drops real traffic.
HIP (host intrusion prevention), on the other hand, offers greater promise for blocking known and unknown attacks at the target. HIP enforces access control to the operating system and system services. By defining what an application can and cannot access, all manner of attacks that leverage operating system services can be thwarted, because exploiting a vulnerability usually means making the application do something outside its normal operating parameters, such as spawning a shell or writing to a system directory. System calls trapped at the kernel level are matched to policy and, if denied, are stopped. Pure application-layer attacks, such as those that manipulate database tables and data without requesting anything outside the application's normal profile of system services, are not deterred by HIP, however, and developing and deploying HIP policies can be complicated and time-consuming. But given the increased protection, that's a relatively small price to pay. We expect HIP applications to become more robust and manageable over the next year as Okena, Computer Associates, Harris, Entercept and other vendors modify their protection applications based on user feedback and deployment experience.
Danger: A deluge of event data
Solution: Rely on SIM
Once your network security has matured to the point where enough components, such as firewalls, IDSs and VPN gateways, are deployed or outsourced, you can spend your time monitoring logs and mentally correlating events. Given enough experience and knowledge of the individual systems, a seasoned administrator can make sense of the data and perform some real investigative work. Unfortunately, getting to that point is difficult and, let's face it, manually correlating data is time-consuming.
That's where SIM (security information management) data aggregation and correlation tools come in. Event aggregation is simple compared with event correlation because there are few formalized methods for accurately correlating disparate events into a single, related chain. But don't overlook the difficulties tied to event aggregation. As the number of devices feeding events into the SIM product increases, so do storage, bandwidth and horsepower requirements. And getting all these products to talk to each other is, well, daunting. The value of SIM diminishes if you can't get all your data sucked in.
Let's say you have data aggregated. Now you can begin to mine it for relevant events. That's the point of SIM, right? Separating the wheat from the chaff? Although there are some common event sets that can be applied to most networks, you can bet you'll be doing (or having done for you) a lot of customization. This is not a fire-and-forget technology by any means.
Is there a benefit to SIM? Sure. If your security administrators can work more efficiently and effectively, that's a big win for already overworked staff. But you have to determine whether the costs will justify the gains.
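The aggregation and correlation steps discussed in this section, as an added example that is not part of the article and not any SIM product's logic. The three log formats (a firewall, a NIDS and a VPN gateway), the device names, the addresses, the user names and the correlation rule are all constructed; the point is how much format-specific parsing the aggregation step needs before a single rule can run across devices.

```python
"""Event aggregation and correlation of the kind a SIM performs, over constructed
log lines from a firewall, a NIDS and a VPN gateway.

Added example; not a SIM product. Log formats, addresses, users and the rule are
constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed raw events, each in its own device's native format.
RAW_LOGS = [
    "fw1 2003-01-15 02:14:05 DENY tcp 203.0.113.9:4412 -> 192.0.2.10:1433",
    "fw1 2003-01-15 02:14:06 DENY tcp 203.0.113.9:4413 -> 192.0.2.10:445",
    "ids2 Jan 15 02:14:07 ALERT [sig:1001] MS-SQL probe 203.0.113.9 -> 192.0.2.10",
    "vpn1|2003-01-15T02:15:30|LOGIN_OK|user=jsmith|src=203.0.113.9",
    "vpn1|2003-01-15T09:00:01|LOGIN_OK|user=mfratto|src=198.51.100.7",
    "fw1 2003-01-15 09:00:02 DENY udp 198.51.100.7:137 -> 192.0.2.255:137",
]

# One parser per device format: this is the "getting products to talk" work.
FW_RX = re.compile(r"^(?P<dev>\S+) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DENY "
                   r"(?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RX = re.compile(r"^(?P<dev>\S+) (?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) ALERT "
                    r"\[sig:(?P<sig>\d+)\] (?P<msg>.+?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
VPN_RX = re.compile(r"^(?P<dev>[^|]+)\|(?P<ts>[^|]+)\|(?P<event>[^|]+)\|"
                    r"user=(?P<user>[^|]+)\|src=(?P<src>[\d.]+)$")


def normalize(line, year=2003):
    """Aggregation: parse one raw line into a common event dict, or None if no
    parser matches. (The syslog-style IDS line carries no year; it is assumed.)"""
    m = FW_RX.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "dev": m["dev"],
                "kind": "fw_deny", "src": m["src"], "dst": m["dst"],
                "detail": f"{m['proto']}/{m['dport']}"}
    m = IDS_RX.match(line)
    if m:
        return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "dev": m["dev"], "kind": "ids_alert", "src": m["src"], "dst": m["dst"],
                "detail": f"sig {m['sig']}: {m['msg']}"}
    m = VPN_RX.match(line)
    if m and m["event"] == "LOGIN_OK":
        return {"ts": datetime.fromisoformat(m["ts"]), "dev": m["dev"],
                "kind": "vpn_login", "src": m["src"], "dst": m["dev"],
                "user": m["user"], "detail": f"user={m['user']}"}
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Correlation rule (constructed): firewall denies and an IDS alert from one
    source, followed within the window by a successful VPN login from that same
    source, become a single incident chain."""
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(e["src"], []).append(e)
    incidents = []
    for src, evs in by_src.items():
        for login in (e for e in evs if e["kind"] == "vpn_login"):
            prior = [e for e in evs if e["kind"] in ("fw_deny", "ids_alert")
                     and login["ts"] - window <= e["ts"] <= login["ts"]]
            if {"fw_deny", "ids_alert"} <= {e["kind"] for e in prior}:
                incidents.append({"src": src, "user": login["user"], "chain": prior + [login]})
    return incidents


if __name__ == "__main__":
    events = [e for e in (normalize(l) for l in RAW_LOGS) if e]
    for inc in correlate(events):
        print(f"incident: {inc['src']} scanned, tripped the IDS, then logged in as {inc['user']}")
        for e in inc["chain"]:
            print(f"   {e['ts']} {e['dev']:<5} {e['kind']:<10} {e['detail']}")
```

The second VPN user generates no incident: the only firewall deny from that address comes after the login and there is no IDS alert, so the rule's conditions are not met. That ordering and window logic is the kind of site-specific tuning the text has in mind when it says SIM is not fire-and-forget.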
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.