Beyond just simple web security
This week, a piece of security news was in the spotlight – the publication of a report commissioned by the French governmental organization Hadopi. What security and information systems managers expect from their firewalls is clear: to block the threats mentioned in this report. But let’s take a look at what more can be done.
The Hadopi blunder
HADOPI (“Haute Autorité pour la Diffusion des Œuvres et la Propriété Intellectuelle”), the French authority that governs the distribution of works and intellectual property, commissioned a report to assess the economic models of piracy. In this report, a list of the 25 most frequented streaming sites was given. Besides the methodology, which came under criticism, the presence of this list generated lots of comments on French blogs and on Twitter from IT journalists familiar with the subject, and went viral. It is indeed surprising that none of the editors of this report found this list “inconvenient”.
Following this publication, every CSO or CIO would start wondering about how his corporate network’s bandwidth is being used. Expectations are therefore clear – the firewall must flag the use of these streaming sites and offer the option of blocking them. Instinctively, one would think of a combination of the http proxy and URL filtering, which is obvious, since most of these sites are known and already referenced at the time of publishing.
What more can we then expect?
When a subject is under media scrutiny, the threat remains the same but the risk level increases. Indeed, a great number of new potential users may disrupt the monitoring of the network or affect performance.
Beyond pure and simple protection, security and information systems managers could do with a little help in two forms:
- Greatly optimizing performance
- Facilitating analyses
Optimizing performance
Blocking sites via a web proxy consumes a lot of resources:
- Allowing and inspecting DNS queries
- Allowing and inspecting IP-level http traffic
- Decryption where necessary (for https)
- Transmission of data to the http proxy
- Comparison of the URL against a filter database
- Logging the http request
Needless to say, a good firewall would have what it takes to perform these operations and to do them well. But if we could save resources with an equivalent level of security, why not take advantage of it?
The good news is that the same level of security can be provided with much better performance. In our case, NETASQ’s threat prevention engine, embedded in the operating system, can intercept and block domain name resolutions for several protocols, including DNS. As a result, 5 of the 6 steps mentioned earlier are skipped, which frees up resources for other, more important tasks.
Facilitating analyses
In risk management, visibility is often as important as protection itself. For a security vendor, it is always tempting (and often profitable) to “pump up” numbers by adding 25 “new” detections. This mode of functioning is not in anybody’s best interests, but is unfortunately the most frequently encountered.
To help the administrator find his way through such information, it would be more relevant to group these 25 sites under a single protection mode. This makes the event easier to search for and filter. Accuracy is not compromised, as the targeted site still appears as the destination of the alarm.
As the purpose of this is to facilitate operational follow-up, NETASQ’s watch teams have grouped these sites under a single protection category. To modify a configuration or to isolate this event, simply type “free streaming”, or look for your unique ID (tcpudp:hostname:17).
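The two ideas above (intercepting the name resolution before any HTTP proxying happens, and reporting every hit under one protection category while keeping the queried hostname as the alarm destination) can be illustrated with a small filter. The following is an added example written for this post; it is not NETASQ’s engine or configuration. The blocked domain names are constructed placeholders standing in for the sites in the report, the DNS packet is built inline as test input, and the only value taken from the post is the alarm ID “tcpudp:hostname:17”.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Single protection category and the alarm ID quoted in the post.
CATEGORY = "free streaming"
ALARM_ID = "tcpudp:hostname:17"

# Constructed placeholder domains; the report's real list is not reproduced here.
BLOCKED_DOMAINS = frozenset({
    "streaming-site-a.example",
    "streaming-site-b.example",
    "streaming-site-c.example",
})


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from a DNS query in RFC 1035 wire format.

    The question section of a query should not contain compression pointers,
    so a pointer is treated as malformed input rather than followed.
    """
    offset = 12  # the fixed DNS header is 12 bytes
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower()


def matching_domain(qname: str, blocked=BLOCKED_DOMAINS) -> Optional[str]:
    """Return the blocked domain that qname equals or is a subdomain of, else None.

    Matching is done label by label so that 'notstreaming-site-a.example'
    does not match 'streaming-site-a.example'.
    """
    parts = qname.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in blocked:
            return candidate
    return None


@dataclass
class Alarm:
    alarm_id: str
    category: str
    destination: str  # the queried hostname, so the targeted site stays visible


def inspect_dns_query(packet: bytes, blocked=BLOCKED_DOMAINS) -> Optional[Alarm]:
    """Decide on a DNS query before any HTTP traffic exists.

    Returns one alarm under the shared category when the name is blocked,
    or None when the resolution may proceed.
    """
    qname = parse_qname(packet)
    if matching_domain(qname, blocked) is None:
        return None
    return Alarm(ALARM_ID, CATEGORY, qname)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query for `name` (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


if __name__ == "__main__":
    for host in ("www.streaming-site-a.example", "mail.example.org"):
        print(host, "->", inspect_dns_query(build_query(host)))
```

Because the decision is taken on the DNS query, the engine never has to see the HTTP request, decrypt TLS, or hand anything to a URL filter; and because every hit carries the same alarm ID and category, an administrator can search for the one event while still reading the actual site from the alarm’s destination field.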
It’s so much simpler this way, isn’t it?