WHITE PAPER: ENTERPRISE SOLUTIONS. Multi-tier Security: The need for defense-in-depth

Transcription

1 WHITE PAPER: ENTERPRISE SOLUTIONS Multi-tier Security:

2

3 White Paper: Symantec Enterprise Solutions Multi-tier Security Contents Executive summary Introduction Role of in security Tier 1: Protecting the perimeter Tier 2: Mail server protection Multi-tier mail security solutions from Symantec Symantec s global security response Symantec s perimeter protection Symantec s mail server protection Introducing Symantec Mail Security Enterprise Edition Conclusion

4 Executive Summary Responding to today s challenges requires a multi-faceted approach: one that addresses protecting the perimeter while simultaneously protecting internal corporate mail systems. Defending one but not the other is akin to locking the car doors and leaving the windows open. A multi-tier approach to securing the infrastructure is needed not only to stop spam, viruses, and phishing attacks, but also to prevent unauthorized content from being transferred to the wrong hands, both inside and outside of the corporate walls. This white paper reviews the evolution of challenges facing today and demonstrates ways in which affects network security and business risk. The importance of implementing a multi-tier defense-in-depth approach to security is outlined in detail along with guidance in choosing the right perimeter and mail server defenses. Introduction Nearly a decade has gone by since the first mass-mailer worm attacked organizations worldwide. In 1997, Melissa changed the nature of -based threats from sending attachments containing an unintentional infection usually a Word document with a macro virus to using as a way of leveraging Internet near-borderless speeds to spread their malicious payload to millions of unsuspecting and vulnerable users. Since then, mass-mailers have continued to innovate and evolve, moving from exploiting vulnerabilities in the client itself, to running their own SMTP servers and bots to broadcast under the wire without causing suspicious traffic peaks on the infected network s mail server. We ve seen spam evolve from a minor nuisance that made up a small subset of all Internet to a scourge that now makes up the majority of legitimate sent around the world. Combining the social engineering of the virus writer with the distribution methods of the spammer, phishing has become the more threatening side of the spam problem, as phishers attempt to solicit and steal passwords, social security numbers, and identities of unsuspecting recipients. is now considered an essential and important communications tool. Its contents are often used to demonstrate compliance to industry regulations, as well as to serve as valuable evidence in legal proceedings. As a result, it becomes important to control the content of messages sent internally, between departments and employees, as well as externally. All of these factors highlight the importance of taking a more holistic approach to security to filtering for viruses, spam, and other unwanted or otherwise inappropriate content at multiple tiers of the network to ensure that all is scanned and controlled. 4

5 Compliance Phishing Spam Mass-mailing Worms Figure 1. Evolution of threats Role of in security The importance of security in the context of today s networking and business environments is that is one of two critical open doors (or ports) that we simply can t afford to close. Even the Web, the other open door (port 80), serves as a delivery mechanism for traffic, especially through popular Web-based mail services. The importance of as a ubiquitous and essential communications tool comes from the ease with which users can send and receive virtually any electronic data to any recipient in the world including spam, viruses, worms, and phishing attacks. When keeping secure, it is less about actually securing content from prying eyes, than preventing the wrong type of content from affecting business operations; for example: -borne threats such as mass-mailer worms can disrupt the network by infecting not just the recipient s desktop, but also other desktops and servers in the network. Mass-mailer worms themselves generate illegitimate and harmful traffic that typically targets addresses of other internal users, as well as partners, customers, and suppliers. Unfortunately, they often carry a company s name. Malicious payloads are typically multi-pronged, so they seek not only to spread infection, but also to compromise systems by affecting security settings, stealing information, and setting up Trojan horse applications and bots for future exploits. Proprietary and confidential company, customer, or user information can be accidentally or intentionally transferred to unauthorized persons inside or outside the organization. 5

6 content that violates corporate policy, such as inappropriate language or non-business attachments such as MP3 files, executable files, and others, can cause disruptions in the workplace. sent from disgruntled employees containing disruptive or inappropriate content to broad distribution lists, which should be cleaned from the message store to minimize employee exposure and company risk. Not all of the security risks we re defending the network against originate from the Internet. Viruses have many vectors of entry onto the network, including Web-based from free consumer services, as well as any form of removable media, such as a USB memory stick, CDs, DVDs, and others. In addition, early-stage threats will often slip by gateway defenses in the minutes and hours before they are discovered and virus definitions become available. As a result, security defenses need to be perimeter-based (usually the Internet [SMTP] gateway) and internal mail server based (usually Microsoft Exchange or Lotus Domino ). Tier 1: Protecting the perimeter Several measures can be taken to prevent unwanted Internet from reaching downstream servers, such as expensive message stores and data archives, as well as users. The two primary -borne threats and disruptions are viruses and spam. First, the most common virus content found in is the product of mass-mailer worms. These programs use addresses found on compromised systems and automatically generate s to replicate and distribute their payload to unsuspecting users and systems. Since mass-mailer worm s have no intrinsic business value, they can be deleted automatically without fear of legitimate data loss. Gateway-based antivirus scanners should be able to identify and distinguish mass-mailer worms and allow administrators to delete them. Often referred to as Mass-mailer Cleanup or Worm Purge, it is an important feature to look for in antivirus solutions. Second, mass-mailer worms usually rely on the same variety of data or file types to deliver the payload as an attachment. These are file types such as.scr,.pif, and.vbs, which are typically not found in regular business transactions, but may also include.exe files and will apply compression techniques, usually.zip. Based on these characteristics, further action can be taken to proactively protect the network environment from emerging, yet unidentified, mass-mailer threats. Attachment filtering can accomplish this through the creation of policy to delete messages when the presence of a suspect extension type, such as.scr and.pif, is found. 6

7 Also critical is the ability to identify these files within compressed containers, such as.zip files, and take the appropriate action. Third, spam content can be eliminated or removed from the internal mail streams to further reduce the burden on mail systems. Spam quarantines, generally housed on a server separate from the mail infrastructure, are ideal places to move unwanted spam content from active message stores (and consequently end-user mailboxes) to less expensive media, and they are far easier to scale and maintain. Quarantines are required because antispam systems cannot be 100% accurate. Since businesses cannot risk the loss of legitimate , users need a place to review spam-tagged messages. However, the reliability of the antispam system can play a significant role in reducing the amount of data that is held in quarantine and minimizing the amount of data requiring review by users. The standard metrics for antispam reliability are detection, i.e., spam catch rate, and accuracy rates against false positives (legitimate messages incorrectly identified as spam). One of the biggest challenges with many antispam systems is that detection and accuracy rates are often dependent variables, which can mean high detection rates at the expense of lower accuracy, and vice versa. It is important to look for an antispam solution that is not a collection of manual tools, but an integrated, frequently updated response mechanism with highly accurate spam definitions and techniques based on the latest spamming techniques. These best-of-breed antispam solutions ensure both detection and accuracy at the same time. The primary benefit the elimination of a large subset of spam messages that can be eliminated while in transit minimizes the burden on the spam quarantine and the end-user reviewer. Additional benefits include greater end-user confidence in antispam defenses. Finally, in order to maintain trust with customers and partners, it is also critical that an organization not be perceived as a source of inappropriate or malicious content. There are several ways to address this. All outbound should be scanned for viruses and inappropriate content. If company internal information is not to be shared with outside parties, it is important to identify this content and put the appropriate measures in place to filter the content at the mail server or gateway tier to keep it inside. Policy guidelines and employee education and awareness are also important. Since today s mass-mailer worms provide their own SMTP delivery services and no longer rely on popular programs and company mail architecture to distribute threats, it is important to put measures in place to stop unauthorized SMTP traffic (also referred to as Port 25 traffic). 7

8 These measures include network firewall rules that restrict Port 25 access to only authorized mail systems, as well as desktop firewall rules that prevent the use of Port 25 by end-user systems (end users send and receive Internet through the mail server, which is responsible for any actual SMTP transmissions). By implementing these measures, a large volume of data can be diverted or deleted from the mail stream, thus ensuring that downstream systems are not overtaxed by non-business content. This in turn leads to significant improvement in the overall operation of the infrastructure. Selecting perimeter form factors For SMTP perimeter protection, there are three ways to implement solutions. These are often referred to as form factors and can be described as follows: 1. Software-based solutions, which require installation of application software on the customerprovided hardware and operating system 2. Appliance-based solutions, where application software is pre-installed on a vendor-maintained operating system and hardware 3. Hosted service solutions, where the software and systems are located off-premises at a hosted provider and Internet mail streams are redirected through this environment to be scanned For all three solution scenarios above, the assumption is that the internal systems, for example, Lotus Domino and Microsoft Exchange environments, are located on the customer s premises, and are not managed off-site by a third-party service provider. For all three security form factors described, the administrator maintains full control over policy and flow of , whether it is in software, an appliance, or a hosted service. The availability of resources and expertise varies from company to company, even within larger organizations, so the choice of form factors becomes one of environmental situation and preference. There are advantages to each form factor, which can be categorized as follows: Software Appliance Hosted Complete control over entire environment, including choice of hardware and operating system Requires expertise and resources to maintain No operating system or compatible hardware to acquire and maintain No software to install Initial security hardening and subsequent patching provided by vendor No systems to maintain, so no internal expertise is required for day-to-day systems operation Burden of unwanted data, such as spam, is kept outside of the network 8

9 In addition to the key functional aspects required for perimeter protection described early in this section, there are form factor aspects to consider: Software: Deployment flexibility through support for multiple operating systems typically a range of operating system options, including various Windows, Solaris, and Linux environments. This allows companies to deploy and maintain flexibility and does not require specific operating system expertise in all geographic locations. Highly integrated: The fewer moving parts, the better. For emergency updates or upgrades, the fewer the number of components outside of the operating system and the mail security application, the easier it is to ensure compatibility and uptime. The vendor is responsible for both the technology and the security response components. This limits finger pointing between vendors and internal conflicts in the solution itself. Appliance: Hardening of the operating system for security non-essential operating system services are disabled, if not removed entirely, to limit exposure to system vulnerabilities Availability of a global support contract with four-hour hardware replacement Capacity for automated updates for application and operating system Hosted (proxy-based scanning vs. store-and-forward mail relay): The hosted provider should never take ownership of the message, with the exception of spam quarantining, which is accomplished by acting as a proxy between the sending server and the receiving server (on the customer s premises) holding the connection open long enough to complete inspection of the message, then closing out the transaction, as appropriate. Some hosted services function as store-and-forward relays, meaning they commit all messages to disk, as they are being processed. The exposure is twofold: (1) Catastrophic system failure can lead to loss of customer s, and (2) the confidentiality of s cannot be guaranteed, as they can be assessed through system or security compromise. Proxy-based hosting models prevent these risks to confidentiality and information loss. 9

10 Tier 2: Mail server protection Despite having solid perimeter protection in place, it is still necessary to inspect internal mail traffic. This is necessary for many reasons: Scanning for viruses that enter through other vectors, for example, personal Web-based , removable media such as USBs, remote laptop users whose virus definitions may not be current. No single tier of protection can offer 100% coverage, especially against new and emerging threats. Post-attack virus cleanup of message stores using the latest antivirus definitions is critical. Companies running the latest defenses at the SMTP gateway are often surprised when they are re-infected inside the network. Often the cause is lack of adequate virus cleanup at the mail server and even desktop tiers. Preventing authorized content from being sent to unauthorized users within and outside of the organization. Pains are often taken to secure internal Web sites for access by appropriate individuals or departments, but once downloaded to the desktop system, this information can easily be forwarded to virtually any individual within the company. Now, not only is there an exposure that unauthorized users gain access to confidential data, but they can also send that data outside of the company walls. Preventing leakage internally is just as critical as external or outbound data leakage. Preventing content from being accessed after it has been sent. Upon discovery of an inappropriate message, a rule can be created to block access to the message immediately and clean the message from the message store/database. Enforcing usage policies throughout the company, such as the use of inappropriate language in and the dissemination of unwanted or oversized attachment content such as MP3 files, executables, and others. Retroactive cleaning of message stores to remove older, unneeded content, for example, internal housekeeping memos. 10

11 As a result, mail server protection solutions should be able to inspect content in real time as is being committed to the message store, when it is being accessed from the store, and on a scheduled or on-demand basis to conduct sweeps of message store content based on updated virus definitions or specific content rules designed to identify suspicious or inappropriate content. In the case of most -borne threats, the initial outbreak stage leaves the company open to infection, as s enter the message store, where new infections are not yet detected by the current definitions. Once definitions have been updated, it is important to run periodic scans of the message store to eliminate any malicious content and prevent users from exposure. Multi-tier mail security solutions from Symantec Symantec is uniquely positioned in the security space as it offers customers the full range of solution form factors for perimeter SMTP protection, including broad platform support for its software-based solutions, as well as coverage of the two primary mail server platforms: Microsoft Exchange and Lotus Domino. To keep solutions up-to-date against the latest threats and disruptions including viruses, mass-mailer worms, spam, and phishing attacks, Symantec owns and maintains the largest global network of security, antivirus, and antispam research and response centers in the world. Symantec s global security response Symantec is one of only a few vendors that offers a truly global infrastructure for identifying and responding to the latest threats through security alerts and content updates. As the Internet knows no borders and time zones, neither should the response organization that provides ongoing updates for critical antivirus, antispam, and security scanning services on the network. 11

12 Dublin, Ireland Calgary, Canada San Francisco, CA Redwood City, CA Tokyo, Japan Santa Monica, CA Taipei, Taiwan Sydney, Australia Antivirus Labs Antispam Labs Virus Protection 6 Security Response Centers Digital Immune System Infrastructure Over 120M systems worldwide Over 45 Countries 24 x 365 Response Spam Protection 6 Operation Centers Over 2 Million Decoy Accounts Tens of Millions of Spam Processed Daily Over 20 Countries 24 x 365 Response Figure 2. Symantec Security Response global operations Global operations is critical, not just in terms of visibility into regional outbreaks, but also to provide customers with effective 24x7 response, wherever they have operations. With operations centers for spam and virus detection distributed across time zones, Symantec has security experts available 24-hours a day to view and process submissions and respond to the latest threats. Response to the latest threats can be updated via Symantec s robust, distributed network of LiveUpdate systems worldwide, reaching all customers, regardless of geographic location or time zone. 12

13 As part of that response network, Symantec receives suspect virus samples from over 120 million nodes located among its global customer base of consumer and corporate customers. Symantec also receives millions of new spam and phishing samples daily from its Probe Network, which is fed through its comprehensive ISP and enterprise customer base. All solutions in Symantec s multi-tier mail security portfolio are backed by Symantec Security Response, the world's leading antivirus and Internet security research and support organization. Symantec s perimeter protection Symantec s perimeter solutions span the key form factors (software, appliance, and hosted) as well as key operating systems (Windows, Solaris, and Linux), thereby offering flexibility in choosing the right fit for the unique needs of an organization. Software Installed on-premises using existing hardware, integrating with mail server. Internet Gateway Server Groupware Server Symantec Brightmail AntiSpam 6.0 Symantec Mail Security for SMTP Appliance Installed on-premises in a self contained appliance. Internet Symantec Mail Security 8200 Groupware Server Hosted Customer redirected to Symantecpowered data centers for filtering. Legitimate delivered to customer site. End users can optionally review off-premises spam quarantine. Internet Mail rerouted to Data Centers for filtering servers powered by Symantec Spam/Virus Filtering Quarantine for spam/ suspected spam Virus-free, spam-free Customer Site Groupware Server Symantec Hosted Mail Security Figure 3. Symantec Form Factors for SMTP Gateway Tier Protection 13

14 In addition, common to all solution offerings are: Symantec s industry-leading antispam technologies and response, which offer a greater than 97% effectiveness rate (Source: InfoWorld Product Review, 2004) and an accuracy rate of % (Source: Yankee Group Report, 2004), achieved through over 20 filtering technologies, Symantec s global Security Unit within Symantec Security Response infrastructure, and frequent 10-minute update intervals. In addition, Sender Reputation Lists leverage the Probe Network to identify known spam sources on the Internet to provide added certainty along with a stacked classification verdict system. Symantec s award-winning NAVEX antivirus technologies and response ensure consistent virus protection and updating across all supported platforms, using multiple detection technologies, including heuristics. Global Symantec Security Response operations centers provide support, with both schedulable and on-demand updating on a weekly, daily, and hourly basis. Mass-mailer cleanup capability to remove entire messages and prevent unnecessary virus notifications based on the presence of a mass-mailer worm. The ability to block by attachment name and extension and by message size, subject line, and message body content to assist in stopping early-hour attacks or to prevent the transmission of unwanted or inappropriate content. The flexibility to treat spam differently based on antispam engine verdict, i.e., deleting spam messages, but quarantining suspected spam messages for further review. Symantec s Web-based Spam Quarantine, which removes spam messages from the messaging environment, while making them available to administrators and end users for further processing and review. 14

15 The advantages offered through Symantec s different form factors are: Appliance Software Hosted Symantec Mail Security 8200 Series appliances Symantec Mail Security (with SPA), Symantec Brightmail AntiSpam Symantec Hosted Mail Security Pre-configured, hardened operating systems and mail relay Updating of operating system and application software provided by Symantec Acts as an firewall protecting against Directory Harvest Attacks, and based Denial of Service attacks Deployment flexibility across multiple operating systems Integration into existing mail gateway infrastructure (ex. Sendmail) or using integrated, proprietary mail relay technology. All SMTP traffic processed outside of your environment Spam Quarantine not housed in your network Symantec s mail server protection Where Symantec s perimeter protection plays a key role in minimizing the negative impacts of Internet traffic, Symantec Mail Security for Microsoft Exchange and Symantec Mail Security for Domino ensure that internal message traffic is also free of malicious or inappropriate content. Both solutions are tightly integrated into their respective mail environments, using vendorsupported APIs, ensuring maximum capability and minimum conflicts with the underlying messaging architecture. Similar to our perimeter protection solutions, Symantec Mail Security for Microsoft Exchange and Domino leverage the same core antivirus technology and response, as well as updating flexibility. For smaller organizations or even some larger organizations that have standardized from mail server to gateway using either a Domino or Exchange infrastructure, there is an added option of enabling the same Symantec Brightmail AntiSpam technologies and response as used in the perimeter protection solutions (to achieve 97%+ detection, % accuracy and updates every 10-minutes), further providing the flexibility in deployment required by diverse organizations. In addition to core scanning services, Symantec Mail Security for Microsoft Exchange and Domino also offer similar content inspection capabilities, such as subject line and message body filtering, attachment stripping, and restrictions on message size. These capabilities can be used to 15

16 enforce usage policies, as well as minimize exposure to regulatory penalties or even lawsuits resulting from inappropriate content being sent through internal . Symantec Mail Security for Exchange and Domino not only scan messages in transit but can also perform retroactive scans of the message store/database. This enables a mail administrator to use content rules to prevent access to a message that has already been sent. For example, if an employee sends a message with inappropriate or confidential information to a wide distribution list within the company, the administrator can create a rule to immediately prevent access to this message and remove it from the store. Similarly, when virus definitions are updated, the message store/database can be rescanned to ensure that internal mail is clean. Both products also provide the ability to create specific filtering rules depending on the transmission type (inbound, outbound, and internal messages). This provides a way to create targeted rules to: Prevent inappropriate content from being received within SMTP inbound messages Prevent confidential information from leaving the company via SMTP outbound messages Enforce internal policies via message store/database rules Introducing Symantec TM Mail Security Enterprise Edition Recognizing the importance of a defense-in-depth approach to security and the burden imposed on IT to identify and acquire the necessary technologies from multiple vendors, Symantec has developed the Symantec Mail Security Enterprise Edition, a licensing bundle that gives customers the flexibility to choose and use the form factor and platforms necessary to meet their evolving multi-tier security needs. Included in the offering are: Choice of perimeter protection using any of the three form factor solutions Symantec TM Hosted Mail Security Symantec Mail Security 8200 Series appliances Symantec Mail Security for SMTP (including Premium AntiSpam) Symantec Brightmail AntiSpam (including Symantec AntiVirus ) Choice of one or, for mixed or migrating environments, both mail server protection platforms Enablement and usage of both Symantec AntiVirus and Symantec Brightmail AntiSpam technology and response on any of the platforms, including the Exchange and Domino tiers Licensed per user (one license covers both security tiers) on an annual subscription basis 16

17 Gateway Tier Symantec Hosted Mail Security Symantec Mail Security 8200 Symantec Mail Security for SMTP Symantec Brightmail AntiSpam Mail Server Tier Symantec Mail Security for Microsoft Exchange Symantec Mail Security for Domino Desktop Tier Symantec AntiVirus Corporate Edition Figure 4. Messaging tiers protected by Symantec Mail Security Enterprise Edition Conclusion Multi-tier security is a critical requirement in any Internet-enabled company, regardless of size, since has become such a mission-critical application in our business lives. Our increasing dependence on ensures that it will remain a primary target for virus writers, hackers, spammers, and phishers. It also means that controlling the flow of data within and outside the corporate walls becomes all the more important to prevent risk and exposure to the business itself caused by inappropriate or unauthorized content falling into the wrong hands. Symantec s ownership and dedication to the core solutions required for a defense-in-depth security strategy, as well as its global rapid response infrastructure to address and stay ahead of the ever-changing challenges plaguing , make it a key strategic partner to protect the enterprise, and to help contain IT costs. A single-vendor approach through Symantec s point solutions or Symantec Mail Security Enterprise Edition bundle offers customers the necessary flexibility and coverage, while at the same time simplifying the purchasing, licensing, installation, 17

18 About Symantec Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free Symantec Corporation World Headquarters Stevens Creek Boulevard Cupertino, CA USA Symantec, the Symantec logo, Symantec Brightmail AntiSpam, Symantec Mail Security, LiveUpdate, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.. Domino and Lotus are trademarks of International Business Machines Corporation in the United States, other countries, or both. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Solaris is a trademark or a registered trademark of Sun Microsystems, Inc., in the U.S. or other countries. All other brand and product names are trademarks of their respective holder(s). Copyright 2005 Symantec Corporation. All rights reserved. Printed in the USA. 11/