Worm detector looks out for bad behaviour

Summary: Check Point's InterSpect appliance keeps a record of known vulnerabilities and looks for suspicious network behaviour that could be exploiting them

Firewall maker Check Point launched a security appliance on Tuesday that it claims will protect corporate networks from cyberattacks that exploit known vulnerabilities in LAN protocols and applications.

The InterSpect appliance works by having access to a regularly updated database of known vulnerabilities. When packets associated with a particular application start acting suspiciously, the InterSpect appliance takes over, quarantines the affected PC and warns the user that all network access has been temporarily revoked while the computer is being cleaned.

Nick Lowe, Check Point UK's managing director, told ZDNet UK that although companies are used to protecting their network's perimeter, problems occur when malicious code is introduced from the inside -- through an infected notebook PC, for example. Lowe said InterSpect allows a network to be segmented, so high risk areas -- such as a 'touch-down' zone, where lots of notebook users work -- could be quickly blocked off from the rest of the network in case of an outbreak.

"If a laptop infected with a worm is plugged into the touch-down area, InterSpect will physically stop that device from attaching to the corporate network. Instead, it will be connected to another part of the network that gives it access to the services required for fixing and cleaning the PC," said Lowe.

Lowe said that these kinds of safeguards are required because companies want to do a series of checks and tests before they deploy new patches, which gives malicious code writers a chance to exploit vulnerabilities. Lowe gave MSBlast as an example, where the vulnerability was announced in April 2003 and a patch was published in July. The MSBlast worm was released in August of the same year -- and although the vulnerability had been public knowledge for months, signature-based systems were still caught out. "Until that point, no signature-based system could detect the worm and afterwards, if the worm mutated, they would have to be updated again," he said.

Had InterSpect been available before MSBlast, said Lowe, it would have recognised that the vulnerability Microsoft had earlier published was being exploited. "We are not looking for known bad packets, we are looking for application behaviour that addresses those vulnerabilities. We can conclude it is not natural application behaviour; therefore the packet structure and flow is malicious, so we block it," he said.
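The contrast Lowe draws between matching known bad packets and checking application behaviour against a vulnerability record, as an added Python sketch that is not Check Point's code and models none of InterSpect's real internals; the protocol and operation names, the 64-byte bound, the payloads and the addresses are all constructed for the example.

```python
# Added example (not Check Point code): a signature match versus a behaviour check
# tied to a known-vulnerability record, followed by the quarantine decision.
# Every protocol name, bound, payload and address below is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    src: str          # host sending the request
    proto: str        # application protocol, e.g. "DCE RPC"
    op: str           # operation within that protocol
    arg: bytes        # argument carried by the operation

# Signature approach: a fixed byte pattern taken from one captured worm sample.
WORM_SIGNATURE = b"\x90\x90WORM-A"

def signature_match(req: Request) -> bool:
    return WORM_SIGNATURE in req.arg

# Behaviour approach: a record of what the application legitimately sends to the
# vulnerable operation. The (constructed) flaw is an unchecked copy of a name
# field that no real client ever fills beyond 64 printable bytes.
VULN_DB = {("DCE RPC", "open-object"): {"max_arg_len": 64, "printable": True}}

def behaviour_violation(req: Request) -> Optional[str]:
    rule = VULN_DB.get((req.proto, req.op))
    if rule is None:
        return None                      # operation not tied to a known vulnerability
    if len(req.arg) > rule["max_arg_len"]:
        return "argument longer than any legitimate client sends"
    if rule["printable"] and any(b < 0x20 or b > 0x7E for b in req.arg):
        return "non-printable bytes in a field that is always text"
    return None

def decide(req: Request, quarantined: set) -> str:
    """Return the network segment the source host is placed on."""
    if behaviour_violation(req):
        quarantined.add(req.src)         # only remediation services reachable from here
        return "remediation"
    return "remediation" if req.src in quarantined else "corporate"

# Constructed traffic: a benign client, the captured worm, and a mutated variant.
benign = Request("10.0.5.20", "DCE RPC", "open-object", b"HR-PRINTER-03")
worm_a = Request("10.0.5.41", "DCE RPC", "open-object", b"A" * 80 + WORM_SIGNATURE)
worm_b = Request("10.0.5.42", "DCE RPC", "open-object", b"B" * 80 + b"\x90\x90WORM-B")
```

The signature catches only `worm_a`, while the behaviour rule flags both variants without any update, and a host that tripped it stays on the remediation segment for its later, otherwise normal, traffic.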

Research firm IDC said the security appliance market is showing strong growth, but Check Point is likely to face tough competition from Cisco and NetScreen, who currently dominate with market shares of 27.7 percent and 20.8 percent respectively.

Check Point's InterSpect supports, among others, the CIFS, MS SQL, DCOM, Sun RPC, DCE RPC and HTTP protocols. The product will cost between $9,000 and $39,000 and is available immediately.

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...
