Worm detector looks out for bad behaviour

Summary: Check Point's InterSpect appliance keeps a record of known vulnerabilities and looks for suspicious network behaviour that could be exploiting them

Firewall maker Check Point launched a security appliance on Tuesday that it claims will protect corporate networks from cyberattacks that exploit known vulnerabilities in LAN protocols and applications.

The InterSpect appliance works from a regularly updated database of known vulnerabilities. When packets associated with a particular application start behaving suspiciously, the InterSpect appliance takes over, quarantines the affected PC and warns the user that all network access has been temporarily revoked while the computer is being cleaned.

Nick Lowe, Check Point UK's managing director, told ZDNet UK that although companies are used to protecting their network's perimeter, problems occur when malicious code is introduced from the inside -- through an infected notebook PC, for example. Lowe said InterSpect allows a network to be segmented, so high-risk areas -- such as a 'touch-down' zone, where lots of notebook users work -- could be quickly blocked off from the rest of the network in case of an outbreak.

"If a laptop infected with a worm is plugged into the touch-down area, InterSpect will physically stop that device from attaching to the corporate network. Instead, it will be connected to another part of the network that gives it access to the services required for fixing and cleaning the PC," said Lowe.

Lowe said that these kinds of safeguards are required because companies want to do a series of checks and tests before they deploy new patches, which gives malicious code writers a window in which to exploit vulnerabilities. Lowe gave MSBlast as an example, where the vulnerability was announced in April 2003 and a patch was published in July. The MSBlast worm was released in August of the same year -- and although the vulnerability had been public knowledge for months, signature-based systems were caught out. "Until that point, no signature-based system could detect the worm and afterwards, if the worm mutated, they would have to be updated again," he said.

Had InterSpect been available before MSBlast, said Lowe, it would have recognised that the vulnerability Microsoft had earlier published was being exploited. "We are not looking for known bad packets, we are looking for application behaviour that addresses those vulnerabilities. We can conclude it is not natural application behaviour; therefore the packet structure and flow is malicious, so we block it," he said.
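To make the distinction Lowe draws concrete, here is an added toy example (it is not Check Point's code and does not describe any real protocol, worm or vulnerability). It decodes a constructed request format, checks the decoded fields against a hypothetical "vulnerability record" (service, operation and the longest argument a legitimate client would send), runs a byte-signature check for one known worm payload alongside it, and moves any host that triggers the vulnerability condition into a remediation segment, as described in the touch-down zone scenario above. A mutated variant of the worm evades the signature but still trips the vulnerability condition. The wire format, the record `HYPOTHETICAL-001`, the field limit of 32 bytes, the host names and all traffic are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Request:
    """Decoded form of the toy wire format: b'service:operation:argument'."""
    service: str
    operation: str
    argument: bytes


def parse_request(raw: bytes) -> Optional[Request]:
    """Decode the constructed format. The detector reasons about decoded
    fields, not raw bytes, which is what lets it ignore payload mutations."""
    parts = raw.split(b":", 2)
    if len(parts) != 3:
        return None  # malformed: nothing to reason about
    service, operation, argument = parts
    return Request(service.decode("ascii", "replace"),
                   operation.decode("ascii", "replace"), argument)


@dataclass(frozen=True)
class VulnRecord:
    """Hypothetical entry in the 'known vulnerabilities' database: the
    condition under which a request could be exploiting the flaw."""
    service: str
    operation: str
    max_argument_len: int  # longest argument a legitimate client sends
    advisory: str          # label only, not a real advisory identifier


VULN_DB = [VulnRecord("rpc", "bind_host", 32, "HYPOTHETICAL-001")]

# Signature detector: knows the exact payload of one worm, nothing else.
KNOWN_BAD_PAYLOADS = [b"rpc:bind_host:" + b"\x90" * 60 + b"WORM-A"]


def signature_match(raw: bytes) -> bool:
    return any(sig in raw for sig in KNOWN_BAD_PAYLOADS)


def violates_vulnerability_condition(req: Request) -> Optional[VulnRecord]:
    """Vulnerability-aware check: does this request exceed what the
    affected operation can safely handle, regardless of payload bytes?"""
    for v in VULN_DB:
        if (v.service, v.operation) == (req.service, req.operation) \
                and len(req.argument) > v.max_argument_len:
            return v
    return None


@dataclass
class Segmenter:
    """Tracks which segment each host is attached to."""
    corporate: Set[str] = field(default_factory=set)
    remediation: Set[str] = field(default_factory=set)

    def admit(self, host: str) -> None:
        self.corporate.add(host)

    def quarantine(self, host: str) -> str:
        # Detach from the corporate segment; attach to the cleaning segment.
        self.corporate.discard(host)
        self.remediation.add(host)
        return f"{host}: network access revoked, moved to remediation segment"


def inspect(seg: Segmenter, src_host: str, raw: bytes) -> Dict[str, object]:
    """Run both detectors on one message; quarantine on a vulnerability hit."""
    req = parse_request(raw)
    hit = violates_vulnerability_condition(req) if req else None
    verdict: Dict[str, object] = {
        "host": src_host,
        "signature": signature_match(raw),
        "vulnerability": hit.advisory if hit else None,
        "action": None,
    }
    if hit:
        verdict["action"] = seg.quarantine(src_host)
    return verdict


def run_demo() -> Dict[str, object]:
    """Constructed traffic: a legitimate request, the known worm, and a
    mutated variant with a different filler and tag."""
    seg = Segmenter()
    for host in ("desk-01", "laptop-07", "laptop-09"):
        seg.admit(host)
    traffic = [
        ("desk-01", b"rpc:bind_host:\\\\fileserver01"),                   # legitimate
        ("laptop-07", b"rpc:bind_host:" + b"\x90" * 60 + b"WORM-A"),      # known worm
        ("laptop-09", b"rpc:bind_host:" + b"\x41" * 80 + b"WORM-A2"),     # mutated
    ]
    verdicts = [inspect(seg, host, raw) for host, raw in traffic]
    return {"verdicts": verdicts, "remediation": sorted(seg.remediation)}


if __name__ == "__main__":
    for v in run_demo()["verdicts"]:
        print(v)
```

The signature catches only `laptop-07`; the vulnerability condition catches both infected laptops because it tests the decoded argument length against what the operation can tolerate, not the bytes the worm happened to use. That is also the weakness of the approach: the database entry has to describe the vulnerable condition accurately, or legitimate long arguments will quarantine healthy hosts.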

Research firm IDC said the security appliance market is showing strong growth, but Check Point is likely to face tough competition from Cisco and NetScreen, who currently dominate with market shares of 27.7 percent and 20.8 percent respectively.

Check Point's InterSpect supports, among others, the CIFS, MS SQL, DCOM, Sun RPC, DCE RPC and HTTP protocols. The product will cost between $9,000 and $39,000 and is available immediately.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

  • Worm detector isn't worth bothering your time with, how crap it is
    anonymous