Worm detector looks out for bad behaviour

Check Point's InterSpect appliance keeps a record of known vulnerabilities and looks for suspicious network behaviour that could be exploiting them

Firewall maker Check Point launched a security appliance on Tuesday that it claims will protect corporate networks from cyberattacks that exploit known vulnerabilities in LAN protocols and applications.

The InterSpect appliance works by having access to a regularly updated database of known vulnerabilities. When packets associated with a particular application start acting suspiciously, the InterSpect appliance takes over, quarantines the affected PC and warns the user that all network access has been temporarily revoked while the computer is being cleaned.

Nick Lowe, Check Point UK's managing director, told ZDNet UK that although companies are used to protecting their network's perimeter, problems occur when malicious code is introduced from the inside -- through an infected notebook PC, for example. Lowe said InterSpect allows a network to be segmented, so high-risk areas -- such as a 'touch-down' zone, where lots of notebook users work -- could be quickly blocked off from the rest of the network in case of an outbreak.

"If a laptop infected with a worm is plugged into the touch-down area, InterSpect will physically stop that device from attaching to the corporate network. Instead, it will be connected to another part of the network that gives it access to the services required for fixing and cleaning the PC," said Lowe.

Lowe said that these kinds of safeguards are required because companies want to do a series of checks and tests before they deploy new patches, which gives malicious code writers a chance to exploit vulnerabilities. Lowe gave MSBlast as an example, where the vulnerability was announced in April 2003 and a patch was published in July. The MSBlast worm was released in August of the same year -- and although the vulnerability had been public knowledge for months, signature-based systems were still caught out. "Until that point, no signature-based system could detect the worm and afterwards, if the worm mutated, they would have to be updated again," he said.

Had InterSpect been available before MSBlast, said Lowe, it would have recognised that the vulnerability Microsoft had earlier published was being exploited. "We are not looking for known bad packets, we are looking for application behaviour that addresses those vulnerabilities. We can conclude it is not natural application behaviour; therefore the packet structure and flow is malicious, so we block it," he said.
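The difference Lowe describes, between matching known bad bytes and checking whether traffic stays within the limits a published vulnerability defines, can be shown with a small detector. The following is an added example, not InterSpect's engine or any Check Point code: the "toy request" protocol, its 64-byte name limit, the opcode set, the fixed-string signature and the three sample messages are all constructed here for illustration. It also shows the quarantine step from earlier in the article, moving a host that trips either check into a remediation segment and keeping it there until it is explicitly released.

```python
import struct

# Constructed limits a hypothetical advisory would state for the toy service:
# the server copies the request's name field into a 64-byte buffer, and only
# opcodes 1..3 exist.  Traffic outside these bounds is not natural client
# behaviour, whatever bytes it carries.
NAME_LIMIT = 64
VALID_OPCODES = {1, 2, 3}

# Constructed "known bad" byte string, as a signature engine would learn it
# from one captured sample of a worm.
KNOWN_SIGNATURES = [b"WORMFILL" * 4]


def build_request(opcode: int, name: bytes, body: bytes = b"") -> bytes:
    """Encode a toy request: opcode (1 byte), name length (2 bytes BE), name, body."""
    return struct.pack(">BH", opcode, len(name)) + name + body


def parse_request(raw: bytes) -> dict:
    """Decode a toy request; raise ValueError on a truncated or inconsistent header."""
    if len(raw) < 3:
        raise ValueError("truncated header")
    opcode, name_len = struct.unpack(">BH", raw[:3])
    name = raw[3:3 + name_len]
    if len(name) != name_len:
        raise ValueError("name field shorter than declared length")
    return {"opcode": opcode, "name_len": name_len, "name": name, "body": raw[3 + name_len:]}


def signature_match(raw: bytes) -> bool:
    """Signature view: does the packet contain bytes from a known sample?"""
    return any(sig in raw for sig in KNOWN_SIGNATURES)


def behaviour_violations(raw: bytes) -> list:
    """Vulnerability-aware view: does the request exceed what the service tolerates?"""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    reasons = []
    if req["name_len"] > NAME_LIMIT:
        reasons.append(f"name field of {req['name_len']} bytes exceeds {NAME_LIMIT}-byte server buffer")
    if req["opcode"] not in VALID_OPCODES:
        reasons.append(f"unknown opcode {req['opcode']}")
    return reasons


class SegmentEnforcer:
    """Moves hosts from the production segment to a remediation segment on a hit."""

    def __init__(self):
        self.zone = {}

    def inspect(self, host: str, raw: bytes) -> dict:
        sig = signature_match(raw)
        reasons = behaviour_violations(raw)
        if sig or reasons:
            self.zone[host] = "remediation"
        else:
            # A host already quarantined stays there even if later traffic is clean.
            self.zone.setdefault(host, "production")
        return {"signature": sig, "behaviour": reasons, "zone": self.zone[host]}

    def release(self, host: str) -> None:
        """Return a cleaned host to the production segment."""
        self.zone[host] = "production"


# Constructed samples: the captured worm, a variant with different filler
# bytes, and a benign request whose name fits the buffer.
SAMPLE_KNOWN = build_request(1, b"WORMFILL" * 4 + b"A" * 40)   # 72-byte name
SAMPLE_MUTATED = build_request(1, b"\x90" * 72)                 # same oversize, new bytes
SAMPLE_BENIGN = build_request(2, b"fileserver01")

if __name__ == "__main__":
    enforcer = SegmentEnforcer()
    for host, raw in [("laptop-7", SAMPLE_KNOWN), ("laptop-9", SAMPLE_MUTATED), ("desk-1", SAMPLE_BENIGN)]:
        print(host, enforcer.inspect(host, raw))
```

Running the script shows the mutated variant slipping past the signature while the length check still flags it, and the benign request passing both; the enforcer leaves "laptop-9" in the remediation segment until `release()` is called.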

Research firm IDC said the security appliance market is showing strong growth, but Check Point is likely to face tough competition from Cisco and NetScreen, which currently dominate with market shares of 27.7 percent and 20.8 percent respectively.

Check Point's InterSpect supports, among others, the CIFS, MS SQL, DCOM, Sun RPC, DCE RPC and HTTP protocols. The product will cost between $9,000 and $39,000 and is available immediately.