What do you consider a multi layered approach?

Discussion in 'other security issues & news' started by Kees1958, Jan 5, 2008.

  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    Throwing in some points of view. Hope this fires up some discussion. I am interested in your opinions.

    There is no certified integrated model of a layered security approach. Often network/endpoint security companies are using one with the network (and OSI layers) as the central theme; on the other hand there are the IT market watchers like Forrester Research, Gartner and Buttler with their own models on a more meta-data level. Therefore I am using the attack/domain principles as a skeleton.

    1. Risk and threat reduction
    These are all the measures and applications which help to keep you out of dangerous places. Examples are web site authentication, phishing protection, IP address exclusion in your hosts file and community-based web advisors (which register complaints and mark a site safe or dangerous).

    Although this first step claims to be the most effective one (driving safely is more effective in traffic than having airbags), it is based on voluntary cooperation rather than legislation and it is also heavily based on user behavior. Frankly, because I cannot control the behavior of the others using this PC, I am not into this category.

    I only use the cookie prevention of SpywareBlaster (not IP addresses); I have turned off the phishing prevention of my browser. Google is our most used search engine and will provide some warnings for free.

    2. Reduction of vulnerable domain
    These are all the measures you can take to reduce the vulnerable/breachable parts of the digital environment. Identification, password authentication and policy (rights) management are important areas. Note that hardening and an up-to-date system (with known vulnerabilities patched) also fall under this category.

    I am a big fan of these kinds of measures, starting with using log-ons, passwords, MAC addresses, network security/encryption, running with limited rights (UAC) or using policy sandboxes like DefenseWall and GeSWall. The only thing I do not use is data encryption on the PCs themselves. The reason for this is that the data only has value to ourselves (photos etc.) and does not contain private data (no funny videos). Also the extra usage threshold of data encryption is a reason for not implementing it.

    3. Controlling the attack vectors
    This is all the protection you can assemble to prevent the entry of malware or hostile code on your PC. Attack vectors are often categorised per level, the lowest level being the network level, next the system-wide process level or kernel level and the last level the application or user level. A firewall and NIDS are obvious attack vector control mechanisms on the network level, just as a classical HIPS is an example of attack control (intrusion) on the process level. The downside of attack vector control was the user interaction (and knowledge required) to set this up. The first software firewalls were a real pain in the ass to set up. Over the years these kinds of applications have merged into each other. Examples are Comodo and Online Armor.

    By applying white and blacklists, the need for user interaction (and erroneous decisions) was greatly reduced. As said, I never was a fan of these types of protection, but on a stable PC the latest releases of both Comodo and Online Armor are easy to implement. I even implemented Comodo with D+ on my wife's PC, using the clean PC mode and cutting down file protection, while adding some static registry protection (on an XP machine; on a Vista machine with UAC these warnings are obsolete anyway). The great thing about D+ in clean PC state is that it does not apply attack vector protection to the existing programs, just to the new arrivals. Some hardliners will argue that you are never 100% certain that you are 100% clean. The wife's PC has got DefenseWall and with her surfing habits I dare to say that this PC is 100% clean.


    4. Damage containment
    This contains all measures to diminish the consequences of an intrusion. A classic example is antivirus software. Also virtualisation applications (e.g. SafeSpace/Sandboxie) belong to this category, because they undo the damage done after a reboot or after clearing the data pocket of that application session. Because policy sandboxes like GeSWall and DefenseWall remember the status (untrusted/trusted) of data files downloaded by a threat-gate-facing application, this is also a form of damage containment. A relatively new category of containment applications, directed not at data (like AV, virtualisation or policy sandbox) but at processes, are behavior blockers. Instead of popping up after a single offense/intrusion like a classical HIPS, they somehow rate the intrusions. Because they look at a sequence of actions they should have virtualisation/roll-back capabilities. ThreatFire is the one and only true behavior blocker (hey, I also got licenses of Mamutu and Primary Response SafeConnect, but their cure does not go any further than killing the malware, while TF has roll-back capabilities). So when you drive through too many red lights, you will lose your license. Vista and IE7 in protected mode even have some form of virtualisation and marking of downloaded files as dangerous. The outbound software firewall is also a form of damage containment. Most of these containment applications are user friendly. The only downside is that they check your system constantly (TF uses many more CPU cycles than Mamutu, but TF can roll back to some extent). Classical AVs have evolved from being at the end of the row (writing a file on your PC) to pre-execution control of web pages and incoming e-mail and providing a basic NIDS. Avast is an example of such a development. Other AVs are developing behavior-like modules or are using active heuristics to trap malware before it is executed/can do damage.

    On static PCs I tend to only use AVs which do some fore-checking (Avast Web, Network and e-mail Shield) and forget about checks on execution or on reads or writes to the hard disk. Also I prefer a sandbox (DefenseWall) over a behavior blocker. On a dynamic PC attack vector control really is not an option on a process level, therefore we use policy management (UAC), soft sandboxing (IE protected mode, HauteSecure) and behavior blocking (Primary Response SafeConnect). Because the gaming rig uses RAID 0, which is cached at writes, Antivir checks on writes only of executables (so it won't affect gaming performance). On the gaming PC we do not do on-line purchases or banking; on the static PC we have DefenseWall and have learned the habit of using the big red button before banking. That said, in the Netherlands we have implemented a double public/private encryption measure, which requires a token calculator, so I would doubt the risk of keyloggers.

    Looking forward to replies and opinions from you all
     
    Last edited: Jan 5, 2008
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't think security has to be complex. In dealing with home environments I use this guideline.

    First I discuss with the person, the entry points of malware:
    • Ports on internet
    • Email
    • Remote code execution (browser, email attachment, external media)
    • Infected files, or malware piggybacks on files you download
    Second I cover the bases. I start with the lowest layer, to use your term.

    1. Backup of files to cover a worst case scenario - physical loss of computer by theft, fire, etc.
    Backups and Copies of installation discs, manuals, other important stuff -- kept offsite

    2. Working up to the next layer -- Protection of the Operating System. Many possibilities here with the various virtualization and reboot-to-restore applications available

    3. Protection against Drive-by downloads or any otherwise unauthorized installation of executables, including those via the browser, external media, email attachments. Again, many possibilities here.

    4. At the top -- Protection against entry via a Port: Router, Firewall.

    ---------------------------

    Using this as a guideline, I can help someone setup their computer and select security products applicable to her/his computing environment.

    In each of the categories, for example email:

    First [policy] -- identifying possible threats, and safe procedures are discussed,
    to include identifying spam, phish; dealing with attachments.

    Second [technology] -- email application selected.

    IMO it doesn't really matter what the application (program) is. It's how they are used that matters, what user preferences are, etc., and all of the current ones can be used in a safe manner.

    Applying this procedure in each of the categories I can create a basic, safe computing environment.


    ----
    rich
     
    Last edited: Jan 5, 2008
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Law #10: Technology is not a panacea
    10 Immutable Laws of Security
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543

    Yes, but it can reduce an attack surface. And nobody here is talking about a panacea :)
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rmus,

    Yes, it is a good way to start by identifying the threat gates. Of course backup recovery is the most important thing to organise. I had not mentioned it.

    Technology is not a panacea for behavior control. Although this is true, there was a great difference in using an anti-virus or, say, one of the early releases of SSM.

    From a usability point of view, software-based security relating to policy management (sandbox or UAC), behavior blocking and blacklisting are easy-to-use applications.

    The point is that a lot of security-aware colleagues always focus on attack-vector-control-like applications (HIPS/FW), while focussing on reducing the vulnerable domain and/or increasing damage containment are more effective/straightforward ways of increasing security.

    This 4-tier model also shows that attack vector control programs which combine HIPS with FW will be the true winners in this category. Also their user friendliness has improved enormously (Comodo, Online Armor).
     
  6. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Well said - makes far more sense to me than the Michelin Man approach.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Is this aimed at companies? You mention endpoint companies in your first paragraph in your original post.

    I had difficulty in following much of the discussion. For example, I don't know what "IP adress exclusion" and "community based web advisors" refers to.


    ----
    rich
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry Rich,

    IP address exclusion is what SpywareBlaster does, simple hosts-file-based protection. A community-based web advisor, for example (I think), is McAfee SiteAdvisor. When a central organisation gets complaints from users being infected after visiting or downloading from a site, it will get a yellow or red warning.

    Those 4 tiers are general risk management principles.
    1. Stay out of risky places
    2. Reduce the weak/vulnerable spots of the domain to be protected (that is why a lot of old fortresses are built on hills or in loops of rivers)
    3. Control the attack vectors (metal scanner at an airport = FW on a PC, temporary workforce authentication at an airport = a HIPS ALLOWING TO SET A GLOBAL HOOK)
    4. Reduce the possible damage (isolate hijackers of a plane)
     
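    The "IP address exclusion in the hosts file" mentioned above is really hostname sinkholing: anti-spyware tools that immunize the hosts file append lines mapping a hostname to 127.0.0.1 or 0.0.0.0, so the name never resolves to the real server. Below is an added example (not code from any post in this thread, nor from any of the products named) that parses a hosts file the way the resolver does and reports which names are sinkholed. The sample lines are constructed for the example; the file name and function names are my own.

```powershell
# Added example: read a Windows hosts file and list the names that are sinkholed.
# The live file is $env:SystemRoot\System32\drivers\etc\hosts; the $sample lines
# below are constructed for this example.

function Get-SinkholedHosts {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')   # addresses used to "exclude" a host
    $blocked = @{}
    foreach ($line in $Lines) {
        $entry = ($line -split '#', 2)[0].Trim()         # drop trailing comments
        if ($entry -eq '') { continue }                  # blank or comment-only line
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }            # malformed: address without a name
        if ($sinkholes -notcontains $fields[0]) { continue }   # a real mapping, not a block
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $key = $name.ToLowerInvariant()
            if ($key -ne 'localhost') { $blocked[$key] = $fields[0] }
        }
    }
    return $blocked
}

function Test-HostBlocked {
    param([hashtable]$Blocked, [string]$HostName)
    # hosts entries are exact names: www.bad.example.test is NOT covered by bad.example.test
    return $Blocked.ContainsKey($HostName.ToLowerInvariant())
}

# Constructed sample lines, not a real hosts file
$sample = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '127.0.0.1  bad.example.test      # inserted by an anti-spyware tool',
    '0.0.0.0    tracker.example.test ads.example.test',
    '192.0.2.10 intranet.example.test # a real mapping, not a block'
)
$blocked = Get-SinkholedHosts -Lines $sample
Test-HostBlocked -Blocked $blocked -HostName 'ADS.example.test'
Test-HostBlocked -Blocked $blocked -HostName 'www.bad.example.test'
Test-HostBlocked -Blocked $blocked -HostName 'intranet.example.test'

# Same check against the live file:
# $live = Get-SinkholedHosts -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

Two caveats a practitioner should keep in mind: the hosts file only intercepts lookups by name, so a connection to a literal IP address or a subdomain not listed goes straight through, and because the file is system-wide any process that can write it (an installer run with admin rights, or malware that already got in) can add or remove entries, which is why this belongs in the "stay out of risky places" tier rather than in containment.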
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    1. Risk and threat reduction

    HIPS in the form of EQSecure 3.41
    Sandbox in the form of SandboxIE
    Virtual Environment in the form of Power Shadow

    2. Reduction of vulnerable domain

    See the above, include snoopfree + Kerio 2.15 with custom rules

    3. Controlling the attack vectors

    See The above again

    4. Damage containment

    FD-ISR archives + Paragon/DriveSnapshot Images isolated from box
    NOD32 for infection cleanup or deletion.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, Kees1958, thanks - - I re-read and it's clearer now.

    For me, the usefulness in tiers, layers, categories -- whatever label you want to use -- is that I can simplify for someone the various ways viruses can get onto the computer, and the different preventative measures available. It helps the person to be more discerning and discriminating.

    For example, if an article states that 2008 will see a 20% rise in virus infections, this can be dispensed with as useless scare propaganda, barring any meaningful analysis -- usually missing from general articles.

    If another article points out the advanced capabilities of a rootkit or keylogger, the person can ask, OK, how does such a thing get installed/executed in the first place? Upon review of the entry points of malware, she/he may conclude that preventative measures are in place for such stuff, or may decide that other preventative measures are needed. It's a starting point, a template, if you will, for analysis and control of the computer.

    As a template, it can be modified -- to add protection for a LAN, for example, if that is pertinent to the particular home environment I'm working with.


    ----
    rich
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rich,

    Thx for the input. These general principles should be combined with the flow of events of an intrusion (first pass the firewall, then data/code is received by a threat gate application, etc.), like you do when you are helping someone.

    Kees
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    What a lot of folks around here think is layered security is simply a mix and match approach to do exactly what a suite will do.

    Furthermore, one of the most effective methods, a limited user account with software restriction policy, is rarely used as many consider it to be too much trouble, but they opt for HIPS or very intrusive firewalls with HIPS features and run as administrators without a clue as to what all the pop-ups they are seeing mean.
     
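    The "limited user account with software restriction policy" setup from the post above is usually clicked together in secpol.msc, but SRP is just a set of registry values, which makes it scriptable and, more importantly, auditable. The script below is an added example (mine, not from this thread or from Microsoft) that writes a default-deny policy to the registry keys the Local Security Policy editor uses and reads it back so you can check what is actually in force. The allowed roots, the writable-folder exception list and the function names are assumptions for the example; which folders under %SystemRoot% are writable by limited users differs per install and should be audited on the box itself.

```powershell
# Added example: default-deny Software Restriction Policy via the registry.
# Run from an administrator prompt; log off and on again for it to apply to a session.
# Rule paths and the writable-folder list are assumptions for this example.

$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function New-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Unrestricted',
        [string]$Description = ''
    )
    # Rules live under a per-level subkey: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
    # The more specific path wins, so a Disallowed rule inside an Unrestricted root carves it out.
    $levelId = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    $key = Join-Path $SrpBase ("{0}\Paths\{1}" -f $levelId, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
    return $key
}

function Set-SrpDefaultDeny {
    param(
        [string[]]$AllowedRoots = @('%SystemRoot%', '%ProgramFiles%'),
        # Folders inside the allowed roots that a limited user can write to. Left alone,
        # a user (or malware running as the user) can drop an .exe there and run it.
        # Assumed example list; audit your own install for more.
        [string[]]$WritableExceptions = @('%SystemRoot%\Temp')
    )
    New-Item -Path $SrpBase -Force | Out-Null
    # Weak out-of-box state: DefaultLevel 262144 (Unrestricted). 0 = Disallowed.
    Set-ItemProperty -Path $SrpBase -Name DefaultLevel       -Value 0 -Type DWord
    # 1 = enforce on executables except DLLs; 2 = also DLLs (stricter, breaks more).
    Set-ItemProperty -Path $SrpBase -Name TransparentEnabled -Value 1 -Type DWord
    # 0 = all users; 1 = all users except local administrators (so the admin account
    # used for installs is not locked out).
    Set-ItemProperty -Path $SrpBase -Name PolicyScope        -Value 1 -Type DWord
    # Extensions treated as executable besides .exe/.dll. LNK is left out on purpose:
    # with it in the list, shortcuts on the user's desktop are blocked too.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','HLP','HTA','INF',
             'INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
             'SCR','SHS','URL','VB','WSC'
    Set-ItemProperty -Path $SrpBase -Name ExecutableTypes -Value $types -Type MultiString

    foreach ($root in $AllowedRoots) {
        New-SrpPathRule -Path $root -Level Unrestricted -Description 'allowed root' | Out-Null
    }
    foreach ($dir in $WritableExceptions) {
        New-SrpPathRule -Path $dir -Level Disallowed -Description 'user-writable, carved out' | Out-Null
    }
}

function Get-SrpSummary {
    # Read back what is actually in the registry, not what you think you set.
    $level = (Get-ItemProperty -Path $SrpBase -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $rules = foreach ($lvl in 0, 262144) {
        $paths = Join-Path $SrpBase "$lvl\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                New-Object PSObject -Property @{
                    Level = if ($lvl -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                    Path  = (Get-ItemProperty $_.PSPath).ItemData
                }
            }
        }
    }
    New-Object PSObject -Property @{
        DefaultLevel = switch ($level) {
            0       { 'Disallowed' }
            131072  { 'Basic User' }
            262144  { 'Unrestricted' }
            default { 'not set (behaves as Unrestricted)' }
        }
        Rules = @($rules)
    }
}

# Set-SrpDefaultDeny          # uncomment to apply; changes the local policy
Get-SrpSummary | Format-List
```

To verify, log on as the limited user, copy any .exe to the desktop and run it: it should be refused with a "blocked by group policy" message, and the Application event log records the refusal (source SoftwareRestrictionPolicies). The two things this does not cover are the reason Diver's "rarely used" observation holds: with TransparentEnabled set to 1, a DLL dropped in a user-writable folder and loaded by an allowed program is not checked, and every user-writable folder under an allowed root that you did not carve out is a hole, so the exception list has to come from an audit of the actual file permissions, not from memory.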
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    I didn't answer here, so maybe I should.

    I believe the multi-layered approach refers to security, but includes more than just plain security. And I think it expands outwards rather than inwards. In other words, network blocking is not the first step but actually the last step.

    I won't go into too many details because I'm not in the mood to type profusely yet, but if clarifications are needed I'll add them.

    Layer 1: Data integrity - multiple backups, imaging
    Layer 2: Outbound control for trusted apps
    Layer 3: Inbound / outbound control for trusted network
    Layer 4: Inbound for untrusted network

    Additionally, there are processes / applications that ingress from Layer 4 to Layer 2 by user choice - IM, P2P, email, browser etc.

    These need to be controlled in the following fashion:

    Reduction of escalation vectors - scripting, plugins etc
    Discipline - handling of attachments, links, images etc

    That's about it.

    All in all, this can be achieved with:

    Layer 1: Imaging software
    Layer 2-4: Firewall
    Layer 4 to 2: Non-standard apps, with scripts disabled or limited, plain text message rendering, a few basic discipline rules (default deny).

    Mrk
     