Tech Success: Worms, be gone
Fulton County, Ga., learns perimeter security isn't enough
Robert Taylor needs eyes in the back of his head to manage network security for Fulton County, Ga., home of the state capital Atlanta. The sprawling, 530-square-mile county, which includes an airport and a jail that rank among the busiest in the nation, has a similarly sprawling IT infrastructure.
More than 100 servers are running Microsoft Windows in Fulton County, and another 20 are running Unix. A self-healing, fiber-optic ring connects government campuses in the north and south of the county to their own Gigabit Ethernet LANs, while metropolitan Ethernet, frame relay and DSL connections link other county facilities to an institutional network.
Overall, said Taylor, county chief information officer, his staff operates a massive network connecting more than 6,000 PCs in 225 buildings.
Three years ago, the county's desktop computers were protected with Norton Antivirus. A hot backup site 20 miles from Atlanta could get the networks back up and running within two hours if the main county campus was brought down by disaster.
But in fall 2001, a little piece of software code -- a worm -- exposed holes in the network security. "Nimda brought our network to a screeching halt," Taylor said.
And Nimda was just the beginning. Taylor's team spent three months putting in a layered antivirus system, supported by daily updates broadcast from the county's servers to its desktops. For the time being, Taylor felt comfortable.
Then a new vulnerability emerged. In October 2003, an unprotected notebook carrying the Welchia worm was brought into the network and set off a packet storm that flooded the infrastructure. Only about 30 of the county's 6,000 PCs became infected, but Taylor said, no valid data could get in because of the data traffic that the worm generated.
The worm effectively shut down other operations, among them the jail's booking system, which meant that prisoners could not be released. The sheriff said he wasn't letting anybody go until Taylor's staff could get the network back up and running. The result was a public relations black eye and intense pressure to return things to normal.
"It took us four or five days to get those things under control," Taylor said. "I realized we had a problem. We had our walls up, but there was nothing inside that kept us from getting infected again."
The county turned to an intrusion prevention tool called Primary Response from Sana Security Inc. of San Mateo, Calif. Primary Response uses software agents that run on servers and recognize and block abnormal behavior, helping stop the internal spread of worms and squelch denial-of-service attacks from floods of packets. The software uses what Sana calls Adaptive Profiling Technology to learn the differences between normal and abnormal application behavior.
After Primary Response three months ago stood up to attacks on test servers, Fulton County cautiously began rolling it out.
"We started with the least critical servers and worked our way up," said Rod Smith, Fulton County's chief information security officer.
Then the county, which also wanted to protect its desktop machines, learned that Sana was working on Attack Shield, a lightweight set of intrusion prevention products for PCs. Worm Suppression, the first in the Attack Shield line of products for PCs, was announced in October, and Fulton County took it into its IT labs for testing.
Attack Shield WS works at the Windows operating system level to block code injection exploits, the largest class of risks from network worms. Like Primary Response, it blocks abnormal behavior, but Attack Shield WS looks only at interactions between applications and Windows core services.
Because it is behavior-based rather than signature-based, Attack Shield WS requires no updates or administration once it's been placed on the desktop.
"Attack Shield WS understands the fundamental proper behavior of Windows Services and tracks the operation to stop abnormal behaviors required for network worms," said Tim Eades, Sana's senior vice president of marketing.
Unlike some products that differentiate between normal and abnormal behavior, Attack Shield's narrow focus requires no learning time on the system and no exception handling. It's available as a self-installing add-on for PCs at about $10 per machine and can be embedded at the OS level by system vendors and integrators.
Companies such as Science Applications International Corp. have signed on to promote Sana's technology.
"Our large enterprise customers are asking for more automated, highly scalable security solutions that offer server and application protection against unknown, zero-day attacks," said James Smith, SAIC's Enterprise Security Solutions Division manager, in a June statement announcing a marketing agreement with Sana.
Count Taylor among those customers. "We've got Attack Shield in our lab now, and we're ready to start rolling it out," he said.
With Sana's products, Fulton County hopes to protect itself from malicious code that gets past the network perimeter while making its infrastructure less inviting to worms.
William Jackson is a senior editor for Government Computer News. If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Doug Beizer at dbeizer@postnewsweek