Tech Success: Worms, be gone

Fulton County, Ga., learns perimeter security isn't enough

IT solutions in action

Project: Network security upgrade

Agency: Fulton County, Ga.

Solution provider: Sana Security Inc., San Mateo, Calif. 

Goal: In 2001, a computer worm brought Fulton County's networks to a screeching halt. The IT staff immediately began implementing security measures to avoid further network disruptions.

Obstacle: Securing PCs and servers throughout the infrastructure was a significant step, but it didn't address the problem of portable devices accessing the networks.

Solution: Fulton County adopted intelligent intrusion detection software from Sana Security. The software learns what constitutes normal network activity and can cut off malicious attacks before they bring down the network. 

Payoff: While Fulton County continues to apply the necessary patches and virus definitions throughout its network, the Sana solution can protect its infrastructure from sudden, unidentified attacks for which no patch is yet available.

Robert Taylor needs eyes in the back of his head to manage network security for Fulton County, Ga., home of the state capital Atlanta. The sprawling, 530-square-mile county, which includes an airport and a jail that rank among the busiest in the nation, has a similarly sprawling IT infrastructure.

More than 100 servers are running Microsoft Windows in Fulton County, and another 20 are running Unix. A self-healing, fiber-optic ring connects government campuses in the north and south of the county to their own Gigabit Ethernet LANs, while metropolitan Ethernet, frame relay and DSL connections link other county facilities to an institutional network.

Overall, said Taylor, county chief information officer, his staff operates a massive network connecting more than 6,000 PCs in 225 buildings.

Three years ago, the county's desktop computers were protected with Norton Antivirus. A hot backup site 20 miles from Atlanta could get the networks back up and running within two hours if the main county campus was brought down by disaster.

But in fall 2001, a little piece of software code -- a worm -- exposed holes in the network security. "Nimda brought our network to a screeching halt," Taylor said.

And Nimda was just the beginning. Taylor's team spent three months putting in a layered antivirus system, supported by daily updates broadcast from the county's servers to its desktops. For the time being, Taylor felt comfortable.

Then a new vulnerability emerged. In October 2003, an unprotected notebook carrying the Welchia worm was brought into the network and set off a packet storm that flooded the infrastructure. Only about 30 of the county's 6,000 PCs became infected, but Taylor said, no valid data could get in because of the data traffic that the worm generated.

The worm effectively shut down other operations, among them the jail's booking system, which meant that prisoners could not be released. The sheriff said he wasn't letting anybody go until Taylor's staff could get the network back up and running. The result was a public relations black eye and intense pressure to return things to normal.

"It took us four or five days to get those things under control," Taylor said. "I realized we had a problem. We had our walls up, but there was nothing inside that kept us from getting infected again."

The county turned to an intrusion prevention tool called Primary Response from Sana Security Inc. of San Mateo, Calif. Primary Response uses software agents that run on servers and recognize and block abnormal behavior, helping stop the internal spread of worms and squelch denial-of-service attacks from floods of packets. The software uses what Sana calls Adaptive Profiling Technology to learn the differences between normal and abnormal application behavior.

After Primary Response three months ago stood up to attacks on test servers, Fulton County cautiously began rolling it out.

"We started with the least critical servers and worked our way up," said Rod Smith, Fulton County's chief information security officer.

Then the county, which also wanted to protect its desktop machines, learned that Sana was working on Attack Shield, a lightweight set of intrusion prevention products for PCs. Worm Suppression, the first in the Attack Shield line of products for PCs, was announced in October, and Fulton County took it into its IT labs for testing.

Attack Shield WS works at the Windows operating system level to block code injection exploits, the largest class of risks from network worms. Like Primary Response, it blocks abnormal behavior, but Attack Shield WS looks only at interactions between applications and Windows core services.

Because it is behavior-based rather than signature-based, Attack Shield WS requires no updates or administration once it's been placed on the desktop.

"Attack Shield WS understands the fundamental proper behavior of Windows Services and tracks the operation to stop abnormal behaviors required for network worms," said Tim Eades, Sana's senior vice president of marketing.

Unlike some products that differentiate between normal and abnormal behavior, Attack Shield's narrow focus requires no learning time on the system and no exception handling. It's available as a self-installing add-on for PCs at about $10 per machine and can be embedded at the OS level by system vendors and integrators.

Companies such as Science Applications International Corp. have signed on to promote Sana's technology.

"Our large enterprise customers are asking for more automated, highly scalable security solutions that offer server and application protection against unknown, zero-day attacks," said James Smith, SAIC's Enterprise Security Solutions Division manager, in a June statement announcing a marketing agreement with Sana.

Count Taylor among those customers. "We've got Attack Shield in our lab now, and we're ready to start rolling it out," he said.

With Sana's products, Fulton County hopes to protect itself from malicious code that gets past the network perimeter while making its infrastructure less inviting to worms.

William Jackson is a senior editor for Government Computer News. If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Doug Beizer at dbeizer@postnewsweek

tech.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts

  • How Do You Support the Project Lifecycle?

    How do best-in-class project-based companies create and actively mature successful organizations? They find the right mix of people, processes and tools that enable them to effectively manage the project lifecycle. REGISTER for this webinar to hear how properly managing the cycle of capture, bid, accounting, execution, IPM and analysis will allow you to better manage your programs to stay on scope, schedule and budget. Learn More!

  • Sequestration, LPTA and the Top 100

    Join Washington Technology’s Editor-in-Chief Nick Wakeman as he analyzes the annual Top 100 list and reveals critical insights into how market trends have impacted its composition. You'll learn what movements of individual companies means and how the market overall is being impacted by the current budget environment, how the Top 100 rankings reflect the major trends in the market today and how the biggest companies in the market are adapting to today’s competitive environment. Learn More!