Malware beware

Real-time scanning keeps malicious code at bay

Project Overview

Project: Gateway malware scanning.

Agency: Rio Blanco County, Colo.

Partners: CP Secure Inc. and Rio Blanco's multiagency network.

Goal: To protect the county's computers and network from viruses, malware and spam.

Obstacles: Gateway protection can often slow a network and create inefficiencies for an organization.

Solution: A stream-scanning appliance was selected that allows traffic to be scanned almost in real time.

Payoff: Malware, spyware and other attacks are being detected and eliminated at the gateway level. Providers of critical county services can depend on their computers to operate efficiently at all times.

Keeping an organization's computers and networks running is a tough job for any information technology director. In Rio Blanco County, a remote western Colorado community, the land's vastness makes that task even more complex.

The county's municipal area network provides voice and data services to about 800 users, in 26 agencies and at 13 locations. The network serves institutions that range from town governments to area hospitals.

With so many groups depending on the network, it is critical that viruses, malware and other attacks are kept in check.

"After we implemented the municipal area network we were very concerned and saw the need for a hardware appliance at the head of our network to do antivirus and spam filtering," said Michael Lani, the county's IT director.

Even with antivirus software installed on every desktop computer, the IT department still saw a lot of malware and spyware floating around the network. The attacks were resulting in slow system performance and other problems, Lani said.

"So we decided what we needed was a multilayer defense system," Lani said.

That included a firewall, desktop virus protection and a final piece of defense: gateway antivirus and spam scanning.

Rio Blanco officials picked a gateway scanning appliance from CP Secure Inc. of Cupertino, Calif. Instead of scanning traffic in the traditional batch-based way that has been done for years, CP uses a stream-scanning architecture. Batch-based scanning uses files as the basic unit for scanning. CP Secure's stream scanning further breaks that down, examining bits and bytes of data coming into a network, said Joshua Lin, director of marketing and business development for CP Secure.

"The results are we are able to use system resources in a very efficient manner," Lin said. "We also use a parallel processing architecture, so as the Internet stream comes in we're able to concurrently scan it and output it, which reduces the amount of latency because we are using system resources very efficiently."

The more traditional batch scanning came about in the mid-1990s when most attacks arrived in e-mail.

Gateway scanners in those days were designed to scan e-mail traffic. That worked well because e-mail isn't real-time traffic. E-mail could be paused at some point, scanned, and it would all happen fast enough that people wouldn't complain about e-mail taking a long time to arrive.

"But it is a whole different matter when you have malware that's attacking some Web traffic," Lin said. "If you're in an environment of a thousand or more users, people will start complaining about slow Internet connections, and long Web page load times. So when you're scanning http traffic, the problem becomes a latency issue."

CP executives said their appliance scans in real time, but that really means it's able to handle high throughput, with very low latency to the point where it's not noticeable to the end user.
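To make the batch-versus-stream distinction concrete, here is an added example (not CP Secure's code) contrasting a scanner that must buffer a whole object before releasing any of it with one that matches signatures over chunks as they arrive and forwards cleared bytes at once, holding back only a short tail so a signature that straddles two chunks is still caught. The signatures and sample traffic are constructed for illustration, not real indicators.

```python
from typing import Iterable, Iterator, List, Tuple

# Constructed byte-pattern signatures for illustration only, not real malware indicators.
SIGNATURES: List[bytes] = [b"EVIL-PATTERN-A", b"EVIL-PATTERN-B"]

# Constructed sample traffic (hypothetical HTTP response bodies).
CLEAN_SAMPLE = b"HTTP/1.1 200 OK\r\n\r\n<html>hello county</html>"
INFECTED_SAMPLE = b"<html>ok</html>" + SIGNATURES[0] + b"tail"


def chunk(data: bytes, size: int = 8) -> Iterator[bytes]:
    """Split a byte string into fixed-size pieces, like packets arriving at the gateway."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def batch_scan(chunks: Iterable[bytes]) -> Tuple[bool, int]:
    """Buffer the whole object, then scan it once.
    Returns (infected, number of chunks held before any byte can leave)."""
    held = list(chunks)
    blob = b"".join(held)
    return any(sig in blob for sig in SIGNATURES), len(held)


def stream_scan(chunks: Iterable[bytes]) -> Tuple[bool, int, bytes]:
    """Scan each chunk on arrival and forward cleared bytes immediately.
    The last len(longest signature) - 1 bytes are held back so a signature
    that straddles two chunks is still caught.
    Returns (infected, chunks held before first output, bytes forwarded)."""
    overlap = max(len(s) for s in SIGNATURES) - 1
    window = b""
    forwarded = bytearray()
    first_release = None
    total = 0
    for total, piece in enumerate(chunks, start=1):
        window += piece
        if any(sig in window for sig in SIGNATURES):
            # Block: nothing beyond the already-cleared bytes reaches the client.
            return True, total, bytes(forwarded)
        if len(window) > overlap:
            cut = len(window) - overlap
            forwarded += window[:cut]        # release bytes that can no longer match
            window = window[cut:]
            if first_release is None:
                first_release = total
    forwarded += window                      # end of stream: flush the held tail
    return False, first_release if first_release is not None else total, bytes(forwarded)
```

On the clean sample the batch scanner holds all six chunks before the first byte can leave, while the stream scanner starts forwarding after the second; on the infected sample the stream scanner stops at the chunk that completes the signature, having released only the bytes that could not be part of it.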

Some techniques to make batch scanning faster can leave a network at risk, Lin said. Some do selective scanning, fast-tracking traffic that isn't likely to have malware. Others use reputation filters, which only scan traffic from Web sites deemed suspicious or malicious. Although that technique speeds things up, using it also means much Web traffic will never be scanned.

Also, using that technique is precarious because so much malware often is spread through Web traffic.

"We find that a lot of people tend to focus on threats they are aware of, so you may hear that spam is a big problem mainly because people deal with spam everyday in their inboxes," Lin said. "Other customers, like Rio Blanco, just knew that they were getting hit with viruses or malware, resulting in their IT help desk having to deal with problems at the desktop level."

In addition, dealing with those issues at the workstation level is a reactive approach and very inefficient. Appliances such as CP Secure's stop those problems before they make their way to desktops, according to the company.

The appliance is an inline transparent bridge. Typically organizations deploy it behind the firewall to scan all the e-mail and Web traffic their firewall lets through, protecting all the users downstream of the firewall.

The gateway is not meant to act alone, and is designed to be a part of a layered defense that includes intrusion detection and desktop antivirus software.

Officials in Rio Blanco didn't realize how big a problem they faced before they started scanning at the gateway.

"When we first hooked it up, we were most concerned with viruses getting into our network," Lani said. "What we quickly discovered, after reviewing the logs and report files, was we were getting a lot more malware and spyware trying to come in through http than really any other protocol."

That problem is critical because a wide array of agencies depend on the network and their computers. For example, Rio Blanco's hospital depends heavily on computers to transmit radiology reports and CAT scan information. A computer that's down could literally cause a life-and-death situation.

The same urgency applies for the county's 911 communications center.

"They're one of our agencies that we have to make sure that those workstations are stable and up and running and available 24/7," Lani said. "There's really very little room for error, and having a virus come in and wipe out your communications center is something no IT director wants to have to deal with."

Staff Writer Doug Beizer can be reached at dbeizer@1105govinfo.com.
