Real-time scanning keeps malicious code at bay
- By Doug Beizer
- Mar 24, 2007
Keeping an organization's computers and networks running is a tough job for any information technology director. In Rio Blanco County, a remote western Colorado community, the land's vastness makes that task even more complex.
The county's municipal area network provides voice and data services to about 800 users, in 26 agencies and at 13 locations. The network serves institutions that range from town governments to area hospitals.
With so many groups depending on the network, it is critical that viruses, malware and other attacks are kept in check.
"After we implemented the municipal area network we were very concerned and saw the need for a hardware appliance at the head of our network to do antivirus and spam filtering," said Michael Lani, the county's IT director.
Even with antivirus software installed on every desktop computer, the IT department still saw a lot of malware and spyware floating around the network. The attacks were resulting in slow system performance and other problems, Lani said.
"So we decided what we needed was a multilayer defense system," Lani said.
That included a firewall, desktop virus protection and a final piece of defense, gateway antivirus and spam canning.
Rio Blanco officials picked a gateway scanning appliance from CP Secure Inc. of Cupertino, Calif. Instead of scanning traffic in the traditional batch-based way that has been done for years, CP uses a stream-scanning architecture. Batch-based scanning uses files as the basic unit for scanning. CP Secure's stream scanning further breaks that down, examining bits and bytes of data coming into a network, said Joshua Lin, director of marketing and business development for CP Secure.
"The results are we are able to use system resources in a very efficient manner," Lin said. "We also use a parallel processing architecture, so as the Internet stream comes in we're able to concurrently scan it and output it, which reduces the amount of latency because we are using system resources very efficiently."
The more traditional batch scanning came about in the mid-1990s when most attacks arrived in e-mail.
Gateway scanners in those days were designed to scan e-mail traffic. That worked well because e-mail isn't real-time traffic. E-mail could be paused at some point, scanned, and it would all happen fast enough that people wouldn't complain about e-mail taking a long time to arrive.
"But it is a whole different matter when you have malware that's attacking some Web traffic," Lin said. "If you're in an environment of a thousand or more users, people will start complaining about slow Internet connections, and long Web page load times. So when you're scanning http traffic, the problem becomes a latency issue."
CP executives said their appliance scans in real time, but that really means it's able to handle high throughput, with very low latency to the point where it's not noticeable to the end user.
Some techniques to make batch scanning faster can leave a network at risk, Lin said. Some do selective scanning, fast-tracking traffic that isn't likely to have malware. Others use reputation filters, which only scan traffic from Web sites deemed suspicious or malicious. Although that technique speeds things up, using it also means much Web traffic will never be scanned.
Also, using that technique is precarious because so much malware often is spread through Web traffic.
"We find that a lot of people tend to focus on threats they are aware of, so you may hear that spam is a big problem mainly because people deal with spam everyday in their inboxes," Lin said. "Other customers, like Rio Blanco, just knew that they were getting hit with viruses or malware, resulting in their IT help desk having to deal with problems at the desktop level."
In addition, dealing with those issues at the workstation level is
a reactive approach and very inefficient. Appliances such as CP Secure's stop those problems before they make their way to desktops, according to the company.
The appliance is an inline transparent bridge. Typically organizations deploy it behind the firewall to scan all the e-mail and Web traffic their firewall lets through, protecting all the users downstream of the firewall.
The gateway is not meant to act alone, and is designed to be a part of a layered defense that includes intrusion detection and desktop antivirus ware.
Officials in Rio Blanco didn't realize how big a problem they faced before they started scanning at the gateway.
"When we first hooked it up, we were most concerned with viruses getting into our network," Lani said. "What we quickly discovered, after reviewing the logs and report files, was we were getting a lot more malware and spyware trying to come in through http than really any other protocol."
That problem is critical because a wide array of agencies depend on the network and their computers. For example, Rio Blanco's hospital depends heavily on computers to transmit radiology reports and CAT scan information. A computer that's down could literally cause a life-and-death situation.
The same urgency applies for the county's 911 communications center.
"They're one of our agencies that we have to make sure that those workstations are stable and up and running and available 24/7," Lani said. "There's really very little room for error, and having a virus come in and wipe out your communications center is something no IT director wants to have to deal with."Staff Writer Doug Beizer can be reached at firstname.lastname@example.org.
Doug Beizer is a staff writer for Washington Technology.