VigorPro 5510 UTM Firewall with Anti-Virus & Anti-Spam - Enterprise

£699 + VAT & Shipping
  • Anti-Virus, Anti-Intrusion & Anti-Spam
  • Deep Packet Inspection with DrayTek MSSI™
  • Load Balancing & Failover between WAN ports
  • Intrusion Detection & Prevention (Inline, Realtime)
  • DoS/DDoS Protection & Stateful Packet Inspection
  • VPN - Up to 200 concurrent tunnels
  • 3G (Cellular) USB modem connectivity for WAN backup
  • QoS (Quality of Service) Assurance
  • Parental Control/Categorical Web Site Filtering
  • Web Content Filtering
  • Five Gigabit Ethernet LAN ports

Overview

VigorPro 5510 Unified Security Firewall

The VigorPro Security Firewall featuring UTM (Unified Threat Management) protects from network threats at the point of entry. Combined with your own prudent personnel policy, the VigorPro enables you to provide far stronger protection and detection than with simpler firewalls. VPN facilities also make the VigorPro ideal for connecting remote offices and teleworkers.

The VigorPro also provides two WAN ports to allow you to have load balancing/bandwidth aggregation across two separate WAN feeds, or use the secondary WAN port as a backup on another feed in case your first Internet feed (e.g. broadband connection) fails. In summary, the VigorPro provides your network with far greater security, productivity and resilience.

In Depth

The VigorPro Security Firewall features UTM (Unified Threat Management), protecting against many types of network threat at the point of entry. In this document we explain some of the threats your network faces, and how the VigorPro helps defeat those threats.

Unified Threat Management

The online world is more extensive, useful and busy than ever, but with such ease of propagation, those with malicious intent have a far bigger ballpark with a greater variety and number of targets. A threat may not cause any damage, but is something you always want to avoid. There are various reasons why threats exist - some are deliberate, others not. All threats to your network or systems fall into one or more of the following six threat categories - these are the reasons for the threat existing (excluding circumstances where you deliberately stop or compromise your own network):

The Five Network Threats

 
  1. Malicious
  2. Mischievous
  3. Fraudulent
  4. Consequential
  5. Failure

Understanding each of the categories can be important in your network planning. Network border protection is just one aspect, and the one the VigorPro can help with (other protection includes physical security, such as door locks or alarms). The six categories can be described as follows:

Malicious

Intended to cause loss, embarrassment or inconvenience for spite or commercial advantage.

Mischievous

Intended to cause damage or inconvenience for notoriety, publicity, entertainment or to test/expose vulnerabilities.

Fraudulent

Intended to obtain either financial/commercial advantage or access to privileged information.

Consequential

Unintentional loss, effect, exposure or damage as a consequence of omission or other activity.

Failure

The failure or loss of a system or connection.

 

The VigorPro provides many different types of threat detection and protection, each protection method covering one or more of the attack types mentioned above. Later on, we'll give examples of how each VigorPro defence method protects against each category. Of course, border control is not the complete solution - any installation should be coupled with prudent staff/household policies to protect data and hardware physically too but the Vigor's extensive range of protection methods goes a great way in helping to protect your network, data and resources.

Stateful Packet Inspection

In a plain routed connection, data passes freely from source to destination, across as many 'hops' as is required. As most Internet protocols are reciprocal (or connection-oriented), reply packets are sent, either as acknowledgement that the data was received, or as a response requested in the originating packet. With a typical LAN, your PCs will not want to be left open to the outside world; an unsolicited and potentially harmful packet arriving at the WAN interface of your router should be blocked (discarded).

Note: If you are running a public service on a computer on your network, then you must allow unsolicited public access, but only on appropriate ports/services. For SPI here, we're referring only to PCs which are not intending to host public services.

In order to allow LAN users to access the Internet and get replies to page requests (for example), the firewall needs to distinguish between solicited (requested) replies from the outside world, which it forwards back through to the LAN client, and incoming data which was not requested.
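The distinction between solicited and unsolicited inbound packets can be shown with a small flow table. This is an added example, not DrayTek's implementation and not part of the original page; the addresses, ports and the 60-second idle timeout are constructed assumptions, and a real SPI engine also tracks TCP flags and sequence numbers.

```python
# Added illustration of stateful packet inspection; not DrayTek's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN to WAN, "in" = WAN to LAN


class StatefulFilter:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout  # seconds; hypothetical value
        self.flows = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> last seen

    def check(self, pkt, now):
        """Return 'forward' or 'drop' for one packet seen at time `now`."""
        # Forget flows that have been idle too long, so old openings close again.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if pkt.direction == "out":
            # Outbound traffic creates (or refreshes) the state entry.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "forward"
        # Inbound traffic must mirror an existing outbound flow exactly.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            self.flows[key] = now
            return "forward"
        return "drop"


def run_demo():
    """Replay a constructed trace and return the verdict for each packet."""
    fw = StatefulFilter(idle_timeout=60)
    lan, web, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    trace = [
        (0, Packet(lan, 50000, web, 80, "out")),   # LAN client requests a page
        (1, Packet(web, 80, lan, 50000, "in")),    # solicited reply
        (2, Packet(other, 80, lan, 50000, "in")),  # unsolicited: unknown host
        (3, Packet(web, 8080, lan, 50000, "in")),  # unsolicited: wrong port
        (200, Packet(web, 80, lan, 50000, "in")),  # reply after state expired
    ]
    return [fw.check(p, t) for t, p in trace]


if __name__ == "__main__":
    print(run_demo())
```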

Deep Packet Inspection

Worms and viruses are typically contained within emails as attachments but attachments are normally encoded in several different protocol layers for transport; each layer serves a specific purpose. Examining the data stream is not sufficient to detect hostile content as it would not be recognisable; each encoding method changes the appearance of the data. The VigorPro's deep packet inspection technology breaks down the protocol layers beyond ISO Layer 4, up to Layer 7 (application). A standard firewall doesn't examine beyond layer 3/4. Decoding each encapsulation or encoding layer reveals the next until eventually you have the raw data.

In a data stream there is firstly the transport layer itself; the TCP/IP packets which consist of a header and, typically, a payload. At this layer (layer 3 & 4, according to convention), the VigorPro's DoS (Denial of Service) Protection examines and verifies the headers for any suspicious signatures or patterns, and stateful packet inspection and IP filtering will stop unauthorised packets but in order to detect malicious content, the Payload must be examined.

Only once the data stream has been decoded all the way down is the raw binary data visible, and any trojan or malicious code recognisable. In the case of email for example, a virus/trojan might firstly be contained in a ZIP (compressed) format, then UUEncoded for 7-bit transport, then MIME encoded for email attachment, then transferred using the POP3 protocol. The example of an email containing a malicious attachment in a ZIP file is illustrated in the diagram below:

 

 

Deep Packet Inspection - VigorPro

The VigorPro will decode each of these sequential methods in real time using DrayTek's patent-pending MSSI™ - Multi-Stack Stateful Inspection. With MSSI™, separate protocol stacks take care of each layer which allows for varied protocols and cross-packet inspection (where content is fragmented in transit). Most importantly, MSSI scans data inline in real time - there is no proxy and no file size limitation and thanks to the dedicated CICP (Content Inspection Co-Processor), active scanning adds no processing overhead to the VigorPro's main CPU.

In the above example, the trojan (or other malicious code) was contained in an email, but the VigorPro will also scan other common methods of transfer including HTTP, FTP, SMTP and IMAP and if you are using the VigorPro to create VPN connections too, the scanning engine will scan within the VPN tunnels as well as regular Internet traffic.
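The layer-by-layer decoding described above, as an added example (not DrayTek's MSSI™ code and not from the original page). It narrows the page's ZIP/UUEncode/MIME/POP3 chain to MIME base64 plus ZIP; the marker string, addresses and file names are constructed, and the marker is a harmless stand-in for a signature.

```python
# Added illustration: a signature is invisible until each encoding layer is undone.
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"  # harmless, constructed stand-in


def build_sample_message():
    """Build a constructed email whose ZIP attachment contains MARKER."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", b"padding " * 20 + MARKER)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def peel_layers(raw):
    """Yield (layer description, bytes) for each decoding step, outermost first."""
    yield "raw message bytes", raw
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        body = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        yield f"MIME part {part.get_content_type()}", body
        if zipfile.is_zipfile(io.BytesIO(body)):
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                for name in zf.namelist():
                    yield f"ZIP member {name}", zf.read(name)  # undoes deflate


def scan(raw, signature=MARKER):
    """Return [(layer, signature_found)] for every layer of the message."""
    return [(layer, signature in data) for layer, data in peel_layers(raw)]


if __name__ == "__main__":
    for layer, found in scan(build_sample_message()):
        print(f"{layer:35} signature visible: {found}")
```

Scanning only the outer layers reports nothing; the marker becomes matchable only in the decompressed ZIP member.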

The diagram on the right shows how cross packet inspection allows the VigorPro to detect content even when it is broken up or interrupted by packet borders. The VigorPro's Deep Packet Inspection can defend against Network Threat Categories 1 to 5.

VigorPro Cross Packet Inspection
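Why per-packet matching misses content split across packet borders, and how carrying a short tail between segments fixes it, as an added example (a generic streaming matcher, not DrayTek's engine and not from the original page). The signature and segment contents are constructed, and segments are assumed to arrive in order.

```python
# Added illustration of cross-packet signature matching on an in-order stream.
SIG = b"CONSTRUCTED-SIG"  # harmless, constructed signature
SEGMENTS = [              # constructed stream; SIG straddles three segments
    b"HTTP/1.1 200 OK\r\n\r\nAAAACONSTR",
    b"UCTED",
    b"-SIGBBBB",
]


def per_packet_scan(segments, signatures):
    """Naive approach: inspect each segment in isolation."""
    return [(n, sig) for n, seg in enumerate(segments)
            for sig in signatures if sig in seg]


class StreamScanner:
    """Match signatures across segment borders by keeping a short tail."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        # Longest possible partial match that could be completed later.
        self.keep = max(len(s) for s in self.signatures) - 1
        self.tail = b""
        self.offset = 0  # stream offset of tail[0]

    def feed(self, segment):
        """Return [(stream_offset, signature)] completed by this segment."""
        window = self.tail + segment
        hits = []
        for sig in self.signatures:
            i = window.find(sig)
            while i != -1:
                # Report only matches that end inside the new segment, so a
                # short signature lying wholly in the tail is not repeated.
                if i + len(sig) > len(self.tail):
                    hits.append((self.offset + i, sig))
                i = window.find(sig, i + 1)
        cut = max(0, len(window) - self.keep)
        self.offset += cut
        self.tail = window[cut:]
        return sorted(hits)


def stream_scan(segments, signatures):
    scanner = StreamScanner(signatures)
    return [hit for seg in segments for hit in scanner.feed(seg)]


if __name__ == "__main__":
    print("per-packet:", per_packet_scan(SEGMENTS, [SIG]))
    print("cross-packet:", stream_scan(SEGMENTS, [SIG]))
```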

Anti-Virus / Anti-Trojan

Using the above methods, the VigorPro scans connections for any virus or trojan signatures. On detecting a virus, the VigorPro will destroy it; if the virus is in an email (IMAP/POP3/SMTP) that email is destroyed. If the virus is in a downloaded file (FTP/HTTP) then that file is destroyed. The VigorPro's response can be recorded via syslog. Instead of destroying the virus, the current connection can be reset, or even no action taken (other than logging), depending on your own preference. Where an email file attachment has been removed or destroyed, it is replaced with a harmless dummy file so that it is clear that something has been removed.

The VigorPro stores the current library of known threats. This is updated automatically by the VigorPro whenever a new signature library is available in order that your VigorPro is kept up to date. When you purchase the VigorPro, it includes 12 months of Anti-virus/Anti-Intrusion updates from DrayTek Labs (D-SWAT Team). As an option, you can select the Kaspersky Labs virus signature file as an alternative at additional cost.

Anti-Spam

Spam (unsolicited bulk email) is one of the most serious threats to email productivity and also Internet bandwidth usage. It is estimated that a staggering 90 billion spam emails are sent every day and that over 80% of all email sent across the Internet is Spam. You can't stop it being sent so intercepting or identifying it before it reaches your PC at least reduces your wasted time, processing and annoyance.

The VigorPro uses a method called RPD (Recurrent Pattern Detection) for identifying Spam. RPD uses a signatureless method based on the spam's unique distribution patterns. This provides the ability to identify spam from zero-day distribution - i.e. before it has been widely distributed and recognised by specific content. This method also improves performance as it is not necessary for the whole message to be examined by a remote server. A VigorPro 5510 operating RPD anti-spam can process up to 180 emails simultaneously and process a single email in 200 milliseconds. By detecting spam at your network borders, the impact on local network bandwidth is reduced as well as the processing overhead on local resources (mail servers and clients etc.).

When the VigorPro determines that a message is likely to be spam or bulk email, the message headers (subject field) will be modified with a message string of your choice so that your email software or server can re-route or destroy the message as required.

DoS & DDoS Attack Protection

Denial of Service (DoS) attacks generally and most commonly occur at Layer 3/4 - the TCP/IP protocol layer. Such attacks are intended to block, disrupt or slow a network's Internet access by either confusing or overwhelming the router with data patterns known to confuse some network devices. These attacks most often use deliberately corrupted packet headers.

A Distributed DoS attack (DDoS) is a DoS which is launched from several (even thousands of) different locations at the same target simultaneously. Normally the owner of the DDoS launch site will be an unwitting party, having had their network infected with the DDoS code through a trojan, for example.

The VigorPro protects against DoS attacks firstly by having a robust TCP/IP stack (code which is designed not to be confused or act illogically when it meets anomalous packet headers), secondly by recognising common DoS attack types by their telltale pattern signatures and thirdly, by helping to stop your own network being used as a DDoS launchpad by preventing infection from a DDoS trojan. DoS attacks generally fall into Network Threat Categories 1, 2 & 3.

Intrusion Detection

Whereas a trojan virus is malicious code which is transferred in latent form within an otherwise innocent email or file awaiting execution (triggering) once delivered, other exploit types are carried on their own self-instigated transport stream. These non-trojan types of exploit typically rely on flaws within operating systems, web protocols or Internet-facing servers (for example the 'CodeRed' exploit). They can also be code accidentally downloaded when visiting an infectious web site where the user allows the download of malicious code without realising. The VigorPro, using MSSI™, will decode HTTP streams in real time to detect the signatures of any known exploits. The VigorPro's intrusion library has several categories of Exploit/Intrusion including:

  • General Intrusion Exploits

  • ICMP

  • I-Worm

  • IRC-Inject/Infect

  • Malware

  • BO/RPC/Scan

  • SQL-Inject

  • Tunnel

  • DDoS/DoS

  • Web-CGI Exploit

  • Web-Client

  • Web-IIS/PHP

Such exploits can fall into any of Network Threat Categories 1 to 5, however these are just common examples. There are many other network intrusions which can occur and the VigorPro's library is constantly being updated.

Intrusion Prevention System (IPS)

IDS (Intrusion Detection System) is a method of detecting intrusions and alerting the system administrator; typically the detection is carried out by a 'sniffing' device or proxy method. DrayTek's IPS uses inline-IDS which means that as well as alerting the system administrator, the suspicious content is blocked by the VigorPro (by resetting the connection or dropping the packets).

Employee Internet Abuse - The Enemy Within

Internet Abuse - the unacceptable/unauthorised use of the Internet for non-work related matters during work hours - is an insidious problem which eats away at your company's effectiveness, harming your competitive edge and costing you money. Internet abuse is all too often overlooked by companies, and dismissed by the staff involved as insignificant. A little leeway and occasional use might be acceptable or tolerated, but there are some staff who will spend hours per week using the Internet instead of working. As well as the company time they waste, their usage can also impact on other people's legitimate usage, by creating unnecessary traffic on your Internet feeds. There is also the risk of exposing your company to embarrassment or litigation if a staff member uses access for any unlawful or immoral purpose (pornography, file sharing etc.). The problem of corporate espionage can also be exacerbated by weak AUPs or lack of enforcement (Network Threat 5).

Sometimes the problem exists because companies have not laid down AUPs (Acceptable Use Policies) for staff Internet Usage, but even where such policies exist, a minority of staff will still seek to abuse their employer's trust. Stealing company time can be as serious as stealing company property. Staff, or even household members who abuse Internet access are not only betraying their employer, but their colleagues too. This isn't the occasional checking of personal email, but sometimes hours upon hours of personal web surfing.

Whilst this might paint a picture that 'all' employees are betraying their employer's trust, thankfully it is only a small minority, but a small minority making serious abuses of company Internet access - perhaps hundreds of hours per year spent on personal Internet usage during work time - will affect the effectiveness of the whole team - cheating employers and hard-working colleagues alike. Of course, abuse of company resources isn't new - telephones and postage, for example, have been abused for years, but the Internet eats almost invisibly into your company's most valuable resource - people's time. Internet abuse can damage a company normally for one or more of the following reasons:

  • Waste of Employee Time - If an employee is chatting in an instant messaging (IM) system, they are not doing their job. IM in particular has shown to be addictive and a real threat to employee effectiveness.
  • Risk to Data - Uncontrolled or unauthorised installed software, for example Peer-to-Peer software, may have file sharing facilities or remote control which risk company data - risks which even the user may not be aware of.

  • Risk to Security - The more exposure personnel have to unauthorised systems, external networks or proprietary software the greater the risk of exposure to uncontrolled network infections or trojans.
  • Staff Relations - Whilst colleagues may be aware of someone's Internet abuse, they may be unwilling to report it, but might become resentful of the lack of team contribution from that person. This is bad for morale and will affect team effectiveness.

  • Exposure to Litigation or Criminal Investigation - If a staff member conducts any illegal or immoral activity using company resources, this could lead to investigation into the company, even implicating the company. If a member of staff conducts any personal business affairs using company resources, this could also reflect on the company.

Some of the blocking methods can also be switched on and off according to time schedules, for example allowing access to employee's private email web sites during lunch times. The example screenshots to the right give an example of how easy it is to block content which is unacceptable to your company, for example instant messaging, file-swapping software or web sites. This can be specific web sites, for example, or categories of web sites (managed by the Surfcontrol™ database). IP filtering is also available to set up manual filters at the IP layer, for the more advanced sysadmin.

VigorPro100 Content Filtering

The VigorPro has several functions relating to Internet facility blocking. You can combine these to make a system which corresponds with your own staff access policies or AUP and help protect your company resources (typically Threat Categories 3 & 5):

  • IM (Instant Messaging) Blocking. For example MSN, Yahoo or AOL Instant Messenger services
  • Peer-to-Peer software blocking. For example Kazaa, BitTorrent etc.
  • ActiveX/Java Applet Download blocking.
  • URL Web Content filtering. Allow or block specific web URLs. Whitelist or Blacklist.
  • Block 'browse by IP' - force all web access by URL/DNS lookup.
  • Content Filtering / Parental Control. Block sites by category type.
  • Syslog reporting of Web sites visited. Keep track of your users' access.
  • Block File download by file type (executable, compressed, multimedia)
  • Enable/Disable Web access by time schedule to block out of hours or inappropriate time usage.

Quality of Service (QoS) Assurance

Any Internet connection has finite bandwidth available and in an Enterprise/Corporate environment, different data will have different priorities. Company email, for example, might be most important, whereas general web browsing might be less important. The VigorPro's QoS management facilities allow you to select priority for different traffic types. The rules can be based on protocol, destination, source and various other factors. With QoS enabled, mission critical data will always be given the specified percentage or fixed amount of your available bandwidth. When the high priority applications don't need it, the bandwidth is made available for all other users. QoS helps against network threat No.4 - consequential problems of Internet use, in this case, delayed data due to sharing bandwidth with non-essential or low priority traffic.

WAN Failover & Load Balancing

The VigorPro 5510 has two WAN ports. These Ethernet ports are your connection to the outside world, via any Ethernet based Internet feed, for example a cable modem, ADSL modem or any other Ethernet based connection. In the simplest environment, you will have just one Internet connection in to the first WAN port.

  • Single WAN Interface (WAN2 disabled)
  • Load Balanced (WAN1/WAN2 enabled)
  • Failover (WAN2 inactive except when WAN1 fails)
  • BoD (WAN2 inactive until WAN1 exceeds threshold)

If you have multiple Internet feeds, you can connect both of them to the VigorPro to provide greater total bandwidth by using both at once; this uses load balancing to distribute the traffic evenly across both feeds, or you can set an uneven ratio. With failover backup, the secondary connection is normally inactive but is used automatically in the event of the primary connection failing. Bandwidth-on-Demand (BoD) is where the second WAN interface is used whenever the first WAN interface exceeds preset throughput thresholds. This flexible dual-WAN facility provides redundancy and fault tolerance to your mission-critical network (Threat category 5).

3G Modem WAN Failover

As well as the two Ethernet WAN ports, the VigorPro 5510 can connect to a 3G USB modem or suitable cellphone to provide additional wireless backup using the new 3G data networks (Vodafone, T-Mobile, Orange, 3 etc.).

 
Copyright © 2011 sircles.net computer systems limited,
all rights reserved.
Company Registration Number 05561848 VAT No. GB 875 9722 65