From the Experts
From the Security Experts
June 04, 2009
Network Based Security is in Our Future
Chief Executive Officer, Nominum
Last month I wrote about the Conficker worm and made the point that it does not really matter what the Conficker worm ultimately ends up doing, the visibility surrounding its April 1 awakening raised concerns around the world and users took matters into their own hands. There were publicized statistics about the increase in downloads of expensive, fake, anti-virus software and other reports of highly trained IT staff that simply took their networks offline, clearly supporting the case that perceptions are just as important as reality.
Another important lesson that can be learned from recent experience is that it simply isn’t fair or realistic to expect that Internet users take complete responsibility for securing their Internet access. Securing a laptop (or phone, netbook, Internet aware TV…) is simply not that easy anymore. And this month I’d like to shift the discussion to how we can improve security protections on the Internet and ease the burden on the average user.
Internet security to date has primarily been focused on securing the devices that are used to access the Internet with specialized software. Vendors of end point solutions have delivered products as threats have evolved and we now have software that strives to protect users against viruses, worms, phishing, spyware, adware, and more.
Still, threats continually become not only more numerous, more diverse, and more sophisticated. Security software that requires users to constantly accept updates (separately for each kind of threat), or worse go online to download the latest updates, isn’t much of a solution. Even knowledgeable and diligent users who update their software regularly will sometimes lapse — and many users lack security software altogether or update intermittently. Moreover, some known threats trick users into downloading malicious software by masking it as security updates.
According to a report issued by Cyveillance earlier this year, browser-based security solutions detect on average only 37 percent of malware and 42 percent of phishing attacks. This situation is not likely to improve because updating hundreds of millions (soon to be billions) of individual devices is extraordinarily hard, especially when threats change constantly.
It’s time to consider alternatives. We all know the old adage ‘fighting fire with fire,’ and it fits the enduring Internet desktop security situation perfectly. Threats to all end point services are delivered over the network —so why not use the network to fight them? Service providers are extremely well positioned to offer network-based security protections because their networks contain the DNS servers that subscribers access for every Internet transaction. By leveraging the network ISPs demonstrate their commitment to providing a safe and secure Internet experience for subscribers. By leveraging the network they can also better address the increasing sophistication, scale, and constantly changing nature of today’s threats.
Moving security protections into the DNS and into the network has the obvious benefit of alleviating the end user burden to manage and constantly update multiple desktop security applications. But a more important benefit is that network-based protections can move security from a reactive model, where desktop software is activated after a user becomes infected, to a proactive model, where the user never gets infected in the first place because they are prevented from accessing malicious web sites. This is an extraordinary development and something that many ISPs are already exploring.
DNS and network-based security becomes even more attractive when you consider that any application: browsing, email, instant messaging, VoIP calls and more can be protected. Better still, security processing can be offloaded from subscriber devices, which is crucial for mobile devices where processor, memory, and battery resources are precious. Not sending continuous updates to mobile devices also saves valuable wireless bandwidth. Robust security software is not even available for most mobile devices, or many other IP enabled devices, so network-based protections can fill the void. Solutions that leverage the network are easy to activate, the user does not have to download and configure (and reconfigure) any software, which will drive higher adoption rates.
This new approach defeats another trick attacker’s use: constantly changing the IP addresses of their servers to evade detection. A network-based security solution can easily subvert this trick and take away a key advantage attacker need to succeed. Distributing constantly changing threat data to every device that accesses the Internet is hard, but distributing the same data to a relatively small number of enforcement points in a service provider’s network is very simple, and updates can be applied instantly so the attacker’s time window is dramatically reduced.
There are many other advantages to moving security protections into the network but it’s time to answer an important question. What is it going to take to make this a reality? A very strong case can be made that the DNS is the leading candidate to deliver these leading security capabilities and next month I’ll make that case. Then we can start down the path of delivering a Trusted Internet Experience that turns the Internet into what we really want it to be.