Network Edge

By far the most unstable, vulnerable and insecure portion of any network today is the loose agglomeration of systems that hang off the edge of the Internet.

The millions of desktop PCs and servers that connect to the Internet and corporate data networks are susceptible to a long - and constantly growing - list of hacks, attacks, probes, worms, viruses, packet floods, outages, data sniffers, rogue employees and unreliable software. Security technologies and practices continue to evolve to minimize these threats. But as more computers get connected to the Net, the chaos at the edge could become even worse.

"We see the edge - all the way out to remote end-points - as definitely the most vulnerable point of the network," said Matthew Kovar, a Yankee Group analyst. "That's the biggest problem out there, but it has been wildly ignored."

Just one point of proof: Last week's Nimda worm outbreak, considered the largest-scale attack on Windows machines ever, disabled countless thousands of computer systems in a matter of hours (see "Nasty Nimda Nicks the Net").

While Nimda is a serious problem, able to give unauthorized users full access to a company's servers, security experts said it's only a matter of time before some evil genius releases an even more powerful and destructive worm that steals, deletes or corrupts corporate data.

"A payload that actually goes after databases is completely possible. You could easily envision a virus that can zap an entire Oracle database," said Jim Reavis, chief marketing officer of Vigilant-e, a network vulnerability assessment software vendor.

This is particularly threatening to enterprise networks that have remote users who connect to the main office by modem or by tunneling in through a virtual private network. Often these PCs are not managed as part of a company's overall security policy. In some cases, malicious code is stopped at the perimeter, only to be introduced to the network by a remotely connected machine. Add up all the telecommuters and road warriors, and "you don't have one Internet connection in an organization - you have a thousand," Reavis said.

After the terrorist attacks on New York and Washington, D.C., some corporate security managers reviewed the state of their network security and decided to simply pull the plug on their remote access, Kovar said. They concluded that the security risk far outweighed the convenience of letting employees work from home.

But that's a short-term, head-in-the-sand approach, said Greg Smith, Check Point Software Technologies' director of product marketing. What's needed is a personal firewall for each remote user's PC that can be centrally managed - such as those that Check Point can provide.

"The way to roll out and manage personal firewalls is not how people envision today," Smith said. "They imagine that the end user installs and manages that firewall. But that has to be done at a corporate level."

If you really want to take down a network operationally, though, nothing beats a distributed denial-of-service attack. Such DDoS attacks are simple to execute and effective in temporarily putting a network out of service. Basically, they overwhelm a network with multiple megabits per second of bogus traffic. Edge networks are especially vulnerable to DDoS attacks, since they typically have lower-bandwidth connections than service provider networks.

The distributed and open nature of the Internet makes it tough to defend against DDoS attacks. "The Internet and its protocols were designed and built to be cooperative," said Stefan Savage, co-founder and chief scientist of Asta Networks, which makes an anti-DDoS system. "But if someone doesn't want to play by the rules, they can do a tremendous amount of damage." And so far, there's no great defense.