Monday, November 16, 2009

Best way to stop malware from spreading in a large secure network

Question: What's the best way to stop malware from spreading in a large secure network with no internet connectivity and a multi-platform environment?

Even though the secure environment has no internet access and is in a controlled environment, external USB devices have been added to the network and viruses have been introduced. I'm trying to think of the best ways to stop such external threats being added to a secure closed network. I've got a few ideas bouncing around my head, as I believe antivirus software should be deployed on the workstations in case additional methods of malware introduction are available other than USB. The USB ports could be disabled on all workstations and then the external devices could be scanned before adding to the network. But I'm sure there could be other ideas, so can someone offer some suggestions?

Answer: There are multiple approaches, but “the” best way will depend on the mix of your devices in your multi-platform environment (if you still have NT4s and ancient Slackware Linux copies, the solutions you are looking at will be different) and your network status. If there is no internet connectivity, naturally you should focus more on entry points (intranets, USB, CD, Floppy, Bluetooth, IR, Wi-Fi).

If you want to classify approaches, your solutions can be at three levels: host based, network based and hybrid.

1- Host Based:

a. Use a comprehensive “endpoint security” solution that will have:

i. Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)

ii. Encryption (file, disk, mail), key/cert management

iii. Firewall

iv. IPS

v. Antivirus (http and SMTP)

vi. Antispam, Phishing, Malware control (http, SMTP, SMS)

vii. URL filtering

viii. Application control

ix. File integrity Monitoring

x. Remote device management (in a secure manner :)

xi. Biometrics/TPM/SSO/802.1x support

b. Lock down the environment. Do not allow end users to modify any system settings (e.g. use group policies in a Windows environment, Security Blanket on Linux, etc.).

c. Use point solutions; start with port control, anti-malware, AV, IPS, firewall. Monitor system resource utilization; you may kill endpoints with multiple clients.

d. Get physical; super glue all USB ports, remove the CD Drives, break IR sensors, turn off the radios.

e. For old unsupported platforms, deploy file integrity monitoring on critical areas (e.g. Tripwire).

f. Use a big brother monitoring tool like Raytheon Oakley’s SureView (check with legal first : )

2- Network Based:

a. Use IPS on the network. IPS will alert you to suspicious traffic so that you can take action faster. If the network traffic is encrypted, IPS will not be very helpful. You may consider decrypting traffic, but that solution is a topic for another post.

b. Use anomaly detection tools. I really like using these tools; they are my favorite malware detection solutions. They can either sniff traffic over taps or get flow data. Good solutions are Q1 Labs, Mazu (now Riverbed Cascade), but any NetFlow tool will help.

c. Segment your network with firewalls.

d. Do not allow all protocols (who needs IPX, NetBEUI, AppleTalk, SNA anyway : )

e. Use ACLs on network devices. Only allow known ports; lock down the network with SRC/DST/APP-based access rules.

f. Monitor airspace. Make sure that nothing flies out or comes in via Wi-Fi/Bluetooth et al. I can recommend several tools.

3- Hybrid

a. Use Network Access Control (NAC). You can have all the security in the world until the cable guy plugs in his laptop to the Ethernet port in the cafeteria.

b. Use an agent-less scanning tool. Compare all hosts and applications against your approved gold copies. Monitor for malware constantly from remote. My favorite is Promisec, but you can even use Microsoft SMS.

c. Never forget the phones; smartphones and VoIP phones are the new hosts for virulent outbreaks/pandemics.

If you have a specific question please let me know.

Regards,

- Yinal Ozkan
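As an added illustration of the flow-based anomaly detection the answer recommends under 2.b (this is example code, not from the original post or from any vendor's product): a minimal fan-out detector that compares how many distinct peers each host talks to in the current window against a learned baseline and flags worm-like propagation. The flow records, hosts and thresholds below are constructed for the example; a real deployment would feed it NetFlow exports from a collector or a tap.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed subset of NetFlow fields)."""
    src: str
    dst: str
    dport: int


# Constructed baseline window: workstations talk only to the file and print servers.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 445), Flow("10.0.1.10", "10.0.0.6", 9100),
    Flow("10.0.1.11", "10.0.0.5", 445), Flow("10.0.1.11", "10.0.0.6", 9100),
    Flow("10.0.1.12", "10.0.0.5", 445),
]

# Constructed current window: 10.0.1.11 suddenly contacts ten peer workstations on 445,
# the fan-out pattern an SMB worm introduced over USB would produce on a closed network.
CURRENT_FLOWS = BASELINE_FLOWS + [
    Flow("10.0.1.11", f"10.0.1.{n}", 445) for n in range(20, 30)
]


def fanout(flows):
    """Number of distinct (destination, port) pairs each source host contacted."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
    return {src: len(pairs) for src, pairs in peers.items()}


def flag_spreaders(flows, baseline, factor=3.0, min_peers=5):
    """Alert on hosts whose fan-out grew past factor * baseline (and at least
    min_peers distinct peers), reporting the dominant destination port so the
    analyst can tell a scan of one service from ordinary chatter."""
    ports = defaultdict(Counter)
    for f in flows:
        ports[f.src][f.dport] += 1
    alerts = {}
    for src, count in fanout(flows).items():
        base = baseline.get(src, 0)  # a host never seen before has baseline 0
        if count >= min_peers and count > factor * base:
            alerts[src] = {"baseline": base, "current": count,
                           "top_port": ports[src].most_common(1)[0][0]}
    return alerts
```

Tune `factor` and `min_peers` per segment: servers legitimately have high fan-out, so learn their baseline separately rather than applying workstation thresholds to them.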