Security: How Much is Too Much? Security Experts Help Clear the Air

Yesterday, WatchGuard and Trend Micro each announced new or updated products. WatchGuard released Gateway AntiVirus for E-mail for its Firebox X line of security appliances. The signature-based scanner, combined with WatchGuard’s existing deep application inspection, is designed to provide comprehensive protection against e-mail-borne threats at an affordable cost. The deep application inspection layer is meant to cover the zero-day gap, blocking new threats and variants until signatures become available.
Trend Micro announced the expansion of its Network VirusWall line of outbreak prevention appliances with the Network VirusWall 2500 and 300. The new models are designed to give customers more flexibility in enforcing network security policies, across global, distributed enterprise environments or on single, mission-critical devices, to help stop the damaging effects of network worms.
But I wondered: with so many security solutions available, does a business even need yet another tool like this when many businesses (sadly, not all) already run anti-virus software and a firewall (some of them freely available) on their computers?

Mark Stevens, chief strategy officer at WatchGuard, and Bob Hansmann, senior product marketing manager at Trend Micro, give their insight.
1. Why do businesses need a Gateway Anti-Virus service if they already have an anti-virus product installed on their computers and, often, a free firewall tool or the one built into Windows XP?

[WatchGuard] WatchGuard’s Gateway Antivirus for E-mail provides zero-day protection against unknown threats as well as signature-based detection of known threats. Desktop- and server-based AV typically doesn’t include this capability. Commercial AV services use several AV vendors simultaneously to protect their customers, as response times vary between vendors on an attack-by-attack basis. Having WatchGuard’s Gateway AV will provide a different response profile to your desktop software, improving your chances of detecting and blocking threats as they emerge. Desktop AV is often not properly and routinely updated. Gateway AV provides protection to those machines which may be vulnerable from time to time. Just like no one relies totally on a desktop firewall, Gateway AV adds that layer of security to your network.
[TrendMicro] Network VirusWall is not just antivirus in a box, but a device specifically designed to address network worms, which have eluded these traditional solutions. It fills a security hole missed by current solutions.
It has been four years since the first network worms, Code Red and Nimda, came on the scene. Yet, despite the heavy use of antivirus, firewalls, and even intrusion detection/prevention solutions (IPS), recent network worms continue to wreak havoc and cripple networks. The ineffectiveness of these solutions can be attributed to several factors. 1) The unique nature of the network worm threat. Unlike traditional viruses, which travel as files or attachments, network worms are not dependent on any unique protocols and can travel as a single IP packet on the network. Traditional antivirus solutions do not scan at the packet level. 2) A lack of a “network worm” focus. Firewall and IPS offerings are targeted at ‘hackers’, not viruses. Despite their ability to catch a few of the more publicized viruses, they do not address all of the threats businesses face. 3) A lack of coordinated effort between the solutions. During any specific outbreak the antivirus may receive some updates to deal with certain aspects of the virus, but the firewall and IPS offerings may require manual configuration changes by the administrator… or their updates may come separately, days later. Even when all of these multiple security technologies are updated, their combined effectiveness is minimal because each solution ‘assumes’ that another solution will cover certain aspects of the attack, which, in the end, results in a few attack vectors being left open and vulnerable.
IMPORTANT NOTE: Trend Micro Network VirusWall is not a ‘software antivirus solution in a box’, which is most common in today’s market. It does not duplicate the security efforts going on elsewhere. It was specifically designed to deal with a specific kind of network threat that could not be addressed anywhere else, by applying firewall, intrusion prevention, and antivirus technologies to this new problem. This design is one of the results of the overall Enterprise Protection Strategy, which espouses the philosophy that the security solutions throughout the servers, clients, gateways, messaging systems, and even the network of the organization must work together… doing different things at different points within the infrastructure to effectively mitigate threats. This is the only way to provide the balance between “protection” and “productivity” that our customers require.
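The distinction Hansmann draws in point 1 above (a worm arriving as a bare HTTP request inside a single TCP segment, which a file-oriented scanner never sees as a "file") is easier to grasp with a concrete packet-level check. The following is an added example, not WatchGuard's or Trend Micro's code: it parses a raw IPv4/TCP packet, honouring the IP header length and TCP data offset so header options cannot hide the payload, and matches the payload against a tiny signature table. The packets are constructed inline for the example; the two request strings follow the widely published Code Red (`/default.ida?`) and Nimda (`/scripts/root.exe`) probe patterns, and the signature table itself is illustrative, not a vendor feed.

```python
"""Packet-level worm signature check (added example, constructed data)."""
import struct
from typing import Optional

# Illustrative signature table: worm name -> byte pattern expected in the TCP
# payload. Based on the public Code Red and Nimda probe strings; a real engine
# would use a vendor-maintained feed with many more and stricter patterns.
WORM_SIGNATURES = {
    "CodeRed": b"/default.ida?",
    "Nimda": b"/scripts/root.exe",
}


def tcp_payload(packet: bytes) -> Optional[bytes]:
    """Return the TCP payload of a raw IPv4 packet, or None if the packet is
    not IPv4/TCP or is truncated. IHL and the TCP data offset are honoured so
    that IP or TCP options cannot push the payload out of the scanned window."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:          # only IPv4 handled here
        return None
    ihl = (version_ihl & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    protocol = packet[9]
    if protocol != 6 or ihl < 20 or total_length > len(packet):
        return None                    # not TCP, bad IHL, or truncated capture
    tcp = packet[ihl:total_length]
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return None
    return tcp[data_offset:]


def match_worm(packet: bytes) -> Optional[str]:
    """Name of the first matching worm signature in the packet, else None."""
    payload = tcp_payload(packet)
    if not payload:
        return None
    for name, signature in WORM_SIGNATURES.items():
        if signature in payload:
            return name
    return None


def build_packet(payload: bytes, options: bytes = b"", dst_port: int = 80) -> bytes:
    """Constructed IPv4/TCP frame for testing (checksums left zero; that is
    enough for the parser above, which does not verify them)."""
    options += b"\x01" * (-len(options) % 4)        # pad TCP options with NOPs
    tcp_len = 20 + len(options)
    total_len = 20 + tcp_len + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]),
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40000, dst_port, 1, 0, (tcp_len // 4) << 4, 0x18, 65535, 0, 0,
    )
    return ip_header + tcp_header + options + payload


# Constructed sample requests: the first two imitate the public worm probes,
# the third is an ordinary page fetch.
CODE_RED_REQUEST = (
    b"GET /default.ida?" + b"N" * 224
    + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n"
)
NIMDA_REQUEST = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, request in [("Code Red", CODE_RED_REQUEST),
                           ("Nimda", NIMDA_REQUEST),
                           ("benign", BENIGN_REQUEST)]:
        print(f"{label:9s} -> {match_worm(build_packet(request))}")
```

The point of the `options` parameter is the edge case a naive "skip 40 bytes" scanner gets wrong: a segment carrying TCP options still matches because the parser reads the data offset instead of assuming a 20-byte header. Conversely, a file-oriented scanner never gets a chance here at all, because nothing in this exchange is an attachment to reassemble.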
2. To enhance security should businesses change their browsers from Microsoft IE to Firefox?

[WatchGuard] Businesses should balance manageability, functionality and cost against security. Firefox is perceived as more secure primarily because it is less exploited. This may not remain true. WatchGuard’s Deep Application Inspection protects browser users against exploits by blocking malicious file types and looking for protocol anomalies.
[TrendMicro] It could help, but must be weighed against any business impact of the functionality lost by abandoning the browser most web sites are designed for. The safest thing to use is an obscure piece of software with just the basics… like a text-only email system. Therefore, one aspect of protecting yourself could involve using products that are less popular and less functional. As long as they meet your needs, this is a very viable tactic and should be considered as part of your overall security strategy.
Note: Microsoft products are not being attacked by virus writers because they are the most ‘vulnerable’. They are being attacked because they are the most popular and have a great many capacities that can be used for both productive purposes… and by viruses. My own “Bob’s Law” says: Popularity + Functionality = Vulnerability. When Apple was king, most of the viruses were designed to attack Macintosh systems. If Firefox gains significant market acceptance, it will come under attack next.
3. Since most viruses come via email, and phishing is also a security threat, is security enhanced by simply blocking email and using a “challenge response” system?
[WatchGuard] Challenge and response can help prevent spam by asking the sender to confirm they actually sent the email in question. It doesn’t stop bad content getting to the system, though.
[TrendMicro] “Challenge Response” has a lot of “pros” and “cons”. For most of our customers, the daily effort required by the end user to use such a system would be prohibitive.
4. There are so many security layers a business can add, at times to the point of being technologically restrictive. What is some basic security every business should have and what is some they do not really need?
[WatchGuard] It really depends on the value of what they are trying to protect. If you only have low-value assets and no public-facing servers, desktop AV and stateful packet filtering may be adequate. If you have public servers and higher asset values, then application inspection firewalls and Gateway AV become increasingly important. Larger networks may want to add IPS and more remote access technologies such as IPsec or SSL VPN.
[TrendMicro] Antivirus use throughout the organization is critical. Firewalls at the gateway are a must, but should also be considered for clients, especially for mobile systems. And Anti-spyware solutions are becoming increasingly important. Intrusion Detection/Prevention devices are less valuable to smaller businesses, but may provide a reasonable ROI to larger organizations.