By Philip Brittan
Posted on ZDNet News: Dec 15, 2003 3:58:00 PM

COMMENTARY--Computer viruses, worms, and hacker Trojan Horses are arriving with more frequency and with ever greater destructive power. Current systems are doing little to stem the tide. Something has to change, and the answer may lie in "fencing in."

In my home state of Montana, the law of the land is "fence out." That means that it is incumbent upon any rancher to keep his neighbors’ livestock out of his fields--he is not responsible for keeping his own livestock in. This mechanism dates from the time when most of Montana was open range land, and the occasional farms were responsible for keeping that free-range livestock out of their fields. In this day, when all the land has been claimed and cut up into contiguous ranches, this "fence out" rule seems a little anachronistic, but it remains the rule.

Currently, malicious software, collectively known as "malware," is countered by "fence out" methodology. Every individual system attempts to fence malware out, leaving it free to run around the network looking for just one system that fails to fence it out so it can propagate. This fencing out strategy is failing--recent reports claim that a third of all spam is being sent from home PCs unwittingly being used as relays, and now viruses and Trojan Horses are starting to use the same techniques.

But what if we turned our strategy inside out? What if our primary defenses were focused on detecting infections, surrounding them, and preventing them from spreading? This strategy would allow us to take a more offensive posture in the war against malware. We are already seeing some "fence in" strategies starting to emerge.

At HP Labs in the UK, security experts noticed that a tell-tale sign of viruses was a large number of network connections being made by a single computer. They also noted that for standard business uses, computers extremely rarely need to make more than a few network connections at a time. So, by limiting the number of connections that any one computer can make, they were effectively able to slow down the ability of a piece of malware to spread, thus making it easier to detect and cut off from the network.
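One way to sketch the connection-limiting idea described above, as an added example (it is not HP Labs' code): connections to recently contacted destinations pass at once, new destinations are queued and released at a fixed rate, and a long queue raises an alarm. The working-set size, release rate, alarm threshold, and both traffic samples are assumptions constructed for illustration.

```python
from collections import deque

class ConnectionThrottle:
    """Per-machine limiter on connections to new destinations."""
    def __init__(self, working_set=5, per_tick=1, alarm_at=20):  # assumed values
        self.recent = deque(maxlen=working_set)  # destinations contacted lately
        self.pending = deque()                   # new destinations held back
        self.per_tick = per_tick                 # new destinations allowed per tick
        self.alarm_at = alarm_at                 # queue length treated as suspicious

    def request(self, dest):
        """True if the connection may proceed now, False if it is delayed."""
        if dest in self.recent:
            return True
        if dest not in self.pending:
            self.pending.append(dest)
        return False

    def tick(self):
        """Once per time unit: release up to per_tick queued destinations."""
        released = []
        while self.pending and len(released) < self.per_tick:
            dest = self.pending.popleft()
            self.recent.append(dest)
            released.append(dest)
        return released

    def alarmed(self):
        return len(self.pending) >= self.alarm_at

def run(traffic):
    """traffic: one list of destinations per tick.
    Returns (new destinations actually reached, tick of first alarm or None)."""
    throttle = ConnectionThrottle()
    reached, alarm_tick = 0, None
    for i, dests in enumerate(traffic):
        for d in dests:
            throttle.request(d)
        if alarm_tick is None and throttle.alarmed():
            alarm_tick = i
        reached += len(throttle.tick())
    return reached, alarm_tick

# Constructed traffic: a workstation reusing three servers, and an infected
# machine trying 50 fresh addresses per tick (1,000 in total).
NORMAL = [["mail", "intranet"], ["mail"], ["fileserver", "intranet"], ["mail"]] * 5
WORM = [[f"10.0.{t}.{h}" for h in range(50)] for t in range(20)]

if __name__ == "__main__":
    print("normal:", run(NORMAL))  # all three servers reached, no alarm
    print("worm:  ", run(WORM))    # 20 of 1,000 targets reached, alarm at once
```

The workstation is barely delayed because it keeps returning to the same few servers, while the scanning machine is held to one new destination per tick and flagged by its backlog.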

A fence in technique to catch hackers is the "honeypot" strategy, which involves setting a baited trap. In this case, the bait is a computer that is purposefully made vulnerable to attack and that has what looks like valuable information on it (although the info is actually bogus). The honeypot owners wait for hackers to take the bait, track their activities, learn from their tactics, and attempt to capture and prosecute them.

Fencing in techniques can also be used against spam. There is an open-source SMTP (e-mail) server called "Spamish Inquisition" (http://sourceforge.net/projects/spaminq/) that looks for spam as it is being sent, keeps the socket from the sender open, and holds a very slow, error-filled SMTP conversation with it. If everyone had this, spam would be impossible to send and people providing open relays for spammers wouldn’t be able to send e-mail at all. It’s like keeping telemarketers on hold rather than hanging up.

Fencing out focuses on protecting individual computers, but fencing in requires us to think of the network as the system to protect. For this to become really practicable, we need cooperation between computers and perhaps between vendors, which means that it will take a while to come into its own. But it is a natural direction for the security industry. As the sports cliché goes: you can’t stop it, you can only hope to contain it.

biography
Philip Brittan (pbrittan@droplets.com) is founder and chairman of Droplets (www.droplets.com), which makes rich thin client technology for corporate network applications. Previously, he founded and ran software development firm Spheresoft, and before that he was lead developer and CEO of financial software firm Astrogamma.