
an actual exploit can take place. Let’s also look at how a NAC solution could prevent this from happening. Since everyone I talk to mentions that their biggest concern with letting outsiders onto their LAN is infection, let’s use that example.

There are two main ways in which unintentional malware infection can take place on a LAN:

Network worms

Viruses

When talking about malware, many people generically call everything viruses. In reality, there are many different types of malware, such as viruses, worms, Trojans, spyware, and so on. While technically calling all of these things viruses is wrong, it’s a fairly common thing to do. Purists may try to correct you from time to time, but it really doesn’t matter. That notwithstanding, it is important to realize the difference between the different pieces of malware. Here are three really quick definitions of some of the major pieces of malware that will be important to understand for the purposes of this real-world example:

Viruses— Malware that spreads by human interaction, such as opening a file

Worms— Malware that spreads without human interaction

Trojans— Malware that is installed covertly during the execution of a host file

NOTE Malware can also be a mix of different types of malware. For example, a piece of malicious code could be transferred from one machine to another by sharing files via a USB drive. Once the code gets onto a new machine, it could then try to spread over the network without any human interaction. That multipronged approach would make the malware both a virus and a worm. Fun, isn’t it?

You’ll note that the main difference between these different types of malware is how it is spread. Worms can spread on their own, while viruses require human interaction.

84 Chapter 4 Understanding the Need for LAN-Based NAC/NAP

When it comes to stopping malware, the first thing that comes to mind is antivirus software. I don’t recall ever talking to a company that didn’t have an antivirus solution deployed. The antivirus solution may no longer be running or up to date on the enterprise’s systems, but the enterprise did at least initially deploy it.

The kicker is that signature-based antivirus solutions (which use how a piece of malware looks to determine whether it is a threat) don’t work very well against new threats. If a piece of malware contains the actual and unique text “BigNate07” as part of its code, then why not look for that text and let its presence determine whether a threat is present? Pretty simple, and actually, that’s the problem. It’s too simple. Change the text in that piece of malware to “BigNoah07,” and the threat would go undetected. Literally, that’s how it works.

Another issue with signature-based antivirus is that it is reactive instead of proactive. In order for the threat to be detected, it must first be known. To become known, the malware must have already infected enough machines to garner the attention of the antivirus software vendors. That seems like a bit of a Catch-22 — you’ll be protected once enough computers have become infected. Figures 4-3 and 4-4 give a graphical representation of how signature-based antivirus works.

[Figure 4-3 shows the following sequence: a vulnerable configuration or code deficiency is discovered; a virus is written to take advantage of the vulnerability; the virus begins infecting devices over the Internet; antivirus vendors create signature definition files to look for that specific virus code.]

Real-World Example of an Unintentional Threat 85

[Figure 4-4 shows the following sequence: devices install the AV updates and are protected against that particular virus; a slight change is made to the original virus code (in the figure, a single token of the script is altered); previously protected machines are no longer protected.]

Figure 4-4 Signature-based antivirus once updates are installed
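To make the BigNate07/BigNoah07 point concrete, here is an added toy scanner (not code from the book) that matches byte-string signatures exactly, the way the chapter describes, and walks through the reactive update cycle of Figures 4-3 and 4-4. The file contents and signature names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample "files": the malware from the chapter's example and a
# variant in which only the embedded string was changed (BigNate07 -> BigNoah07).
SAMPLES: Dict[str, bytes] = {
    "original.exe": b"MZ...payload...BigNate07...spread_over_network()",
    "variant.exe": b"MZ...payload...BigNoah07...spread_over_network()",
    "report.doc": b"Quarterly report: nothing suspicious in here",
}


@dataclass
class SignatureScanner:
    """Toy signature-based scanner: a signature is a byte string that must
    appear verbatim in the file, exactly as the chapter describes."""

    signatures: Dict[str, bytes] = field(default_factory=dict)

    def add_signature(self, name: str, pattern: bytes) -> None:
        # A new definition file from the vendor is just another exact pattern.
        self.signatures[name] = pattern

    def scan(self, data: bytes) -> List[str]:
        # Return the names of every signature found verbatim in the file.
        return [name for name, sig in self.signatures.items() if sig in data]


def simulate_signature_lifecycle():
    """Run the scanner before and after the vendor learns about the variant.
    Returns (before, after): filename -> list of matched signature names."""
    scanner = SignatureScanner()
    # Figure 4-3: the vendor ships a definition for the sample it has seen.
    scanner.add_signature("Worm.BigNate", b"BigNate07")
    before = {name: scanner.scan(data) for name, data in SAMPLES.items()}
    # Figure 4-4: the one-token change evades the old definition, so the
    # vendor can only react by adding a second signature after seeing it.
    scanner.add_signature("Worm.BigNoah", b"BigNoah07")
    after = {name: scanner.scan(data) for name, data in SAMPLES.items()}
    return before, after


if __name__ == "__main__":
    before, after = simulate_signature_lifecycle()
    for filename in SAMPLES:
        print(f"{filename}: before={before[filename]} after={after[filename]}")
```

Between the two scans, variant.exe goes completely undetected even though its behaviour is identical; only the vendor's later definition closes the gap.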

So, now you have a basic understanding of the different types of malware threats and how antivirus helps to protect against these threats. Even if antivirus software doesn’t catch everything, it still does catch a lot of malicious items. Therefore, it is smart to have it installed, running, and up to date, and it is logical to have a NAC rule to look for it.

The first step in an outsider infecting the corporate LAN is for a machine to become infected. This isn’t very hard to do. The machine could get infected by:

Having received infected files

Surfing the Internet

Being on the same network as another infected machine

However the outsider’s system became infected, it is infected and contagious. It also is about to connect to your LAN.

For this example, let’s say the infected system belongs to a contractor. He’s coming onsite to work on a project. Like many contractors, he uses his own laptop. This is an advantage to the contractor (because he will have all of his own tools and files) and good for the enterprise (since it does not have to provide a computer system). The contractor is shown to his guest work area, provided with an Ethernet connection, and given information to get connected to the wireless LAN. He needs this access since he will be working on the same systems as the employees for the company that hired him.

How could the contractor unintentionally infect the LAN? There are at least two ways:

He can transfer over data that is infected with malware.

Network worms can automatically and actively try to infect the other systems on the network.
