A year after the Conficker worm was first observed crawling through corporate networks, a Western Canada hospital administrator has installed an intrusion prevention system (IPS) to deal with such threats.
The Kelowna, B.C.-based Interior Health Authority, a part of the provincial government, includes 22 hospitals and other health facilities, including the cities of Kamloops and Cranbrook, plus 53 First Nations communities.
All of its network traffic goes through the main data centre, and in the past, its security system was designed to monitor traffic and detect threats, said Kris Jmaeff, IHA’s information systems security specialist.
Its security measures include Microsoft Corp.’s Forefront Client Security, plus a firewall from Check Point Software Technologies Ltd. of Redwood, City, Calif.
Jmaeff’s main concerns are viruses, Trojans, malware and data loss. When Conficker first surfaced, IHA had trouble identifying the machines that were infected, he said.
But then IHA started beta testing three IPS systems, including Sourcefire Inc. of Columbia, Md., IBM Corp.’s Proventia and TippingPoint, made by Marlborough, Mass.-based 3Com Corp.
IHA selected the TippingPoint 330 IPS appliance, which is designed to monitor traffic at up to 300 Megabits per second. 3Com says the 330 IPS can block a variety of threats, including worms, viruses, phishing and blended threats. It can also alert administrators to suspicious activity.
“We can see which machines are trying to connect to the internet,” Jmaeff said. “Any data that tries to leave our perimeter, we catch, we watch, we can stop and we can fix.”
“We provide a set of filters that catches all the permutations of Conficker,” said Craig Phelps, TippingPoint’s product marketing manager. “A firewall is really a port level (and decides) yes or no, should I let this traffic in through this port?’ We do deep packet inspection at Layers 1 through 7, crack open the payload and decide, is this a threat or not?”
Jmaeff said the ability to actually look at the payload of packets was one of the reasons IHA chose IPS. He added TippingPoint was selected partly because of the reports it can create.
When Conficker was first discovered a year ago, it was installing bots on infected PCs. At the time, Microsoft released a patch for Windows users.
A variant later began installing fake security software, or scareware, on to users PCs, designed to give them false warnings in the hopes users would then spend money on useless software.
Although Conficker’s e variant self-destructed earlier this year, other variants continued to give network administrators headaches.
Recently, researchers at the volunteer-run Shadowserver Foundation logged computers from more than seven million unique IP addresses, all infected by the known variants of Conficker.
Jmaeff said IHA is able to customize TippingPoint IPS to detect and stop certain threats.
IHA uses it to watch its Internet connection, DMZ and remote access.
“If we see attacks across our firewall, TippingPoint sees the actual packets going through,” he said. “It adds to our tools for our defences.”
IHA also uses TippingPoint’s Digital Vaccine service, which gives users updates twice a week, or more often in events the vendor considers emergencies. It includes filters designed to stop new threats and to detect unusual traffic.
