As I said before, if you want to stop blended threats like Mydoom and others, the best way to do so is to secure the perimeter by preventing an attack before it has a chance to infiltrate your network. That is best done on the edge, IN FRONT OF THE ROUTER, but for a number of reasons no one has attempted it. Of course, if you tried to do it on the router it would degrade performance 60-70% which is not a good solution. One other big issue is having the scalability to inspect every packet entering and leaving a network (router) with minimal latency. Finally, being able to effectively detect and prevent anomalous traffic from entering a network requires sophisticated algorithms. You have to have minimal false positives and no false negatives. In other words, the last thing a Chief Security Officer wants to be blamed for is screwing up a large multi-million dollar transaction for a business unit by blocking it from entering or leaving the network. Therefore, many CSOs are willing to just have the detect function turned on instead of solely relying on technology to make decisions about what is good and what is bad traffic. Of course, given the proliferation of complex viruses and blended threats, we are seeing more and more security teams moving from detection to prevention.
Before we dive further into securing the perimeter, let’s first understand how Mydoom works. Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and also tries to randomly generate or guess likely email addresses to send itself to. It also leaves a backdoor wide open for hackers to take control of the machine to steal user information or start spam campaigns or DDoS attacks. The kicker is that these new viruses typically send email messages using a built-in messaging or SMTP engine, bypassing the normal messaging host on a computer and therefore bypassing any antivirus software you may have installed. This sounds pretty nasty, doesn’t it? The amount of inbound and outbound email traffic can easily bring your network down, leading to lost revenue and lost productivity. The fact that it leaves a back door open for nefarious uses could be even more damaging. For example, someone could use millions of infected computers to launch a DDoS (Distributed Denial of Service) attack on you, bringing down your transactional web site.
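Because the worm carries its own SMTP engine, the one place it cannot hide is the edge: an infected desktop starts talking TCP/25 directly to outside hosts instead of through the company mail relay. The following is an added example, not code from the original post, that runs that check over a few constructed egress firewall log lines; the internal range, the relay address and the burst threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of egress firewall log lines (not real data):
# timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2004-01-27T09:00:01 10.0.5.17 198.51.100.10 25 tcp
2004-01-27T09:00:02 10.0.5.17 203.0.113.44 25 tcp
2004-01-27T09:00:02 10.0.5.17 203.0.113.45 25 tcp
2004-01-27T09:00:03 10.0.5.17 192.0.2.99 25 tcp
2004-01-27T09:00:04 10.0.1.25 198.51.100.10 25 tcp
2004-01-27T09:00:05 10.0.5.30 192.0.2.80 443 tcp
2004-01-27T09:00:06 10.0.5.31 203.0.113.7 25 tcp
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Hypothetical: the only host sanctioned to send mail to the outside.
ALLOWED_RELAYS = {"10.0.1.25"}
BURST_THRESHOLD = 3  # distinct external SMTP peers per host before we call it mass-mailing


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def find_direct_smtp_senders(log_text, allowed=ALLOWED_RELAYS, threshold=BURST_THRESHOLD):
    """Return (direct, burst): 'direct' maps each internal host that sends SMTP
    straight to external peers (bypassing the relay) to its sorted peer list;
    'burst' is the subset whose distinct peer count meets the threshold."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, proto = parse_line(line)
        if proto != "tcp" or port != 25:
            continue
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) in INTERNAL:
            continue  # only internal -> external SMTP is of interest
        if src in allowed:
            continue  # the real mail relay is expected to do this
        peers[src].add(dst)
    direct = {src: sorted(dsts) for src, dsts in peers.items()}
    burst = {src for src, dsts in direct.items() if len(dsts) >= threshold}
    return direct, burst
```

Blocking (not just logging) TCP/25 from everything except the relay turns the same rule into the egress side of the prevention the post argues for.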
In my opinion, an effective security solution would sit on the edge, prevent anomalous traffic and malformed packets from entering or leaving a network, and provide capable antivirus technology. In other words, you would buy an integrated security solution that includes a firewall, intrusion prevention, DDoS, and gateway antivirus technology that can sit in FRONT OF THE ROUTER. Therefore the only data that should be traversing your network is good, clean data and all of the bad stuff, ingress and egress, is left behind and dropped. I have spent a fair amount of time during the last few years looking at this problem. During the last 3 months, I have been working closely with one company that can offer customers all of the above. Please check back in the near future to learn more about it. Of course, if you have come across any companies that fit the bill, I would love to hear from you.
With respect to your traffic related argument, the problem lies not in that traffic, but in the vulnerabilities that “open the door” for exploits. At least a part of the solution lies in securing the asset rather than continuing to focus on the traffic as the problem. We all know that timely implementation of application level security is the only solution to the threats (e.g., MyDoom) that continue to plague large enterprise networks. Application based security vis-a-vis a real-time patch remediation solution with realistic roll-back/recovery mechanisms is the ultimate defense. Using a physical world analogy, thieves in that space, given the choice, will intrude on homes/businesses without a “protected by” warning more often than those with the means to catch them in the act or reduce their chances of success.
Yes, a major issue is having your backdoor left open. If you can prevent it from coming in the first place, it logically makes a ton of sense. Sitting in front of the router is a start. However, there is no silver bullet, and a layered, defense-in-depth strategy is a great way to go. Automated patch remediation and roll back/recovery via solutions like yours definitely helps find and stop the vulnerabilities that slipped through the perimeter.
There are many reasons for not putting firewalls in front of the edge router. Some are related to network performance, availability, reliability, multihoming, etc. Some are related to effectively managing an enterprise network. For example, one will have to leave ICMP ports open, otherwise your management system won’t be able to communicate with remote devices. Traps and triggers from remote sites will not get through and network managers will be left without any visibility.
These are a few simple issues; then there are more complex network engineering issues.