Topic: Layered Security Architecture & Incompatible Issues (Explanation)

Posted by 3xist (Guest)
This thread is for educational use. It looks at how Anti-Virus simply does not work alone as your first line of defense, why you need a layered security architecture in order to provide protection, and how running security software from different vendors can cause conflicts/issues for the user, since they aren't "designed" to work together.

SECTION 1 - You need 3 layers of security to protect yourself

Videos by Melih Abdulhayoglu (Founder, CEO & Chief Security Architect of COMODO)
Is Your Security Good Enough
We Need 3 Layer Security to Protect Ourselves

Today, we protect ourselves with "detection based technologies" (Anti-Virus). There is a major issue here: Antivirus software (or any other detection based technology) ONLY detects what it knows. Yes, Antivirus has heuristics and Family/Generic signatures, but these are still detection technologies and are NOT enough to provide decent protection for end users.

Let's look at an example. An Anti-Virus has 2 million (2.000.000) signatures in its database to detect the malware it knows (it only knows those 2 million malware). Then you have Heuristics, which look for the characteristics of virus-like behavior. Then Family/Generic signatures: say 1 signature in the Antivirus database, out of the 2 million it has, detects another 2000 malware (1 signature detects 2000 malware), so a Trojan, Rootkit, Rogue Antivirus, etc. from the same family can be detected without making a new signature. Now a new malware comes along. It's not in the database, Heuristics can't recognize it, and Family/Generic doesn't recognize it as belonging to any family of malware. The Antivirus says "Well, it's not in our database and we can't find any information that it is a virus, just let it in!" The malware then causes the damage, and YOU are infected just because your Antivirus did NOT detect the malware. Here we see an example of Default Allow Protection - meaning the Anti-Virus says "I don't know you! Just come straight in, I won't alert of a virus!" This is a HUGE problem for the industry today. Anti-Virus would have been fine 25 years ago, but we are here in 2009 and there is NO way Antivirus software can keep up with all the 30K-40K new malware on a monthly basis.

Thankfully, COMODO has created a paradigm shift in the way we protect ourselves. Detection based technologies (Anti-Virus, in other words) are only 1 of the 3 layers of security you need to provide protection. COMODO has recognized this and created Comodo Internet Security, which as of version 3.9 works like this:

Layer 1 - First line of Defense.
PREVENTION: Defense+ (HIPS), Buffer Overflow Protection (built into Defense+), Firewall.

Layer 2 - Second line of Defense.
DETECTION: Anti-Virus, including Heuristics and the Memory Scanner based on BOClean.

Layer 3 - Third line of Defense.
CURE: NOTE: COMODO is currently working on the Cure layer. This will be Comodo Time Machine integrated into Comodo Internet Security v4 (you can go back in time whenever you want ;)).

This concept is based on Default Deny Protection (TM).

Comodo started this approach when they released Comodo Firewall Pro v3.0 on November 21st, 2007, which came with the Firewall and Defense+ (PREVENTION). Then Comodo Firewall Pro became Comodo Internet Security v3.5 on October 23rd, 2008, which came with a built-in Antivirus (DETECTION). Versions 3.5 to 3.9 then introduced Heuristics, Buffer Overflow Protection and the Memory Scanner based on BOClean. It is unknown when v4.0, which will bring Comodo Time Machine (CURE), will be released.

So in conclusion, you need Prevention, Detection and Cure in your security setup in order to provide decent protection. REMEMBER - nothing is 100%, even this isn't! But Prevention must be your first line of defense, and Comodo Internet Security does this for you, for free!
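As an added illustration (my own constructed toy model, not Comodo code), here is a small Python simulation of the two policies contrasted above: a default-allow detection layer that stops only what its signature/family database knows, and a default-deny prevention layer that blocks untrusted programs from touching protected "checkpoints" (Run key, system folder). The hashes, publisher name and checkpoint labels are invented.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed stand-ins for a signature database, a family signature,
# a trusted-publisher list and the Defense+ "checkpoints" (all hypothetical).
KNOWN_BAD_HASHES = {"hash-known-trojan", "hash-known-rootkit"}
FAMILY_MARKERS = {"rogue-av-family"}        # one generic signature, many samples
TRUSTED_PUBLISHERS = {"Example Corp"}        # default deny: only these are trusted
PROTECTED_TARGETS = {"registry:Run", "dir:System32"}  # persistence checkpoints

@dataclass
class Program:
    name: str
    file_hash: str
    publisher: Optional[str] = None
    markers: Set[str] = field(default_factory=set)   # traits a family signature matches
    writes: Set[str] = field(default_factory=set)    # locations it tries to modify

def detection_layer(p: Program) -> str:
    """Layer 2 (default allow): stop only what the database knows."""
    if p.file_hash in KNOWN_BAD_HASHES or p.markers & FAMILY_MARKERS:
        return "blocked"
    return "allowed"        # unknown sample -> "just let it in"

def prevention_layer(p: Program) -> str:
    """Layer 1 (default deny): untrusted programs may not touch checkpoints."""
    if p.publisher in TRUSTED_PUBLISHERS:
        return "allowed"
    if p.writes & PROTECTED_TARGETS:
        return "blocked"    # persistence attempt by an untrusted program
    return "allowed"        # unknown, but it did not try to install permanently

def layered_verdict(p: Program) -> str:
    """Prevention first, detection second: either layer may block."""
    for layer in (prevention_layer, detection_layer):
        if layer(p) == "blocked":
            return "blocked"
    return "allowed"

# Constructed samples: a known trojan, an unseen variant of a known family,
# a brand-new keylogger, and a legitimately signed updater.
KNOWN_TROJAN = Program("trojan.exe", "hash-known-trojan", writes={"registry:Run"})
ROGUE_VARIANT = Program("fakeav_v7.exe", "hash-never-seen", markers={"rogue-av-family"})
NEW_KEYLOGGER = Program("kl.exe", "hash-never-seen-2", writes={"registry:Run"})
SIGNED_UPDATER = Program("updater.exe", "hash-vendor", publisher="Example Corp",
                         writes={"registry:Run"})

if __name__ == "__main__":
    for p in (KNOWN_TROJAN, ROGUE_VARIANT, NEW_KEYLOGGER, SIGNED_UPDATER):
        print(f"{p.name:14} detection={detection_layer(p):8} "
              f"prevention={prevention_layer(p):8} layered={layered_verdict(p)}")
```

The new keylogger is the interesting row: detection alone lets it in, while the prevention layer blocks its attempt to persist.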

SECTION 2 - Incompatibility problems when running security software from different vendors together

http://www.wilderssecurity.com/showthread.php?t=243755&highlight=comodo

I will give an example from Wilders Security Forums (thread linked above). This particular person installed Firewall X and Anti-Virus Y (the actual product names are mentioned in the original post) together. There is a vulnerability here: Anti-Virus Y installed and acted as a proxy, and all network traffic was routed through it, which was not controlled by Firewall X. These products are not designed to work together! How do people know to go and enable/tweak some obscure setting somewhere? Unfortunately, they don't.

Comodo Internet Security is designed to work in harmony, as one architecture providing protection. For example:
1. If you get an Anti-Virus Alert, you will not also be alerted by Defense+ (HIPS).
2. If you get a Buffer Overflow Alert, you will not also be alerted by Defense+ (HIPS).

This makes the user experience a lot more pleasant!

Whilst if you run a different Antivirus and a different Firewall, this MAY and can cause problems: not just inconvenience problems like Alerts overlapping each other, but also incompatibility problems like the Wilders thread above. With Comodo Internet Security, malware protection and usability come together: you detect 40% of malware and prevent the rest, without the layers overlapping each other and causing conflicts. Comodo Internet Security is designed to work in harmony, without any issues. If you're running more real-time software from different security vendors, this increases vulnerability further (say you run an AV from Vendor A, a Firewall from Vendor B, a HIPS from Vendor C, and a Behavior Blocker from Vendor D). This is again an issue, and Alerts will overlap, etc.

This concludes layered security architecture and why CIS is designed to work in harmony. Anyone wanting free security that works in harmony: CIS is your best friend! :)

QUESTION: WAIT A MINUTE!! But Josh! Why are some things disabled by default in Comodo Internet Security (like under Defense+ Monitor Settings)? People switch to "Proactive Security" because it is indeed the highest security!

ANSWER: Ouch! Too bad! I was meant to run!!! :)

I would just like to further explain this configuration (Proactive Security) and why the default configuration when you install Comodo Firewall & Antivirus is good enough Internet Security. The reality is, Proactive Security is good enough for any experienced user. For an advanced user, Proactive Security can REPLACE any Antivirus out there, including Comodo's. They wouldn't need the Antivirus in Comodo Internet Security or any other "detection" based solution, let alone "prevention" solutions (there are very few prevention solutions out there, since security vendors/products rely on detection as the first line of defense, which needs to change). The only reason an experienced user in Proactive Security would need an Antivirus is to improve USABILITY and reduce pop ups, but hey... we are talking about an experienced user here, so we can eliminate that assumption. Now for an Average user, using Proactive Security is a disadvantage compared to an experienced user: they will get more pop ups. I'll talk about this more later.

In Proactive Security, everything in Comodo Internet Security is enabled. In the default Internet Security Configuration, things are configured a little differently. From the Help File:

    * Image Execution Control is disabled.
    * Computer Monitor/Disk/Keyboard/DNS Client access/Window Messages are NOT monitored.
    * Only commonly infected files/folders are protected against infection.
    * Only commonly exploited COM interfaces are protected.
    * Defense+ is tuned to prevent infection of the system.

As you can see, in the Internet Security Configuration some things are disabled. A few more experienced users go "What! Why are all these disabled? To reduce pop ups? To claim a false sense of security!" Well... whatever they claim is NOT true. Let's look at Keyboard and why that is not monitored by Defense+, and what happens if the AV does not detect the program (say a keylogger is trying to install): all keyloggers try to install themselves permanently. If they try to do so, they will be prevented by CIS. Assume the keylogger is executed and, by chance at the same time, there is banking information on a website: the Firewall will catch it anyway. The point here is that permanent damage needs to be prevented, and checkpoints are kept to prevent this damage. Overall, all those checks (Image Execution, Disk, DNS Client, Windows Messages, Computer Monitor) are disabled because, again, it is permanent damage that needs to be prevented. When you have an AV installed, it makes a HUGE difference, and this allows Comodo to skip some checks in Defense+. Preventing permanent damage means checks like Protected Files and Registry Keys, which MUST be and are protected by default. The point is: all viruses try to install themselves permanently, no exceptions, and CIS by default is there to prevent this damage; all the checkpoints are kept.

Now, there are 4 default configurations in CIS, as you might have noticed. All these configurations (whether you install just the Firewall, just the AV, or both) are set up to suit the installation chosen: if you choose just the Firewall, then the "Firewall Security" policy will be applied. So in any case, CIS is still strong. Proactive is for ADVANCED users. I would also like to point out that because Image Execution Control is enabled in Proactive, Buffer Overflow Protection won't be the first Alert if malware or a legit app is doing a BO. You will get an Image Execution Alert; if you allow that, THEN you get a BO Alert... It's just more pop ups for average users. So really, the default configuration is fine whether you install just the Antivirus, the Firewall or both, and WILL prevent damage. There have been NO reports of malware bypassing the default configurations.

So no matter what security setup you use, Comodo Internet Security or not, make sure you have Prevention, Detection and Cure in your setup, where Prevention is first, Detection is second and Cure is third, and try to avoid incompatibility issues if possible!

Any other questions/comments can be directed to myself via PM. :)

Discussion Thread: Re: Layered Security Architecture & Incompatible Issues (Explanation) Discussion

By the way: it would help COMODO if you let us know in this thread:
How Compatible CIS is With Other Security Products: Your Opinion Needed

Cheers,
Josh
Last Edit: June 17, 2009, 06:12:06 AM by Deadly Pawn
