Halting Nasty Worms

A new approach from Mirage Networks stops damage from worms by watching for bad behavior

George V. Hulme, Contributor

June 4, 2004

2 Min Read

An Internet worm that makes its way onto a business network means big trouble. Network firewalls and antivirus software running on E-mail gateways serve as a defense for many companies, but they don't catch everything. And it's only after a worm gets inside that many businesses realize how vulnerable they really are.

Business-technology managers have a number of security tools they can deploy. But many require the deployment of software agents, the establishment of security policies, constant updating of threat signatures, or training security applications to recognize "proper" system behavior. And most of them are "in-line" or "in-band" technologies, meaning they watch traffic as it flows over the network. That means an intrusion-prevention system could make a mistake and stop legitimate network traffic.

Mirage Networks Inc. offers a different approach. The startup has a security appliance called the Mi40 Inverted Firewall that doesn't run in line. Instead, the network intrusion-prevention system runs "out of band" and monitors the results caused by network traffic, says Greg Stock, VP of sales and marketing for the company. The Mi40 doesn't use software agents or threat signatures or require customers to rearchitect their networks to stop worms.

Instead, the Mi40 looks at other factors to spot the presence of worms. That can include a spike in IP scans (something worms do to find targets to infect), bad packet headers, and attempts to connect to unassigned IP addresses. When the Mi40 spots this kind of behavior, it can block infected systems sending suspicious traffic without quarantining an entire network.

That type of defense would have come in handy last year when the IT systems owned by the city of Overland Park, Kan., got hit with a worm. While the city had a secure network perimeter, someone with an infected notebook made a connection to a wireless access point and "in minutes, hundreds of workstations were infected," says Randy Oehrle, network administrator for the city.

Oehrle decided to try the Mi40. "They ran a simulated worm attack on my network," he says. "The Mirage box stopped it in about 100 milliseconds." Since installation of the Mi40 earlier this year, worms haven't infected any of the city's 850 desktops.

About the Author(s)

George V. Hulme


An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights