Once every two weeks, I will try to write an in-depth blog post on an interesting topic within the security community. My first topic is why the client-server model should be abandoned for antivirus and host intrusion detection/prevention.
It always seems that malware creators are always 1 step ahead of the security community. Their methods for deploying and updating sophisticated botnets seems to be ever evolving, while the security community lags behind in technology.
Case in point - Conficker. This amazing piece of malware is protected by cryptographically signed updates using 4096 bit RSA keys, distributed through peer-to-peer updating, instead of the traditional client-server model using a centralized command center.
And yet, all home-based and enterprise virus scanner and host intrusion detection/prevention software suites rely upon the client-server model. While this decades old technology is tried and true, it contains one major flaw. Shut off access to the central command server(s), and the system no longer receives updates, or reports detected problems. The bad guys know this, and actually program their malware to disable updates by editing the hosts file of infected systems to redirect the domain names of common antivirus vendors to non-existant (or malicious) IP addresses!
I feel it is time to abandon the client-server model for antivirus and intrusion detection. The "bad guys" are using peer-to-peer technology, why don't we? It makes much more sense to me to create a cryptographically secure peer-to-peer update distribution system for definition updates, instead of relying on decades-old "primary/backup/tertiary" definition distribution servers. After all, we've already perfected the technology through BitTorrent, but it seems that technology is mostly perceived as being used for illegal purposes.
When the original Gnutella client was released, I was very excited. Not because it was a chance to obtain pirated music, but because it was innovative, and an exciting new way to distribute information and open source software. That was over 10 years ago. Peer-to-peer technology has drastically evolved in scalability and design, and yet has only been adopted by the games industry as a means of updating software (see World of Warcraft P2P Updating).
With a peer-to-peer update mechanism for antivirus and host intrusion detection, not only could detection updates be pushed across the network, but so could infection reports. Instant visibility across the network of the status of all systems connected to your peer-to-peer security network.
Only one question remains. Why hasn't anything like this been implemented yet?
No comments:
Post a Comment