
Detecting infected devices on the network: Fortinet

AvantiKumar | March 29, 2013
Network security firm's regional vice president for Southeast Asia and Hong Kong gives five tips for spotting and scoring bad IP clients.


Photo - Dato' Seri George Chang, Fortinet's regional vice president for Southeast Asia and Hong Kong.


Amid reports of increased cyber attacks, network security firm Fortinet has listed five ways to spot bad IP (Internet Protocol) clients, that is, internal hosts whose traffic suggests they are compromised, on enterprise networks.

"Identifying risky user and application behaviour represents the next step in protection against Advanced Persistent Threats [APTs]. Signature-based protection is no longer enough," said Fortinet regional vice president, Southeast Asia and Hong Kong, Dato' Seri George Chang.

"It's now important to build a complete, evolving and up-to-date picture of the behaviour of network clients," said Chang. "Client reputation and scoring is an essential component in ordering and understanding the enormous amount of security information available within organisations, and applying it to a dynamic, targeted security response."   

Fortinet has released a new whitepaper, 'Detecting What's Flying Under the Radar: The Importance of Client Reputation in Defending Against Advanced Threats.' "Fortinet's unique patent-pending client reputation capability is one of the hallmark features of its latest operating system, FortiOS 5," he added.

Fortinet's five ways to spot and score bad IP clients, and so detect an infected device, are:

1) Bad Connection Attempts
Malware frequently tries to reach hosts that do not exist on the Internet, seen as failed DNS lookups or connections that are refused or time out. A few bad connections may be user error or stale links, but a series of them from one client is a sign of infection and should raise its score.

2) Choice of Application
A host that installs a P2P file-sharing application can be considered riskier than one that installs a game; some organisations treat both as problematic. Assigning a weight to each action lets each risk be scored accordingly rather than as a simple yes/no.

3) Geographic Location
Connections to hosts in certain countries can be categorised as risky behaviour, especially when a significant volume of traffic is involved. Combining this signal with a whitelist of legitimate sites in those countries reduces false positives and helps single out the clients that are actually infected.

4) Session Information
When a device starts listening on a port for inbound connections but does not itself initiate any outbound connection, an APT infection could be the cause: a backdoor that waits to be contacted looks exactly like this.

5) Destination Category
Visits to certain categories of website, such as gambling and adult sites as well as those known to host malicious code, can also be a predictor of APT infection and add to a client's score.
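To make the scoring idea concrete, the following is an added example, not Fortinet's code and not FortiOS's client reputation implementation: it folds a stream of constructed events (failed connections, application installs, a device that opens a listening port, visits to categorised sites) into a weighted per-client score covering all five signals above. The event schema, the weights, the "series" threshold for failed connections, the country code "XX", and every hostname and IP address are assumptions invented for illustration; a real deployment would tune the weights to its own risk appetite.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Per-signal weights. These values are assumptions for illustration only;
# the point is that each behaviour contributes a tunable amount, not a flag.
WEIGHTS = {
    "bad_connection": 2,         # per failed connection, counted once a series is seen
    "risky_geo": 5,              # per connection to a risky country, unless whitelisted
    "listener_no_outbound": 20,  # device accepts inbound but never initiates outbound
    "risky_category": 8,         # per visit to a risky web category
}
APP_WEIGHTS = {"bittorrent": 10, "game": 3}        # tip 2: P2P weighted above games
RISKY_COUNTRIES = {"XX"}                           # constructed country code
GEO_WHITELIST = {"cdn.example.net"}                # legitimate hosts in risky countries
RISKY_CATEGORIES = {"gambling", "adult", "malicious"}
BAD_CONN_SERIES = 5   # a couple of typos is noise; a series of failures is a signal


@dataclass
class ClientState:
    score: int = 0
    failed: int = 0
    outbound: int = 0
    listening: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(f"+{points} {why}")


def score_events(events):
    """Fold a list of event dicts into a per-client reputation state."""
    clients = defaultdict(ClientState)
    for ev in events:
        c = clients[ev["client"]]
        kind = ev["type"]
        if kind == "conn":                         # outbound connection attempt
            c.outbound += 1
            if ev.get("status") == "failed":       # NXDOMAIN, RST, timeout
                c.failed += 1
            if ev.get("country") in RISKY_COUNTRIES and ev.get("host") not in GEO_WHITELIST:
                c.add(WEIGHTS["risky_geo"], f"risky geo {ev['host']} ({ev['country']})")
            if ev.get("category") in RISKY_CATEGORIES:
                c.add(WEIGHTS["risky_category"], f"risky category {ev['category']}")
        elif kind == "app_install":
            weight = APP_WEIGHTS.get(ev["app"])
            if weight:
                c.add(weight, f"installed {ev['app']}")
        elif kind == "listen":                     # device opened an inbound port
            c.listening.add(ev["port"])
    # Signals that need the whole observation window: a series of failures,
    # and a listener that never dials out on its own.
    for c in clients.values():
        if c.failed >= BAD_CONN_SERIES:
            c.add(WEIGHTS["bad_connection"] * c.failed, f"{c.failed} failed connections")
        if c.listening and c.outbound == 0:
            ports = sorted(c.listening)
            c.add(WEIGHTS["listener_no_outbound"], f"listening on {ports} with no outbound")
    return dict(clients)


def rank(clients):
    """Highest score first; ties broken by address so output is stable."""
    return sorted(((ip, st.score) for ip, st in clients.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample events (not real traffic). 10.0.0.5 shows a series of
# bad connections, a P2P install and a gambling visit; 10.0.0.9 only opens a
# listening port; 10.0.0.7 is mostly benign noise: one typo, a whitelisted CDN
# in a risky country, and a game install.
SAMPLE_EVENTS = (
    [{"client": "10.0.0.5", "type": "conn", "host": f"c2-{i}.invalid", "status": "failed"}
     for i in range(6)]
    + [
        {"client": "10.0.0.5", "type": "app_install", "app": "bittorrent"},
        {"client": "10.0.0.5", "type": "conn", "host": "bets.example", "status": "ok",
         "category": "gambling"},
        {"client": "10.0.0.9", "type": "listen", "port": 4444},
        {"client": "10.0.0.7", "type": "conn", "host": "typo.example", "status": "failed"},
        {"client": "10.0.0.7", "type": "conn", "host": "cdn.example.net", "status": "ok",
         "country": "XX"},
        {"client": "10.0.0.7", "type": "app_install", "app": "game"},
    ]
)

if __name__ == "__main__":
    scored = score_events(SAMPLE_EVENTS)
    for ip, score in rank(scored):
        print(ip, score, scored[ip].reasons)
```

The two window-wide checks at the end are the part worth copying: a single failed lookup or one inbound port is not scored on its own, only the pattern (a run of failures, or a listener with zero outbound traffic) is, which is what keeps the whitelisted CDN visit and the lone typo on 10.0.0.7 from raising an alert.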
