Open source software for perimeter defense.


The host of a technology radio show in Boston recently tried to strike fear into the hearts of every systems administrator when he said, "You can't stop cyber-terrorism from attacking your network. What are you doing about it?" Although this topic has garnered a lot of national media attention, the talk show host didn't get many takers. Perhaps he should instead have said, "How can you make your network more secure from the outside world?"

The bottom line is this: You can't do anything about cyber-terrorism. On the other hand, for the past three years, systems administrators have been facing four basic security challenges. So, relax, and just focus on them:

* Define your processes and educate your staff and your employees.

* Secure your systems themselves.

* Lock down the perimeters and enforce security guidelines.

* Never stop updating your security systems.

If you do these four things, you'll probably be better off than most of the organizations in the world.

The Value of Perimeter Security

The more your organization depends on electronic communications via the Internet, the more you have to lock down the perimeter, the border between your secure internal networks and any outside networks. Of course, you first want to lock down your internal networks and only then think about opening them up for some services or opening some ports to outside networks.

You also need to continuously update all of the security systems that protect your perimeter. In fact, the majority of systems that get hacked haven't been updated. For example, a year before the Slapper virus for Windows SQL Server made headlines, Microsoft had the patch available on its website. Few systems administrators took the time to get it and update their SQL Server.

A good perimeter security technology strategy focuses on six areas:

* Access Control: Your different networks connect to a firewall which, in turn, acts as border control for who can access what and where.

* Authentication: This capability tells you who is coming to the firewall and verifies that you are who you say you are.

* Secure Remote Access: If you have a firewall at the perimeter, remote employees can't access the internal network because it is locked down. Secure remote access capability, however, enables employees to dial up the firewall over the Internet and then have the firewall authenticate their access to the internal network.

* Content Security: Without this capability, the firewall allows employees to surf the Web but doesn't control where they go. This capability equips the firewall with an application layer which scans and checks where employees go on the Web. This application layer can also scan for viruses, protect against spam, and block employees from going to filtered URLs.

* Traffic Encryption: This capability secures remote traffic by encrypting the data between the remote location and the final network destination.

* Alarming or Intrusion Detection: This capability looks into your firewall to see if there are any traffic anomalies, such as a flood of UDP packets or a new service appearing on the network. If so, the systems administrator receives an alarm immediately.
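As an added example (not code from the article), here is a small Python detector for the two anomalies the alarming bullet names: a flood of UDP packets from one source, and a service appearing at the perimeter that is not in the known baseline. The log format, addresses, baseline services and thresholds are all constructed for this example.

```python
"""Toy traffic-anomaly alarm over constructed perimeter firewall logs.
Log format, thresholds and addresses are made up for this example."""
from collections import deque
from datetime import datetime, timedelta

# Services the perimeter is expected to accept (assumed baseline).
BASELINE_SERVICES = {("TCP", 80), ("TCP", 443), ("TCP", 25)}

def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' log line into a dict."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    fields["dport"] = int(fields["dport"])
    return fields

def parse_log(text):
    """Parse all non-empty lines and order them by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])

def detect_udp_floods(events, window=timedelta(seconds=10), threshold=50):
    """Alarm once per source that sends >= threshold UDP packets within any window."""
    recent = {}      # src -> deque of timestamps still inside the sliding window
    alarmed = []
    for ev in events:
        if ev["proto"] != "UDP":
            continue
        q = recent.setdefault(ev["src"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire old timestamps
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alarmed:
            alarmed.append(ev["src"])
    return alarmed

def detect_new_services(events, baseline=BASELINE_SERVICES):
    """Alarm on accepted traffic to a (proto, port) the baseline does not list."""
    seen = {(e["proto"], e["dport"]) for e in events if e["action"] == "ACCEPT"}
    return sorted(seen - baseline)

def run_alarms(text, baseline=BASELINE_SERVICES):
    """Return human-readable alarm strings for one log text."""
    events = parse_log(text)
    alarms = [f"UDP flood from {src}" for src in detect_udp_floods(events)]
    alarms += [f"new service {p}/{port} accepted"
               for p, port in detect_new_services(events, baseline)]
    return alarms

def build_sample_log():
    """Constructed log: normal web/mail traffic, one unexpected service, one UDP flood."""
    lines = [
        "2003-08-01T10:00:00 src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=80 action=ACCEPT",
        "2003-08-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=443 action=ACCEPT",
        "2003-08-01T10:00:02 src=203.0.113.9 dst=192.0.2.11 proto=TCP dport=25 action=ACCEPT",
        "2003-08-01T10:00:03 src=203.0.113.9 dst=192.0.2.12 proto=TCP dport=8080 action=ACCEPT",
    ]
    start = datetime(2003, 8, 1, 10, 0, 5)
    for i in range(60):   # 60 UDP packets in 6 seconds from a single source
        ts = (start + timedelta(milliseconds=100 * i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} src=198.51.100.4 dst=192.0.2.10 proto=UDP dport=1434 action=DROP")
    return "\n".join(lines)

if __name__ == "__main__":
    for alarm in run_alarms(build_sample_log()):
        print(alarm)
```

The baseline check only counts accepted traffic, so a blocked probe to an unknown port does not raise a false "new service" alarm; the UDP window check fires once per source rather than on every packet.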

Evaluating Perimeter Security Technologies

When it comes to evaluating perimeter security technologies, most systems administrators tend to concentrate on looking at hard parameters, such as features, performance, price, ease of use, third-party endorsement, and certification. But how many systems administrators fail to question how secure the product really is? Don't assume that all security products are really secure!

While hard parameters are important, you should place equal, if not more, emphasis on evaluating soft parameters. These include product and author integrity, ease of update, ease of setup, and whether the product is an all-in-one security solution. Many companies quietly go about sealing holes in their security products by putting upgrades in the next product release, so you might not be aware there's a problem unless a virus epidemic occurs. In the meantime, if the vendor doesn't provide you an easy way to keep your product up to date, your systems can become prey to hackers. If you have systems running on different platforms, you'll need to spend time tracking updates for each platform and then doing the maintenance work. Likewise, if you have trouble configuring a system, expect to have questionable security.

Tight IT budgets have forced many systems administrators to think about total cost of product acquisition rather than total cost of ownership. This thinking can result in poor, reactive choices. Today, you need a firewall to protect your perimeter, so you opt for the most inexpensive one; you'll worry about cost of ownership later. What about the other technologies you need for airtight perimeter security? Products that handle all security functions, in the long run, provide a lower cost of product acquisition than the collective price of individual security solutions. An all-in-one product enables you to update all of your systems at the same time, thus reducing your total cost of ownership.

Proprietary Security Software vs Open Source Security Software

When it comes to selecting security software, you have your choice of either proprietary software or open source software. Commercial software vendors pay developers to write code, which is usually tested by both an internal quality assurance team and by some customers. Customers who buy the software can't tamper with the code, hence the proprietary nature of the product. They wait for the company to issue updates or patches to fix problems. Often, customers do a good job of uncovering problems and telling the software vendor. To maintain profitability, most security software vendors strive to become experts in one area of security, such as firewalls, and, in turn, create brand loyalty for the product.

The other type of security software belongs to a generic software class known as open source: non-proprietary and free to download from a website. About 20 years ago, the Open Source Software Foundation set up unofficial guidelines for developers who wanted to write and distribute open source software. Open source software usually begins with a project idea which an experienced Perl or C developer registers with the Open Software Foundation. The developer sets up a website and invites other developers to review the code and contribute code updates. Things get done according to a strict hierarchy of decorum regarding who can contribute and what gets posted for release.

Professional camaraderie, not financial incentives, among developers becomes the motivation to make contributions to a project. Some projects can have thousands of developers reviewing and testing the code. Participating developers like the challenge of putting the software through its paces and making changes that enhance the software's overall functionality. To this end, updates get made within days, not months as with proprietary software. If you download the software for use, you can review the code; but, chances are, you don't have the expertise to change it or even to understand it.

Perhaps the most widely used and accepted open source product is the Linux operating system, the first kernel OS that worked on x86 hardware. By using this OS, hardware vendors such as Dell don't have to pay licensing fees for a Microsoft OS. Another widely used open source application that runs on Linux is the Apache Web server. In fact, about 60 percent of all Web servers run Apache, according to Netcraft, a technology consultancy firm.

But what about using open source software for security? In a November 19, 2002 article for Business Week Online, John Pescatore, a security analyst with Gartner Group, said that as a result of Linux, more and more businesses and government agencies are getting comfortable with using Linux. He added that this trend is bleeding over into a lot more open security tools.

You'll find hundreds of open source products in each of the six technology areas mentioned for good perimeter security. For example, when it comes to alarming or intrusion detection, millions of individuals have downloaded Snort. In the Business Week Online article, Infonetics, a networking consultancy, said that Snort is one of the better programs in the $400 million intrusion detection market.

Commercialization of Open Source Software

"You get what you pay for" can apply to using open source security software. While a product might be free, you'll still need to take the time to configure it, learn to use it, and keep updating it. You might enlist the aid of a consultant.

However, security products based on open source software have started to become a viable business. A flock of emerging companies have taken the best of open source security products and added a slick user interface, technical support, and an updating service. These products usually cost less than comparable proprietary products.

In some cases, a security vendor might sponsor an open source development team. This arrangement enables the vendor to communicate its customers' priorities to the sponsored development team.

Differences Between Hard and Soft Parameters

Despite the growing acceptance of open source security software, you should consider weighing the differences between hard and soft parameters for both types of security software.

Soft Parameters

Reliability and Honesty

* Proprietary: Although a vendor might have a very good reputation, the reliability of its product and the honesty of its developers can be hard to judge. You might not know who the developers are, nor can you find out any information about them.

* Open Source: You know who the developers are. You can go to their website and read comments about them. These developers have to offer reliable products and develop good reputations; if they don't, word about them will spread throughout the open source community. A good de facto product development team could have thousands of individuals constantly testing and updating a product. To this end, product reliability is generally very good.

Ease of Setup and Ease of Update

* Proprietary: Vendors put a lot of time and money into packaging products so they'll be easy to use and easy to update. Usually these vendors put all updates in the next product release.

* Open Source: These developers don't put a lot of effort into creating slick user interfaces; that's not their core competency. While they frequently make updates to their product, you have to be on the constant lookout for these updates. In fact, open source security products get updated quicker than proprietary security products.

All-in-One Approach

* Proprietary: Given the vastness of security products, you won't find a lot of vendors that offer a complete line of security products. This undertaking can be rather time consuming and expensive. Vendors tend to focus on one area of perimeter security. To this end, some vendors will bundle their products with those from another vendor. So you might not have a lot of choice, or you can shop around and buy one of this and one of that. This latter approach could cost you more in the long run.

* Open Source: Once you've installed Linux on a server, you can download and install products for all of the perimeter security areas. But you'll have to configure each one and learn how to use it. On the other hand, you can look for a vendor that has created an all-in-one security product based on several open source products. However, don't expect to find a lot of virus scanning products. Open source developers know better than to execute an .exe file on a Windows desktop. In fact, they don't use a Windows desktop.

Hard Parameters

Security

* Proprietary: Security products based on Microsoft's Windows have earned a reputation for weak security. Nothing compels a vendor to announce vulnerabilities in its software, unless a virus epidemic breaks out.

* Open Source: Since things get posted on a mailing list, project development teams can't hide any security vulnerabilities in the software. Developers respond quickly to bugs and to quick fixes; however, there's nothing to stop a contributing developer from becoming hostile and writing damaging code.

The U.S. federal government has given open source security software a boost. Top programmers at the National Security Agency have made public a security-enhanced version of the core Linux OS. The U.S. Dept. of Defense is funding a number of projects aimed at making open source software more secure. Since this research rapidly enters the public domain, it amounts to free research and development for commercial open source security companies.

Features

* Proprietary: These vendors develop features along strict marketing lines based on customers' demands. Failure to do so could result in sales lost to another vendor.

* Open Source: These developers like the challenge of developing highly advanced technical products. As innovators, they concentrate on new tools no one has thought of yet, or improved versions of existing ones. Their products can be loaded with neat features not found in proprietary products.

Acquisition Price

* Proprietary: Products from these vendors tend to be expensive.

* Open Source: These products are usually free. A product from a commercial open source vendor might be less than a comparable product from a proprietary vendor.

Performance

* Proprietary: If you want really good performance, you can expect to pay for it, especially if it's a Windows-based product.

* Open Source: Given the speed of Linux and developers' attention to technical details, you'll get good performance from these products.

Certifications

* Proprietary: These vendors like to have their products certified by recognized security organizations such as the U.S. National Institute of Standards and Technology's Federal Information Processing Standards (FIPS).

* Open Source: Typically, these products don't come with certification credentials from industry-recognized sources. However, since thousands of developers can test a particular product for months, you might consider this activity an unofficial form of certification.

Conclusion

You can simplify your job of selecting security software by sticking to the four basics, considering the six technologies for good perimeter security, and weighing the differences between proprietary products and open source products.

Elizabeth M. Ferrarini is an IT consultant from Boston, Mass. Reach her at iswve@aol.com.
COPYRIGHT 2003 West World Productions, Inc.
Article Details
Title Annotation: Security
Author: Ferrarini, Elizabeth M.
Publication: Computer Technology Review
Date: Aug 1, 2003
Words: 2280