
Keeping the door open...and shut

A Web server opens up your business to the outside world, so how do you keep out those parts of the world you don't like?

Authentication and Authorisation

Identity management is needed at a system-wide level, not on individual servers, says Alfarafi, or intruders will be able to move from one to another without detection. "None of this is new," he says, explaining that the industry is really just trying to replicate well-known mainframe procedures in distributed environments, where it is harder to achieve.

If parts of an intranet are to be made available on an extranet or via the Internet, authentication and authorisation are required, says Ferguson. But if any part of a site is public, it is unrealistic to rely on authentication, so protection at the application layer becomes essential, he says.

While a protocol and application-aware firewall helps secure the perimeter, there's also a need for internal security measures to protect against the possibility of attacks from within, with specific knowledge of the applications in use.

Strong authentication should be used when people need to modify data on a Web site, says Turner, or when they access important data. The more valuable the data, the greater the need for more granular control and (for some users) stronger controls. For example, some parts of a Web site may be open to the public (so no authentication is needed); others may be restricted to registered press, analysts, or resellers (with access controlled by usernames and passwords); while some material may be for employees' eyes only (with access controlled by some kind of token).

Without assured authentication, you can't be certain a person is who they claim to be, observes Hickin.

Risk and policies
The more visible the organisation, the more chance of a directed attack, says Mania. Smaller companies are more likely to be random targets, but they are less likely to have the in-house resources to adequately protect their servers. Either way, a hosting company has the staff, technologies, and expertise available to do the job, he says.

The Internet is a great productivity tool, but has risks that must be mitigated, says Ferguson. Security is an enabling technology that lets you deploy any kind of network and deploy services such as Web sites and Web Services.

Organisations must weigh the possible consequences of attacks against the cost of securing against them, says Ferguson. He notes that public companies must declare any incident that affects their ability to trade, and asks whether a serious attack on their Web servers would fall into that category.

"Security is no longer the deployment of a piece of technology," it's about corporate policies, he says. Organisations must identify what needs to be protected, then set priorities according to their importance and the budget. Maybe a firewall won't protect the elements considered most critical, so it might not be the most appropriate first step.

The changing value of data over time is an important consideration, according to Turner. For example, if the value decays quickly, you probably don't want to spend too much to protect it, in which case Web access control software can provide appropriate granularity with appropriate passwords.

He also points out the need for the enforceability of security policies from an employment perspective, so staff are in no doubt of their importance.

"Security is no longer the deployment of a piece of technology, it's about corporate policies."
--Scott Ferguson, Regional Director, Check Point

Organisations need an overall security policy, says Ferguson. It should be an extension of existing policies, "applying the same level of business philosophy to the IT infrastructure." In the US, he says, the role of chief security officer is emerging to address all aspects of security (including IT) and reporting to the CEO. In Australia, there are "only a couple" of examples, a bank and an airline: "security is a core competency of those businesses," says Ferguson. "IT is now the biggest capital expenditure" (in the US, around 55 percent of capital expenditure goes to IT), so "it's appropriate to get the right level of management attention," he says.

"Australian companies understand risk quite well," says Campbell. The UK and Europe are the most advanced, he says, with Australia a close second. For example, "government in Australia is mandating compliance with international security standards for government departments." He draws a parallel with the privacy acts, which first required government departments to comply with privacy standards, and around a decade later brought the private sector into the net. "I don't think you'll see a ten-year gap" before companies and other non-government organisations meet similar standards, he suggests.

In some other regions, Dimension Data finds it's hard to get companies to see the value in security auditing, as there is less awareness of the need for holistic security management. Most failures are the result of an organisation's approach to security, not because it failed to install a particular technology.

Outsourcing
If you cannot devote adequate resources to your Web server (or you don't have adequate internal resources), you can contract out instead, suggests Mania. This also provides economies of scale, so redundancy, disaster recovery facilities, and so on may become affordable.

Campbell agrees, saying that even if smaller organisations can afford skilled staff, they are unlikely to be able to retain them.

"Security can be an active role, and must be acknowledged as an important part of connecting to the public network," whether the role is filled in-house or by a hosting provider, Mania says, but in the latter case you need to satisfy yourself that they know what they are doing. Such firms should be able to describe their policies and practices, and why they have been adopted. For example, exchanging information with a customer should never be via unencrypted e-mail, and sound policies should be in place for managing changes to the status or configuration of servers, or for creating user accounts and changing passwords. "Most of the compromises are of a social nature," he warns.

Outsourcing does not mean you avoid responsibility for security. "You must take the promises of bundled security and proactive network forensics from your ISP with a grain of salt," counsels Cusack, "you've really got to watch your own backyard."

Hosting companies may operate many sites on one server without partitioning, warns Gordon, in which case any bad code on one site could compromise other customers' sites.

However, managed security services are justified when you can't justify employing a good administrator. "It complements managed networking from any networking provider," says Cusack.

Some consultants, including large accounting firms, have security practices that can advise on the selection of an outsourcing provider, but it's important to check customer references, Mania advises. Campbell agrees, warning that due diligence is essential when looking for a security provider: you must satisfy yourself that the company will be able to do a good job for you, he says.

"You must take the promises of bundled security and proactive network forensics from your ISP with a grain of salt. You've really got to watch your own backyard."
--Patrick Cusack, CTO, Hothouse Interactive

When picking a security provider, organisations look first for strong brands and experience, and only then does cost come into the equation. Large companies are particularly attracted to firms they regard as having assured longevity.

Gardner says that while full service hosting is "an emerging trend," most large organisations are separating security from the rest of their outsourcing contracts. This is particularly true of banks and government departments, which are aware of the need to partition security and operations.

Audits
Third-party security audits are worthwhile whether you insource or outsource, says Campbell. When security duties are performed in-house, such an audit will keep the board and shareholders happy; when they are outsourced, it will provide a check that the outsourcer is meeting your quality expectations. Gordon agrees, pointing out how easy it is for even an expert to miss a fine detail, even when a system of internal checks is in place. External audits show you made a best effort and were complying with best practice at the time of the audit, even if something does go wrong down the track.

Automated audits should be performed weekly, Campbell says, with two to four manual audits per year.

Products are available to perform automated audits as an alternative to outsourced services. For example, TruSecure's Risk Commander provides actionable insight into security effectiveness through measuring and visualising risk reduction and proving compliance with policies, standards and regulatory requirements, company officials claim.

Similarly, CA's eTrust Vulnerability Manager provides information to identify vulnerable machines, what to do to fix the problem (or work around it), and what priority to give it (which needs to be balanced against the importance of the system). Companies don't have the resources to keep track of all this themselves, and some announcements are not fully validated, but CA checks all versions of software to see which are really affected, says Thomas.

The system is sold as an appliance that is updated online from CA's servers. An inventory service identifies exactly what software is running at the site in order to identify systems affected by new vulnerabilities.

While hosting may be seen as a way of avoiding security headaches, it does not remove the need for a rigorous approach to security, Campbell says, because in most cases there will still be a need for connections to corporate data stores and business logic. Again, due diligence and regular testing are necessary to ensure the hosting provider is doing the right thing, he says.

Alerting services "are really good," says Pregnell, especially when they are tailored to your particular combination of software.

Even a few hours' notice of a threat may give you enough time to update the policy settings in the appliance (or IDS or content filter) to protect your systems until you can install the corresponding patch.

Managed security services, such as those offered by Symantec, offer a range of monitoring and management services including the installation of patches, management of security devices and software, and disaster recovery. Since 20,000 devices around the world feed into Symantec's detection system, the company is able to quickly uncover and identify new exploits by correlating unusual activity with vulnerabilities, Pregnell says. Takeup of such services by Australian organisations has grown in the last 12 to 18 months, he says.

"Vigilance is the only thing that will save you in the long term."
--Andrew Gordon, Managed Services Architect, Trend Micro

His colleague, Gavin Lowth (manager, MSS operations, APAC), says customers range from SMEs to large organisations and state government departments. Attractions include round-the-clock monitoring and response, charges fixed for up to three years, and support for all major security vendors' products.

"Vigilance is the only thing that will save you in the long term," says Gordon.

Recovery
Attacks sometimes succeed despite attempts to secure a Web server, so you need a disaster recovery plan.

As mentioned above, volume-imaging tools are one way of restoring a compromised server. One example is PowerQuest's V2i Protector, which takes scheduled point-in-time images, storing them on server-attached, network-attached or Fibre Channel SAN devices. This allows recovery to a point in time before the attack occurred.

"Our software provides a valuable safety net for situations in which viruses or worms slip past the anti-virus software," says regional director Greg Wyman.

One satisfied user is Brent Issaia, IT manager at Superfine Printing. "Our Web Servers not only perform marketing duties for customers to see who we are and what we do, but they also interact with our internal MIS structure to provide immediate management and sales reports," he explains. "We create incremental backup images during the day on all systems with no impact on the day-to-day use."

According to Issaia, V2i saved the company hours, perhaps days of work after a major failure, and the server was running again within 10 minutes after the repair. "If it only saves you once then it pays for itself," he says.

Executive summary

  • A good architecture helps to maintain security. Isolate different functions on different boxes.
  • Use firewalls to protect your servers from the Internet and from your LAN/WAN.
  • Configure servers with the minimum of services and privileges necessary for their purpose.
  • Keep up to date with patches. Vulnerability notification services can help.
  • It probably doesn't matter which of the major platforms you choose. Good configuration and management are more important.
  • Intrusion prevention systems provide an additional (and final, in the case of host-based IPSes) line of defence.
  • Authentication and authorisation systems will reduce the risk of illicit changes to your server and Web pages, without interfering with the work of authorised users.
  • Beware of damage caused by infected machines being connected to your network. Antivirus software and appropriately configured firewalls will help.
  • Security is about policies and business decisions, not technology. Senior executive involvement is needed.
  • Outsourced security services can be appropriate for many organisations, but take due care in selecting a provider.
  • Have a recovery plan in case your security measures fail.

Web security easy as ABC

The ABC has a very large Web site consisting of around one million static pages, plus plenty of streaming content. It attracts around 15 million visitors per week, and "is the third arm of the ABC's broadcasts," says Tony Silva, manager, information and support services.

"It's a part of our core business," he adds. "We have to ensure our data is protected from any attack." The ABC uses two firewalls, plus another between the servers and its internal network.

The primary Web servers are Apache on Linux; other systems such as forums and guest books run on Microsoft products.

Security concerns were part of the product selection process. For support reasons, "we didn't want to have something that wasn't widely used," explains Silva.

"We have a number of layers in place to protect us," he says, including maintenance contracts with software vendors (such as Microsoft Premium Support) to provide alerts of new vulnerabilities. "We don't apply every patch that comes out, we vet them in terms of our business risk," says Silva. According to the perceived risk, patches are either applied immediately or tested first. Patching usually begins with the gateway systems to help protect the overall network. So far the broadcaster has not had problems with patches, but it runs a test lab to see if there are any concerns before installing.

The Sidewinder firewalls from Secure Computing provide stateful packet filtering and application layer filtering, and are set up to protect systems by providing mail relaying and other services. "We were really looking for an integrated solution, redundancy, and capacity for growth," says Silva. "The Sidewinders gave us that consolidation."

Certain types of attachment are automatically stripped from e-mails, and antivirus updates are automatically applied. "Obviously we have internal security policies," he explains.

If your brand or corporate image is important, get outside help, Silva advises. "We have regular audits of our security." Getting an outside perspective is important, he suggests, "some advice could save you a lot of money...and credibility." When the firewalls were purchased, part of the deal was the provision of an expert from the vendor's US head office to help with installation. However, the ABC is not considering the use of managed security or hosting services.

Part of the problem is that Web site operators face a continuously changing and evolving environment. "You've got to keep monitoring and checking," he says, because there's always someone out there that you need to be protected from.

"Once you've put something in, don't sit back."
