
Security: The next Web services battleground

The Web services movement is intensifying its focus on security--and additional vendors are now vying for a spot in the network security space. Not surprisingly, Microsoft is positioned smack in the middle of the fray.


As organizations begin to plan next-generation, Internet-connected, Web services-enabled systems, they face the issue of how to manage security. In the past, this meant working with a few companies that owned large segments of the market, including Check Point Software (the dominant firewall and VPN vendor) and Cisco (which is adding security features to its existing lines of routers).

But competition for securing systems is about to heat up, as Microsoft and open source proponents position themselves to take advantage of the increased spending in the network security space.

Where Microsoft fits in
No discussion about the future of security systems would be complete without considering the company whose operating system runs the desktops that roughly 90 percent of us sit down at every day.

You could argue that Microsoft is relatively new to the security game. Until it put all of its software through an exhaustive security review in January 2002 (ordered by Bill Gates himself), corporations were loath to use any Microsoft software that touched the outside world. But Microsoft has shipped security code in its client operating systems for years. For example, every client OS since Windows 98 has included a Point-to-Point Tunneling Protocol (PPTP) client. PPTP lets a remote client set up a tunneled connection to any server that also supports PPTP, including not only Microsoft servers (starting with Windows NT 4.0) but also most third-party communications gateways and firewalls. One caveat: PPTP itself only builds the tunnel; its security rests entirely on the authentication and encryption extensions layered on top (MS-CHAP and MPPE in Microsoft's implementation), and published cryptanalysis of those extensions has found weaknesses. Treat PPTP as a convenience feature, not as a substitute for IPSec.

With Windows 2000, Microsoft began shipping an IPSec stack, which lets two hosts or two gateways authenticate each other and pass encrypted, integrity-protected traffic across an untrusted network. Where PPTP is an informational RFC that vendors happen to implement, IPSec is an IETF standard, and it is implemented in a wide variety of hardware devices and software security systems.

Microsoft is binding some of its core operating system services to these security mechanisms. For example, the upcoming Windows .NET Server can replicate Active Directory and carry Kerberos authentication between sites over Internet links secured by its own built-in IPSec software.

There is still a robust market for third-party VPN and firewall products because, although the Microsoft offerings provide basic implementations, third-party products have more features and are generally easier to configure and manage.

Microsoft has had much less success getting adoption of its security offerings outside of the operating system. Its only offering is the Microsoft Internet Security and Acceleration server (ISA). ISA is a software firewall and caching server designed to secure Internet connections and accelerate the browsing experience. But ISA has seen widespread acceptance in only two markets. Small businesses purchasing Microsoft’s Small Business Server use ISA because SBS includes it as part of the package and offers a configuration wizard to set it up properly. And Microsoft includes ISA as part of its standard Microsoft Systems Architecture (MSA) configurations—prebuilt and scripted installations of Microsoft software and partner hardware (primarily Compaq) that are designed to jumpstart the implementation of corporate and commercial Internet platforms.

Part of the reason is that off-the-shelf routers and gateways use their own processor and firmware, loaded into electrically erasable programmable read-only memory (EEPROM) or flash, to perform most of the tunneling and firewall functions that Microsoft (and other) software performs on a PC. Small companies can get fairly complex firewall support, IPSec and PPTP tunneling, DHCP, and a host of other features from an off-the-shelf router costing less than $200.

Even larger companies generally prefer security software that runs from firmware on a dedicated device. Such a box exposes a far smaller attack surface than a general-purpose OS with its services and file system, and it is much less prone to restarts or hangs. That does not make the firmware immune, though: dedicated devices have vulnerabilities of their own, and the fact that the code sits in rewritable memory is exactly what lets the vendor (and obliges the owner) to patch it.

Of course this fact hasn’t escaped Microsoft either. This fall, Microsoft introduced a high-speed router with an advanced firewall primarily targeted at its MSN customers who want to share bandwidth. It's also available to small business customers. And as its Windows CE and Embedded Windows initiatives continue to move core Windows code out of RAM and into ROM images, it’s only a matter of time before Microsoft introduces more advanced security products with significant portions of the code embedded in EEPROMs on devices.

Interestingly, Microsoft’s work with companies like Flextronics (the company that manufactures the XBox) has given the company some valuable insight into creating and supporting consumer level devices. The XBox Live! release this fall will give them a more fertile playground for learning how to distribute, manage, and secure software and user information between large numbers of users on a public network.

Open source security inroads
Microsoft isn’t the only company eyeing security products as a potential revenue source. Hundreds of companies using Linux have developed edge servers that support features like firewalls, intrusion detection systems, and VPNs.

Proponents of Linux claim it’s an ideal OS for these products because it performs well on low-end processors with limited memory and its in-kernel TCP/IP stack can handle a large number of concurrent network connections efficiently. And companies wanting to test drive open source security offerings have the advantage of being able to download the software and experiment before spending anything.

Opponents of this approach claim that proprietary systems are inherently more secure because hackers can’t look at the software “blueprints” (aka source code) before planning their attacks. That is the security-through-obscurity argument, and it is a weak one: attackers routinely reverse-engineer shipped binaries, so hiding the source mostly keeps defenders, not attackers, from auditing it. And given the widespread acceptance of open source packages like Apache, estimated to run on more than 60 percent of all the Web servers worldwide, Linux proponents can certainly argue that there’s broad institutional acceptance that open source products can support secure platforms.

For instance, one of the most popular intrusion detection systems on the Web today is Snort. Snort runs on Linux and Windows servers and lets administrators write rules that match packet headers (protocol, addresses, ports) and payload contents against known attack signatures, and that specify what to do on a match (alert, log, or pass).
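As an added example, not from the article and not Snort's own code, here is a toy matcher in Python that reads three rules written in Snort's rule syntax and runs them over a handful of packets. The rules, the `$HOME_NET` value and the packets are all constructed for the example (the sids sit in the local 1000000+ range); it supports only the rule header plus the `msg`, `content` (including Snort's `|hex|` notation) and `sid` options, where real Snort has many more options and a much faster matching engine.

```python
"""Toy Snort-style rule matcher (added example; not Snort's own code).

Parses rules written in Snort's rule syntax and evaluates them against packet
records, raising an alert the way a signature IDS would.  Only the rule header
and the msg / content / sid options are understood."""
import ipaddress
import re
from dataclasses import dataclass, field

# Rule variables as they would be set in snort.conf (values constructed for this example).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # every content must appear in the payload

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# key:"quoted value";   or   key:value;
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')

def decode_content(text: str) -> bytes:
    """Snort content strings mix literal text with |hex bytes| segments."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for key, quoted, bare in OPTION_RE.findall(opts):
        value = quoted if quoted else bare.strip()
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append(decode_content(value))
    return rule

def addr_matches(spec: str, ip: str) -> bool:
    """Handles any, a CIDR block, a $VARIABLE and ! negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec: str, port: int) -> bool:
    """Handles any, a single port, a lo:hi range and ! negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = int(spec) == port
    return hit != negate

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """The header narrows which packets a rule applies to; the contents do the signature match."""
    return (rule.proto in ("ip", pkt.proto.lower())
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and all(c in pkt.payload for c in rule.contents))

def run(rules, packets):
    """Return (sid, msg) for every packet that trips an alert rule, in packet order."""
    return [(r.sid, r.msg) for pkt in packets for r in rules
            if r.action == "alert" and rule_matches(r, pkt)]

# Constructed rules in Snort syntax (sids in the local 1000000+ range).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; content:"GET "; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET !80 (msg:"SHELLCODE x86 NOP sled"; content:"|90 90 90 90 90 90 90 90|"; sid:1000002;)',
    'alert udp any any -> $HOME_NET 69 (msg:"TFTP request"; sid:1000003;)',
]]

# Constructed packets: a traversal attempt, a clean request, a NOP sled aimed at IMAP,
# a TFTP request from inside the network, and a traversal aimed at a host outside $HOME_NET.
PACKETS = [
    Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.9", 5555, "192.168.1.20", 143, b"\x90" * 16 + b"\xeb\x1f"),
    Packet("udp", "192.168.1.30", 1234, "192.168.1.40", 69, b"\x00\x01boot.bin\x00octet\x00"),
    Packet("tcp", "203.0.113.5", 40002, "198.51.100.7", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for sid, msg in run(RULES, PACKETS):
        print(f"[1:{sid}] {msg}")
```

Running it produces three alerts: the first packet trips the `/etc/passwd` rule, the third trips the NOP-sled rule (its `!80` destination port excludes ordinary Web traffic), and the fourth trips the header-only TFTP rule. The clean request and the traversal aimed outside `$HOME_NET` produce nothing, which is the point of the header: a signature only fires for the traffic the rule says it protects.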

This is but one example of the open source security products available. And the federal government is helping companies develop additional products by funding security research, including tax-subsidized research programs for small businesses. Among the results are Security-Enhanced Linux (SELinux), a version of Linux developed by the NSA that adds mandatory access controls, and Department of Defense research aimed at making open source software (including Linux) more secure.

Who are the big losers?
Clearly, the security battle is shaping up much like the earlier proprietary vs. open source battles. The Wang word processor vs. the PC and the proprietary PBX vs. the programmable PBX battles also spring to mind immediately.

As you consider purchasing infrastructure to support your future Internet initiatives, it makes sense to review systems based on either de facto standards (like Microsoft) or industry initiatives (like open source) before committing to a single communication vendor’s proprietary systems.
