Who's responsible for building a secure network?
By Tim Landgrave
When I discussed this experience with some of my other corporate contacts, they assured me that this was not the exception, but the norm. In fact, most corporations are looking for ways to create and maintain secure networks without increasing the burden on their already-overtaxed network support and installation teams. A big part of that equation is installing and maintaining secure Windows desktops. Now more than ever, securing Windows desktops is becoming a joint venture among hardware vendors, software developers, and corporations.
For hardware vendors, one of the most important measures of profitability is the time it takes to build a base hard disk installation for the models they sell. Any change to this configuration (especially if it requires more disk space) takes money from the bottom line because it requires additional and costly engineering changes. This is why most hardware vendors ship their machines with the original versions of system and application software. The time it would take to update the image with the latest service packs and software updates would eat into their already slim margins.
The net effect of this phenomenon is that corporations end up either reinstalling software on the machines they receive or adding their own suite of security updates before deploying them. It adds time and effort to an already time-consuming deployment process.
But some hardware vendors have recognized that they may be able to charge more for PCs that have already been “hardened” with the latest security releases. For example, at a recent technical workshop hosted by the Federal Trade Commission, Dell announced that it would begin allowing customers to order PCs with a hardened Windows 2000 configuration. This configuration was recommended by the Center for Internet Security, a nonprofit association of public- and private-sector technology users based in Pennsylvania. Given that most attacks on workstations succeed because the machines are improperly configured or lack the latest updates, this goes a long way toward making the default configuration much more secure.
Moreover, last fall the National Security Agency released a study showing that 95.5 percent of the known vulnerabilities in Windows 2000 Professional edition could be eliminated by using the CIS recommended security settings. By responding to the corporate need for more secure configurations by default, Dell and other hardware vendors hope to use security services like these to generate additional service revenues and minimize the time between machine delivery and deployment for corporations.
The need for more secure default configurations is not lost on Microsoft. This is one of the key goals of the software giant’s Trustworthy Computing initiative. For example, the recently released Windows Server 2003 product comes with more secure default settings and fewer services installed by default. You must specifically install IIS 6.0 and then turn on the application server features to take advantage of them. Future products will have similar security measures. But for current products, Microsoft is relying on a combination of education and automatic updating. Microsoft’s TechNet site includes guides for hardening client operating systems such as Windows 2000 and Windows XP, as well as servers based on Windows 2000. Microsoft.com has a wealth of guidance and tools that allow network administrators to lock down the desktop and other key services such as Internet Information Services 5.0 on servers.
To facilitate automatic updating, Microsoft provides Windows Update for end users and small businesses and the corporate version of Windows Update called Software Update Services (SUS). SUS allows corporate administrators to download and test the patches, service packs, drivers, and other software updates from the Microsoft Windows Update site. When fully tested, the updates can be deployed from internal servers rather than requiring the internal machines to be connected to the Internet to receive the updates from the Windows Update site.
This facility works well for updating the base operating systems—as long as you’ve standardized on Windows 2000 or Windows XP. But it doesn’t include any client-side patches for products, such as Microsoft Office, or for any of the client access code for any of Microsoft’s key servers, such as SQL Server or Exchange. At Microsoft’s recent Tech Ed Show, a senior executive admitted that Microsoft now has 18 tools for updating its applications but is also committed to reducing that to two by the end of the year.
Ultimately, the responsibility for selecting more secure hardware configurations or learning and applying Microsoft guidance and tools still rests on the shoulders of the corporate IT staff. But with the information available, there’s no reason companies can’t create secure networks and maintain them. The bottom line for most corporations is whether the cost to maintain the security is greater than the cost to cure a breach. With Microsoft and its hardware OEMs focused on reducing those security maintenance costs, companies will be able to provide more secure networks for a much lower cost.
No messages found
No messages found
Requirement true but direction dangerous
Security always has been, and should remain, the responsibility of the user organisation yes the hardware and general software manufacturers have a responsibility to see that new products do NOT have known security holes in-built, but it should not be their responsibility to make the security policyor force security issues on clients. Companies that write sepcific security software have a legitimate reason to have their software extra secure etc.
All the large organisations (corporate and govt) that i have worked with in the past have always blown away the installed operating system. Yes they buy machines with an OS so that they have evidence of valid licences for them, but then they replace them with a ghost image built to specific corporate requirements that includes all the security patches, network settings etc that they want. They find it quicker to have one corporate image oaded on all the machines than having to set up the newtork and intranet settings on each. One tech can load up as many machines as he has ghost imaged drives etc for.
I have seen a corporate environment where no effort was made to upgrade the security of the desktop machines because they put a lot of effort into their gateway. Sure anything that made it inside could cause havoc, but getting it in was the difficulty. All machines were set to automatically update virus definitions daily (from a corporate server updated hourly), and to scan any floppy or cd file or downloaded content prior to opening. On top of this the gateway was set up with a proxy server anc cache flow box arrangement whereby all Intranet traffic was opened on a special box in the gateway and checked before be sent on to the user, same occurred with all the mail.
The system automatically deleted any file. mail, or attachment that it could not clear as perfectly harmless. yes some non-dangerous stuff got killed off. People sending stuff were always advised to use a set of specific formats. Anything special or outside the normal process could be brought in through the gateway administrators, they would getting onto a special machine within the DMZ and check it out then send it on if OK.
There corporate policy was that there was no way they could really police their staff and any staff intent on doing damage could do it regardless of the security. Thus they set up the desktops with a reasonable level of security and placed their major effort into policing the perimeter. They have had the gateway shutdown a few times due to being hit with a new virus, but nothing has reached the network since they set this up 4 years ago.
Good corporate policy and planning as part of their business planning strategy. The hadrware and software manufactures had no specific involvement, appart from some specific security based apps and devices for the gateway.
You can have the most secure network and the most secure application and the most secure OS... but without training staff - guess what it is all wasted capital ...
Phone call - "I am with network security we are testing a new application, could you give me your user id and password. I wish to attempt accessing this new service while you are online."
Bingo - hacker has made it into the system...
Who's responsible - everyone - Security isn't a technical solution - it is more - human - technical - training -
Where security belongs is with the business requirements of a company or organizations. Business objectives drive the business requirements, and one of these should be security. It needs to have sufficient definition to be measurable and achievable and a direct link to the business objectives being supported.
This now enables security to become an aspect of the technical objectives. Not the only aspect, not a bolt on, but an integrated business requirement linked to the technical objectives.
The technical objectives drive the technical requirements - physical, logical, and component design. Here the specific requirements of the security business requirements can be addressed in hardware, software, or external design.
An advantage to this approachis that a change in the business requirement such as a new legal security mandate is easily mapped through to the specific hardware, software, protocols, and topology of the IT systems.
There are no posts from your contacts.
Adding contacts is simple. Just mouse over any member's photo or click any member's name then click the "Follow" button. You can easily manage your contacts within your account contacts page.