Host-Based Protection Protects Servers

We've been saying it for ages -- perimeter-based security is just not enough. Find out how a proactive, host-based approach will protect your endpoints from multifront assaults.

April 23, 2004


For the past several years, we've called for a shift from perimeter to asset-based security. We began making that case in 2001 ("No Desktop Is an Island") and strengthened it in 2003 ("Secure to the Core").

Perimeter-based security fails because there is no longer a clearly defined perimeter. Wireless networks, remote users, encrypted communications, Web services, corporate spies, disgruntled employees, bribed administrators and socially engineered victims have seen to that.

That's not to say we advocate ripping out firewalls and gateway-content inspectors--layered defense is a fundamental tenet of information security. However, insider attacks can dwarf the damage done by outsiders.

Make the last lines of defense--the endpoints--your strongest. And be proactive. This is where HIP (host intrusion prevention) comes into play. By giving a program or user only limited access to the operating system, HIP products restrict the availability of functions like read, write and execute, as well as protect system resources like ports, files and registry keys.

One downfall of the major operating systems deployed today is that the root or administrator user has too much power. If attackers can exploit a process that runs as the administrator account, or can gain access as a super user, they'll have free rein over the entire system.

The biggest hurdle to making HIP work is in setting policies correctly. Complex enterprise applications, such as relational databases and groupware, require large and complex policies, and subtle changes from one server to the next could require different policy files. Most HIP products will help you develop policies, but you'll still need to do a lot of heavy lifting. Moreover, installing service packs can break existing policies. We're not going to sugarcoat it: After testing HIP software for "Server Shields," we found deployment to be a pain in the neck.

Then there's the cost: The least expensive HIP product we've seen runs around $1,000 per server. And that doesn't include the cost of training, maintenance, log analysis, and developing and deploying policies.

Of course, figuring out the ROI for a security initiative is like computing the return on buying smoke detectors. If your house doesn't catch fire, does that mean you wasted money? A security ROI is not always based on how much you'll save, but on how much you won't lose if something bad happens.

For example, it came to light last month that BJ's Wholesale Club had at least 40,000 credit-card numbers stolen over several months. Other companies in this position have had millions of dollars in fines levied, but there's more to lose than just court settlements. Having your company's name plastered over the news for a week doesn't help you win customers.

At least BJ's came clean once the story of the thefts broke. Some companies have tried to hide security breaches. To combat this practice, California recently enacted a law whereby consumers must be notified if their privacy is compromised. Other states are considering similar legislation, and there's a push to have notification laws enacted at the federal level. Beyond legal compliance, the threat of public embarrassment is always a good motivator to enhance security.

HIP also can save you real money from an operational standpoint. How much did your organization spend cleaning up Blaster and CodeRed attacks? HIP products could have prevented many of the recent automated worms from downing servers. Does the issuance of critical patches force you to drop everything and go into red alert? HIP lets you roll out a patch in an orderly manner so you don't have to rush one out to 100 servers in 20 minutes and risk breaking your systems. (For help on selling a HIP product, see "Make Your Case," at the end of this story.)

Bottom line: There's no technological silver bullet. No matter how many times a vendor claims to have good, great, unbreakable, bulletproof, watertight security, everything can be exploited. Security isn't a product, or a service you can outsource to someone else. It's an ongoing process defined by a policy. HIP products force you to develop a policy for your assets, defining exactly what can run, what it can do and who can do it. HIP may be the best security investment you can make.
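To make the policy idea concrete (the "what can run, what it can do and who can do it" above, and the read/write/execute and port/file/registry-key restrictions described earlier), here is an added illustration of a default-deny, per-program policy evaluator. It is not code from any of the products named in this story; the program name, paths, registry key and ports are constructed sample values, and the `audit` function stands in for the log a real product would produce.

```python
"""
Minimal model of a host-intrusion-prevention (HIP) policy: each program gets
an allow-list per operation, and anything not listed is denied.  Added
illustration, not the code of any HIP product; all names are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

OPERATIONS = ("read", "write", "execute", "registry_write", "listen")


@dataclass
class ProgramPolicy:
    """Least-privilege allow-list for one program (hypothetical schema)."""
    name: str
    read: list = field(default_factory=list)            # file globs it may read
    write: list = field(default_factory=list)           # file globs it may write
    execute: list = field(default_factory=list)         # programs it may launch
    registry_write: list = field(default_factory=list)  # registry keys it may modify
    listen: list = field(default_factory=list)          # TCP ports it may bind


def _match(patterns, target):
    """Case-insensitive glob match; '*' matches across path separators."""
    target = str(target).lower()
    return any(fnmatch(target, str(p).lower()) for p in patterns)


def evaluate(policies, program, operation, target):
    """Decide one access request. Returns (allowed, reason). Default is deny:
    an unknown program, an unknown operation, or an unlisted target all fail."""
    if operation not in OPERATIONS:
        return False, f"unknown operation {operation!r}"
    policy = policies.get(program.lower())
    if policy is None:
        return False, f"{program} has no policy: default deny"
    if _match(getattr(policy, operation), target):
        return True, f"{program} may {operation} {target}"
    return False, f"{program} not permitted to {operation} {target}"


def audit(policies, requests):
    """Evaluate a batch of (program, operation, target) tuples and return the
    denied ones, which is what an administrator would review in the HIP log."""
    denied = []
    for program, operation, target in requests:
        allowed, reason = evaluate(policies, program, operation, target)
        if not allowed:
            denied.append({"program": program, "operation": operation,
                           "target": target, "reason": reason})
    return denied


# Constructed policy for a hypothetical web server process: it may serve its
# content tree, append to its logs and bind the HTTP ports, and nothing else.
SAMPLE_POLICIES = {
    "webserver.exe": ProgramPolicy(
        name="webserver.exe",
        read=[r"C:\inetpub\wwwroot\*", r"C:\inetpub\config\*.xml"],
        write=[r"C:\inetpub\logs\*.log"],
        execute=[],          # a web server has no business launching other programs
        registry_write=[],   # nor changing registry keys
        listen=["80", "443"],
    ),
}

# Constructed requests: three normal ones, then the kind of behaviour a worm
# exploiting the server process would show (drop a file, spawn a shell,
# add a startup key, bind a new port).
SAMPLE_REQUESTS = [
    ("webserver.exe", "read", r"C:\inetpub\wwwroot\index.html"),
    ("webserver.exe", "write", r"C:\inetpub\logs\access.log"),
    ("webserver.exe", "listen", "80"),
    ("webserver.exe", "write", r"C:\Windows\system32\dropped.exe"),
    ("webserver.exe", "execute", r"C:\Windows\system32\cmd.exe"),
    ("webserver.exe", "registry_write",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("unknown.exe", "listen", "4444"),
]

if __name__ == "__main__":
    for d in audit(SAMPLE_POLICIES, SAMPLE_REQUESTS):
        print("DENY", d["program"], d["operation"], d["target"], "-", d["reason"])
```

Run as a script, it prints four DENY lines: the unpatched server can still be hit, but a process confined to this policy cannot write outside its log directory, launch another program, alter the registry or open a new port, so the worm's post-exploitation steps fail even though the vulnerability is unpatched. The flip side is exactly the deployment pain the story describes: every legitimate path, key and port has to be enumerated, and a service pack that moves one of them breaks the policy.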

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs. Write to him at [email protected]

A purely perimeter-centric security stance is a disaster waiting to happen. You figure your firewall will stop most attacks, but even if some get through, you still have your antivirus gateway. If an attack eludes the gateway, your network IDS will pick it up. And the new patches that came out Tuesday will help, too, once you test and deploy them. But all these technologies become useless when a remote user comes into the office, plugs his or her laptop into the network and lets loose a worm. It only takes one.

Although perimeter defenses remain important, a proactive, host-based approach is vital. So in "Server Shields," we laid out a simple goal: Protect vulnerable servers from attack.

We used unpatched Windows 2000 servers and hit them with Blaster, CodeRed and other attacks that kept IT admins up late at night. As expected, we easily got root shells and compromised the servers. However, after we installed host-intrusion prevention products from Cisco Systems, Computer Associates, Platform Logic and Sana Security, it was a whole new ball game. Blaster and CodeRed failed, and our other attacks also were rendered useless.

We've heard huge dollar amounts ascribed to a single break-in. These figures are believable when you factor in downtime, repair and productivity loss. For example, say your corporate e-mail system of 1,000 users is attacked and completely downed at 9 a.m. Assessing the damage, restoring the system and installing defenses takes eight hours. Productivity loss equals:

Number of hours downtime x number of users x time users lost.

Computing how much time is lost is difficult because you'd need to know how many hours a day users spend on e-mail. Conservatively, say an average user spends 10 percent of his or her time on e-mail and is paid $40,000, or $20 per hour. That works out to 8 x 0.10 x 1,000 users, or 800 hours, pegging the cost of downtime at $16,000 per day.

When selling any security system, remember these points: attacks will come in unexpected ways; perimeter defense is not enough; endpoint security, your last line of defense, should be the strongest; and there is no technological silver bullet.
