Network Computingwww.networkcomputing.com

The first time I encountered this situation was during an off-hour installation of Check Point's FireWall-1 software. We discovered that the licensing center was down for the weekend. Silly us! We'd actually expected an automated licensing procedure to have 24x7 availability. Next came our intrusion-detection outages. For the past five months, we have been ceaselessly pounding on the industry's top intrusion-detection products for an upcoming feature. When someone in Bosnia throws so much as a malformed fin packet at us, we have flashing lights and loud alarms going off 10 ways from Tuesday. Few things get past our IDS array -- except for about-to-expire license keys.

The first IDS to go was ISS RealSecure. The console refused to attach to the intrusion-detection sensor because of an expired key. Misery loves company, and CyberSafe Centrax, Enterasys Dragon and Axent NetProwler soon joined RealSecure. All had expired keys, all refused to monitor our network, and it all happened during off-hours.

Flat-lined intrusion-detection systems are one thing, but here's the most frightening story I've heard to date. It involves a pair of inoperable firewalls at a large corporation. The company was readdressing part of its network and had to obtain new license keys for some new IP ranges. A colleague of mine there is a professional FireWall-1 licenser and has been fully briefed on the advanced courses required to magically obtain FireWall-1 license keys. Having experienced a vast array of FireWall-1 licensing problems previously, she registered for the new keys ahead of time. Unfortunately, during the migration, things didn't go as planned -- FireWall-1 spit the keys back at her during the late-night move. She called Check Point support and tried to explain why the mission-critical firewalls were inoperable. After a long chat with the customer-advocacy folks, she was informed that this wasn't a support issue but a licensing issue. She was told that the licensing people had left for the day, and support was unable to help her. They advised her to call back the next day and ask for the licensing department.

If licensing is an operational issue, vendors had better start to treat it as such. Adding to the insanity is the ironic existence of illegal key cutters, written by members of the underground community. These gems enable vulnerability scanners, IDS, firewalls and an assortment of other products to work without going through proper licensing channels. Of course, no one talks about these taboo tools. The charade is beyond ridiculous -- I've actually seen customers use such tools simply to avoid licensing hassles.

This has led me to a revelation: License keys are now a prime-time single point of failure operating in a part-time support model. The next time you invest in a security product to watch your traffic, protect your perimeter or perform some 24x7 security service, make sure the vendor supplies a high-availability, fully redundant, bulletproof licensing system. Either that, or go find yourself a key cutter. You know, those product enablers created by the guys we're supposedly trying to protect ourselves against.