Host-Based Protection Protects Servers update from April 2004

Who says Americans aren't as soccer-adept as the rest of the world? We think the best matches take place not in the stadiums of Italy or Peru, but on fields in Everytown, U.S.A. In one recent barn burner, a kid charged straight toward the goal, and the goaltender lined up to deflect a direct kick. In a surprise attack, the player kicked the ball right, bouncing it off the forehead of his teammate and into the goal. The crowd went wild.

Corporate security administrators should take note. Mistake No. 1 is thinking that attacks will come from a single, defined and visible location: the Internet. In truth, strikes come from every angle, and attackers aren't going to storm the front gate without first trying all the windows. Case in point: When the MS SQL Slammer worm broke out, administrators thought they were safe if they'd blocked traffic to UDP Port 1434 on the firewall. Wrong. Remote laptop users picked up the worm and brought it into many organizations.

That brings us to the second point. Defense becomes exponentially more difficult when you're guarding multiple fronts. Most large enterprises have numerous firewalls, VPNs, remote-user authentication devices, IDS sensors, antivirus gateways and desktop software packages, and traffic shapers, making even something as seemingly simple as blocking a port or an IP address vastly complex. An attacker needs to find only one hole, and he or she is in.

For the past several years, we've called for a shift from perimeter to asset-based security. We began making that case in 2001 ("No Desktop Is an Island,") and strengthened it in 2003 ("Secure to the Core,").

Perimeter-based security fails because there is no longer a clearly defined perimeter. Wireless networks, remote users, encrypted communications, Web services, corporate spies, disgruntled employees, bribed administrators and socially engineered victims have seen to that.That's not to say we advocate ripping out firewalls and gateway-content inspectors--layered defense is a fundamental tenet of information security. However, insider attacks can dwarf the damage done by outsiders.

Make the last lines of defense--the endpoints--your strongest. And be proactive. This is where HIP (host intrusion prevention) comes into play. By giving a program or user only limited access to the operating system, HIP products restrict the availability of functions like read, write and execute, as well as protect system resources like ports, files and registry keys.

One downfall of the major operating systems deployed today is that the root or administrator user has too much power. If attackers can exploit a process that runs as the administrator account, or can gain access as a super user, they'll have free rein over the entire system.

The biggest hurdle to making HIP work is in setting policies correctly. Complex enterprise applications, such as relational databases and groupware, require large and complex policies, and subtle changes from one server to the next could require different policy files. Most HIP products will help you develop policies, but you'll still need to do a lot of heavy lifting. Moreover, installing service packs can break existing policies. We're not going to sugarcoat it: After testing HIP software for "Server Shields,", we found deployment to be a pain in the neck.

Then there's the cost: The least expensive HIP product we've seen runs around $1,000 per server. And that doesn't include the cost of training, maintenance, log analysis, and developing and deploying policies.Of course, figuring out the ROI for a security initiative is like computing the return on buying smoke detectors. If your house doesn't catch fire, does that mean you wasted money? A security ROI is not always based on how much you'll save, but on how much you won't lose if something bad happens.For example, it came to light last month that BJ's Wholesale Club had at least 40,000 credit-card numbers stolen over several months. Other companies in this position have had millions of dollars in fines levied, but there's more to lose than just court settlements. Having your company's name plastered over the news for a week doesn't help you win customers.

At least BJ's came clean once the story of the thefts broke. Some companies have tried to hide security breaches. To combat this practice, California recently enacted a law whereby consumers must be notified if their privacy is compromised. Other states are considering similar legislation, and there's a push to have notification laws enacted at the federal level. Beyond legal compliance, the threat of public embarrassment is always a good motivator to enhance security.

HIP also can save you real money from an operational standpoint. How much did your organization spend cleaning up Blaster and CodeRed attacks? HIP products could have prevented many of the recent automated worms from downing servers. Does the issuance of critical patches force you to drop everything and go into red alert? HIP lets you roll out a patch in an orderly manner so you don't have to rush one out to 100 servers in 20 minutes and risk breaking your systems. (For help on selling a HIP product, see "Make Your Case," at the end of this story.)

Bottom line: There's no technological silver bullet. No matter how many times a vendor claims to have good, great, unbreakable, bulletproof, watertight security, everything can be exploited. Security isn't a product, or a service you can outsource to someone else. It's an ongoing process defined by a policy. HIP products force you to develop a policy for your assets, defining exactly what can run, what it can do and who can do it. HIP may be the best security investment you can make.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs. Write to him at [email protected] 0