Shoring up security
New security techniques include honeypots, decoys, air gaps, exit controls, self-healing tools and denial-of-service defenses.
The running battle between hackers and network security professionals has moved beyond the perimeter firewall to hand-to-hand combat at individual Web and corporate servers.
And new security weapons have emerged that use ingenious methods to protect Web sites and corporate networks from external and internal security threats. Here are some of the latest tools at your disposal.
No exit
Turning the security paradigm on its head, Gilian's G-Server doesn't care how the hacker got in or what changes they may have made to your Web site. Gilian's Exit Control technology prevents the world from seeing the consequences of a security breach.
Gilian's G-Server sits between the Web server and the router or firewall that connects the Web server to the Internet, inspecting every piece of content that goes out. The Exit Control G-Server contains a collection of digital signatures made from authorized Web content during the publication process.
Each time the site's content producers publish a new or revised object, the G-Server saves a digital backup of the object along with a digital signature.
Signatures that don't match send up a red flag which triggers the G-Server to immediately replace a bogus page with a secure archived copy of the original, while simultaneously alerting appropriate personnel.
Tripwire, Inc.'s Tripwire for Servers is a similar data and network integrity product. However, Tripwire for Servers takes a different approach - its software is loaded onto the server that you want to protect. It monitors all file changes, whether they originate from inside or outside the company, and reports back if a change violates predetermined policies.
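The exit-control idea described above, as an added illustration that is not Gilian's or Tripwire's code: signatures are recorded when content is published through the authorized process, every outgoing object is checked against them, and a mismatch is replaced by the archived original and logged. The class, the key and the sample pages are constructed for the example; the signatures are HMACs so that an intruder who can rewrite files on the Web server cannot also forge a matching signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical gateway key: it lives only on the exit-control device, never on
# the Web server, so tampered content cannot be re-signed by the attacker.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass
class PublishedObject:
    signature: bytes  # HMAC-SHA256 over the authorized content
    archive: bytes    # trusted backup used to replace a bogus page


def sign(content: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, content, hashlib.sha256).digest()


class ExitControl:
    """Records signatures at publication time, then vets every outgoing object."""

    def __init__(self) -> None:
        self.registry: dict[str, PublishedObject] = {}
        self.alerts: list[str] = []  # stands in for alerting personnel

    def publish(self, path: str, content: bytes) -> None:
        # Called by the content producers' publication process, not by the
        # Web server: this is the only way a signature enters the registry.
        self.registry[path] = PublishedObject(sign(content), content)

    def release(self, path: str, outgoing: bytes) -> bytes:
        """Return the bytes allowed to leave the network for `path`."""
        obj = self.registry.get(path)
        if obj is None:
            # Nothing was ever published at this path: no signature, so the
            # object is treated as bogus and nothing is released.
            self.alerts.append(f"unpublished object requested: {path}")
            return b""
        if hmac.compare_digest(sign(outgoing), obj.signature):
            return outgoing
        # Signature mismatch: serve the archived original and raise the flag.
        self.alerts.append(f"tampered content blocked: {path}")
        return obj.archive
```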
Honeypots or decoys
Honeypots are designed to lure and contain an intruder on the network. According to Fred Kost, vice president of marketing at Recourse Technologies, of Palo Alto, honeypots are decoy devices that can divert attacks from production systems and let security administrators study or understand what's happening on the network. Recourse and PGP Security, a Network Associates company, have commercially available products.
ManTrap, from Recourse, is an industrial-strength honeypot that's deployed next to data servers, if it's being used to deflect internal attacks, and located off the firewall in the demilitarized zone (DMZ) if it's being used against external threats. According to Kost, the majority of users deploy it internally to get suspicious activity under control.
In that scenario, a ManTrap server would be set up to look like a file server that stores intellectual property or business plans. According to Kost, a successful deployment of ManTrap depends on a variety of factors including quality, naming scheme, placement and security policy. For example, deceptive defenses are most effective when deployed in quantities equal to or greater than that of the production system. Honeypots can get expensive which is why companies must pick and choose the critical servers they want to protect.
What attracts an attacker to ManTrap is configuring it to make it look more vulnerable than other servers. Once the hacker is on the decoy server, security managers can log the hacker's activity and gain insight into what the intruder is trying to accomplish.
Fall into the gap
Air gap technology provides a physical gap between trusted and untrusted networks, creating an isolated path for moving files between an external server and a company's internal network and systems. Vendors include RVT Technologies, Spearhead Technology and Whale Communications.
Whale's e-Gap Web Shuttle is a nonprogrammable device that switches a memory bank between two computer hosts. The e-Gap Web Shuttle creates an air gap between the Internet and a company's back-office systems. Companies might use e-Gap Web Shuttle between an external service running e-commerce applications, such as online banking, and internal databases that might be queried by external users.
According to Joseph Steinberg, director of technical services at Whale, the e-Gap system consists of the e-Gap appliance that is attached to two PC hosts, one internal and one external. The internal host connects to the company's internal network and the external host sits in the DMZ in front of the firewall.
All URLs to Web pages are directed to a mock location on the external host. Pages do not actually reside on this host. The external host strips off the protocol headers, extracts only the content of the Secure Sockets Layer (SSL) traffic and passes it to the e-Gap Web Shuttle. The e-Gap Web Shuttle transports the encrypted data to the internal host using a toggling e-disk. The e-Gap internal host decrypts SSL traffic, authenticates the user and filters the URL content. It then passes the URL request to the company's production Web server that resides on the back-office network.
The fix is in
Security and vulnerability assessment tools, designed to be used in-house, can detect weaknesses in an organization's systems before problems occur and can fix those problems.
Retina 3.0, from eEye, scans, monitors, alerts and automatically fixes network security vulnerabilities. The product works on Windows NT 4.0 SP3 or higher and Windows 2000.
According to Mark Maiffret, chief hacking officer at eEye, the software is installed on any machine within the network. The network administrator types in a range of IP addresses to scan and pushes a button. The product scans the network for vulnerabilities, software flaws and policy problems and reports any vulnerabilities.
The product's "fix it" feature provides the network administrator with a description of each vulnerability found, information on how to fix it, and access to a "fix it" button that can repair the vulnerability locally or remotely.
Demolishing DoS attacks
Perhaps one of the newest categories of security is products that target denial-of-service (DoS) attacks and more. By definition, DoS attacks make computer systems inaccessible by exploiting software bugs or overloading servers or networks so that legitimate users can no longer access those resources. The product category is so new that some products are still in beta test or on the cusp of entering the marketplace.
Going after one of the most malicious types of computer vandalism, the DoS attack, are Arbor Networks, of Waltham, Mass.; Mazu Networks, of Cambridge, Mass.; and Asta Networks in Seattle.
According to Phil London, CEO at Mazu, the company's solution to distributed DoS attacks works via intelligent traffic analysis and filtering across the network. A monitoring device, such as a packet sniffer or packet analyzer, evaluates packets on the network at speeds up to 1G bit/sec and then determines which traffic needs to be filtered out.
The good, the bad and the ugly
The good news about all of these new security techniques is that they theoretically offer companies additional layers of security protection, providing better overall security. What this ultimately means to businesses is that additional security mechanisms can succeed where others have failed. Another plus about some of the new products is that they're optimized for a particular application, such as integrity of the Web servers.
However, as with any technology, there are pros and cons to consider. In fact, there are some downsides to implementing these new security products, says Robert Lonadier, director of security strategies at Hurwitz Group. For example:
- They're all incremental solutions, not replacements.
- They require a certain amount of expertise.
- Many vendors are start-ups and there's a risk as to how long they'll be around.
- There's a concern, in many IT shops, about adding preventive controls because of associated overhead - a concern that can be easily remedied by investing in additional horsepower.
- What's too much? When does a company run the risk of introducing security vulnerability because of having too many products to manage?
The bottom line is that security is never a done deal. It's a continuing process that a new crop of innovative vendors is making more interesting.
Haber is a freelance writer. She can be reached at email@example.com.