Vendors set to advance security plans

Mar 08, 2004 · 4 mins

By Ellen Messmer

Network World, 03/08/04

Vendors are pursuing a variety of security initiatives intended to rein in the worst effects of problems such as worm attacks, which sometimes scan at ferocious speeds for vulnerable machines.

Sun recently gave a sneak peek into security features that will go into the next version of Solaris, promising customers a more fault-tolerant system and greater resistance to intrusions when Solaris 10.0 comes out by year-end.

Solaris 10.0 will use a fault-isolation technology called “n1 grid containers” intended to help keep multiple applications running smoothly, says Ravi Iyer, Sun’s group manager for software systems security. Each container will work like a mini-operating system for an application process, so that if the application’s mini-operating system fails, the entire operating system doesn’t go down.

“It’s a form of resource isolation,” Iyer says, noting that IBM and HP have made use of similar approaches.

IBM Director of Security Chris O’Connor says IBM’s mainframe and AIX operating systems have long had “multiple logical partitions, each representing a separate machine.” He notes that this not only helps in maintaining uptime when one partition and its application and operating system fail, but also allows for different security considerations in each partition.

Sun also intends to debut other security strengths in Solaris 10.0, including a cryptography framework that would support a variety of encryption algorithms that could be used with applications for authentication and encryption.

“We want application vendors writing to our cryptography framework,” Iyer says. A few years ago Microsoft introduced a Windows-based cryptography framework called Crypto APIs, which also required vendor support in applications.

Sun also will be adding what it calls “process rights management” to Solaris 10.0, a form of security protection already said to be built into Trusted Solaris, the hardened version of its operating system typically used by the U.S. Department of Defense or financial firms to process sensitive data.

Process rights management works by having a set of profiles in the operating system that limit certain applications' access to the home directory, specific files or a server.

“If a process is compromised, such as a Web server by a buffer overflow, the attacker may have access to the system, but it limits the ability to move around,” Iyer says.

Meanwhile, Cisco’s Network Admission Control (CNAC) program, announced last November, is set to begin its first beta tests this month, says Jeff Platon, Cisco’s director of marketing for the product and technology group for security.

CNAC includes the newly developed Cisco Trust Agent, which is made up of a few hundred lines of code that resides on desktops and servers. With the agent, those devices can cordon off infected machines through interaction with Cisco routers and Access Control Server. The Trust Agent – which eventually will be integrated into Cisco’s Security Agent behavior-blocking software – is designed to interact with anti-virus software from Network Associates, Symantec and Trend Micro to enforce virus-signature updates. The Trust Agent also will check on the need for software patches.

Cisco has faced criticism that CNAC is too proprietary, and in response, the company is promising that the basic design specifications will be offered as a public standard. “All intellectual property [associated with CNAC] will be brought to a standards community, such as IEEE or IETF,” Platon says.

IBM, which this month announced it has joined the CNAC effort, strongly supports making CNAC-developed technologies more widely available. “We try to validate a concept with a trusted set of partners but we support pushing that work out into the open standards community for broader adoption,” IBM’s O’Connor says.

IBM, which intends to integrate the CNAC network quarantine technology into IBM Tivoli products, also is working on a new line of security-compliance software products “that will check the operating system and server health,” O’Connor says.

While IBM is expected to formally unveil this product line this spring, O’Connor’s preview indicates that the IBM compliance line will be able to inspect the operating system or application for a range of vulnerabilities or security-policy checks to indicate remediation requirements or a good bill of health.