[ISN] Securing The Center

From: InfoSec News (isnat_private)
Date: Thu May 16 2002 - 00:15:28 PDT

    Date: MAY 13, 2002
    Heightened concerns about cyberterrorism and the increasing need to
    open internal networks to outside access are pushing corporations to
    bolster data center security, both on the IT front and physically.  
    The goal is to add multiple layers of protection and redundancy around
    the data center infrastructure and software while still maintaining
    the levels of service demanded by the business.
    On the physical side, companies are boosting their business continuity
    and disaster recovery capabilities by buying and building redundant
    hardware and facilities and geographically separating their IT assets.  
    The technology effort, meanwhile, is focused on supplementing
    traditional firewall protection with newer intrusion monitors, access
    control tools and tougher IT usage policies.
    The need for such protection is being driven by cyberthreats and the
    growing use of the Internet to link companies with partners and
    customers, says David Rymal, director of technology at Providence
    Health Systems in Everett, Wash.
    "There is an increasing pressure to enable wide and unfettered access
    from our business units. We are getting so many requests to open up
    ports in our firewall that pretty soon it is going to look like Swiss
    cheese," Rymal says. "The more of them you have open, the more
    vulnerabilities you create."
    The whole notion of Web services, under which companies link their
    systems with those of external partners and suppliers, is only going
    to increase the need for better security, users say.
    Adding to the pressures is the growing number of remote workers and
    the trend toward wireless applications. This has meant finding better
    ways of identifying and authenticating users and controlling the
    access they have on the network.
    "You have to keep in mind that the minute you open your servers or
    services to the Internet, you are going to have bad people trying to
    get in," says Edward Rabbinovitch, vice president of global networks
    and infrastructure operations at Cervalis Inc., a Stamford,
    Conn.-based Internet hosting service.
    While it's impossible to guarantee 100% security, companies should
    make things as difficult as possible for outsiders or insiders to
    steal or damage IT assets, IT managers say.
    Cervalis' security, for instance, begins at its ingress points—where
    the Internet meets its networks. The company uses strict port control
    and management on all of its Internet-facing routers to ensure that
    open ports don't provide easy access for malicious attackers.
    Redundant, load-balanced firewalls that are sandwiched between two
    layers of content switches filter all traffic coming in from the
    Internet. Network-based intrusion-detection systems are sprinkled
    throughout the Cervalis network.
    Cervalis is beta-testing an anti-denial-of-service attack tool from
    Israeli start-up Riverhead Networks. The tool will let Cervalis
    quickly isolate denial-of-service traffic that's directed against a
    particular Web site or server belonging to a hosted customer, without
    affecting the rest of the network.
    Companies are also building "air gaps" between their outside-facing
    applications and back-end data. Providence, for instance, doesn't
    permit external Internet connections or wireless access to terminate
    on any internal machine. It's far safer to end such connections
    outside the firewall and then tunnel all requests through secure
    services, Rymal says.
    Antivirus and e-mail filtering tools are being supplemented in many
    companies with new measures aimed at reducing the risk of attack via
    "E-mail, to me, is always the weakest link, because you are open to
    just about anything and everything that comes over the [Web]," says
    George Gualda, CIO at Link Staffing Services Inc. in Houston.
    Link prohibits attachments of certain types and sizes on its network.  
    All Internet-based chatting is banned, and users aren't allowed to
    download and install software. Scripting functions are disabled to
    prevent unauthorized scripts from wreaking havoc, says Gualda.
    Link uses a secure virtual private network (VPN) service from
    OpenReach Inc. in Woburn, Mass., to connect its 45 remote sites. The
    OpenReach VPN provides firewall and encryption services, but Link
    placed an extra firewall in front of the VPN anyway.
    Compartmentalizing networks based on the services they run makes it
    easier to isolate and respond to security breaches, says Lee
    Robertson, chief of IT security at Schlumberger Network Solutions in
    Schlumberger used this approach—together with a slew of access
    control, user authentication, strict port management and
    intrusion-monitoring techniques—to secure the internal network at the
    Winter Olympics in Salt Lake City earlier this year.
    "If we saw an attack, we would have been able to rapidly shut off that
    portion of the network which was affected and bring the service back
    up [on a redundant network]," Robertson says.
    Good security also requires good systems configuration management,
    says Tony DeVoto, systems manager at Montvale, N.J.-based Volvo
    Finance North America. Breaches often occur because companies fail to
    securely configure systems, or stick systems with easily crackable
    default configurations out on the Internet. Volvo uses Enterprise
    Configuration Manager from Woodland Park, Colo.-based Configuresoft
    Inc. to monitor configuration variables from each of its Windows NT
    and Windows 2000 servers.

    Physical Security

    Companies are also boosting the physical security around data centers,
    especially after Sept. 11.
    Computer Horizons Corp. (CHC), a Mountain Lakes, N.J.-based company
    that offers human resources management software and managed hosting
    services for clients such as AT&T Corp. and Sabre Inc., has signed up
    to have Equinix Inc. host several of its managed application servers.
    Mountain View, Calif.-based Equinix maintains a series of fortresslike
    data centers called Internet Business Exchanges, where clients connect
    to high-bandwidth lines from a variety of service providers.
    Armed guards patrol each facility. Concrete bulwarks around each of
    the anonymous, warehouselike buildings protect the facilities from
    being rammed by vehicles laden with explosives. The walls of each
    Equinix data center - which are also hardened against earthquakes and
    fire - are lined with Kevlar, a material used in bulletproof jackets.  
    The facilities are also windowless to protect against scanning.
    "It would have been an enormous cost for us to have tried to do all
    this ourselves," says James Dipasupil, CHC's director of
    infrastructure services.
    Running a data center out of such hardened facilities can greatly
    increase the comfort level of people who want to do business with you,
    says Mike Colon, IT manager at Simpata Inc. Folsom, Calif.-based
    Simpata does human resources and salary-related processing services
    for employers.
    Simpata houses all of its data center equipment in a hardened facility
    managed by Intel Corp. Apart from extensive physical security, Intel
    also provides a suite of disaster recovery and backup services, Colon
    Like many other users these days, Simpata encrypts all data that flows
    from its hosted servers and client systems to protect against
    cracking. The servers are also constantly monitored against intruders.  
    The result is far better security and peace of mind, not just for
    Simpata, but for its clients as well, Colon says.
    Augmenting physical and electronic security measures with policies
    that are clearly articulated and enforced is also crucial, Gualda
    Link has a tough IT usage policy that employees must abide by. Failure
    to comply can result in termination, says Gualda, who has fired two
    employees for this reason in the past. To enforce the policy, the
    company uses monitoring and auditing tools to inventory employee
    computer usage.
    Securing operations also means regularly going through a checklist of
    maintenance items, IT managers say. Periodic reviews and external
    audits are also needed to ensure that there is adequate security.
    "There is never going to be a 100% security solution; there is always
    a theoretical way for someone to find their way through," Rabbinovitch
    says. "The task, therefore, is to make it as challenging as possible
    for the hacker."