Information Security News mailing list archives

Securing The Center


From: InfoSec News <isn () c4i org>
Date: Thu, 16 May 2002 02:15:28 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,71121,00.html

Date: MAY 13, 2002
Author: JAIKUMAR VIJAYAN 

Heightened concerns about cyberterrorism and the increasing need to
open internal networks to outside access are pushing corporations to
bolster data center security, both on the IT front and physically.  
The goal is to add multiple layers of protection and redundancy around
the data center infrastructure and software while still maintaining
the levels of service demanded by the business.

On the physical side, companies are boosting their business continuity
and disaster recovery capabilities by buying and building redundant
hardware and facilities and geographically separating their IT assets.  
The technology effort, meanwhile, is focused on supplementing
traditional firewall protection with newer intrusion monitors, access
control tools and tougher IT usage policies.

The need for such protection is being driven by cyberthreats and the
growing use of the Internet to link companies with partners and
customers, says David Rymal, director of technology at Providence
Health Systems in Everett, Wash.

"There is an increasing pressure to enable wide and unfettered access
from our business units. We are getting so many requests to open up
ports in our firewall that pretty soon it is going to look like Swiss
cheese," Rymal says. "The more of them you have open, the more
vulnerabilities you create."

The whole notion of Web services, under which companies link their
systems with those of external partners and suppliers, is only going
to increase the need for better security, users say.

Adding to the pressures is the growing number of remote workers and
the trend toward wireless applications. This has meant finding better
ways of identifying and authenticating users and controlling the
access they have on the network.

"You have to keep in mind that the minute you open your servers or
services to the Internet, you are going to have bad people trying to
get in," says Edward Rabbinovitch, vice president of global networks
and infrastructure operations at Cervalis Inc., a Stamford,
Conn.-based Internet hosting service.

While it's impossible to guarantee 100% security, companies should
make things as difficult as possible for outsiders or insiders to
steal or damage IT assets, IT managers say.

Cervalis' security, for instance, begins at its ingress points—where
the Internet meets its networks. The company uses strict port control
and management on all of its Internet-facing routers to ensure that
open ports don't provide easy access for malicious attackers.

Redundant, load-balanced firewalls that are sandwiched between two
layers of content switches filter all traffic coming in from the
Internet. Network-based intrusion-detection systems are sprinkled
throughout the Cervalis network.

Cervalis is beta-testing an anti-denial-of-service attack tool from
Israeli start-up Riverhead Networks. The tool will let Cervalis
quickly isolate denial-of-service traffic that's directed against a
particular Web site or server belonging to a hosted customer, without
affecting the rest of the network.

Companies are also building "air gaps" between their outside-facing
applications and back-end data. Providence, for instance, doesn't
permit external Internet connections or wireless access to terminate
on any internal machine. It's far safer to end such connections
outside the firewall and then tunnel all requests through secure
services, Rymal says.

Antivirus and e-mail filtering tools are being supplemented in many
companies with new measures aimed at reducing the risk of attack via
e-mail.

"E-mail, to me, is always the weakest link, because you are open to
just about anything and everything that comes over the [Web]," says
George Gualda, CIO at Link Staffing Services Inc. in Houston.

Link prohibits attachments of certain types and sizes on its network.  
All Internet-based chatting is banned, and users aren't allowed to
download and install software. Scripting functions are disabled to
prevent unauthorized scripts from wreaking havoc, says Gualda.

Link uses a secure virtual private network (VPN) service from
OpenReach Inc. in Woburn, Mass., to connect its 45 remote sites. The
OpenReach VPN provides firewall and encryption services, but Link
placed an extra firewall in front of the VPN anyway.

Compartmentalizing networks based on the services they run makes it
easier to isolate and respond to security breaches, says Lee
Robertson, chief of IT security at Schlumberger Network Solutions in
London.

Schlumberger used this approach—together with a slew of access
control, user authentication, strict port management and
intrusion-monitoring techniques—to secure the internal network at the
Winter Olympics in Salt Lake City earlier this year.

"If we saw an attack, we would have been able to rapidly shut off that
portion of the network which was affected and bring the service back
up [on a redundant network]," Robertson says.

Good security also requires good systems configuration management,
says Tony DeVoto, systems manager at Montvale, N.J.-based Volvo
Finance North America. Breaches often occur because companies fail to
securely configure systems, or stick systems with easily crackable
default configurations out on the Internet. Volvo uses Enterprise
Configuration Manager from Woodland Park, Colo.-based Configuresoft
Inc. to monitor configuration variables from each of its Windows NT
and Windows 2000 servers.

Physical Security

Companies are also boosting the physical security around data centers,
especially after Sept. 11.

Computer Horizons Corp. (CHC), a Mountain Lakes, N.J.-based company
that offers human resources management software and managed hosting
services for clients such as AT&T Corp. and Sabre Inc., has signed up
to have Equinix Inc. host several of its managed application servers.

Mountain View, Calif.-based Equinix maintains a series of fortresslike
data centers called Internet Business Exchanges, where clients connect
to high-bandwidth lines from a variety of service providers.

Armed guards patrol each facility. Concrete bulwarks around each of
the anonymous, warehouselike buildings protect the facilities from
being rammed by vehicles laden with explosives. The walls of each
Equinix data center - which are also hardened against earthquakes and
fire - are lined with Kevlar, a material used in bulletproof jackets.  
The facilities are also windowless to protect against scanning.

"It would have been an enormous cost for us to have tried to do all
this ourselves," says James Dipasupil, CHC's director of
infrastructure services.

Running a data center out of such hardened facilities can greatly
increase the comfort level of people who want to do business with you,
says Mike Colon, IT manager at Simpata Inc. Folsom, Calif.-based
Simpata does human resources and salary-related processing services
for employers.

Simpata houses all of its data center equipment in a hardened facility
managed by Intel Corp. Apart from extensive physical security, Intel
also provides a suite of disaster recovery and backup services, Colon
says.

Like many other users these days, Simpata encrypts all data that flows
from its hosted servers and client systems to protect against
cracking. The servers are also constantly monitored against intruders.  
The result is far better security and peace of mind, not just for
Simpata, but for its clients as well, Colon says.

Augmenting physical and electronic security measures with policies
that are clearly articulated and enforced is also crucial, Gualda
says.

Link has a tough IT usage policy that employees must abide by. Failure
to comply can result in termination, says Gualda, who has fired two
employees for this reason in the past. To enforce the policy, the
company uses monitoring and auditing tools to inventory employee
computer usage.

Securing operations also means regularly going through a checklist of
maintenance items, IT managers say. Periodic reviews and external
audits are also needed to ensure that there is adequate security.

"There is never going to be a 100% security solution; there is always
a theoretical way for someone to find their way through," Rabbinovitch
says. "The task, therefore, is to make it as challenging as possible
for the hacker."


