- by Jack Bryar -
Open Source Business -
We have an Internet security problem. Everyone
agrees about this. However, there's a great deal of disagreement about
what type of security problem we have. Is the Internet too secure from
government snooping? The last few days have generated scare stories about terrorists using the Web to coordinate their
activities. At the same time, many business leaders and ordinary citizens are
worried that their Internet messages are not secure enough. There's lots of new
technology coming on line, especially from the Open Source community,
that is likely to complicate the discussion about where and how to draw the
line between privacy and security.
Following the catastrophe in New York and Washington, there's been a
lot of talk about the Internet and security. A lot of that talk has
focused on suggestions that world governments lack the tools they need to
identify suspicious messages from among the billions of communications exchanged
around the world. A good example of those suggestions was the
recommendation by U.S. Senator
Judd Gregg (Republican-N.H.), to ban any encryption system lacking a backdoor
to enable government snooping. Coming from a state that employs a
larger percentage of its workforce in high technology than anywhere else in
the United States, Senator Gregg's comments were technically naive as well as more
than a little alarming to civil libertarians. According to most security pros I
have talked to, the total volume of messages and the
lack of language skills among U.S. security pros is a far bigger concern than
encrypted emails by bad guys.
Most businesses would probably suggest that the biggest problem with
Internet security is that there isn't enough of it. A recent survey
completed by InfoWorld revealed that the number one factor retarding acceptance
of Web-based services was a lack of security. That perception may have
shifted, along with our perception of many other things during the last
week. One element of security is how well a system survives disaster.
In many cases, Web-based services were up and running well before basic
telephone services were re-patched together in lower Manhattan.
Nevertheless, recent events are going to heighten everyone's
concerns about the integrity of their electronic messaging infrastructure
and its ability to withstand disruption or interference by outsiders,
whether those outsiders come from some script kiddie, or Al-Qa'ida. It is
a valid concern. For a system originally conceived as a means for
communicating during a national crisis, it is surprising how little attention has
been paid to the issue of Web and IT security generally.
One of the biggest vulnerabilities of the 'Net and the enterprise
computing environment has been the development of a technical monoculture. Today
most companies deploy identical hardware and identical operating
environments across the entirety of their enterprise. While that may generate
efficiencies for administrators, it also means that a company's infrastructure can
be taken down just as efficiently. Any virus or hack capable of
taking down one Windows configuration is likely to be able to take down
thousands of others. Diversity in the back end is one of the best guarantees of
safety. This is hard for a lot of IT pros to understand, but its true.
The connection to the Internet is the place where most enterprises
are the most exposed. Today, Web security systems are built around a
combination of public key encryption and use of the Secure Sockets Layer. Present
systems are neither efficient or hack proof. The protocols for managing the
exchange of public keys are particularly awkward. This is beginning to change.
One important open
standard being developed to address public key exchange issues is called XKMS
(The XML Key Management Specification). XKMS describes a process for
exchanging public keys via XML transactions. Combined with another security
standard being developed by the XML standards consortium OASIS, called SAML
(Security Assertion Markup Language), XML is being used to add
intelligence and efficiency (and added security) to the public key system.
Virtual Private Networks are part of any intelligent approach to
security over the web. However, VPNs are easy to screw up, and the Windows 95/98
IP stack unnecessarily complicates the process of setting up and
managing a VPN compared to Unix or Linux. There are a number of good VPN
solutions developed on Open Source platforms. One of the better shrink-wrapped
VPN Server platforms has been developed on a Red Hat Linux platform.
Developed by NetMAX, this package provides
users with a Linux-based, IPSec compliant VPN server, firewall, router and
proxy server. Prices begin at around $500. Trilogy's
AdmitOne Server for Linux is another emerging VPN package coming onto
the market. Do-it-yourselfers can go to sites like Infomax
Consulting Services and learn how to configure Linux VPN elements
IP masquerade to their own systems. For integrators who really want
to get their hands dirty, Net Integration Technologies, formerly
Worldvisions, has LGPLed both a proxy
server and a VPN software program called Tunnel
Although government agencies may hate it, peer-to-peer systems may
be the best security solution of all. Because peer-to-peer eliminates the
need for central servers, this defeats any server-level strategy for
intercepting or auditing messages between trusted systems. Admittedly, the use of
peer-to-peer networking may defeat government oversight of electronic messaging, but
it is worth remembering that not all government oversight is benign.
Technologies that complicate oversight by the FBI also complicate oversight by the
Ministry of State Security.
Today, there are an estimated 300 vendors in the marketplace featuring
P2P based products. The P2P market is still in its infancy. It is
clogged with niche players and closed proprietary standards, but that is
beginning to change. Currently there are two groups promoting Open Source P2P
protocols. The JXTA project is
by Sun Microsystems. Intel
has been sponsoring the Peer-to-Peer
That group has focused its efforts on developing a peer-to-peer
Trusted Library (PtPTL) based on the OpenSSL Toolkit. While both projects are
still in the early stage of development, they promise a future
networking environment that is far more redundant, and secure from disruption or
supervision. Whether you think that is a bad thing or a good thing, it is
inevitable, and security types and public officials will have to understand that
and deal with it.