December 4, 2002

Pogo was a prophet

Author: Peter Galli

Chet Heath, VP and CTO of Omnicluster, says a company's own worst enemy when it comes to security is itself. In this paper, he describes the implementation of server specific security.Pogo
Was A Prophet

"We
have met the enemy and he is us" thus spoke Pogo.

Pogo
was not an ancient Greek, but an opossum like cartoon creature that
spoke political wisdom and satire from more than three decades of
American newspapers. While the specific quote above related to the
antics of a particular Senator who saw communist conspiracies in
every corner of the culture, it has been applied to many other
scenarios.1
The generic message is that while it is convenient to see threats to
security as organized from the outside, they are just as likely to be
internal. This is true for server security in the data center as
well.

Perimeter
security has been the historical hallmark of protection for the data
center. Like the Maginot line and Great Wall of China before it,
perimeter security assumes all threats are external and there are no
creative ways to get behind it. It also assumes that there is no
enemy within. However, in 1997 the FBI found that 80% of all
intrusion in the data center comes from inside. There are countless
recent examples of insidious worms and viruses that prove disruptive
innovation of a criminal nature cannot be predicted, or defended from
a single point. To say it directly: "dependence on perimeter
security alone is obsolete; it is false security!"

Q:
So what does this "enemy within" have to do with Linux?

A:
Linux is within the solution.
Read on to understand why.

Pogo
may have been speaking of the McCarthy Era, but it applies to the
Post-Enron Era as well. Today CEOs and CFOs are required by the SEC
to sign that they and their subordinates have not misused
financial results by insider trading or premature disclosure to
others. And with good reason as the consequences of misuse are now
part of history and the economy. CEOs have seen how their peers, who
crooked the system, consequently destroying the stock value of the
companies they led, left millions out of work and/or destitute. The
once powerful are paraded on the evening news: convicted and
sentenced to lose all their remaining wealth and freedom. These are
hard lessons for hard times!

Certainly,
99+% of corporate leaders are dedicated to honest progress and profit
for their company, their employees and lastly themselves. Still, they
are at risk from an enemy within who may be a computer literate
janitor, summer hire, disgruntled employee or even an opportunistic
trusted associate. Sadly, a covenant of lifetime commitment between
employer and employee typically no longer exists; transient
connection to the enterprise is now the rule. So, if anyone can get
unauthorized access for personal gain, then the entire corporation,
and especially its leaders are exposed. Effective security is the
only key.

The
Burton Group2
defines a "Virtual Enterprise Network" solution for
security. It is really a strategy, where the "Perimeter"
layer of traditional external access management encloses the
"Control" layer C. Layer C imposes identity and access
management services as well as security and policy management
internal to the data center. Layer C then encloses the "Resource",
or R-layer of servers and their data. The layer C is distributed to
individual regions or servers. It is a 3-layered approach for
protecting servers, analogous to 3 layers of clothing to keep out the
cold and keep the warmth in.

Specific
protection is placed at critical points of vulnerability and made
proportionate to the damage that disclosure and intrusion would
create.
3

What
this means is that while the perimeter layer still has a job to do,
individual servers, and groups of servers, require individual
firewall and intrusion detection. The firewall rules will vary with
the defined server function, authorized access list, and the allowed
interaction with other systems in the group. Looking outward, each
individually protected server only sees the holes punched in the
firewall for its required services. It is not exposed to the dozen or
more holes for services of the entire data center that the perimeter
firewall would pass. Then taken to the extreme, every server in the
data center requires protection.

Indeed,
when many servers share a common access point and have no
intra-server protection defined, this is an invitation to a worm like
Nimda or Code Red to spread without check. A concept called a
"FireDoor" illustrates what server specific firewall
protection can provide. Each individual firewall is fitted with
appropriate inbound rules, as well as outbound rules that will
contain an infection to that server alone.

The
rule-set defines that:

  1. The
    server may not initiate a transfer; it can only respond.

  2. It
    may not communicate with other servers within its perimeter
    protection.

Quite
simply, this will stop a worm in its tracks. While an unanticipated
access path may compromise one server, it cannot spread the infection
to its brothers and sisters. The FireDoor can even alert systems
management to block further like intrusions and invoke a recovery
service for the lone infected server. Like the surgical mask on
hospital personnel, it blocks the internal spread of infection.

And it
works! A FireDoor system set up at the recent SANS convention in
Washington DC was not defeated, despite the ardent efforts of an army
of professional hackers. You can only do this if you have server
specific protection down to the individual server box. Potentially,
this means a FireDoor / firewall for every server.

Economically
this is not as bad as it may sound. Smaller individual firewalls
scale down in price as they scale down in capacity requirements.
However, space to put all the new firewall systems in the right place
is a real issue. No one wants to take out a screwdriver and move all
the systems around in racks to a "1 U" firewall adjacent to
each protected server. If adding these systems means spare space in
racks is exceeded, then it is time to plan for expansion, or it is
time to pour concrete for more facilities.

This
can be avoided with minimally disruptive solutions4
like Appliance Blades that place firewalls, IDS, virus screens and
URL filters inside the systems they protect. Appliance Blades are
security elements in PCI card format that install inside existing
servers. With this one can put down the screwdriver and send the
cement truck elsewhere. They aren't required.

Another
real exposure is availability of the individual servers
and the data center collectively. As each server now has a gateway,
the availability of the server is now the combined availability of
both the firewall and the protected system. With a firewall per
server, the number of CPUs in the data center could nearly double and
the number of operating systems likely will double.

Enter
Linux to the rescue.
The renowned stability, simplicity,
resilience to attack and ability to be hardened that Linux provides,
thereby permits the number of OS environments to double without
serious impact to general availability of the data center. As an
aside, a fellow techweenie friend of mine at a major ISP talks often
of Linux systems taken out of service, basically for cleaning, that
have not skipped a beat since installation half a decade ago. In
Internet years, this is the 4th century BC.

The
other half of the equation is hardware stability. A modern Intel
platform with memory has a typical mean time to failure of 125,000
hours, or more. If an Appliance Blade is operated "diskless",
then the common disk system is used primarily for initialization. And
if there is no concept of file swapping to exercise the disk (Linux
again), then it is reasonable to expect the hardware to keep on
ticking for a decade too. Further, if the server's power is backed-up
and redundant, then the security elements are also provided for. Net:
we are at a point in time where server specific security is practical
in terms of implement-able hardware and software technology and Linux
is part of that equation.

There
are other topics beyond the issues facing CEOs and CFOs that
demonstrate the same need for server specific security, but it must
be agreed that security is a growing issue in an unstable world and
that the three letter folks (CEO, CIO, CTO) do often control purse
strings and power in the enterprise. The forces on them are forces on
all of us, and solutions provided to them will get attention.

It
also isn't to say that there aren't other stable industry standard
foundations besides Linux; but with Linux the price is right and
widespread deployment is not a major economic or legal barricade.
Linux, combined with a minimally disruptive hardware platform for
uniform deployment of security protection, means that intruders from
within, as well as those from without, can be easily controlled.

Pogo
would be proud that we learned from his wisdom.

Chet
Heath - VP and CTO

OmniCluster Technologies

Boca Raton, FL 33433

cheath@omnicluster.com

About
the author:

Chet
Heath, Vice President and Chief Technical Officer - OmniCluster

Cofounder
and inventor of OmniCluster's unique technology the Gigabit Modular
Network, Chet Heath has 35 years of experience in technology design
and development at Bell Labs and IBM. He has been involved in the
earliest prototypes for cellular telephone, long-range underwater
sound technology and was instrumental in the design for three
generations of minicomputers and early PCs and PS/2 systems.

As
a senior architect for the IBM PC Company, Chet was the lead
Architect for the PS/2 and Micro Channel Architecture, and
represented IBM in PCI and Infiniband joint industry development.. He
has earned 20+ patents, three of which are enabling to Plug and Play
and X86 Bus Steering and internal CPU controls used by almost all
modern PCs. He has 71 Published Articles and White Papers.

While
at IBM he received Division Quality, Publication, Outstanding
Technical Achievement/Outstanding Innovation Awards and the IBM
Corporate Award for Innovation (IBM's highest award) twice. He was
selected for IBM LSI Institute at University of Vermont and won the
IBM Academy New Products Symposium for new products proposals.

Mr.
Heath is well recognized in the PC industry. Author of Micro Channel
Architecture, published by Simon & Schuster, he was named as one
of the "Ten most significant contributors to Personal Computing
" by PC User Magazine in the United Kingdom.

1A
simple search on Yahoo for the term shows over 200 adoptions from
the first usage. It was first an offhand comment of Pogo, (prior to
Edward R Murrow's direct confrontation from the fourth estate) in
the early 50's that seemed to summarize the McCarthy era. Twenty
years later Walt Kelly, Pogo's alter ego, adopted it again to speak
of pollution on Earth Day. The image of that cartoon
http://www.nauticom.net/www/chuckm/whmte.htm
makes the point that we fail to see when the source of a problem is
close to home, especially when it is ourselves.

2Securing
the Virtual Enterprise Network - Burton Group
http://www.burtongroup.com/techfocus/iamch.asp

3Appliance
Blades www.omnicluster.com

4See
Critcal Point Security www.omnicluster.com

Click Here!