As organizations deploy mission-critical, network-centric information systems,
managing the security of those systems becomes critical. In 1999 alone, financial
losses due to breaches in computer security amounted to over $100 million, for
the third straight year. Since 1999, the number of companies spending over $1
million on information security management has doubled worldwide. In India too,
businesses have become serious about deploying information security.
Information security infrastructure includes firewalls; content inspection,
virus protection and intrusion detection systems; virtual private networks (VPNs);
and so on. Building and managing a security infrastructure can be quite
expensive. For example, the widely acclaimed Checkpoint Firewall-I begins at
about Rs 1.5 lakh for a 25-user license. An intrusion detection system such as
RealSecure from Internet Security Systems costs another Rs 4 to 8 lakh. A
content management system such as Interscan E-Manager is priced at about Rs 3 lakh
for a 300-user license.
The above estimate does not include hardware costs, which cover high-end
servers running Linux or the Windows NT operating system. Moreover, existing
routers may have to be updated with a new operating system that contains the
latest security features. Network switches in the existing LAN may also need to
be upgraded to support a virtual LAN (VLAN) configuration.
In effect, the bill for setting up a sound security infrastructure could run
as high as Rs 25 lakh to Rs 1 crore, depending on the size of the organization's
information technology infrastructure. Apart from the hardware and software,
trained manpower is needed to install, configure and manage the security
infrastructure. This is a big-budget item, and with awareness of security
management still at a nascent stage in India, businesses have to think twice
before embarking on such a project.
Open-source Way
One way to reduce the infrastructure cost is to look at open-source software,
which is available for free or at a nominal price. While open-source
technologies may not provide a comprehensive security solution, they help reduce
the total cost of ownership by providing components that can fit into your
security infrastructure.
Firewall: This is one of the main components of the security infrastructure.
Firewall solutions range from simply installing the latest version of Linux on
the network's public servers and hardening the operating system to reduce
vulnerabilities, up to Check Point's Firewall-I at the high end, which
integrates all security functions. Businesses should choose an appropriate
firewall technology, depending on the security risk the organization faces.
IPChains is a widely used tool for configuring a Linux-based firewall. It
interacts with the OS kernel and tells it which packets to filter, controlling
all outgoing and incoming data packets according to a defined rule set. It is
possible to block traffic from or to a given address space, and to block access
to particular services. IPChains also includes network address translation and
port address translation, which masquerade the true addresses of servers within
a network.
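As an added illustration (not from the article, and not any product's shipped configuration), the following ipchains rule set implements the three things just described: refusing a whole address space, refusing a service, and masquerading the LAN. Interface names, the LAN range and the refused range are assumptions; the script prints the rules unless APPLY=1 is set on a host that actually has ipchains.

```shell
#!/bin/sh
# Added example, not from the article: an ipchains rule set for a Linux 2.2
# firewall. Assumptions: eth0 faces the Internet, eth1 the LAN, and
# 203.0.113.0/24 (a documentation range) stands in for the refused space.
# Rules are printed by default; set APPLY=1 to execute them with ipchains.

EXT_IF=eth0
LAN_IF=eth1
LAN=192.168.1.0/24
BLOCKED_NET=203.0.113.0/24

# Emit one rule, executing it only when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# Build the whole rule set. ipchains walks a chain top to bottom and the
# first match wins, so the specific DENY rules come before the broad ACCEPTs.
firewall_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward   # required for MASQ
    fi
    rule -F                                      # flush old rules
    rule -P input DENY                           # default policy: drop
    rule -P forward DENY
    rule -P output ACCEPT
    rule -A input -i lo -j ACCEPT
    # refuse traffic from and to an entire address space, logging it (-l)
    rule -A input -s "$BLOCKED_NET" -j DENY -l
    rule -A output -d "$BLOCKED_NET" -j DENY -l
    # refuse a service: new telnet connections (SYN only, -y) from outside
    rule -A input -i "$EXT_IF" -p tcp --dport 23 -y -j DENY -l
    # allow replies to connections opened from inside (non-SYN packets)
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # public services offered by the firewall host itself, plus DNS replies
    rule -A input -i "$EXT_IF" -p tcp --dport 80 -y -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp --dport 25 -y -j ACCEPT
    rule -A input -i "$EXT_IF" -p udp --sport 53 -j ACCEPT
    rule -A input -i "$LAN_IF" -s "$LAN" -j ACCEPT
    # masquerade: rewrite the LAN's private addresses to the firewall's own
    rule -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

firewall_rules
```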
Then there is Astaro (www.astaro.com), an integrated firewall solution from
the Germany-based Astaro AG. It provides all the firewall services of IPChains,
plus a hardened operating system and a high-performance packet filter. It also
has application-level proxies, a content filter and virus protection built in.
Each proxy interprets every packet and infers the intentions of the client or
the server; if the action is not permitted by the pre-defined security policy,
the packet can be dropped. The content filter scans, and if required blocks,
the traffic passing through the application-level proxies. Astaro can also do
link-layer filtering, which is rare even in commercial firewalls.
Yet another freeware product is the FireWall Tool Kit (FWTK), available at
www.fwtk.org. FWTK is a tool kit that lets different freeware tools be
integrated, such as Tripwire for file integrity checking, tiger/cops for
auditing, and Kerberos/ssh for secure access. It requires an expert to configure
each component and assumes a good knowledge of Unix security. In terms of
functionality, it is inferior to Astaro, as it does not support features such as
VPN tunneling and content management services.
Table 1 lists the features available in Astaro that are not present in FWTK.
Table 1: Astaro versus FWTK

| Feature                          | Astaro | FWTK      |
|----------------------------------|--------|-----------|
| VPN tunneling                    | Yes    | No        |
| Content management solution      | Yes    | No        |
| Remote                           | Yes    | No        |
| Snort (freeware) IDS integration | Yes    | No        |
| Inbuilt port scan detection      | Yes    | No        |
| Application gateway              | Yes    | Yes       |
| Stateful inspection              | Yes    | No        |
| Web-based administration tools   | Yes    | No        |
| Installation procedure           | Easy   | Difficult |
| Documentation                    | Good   | Average   |
| Inbuilt proxy                    | Yes    | No        |
Intrusion Detection System: The second most important component in a security
infrastructure is the intrusion detection system (IDS). An intrusion is
unauthorized use or misuse of an information resource. An IDS is the security
technology that attempts to identify intrusions against a computer network. It
uses techniques such as pattern matching, expression matching or bytecode
matching to detect intrusions, analysing the raw network data for an attack
signature. An attack signature is a known pattern in a packet that matches a
model of a possible attack. This analysis is done in real time by the IDS's
attack recognition module. Once a possible attack is discovered, the IDS takes
action ranging from sending an alert to the security administrator's console to
initiating a connection kill that closes the intruder's network connection. An
IDS that is integrated with the firewall will reconfigure the firewall so that
the hole used by the intrusion is plugged. IDS logs can be analysed
periodically so that preventive security action can be taken.
A popular freeware IDS is Snort (www.snort.org).
Snort is a lightweight IDS, capable of performing real-time traffic analysis and
packet logging on IP networks. It can perform protocol analysis and content
searching/matching, and can be used to detect a variety of attacks and probes,
such as buffer overflows, CGI attacks, OS fingerprinting attempts and much more.
Snort uses a flexible rules language to describe the traffic it should collect
or pass, together with a detection engine that applies those rules.
Front-end analysis tools such as Guardian, Demarc and ACID can watch Snort's
output and send alerts. If integrated with the firewall, these front-end tools
add rules to the firewall rule base on the fly as Snort detects and reports an
attack.
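The IDS-to-firewall feedback loop described in the IDS paragraph and in the Guardian/Demarc/ACID sentence above, as an added example that is not part of the article and not the code of any of those tools: a shell script that reads Snort's fast-format alert lines, extracts the source address of every alert at or above a priority threshold, and emits an ipchains rule to block it. The alert lines are constructed samples; the alert layout, awk field positions and the threshold default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article or from Guardian/Demarc/ACID: turn
# Snort "-A fast" alert lines into ipchains DENY rules for the attacking
# source address. Snort priority 1 is the most severe, so an alert qualifies
# when its priority is <= the threshold.

# Constructed sample of Snort fast-alert output (not a real capture).
SAMPLE_ALERTS='01/19-14:23:10.123456  [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:4321 -> 192.168.1.10:80
01/19-14:23:11.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.168.1.10
01/19-14:23:12.500000  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.55:1030 -> 192.168.1.10:80
01/19-14:23:13.000000  [**] [1:1000001:1] LOCAL informational [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.9:5555 -> 192.168.1.10:25'

# Print the distinct source addresses of alerts whose priority is <= $1
# (default 2). Reads alert lines on stdin.
attackers() {
    max_prio=${1:-2}
    awk -v max="$max_prio" '
        match($0, /\[Priority: [0-9]+\]/) {
            prio = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (prio > max) next
            # the source is the field right before "->"; strip any :port
            for (i = 1; i <= NF; i++) if ($(i+1) == "->") { src = $i }
            sub(/:[0-9]+$/, "", src)
            if (!(src in seen)) { seen[src] = 1; print src }
        }'
}

# Turn each attacker address into an ipchains rule. Rules are inserted at
# the top of the input chain (-I) so they take effect before any ACCEPT.
block_rules() {
    attackers "$1" | while read -r ip; do
        echo "ipchains -I input -s $ip -j DENY -l"
    done
}

# Stand-alone demo over the constructed sample; in practice feed the live
# alert file (for example tail -f on Snort's alert log) instead.
echo "$SAMPLE_ALERTS" | block_rules 2
```

Piping the output of block_rules to sh would apply the rules; in production the script should also expire blocks and whitelist the SSP's own addresses so a spoofed alert cannot lock out legitimate traffic.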
Why Commercial Software?
If all these security features are available in open-source software, why
bother with expensive commercial software at all?
The main disadvantage of open-source software is possible incompatibility
with certain hardware and software. Although Astaro publishes a list of
supported hardware, you may find that some of your existing network interface
cards and SCSI drivers are not on it. Most of these free products also rely on
security experts for installation and configuration, and the documentation is
too minimal for a non-expert to make much headway.
Compared to free software, commercial software comes with support for a wide
array of hardware and software, and the vendor has experts trained in its
configuration. Moreover, under the GNU General Public License, freeware comes
with no warranty, whereas CheckPoint gives a warranty for its Firewall-I
solution. And if the number of users, requests and packets escalates, you
cannot expect good performance from freeware products. Performance tuning of
freeware products is also more limited than for commercial products.
Weighing Scale
Some are of the opinion that since open-source software does not hide its
source code, it is inherently vulnerable. But the open-source software movement
believes in producing a product that can be tested by millions around the
world: if no one breaks in, that is an assurance that it is stronger than it
otherwise would be. All the freeware mentioned above has discussion lists and
user forums, where the worldwide user community shares its experiences and
problems. Solutions for troubleshooting, or for enabling a feature not mentioned
in the documentation, can be found through these forums almost instantly.
So it is worth looking at free security solutions before taking the plunge into
the commercial software space. Depending on the risk level your organization
faces, you might be able to survive any possible security threats without
spending a rupee.
A freeware-based security solution is ideal for small and medium-scale
organizations. Organizations with a large IT infrastructure may not be able to
put in place a purely freeware-based solution, but may still be able to
integrate some freeware components.
What about Outsourcing?
Be it freeware or commercial software, the different components of the security
infrastructure have to be installed, properly configured and maintained.
Information security management includes defining security policy statements for
the organization, implementing security management systems, assigning
responsibilities for security monitoring and control, and maintaining the
security of systems in view of new vulnerabilities. This is a continuous
process, in which newly discovered vulnerabilities act as a feedback mechanism.
These tasks are technology-intensive and require highly skilled, trained
security specialists. The enterprise must recruit, train and retain employees
with these unique skills to provide upkeep and maintenance of the security
systems. With little expertise available in this area, businesses can outsource
security management services to a new breed of companies known as security
service providers (SSPs).
Table 2: Security Service Providers Offer...

| Service | Description | Deliverables |
|---|---|---|
| Assessment service | Survey of the existing security infrastructure and help in preparing a security policy | Information security policy |
| Advisory service | Up-to-date information about vulnerabilities in the customer's infrastructure | Vulnerability and patch release notifications, virus warnings and recommendations |
| Scanning service | Scanning of networks, systems and databases, and security auditing | Periodic scan reports |
| Penetration testing | Simulation of a real intruder's attacks in a controlled and safe way to discover any vulnerabilities in the system | Periodic penetration test reports |
| Online intrusion detection | Protecting the network by analyzing information from a variety of system and network sources for signs of intrusion, and responding to contain these intrusions | Incident reports, forensic analysis reports, event summary reports, intrusion trend reports |
| Security services implementation | Installation and configuration of firewall, intrusion detection system, content management and virus wall services | Working security services |
| Remote firewall management | Remote support and management of firewalls, managing and maintaining firewall policies, firewall log analysis and auditing, firewall incident reporting | Remote policy management reports and log analysis reports |
Outsourcing service provisioning is not a recent concept. Since the birth of
LANs, many network operating system resellers have tried offering remote network
management services to corporate clients. Major hardware and software companies
such as HCL, IBM, HP and Wipro have been offering infrastructure support in the
form of services. But management service provisioning goes one step further,
providing a complete array of sophisticated services including security
management. Information security management services typically provided by an
SSP include advisory services such as vulnerability testing, security policy
development, security audits, intrusion detection, forensic analysis, security
policy revisions, firewall log monitoring and VPN services.
The security service provisioning industry, however, is still evolving, even
in the US. In India, Bangalore Labs started the practice, followed by Global
Tele Systems, HCL Comnet, Wipro.Net and Satyam Infoway. The value proposition
these SSPs offer is economical, turnkey security management services. The
complete list of security services is given in Table 2.
Among the security management services listed in Table 2, advisory services,
scanning services, penetration testing, online intrusion detection and remote
firewall management can be delivered from an off-site network operations center
(NOC) maintained by the SSP. The firewall at the customer's premises and the one
at the SSP's NOC are configured to provide secure tunneling using the IPSec
protocol. Periodic vulnerability testing, firewall and IDS log analysis for
intrusions, system integrity checks, firewall software updates, virus signature
updates, and configuration of the firewall and IDS can all be done remotely from
the NOC. These services can be offered on a subscription or pay-per-use basis.
Outsourcing security management obviates the need to develop in-house
expertise in a highly sophisticated service area. The parameters organizations
should examine before outsourcing include the technology the SSP uses to
support the service; the availability of key infrastructure, such as Internet
connectivity and NOCs; the comprehensiveness of the services offered; any
partnerships the SSP has with telecommunication companies, ISPs and security
tool vendors (such as Checkpoint and Interscan); and finally the price and value
of the service offerings.
With vulnerabilities to information resources on the increase, businesses can
possibly reduce the total cost of ownership by adopting open-source security
solutions and outsourcing security management to expert agencies.
Dr V Sridhar is associate professor, information technology and systems
group, Indian Institute of Management, Lucknow and Ravikiran Bhandari is
consultant (security), Bangalore Labs.