Security: Are you fully armed?

Security is like an onion: getting to the heart of it makes people cry a lot. But in order to protect your systems, security vendors are now recommending an onion-like multilayered approach. Here's a shortlist of the most common technologies.

Securing your network used to be a simple concept: get antivirus software. Well, that's what the antivirus vendors said, anyway. Then came the realisation that antivirus software was not enough to guard against all threats, although it remained a vital part of any network security plan. So then the concept changed. Get antivirus software and a firewall and you're in tip-top shape. Well, that's what the firewall and antivirus vendors said, anyway. Then came the realisation that firewalls weren't enough to guard against all threats either.

This scenario repeated itself a few times, with intrusion detection systems, vulnerability scanners, penetration testing, SSL and so on, until it dawned on the more progressive IT managers out there that securing a network wasn't about any one product, or even a set of products. There's no checklist, and there never will be; the tools are always changing.

So what's out there for the IT managers of 2004? Here's a shopping list of the range of security technologies currently being recommended by vendors.

Vulnerability scanner
Vulnerability scanners have been in common use for a considerable time. Companies such as eEye Digital Security and Internet Security Systems offer commercial variants, but there are many open source tools available that do a similar job.

The idea is, you set one loose on your LAN or your servers; the scanner probes them for common vulnerabilities and provides a report at the end of its run. It can tell you which systems in your network are vulnerable to which types of attack.

While they are continuously evolving, vulnerability scanners are mostly useful for telling you which patches haven't been run on a machine yet. If you have your patch management under control, they are of limited use.
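The kind of check a scanner runs behind that report is simpler than it looks: collect a service banner from each open port, read the version out of it, and compare it against a table of advisories that say which version fixed what. The following is an added example written for this article, not the code of Nessus or any other tool named here; the hosts, banners and advisories are all constructed, and the advisory notes are hypothetical.

```python
"""Toy version-based vulnerability check, in the style of a network
vulnerability scanner's report. Added example; not a tool named in the
article. All hosts, banners and advisories below are constructed."""
import re
from dataclasses import dataclass

# Constructed inventory: service banners as a scanner would collect them
# after connecting to each port (banner grabbing). No real hosts.
CONSTRUCTED_BANNERS = {
    ("10.0.0.5", 80): "Apache/1.3.26 (Unix)",
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_3.4",
    ("10.0.0.9", 80): "Apache/1.3.31 (Unix)",
    ("10.0.0.12", 25): "220 mail ESMTP Sendmail 8.12.9",
}


@dataclass(frozen=True)
class Advisory:
    """One entry of the signature table: product, first fixed version, note."""
    product: str
    fixed_in: tuple
    note: str


# Constructed, hypothetical advisories. A real scanner ships thousands of
# these as plugins or signatures and updates them constantly.
ADVISORIES = [
    Advisory("Apache", (1, 3, 29), "hypothetical advisory A: upgrade to 1.3.29+"),
    Advisory("OpenSSH", (3, 7), "hypothetical advisory B: upgrade to 3.7+"),
    Advisory("Sendmail", (8, 12, 10), "hypothetical advisory C: upgrade to 8.12.10+"),
]

# Product name followed by a dotted version, e.g. "Apache/1.3.26", "OpenSSH_3.4".
BANNER_RE = re.compile(r"(Apache|OpenSSH|Sendmail)[/_ ](\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version tuple) or None if the banner is unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(part) for part in m.group(2).split("."))


def scan(banners, advisories):
    """Compare each banner's version against the advisory table.

    Returns one finding per (host, port, advisory) where the observed version
    is older than the first fixed version. Tuple comparison gives the usual
    dotted-version ordering, so (1, 3, 26) < (1, 3, 29).
    """
    findings = []
    for (host, port), banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown service: a real scanner would log this for review
        product, version = parsed
        for adv in advisories:
            if adv.product == product and version < adv.fixed_in:
                findings.append({
                    "host": host,
                    "port": port,
                    "product": product,
                    "version": ".".join(map(str, version)),
                    "note": adv.note,
                })
    return findings


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_BANNERS, ADVISORIES):
        print(f"{f['host']}:{f['port']} {f['product']} {f['version']} -> {f['note']}")
```

Run as a script it lists the three constructed hosts whose banners are older than the advisory table says they should be. Two caveats follow directly from how it works. It can only ever report known, version-keyed problems, which is why it amounts to a missing-patch list once patch management is under control; and a banner check cannot see a fix that a distributor has backported into an old version string, so a finding needs confirming against the actual package before anyone is paged.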

Famed white-hat hacker Rain Forest Puppy wrote an early vulnerability scanner, Whisker, although it's no longer maintained. Nessus, from nessus.org, is a popular choice, and there are other niche scanners such as Nikto, which will scan a Web server for vulnerable or undesirable Common Gateway Interface (CGI) scripts.

If you're running custom applications, especially Internet-facing ones built on .NET, J2EE or PHP, then these scanners will not audit your code for design flaws. Simple design flaws have been found in some of the most popular Web sites out there, and exploiting one can be as simple for an attacker as entering a dodgy URL into their browser.
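What such a design flaw looks like, and why no signature-based scanner will report it, is easiest to see on a small example. The code below is added here for illustration and is not from the article or any product it names: a constructed page handler that serves a file named in the URL, once as written and once after a code review has added the check that keeps requests inside the document root. The site layout, URLs and file contents are all constructed.

```python
"""A design flaw a vulnerability scanner will not find, beside its fix.
Added example, not code from the article. The application, URLs and files
are constructed; the flaw (an unchecked file name taken from a URL) is a
common one in hand-written Web applications."""
import os
import tempfile
from urllib.parse import parse_qs, urlparse


def _build_docroot():
    """Constructed site: a document root holding one public file, and a
    sensitive file one directory above it that must never be served."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("public page")
    with open(os.path.join(base, "config.ini"), "w") as f:
        f.write("db_password=constructed-secret")
    return docroot


def _requested_file(url):
    """Pull the 'file' query parameter out of a URL (empty if absent)."""
    return parse_qs(urlparse(url).query).get("file", [""])[0]


def vulnerable_serve(docroot, url):
    """Flawed design: the file name from the URL is joined onto the document
    root and opened as-is, so a name containing '..' walks out of it."""
    path = os.path.join(docroot, _requested_file(url))
    try:
        with open(path) as f:
            return 200, f.read()
    except OSError:
        return 404, ""


def hardened_serve(docroot, url):
    """Fix found by code review: resolve the final path (symlinks and '..'
    included) and refuse anything that does not stay under the root."""
    root = os.path.realpath(docroot)
    path = os.path.realpath(os.path.join(root, _requested_file(url)))
    if os.path.commonpath([root, path]) != root:
        return 403, ""  # request left the document root
    try:
        with open(path) as f:
            return 200, f.read()
    except OSError:
        return 404, ""


DOCROOT = _build_docroot()
GOOD_URL = "http://example.invalid/view?file=index.html"   # constructed
BAD_URL = "http://example.invalid/view?file=../config.ini"  # constructed

if __name__ == "__main__":
    print("vulnerable:", vulnerable_serve(DOCROOT, BAD_URL))
    print("hardened:  ", hardened_serve(DOCROOT, BAD_URL))
```

Nothing in the vulnerable handler is a known product with a version number, so there is no signature for a scanner to match; the server banner and patch level are irrelevant to it. It is found by reading the code, or by a tester who understands the application well enough to try the second URL. The hardened version also shows the shape of the fix: decide the final path first, then compare it against the allowed root, rather than trying to filter bad characters out of the input.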

Penetration testing and code auditing
While penetration testing has fallen out of favour with many organisations -- due to less-than-skilled "pen-testers" scanning for basic vulnerabilities that can be eradicated through proper patch management -- penetration tests are still useful in many situations, particularly for businesses whose Web site is a large component of their business model.

A good penetration tester, a rare breed, can prod and poke at your company's defences to find a way in. If the way in is through a known vulnerability affecting one of your company's machines, then it's of limited use.

But if the way in is through some old machine connected to the network that everyone has forgotten about, or through a design flaw in one of your company's custom applications, then the information could be worth its weight in gold.

The problem with penetration testing is finding a person or company good enough to tackle the work. It's an expert field, and let's face it, any manager skilled enough to know if a penetration tester is doing a good job could probably do it themselves. If you want to hire someone, ask around. Big consultancies charge mega-bucks for these types of services, but there are smaller players and freelance contractors that can do this work.

Chris Wysopal (also known as Weld Pond), the current chief technology officer of US-based security consultancy @Stake, had this advice for Technology & Business readers who want to survive a good penetration test.

"Not many places with data worth protecting have zero in-house-built code. Once you write a line of code you probably just wrote a vulnerability," he says. "[Write] secure code."

"Turn on that [Windows] XP firewall... this is one of the best defence-in-depth techniques I know," he adds.

"For the paranoid, run alternative architectures. Sure you are running Linux or OpenBSD but if you are running them on an Alpha processor there is little chance Johnny's [security exploit] will work."


Contents
Authentication and Single Sign-On
Patch Management
Case study: When security software goes wrong