The threat
Today security is a bigger problem than ever before. PCs are everywhere; every organisation
has some form of Internet access, and home users have permanent connections
through broadband, but user education is still relatively limited.
This is partly due to the multitude of attack methods and the frequency of attacks. Users
are required to use and maintain anti-virus programs to protect against viruses transmitted
over networks, via email, via dangerous ActiveX components and through a host of other
transport methods. With the growth in Internet use, a large number of organisations have
adopted Microsoft’s IIS web server; and with large-scale adoption come large-scale attacks.
Increasingly, IIS web servers are being attacked by worms that exploit their security weaknesses.
Worms are programs that spread without any human intervention. Once a worm is
released onto the Internet it will automatically try to find other vulnerable hosts and infect
them.
The most dangerous forms of Internet worm are those that attack web servers. Unlike
the average Internet connection, these systems have network connections with large
amounts of bandwidth. After an infection, a worm can use the bandwidth to spread itself to
other web servers. Equally, the organisation operating the web server may base a large
percentage of its revenue on traffic from its website, and the site outage could cause a
large-scale financial impact – not to mention the impact on customer confidence. All worms
follow the same general scheme outlined below.
Infection
Infection involves the worm sending a malicious request to a web server, trying to exploit a
known security vulnerability. If the web server is vulnerable, the worm infects the machine,
executes its payload and then continues to spread to other machines.
Some web servers, such as Microsoft IIS, run in privileged kernel space because it can
result in large performance improvements. Unfortunately, together with the increased
performance comes a very serious security risk.
A web server that does not run in kernel space, such as Zeus, restricts the impact that an
attacker could have because the web server is generally operating under the control of a
non-privileged user. Therefore, if an attacker is successful in compromising a web server
that runs in user space, the attacker must then try to break into an administrative or other
privileged account before any serious damage can be done.
Any security exploit used against a web server that operates in kernel space (such as
Microsoft IIS) is extremely dangerous. The worm does not need to break any security
barriers to get access to the core of the operating system; the compromised web server
immediately allows it access to the highest user/kernel privilege. The many complex layers
of APIs and extended functionality within IIS create a number of possible weak points to
exploit.
Traditionally, one of the major strengths of the UNIX operating system has been the
integrity of the kernel; however, even organisations in the UNIX market have started to
create kernel-based web servers to try to gain a performance edge over user-space applications.
Install a spreading mechanism
Once a Microsoft IIS server has been infected with a worm, the worm’s code can make use
of software available on the system and, furthermore, even download additional software
from other systems. During this phase the worm installs itself on the machine and starts to
work independently.
Optional: Install or modify other services
Some worms install backdoor services to give hackers access to machines. They are then
able to control the system remotely and use it for future exploits, such as distributed denial
of service attacks. ‘Code Red’, for example, checks if the web server is running with the
English (US) language pack installed and then defaces the website with a banner saying
‘Hacked by the Chinese’. This is a relatively obvious payload and one that is likely to be
detected relatively quickly. A potential payload could be far more sinister and could surreptitiously
transmit important data, such as credit-card details, to a remote machine.
Search for new systems
In order to be able to infect other systems every worm needs some form of reproduction
mechanism. It needs to find new servers to which it can spread by investigating the
addresses of potential targets. Due to the very unbalanced nature of IPv4 address space it
would make very little sense to work through the entire Internet in a step-by-step process.
Worm developers have been creative when it comes to engineering an efficient algorithm to
find as many likely targets as possible. Currently, the most efficient mechanism is to write a
program that is able to behave differently on every infected host; ideally every infected host
would have completely different lists of hosts it tries to attack. Most search algorithms are
based on the infected host’s IP address and network. Code Red focused on attacking servers
on the same subnet, which created large amounts of traffic across backbone networks. In a
number of cases this surge in traffic created denial of service attacks. Another interesting
approach would be to use external resources that gather details of web servers such as
MediaMetrix or Netcraft to find as many web servers as possible – this was suggested by
Nicholas Weaver in a recent paper on Internet worm propagation.
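The subnet-biased scanning described above leaves a recognisable trace on the defender's side: one source contacting many distinct web servers in its own network in a short time. The following is an added example, not code from the original article, showing how such fan-out can be flagged from constructed connection records; the record layout, the /24 assumption, the threshold and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port); not real captures.
SAMPLE_FLOWS = (
    # 10.1.2.50 fans out across its own /24 on port 80 plus a few far-off hosts
    [("10.1.2.50", f"10.1.2.{h}", 80) for h in (3, 7, 12, 19, 33, 41)]
    + [("10.1.2.50", "198.51.100.9", 80), ("10.1.2.50", "203.0.113.4", 80)]
    # ordinary hosts: repeat visits to a couple of local servers, one HTTPS hit
    + [("10.1.2.60", "10.1.2.10", 80), ("10.1.2.60", "10.1.2.10", 80),
       ("10.1.2.60", "10.1.2.11", 80), ("10.1.2.60", "10.1.2.12", 443),
       ("10.1.3.5", "203.0.113.10", 80)]
)


def same_subnet(a, b, prefix=24):
    """True when IPv4 addresses a and b fall in the same /prefix network (assumed /24)."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def fan_out_by_source(flows, port=80, prefix=24):
    """Distinct destinations on `port` per source, split into in-subnet and other."""
    seen = defaultdict(lambda: {"local": set(), "remote": set()})
    for src, dst, dport in flows:
        if dport != port:
            continue
        bucket = "local" if same_subnet(src, dst, prefix) else "remote"
        seen[src][bucket].add(dst)
    return seen


def detect_subnet_scanners(flows, threshold=5, port=80, prefix=24):
    """Flag sources that contacted at least `threshold` distinct hosts on `port`
    and report what share of their targets sat inside their own subnet; a high
    local share is the signature of the subnet-preferring search described above."""
    alerts = {}
    for src, buckets in fan_out_by_source(flows, port, prefix).items():
        local, remote = len(buckets["local"]), len(buckets["remote"])
        total = local + remote
        if total >= threshold:
            alerts[src] = {"targets": total, "local": local,
                           "local_share": round(local / total, 2)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_subnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} distinct port-80 targets, "
              f"{info['local_share']:.0%} in its own /24")
```

On the constructed records only 10.1.2.50 is flagged, with 8 distinct targets of which 6 are in its own /24; the threshold should be tuned against the site's normal traffic before use.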
Optional: Attack other systems
Many worms have built-in attack routines. For example, Code Red tried to perform a
distributed denial of service attack on an IP address belonging to the White House website
(www.whitehouse.gov). The target server was moved to a different location after the worm
was dissected by forensic security analysts, with the result that the attack failed. However,
the worm could easily be rewritten to dynamically gather attack data from a number of
sources that would overcome this limitation. Far more dangerous are worms that install a
distributed denial of service slave that goes instantly to ‘sleep’ and does not affect other
local services on the machine. These slaves can then be activated by remote controllers,
thereby causing large floods of attacks within a few seconds.
Business implications
The web is a vital component of an organisation’s infrastructure. Companies cannot afford
downtime, public defacement or leakage of confidential customer and company information.
The financial implications can be enormous and the impact on customer confidence
can be catastrophic.
The solutions
As with the security for your business premises, an intruder will always look for the easiest
way in; if you can make it sufficiently secure then they will go elsewhere. Internet security is
not a matter of installing one system, but of looking at all the components in your systems
to see if they offer any holes. Installing systems that are secure in the first place obviously
means less work than installing insecure ones and then trying to secure them.
Over the past 24 months there have been so many high-profile attacks on Microsoft IIS
servers that Gartner has advised organisations that take their web infrastructure seriously to
look at migrating away from IIS. More recently, worms have been released to attack Apache
servers running under UNIX.
If your business relies on its website, then you should talk to an organisation like Zeus
Technology who specialise in advising organisations about their Internet infrastructure,
including issues of security. Don’t wait to install the locks until after you’ve been burgled!
Zeus Technology is the world’s expert on hosting automation and web infrastructure
solutions. Zeus provides software that leads the industry in performance, scalability,
reliability and security, combined with support and consultancy services that
provide best-of-breed solutions for business-critical Internet deployments for
leading web-hosting, content providing and e-commerce companies.
Zeus has created a highly scalable and robust line of software products including the
multi-award winning Zeus Web Server, Zeus Load Balancer and Zeus Mass Hosting
Application. Zeus boasts an impressive customer and strategic partner base, which
includes world-class companies such as eBay, HP, IBM, AMD, Sun Microsystems,
SGI, Sprint, Cable & Wireless, Telefonica, Telewest, NEC Biglobe, THUS/Demon
and Qualcomm, which has enabled the company to achieve consistent growth since
its formation in 1995.
For further information contact: Sam Green, Zeus Technology, Tel: +44 (0)1223 525
000; Email: sgreen@zeus.com; Website: http://www.zeus.com
Network vulnerabilities
Network technology is being turned inside out from a security perspective,
writes Peter Crowcombe, EMEA Marketing Manager of NetScreen
Technologies, Inc. Extranets and wireless networks make organisations inherently
more vulnerable to attack.
Basic security tenets have changed very little over the past decade. Protecting the confidentiality
of corporate information, preventing unauthorised access and defending against
malicious or fraudulent attacks from external sources: these continue to be the major
concerns of IT professionals today. To defend against such threats, IT managers have traditionally
deployed security solutions at the periphery of their network.
Now, however, networks are being turned inside out from a security perspective. For
example, more and more organisations are turning to wireless local area networks
(WLANs) to connect to the public Internet; extranets are becoming an increasingly popular
way of linking to and communicating with partners, customers, consultants and suppliers.
Such developments make an enterprise’s network inherently more vulnerable to attack and
more readily breached. The ‘bad guys’ are becoming smarter too, in terms of capitalising on
these vulnerabilities. Worms, trojan horse attacks and viruses that lie dormant and then
launch themselves from within the network are commonplace nowadays. Intrusions from
hackers may sabotage or gain control of network servers, data files and other resources such
as databases.
Additionally, the Internet exposes organisations to security risks such as denial of
service attacks that can cripple e-business applications and jeopardise both revenue streams
and customer goodwill.
Disgruntled and dishonest employees are also becoming more
‘computer savvy’, capable of perpetrating mischievous and illegal acts in order to damage
corporate data on the network. In just one example from many thousands of incidents, a
clerk in a broker’s firm altered computer records, illegally changing the ownership and
price of 1,700 shares.
People working from home – telecommuters – and employees who are connecting to
the network whilst travelling – road warriors – can also open up ‘holes’ in a network’s
boundary that can be easily exploited. Even well-meaning, but careless or ill-informed,
employees surfing the public Internet can compromise the entire organisation’s data
integrity. In short, the periphery of the network is no longer the only place to secure it; the
so-called ‘trusted’ part of the network – that is, the part that lies behind the boundary with
the outside world – has disappeared.
To compound the threat posed by these developments, networks are also operating at
much higher speeds. Of course, increased speed is a great advantage when legitimate data is
traversing the network, but it also means that illegitimate traffic can traverse and attack the
network with equal speed. So the security solution must be smarter and more pervasive
within the network, be able to match the speed of the network infrastructure, and be easily
adapted to the security requirements of emerging technologies.
Better ways to resolve network vulnerabilities
The fundamental key to an effective security solution is a properly deployed network
security device that increases security without jeopardising performance. To meet the many
and varied threats already outlined, multi-functionality within a single platform can ease
network design and maximise effectiveness. Solid inter-operability with other security
products, such as user authentication and anti-virus applications, will also prove invaluable.
Software security solutions – those that perform firewall and Virtual Private Network
(VPN) functions via a processor on a dedicated, but standard PC, or dedicated processor
hardware platform – have been the traditional ‘legacy’ solution. However, in this new
generation of varied and increasing security threats, they are widely regarded as too slow.
This causes two problems: first, they cannot keep pace should an attack on the network
occur; and second, they have to slow down legitimate data in order to check it, causing a
bottleneck or chokepoint. This largely negates any investment made in a high-speed
network infrastructure and creates a great deal of frustration on the part of users.
A security solution running on a PC either has to rely upon the third-party operating
system, or have the operating system ‘hardened’. The former makes the whole solution
extremely vulnerable, as the workings of most standard PC operating systems are very well
known to the hacker community worldwide and are, therefore, easy to breach. The latter
approach makes it more difficult to breach a system, but it only slightly increases protection
and also creates extra work and expense each time a new security device is brought online
into the network.
Another problem with the software approach to security is that the
software and the processor together mean two points of potential failure – or twice the risk
of something going wrong and leaving the network unprotected. From a management point
of view, the software approach to security can be complex – individual users of the software
that has been brought online have to be licensed and this must be renewed annually. Of
course, this means renewals are staggered randomly throughout the year, creating a
complex and laborious task in maintaining them all.
A new generation of security devices based upon Application-Specific Integrated
Circuit (ASIC) technology – in other words, microchips that are programmed to perform
security functions such as firewalling and VPN encryption – has emerged to address the
vulnerabilities present in the legacy approach. ASICs can be built into dedicated security
platforms with multiple functions. ASIC-based solutions can operate at high speeds, easily
keeping pace with the surrounding infrastructure and performing various security-related
tasks simultaneously. As they function from within a dedicated, ‘closed’ platform,
ASIC-based solutions have a proprietary, or tailor-made operating system that is not common
knowledge in the outside world and therefore less vulnerable than prior designs on standard
PC/server platforms. Another advantage of the hardware approach is that the correct
hardware device is deployed to fit the capacity of users from the outset, so individual
licences are not required.
Protecting the ‘trusted’ network
Once a network security solution that addresses the fundamentals of performance and reliability
is identified, it then has to be evaluated for its ability to provide pervasive internal
protection. In essence, identifying a security solution that provides the ability to segment a
network and establish security zones is critical to protecting against emerging internal
threats.
Establishing security zones enables protection of distinct network segments (eg those
servers handling marketing, sales, finance and human resources). For instance, an
employee in the marketing department who is curious about other people’s salaries will not
be able to access human resources data; they will be denied access from within the network,
just as a snooper would be externally. Segmenting the network into distinct security zones
also limits the potential damage by an external hacker who has been successful in breaching
the boundary of the network. If network servers are kept separate from one another (from a
security perspective), any illegal incursion can be contained within just one zone. Similarly,
VPN tunnels can be directed into a specific security zone, so that any network links with
external parties can be terminated and secured in the appropriate zone, avoiding unnecessary
risk for other zones’ data and servers.
A ‘virtual’ approach to establishing security zones is required to efficiently enable
segmentation. Selecting security devices with virtual system capabilities can reduce the
overall number of devices in a network and thereby streamline security management,
reducing the total cost of ownership. With certain virtual system-enabled devices, different
policies can be applied to different zones, depending on each department’s need for access
to sensitive information, the type and number of employees, etc.
So, in conclusion, although basic network issues have remained largely the same, new
business practices and emerging technologies are making protection against these threats
more challenging than ever before.
Changing levels of trust, constantly evolving external
threats, and computer-literate employees with potential grudges, are collectively putting the
enterprise on edge. The careful selection, deployment and management of best-in-breed
network security technology that helps reduce costs without sacrificing performance can
provide a realistic and effective answer to the challenge.