The big buzz in security these days is the need for end-to-end security – not just security at the firewall, the network or the server.
But there are still times when the server is a critical point of vulnerability that deserves its own protection. Examples include, most obviously, Web servers because they are exposed to the public, application servers because they could give intruders a pathway into other sensitive corporate systems and database servers because they hold customer records and/or critical financial information.
This roundup focuses on recent security enhancements to server operating systems, a product category that has been around since the '80s, and on appliances that use a hardened operating system or its equivalent to protect a server. Many vendors sell appliances that protect applications by filtering Web or network traffic – I'll cover those in a future roundup.
I'll start with two of the biggest operating system vendors, whose most recent offerings enforce common sense by turning off unused services unless they are needed.
Microsoft Corp.'s recently released Windows Server 2003, for example, ships with more than 20 services either turned off completely or running with reduced privileges. Among other security improvements, it does not automatically install the Internet Information Services (IIS) 6.0 Web server. When IIS is installed, its default setting is to accept only requests for static files unless it is specifically configured to serve dynamic content. Microsoft offers an overview of Windows Server 2003 security features.
Sun Microsystems Inc. is taking a similar approach, polling users to determine which services in its Solaris OS "are not widely used," says Ravi Iyer, group marketing manager of Solaris marketing at Sun Microsystems Inc. "We will turn that service off by default," he says. Sun also offers the Solaris Security Toolkit to help administrators create and deploy secure Solaris implementations.
Sun also recently announced two new versions of its Trusted Solaris operating system for the SPARC and x86 platforms, with prices starting at $999 for the standard edition. For $2,495, customers get the Trusted Solaris Certified Edition that has been certified under the government-run Common Criteria Certification process. Both versions include integrated firewalls, as well as role-based access control that allows administrators to more closely define which actions specific users may take.
Other hardened operating systems are available from vendors such as Argus Systems Group Inc. with its PitBull line and from the open-source community through The Trusted BSD project. The National Security Agency also offers a trusted version of Linux.
For those who want even more protection, vendors such as Cyber-Ark Software Ltd. offer dedicated security appliances that take unusual approaches to protecting servers. Cyber-Ark's patented "vaulting" technology abstracts the multiple protocols that can be used to access data (such as Windows-based file systems, SNMP or remote procedure calls) into its own proprietary protocol. It then defends that single protocol with 10 layers of security that include a firewall, a virtual private network and encryption of the data on the server should someone get in over the proprietary protocol.
The Cyber-Ark vault runs on a dedicated server running either Windows 2000 or Solaris, "throwing 90% of [the OS] away and using only the file and disk access functions," says senior director of marketing Richard April. Pricing for the Network Vault, designed to protect sensitive departmental data such as payroll records or planned layoffs, ranges from $25,000-$30,000. The Inter-Business Vault, designed to protect enterprise-level data or information shared among business partners such as plans for possible mergers, ranges from $50,000-$75,000.
One limitation: Cyber-Ark does not protect the database or application server itself, but only static or flat-file data that has been generated by an application or database and transferred to the vault. Cyber-Ark is considering creating a vault that would allow for real-time access to databases, he says, but has not decided whether or when to do so.
Another unusual approach comes from Bodacion Technologies in Barrington, Ill. Where Cyber-Ark throws away 90% of Windows or Solaris, Bodacion's $48,000 Hydra Internet server uses no part of any commercial operating system, instead using a hardened embedded kernel that performs constant internal checks for viruses, buffer overruns and other types of attacks. Its most unique feature, though, is its use of "biomorphic mathematics" to authenticate users, identify sessions or create digital signatures.
According to Bodacion, biomorphic mathematics consists of algorithms typically used to model complex biological growth patterns. HYDRA uses those algorithms to produce seemingly random numbers called "bodacions" that are virtually impossible to guess. Hydra ships as an appliance that runs without a keyboard, mouse or display and can be used in place of a firewall between the Internet and a company's application and database servers. The company currently has about eight customers, a spokesman said, most of them in the military.
And, of course, don't forget the cheapest, most effective security there is: Make you're your servers are updated with the latest security patches, and turn off any services or ports that aren't being used. That at least will give you some protection until the bodacions arrive to help you.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.