On the road to prevention

Networking and security vendors steer toward granular control

Even though it happened late in the year, 2004 will probably be remembered as the year that Microsoft’s Internet Explorer slipped. Mozilla’s Firefox browser finally reached release status in early November, and by early December had made a noticeable dent in IE’s market share. The main driver for Firefox’s success is not necessarily its innovative features, but rather the lack of easily exploitable security holes. It seems that the serious flaws in Microsoft’s browser finally led many users to decide it’s time for a change. 

In addition to more critical security issues in IE last year, Microsoft also brought us Windows XP SP2 (Service Pack 2). Hailed from Redmond as a security blanket for XP, it was soon clear it was also an application killer, rendering hundreds of applications unusable following installation. Microsoft subsequently removed SP2 from its automatic update service, but continues to remind users to install SP2 whenever they visit the Windows Update site. All this trouble and fuss for a service pack that many admins believe merely treated some symptoms but didn’t address the real problems.

On the Linux front, the release of the v2.6 kernel brought some significant changes in core-level security. The official inclusion of the SELinux (Security Enhanced Linux) code base into the v2.6 kernel introduced much-needed granularity to controlling privilege elevation on Linux systems.

A few layers below these events, Cisco and Microsoft were not-so-quietly planning a joint effort to combat viruses, worms, and intruders, announcing that they were working to bring toge-ther Cisco’s NAC (Network Admission Control) and Microsoft’s NAP (Network Access Protection) technologies to provide for simplified system patching, policy adherence, and problem resolution before potentially destructive systems are permitted normal network access. Although nothing is likely to be released for at least a year, it’s a step in the right direction -- if you’re a Microsoft and Cisco shop.

Across all the layers, a shift was definitely felt in the intrusion detection space. In 2004, IPS products found their footing, and IDS vendors saw the writing on the wall, and began incorporating inline blocking capabilities into their products. It’s always been nice to know when abnormal events have occurred on your network, but the capability to prevent them from doing any harm is the ultimate goal.

Network managers received plenty of encouragement to block threats in 2004, a year in which several security breaches affected millions of innocent people. The October break-in at the University of California, Berkeley netted a cracker roughly 1.4 million names and Social Security numbers. Utah State University unwittingly exposed 7,000 Social Security numbers and names of students, faculty, and staff on its Web site for an extended length of time, correcting the problem in October. Universities weren’t the only targets, of course. In March, Equifax announced that criminals posing as credit issuers illegally accessed the credit files of 1,400 Canadians.

Of course, good security goes beyond keeping the bad guys out. More mundanely, it requires granular and manageable access control; and on that front, 2004 saw a few breakout products in identity management. The high point perhaps came from Oblix, which put together the first true SAML-compliant, cross-domain identity management platform, permitting companies to control access to applications served from partners.

Speaking of securing access, 2004 may also be remembered as the year SSL VPNs pushed traditional IPSec VPNs aside. The relative simplicity and resource-level control of the SSL VPN seems to be proving hard to match for general client access, although IPSec will continue to be widely used for site-to-site connectivity.

All considered, network security made some gains, but it also took some losses. Yet another year went by without a standard means of ensuring our Windows client systems are protected against the ever-growing array of worms and viruses. The Cisco and Microsoft efforts will hopefully bring some needed defenses, but it may be years before we see the results. For the moment, vigilance is the only solution.