With businesses, organizations, and government agencies exploiting
interactive Web-based technology to deliver online services to
employees, customers, and suppliers, Web servers have become the pivot
point that connects authorized users to databases and internal network
applications. Unfortunately, Web server architectures are highly
susceptible to attack, especially those built on general-purpose
OSes.
Intrusion detection systems and firewalls do not adequately reduce the
security hazards presented by applications that implement dynamic
content or transaction services. Firewalls provide basic protection for
services such as FTP and SMTP, but they were not designed to protect
hosted applications. In addition, firewalls offer little security
against manipulations of HTTP traffic.
Nor were intrusion detection tools designed to address Web server
security issues. Although most security measures follow a reactive
model, responding to attacks after they occur, companies can take
proactive measures to secure their applications against attacks.

Trusted operating systems

Enter the resurrection of the TOS (trusted operating system), a relic
from the early '80s developed for military and government security.
Considered by many to be too expensive and complicated to implement and
maintain, TOSes failed to catch on when introduced to the commercial
sector and instead were pigeonholed into the financial industry. With
today's corporate Web servers serving as the gateway to
mission-critical e-business applications and information, however, IT
departments should take a hard look at the new generation of TOSes.
[Illustration: "Compartmentalization is the key."]
A TOS is simply a security-hardened version of a standard OS. TOSes
come in a variety of flavors, including Sun Solaris, Hewlett-Packard's
HP-UX, IBM AIX, Linux, and Microsoft Windows NT. Trusted versions of
these operating systems isolate key OS functions into separate
compartments, limiting the ability of intruders to access and control
critical parts of a computer system, as well as preventing
administrators from making inadvertent, harmful changes.
Naturally, TOSes cost more than their standard OS counterparts, and
they are more difficult to administer. But because they provide a level
of protection beyond firewalls and intrusion detection systems, they
are suitable for e-commerce systems that are key to your business and
its relationships with customers and business partners.

Then and now

Early TOSes were marketed entirely in the government arena. Designed to
solve military problems associated with information auditing, these
systems were rigid and nearly impossible to integrate with commercial
applications. However, the need for secure e-commerce has ushered in a
new generation of TOS products, such as Argus Systems' PitBull and
Hewlett-Packard's WebEnforcer, which are more intuitive and easier to
integrate into commercial applications that were not designed for use
in an extended security environment.
Another stumbling block for first-generation TOSes was the cost of
owning one. Only large financial institutions that
required rock-solid security had the resources to buy and support
But modern TOSes won't necessarily break your budget. Argus Systems'
PitBull, a security add-on available for Solaris, AIX, and Linux
systems, starts at $5,000 for a single-processor system; $50,000 buys
an enterprise edition. Hewlett-Packard's VirtualVault, a trusted Web
server platform built on a hardened version of HP-UX, starts at
$15,000; but HP's WebEnforcer software, which monitors Windows NT
servers and plugs security holes, runs $3,000 per server. The most
economical of all the TOS products on the market is WatchGuard
Technologies' WatchGuard ServerLock, which hardens Windows NT and
Windows 2000 servers and costs just $1,295 per server.
TOS vendors are continually improving their products' ease of use via
wizards, knowledge base updates, and professional services to help
speed adoption of the technology. Security measures will continue to
evolve, but compartmentalization will always be the core feature of a

Nuts and bolts

TOSes are built around the idea of compartmentalizing information. The
same principle applies to subsystems. For example, because most
ASPs (application service providers) serve multiple clients on a
single back-end network, a breach at the application level can expose
all of those clients. With a TOS, ASPs can isolate individual clients,
guaranteeing that if security is breached through one customer, no
others are affected.
Off-the-shelf operating systems typically provide a single
administrator or superuser account with complete access to the entire
system. A TOS takes stock of all the OS services that users may need to
access and isolates them into individual compartments, providing
separate administrative accounts for each. For example, an
administrator may have the access necessary to perform backups but not
be able to add or delete other users or alter applications. Other
administrators -- or at least separate administrator log-ins and
passwords -- would be required for these functions.
The concept of compartmentalization also pertains to networks. With a
TOS, a user who enters a private network via the Internet could be
placed in a compartment that would never allow access to any
administrative commands. If the same user entered via a VPN or an
internal network, then the user may be allowed to access administrative
functions, depending on the criteria set for access. Authorization for
administrative access or for system changes can be based on conditions
other than traditional user authentication. Today's generation of
TOSes also applies the principle that, while a system is operational,
absolutely no changes can be made that could undermine the stability
of services.
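
The three checks described above (per-function administrative roles, a compartment assigned by point of entry, and a lock on changes while the system is operational) can be modeled as a small reference monitor. This is an added sketch, not code from any TOS product; the role, compartment, and operation names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: all names below are illustrative assumptions.
ROLE_PRIVS = {
    "backup_admin": {"read_files", "write_backup"},
    "user_admin": {"add_user", "delete_user"},
    "app_admin": {"alter_application"},
}
# The compartment comes from where the session entered, not from who the user is.
INGRESS_COMPARTMENT = {"internet": "public", "vpn": "trusted", "internal": "trusted"}
# Operations a compartment can ever reach, whatever roles the session holds.
COMPARTMENT_CEILING = {
    "public": {"read_files"},
    "trusted": {"read_files", "write_backup", "add_user",
                "delete_user", "alter_application"},
}
# Operations that change the system; refused while it is operational.
CONFIG_CHANGES = {"alter_application"}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    ingress: str


def decide(session, operation, operational=True):
    """Return (allowed, reason). Every check must pass; no superuser bypass."""
    compartment = INGRESS_COMPARTMENT.get(session.ingress)
    if compartment is None:
        return False, "unknown ingress"
    if operation not in COMPARTMENT_CEILING[compartment]:
        return False, f"compartment '{compartment}' cannot reach {operation}"
    if not any(operation in ROLE_PRIVS.get(r, ()) for r in session.roles):
        return False, f"no role grants {operation}"
    if operational and operation in CONFIG_CHANGES:
        return False, "system is operational; configuration is locked"
    return True, "ok"


if __name__ == "__main__":
    every_role = frozenset(ROLE_PRIVS)
    for ingress in ("internet", "vpn"):
        s = Session("constructed-user", every_role, ingress)
        for op in ("write_backup", "add_user", "alter_application"):
            print(ingress, op, decide(s, op))
```

Even a session holding every role is confined to the public compartment when it arrives from the Internet, which is the difference from a single superuser account.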
Because TOSes impose security restrictions at the operating-system
level -- where access to applications, files, network interfaces, and
other system resources is granted -- they guard against attacks that
firewalls and intrusion detection systems can't prevent. If your
business depends on secure Web applications, a TOS could help
management and IT staff rest a little easier.