In-Depth

Defending the Faith

A hardened operating systems brings security to the Bahá‘í International Community's Web site.

• By Mathew Schwartz
• 05/01/2002

Running the Bahá‘í International Community (BIC) Web site was a big job, and Thane Terrill wasn't sure he wanted to do it.

For one thing, Terrill's existing job as BIC's network administrator was already demanding, requiring frequent travel between the organization's New York City and Geneva, Switzerland offices; keeping the Web servers secure would take time he didn't have. And budget for security staffing just wasn't in the cards.

And the sites were too important not to worry about their safety. The eight BIC Web sites help the The Bahá‘í International Community, a non-governmental organization (NGO) at the United Nations, connect more than five million members of the Bahá‘í faith, communicating issues such as human rights and environmental concerns.

The BIC sites not only contain news and information, but also store names and e-mail addresses. "It's more than a defacement issue, it's also an issue of the privacy of users' data—which is a magnitude of importance higher," says Terrill. Restoring a version of the site after it's been defaced is easy, but once data is stolen, restoring users' privacy is impossible.

But somehow, Terrill had to make the time. So he began looking for technology that could help him shoulder the load. "I looked at firewalls, which of course I use, but I realized that I'm still opening up a couple of ports, which could be overrun through buffer overruns and that sort of thing," he says. (Ports allow application logic to connect to servers and computers.)

Terrill nixed intrusion detection systems (IDSes), which alert the network administrator when there's been a breach, because he might not be there to repair the servers. But while perusing government journals, he became intrigued with trusted operating systems.

The "Trusted Computer System Evaluation Criteria," also known as the "Orange Book," is a set of standards first compiled by the Department of Defense (DOD) in the 1980s, intended for use by the DOD and intelligence communities to create completely secure computing environments.

Yet despite the obvious security advantages, trusted computer systems never really got off the ground. "They were so complex—and applications wouldn't run on them—that the intelligence community wouldn't even use them," notes John Pescatore, an analyst with Gartner Inc., based in Stamford, Conn.

Security experts, however, recognized the need and gradually evolved the trusted operating system into a new concept: the hardened operating system (OS). Instead of taking the full-blown Orange Book, the highest level of which includes having the server under armed guard, hardened operating systems simply limit what the OS can do.

A default installation of any OS on a server results in well-known root passwords, enabled Web protocols, and all sorts of things that make it easy to break into. Every OS has the built-in capability for someone to gain root access, or control of the entire machine.

So hardened OSes replace the kernel, the small amount of code that is the core of the computer, with a new kernel that limits what someone with root access can do. Even if there's a break-in, the thinking goes, the computer can't be used to launch buffer overruns or other types of attacks, and applications can only perform a restricted number of actions.

It's a lesson that draws from what mainframe experts have known for years, but can have trouble applying to an enterprise that includes mission-critical material on smaller servers, especially Web servers.

Companies have come out with so-called hardened operating systems, including PitBull from Argus Systems Group Inc., Virtualvault from Hewlett-Packard Co. and Trusted Solaris from Sun Microsystems Inc. (To learn more, see "Hardened Operating Systems.")

"It's a paradigm I was looking for," says Terrill. No matter his security knowledge, he'd worried, there was always the chance that he could misconfigure the servers; a common problem. "You really need to have the OS protecting you against yourself," he says.

Terrill evaluated several offerings and eventually settled on PitBull from Argus Systems Group Inc., based on its price and functionality. Before taking control over the Web servers, he told management he wanted a hardened OS, and he got it. "I'm glad I stuck to my guns, because as you see the level of activity, it's higher than I thought it would be," he says.

Defense & Depth
Terrill's approach to security follows the "defense and depth" paradigm: Create a good defense, then—should a breach occur—limit the degree of damage that can be done.

"You try to keep the bad guys out, but if they do get in, you try to make sure there's nothing they can do. If they're experts, they can still break in, but that's where you need to get Argus to be like, ‘Okay you broke in—so what?'" he says.

Terrill checked the BIC Web logs and was surprised at the intensity and frequency of attacks on his servers. It was, he says, "kind of like the weather—there's always something going on." Often, he notes, the attacks are the work of Internet scripts not aimed at anyone in particular.

"We had 3,000 attacks in a three-day period on one server. Now, those were Code Reds—I was getting something like four to five a second at one point," he says. (Code Red is an Internet worm that launches buffer overflow attacks on servers from servers it has infected.)

So PitBull had plenty of would-be attackers to chew on. So far, there's been a lot of that, and the defenses seem to be holding. Of course, PitBull is no silver bullet against computer criminals. "I'm still not going to throw out my firewall, but I'm not as nervous as I was," about user data getting stolen, says Terrill.

But will hardened OSes be adopted by the masses? For large companies, a hardened operating system's total cost of administration has been a barrier to its adoption, notes Gartner's Pescatore. Here's the problem: Making sure every new server is configured properly, because if even one is not, it can compromise the rest. And for small companies, Pescatore cautions that there might not be the requisite security knowledge for administering hardened OSes.

Places that are a good fit for hardened OSes, he says, are "the regulated areas"—high-end banking, futures, healthcare and classified government environments, as well as managed hosting environments, for whom any downtime is lost revenue.

The average company probably won't spend the money to mitigate risk with hardened OSes, says Pescatore, because when balancing risk versus revenue, they'll opt for the latter. But there will always be the companies that say, "We will spend more than the industry average on security, no matter the cost, because it's a cultural thing for us," he notes.