BrickServer Offers Protection Without Patching

r

BrickServer Offers Protection Without Patching
r

r

r

By Rawlson O’Neil King
r

r

March 8, 2004 – Security continues to be
r

the predominant concern among service providers and enterprises that
r

deploy mission-critical IT applications. The frequency and
r

sophistication of network attacks are growing with the use of automated
r

hacking tools, worms and viruses that inflict worldwide damage over the
r

Internet in just a few hours.
r

r

Trend Micro (trendmicro.com),
r

the world’s third-largest anti-virus software provider, recently
r

estimated that computer virus attacks cost global businesses $55
r

billion in damages in 2003. The firm expects the economic and financial
r

impact of worms and viral attacks will continue to climb in 2004,
r

following an established trend. Companies lost roughly $20 billion to
r

$30 billion in 2002 from virus attacks, up from about $13 billion in
r

2001, according to various estimates.
r

r

To combat associated losses in time and
r

data due to network attacks and server vulnerabilities, enterprises and
r

service providers are increasingly adopting pre-emptive measures.
r

r

The global market for secure content management, which, according to market research firm IDC (idc.com),
r

includes anti-virus software, message security and Web filtering, is
r

expected to reach $6.4 billion in 2007, representing a compound annual
r

growth rate of 19 percent. Spending will also be focused on identifying
r

and nullifying network vulnerabilities.
r

r

IDC notes that security attacks from
r

worms and hackers, and industry regulations such as the Health
r

Insurance Portability and Accountability Act (HIPAA) and the Financial
r

Services Modernization Act, will drive the market for vulnerability
r

management to more than 30 percent growth over the next five years.
r

r

One leader in the field of vulnerability assessment is Qualys, Inc. (qualys.com). The firm is a market-leading Web service provider that offers on-demand network security audits.
r

r

Qualys’ flagship service, QualysGuard
r

automates network security audits and vulnerability management. More
r

than 1,300 organizations use QualysGuard for reliable protection from
r

worms and hackers and for third-party certification of network
r

security. QualysGuard enables organizations to measure vulnerability
r

risk and their security posture; enforce industry and enterprise
r

policies; and comply with regulations and enterprise requirements.
r

r

QualysGuard vulnerability management
r

provides reliable protection from worms and hackers through: continuous
r

discovery of hosts, services and unauthorized devices; continuous
r

assessment of online assets for the full range of vulnerabilities;
r

continuous analysis of vulnerabilities, trouble tickets and trend
r

reports; and remediation based on prioritized policies. Once
r

vulnerability assessments are conducted, QualysGuard’s network security
r

audits deliver third-party certification of network security with
r

tamper resistant audit trails that record: when the security audit was
r

performed, what vulnerabilities were detected, how to fix them, whom
r

they were assigned to; and if they were remedied.
r

r

QualysGuard leverages a foundation of
r

automation to solve the biggest challenges in security auditing. This
r

foundation includes immediate and up-to-date knowledge of
r

vulnerabilities, high scalability of scanning in a distributed fashion,
r

and complete accuracy and reliability of network audits.
r

r

The system is appealing to use because it
r

employs remote Web services, which means that enterprises and service
r

providers are not compelled to maintain sophisticated software or
r

hardware in order to conduct assessments, though Qualys scanner
r

appliances are available.
r

r

The major issue with the system however
r

is that IT staff within the organization must act to correct or “patch”
r

all found vulnerabilities. This can be a daunting task since the
r

QualysGuard scanning system over the past 23 months has found literally
r

millions of network vulnerabilities. Qualys itself even acknowledges
r

that patching can be an inefficient process. The firm conceded at the
r

RSA Security Conference held in San Francisco in February that patching
r

software flaws is still far too difficult for many organizations,
r

leaving them vulnerable since they have not applied all necessary
r

critical updates to their system. The patching method can also be
r

problematic due to the expenses associated with maintaining staff to
r

monitor and react to vulnerability assessments.
r

r

As a result, organizations will want to
r

be apprised of the new, emerging breed of “patch-less” systems that
r

attempt to exclude vulnerabilities from IT architecture. Sage Inc. (sage-inc.com), a Texas-based Web security firm, offers a secure Web appliance entitled the BrickServer that entirely eliminates patching.
r

r

“The necessity for patching is precluded
r

since all table information and other software packages are hardwired
r

into the kernel of the operating system,” states Louis Jurgens, an
r

executive vice president at Sage Inc. “As a result, our system is safe
r

and simple to use.”
r

r

The appliance, which contains
r

pre-configured Web/FTP software and a custom-built email server, is
r

secure because no alterations can be made to the software. The server
r

packages are all hardened, and allow for no alterations. As a result, a
r

BrickServer provides worry-free maintenance.
r

r

The appliance supports SSL, SSI, PHP,
r

Perl , PYTHON, and TCL supports. The appliance also supports database
r

calls via MySQL, PostgreSQL and SQL libraries, and permits for
r

multi-domain hosting and Virtual IPs.
r

r

“The appliance is quite unique and
r

because of this we don’t have competition in the technical sense,”
r

states Jurgens. “Our competition are those people who choose to build
r

hardened Web servers by themselves. Though our box is quite
r

restraining, the benefit is that you don’t get hacked and you don’t
r

have to patch. We have had various versions of this product out in the
r

marketplace for over four years and no one has broken into our boxes.”
r

r

Jurgens also notes that the BrickServer
r

product is quite popular because it reduces costs. “We have spoken with
r

a number of good-sized IT shops and received overhead estimates about
r

patching. We know that between 12 percent and 50 percent of IT
r

resources are allocated to this task. We estimate that most
r

corporations and service providers can save 20 percent of IT overhead
r

and time if that patching task was eliminated. Our product aims to do
r

this.”
r

r

The BrickServer utilizes a security model
r

called process-based security that replaces user-based or discretionary
r

access with mandatory access controls that invoke rules of least
r

privilege and separation of duties. Consequently, the device prevents
r

unauthorized access to system level function, creating a secure Web
r

appliance.
r

r

“Our device is a system administrator’s
r

most frustrating product, because he actively cannot make modifications
r

to it — but that’s why it is so secure,” states Jurgens.
r

r

While such a system might be constraining
r

to those requiring constant updates to their Web server, US government
r

departments and e-commerce shops that require static and secure
r

deployments have in contrast embraced the system to eliminate network
r

and server vulnerabilities and decrease costs.
r

r

Sage Inc. is actively working on
r

de-coupling its hardened operating system from its BrickServer device,
r

in order to license it to Web hosting firms. The company believes that
r

a value-added marketplace might emerge around hardened servers for
r

outsourced hosting customers as IT security becomes a top concern
r

amongst mid-sized enterprises.
r

 
r

r

r

r

About the Author
r

Rawlson O’Neil King is a contributing editor and analyst at the Web
r

Host Industry Review. Before joining theWHIR, Mr. King was Director of
r

Corporate Communications at WebHosting.Com. During his tenure there he
r

established ineedsupport.com, the first branded destination customer
r

care site in the shared hosting industry. He has prior experience as an
r

IT consultant who served non-profit organizations, government and
r

private industry. He holds a Bachelor of Journalism degree from
r

Carleton University.
r

No related posts.