BrickServer Offers Protection Without Patching

By Rawlson O’Neil King

March 8, 2004 – Security continues to be the predominant concern among service providers and enterprises that deploy mission-critical IT applications. The frequency and sophistication of network attacks are growing with the use of automated hacking tools, worms and viruses that inflict worldwide damage over the Internet in just a few hours.

Trend Micro (trendmicro.com), the world’s third-largest anti-virus software provider, recently estimated that computer virus attacks cost global businesses $55 billion in damages in 2003. The firm expects the economic and financial impact of worms and viral attacks will continue to climb in 2004, following an established trend. Companies lost roughly $20 billion to $30 billion in 2002 from virus attacks, up from about $13 billion in 2001, according to various estimates.

To combat associated losses in time and data due to network attacks and server vulnerabilities, enterprises and service providers are increasingly adopting pre-emptive measures.

The global market for secure content management, which, according to market research firm IDC (idc.com), includes anti-virus software, message security and Web filtering, is expected to reach $6.4 billion in 2007, representing a compound annual growth rate of 19 percent. Spending will also be focused on identifying and nullifying network vulnerabilities.

IDC notes that security attacks from worms and hackers, and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act, will drive the market for vulnerability management to more than 30 percent growth over the next five years.

One leader in the field of vulnerability assessment is Qualys, Inc. (qualys.com). The firm is a market-leading Web service provider that offers on-demand network security audits.

Qualys’ flagship service, QualysGuard, automates network security audits and vulnerability management. More than 1,300 organizations use QualysGuard for reliable protection from worms and hackers and for third-party certification of network security. QualysGuard enables organizations to measure vulnerability risk and their security posture; enforce industry and enterprise policies; and comply with regulations and enterprise requirements.

QualysGuard vulnerability management provides reliable protection from worms and hackers through: continuous discovery of hosts, services and unauthorized devices; continuous assessment of online assets for the full range of vulnerabilities; continuous analysis of vulnerabilities, trouble tickets and trend reports; and remediation based on prioritized policies. Once vulnerability assessments are conducted, QualysGuard’s network security audits deliver third-party certification of network security with tamper-resistant audit trails that record when the security audit was performed, what vulnerabilities were detected, how to fix them, to whom they were assigned, and whether they were remedied.

QualysGuard leverages a foundation of automation to solve the biggest challenges in security auditing. This foundation includes immediate and up-to-date knowledge of vulnerabilities, high scalability of scanning in a distributed fashion, and complete accuracy and reliability of network audits.

The system is appealing to use because it employs remote Web services, which means that enterprises and service providers are not compelled to maintain sophisticated software or hardware in order to conduct assessments, though Qualys scanner appliances are available.

The major issue with the system, however, is that IT staff within the organization must act to correct or “patch” all found vulnerabilities. This can be a daunting task since the QualysGuard scanning system over the past 23 months has found literally millions of network vulnerabilities. Qualys itself even acknowledges that patching can be an inefficient process. The firm conceded at the RSA Security Conference held in San Francisco in February that patching software flaws is still far too difficult for many organizations, leaving them vulnerable since they have not applied all necessary critical updates to their systems. The patching method can also be problematic due to the expenses associated with maintaining staff to monitor and react to vulnerability assessments.

As a result, organizations will want to be apprised of the new, emerging breed of “patch-less” systems that attempt to exclude vulnerabilities from IT architecture. Sage Inc. (sage-inc.com), a Texas-based Web security firm, offers a secure Web appliance called the BrickServer that entirely eliminates patching.

“The necessity for patching is precluded since all table information and other software packages are hardwired into the kernel of the operating system,” states Louis Jurgens, an executive vice president at Sage Inc. “As a result, our system is safe and simple to use.”

The appliance, which contains pre-configured Web/FTP software and a custom-built email server, is secure because no alterations can be made to the software. The server packages are all hardened, and allow for no alterations. As a result, a BrickServer provides worry-free maintenance.

The appliance supports SSL, SSI, PHP, Perl, Python and Tcl. The appliance also supports database calls via MySQL, PostgreSQL and SQL libraries, and permits multi-domain hosting and virtual IPs.

“The appliance is quite unique and because of this we don’t have competition in the technical sense,” states Jurgens. “Our competition are those people who choose to build hardened Web servers by themselves. Though our box is quite restraining, the benefit is that you don’t get hacked and you don’t have to patch. We have had various versions of this product out in the marketplace for over four years and no one has broken into our boxes.”

Jurgens also notes that the BrickServer product is quite popular because it reduces costs. “We have spoken with a number of good-sized IT shops and received overhead estimates about patching. We know that between 12 percent and 50 percent of IT resources are allocated to this task. We estimate that most corporations and service providers can save 20 percent of IT overhead and time if that patching task was eliminated. Our product aims to do this.”

The BrickServer utilizes a security model called process-based security that replaces user-based or discretionary access with mandatory access controls that invoke rules of least privilege and separation of duties. Consequently, the device prevents unauthorized access to system-level functions, creating a secure Web appliance.

“Our device is a system administrator’s most frustrating product, because he actively cannot make modifications to it — but that’s why it is so secure,” states Jurgens.

While such a system might be constraining to those requiring constant updates to their Web server, US government departments and e-commerce shops that require static and secure deployments have, in contrast, embraced the system to eliminate network and server vulnerabilities and decrease costs.

Sage Inc. is actively working on de-coupling its hardened operating system from its BrickServer device, in order to license it to Web hosting firms. The company believes that a value-added marketplace might emerge around hardened servers for outsourced hosting customers as IT security becomes a top concern amongst mid-sized enterprises.

About the Author

Rawlson O’Neil King is a contributing editor and analyst at the Web Host Industry Review. Before joining theWHIR, Mr. King was Director of Corporate Communications at WebHosting.Com. During his tenure there he established ineedsupport.com, the first branded destination customer care site in the shared hosting industry. He has prior experience as an IT consultant who served non-profit organizations, government and private industry. He holds a Bachelor of Journalism degree from Carleton University.











