The Worst That Could Happen

By theWHIR.com, July 16, 2004

By Wayne Epperson

This story appeared in the June 2004 issue of Web Host Industry Review magazine.

July 16, 2004 -- (WEB HOST INDUSTRY REVIEW) -- Any discussion by an assemblage of network security practitioners is sure to include the latest technologies and effective best practices for keeping infrastructures up and running in the face of hackers, viruses and all manner of other electronic threats.

It's an ongoing dialogue Web hosts could be expected to attend to closely, but the rash of virus and worm attacks that have menaced Web hosting providers in recent months - in some cases bringing networks offline - seems to indicate that some companies out there aren't getting it right.

Any security discussion must examine how a layered approach of firewalls, intrusion detection and prevention systems and antivirus systems can protect business. But for a seasoned specialist fighting cyber crime and preparing for the next attack, the business of security demands a first-things-first approach.

"People tend to build security and then try to stuff policy into it, and it doesn't work that way. It's the other way around," says Patrick Gray, director of X-Force operations, the national emergency response and penetration testing practices unit at Internet Security Systems (iss.net), located in Atlanta. "Before we start deploying and thinking about best practices, we have to assess our own risk if you are a hosting provider."

The first thing Gray's staff generally discovers on emergency response engagements to companies and hosting providers is an exceedingly idle approach to the issues of policy that surround network security.

"Policies, procedures and standards ought to be documented and documented extremely well in how you do things. That's when you can take into consideration your security architecture," says Gray, a retired special agent with the FBI where he headed a cyber crime task force. "Once we have our defense-in-depth in place, we need to understand that something bad will happen. Not may happen, but will happen. In this ever-changing environment, hosting providers need to understand that and have procedures for responding to an incident, be it a worm or virus outbreak or an internal problem," he says, adding that plans need to be tested in practice drills.

"A worm appears and you are hosting somebody's server farm and there's a Web site going down. You need to know exactly what to do right then and there as opposed to running a fire drill like chickens with their heads cut off. It is incredibly important that you have emergency response procedures on the books and know exactly what to do."

One hosting provider that Gray says has security figured out is Inflow Inc. (inflow.com). Based in Denver, Colorado, Inflow has 13 data centers across the United States.

Lenny Monsour, general manager of Inflow's hosting and infrastructure services, echoes Gray's comments about policies. "When I look at the way we handle any type of security issue," he says, "an important principle is to make sure that you address the process and policy issues first, because it has got to be driven from the business and the business has to support the investments they are going to make from a security perspective."

Patch management and email security are two big concerns for Internet-based customers, and Inflow has initiatives to address them, Monsour says.

"We just recently rolled out our iServerCare services. There is a component of that service that helps customers deal with the challenge of keeping up with patches and helps them not just identify when critical patches come out, but be able to audit their servers to figure out which patches aren't on them."

Inflow's service automates the tracking of patches, audits the software and on demand pushes patches to selected servers.

"We have actually pushed a patch out to 400 different servers, all Windows machines, and we did it in two hours," Monsour says.

Among the company's many security offerings is a managed email service for Exchange environments. By managing Exchange servers, filters and antivirus software, Inflow helps companies implement spam and email attachment scanning to remove attachments before they reach a user's desktop.

"For a lot of our customers who are more security conscious, we will implement intrusion prevention technologies, a service we base around the ISS Proventia platform," which includes 24x7 monitoring by a security team, Monsour says.

Joshua Chen, chief technology officer at St. Louis-based Internet hosting center Cybercon, recommends a three-layer approach to best security practices.

"We recommend the use of multiple security devices, not just a firewall. We use a combined approach with Cisco routers with package filtering, NetScreen firewalls and the Top Layer Attack Mitigator for intrusion prevention. Each device works on specific situations to give a broad range of protection," Chen says.

Cybercon, like Inflow, provides managed security services. "We purchase hardware, we install it, we monitor it and we fix it. With all of this security equipment installed, servers have to be updated. I find that a lot of problems with worms is that servers are not patched and that can give hackers an opportunity to get in."

One of Chen's customers is Chicago Webs (chicagowebs.com), a Web hosting company that recently relocated its network to the Cybercon data center from another provider's facility near Chicago.

Pat Stangler, president of Chicago Webs, knows first-hand the damaging effects that such an attack can have on an unsuspecting Web hosting company.

It started around 6 a.m. on the last Thursday in July 2003 when the same strain of a distributed denial of service attack that hit Microsoft, CNet and a handful of other large sites over a two-day period targeted Stangler's operation.

"We were getting hit with over 100 megs a second and over a million SYNs a second. It was pretty intense. For a day and a half we were down," Stangler says.
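The flood Stangler describes is a half-open-connection attack: the defender's first questions are how many SYNs per second are arriving and how many of them ever complete a handshake. The following is an added example, not code from the article or from any vendor it names, that applies that check to constructed per-packet summary lines; the line format, the flag letters and the thresholds are assumptions, scaled far below the million-SYN-per-second rate quoted above.

```python
"""SYN-flood detector over per-packet capture summaries (added example, not
from the article). Assumed line format: "<epoch_second> <src_ip> <dst_ip>
<tcp_flags>" with tcpdump-style flags (S = SYN, S. = SYN+ACK, . = ACK only).
"""
from collections import defaultdict

# Constructed sample, not real traffic: second 1000 is normal (every SYN is
# followed by the client's ACK); second 1001 is a flood of bare SYNs from 50
# spoofed sources, none of which completes the handshake.
SAMPLE_LINES = [
    "1000 10.0.0.5 192.0.2.10 S",
    "1000 192.0.2.10 10.0.0.5 S.",
    "1000 10.0.0.5 192.0.2.10 .",
    "1000 10.0.0.6 192.0.2.10 S",
    "1000 192.0.2.10 10.0.0.6 S.",
    "1000 10.0.0.6 192.0.2.10 .",
] + [f"1001 198.51.100.{i} 192.0.2.10 S" for i in range(1, 51)] + [
    "1001 10.0.0.7 192.0.2.10 S",
    "1001 192.0.2.10 10.0.0.7 S.",
    "1001 10.0.0.7 192.0.2.10 .",
]


def syn_flood_seconds(lines, target, syn_rate=40, half_open_ratio=0.9):
    """Return (second, syn_count, source_count, half_open_fraction) for each
    second in which `target` received more than `syn_rate` bare SYNs and more
    than `half_open_ratio` of the sending addresses never sent the final ACK,
    i.e. the backlog is filling with half-open connections, not sessions."""
    syns = defaultdict(int)       # second -> bare SYNs aimed at target
    syn_src = defaultdict(set)    # second -> addresses that sent a bare SYN
    ack_src = defaultdict(set)    # second -> addresses that sent an ACK-only
    for line in lines:
        sec, src, dst, flags = line.split()
        if dst != target:
            continue
        if flags == "S":
            syns[sec] += 1
            syn_src[sec].add(src)
        elif flags == ".":
            ack_src[sec].add(src)
    flagged = []
    for sec in sorted(syns):
        half_open = len(syn_src[sec] - ack_src[sec]) / len(syn_src[sec])
        if syns[sec] > syn_rate and half_open > half_open_ratio:
            flagged.append((sec, syns[sec], len(syn_src[sec]), round(half_open, 2)))
    return flagged
```

On the sample, only second 1001 is flagged: 51 SYNs from 51 addresses with 98 percent of them never completing the handshake, which is the signature a rate-only counter would miss during a legitimate traffic spike.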

The incident response team for the company providing Chicago Webs with data center space at the time wasn't able to resolve the problem and told Stangler he needed to deploy an intrusion prevention system to stop the attack. They referred him to Top Layer Networks of Westboro, Massachusetts, for its Attack Mitigator IPS.

By then it was Friday, and the earliest Stangler could have the device delivered would be Monday. He flew from Chicago to Boston Saturday morning, picked up the IPS and caught a return flight back to Chicago.

"I had it implemented within 45 minutes of hitting the ground and in another 30 minutes our network was back up. The box is awesome; we haven't had one second of downtime since putting it in," says Stangler, whose Chicago Webs mainly caters to the development community and boasts of clients in every time zone.

To Stangler, a secure network means "the livelihood of my clients. Period. That's our business. We are not in the 'security' business, but we have to be these days."

It took a disaster, but Stangler got the message. To those hosts that might prefer a faster, easier road to understanding, Gray offers the abridged version.

"Tell them not to be comfortable," he says. "Something bad is going to happen. Just be prepared for that."
