The Worst That Could Happen

By Wayne Epperson

This story appeared in the June 2004 issue of Web Host Industry Review magazine.

July 16, 2004 — (WEB HOST INDUSTRY REVIEW) — Any discussion by an assemblage of network security practitioners is sure to include the latest technologies and effective best practices for keeping infrastructures up and running in the face of hackers, viruses and all manner of other electronic threats.

It’s an ongoing dialogue Web hosts could be expected to attend to closely, but the rash of virus and worm attacks that have menaced Web hosting providers in recent months – in some cases bringing networks offline – seems to indicate that some companies out there aren’t getting it right.

Any security discussion must examine how a layered approach of firewalls, intrusion detection and prevention systems and antivirus systems can protect business. But for a seasoned specialist fighting cyber crime and preparing for the next attack, the business of security demands a first-things-first approach.

“People tend to build security and then try to stuff policy into it, and it doesn’t work that way. It’s the other way around,” says Patrick Gray, director of X-Force operations, the national emergency response and penetration testing practices unit at Internet Security Systems (iss.net), located in Atlanta. “Before we start deploying and thinking about best practices, we have to assess our own risk if you are a hosting provider.”

The first thing Gray’s staff generally discovers on emergency response engagements to companies and hosting providers is an exceedingly idle approach to the issues of policy that surround network security.

“Policies, procedures and standards ought to be documented and documented extremely well in how you do things. That’s when you can take into consideration your security architecture,” says Gray, a retired special agent with the FBI where he headed a cyber crime task force. “Once we have our defense-in-depth in place, we need to understand that something bad will happen. Not may happen, but will happen. In this ever-changing environment, hosting providers need to understand that and have procedures for responding to an incident, be it a worm or virus outbreak or an internal problem,” he says, adding that plans need to be tested in practice drills.

“A worm appears and you are hosting somebody’s server farm and there’s a Web site going down. You need to know exactly what to do right then and there as opposed to running a fire drill like chickens with their heads cut off. It is incredibly important that you have emergency response procedures on the books and know exactly what to do.”

One hosting provider that Gray says has security figured out is Inflow Inc. (inflow.com). Based in Denver, Colorado, Inflow has 13 data centers across the United States.

Lenny Monsour, general manager of Inflow’s hosting and infrastructure services, echoes Gray’s comments about policies. “When I look at the way we handle any type of security issue,” he says, “an important principle is to make sure that you address the process and policy issues first, because it has got to be driven from the business and the business has to support the investments they are going to make from a security perspective.”

Patch management and email security are two big concerns for Internet-based customers, and Inflow has initiatives to address them, Monsour says.

“We just recently rolled out our iServerCare services. There is a component of that service that helps customers deal with the challenge of keeping up with patches and helps them not just identify when critical patches come out, but be able to audit their servers to figure out which patches aren’t on them.”

Inflow’s service automates the tracking of patches, audits the software and on demand pushes patches to selected servers.

“We have actually pushed a patch out to 400 different servers, all Windows machines, and we did it in two hours,” Monsour says.

Among the company’s many security offerings is a managed email service for Exchange environments. By managing Exchange servers, filters and antivirus software, Inflow helps companies implement spam and email attachment scanning to remove attachments before they reach a user’s desktop.

“For a lot of our customers who are more security conscious, we will implement intrusion prevention technologies, a service we base around the ISS Proventia platform,” which includes 24×7 monitoring by a security team, Monsour says.

Joshua Chen, chief technology officer at St. Louis-based Internet hosting center Cybercon, recommends a three-layer approach to best security practices.

“We recommend the use of multiple security devices, not just a firewall. We use a combined approach with Cisco routers with package filtering, NetScreen firewalls and the Top Layer Attack Mitigator for intrusion prevention. Each device works on specific situations to give a broad range of protection,” Chen says.

Cybercon, like Inflow, provides managed security services. “We purchase hardware, we install it, we monitor it and we fix it. With all of this security equipment installed, servers have to be updated. I find that a lot of problems with worms are that servers are not patched, and that can give hackers an opportunity to get in.”

One of Chen’s customers is Chicago Webs (chicagowebs.com), a Web hosting company that recently relocated its network to the Cybercon data center from another provider’s facility near Chicago.

Pat Stangler, president of Chicago Webs, knows first-hand the damaging effects that such an attack can have on an unsuspecting Web hosting company.

It started around 6 a.m. on the last Thursday in July 2003 when the same strain of a distributed denial of service attack that hit Microsoft, CNet and a handful of other large sites over a two-day period targeted Stangler’s operation.

“We were getting hit with over 100 megs a second and over a million SYNs a second. It was pretty intense. For a day and a half we were down,” Stangler says.

The incident response team for the company providing Chicago Webs with data center space at the time wasn’t able to resolve the problem and told Stangler he needed to deploy an intrusion prevention system to stop the attack. They referred him to Top Layer Networks of Westboro, Massachusetts, for its Attack Mitigator IPS.

By then it was Friday, and the earliest Stangler could have the device delivered would be Monday. He flew from Chicago to Boston Saturday morning, picked up the IPS and caught a return flight back to Chicago.

“I had it implemented within 45 minutes of hitting the ground and in another 30 minutes our network was back up. The box is awesome; we haven’t had one second of downtime since putting it in,” says Stangler, whose Chicago Webs mainly caters to the development community and boasts of clients in every time zone.

To Stangler, a secure network means “the livelihood of my clients. Period. That’s our business. We are not in the security business, but we have to be these days.”

It took a disaster, but Stangler got the message. To those hosts that might prefer a faster, easier road to understanding, Gray offers the abridged version.

“Tell them not to be comfortable,” he says. “Something bad is going to happen. Just be prepared for that.”