
February 28, 2000

Act Now To Protect Your Data
Look for gaps in network security--and plug those holes--to keep cyberthieves at bay

By Aaron Weiss

Illustration by Ken Orvidas
Your company's data seems like a glaring target for intruders, and rightfully so--but it's not the only lure. Only a fraction of digital attacks are aimed at known and precious information; more often, attacks are the result of "pawn maneuvers," wherein your site is used as a way station for launching unrelated attacks against others. Unfortunately, any of these attacks can result in disruption of your network, possible downtime, and even loss of data.

Three tiers of vulnerability--the operating system, the application server software, and application design choices--have an impact on your Web applications, and there are different paths to follow in addressing each tier. A network, from a security standpoint, is much like a house--a large one, with many doors and windows. But digital attackers are considerably more agile than common burglars, so one must imagine a house that is also exposed by its air vents, chimneys, ducts, and even cracks in the foundation. A cybersnoop needs only to find a digital crack into which malice can be wedged, and your data is in danger.

The recent denial-of-service attacks on Amazon.com, eBay, Yahoo, and other Web sites targeted vulnerabilities at a higher level in the IT architecture than addressed here--but these attacks were launched from hijacked computers, and any machine, including a Web application development server, is susceptible to being compromised in this fashion.

The foundation of your Web application is the operating system atop which everything runs; it's the bottom tier of the three. For many Web servers, this is a Unix-derived operating system such as Sun Solaris or Linux, but there are a significant number of Microsoft Windows NT machines as well.

Though it may seem off-topic to examine your operating system in the context of Web application development, the relative security of your operating system lays the groundwork for all other endeavors, including Web applications. In fact, many attacks on Web-server applications ultimately involve weaknesses in the underlying operating system, whether used as an entry point or as a means to an end.

Your operating system is probably your weakest link. Every major operating system to date has a history of being riddled with security holes that have been patched and repaired piecemeal by scrambling vendors. Consider that in 1999 alone, Red Hat Inc. issued 31 security advisories for its Linux distributions, while Microsoft issued 61 advisories for its various server and client technologies, including Windows NT. These may sound like terrible performance statistics, but these numbers are par for the course, meaning that several new security flaws are discovered every month for all major operating systems.

Nearly all security within an operating system revolves around modes of privilege. Imagine if each window and door in your house had its own lock and its own key. Not all operating systems are equally capable of, or configured to, individually locking each file or resource, but that's the basic idea. Typically, Unix operating systems such as Solaris and Linux possess finer-grained access control than the Windows operating systems.

Many security advisories, in turn, relate to ways in which outsiders can obtain or fake their own privilege--in essence, forging their own keys--and use these privileges to gain access to certain areas within your operating system. This privilege is often used to leverage more-powerful privileges once in the system, taking advantage of the fact that few operating systems are thoroughly locked down because each and every door doesn't--and often can't--have a unique key.

Operating systems are the castle walls, and as such need constant care. A staff member familiar with the operating system in use should be assigned the role of monitoring security advisories--nearly always available from the operating-system vendor's Web site--and applying known fixes on a monthly, or even weekly, basis.

Undergirded by the operating system, your Web applications are nonetheless more closely related to the server software that executes them. For many Web applications, this is your Web-server software, or at least involves your Web server, possibly in combination with other pieces of software. Taken together, the set of software that executes your Web applications makes up the middle tier of security.

In a simpler time--the early 1990s--Web servers simply delivered static pages of data across the Internet. Doing so invited few security risks, other than those contained in the content of the data itself.

But Web pages have grown into Web applications--and for the most part, that's a good thing. However, during that evolution, much more power and responsibility have been shifted onto the Web-server software, necessarily giving Web apps more access to your overall operating system so that they can perform their dazzling feats.
