TitchOnline.com, Suite 1902
Steven Titch, Editor-in-Chief
Sharon J. Watson, Managing Editor

Links to companies and organizations mentioned in this article:
Arbor Networks, 430 Bedford Street, Suite 160, Lexington, MA 02420, 781-684-0900
Check Point Software Technologies, 3 Lagoon Drive, Suite 400, Redwood City, CA 94605, 650-628-2000
Mazu Networks, 125 Cambridge Park Drive, 4th Floor, Cambridge, MA 02140, 617-352-9292
Sana Security, 2121 South El Camino Real, Suite 700, San Mateo, CA 94403, 650-292-7100
IBM's Tivoli Systems, 11301 Burnet Rd., Austin, Texas 78758, 512-436-8000
Webscreen Technology Ltd., Index House, St. George's Lane, Ascot, Berkshire, U.K. SL5 7EU, +44 1344 636 339
Carnegie Mellon University's Computer Emergency Response Team (CERT), CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213, 24-hour hotline: 412-268-7090

The Personal Information Technology Report
January 14, 2003
In this issue: Network security takes center stage

Network Security takes center stage

The story in brief: Corporate IT departments, along with the managed service providers and outsourcing companies they turn to, are under more pressure to demonstrate they can safeguard networks against intrusion and attack without degrading performance or making it difficult for e-commerce systems to work properly. At one time, it was enough to erect a firewall and go online. Today, quality security requires immediate adaptability to new threats and a response mechanism that detects and confronts an attack before any damage occurs.
The relative simplicity of
Internet Protocol (IP) networking, the spread of e-commerce tools to
small- and medium-sized businesses, and the fast uptake of technologies
such as wireless local area networks (WLANs), have all contributed to
greater vulnerability of enterprise networks. At the same time, there
is heightened concern about attacks on the larger network
infrastructure from loosely organized hackers to outright terrorists.
There is no doubt that attacks are increasing.
Carnegie Mellon University's Computer Emergency Response Team (CERT)
Coordination Center received 73,359 incident reports in the first three
quarters of 2002, compared to 21,756 received in all of 2001. In separate incidents in 2001,
the Melissa virus and Code Red Worm infected hundreds of thousands of
servers. What gave network engineers greater pause was the October
attack on nine of the 13 Internet root servers -- the machines that sit
at the top of the Internet hierarchy and manage IP assignments to keep
traffic moving. The attacker attempted to overwhelm the root servers'
processing capabilities with a flood of bogus IP messages, with the aim
of choking off legitimate Internet packet traffic. On other occasions,
the attack strategy, known as distributed denial of service (DDoS), has
shut down specifically targeted websites, including MTV.com and
Amazon.com. While the Internet root servers weathered the attack well,
it was a pointed reminder that no one's immune.

The security boomlet

General IT spending is expected
to grow slowly in 2003, but enterprise customers say security systems
will get the bulk of the investment, creating something of a boomlet
amid an otherwise slow market. Worldwide spending on Internet security
will go from $6.2 billion in 2001 to a projected $8.5 billion this
year, according to UBS Warburg. Security strategies are
changing, too. As e-commerce and Web services make closer links between
servers necessary and desirable, firewalls cannot be as effective as
they once were. Web services platforms, such as Microsoft's .NET, are
designed to bring together Internet resources on a case-by-case basis
to support electronic transactions. Depending on the circumstances, an
organization may want a particular Extensible Mark-Up Language (XML)
command from an outside server to go through its firewall; at other
times, it may not. Therefore, network security is
moving away from the fortress model to one more analogous to community
policing. The fortress model, using firewalls and intrusion detection
systems, keeps intruders out, but creates bottlenecks. Intrusion
detection systems, erring on the side of caution, will often "cry wolf"
or prevent legitimate e-mail and documents from the field from getting
to their destination. The new security model assumes
bad elements will sometimes get through, but like a constable on the
beat, aims to identify and remove them before they can do any damage. Hence the shift toward more
dynamic intrusion protection systems that monitor the
network continually and make intelligent, proactive decisions to
thwart and contain potential attacks.
______________________________________________

Security means more than a firewall

An organization's information systems can be compromised in a number of ways for a number of reasons. Each involves different motives and calls for different countermeasures. Here are three specific security issues.

Theft of resources
Intruder uses fake or stolen passwords, or exploits poor control of access, to gain unauthorized use of bandwidth, storage or processing power. A typical example is wireless "wardriving," where an unauthorized user attempts to gain Internet access through unprotected corporate wireless LANs. Countermeasures include password protection and VPN tunneling to bolster basic firewalls.

Theft of data
Intruder's motive is profit or gain, either through capture or diversion of proprietary information, customer data or financial transactions. Intruder operates like a burglar, using a high degree of stealth and programming skill to avoid both detection and identification. Intruder seeks to exploit security weaknesses in servers and databases that lie behind firewalls. Countermeasures include dynamic password protection, tokens, data encryption, and strong policy management.

Vandalism/Terrorism
Intruder's goal is wholesale disruption or destruction of network resources and/or data. Weapons include worms, viruses and denial of service (DoS) attacks. The attacker needs only moderate programming skill to get past initial intrusion detection systems, but the approach is hit-and-run and targets can be widely scattered. Countermeasures include up-to-date antivirus software, effective server back-up and redundancy, and intrusion protection systems that identify real-time deviations in traffic and take proactive action.
______________________________________________

A new generation of security
software from start-ups such as Mazu Networks, Sana Security, Arbor
Networks and Webscreen Technologies is hitting the market now.
Meanwhile, more established vendors, such as Check Point Software and
IBM's Tivoli Systems, are adding new security components into their
existing product lines. In addition to large
enterprises, all these companies are looking for sales among managed
service providers, to whom businesses and organizations of all sizes
are turning over Internet and Web operations. For example, not only is
Tivoli's access management software a major component of AT&T's
internal security platform, it's part of the managed services AT&T
provides for customers such as Coca-Cola. Telus Corp., the top managed
service provider in western Canada, uses software from Arbor Networks.
Mazu Networks, which counts MTV Networks and the New York Mercantile
Exchange as customers, has been in discussions with Cable &
Wireless's Exodus Communications, which hosts Netflix, Yahoo! and
Nintendo.

Intrusion Prevention

The new systems build
statistical models of normal network traffic and usage. These models
extend to tracking levels of packet traffic from various other servers,
say an e-commerce partner, which may rise and fall regularly throughout
the course of a day or month. Should the system suddenly start
receiving large volumes of packets from heretofore-unknown addresses,
as they would in the event of a DDoS attack, the systems take
corrective action, in most cases filtering IP traffic from a potential
DDoS source. Each vendor has its proprietary approach. Sana Security
compares its method to biological immune systems: the system surrounds,
isolates and neutralizes attacking packets. Mazu Networks' PowerSecure
software can be configured to monitor deviations from network usage
patterns within organizations. This is especially important as a great
deal of computer crime involves inside access. For example, Mazu
software will set off alarms if a PC in the purchasing department shows
marked increase in transactions with a server in payroll. System security may be service
providers' major selling point through 2003. Too often a user's
approach is to put in a solution and revisit it only occasionally, if
at all. Security these days is more than an annual or semi-annual
installation or upgrade. Since new attacks are constantly appearing,
and no network is without weakness, service providers are in a great
position to bring the dedicated attention required to stay up-to-date
on new problems as well as the resources to keep their own server farms
updated with the latest defenses. It's another strength that
managed service providers bring to the equation.
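The baseline-and-deviation approach described above, as an added example that is not the newsletter's or any named vendor's code. It profiles normal packet counts per (source, destination) pair, then flags a never-seen source sending a flood (the DDoS case, a candidate for filtering) and a known internal pair, here a purchasing PC talking to payroll, that jumps well outside its usual range. Hosts, counts and thresholds are constructed for illustration.

```python
# Added example (not the newsletter's or any vendor's code): a toy baseline
# profiler that flags the two cases described above. Hosts, counts and
# thresholds are constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" traffic: (source, destination, packets per window).
BASELINE = (
    [("partner-ecom.example", "web01", n) for n in (900, 1100, 1000, 950, 1050)]
    + [("pc-purchasing-07", "erp01", n) for n in (40, 55, 48, 52, 45)]
    + [("pc-purchasing-07", "payroll01", n) for n in (2, 1, 3, 2, 2)]
)


def build_profile(records):
    """Mean and std. deviation of packets per window for each (src, dst)."""
    counts = defaultdict(list)
    for src, dst, packets in records:
        counts[(src, dst)].append(packets)
    return {pair: (mean(v), pstdev(v)) for pair, v in counts.items()}


def score_window(profile, window, sigma=3.0, flood_packets=500):
    """Alerts for one window: 'unknown-source-flood' when a source absent
    from the baseline sends a large volume (the DDoS case, a candidate for
    filtering); 'usage-deviation' when a known pair exceeds its mean by more
    than `sigma` standard deviations (the purchasing-to-payroll case)."""
    known_sources = {src for src, _ in profile}
    alerts = []
    for src, dst, packets in window:
        if src not in known_sources:
            if packets >= flood_packets:
                alerts.append(("unknown-source-flood", src, dst, packets))
        elif (src, dst) in profile:
            mu, sd = profile[(src, dst)]
            # One-packet floor so a near-constant pair still registers an increase.
            if packets > mu + sigma * max(sd, 1.0):
                alerts.append(("usage-deviation", src, dst, packets))
    return alerts


# Constructed window: partner at its usual level, two never-seen addresses
# flooding the web server, and the purchasing PC hammering payroll.
WINDOW = [
    ("partner-ecom.example", "web01", 1020),
    ("203.0.113.9", "web01", 48000),
    ("198.51.100.77", "web01", 51000),
    ("pc-purchasing-07", "erp01", 50),
    ("pc-purchasing-07", "payroll01", 60),
]

if __name__ == "__main__":
    for alert in score_window(build_profile(BASELINE), WINDOW):
        print(alert)
```

The partner's 1020 packets and the purchasing PC's 50 packets to the ERP server stay inside their bands and produce no alert, which is the point of profiling per pair rather than applying one global threshold.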
***************

First [the Dodo] marked out
a race-course, in a sort of circle, and then all the party were placed
along the course, here and there. There was no "One, two, three, and
away!" but they all began running when they liked, and left off when
they liked, so it was not easy to know when the race was over. However,
when they had been running half an hour or so...the Dodo suddenly
called out "The race is over!" and they all crowded round it, panting,
and asking, "But who has won?" This question the Dodo could
not answer without a great deal of thought, and it stood for a long
time with one finger pressed upon its forehead...while the rest waited
in silence. At last the Dodo said, "Everybody has won, and
all must have prizes." --Lewis Carroll, Alice's
Adventures in Wonderland
The Story in Brief: In their race for local exchange customers, are the Baby
Bells, AT&T and WorldCom just running in circles while the market
turns to cable and wireless companies for broadband service? And, like
the Wonderland racers, are they just waiting for the FCC to declare
everyone a winner and start distributing prizes in the form of
protected franchises? We can be certain that Lewis
Carroll did not have U.S. telecommunications policy in mind when he
described the Dodo's caucus race, but possessed of a keen sense of
satire, he would have appreciated its applicability to the recent
policy battles in Washington on local exchange competition. Last week, Federal
Communications Commission Chairman Michael Powell proposed major
changes in the unbundled network elements platform (UNE-P), the
wholesale pricing structure that requires the regional Bell holding
companies to lease network access to would-be competitors. The
proposal, which would change federally-mandated pricing policies for
central office switch access, had been expected for several months and
appears to be a response to stepped-up Bell lobbying for changes in
UNE-P, which the companies claim forces them to rent network components
-- such as switching ports and physical copper lines -- below cost. Competitors such as AT&T
and WorldCom, which have begun to make inroads in local markets against
the Bells, say they would not be able to compete -- and consumers won't
benefit -- without the UNE-P structure, which was mandated by the
Telecom Act of 1996. While the FCC has leaned toward the Bell point of
view, competitors have tended to get a more sympathetic hearing at the
state and local regulatory levels. So Powell's action could set up an
extended policy battle between federal and state policymakers. Each side has reasons for
either keeping or dumping UNE-P. But the arguments are all specious.
AT&T and WorldCom claim that UNE-P keeps rates low. True, but only
in the sense of a pyramid scheme. Regulators force the incumbent Bells
to lease at low prices. Competitors buy discounted network elements
under this pricing scheme and pass these discounts on to their retail
customers. The improved profit margin comes not from competitors' use
of better technology or more efficient use of network resources
(unlike, say, VoIP service providers), but from government meddling
with the wholesale/retail model. The difference is made up in higher
prices for other services, taxes, subsidies and "surcharges" that are
collected by all service providers.

The perception of competition

So to some extent, what the incumbents say is true: competition under UNE-P is not competition at
all; it's just a jury-rigged set-up that creates the appearance of
multiple players while doing little more than redistributing a limited
pool of revenues. Also true is that UNE-P gives competitors an
advantageous ride on network facilities in which they never invested
and are not responsible for maintaining. Whether this was the intention
of the Telecom Act is debatable, but the facts are hard to argue with.
Despite all their professed eagerness for local competition since 1996,
AT&T and MCI did not move into local exchange markets until last
year, when the Bells finally began complying with UNE-P in order to get
approval to offer long distance. At the same time, the Bells
have used UNE-P as an excuse to stop all network investment, especially
in broadband DSL, claiming that selling facilities below cost provides
no incentive for expansion. This is easier than admitting to a chronic
inability to understand the forces driving the broadband market. Where the Bells' argument
begins to come apart is when they say that every competitor should
build and own its own network. Powell apparently has embraced this
notion, stating this opinion at a Goldman Sachs conference last October
in New York, according to a report in The Wall Street Journal. Here's where complicated
logical circles begin to appear. The long-distance companies answer
this argument by noting that building out networks comparable in scope
to the Bells would be financially impractical. They are correct. But
then again, in 2003, who would want to?

Slouching toward irrelevance

The incumbent phone companies' only advantage in local service is ubiquity: they operate a well-maintained network that reaches just about every home and business in the country. But this network is only good for one thing -- point-to-point voice telephone calls.
Meanwhile, the market has begun to
respond to integrated broadband networks that can support various
aspects of personal information technology. In this environment, the
incumbents' networks, despite their ubiquity, are less and less
meaningful. This is reflected in numbers that show dial-tone access
lines steadily declining while broadband connections to U.S. households
this year -- in the midst of an industry downturn -- are expected to
increase to 20 million from 15 million. This ultimately begs the
question as to why AT&T and WorldCom are investing so much time,
money and policy energy into gaining the right to use a thin copper
wire that each day becomes less valuable. Add to that the question why
so much policy energy is wasted on companies that are bent on
marginalizing themselves from the future. It's all the more stunning
considering the fight over UNE-P reform is expected to go on for
another two years. Competitive networks are
being built. Cable companies are doing a far better job of meeting
demand for broadband than anyone right now. Next-generation wireless is
expanding and new wireless consortiums, like Cometa Networks, are
posing business models for public Wi-Fi. AT&T and WorldCom had
ground floor opportunities in both. Instead, AT&T spun off wireless
and sold its broadband cable TV operations. WorldCom ignored every
strategic wireless and broadband opportunity and instead focused on
pure size. Now both are down to the bets they've made on UNE-P and
local dial-tone competition. What they want is a free ride. But in the
end, like lots of things that come free, the ride isn't going to amount
to much, especially by this time in 2005. As for the Bells, they made the
same bet, only on the opposite outcome: that as former monopolies they
would be guaranteed some piece of the telecom future no matter what.
Now they have fallen seriously behind in terms of network technology
and broadband services. The argument that they will begin to spend once
given the incentive of "fair" competition rings hollow. Every chance
they have had to be proactively competitive in other areas --
enterprise networking, web hosting and phone retailing -- has consisted
of token efforts followed by retreat. These companies will not lead the
revival of the industry. In the end all that's left at
the incumbents and the long distance companies is an enormous
entitlement mentality that shouts: "We're big! We were here first!
Therefore we deserve prizes!" even if they've done little in the last
six years but run around in circles. -- Steven Titch
***************

A reminder to readers: The Personal Information Technology Report is a paid subscription service of TitchOnline.com. Unauthorized copying, reproduction and reposting of contents are prohibited under subscriber Terms of Use. For information on fees for reprints and PDFs for TitchOnline.com material, please contact reprints@titchonline.com.

***************

We invite your feedback. Please write to us at feedback@TitchOnline.com with questions, comments or if you'd like us to offer a trial subscription to a colleague. Thank you very much!

Copyright ©2003 Expert Editorial Inc.