With businesses, organizations, and government agencies exploiting interactive Web-based technology to deliver online services to employees, customers, and suppliers, Web servers have become the pivot point that connects authorised users to databases and internal network applications. Unfortunately, Web server architectures are exceedingly susceptible to security attacks, especially those built on general-purpose OSes.
Intrusion detection systems and firewalls do not adequately reduce the security hazards presented by applications that implement dynamic content or transaction services. Firewalls provide basic protection for services such as FTP and SMTP, but they were not designed to protect hosted applications. In addition, firewalls offer little security against manipulations of HTTP traffic.
Nor were intrusion detection tools designed to address Web server security issues. Although most security measures follow a reactive model of responding to electronic attacks, companies can take proactive measures to secure their applications.
Enter the resurrection of the TOS (trusted operating system), a relic from the early '80s developed for military and government security. Considered by many to be too expensive and complicated to implement and maintain, TOSes failed to catch on when introduced to the commercial sector and instead were pigeonholed into the financial industry. With today's corporate Web servers serving as the gateway to mission-critical e-business applications and information, however, IT departments should take a hard look at the new generation of TOSes. (Illustration: "Compartmentalization is the key.")
A TOS is simply a security-hardened version of a standard OS. TOSes come in a variety of flavors, including Sun Solaris, Hewlett-Packard's HP-UX, IBM AIX, Linux, and Microsoft Windows NT. Trusted versions of these operating systems isolate key OS functions into separate compartments, limiting the ability of intruders to access and control critical parts of a computer system, as well as preventing administrators from making inadvertent, harmful changes.
Naturally, TOSes cost more than their standard OS counterparts, and they are more difficult to administer. But because they provide a level of protection beyond firewalls and intrusion detection systems, they are suitable for e-commerce systems that are key to your business and its relationships with customers and business partners.
Then and now
Early TOSes were marketed entirely in the government arena. Designed to solve military problems associated with information auditing, these systems were rigid and nearly impossible to integrate with commercial applications. However, the need for secure e-commerce has ushered in a new generation of TOS products, such as Argus Systems' PitBull and Hewlett-Packard's WebEnforcer, which are more intuitive and easier to integrate into commercial applications that were not designed for use in an extended security environment.
Another stumbling block for first-generation TOSes was the cost of owning one. Only large financial institutions that required rock-solid security had the resources to buy and support trusted systems.
But modern TOSes won't necessarily break your budget. Argus Systems' PitBull, a security add-on available for Solaris, AIX, and Linux systems, starts at $5,000 for a single-processor system; $50,000 buys an enterprise edition. Hewlett-Packard's VirtualVault, a trusted Web server platform built on a hardened version of HP-UX, starts at $15,000; but HP's WebEnforcer software, which monitors Windows NT servers and plugs security holes, runs $3,000 per server. The most economical of all the TOS products on the market is WatchGuard Technologies' WatchGuard ServerLock, which hardens Windows NT and Windows 2000 servers and costs just $1,295 per server.
TOS vendors are continually improving their products' ease of use via wizards, knowledge base updates, and professional services to help speed adoption of the technology. Security measures will continue to evolve, but compartmentalization will always be the core feature of a TOS.
Nuts and bolts
TOSes are built around the idea of compartmentalizing information, and the same approach applies to subsystems. For example, because most ASPs (application service providers) serve multiple clients on a single back-end network, an intruder who gets in at the application level can reach all clients. With a TOS, ASPs can isolate individual clients, guaranteeing that if security were breached through one customer, no others would be affected.
Off-the-shelf operating systems typically provide a single administrator or superuser account with complete access to the entire system. A TOS takes stock of all the OS services that users may need to access and isolates them into individual compartments, providing separate administrative accounts for each. For example, an administrator may have the access necessary to perform backups but not be able to add or delete other users or alter applications. Other administrators -- or at least separate administrator log-ins and passwords -- would be required for these functions.
The concept of compartmentalization also pertains to networks. With a TOS, a user who enters a private network via the Internet could be placed in a compartment that would never allow access to any administrative commands. If the same user entered via a VPN or an internal network, then the user may be allowed to access administrative functions, depending on the criteria set for access. Authorization for administrative access or for system changes to be implemented can be based on conditions other than traditional user authentication. Today's generation of TOSes also applies the theory that, when a system is operational, absolutely no changes can be made that could undermine the stability of services.
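The three rules described above (separate administrative roles, privileges that depend on the network entry point, and no destabilizing changes while the system is operational) can be modeled as a single deny-by-default access decision. This is an added example, not code from any TOS product; the role names, operation names, entry points, and the choice of which operations count as destabilizing are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy; every name below is hypothetical, not taken from a TOS product.
# Each administrative role is confined to the operations of one compartment.
ROLE_OPERATIONS = {
    "backup_admin": {"run_backup"},
    "user_admin": {"add_user", "delete_user"},
    "app_admin": {"alter_application"},
}
# Roles that may be exercised from each network entry point.
ENTRY_ROLES = {
    "internet": set(),  # never any administrative commands
    "vpn": {"backup_admin", "user_admin"},
    "internal": {"backup_admin", "user_admin", "app_admin"},
}
# Assumption: operations treated as able to undermine service stability.
SEALED_OPERATIONS = {"alter_application"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    entry: str  # how the user reached the system


def decide(session, operation, operational=True):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if session.entry not in ENTRY_ROLES:
        return False, "unknown entry point"
    if session.role not in ENTRY_ROLES[session.entry]:
        return False, "role not available from this entry point"
    if operation not in ROLE_OPERATIONS.get(session.role, set()):
        return False, "operation outside role compartment"
    if operational and operation in SEALED_OPERATIONS:
        return False, "no changes while system is operational"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed requests: (session, operation, system operational?)
    requests = [
        (Session("alice", "backup_admin", "internal"), "run_backup", True),
        (Session("alice", "backup_admin", "internal"), "add_user", True),
        (Session("bob", "user_admin", "internet"), "add_user", True),
        (Session("carol", "app_admin", "internal"), "alter_application", True),
        (Session("carol", "app_admin", "internal"), "alter_application", False),
    ]
    for s, op, live in requests:
        print(s.user, s.entry, op, "operational" if live else "maintenance", decide(s, op, live))
```

The order of the checks matters: the entry point is evaluated before the role, so a valid administrator credential presented from the Internet compartment is still refused.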
Because TOSes impose security restrictions at the operating-system level -- where access to applications, files, network interfaces, and other system resources is granted -- they guard against attacks that firewalls and intrusion detection systems can't prevent. If your business depends on secure Web applications, a TOS could help management and IT staff rest a little easier.
Sandra Kay Miller (Sandra@elixir.com) has implemented Internet technologies in a number of corporate IT departments during the past 12 years.