Denial of Security Holes Can Lead to Denial of Service - Page 2
Authentication and authorization has become increasingly important to protect specific resources. Traditionally, this has been as simple as issuing and monitoring passwords, but authentication has reached increasingly elaborate proportions with technologies such as smart cards and biometrics.
An added concern is Virtual Private Networks. What happens when a formerly secure network is connected with an unknown -- say a supplier or customer network? What vulnerabilities do they have? What is their administrator doing to make sure their network is secure?
Timothy J. Shimeall of the Software Engineering Institute Networked Systems Survivability Program and senior member of the technical staff at CERT, says "The security issues with VPNs are not with protocols or applications. They are with the VPN itself." Assumptions are that these are relatively secure networks. However, they aren't perfectly safe. The issue is trust. "Is that trust warranted? Is it in most cases?" This is a difficult issue according to Shimeall.
Several organizations routinely publish timely and useful security information online. Administrators would be well-advised to check with sites including CERT.
For example, the Federal Computer Incident Response Center (FedCIRC) released a comprehensive paper in late 2001 aimed to help administrators enact defensive maneuvers against Distributed Denial of Service (DDoS) attacks -- either before and during attacks. For instance, defending against a SYN flood, a type of DoS attack, entails reconfiguring the router or firewall to intercept packets before they reach the client.
Tools designed to monitor networks for DoS attacks, such as StealthWatch by Lancope Inc. and Arbor Networks' Peakflow DoS, have an added benefit. These tools can examine bandwidth usage and discover other network traffic anomalies, which can result in added savings.
Hartmann and others say it is vital, but often difficult, for system administrators to ensure software running on clients run is the very latest software. This includes all patches to protect against vulnerabilities. "During the CodeRed or Nimda outbreak, we quickly learned that there are literally thousands of unpatched systems or default installations," he says. "Our suggestion to administrators is to identify the vulnerable systems and then start to close one security hole after another."
Shimeall says software vulnerabilities have grown by 850 percent, "which is staggering." He says this taxes administrators who typically have to deal with some five security patches per day, on average. These security problems are preventable. "If you don't need it, don't have it," he says. "There is an upkeep expense associated with everything you have not just with those things you use. It's not a small expense."
As for automating tasks such as authentication, there are some third party services -- such as Passport or iChain -- designed to help. There are also admin tools such as Authentication Suite 4.0 from BioNetrix Systems designed to comprehensively provide means to secure networks.