This story appeared in the June 2004 issue of Web Host Industry Review magazine.
July 16, 2004 -- (WEB HOST INDUSTRY
REVIEW) -- Any discussion by an assemblage of network security
practitioners is sure to include the latest technologies and effective
best practices for keeping infrastructures up and running in the face
of hackers, viruses and all manner of other electronic threats.
It's an ongoing dialogue Web hosts could
be expected to attend to closely, but the rash of virus and worm
attacks that have menaced Web hosting providers in recent months - in
some cases bringing networks offline - seems to indicate that some
companies out there aren't getting it right.
Any security discussion must examine how
a layered approach of firewalls, intrusion detection and prevention
systems and antivirus systems can protect business. But for a seasoned
specialist fighting cyber crime and preparing for the next attack, the
business of security demands a first-things-first approach.
"People tend to build security and then
try to stuff policy into it, and it doesn't work that way. It's the
other way around," says Patrick Gray, director of X-Force operations,
the national emergency response and penetration testing practices unit
at Internet Security Systems (iss.net),
located in Atlanta. "Before we start deploying and thinking about best
practices, we have to assess our own risk if you are a hosting
provider."
The first thing Gray's staff generally
discovers on emergency response engagements to companies and hosting
providers is an exceedingly idle approach to the issues of policy that
surround network security.
"Policies, procedures and standards ought
to be documented and documented extremely well in how you do things.
That's when you can take into consideration your security
architecture," says Gray, a retired special agent with the FBI where he
headed a cyber crime task force. "Once we have our defense-in-depth in
place, we need to understand that something bad will happen. Not may
happen, but will happen. In this ever-changing environment, hosting
providers need to understand that and have procedures for responding to
an incident, be it a worm or virus outbreak or an internal problem," he
says, adding that plans need to be tested in practice drills.
"A worm appears and you are hosting
somebody's server farm and there's a Web site going down. You need to
know exactly what to do right then and there as opposed to running a
fire drill like chickens with their heads cut off. It is incredibly
important that you have emergency response procedures on the books and
know exactly what to do."
One hosting provider that Gray says has security figured out is Inflow Inc. (inflow.com). Based in Denver, Colorado, Inflow has 13 data centers across the United States.
Lenny Monsour, general manager of
Inflow's hosting and infrastructure services, echoes Gray's comments
about policies. "When I look at the way we handle any type of security
issue," he says, "an important principle is to make sure that you
address the process and policy issues first, because it has got to be
driven from the business and the business has to support the
investments they are going to make from a security perspective."
Patch management and email security are
two big concerns for Internet-based customers, and Inflow has
initiatives to address them, Monsour says.
"We just recently rolled out our
iServerCare services. There is a component of that service that helps
customers deal with the challenge of keeping up with patches and helps
them not just identify when critical patches come out, but be able to
audit their servers to figure out which patches aren't on them."
Inflow's service automates the tracking of patches, audits the software and on demand pushes patches to selected servers.
"We have actually pushed a patch out to 400 different servers, all Windows machines, and we did it in two hours," Monsour says.
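The audit step Monsour describes, working out which required patches each server is missing and which ones actually need pushing, can be illustrated with a small script. The following is an added example, not Inflow's iServerCare code; the patch catalogue, the host inventory and the patch identifiers are constructed placeholders, and it assumes the catalogue records which earlier patches a newer cumulative patch supersedes, so that a server carrying the newer patch is not reported as missing the older one and a push plan never ships both.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str            # "critical", "important" or "moderate"
    supersedes: tuple = ()   # earlier patch ids this cumulative patch replaces


# Constructed vendor catalogue; ids are placeholders, not real advisories.
CATALOGUE = {
    "KB-0001": Patch("KB-0001", "critical"),
    "KB-0002": Patch("KB-0002", "moderate"),
    "KB-0003": Patch("KB-0003", "critical", supersedes=("KB-0001",)),
    "KB-0004": Patch("KB-0004", "important"),
}

# Constructed inventory: the patch ids each host reported as installed.
INVENTORY = {
    "web-01": {"KB-0001", "KB-0002"},
    "web-02": {"KB-0003"},
    "web-03": set(),
    "web-04": {"KB-0001", "KB-0002", "KB-0004"},
}


def effective_installed(installed, catalogue):
    """Expand an installed set with every patch those patches supersede."""
    covered = set(installed)
    stack = list(installed)
    while stack:
        patch = catalogue.get(stack.pop())
        if patch is None:          # unknown id reported by the host: ignore
            continue
        for old in patch.supersedes:
            if old not in covered:
                covered.add(old)
                stack.append(old)
    return covered


def audit_host(installed, catalogue, min_severity="critical"):
    """Return the sorted list of patch ids to push to one host.

    A patch is required when its severity is at or above min_severity, missing
    when neither it nor a patch superseding it is installed, and dropped from
    the push plan when another patch in the same plan already replaces it.
    """
    floor = SEVERITY_RANK[min_severity]
    required = {pid for pid, p in catalogue.items()
                if SEVERITY_RANK[p.severity] >= floor}
    missing = required - effective_installed(installed, catalogue)
    replaced = {old for pid in missing for old in catalogue[pid].supersedes}
    return sorted(missing - replaced)


def audit_fleet(inventory, catalogue, min_severity="critical"):
    """Map each host to the patches it needs pushed."""
    return {host: audit_host(installed, catalogue, min_severity)
            for host, installed in inventory.items()}


if __name__ == "__main__":
    for host, plan in audit_fleet(INVENTORY, CATALOGUE).items():
        print(host, "needs" if plan else "is current:", ", ".join(plan))
```

Running it with the constructed data reports KB-0003 for three of the four hosts and nothing for web-02, which already carries the cumulative patch; raising the severity floor to "moderate" adds KB-0004 to web-01's plan.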
Among the company's many security
offerings is a managed email service for Exchange environments. By
managing Exchange servers, filters and antivirus software, Inflow helps
companies implement spam and email attachment scanning to remove
attachments before they reach a user's desktop.
"For a lot of our customers who are more
security conscious, we will implement intrusion prevention
technologies, a service we base around the ISS Proventia platform,"
which includes 24x7 monitoring by a security team, Monsour says.
Joshua Chen, chief technology officer at
St. Louis-based Internet hosting center Cybercon, recommends a
three-layer approach to best security practices.
"We recommend the use of multiple
security devices, not just a firewall. We use a combined approach with
Cisco routers with packet filtering, NetScreen firewalls and the Top
Layer Attack Mitigator for intrusion prevention. Each device works on
specific situations to give a broad range of protection," Chen says.
Cybercon, like Inflow, provides managed
security services. "We purchase hardware, we install it, we monitor it
and we fix it. With all of this security equipment installed, servers
have to be updated. I find that a lot of problems with worms is that
servers are not patched and that can give hackers an opportunity to get
in."
One of Chen's customers is Chicago Webs (chicagowebs.com),
a Web hosting company that recently relocated its network to the
Cybercon data center from another provider's facility near Chicago.
Pat Stangler, president of Chicago Webs,
knows first-hand the damaging effects that such an attack can have
on an unsuspecting Web hosting company.
It started around 6 a.m. on the last
Thursday in July 2003 when the same strain of a distributed denial of
service attack that hit Microsoft, CNet and a handful of other large
sites over a two-day period targeted Stangler's operation.
"We were getting hit with over 100 megs a
second and over a million SYNs a second. It was pretty intense. For a
day and a half we were down," Stangler says.
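The pattern Stangler describes, a very high SYN rate from clients that never complete the handshake, is what a SYN flood looks like to a monitoring system. The following is an added example, not code from the article or from any vendor named in it: it buckets constructed packet records into one-second windows and flags a window when the SYN count is above a threshold and almost no SYN source goes on to send the third handshake packet. The packet records, source addresses and thresholds are constructed and scaled far below the million SYNs a second in the quote; the threshold values are assumptions to tune against a real baseline.

```python
from collections import defaultdict

# Constructed packet records: (timestamp in seconds, source IP, TCP flags).
# Flags are simplified: "S" is a client SYN (handshake step 1) and "A" is the
# client's ACK (handshake step 3). Real captures also carry data ACKs; this
# toy treats any ACK from a SYN source in the same second as completion.


def build_sample_packets():
    packets = []
    # Seconds 0-4: five clients per second, each completing its handshake.
    for sec in range(0, 5):
        for i in range(5):
            src = f"10.0.{sec}.{i}"                # constructed client address
            packets.append((sec + 0.1 * i, src, "S"))
            packets.append((sec + 0.1 * i + 0.05, src, "A"))
    # Seconds 5-6: 300 SYNs per second from many sources that never ACK,
    # the half-open pattern a SYN flood leaves behind.
    for sec in range(5, 7):
        for i in range(300):
            src = f"198.51.100.{i % 256}"          # documentation range, constructed
            packets.append((sec + i / 300, src, "S"))
    return packets


def bucket_by_second(packets):
    """Per one-second bucket: SYN count, SYN sources and sources that ACKed."""
    buckets = defaultdict(lambda: {"syn": 0, "syn_sources": set(),
                                   "acked_sources": set()})
    for ts, src, flags in packets:
        bucket = buckets[int(ts)]
        if flags == "S":
            bucket["syn"] += 1
            bucket["syn_sources"].add(src)
        elif flags == "A":
            bucket["acked_sources"].add(src)
    return buckets


def handshake_completion(bucket):
    """Fraction of SYN sources in the bucket that also sent an ACK."""
    syn_sources = bucket["syn_sources"]
    if not syn_sources:
        return 1.0                                  # no SYNs, nothing half-open
    return len(syn_sources & bucket["acked_sources"]) / len(syn_sources)


def detect_syn_flood(packets, syn_per_sec_threshold=100, min_completion=0.2):
    """Return the seconds where the SYN rate is high and few handshakes complete.

    Requiring both conditions keeps a legitimate traffic spike (high rate,
    normal completion) from being reported as an attack.
    """
    flagged = []
    for sec, bucket in sorted(bucket_by_second(packets).items()):
        if (bucket["syn"] >= syn_per_sec_threshold
                and handshake_completion(bucket) < min_completion):
            flagged.append(sec)
    return flagged


if __name__ == "__main__":
    pkts = build_sample_packets()
    for sec, b in sorted(bucket_by_second(pkts).items()):
        print(f"t={sec}s syn={b['syn']:4d} completion={handshake_completion(b):.2f}")
    print("flood windows:", detect_syn_flood(pkts))
```

On the constructed data the five normal seconds show full handshake completion and are ignored, while seconds 5 and 6 are flagged; the same two checks, rate and completion ratio, are what an upstream rate limiter or IPS needs to tell a flood from a busy Web site.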
The incident response team for the
company providing Chicago Webs with data center space at the time
wasn't able to resolve the problem and told Stangler he needed to
deploy an intrusion prevention system to stop the attack. They referred
him to Top Layer Networks of Westboro, Massachusetts, for its Attack
Mitigator IPS.
By then it was Friday, and the earliest
Stangler could have the device delivered would be Monday. He flew from
Chicago to Boston Saturday morning, picked up the IPS and caught a
return flight back to Chicago.
"I had it implemented within 45 minutes
of hitting the ground and in another 30 minutes our network was back
up. The box is awesome; we haven't had one second of downtime since
putting it in," says Stangler, whose Chicago Webs mainly caters to the
development community and boasts of clients in every time zone.
To Stangler, a secure network means "the
livelihood of my clients. Period. That's our business. We are not in
the 'security' business, but we have to be these days."
It took a disaster, but Stangler got the
message. To those hosts that might prefer a faster, easier road to
understanding, Gray offers the abridged version.
"Tell them not to be comfortable," he says. "Something bad is going to happen. Just be prepared for that."