To ensure the tightest security, look over what's been overlooked
- By John Breeden II
- Aug 01, 2002
John Breeden II
'When exactly did we lose control?'
This was the question I asked in the GCN Lab a while back, when a secure network integrity test seemed to spiral out of control. Nasty viruses shot across an overlooked bridge between the test bed and the secure network core. A thin-client system was mistakenly connected to both the test bed and the secure network, forming a path our management software missed.
A dejected technician, while frantically shutting down noncritical systems, answered, 'I'm not sure we ever really had control.'
It's a common situation. Security is on everyone's mind these days, but it has been overlooked in most network infrastructures. When government officials talk of regaining control of their networks, I wonder if they ever had it to begin with.
Security is more than just putting passwords on systems to stop unauthorized remote users. A good security plan is a multitiered system with both passive and active security functions.
One tier sometimes overlooked is at the local access point. The GCN Lab recently tested the Phantom Security System from Gianus Technologies Inc. of Milan, Italy, which splits the hard drive and creates a virtual hard drive that remains invisible unless activated by an authorized user.
With Phantom OS installed, the Lab staff, along with $60,000 worth of monitoring software and three engineers from Westinghouse Electric Corp., could not detect it, other than a trace element or two. Yet once activated, an entire system that had been hidden behind the main OS was available to us. That's pretty impressive for local-level security: Don't give the hacker a reason to even know data is there.
Some token security methods also can work, such as radio ID badges that force a log-off if a user moves too far away from the computer.
Another overlooked area is storage security. One way to secure stored data is with portable storage devices. If these devices are used in conjunction with an overall plan, users can move important data off-site'but only if the transport and storage of the files are closely monitored.
A third tier that is overlooked, sometimes more so than storage, is power.
If your network is under attack, you can, strictly speaking, make it secure by cutting all power to it. But that's rarely an option for government systems.
I recently had a look at PowerStruXure from American Power Conversion Corp. of West Kingston, R.I., an example of a high-availability architecture product that can fill this niche. It lets data center managers quickly meet the needs of their facility, including rack power density, voltage requirements and even a change in location.
Security planning is a race that is never won, once and for all. It's a constant struggle to stay ahead of your competition, which is anyone who wants to do your network harm.
Oh, and the cascade failure in the recent test at the lab? It was halted because we had a plan in place to deal with the problem. The viruses that hopped over the bridge were quickly zapped by our virus shields. We shut down all connecting systems as a precaution.
Because we hoped for the best but planned for the worst, we never really lost control. And with a good plan in place, you won't have to either.
John Breeden II is a freelance technology writer for GCN.