Page Two

By Timothy Dyck  |  Posted 2002-12-02

OpenHack Wrap

None of the other four, more serious test challenges—discovery of application source code, Web page defacement, theft of credit card data and ability to issue arbitrary SQL commands to the database—was accomplished.

Oracle and Microsoft both had hardening carte blanche, as long as they stuck with production software and kept the basic structure of their applications similar to the original.

Clearly, the hardening done by both companies was good enough to get their respective installations through the OpenHack gauntlet largely unscathed, but some readers questioned how realistic it would be for IT security staff and developers to harden an application to the degree that Microsoft and Oracle hardened the OpenHack application.

As one reader wrote, "First, how many companies are going to be able to afford to have a staff of Microsoft and Oracle people come to their site and lock it down? And how many companies have a staff of senior Microsoft and Oracle programmers writing the software? ... I would like to see a real test. That is, two systems are shipped in from the manufacturer; the systems are set up; and a new Microsoft Certified Systems Engineer or Oracle Certified Database Administrator has four hours to lock it down. Then open it up to the public. This is a real test. This is the real world."

As much as possible, we hope to test technology rather than people, but the human resources available will always play the main role in whether an organization's IT systems are secure.

We don't consider the steps taken by either vendor unusual or beyond the reach of a careful administrator, but one thing we have learned from past OpenHack tests is that nearly any system can be made extremely secure while still retaining adequate functionality when the right person is at the keyboard.

We felt that it took relatively few steps to harden the operating systems and Web servers on the Unix systems used in the test to acceptable levels. Individual developer and security staff experience will, of course, vary widely, given individual backgrounds.

In general, Microsoft's ASP (Active Server Pages) .Net Framework and Visual Studio .Net tools provided significant development time and application security benefits over the JSP (JavaServer Pages) platform Oracle used. However, Microsoft also took security precautions (such as extensive use of IP Security and virtual private networks) that Oracle did not, something that made the Microsoft setup more complex and tricky to manage right from the start.

Both companies took advantage of standard tools to make system hardening simpler. Windows 2000's security policy tools made it easy to apply a wide variety of security changes to the operating system once a policy file had been written. Use of standardized security policies and hardening scripts is also a very effective security methodology. (Oracle used the free Bastille Linux hardening scripts on its servers.)

Both Microsoft and Oracle have written detailed white papers describing their precise hardening processes. These are posted at OpenHack 2002 Downloads, along with several other OpenHack resources.

As we've seen before in our OpenHack tests, IT security is a global concern. The first two OpenHacks were brought down by the same hacker, Lluis Mora, who hailed from Gibraltar. The top 20 attackers of OpenHack 4, as detected by IntruVert Networks Inc.'s IntruShield 2600 IDS monitoring the site, were from eight different countries across four continents.

While running, the site weathered almost 53,000 attacks. The most common attacks detected by the IDS were primarily standard Web server attacks based on URL encoding and on directory traversal attempts to escape the Web directory tree. Other common attacks included low-level TCP/IP pokes and probes of various kinds.

Most of the Web server attacks were just background radiation from all the Web server worms now eternally circulating, looking for easy prey. Any Web server kept up-to-date on patches is safe from these attacks, and our OpenBSD-based firewalls effortlessly rebuffed the TCP/IP-level attacks.
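As an added example (not part of the original article, and not code from the IDS product it mentions), here is a small Python scanner that flags the two attack classes described above, URL-encoded and directory-traversal probes, in constructed Common Log Format lines; it decodes repeatedly so that double-encoded sequences such as `%255c` are caught, which a single decode would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the OpenHack site.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Dec/2002:10:00:01 -0500] "GET /index.jsp HTTP/1.1" 200 5123',
    '10.0.0.7 - - [02/Dec/2002:10:00:02 -0500] "GET /images/..%255c..%255cconfig.ini HTTP/1.0" 404 0',
    '10.0.0.8 - - [02/Dec/2002:10:00:03 -0500] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0',
    '10.0.0.9 - - [02/Dec/2002:10:00:04 -0500] "GET /cart/view.jsp?id=42&q=a%20b HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')  # a ".." path segment after normalisation

def normalize_target(target, max_rounds=3):
    """Percent-decode until stable (bounded), then fold backslashes to slashes.
    rounds > 1 means double encoding, e.g. %255c -> %5c -> '\\', a common IDS-evasion trick."""
    path = target.split("?", 1)[0]  # the query string is not part of the file path
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path.replace("\\", "/"), rounds

def classify(target):
    """Label one request target: 'traversal', 'double-encoding' or 'benign'."""
    path, rounds = normalize_target(target)
    if TRAVERSAL_RE.search(path):
        return "traversal"
    if rounds > 1:
        return "double-encoding"
    return "benign"

def scan(lines):
    """Return (ip, target, label) for every parseable line that is not benign."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (label := classify(m["target"])) != "benign":
            findings.append((m["ip"], m["target"], label))
    return findings

if __name__ == "__main__":
    for ip, target, label in scan(SAMPLE_LOG):
        print(f"{label:16} {ip:12} {target}")
```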

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master's of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
