Focus on Identity

By Peter Coffee  |  Posted 2002-09-09

Enterprise IT architects in the year since Sept. 11 have also been hard pressed to cope with a flood of urgent items in more familiar domains, such as network operating systems, firewalls, virtual private networks, intrusion detection systems and anti-virus tools. The following trends are apparent.

Perimeter defense, as a viable strategy, is dead. Wireless and nomadic laptop devices, with external network connections, make it impossible to define even the physical location of the network edge. Web services make the logical location still harder to characterize.

Network protection must, therefore, focus on the identities and privileges of authorized users, using tools such as Zone Labs Inc.'s Integrity. During our review this spring, we found the product (priced at $80 per user, with volume discounts) effective in controlling client devices' Internet access on an application-specific basis.

The pervasive network can be its own worst enemy in the ease with which it propagates virus attacks. Enlisting the network in its own defense are products such as Network Associates Inc.'s McAfee Security VirusScan ASaP, which uses peer-to-peer technology.

Meanwhile, key IT vendors have been addressing concerns about out-of-the-box insecurity with a long-overdue shift toward more secure default configurations. In our tests last month of Microsoft Corp.'s Windows .Net Server Release Candidate 1, for example, we found that the installer utility detected our failure to run the Internet Information Services Lockdown Wizard and automatically disabled IIS.

Our pleasure was limited, though, by the discovery that restarting the server did not trigger any further notice of our exposures—notably, the many default extensions retained from our previous Windows 2000 installation. On the plus side, installation of .Net Server on a bare machine gave us ample warning of bad practices, such as leaving an Administrator password blank.

Poor administrative practices wouldn't be such an open invitation to attackers if systems didn't grant unrestricted superuser status. We remain strong advocates of the trusted-system architecture in products such as Argus Systems Group Inc.'s PitBull, the only technology that has yet survived one of our international Openhack events unscathed—though a successful attack on the underlying operating system kernel, specifically on a version of Solaris 7 x86, did succeed in a challenge late last year.

The message here is that every security technology—regardless of architectural merits—demands continued vigilance. That vigilance is embodied in state-of-the-art intrusion detection in products such as OneSecure Inc.'s Intrusion Detection and Protection appliance. Rather than merely relying on known attack signatures, the $16,495 OneSecure device (which we reviewed last month) uses various heuristics to detect previously uncharacterized attacks. By developing a model of normal traffic and using sophisticated analysis of attack patterns, the Intrusion Detection and Protection appliance can identify new threats while minimizing the time lost to false alarms—the goal, we're sure, of every IT administrator a year after Sept. 11.

Technology Editor Peter Coffee can be reached at The reviews cited in this story can be accessed at


Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues. Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, and he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
