All locked up and no way in?

There's no such thing as a secure network - just ask Microsoft! So if Bill Gates' crew is vulnerable what about the rest of us? Frank Booty finds out.

How secure are the Unix and NT/W2K platforms for e-business? Do note first that no system can be guaranteed to be 100 per cent secure. Certainly not business involving use of the Internet. All an organisation can do is to make it as difficult as possible for anyone to break in. But even then, believe me, they'll still try.

The Internet is far from realising its full potential. Business-to-consumer e-business is far from active with but 8 per cent of the EU's population aged 15-plus ever having made a purchase over the net. The promise lies with B2B. Over 70 per cent of today's Internet activity is limited to e-mail, the current killer application, and information research (source: i4NET).

With up to 59 per cent of business Internet usage said to be not business related, and given the opening comments, the Internet doesn't seem like fertile business territory. Analysts have been having a field day with projections and mind-boggling market valuations. Forrester Research forecasts 'many trillions of dollars' for e-business by 2004. Aberdeen Group believes companies are realising savings of up to 70 per cent in time and costs by moving purchasing online. Yankee Group expects e-sourcing to become the primary IT buying strategy for mid-sized companies by 2004. It's left to IT analyst Martin Butler to cool expectations saying it could take 20 years for e-business to become integral to the business arena rather than the four hitherto expected.

Security is one of the key stumbling blocks preventing the widespread and wholesale take-up of e-business and Internet trading. Now, the Internet Security event is planned for 23-25 October at London's ExCel exhibition centre, its timing validated by this summer's public Internet security blunders by Barclays Bank and the Consumer Association.

Chunk of the internet
Unix servers make up a large chunk of the Internet (80 per cent of ISP applications are delivered over Sun hardware, and 15 of the top 20 ISPs run on the Sun platform), NT sits at department level and W2K at enterprise level. Talk is of 'over 314' holes in both NT and W2K, with scant reporting of the Unix situation.

Earlier this year, BT Ignite president Vernon Irvine said his organisation chose to work with Sun 'because of its reputation for delivering Internet solutions with the highest levels of reliability, availability, scalability and security'. The Abbey National bank consolidated NT servers from its mix of mainframe, Sun Unix, NT4 and Windows desktop platforms on a ratio of 15 NT servers to one W2K advanced server. The more servers there are, the more support staff are needed, the higher the maintenance costs - and the greater the security risk. Reducing the number of servers ('server sprawl') helps ease, but doesn't solve, security issues.

According to defacement-tracking site NT received 54.41 per cent of all recorded OS attacks between August 1999 and April 2001. Some of the lesser-known OSs accounted for as little as 0.1 per cent of all OS attacks.

'But despite the difference in number of attacks, companies that employ alternative Unix based systems could well be at greater risk,' said Entercept Security Technologies European vp Iain Franklin. 'It's no secret NT is the hackers' favourite OS.'

Reasons for the great difference? 'Microsoft is the better known of the systems, and it has more known vulnerabilities, more enemies,' said Franklin. 'The paradox is qualified systems and security staff are much easier to find for Microsoft products. Unix qualified resources are more difficult to find, and are generally more expensive. Consequently Microsoft has become the platform of choice, not because it's more secure, but because people understand how to run it. It fulfils the basic commercial need of having people around who can manage the systems, understand them, and are available.'

Franklin said Unix based OSs are not often targeted in Web defacement attacks, as they're not outward-facing, and tend to sit in the background serving databases and running back-end applications. 'If a hacker has the knowledge to get into these systems, it's more than likely he'll know how to access everything running on it. Here, a hacker accesses a server, knows exactly where to go to get what's needed, and be out of the system without anyone ever knowing. This is where the most damage can occur; confidential company data can be altered, poisoned or deleted, credit card details obtained, and confidential customer information exploited.'

Analysts at IT watcher Xephon looked hard into e-security in late 2000. 'We asked corporate users how they rated the security of data on S/390, Unix and NT,' said director Mark Lillycrop. 'On our scale of 0 to 10, the mainframe rated just under 9 out of 10, Unix 6.7 and NT 5.5. But the interesting thing was that while the mainframe scores were pretty consistent, Unix and NT both varied widely, from very good to pretty poor.'

Good products
Xephon believes there are some good security products available for all these platforms, but they're not necessarily well implemented. The S/390 has always operated like a fortress, with RACF, ACF2, etc, guarding the entrance. Unix has gained some of that security mentality as it has matured in the business world, but NT for many years was delivered and acquired with scant regard for security. W2K is much more secure, but because of the enormous legacy of older NT systems out there, new vulnerabilities are exposed as quickly as the old ones are repaired.

'Microsoft assumes that users will dutifully install every security patch and upgrade it cares to issue, but this presents some enormous asset management problems for customers. That's one of the reasons why a lot of companies are tending to consolidate their e-business systems onto larger, more secure systems.'

'The relatively unknown quantity here is Linux,' said Lillycrop. 'Its supporters say it is virtually virus-free, but that's only because it hasn't had the exposure of Windows. Again, Linux has good security tools, but they need to be rigorously implemented.

'The secret, whatever platform you choose, is a good, formal e-business security policy, cascaded throughout the company from the board down,' said Lillycrop.

There are issues with every type of OS, although some aren't so obvious as others. 'While most people in the industry associate Microsoft systems with poor security, sometimes unfairly, it seems the exact threats may not be as damaging as those faced by other systems,' said Franklin.

Anti-virus specialist Sophos' senior technology consultant Graham Cluley said: 'As of September there are some 70,000 viruses out there. The good news is most are not 'in the wild', and most are not successful. But with the numbers increasing by 1,200 every month, it's important companies do use anti-virus software, do pick up techniques and tricks from Web sites for free, and do train users. The weakest link is still the users. One person could receive a dubious e-mail, double click and then destroy the data at his server. Damage can ensue to the company through the e-mail being passed to other companies and customers, who would react adversely against the sending company. That's much worse than destroying data.'

Dangerous belief
But users must realise that even anti-virus software isn't perfect. It's dangerous to believe otherwise. Just as it's dangerous to believe viruses only cause problems when they're featured on TV's 'News at Ten'. Every day, servers are being hit by viruses.

Original Software, meanwhile, has a bee in its bonnet over testing. It believes exposure for companies in e-business is not so much because of lax security, but more often because of simple human error. Many companies give security the consideration it rightly deserves, but often miss the obvious exposures in more basic areas, which can have a much higher impact. Just face it, we all make mistakes; the trick is to spot and eliminate them before they become public. Every week there's a news story about another Web site gaffe, and most are down to poor testing.

Franklin asserted businesses need to be knowledgeable, and aware of the threats and remedies available for the systems they deploy. The strongest OS for the business will only fulfil its potential if complemented with an awareness of its vulnerabilities. The company Access 360 puts on a neat spin with its 'security is a process not a product' philosophy.

Remember - nothing can be guaranteed to be 100 per cent secure, especially where the Internet is involved.

Case studies
Web server protection software from WatchGuard Technologies is aimed at sites running Microsoft IIS on NT and W2K servers. Known as AppLock/Web, and costing £423, the software comes with a one-year subscription to the LiveSecurity Service, providing electronic technical support and software updates (sold through the channel, resellers are listed at The software stops unauthorised changes to protected resources and prevents damage. It prevents changes and reconfiguration of the OS and IIS application, the entry points for most hacks. System administrators must first unlock the web site through AppLock/Web before any changes can be made.

Boston Architectural Centre (BAC) is using the software to protect its Web site and was attracted by the simplicity of the approach. Network and system administrator Arthur Bright said: 'I was impressed the installation of a security product could go so quickly.' Royalblue Group PLC, global developer of help desk software, is using AppLock/Web to lock down its US customer support Web site. IT manager Daniel Amatulli said: 'Soon after installation, we discovered our site was getting hit by hacks. The software stopped them from doing any damage and really opened my eyes to the vulnerabilities of IIS.' IDC's security research manager Charles Kolodgy said: 'The fundamental building block for security is contained within the OS. Effective security processes need to be protected from manipulation at the OS layer. WatchGuard is addressing this need through its kernel-level approach to preventing Web site defacement. Its automatic configuration and one-button interface should make this an attractive product to the large IIS installed base.'

Gartner's research director Richard Stiennon opined that 'hardening and protecting OSs is a fundamental security measure all enterprises should take for all their servers, particularly those publicly accessible via the Internet', adding: 'Large enterprises require security solutions with unified management support across Microsoft and Unix platforms'. No surprises then that WatchGuard has come up with products to protect Solaris 7/8 environments, working in tandem with products for Microsoft platforms.

Security products
1. TECS, the encyclopaedia of computer security, has some 900 products covering all platforms detailed in its free online security products database, so listing them all here would take up about 1,000 pages. Each entry in the database provides a description and list of key features, as well as pricing details and a link to the vendor's web site. Intrusion detection, vulnerability scanning, secure e-mail, access control and firewalls are all listed. The database can be found at or tel: 01626 836838.

The database does feature a 'platforms' section, which has to be manually searched. Editor Kevin Townsend said: 'We are introducing an electronic buyers' guide which enables full text searches to be carried out. For a fee of £20, special to readers of IT TODAY (the normal rate is £30), users can download the guide.' The site gets over 30,000 different new visitors every month, increasing every month for the past 18 months. 'We're also introducing an 'asktecs' facility, allowing visitors to the site to ask questions to which free answers will be provided from the 100-plus security experts we have signed up around the world,' said Townsend.

2. Organisations should practise safe computing by drawing up a set of guidelines. An example can be found at Sophos also offers a reference guide Computer viruses demystified which explains the practical measures managers can take to protect computers, describes the different kinds of computer virus, and looks at the exploits of hackers. A pdf file version of the book is available at
