Security Team Goes to School of Hard Knocks

Jude learns the hard way how disappointing vendor training programs can be

Last week, I complained about how dull the courses I was attending were. This week, my frustration got the better of me and my staff walked out - and one-third of the people in the course followed me.

I've been training on some products supplied by Atlanta-based Internet Security Systems Inc. (ISS). Last week, I discussed Internet Scanner (very good) and System Scanner (good product, poor interface), both of which scan systems to find security holes. This week, our training was on RealSecure, intrusion-detection software from ISS.


This Week's Glossary

Primary domain controller (PDC): In a Windows NT network, this is the domain server that contains a master copy of the security system, user accounts and computer databases that are used for authenticating users. Each domain has only one PDC, although several backup domain controllers may stand ready to take over if the PDC fails.

DMZ: The "demilitarized zone" is a segment of the corporate network outside of the firewall that separates public-facing machines such as Web servers, SMTP servers and file transfer protocol servers from the private corporate LAN. Any connections between these public servers and the internal LAN must pass through the firewall. This protects the networks inside the firewall from being attacked from the public servers if they ever were to be compromised.

LINK:

Bethesda, Md.-based SANS Institute's recently released "Expert Predictions for Security Trends in 2001" report is fascinating reading — and definitely a better learning experience than my recent training class.


RealSecure is an interesting product for any security manager. In the same way that virus scanners scan all passing data to look for predefined virus signatures, RealSecure's agents scan all passing network data or all activity on their server to search for predefined attack signatures.

In effect, RealSecure acts as a burglar alarm for your systems - and it's one of the most flexible and adaptable burglar alarms you'll ever see.

Interface Problems

Although the product itself seems to be very good, the interface sucks. Just as with System Scanner, I encountered a host of little problems that don't cause too much trouble individually but combine to render the product quite difficult for me to use.

These problems are relatively minor if you just run a small installation of RealSecure. For example, RealSecure installs agents on each server or network segment that you wish to monitor and then sends all the alerts to a central console. To get an agent to report to a console, all you need to do is click the mouse four times and wait a couple of seconds.

That's a trivial operation if you're looking at four agents, but 400 is a completely different story. Just to cap that off, every time I shut the console down and reopen it, the agents disappear. Time to start again: click, click, click, click, wait . . . one. Click, click, click, click, wait . . . two.

In fact, of the two large RealSecure installations I've seen, neither one uses the RealSecure console. Luckily, ISS provides a command-line facility, so you can bypass many of these design flaws. This should make the product quite usable.

Incidentally, the manager of one of these large installations describes ISS as very responsive to criticism. He says ISS has met every commitment it's made to him, which sounds like no vendor I know.

So why did I walk out of the training course? Two reasons: First, it was on Version 3.2.1 of the product; we use Version 5.0. The first time we heard of the difference was on Day 1 of the course. That's not exactly managing expectations.

But we could have put up with that if the course had more to do with the product. Instead, it started with the usual marketing spiel. Why bother when we've already bought the products? Then the trainer launched into a basic tutorial on security - policies, passwords and so on. It was all stuff you really ought to know if you're going to be doing security work, but it had little place in a product-specific training course. All of my staff at the course already knew this material - in some cases, much better than the trainer.

Again, I could have put up with that, but my frustration boiled over when the trainer admitted that there were about two hours of product-related content in the two-day course.

We had five staff members at the training course, two of whom had taken trans-Atlantic flights to get there. Add the opportunity costs of lost work and the training costs per person for the two days, and suddenly those two hours become some of the most expensive bits of tuition I've ever seen. This is a textbook example of how to sour a customer relationship in one easy lesson.

Overall, my impression of ISS is that the company is run by highly focused, highly technical people who design products for people like themselves, perhaps without enough thought to training. That's great if that describes you, but a better description of me is that of a busy manager who wants a simple life. I have a feeling this product is going to cause me headaches.

And a word of warning for anyone hiring staff to work on ISS products: If your prospective employees start boasting about ISS "certifications," I wouldn't take too much notice.

The System Scanner and Internet Scanner certification tests are open-book, 25-question multiple-choice exams, with the trainer on hand to answer any questions that you can't. Those people who did manage to get a question wrong had their papers handed back for another go. Not exactly a rigorous test.

Rolling Into the DMZ

Training disappointment aside, now it's time to plan the rollout on our systems. We're going to be using Internet Scanner to look at all our networks from publicly accessible points, such as the Internet gateway and Remote Access Server, so that we can see the same security vulnerabilities as any attacker might see.

We'll then install System Scanner agents on all high- and medium-risk servers, such as primary domain controllers, servers in our DMZ, Web servers and so on, plus one more agent on a representative standard-build Windows NT server and one agent on a standard-build Unix server. That way, we'll have all our important machines explicitly covered and a fair idea of what's happening on our file and application servers.

Finally, we'll install RealSecure on all network segments, plus one agent on the inside of the firewall and another on the outside. We can then double-check what our firewalls are stopping and what they're letting through.

Because of the limitations of the System Scanner and RealSecure consoles, we'll put each on a separate NT server in our machine room and access them remotely, so we can leave them in as steady a state as possible.

We also have to classify our servers by risk, so we know exactly which ones to monitor, and work out where on the network we need to put the RealSecure network consoles.

Although Internet Scanner can be used through a firewall, it will probably give better results if we attach it directly to the network segments we want to scan. Otherwise, if we scan a network segment through a firewall and the scan shows that a particular vulnerability isn't present on that network, we don't know whether that's because we've already secured the network segment or because the firewall is blocking the scan attempt.
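One way to make the two vantage points actionable, as an added Python example that is not ISS code and not part of the original column: it pairs a through-the-firewall scan with a direct on-segment scan and classifies each check, so a "not found" result through the firewall is never mistaken for "fixed". Check names and results are constructed for illustration.

```python
"""Reconcile scanner results taken from two vantage points.

Constructed example (not ISS code): a check that comes back "not found" when
scanned through a firewall is ambiguous (the host may be fixed, or the firewall
may simply drop the probe). Pairing it with a scan taken directly on the
segment resolves the ambiguity and also shows what the firewall lets through.
"""
from enum import Enum


class Verdict(Enum):
    EXPOSED = "vulnerable and reachable through the firewall"
    SHIELDED = "vulnerable on the segment, but the firewall blocks the probe"
    FIXED = "not vulnerable (confirmed by the direct scan)"
    INCONCLUSIVE = "not seen through the firewall and no direct scan to confirm"
    CONTRADICTORY = "found through the firewall but not directly: re-check"


def reconcile(direct, through_firewall):
    """Both arguments map check_id -> True (vulnerable) / False (not found).
    A check missing from `direct` means the direct scan did not run it."""
    verdicts = {}
    for check, seen_outside in through_firewall.items():
        seen_inside = direct.get(check)  # None -> not scanned directly
        if seen_outside:
            # Reachable from outside; only a direct "not found" contradicts it.
            verdicts[check] = (Verdict.CONTRADICTORY if seen_inside is False
                               else Verdict.EXPOSED)
        elif seen_inside is True:
            verdicts[check] = Verdict.SHIELDED
        elif seen_inside is False:
            verdicts[check] = Verdict.FIXED
        else:
            verdicts[check] = Verdict.INCONCLUSIVE
    return verdicts


def needs_attention(verdicts):
    """Checks a manager must still act on or re-scan, sorted by name."""
    urgent = (Verdict.EXPOSED, Verdict.INCONCLUSIVE, Verdict.CONTRADICTORY)
    return sorted(c for c, v in verdicts.items() if v in urgent)


# Constructed sample data; check ids are made up, not real ISS check names.
DIRECT = {"smtp-relay": True, "nt-null-session": True, "ftp-anon": False}
THROUGH_FW = {"smtp-relay": True, "nt-null-session": False,
              "ftp-anon": False, "snmp-public": False}

if __name__ == "__main__":
    for check, verdict in reconcile(DIRECT, THROUGH_FW).items():
        print(f"{check:16} {verdict.value}")
    print("needs attention:", needs_attention(reconcile(DIRECT, THROUGH_FW)))
```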

So for portability, we'll put it on a laptop and physically take it around to our target networks. I must remember to make sure that every scrap of data on that laptop is encrypted at all times - I don't care to think of the fuss if we lost that laptop.

That makes three purchase requisitions, one piece of network topology and a minor risk assessment to do. Who knows, in a few months, I might be ready to start up the software itself.

• This journal is written by a real security manager, whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com to help you and our security manager - let's call him Jude Thaddeus - better solve security problems. Contact Jude at jude.t@lycos.com or click on Computerworld.com's Security Watch community forum to participate in discussion topics.

Copyright © 2000 IDG Communications, Inc.
