JUNE 2004 (Vol. 37, No. 6) p. 4
0018-9162/04/$31.00 © 2004 IEEE
Published by the IEEE Computer Society
A Roadmap for Enterprise System Implementation, pp. 22-29
Diane M. Strong and Olga Volkoff
An enterprise system has the Herculean task of seamlessly supporting and integrating a full range of business processes by uniting functional islands and making their data visible across the organization in real time. If organizations can endure the implementation cost and pain, they are rewarded with large increases in both efficiency and effectiveness.
Such an integrated system, built on one database, lets everyone instantly see data entered anywhere in the system. Drawing on five years of enterprise system implementation observations, the authors developed an informal roadmap that can help managers achieve both technical and organizational objectives and reap an enterprise system's considerable benefits.
Computer Security in the Real World
Butler W. Lampson
Despite many computer security successes over the past 30 years, the security of the hundreds of millions of deployed computer systems remains terrible. A determined and competent attacker could destroy or steal most of the information on these systems. Even worse, an attacker could do this to millions of systems at once.
The chain of trust offers a sound basis for securing systems by logging and auditing access control decisions. Principals with hierarchical names are especially important. A parent can delegate for all of its children. Rooting name spaces in keys avoids any need for a globally trusted root. The basic scheme can be varied as well by, for example, changing how it stores and transmits bytes, collects and summarizes evidence for links, expresses sets of statements, and structures compound principals.
Worm Epidemics in High-speed Networks
Thomas M. Chen and Jean-Marc Robert
Ever since Melissa struck Microsoft Windows users in late March 1999, computer viruses and worms have become common and persistent. For various practical reasons, many machines remain unprotected by up-to-date software patches or antivirus software, and the Internet's emergence has made it easy to shut down many vulnerable systems either directly or indirectly. In particular, worms have become more prevalent as online connectivity, including always-on broadband access, has become ubiquitous.
Ironically, emerging high-speed networks will likely accelerate the spread of worms, especially those like Code Red and SQL Slammer. As network rates increase, the time available to respond to worm epidemics may shorten to seconds before the entire vulnerable population is saturated. Defense against such threats will require a comprehensive automated defense.
Making the Gigabit IPSEC VPN Architecture Secure
A virtual private network uses IPsec to achieve its security. IPsec provides VPNs with confidentiality, data integrity, and endpoint authentication. Additionally, the VPN provides for data compression, which increases Internet performance between sites.
Until now, IPsec VPN implementations have either used software to perform all VPN functions or added a lookaside security processor that interfaces to the host network processing components through an auxiliary control bus. These devices still require that the network processing components handle many tasks related to security functions.
To provide network equipment manufacturers with a more complete, efficient, low-risk architecture that adds powerful security processing functionality, security processors must be placed directly in the data path by using a flow-through security architecture.
A Quantitative Study of Firewall Configuration Errors
Firewalls are the cornerstone of corporate intranet security, yet network security experts generally consider them to be poorly configured. This assessment is indirectly affirmed by the success of recent worms and viruses like Blaster and Sapphire, which a well-configured firewall could easily have blocked.
A study of real configuration files, or rule sets, for a variety of corporate firewalls establishes a quality measure based on "misconfigurations" that violate established best practices. The study correlates the quality measure with other factors, specifically the operating system on which the firewall runs, the firewall's software version, and rule-set complexity. The results clearly show that corporate firewalls are often enforcing poorly written rule sets; they also offer some useful observations for improving rule-set quality.