Need for server-level protection heightens

Much has been written about perimeter security using tools like firewalls, virus walls, intrusion detection, VPNs (Virtual Private networks), and DMZs (De-militarized Zones) as frontline defense. While organized external attacks receive the majority of media attention and security dollars, servers still lie vulnerable to insider attack.

Much more attention needs to be paid to issues of secure physical, software, and operational design which form the stable platform upon which to build truly secure computing platforms.

Paying attention to such issues in the design of a server at the heart of a Web application can yield a machine that is highly resistant to attack, with less reliance on the data center's perimeter defense or the secure processing capabilities of the local hardware security module alone.

Properly designed secure servers could be the base for deploying fully trusted nodes, moving the industry closer to realizing the full potential of highly distributed Web-based computing.

Although perimeter-based security techniques combined with strong password authentication, and encryption offer effective protection against external attack, they are no match for a determined inside attacker. What will be required if server-based computers are to remain the core element in the new net-centric computing environment is a shift to the multi-layered security employed in the ultra-secure world of cryptographic processing.

Over the past twenty years, computers have evolved from terminals connected to mainframes, to client/server models, to desktop machines and portable devices connected to sophisticated, multi-layer server architectures communicating across TCP/IP networks. Information processing applications have evolved into complex, interactive application modules distributed across multiple computers, linked across the Web.

One of the most critical design considerations of a highly distributed system is the requirement for each node to rely on other nodes to perform various tasks. In an open systems environment, it's important to be able to establish and rely on the identity of all the nodes in the network.

The need to reliably identify network nodes led to the creation of security protocols such as SSL and IPSec, to provide identification, authentication, access control, confidentiality, integrity and non-repudiation. These protocols rely on proven cryptographic algorithms to provide trust in a distributed network. Although these algorithms provide good protection against direct brute-force attacks, security vulnerabilities can occur in the key management systems that protect the keying material- the security provided by the algorithm is only as good as the security provided to its keying material. Therefore it is imperative to ensure that cryptographic keys are protected and managed with extreme care. The standard approach is to use a Hardware Security Module (HSM).

As the computing and networking worlds converge, the need for heightened server-level protection within the data center is increasing. A security model derived from the world of high-security cryptographic processing can be used as the basis for the design of a secure server platform resistant to all forms of attack. This model addresses three dimensions of security: physical (or hardware and facilities) security; software security; and operational Security - policies and procedures.

In addition to addressing these fundamental security requirements, a secure server also needs to offer at least four capabilities. First, scalable processing is necessary with enough power and flexibility to accommodate a variety of applications, yet still capable of offering solid security environment controls. Second, absolutely the best cryptographic processing security is needed, as well as the best possible performance. Third, it will be necessary to have comprehensive management tools for controlling the platform functionality. Finally, the development environment for applications needs to incorporate best practices security design

Designing a secure server

A secure server design can be patterned after a cryptographic hardware security module since an HSM is just a dedicated, single-purpose secure computer. The challenge is to identify how to apply the proven secure computing mechanisms of an HSM to a larger computing problem-namely that of a data center server.

A well-secured data center protects its servers with hardened physical security like extra strong doors, hinges, locks and reinforced walls. By analogy, a cryptographic HSM employs welded metal packaging and tamper detection mechanisms that will disable the device in the event of unauthorized physical access.

A secure server similarly needs to be protected against physical threats. These threats include physical removal from its operating environment, or disassembly to modify internal components, for example by replacing the internal hard drive or BIOS boot ROM. Therefore, a secure server requires specialized mechanical packaging modeled after a cryptographic HSM making it difficult, or impossible, to probe, disassemble, or modify components within the enclosure. The Federal Information Processing Standard (FIPS 140), used to measure the security of specialized cryptographic processing machines, can be used as a guide for the physical security design of a more general secure server machine.

Data centers employ perimeter security to defend servers within their walls against external electronic hacking. However, if a hacker is able to defeat the data center's perimeter defenses they can gain access to the unprotected servers behind the firewall and easily defeat them.

Most servers rely on simple userID/password authentication for access control. However, passwords are fundamentally weak and can be cracked to gain high-level access to a computer. In a matter of minutes, a motivated hacker can gain access and wreak havoc within a supposedly secure data center, without physically touching a single machine. During an attack, a hacker can load malicious code onto servers, delete files, or copy sensitive data such as credit card numbers.

This is precisely the type of environment HSMs are designed to protect. For example, the public key infrastructure (PKI) root keys contained with an HSM are among the most sensitive pieces of information stored in a data center. A secure HSM only allows its internal configuration to be modified through carefully designed APIs, to limit interaction between the HSM and the external world.

These controls are so stringent that it's virtually impossible to hack into the secure computing environment within the HSM. The operating system is carefully configured to eliminate any opportunity to tamper with the runtime environment. Cryptographic applications inside the highest security HSMs are loaded using PKI signed modules, cryptographically validated against the manufacturers' digital identity every time they are executed.

These mechanisms, used to safeguard the software environment of an HSM, can be applied to secure the operation of a server. For example, when properly configured, the use of a trusted operating system such as Security Enhanced Linux provides a runtime environment with excellent security properties. However this alone is insufficient.

Three additional mechanisms creates a secure computing environment, highly resistant to electronic hacking. First, there is a need for a secure boot process that uses cryptographic mechanisms to verify the integrity of the operating system on every boot to prevent execution of malicious code and to ensure the server always boots into a known runtime environment.

Second, digitally signed code establishes trusted application vendors and verifies digitally signed operating system modules and application code to eliminate the possibility of unauthorized applications running on the server. Third, a process authentication mechanism requires authentication of all system and application-level processes before they can be executed, and implements access policies that determine what system resources can be accessed by each process.

In a high-security data center, authentication, access control and specialized operational procedures are paramount to prevent unauthorized access to servers. Data centers also use data, access, and video logs to record the activity of equipment and employees, to maintain constant monitoring and auditing capabilities.

In addition, it may be a security requirement to have multiple authorized people in a room at the same time as a deterrent to unilateral, malicious activity. Similarly, cryptographic HSMs can require multiple security technicians to be 2-factor authenticated as a group, before sensitive configuration operations are allowed.