Put a filter on it.

The Supreme Court ruled 6-3 on Monday that the Children's Internet Protection Act (CIPA) is constitutional. This law, passed in 2000, requires libraries that receive federal funding to install filtering software that automatically blocks content deemed obscene or harmful to minors.

Sources: News.com; Supreme Court decision

Reaction from librarians was swift. The American Library Association, the biggest organization representing libraries and librarians, condemned the ruling. "Findings of fact clearly show that filtering companies are not following legal definitions of 'harmful to minors' and 'obscenity,'" the ALA said in a statement.

The ALA called for vendors of filtering software, such as N2H2 (purveyors of Bess), NetNanny, and SurfControl, to disclose more information about what sites or content they block, and why, something the software companies have been extremely reluctant to do. The vendors claim it's a matter of protecting their intellectual property. But the librarians argue that they can't make informed purchase decisions about these products unless they know more about what they do.

That's a valid complaint. Web content filtering software has been shown to be extremely inaccurate, often letting through content that's clearly objectionable while blocking educational or research content that happens to use a proscribed word ("penis," for example). In some cases the software even prevents access to content that's merely controversial, or that runs counter to the political views of the filtering software vendor. Peacefire.org, a site aimed at promoting and preserving freedom of expression for people under 18 years old, has detailed information on many filtering products and their histories.

A recent survey by the Electronic Frontier Foundation shows that filtering software used in schools blocks far more than pornography: In fact, the software frequently blocked access to research resources that would have helped students studying topics mandated by their state curriculum. The study found that "blocking software overblocked state-mandated curriculum topics extensively — for every web page correctly blocked as advertised, one or more was blocked incorrectly," the EFF reports.

What's the ultimate impact of this ruling? It's too soon to tell. The Supreme Court, in writing its opinion, found CIPA constitutional in part because the law allows librarians to turn off content filtering when an adult requests it. But the New York Times notes that CIPA doesn't require librarians to turn off filtering on request; it only permits them to do so. The NYT story also gives a hint of the Court's divided opinions. Justices Kennedy and Breyer, both in the majority, expressed reservations about the First Amendment implications of CIPA and suggested it might be subject to review if implementing it proves too burdensome.

Some libraries can escape the impact of CIPA by turning down federal funding, but that's not much of an option for the many libraries that are already running on less than shoestring budgets.

Probably the best hope is a local one: that individual librarians, operating within the context of their particular schools, towns, or counties, will choose to implement or circumvent filtering in ways that are appropriate for the communities they serve. That's how filtering decisions should be made anyway: in real time, in context, and by human beings.

The bottom line? The Supreme Court goofed on this one. The justices, like the Congress that passed CIPA in the first place, failed to understand the limitations of filtering technology. They placed undue faith in software's ability to protect children and failed to appreciate the degree to which it hinders information discovery and research. The ruling is a boon for filtering software vendors, but it's a dismaying setback for librarians, library patrons, and democratic values.

Fortunately, the ALA, EFF, Peacefire, and others are continuing to put pressure on the filtering vendors, and the constitutionality of CIPA may yet be revisited. The Supremes have ruled, but the story's not over yet.

Defensive Postures

THE SQL SLAMMER WORM began its rampage shortly after midnight on Jan. 25, 2003. Within days, the insidious piece of code had infected more than 120,000 computers, slowed Internet traffic, crashed sites and even disabled ATMs, costing companies an estimated $1 billion in lost productivity worldwide, according to analyst firm Mi2g. The irony? Slammer exploited a vulnerability in SQL Server for which Microsoft had already issued a patch—six months earlier.

It’s not that IT administrators are lazy or negligent—it’s that locking down operating systems and applications has become an almost unmanageable job. The CERT Coordination Center recorded 417 security vulnerabilities in 1999. By 2002, there were 4,129 new vulnerabilities.

This situation makes the newest class of security technologies—intrusion prevention systems (IPSs)—look pretty good. Supplementing patches, firewalls and other traditional approaches to security, an IPS can provide security at the most fundamental levels: the operating system kernel and the network data packet. An IPS can also be cheap insurance: Host-based systems can cost as little as a few thousand dollars per server, while network-based IPS appliances typically cost between $10,000 and $90,000, plus ongoing support fees.

“It makes sense to protect the host so that if all else fails, it will have a better chance of standing alone on its own two feet,” says Bill Stevenson, information security officer for New Century Mortgage. His company has been using host-based intrusion prevention from Entercept since late 2000 as a major part of the back-field defense for its servers. So far, it’s worked: New Century’s IPS successfully repulsed Slammer.

Don’t Tell Me, Fix It!
Interest in intrusion prevention is increasing, thanks in part to a growing disenchantment with intrusion detection systems (IDSs), which notify administrators of attacks but don't actually stop them. Market maturity is also a factor, as demonstrated by the acquisition of IPS company OneSecure by NetScreen, along with planned acquisitions by Cisco (of Okena) and Network Associates (of Entercept and Intruvert).

These factors should spark significant growth in the IPS space. Market research company Infonetics estimates the combined intrusion detection and intrusion prevention market will grow to $1.6 billion by 2006, with IPS accounting for the majority of the growth.

Market Confusion
Intrusion detection vendors, such as Cisco, Internet Security Systems and SourceFire, are retooling their products to proactively stop network attacks. CheckPoint and NetScreen are adding IPS capabilities to their firewalls. And dozens of smaller vendors are touting security add-ons, secure Web servers and even ordinary firewalls as “intrusion prevention systems.”

The result is a confused marketplace. “Since there are so many different ways to detect an attack, it’s very unclear what you mean when you use a term such as intrusion prevention,” says Pete Lindstrom, research director for Spire Security, an independent analyst company.

Lindstrom and other analysts differentiate true intrusion prevention systems from older technologies, such as firewalls and IDSs, that have been updated with new "prevention" features. Broadly speaking, the new crop of IPS products falls into two categories: host-based intrusion prevention (HIP) products such as those offered by Entercept, Harris and Okena; and even newer network-based intrusion prevention appliances offered by companies including Intruvert, OneSecure and TippingPoint.

Locking Down the Host
A HIP product protects servers and workstations through software agents that sit between applications and the OS's kernel. An agent intercepts system activity at the lowest level—disk read-write requests, network connection requests, attempts to change the registry and attempts to write to memory—and either allows or denies each request based on predetermined rules. For example, an application would not be able to modify certain files or change data in the system registry. A HIP system can also block behavior that is clearly malicious, such as rewriting OS executables. The upshot is that most exploits, which depend on exactly those kinds of actions, simply won't work. Attackers might get through your network defenses to a server, but once there they couldn't do anything the policy forbids.
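To make the rule-based interception concrete, here is a toy policy engine written for this article. It is an added illustration, not code from Entercept, Okena or Harris, and every process name, path, allowlist and sample event in it is constructed. Each low-level request is checked against an ordered rule list; the first matching rule decides, and the role-based rule at the end shows how a database server that suddenly starts opening outbound connections can be stopped without knowing anything about the payload.

```python
"""Toy host intrusion prevention (HIP) policy engine.

Added example, not any vendor's code. Every low-level request (file write,
registry change, network connection, cross-process memory write) is checked
against an ordered rule list; the first matching rule decides ALLOW or DENY.
Process names, paths, allowlists and sample events are all constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    process: str   # image name of the requesting process
    action: str    # file_write | registry_set | net_connect | mem_write
    target: str    # file path, registry key, "ip:port" or "pid:<n>"


@dataclass(frozen=True)
class Rule:
    name: str
    predicate: Callable[[Event], bool]
    decision: str  # "ALLOW" or "DENY"


# Constructed policy data (assumptions of this example, not a vendor ruleset).
OS_BINARY_GLOBS = (
    "c:\\windows\\system32\\*.exe",
    "c:\\windows\\system32\\*.dll",
    "c:\\windows\\system32\\drivers\\*.sys",
)
AUTOSTART_PREFIX = "hklm\\software\\microsoft\\windows\\currentversion\\run"
TRUSTED_INSTALLERS = {"msiexec.exe", "wuauclt.exe"}
TRUSTED_DEBUGGERS = {"windbg.exe"}


def _touches_os_binary(e: Event) -> bool:
    path = e.target.lower()
    return any(fnmatch(path, g) for g in OS_BINARY_GLOBS)


RULES: List[Rule] = [
    # Patching OS binaries is allowed only for the trusted installer processes...
    Rule("allow-installer-patching",
         lambda e: e.action == "file_write" and _touches_os_binary(e)
         and e.process.lower() in TRUSTED_INSTALLERS, "ALLOW"),
    # ...and anything else that rewrites an OS executable is denied.
    Rule("protect-os-binaries",
         lambda e: e.action == "file_write" and _touches_os_binary(e), "DENY"),
    # Persistence through autostart registry keys is denied to ordinary processes.
    Rule("protect-autostart-keys",
         lambda e: e.action == "registry_set"
         and e.target.lower().startswith(AUTOSTART_PREFIX)
         and e.process.lower() not in TRUSTED_INSTALLERS, "DENY"),
    # Writing into another process's memory (injection) needs an approved debugger.
    Rule("no-cross-process-memory-writes",
         lambda e: e.action == "mem_write" and e.target.startswith("pid:")
         and e.process.lower() not in TRUSTED_DEBUGGERS, "DENY"),
    # Role-based rule: a database server that starts opening outbound
    # connections is behaving like a worm, whatever the packet contents are.
    Rule("db-server-no-outbound",
         lambda e: e.action == "net_connect"
         and e.process.lower() == "sqlservr.exe", "DENY"),
]


def evaluate(event: Event, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins. Unmatched activity is allowed here; a
    strict deployment would flip this default to DENY."""
    for rule in rules:
        if rule.predicate(event):
            return rule.decision, rule.name
    return "ALLOW", "default"


def enforce(events: List[Event], rules: List[Rule] = RULES) -> List[Tuple[Event, str]]:
    """Return the events that would have been blocked, with the rule that fired."""
    blocked = []
    for e in events:
        decision, name = evaluate(e, rules)
        if decision == "DENY":
            blocked.append((e, name))
    return blocked


# Constructed sample activity: normal work, a legitimate patch, and three
# actions typical of a compromised server.
SAMPLE_EVENTS = [
    Event("winword.exe", "file_write", "C:\\Users\\alice\\report.doc"),
    Event("msiexec.exe", "file_write", "C:\\Windows\\System32\\ntdll.dll"),
    Event("sqlservr.exe", "file_write", "C:\\Windows\\System32\\drivers\\tcpip.sys"),
    Event("sqlservr.exe", "net_connect", "203.0.113.9:1434"),
    Event("setup_tool.exe", "registry_set",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    Event("windbg.exe", "mem_write", "pid:4120"),
]

if __name__ == "__main__":
    for event, rule_name in enforce(SAMPLE_EVENTS):
        print(f"DENY {event.process} {event.action} {event.target} ({rule_name})")
```

Note the ordering: the installer allowlist has to come before the blanket "protect OS binaries" rule, or patching would be blocked along with the attack. That is exactly the tuning work that makes HIP agents take effort to deploy, and it is why the article's sources treat them as a supplement to patching rather than a replacement.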

For Stuart McClure, president and CTO of Foundstone, host-based intrusion prevention is a much-needed stopgap measure. Foundstone, a security software and services company, uses Entercept to protect its servers against known vulnerabilities without having to install security patches first. This lets the company test and install patches on a monthly schedule instead of rushing to install them as soon as they are released.

A HIP benefits from contextual information about the server being attacked, which can make it more efficient than blanket network security. “You can get a microscopic analysis of what’s going on,” says Ed Skoudis, vice president of security strategy for Predictive Systems, an IT consultancy that works with both Okena and Entercept. A HIP system on a Solaris box can safely ignore attacks aimed at Windows systems, for instance. And because they focus on behavior, HIP systems can resist never-before-seen attacks, whereas network-based IDS and IPS systems require constant updates to identify the latest worms, viruses and exploits.

There are downsides to host-based intrusion prevention, however. It’s useless against intrusions aimed at your network in general—such as denial-of-service attacks. You also need to install it on every system you want to protect, which can create a deployment headache. (HIP vendors have only recently started adding enterprise-level management tools to their products.) HIP also uses some system resources, although McClure estimates only 2 percent to 5 percent of CPU time.

What’s more, HIP systems truly are the last line of defense. “They only function when things have gotten seriously out of hand,” says Martin Roesch, founder and CTO of security services provider SourceFire. “Every car should have airbags, but wouldn’t it be nicer to avoid the accident in the first place?” Still, for providing an additional layer of security on critical hosts, HIP is a compelling option.

Network-Based Protection
In general, network systems sit "in line," intercepting network traffic, scanning it for suspicious activity, and either blocking it or passing it along. Such systems use a range of techniques, from IDS-like signature scanning (looking for telltale strings of bytes) to protocol anomaly detection (flagging a packet that violates the rules of the protocol it claims to be using, such as a request field far longer than the protocol allows).
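The two techniques side by side, in a toy in-line inspector written for this article (an added example, not any vendor's code). The signature patterns are constructed stand-ins and are not the real Slammer signature; the anomaly check uses the shape of the SQL Server Resolution Protocol on UDP port 1434, where a request is one opcode byte optionally followed by a short instance name, and the 33-byte limit on that name is an assumption of the example. Every datagram in the sample traffic is constructed.

```python
"""Toy in-line network IPS inspector (added example; not any vendor's code).

Applies signature scanning (byte pattern within an offset/depth window) and
protocol anomaly detection (for SSRP on UDP/1434) to UDP datagrams and
returns PASS or DROP with a reason. Signatures and traffic are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    offset: int = 0                  # where the search window starts
    depth: Optional[int] = None      # window length; None = to end of payload
    dst_port: Optional[int] = None   # restrict to one port, or None for any


SIGNATURES: List[Signature] = [
    # Constructed stand-in: a run of NOPs typical of a sled (noisy in practice).
    Signature("nop-sled", b"\x90" * 8),
    # Constructed stand-in for a port-specific exploit signature.
    Signature("ssrp-exploit-placeholder", b"\xeb\x0e\x90\x90\x90\x90", dst_port=1434),
]

SSRP_PORT = 1434
SSRP_ONE_BYTE_OPCODES = {0x02, 0x03}   # CLNT_BCAST_EX / CLNT_UCAST_EX: opcode only
SSRP_INSTANCE_OPCODE = 0x04            # CLNT_UCAST_INST: opcode + instance name
# Assumed bound for this example: instance names are short (SQL Server caps
# them at 16 characters); allow 32 plus a terminator before calling it an anomaly.
SSRP_MAX_INSTANCE_NAME = 33


def match_signature(d: Datagram, sig: Signature) -> bool:
    if sig.dst_port is not None and d.dst_port != sig.dst_port:
        return False
    end = len(d.payload) if sig.depth is None else sig.offset + sig.depth
    return sig.pattern in d.payload[sig.offset:end]


def ssrp_anomaly(payload: bytes) -> Optional[str]:
    """Return a reason if the request violates the protocol's shape, else None."""
    if not payload:
        return "empty-request"
    opcode, body = payload[0], payload[1:]
    if opcode in SSRP_ONE_BYTE_OPCODES:
        return None if not body else "trailing-data-after-enum"
    if opcode == SSRP_INSTANCE_OPCODE:
        return None if len(body) <= SSRP_MAX_INSTANCE_NAME else "oversized-instance-name"
    # Other opcodes exist and are not modelled here: pass rather than guess,
    # the fail-open choice that keeps an in-line box from blocking real clients.
    return None


def inspect(d: Datagram) -> Tuple[str, str]:
    """Decide PASS or DROP for one datagram and say why."""
    for sig in SIGNATURES:
        if match_signature(d, sig):
            return "DROP", "signature:" + sig.name
    if d.dst_port == SSRP_PORT:
        reason = ssrp_anomaly(d.payload)
        if reason:
            return "DROP", "anomaly:" + reason
    return "PASS", "ok"


def filter_stream(datagrams: List[Datagram]):
    """Run the inspector in-line: return (forwarded, dropped_with_reason)."""
    forwarded, dropped = [], []
    for d in datagrams:
        verdict, reason = inspect(d)
        if verdict == "PASS":
            forwarded.append(d)
        else:
            dropped.append((d, reason))
    return forwarded, dropped


# Constructed traffic: two legitimate SSRP requests, an oversized instance
# name (caught by the anomaly rule without any signature), a NOP sled on an
# unrelated port, and a short 1434 request carrying the placeholder pattern.
SAMPLE_TRAFFIC = [
    Datagram("10.1.1.5", 1434, b"\x04MSSQLSERVER\x00"),
    Datagram("10.1.1.6", 1434, b"\x02"),
    Datagram("198.51.100.7", 1434, b"\x04" + b"A" * 375),
    Datagram("198.51.100.8", 53, b"\x90" * 16 + b"\xcc"),
    Datagram("10.1.1.9", 1434, b"\x04" + b"\xeb\x0e\x90\x90\x90\x90" + b"B" * 10),
]

if __name__ == "__main__":
    forwarded, dropped = filter_stream(SAMPLE_TRAFFIC)
    for d, reason in dropped:
        print(f"DROP {d.src} -> udp/{d.dst_port} ({reason})")
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
```

The third datagram is the interesting one: no signature matches it, but the protocol check drops it anyway, which is the property that lets anomaly detection stop a never-before-seen exploit. The unknown-opcode branch shows the other side of the coin discussed later in the article: an in-line box that drops everything it does not understand will take out legitimate clients along with attackers.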

Some network intrusion prevention systems take more devious approaches to network protection. ForeScout’s ActiveScout, for instance, responds to suspicious activity (such as port scanning) by sending a specially coded, “tagged” response. If the attacker then tries to act on the tagged information, ActiveScout immediately recognizes that an attempted attack is in progress and can shut off the connection before any damage occurs.
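A toy version of that tagged-response idea, written for this article as an added example (it is not ForeScout's code, and the port numbers, threshold and traffic are constructed). A source that probes several closed ports is answered with a forged "open" reply for each further closed port it touches; since no real service was ever offered there, a later connection from that source to one of those ports can only mean it acted on the forged reconnaissance, and the sensor blocks it. The threshold keeps a single mistyped port number from getting a legitimate client blocked.

```python
"""Toy tagged-response deception sensor (added example; not ForeScout code).

Closed-port probes from a source that looks like a scanner get a forged
"open" answer (the tag). A later connection from that source to a tagged
port proves it acted on the forgery, and the source is blocked. All ports,
the threshold and the sample traffic are constructed.
"""
from typing import Dict, List, Set, Tuple

REAL_OPEN_PORTS: Set[int] = {25, 80, 443}   # constructed: services this host really runs


class TaggingSensor:
    def __init__(self, scan_threshold: int = 3) -> None:
        self.scan_threshold = scan_threshold
        self.closed_hits: Dict[str, Set[int]] = {}   # src -> closed ports it probed
        self.tags: Dict[str, Set[int]] = {}          # src -> ports we lied about
        self.blocked: Set[str] = set()

    def on_probe(self, src: str, port: int) -> str:
        """Answer a reconnaissance probe (a SYN or a UDP probe)."""
        if src in self.blocked:
            return "DROP"
        if port in REAL_OPEN_PORTS:
            return "OPEN"                     # the genuine service answers
        hits = self.closed_hits.setdefault(src, set())
        hits.add(port)
        if len(hits) >= self.scan_threshold:
            # Scanner-like behaviour: lie, and remember the lie per source.
            self.tags.setdefault(src, set()).add(port)
            return "TAGGED-OPEN"
        return "CLOSED"

    def on_connect(self, src: str, port: int) -> str:
        """Handle a full connection attempt (handshake completion or data)."""
        if src in self.blocked:
            return "DROP"
        if port in self.tags.get(src, set()):
            # Only this source was ever told the port was open.
            self.blocked.add(src)
            return "DROP:acted-on-tag"
        return "PASS" if port in REAL_OPEN_PORTS else "REJECT"


def replay(events: List[Tuple[str, str, int]], sensor: TaggingSensor = None) -> List[str]:
    """Feed ('probe'|'connect', src, port) tuples through a sensor; return verdicts."""
    sensor = sensor or TaggingSensor()
    out = []
    for kind, src, port in events:
        handler = sensor.on_probe if kind == "probe" else sensor.on_connect
        out.append(handler(src, port))
    return out


# Constructed traffic: a scanner sweeping closed ports then going after one
# of them, and a legitimate client that fat-fingers a port once.
SAMPLE_EVENTS = [
    ("probe", "198.51.100.7", 21),
    ("probe", "198.51.100.7", 22),
    ("probe", "198.51.100.7", 23),      # third closed port: tagged from here on
    ("probe", "198.51.100.7", 3306),
    ("connect", "198.51.100.7", 23),    # acts on the forged answer -> blocked
    ("connect", "198.51.100.7", 80),    # even real services are now closed to it
    ("connect", "10.1.1.5", 80),
    ("probe", "10.1.1.5", 8080),
    ("connect", "10.1.1.5", 8080),      # honest mistake: rejected, not blocked
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", verdict)
```

The point of tying the tag to the source is that it yields a near-zero false-positive trigger: a legitimate client has no way to learn about a port that was only ever advertised in a forged reply to someone else.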

Network-based intrusion prevention can be useful in situations where host-based protection is impractical and firewalls aren’t effective—for instance, against attacks that originate within your own network. University of Dayton Associate Provost and CIO Thomas Danford, like many higher education IT executives, has to deal with students bringing worms and viruses onto the internal network regularly. “Before you know it, we’ve got worms slamming around all over the place,” says Danford, who calculates that the university receives 3,200 attacks on an average day. The solution: TippingPoint’s UnityOne IPS, which Danford installed behind the firewall to shut down suspicious traffic. When the Slammer worm hit in January, says Danford, “we didn’t experience any problems at all.”

Many IT managers, however, are reluctant to trust network-based intrusion prevention, in part because of the risk of service interruption. If your IDS misidentifies legitimate traffic, the false alarm is merely annoying; but an IPS that shuts down a customer connection by mistake could hurt your bottom line. “When people need to get to your system to trade, a couple of seconds of downtime could get you a seriously irate customer,” says a chief security officer at a financial services company who declined to be named. “For automated blocking, we think [intrusion prevention] systems are not mature enough to rely on yet.”

To the extent that network-based systems rely on signatures to identify attacks, they’ll need to be updated—and they may have difficulty stopping brand-new attacks. It’s also important to consider the impact on network performance when installing an in-line system—if it can’t support your network’s maximum bandwidth utilization or introduces significant latencies, it will be a bottleneck. For that reason, many vendors are moving toward appliances (some of which support gigabit speeds), rather than software.

Where IPS Fits In
Almost no one claims that any type of intrusion prevention system will replace firewalls and other mainstays of network security outright. Instead, analysts say, these systems make the most sense as part of a layered security strategy that makes use of several different technologies at multiple points in your network.

Nor will IPS kill the intrusion detection market, at least in the short term. If an attacker makes it past your other defenses (including the IPS), an IDS provides the information you need to contain the damage and prevent future attacks.

Ultimately, predicts Richard Stiennon, a research director at Gartner, network-based IPS capabilities will be integrated into firewall appliances. The host-based IPS, say Spire Security’s Lindstrom and other experts, will likely become more agent-based, centrally managed and ubiquitous—perhaps as part of an enterprise’s overall systems management strategy. But one thing is certain: As the number of attacks and vulnerabilities continues to grow, so will interest in intrusion prevention technologies of all kinds.

“Return on security investment is something that’s very, very difficult to show,” says New Century’s Stevenson. “But you pick up the paper every couple weeks, and to know that we’ve bypassed the latest critical worm or virus that’s on the Internet—that’s return on investment.”

Intruder Alert!

Technology: Intrusion prevention systems

Anticipated benefit: Adds security to networks and computers by intercepting attacks before they do damage.

Hurdles: Network-based systems may inadvertently block legitimate traffic. Host-based systems are ineffective against denial-of-service attacks.

Estimated cost: $5,000 to $90,000

Vendors

Host-based systems:

* Entercept Security Technologies
www.entercept.com
(Acquisition by Network Associates pending at press time.)

* Harris STAT Neutralizer
www.statonline.com

* Okena StormWatch and StormFront
www.okena.com
(Acquisition by Cisco is pending at press time.)

* Sana Security
www.sanasecurity.com

Network-based systems:

* Captus Networks
www.captusnetworks.com

* Cisco Systems IDS
www.cisco.com

* ForeScout ActiveScout
www.forescout.com

* Internet Security Systems RealSecure Network Protection
www.iss.net

* Intruvert Networks
www.intruvert.com
(Acquisition by Network Associates pending at press time.)

* NetScreen Technologies IDP
www.netscreen.com
(Formerly OneSecure IDP.)

* TippingPoint Technologies UnityOne
www.tippingpoint.com

Dylan Tweney (dylan@tweney.com) is a freelance writer based in San Mateo, Calif.

Link: Defensive Postures

Parallel P2P.

More on Kazaa and Altnet: the two companies are creating a secure P2P network that will operate in parallel with the public Kazaa network — and will pay users to host files on the new network. This looks like an attempt to build a robust distribution network that will support digital rights enforcement, without having to actually buy servers and bandwidth — instead, offer users prizes in exchange for ponying up their own bandwidth. Because it supports digital rights enforcement, content creators such as the record labels will presumably be more comfortable distributing their files this way.

My assessment: It sounds complicated and unwieldy, like a 1999-era business plan. What consumers want in the online music world is something simple, easy to understand, and reliable. That's what Apple understands. I'm not sure Kazaa and Altnet do.

Books on the floor.

When I was first learning about the Web, in 1994, one of the first analogies I came across was that the Internet is like a huge university library with millions of books and journals and newspapers — except that there’s no card catalog and all the books have just been dumped randomly onto the floor.

That was a pretty handy metaphor back in those days, when Yahoo was far from comprehensive and Alta Vista didn’t even exist. It’s less apt now, but still useful in giving some sense of how decentralized and disorganized the Internet is, considered as a whole. (Of course it’s probably not even correct to consider the Internet as a “whole” any more than “the electrical grid” is a whole. The Internet is defined by its protocols, not its content or its organization. Those protocols are used in a wide variety of places, some public and some private. And even in the public parts, there are zones and dividing walls and spheres of influence. But still.)

At any rate, this page has an interesting discussion on the origins of that “books on the floor” analogy. Surprisingly, it seems to go as far back as 1992, at least, and the earliest person cited as using it is Ed Krol, in a Nov. 3 Newsday article by Josh Quittner.

At the bottom of that page, there’s a motto: “Teach a man to use the Internet, and he will leave you alone.” Now there’s a maxim that’s still valid today.
