Tuesday, June 26, 2007

Database security: protecting sensitive and critical information

Bankers would be considered negligent if they locked a bank's outer doors and left the vault's doors open at night. Likewise, it doesn't make sense for an enterprise to lock down the network and leave databases vulnerable. Selectively protecting the most sensitive data that is at rest in databases from unauthorized access is critical, since that is where 90 percent of sensitive information resides. There is an important distinction between network security and data security. Database security does not supersede other security technologies, such as network-layer firewalls, network monitoring, SSL-secured communications, operating system and application hardening. But data protection needs to be in place as the core element of a complete enterprise security infrastructure. There is a growing awareness of encryption technologies to protect critical corporate data. Often companies do not realize the potential amount of risk associated with sensitive information within databases until they run an internal audit which details who has access to sensitive data. Imagine the financial damage to a company that could occur if an internal employee, such as a database administrator (DBA), who has complete access to database information, conducted a security breach regarding a secret formula, confidential business transactions, or personal customer identifiers and financial information. Also, the negative impact of media coverage about any security breaches can be severely damaging to a company's reputation, sales, customer confidence, and stock price.
Deploying cryptographically enforced access control to information in the database at the bank ensures that authorized senior-level bankers can obtain the data they need. However, the encryption keys and access are not available to DBAs or other employees in the IT department. The database security solution also protects information on back-up tapes that are stored off-site. The bank secures and stores in encrypted form root-level administrative passwords and passwords to other applications and systems (e.g. operating systems, email). When considering ways to protect sensitive database information, it's important to ensure that the privacy protection process does not prevent authorized persons from obtaining the right data at the appropriate times. It is important that your database security solution is application transparent. This means there is no need to make any changes to the underlying applications. The benefits for deploying application-transparent database security are faster implementation and low support costs. A key issue to consider when purchasing a database security solution is making sure you have a secure audit-trail for tracking and reporting activity around confidential data. Additional topics that must be addressed when selecting a database security technology are fast performance, the ability to work across applications, and how easy it is to implement. IT security experts often recommend selectively encrypting and securing sensitive database information at the data-item level to ensure excellent performance. You want to wrap each individual data item in a protective security, rather than simply building a firewall fence around the database. Once a firewall fence is penetrated, or if the security breach occurs from the inside, all of the data is immediately vulnerable. One of the best ways to develop an effective database security is recognizing that securing data is essential to a company's reputation, profitability and critical business objectives. For example, as personal information such as Social Security, credit card or bank account numbers exist in more databases; there are more opportunities for identity theft. Law enforcement experts now estimate that employees commit more than half of all identity theft cases with access to large financial databases. Banks, companies that take credit cards and credit-rating bureaus have to place greater emphasis on safeguarding and controlling access to proprietary database information. Audit committees have become stringent about protecting customer-related information and corporate sensitive data. Many companies are required to comply with data-privacy regulations, best practice requirements and industry guidelines regarding the usage and access to customer data.
The 2002 Computer Security Institute (CSI) Computer Crime and Security Survey revealed that over half of the databases have some kind of breach on a yearly basis and the average breach is close to $4 million in losses. This percentage is staggeringly high given that these are only the security problems that companies are reporting. Organizations don't want to advertise the fact that their internal people have access to customer data and can cover up their tracks, take that data, give it to anybody, and stay undetected and employed while a crime is committed.
There is much more illegal and unauthorized accesses to databases than corporations admit to their clients, stockholders and business partners, or report to law enforcement. According to Gartner, an estimated 70 percent of unauthorized access to information is committed by internal employees, as are more than 95 percent of intrusions that result in significant financial losses. The insiders who commit database intrusions often have network authorization, knowledge of database access codes and a precise idea of the valuable data they want to exploit. You can assign all sorts of rights, logins, roles and passwords to restrict queries and application usage. However, if someone can simply access the database files directly (either on the server or from backup media) they can see everything and anything. Most database applications, even the most sophisticated high-end ones, store information in 'clear text' that is completely unprotected and viewable. Business executives are collectively acknowledging that the security and confidentiality of information needs to be a lot deeper than protecting only the perimeter. Implementation time can be as fast as one to three days with negligible performance considerations. Security products are most effective when they segregate the responsibilities of access to sensitive information between the security officer and database administrators. Protecting confidential database information is not just an IT function - it is a business necessity that is critical to an organization's mission.

Monday, June 18, 2007

“School On the Internet (SOI)”, an online Internet Education Project in Asia
Online education is an education training delivered primarily via the Internet to students at remote locations, which encompasses any kind of learning that, can be done exclusively online. Sometimes this learning is through free, self-study websites. Often, though, students learn through virtual universities such as the WIDE University and others. Here, I am just going to focus about the school of internet project under WIDE University running since September 1997. WIDE university is an experimental University to research about the new form of higher education on the Internet infrastructure whose sole objective is to share lectures within Asian countries.

What is school of internet?
"School of Internet" is the studying environment to learn about the Internet on the Internet. It is difficult for just one educational organization to gather enough teachers that can teach about this whole new subject and also provide sufficient educational environment for people who want to learn about the Internet systematically. The establishment of "School of Internet" will be an important guideline to set up this new educational field by coordination of different universities of Asia. SOI ASIA Project utilizes satellite based Internet to provide Internet environments in a less expensive, easy to deploy, and more feasible way for the universities located in the regions where Internet environments are insufficiently developed; conducts research and development of the necessary technology for IT human resource development in Asia while using the environments; and proposes, through field experiments, a new educational methodology for universities in Japan as well as educational institutions abroad. As of April 2007, the SOI-ASIA project has 28 partner organizations in 12 Asian countries including Nepal.
Basic working principle of the project:
The Central control system of this online class is located in Shonan Fujisawa Campus, Keio University Japan. 28 universities of aisa are interconnected through satellite network and all member universities have client server control room and SOI lab to conduct virtual class using two way video conferencing. Professors from different universities from the world and experts from different companies (like Intel corporation, etc..) are requested to provide class about new technologies. Almost classes are conducted from SFC Japan but it can also be conducted from other universities also. The basic functions of SOI are:
Entrance registration
Course registration and authorization
Lecture archive and distribution
Q&A and students communication
Submitting reports
Tests and grading
Course survey
Class and conference from distance
( http://www.soi.wide.ad.jp/aboutsoi/aboutsoi_e.html for details)
Tribhuvan University is one of the partner organizations of this project. Center for Information Technology (CIT), Institute of Engineering (IOE) is handling this project as a member. CIT has SOI server control room and SOI lab to conduct virtual classes. Series of lectures (eg: Advanced Internet Technology, Object Oriented Software Development, Disaster Management, Bio-energy etc…) are being conducted. (Follow http://www.soi.wide.ad.jp/soi-asia/lecture.html to see all lectures conducted till now). Each site has more than two formal operators well trained by the project with responsibilities to handle SOI server and conduct classes. Operators announce class time and course title to students, lecturers and professors through notices. The presentation is being broadcasted live from the central (any one member university, mostly from SFC Japan) to all universities and at the end of the presentation; students can join to the question/answer section through audio and video conferencing. Students, teachers, professors from any universities, schools and campuses can join on this class.
Technical Part:
This project is supported by several ministries of Japanese government, and ran mainly by WIDE Project, AI3 (Asian Internet Interconnection Initiatives, http://www.ai3.net/ ) Project, Keio University and Asia-SEED Institute. The official lecture providing partners include Tokyo University of Fisheries and Marine Science, Agricultural Department of Tohoku University, Japan Advanced Institute of Science and Technology, Keio University and WIDE Project

In order to develop Internet infrastructure in low cost and short span in the partner sites, and develop distance education environment on the infrastructure, SOI Asia project designed
1) Lecturer site
2) Gateway site and
3) Student site
The lecturer site can be built anywhere as long as it has sufficient bandwidth to carry lecture video and audio in good quality to the gateway site.
The Gateway site is at Keio University, Shonan Fujisawa Campus so that it has 10Gbps connection to Japanese network backbone and also has AI3 project's C-band satellite antenna that can deliver Ethernet packets in 13Mbps.
Receive-only satellite antenna has been used at the student site using UDLR (UniDirectional Link Routing, RFC3077) technology. This technology enables the Ethernet packets to go through 13Mbps AI3 link and come back through existing Internet infrastructure such as telephone line or ISDN. This technology is realized by using special UDLR box and normal router based on FreeBSD. By using this environment, it is possible to deliver good quality video and audio to the student site, and get feedbacks from the student site through various applications based on their Internet infrastructure.
Mirror servers using Linux system are placed at the student site so that they can refer to their mirror servers when seeing the archived lectures, hence they don't have to connect to remote/overseas original server. Figure below shows the network configuration overview.

Application Configuration:
Three points in application design:
1) The stream can be multicast so that we can deliver lecture stream to multiple partners in Asia 2) The stream can be delivered to places without existing Internet infrastructure and
3) Interactive session based on student site's Internet connection is possible.

DVTS (Digital Video Transport System, RFC3189) or Polycom (video conferencing system) has been chosen for the connection between the lecturer site and the gateway site, and Windows Media Player or VIC (VIdeo Conference Tool) / RAT (Robust Audio Tool) for the connection between the gateway site and the student site. Various applications are being used such as VIC/RAT, Internet Relay Chat, Bulletin Board, MSN Messenger for the feedback from the student site to the lecturer site. The student site can decide which application they will use based on their Internet infrastructure.

Importance in developing countries
This is a call for a "Grand Challenge" project for achieving truly global connectivity. For over a decade, this project has hypothesized that the Internet could raise the quality of life in developing nations. Internet infrastructure is rapidly growing in Nepal. Growth in Information and Communication Technology would definitely improve the education quality. This is the age of globalization. So world’s education standards must globalize. Such projects have major contribution to globalize world’s education standards by conducting online live education which includes technologies of developed countries and share different countries education standards.
This is not to say the activity of the past decade has been a waste. The project has demonstrated the value of the Internet and raised awareness. The United Nations and the administrations of nearly all nations have acknowledged the potential of the Internet. The way has been paved, and it is time to act on what we have learned.


Thursday, June 14, 2007

SOFTFLOWD, a flow- based Network Traffic Analyzer

Softflowd semi-statefully tracks traffic flows. Upon expiry of a flow, its statistics are accumulated and reports them to a designated collector host using the standard NetFlow protocol. Currently the statistics collected are summaries only: min/max/avg/total bytes, packets on a aggregate or per-protocol basis.

Softflowd can export using NetFlow version 1, 5 or 9 datagrams and it is fully IPv6 capable: it can track and report on IPv6 traffic and flow export datagrams can be sent to an IPv6 host. Any standard NetFlow collector should be able to process the reports from softflowd.

As softflowd watches traffic promiscuously, it is likely to place additional load on hosts or gateways on which it is installed. However, this implementation has been designed to minimise this load as much as possible. Alternately, softflowd can read pcap save files recorded from tcpdump and friends.

Unless reading from a traffic dump, softflowd run as a daemon. A "remote control" program (softflowctl) is included which allows runtime control and extraction of statistics from a daemonised softflowd.

Softflowd is developed on Linux and OpenBSD. It requires libpcap and its associated headers to build, these are available from tcpdump.org, or from your operating system vendor. As of version 0.9, there is some support for Solaris but this is still experimental.

to downlod softflowd please follow the link: http://www.mindrot.org/files/softflowd/softflowd-0.9.8.tar.gz
PGP Signature is: http://www.mindrot.org/files/softflowd/softflowd-0.9.8.tar.gz.asc

Thanks Damien Miller for such tools necessary for network/system engineers like me.