News

Is it Time for a Mainframe Security Model?

The circumstances which attended the IIS vulnerability that Microsoft Corp. patched this week served to highlight the vast differences that still exist between Windows 2000 and the Big Iron mainframe, which to this day is viewed as a reference standard in most segments of enterprise computing.

The vulnerability - which requires the presence of not only IIS itself, but also of an optional meta-search facility if it's to be effectively exploited - probably shouldn't have affected most Windows NT 4.0 or Windows 2000 installations. Yet eEye Digital Security, the Internet security firm that first identified the vulnerability, estimates that as many as 50 percent of existing Windows NT 4.0 or Windows 2000 installations could be affected.

What gives? The answer is simple: Both IIS and the optional meta-search facility in question - dubbed Index Server 2.0 in the Windows NT 4.0 space, and called simply the "Indexing Service" in Windows 2000-speak - are enabled by default during the configuration or installation of either operating system. To be precise, IIS 4.0 and Index Server 2.0 ship with, and are enabled out-of-the-box by, the Windows NT 4.0 Option Pack, while IIS 5.0 and the Indexing Service are installed by default with Windows 2000 Server/Advanced Server.

Administrators can, in fact, choose whether or not to install either service, but based on the dire prognoses from eEye and other quarters, it would appear that this option is rarely exercised. Consequently, industry watchers say that many IT organizations may unintentionally have deployed Windows NT 4.0 or Windows 2000 systems with Web and meta-search services installed - and are now seriously at risk as a result.

"I would suspect that the number is much higher than 50 percent, and I'm not sure where eEye got that number, actually," avers Russ Cooper, editor of the Windows NT Bugtraq Mailing List. "To test for whether or not this thing is out there is a difficult process, but it's also something that's installed by default."

Needless to say, most services and features are not enabled by default in mainframe environments. According to Ted MacNeil, a consultant with IBM Global Services' strategic outsourcing services who is attached to Scotia Bank in Toronto, the mainframe security model is in many respects diametrically opposed to that of Windows NT/2000 and to most other "open" systems.

"I believe the mainframe model is better than the mid-range, PC, LAN and Open Systems environments, simply because it follows the standard: 'All that is not expressly permitted is forbidden,'" he comments. "The other platforms, from what I have seen, follow the standard: 'All that is not expressly forbidden is permitted.' This makes users responsible to protect themselves, often without the necessary skills, and little, or no, help from the vendors. This leaves a lot of holes."

In mainframe environments, then, administrators must painstakingly - and laboriously - configure and customize most system services.

In the same way, suggests Jim Keohane, president of Multi-Platforms Inc., an IT consultancy in Levittown, N.Y., which provides software development expertise for mainframe and other platforms, some mainframe operating environments make it difficult for administrators to install even the services and features that they actually want.

"It is so difficult on a mainframe, especially [on an] MVS or OS/390, to do even what you have the authority to do, so that trying to do what you are not allowed to do starts off being difficult even without security."

Conversely, Windows NT/2000 - and even many Unix and Linux operating systems - ship with oodles of system services and other potentially dangerous features enabled straight out-of-the-box.

"With Windows 2000 and Windows NT 4.0, the default is a very enabled system, which requires the administrator to secure the system," explains Roger Seielstad, a senior network administrator with consulting and infrastructure management specialist Peregrine Systems Inc. "It's notable that the default installs of Sun Solaris and Red Hat Linux function much the same way, with many potentially dangerous services starting by default."
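The two policies quoted above, "all that is not expressly permitted is forbidden" versus "all that is not expressly forbidden is permitted", can be made concrete as a baseline audit of what a freshly installed server is listening on. The script below is an added example, not code from the article or from any of the people quoted in it: it parses a constructed sample in the layout of `netstat -an` output on Windows NT/2000 (the ports and addresses are illustrative, not captured from a real host), then checks the listening sockets against a hypothetical allowlist for a small file-and-print box (the default-deny posture) and against a denylist written before the web and indexing stack was known to be risky (the default-allow posture). The allowlist, denylist and port assignments are assumptions chosen for the illustration.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the layout of `netstat -an` on Windows NT/2000.
# Ports and addresses are illustrative; nothing here was captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1044      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

Listener = Tuple[str, int]

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text: str) -> Set[Listener]:
    """Return {(proto, port)} for sockets that accept inbound traffic.

    TCP sockets count only in LISTENING state.  Every bound UDP socket counts,
    because UDP has no connection state that separates a server from a client.
    """
    listeners: Set[Listener] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, blank line, or an unrecognised layout
        proto, _local_addr, port, _foreign_addr, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established or closing connection, not a service
        listeners.add((proto, int(port)))
    return listeners


def audit_default_deny(listeners: Set[Listener], allowed: Set[Listener]) -> List[Listener]:
    """'All that is not expressly permitted is forbidden': flag every listener
    outside the allowlist, including services nobody knew were installed."""
    return sorted(listeners - allowed)


def audit_default_allow(listeners: Set[Listener], forbidden: Set[Listener]) -> List[Listener]:
    """'All that is not expressly forbidden is permitted': flag only listeners
    that someone already thought to put on the denylist."""
    return sorted(listeners & forbidden)


# Hypothetical policy for a departmental file-and-print server (assumption):
# SMB and NetBIOS name service are its job; nothing else is expressly permitted.
FILE_PRINT_ALLOWLIST: Set[Listener] = {("TCP", 139), ("TCP", 445), ("UDP", 137)}

# Hypothetical denylist written before the web and indexing services drew any
# attention (assumption): it names only SNMP, so it cannot catch the web listener.
STALE_DENYLIST: Set[Listener] = {("UDP", 161)}


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    print("default-deny flags: ", audit_default_deny(found, FILE_PRINT_ALLOWLIST))
    print("default-allow flags:", audit_default_allow(found, STALE_DENYLIST))
```

Run against the sample, the default-deny audit flags the web listener on TCP 80, the RPC endpoint mapper on TCP 135 and SNMP on UDP 161, because none of them is on the file-and-print allowlist; the default-allow audit flags only SNMP, since the web listener was never added to the denylist. That gap is exactly the situation the article describes: a service that ships enabled and that nobody on site chose to run stays invisible to a denylist until an advisory names it, whereas an allowlist flags it the moment it is observed.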

Microsoft could go a long way towards making its next-generation Windows platforms - Windows XP Professional and Windows 2002 Server/Advanced Server - more secure simply by restricting the services and functionality that the operating system installs by default. But according to NT Bugtraq's Cooper, such a move would, to a certain extent, alienate the very groups that spurred Windows NT 4.0 and Windows 2000 adoption in the first place.

"What's the name of the IT guy in the department of four people who wants to do some printing and file sharing?" he asks, rhetorically. "The truth is that there isn't one, and that [often] there aren't sufficient resources so that they can start with this totally secure installation."

The announcement of yesterday's vulnerability - and the continuing preponderance of denial-of-service (DoS) attacks and of exploits that literally let attackers take complete control over mission-critical information systems - clearly demonstrates the extent to which Windows NT/2000 lag behind Big Iron in other significant respects, as well.

"How many mainframe programmers do you know who can actually bring down the whole mainframe system?" challenges Sunil Misra, managing principal of the worldwide security practice for Unisys Corp. "The problem with open systems is that they are new, and [that] the information on how to compromise them is more easily available today."

Conversely, DoS and other attacks are nearly impossible to successfully perpetrate on mainframe systems, Big Iron advocates like to point out. Indeed, IBM's zSeries mainframes boast a technology - dubbed LPAR - that lets administrators define logical partitions for different workloads (test, production and Web serving, for example) in a mainframe environment. This has the effect of securely isolating data and applications from one another - even if they're hosted on the same system. And zSeries mainframes also leverage a feature called "program execution states," which can prevent programs or services from accessing or executing pre-determined system commands.

The nearest approximation of such functionality is provided in the Windows 2000 space courtesy of Unisys and its ES7000 servers, which boast advanced system and workload partitioning capabilities, in addition to enhanced security features.

In the final analysis, most observers agree that if change is to occur, it'll be driven by end users and by software vendors alike.

"I think that there will be a behavioral change [among users], and that it'll also come in combination with changes to software and documentation," NT Bugtraq's Cooper comments. "As people's priorities shift from functionality to security, developers will change the focus of their software and the way that their software works to make security more functional and more easily managed."

Peregrine Systems' Seielstad agrees. "Microsoft still focuses their development on features, in terms of enhancing the user experience, over quality. These features are one of the reasons they have become the dominant software vendor in their markets," he observes. "Increasingly, corporations will demand better quality over flashy features." -- Stephen Swoyer