Monday, May 23, 2005

US PROTECTING CONSUMER DATA BY COMBINING SOFTWARE AND HARDWARE SECURITY DEVICES
Protecting Consumer Data on the Cheap
A mandate to protect individuals' personal data in the agency's databases isn't accompanied by any extra funds. By C.J. Kelly

In my last column [QuickLink 53861], I discussed how I was called upon to do a fiscal-impact analysis of a privacy bill that was going before our state legislature. The bill is expected to pass soon and become law. And when that happens, state agencies like the one I work in, as well as private businesses, will be held accountable for any disclosures of individuals' personal information.

Despite my conclusion that complying with this law would require several hundred thousand dollars for just my agency, we and other state agencies might not receive any additional funds to comply with the mandate. So how do I go about protecting all the personal information that resides in our databases and servers and traverses our network?

No single hardware device or software application will be adequate. My best option is to use open-source tools and existing hardware to configure and install an intrusion-detection system. The IDS will let us monitor network intrusions and attacks and investigate the possibility of data such as Social Security numbers leaving or traversing our network in plain text. At least it's a start.

Do-It-Herself

In all my previous, private-sector jobs, I managed the people who configured and installed such systems. Although I have analyzed the data from these systems, correlated the information with output from other sources, given direction to staff and approved plans related to the placement of network taps, network monitoring appliances, firewalls, VPN concentrators and other security devices, I have never built such a device with my bare hands and put it into production. I am unaware of anyone within the state system who has walked down this path before. But that could be a case of the right hand not knowing what the left hand is doing; state agencies are fairly autonomous, and while efforts are under way to improve collaboration and the pooling of talent in the security arena, there doesn't appear to be a strategic plan. So people like me just muddle along, trying to do the right thing.

I'm a bit hesitant. Can I do this? To master the software I have selected -- Red Hat Inc.'s Fedora Core 3, Snort, MySQL and BASE, as well as Apache, SSL and PHP -- I will have to rely on my little-used *nix (Unix and Linux) skills, as well as white papers and how-to articles written by those much more experienced than me in the nuts and bolts of all this. I can also consult newsgroups and call on many friends and colleagues. And I know that help will be readily available from the open-source community, perhaps the most collaborative group of people on the planet.

For those of you unfamiliar with these particular pieces of software, here's a short primer: Fedora Core 3 is Red Hat's free distribution of Linux. Snort can be described as a lightweight network IDS capable of performing real-time traffic analysis and packet logging for IP networks. ("Real-time traffic analysis" is a bit of a misnomer. The type of IDS I intend to build is a passive system; it will watch network traffic and be able to send alerts when rules are violated, but it will depend on a human being to watch for the alerts and react accordingly. In contrast, an intrusion-prevention system sits in-line and either passes or denies traffic based on a configurable rule set.)

Snort can also perform protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, Common Gateway Interface attacks, Server Message Block probes and operating system fingerprinting attempts. It uses a rules-based language to describe the traffic that it should be collecting, and it has a real-time alerting capability.
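As an added illustration of that rules language (these rules are not part of the column), two local Snort rules that flag what looks like a US Social Security number crossing the wire in plain text, one of the things the author wants the sensor to watch for. The $HOME_NET and $EXTERNAL_NET variables are assumed to be defined in snort.conf, and the sid values are arbitrary picks from the local range (1000000 and up).

```snort
# local.rules (added example, not from the column): look for strings shaped
# like a US Social Security number in plain-text TCP payloads.
# Assumes $HOME_NET / $EXTERNAL_NET are set in snort.conf.
#
# The pattern is NNN-NN-NNNN with the structurally invalid values excluded
# (area 000, 666 and 900-999; group 00; serial 0000), which cuts down on
# phone numbers and order ids that happen to have the same shape.

# Outbound: a host on our network sending an SSN-shaped string to the
# outside. flow:established,to_server limits the check to real sessions.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL POLICY possible SSN in cleartext, outbound"; \
    flow:established,to_server; \
    pcre:"/\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/"; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# Internal: SSNs moving between hosts inside the network, for example a web
# application talking to a database without SSL. Same pattern, other direction.
alert tcp $HOME_NET any -> $HOME_NET any ( \
    msg:"LOCAL POLICY possible SSN in cleartext, internal"; \
    flow:established; \
    pcre:"/\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/"; \
    classtype:policy-violation; \
    sid:1000002; rev:1; \
)
```

Both rules run a regular expression over every established TCP session, which is expensive on a busy SPAN port; in practice restrict them to the ports of the applications that actually handle this data, and expect to tune out false positives before trusting the alert count.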

MySQL is a multiuser, multithreaded SQL database server that comes bundled with Fedora.

PHP, a widely used general-purpose scripting language that's well suited for Web development, and Apache Web server software (utilizing SSL -- Secure Sockets Layer -- for security) are available with Fedora Core 3.

BASE, for Basic Analysis and Security Engine, is based on the Analysis Console for Intrusion Databases (ACID) project code and is now recommended as a replacement for ACID. This application provides a Web front end to query and analyze the alerts coming from the Snort IDS.

Once I decided on the software, I had to find hardware capable of running it and performing the network monitoring and analysis. I had to take what I could get, though. I found a Dell desktop that wasn't in use. It had an 80GB hard drive, 256MB of RAM, a Gigabit Ethernet network card and a 1.6-GHz CPU. From what I have read, this should be adequate, but there's no way of knowing until the system is tested in real time.

I decided to concern myself only with intrusion monitoring for headquarters and not the branch offices, simplifying the number and placement of sensors. I had already requested that a span (mirrored) port be configured on the primary switch, and I tested it using Ethereal packet analysis software. I know this isn't the perfect scenario, but again, it's a start and better than nothing.

Before beginning the software installations, I looked for a how-to guide (instead of my usual approach, which involves installing software, making mistakes, reinstalling and so forth). The fellow who wrote the guide, Patrick Harper, will surely hear from me, since he states that his document is for the "Linux newbie, as well the Snort newbie." I will let you know how this turns out in a couple of weeks, and I challenge any interested security managers to do this with me -- all by yourselves. Don't let the engineers have all the fun. What do you think?

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussion in our forum: QuickLink a1590

To find a complete archive of our Security Manager's Journals, go online to:

computerworld.com/secjournal
