OS
Guard Dog
By Richard Thieme
Can you afford to
get Argus Systems's PitBull? Can you afford not to?
Argus Systems Group Inc.
(www.argus-systems.com) offers a product that--depending on who you
are--may or may not revolutionize your entire approach to security.
Not bad for a company you've probably never heard of.
It's called PitBull,
a software solution that the Savoy, Ill.-based company markets as
a high-performance, high-security platform for Internet-based e-business
processes. The product transforms the Solaris 7 operating system
into a secure OS and a suitable platform for e-commerce. "PitBull
is as much about solving real problems in the e-commerce space as
it is about security," says Jeffrey Thompson, an Argus staffer whose
business card actually reads "Software Evangelist and Visionary."
Argus launched PitBull
in 1993 to secure the Solaris platform for government clients, but
soon realized that the product (then named Gibraltar) provides a
complete solution that meets the e-commerce need for a secure OS.
Gibraltar became PitBull five years later, when Swiss banks wanted
the platform and Argus revised it for commercial use. Today, the
original standalone version of PitBull (called PitBull Foundation)
has grown into what Argus calls the PitBull .comPack, a software
suite that adds modules and enhancements in ease of application
and configuration. The less expensive PitBull Foundation is still
sold separately.
Reviews of PitBull have
been mixed. Few people question the growing importance of OS kernel-level
security, which is where PitBull and similar products--such as Hewlett
Packard's Virtual Vault--place their focus. Even fewer question PitBull's
robustness and suitability to this task. On the other hand, some
question PitBull's high price tag and installation/configuration
complexity. The verdict seems to be: This is a great product, but
for whom?
Security Space(s)
The connection of networks
into ever larger and more complex configurations has changed the
"space" in which we do business. Complexity must be managed in ways
that ensure an appropriate level of security to clients, customers
and partners. The gray area in which easy access and usability conflict
with the need for secure boundaries is growing larger by the day.
Given this evolving landscape,
Argus is betting the farm that a secure operating system will be
deemed a necessary (not just desirable) component of enterprise
security…and that PitBull will be seen as the preferred means of
achieving it.
Traditional security
measures functioning at the application level can be bypassed if
an attacker gains access to the operating system. By securing the
OS itself, PitBull isolates an attacker inside a cul-de-sac of the
specific component they penetrate, rendering them as helpless as
a scorpion on a sticky pad. When you install PitBull, you overwrite
the commercial Solaris kernel with a Solaris kernel modified for
security (the product also works with AIX, UnixWare and Linux).
PitBull becomes the OS, but it's still a commercial Solaris 7 kernel,
not a derivative. In other words, the fundamental security layer
is moved down to the OS level, where decisions are made about access
to file systems, devices and processes. This allows the system to
deny or allow access to specific Web pages or fields in a database
record.
PitBull's approach to
the problem of OS security naturally raises a number of questions:
- Is the PitBull suite
really on the cutting edge of network security and the way of
the future, or is it an expensive, technically challenging
security solution? Is PitBull really necessary if admins and
operators are fastidious in keeping the OS kernel patched, updated
and generally hygienic? In other words, can PitBull's features
be easily matched by an expert coder using free modifications
to the Linux kernel and their own customized scripts?
- Who will make the
decision to buy and use PitBull: sysadmins and security officers
with egos and territories to protect, or CEOs and CIOs with
too much to do and burdensome liability issues in a litigious
world?
- How will market
forces, the conflicting priorities of decision-makers and the
efforts of security officers to spread "appropriate paranoia"
into executive suites really play out?
Value Proposition
PitBull has been tested
for several years in the real-world marketplace. Jim Michler, formerly
an employee of Autodesk and Argus, and now an account executive
with software giant J.D. Edwards, says that Argus perceived critical
shortcomings in Hewlett Packard's Virtual Vault, PitBull's chief
rival. "The Europeans saw the issues first," Michler says, "and
Argus secured the entire Swiss banking system, including Credit
Suisse and the United Bank of Switzerland.
"No one else offers B1-level
[military grade] operating system security," Michler adds. "That
level of security is very complex and not for the weak or faint
of heart. Argus executives spent 20 years developing OS security
for the military and intelligence communities," experience they
ported to the commercial application, Michler says.
The old Orange Book ratings
such as B1 have been replaced by Common Criteria. PitBull is currently
under evaluation by Computer Science Corp., and Argus expects that
by October this year it will be certified as EAL4 (Evaluation Assurance
Level 4), which means certification at a level of assurance that
also includes a feature set that would have been rated B2.[1] Argus
says that no other company is certified at EAL4, and that PitBull
is the only operating system currently in Common Criteria certification.
HP Virtual Vault, according
to Argus CEO Randy Sandone and several PitBull users interviewed
for this story, is an older and much less flexible means of transforming
the OS kernel into a trusted operating system--in HP's case, the
HP-UX kernel. Sandone--a self-described "airborne ranger-infantry
type, a knife-in-the-teeth kind of guy" who worked in aerospace
before moving to computers--brings an aggressive approach to pitting
PitBull against its larger rival.
Virtual Vault, he says,
uses an "old trusted operating system design paradigm." Installation
of Virtual Vault, he adds, requires the hard drive to be reformatted,
forcing the sysadmin through a complicated process. "That was appropriate
for older-generation technology," Sandone says, "but when it came
time to commercialize the technology, they dumbed it down, stripping
away complexity to make it more commercially appealing. In the process,
they made it inflexible. It does a couple of things well, but you
have to use the product exactly as it is.
"We wanted to keep the
strength and functionality of Solaris," Sandone adds, "but make
the OS secure. PitBull provides flexibility with features you can
use or disable as you like. Flexibility and usability are critical."
Naturally, representatives
of HP disagree with Sandone's assessment. "To say that we made Virtual
Vault inflexible in order to make it commercial is a contradiction
in terms," says Benny Benegal, senior security consultant in HP's
Advanced Technology Center. "To make it commercial is to make it
flexible. VV is integrated with other packages and solutions, and
that's where our flexibility comes into play. The integration of
third-party components with VV is simple because of binary compatibility."
Craig Rubin, senior architect
in HP's Internet Security Division, says that "businesses want a
complete solution, not just security. We will not even do a hard,
stringent ITSEC-type evaluation for Virtual Vault, because it's
not necessary. A smaller company might try to achieve credibility
through the evaluation process, but that adds rather than reduces
complexity. Future modification to the system would necessitate
repeating the entire evaluation procedure.
"The marketplace is moving
away from the ITSEC or Orange Book models of security," Rubin adds.
"Today, people want a better mix of usability and security. Buying
an individual operating system is not the comprehensive solution
that a business needs."
Sandone maintains that
the proof is in the plug-in. Any commercial application that runs
on Solaris will run on PitBull, he says. But, out of the box, the
default settings in these apps provide too much privilege. If you
want to install a commercial app, Sandone says you first need to
install PitBull, then install the app and give it PitBull root.
Then, simply execute a command and you'll get a listing of all the
least privileges needed by an app to execute. Another command sets
those privileges on that application, removes PitBull root, and
you're done. "We made the whole process almost brain-dead easy,"
he says.
No Free Lunch
While few question the
power of PitBull, many would dispute Sandone's "brain-dead easy"
claim. Habib Lowe, a founder of the Bay Area PitBull Users Group,
has used PitBull in two business ventures. One required customers
to be isolated from each other, while the other needed to protect
stored client information.
Lowe agrees that PitBull
does what it claims to do--and does it much better than its rivals
do. Trusted Solaris, Lowe says, can be made to do the same things,
but only after an exceedingly complex, tedious process. Virtual
Vault, he says, has a static setup process that makes the product
inflexible. Lowe likes PitBull's ability to provide file-based compartmentalization.
He even says he has been unable to reach a limit to the number of
compartments he can create.
But installing and using
PitBull is no walk in the park. "PitBull requires much greater expertise
on the part of systems administrators and architects than you often
find," Lowe says. "For the average sysadmin to move from standard
Solaris 7 to PitBull requires a 'head upgrade.' You need to be much
smarter about the system to use it effectively. The sysadmin must
spend a significant amount of time to achieve high-end engineering
solutions."
If you want to work with
PitBull, there has to be a basic conceptual shift, Lowe says. "This
is one case where 'paradigm shift' is the right term. A sysadmin
has to rethink how the OS talks to components and applications.
You can do it," he concludes, "but the program asks a lot. PitBull
is no free lunch."
Ben Kavanagh, chief security
architect at Bigvine.com, an online barter and exchange Web site,
agrees that the term "easy to use" is relative. "If you want to
build a complex, secure operation, then yes, PitBull is easy and
straightforward," Kavanagh says. "The architecture is clearly defined.
Some dummy who only knows how to point and click, however, is not
going to be able to do it. But for old-school coders and sysadmins
who are up to the challenge, it's the best of breed."
Real Power
Kavanagh's response leads
to a deeper question: Who will make the decision to buy and use
PitBull, and on what criteria will that decision be based?
Kavanagh believes that
infrastructure and application builders tend to rely too heavily
on other people to solve problems for them. "They want a panacea
for security problems, and it just doesn't exist. PitBull provides
command-and-control security for every single level of the system,
and it allows separate components to have separate levels of access
on the box. That's real power.
"Data is money," he adds,
"but not all businesses understand this yet." In this light, the
demands of a program like PitBull might seem excessive. But "when
people come to understand the consequences of poor security, they'll
see they need products like PitBull," he maintains.
Security consultants
like Carole Fennelly of Wizard's Keys, a Tinton Falls, N.J.-based
security consultancy, are not so sure. Fennelly suggests that if
a sysadmin can function at the level Kavanagh deems necessary to
get the power out of PitBull, they're probably already building
security at the OS level on their own. "Many sysadmins prefer to
harden their own systems," Fennelly says.
Fennelly also says that
PitBull's price--$16,000 per license per machine for PitBull Foundation,
and $50,000 per license per machine for PitBull .comPack--may scare
away the upper management side of the IT house, who don't know as
much about the technical merits of the software and may be more
comfortable spending that kind of money on a big name vendor like
HP. "In large installations, that $16K per license adds up fast,"
Fennelly says. An organization with thousands of systems is more
likely to use the "cloning approach"--that is, dedicate full-time
sysadmins to OS security, thereby replicating the functions of PitBull
through sheer grit and elbow grease. "It pays for them to have a
very talented staff who can do this in-house," she says.
Dale Coddington, a security
engineer for eEye Digital Security, thinks that, price aside, products
like PitBull have an even chance of changing this way of thinking.
After all, why place faith in a sysadmin when you can get "a certified
military-grade secure operating system, no matter how expensive
it is?" Coddington says.
The question, then, concerns
not the intrinsic value of the product, but fundamental issues of
TCO and on-staff expertise. No one disputes that an OS must be secure.
So how much are people willing to pay to secure it? How much are
they willing to trust their own team? How much risk are they willing
to accept?
In the end, those who
use products like PitBull must be comfortable with a high level
of accountability and responsibility. "The modular approach used
by PitBull," says Bigvine's Kavanagh, "pushes responsibility down
to everyone on the box, so it is not one person's responsibility.
PitBull insists that everyone using the box confronts what security
really means."
Will sysadmins whose
skills are not up to the challenge be better off using a less flexible/less
adequate solution just to buy time? Perhaps, said Kavanagh, but
only for the short term. "It's a dead-end because the security curve
is inexorably moving toward rigorous accountability at all levels.
Sooner or later, a business will pay the price for not accepting
that level of responsibility," he says.
Kavanagh's comments speak
to the all-important, all-pervasive gray area in today's security
space, an area in which security needs meet the real world of business
priorities. Both "Security Guy" and "Business Guy" have expanded
their awareness and depth of understanding of the other guy's responsibilities
and constraints, giving birth to a new kind of hybrid thinking.
Ted Julian, former lead security analyst at Forrester Research and
now VP of marketing and business development at @Stake, describes
it this way: "Mudge [of the hacker group The L0pht, now the research
arm of @Stake] and I are exchanging DNA on a daily basis. I understand
security issues at a much deeper level, and Mudge has greater appreciation
for marketplace realities."
Julian does not question
the power of the PitBull package. But he does question whether the
marketplace is ready for it. Abner Germanow of market analyst firm
IDC thinks the marketplace is ready…if the solution is suitably
simple.
"When you install software
with standard configurations, you need to do a hundred tweaks in
order to use it," Germanow says. "If Argus can make PitBull part
of that standard process and be a checkbox on that process for leading
banks or b-to-b e-commerce sites, PitBull will emerge in the foreground
of the marketplace.
"The typical IT guy says,
'I have a job to get done.' If this will let him deploy faster and
result in a more trusted OS, then Argus will experience a huge demand
for their product. But, if it slows the process down, it will be
a tough sell."
Future Tense
Sandone, of course, believes
the future belongs to PitBull.
"There is a significant
move toward high-assurance, trusted platforms from trusted Web server
appliances all the way up to big commercial enterprise-class transactional
systems," he says. "The marketplace will inevitably move away from
the complexity of today, in which security architectures consist
of a patchwork quilt of point products--firewalls, intrusion detection,
authentication tokens--toward simplicity and high assurance. Businesses
don't just want or need security features; they will need an independent
validated product that guarantees assurance so they can justify
their choice to risk-management people and insurance underwriters."
A security consultant/hacker
in Atlanta (who requested anonymity for this story) says he wants
to get his hands on the source code for PitBull. "Lots of us are
writing our own scripts to lock down our boxes," he says. "Maybe
you call it paranoid, but I don't want anything going in there that
I can't examine. Besides, how can I tweak the code to make it do
exactly what I want?"
Paul McNabb, CTO of Argus,
says the source code is available--but only on their own premises.
"Our feature set is a valuable trade secret," he insists. "Anyone
concerned about security holes or back doors can examine the source
code as much as they want. They just can't take it with them. If
they want additional features or options, they can give us that
feedback.
"That's why a rating
of EAL4 is so important," he concludes. "At some point, we have
to trust others in this complex process."
Can the conflict among
market forces, conflicting priorities of decision-makers, and the
need for "appropriate paranoia" converge in one solution? It's hard
to say whether PitBull can carry this much weight on its shoulders.
But one thing is certain: This is not a marketplace for the weak
or faint of heart. And what has it taken for the knife-in-the-teeth
airborne ranger Randy Sandone to get this far? "Guts, grit and sheer
luck," he says. Perhaps the only safe call is that Argus will need
guts, grit and sheer luck to make it in this space, too.
Footnote
1. Common Criteria
evaluates both the security features of a product and its assurance
level--that is, how trusted it is in the security environment, how
well it fares in vulnerability and penetration testing, and so on.
This assurance check evaluates not so much what the program does,
but rather how much assurance clients can have that it does what
it says it does.
Originally appeared in
the May 2000 issue of Information Security Magazine (infosecuritymag.com).
Copyright (c) 2000. All rights reserved.