Internet security is a process, not a product. eWeek Labs' Openhack project is designed to help e-businesses
make this process work better in complex, heterogeneous computing environments.
Openhack is an evolution of last year's interactive Hackpcweek.com test, in which we pitted Linux and the Apache
Web server against Microsoft Corp.'s Windows NT and Internet Information Server 4 to see how each would fare in
a hostile Internet environment.
With Openhack, we'll be taking the concept of interactive testing a step forward: We invite crackers to take their
best shots at the Openhack.com site. Examining the number, type and targets of these attacks will allow us to measure
the security -- and vulnerability -- of a variety of computing platforms in a simulated e-business environment.
The project's public Web server is www.openhack.co, where you can find a log with the latest updates.
The Openhack equipment is in the IP range from 38.144.162.2 to 38.144.162.15 -- anything in that space is fair game.
This is an open challenge to hackers, and we've upped both the difficulty and award antes. Cracking into Openhack.com
will return bounties ranging from $500 for defacing the Web server to $1,500 for compromising the e-mail server
to $2,500 for cracking into the database server. No prizes will be given for DDoS (distributed denial-of-service)
attacks, which are often used as diversionary tactics.
The purpose of this project, which begins June 26, is to arm eWeek readers with as much information as possible
to strike the right balance between tight security and open communications. Therefore, we must receive details
on how successful hacks were carried out (including any code used) before awarding prize money. These details and
an analysis of project results will be published in a future issue of eWEEK.

Test evolution

The emergence of new technologies and business practices adds complexity, and often vulnerability, to state-of-the-art
e-business sites. This is reflected in the significantly more complex Openhack environment, where we've put the
emphasis not on one platform's securability vs. another's but on testing how well different platforms coexist in
a secure environment.
Openhack.com includes multiple subnets for hosting e-mail and directory services, an e-commerce application, and
a back-end enterprise-class database. Used heavily in the server farm are Sun Microsystems Inc.'s hardware and
Solaris operating system, as well as Linux, OpenBSD, NT and Windows 2000. Compaq Computer Corp. and Dell Computer
Corp. also provided servers.
The Openhack site is physically located at PSINet Inc.'s Toronto data center. We set up the site working with consultants
from Guardent Inc., a pure-play Internet security consulting, assessment and managed services company based in
Waltham, Mass.
In addition, security experts from Sun and Microsoft were on site to assist in hardening their respective operating
systems. Guardent consultants assisted in hardening the open-source operating systems.
The Openhack site is fortified primarily by Raptor firewalls from Axent Technologies Inc. running on a pair of
Sun Ultra 10 servers. To ensure that the site will be able to withstand constant attacks, the firewalls have been
clustered using load-balancing hardware from Radware Ltd.
We will be using Internet Security Systems Inc.'s RealSecure 5 intrusion detection system outside the firewall.

Targets for attack

Behind our formidable firewall cluster are three targets. The first is the Web server, running MandrakeSoft's Linux
Mandrake and the Apache Web server. We'll be using Axent's NetProwler intrusion detection system to monitor the
activities on the Web server subnet.
The second target is an e-mail subnet hosting the latest build of Exchange 2000 running on Windows 2000 Advanced
Server. (This test will be a baptism by fire for the soon-to-be-released messaging platform.) Because Exchange
2000 uses Microsoft's Active Directory as its directory service, we will have a separate Advanced Server system
hosting an Active Directory tree in the Exchange subnet.
The final target is the Oracle8i database running on a Sun Enterprise E4500 server. This server is running the
Solaris 8 operating system and has the added protection of an OpenBSD IP filter in front of it. A Network Flight
Recorder intrusion detection appliance will be watching over this subnet.
The Openhack test will run through July 21, or until all the prize money is paid out. We are giving away a total
of $2,500 for successful documented intrusions. In the case of multiple submissions for the same type of crack,
the first documented submission sent to us by e-mail will win.