Security escapes from the lab

As security threats increase, HP's researchers concentrate on management and active countermeasures

Despite IT's image of being invented by wild-eyed loners in pizza-fuelled bedroom frenzies, by far the greater part of research and development takes place in well organised laboratories staffed by teams who can easily pass for normal human beings. A good example of this approach to R&D can be found in Bristol, where HP has one of its most significant research efforts -- and where yours truly was invited last week to look over some of their work.

The laboratories -- the first HP opened outside the US -- investigate a mix of practical and theoretical developments. These range from quantum information technology through to camera design, location-based services and grid computing, but the focus of this visit was security -- as evidenced by the movie posters up in the lab windows promising to "save the Earth from the scum of the universe".

That focus is further sharpened by what HP calls the 'increasing threat velocity'. One of the first real-world dangers for commercial IT was the boot sector virus. Invented some eighteen years ago, this hops onto files on hard disks whenever the computer tries to boot from an infected floppy. It could and did spread widely, but only at the speed at which people shared floppy disks. Email-borne viruses came along 10 years later, and could spread globally in days: now, worms that attack software weaknesses can propagate through broadband-connected PCs in minutes. This connected vulnerability, together with vast increases in system complexity, attacker motivation and available resources, has fuelled a thousand-fold increase in reported incidents over the past 10 years.

One technology that HP has developed is Active Countermeasures, where the company scans for and uses security holes to deploy its own payload to vulnerable machines. This payload doesn't propagate like a worm -- it remains under the control of the company's security policy -- but can take the target machine off the network, if necessary. Before that, it warns the user to download a patch, or can restrict access to just email or a similar, safe subset of services. HP has used this idea since the Code Red worm hit in 2001, and claims great success -- it has remained relatively untouched by subsequent malware.

In particular, Active Countermeasures are good at dealing with non-compliant people who don't bother to patch, and return very accurate statistics about the state of the network. In HP's case, the company reckons it has around a quarter of a million devices connected to its corporate network worldwide, plus or minus about 15,000 daily, so automating the detection and quarantining of vulnerable systems is a good thing. Machines that sporadically connect via VPNs, such as those out on the road or at people's homes, have their network connection restricted to a secure area while the computers are scanned -- only when a patch has been downloaded and the computers can pass muster are they allowed into the full network.
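The two paragraphs above describe a policy rather than a mechanism: a device with a fresh scan and no missing patches gets the full network, a device that still needs scanning or patching is held in a restricted area with a warning, and a device whose user has ignored the warning for too long is taken off the network. The script below is an added illustration of that decision logic and the fleet statistics it yields; it is not HP's code, and the grace periods, scan ages, advisory identifiers and host names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional, Tuple


class Access(Enum):
    FULL = "full"              # normal network access
    RESTRICTED = "restricted"  # secure area: email and patch download only
    OFFLINE = "offline"        # taken off the network


@dataclass
class DeviceState:
    host: str
    via_vpn: bool
    last_scan: Optional[datetime]            # None = never scanned
    missing_critical: Tuple[str, ...]        # unpatched critical advisories (constructed ids)
    first_warned: Optional[datetime] = None  # when the user was first told to patch


# Policy knobs (assumed values, not HP's): LAN devices may rely on a scan up to a
# week old; VPN devices are re-scanned on every connection, so only a scan from the
# current session (assumed: last hour) counts. Users get three days to patch.
LAN_SCAN_MAX_AGE = timedelta(days=7)
VPN_SCAN_MAX_AGE = timedelta(hours=1)
PATCH_GRACE = timedelta(days=3)


def decide(d: DeviceState, now: datetime):
    """Return (Access, reason) for one device under the policy above."""
    max_age = VPN_SCAN_MAX_AGE if d.via_vpn else LAN_SCAN_MAX_AGE
    # No trustworthy scan yet: hold the device in the secure area until one comes back.
    if d.last_scan is None or now - d.last_scan > max_age:
        return Access.RESTRICTED, "scan required"
    # Scanned and nothing critical missing: let it onto the full network.
    if not d.missing_critical:
        return Access.FULL, "compliant"
    # Known holes: warn and restrict, then cut off if the warning is ignored too long.
    if d.first_warned is None or now - d.first_warned <= PATCH_GRACE:
        return Access.RESTRICTED, "patch required: " + ", ".join(d.missing_critical)
    return Access.OFFLINE, "patch warning ignored beyond grace period"


def summarize(fleet, now: datetime):
    """Apply the policy to every device; return per-host decisions and counts per state."""
    counts = {a: 0 for a in Access}
    decisions = {}
    for d in fleet:
        access, reason = decide(d, now)
        counts[access] += 1
        decisions[d.host] = (access, reason)
    return decisions, counts


# Constructed sample fleet at a fixed point in time.
NOW = datetime(2004, 6, 1, 12, 0)
FLEET = [
    DeviceState("lab-pc-01", False, NOW - timedelta(days=1), ()),
    DeviceState("lab-pc-02", False, NOW - timedelta(days=2), ("ADV-0001",),
                first_warned=NOW - timedelta(days=1)),
    DeviceState("lab-pc-03", False, NOW - timedelta(days=1), ("ADV-0001", "ADV-0002"),
                first_warned=NOW - timedelta(days=10)),
    DeviceState("road-laptop-07", True, NOW - timedelta(days=2), ()),
    DeviceState("home-pc-11", True, None, ()),
]

if __name__ == "__main__":
    decisions, counts = summarize(FLEET, NOW)
    for host, (access, reason) in decisions.items():
        print(f"{host:16} {access.value:10} {reason}")
    print({a.value: n for a, n in counts.items()})
```

The counts dictionary is the "very accurate statistics" side of the story: run daily over the inventory, it tells the security team how many devices are clean, how many are parked in the secure area, and how many have been cut off, without anyone chasing individual users.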

HP is big on security management. It demonstrated an early prototype of its Enterprise Security Modelling Tool (ESMT), which builds a global model of an existing network and answers "what if" questions -- what happens if a server is added or a firewall reconfigured. It can then show paths of access and levels of protection along different routes through the infrastructure, drawing on knowledge of how each component is configured and of any known vulnerability issues. This is particularly powerful when combined with utility computing, where resources on a network are reconfigured according to job requirements, even farmed out to clients.
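To make the ESMT idea concrete, here is an added toy model of the same kind of analysis; it is not HP's tool and the network, zones, services and vulnerability flags in it are constructed for the example. Hosts sit in zones, firewall rules say which zone-to-zone flows are allowed per service, and hosts carry flags for services with a known unpatched weakness. A breadth-first walk from an origin zone lists what an attacker there could talk to, and treats any host reachable on a flagged service as a pivot into its zone (assuming no filtering between hosts of one zone). A "what if" question is then a change applied to a copy of the model, with the answer being the difference in exposure and in compromisable hosts, together with the path of access for each.

```python
import copy
from collections import defaultdict, deque


class NetworkModel:
    """Toy ESMT-style model: zones, per-service firewall rules, known holes per host."""

    def __init__(self):
        self.zone_of = {}                   # host -> zone
        self.listens = defaultdict(set)     # host -> services it serves
        self.vulnerable = defaultdict(set)  # host -> services with a known unpatched hole
        self.rules = set()                  # (src_zone, dst_zone, service) allowed by firewalls

    def add_host(self, host, zone, services=(), vulnerable=()):
        self.zone_of[host] = zone
        self.listens[host].update(services)
        self.vulnerable[host].update(vulnerable)

    def allow(self, src_zone, dst_zone, service):
        self.rules.add((src_zone, dst_zone, service))

    def deny(self, src_zone, dst_zone, service):
        self.rules.discard((src_zone, dst_zone, service))

    def hosts_in(self, zone):
        return [h for h, z in self.zone_of.items() if z == zone]

    def _flows_from(self, zone):
        """(host, service) pairs a vantage point in `zone` can talk to: whatever a rule
        allows, plus everything inside the same zone (assumed: no intra-zone filtering)."""
        for src, dst, svc in self.rules:
            if src == zone:
                for host in self.hosts_in(dst):
                    if svc in self.listens[host]:
                        yield host, svc
        for host in self.hosts_in(zone):
            for svc in self.listens[host]:
                yield host, svc

    def analyse(self, origin_zone):
        """Return (exposed, paths): exposed = {(host, service)} reachable from origin_zone;
        paths = {host: [hop, ...]} for hosts reachable on a flagged service, i.e. pivots."""
        exposed, paths = set(), {}
        frontier = deque([(origin_zone, [origin_zone])])
        expanded = {origin_zone}
        while frontier:
            zone, path = frontier.popleft()
            for host, svc in self._flows_from(zone):
                exposed.add((host, svc))
                if svc in self.vulnerable[host] and host not in paths:
                    paths[host] = path + [f"{host}:{svc}"]
                    hz = self.zone_of[host]
                    if hz not in expanded:          # a pivot opens up its whole zone
                        expanded.add(hz)
                        frontier.append((hz, paths[host]))
        return exposed, paths


def what_if(model, change, origin_zone="internet"):
    """Apply `change` (a callable mutating a copy of the model) and report what it newly exposes."""
    before_exp, before_paths = model.analyse(origin_zone)
    trial = copy.deepcopy(model)
    change(trial)
    after_exp, after_paths = trial.analyse(origin_zone)
    return {
        "new_exposure": sorted(after_exp - before_exp),
        "new_compromise": {h: p for h, p in after_paths.items() if h not in before_paths},
    }


def build_sample():
    """Constructed network: a DMZ with web and mail, an internal zone with app and database."""
    m = NetworkModel()
    m.add_host("web1", "dmz", services={"https"})
    m.add_host("mail1", "dmz", services={"smtp", "imap"}, vulnerable={"imap"})
    m.add_host("db1", "internal", services={"sql"})
    m.add_host("app1", "internal", services={"http", "rpc"}, vulnerable={"rpc"})
    m.allow("internet", "dmz", "https")
    m.allow("internet", "dmz", "smtp")
    m.allow("dmz", "internal", "sql")
    return m


def open_imap(m):
    m.allow("internet", "dmz", "imap")


def open_imap_and_rpc(m):
    m.allow("internet", "dmz", "imap")
    m.allow("dmz", "internal", "rpc")


if __name__ == "__main__":
    net = build_sample()
    print("baseline:", net.analyse("internet"))
    print("what if IMAP is opened from the internet:", what_if(net, open_imap))
    print("... and RPC from the DMZ inward:", what_if(net, open_imap_and_rpc))
```

The second question is the interesting one: opening RPC between the DMZ and the internal zone looks harmless on its own, because nothing in the DMZ is compromisable in the baseline, but combined with the IMAP change it produces a three-hop path from the internet to the internal application server. That interaction between rule changes is exactly what a human reviewer reading two separate firewall tickets tends to miss and what a global model catches.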

This, like the VPN-aware vulnerability scanning, adds weight to HP's thesis that you can no longer run companies like corporate fortresses. IT managers don't have physical control over all their network devices, and firewalls are typically peppered with holes to allow different services through -- and no company wants to give up the opportunity to sell or use new services.

The only way to make this work, says HP, is to have trust at the endpoints, where each device can unambiguously and irrefutably identify itself and its permissions for access. This will happen when trusted computing hardware and software is finally available and deployed -- a process the company sees kicking off in 2005/2006, with a properly trustworthy infrastructure appearing at around the end of the decade. A lot will depend on components being available for the next upgrade cycle together with software support from Longhorn and others.

Is this a Big Brother scenario? HP says not, although the company's close co-operation with many of the UK's most secretive agencies sits interestingly with its push to manage security at ever greater range and with ever-increasing detail. There's not much room to argue with HP when it points out that there's little alternative to taking this direction: while threats increase daily, the responses must scale accordingly if we're to continue to grow IT.