Trials and tribulations of building an e-commerce server In part two, we take an in-depth evaluation of the design and implementation of a secure Internet commerce facility. Plus Bug of the Month focuses on eject and password bugs

April  1997

The secure Internet commerce facility project continues. This month's column includes design decisions made, the implementation (the good, the bad, and the ugly), and the valuable lessons that working on such a project imparts.

Also in Pete's Wicked World this month: the bookstore has information on a hot new newsletter, an Internet privacy consortium, and an article on the future of Internet security. In the buglist, more buffer-overflow-causes-root-execution bugs. Also, word of interesting conferences and potentially-interesting products. And, if you have Solaris security questions, visit the newly-updated Pete's Security FAQ. (2,600 words)

Mail this article to a friend

Dedication: To Skip Rochford. We miss you.

Last month I described a proposal my company received from a major East Coast bank and our response to that proposal. The proposal was for the implementation of a secure Internet facility that would allow bank customers to retrieve private information, well, privately. Included in last month's column was our proposed architecture and discussion of its features. The column generated some interesting reader feedback...you were worried about me. Worried about my legal status and how I'd survive impending lawsuits. The lawsuits would occur, of course, when the facility was cracked and bad things happened to customer accounts and the bank's money.

This month I hope to assuage your fears. I'll describe the final architecture that we implemented and the steps we took to assure that it was "uncrackable." We also hit some roadblocks that are worth discussing, and learned a little about project management.

The road to hell is paved with works-in-progress.

--Philip Roth

The bank decided that my company would do the architecture and integration. We also brought in a subcontractor to do the application development and database implementation. The application work consisted of writing CGI scripts and SQL code. This code was needed to maintain the state of each customer's interaction with the facility, among other things. More details on the application later.

After several meetings with the bank (including product, marketing, and security personnel), the marketing company, the subcontractor, V-One, and Xenos, we hammered out an architecture that everyone could live with. Figure 1 shows the final architecture.

A comparison with the original proposed architecture in Figure 2 shows quite a few changes.

These were the major changes, and their reasons:

• There are now two firewalls, in series. The bank felt unable to manage an Internet firewall and audit it 24 hours a day, so they purchased the BBN Site Patrol solution. With Site Patrol, BBN installs, manages, and monitors the firewall on a 7x24 basis.

• The direct connection to the bank's mainframe was removed. The bank felt uncomfortable allowing any facility to both communicate with the Internet and with its corporate computers. Instead, data is interchanged between the facility and the mainframe via 3480-format tapes. The data sent to the mainframe is simply a list of customer IDs. The information sent back from the mainframe is the account information, and the statements images, for each of those customer IDs. There is very little room for fraud with this arrangement.

• The Raptor Eagle firewall was removed. The Authentication Server (running V-One's SmartGate) was turned into a firewall by running V-One's SmartWall firewall software. Unfortunately, this software is based on the TIS Gauntlet firewall, so two essentially identical firewalls were placed back-to-back. A better solution, from the security point-of-view, would have been to have two different firewalls.

• The facility was networked with token ring instead of Ethernet because the bank used token ring as its standard network medium.

• The Database/Web server ran the Oracle Web server instead of Netscape. Oracle's Web server has SQL hooks in it to more efficiently integrate with the Oracle (or other SQL) database. With Netscape, at the time we were building this facility, all database calls would have had to be written as CGI scripts, with an order of magnitude less efficient.

• In the first approach, each Sun machine was going to be secured manually by stripping the installation and adding tools such as tripwire, tiger, tcp_wrappers, etc. While the systems would have been secure, they would have been difficult for the bank to manage. Instead, we used the SeOS product from Memco to secure the machines. (SeOS has been discussed in previous columns.)

The application itself was quite complicated. It ended up including the following major pieces:

• Shell scripts to read customer data and statement images from the mainframe tapes
• Shell scripts to write the customer list to tape for mainframe processing
• CGI code to capture the V-One POST and GET information from the HTML data stream to identify the customer
• SQL code to generate preference forms for customers to set look-and-feel information and to select which accounts they want accessible online
• SQL code to generate dynamic Web pages for the customer, based on the information in the database, the marketing-message engine, and the customer's preferences
• SQL code to generate administration pages (only for users identified as administrators by the V-One information) to allow customer service representatives to enable and disable customers, retrieve several types of status reports, and debug customer problems

To finish a work? To finish a picture? What nonsense! To finish it means to be through with it, to kill it, to rid it of its soul, to give it its final blow . . . the coup de grāce for the painter as well as for the picture.

--Pablo Picasso

Ah, the delays
In the introduction I mentioned that I would discuss the "ugly" parts of the project. Unfortunately, the project went over budget and was late. Although this is not uncommon on large integration projects, it also did not make anyone happy. The reasons for the delays were many, including:

• Bugs in software, including Oracle's Web server, SeOS, and SmartGate. These bugs resulted in temporary workarounds being implemented to allow the project to hit rollout deadlines. When the bugs were fixed the workarounds had to be removed, and the proper code was implemented. Then all the code had to be re-tested. In retrospect, we could not have done much differently. Because the bugs were in a variety of tools, the workarounds were needed in each tool to allow us to exercise the other tools. Just waiting for bug fixes in one tool would have delayed finding the bugs in the other tools. Perhaps waiting six months before starting the project would have allowed all of the tools to be more mature.

• The use of the BBN-managed firewall delayed implementation of network connectivity and made the entire debug cycle more difficult. BBN does not allow access to its machines, so any changes in rules and any connectivity debugging had to be done with BBN participation. It's difficult enough to debug a new application/facility when one firewall is involved. It is much more difficult to debug when two firewalls are involved and only one is managed locally.

• The largest delay resulted from miscommunication. Due to internal changes at the bank, there were frequent changes of bank personnel on the project, and some periods of time when there simply was no liaison from the bank to monitor the project and to track the bank's participation. Also, there was no one person, from any participating company, who was "the boss." For instance, when a design or implementation decision was made, it was occasionally unclear who should sign off on that decision. The lack of strong management lead to several instances of redesign, including two extra iterations of the database schema.

• Because of the bleeding-edge nature of this project, no one on the project had experience with integrating all these technologies. SmartGate was still under development when the project started, SeOS was fairly new, and the Oracle Web server was in its first release. A lack of some key programming skills also delayed the implementation.

While the project was being implemented, I wrote the facility security policy in conjunction with the bank's security personnel. The policy laid out the details of access to the facility, management of the facility, problem escalation, and change management. The facility was independently audited by SAIC (as described in a previous column) and found to be among the most secure they had seen.

Every man is the son of his own works.

--Miguel de Cervantes

Overall, the project took more time and money than expected because we had underestimated the effort needed to bring multiple, new technologies online and the difficulties involved in rolling out a first-of-its-kind facility. The facility was brought online in February with little fanfare. Because the bank is merging with an even larger bank, and because this is a new offering to customers, it has lower priority than other bank projects. The banks are merging their computing facilities, and this project will be forced to shut down during the merger. It will be brought back online after the main systems are merged. Until that merger completes, the bank won't advertise this facility. Nevertheless, through Web-based ads, this facility already has 4,000 customers, and that number is growing at the rate of 150 per day. On the whole, everyone is pleased with the state of the facility and the project that implemented it.

Bug of the Month
Club

The time is right for a program scanner. This scanner would search through C source code and watch for code that improperly allocates memory without guarding against overflow. Unfortunately, I don't know of any tools that provide this feature. I've reached the conclusion about the need for such a tool based on bugs reported in eject and passwd. Yes, eject is the program that simply ejects the floppy or CD-ROM from its drive. This program is set-uid root to enable any user to be able to eject the media (eject does a umount). Unfortunately, it doesn't check its buffer allocation in the media_find routine. This routine is used to check command-line arguments and determine which media it is that the user wants to eject. By overflowing this buffer, eject can be made to execute an arbitrary program, as root.

Cristian Schipor, on the Computer Science Faculty in Bucharest, Romania, discovered the problem and has written exploits for Solaris 2.4 and 2.5.X. The quick fix is to disable the set-uid bit on eject. To regain the eject functionality, you can write a quick set-uid root C program that invokes eject with the proper arguments. This information and more is included in the eject bug report.

The passwd bug, similarly, results from a lack of bounds checking within the program. The result is the arbitrary execution of programs, as root, on any Solaris 2.3, 2.4, or 2.5 system. The bug report, and fix information, is included in AusCERT report 97.09

CERT is getting very antsy about INN. INN is a common news server, and version 1.5 of it is actively being attacked via well-published techniques. The solution is to upgrade to INN 1.5.1 as soon as possible. The details are in the CERT advisory.

The Bookstore
If you're like most systems people -- too little time and too many interests -- then you should know about the SANS Network Security Digest. What this column does for Sun computers (in case you didn't know, it tries to keep you informed of everything Sun security related), the SANS digest does for computer security in general.

The March issue includes information on Microsoft Internet Explorer bugs, Solaris passwd buffer overruns, and bugs in 4.4BSD, FreeBSD, INN, httpd, among other useful information. Here's the info:

The SANS Network Security Digest is published via e-mail approximately eight times a year. Its purpose is to help busy sysadmins and security professionals gain confidence that they are aware of the important security vulnerabilities and what can be done to resolve them. Subscriptions are always free for all who attend SANS and Network Security conferences. Others may also subscribe at no cost as long as their subscriptions are received before April 30, 1997. Free subscriptions entered before April 30 are effective through the end of next year (1998).

To subscribe, send e-mail to sans@clark.net. In the Subject: SANS Network Security Digest. In the Body: name, title, organization, preferred e-mail address, and, if you also want an updated network security roadmap wall poster, your surface mailing address.

If you are concerned (as I am) with the rampant, uncontrolled exchange of private information on the Internet, then you'll be pleased to hear about ETrust. ETrust is a global initiative to create consumer confidence in electronic information exchange. It's set to roll out, in mid-1997, a set of seals-of-approval. The seals will be given to sites that abide by ETrust's rules of privacy. For more information, check out the ETrust home page (see Resources below).

The January 1997 issue of IEEE Computer includes several interesting articles on the Internet and security. Perhaps the most interesting to readers of this column is the article by Randall Atkinson, of Cisco, entitled Toward a More Secure Internet. This article spends a little time analyzing current Internet protocol security threats (ICMP, ARP, DNS, and IP itself). The rest of the article describes techniques, methods, and protocols that are being implemented to solve the security weaknesses of these protocols. Required reading.

Conferences
April brings with it a conference that should not be missed by security professionals (and systems people with a security interest): SANS '97 promises to be better than ever. This year the conference is concentrating on case studies. If fact, I'll be presenting the secure bank facility described in this column in a talk there. I'll also be presenting a couple of sections of the "Security in a Melting Pot" workshop, which is designed to help people who work on security on multiple platforms keep those systems under control and secure.

If you're interested in Sun computers and their security, then you should add The Sun User Group Conference and Expo to your calendar (it's June 2-4, in Boston, MA). This conference will have tracks on security, system administration, the Internet, and one for developers. It will also have exhibits. I'll be teaching my Solaris Administration tutorial there and giving a couple of talks about Sun security. Hope to see you then.

Potentially interesting
products Single sign-on continues to be one of the holy grails for systems managers. Every year, we hear that the perfect product is a year away. Well, there's another product that is taking a shot at solving the problem. The product is FirstStep SSO by Millennium Computer Corporation. I haven't tried it, but if you're looking for a single sign-on solution, this one looks worth checking out.

Resources

• Eject bug report
  http://www.math.pub.ro/Solaris_holes.html
• AusCERT report 97.09
  ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
• CERT advisory
  ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd
• ETrust
  http://www.etrust.com
• SANS '97
  http://www.sans.org/
• The Sun User Group Conference and Expo
  http://www.sug.org/index.2.html
• Millennium Computer Corporation
  http://www.millenniumcc.com
• "The SeOS security blanket"
  /sunworldonline/swol-07-1996/swol-07-security.html
• Other Security
  /sunworldonline/common/swol-backissues-columns.html#security
• Also check out the SunWorld Site Index for stories on Web server security
  /sunworldonline/common/swol-siteindex.html#websec
• Related network security stories
  /sunworldonline/common/swol-siteindex.html#netsec
• Peter Galvin's recently-updated Solaris Security FAQ
  /sunworldonline/common/security-faq.html

About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at Peter.Galvin@sunworld.com.

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-04-1997/swol-04-security.html
Last modified: