The Server Room Blog

You May be Attacking Someone, Thanks to Botnets

james.j.greene@intel.com — Wed, 28 Oct 2009 15:04:59 GMT

Do you ever wonder where Spam comes from? I have no idea where the meat-like version of Spam comes from (nor do I wish to ponder that mystery). But it is pretty well established that a huge component of the e-mail and IM Spam that we all know and hate is generated by automated programs (bots) installed on thousands or even millions of unsuspecting systems. These bots are remotely controlled via command-and-control or even peer-to-peer networks (botnets) to do the bidding of the bot developer—such as propagate Spam or other malicious software or generate denial of service attacks against designated targets. And all of this could happen without most people even knowing their system is doing anything.

Botnets are the end result of many malware exploits—as viruses, worms, Trojans, drive-by or click-through attacks may deliver and propagate the bot payload. They are also a crystal clear example of how the objective of attacks have changed from hit-and-run high-profile grabs for fame to instead focus on stealth and establishing and retaining control of assets. Botnets are an ideal tool for the nefarious—they can command huge numbers of widely distributed systems at trivial costs. While it is hard to estimate how many systems are part of a botnet, the potential is staggering. For example, the much-publicized Conficker worm is estimated* to have placed more than 4 million unique IP addresses under the control of “bot-masters”. And this huge resource base allows the bot-masters to rent control of these resources to spammers or other agents looking for ways to generate attacks or other nuisances with low risk of being detected. In essence, they are allowing criminals and spammers to outsource the generation of their malicious activities. It is a frightening business model indeed.

It is also a difficult challenge for IT. Thanks to botnets, it is possible for an IT manager or CIO to get a call from out of the blue asking why their systems are attacking some other company or government entity’s systems. Or discover a botnets of 100’s of computers with their company. These type of events can happen to the best IT departments (even Intel or the US Government). Clearly, IT needs tools to help prevent such scenarios, and the antivirus and intrusion detection/prevention industry is working hard to keep up with the rapid growth in the delivery vehicles for bot code. The other weapon for IT managers is traffic analysis – looking for strange patterns of activity (such as bursts of e-mail traffic from selected systems or floods of network traffic generated against specific targets) that falls outside of business norms to determine if there is another business being conducted with their assets. While being part of a networked world has wonderful, powerful benefits, it is not without enhanced risk. A botnet is not a network you ever want a member of.

Intel technologies like Trusted Execution Technology (TXT) and instruction set optimizations such as STTNI can be part of these solutions. Intel® TXT can be used in solutions that help protect systems from software attacks which provide the malware payloads to compromise systems. In fact, Intel TXT (to be available with Westmere server systems) provides an entirely new protection capability for most systems—providing evaluation of the launch environment and enforcing “known good” code execution. This is important because most malware tools execute only once the system is booted—so Intel TXT provides a valuable complementary protection. And to help with the growing burden of run-time malware and attack analysis, new (with Nehalem) instructions that accelerate string manipulation can boost content inspection software ability to detect anomalies. And research and development will ensure Intel continues to develop and deploy building blocks to help IT address today’s challenges and tomorrow’s.

We can do that most effectively only if we’re trying to solve the right problems. Are your systems under attack? (yes, they are). What types of solutions are most effective for you? Where is the greatest exposure? Is the pain in stopping attacks or cleaning up after them? This is certainly worth thinking about—before some Government agency comes calling asking why your systems are sending them so much spam!

*http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Data Center Security

ken.r.lloyd@intel.com — Sat, 19 Sep 2009 21:09:36 GMT

Even the name is a sort of a misnomer. Not that there isn’t a lot of physical security around most data centers. The doors are locked and not even regular employees have access. This is necessary, and if someone gained physical access they could really mess things up. But, this is not where the big risk typically occurs.

The growing challenge is data security – i.e. protection from threats that come across the wire. With ubiquitous networks, and data moving everywhere, protecting the crown jewels is a full time job. Hackers, malware, employee abuse, and other threats can lead to data exposure that is potentially devastating, and almost undoubtedly embarrassing for the IT manager.

Gartner recently declared IT security the number one worry of fortune 1000 companies. This is not surprising when a report from Symantec showed exponential growth in internet security threats.

There is no silver bullet, and there is no system that can never be defeated. We need to do the best we can with the tools we have. Doing anything less could be seen as negligent.

Like security in the physical world, data security is a combination of business process and technology. Neither can be effective alone. Business processes must make clear what roles deliver data access, data steward ship, data ownership, and data disposal.

<sidebar>Data disposal is going to be one of the biggest challenges to the promises of cloud computing. If we consider a hosted app like “gmail” to be part of the cloud, then we either must accept privacy policies like “all data belongs to the host” or try to stick to using internal systems. </sidebar>

The other half of the security solution is technology. Intel, and others, are delivering new technologies to the server to assist with security enforcement. New string accelerator functions dramatically speed content scans for malicious data. Technologies like execute disable & SM range registers provide improved protection against buffer and cache attacks. The next generation of Intel server processors will introduce new features that can validate that code is un-altered and remove much of the overhead from encryption.

Security can not be an occasional focus any longer. Every security manager will need to be up to date on the state of technology and tools, and have the social skills to drive good data practices into the work environment.

IDF: Something for Everyone

james.j.greene@intel.com — Wed, 16 Sep 2009 06:41:58 GMT

It has been a couple of years since I’ve had the opportunity and pleasure of attending an IDF, but I remember the experience well. While I had been in the technology industry for many years and was familiar with major tradeshows like Comdex, Interop, CeBit, etc, I recall being amazed that a single company could be the catalyst for such a huge event. But as I experienced it, it made more sense: after all, Intel sells a very broad line of products to a huge array of customers. And our products are among the most technologically advanced and complex in the world—yet they are only critical components to solutions that require a wide range of complementary parts—system boards, test tools, compilers, software, BIOS and integrators—to name just a few. And IDF is the critical venue to galvanize this huge and surprisingly efficient cadre of fellow travelers that will help build upon and deliver our technologies to the world. It is where we educate, communicate and differentiate, and it is a great showcase for Intel.

This year, I’m excited to be able to participate. As I wrote a few weeks ago, I’m looking forward to being able to use this showcase to help establish Intel’s focus on server security. We’ve got a couple of key new features—Intel® Trusted Execution Technology (TXT) and Advanced Encryption Standard new instructions (AES-NI) for encryption processing—that promise to make secure processing for servers more complete and efficient. You can get a glimpse of what Leslie Xu and Michael Kounavis will cover for AESNI. I’ll be working with Mahesh Natu and some friends in the fellow traveler community to help introduce TXT for servers. Like many others, we’ll be using this opportunity to: conduct training for developers (session ECTS002); show the technology in action in a really cool Server Zone demo (Booth #517), and generally help build awareness for TXT and security in general. I’m really looking forward to the demo. It is one thing to offer a cool feature, but it is a whole new level of anticipation when one can so clearly visualize how this technology can be deployed to make users’ environments better.

I know that we’re eager to share our enthusiasm and engage the developers and customers that will make our technologies a success. I’m also keen to get to see other great things coming out of Intel and our fellow travelers. What are you eager to see and hear about at IDF?

Submarines, Stealth Fighters and Evolving Needs of Information Security

christopher.p.peters@intel.com — Wed, 09 Sep 2009 05:08:46 GMT

New Server Security Technologies Are Coming & Why We Need Them

The other day I had the opportunity to talk with Jeff Casazza and James Green from Intel’s Server Platform Group. The topic? server security. Our conversation was focused on the introduction of some new security technologies that are on their way and why we need them. During our discussion, I found myself thinking back to my days in the US Navy, where security was a core topic of everything we did. The introduction of submarines transformed naval tactics and the stealth fighter changed aviation tactics.

So, why does IT put so much emphasis on information security? … because the cost of a data breech is extremely high. Imagine if a data breech of your IT systems resulted in losing employee social security numbers or customer information – the cost to recover that data (if possible) and the legal costs (penalties from regulatory agencies) is very, very high. Jeff and James mentioned that business models are also exposed if these types of information escapes happen – a company’s brand, business and employee relationships could be at risk given the nature of trust and integrity that circle throughout our business.

Security always ranks high in importance, especially when we feel at risk. As I have transitioned into my new role inside Intel IT, I have found a significant focus on security solutions especially as new threats (for profit attacks), new usages (client / server virtualization, cloud computing) and new collaboration tools (social media) challenge our existing paradigms of information security.

During my discussion, I learned about two technology standards that Intel is implementing for servers that reduce security risks and address the changing nature of information security attacks happening today and expected tomorrow.

Stealth Fighters Attacking Your Data: The nature of security attacks have changed. Previous generation hackers used to target broad wide spread attacks on corporations or the worldwide web trying to disrupt business, gain notoriety with the ability to affect tens of thousands of people. The newer generation attackers are seeking a smaller target .. a single laptop or a single server. These new for-profit attacks are aimed at both industrial (business) or government entities and only need a single penetration into your infrastructure to get enough information to create a serious issue for your business.

Encryption: A solution to defend against the stealth fighter point attack on your data is increased encryption of data. Data encryption is not new. Secure Sockets Layer (SSL) encryption for communication over the internet, harddisk encryption and enterprise application encryption are all standard methods IT shops use to protect information. Unfortunately, encryption is not free, and I’m not talking about purchase cost .. but rather compute cost. Encryption is a compute intensive process that consumes processing cycles. Intel is planning on introducing new instructions for Advance Encryption Standards (AES-NI) that are intended to dramatically improve the efficiency of encryption in a future version of it’s processor micro architectures.

Submarines Seeking Your Data From Under Your Hypervisor: Much of the anti-virus and security protection that resides on servers and client machines resides and is run through either the Operating System, Hypervisor or Application layer. New malware software and root kits are targeting systems at startup before the hypervisor and/or OS boot up undermining the protection you have at the higher levels of the application stack.

A new server technology from Intel, called Intel® Trusted Execution Technology (Intel TXT) works to ensure your system can boot up to the secure, protected environment you have deployed through your software stack. In doing this, TXT ensures that your anti-virus software “perimeter” is secure and has not been compromised by a root kit “submarine”. TXT has been available in Client Intel® vPro™ processor technology-based platforms since 2007.

Tune into the upcoming Intel Developers Forum (www.intel.com/idf) to learn more about plans for securing your server’s data and many other technology innovations from Intel.

Chris

Security in virtual environment

radhakrishna.hiremane.shridhar@intel.com — Mon, 24 Aug 2009 17:20:56 GMT

I have written in the past about key IT considerations while implementing virtualization.

One of the key elements that change going from a non-virtualized environment to virtual environment is the security model. The security model needs some additional considerations going to virtual environment.

I and a few of my colleagues who meet with IT end customers deploying virtualization on a regular basis have realized that there are some frequently asked questions/concerns and also misconceptions about protection in virtualized environment.

We also did a bit of research on types of documents available to help IT understand the topic of security model in virtualized environment better, but found most articles to be either outright dismissive of security concerns or took a very opposite theoretical and conservative view on lack of security.

So with the help of our architects we developed the below white paper with an intent to help IT managers, strategists and implementers understand resource protection in virtualized environment better. We also address some of the frequently asked questions and typical misconceptions with security in virtual datacenter.

The white paper essentially takes a balanced view and provides an overview of security model changes, challenges and considerations that organizations must address when implementing virtualization. It introduces hardware, software, and policy measures available to help address those challenges, including their strengths and limitations and then closes with a brief discussion of some key issues associated with security in emerging cloud computing usage models.

Let us know what you feel.

Fall Intel Developer Forum Server Technology Blogs – What Do You Want To Hear About?

david.e.jenkins@intel.com — Fri, 31 Jul 2009 16:59:17 GMT

54 days to Fall IDF in SFO! Perhaps I should be a bit less enthusiastic, as during the course of the next two months, I will be extremely busy working on courses, presentation, demos, web updates and new collateral pieces highlighting Intel’s contributions to server and data center instrumentation, data center efficiency and eco-technology. In addition to those responsibilities, I have taken on ownership of driving a technology blogging program at IDF, with server technology experts sharing their insights here on Server Room – an opportunity that I am very excited about, but I need your help.

My question to you today is – what would you like to see covered in the technology blogs from IDF? I am starting the process of recruiting “volunteers” to participate, and understanding what you want to see discussed will help me to get the right people to cover the topics that are compelling to you and hopefully facilitate an interesting dialog that will help you to better understand server technologies. Since its easy to self-recruit, you will definitely see a blog from me covering instrumentation, Intel Intelligent Power Node Manager and other related technology news @ IDF.

So what do you specifically want to see covered in the IDF blogs? I look forward to you inputs and hope to see you at IDF!

Dave

IPsec Offload: Meet Microsoft* DirectAccess*

benjamin.r.hacker@intel.com — Sat, 16 May 2009 15:18:18 GMT

Manageability, security, and performance are always hot topics in the computing world. At times the focus shifts between them as needs and technologies change, but these areas have remained key vectors of enterprise computing for a long time. However, in many cases these usability vectors conflict with each other. IT managers’ desire for security and manageability may lead to extra applications and process hoops for end users, which can decrease performance. Increasing the ability to remotely and seamlessly manage a pc almost always adds security headaches that must be dealt with. Enterprise IT design is always about finding the right tradeoffs and improving the process over time.

One technology that has been around for quite a while to help improve security is IPsec (aka, IP Security). IPsec is a set of protocols for securing and authenticating IP packets by encrypting their contents in an end-to-end manner. Most people are familiar with IPsec as the underlying technology for facilitating Virtual Private Network (VPN) connections from the outside of an organization’s LAN to inside the network. IPsec secures the Internet to Intranet tunnel in this case.

Using IPsec to set up a VPN can be a bit of a pain because you have to key in an access code or password and it’s far from seamless. On the IT manager’s side, this setup does not eliminate security problems because the VPN tunnel only secures the network pipe once it is established. There is nothing stopping the end user from browsing the web on their work computer or somehow exposing it to a virus before connecting to the corporate network in a secured way. This has a few downsides from a manageability perspective. First, the security is compromised because of potential infections transferred from an insecure network to the corporate network due to lack of continuously active protection. Second, the manageability of this solution is lacking because enterprise systems outside of the corporate network are not manageable until the user manually connects to the VPN gateway.

So while using IPsec to help create a VPN connection provides functionality that is secure and provides outside-in access to the corporate network, it requires additional configuration by the end user, is not seamless for either user or administrator, and is generally provided by an additional application running on the system. This is all non-optimal.

Enter Microsoft* DirectAccess*. In Windows* Server 2008 r2 for servers and Windows* 7* for clients Microsoft* will be supporting a seamless IPsec support layer called DirectAccess*. What this will provide is the ability to integrate the encryption/authentication of IPsec directly into the Operating System so the end user connects securely outside and inside the corporate network to the systems and applications they need via IPsec. Because this is integrated into the OS, the set up of the security and connection details are more seamless from both an IT person and end user perspective. Initial configuration is obviously required, and each IT organization must set up the security policies to their own specifications, but once that is done the system is up and running.

Microsoft*’s implementation of this functionality at the OS level, so each application can have its own secure IPsec tunnel. This can provide secure access both outside and inside of the corporate network. Up until recently, using IPsec internally has not been of much focus, but recent estimates suggest 80% of successful attacks come from internal threats, so encrypting and authenticating internal data is now in focus for IT administrators. Microsoft* DirectAccess* allows for this new seamless security model.

Now this all sounds well and good… but what’s the catch? Well, a key angle here to note is that IPsec is a highly CPU intensive technology. Encryption and decryption of IP packets in real time can easily swamp a CPU core when attempting to push much more than a few hundred megabits of network data. For a typical end user system, a few megabits of data across a few IPsec connection applications will likely not cause much heartache, but for network servers that are hosting potentially thousands of simultaneous IPsec connections while trying to drive multiple Gigabits of I/O the performance results will be much more… uhh, what’s a nice way to say ‘unimpressive’?

In order to solve this issue, Intel networking products offload the computationally expensive encryption engine (AES-128) onto the LAN Controller while the IPsec configuration, management, policy creations etc all remain in the OS to keep usability simple. Intel offers both dual port 1 and 10 Gigabit networking solutions that support not only solid performance on standard networking workloads and advanced virtualization features, but also the ability to offload IPsec in hardware to improve system performance under large IPsec I/O workloads.

For companies looking to enable IPsec into their network environment using DirectAccess*, they have the potential to improve security, reduce complexity, and enhance manageability of their end clients. They just need to remember that in order to make this all work seamlessly on the server side without choking off processing performance, offloading the IPsec workloads to I/O hardware will be a requirement.

Intel® Ethernet® can deliver this support in adapter or down on motherboard form factors while supporting a wide range of Enterprise class performance and virtualization features. So is this a way to improve security and manageability without impacting performance? It seems that way to me.

-----

Ben Hacker

For more information on DirectAccess* -- http://www.microsoft.com/servers/directaccess.mspx

Identity Theft - It really makes me mad when my integrity is on the line

heung-for.cheng@intel.com — Wed, 11 Mar 2009 17:56:27 GMT

As usual, after swimming in the morning, I thumbed through my Blackberry. On the small glass screen, I saw the email from a friend, “Hi, For: Did you send this email to me?” I was very puzzled by what she meant that I quickly scrolled down to see the full text below her message: “Dear friend, I would like to introduce a good company who trades mainly in electronic products…” I looked at the “From” line. It is from my personal email account! I knew immediately that some hacker hijacked my address book and used my email name to send out spam email. But how did that happen? How could I clean up this mess? I suspected that my not-so-strong password was hacked and I corrected it right away. Since the send box identified who were the recipients. I then sent an email to explain the situation. My sister-in-law shot me an email afterward: “I though it was a little strange. ”

This cyber identity theft really makes me mad at the intruder and myself not taking more precaution measures. I use my web email account everyday, save my personal data in the “cloud”, and provide my VISA card number to purchase online. With the social media network, I may disclose even more personal information on the web. This incident wakes me up that I need to protect myself diligently by adopting caution behaviors such as using the strong password or making sure confidential data are encrypted. I also realize how much trust I have put in the datacenter and service provider that I may not even realize until I am personally affected. Do the servers enforce strong passwords only? How do I know the communication between my personal computers and the servers are secured? Can the service provider be trusted? It takes both the consumer end and the service providers together to create a secured environment. Service provides have the fiduciary duty to protect their customers and their investors by focusing on datacenter security issues. It may take only one security compromise to shake up the trust of the customers.

I have been with Intel’s server group for the last 13 years and experienced many server technologies from form factor to power saving that have transformed the datacenters. With our upcoming server platforms, we will be placing more focus on helping datacenters to secure their infrastructure. We would like to see a day that no one will need to send an email to their friends to say: “I didn’t send that spam!”

What is your story and resolution regarding security issues in cyber space and datacenters?

Live from "Intel Premier IT Professional Event"-Denver

william.h.lea@intel.com — Thu, 26 Jun 2008 20:59:18 GMT

I'm blogging here today from the Intel Premier IT Professional (IPIP) event in Denver, Colorado. This is a really amazing setting at the Center for the Perfoming Arts in downtown Denver. There are some 200 industry professionals here networking and sharing best practices around client and server technologies with some of the main topics including Intel's technology roadmap, security, client and server virtualization. For those who couldn't be here, check the IPIP Website for event details and to download the presentations. In addition to updates on this blog, Josh Hilliker and I will have an event wrap-up on Blog Talk Radio, stay tuned for the details. Check back to this blog for event updates as they occur.

Wm. Hank Lea

Community Manager

Open Port-The Server Room

2pm- Event Update

Here's some cool video of XEON 7300-series(4P)running a database transaction application:

And another video showing the XEON 5400-series (2P) running the Black-Scholes Option Pricing benchmark:

And a third demo showing the XEON 5400-series in a workstation configuration running 3D rendering application:

Virtual Appliances – the next application development and deployment model?

raghuram.yeluri@intel.com — Tue, 04 Dec 2007 22:28:00 GMT

Server virtualization is becoming widely accepted and vendors and customers are beginning to explore usage models beyond support for legacy applications and server consolidation. Virtual Server load-balancing, disaster recovery (server and data center), dynamic creation and migration of virtual machines, to name a few, are fast becoming widely prevalent.

One of the newest uses for server virtualization that is beginning to garner attention is application portability, packing and distribution, a concept that is becoming more concrete with the advent of virtual appliances. Like the computer/HW appliances like TiVos, firewalls, IPS/IDS and NetApp filers, virtual appliances come pre-configured with applications and just enough operating software needed to perform their tasks, and delivered to the customer as a virtual machine file(s) ready to run atop a hypervisor. Every component of the virtual appliance is pre-configured and optimized and tested by the ISV who has the deepest understanding of the application, thereby eliminating interoperability issues and resulting in a better end user experience. Unlike hardware appliances which typically need specific hardware, virtual appliances run on top of any x86 hardware that has a hypervisor.

Could this be beginning of ‘Virtual-Appliance oriented architectures'? Too early to call, but in a virtualization-enabled world, the promise of an easy application deployment, distribution and maintenance/support is surely enticing. Just like any new technology or application model, there are a lot of challenges that ISVs and customers have to overcome with virtual appliances. We will get into details of these in the next set of blogs, but here is a quick summary of some questions customers and ISVs have to comprehend as they innovate in this space. We will also look at what Intel's doing here with its broad Virtualization Technology (VT) initiative.

- Security - Do you consider Virtual appliances as black boxes from a security perspective? Would you trust the ISV with both the app and the OS testing? Would there be any back doors? Will ISVs offload testing to third parties?

- Heterogeneous hypervisor environments - How do you package the virtual appliances for deployment and distribution on multiple hypervisor environments? OVF is a clear direction here.

- Performance of virtual appliances - Are there issues with virtual appliances sizes as we deploy and distribute business applications in virtual appliances? How do you deal with dependent appliances? Would there versioning issues with virtual appliances? Will there be a need for multiple versions of virtual appliances executing side-by-side?

- Software licensing - How does software licensing work in a virtual appliance model? How do you buy Microsoft OS licenses? Ubuntu, RedHat, etc are releasing stripped down versions of Linux for Virtual appliances usage. How would the Open source model evolve?

What do you think? You buy into the Virtual Appliance model? Will it work for you? Have you done anything with it yet? Let us know.