|
Guardians
of the firewall
NetShapers
battles to keep computer barbarians out of company networks
and on their side of the moat
By Patrick Courreges
Business Report staff
Computer hackers often do what they do for fun, or just because
they can.
That is, they invade and disrupt the systems and Web sites
of companies and organizations, either to create a little
random havoc or for motives of malice or profit.
The homegrown tech talent that drives Baton Rouge-based NetShapers
Inc. gets some joy out of what it does, too.
NetShapers is in the business of disrupting and creating havoc
for hackers.
The local Internet development and consulting company, founded
in February 1998, does the jobs usually associated with Web
developers--Web design and hosting, e-commerce and database
development--but has made network security its market positioning
point.
That niche has helped the young company make solid growth
gains with some fairly high-profile clients, including the
Louisiana District Attorney's Association, local fast-food
chain Raising Cane's, Hollingsworth Court Reporting, Louisiana
Companies, Industrial Specialty Contractors and the law offices
of Keogh, Cox and Wilson.
And in keeping with that niche, NetShapers has recently released
a firewall program called FrontDoor--sort of an electronic
junkyard dog of its own design to patrol the fence lines and
gates of client systems and keep the techno riffraff at bay.
Firewalls are programs or system setups that allow strict
control of who and what gets into a system via the Internet.
NetShapers President and CEO Peter Sygula likens firewalls
to a moat and drawbridge protecting a company's network castle.
His company also designs virtual private networks, or VPNs,
for clients. VPNs use encryption to make Internet communications
as secure as internal network systems, and NetShapers' FrontDoor
can also serve as the controlling system for such a network.
The Web development end of the business also boasts some recognizable
names, including Casino Rouge, the Louisiana Association of
Insurers and Financial Advisors, the Greater Baton Rouge Association
of Realtors and Southern Medical Corp.
The security aspect is key in that part of the business, too,
as Sygula has passed up contracts when companies wanted to
skimp on the security of their Web site design.
"There's no reason for us, as professionals, to do that,"
he said. "People pay us a good bit of money to use our expertise."
The company, made up of four partners, two employees and three
regular subcontractors, also brings in some of its money working
the other side of the fence, in a way.
NetShapers from time to time takes on the trappings of its
hacker and cracker foes to do a little electronic breaking
and entering.
But only at the behest of the break-and-enteree.
Such contracts, in which companies hire NetShapers to test
their existing network security, could never be the full basis
of the business, since they come along only about three to
four times in a given year.
They are, however, opportunities for NetShapers to view what
the Internet criminals and pranksters of the world see when
they size up a system for attack.
Role
playing
NetShapers'
security assessments take two forms: open and covert.
Open analysis does not involve as much poking and prodding,
and is more of a general look-see into potential weaknesses
in a network, Sygula said.
"Those are not normally as effective as the covert, in which
no one knows what's going on except the administrator who hired
us," he said.
The initial step in the covert process is one of the standard
scouting measures hackers employ. "The first thing we would
do, which we would do with any security contract, is do a port
scan," Sygula said.
"Ports" are the individual addresses in a network, which hackers
can check for weaknesses vulnerable to programmed exploits.
Exploits are packets of data camouflaged as routine user requests
or responses, but coded to do such things as crash servers or
gain access to the system.
"On a covert hire, you're looking for one hole that's going
to get you in a system," Sygula said.
If the initial break-in doesn't work, NetShapers pulls out the
stops, making use of the great low-tech tool of the hacker--social
engineering. Social engineering is the current term for conning
employees of a company into giving up passwords or other key
information useful for breaking into a network.
The methods range from pretending to be the systems administrator
to rummaging through the company dumpster to getting personal
information about employees to make educated guesses about their
likely passwords and system IDs, Sygula said.
"Nine times out of 10, that's how you get in," he said. "It
works like a marvel."
Sygula calls the dogs off on such contracts before they get
too personal. "Once you gain access to the servers, that's where
we usually call it quits."
Though the companies contracting with NetShapers are paying
Sygula to do his best to get in, the clients are often more
annoyed than appreciative when his team succeeds.
"They kind of feel cheated," Sygula said.
Many administrators hire NetShapers to either check behind another
company's completed work or on the assumption that the networks
in place are airtight, and they do not like being disabused
of that belief.
For the most part, though, NetShapers' stock in trade is beating
the bad guys, not being the bad guys.
Know
the enemy
Hackers,
oddly enough, freely provide some of the best information on
the methods and the e-tools of the trade.
They circulate underground magazines dedicated to sharing the
latest tricks and weaknesses in common security systems and
even exchange information on secret Web sites.
"These guys have conventions," Sygula said.
The underground Web sites are often protected by a security
firewall, which users must defeat to establish their hacker
credibility before entering.
"The Internet becomes a very handy tool for us, especially its
anonymity," Sygula said.
Just as systems with security weaknesses allow hackers to move
through a company's network masquerading as legitimate users,
so, too, does the anonymity of the Web allow NetShapers' security
designers to travel through the underground sites masquerading
as hackers.
Those who spend their time breaking into the systems of others
are quite touchy about their own security. Hackers are also
more focused on securing their own systems than anyone else
on the Internet, Sygula said.
"Hackers are more paranoid than the people they attack," he
said. "Knowing that has helped us with our system."
Hackers' fears of being found out make them skittish when their
own tools are turned against them, Sygula said. They almost
always have an intrusion detection system set up, and a simple
return port scan will generally chase them off, he said.
For more persistent intruders, Sygula has a nasty little trick
called a "honey pot." In setting up a honey pot, NetShapers
will take the real system under attack off-line and replace
it with a system that appears identical to the electronic invader.
The twist in the faux system is it traps attackers by holding
the Internet connections linking the hacker to the network longer
than the legitimate system would, allowing the security watchdogs
to track back to the originator of the attack, line by line.
"That gets exciting," Sygula said. "That's when you know somebody's
kicking at the door."
Most intruders will be able to break the connection before they
are found out, but knowing an intended target has the power
to identify a hacker is usually enough to push them to seek
easier prey, he said.
If Sygula's company has become a pain for some hackers, they
have only themselves to blame, because, while Sygula always
had a bent for computers, it was chasing e-foxes out of the
techno-chicken coops that gave him the direction his career
has taken.
Getting
bloodied
Sygula
was still a student at Louisiana State University when the security
bug bit him good and hard.
"It started off with me working for a company called Data Research
Unlimited," he said.
Sygula was systems administrator for the company in the heady
dot-com days of 1997. "The two years from '97 to '99 is where
the Internet experienced its biggest boom. We were dealing with
servers that were processing a lot of traffic."
And, in the world of the Web, more traffic equals more danger.
"We were getting hacked on a regular basis, and I had to do
the forensics on attacks," he said.
In early 1998 Sygula decided to strike out on his own with fellow
LSU student Jerry Barnett, a friend since their days at Scotlandville
Magnet High School, and a third partner, Ryan Hebert.
"The three of us decided we had enough skill sets to make a
go of it," Sygula said.
NetShapers was born as a Web design company and started, in
stereotypical fashion, in the spare bedroom of Sygula's apartment.
"We basically went broke pretty fast, because four grand doesn't
go very far," he said.
Business picked up enough by May 1998 that the fledgling company
did not have to join the ranks of the dot-corpses.
But again, as traffic picked up, so did interest from Internet
nasties. "We started to see some attacks on our network server,"
Sygula said. "That's when I started dwelling on security."
December 1998 saw NetShapers get enough business to move into
an office without a bed in it, but revenues began declining
in early 1999.
The partners worked to reposition NetShapers as an Internet
development company and picked up a few clients with high-security
needs, including Hollingsworth Court Reporting, with its nearly
20 million records, Sygula said.
"They were the first project that came up with a real need for
a firewall," he said.
Sygula tried to develop a firewall system of his own, but was
hampered by the fact he was still in school and the company's
growth was stalling. "We had our up months and our down months,
the standard new company blues," he said.
NetShapers' business was at an ebb in December 1999, when Hebert
left the company to pursue an opportunity in Houston.
"Losing a partner with sales a little bit down was kind of a
blessing, because it helped us meet payroll," Sygula said.
NetShapers was still fading in the early months of 2000, as
the two partners found themselves trying to build a business
by word of mouth, with no real marketing plan.
"You don't get that synergy, working with only six clients,"
Sygula explained. "It's hard to get that seventh."
The original NetShapers team was big on technological talent,
but had trouble selling it.
Enter the new faces.
The
other half
If
NetShapers was a product in search of marketers, Adam Swales
and Scott Zeigler were marketers in search of a product.
High school chums Swales, a marketing major from Northwestern
State University, and Zeigler, a finance major from Southeastern
Louisiana University, had started their own Web design company,
aptly named Swales & Zeigler, about the same time NetShapers
was getting off the ground.
The pair were casting about for what to do with their newly
earned college degrees when they decided to put their Internet
knowledge, which had mostly been a hobby, to some use, Swales
said.
"This came to Scott one day and we said, 'Hey, let's go for
it,' " Swales said. "We were green and naive, but we marketed
well enough to where we got on our feet--but we were limited."
Swales & Zeigler racked up a tidy group of customers, but could
do little for them beyond brochureware static Web sites, Zeigler
said.
"We were doing good, but basically we were stuck doing low-end
kind of sites," he said.
The Web design business was growing stagnant when Swales and
Zeigler ran across NetShapers while the two companies were both
doing work for Louisiana Companies in the spring of 2000.
"We had a knack for bringing in business, but we were limited
in what we could do," Swales said. "NetShapers can do anything,
but their weakness was bringing it in."
Louisiana Companies was actually the first to suggest that the
two companies link up to take advantage of their complementary
skills. A lunch at The Chimes restaurant to compare philosophies
was the start of a revival for both companies through merger
into a single entity.
"There's a lot of business out there in Baton Rouge for us to
tackle," Swales said. "We felt we had a connection."
The talks began in May 2000, and the merger went through in
July. "Officially, Swales & Zeigler bought us out," Sygula said.
"From that point on--when we merged--things picked up."
The influx of new talent freed each of the partners to do what
he did best, without having to force himself into an arm of
the business world he was not comfortable in. Swales turned
to marketing and selling as chief marketing officer, Zeigler
to handling the books as chief financial officer, Barnett to
Web and graphic design with a sideline as chief operating officer,
and Sygula, serving as president, attacked the languishing FrontDoor
firewall project.
"I was able to finally buckle down and spend two to three weeks
on the system," he said.
Sygula had the system, a hardware and software combination installed
on the client's site, fully developed by September and sold
the first box that same month.
"Soon after that, we hooked up with LDAA (the Louisiana District
Attorney's Association), and we negotiated a deal for a 13-node
virtual private network for them, using our system," he said.
The nodes are individual offices linked by the virtual private
network.
The new NetShapers partners were also glad to make the merger
happen, but had to take a crash course in Sygula's and Barnett's
abilities.
"We're still in a learning process, learning what all they can
do," Zeigler said. "It's kind of amazing that we made it this
far. I feel a lot better being with these guys."
The toughest part of selling NetShapers' products and services
is that Louisiana is picking up the tail end of the technology
train, and some companies don't even understand what NetShapers
offers, Swales said.
"Peter is ahead of the curve, even in Silicon Valley," he noted.
Local companies sometimes do not know good work from slapdash
services, he said. "They don't know quality; they believe their
brother's nephew can do it," Swales said. "They would never
dream of giving their taxes to some kid instead of an accountant."
Trouble
coming
Sygula
believes network security will not be a simple matter of outwitting
freelance hackers and the pranks of the joyriding amateurs known
as script kiddies in the next few years.
The Internet will become, and possibly already has begun to
be, a platform for corporate dirty tricks and competitive espionage,
he said.
Nasty rumors have already begun to circulate that some of the
attacks on purely Web-based companies such as Yahoo and Excite
were not the work of malicious hackers operating on their own
hook, but planned assaults by competitors looking to damage
their victims' businesses, Sygula said.
"I think the next organized crime wave will be digital espionage,"
he said. "A perfect example is insurance company bids. If you
know what the other guy's bidding, the game's over. It's got
to be happening right now, even though it's hard to pin down."
The wide-open spaces of the Internet, with so many sites and
systems running unprotected or underprotected, are also the
perfect breeding ground for kids with a gift for computer manipulation
to grow from script kiddies to full-fledged hackers, Sygula
said.
More security would mean fewer script kiddies, thus fewer hackers,
he added.
Those who remained would be sharper, but cutting their numbers
would shrink the talent pool for potential criminal activity.
"If we don't do anything about it, those script kiddies could
eventually become good hackers," Sygula said. "The level of
security awareness is going up. I think it can be slowed down
to where it's no longer a nightmare."
|
|
About
Us : Articles