Here is a relatively new player in network security space for small and mid-sized businesses (SMBs). A friend of mine that does a lot of work with SMBs is encountering this solution more and more. And is there any wonder why when it is portrayed as a God send for SMBs. On the Atom AMPD Web site, they explain their Kwick Key solution.
“Kwick Key™, a USB flash drive, is the delivery device behind the AtomOS. The Kwick Key is bootable and plugs into nearly all servers. Kwick Key users experience a significant savings achieved with a high quality “one key” solution for their networking needs.
Simply install the Kwick Key into an internet-connected server, display the web interface, configure the features and you’re done. The server is transformed into a multi-functional networking and communication device.
The underlying operating system behind the Kwick Key AtomOS is Linux. The content stored on the server is also backed up on the Kwick Key. Once configured, the Kwick Key can be transferred to new equipment while maintaining its configuration, providing portability in the event of equipment failure. A redundant option is also available.”
What is wrong with this picture?
If you said, “Too good to be true,” you would be correct. There are no silver bullet solutions to security. However these sorts of “all in one” security solutions are being marketed to SMBs all of the time as a cost saving way to be secure. And since SMBs do not typically have any significant IT personnel, they are always looking for ways to reduce IT workload and save money. However, if you need to be PCI compliant, this is not a solution for your organization. Why?
If you read the Savings page on their Web site, they state:
“Your current IT infrastructure is likely requiring multiple boxes to serve your network and communication needs. This likely includes multiple boxes supporting firewalls, content filters, routing and VoIP applications; each requiring individual training, maintenance, and ongoing licensing fees. The AtomOS provides just one platform, one interface, one operating system. It brings to bear the BEST practices via a convergent technology. All modules are tied together by our proprietary user interface.”
That “all in one” solution approach violates PCI DSS requirement 2.2.1 which states:
“Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)”
The reason for requirement 2.2.1 is to leverage the concept of “defense in depth”. Defense in depth relies on multiple layers of defense such that if one layer develops vulnerability, the other layers still can provide some security and mitigate for the vulnerability until the vulnerability is fixed. Under the Atom solution, vulnerability anywhere potentially creates a situation where the whole solution is at risk because of one part’s failure.
As a result, in order to be PCI compliant, it will require you to purchase multiple Kwick Keys. I would assume that multiple keys will result in costs that negate Atom’s cost advantage over other PCI compliant solutions.
Then go to the solution’s product page for Kwick Key. Take a look at all of the firewall features that are available. Looks pretty good until you realize there is one notable feature missing – stateful packet inspection (SPI). Basically, Atom has implemented port filtering which comes standard on Linux distributions. Not that this is not secure, but it does not comply with requirement 1.3.6 which explicitly requires that SPI be implemented.
There are ways to add SPI to this solution. However, that will mean you will have to support it yourself and the whole point of the Atom solution is to get out from under supporting such a solution for your organization.
My assumption is that with an appropriate wireless adapter in the system running Kwick Key that the solution will serve as a wireless access point. Under requirement 1.2.3, wireless is required to be segregated from an organization’s cardholder data environment (CDE) by a firewall. Given that the wireless is operating on the same device, it is questionable if compliance with this requirement could be truly accomplished.
The same concerns with wireless would exist with the virtual private network (VPN) solution. Having the remote access to the internal network also running on the same system is not a best practice. And how secure such a situation would be on this device is questionable.
You need to remember, this is not a purpose built networking device, this is a repurposed computer running Linux. It is potentially susceptible to any number of Linux-based attacks and vulnerabilities depending on the services running. And the more services you pile onto this device, the more potential for vulnerabilities.
Then there is the ability to add a voice over IP (VoIP) call manager solution. Seriously? What a silly and very dangerous idea. Why? VoIP protocols are primarily stateless (i.e., UDP) which means that they cannot be protected by today’s firewall technology which only work with stateful protocols (i.e., TCP). I have actually had vendors correct me on this because VoIP call set up (pick up the handset) and tear down (hang up the handset) are conducted using TCP. What these folks always miss is that the actual conversation is conducted over UDP so that the conversation can be streamed between the phones in use which is the bulk of the activity with a telephone call. And it is not just one or a few UDP ports that can be open; it is typically a range of thousands of UDP ports that are open to support telephony. Talk about a target rich environment.
Adding a VoIP call manager on top of your firewall is probably the most dangerous thing an organization could do because VoIP is so easy to attack due to the stateless nature of its protocols. By implementing VoIP on a firewall you are essentially negating the firewall. Running VoIP on anything but its own dedicated server on its own dedicated network is the only way VoIP should be configured for security, regardless of a need to be PCI compliant.
Finally, there is no pricing provided for the USB “key”. I always get concerned about “wonder” solutions that do not provide pricing without contacting the vendor’s sales operation. Nine times out of ten, all this does is force potential customers to then be contacted relentlessly by sales people until they purchase the solution which is likely overpriced.
This post is not to say that this solution is not appropriate for other organizations. However, if you need to be PCI compliant, this solution is not for your organization if it is implemented as the vendor describes.