Is Windows NT right for your security department?
Sep 1, 1998 12:00 PM, GLEN GREER
If you are contemplating a new integrated security system, your IT department will almost certainly tell you to consider only Windows NT-based solutions. If you have an existing system that runs under Unix, QNX or another operating system, you will be coming under pressure to upgrade it to an NT system. You need the support of your IT department, and you want better integration with other departments, but is this "one size fits all" solution right for your security operation?
In the past, the arrival of a new integrated security system was not always a welcome event for the corporate IT department. The new system rarely ran on the same operating system as other corporate systems. Even when the security department made an effort to conform to the IT department's preferred operating system, the problem was not always solved. For example, the fact that a product runs under Unix does not mean the system will automatically integrate easily into the corporate system. There are many flavors of Unix, both using the Unix name itself and variations on the name - QNX and AIX are both Unix-based operating systems. There is no broad standardization.
In the past few years, there has been a sea change. Microsoft Windows NT has virtually taken over as the preferred operating system in the corporate security world. It has also become the de facto standard operating system for security systems. Should the security department welcome this development? Have we given up anything in this transition, and how should the security director, looking at an impending change or upgrade to the integrated system, view this opportunity? While solving many problems, what new ones does it add to the security director's list?
Changing operating systems
In the early days of computers, every computer manufacturer developed its own operating system. After years of being locked into a single vendor for hardware and software support, system upgrades and even applications, the corporate world was ready when standard operating systems appeared. Unix made the most initial headway, along with Novell NetWare for the specialized network operating system. Now Windows NT (which is both an operating system and a network operating system) has moved broadly into the market built by these two systems, as well as continuing the conquest of the proprietary IBM, DEC and other environments. Most IT departments are strongly pro-Windows NT, or at least ready to accept it into their system. As a result, Windows NT has rapidly become the operating system of choice for integrated security system suppliers.
The change has been good for vendors
Suppliers of integrated systems adopted Windows NT because they saw which way the wind was blowing some years ago. Bruce Addleman, senior product manager at Honeywell Home and Building Controls, Minneapolis, says, "Our Excel Security Manager product was first written to run under Unix because of customer demand for networking capabilities when Unix was the most common operating system. That situation changed rapidly over the past few years and now we find that most of our customers want new applications on the corporate network to be Windows NT-based. We created a Windows NT version of Excel when we started to see this trend. Today we have both Windows NT and Unix products, but customers are overwhelmingly choosing the NT product."
A perfect example of a supplier being responsive to its customers, right? But had anything been given up? Was the new system as stable and secure as it had been under Unix? "We were initially worried about some of those issues," says Addleman, "but they were all resolved in the course of the development. We have been very happy with the performance of the product, and while you may read about weaknesses in Windows NT security in general corporate networks, there are tools to take care of such problems. Our most security-conscious clients, including casinos and government departments, have evaluated our NT solution and have been happy to adopt it."
Addleman was frank about issues raised by technical specialists when comparing NT and Unix. "There are technical performance issues to do with speed and system resources that would suggest an NT product would not perform as well as a Unix one," he said. "While of interest to a software engineer, these are absolutely imperceptible to the user and not valid reasons for choosing one operating system over another."
ABM Data Systems, Austin, Texas, provides software systems for managing security command centers and central stations. System performance and uptime are critical parameters. Steve Cunningham, director of business development, says that ABM chose NT for its Phoenix product before the decision was forced upon them by the market. "The big problem with Unix is variety and lack of standards. We also felt that the available development tools would let us evolve our product more rapidly in response to customer needs," he says. However, he points out that not all NT applications comply fully with NT standards. "To get the full benefit of running under a common operating system, you need to have applications that follow NT standards fully," he says.
ABM was surprised by the speed of adoption of its NT product. "We expected a 50/50 split between our Unix and NT products for some years," says Cunningham. "Already we see 95 percent of our customers opting for the NT product. For us there have been multiple benefits. We don't have to sell or support hardware any more - our customers use what they have in the corporate system. Perhaps more importantly, the NT solution is always less expensive for the customer than the equivalent Unix system and that is especially true with database applications."
Past concerns with the performance of Windows NT predate the current version (4.0), which most experts agree brings NT into serious contention with Unix for the first time. With 5.0, due next year, the general feeling is that Windows NT will move clearly ahead of Unix and other operating systems to become as dominant in the corporate network world as Windows 3.1/95/98 is on the desktop.
Some vendors, such as ABM, are already making end of life (EOL) plans for their older operating systems products, and in some cases, have included Unix in this category. Others, such as Simplex, Gardner, Mass., plan to continue to support their legacy systems, while believing that most customers will migrate to the NT product of their own volition.
At Simplex, supplier of the NT3400 Security Management Information system, the decision to standardize on the Microsoft platform was made six years ago, says Cameron Queeno, director of security product planning. "Even though, in our case, most of our installations still operate on a separate security network, and not on the corporate LAN/WAN, we and the customer have gained substantial benefits from choosing Windows NT," he says. "Our customers do not yet want full database integration, but they have to be able to exchange information with corporate systems, such as human resources. We also find that in spite of available in-house IT expertise, our customers still value the support of a company that can help them fully exploit the capabilities of their new integrated system, providing expertise in security as well as in computing."
Are Windows NT and Unix incompatible?
While the two operating systems appear to be pitted in a head-to-head competition, they can actually coexist peacefully. The place where this coexistence is most commonly seen is on the Internet. The majority of Internet servers are running a type of Unix. However, the majority of the "clients" that access the Internet are running Windows 3.1, 95, 98 or NT with a minority running Apple, DOS or another operating system. The fact that the server is running Unix is transparent to the user, who operates with a familiar graphical user interface and is unaware that Unix commands are being generated in the background. Some security system vendors use this approach, with the server running Unix and the workstations running Windows NT or 95.
Should the security system run on the corporate network?
Ed Merten, director of marketing at Group 4 Securitas Technology, Carson, Calif., says, "We strongly encourage the use of separate security networks for the server and workstations for security, reliability and bandwidth reasons. But we recognize that with spare capacity on the corporate network, a new investment in a separate network can be hard to justify. With Windows NT, we have no problems running on the corporate LAN where we have to."
Most security directors have to assume as they look at today's integrated systems that the corporate LAN/WAN will be part of the design. This raises the problem that compliance with corporate network standards puts data security in the hands of the IT department. However, it is the security director's decision as to how far the security system should be exposed on the network, whether server configurations can be accessed remotely, or whether only data is transferred.
In addition to ensuring that the IT department has taken the necessary steps to secure the network, the use of encryption to protect the security data is advocated by Tom Giannini of Simplex. He points out that the most recently publicized "hack" of an access control system occurred in a Unix-based system. "Security doesn't depend on whether you use Unix or NT, but on the steps you take to protect your system," he says. Regrettably, it appears from a recent Simplex survey that security directors do not find it easy to persuade the corporation of the need to invest additional money and effort in network security. Security directors need to work in conjunction with the IT team to convince management of the reality of the threat and the consequences of a security failure.
The future
The computer world is rapidly evolving and highly competitive, but one constant in recent years has been the success of Microsoft in each market it has targeted. The corporate operating system and network operating system are firmly the targets for Windows NT, and most players agree that Microsoft is set to succeed. Integrated security system suppliers have migrated to NT, are happy with their decision, and feel they are serving their customers better as a result in terms of performance, price and responsiveness to new needs. It appears in the corporate world that even where Unix is still the operating system in the enterprise applications, the IT department will not object to integrating an NT system. The reverse is no longer the case, and no vendor contacted for this article could think of a single instance of a non-NT solution being insisted upon by the IT department.
Harmony?
At Integrated Security Solutions, Kanata, Ontario, which specializes in large integrated systems, David Baird, president, finds that NT is mandated in virtually all jobs. But, he adds, "The old distrust of the IT department by the security department seems to have gone away. Security directors often used to insist on a separate security LAN to avoid being potentially compromised by security attacks from those with access to the standard corporate LAN. But as the corporate LAN has grown in size and complexity and been extended into the WAN, this posture has become impossible to maintain. And, in fairness, network security has improved markedly, with firewalls, virtual private networks, secure socket layers and such tools now available."
By and large, the adoption of Windows NT has been a satisfactory experience for integrated system vendors, and so it should be for security directors, because it can bring the hardware and software of the security system into sync with the views of the IT department. The security director may have to take a hard look at network security, and start to learn about hacking, encryption and firewalls. He or she should use the IT team to verify that the new security system does not just run under Windows NT, but fully conforms to Windows NT standards. As the fog clears, it just may be "the start of a beautiful friendship."
Sidebar: Comparing Windows NT and Unix
An operating system keeps track of different devices attached to the network and performs primary tasks such as file and print sharing. In addition, an operating system maintains data communication between a server and its workstations and guarantees the network's security.
The operating system provides resources to the applications. In the case of Windows NT and Unix, this includes permitting an application to run on multiple processors in a single machine, so enhancing speed and reliability (multiprocessing). They can also permit the application to use more than one computer to do processing tasks (clustering). In both these areas, experts feel Windows NT has yet to equal Unix, though the coming version 5.0 is expected to remove these concerns.
Both Windows NT and Unix perform as network operating systems, a function that, in the past, might have been handled by a separate network operating system such as Novell NetWare. One of the demanding features of a network operating system is to promote an open network system which allows a high degree of connectivity and interoperability for access by not only client workstations, but also other computer networks. Windows NT has an edge over Unix in the number of protocols it supports.
Security is one of the most vital features that a network operating system should have. Since major business transactions are taking place on the network, maintaining and protecting the quality and privacy of information has become crucial. The network operating system and operating system have to control which machines and which users have access to which functions in the system. Issues such as encryption of password files are critical here. In its basic form, experts see Windows NT as inferior to Unix as far as system security is concerned. There have been a number of high-profile "hacks" of Windows NT, including one last year that revealed how to access the full password list. However, there are tools available that eliminate these weaknesses, and part of the security system implementation should be ensuring that these tools have been implemented at the corporate network level.
© 2012 Penton Media Inc.