SECURITY, ACCESS ON THE INTERNET

The Internet. It's the largest shared data network in the world.

It provides your organization with unprecedented access to information around the globe. It also provides outsiders with access to information you want to supply to the outside world.

Growing at the rate of 100 percent per month, this two-way sharing of information offers excellent opportunities. The Internet has become the gateway for individuals, departments and organizations to tap into a myriad of services and resources around the globe. It also produces significant data security challenges for professionals.

Open Infrastructure

The beauty--and the problems--of the Internet can both be attributed to its very open infrastructure. At the outset, it was designed to facilitate communications, not restrict them. When you communicate over the Net, your traffic travels through networks that are controlled by a number of different autonomous organizations. Thanks to the open infrastructure, the Internet provides some of the most comprehensive services available:

* Terminal service -- dialup access to a multi-user machine, often called a host account. This type of service is very good for small to mid-size firms or collaborative work with customers, suppliers and internal staff members.

* Dialup IP -- complete TCP/IP access on a dialup basis requiring SLIP or PPP software. This is excellent for casual family users, home office applications and personnel who travel the globe but still need to stay in contact with their offices.

* Dedicated high-speed access -- dedicated IP access which is typically established for medium to large organizations that use the Internet extensively and support their own Web presence.

Sometimes called a catenet model, the Internet provides global communications capabilities by connecting local area networks (LANs) to medium area networks (MANs) and MANs to wide area networks (WANs). The regional WANs are connected to national backbones and the national backbones are connected to inter-continental backbones. All computers that participate in the Internet have globally unique addresses and can be reached by other participating computers around the world.

The demand for Internet connection first came about because of e-mail, which provides near-instantaneous communication on a global basis. With e-mail, companies are now able to connect and communicate with outside sales people, suppliers, customers and individuals who travel regularly. Users have to be continually told that Internet e-mail isn't secure and that they shouldn't send anything that is highly sensitive unless it is encrypted.

Web Excitement

One of the reasons companies have become so enthusiastic about the Internet is the World Wide Web (WWW). Here, people can browse home pages to find information on companies, products, services and applications that they may want to buy, lease or contract. The Web is where all of the action is for on-line advertising.

Organizations of every shape and size are spending tens and hundreds of thousands of dollars to present colorful graphics, interactive databases and volumes of information for people who browse at their own pace. On the Web, three-person niche application software firms can look as stable and as large as the industry giants. For a fraction of the cost of conventional advertising, companies can reach prospective buyers all over the world.

With visions of huge sales and profits for a modest investment, it's no wonder we look at the WWW as a killer application. Most IS and network managers, however, simply view the Web as a disaster that is waiting to happen ... a disaster that will eventually strike their organization's information.

Security Breaches

The truth is, no network is secure. While most organizations consider the Internet a major threat to their data security, the fact is that most security breaches are inside jobs. According to a U.S. study by Ernst & Young, 70 to 80% of all computer crime is carried out by insiders; and of the firms that reported security breaches, the average financial loss was $100,000, although a number of firms suffered losses of more than $1 million from a single incident.

The only way to fully protect yourself from this type of disaster is by dismantling your network and placing each computer in a locked room that can only be accessed by authorized individuals. Obviously, such a move in today's business environment is impractical, since rapid access to information can provide a strategic and competitive edge in the marketplace.

Internally, the key is to provide computer and network security that doesn't impair productivity. To protect your organization from outsiders, the same approach must be taken. Fortunately, there are user-proven, cost-effective solutions that can be implemented to protect your vital network data from unwanted outside access.

Most attacks that occur on organizational networks come about by password guessing and snooping, exploitation of faulty or misconfigured code and the use of Trojan Horse programs or worms.

Initial Protection Steps

To protect your vital data, develop a process for reliably verifying the identity of anyone (or anything) that attempts to access your network. The first stage is accomplished by having a well-developed, password- and address-based authentication program that is strictly enforced and consistently monitored.

User IDs and passwords represent the first line of defense against intrusion and they're a necessity for an organization's remote-access users. To make even a basic password system more robust, the system administrator can assign different access privileges based on the password used. Administrators can also require that passwords be changed regularly, can set time-outs, and can specify a minimum password length or require that passwords be composed of mixed alphanumeric characters.

These techniques make the password system even more secure. Unfortunately, according to remote-access experts, most users don't take passwords seriously. They use passwords that can be easily guessed, they are reluctant to change them, and they readily share their passwords with others.

To strengthen the password system, your organization can use tokenized passwords. Tokens are typically credit-card-sized devices that act as keys to computers. They can be easily installed and are much more reliable than reusable passwords. Products such as smart cards are available that display a randomly generated, unpredictable access code that changes every 60 seconds. This token is synchronized with a similar device installed in your network's server.

The result is a one-time password that is usable only for the duration of a particular log-on session.
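As an added illustration (not from the article or any product it mentions), the following Python models the time-synchronized token just described: the card and the server derive a six-digit code from a shared seed and the current 60-second interval, and the server accepts each code only once. It follows the HMAC construction of RFC 6238 (TOTP) rather than any 1990s vendor scheme; the seed, user name and timestamps are constructed.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the article's token changes its code every 60 seconds
DIGITS = 6

def code_for_interval(seed: bytes, interval: int) -> str:
    """Derive the display code for one 60-second interval (RFC 6238 style)."""
    digest = hmac.new(seed, struct.pack(">Q", interval), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def token_display(seed: bytes, now: float) -> str:
    """What the card shows to the user at wall-clock time `now`."""
    return code_for_interval(seed, int(now) // STEP_SECONDS)

class TokenServer:
    """Server-side device synchronized with the cards.

    `skew` is how many intervals of clock drift are tolerated in either
    direction; `used` records intervals already consumed, so a code that
    was observed in transit cannot be presented a second time.
    """
    def __init__(self, seeds: dict, skew: int = 1) -> None:
        self.seeds = seeds          # user -> shared seed (constructed)
        self.skew = skew
        self.used: dict = {}        # user -> set of consumed intervals

    def verify(self, user: str, code: str, now: float) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = int(now) // STEP_SECONDS
        consumed = self.used.setdefault(user, set())
        for interval in range(current - self.skew, current + self.skew + 1):
            expected = code_for_interval(seed, interval)
            if hmac.compare_digest(expected, code):   # constant-time compare
                if interval in consumed:
                    return False                      # one-time: already spent
                consumed.add(interval)
                return True
        return False

if __name__ == "__main__":
    seeds = {"alice": b"constructed-seed-not-a-real-secret"}
    server = TokenServer(seeds)
    now = time.time()
    shown = token_display(seeds["alice"], now)
    print("card shows  ", shown)
    print("first log-on", server.verify("alice", shown, now))        # True
    print("replay      ", server.verify("alice", shown, now + 5))    # False
```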

Another approach that is becoming increasingly popular is the software token. Token programs, which can be loaded on laptop systems, save the users from having to keep track of and use a separate device. The problem is, they're less secure. If the laptop is stolen (a tempting target for thieves), the token is also stolen.

A number of remote access server products have incorporated dialback capabilities. With dialback, the user dials into the system and provides a user ID and password. The security device hangs up the connection and immediately calls the user back, generally at a predetermined number. This approach, while initially disruptive, provides an added degree of remote-access security.

Firewalls

To provide reasonable protection of your network from unwanted attack, your organization will want to install a firewall system. A combination of hardware and software, firewalls are designed to permit the flow of desired information while protecting designated resources. They create narrow channels through which information flow can be tracked and controlled. Firewalls will deter most would-be attackers and will also give you early warning of an attempt or attack. Most individuals and organizations that develop, install and maintain firewalls follow a single, simple philosophy: Everything not explicitly permitted is denied.

For best protection, the firewall should be installed on a dedicated high-performance network workstation that is located outside the LAN but inside the router link to the Internet. All network traffic should pass through the firewall, whether from the inside to the outside or from the outside to the inside. Only authorized traffic should be allowed to pass through the firewall, and the firewall itself should be immune to unauthorized penetration.

Firewalls employ three techniques: packet filters, application gateways (Bastion hosts) and circuit gateways.

Packet Filtering

Packet filtering is usually carried out by the router as data packets pass through the router's interface. When the router receives a packet, it examines the Internet Protocol (IP) destination address in the packet header and forwards the packet to the next stage, closer to the final destination. By examining the source and destination IP addresses and the TCP/User Datagram Protocol (UDP) source and destination ports, it can determine whether the packet should be moved along or denied passage.

Packet filtering is usually the first line of defense between the network and Internet, since organizations need a router to connect to the Internet. As a result, it is relatively easy to filter out unwanted traffic at the router. Packet filtering is standard with most routers that are available today using TCP/IP protocols to allow or deny traffic access.
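An added example, not the article's own and not any router vendor's configuration syntax: a minimal packet filter in Python that evaluates constructed TCP/UDP headers against an ordered rule list and applies the "everything not explicitly permitted is denied" philosophy described above. The addresses are constructed from the documentation ranges 192.0.2.0/24 (the organization's LAN) and 198.51.100.0/24 (the outside).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """The header fields a router's packet filter examines."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[str]        # None matches any protocol
    src_net: str                # CIDR notation
    dst_net: str
    dst_port: Optional[int]     # None matches any port
    note: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))

# Ordered ruleset for the Internet-facing interface (constructed). The first
# matching rule wins, so the anti-spoofing deny is placed before any permit.
RULES: List[Rule] = [
    Rule("deny",   None,  "192.0.2.0/24", "0.0.0.0/0",     None, "inside address arriving from outside"),
    Rule("permit", "tcp", "0.0.0.0/0",    "192.0.2.10/32", 25,   "SMTP to the mail relay"),
    Rule("permit", "tcp", "0.0.0.0/0",    "192.0.2.20/32", 80,   "HTTP to the Web server"),
]

def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason). Anything no rule explicitly permits is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit default deny"

def filter_with_alarms(packets: List[Packet]) -> Tuple[List[Packet], List[str]]:
    """Forward permitted packets and log every drop so an alarm can be raised on it."""
    forwarded, drops = [], []
    for pkt in packets:
        action, reason = filter_packet(pkt)
        if action == "permit":
            forwarded.append(pkt)
        else:
            drops.append(f"DROP {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dst_port} ({reason})")
    return forwarded, drops

if __name__ == "__main__":
    sample = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 25),   # outside mail host -> relay: permit
        Packet("198.51.100.7", "192.0.2.10", "tcp", 23),   # telnet to the relay: no rule, drop
        Packet("198.51.100.9", "192.0.2.20", "udp", 80),   # wrong protocol for the Web rule, drop
        Packet("192.0.2.5",    "192.0.2.10", "tcp", 25),   # inside source seen on outside interface, drop
    ]
    fwd, log = filter_with_alarms(sample)
    print(len(fwd), "forwarded")
    print("\n".join(log))
```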

Bastion Host

Next, an organization will want to implement an application gateway or Bastion Host, which screens incoming data based on more than just the packet header contents. It funnels approved users to the appropriate application server. According to the National Institute of Standards and Technology (NIST), the Bastion Host provides benefits over direct application access because the information is hidden unless access is authorized by the server.

It also provides very robust authentication and logging of accesses and access attempts, and is generally inexpensive to maintain, since third-party software and hardware only need to reside on the application gateway. In addition, the application gateway, which is positioned between two routers that do packet filtering, is less complex (and less expensive). By combining packet filters with application gateways, network managers can have a very sophisticated security system.

Because all traffic flows through the Bastion Host, it becomes a point for extensive traffic monitoring, allowing you to activate software that will warn you of potential intrusion. One type of alarm software can check the integrity of files on the computer system. If intruders have penetrated the system and modified portions of a program with hidden back doors called Trojan horses, a simple checksum of all executables will pinpoint a difference between a known clean file of the program and the modification.

Other alarm systems can be used to warn network support personnel when a specific service is being probed for weaknesses. Alarms can also be established on packet filters to announce when a specific packet has been dropped.

Firewall Monitors

Firewall system monitors can also be implemented to detect potential problems before they become major. One will log Bastion Host usage to report who is using the system and what they are using it for. In addition to providing a level of security, it also assists network managers with capacity planning.

Another monitor checks the security of passwords (which by their very nature are insecure) to ensure that all of the passwords on a given system are secure.

For most organizations that implement, test and monitor their security procedures, the above steps will be sufficient. However, there are creative and persistent hackers who can penetrate even these robust outer defenses. Occasionally, a hacker will take on a firewall as a personal challenge. Most firewall software includes logging capabilities to record connection attempts, source and destination IDs and similar data. It is important that network managers continuously check the logs for attempted break-ins.

Encryption

If your data requires absolute protection and security, the solution is to encrypt your data so that even if data is stolen, it is useless. Encrypted data cannot be read without the proper "key."

Depending upon the sensitivity of your information, there are three levels of encryption which can be employed--application, network and link levels.

Application-level encryption encrypts data in the application, making it useless without the proper software key.

Newer firewall products incorporate secure mail standards so that offices using the same firewall products can efficiently and effectively transmit secure information across the Internet without having to worry about interception and possible unauthorized use. Currently, the most widely used secure mail standards are PEM (privacy enhanced mail), MIME (multipurpose Internet mail extensions) and PGP (Pretty Good Privacy). PEM adds encryption, source authentication and integrity protection to ordinary messages. PGP uses public key cryptography and can be used for both e-mail and files.

Network-level encryption tunnels encrypt the entire communications between two networks across the Internet. This implementation enables organizations to use the public telco infrastructure for private and secure communications. A number of major firewall products and Internet server producers offer and implement these encryption tunnel techniques in their products.

Link-level encryption products encrypt across digital lines by providing encryption in the network routers prior to transmission. Encryption is also available with today's leading fast-packet devices that are produced to support Frame Relay and ATM communications.

Even after implementing all of these processes, procedures and products, there are few IS and network managers who are comfortable with inviting the world to their Internet server. Make certain that you understand the points of vulnerability of your Internet connections. Depending upon the security implementation, the vulnerability may or may not be an issue.

Weighing the Risks

After examining all of the pros and cons, and comparing them with your needs and objectives, consider your alternatives. If your organization wants the benefits of providing information to and receiving information from global Internet users, consider third-party options such as Web hosting services that are available from the leading Internet service providers.

A well-developed and carefully implemented Internet connection/security program can open up worlds of information for your users, customers and strategic partners. However, in order to be effective, users have to be properly trained in all areas of Internet access, use and abuse. In addition, it will add another level of service that will require ongoing management.

# # #



ESTABLISHING INTERNET SECURITY POLICIES

Rather than simply running out and buying/installing Internet security products, it is important for an organization's management to understand the issues and establish a solid LAN security policy.

IS and network management need to make certain that the information stored in their computers is accurate and insulated against accidental or deliberate change. They need to ensure that their computerized information is only seen by authorized users. Finally, they need to make certain that the computers and information are always available when it is needed.

While organizations may have some level of security policies in place, the policies will have to be revised where the Internet is involved. This will include:

* Teach and enforce Internet etiquette to avoid claims of defamation, sexual harassment, and the generation of offensive communications.

* Implement confidential authorization codes or passwords with customers, suppliers and others who connect with your network as well as with employees who are authorized to conduct business on the Internet on the organization's behalf.

* Track activities on internal accounts and the amount of time spent connected to those accounts.

* Establish a policy that prohibits or places limits on employees surfing the Internet and accessing bulletin board systems and chat corners.

* Warn employees that electronic mail may be monitored.

* Avoid potential copyright infringement liabilities by informing employees that downloaded information is for internal use only.

* Update software agreements to cover employees working at home or other remote locations on company business.

* Establish in writing that unauthorized Internet usage and the sharing of confidential codes and passwords may be grounds for termination or legal action.

Advise network users to:

* Choose passwords that cannot be found in the dictionary, such as a combination of letters and numbers. The easier a password is to remember, the easier it is for someone to guess.

* Never give passwords to anyone over the computer network no matter how official the request.

* Change passwords frequently, at least once a month, and if you must write them down to remember them, don't keep them near the computer.

* Unless the communication is protected or encrypted, assume that any message sent via e-mail is available to the public.

* Don't leave your computer unattended when connected to the network.



IS and network managers need to:

* monitor connections
* monitor the hacking community, which is becoming increasingly sophisticated
* develop a clear-cut security policy
* secure host systems
* research and understand your organization's security risks
* make security an integral part of the hardware/software purchasing decision

THE LANGUAGE OF SECURITY

Following are commonly used Internet security terms.

Authentication: The process that validates a user's log-in information. Authentication usually involves comparing the user name and passwords to a list of authorized users. When a match is found, the user can log in and access the system according to his or her assigned rights or permissions.

Digital signatures: Data that can be attached to a document without compromising it and that verifies authorship and control. A secure digital signature cannot be forged, nor can documents bearing that signature be altered without leaving a trail.

Electronic Commerce: Buying or selling goods or services through the Internet. It may also involve ordering, payment and even the delivery of goods and services.

Electronic Data Interchange: A method of electronically exchanging corporate documents, including bills of materials, purchase orders and invoices.

Encryption: The transformation of data into a format readable only with a proper decryption key or code.

Firewall: A barrier that protects the network via a router, through which broadcast messages cannot pass.

Keys: Tools that come in public and private form for both encrypting and revealing the contents of digital information.

Secure HyperText Transport Protocol (SHTTP): Extensions to ensure privacy and authentication of data as it crosses the Internet.

Secure Sockets Layer (SSL): The protocol developed by Netscape Communications Corp. for encrypting data at the application level.

# # #



INTERNET SECURITY INFORMATION RESOURCES

The following is not intended to be a definitive guide to Internet security information sources. However, it will provide sufficient information to assist you in establishing your security program.

* Firewalls and Internet Security: Repelling the Wily Hacker (Addison-Wesley, 1994) by William R. Cheswick and Steven M. Bellovin
* Network Security: Private Communications in a Public World, Kaufman et al., Prentice-Hall PTR, 1994
* majordomo@greatcircle.com -- e-mail and subscribe to firewalls
* isoc@nrl.reston.va.us -- Internet Society
* tansu.com.au/Info/security
* coast.cs.purdue.edu
* cerf.net/security/

* Computer Emergency Response Team (CERT) -- Carnegie Mellon University in Pittsburgh (cert@cert.org). For CERT advisories, send to cert-advisory-request@cert.org. For tools, contact cert-tools-request@cert.org.

* National Computer Security Association (NCSA) -- CompuServe on-line service, which can be accessed by typing GO NCSAFORUM
* National Institute of Standards and Technology (NIST) Publication 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, by John P. Wack and Lisa J. Carnahan, (301) 975-3058
* Newsgroups, including comp.security.announce, misc.security and alt.security

# # #



SECURITY, ACCESS ON THE INTERNET - To learn more about this author, visit Andy Marken's Website.
