White Paper: Combatting the hidden dangers of global networking

As e-commerce takes over, the next five years will see dramatic changes in the way that business is carried out. But there are security issues to consider

Technologic has published A Corporate Firewall Primer for companies and individuals who need to educate themselves about firewalls: what they are, how they work, and where they fit into a corporate network security strategy. Demand for firewall information is being driven by increased commercial interest in global networking, primarily through the Internet. Commercial Internet usage is growing at an exponential rate, and the growth is expected to continue for several years. Interest from corporations is fuelled by substantial profit opportunities made available through network communications. The primary risk associated with connecting to global networks is that of intrusion by outsiders. Strong security measures are necessary to repel both the casual and the persistent unauthorised user. When you are connected to the rest of the world, the world is also connected to you.

The opportunity

US business is on the verge of unlocking the commercial potential of computer networking. National and global networks will provide the foundation for operational efficiencies that will create meaningful opportunities for businesses to cut costs and increase revenues, with considerable profit impact.

Businesses foresee the ability to cut product development costs through efficiency improvements, as demand information and sales forecasts are combined in real-time with resource availability and pricing from vendors. Real-time sales data from point-of-purchase systems will be routed to the warehouse for stocking and staffing requirements, and will then feed back to manufacturers to support demand-driven production decisions. Internal paperwork flow will collapse from days (or weeks) to hours. Network communications will transform order placement, payment and collections from labour-intensive, error-prone processes into highly automated, efficient transactions. Communications between employees, vendors, customers and prospects will improve dramatically. Business research information, formerly gathered through inaccurate, time-consuming or expensive methods, will be immediately available to the desktop of the network-connected executive.

The potential economic value of these changes is considerable. Many corporations are taking the first steps now. For most companies, that includes a connection to the Internet, the dominant global network. By connecting to the Internet, a business links itself electronically to every other business on the Internet, and to universities, organisations and individuals throughout the world.

Of course, if you are linked to everyone else on the Internet, that means that everyone else is linked to you, and therein lies the security problem.

The danger

For inter-networking to have value, companies must provide access to information from their internal networks. But how do you provide access to authorised entities and, at the same time, exclude unwanted intruders? How can you tell one from the other when they come knocking at your network's door?

Most corporations are not sure how to characterise their risk. Some are so paranoid that they refuse to participate in internetworking for fear of intrusion. At the other end of the spectrum, some businesses naively doubt the extent of computer crime and the consequences of a breach of security. There should be no room for doubt: the risks are real and are well documented.

The corporation's internal network contains corporate assets: information. Information assets include marketing strategies, product roll-out plans, personnel records, financial data, privileged internal correspondence and more. Business success often depends on the privacy of internal information, and it is vitally important to protect it.

The belief that the corporation's information assets are threatened by a young high school or college student sitting at home casually searching for a vulnerable system is no longer accurate, if it ever was. The threat can come from a careless or malicious employee, a competitor, a foreign government, a computer terrorist, or an opportunistic hacker. In any event, threats to your information resources undeniably exist, and if you have useful or interesting information on your internal systems, the intruders will be constantly testing your defences.

Network security fundamentals

Fortunately, a company can guard its information assets without having to sacrifice the benefit of connectivity. Computer security measures, if properly designed, implemented and monitored, can be highly effective. Most large corporations are familiar with the techniques and technologies used for securing information on their mainframe information systems. Network security, however, is different.

When access to corporate information is granted in the mainframe world, a user typically receives permission from the MIS department. MIS controls who is authorised to connect. In an enterprise network, the MIS department has far less ability to control access to corporate data resources. Not only is information stored on many computers instead of just one, but the capability to connect is now available to anyone who has a PC and a network interface. And, as corporate reliance on remote computing grows, network connections can originate from almost anywhere.

It is often difficult to determine the true identity of a network user. A mainframe user can be identified because he or she is usually directly connected to the computer via a cable or (secure) modem hookup. The identity of a user requesting information on a network is more difficult to verify, and can be falsified by a clever individual.

Another exposure of networks is that data is often transmitted in plain text, where it can be viewed, captured, altered, or destroyed. Information on the network may include confidential corporate data, passwords, and sensitive system information.

To add greater complexity, a network connection is not necessarily of the human-to-computer variety. The connection may be a computer-to-computer exchange triggered by a client/server application program.

All of these variables create an environment that is more difficult to secure. The trade-off for the power and interoperability of a network computing environment is the increased security requirement. The organisation's goal is to implement security that protects its network without restricting its usefulness.

The Internet

The Internet is a large and growing collection of interconnected networks. The network provides a vehicle for direct computer access between all connected entities. Originally conceived for university and military research, the Internet is now being discovered for its economic potential by virtually every corporation.

An Internet connection demands fail-safe network security. Companies that rely on enterprise networks require strong network security even if they aren't Internet-connected. But, once you are attached to the Internet, excellent security is required. A penetrable corporate network is a prime target for network break-ins.

The firewall

The most effective method for securing a connection to the Internet is a firewall. A firewall is a system comprised of hardware and software designed to protect your network from untrusted systems and unauthorised users. The firewall, when used in conjunction with effective security policies and procedures, is the foundation for a highly secure connection.

A firewall is also used to segment corporate networks. Even within a company's internal network, there are legitimate reasons to protect sensitive segments from the enterprise at large. Firewalls can be configured to protect specific network domains from general access by unauthorised users.

What is a network firewall?

The firewall system protects your private networks. The firewall is often configured to shield your internal networks and systems from the outside world. This helps prevent intruders from logging into machines on your network. Well-designed firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. Firewalls provide a single choke point where access controls and auditing can be imposed.

Firewalls can't protect against attacks that don't go through them. Corporations that connect to the Internet are justifiably concerned about proprietary data leaking out of the company. The firewall is only one key component of an effective corporate security strategy. Firewall policies must be realistic and reflect the level of security in the entire network. The firewall cannot replace security-consciousness on the part of your users.

How the firewall works

A firewall should:

- Provide the only path for traffic between the protected and unprotected networks

- Enforce the corporate security policy by allowing only authorised traffic to pass

- Be immune to penetration or compromise

The firewall shields internal hosts from the external network. This is necessary because most internal hosts are not secure. Most computers in an organisation are installed to perform specific business functions. To do their job, they may use features that create security exposures. Administration of these systems is typically performed by someone who is not primarily concerned about security, and who may not be formally trained in security.

Sometimes, organisations will protect their internal networks using a router that provides filtering capabilities. Although the filtering router will provide a degree of protection, it still exposes internal hosts to the Internet. Networks protected by a filtering router alone are less secure from the outset.

The firewall machine, on the other hand, is installed specifically to provide network security. It utilises very few system features. Unnecessary (insecure) services can be completely removed from the machine. Administration of the firewall machine is focused. Because it is a dedicated security device, its administration is not likely to be compromised by user demands that tend to weaken security. Its administration can be performed by an individual who recognises the firewall's sole function as a network guardian.

There are two schools of thought on firewall design. One allows through all network traffic unless it is explicitly blocked. The other blocks all traffic unless it is explicitly allowed. Corporate firewalls should subscribe to the second school. By blocking all network traffic to and from the Internet, the corporation establishes a secure starting point for building useful capabilities into the firewall in a way that provides a known level of security. As with most systems, the best advice is to keep it simple, because as the firewall becomes more complex, its susceptibility to compromise increases.

A firewall should adhere to the following standards:

- Security: protect the information and resources of the business from the outside

- Convenience: provide corporate users with convenient access to the Internet

- Reliability: once connected, downtime becomes unacceptable

- Maintainability: a well-designed firewall delivers maintainable security and usability

- Performance: the firewall should not degrade network performance

- Cost Effectiveness: security and usability must also meet budget constraints

Logic dictates that increasing firewall security reduces user convenience, and vice-versa. But for the basic services, it is possible to provide a high level of security without sacrificing user convenience. This is especially true of the most commonly used Internet services: email, ftp, telnet and the World Wide Web.
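The two design schools described under "How the firewall works", together with the inside-out/outside-in rule from "What is a network firewall?" and the four common services named above, can be made concrete with a small policy simulation. This is an added example, not code from the primer or from Technologic; the addresses, the traffic and the simplified "replies are non-SYN packets" state check are constructed assumptions.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: address prefix of the protected corporate network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool   # True for the first packet of a TCP connection (a connection attempt)

# The services the primer names as most commonly used: email, ftp, telnet, web.
ALLOWED_OUTBOUND_PORTS = {25, 21, 23, 80}

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def default_allow(pkt, blocked_ports):
    """First school: everything passes unless it is explicitly blocked."""
    return pkt.dport not in blocked_ports

def default_deny(pkt):
    """Second school: everything is dropped unless a rule explicitly permits it.
    Inside hosts may open connections to the named services outside, replies to
    those connections may come back in, and nothing else passes; in particular
    no connection attempt (SYN) from outside is ever accepted."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return pkt.dport in ALLOWED_OUTBOUND_PORTS
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return not pkt.syn      # simplified state check: reply traffic only
    return False                # traffic that does not cross the boundary is not permitted

# Constructed traffic: one legitimate outbound web request and its reply, plus an
# outside host trying to open a telnet session to an internal machine.
SAMPLE_TRAFFIC = {
    "outbound_web_syn": Packet("10.0.0.5", "192.0.2.10", 80, True),
    "inbound_web_reply": Packet("192.0.2.10", "10.0.0.5", 40123, False),
    "inbound_telnet_syn": Packet("198.51.100.7", "10.0.0.9", 23, True),
}

def compare_policies(blocked_ports):
    """Return {packet name: (default-allow verdict, default-deny verdict)}."""
    return {name: (default_allow(p, blocked_ports), default_deny(p))
            for name, p in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    # The administrator of the default-allow firewall only thought to block ftp.
    for name, (allow, deny) in compare_policies({21}).items():
        print(f"{name:20s} default-allow={allow!s:5s} default-deny={deny}")
```

The outbound request and its reply pass under both policies, but the inbound telnet attempt passes under default-allow simply because nobody listed port 23, which is exactly the "unknown level of security" the primer warns against.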

The Internet advantage

Of the three most common Internet services, email is the most widely used. Although email has been around for a long time, it has not deeply penetrated corporate operations as a standard mode of communication. Its acceptance is now growing rapidly. One of the reasons for increased growth of email communication is the corporate push for Internet connectivity. The ability to communicate outside your own organisation via email significantly improves its value and appeal.

Email is faster, easier and more convenient than fax communication, overnight deliveries, mail and voice mail for a wide variety of business communications. Advances in email technology will soon allow companies to conduct business transactions with the confidence of complete privacy, and in a way that provides for legally binding agreements, through the use of encryption and digital signatures.

The Internet is a vast source of information. The ability to bring that information from the network directly to your desktop can be a powerful business advantage. The Internet information base is multi-faceted. It consists of reference information stored on university and government computers. It includes product and corporate information from companies that are connected. It also includes direct access to the knowledge and opinions of network connected "experts" in almost every possible area of interest. A question or problem posted to an electronic bulletin board or discussion group will elicit information and advice from all over the world within minutes.

Accessing information stored on computers connected to the Internet can be accomplished by using a software tool known as File Transfer Protocol (FTP). With FTP you can request the transfer of files from a remote computer to your own: a great way to retrieve manuals, product information, articles, video, audio and software programs.

Connecting directly to another computer is accomplished using telnet. Telnet places you in control of a remote computer from your desktop. This can be very useful for research, software development, or testing when a company doesn't have direct access to a certain type of computer or software program.

The application that has ignited commercial growth of the Internet is the World Wide Web. Information on the web is accessed using a desktop software package called a "web browser." The web provides a vast source of information and is a powerful medium for corporations to reach prospects, customers, vendors and employees.

A well-designed firewall can permit the full use of email, FTP, telnet, WWW and other services while providing a very high level of security for the corporation.

The firewall is an essential component when a company decides to use the Internet to make information available to the rest of the world. Providing limited access to corporate information and resources while preventing unauthorised access is its role. The firewall can provide the outside world with a "public view" of your enterprise while protecting the organisation's network.

A company can recognise immediate benefits by making information available through the network. Company profile and shareholder information can be accessed by interested parties via the Internet, improving the company's responsiveness to requests and removing the employee overhead associated with the traditional approach of taking information requests by phone and fulfilling them manually.

Compiled by Craig Hinton

(c) technologic inc 1999