Biomedical Engineering Reference
In-Depth Information
password, which is compared to the current number generated by a program running on the server. If
the sequences match, she is allowed access to the server. Otherwise, she is locked out of the
network. Because the number displayed on the ID card—and in the server—changes every 30
seconds, the current password doesn't provide a potential intruder with a way into the system. The
major security hole is that a secure ID card can be stolen, which will provide the thief with the
password, but not the username.
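The check described above can be sketched as follows. This is an added example, not code from the original text: the text does not name the card's algorithm, so the open TOTP standard (RFC 6238) stands in for it. The `TokenServer` class, the username `alice`, and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, matching the 30-second rotation in the text
DIGITS = 6

def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time window containing `now` (HMAC-SHA1)."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenServer:
    """Hypothetical server side: one shared secret per enrolled username."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user
        self._last_window = {}   # username -> last accepted time window

    def login(self, username: str, code: str, now: float) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False         # a valid code without the right username fails
        window = int(now) // STEP
        if self._last_window.get(username, -1) >= window:
            return False         # a code was already accepted in this window
        expected = totp(secret, now).encode()
        if not hmac.compare_digest(expected, code.encode()):
            return False         # wrong or expired code (no clock-drift allowance)
        self._last_window[username] = window
        return True

# Constructed sample data: the secret is the RFC 6238 test key, not a real one.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = TokenServer({"alice": SAMPLE_SECRET})
    card_display = totp(SAMPLE_SECRET, now=59)            # what the card shows
    print(card_display, server.login("alice", card_display, now=59))
    print(server.login("alice", card_display, now=59))    # reuse in same window
    print(server.login("alice", card_display, now=95))    # code from an old window
```

A production verifier would also tolerate a small clock drift between card and server and would lock out repeated failures; both are omitted here to keep the comparison step visible.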
More sophisticated methods of user authentication involve biometrics, the automated recognition of
fingerprint, voice, retina, or facial features. Authentication systems based on these methods aren't
completely accurate, however, and there are often false positives (imposters passing as someone
else) and false negatives (an authentic user is incorrectly rejected by the system) involved in the
process. In addition to errors in recognition, there are often ways of defeating biometric devices by
bypassing the image-processing components of the systems. For example, fingerprints are converted
into a number and letter sequence that serves as the key to gaining access to network assets;
anyone who can intercept that sequence and enter it directly into the system can gain access to the
network.
A researcher employed by a biotech firm to analyze nucleotide sequences probably has no need to
examine the files in a 3D protein visualization system in the laboratory a few doors down from his
office. Similarly, payroll, human resources, and other administrative data may be of concern to the
CFO, but not to the manager of the microarray laboratory. Authentication provides the information
necessary to provide tiered access to networked resources. This access can be controlled at the
workstation, the server, and firewall levels to limit access to specific databases, applications, or
network databases.
Firewalls
As introduced in the discussion of network hardware, firewalls are stand-alone devices or programs
running on a server that block unauthorized access to a network. Dedicated hardware firewalls are
more secure than a software-only solution, but are also considerably more expensive.
Firewalls are commonly used in conjunction with proxy servers to mirror servers inside a firewall,
thereby intercepting requests and data originally intended for an internal server. In this way, outside
users can access copies of some subset of the data on the system without ever having direct access
to the data. This practice provides an additional layer of security against hackers.
Encryption
Encryption, the process of making a message unintelligible to all but the intended recipient, is one of
the primary means of ensuring the security of messages sent through the Internet and even in the
same building. It's also one of the greatest concerns—and limitations—of network professionals.
Many information services professionals are reluctant to install wireless networks because of security
concerns, for example.
Although cryptography—the study of encryption and decryption—predates computers by several
millennia, no one has yet devised a system that can't be defeated, given enough time and resources.
Every form of encryption has tradeoffs of security versus processing and management overhead, and
different forms of encryption are used in different applications (see Table 3-4).
Of the encryption standards developed for the Internet, most are based on public key encryption
(PKE) technology. One reason that PKE is so prominent is that it's supported by the Microsoft
Internet Explorer and Netscape Navigator browsers. PKE is a form of asymmetric encryption, in that
the keys used for encryption and decryption are different. Aside from the complexity added by
the use of different keys on the sending and receiving ends, the two forms of encryption and
decryption are virtually identical. As such, the illustration of PKE in Figure 3-12 assumes symmetric
encryption for the purpose of clarity.