LAN Security (Networking)

There are many options in network protection, from simple user passwords to sophisticated biometric technologies and vulnerability scanners. Virus protection is also important—particularly to those with Internet connections—because rogue code can spread undetected throughout an organization and cause extensive damage.

Password Protection

Password protection is the most common means of securing network data. Passwords provide a minimum level of security and do not require special equipment such as keys or identification cards. Most passwords associate users with specific workstations and designated shifts or working hours.

The most effective passwords are long and obscure, but easily remembered by users. The primary drawback of password protection is that users do not always maintain password confidentiality. For example, the longer and more obscure a password, the greater chance the user will write it down—typically somewhere near the workstation where it can be accessed easily by anyone, including unauthorized users.

Several rules of thumb guarantee that passwords will remain private. First, they should be changed frequently. Second, a strict policy of unguessable passwords should be enforced—for example, discouraging the use of names of spouses and children as passwords. Finally, a multilevel password-protection scheme helps ensure confidentiality.

Network security administrators should keep a master password file on disk and survey it periodically. Any password in use for over one year should be changed, and passwords belonging to individuals who have left the organization should be rendered unusable immediately. Whenever a security breach is suspected, security administrators can review password use and potential risks. Many network management and security packages are designed to perform some of these tasks automatically.
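The periodic survey described above, as an added example that is not part of the original article: it parses a constructed master password file (the colon-separated format and the audit date are assumptions for this example), flags any password in use for more than a year, and marks departed users' accounts for immediate disabling.

```python
from datetime import date

# Constructed master password file, one "user:last_changed:status" record per
# line. The format is an assumption for this example; real systems differ.
MASTER_FILE = """\
# user:last_changed:status
alice:1997-03-15:active
bob:1998-01-20:active
carol:1996-11-02:active
dave:1997-09-30:departed
"""

MAX_PASSWORD_AGE_DAYS = 365          # "any password in use for over one year"
TODAY = date(1998, 3, 1)             # constructed audit date for the example


def parse_master_file(text):
    """Turn the text file into records; blank lines and # comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, changed, status = line.split(":")
        records.append({"user": user,
                        "last_changed": date.fromisoformat(changed),
                        "status": status})
    return records


def audit_passwords(records, today):
    """Return (user, action) pairs in file order.

    Departed users are disabled regardless of password age; everyone else is
    told to change a password that has exceeded the maximum age.
    """
    actions = []
    for r in records:
        if r["status"] == "departed":
            actions.append((r["user"], "disable"))
        elif (today - r["last_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            actions.append((r["user"], "force change"))
    return actions


def run_audit(text=MASTER_FILE, today=TODAY):
    return audit_passwords(parse_master_file(text), today)


if __name__ == "__main__":
    for user, action in run_audit():
        print(f"{user}: {action}")
```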

Maintaining passwords in mixed-system environments is more difficult, if only because users have to remember several passwords. Several utilities now synchronize passwords necessary for accessing UNIX and Windows NT servers. Syntunix Technologies, for example, offers a utility that, when installed on the server, allows users to employ the same password for both UNIX and NT without having to install any client software. It offers the additional benefit of being able to change both passwords when one is changed, greatly easing the password management burden for administrators.

When users want to change their password, Syntunix uses existing Windows mechanisms and transparently synchronizes the passwords. The server intercepts the password change request from the operating system without user intervention, encrypts the change request, and propagates the change to one or more remote servers.

User Groups

User groups provide a security extension beyond password protection. Making network users part of user groups is a method administrators can use to control users’ access to network applications, data, and LANs throughout an enterprise. Administrators can add and remove users from a group as needed. User groups are especially useful when dealing with company project teams.

User groups are also useful when implemented on virtual private networks (VPNs). The closed user group capability provided with the VPN service lets businesses limit incoming or outgoing voice-data calls to members of a group. At the same time, businesses can quickly and efficiently add (or remove) users to their IP services without having to install or change remote systems such as access servers and modem pools.

Smart Cards

Magnetic card systems allow users to access data on any available workstation by inserting a card into a reader attached to the workstation. The card key system allows access-level definition for each user, rather than for each workstation. Most automatic teller machines use this type of security combined with password protection (i.e., personal identification number or PIN).

Smart cards, which contain embedded microprocessors, accomplish a range of security tasks. For example, they perform online encryption, record time-on/time-off logs, and provide password and biometrics identification. Using smart cards for password entry means that users need not remember their password; the result is an extra degree of security. Smart cards are a viable security option for both local and remote access control. Some key/card setups require that two individuals perform an entry procedure before admittance is granted; this is similar to safe-deposit box access at most banks.

Sun’s vision for the ultimate in thin-client computing includes a Java-based smart card that mobile employees would simply carry around to access all their files via the Web with a browser. The use of Java-enabled chips increases the information capacity of smart cards, allowing for more information and additional functions to be included—even allowing them to be upgraded and loaded with new applications after they are issued.

Biometrics

Biometric identification devices use an individual’s unique physical attributes to secure data, such as fingerprints, handprints, voice recognition, and capillary patterns in the retina of a person’s eye.

One drawback to biometrics is that pattern-recognition processing can take a long time—especially if the user database is large. Some systems decrease the processing time by using passwords before the biometric scanning occurs. When passwords are combined with biometrics, the security system compares the scan only with the image stored under the password entered.

The novelty of using biometric products to safeguard corporate networks has raised questions about how well the technology really works. To answer that question, the International Computer Security Association (ICSA) conducted a wide range of security product tests in early 1998 and approved several products after they passed a round of rigorous ICSA tests conducted in both laboratory and customer environments. Among the approved products was Touchstone, from Mytec Technologies, a fingerprint-matching device used for secure network access, electronic commerce, e-mail encryption, and database management. Another was Citadel Gatekeeper, from Intelitrak Technologies, a voice-print gateway server used to verify users’ network access rights.

Data Encryption

Data encryption is a method of scrambling information to disguise its original content. It is the only practical means of protecting information transmitted over communications networks, but it can also be used to protect stored data. Since intruders cannot easily read encrypted data, intercepted information is more likely to remain safe if it falls into the wrong hands. Encryption methods come in two forms: hardware or software. Of the two, hardware-based encryption provides more speed and security.

There are two popular encryption methods: public key and private key. Public key encryption uses a publicly known key to encrypt the data, and a second private key to decrypt data. Private key methods use a single-key algorithm known only to the sender and receiver. These methods work only as long as the key is kept secure. The advantage of public key encryption is that the private key need never be transmitted. It does not matter if the channel is insecure because the data can be decrypted only with the recipient’s private key. Private key systems require that the secret key be transmitted to the recipient in order to decrypt the data.

The security of encrypted data is linked to the number of bits of the algorithm and key. The current standard is 128-bit security, but 256-bit key algorithms are available through software doubling. The larger the number of bits, the more key combinations are possible and the more computing power is required to break a key. The U.S. government closely regulates encryption methods for export. Encryption methods may or may not be allowed for export depending on the particular encryption technology and its intended use.

An example of a private key encryption system is Kerberos. With this system, every user’s key is stored on a secure central server and kept secret. Kerberos authenticates the identity of every user and every network service via plain-text passwords. If one person compromises the server, all user keys are changed.

Developed for UNIX systems and slanted toward the open systems environment, Kerberos is an Internet standard. IBM, Apple, and Novell are currently developing a Kerberos-based security method for the OpenDoc specification. Because Kerberos has been adopted into commercial encryption products, it has become the de facto standard for remote authentication in client/server environments.

Firewalls

This is an umbrella term that encompasses any number of security techniques designed to prevent unauthorized access to a company’s Internet-aware network. Most firewalls isolate an internal network in one of two ways: they deny the use of unsafe services on a front-line Internet server, such as an applications gateway or proxy server, or they use packet filtering to prevent traffic from passing to an internal network from anywhere other than predefined trusted sites. Some of today’s firewalls can even filter out unsigned Java and ActiveX applets or viruses embedded in compressed e-mail attachments.

A typical packet filter checks IP address and service information to determine if traffic is coming from a trusted location. Packet filtering is transparent to users, provides a single point of entry and exit, and can disable services that have been inadvertently enabled on network machines. Packet-filtering capabilities are widely available in commercial and freeware routing products; some router and firewall vendors bundle their products into a single Intel-based workstation.

Virus Scanners

The ever-increasing number of computer viruses makes virus protection a necessary security measure. Because workstations communicate with the network file server to obtain shared programs and data files, a virus can spread to every computer that logs onto the network. Viruses present a major threat to security because of the damage they can do to network information; viruses can corrupt data, delete files, slow system operations by spawning processes, and prevent applications from saving files. The new macro viruses that reside inside the document files of word processing and spreadsheet applications are especially difficult to detect.

Antivirus software packages recognize a multitude of known viruses, and most are updated frequently as new viruses are discovered. Network Associates, for example, offers Total Virus Defense, which includes an AutoImmune feature. It automatically extracts possible viruses and sends them to Network Associates for detection and cleaning. The product also includes Anti-Virus Informant, a customizable, Windows NT-based reporting tool that lets users monitor virus outbreaks and analyze data over time. It can track the number of machines running antivirus software or detail the number of virus instances and how fast they were eradicated.

Scanning e-mail for viruses is harder to do. Most antivirus programs on the market are limited to working with particular e-mail programs like Pegasus and Eudora, or with particular server platforms such as Windows NT. However, Panda Software’s Antivirus Platinum software scans for viruses and malicious code at the application and IP layers. The software can detect and eradicate real-time viruses found in SMTP, POP3, HTTP, FTP, ActiveX, and Java code. The software also automatically updates itself by pulling down new signature files from Panda’s Web site each day.

Antivirus software is available for firewalls and proxy servers, eliminating the need to load and maintain software on every client.

Vulnerability Scanners

Regularly scanning a corporate network for security vulnerabilities is just as important as scanning for viruses. Security vulnerability assessment tools are available from several vendors, including Network Associates. The company’s CyberCop Scanner allows network administrators to proactively scan their networks for security weaknesses in much the same way that antivirus products scan for viruses. CyberCop Scanner can detect more than 500 known network vulnerabilities and security policy violations.

The product can even update itself when new security vulnerabilities are discovered by the company’s researchers. Reporting and charting capabilities allow LAN administrators and managers to quickly audit their networks on a regular basis and prioritize detected vulnerabilities. In addition to detailed technical reports, CyberCop Scanner features graphical executive summary “snapshot” charts, displaying findings in several Web-based and 3-D interactive formats. Metrics can be tracked on a regular basis through summary reports, enabling managers to watch for trends and ensure that vulnerabilities are addressed in a timely manner.

Intelligent agents are autonomous and adaptive software programs that accomplish their tasks by executing preassigned commands remotely without explicit activation at a management station. An agent can be assigned to monitor the network for a specific event or set of events, which trigger the agent to respond in a predefined manner. Agents are used for a variety of tasks, including security management. The following capabilities of intelligent agents can help discover holes in network security by continuously monitoring network access:

MONITOR EFFECTS OF FIREWALL CONFIGURATIONS By monitoring post-firewall traffic, the network manager can determine if the firewall is functioning properly. For example, if the firewall was just programmed to disallow access of a specific protocol or external site but the program’s syntax was wrong, the agent will report it immediately.

SHOW ACCESS TO/FROM SECURE SUBNETS By monitoring access from internal and external sites to secure data centers or subnets, the network manager can set up security service-level objectives and firewall configurations based on the findings. For example, the information reported by an agent can be used to determine whether external sites should have access to the company’s database servers.

TRIGGER PACKET CAPTURE OF NETWORK SECURITY SIGNATURES Agents can be set up to issue alarms and automatically capture packets when external intrusions or unauthorized application access occurs. This information can be used to track down the source of security breaches. Some agents even allow for a trace procedure to discover a breach’s point of origination.

SHOW ACCESS TO SECURE SERVERS AND NODES WITH DATA CORRELATION This capability reveals which external or internal nodes access potentially secure servers or nodes, and identifies which applications they run.

SHOW APPLICATIONS RUNNING ON SECURE NETS WITH APPLICATION MONITORING This capability evaluates applications and protocol use on secure networks or traffic components to and from secure nodes.

WATCH PROTOCOL AND APPLICATION USE THROUGHOUT THE ENTERPRISE This capability allows the network manager to select applications or protocols for monitoring by the agent so the flow of information throughout the enterprise can be viewed. This information can identify who is browsing the Web, accessing database client/server applications, or using unauthorized software on the network, for example.
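The packet filter from the Firewalls section and the first agent capability above (checking post-firewall traffic against what the firewall was supposed to enforce) fit together in one added example, which is not code from the original article or from any vendor named in it. The policies, addresses and flow records are constructed; the deployed rule set contains a deliberate slip (a missing destination port) of the kind the agent is meant to catch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # trusted (or untrusted) source addresses
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port; None matches any port


def rule(action, src, proto="any", dport=None):
    return Rule(action, ipaddress.ip_network(src), proto, dport)


# Constructed intended policy: the partner site may deliver mail (tcp/25) and
# the branch office may reach the intranet web server (tcp/80); nothing else.
INTENDED = [
    rule("allow", "203.0.113.0/24", "tcp", 25),
    rule("allow", "198.51.100.0/24", "tcp", 80),
]

# Constructed deployed policy with a typing slip in the second rule: the
# destination port was left off, so the branch can reach *any* TCP service.
DEPLOYED = [
    rule("allow", "203.0.113.0/24", "tcp", 25),
    rule("allow", "198.51.100.0/24", "tcp"),
]


def matches(r, pkt):
    return (ipaddress.ip_address(pkt["src"]) in r.src
            and r.proto in ("any", pkt["proto"])
            and r.dport in (None, pkt["dport"]))


def filter_packet(policy, pkt):
    """First-match packet filter; traffic no rule allows is denied."""
    for r in policy:
        if matches(r, pkt):
            return r.action
    return "deny"


def verify_firewall(intended, observed_inside):
    """Agent check: flows seen behind the firewall that the intended policy
    would have denied indicate a broken or mistyped rule set."""
    return [p for p in observed_inside if filter_packet(intended, p) == "deny"]


# Constructed inbound packets arriving at the firewall's outside interface.
INBOUND = [
    {"src": "203.0.113.7", "proto": "tcp", "dport": 25},    # partner mail
    {"src": "198.51.100.9", "proto": "tcp", "dport": 80},   # branch web
    {"src": "198.51.100.9", "proto": "tcp", "dport": 23},   # branch telnet
    {"src": "192.0.2.50", "proto": "tcp", "dport": 25},     # unknown site
]

# What the agent observes on the inside: whatever DEPLOYED let through.
OBSERVED_INSIDE = [p for p in INBOUND if filter_packet(DEPLOYED, p) == "allow"]

if __name__ == "__main__":
    for leak in verify_firewall(INTENDED, OBSERVED_INSIDE):
        print("firewall passed traffic the policy should block:", leak)
```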

One example of an agent that is capable of taking action based on the nature of the security threat is Intruder Alert from Axent Technologies. The product uses a real-time, manager/agent architecture to monitor the audit trails of distributed systems for “footprints” that signal suspicious or unauthorized activity on all major operating systems, Web servers, firewalls, routers, applications, databases, and SNMP traps from other network devices. Unlike other intrusion detection tools, which typically report suspicious activity hours or even days after it occurs, Intruder Alert instantly takes action to alert IT managers, shuts systems down, terminates offending sessions, and executes other commands to stop intrusions before they damage important systems.

NetProwler, a network monitoring component for Intruder Alert, provides network-based intrusion monitoring. Together, the two provide host-based and network-based protection using a single management interface, allowing organizations to protect themselves against the widest range of existing and evolving security threats for the price of a single solution.

Security Services

By taking advantage of independent or vendor-supplied professional consulting services, companies can leverage their investments in security technology. Consulting services can help IT staff integrate various security products into the organization’s security management practices. The integration process usually includes a simulated attack to ensure that the products function as expected. The results can be used to help fine-tune the products’ settings to meet specific security needs.

Another consulting service that is becoming popular is security vulnerability assessment. Unlike security audits, which assume an organization already has a security policy in place, security vulnerability assessment helps companies determine where the security holes are. It then provides a blueprint for a policy to shore up those and other security weaknesses.

Last Word

The ideal network protection strategy combines multiple security procedures for optimal data protection, but does not create resistance that may result in overt attempts to circumvent the security strategy. An often overlooked aspect of network security is that employees are responsible for as much as 80 percent of break-in attempts. While much of this activity is inadvertent or harmless in the overall scheme of things, the proverbial “disgruntled employee” is the real danger. These individuals, perceiving themselves to be wronged by the company in some way, often steal sensitive information or inflict significant damage to databases and other resources. Security works well only when employees are educated about the importance of safeguarding corporate information. New employees should be trained from the start to honor the security mechanisms that are in place and to identify security violations when they occur so appropriate and timely corrective action can be taken. Periodic refresher sessions for supervisors and managers can help leverage corporate investments in security tools and reinforce top management’s security policies.
