Secure access over the Internet Buying Guide



Modern enterprises use public networks to conduct private business. The Internet is a great medium for data exchange, whether that be using Web sites for customer interaction; enabling e-mail or XML data exchange between organisations; or creating Web front ends to existing databases so sales staff can check list prices while mobile. PSTN (Public Switched Telephone Network) and ISDN (Integrated Services Digital Network) are used in similar ways to provide dial-in access to public and private resources to customers and mobile staff.

 

Both of these solutions give computer systems a tangible address in the physical world, whether it be a phone number or a fixed Internet address. This connection comes at a price. Even though computing resources may be locked in high-security data centres, the security guards can do nothing to stop an electronic assault by someone using a network address to access the system. The age of data connectivity demands consideration of overall system security.

To best understand the tasks ahead, we'll first define some common scenarios where corporate resources are commonly coupled to the public networks and then see how they fit with the security methods we'll discuss later.

 

Scenario One: The customer Web site

Public Web sites no longer consist of just simple, static content such as product information. When that was the case, the primary security concerns were denial of service (DoS) attacks, where hackers 'flood' a site with requests to make it unavailable to other customers, and site defacements, where pages on a site are removed or replaced with potentially offensive or embarrassing content.

 

In order to get closer to their clients, many organisations now build Web applications that integrate into their database systems to allow customers to change their orders, view or modify personal data and otherwise interact with business systems. This has increased the importance of protecting the public Web site, both to ensure internal databases are not modified without authorisation and to meet legal requirements to keep customer information confidential.

Scenario Two: Linking remote offices

The cost of dedicated leased data links between any two sites is high enough within the same city. When the requirement is to link two offices across the globe, it becomes prohibitive for many companies. Many companies are looking to use the Internet to move data between sites.

 

Scenario Three: Road warriors and telecommuters

Providing staff with the tools to make them more productive has become standard practice in recent years. It makes sense to provide sales staff with up-to-the-minute information on pricing and availability. Giving staff access to their e-mail and other network resources encourages them to check in while away from the office. What started as providing Web-based e-mail is now about providing all the resources of an in-house desktop to a multitude of devices and locations.

 

Scenario Four: Business-to-business data exchange

 

Data exchange between organisations doing business together takes many forms. These can include e-mailing documents, creating Web portals, or creating direct data exchanges, using older systems such as EDI (Electronic Data Interchange) or newer options such as XML (Extensible Markup Language). In all these scenarios, nobody wants their competitors to know what they are doing.

 

Why worry?

The amount of computer crime is escalating. All it takes is one disgruntled person to start a denial of service (DoS) attack and an organisation can be crippled for days. Hackers seeking vulnerable but well-connected systems as a base for their attacks need look no further than the growing number of PCs constantly hooked up to broadband connections.

 

Some hackers like the challenge, ex-employees may hack for revenge and others hope to find something valuable they can sell or trade through the computer underground. No matter how trivial the Internet resources exposed by a company, they will be probed within hours of becoming 'live', and if interesting, attacked soon after. The best hope for securing systems is to make them so hard to access relative to their perceived value that nobody will bother, and ensure that in the time it takes to break in the alarm bells will be set off, allowing administrators to counter the intrusion.

 

The basics

There are five primary concerns in maintaining the security of any system:

 

  • authentication;
  • authorisation;
  • confidentiality;
  • data integrity; and
  • auditing.
To ensure security in any of our four scenarios, each of these areas must be properly addressed.

 

Authentication is about establishing the credentials of the person or system attempting to access a resource. Authorisation flows from authentication - once the basic credentials have been confirmed, we can check if the user is allowed to access this particular resource.

 

Confidentiality means ensuring that people who aren't meant to be involved in a data exchange can't 'eavesdrop', and often means using encryption technologies, which 'scramble' messages so they're meaningless to unauthorised parties. One of the most common encryption technologies you will encounter is SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), which are used for secure Web-based transactions.

 

Data integrity requires that we make sure data hasn't been tampered with en route, while auditing is the process of keeping track of who has used a network. Identifying discrepancies during auditing may point to security problems.

 

Good security practice requires both a sensible methodology and making good use of available technologies. The best known and most widely deployed security technologies are firewalls and VPNs (Virtual Private Networks). Other options include enhanced authentication solutions such as biometrics, which use biological data such as fingerprints; auditing systems such as intrusion detection systems (IDSes), which monitor network activity for unauthorised activity; and data integrity solutions such as file integrity checkers, which use algorithms to ensure the contents of files haven't changed or been misplaced in transmission.

 

When applying these technologies, it is useful to consider the problem of secure network access in three areas: network access and perimeter security; resource control and system security; and system auditing.

 

Outside in - perimeter security

Perimeter security uses both logical and physical controls to make sure the only network traffic reaching a destination (such as a network file server) is traffic which has been authorised and permitted. Perimeter security is vital in all four of our access scenarios, and encompasses components of all five of our basic security considerations through the use of firewalls, VPNs and DMZ (Demilitarised Zone) networks. (Those areas of a network which have been secured for public access are often referred to as being within the DMZ.)

Firewalls

A firewall filters and controls network traffic, ensuring that unauthorised traffic is stopped from reaching its intended destination. It can be either a specialised router moving data between networks or a bridge transparently operating on a single network. Most organisations put firewalls between their internal networks and the Internet to ensure only standard protocols such as HTTP (Web), HTTPS (SSL/TLS encrypted Web), FTP (file transfers) and SMTP (e-mail) are allowed through to the right locations. This makes it much harder to attack a system from the Internet, and much easier for the administrators to keep those external services which are exposed up-to-date with patches and properly secured. Firewalls are often integrated with authentication solutions to provide authorised access to resources, and are often used as the endpoints of a VPN. They are also used to create DMZ networks for public access.

 

A DMZ network (see Figure One) is a network kept isolated from an internal corporate network in order to segregate the types of network traffic travelling around it. A typical scenario is to have a single firewall system with three interfaces protecting a small organisation from the Internet. The first interface is plugged into the Internet, the second into the protected internal LAN and the third into the DMZ. Rules on the firewall might be set to allow only mail to the e-mail server, file transfers to a public file server and HTTP/HTTPS to the Web server. All three of these systems will be located in the DMZ.

More sophisticated systems can also be created. For instance, internal users on a network might be allowed to access all these Internet services, and also be given access to internal-only services such as direct access to a database or use of advanced network protocols for network management. Rules for the firewall would prevent traffic in this second category from being allowed via Internet connections.
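The three-interface design above is easiest to reason about as an ordered rule list with a default of "deny". The following is an added example, not code from the guide or from any firewall vendor: a small first-match packet filter that models the Internet, LAN and DMZ interfaces, the per-host rules for the mail, file and Web servers, the internal-only database, and the rule that a compromised DMZ host must not reach the LAN. All addresses, interface names and port numbers are constructed for the illustration.

```python
"""Added example (not from the guide): a minimal first-match packet filter
that models the three-interface firewall described above, with an Internet
interface, an internal LAN interface and a DMZ interface.  The addresses,
interface names and port numbers are constructed for illustration and the
rule format is this example's own, not any vendor's syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan.  192.0.2.0/24 and 203.0.113.0/24 are
# documentation ranges, not real networks.
INTERNAL_LAN = ip_network("10.0.0.0/24")
DMZ_NET = ip_network("192.0.2.0/24")
MAIL_SERVER = ip_network("192.0.2.10/32")   # e-mail server in the DMZ
FILE_SERVER = ip_network("192.0.2.20/32")   # public file server in the DMZ
WEB_SERVER = ip_network("192.0.2.30/32")    # Web server in the DMZ
DB_SERVER = ip_network("10.0.0.50/32")      # internal-only database


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on: "inet", "lan" or "dmz"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    in_iface: Optional[str]   # None matches any interface
    dst: Optional[object]     # an ip_network, or None for any destination
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any port
    action: str               # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Rules are evaluated top to bottom; the first match wins.
RULES = [
    # From the Internet, only the three public services, each to its own host.
    Rule("inet", MAIL_SERVER, "tcp", 25, "allow"),    # SMTP to the mail server
    Rule("inet", FILE_SERVER, "tcp", 21, "allow"),    # FTP to the file server
    Rule("inet", WEB_SERVER, "tcp", 80, "allow"),     # HTTP to the Web server
    Rule("inet", WEB_SERVER, "tcp", 443, "allow"),    # HTTPS to the Web server
    # Internal users may reach the DMZ services and the internal-only database.
    Rule("lan", DMZ_NET, "tcp", None, "allow"),
    Rule("lan", DB_SERVER, "tcp", 1433, "allow"),
    # A compromised DMZ host must never be allowed to open connections inward.
    Rule("dmz", INTERNAL_LAN, None, None, "deny"),
]
DEFAULT_ACTION = "deny"   # anything not explicitly permitted is dropped


def evaluate(pkt: Packet, rules=RULES) -> str:
    """Return the action the firewall takes for pkt under the rule set."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return DEFAULT_ACTION


if __name__ == "__main__":
    samples = [
        Packet("inet", "203.0.113.5", "192.0.2.30", "tcp", 443),  # customer -> Web
        Packet("inet", "203.0.113.5", "10.0.0.50", "tcp", 1433),  # Internet -> database
        Packet("dmz", "192.0.2.30", "10.0.0.50", "tcp", 1433),    # DMZ host -> database
        Packet("lan", "10.0.0.7", "10.0.0.50", "tcp", 1433),      # staff -> database
    ]
    for p in samples:
        print(p.in_iface, p.src, "->", p.dst, p.proto, p.dport, evaluate(p))
```

The two properties worth checking on any real rule set are visible here: the Internet can reach each public service only on its own host and port (HTTP to the mail server is dropped, not just HTTP to the database), and nothing a DMZ host initiates towards the LAN is permitted, so the damage from a compromised Web server stops at the DMZ boundary.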

 

Systems can never be fully secured, so organisations need to understand that any Internet host in the DMZ could be compromised at any time, and make sure that firewalls are installed to minimise the impact of such an attack. The details of how these systems would be implemented vary between each of our four scenarios.

 

Scenario One: The customer Web site

Our public Web site needs to be located on a DMZ network (this could be achieved by using an off-site hosting provider). No matter how well the system is secured, a hole might be discovered one day that allows it to be compromised and it is vital that the system be segregated from internal resources.

 

As well as using firewalls, a useful addition is to install a reverse proxy server. A normal proxy server is used to enhance Web performance by allowing requests for a Web site to be provided by multiple servers, rather than just a single machine. A reverse proxy server uses similar logic, but with the aim of ensuring that a single server can't be taken down by an attack.

 

Scenario Two: Linking remote offices and Four: Business-to-business data exchange

Firewall rules are used to ensure only traffic from authorised remote sites and business partners is permitted to reach internal systems.

 

Scenario Three: Road warriors and telecommuters

Firewalls are used to limit remote users to accessing permitted resources, such as a Web e-mail client, rather than being able to attack desktop PCs via their remote access nodes.

Virtual private networks

Virtual Private Network (VPN) is a blanket term used to describe any system which creates an encrypted data transfer between two networks or between a client and a network. The 'classic' VPN is like a tunnel created between two networks that encodes the data using a common encryption key at both ends. Increasingly the term is being used to describe any encrypted access scenario; especially the use of SSL-encrypted Web sites to access corporate resources (see Figure Two).

 

Encrypting the data is important, as anyone along the way could read and record what is being transferred. Network sniffer programs are a great demonstrator of this fact. All that is required to terrify most IT managers is to plug a hub or network tap to a central router then run a password sniffer and watch as usernames and passwords appear in real-time on the console. Encryption eliminates this possibility, as the information is useless unless you have access to the keys and passwords used in the encryption process.


Scenario One: The customer Web site

Access to any confidential data or any usernames and passwords should be encrypted using SSL or TLS. This requires you to set up your Web server to use SSL certificates (which guarantee the identity of the server to anyone accessing it). Companies can act as their own certificate authority (CA), but this is only useful for internal applications. For public Web servers, you will need to purchase a certificate from a commercial CA such as Baltimore, Thawte or Verisign. Installation of these certificates is a simple process, and costs start from around $US120.

 

Scenario Two: Linking remote offices

Links between remote offices can be easily secured using off-the-shelf encryption solutions. Most firewalls have VPN modules either included or available for additional licensing costs; alternatively, dedicated hardware VPN devices can be purchased.

 

Scenario Three: Road warriors and telecommuters

Either traditional VPNs with client software or Web applications using SSL/TLS will provide secure access to internal resources for remote users. The same SSL/TLS certificates used for the Web server in scenario one can be used on mail servers to ensure mail can't be intercepted. A small amount of money and a very small amount of time is all it takes to encrypt mail and Web applications.

Remote VPN clients cost a little more and require more effort, but encrypt all traffic and allow remote PCs to act as though they are on the LAN to access file servers, printers and application servers. Low cost off-the-shelf solutions are readily available to suit any small-to-medium sized organisation. 

Scenario Four: Business-to-business data exchange

XML data exchanges are transferred in plain text, so encryption is vital. SSL between the transferring servers should suffice. Application servers such as WebLogic and WebSphere support SSL, and Web servers used for XML exchange generally support SSL as a matter of course.

 

Alternatives to Internet access

Secure Internet-based solutions aren't necessarily the right answer to every organisation's remote network requirements. For many organisations the time and trouble of maintaining such systems can be avoided by using other telecommunications products such as ISDN lines or dedicated Frame Relay links.

Scenario Two: Linking remote offices and Four: Business-to-business data exchange

Dial-on-demand ISDN links are perfect for intermittent data transfer between offices or companies, and as long as strong passwords and sound system configurations are maintained, they can be used to link sites without needing Internet connections or firewalls. Dedicated links such as Frame Relay connections, which travel across the switched networks in their own private virtual circuits, should be used in conjunction with firewalls controlling traffic when the link is between two separate organisations.

Scenario Three: Road warriors and telecommuters

Telecommuters can be given access to the LAN using remote access servers (RAS), regular telephone lines and modems. While this isn't sufficient for travelling staff, global communications providers can provide RAS services for organisations through their points of presence (POPs) around the world. Ensure adequate firewalls exist to protect resources from misuse via these external connections, and use them in conjunction with a strong authentication solution for any publicly accessible connection.

 

The soft, gooey centre problem

Encrypting network access and controlling network traffic aren't of much use if they are let down by poor password quality, wrongly configured software or systems which haven't been updated with the latest security patches. All it takes is an easily guessed password and a system which hasn't been updated against a widely publicised flaw and all your systems may be vulnerable.

The problem of secure perimeters that break because of some little flaw, revealing vulnerable networks behind them, is often called the "soft, gooey centre" scenario. The only way to counter this is through defence in depth: hardened systems and strong authentication and authorisation.

 

Authentication

The single biggest gain an organisation can make in securing systems is to ensure password quality. The extra time a password cracker needs to try every possible seven-character password, compared with every six-character password, is enormous, but if those passwords are never changed, a patient attacker has all the time they need.

Passwords should have a mix of upper- and lower-case letters, numbers and special characters, should be at least seven characters long and should be changed every few months. Using common words and short passwords makes it very easy for attackers to find a way in. Account lockout policies (which stop an account being used after a certain number of incorrect passwords) should also be used to prevent automated attack systems from continually trying to gain access.
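The policy in the paragraph above translates directly into code. The following is an added example, not part of the guide: a password-quality check enforcing the stated rules (mixed case, digits, special characters, at least seven characters, no common words) alongside a lockout counter that refuses further attempts after a run of wrong passwords. The common-word list, the failure threshold and the lockout duration are constructed values; a real deployment would use a large dictionary and values set by policy.

```python
"""Added example (not from the guide): a password-quality check implementing
the rules above (mixed case, digits, special characters, at least seven
characters, no common words) together with an account lockout counter.
The common-word list, the lockout threshold and the lockout duration are
constructed values chosen for illustration."""
import string
from collections import defaultdict
from typing import Dict, List

MIN_LENGTH = 7                       # the guide's minimum length
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}  # constructed sample


def password_problems(password: str) -> List[str]:
    """Return the list of policy rules the password fails (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_WORDS:
        problems.append("common word")
    return problems


def password_is_strong(password: str) -> bool:
    return not password_problems(password)


class AccountLockout:
    """Lock an account after max_failures wrong passwords for lockout_seconds.

    Times are plain Unix timestamps passed in by the caller so the behaviour
    is deterministic; a real system would read the clock."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures          # constructed threshold
        self.lockout_seconds = lockout_seconds    # constructed: 15 minutes
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return "ok", "failed" or "locked" for a login attempt at time now.

        A correct password submitted while the account is locked is still
        rejected: that is what stops an automated guesser from simply
        continuing until it hits the right one."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    for candidate in ("x6%%4dfh", "Password", "Tr0ub4dor&3"):
        print(repr(candidate), password_problems(candidate) or "acceptable")
```

Note that the guide's own sample passwords (such as 'x6%%4dfh') pass every rule except the upper-case one, which is exactly the kind of gap an automated check catches and a human reviewer misses.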

The problem with enforcing strong passwords is often that the users can't cope with remembering they need to use 'x6%%4dfh' to access the LAN, '88skfhe$$' for their Web applications and '@edt&&y8' for their VPN client. As a result, they write them on post-it notes under their keyboards or call and abuse helpdesk staff for making their lives difficult.

The answer lies in integrating authentication across all platforms. Firewalls, Web applications and VPN services can all be tied to internal authentication systems such as Active Directory or NDS, either directly or through extra add-on software. Simply ensuring the users only have to remember one username and password from anywhere makes the task much simpler.

For areas requiring a very high level of security, such as providing complete LAN access via VPNs, devices are available to ensure that learning the password isn't enough. Biometrics can be used to replace the password with a fingerprint or a retinal scan, though takeup of these technologies hasn't been strong to date. Another common secure password solution involves using a token-based system.

An example of a token-based system is SecurID, where a user carries a card or a fob on their key ring that electronically displays a six-digit number that changes every few minutes. The authentication server knows which user has which token and what digits will be showing on it at any point in time. The user authenticates by entering a username, and then a password which comprises a PIN followed by the digits. This ensures the password is different every time it is used, but doesn't require the user to remember all the new passwords.
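To show how the server side of such a scheme works, here is an added example that is not part of the guide and is not SecurID's algorithm (which is proprietary); it uses the open HOTP/TOTP algorithms from RFC 4226 and RFC 6238 as a stand-in. The token and the server share a secret; both derive the current six digits from the secret and the current 30-second time slice; the user submits PIN followed by digits; the server tolerates a small amount of clock drift and refuses any code it has already accepted. The shared secret is the RFC 6238 test vector and the user name and PIN are constructed.

```python
"""Added example (not from the guide): a time-based one-time password token
and the server-side check described above, where the user enters a PIN
followed by the digits currently showing on the token.  SecurID's own
algorithm is proprietary; this example uses the open HOTP/TOTP algorithms
(RFC 4226 / RFC 6238) as a stand-in.  The shared secret, PIN and user name
are constructed test values (the secret is the RFC 6238 test vector)."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Tuple

# Constructed test secret, identical to the one used in RFC 6238 Appendix B.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """What the token displays at at_time: the HOTP of the current time slice."""
    return hotp(secret, int(at_time) // step, digits)


class TokenServer:
    """Authentication server that knows which user holds which token."""

    def __init__(self, digits: int = 6, step: int = 30, window: int = 1):
        self.digits = digits
        self.step = step
        self.window = window                 # tolerated clock drift, in steps
        self.tokens: Dict[str, Tuple[bytes, str]] = {}   # user -> (secret, PIN)
        self.last_counter: Dict[str, int] = {}           # replay guard

    def enrol(self, user: str, secret: bytes, pin: str) -> None:
        self.tokens[user] = (secret, pin)

    def authenticate(self, user: str, passcode: str, at_time: float) -> bool:
        """Check a passcode of the form PIN + token digits for user at at_time."""
        if user not in self.tokens:
            return False
        secret, pin = self.tokens[user]
        if len(passcode) != len(pin) + self.digits:
            return False
        # Constant-time comparisons so response timing doesn't leak the PIN.
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        token = passcode[len(pin):]
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(secret, c, self.digits), token):
                # A code that has already been accepted (or an older one) is
                # refused, so a captured passcode cannot be replayed.
                if c <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    server = TokenServer()
    server.enrol("alice", TEST_SECRET, "1234")      # constructed user and PIN
    now = time.time()
    displayed = totp(TEST_SECRET, now)
    print("token shows", displayed)
    print("first use :", server.authenticate("alice", "1234" + displayed, now))
    print("replayed  :", server.authenticate("alice", "1234" + displayed, now))
```

The replay guard is the part most often forgotten in home-grown implementations: without it, a passcode sniffed off an unencrypted link stays valid for the rest of its time slice (plus the drift window), which is precisely the exposure one-time passwords are meant to remove.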

 

Scenario One: The customer Web site

The best authentication solution for public Web sites is to use plain usernames and passwords over a strong SSL link. Password quality should be enforced wherever necessary, but this can impact on the user experience if they have to request a password reminder every time they use the site.

 

Scenario Two: Linking remote offices

Site-to-site VPN endpoints don't always authenticate each other interactively; more commonly they already share a password or encryption certificates, which are then used to encrypt the data.

Scenario Three: Road warriors and telecommuters

Dial-in users and VPN clients connecting to an internal network should be using very strong authentication options; ideally this would be one-time passwords, but a strong password policy will generally suffice.

 

Authorisation

Once the identity of a user is established using strong authentication methods, the concept of authorisation is used to control their legitimate activities on the network. It should be understood that most misuse of computer systems occurs within an organisation - doesn't everyone want to sneak a peek at the payroll database before their next performance review?

 

Authorisation can be as simple as maintaining good file system permissions to protect sensitive documents, or it can involve firewalling critical systems and requiring users to authenticate with the firewall just to gain a network connection to the service. New products in this area are appearing on the market constantly and there is no one answer for any organisation. Instead a common-sense approach should be used to ensure any one user only has access to what they need to do their jobs throughout a network. This will limit the damage an attacker can do should they figure out that Betty from Marketing has been using her son's date of birth as her password for the last ten years.
 

Hardening systems

All the firewalls, VPNs and authentication systems in the world can't keep a public system secure if it has holes in it. The most widely reported security flaws are with Web server systems. The reason for this is that almost every organisation has a path through their perimeter to access the Web server, and as they are the most commonly available and attackable systems the most flaws are found in them. Usernames and passwords can't be used to prevent access to a public Web site, so the system must be secure on its own. The same approaches should be used for internal systems as well - the people inside your organisation can be as much of a worry as the faceless attackers of the Internet.

The first step to securing a system is to ensure all software patches are loaded and regularly checked. Most well-publicised security incidents such as the Code Red worm use well-known but often ignored security holes and could be avoided if administrators kept all their systems up-to-date.

The next step is to harden the system. Hardening means removing unnecessary services so there are fewer things that could go wrong, and granting applications and users the minimum privileges over files and other resources that they need to do their jobs, so as to minimise potential damage. Unix systems have the useful ability to run applications such as Web servers as unprivileged users in 'jails', which restrict the application to carefully controlled portions of the file system. For Windows, using unique service accounts for each application and granting those accounts minimal access to resources is essential. Options which make life easy for the administrator often also make life easier for the hacker.

 

Audit and IDS

If due respect has been paid to each of the security principles discussed so far, the systems can be considered secure, but only at this point in time. Access to each network resource is tightly controlled and correctly authenticated. The data travelling from server to server or client to server is encrypted, which prevents anyone from eavesdropping, recording passwords or manipulating the data along the way. The hosts involved are all hardened and patched so as to provide defence in depth, but security is never foolproof. New vulnerabilities are found all the time, and often they are used for months in the wild before being discovered by a security researcher who informs the relevant vendors or user groups instead of exploiting the flaw themselves. To maintain security over time it is vital to have systems in place that can alert staff that there has been a break-in, and to track what has been done so the systems can be restored from backups and secured against whatever flaw was exposed. This is the realm of data integrity and auditing systems.
 

Data integrity

There are many products and technologies available to ensure data integrity. A commonly used technology is to use hashing algorithms to take a cryptographic snapshot of the current system state and to compare this with a database of what the same system looked like at a known point in time. Software such as Tripwire fulfils this role, alerting administrators when something suspicious happens such as security configuration files changing overnight.

Another simple option is to use read-only media such as CD-ROMs for static content -- a Web site serving files from a CD-ROM can't be defaced. For our remote access scenarios, data integrity solutions should be used to ensure hosts such as the firewalls and VPN servers haven't had unauthorised changes to their configurations or additional software installed.
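The hashing approach described above is simple enough to show end to end. The following is an added example, not the guide's code and not Tripwire's: it snapshots a directory tree (SHA-256 of each file, plus size and permission bits), saves the snapshot as a baseline, and later reports which files were added, removed or modified. The configuration files, their contents and the simulated overnight change are all constructed for the demonstration.

```python
"""Added example (not from the guide, and not Tripwire's code): a small file
integrity checker of the kind described above.  It takes a cryptographic
snapshot (SHA-256 per file, plus size and permission bits) of a directory
tree, stores it as a baseline, and later reports what was added, removed
or modified.  The configuration files and their contents are constructed
for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> Dict[str, dict]:
    """Map each regular file under root (relative path) to its recorded state."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return state


def save_baseline(path, state) -> None:
    # The baseline must be kept where an intruder can't rewrite it, e.g. on
    # read-only media or a separate host; otherwise it is worthless.
    Path(path).write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(path) -> Dict[str, dict]:
    return json.loads(Path(path).read_text())


def compare(baseline, current) -> Dict[str, List[str]]:
    """Report differences between a baseline snapshot and the current one."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a config directory, then simulate a
    firewall rule file being altered overnight and an unexpected script
    appearing, and return what the checker reports."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "firewall.rules").write_text("allow tcp 443 to web\ndeny all\n")
        (etc / "vpn.conf").write_text("psk=constructed-example\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(baseline_file, snapshot(etc))

        # Simulated unauthorised changes
        (etc / "firewall.rules").write_text("allow tcp 443 to web\nallow all\n")
        (etc / "unexpected.sh").write_text("#!/bin/sh\necho hello\n")

        return compare(load_baseline(baseline_file), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The checker only ever reports a difference; deciding whether "firewall.rules changed at 03:00" is a scheduled update or an intrusion is the administrator's job, which is why the baseline should be refreshed as part of the change process and the comparison run on a schedule.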

 

IDS and system auditing

There are two types of Intrusion Detection Systems - host-based and network-based. Host-based systems are comparable with system auditing methods and are often closely aligned. They keep track of unusual events on systems which could be indicators of attack, and are useful for reconstructing what happened and when if a system is compromised. Many also include reactive capabilities and as such can provide an additional layer of defence against misuse. Network-based systems watch network traffic looking for tell-tale signatures of attack methods and react according to rules defined by administrators.
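As an added example of the host-based side of this (not code from the guide or from any IDS product), the following reads authentication log lines, flags a source address that fails to log in repeatedly within a short window, and raises a second alert if that same source then succeeds: either the guessing worked or the account's owner logged in during an attack, and both deserve a look. The log format, addresses, user names and thresholds are constructed for the example.

```python
"""Added example (not from the guide): the kind of check a host-based
intrusion detection or audit system performs on login records.  It reads
authentication log lines, flags any source address that fails to log in
repeatedly within a short window (a password-guessing pattern) and raises a
second, higher-priority alert if that same source then succeeds.  The log
format, addresses, user names and thresholds are constructed for the
example and do not correspond to any particular product's log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed log lines in a simple "<timestamp> <process>: <message>" form.
SAMPLE_LOG = """
2003-05-12T02:14:01 sshd[411]: Failed password for admin from 203.0.113.9
2003-05-12T02:14:04 sshd[411]: Failed password for admin from 203.0.113.9
2003-05-12T02:14:07 sshd[412]: Failed password for root from 203.0.113.9
2003-05-12T02:14:11 sshd[412]: Failed password for admin from 203.0.113.9
2003-05-12T02:14:15 sshd[413]: Failed password for admin from 203.0.113.9
2003-05-12T02:14:20 sshd[413]: Failed password for admin from 203.0.113.9
2003-05-12T02:14:40 sshd[414]: Accepted password for admin from 203.0.113.9
2003-05-12T08:02:10 sshd[520]: Failed password for bob from 10.0.0.7
2003-05-12T08:02:18 sshd[520]: Accepted password for bob from 10.0.0.7
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for each line that matches."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect(lines, threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (alert_type, source, user) tuples for suspicious login activity."""
    by_src = defaultdict(list)
    for event in parse(lines):
        by_src[event[3]].append(event)

    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()                       # chronological order per source
        recent_failures = []                # failure timestamps inside the window
        burst_reported = False
        for ts, result, user, _ in events:
            if result == "Failed":
                recent_failures.append(ts)
                recent_failures = [t for t in recent_failures if ts - t <= window]
                if len(recent_failures) >= threshold and not burst_reported:
                    burst_reported = True
                    alerts.append(("repeated-failures", src, user))
            elif burst_reported and recent_failures and ts - recent_failures[-1] <= window:
                # A success shortly after a guessing burst deserves a look:
                # either the guess worked or the account's owner logged in
                # during an attack.
                alerts.append(("success-after-failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The single mistyped password from the internal address produces nothing, which is the point of using a threshold and a window: an audit system that alerts on every failed login is switched off within a week.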

 

Summary

Just installing a single layer of security isn't enough to ensure secure remote access to network resources. At the network layer, encryption technologies such as VPNs and SSL or private links via telecommunications providers should be utilised to make it very difficult for anyone to intercept usernames, passwords or sensitive data in transit. Access to all resources should be tightly controlled using firewalls and strong authentication solutions, and all resources should be patched and hardened to protect from malicious authorised users and to provide defence in-depth should any of the other layers fail. This might all sound complicated, but for most small organisations making sure they aren't a victim of attack in each of the scenarios discussed just means using strong passwords, buying a simple router and appropriate client software, setting up logging capabilities and running the latest security patches for their operating systems.
