Corporate networks and Internet: how much security is enough?

An increasing number of today's computer users are finding that they require Internet connectivity to perform various business functions. Almost always, the first question they ask is, "Is it safe?" The answer is not a simple one. Increasingly, our time in network consulting is spent developing security solutions. We offer the following as a primer on Internet/LAN connectivity and security.

When computers talk over a network, they use special languages, or "protocols," to communicate. The protocol suite in use on the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP). On top of TCP/IP run a host of higher-level protocols used for e-mail, Web browsing, FTP (file transfer), push technologies, and even video and videoconferencing. The downside to all this communication is that with the new openness comes exposure to risk. How, then, do we enable these new communications without unduly risking theft, vandalism or destruction of our corporate data?

Typically, a LAN (local area network) connects to the Internet through a single connection.
This connection is in the form of a router. The router is a device that has one connection to the LAN and another to the Internet service provider (ISP). One way of defending against unauthorized access is router-based packet filtering. Packets are the pieces of data coming into or going out of a LAN, and each is usually a small part of the overall communication. For instance, an e-mail message sent from a computer on the LAN to another computer on the Internet will likely be broken down into several small packets. These packets are sent to the destination host, where they are reassembled into the original message. Packet filtering consists of a set of rules that either permit or deny traffic to or from a network based on simple features of the packet itself: source and destination addresses, protocol, port numbers and, for TCP, the header flags. Because a filter judges each packet in isolation and keeps no record of which connections the LAN actually opened, it can defend against certain kinds of simple attacks, but most security schemes do not rely on it as the primary means of perimeter defense.

Today's networks are more commonly protected by more sophisticated devices called "firewalls." A firewall is usually a computer running special software. Many firewalls employ a technique called application proxying. When a request for a connection arrives at the firewall, it inspects the request to determine whether it is a valid one. If so, the firewall initiates a connection to the destination on behalf of the requesting machine.
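As an added illustration of a rule set of this kind (this is example code, not code from the original article), the following Python evaluates a stateless inbound filter against a few constructed packets. The internal address range, the rules and the sample packets are assumptions for the example. The last sample shows the weakness the paragraph alludes to: because the filter has only the packet's own fields to go on, it must trust the TCP ACK flag to recognise return traffic, so a crafted ACK-only packet aimed at an arbitrary port passes.

```python
"""Stateless packet filter in the style the article describes.

Added example, not code from the original article. The address range,
the rule syntax and the sample packets are constructed for this
illustration; real routers use their own access-list syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False           # TCP ACK flag: set on every segment after the first SYN


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # CIDR; None matches any source
    dst: Optional[str] = None        # CIDR; None matches any destination
    dport: Optional[int] = None      # None matches any destination port
    ack: Optional[bool] = None       # None means "don't care"
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


# Inbound rule set: evaluated top to bottom, first match wins, default deny.
INBOUND_RULES: List[Rule] = [
    # Anti-spoofing: nothing arriving from the Internet may claim a LAN source address.
    Rule("deny", src=str(LAN), note="spoofed internal source"),
    # Replies to connections the LAN opened: every segment after the SYN carries ACK.
    # A stateless filter has no other way to tell a reply from a new connection.
    Rule("permit", proto="tcp", dst=str(LAN), ack=True, note="return traffic"),
    # The mail relay is the only host that accepts new connections from outside.
    Rule("permit", proto="tcp", dst="192.168.1.25/32", dport=25, note="SMTP to mail relay"),
    # Everything else falls through to the implicit default deny.
]


def filter_packet(p: Packet, rules: List[Rule] = INBOUND_RULES) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule, or the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default"


if __name__ == "__main__":
    # Constructed sample traffic arriving from the Internet side of the router.
    samples = [
        Packet("203.0.113.9", "192.168.1.25", "tcp", 40000, 25),               # new SMTP connection
        Packet("203.0.113.9", "192.168.1.50", "tcp", 40001, 23),               # telnet probe
        Packet("198.51.100.7", "192.168.1.50", "tcp", 80, 51234, ack=True),    # genuine web reply
        Packet("192.168.1.50", "192.168.1.25", "tcp", 1, 25),                  # spoofed LAN source
        Packet("198.51.100.7", "192.168.1.50", "tcp", 6000, 51235, ack=True),  # ACK scan slips through
    ]
    for s in samples:
        print(f"{s.src:>14} -> {s.dst}:{s.dport} ack={s.ack!s:5} {filter_packet(s)}")
```

The fifth packet is the one to watch: it is not a reply to anything, but it has the ACK bit set, so the "return traffic" rule admits it. Only a device that remembers which connections the LAN opened can reject it, which is the gap firewalls fill.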
When the firewall receives a response, it passes the response along to the original requesting machine.

For example: a user sitting at her desk wants to look at a site on the World Wide Web. She starts her browser software and types in a Uniform Resource Locator (URL), or web address. The browser sends the request for that web site to the firewall. Depending on how the firewall is configured, it can then determine whether that user, or even that computer, has permission to browse the web. If permission is granted, the firewall makes the request to the web site on behalf of the requesting client. Because the connection the web site sees originates from the firewall, the original user's machine is hidden from anyone who might be listening to that traffic on the Internet. When the web site sends back the requested pages, the firewall accepts them and forwards them to the original requester.

While firewalls are often used to limit internal users' access to the Internet, their more important role is protecting the internal network from unauthorized access. Such access can range from simple eavesdropping on traffic to actual manipulation of data. A company must ask itself how important it is to avoid each of these types of activities.
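The request handling described above, as an added example rather than code from the original article: the policy table, the client addresses and the sample request are all constructed. The function parses a browser's proxy-style request, checks the requesting machine's permission for the site, and either answers the client itself or rebuilds the request as the firewall will send it, with nothing in it that identifies the original workstation. Wrapping this in a socket server, with timeouts and size limits, is left out.

```python
"""Decision and request-rewriting logic of an HTTP application proxy.

Added example, not code from the original article. The client addresses,
the permitted sites and the sample request are constructed; only plain
http:// requests are handled, as in the article's browsing example.
"""
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

# Policy keyed by client address: which web sites each machine may reach.
# Constructed for the example; the article only says the firewall may decide
# per user or per machine.
POLICY: Dict[str, Set[str]] = {
    "192.168.1.50": {"www.example.com", "docs.example.org"},
    "192.168.1.51": {"www.example.com"},
}

METHODS_ALLOWED = {"GET", "HEAD", "POST"}
# Headers that describe the client-to-proxy hop and must not be forwarded.
HOP_BY_HOP = {"proxy-connection", "connection", "proxy-authorization", "keep-alive"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a proxy-style request ("GET http://host/path HTTP/1.0") into parts.

    Raises ValueError on a malformed request line. Repeated headers collapse
    to the last value, which is adequate for this illustration.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def proxy_decision(client_ip: str, raw: bytes) -> Tuple[int, bytes]:
    """Decide what the firewall does with one client request.

    Returns (0, outbound_request) when the request is to be forwarded, or
    (http_status, response) when the firewall answers the client directly.
    """
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return 400, b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if method not in METHODS_ALLOWED:
        return 405, b"HTTP/1.0 405 Method Not Allowed\r\n\r\n"
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        return 400, b"HTTP/1.0 400 Bad Request\r\n\r\n"
    # Permission check per machine: unknown clients get an empty allow set.
    if url.hostname not in POLICY.get(client_ip, set()):
        return 403, b"HTTP/1.0 403 Forbidden\r\n\r\n"

    # Rebuild the request as the firewall itself will send it. The client's
    # address never appears in it; the web site sees only the firewall.
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    out = [f"{method} {path} HTTP/1.0", f"Host: {url.netloc}"]
    for name, value in headers.items():
        if name in HOP_BY_HOP or name == "host":
            continue        # hop-by-hop headers stay on the client side
        out.append(f"{name}: {value}")
    out.append("Connection: close")
    return 0, ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body


if __name__ == "__main__":
    # Constructed browser request as it arrives at the proxy.
    request = (b"GET http://www.example.com/index.html?q=1 HTTP/1.0\r\n"
               b"Host: www.example.com\r\nUser-Agent: Mosaic\r\n"
               b"Proxy-Connection: keep-alive\r\n\r\n")
    for client in ("192.168.1.50", "10.0.0.1"):
        status, data = proxy_decision(client, request)
        print(client, "forward" if status == 0 else status, data)
```

Header names are emitted lower-cased, which HTTP permits; a production proxy would also cap the header count and body size before reading anything from the client.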
The Computer Emergency Response Team (CERT), an international organization dedicated to network security, estimates that most unauthorized accesses go undetected by those managing the victim network. Keeping your data private and undisturbed can be done by implementing a security plan that includes an Internet firewall. Most firewalls have early warning systems: if the firewall detects someone probing it for weaknesses, it can alert the appropriate systems administrator. Additionally, a firewall can log every activity that takes place across it, although such logs are only useful if someone reviews them. While no perimeter defense can truly be called 100 percent secure, today's firewalls are in most cases strong enough to deter all but the most determined attack. If the Internet is in your future, avoid potential problems by making the connection a secure one.
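One form such an early-warning check can take, as an added example rather than the original article's own: a detector run over constructed firewall log lines that raises an alert when a single source has had packets to several distinct ports denied within a short window, the usual signature of someone probing for open services. The log format, the thresholds and the sample lines are assumptions for the illustration.

```python
"""Probe ("port scan") alerting over firewall log lines.

Added example, not code from the original article. The log format, the
thresholds and the sample lines are constructed for this illustration;
adapt LOG_RE to the format your firewall actually writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

# Constructed format: "<ISO time> PERMIT|DENY <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>PERMIT|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp)$"
)

SCAN_PORTS = 5       # distinct destination ports denied from one source ...
SCAN_WINDOW = 60.0   # ... within this many seconds triggers an alert


def detect_probes(lines: List[str], ports: int = SCAN_PORTS,
                  window: float = SCAN_WINDOW) -> List[Tuple[str, str, int]]:
    """Return (src, timestamp, distinct_port_count) for each source that crosses the threshold.

    Lines are expected in time order. One alert per source, raised the moment
    the threshold is reached, so the administrator hears about the scan while
    it is still in progress rather than in a nightly report.
    """
    recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue        # only denied packets count as probing
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        src = m["src"]
        q = recent[src]
        q.append((ts, int(m["dport"])))
        while q and ts - q[0][0] > window:
            q.popleft()     # drop events that fell out of the sliding window
        distinct = {port for _, port in q}
        if len(distinct) >= ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, m["ts"], len(distinct)))
    return alerts


# Constructed sample log: one host walking the well-known ports, one host that
# merely retried the same blocked service, and a permitted reply mixed in.
SAMPLE_LOG = """
2024-03-01T09:00:01 DENY 203.0.113.9:40001 -> 192.168.1.50:21 tcp
2024-03-01T09:00:02 DENY 203.0.113.9:40002 -> 192.168.1.50:22 tcp
2024-03-01T09:00:02 PERMIT 198.51.100.7:80 -> 192.168.1.50:51234 tcp
2024-03-01T09:00:03 DENY 203.0.113.9:40003 -> 192.168.1.50:23 tcp
2024-03-01T09:00:03 DENY 198.51.100.22:5000 -> 192.168.1.25:110 tcp
2024-03-01T09:00:04 DENY 203.0.113.9:40004 -> 192.168.1.50:25 tcp
2024-03-01T09:00:05 DENY 203.0.113.9:40005 -> 192.168.1.50:80 tcp
2024-03-01T09:00:06 DENY 203.0.113.9:40006 -> 192.168.1.50:110 tcp
2024-03-01T09:00:09 DENY 198.51.100.22:5001 -> 192.168.1.25:110 tcp
2024-03-01T09:00:20 DENY 198.51.100.22:5002 -> 192.168.1.25:110 tcp
""".strip().splitlines()


if __name__ == "__main__":
    for src, when, count in detect_probes(SAMPLE_LOG):
        print(f"ALERT {when}: {src} probed {count} distinct ports")
```

The retrying host never trips the alarm, because it keeps hitting one port; the distinct-port count is what separates a misconfigured client from a scan. The same sliding-window structure serves for other probe signatures, such as many distinct destination hosts from one source.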