The basics
There are five primary concerns in maintaining the security of any system:
- authentication;
- authorisation;
- confidentiality;
- data integrity; and
- auditing.
To ensure security in any of our four scenarios, each of these areas must be properly addressed.
Authentication is about establishing the credentials of the person or system attempting to access a resource. Authorisation flows from authentication - once the basic credentials have been confirmed, we can check if the user is allowed to access this particular resource.
Confidentiality means ensuring that people who aren't meant to be involved in a data exchange can't 'eavesdrop', and often means using encryption technologies, which 'scramble' messages so they're meaningless to unauthorised parties. One of the most common encryption technologies you will encounter is SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), which are used for secure Web-based transactions.
Data integrity requires that we make sure data hasn't been tampered with en route, while auditing is the process of keeping track of who has used a network. Identifying discrepancies during auditing may point to security problems.
Good security practice requires both a sensible methodology and making good use of available technologies. The best known and most widely deployed security technologies are firewalls and VPNs (Virtual Private Networks). Other options include enhanced authentication solutions such as biometrics, which use biological data such as fingerprints; auditing systems such as intrusion detection systems (IDSes), which monitor network activity for unauthorised activity; and data integrity solutions such as file integrity checkers, which use algorithms to ensure the contents of files haven't changed or been misplaced in transmission.
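The file integrity checker mentioned above is simple enough to show end to end. The script below is an added example written for this article, not a product or code from the original; it records a baseline of SHA-256 digests for a directory tree, rescans later, and reports files that were modified, removed or added. The directory contents are constructed in a temporary folder so the script runs offline.

```python
"""Minimal file integrity checker (added example, not part of the article)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return (modified, missing, added) as sorted lists of relative paths.

    A file counts as modified when it exists in both scans with different digests,
    missing when it was in the baseline but is gone, and added when it is new.
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added


def demo():
    """Constructed scenario: take a baseline, then change, delete and add files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "motd"), "w") as fh:
            fh.write("Authorised use only\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("nothing to see\n")
        baseline = build_baseline(root)

        # Simulated drift since the baseline: one edit, one deletion, one new file.
        with open(os.path.join(root, "etc", "hosts"), "a") as fh:
            fh.write("10.0.0.5 intranet\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
            fh.write("echo started\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    modified, missing, added = demo()
    print("modified:", modified)
    print("missing: ", missing)
    print("added:   ", added)
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite (or signed), since a checker whose baseline lives beside the files it guards can be updated by whoever changed the files.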
When applying these technologies, it is useful to consider the problem of secure network access in three areas: network access and perimeter security; resource control and system security; and system auditing.
Outside in - perimeter security
Perimeter security uses both logical and physical controls to make sure the only network traffic reaching a destination (such as a network file server) is traffic which has been authorised and permitted. Perimeter security is vital in all four of our access scenarios, and encompasses components of all five of our basic security considerations through the use of firewalls, VPNs and DMZ (Demilitarised Zone) networks. (Those areas of a network which have been secured for public access are often referred to as being within the DMZ.)
Firewalls
A firewall filters and controls network traffic, ensuring that unauthorised traffic is stopped from reaching its intended destination. It can be either a specialised router moving data between networks or a bridge transparently operating on a single network. Most organisations put firewalls between their internal networks and the Internet to ensure only standard protocols such as HTTP (Web), HTTPS (SSL/TLS encrypted Web), FTP (file transfers) and SMTP (e-mail) are allowed through to the right locations. This makes it much harder to attack a system from the Internet, and much easier for the administrators to keep those external services which are exposed up-to-date with patches and properly secured. Firewalls are often integrated with authentication solutions to provide authorised access to resources, and are often used as the endpoints of a VPN. They are also used to create DMZ networks for public access.
A DMZ network (see Figure One) is a network kept isolated from an internal corporate network in order to segregate the types of network traffic travelling around it. A typical scenario is to have a single firewall system with three interfaces protecting a small organisation from the Internet. The first interface is plugged into the Internet, the second into the protected internal LAN and the third into the DMZ. Rules on the firewall might be set to allow only mail to the e-mail server, file transfers to a public file server and HTTP/HTTPS to the Web server. All three of these systems will be located in the DMZ.
More sophisticated systems can also be created. For instance, internal users on a network might be allowed to access all these Internet services, and also be given access to internal-only services such as direct access to a database or use of advanced network protocols for network management. Rules for the firewall would prevent traffic in this second category from being allowed via Internet connections.
Systems can never be fully secured, so organisations need to understand that any Internet hosts in the DMZ could be compromised at any time and make sure that firewalls are installed to minimise the impact of such an attack. The details of how these systems would be implemented vary between each of our four scenarios.
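To make the three-interface firewall concrete, here is an added example (written for this article, not a real firewall's configuration language) that models the policy as an ordered, first-match rule list with a default deny. The zones, host names and the "internal-only" ports (a database on 5432, SNMP management on 161) are constructed for illustration. The rules encode the three ideas above: the Internet reaches only the mail, file and Web servers in the DMZ on their published ports; internal users reach those same services plus the Internet; and a DMZ host, which may be compromised at any time, is never allowed to open connections into the LAN.

```python
"""Toy first-match firewall policy for a three-interface DMZ (added example)."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for any rule field


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "internet", "lan" or "dmz"
    dst_zone: str
    dst_host: str   # constructed host label, e.g. "web"
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_zone: Optional[str] = ANY
    dst_zone: Optional[str] = ANY
    dst_host: Optional[str] = ANY
    proto: Optional[str] = ANY
    dport: Optional[int] = ANY
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every non-wildcard field equals the packet's field."""
        pairs = (
            (self.src_zone, pkt.src_zone),
            (self.dst_zone, pkt.dst_zone),
            (self.dst_host, pkt.dst_host),
            (self.proto, pkt.proto),
            (self.dport, pkt.dport),
        )
        return all(want is ANY or want == got for want, got in pairs)


# Ordered policy; the first matching rule wins, and nothing else is permitted.
POLICY = [
    Rule("allow", "internet", "dmz", "mail", "tcp", 25, "SMTP to the e-mail server only"),
    Rule("allow", "internet", "dmz", "ftp", "tcp", 21, "FTP to the public file server"),
    Rule("allow", "internet", "dmz", "web", "tcp", 80, "HTTP to the Web server"),
    Rule("allow", "internet", "dmz", "web", "tcp", 443, "HTTPS to the Web server"),
    Rule("allow", "lan", "dmz", comment="staff may reach and manage DMZ hosts"),
    Rule("allow", "lan", "internet", comment="staff may use Internet services"),
    Rule("deny", "dmz", "lan", comment="a compromised DMZ host must not reach the LAN"),
]
DEFAULT_ACTION = "deny"


def evaluate(pkt: Packet, policy=POLICY):
    """Return (action, reason) for a packet under first-match semantics."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "default deny: no rule permits this traffic"


if __name__ == "__main__":
    samples = [
        Packet("internet", "dmz", "web", "tcp", 443),    # public Web: allowed
        Packet("internet", "dmz", "web", "tcp", 161),    # SNMP from outside: denied
        Packet("internet", "lan", "db", "tcp", 5432),    # database from outside: denied
        Packet("lan", "dmz", "web", "tcp", 161),         # admin SNMP from inside: allowed
        Packet("dmz", "lan", "db", "tcp", 5432),         # DMZ host probing LAN: denied
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The point worth noticing is that the "second category" traffic from the text (database access, network management) needs no explicit deny rule from the Internet: it is blocked because nothing allows it. Only the DMZ-to-LAN case carries an explicit deny, so that a later, broader allow rule cannot accidentally open that path.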
Scenario One: The customer Web site
Our public Web site needs to be located on a DMZ network (this could be achieved by using an off-site hosting provider). No matter how well the system is secured, a hole might be discovered one day that allows it to be compromised and it is vital that the system be segregated from internal resources.
As well as using firewalls, a useful addition is to install a reverse proxy server. A normal proxy server is used to enhance Web performance by allowing requests for a Web site to be provided by multiple servers, rather than just a single machine. A reverse proxy server uses similar logic, but with the aim of ensuring that a single server can't be taken down by an attack.
Scenario Two: Linking remote offices and Four: Business-to-business data exchange
Firewall rules are used to ensure only traffic from authorised remote sites and business partners is permitted to access internal systems.
Scenario Three: Road warriors and telecommuters
Firewalls are used to limit remote users to accessing permitted resources, such as a Web e-mail client, rather than being able to attack desktop PCs via their remote access nodes.
Virtual private networks
Virtual Private Network (VPN) is a blanket term used to describe any system which creates an encrypted data transfer between two networks or between a client and a network. The 'classic' VPN is like a tunnel created between two networks that encodes the data using a common encryption key at both ends. Increasingly the term is being used to describe any encrypted access scenario, especially the use of SSL-encrypted Web sites to access corporate resources (see Figure Two).
Encrypting the data is important, as anyone along the way could read and record what is being transferred. Network sniffer programs are a great demonstrator of this fact. All that is required to terrify most IT managers is to plug a hub or network tap to a central router then run a password sniffer and watch as usernames and passwords appear in real-time on the console. Encryption eliminates this possibility, as the information is useless unless you have access to the keys and passwords used in the encryption process.
Scenario One: The customer Web site
Access to any confidential data or any usernames and passwords should be encrypted using SSL or TLS. This requires you to set up your Web server to use SSL certificates (which guarantee the identity of the server to anyone accessing it). Companies can act as their own certificate authority (CA), but this is only useful for internal applications. For public Web servers, you will need to purchase a certificate from a commercial CA such as Baltimore, Thawte or Verisign. Installation of these certificates is a simple process, and costs start from around $US120.
Scenario Two: Linking remote offices
Links between remote offices can be easily secured using off-the-shelf encryption solutions. Most firewalls have VPN modules either included or available for additional licensing costs; alternatively, dedicated hardware VPN devices can be purchased.
Scenario Three: Road warriors and telecommuters
Either traditional VPNs with client software or Web applications using SSL/TLS will provide secure access to internal resources for remote users. The same SSL/TLS certificates used for the Web server in scenario one can be used on mail servers to ensure mail can't be intercepted. A small amount of money and a very small amount of time is all it takes to encrypt mail and Web applications.
Remote VPN clients cost a little more and require more effort, but encrypt all traffic and allow remote PCs to act as though they are on the LAN to access file servers, printers and application servers. Low cost off-the-shelf solutions are readily available to suit any small-to-medium sized organisation.
Scenario Four: Business-to-business data exchange
Data transfers such as XML are transferred in plain text form and as such encryption is vital. SSL between the transferring servers should suffice. Application servers such as Weblogic and Websphere support SSL, and Web servers used for XML exchange generally support SSL as a matter of course.
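What "SSL between the transferring servers" means on the client side of such an exchange is mostly a matter of getting the verification settings right, and that is where deployments most often go wrong. The following is an added example using Python's standard `ssl` module, not code from the article or from any of the products it names; it builds the connecting side's TLS context two ways, a weak one that turns verification off (a common shortcut when a partner uses a certificate from a private CA, as in scenario one's internal-CA case) and a hardened one that instead trusts that partner's CA file explicitly. The CA file path and the partner host name are placeholders. The `is_acceptable` check is the kind of test a deployment script can run before any data is sent.

```python
"""TLS client settings for server-to-server data exchange (added example)."""
import socket
import ssl


def weak_client_context():
    """The shortcut to avoid: encryption without authentication of the peer.

    Traffic is still scrambled, but any host in the path that presents any
    certificate will be accepted, so the 'confidentiality' is only against
    passive observers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Verify the partner's certificate and name, and refuse pre-1.2 protocols.

    cafile: path to the partner's (or your own internal) CA certificate in PEM
    form; when None, the operating system's public CA store is used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname/CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def describe(ctx):
    """Summarise the settings that matter for peer authentication."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def is_acceptable(ctx):
    """True only if the context authenticates the peer and rejects old TLS."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def send_document(host, port, payload: bytes, ctx):
    """Open a verified TLS connection to the partner and send one document.

    Not called below because it needs a live partner; server_hostname is what
    binds the certificate check to the name you intended to reach.
    """
    if not is_acceptable(ctx):
        raise ValueError("refusing to send over an unverified TLS context")
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.recv(4096)


if __name__ == "__main__":
    print("weak:    ", describe(weak_client_context()), is_acceptable(weak_client_context()))
    print("hardened:", describe(hardened_client_context()), is_acceptable(hardened_client_context()))
    # With a partner's private CA (placeholder path):
    # ctx = hardened_client_context(cafile="/etc/ssl/partner-ca.pem")
    # send_document("exchange.partner.example", 443, b"<order/>", ctx)
```

The design choice worth stating is that the private-CA case is handled by adding that CA to the trust store for this one context, not by disabling verification; the hardened context therefore still fails closed if the partner's certificate is issued by anyone else.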
Alternatives to Internet access
Secure Internet-based solutions aren't necessarily the right solution to every organisation's remote network requirements. For many organisations the time and trouble of maintaining such systems can be dispensed with by using other telecommunications products such as ISDN lines or Frame Relay dedicated links.
Scenario Two: Linking remote offices and Four: Business-to-business data exchange
Dial-on-demand ISDN links are perfect for intermittent data transfer between offices or companies, and as long as sufficient passwords and system configurations are maintained they can be used to link to sites without needing Internet connections or firewalls. Dedicated links such as Frame Relay connections, which travel across the switched networks in their own private virtual circuits, should be used in conjunction with firewalls controlling traffic when the link is between two separate organisations.
Scenario Three: Road warriors and telecommuters
Telecommuters can be given access to the LAN using remote access servers, regular telephone lines and modems. While this isn't sufficient for travelling staff, global communications providers can provide RAS services for organisations with global points-of-presence (POPs). Ensure adequate firewalls exist to protect resources from misuse from these external connections, and use them in conjunction with a strong authentication solution for any publicly accessible connection.