Secure access over the Internet

The basics

There are five primary concerns in maintaining the security of any system:

  • authentication;
  • authorisation;
  • confidentiality;
  • data integrity; and
  • auditing.

To ensure security in any of our four scenarios, each of these areas must be properly addressed.

Authentication is about verifying that the person or system attempting to access a resource is who it claims to be, usually by checking a credential such as a password, token or certificate. Authorisation flows from authentication: once the identity has been confirmed, we check whether that identity is allowed to access this particular resource.

Confidentiality means ensuring that people who aren't meant to be involved in a data exchange can't 'eavesdrop', and usually means using encryption, which 'scrambles' messages so they are meaningless to anyone who does not hold the key. The encryption technology you will most often encounter is SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), which protect Web-based transactions. Every version of SSL is now considered broken and deprecated; new deployments should accept only TLS 1.2 or later.

Data integrity requires that we make sure data hasn't been altered en route, whether by accident or by an attacker, while auditing is the process of recording who did what on the network, and when. Discrepancies found during auditing, such as logins at odd hours or from unexpected addresses, may point to security problems.

Good security practice requires both a sensible methodology and making good use of available technologies. The best known and most widely deployed security technologies are firewalls and VPNs (Virtual Private Networks). Other options include enhanced authentication solutions such as biometrics, which use biological data such as fingerprints; auditing systems such as intrusion detection systems (IDSes), which monitor network activity for signs of unauthorised use; and data integrity solutions such as file integrity checkers, which compare cryptographic hashes of files against a trusted baseline to detect contents that have been changed, added, removed or corrupted in transit.
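As an added illustration (not part of the original article), the following Python script shows the core of a file integrity checker: it hashes every regular file under a directory with SHA-256, keeps the result as a baseline, and on a later scan reports which files were added, removed or modified. The directory layout, file contents and the "tampering" are constructed for the example.

```python
"""Minimal file integrity checker: hash a tree, keep a baseline, report drift on a rescan."""
import hashlib
import tempfile
from pathlib import Path

HASH_ALGORITHM = "sha256"  # any collision-resistant hash will do; SHA-256 is the usual choice


def hash_file(path, chunk_size=65536):
    """Hex digest of one file, read in chunks so large files do not have to fit in memory."""
    digest = hashlib.new(HASH_ALGORITHM)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a relative POSIX path) to its digest.
    Symbolic links are skipped so an attacker cannot point a 'file' at something else."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Classify the drift between two snapshots into added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: snapshot a small tree, tamper with it, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF original login binary")
        baseline = build_baseline(root)

        # The 'intrusion': a trojaned binary, a new backdoor, and a deleted file.
        (root / "bin" / "login").write_bytes(b"\x7fELF trojaned login binary")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF something unexpected")
        (root / "etc" / "passwd").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the place it is kept: store it off the monitored host, on read-only media, or signed, since an intruder who can replace a binary can just as easily rewrite a baseline that sits beside it.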

When applying these technologies, it is useful to consider the problem of secure network access in three areas: network access and perimeter security; resource control and system security; and system auditing.

Outside in - perimeter security

Perimeter security uses both logical and physical controls to make sure the only network traffic reaching a destination (such as a network file server) is traffic which has been authorised and permitted. It is vital in all four of our access scenarios and touches all five of our basic security considerations, through the use of firewalls, VPNs and DMZ (Demilitarised Zone) networks. (The segment of a network set aside for hosts that must be reachable from the Internet is referred to as the DMZ.)

Firewalls

A firewall filters and controls network traffic, ensuring that unauthorised traffic is stopped from reaching its intended destination. It can be either a specialised router moving data between networks or a bridge transparently operating on a single network. Most organisations put firewalls between their internal networks and the Internet to ensure only standard protocols such as HTTP (Web), HTTPS (SSL/TLS encrypted Web), FTP (file transfers) and SMTP (e-mail) are allowed through to the right locations. This makes it much harder to attack a system from the Internet, and much easier for the administrators to keep those external services which are exposed up-to-date with patches and properly secured. Firewalls are often integrated with authentication solutions to provide authorised access to resources, and are often used as the endpoints of a VPN. They are also used to create DMZ networks for public access.

A DMZ network (see Figure One) is a network kept isolated from an internal corporate network in order to segregate the types of network traffic travelling around it. A typical scenario is to have a single firewall system with three interfaces protecting a small organisation from the Internet. The first interface is plugged into the Internet, the second into the protected internal LAN and the third into the DMZ. Rules on the firewall might be set to allow only mail to the e-mail server, file transfers to a public file server and HTTP/HTTPS to the Web server. All three of these systems will be located in the DMZ.

Figure One: a simple firewall and DMZ network

More sophisticated rule sets can also be created. For instance, internal users on the LAN might be allowed to reach all of these Internet services, and also be given access to internal-only services such as direct access to a database or the network management protocols used to administer the DMZ hosts. Rules on the firewall would block this second category of traffic whenever it arrives from the Internet, so that only LAN addresses can ever originate it.
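The following Python model, added here as an illustration and not taken from the article, encodes the Figure One rule set as a first-match packet filter with an implicit default deny. Addresses, host roles and port numbers are assumptions chosen for the example (the DMZ uses the RFC 5737 documentation range); the point is to see which combinations of source zone, destination and port get through, including that a compromised DMZ host is refused access to the LAN.

```python
"""Model of the Figure One three-interface firewall as a first-match filter with default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: the article gives none. 192.0.2.0/24 is the RFC 5737 documentation range.
ZONES = {"lan": ip_network("10.0.0.0/24"), "dmz": ip_network("192.0.2.0/24")}
MAIL, FTP, WEB, DB = "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"  # assumed DMZ hosts


@dataclass(frozen=True)
class Rule:
    src_zone: str        # "internet", "lan", "dmz" or "any"
    dst: str             # a host address, a zone name, or "any"
    proto: str           # "tcp", "udp" or "any"
    ports: frozenset     # destination ports; empty means any port
    action: str          # "allow" or "deny"
    comment: str = ""


def zone_of(addr):
    """Everything not in a known internal range is treated as the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def _dst_matches(rule, dst):
    if rule.dst == "any":
        return True
    if rule.dst in ("internet", "lan", "dmz"):
        return zone_of(dst) == rule.dst
    return ip_address(rule.dst) == ip_address(dst)


def evaluate(policy, src, dst, proto, port):
    """Return (action, comment) from the first rule that matches, else the implicit default deny."""
    for rule in policy:
        if rule.src_zone not in ("any", zone_of(src)):
            continue
        if not _dst_matches(rule, dst):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action, rule.comment
    return "deny", "implicit default deny"


POLICY = [
    # Public services: reachable from anywhere, but only on the DMZ host that provides each one.
    Rule("any", MAIL, "tcp", frozenset({25}), "allow", "SMTP to the mail server"),
    Rule("any", FTP, "tcp", frozenset({21}), "allow", "FTP to the public file server"),
    Rule("any", WEB, "tcp", frozenset({80, 443}), "allow", "HTTP/HTTPS to the Web server"),
    # Internal-only services (the 'second category' in the text): LAN sources only.
    Rule("lan", DB, "tcp", frozenset({5432}), "allow", "direct database access from the LAN"),
    Rule("lan", "dmz", "udp", frozenset({161}), "allow", "SNMP management of DMZ hosts"),
    Rule("lan", "internet", "tcp", frozenset({21, 25, 80, 443}), "allow", "LAN users reach Internet services"),
    # A compromised DMZ host must not be able to pivot into the LAN; stated explicitly so audits see it.
    Rule("dmz", "lan", "any", frozenset(), "deny", "no DMZ-initiated traffic to the LAN"),
]


if __name__ == "__main__":
    for src, dst, proto, port in [("203.0.113.7", WEB, "tcp", 443), ("203.0.113.7", DB, "tcp", 5432),
                                  ("10.0.0.5", DB, "tcp", 5432), (WEB, "10.0.0.5", "tcp", 445)]:
        print(f"{src} -> {dst}:{port}/{proto}", evaluate(POLICY, src, dst, proto, port))
```

The model only looks at the packet that opens a conversation; a real firewall is stateful and lets the replies through on its own. Rule order matters in a first-match filter, which is why the broad deny sits last and the database rule names a single host rather than the whole DMZ.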

Systems can never be fully secured, so organisations need to assume that any Internet-facing host in the DMZ could be compromised at any time, and write the firewall rules so that such a host can reach nothing on the internal network that it does not strictly need. The details of how these systems would be implemented vary between each of our four scenarios.

Scenario One: The customer Web site. Our public Web site needs to be located on a DMZ network (this could equally be achieved by using an off-site hosting provider). No matter how well the system is secured, a hole may one day be discovered that allows it to be compromised, so it is vital that the system be segregated from internal resources.

As well as using firewalls, a useful addition is a reverse proxy server. A normal (forward) proxy sits between internal users and the Internet and fetches Web pages on their behalf, caching and filtering as it goes. A reverse proxy does the mirror image: it sits in front of your Web servers, accepts every inbound request itself, and passes only well-formed requests for published URLs on to the real servers. The origin servers never face the Internet directly, the proxy can spread load across several of them so that no single server is the one an attacker can overwhelm, and it gives you one place to terminate TLS and drop malformed requests.

Scenarios Two and Four: Linking remote offices, and business-to-business data exchange. Firewall rules are used to ensure that only traffic from authorised remote sites and business partners is permitted to reach internal systems. Source addresses alone are a weak control, since they can be spoofed and a partner's network may itself be compromised, so these rules should be combined with the VPN authentication described below and should admit only the specific protocols and hosts the link actually needs.

Scenario Three: Road warriors and telecommuters. Firewalls are used to limit remote users to the resources they are permitted to reach, such as a Web e-mail client, rather than letting a connection that arrives through the remote access node roam freely among the desktop PCs on the LAN.

Virtual private networks

Virtual Private Network (VPN) is a blanket term for any system which carries traffic between two networks, or between a client and a network, inside an encrypted and authenticated channel. The 'classic' VPN is a tunnel between two gateways (IPsec is the usual protocol) that encrypts every packet with keys the two ends have agreed on. Increasingly the term is also used for any encrypted access scenario, especially SSL/TLS-encrypted Web sites used to reach corporate resources (see Figure Two).

Encrypting the data is important, as anyone along the way could read and record what is being transferred. Network sniffer programs are a great demonstrator of this fact. All that is required to terrify most IT managers is to connect a hub or network tap at a central router, run a password sniffer, and watch as usernames and passwords from plaintext protocols such as HTTP, FTP and POP3 appear in real time on the console. Encryption defeats this kind of passive eavesdropping: the captured traffic is useless without the keys negotiated by the two endpoints.
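To make the sniffer demonstration concrete, here is an added Python example (not from the original article) that does what a passive password sniffer does, run over a handful of constructed client-to-server payloads instead of a live capture: HTTP Basic authentication, FTP and POP3 logins are recovered as readable text, while the TLS handshake yields nothing. The addresses and credentials are invented for the example.

```python
"""Toy passive credential sniffer: what a hub-connected eavesdropper recovers from plaintext protocols."""
import base64
import re

# HTTP Basic auth carries base64(user:password) in a header; FTP and POP3 send USER/PASS lines in clear.
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
USER_PASS_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.MULTILINE | re.IGNORECASE)


def extract_credentials(flows):
    """flows: list of (client, server, dst_port, payload_bytes) for the client->server direction.
    Returns one dict per flow describing what an eavesdropper learns from it."""
    findings = []
    for client, server, port, payload in flows:
        result = {"client": client, "server": server, "port": port,
                  "protocol": None, "username": None, "password": None}
        if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
            # TLS record header: content type 0x16 (handshake), version major byte 3.
            # The credentials travel inside the encrypted session; nothing here is readable.
            result["protocol"] = "tls"
        elif m := BASIC_RE.search(payload):
            result["protocol"] = "http-basic"
            try:
                user, _, pw = base64.b64decode(m.group(1), validate=True).partition(b":")
                result["username"] = user.decode(errors="replace")
                result["password"] = pw.decode(errors="replace")
            except ValueError:
                pass  # malformed base64: header present but undecodable
        elif port in (21, 110):
            result["protocol"] = {21: "ftp", 110: "pop3"}[port]
            for cmd, arg in USER_PASS_RE.findall(payload):
                key = "username" if cmd.upper() == b"USER" else "password"
                result[key] = arg.decode(errors="replace")
        findings.append(result)
    return findings


# Constructed sample 'capture': four client->server payloads as a tap would see them.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.30", 80,
     b"GET /intranet/ HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:Winter2002!") + b"\r\n\r\n"),
    ("10.0.0.5", "192.0.2.20", 21, b"USER bob\r\nPASS hunter2\r\nPWD\r\n"),
    ("10.0.0.7", "192.0.2.10", 110, b"USER carol@example\r\nPASS s3cret\r\nSTAT\r\n"),
    # Start of a TLS ClientHello to the same Web server on 443: opaque to the sniffer.
    ("10.0.0.5", "192.0.2.30", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)),
]


if __name__ == "__main__":
    for f in extract_credentials(SAMPLE_FLOWS):
        print(f"{f['server']}:{f['port']} {f['protocol']}: user={f['username']} password={f['password']}")
```

The same three plaintext protocols are exactly the ones the firewall discussion above lets through the perimeter, which is why the following scenarios insist on TLS (HTTPS, and TLS on mail) for anything carrying a credential.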

Figure Two: SSL encrypted Web site

Scenario One: The customer Web site. Access to any confidential data, and any exchange of usernames and passwords, should be encrypted using SSL or TLS. This requires you to set up your Web server with a certificate, which binds the server's name to its public key so that browsers can confirm they are talking to the genuine server rather than an impostor; that guarantee only holds when the connecting client actually checks the certificate chain and the host name. Companies can act as their own certificate authority (CA), but this is only useful for internal applications where you control the clients' trust stores. For public Web servers, you will need to purchase a certificate from a commercial CA that browsers already trust, such as Baltimore, Thawte or Verisign. Installation of these certificates is a simple process, and costs start from around $US120.
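The identity guarantee a certificate gives depends entirely on the connecting side verifying it. The following added Python example (not part of the article) shows a weakened ssl client context beside a hardened one, and an audit function that flags the settings which silently undo the guarantee: no chain verification, no host name check, or obsolete protocol versions still enabled. No network connection is made; `cafile` is an assumed optional path to a CA bundle.

```python
"""Weak versus hardened TLS client settings, and an audit of what each actually verifies."""
import ssl


def weak_client_context():
    """A context that 'just works' against any server because it trusts any certificate for any name.
    This is what remains after someone silences certificate errors to make a connection succeed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be turned off before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain against a trust store, match the host name, and refuse SSL and TLS below 1.2.
    cafile is an assumed optional path to a CA bundle; None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the settings that void the server-identity guarantee; an empty list means acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the server host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("SSL 3.0 / TLS 1.0 / TLS 1.1 are still permitted")
    return problems


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The weak context still produces an encrypted connection, which is why it is dangerous: the padlock is there, but anyone who can redirect the traffic can present their own certificate and read everything.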

Scenario Two: Linking remote offices. Links between remote offices can be easily secured using off-the-shelf encryption solutions. Most firewalls have VPN modules either included or available for an additional licensing cost; alternatively, dedicated hardware VPN devices can be purchased.

Scenario Three: Road warriors and telecommuters. Either traditional VPNs with client software or Web applications using SSL/TLS will provide secure access to internal resources for remote users. Certificates of the same kind used for the Web server in scenario one can be installed on mail servers so that mail client sessions (POP3, IMAP and SMTP submission) are encrypted between the client and the server. Note that this protects the connection, not the message: mail still travels in the clear between mail servers unless they too use TLS. A small amount of money and a very small amount of time is all it takes to encrypt mail and Web applications.

Remote VPN clients cost a little more and require more effort, but encrypt all traffic and allow remote PCs to act as though they are on the LAN to access file servers, printers and application servers. The flip side is that a remote PC on a VPN is effectively inside your perimeter, so its patching, anti-virus and physical security matter as much as those of any desktop in the office. Low cost off-the-shelf solutions are readily available to suit any small-to-medium sized organisation.

Scenario Four: Business-to-business data exchange. Data formats such as XML are plain text, so anyone on the path can read them, and encryption is vital. SSL/TLS between the transferring servers should suffice, and because both parties are known in advance it is worth going one step further and having each side present a certificate (mutual TLS), so that the receiving server also authenticates the partner connecting to it rather than relying on source addresses or passwords alone. Application servers such as Weblogic and Websphere support SSL/TLS, and Web servers used for XML exchange generally support it as a matter of course.

Alternatives to Internet access

Secure Internet-based solutions aren't necessarily the right answer to every organisation's remote network requirements. For many organisations the time and trouble of maintaining such systems can be avoided by using other telecommunications products such as ISDN lines or Frame Relay dedicated links.

Scenarios Two and Four: Linking remote offices, and business-to-business data exchange. Dial-on-demand ISDN links are well suited to intermittent data transfer between offices or companies, and as long as the dial-in accounts are strongly authenticated and the routers carefully configured they can be used to link sites without needing Internet connections or firewalls. Dedicated links such as Frame Relay connections travel across the carrier's switched network in their own private virtual circuits; this keeps your traffic apart from other customers' but does not encrypt it, so when the link is between two separate organisations it should still be used in conjunction with firewalls controlling what traffic may cross it.

Scenario Three: Road warriors and telecommuters. Telecommuters can be given access to the LAN using remote access servers, regular telephone lines and modems. While this isn't sufficient for travelling staff, global communications providers can offer remote access (RAS) services through their points of presence (POPs) around the world. Ensure adequate firewalls exist to protect resources from misuse over these external connections, and combine them with a strong authentication solution for any publicly reachable dial-in number.
