ComputerUser, Sunday 6 Jul, 2008
Network lockdown
Firewalls are only the first car in a long train of security best practices.
Posted by: Joe Rudich

Long before the Information Superhighway, America was linked by the Iron Roadway. Like the Internet, it was virtually impossible to accurately gauge its value or its cost. And like the engines of the Internet, the steam engines that plied the transcontinental railroad had their own security problems. They even used firewalls to solve some of them.

Firewalls of the Computer Age are devices that filter the packets passing between a private network and the Internet. Their purpose is to block unwanted traffic, such as probes from attackers or connections to services that were never meant to be reachable from outside. The Age of Steam's firewall was a thick iron wall separating the engine compartment from the passengers (the killer application). The firewall was needed because packets (or, rather, grains) of coal dust could infiltrate the engine compartment and start a fire. Note, however, two key features of those iron firewalls: They did not cure every security problem (such as raids by bandits), and they did not protect the engineers within the locomotive.

The latter may be an especially interesting analog for today's network administrators: Even with a firewall in place, you can get burned. "I don't think you can rely on any one security technique," says Michele Delio, a security analyst for Wired Magazine. "A multitiered approach to security is far more effective. If one of your defenses falls, it's good to have some backup defenses that can halt, or at least slow, the activities of a malicious hacker."

"Too many companies install a firewall, and then are lulled into a false sense of security," says Michelle Drolet, CEO of Conqwest, a Holliston, Mass.-based Internet security firm. "Firewalls alone only do about 75 to 80 percent of the job. The rule of thumb is, if you want to make sure it gets between person A and person B, and no one in between can use it, encrypt it."

"Firewalls have given the corporate world a false sense of security on the Internet," claims Bruce Schneier, founder of Counterpane Internet Security. "They are an important part of any company's network security, but they can't do it all. Important, yes. A panacea, no."

Cracks in the firewall

Ten years ago, many CIOs found the Internet more frightening than thrilling, and security risks were the chief reason. Somewhere between then and now, something allayed those fears. In most business organizations, the firewall is what soothed the nerves of CIOs. There are more than 100 different firewall products currently available, and more are introduced all the time. Firewalls have become essential equipment for private LANs, and the cornerstone of many data security plans.

The firewall idea and products deserve the high esteem they command. Isolation (or one-way isolation) of private LANs at the protocol (TCP/IP) level has proven highly effective in thwarting network attacks. A firewall is a good security cornerstone; it may only prove to be a vulnerability if it is relied upon as the only stone in that defense. Unfortunately, some LAN administrators seem to read about new operating-system exploits and think, "We won't be affected because we can rely on our firewall."

In many ways, the appeal of the firewall is its nearly universal power. By their nature, restrictions on specific computers or transactions are specific in their scope. Their deployment, configuration, or maintenance must be performed repeatedly in any LAN environment. IPSec, for example, a powerful security/encryption system, requires configuration on each and every computer. Set up a firewall, though, and all an administrator needs to do is place every computer "behind" it.

Think about the analogous problem with railroad fires: It could also be solved by installing some sort of fireproofing, like an asbestos lining, around every car in the train. As with using IPSec for computer security, each car added to a train would require fireproofing. Install the firewall and there is no limit to the number of cars it will protect, so long as it is between them and the fire.

A network firewall, like the train firewall, is simple in concept and powerfully effective against the problems it was designed for. Yet there are flaming attacks that can defeat firewalls. Many firewalls are routers modified to filter packets on the basis of source and destination address, protocol, destination port (which identifies the application) and, in stateful products, whether a packet belongs to a connection that has already been allowed. They work best when they can discriminate broadly: deny everything by default and open only what the business needs, so that FTP and Telnet from the outside are rejected and Web browsing is permitted only in the outward direction.

As uses and expectations of the Internet have expanded, firewalls have been forced to gain the intelligence and flexibility to determine how to deal with complex communications like Java applets, cookies, stateful transactions, and secure e-commerce. Firewalls have adapted to the added functionality demands with complex management software and filtering tools, but extra flexibility means new vulnerabilities.
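The default-deny packet filter described in the two paragraphs above, as an added example that is not part of the original article. It is a small first-match filter written for illustration (addresses, rules and packets are all constructed), with just enough connection tracking to show why reply traffic of an allowed outbound connection passes while an unsolicited packet from outside does not. The last sample packet makes the article's later point about insiders: outbound traffic from the LAN is wide open.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = True      # True = opens a new connection; False = part of an existing one


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None     # None = any port


class PacketFilter:
    """First-match packet filter with a default-deny policy and minimal connection tracking."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.established = set()    # (client, server, proto) for connections opened by an allowed SYN

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(rule.src)
                and ip_address(pkt.dst) in ip_network(rule.dst)
                and rule.proto in ("any", pkt.proto)
                and rule.dport in (None, pkt.dport))

    def decide(self, pkt: Packet) -> str:
        # Continuation or reply traffic of a connection we already allowed needs no rule lookup.
        forward = (pkt.src, pkt.dst, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.proto)
        if not pkt.syn and (forward in self.established or reverse in self.established):
            return "allow"
        for rule in self.rules:
            if self.matches(rule, pkt):
                if rule.action == "allow" and pkt.syn:
                    self.established.add(forward)
                return rule.action
        return self.default                 # nothing matched: default deny


# Constructed network: a private LAN with one public web server.
LAN = "10.0.0.0/8"
WEB_SERVER = "10.0.0.5"
RULES = [
    Rule("allow", src=LAN),                                  # inside users may go anywhere
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),    # only the web service is exposed
    # everything else falls through to the default: deny
]

# Constructed sample traffic (documentation-range addresses).
SAMPLE_PACKETS = [
    ("outside -> web server :80",          Packet("203.0.113.7", WEB_SERVER, "tcp", 80)),
    ("outside -> web server :23 (telnet)", Packet("203.0.113.7", WEB_SERVER, "tcp", 23)),
    ("outside -> workstation :21 (ftp)",   Packet("203.0.113.7", "10.0.0.9", "tcp", 21)),
    ("workstation -> internet :443",       Packet("10.0.0.9", "198.51.100.2", "tcp", 443)),
    ("reply from that site",               Packet("198.51.100.2", "10.0.0.9", "tcp", 51000, syn=False)),
    ("unsolicited non-SYN from outside",   Packet("198.51.100.2", "10.0.0.10", "tcp", 51000, syn=False)),
    ("insider -> outside :6667 (irc)",     Packet("10.0.0.9", "203.0.113.7", "tcp", 6667)),
]


def run_samples() -> List[Tuple[str, str]]:
    """Push the sample packets through a fresh filter, in order, and return the verdicts."""
    fw = PacketFilter(RULES)
    return [(label, fw.decide(pkt)) for label, pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{verdict:5s}  {label}")
```

Note that the one thing the filter cannot judge is what travels on the port it opens: an HTTP request carrying an exploit for the web server is indistinguishable, at this layer, from a legitimate one.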

"There are three basic ways to defeat a firewall," says Schneier. "Go around it, sneak something through it, or take over the firewall. These aren't necessarily easy, but hackers can find them if they are persistent."

Perhaps the easiest circumvention of a firewall is to start out behind it: A Computer Security Institute study completed in 1998 reported that 70 percent of all successful computer attacks are generated from within the private LAN.

Fireproofing with encryption

A firewall is not a security system that should be replaced, but one that should be augmented. Many security technologies can add to that protection, including demilitarized zones (DMZ), intrusion detection monitors, and vulnerability scanners like SATAN (Security Administrator Tool for Analyzing Networks). Like firewalls, all of those address security at the level of the network as a whole. Individual computers, even specific communication sessions, can be secured by encrypting the data being exchanged.

Data encryption is a form of cryptography, or secret writing. A code need not be a substitution table, only something the adversary does not know: the U.S. Marine Corps used Navajo speakers (with an agreed vocabulary for military terms) to pass messages in World War II, and it worked because Japanese code breakers did not understand the language. Modern practice is less forgiving of that kind of secret. Any algorithm in wide use will eventually be reverse engineered or leaked, so a sound system keeps the algorithm public and puts all of its secrecy in the key.

While a firewall accomplishes security by keeping intruders away from data and resources, encryption assumes an eavesdropper may listen in and makes what is overheard useless. Note what encryption does not do on its own: it does not prove who is at the other end, so a server that should accept commands only from a confirmed source also needs authentication (a shared key or a certificate), and an encrypted channel carries an exploit just as readily as plaintext if the service behind it is vulnerable.

"Over 60,000 Web sites last year were publicly defaced. Many of them had firewalls," says Chris Klaus, CTO of Internet Security Systems, an Atlanta-based security consulting firm. "The greatest threat to corporate LANs is to not address security as a real priority."

To decipher any coded transmission, a recipient, intended or unintended, must possess the key, the sequence of numbers that describes how to interpret a message. For a hacker, there are two means of obtaining a key: cracking, or processing a message by brute force trial of (potentially) all possible keys, and stealing a copy of the key. In practice a third route, attacking a flawed implementation (weak random numbers, unpatched software, keys left on disk), is often easier than either.

The difficulty of cracking a key by brute force depends on the number of possible keys, which is set by the key's length in bits. For a symmetric cipher every added bit doubles the number of keys an attacker must try, so a six-bit key is twice as strong as a five-bit key and a 128-bit key has 2^128 possibilities. Public-key sizes are not comparable bit for bit: an RSA key is attacked by factoring its modulus rather than by enumerating keys, so 512-bit RSA keys, once common, have been factored (the first in 1999), and considerably longer keys (1,024 bits was the minimum recommendation for years; 2,048 is the usual floor today) are needed for comparable strength.
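The brute-force search described above, as an added example that is not part of the original article. It runs an exhaustive known-plaintext attack against a constructed toy stream cipher (a SHA-256 keystream XORed with the data, chosen for illustration only, not a production algorithm) with a deliberately short key, so the "each bit doubles the work" rule can be watched rather than asserted: the attacker knows the message begins with "From: " and tries keys until that prefix appears.

```python
import hashlib
from typing import Optional, Tuple

# Toy keystream cipher, constructed for this example.  The key is a small
# integer so that exhaustive search finishes in seconds.


def keystream(key: int, length: int) -> bytes:
    """Expand an integer key (up to 64 bits) into `length` keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block_input).digest()
        counter += 1
    return out[:length]


def crypt(key: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2**bits."""
    return 1 << bits


def brute_force(ciphertext: bytes, crib: bytes, key_bits: int) -> Tuple[Optional[int], int]:
    """Known-plaintext attack: try every key in order until the decrypted
    prefix equals the crib.  Returns (key, attempts); key is None on failure."""
    attempts = 0
    prefix = ciphertext[:len(crib)]
    for candidate in range(keyspace(key_bits)):
        attempts += 1
        if crypt(candidate, prefix) == crib:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample message; the attacker knows every message starts with "From: ".
    message = b"From: alice@example.net\nSubject: quarterly numbers\n"
    for bits in (8, 12, 16):
        key = keyspace(bits) - 1          # worst case for the attacker: the last key tried
        found, tries = brute_force(crypt(key, message), b"From: ", bits)
        print(f"{bits:2d}-bit key: recovered={found == key} after {tries} tries "
              f"(keyspace {keyspace(bits)})")
```

Going from 8 to 16 bits multiplies the worst-case attempt count by 256; a real 128-bit key takes the same loop out of reach of any conceivable hardware, which is why the next section observes that attackers go after the key itself instead.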

Symmetric and public key encryption

As encryption keys grow larger and stronger, forcibly cracking any key becomes a more difficult task. As a result, most hackers try to break encryption by illicitly obtaining a copy of the key.

Encryption technologies are divided into two categories, based on how their keys are shared. Every German U-boat in World War II carried an Enigma cipher machine; the daily key settings came from printed code books. Contrary to legend, Enigma was cracked: Polish mathematicians broke it before the war and Bletchley Park read its traffic throughout, although captured machines and code books, not least from U-boats, were what made the harder naval keys tractable at times.

Codes like Enigma are classified as symmetric because the same key is used at both ends of a communication. Modern symmetric ciphers include DES, Triple DES, RC4, and AES. The systems most administrators meet, S/MIME (Secure Multipurpose Internet Mail Extension) for encrypted e-mail and SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) for Web transactions, are hybrids: public-key cryptography (below) authenticates the parties and agrees on a session key, and a symmetric cipher then protects the bulk of the data.

In terms of key strength, symmetric-key encryption is, bit for bit, the stronger of the two; its weakness is in securely distributing keys. For the German navy, that distribution method consisted of bringing the vessels to port periodically and handing out code books. Network users, let alone Internet customers, aren't likely to come into your office to receive keys. Yet a key sent through the network in the clear can be intercepted by anyone positioned to eavesdrop, and encrypting it only moves the problem to whichever key protected it. The encryption key itself is the most vulnerable component of any code.

Public-key encryption gives each party a pair of mathematically related keys: a public key that anyone may know and a private key that never leaves its owner. There are thus four keys involved in a client-server exchange, a public and a private key for each side. The algorithm is constructed so that what one key of a pair encrypts, only the other can decrypt. To send data, a sender encrypts with the recipient's public key, and only the recipient's private key can recover it; the sender needs no secret of the recipient's, and nothing secret ever crosses the wire. Reversing the roles, a message encrypted with a private key can be checked with the matching public key, which is the basis of digital signatures.
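The key-distribution problem of the symmetric section and the public-key solution just described, as an added example that is not part of the original article. It implements textbook RSA at toy sizes (256-bit modulus, no padding, nothing constant-time, so it is for understanding only) and uses it the way S/MIME and SSL do in outline: Alice picks a fresh symmetric session key and sends it to Bob encrypted under Bob's public key, so the only thing on the wire is useless to an eavesdropper, even one holding a key pair of her own. All names and keys are constructed at run time.

```python
import secrets
from typing import Tuple


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def modular_inverse(a: int, m: int) -> int:
    """Extended Euclid: return x with a*x == 1 (mod m)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


def generate_keypair(bits: int = 256) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return (public, private) as ((n, e), (n, d)).  Toy size; real keys are 2048+ bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, modular_inverse(e, phi))


def rsa_encrypt(public_key: Tuple[int, int], m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key: Tuple[int, int], c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def session_key_transport() -> Tuple[int, int, int]:
    """Alice sends Bob a fresh 128-bit symmetric session key knowing only his
    public key.  Returns (key sent, what Bob recovers, what an eavesdropper
    holding a different private key recovers)."""
    bob_public, bob_private = generate_keypair()
    eve_public, eve_private = generate_keypair()        # unrelated pair; public keys do not help here
    session_key = secrets.randbits(128)
    on_the_wire = rsa_encrypt(bob_public, session_key)  # safe to send in the clear
    bob_sees = rsa_decrypt(bob_private, on_the_wire)
    eve_sees = rsa_decrypt(eve_private, on_the_wire)    # wrong private key: garbage
    return session_key, bob_sees, eve_sees


if __name__ == "__main__":
    sent, bob, eve = session_key_transport()
    print("Bob recovered the session key:", bob == sent)
    print("Eavesdropper recovered it:   ", eve == sent)
```

From that point the two sides hold an identical symmetric key without ever having met, and the bulk of the conversation goes through a symmetric cipher; the public-key step also has to be tied to an identity (a certificate from a PKI, or a PGP web of trust), or an impostor could simply offer his own public key as Bob's.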

PGP (Pretty Good Privacy) popularized the public-key idea in the early 1990s (and drew public attention to the U.S. government's restrictions on exporting encryption), and remains an excellent means of encrypting e-mail. Commercial PKI (Public Key Infrastructure, including the key generation systems and public key storage repositories) systems are offered by VeriSign, Entrust, Microsoft, and other vendors.

IPSec

One encryption and general security technology that every network administrator should be familiar with is the IP Security standard, commonly known as IPSec. IPSec is not an encryption methodology per se, but a standard that can be used to mandate the use of security requirements (including encryption) by all computers in a network. IPSec actually provides three security enhancements:

1. Mutual authentication of communicating computers
2. Agreement between the two computers on a policy that defines packet-level restrictions
3. Encryption (and integrity protection) of transmitted data

IPSec depends on agreement between communicating systems through predefined policies. If a computer is configured restrictively with IPSec, it will only be able to communicate with other systems configured similarly. IPSec configuration must be performed on all of the systems that will communicate; even the lack of a policy on a system is a form of design, an effective "No Policy" configuration.
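What the per-packet side of an IPSec security association buys, as an added example that is not part of the original article. It is a deliberately simplified model, not the real AH/ESP wire format: each packet carries a security parameter index (SPI) naming the association, a sequence number, and an HMAC over both plus the payload, and the receiver's SA table stands in for the policy and key agreement that IKE would negotiate. Encryption is left out so the authentication and anti-replay logic stays in view; the pre-shared key and the scenarios are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

TAG_LEN = 32   # HMAC-SHA256 output
HDR_LEN = 8    # SPI (4 bytes) + sequence number (4 bytes)


class SecurityAssociation:
    """One direction of an agreed security association: who (SPI) and with what key."""

    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        self.key = key
        self.next_seq = 1        # sender: next sequence number to use
        self.highest_seen = 0    # receiver: highest sequence number accepted so far


def protect(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Sender side: prepend SPI and sequence number, append an HMAC over everything."""
    header = struct.pack("!II", sa.spi, sa.next_seq)
    sa.next_seq += 1
    tag = hmac.new(sa.key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(sa_table: Dict[int, SecurityAssociation], packet: bytes) -> Optional[bytes]:
    """Receiver side: return the payload if the packet is authentic and fresh, else None.
    Real IPSec accepts a sliding window of out-of-order sequence numbers; this
    model simply requires each accepted sequence number to exceed the last."""
    if len(packet) < HDR_LEN + TAG_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:HDR_LEN])
    sa = sa_table.get(spi)
    if sa is None:                                   # no SA agreed with this peer: drop
        return None
    signed_part, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(sa.key, signed_part, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # modified in transit, or wrong key
        return None
    if seq <= sa.highest_seen:                       # replayed packet
        return None
    sa.highest_seen = seq
    return packet[HDR_LEN:-TAG_LEN]


def run_scenarios() -> Dict[str, Optional[bytes]]:
    """Constructed exchange between two hosts sharing one SA, followed by four attacks."""
    key = b"constructed pre-shared key for the example"
    sender = SecurityAssociation(spi=0x1001, key=key)
    receiver_table = {0x1001: SecurityAssociation(spi=0x1001, key=key)}

    request = b"GET /payroll HTTP/1.0"
    genuine = protect(sender, request)
    results = {"genuine": verify(receiver_table, genuine)}
    results["replayed"] = verify(receiver_table, genuine)            # same packet sent again
    tampered = bytearray(genuine)
    tampered[HDR_LEN + 5] ^= 0x01                                    # flip one payload bit
    results["tampered"] = verify(receiver_table, bytes(tampered))
    rogue = SecurityAssociation(spi=0x1001, key=b"guessed key")      # right SPI, wrong key
    results["forged"] = verify(receiver_table, protect(rogue, request))
    unknown = SecurityAssociation(spi=0x2002, key=key)               # no policy agreed for this SPI
    results["no_policy"] = verify(receiver_table, protect(unknown, b"hello"))
    return results


if __name__ == "__main__":
    for name, payload in run_scenarios().items():
        print(f"{name:10s} -> {'accepted' if payload is not None else 'dropped'}")
```

The "no_policy" case is the one the paragraph above is about: a host that never agreed an association with the receiver is simply dropped, which is exactly what makes a uniformly applied policy both powerful and unforgiving of the one machine that was left out.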

IPSec is likely to become one of the most widely used network security tools, if only because guaranteeing the uniform application of security on every computer within a network is otherwise such a chore. During the past few years, when firewalls came to be considered the only network security needed, LAN administrators may have gotten away from distributed security configuration, so IPSec will be invaluable in guiding their renewed configuration efforts.

The best defense

Whether a network uses a firewall, encryption, IPSec, or any other security technology, system administrators must avoid the temptation of complacency. "Virtually every report of a hack attack that I read says, 'The hackers used a known exploit for which a security patch was released,'" notes Wired's Delio. "That's why a big part of a system administrator's job is to read all of the security alerts, mailing lists, and newsgroups to find out what patches have been released and what effect they are having on other systems."

Copyright © 2008 ComputerUser Inc.