10 Sep 1999
In the mainframe age, network security meant locking the computer room door. Today the perimeter of a local area network is difficult to define, and connecting a business to the Internet makes the boundary even fuzzier.
The situation was memorably summarised by firewall guru Bill Cheswick, who described the modern network as 'a crunchy shell around a soft, chewy centre'.
Many believe the growth of the Internet has spawned the current rash of attacks, but research indicates this is a myth. According to the American Society for Information Security, 74% of current security breaches come from internal sources. Often it is the work of a disaffected employee, but not always.
Phil Benge, sales and marketing director at security software vendor Reflex Magnetics, believes that 'about 57% of security breaches are accidents and not malicious'. Such 'accidents' can be just as costly as a malicious attack, but maybe not quite as expensive as the three high-profile viruses that crippled companies earlier this year.
Ecommerce specialist mi2g Software estimates that the global cost of Melissa, Chernobyl and the fatal Explore.Zip has already exceeded $2.5 billion (£1.6bn). Mi2g predicts businesses across the globe will shell out $20 billion on tackling viruses during 1999.
Despite the financial repercussions, Melissa and Explore.Zip may have helped to boost the profile of network security. 'These viruses were really a blessing in disguise because they made companies take the issue of security seriously,' says Helen Flynn, senior research analyst at GartnerGroup. 'Risk is increasing all the time and companies have less control over their networks, thanks to factors such as outsourcing and third-party service providers.'
The corporate network is an easy target. Researcher Datapro estimates that only 54% of businesses have a security policy.
'Most firms are in what psychologists call deep denial,' says research director William Malik.
Taking security seriously
The lack of multi-platform solutions that handle every variable on a network is one factor that inhibits companies from taking stronger measures.
Cost is another. Security spending is difficult to justify in traditional cost/benefit terms, because what should happen is nothing.
According to Simon Gardner, professional services manager at Secure Computing, reactive security spending is usually greater than the funds allocated for proactive measures. 'Companies have to suffer a significant breach of security before they take the issue seriously,' he says.
One of the main issues is a misconception about the nature of effective network security. It is a management problem with a technology solution.
Usually businesses that consider information a valuable asset have a positive approach towards securely maximising the benefit of their information.
'Most IT managers think of security in terms of just another checklist item like printers or disk drives,' says Phil Ryan, product marketing manager at security specialist Peapod. 'The truth is that security is a discipline covering the entire IT infrastructure and, from a strategic viewpoint, should be an integral part of every piece of IT planning.'
Good security begins with companies identifying security needs and establishing workable policies. This has to include things such as sexual harassment or protection of intellectual property. 'Many companies won't implement a coherent security policy because they don't think they're at risk. We usually find they are,' says John Carr of the information security group at Cap Gemini. Once a security policy has been decided on, it must be effective. Consultants recommend that every organisation should set up its own computer emergency response capability and establish clear roles and responsibilities, plus points of contact and procedures for when an incident occurs.
Human resources also has a role to play in security. Experts believe most security breaches can be avoided through adequate training aimed at fostering a security culture within the business.
Declaring war
'Network security isn't a battle, it's a war, an ongoing process of refinement and improvement,' says Benge. And it is essential that a company goes into war fully prepared, with an arsenal of weapons.
A firewall is usually the first security mechanism deployed at the point of external entry and exit to a corporate network. It is used to protect a trusted network from an untrusted network, enforcing access policies between the two.
The most basic type of firewall performs packet filtering. All Internet traffic, including email and attached documents, travels in data packets.
Filtering consists of examining incoming or outgoing packets and allowing or preventing their transmission according to configurable policy rules.
Packets can be allowed or disallowed on the basis of the source IP address, the destination port or the protocol employed.
Circuit relays are more secure. These validate connections before allowing data exchange. As well as scrutinising packets, they determine the validity of the connection between networks according to configurable rules. Only when the rules are satisfied do they permit traffic from the allowed source.
Another and still more complex approach is the application level gateway.
It acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. It can allow or disallow traffic according to very specific rules, for instance, permitting some commands to a server but not others, limiting file access and varying rules according to authentication.
Application-level gateways are generally regarded as the most secure type of firewall. They are, however, complicated to set up and maintain.
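The difference between the first and last of these firewall types can be shown in a few lines. The sketch below is an added example, not taken from the article or from any product it names: the rule set, the addresses (documentation ranges) and the FTP command lists are constructed, and the names `packet_filter` and `ftp_gateway` are hypothetical. The packet filter decides on source address, protocol and destination port alone, while the gateway also reads the command and varies its answer by authentication.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

# Constructed policy: evaluated top to bottom, first match wins.
RULES = [
    Rule("deny", "192.0.2.66/32", "any", None),   # one blocked host
    Rule("allow", "192.0.2.0/24", "tcp", 21),     # partner network may use FTP
    Rule("allow", "0.0.0.0/0", "tcp", 25),        # anyone may deliver mail
]

def packet_filter(src, proto, dport, rules=RULES):
    """Packet filtering: source address, protocol and port only."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if (addr in ipaddress.ip_network(r.src)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"  # default deny when no rule matches

# Constructed per-authentication command lists for the FTP proxy.
FTP_COMMANDS = {
    "anonymous": {"USER", "PASS", "LIST", "RETR", "QUIT"},
    "authenticated": {"USER", "PASS", "LIST", "RETR", "STOR", "QUIT"},
}

def ftp_gateway(src, line, auth="anonymous"):
    """Application-level gateway: the proxy inspects each FTP command."""
    if packet_filter(src, "tcp", 21) != "allow":
        return "deny"
    parts = line.strip().split(maxsplit=1)
    verb = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    if verb not in FTP_COMMANDS.get(auth, set()):
        return "deny"  # command not permitted at this authentication level
    # Limit file access: no absolute paths or parent-directory components.
    if verb in {"RETR", "STOR"} and (arg.startswith("/") or ".." in arg.split("/")):
        return "deny"
    return "allow"
```

To the packet filter, an upload and a download from the same host look identical because both are TCP to port 21; only the gateway can tell them apart.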
There is also a shift towards creating a multi-layered approach that involves setting up firewalls inside a corporate network, preventing one department getting at the corporate assets of another.
Content screening provided by products such as MIMEsweeper is a popular feature of Internet firewalls. 'Companies are staggered when they analyse their network traffic,' says Catherine Jameson, European general manager at Content Technology. 'A multi-national customer monitored its email traffic over eight months and typically found 600,000 emails per month contained some profanity, while 200,000 had binary attachments.'
At the other end of the spectrum is anti-virus software, which is primarily a detection-and-response mechanism. This desktop software, even with less than complete coverage in an organisation, is useful and effective in preventing the spread of viruses within the business.
A newer family of prevention-and-response systems is the class of products called intrusion-detection systems. These come in two flavours: monitors and scanners. Monitors are static analysis tools that look for known problems such as bad passwords or missing security patches. They can also check for changes to important system or data files. Scanners are dynamic analysis systems that look at events as they are happening.
A further security technology is application-level encryption. Here, users can lock documents stored on disk or messages sent by email. Easily integrated into software and assigned for use to individuals, encryption software provides individual accountability, company-wide authority and confidentiality.
Conclusion
Finding a balance between locking down your system until it is unusable and creating a satisfactory solution takes hard work. But above everything, the issue of security requires the backing of the board, both for funding and implementation. Researcher Frost and Sullivan predicts the security products market in Europe will be worth more than £24 billion by 2005.
Compare this with £1.13 billion in 1998. At a time when information is regarded as the corporate crown jewels, no business can afford to be lax about its security arrangements.
SECURITY TOP 10 THREATS
- Casual mistakes
- False sense of security
- Disgruntled employees
- Viruses
- Hackers
- Unauthorised modems
- Third-party connections
- Portable PCs, which expose data in a public environment
- Remote access through dial-up connection
Source: Unisys UK
BLOOD GROUP UNDER THE MICROSCOPE
The National Blood Authority (NBA) is the sole provider of blood supplies in the UK and uses Internet technologies to ensure that hospitals have enough plasma on tap.
In 1994 the NBA assumed responsibility for 15 regional blood transfusion centres and inherited computer systems from a number of suppliers. The NBA standardised the systems, but an ongoing issue was ensuring the new network had tight security controls and supported effective communication across all sites.
'Due to the critical nature of the service the NBA provides, we have to ensure our network services are both secure and resilient,' says Neil Hogg, technical manager for the NBA. Security specialist Integralis Network Systems was hired for that job. It installed FireWall-1 from Checkpoint and configured it to provide secure web access and email to support staff and suppliers. Supplier dial-in access to NBA network resources was achieved through a 3Com Total Control enterprise hub connected to both ISDN and analogue phone lines. Integralis installed, configured and extended the firewall product, creating a de-militarised zone (DMZ) to securely house the hub. All other external links use the DMZ as a clearing house for incoming and outgoing data.
Security Dynamics' SecurID is implemented on the firewall, allowing authenticated users remote access to network resources over the Internet.