
Security for the enterprise
By Shubha Murthy

Data and network security is an area of high concern for the connected enterprise. Here is a look at various aspects of security, including the issues involved in implementing a security policy.

Enough has been said about information being the magic wand that brings success to businesses in the e-economy. But the greater the wealth of information a business generates and accumulates, the more insecure CIOs and IS managers become about safeguarding it. Protecting all of this data, most of which is mission critical and proprietary, from leaking out is what is giving CIOs and IS managers sleepless nights.

Businesses, as they metamorphose from a brick-and-mortar model to one that is a synergy of online and offline processes, are generating huge amounts of data from their various domains of interaction, such as with employees, partners, suppliers (B2B) and customers (B2C). Consequently, the distinction between the private and the public network is fast collapsing, making an enterprise network, be it an intranet, an extranet or a VPN, more susceptible to intrusion than ever. All this points to one fact: enterprises can no longer be complacent about security issues.

A recent KPMG fraud survey found that 17 percent of the Indian companies surveyed had experienced some kind of security breach, including system crash, website defacement and virus attacks.

Even as enterprises are waking up to the reality of loopholes in their security policies, the Gartner Group predicts that the worldwide information security market will reach $13.1 billion by the end of 2001. V Pradeepan, technology consultant, security, Select Technologies, Bangalore, substantiates this when he says, "Awareness of network security is spreading like wildfire. It is being addressed as the top priority in enterprises."

Though awareness is spreading, "Indian corporates are still confused when it comes to applying a security solution. Each security solution needs to be customized to a company's existing network and specific requirements," points out Swapan Johri, GM, emerging services, HCL Comnet, New Delhi.

He adds, "As a result, security has become more of a reactive solution-based plan to overcome problems rather than a consistent plan to monitor and analyze vulnerabilities."

Levels of network security
Building a virtual fort around a company's network to insulate it from unauthorized and illegal intrusion has become the prerogative of CIOs and IT managers in all enterprises, big or small.

Security infrastructure deployment is no longer a one-time affair. Even as data networks expand, newer security loopholes are being discovered. Therefore, apart from deploying security solutions and policies, what is of critical importance is conducting regular audits and penetration tests on the network, and having all of the above managed by skilled personnel. Since this is an onerous and expensive task to achieve in-house, several enterprises, particularly from the mid-market segment, are outsourcing these services to Managed Service Providers (MSPs).

An enterprise has to be monitored for breaches and intrusions at various levels such as access, server and per user. However, security is not just network security. As Milind V Dikshit, practice head, security consulting, Bangalore Labs, Bangalore, points out, "An organization has to be secure at all layers: network, operating systems, applications and databases. Besides, the practices and processes also need to be necessarily looked into."

In other words, the various levels of network security that an organization has to be careful about are directly related to the various levels of threat that an organization must guard against.

However, securing a network from external threats alone is not sufficient. M Srinivasa Rao, general manager, operations, Network Solutions Ltd, Bangalore, explains, "A strong security with a firewall doesn't mean that internal host security is no longer needed; on the contrary, most successful attacks come from insiders!"

Vishwajeet Deshmukh, country head, Network Associates, Mumbai, warns that 70 percent of security breaches occur internally from disgruntled employees. "Hence a firewall at the perimeter cannot take care of internal threats to information security," he adds.

Firewalls for perimeter security
Though firewalls can be termed as the first step towards network security, as Girish Karanth, systems consultant, Sun Microsystems, Bangalore, avers, "Security needs to be approached as a building block vital to the success of the enterprise and needs to be architected as such and firewalls are an integral part of this architecture."

Firewalls offer security at the perimeter of a network as a remote access server, sit inside the intranet to segregate departments, or are deployed on an existing application or data server to control access and provide encryption services.

Firewalls provide stateful inspection of packets, maintaining a session table for each connection and for each protocol type.

Since this happens between the data link and the network layers, all processing happens in the operating system kernel, which makes such transactions faster than in other kinds of firewalls such as packet filtering firewalls (routers) and application layer firewalls (proxies).
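The session table described above can be sketched in a few lines. This is an added example, not code from the article or from any firewall product; the internal range, the `Packet` fields and the flag strings are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range
# flags holds TCP flags such as "S", "SA", "A", "FA", "RA"; empty for UDP
Packet = namedtuple("Packet", "proto src sport dst dport flags")

class StatefulFilter:
    """Default-deny inbound; replies are admitted only for tracked sessions."""
    def __init__(self):
        self.sessions = {"tcp": {}, "udp": {}}  # one table per protocol type

    def inspect(self, p):
        table = self.sessions[p.proto]
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Direction is inferred from the source address here; a real
        # firewall would use the interface the packet arrived on.
        if ip_address(p.src) in INTERNAL:
            if p.proto == "udp" or p.flags == "S":   # new flow or connection
                table[key] = "ACTIVE" if p.proto == "udp" else "SYN_SENT"
                return "ACCEPT"
            if key not in table:
                return "DROP"                        # mid-stream, no session
            if "F" in p.flags or "R" in p.flags:
                del table[key]                       # connection torn down
            else:
                table[key] = "ESTABLISHED"
            return "ACCEPT"
        state = table.get(reverse)
        if state is None:
            return "DROP"                            # unsolicited inbound
        if p.proto == "tcp":
            if state == "SYN_SENT" and p.flags not in ("SA", "RA"):
                return "DROP"     # a SYN is answered by SYN+ACK or RST+ACK
            if "F" in p.flags or "R" in p.flags:
                del table[reverse]
        return "ACCEPT"

def stateless_filter(p):
    """Stateless rule for comparison: admit any TCP packet from port 80."""
    return "ACCEPT" if p.proto == "tcp" and p.sport == 80 else "DROP"

def demo():
    """Constructed packets using documentation address ranges."""
    fw = StatefulFilter()
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "S")
    synack = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SA")
    forged = Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, "A")
    return [fw.inspect(syn), fw.inspect(synack), fw.inspect(forged),
            stateless_filter(forged)]
```

The forged packet claims to come from a web server's port 80 but matches no tracked session, so the stateful filter drops it while the stateless port rule lets it through.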

Key security threats an enterprise should look for

  • Passive Eavesdropping/Packet Sniffing: Attacker uses a packet sniffer to glean sensitive information from data streams between two sites or to steal username/password combinations, either on a private carrier or a public network. Even if applications such as Lotus Notes were to encrypt traffic within their own streams, a sniffer could still detect sites using Notes in a form of traffic analysis. The attacker could then concentrate on transmissions involving that application.
  • IP Address Spoofing: An attacker pretends to be a trusted computer by using an IP address that is within the accepted range of IP addresses for an internal network.
  • Port Scans: An active method of determining to which ports on a network device a firewall is listening. After attackers discover the "holes" in a firewall, they can concentrate on finding an attack that exploits the applications that use those ports.
  • Denial-of-Service Attack: Differs from other types of attack because, instead of seeking access, the attacker attempts to block valid users from accessing a resource or gateway. This blockage can be achieved by SYN flooding a network resource to exhaustion using half-open sessions (sending TCP packets with the SYN bit set from a false address) or by crafting packets that cause a resource to perform incorrectly or crash.
  • Application-Layer Attack: Takes many forms, exploiting weaknesses in server software to access hosts by obtaining the permission of the account that runs an application. For example, an attacker might use Simple Mail Transfer Protocol (SMTP) to compromise hosts that run older versions of sendmail using undocumented commands in the sendmail application.
  • Trojan Horse: The user is induced to run a malicious piece of software by being misled into believing it is something other than what it really is. More advanced application-layer attacks exploit the complexity of new technologies such as HTML, Web browser functionality, and the Hypertext Transfer Protocol (HTTP). These attacks include Java applets and ActiveX controls to pass harmful programs across a network and load them via user Web browsers.

Courtesy: Cisco
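Two of the threats listed above, port scans and SYN floods built from half-open sessions, leave recognizable patterns in connection logs. The following detection sketch is an added example, not part of the original article or of Cisco's material; the log format, the thresholds and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the form "time src:sport dst:dport FLAG",
# using documentation address ranges only.
SAMPLE_LOG = (
    ["1.0 10.1.1.5:51000 192.0.2.10:80 SYN",   # normal client: SYN, then ACK
     "1.1 10.1.1.5:51000 192.0.2.10:80 ACK"]
    + [f"2.{i} 198.51.100.23:4{i}000 192.0.2.10:{p} SYN"    # one source, many ports
       for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [f"3.{i} 203.0.113.{i}:1025 192.0.2.20:80 SYN"        # many sources, no ACK
       for i in range(1, 7)]
)

def parse(line):
    """Split one log line into (time, src ip, src port, dst ip, dst port, flag)."""
    ts, src, dst, flag = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flag

def analyse(lines, window=60.0, scan_ports=5, half_open_limit=4):
    """Flag port scans and half-open floods in the last `window` seconds."""
    events = [parse(line) for line in lines]
    start = max((e[0] for e in events), default=0.0) - window
    ports_by_pair = defaultdict(set)   # (src, dst) -> destination ports tried
    half_open = defaultdict(set)       # (dst, dport) -> pending (src, sport)
    for ts, sip, sport, dip, dport, flag in events:
        if ts < start:
            continue
        if flag == "SYN":
            ports_by_pair[(sip, dip)].add(dport)
            half_open[(dip, dport)].add((sip, sport))
        elif flag in ("ACK", "RST"):   # handshake completed or torn down
            half_open[(dip, dport)].discard((sip, sport))
    scans = sorted(pair for pair, ports in ports_by_pair.items()
                   if len(ports) >= scan_ports)
    floods = sorted(svc for svc, pending in half_open.items()
                    if len(pending) >= half_open_limit)
    return {"port_scans": scans, "half_open_floods": floods}
```

Because the flood is counted per destination service rather than per source, it is still flagged when every SYN carries a different false address.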

Hardware Vs Software Firewalls
While the primary difference between hardware and software-based firewalls lies in the kind of operating systems they run on, both are equally secure if the network design and configuration are impeccable. "While software-based firewalls are secure enough if the operating systems they run on are fine-tuned to plug all the vulnerabilities," points out Srinivasa Rao of Network Solutions, "hardware firewalls are built specifically for the purpose of 'firewalling', and hence, they do seem to have an edge over software-based firewalls."

A hardware firewall is sturdier in its ability to support a larger number of simultaneous connections than a software firewall, but is more difficult to manage. Since hardware-based firewall devices run on proprietary operating systems, they do not carry the vulnerabilities of software firewalls, which run on general-purpose operating systems such as Unix and Windows NT. "Here even if the firewall software is secure, the underlying security holes in the operating system can allow a hacker into a protected network," explains SV Ramana, vice president, systems engineering, Cisco India, New Delhi.

As Dikshit from Bangalore Labs informs, the number of attacks through software-based firewalls is five times more than through hardware-based firewalls, which use proprietary integrated software.

Need for a Comprehensive Security Policy
The disadvantages of firewalls do not lie so much with the products per se as with the fact that a lot of enterprises still believe that by deploying a firewall, they have built an impenetrable iron grid around their network. However, what many IS managers fail to realize is that firewalls are only one of the many important components that go into making an enterprise's security infrastructure. Yet it is the most expensive security component. As Binod Kumar Panda, country manager, Apara Enterprise Solutions Pvt. Ltd., Bangalore, says, "Firewalls are the biggest piece of investment any company makes on the security front." A single firewall implementation could cost anything between Rs. 50,000 and 15 lakhs.

Firewalls, besides securing a network, also help an enterprise implement an access control policy. "Information security plans, and their associated policies, are a crucial part of the planning effort," explains Ramana of Cisco.

This brings us to security policies, a set of comprehensive guidelines to ensure that corporate networks or servers are protected against the latest security loopholes.

The following segments are increasingly looking at firewalls as a security solution:

  • Transaction oriented e-business websites
  • Large multi-locational enterprises running many applications in their backoffice combined with some web infrastructure
  • The banking sector and other financial institutions (NBFIs), which are Web enabling all their processes and transactions
  • XSPs

Typically, a security policy involves the following modules:

  • Needs analysis (identification of information assets and threats to them)
  • Management procedures (authorizations and policies that require particular approvals)
  • Operational procedures (software, updates, etc.)
  • Computer user policies (guidelines for users on appropriate use of information assets)

Disaster recovery planning and elaborate information access schemes that determine who can view particular files or types of data are also included in more sophisticated policies.

Says Ramana of Cisco, "In addition to access control, an Internet firewall provides a natural focal point for the administration of other network security measures." A firewall also monitors all traffic entering and leaving the private network, and alerts the IT staff about any attempts to circumvent security or patterns of inappropriate use.

Network Address Translation (NAT), a service that re-addresses data packets as they pass the firewall, is another important function it performs. "This not only simplifies address management by allowing a single external address to be used for all internal users; it masks the true addresses of internal computers and servers from prying eyes outside," adds Ramana of Cisco.

Thus the functioning of any security hardware or software is contingent on the policy that is chalked out and its effectiveness in real-world application. Dikshit of Bangalore Labs points out, "The firewall is as secure as the host on which it resides and the policy applied on it."

If the policy is designed and applied appropriately it will provide a list of accessible hosts, devices and specific services allowed both inward and outward.

Besides, clarity and transparency are also vital to a security policy. An enterprise should put in writing exactly what measures are currently in place and what information assets they are meant to protect. All users of organizational computer systems should be aware of any guidelines established for passwords (and sharing them), transfer of data between computers, using anti-virus software, and encrypting correspondence, along with any other controls that are imposed on individual computer use.

"Policies involving the use and misuse of passwords and user accounts have to be strictly enforced. These are management issues that should be raised during the planning of any security policy and cannot be solved with firewalls alone," explains Johri of HCL Comnet.

Speaking about effective application of policies, Ramana of Cisco says, "IT departments should work with the company's human resources departments to develop policies that define these behaviors specifically and also define the consequences of deviating from them."

Advantages of Firewall

  • Implements access policy and permission/restriction rules between two networks.
  • Stops confidential information from leaving the network and attackers from entering.
  • Provides detailed statistics on communication between networks (who uses what service and how often).
  • Provides logging and audit trail of communications; analysis of logs can be used to detect attacks and generate alarms.
  • Reduces risk of attacks from curious and malicious hackers, commercial espionage, accidental disclosure of company data (i.e. customer, employee and corporate data) and denial-of-service attacks.

Disadvantages

  • Firewalls are not very effective against viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them.
  • Trusted users/disgruntled employees who intend to affect the organization's productivity and who do not pass through the firewall itself.
  • Cannot protect data traffic that does not pass through the firewall.
  • Cannot prevent individual users with modems from dialing into or out of the network.
  • The firewall may not be able to handle threats that can arise by misusing new technologies like Java applets, Microsoft's ActiveX, etc.

Security for everyone
Initially it was the larger organizations that deployed firewalls as part of their security initiatives. Two or three years ago, the cost factor, the complexity of installation and the need for dedicated and skilled personnel deterred small and medium sized enterprises from installing firewalls. Besides, SMEs went about networking individual departments, which remained isolated, and hence the need to share data digitally was minimal.

But the scene is changing now. With SMEs Web-enabling their businesses, intra and extra connectivity has become the order of the day.

Karanth of Sun Microsystems reiterates this when he says, "There is this mindset that firewall deployments tend to be very complex, expensive and time consuming. But there has been a change, with more and more companies realizing the benefits of doing business on the Net and being a part of a supplier/vendor network or extended intranets being hosted by larger enterprises. In such circumstances, the first, and sometimes the only, security measure that SMEs undertake is the installation of a firewall." It is important to note that the purpose for which a firewall is used cannot be served by any other solution.

With the emergence of plug and play type of firewall solutions such as the ones from NetScreen, for instance, complexity is no longer an issue. Dikshit from Bangalore Labs cites the maintenance and monitoring of firewalls i.e. assessing their effectiveness on an on-going basis, as the more daring challenge for enterprises.

Ramana of Cisco points out, "It is true that many SMEs are wary of dealing directly with firewalls. However, with specialized security service providers offering solutions in India, this should not be a concern for them."

The bottom line is, as Anurag Mehrotra, general manager, business solutions and services, Wipro Infotech, Bangalore, says, "Any enterprise leveraging the Internet for its business is an ideal candidate for firewalls."

Pradeepan from Select says futuristically, "We will see firewalls at the gateway of every network, essentially those hosting websites, e-commerce companies, in a nutshell all those who are or would be using the Internet in a big way."

Shubha Murthy can be reached at shubha_m24@hotmail.com


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD