> Cover Story
for the enterprise
and network security is a high concern area for the connected
enterprise. Here is a peek into various aspects concerning
security including issues about implementing a security
has been said about the fact that it is information, the
magic wand that augurs success to businesses
in the e-economy. But as the saying goes, greater the wealth
of information generated and accumulated by a business,
the more insecure the CIOs and IS mangers become about safeguarding
it. In this scenario protecting all of this data, most of
which is mission critical and proprietary
from leaking out, is what is giving CIOs and IS managers
Businesses, as they are metamorphosing
from a brick and mortar model to one that is a synergy of
online and offline processes, are generating huge amounts
of data from the various domains of interaction
such as with employees, partners, suppliers (B2B) and customers
(B2C). Consequently, the distinction between the private
and the public network is fast collapsing, making an enterprise
network, be it an intranet or extranet or a VPN, susceptible
to intrusion more than ever. All this points to one fact
enterprises can no longer be complacent about security issues.
A recent KPMG fraud survey found that 17 percent of the
surveyed had experienced some kind of security breach, including
system crash, website defacement and virus attacks.
Even as enterprises are waking up to the reality of loopholes
in their security policies, the Gartner Group predicts worldwide
market to reach $13.1 billion by the end 2001. V Pradeepan,
consultant, security, Select Technologies, Bangalore, substantiates
this when he says, "Awareness of network security is
spreading like wild fire. It is being addressed as the top
priority in enterprises."
Though awareness is spreading, "Indian corporates are
still confused when it comes to applying security solution.
Each security solution needs to be customized to a company's
existing network and specific requirements," points
out Swapan Johri, GM, emerging services, HCL Coment, New
He adds, "As a result, security has become more of
a reactive solution-based plan to overcome problems rather
than a consistent plan to monitor and analyze vulnerabilities."
Levels of network security
a virtual fort around a company's network to insulate it
from unauthorized and illegal intrusion has become the prerogative
of CIOs and IT managers in all enterprises, big or small.
Security infrastructure deployment is no longer a one-time
affair. Even as data networks are expanding, so are newer
security loopholes being discovered. Therefore, what is
of critical importance apart from deploying security solutions
and policies, is conducting regular audits and penetration
tests on the network and management of all the above by
skilled personnel. Since this is an onerous and expensive
task to achieve in-house, several enterprises,
particularly from the mid-market segment are
outsourcing these services to Managed Service Providers
An enterprise has to be monitored for breaches and
intrusions at various levels such as access, server and
per user. However, security is not just network security.
As Milind V Dikshit, practice head, security consulting,
Bangalore Labs, Bangalore points out, "An
organization has to be secure at all layers network, operating
systems, applications and databases.
Besides the practices and processes also need to be necessarily
In other words, the various levels of network security that
an organization has to be careful about are directly related
to the various levels of threat that an organization must
However, securing a network from external threats alone
is not sufficient. M Srinivasa Rao, general manager, operations,
Network Solutions Ltd, Bangalore explains, "A strong
security with a firewall doesn't mean that internal host
security is no longer needed on the contrary, most successful
attacks come from insiders!"
Vishwajeet Deshmukh, country head, Network Associates, Mumbai,
warns that 70 percent of security breaches occur internally
from disgruntled employees. "Hence a firewall at the
perimeter cannot take care of internal
threats to information security," he adds.
for perimeter security
firewalls can be termed as the first step towards network
security, as Girish Karanth, systems consultant, Sun Microsystems,
Bangalore, avers, "Security needs to be approached
as a building block vital to the success of the enterprise
and needs to be architected as such and firewalls are an
integral part of this architecture."
Firewalls offer security at the perimeter of a network either
as a remote access server, or inside the intranet to segregate
departments or are deployed on an existing application or
data server to control access and provide encryption services.
Firewalls provide stateful inspection of packets that
maintains a session table for each connection and for
each protocol type.
Since this happens between the data link and the
Network layers, all processing happens in the operating
system kernel, which makes such transactions
faster than other kinds of firewalls such as
packet filtering firewalls (routers) and application layer
security threats an enterprise should look for
Passive Eavesdropping/Packet Sniffing-Attacker uses
a packet sniffer to glean sensitive information from
data streams between two sites or to steal username/password
combinations, either on a private carrier or a public
network. Even if applications such as Lotus Notes were
to encrypt traffic within their own streams, a sniffer
could still detect sites using Notes in a form of traffic
analysis. The attacker could then concentrate on transmissions
involving that application.
IP Address Spoofing-An attacker pretends to be a trusted
computer by using an IP address that is within the accepted
range of IP addresses for an internal network.
Port Scans-An active method of determining to which
ports on a network device a firewall is listening. After
attackers discover the "holes" in a firewall,
they can concentrate on finding an attack that exploits
the applications that use those ports.
Denial-of-Service Attack-Differs from other types of
attack because, instead of seeking access, the attacker
attempts to block valid users from accessing a resource
or gateway. This blockage can be achieved through SYN
flooding a network resource to exhaustion through using
half-open sessions (sending TCP packets with the SYN
bit set from a false address) or by crafting packets
that cause a resource to perform incorrectly or crash.
Application-Layer Attack-Takes many forms, exploiting
weaknesses in server software to access hosts by obtaining
the permission of the account that runs an application.
For example, an attacker might use Simple Mail Transfer
Protocol (SMTP) to compromise hosts that run older versions
of send mail using undocumented commands in the send
"Trojan horse," - Whereby the user is induced
to run a malicious piece of software by being misled
into believing it is something other than what it really
is. More advanced application-layer attacks exploit
the complexity of new technologies such as HTML, Web
browser functionality, and the Hypertext Transfer Protocol
(HTTP). These attacks include Java applets and ActiveX
controls to pass harmful programs across a network and
load them via user Web browsers.
Vs Software Firewalls
the primary difference between hardware and software-based
firewalls is dependent on the kind of operating
systems they run on, both are equally secure if the network
design and configuration are impeccable. "While software
based firewalls, are secure enough if the operating system
they run on are fine-tuned to plug all the vulnerabilities,"
points out Srinivasa Rao of Network Solutions, "hardware
firewalls are built specifically for the purpose of 'firewalling',
and hence, they do seem to have an edge over software based
A hardware firewall is sturdier in its ability to support
more number of connections simultaneously as compared to
a software firewall, but is more difficult to manage. Since
hardware based firewall devices run on proprietary operating
systems, they do not carry the vulnerabilities of software
firewalls, which run on general-purpose operating systems
such as Unix and Windows NT. "Here even if the firewall
software is secure, the underlying security holes in the
operating system can allow a hacker into a protected network,"
explains SV Ramana, vice president, systems engineering,
Cisco India, New Delhi.
As Dikshit from Bangalore Labs informs the number of attacks
through software-based firewalls is five times more than
hardware-based firewalls, which use proprietary integrated
Need for a Comprehensive Security Policy
disadvantages of firewalls do not lie so much with the products
per se but with the fact that still a lot of enterprises
believe that by deploying a firewall, they have built an
impenetrable iron grid around their network. However, what
many IS managers fail to realize is that firewalls are only
one of the many important components that go into making
an enterprise's security infrastructure. Yet it is the most
expensive security component. As Binod Kumar Panda, country
manager, Apara Enterprise Solutions Pvt. Ltd., Bangalore,
says, "Firewalls are the biggest piece of investment
any company makes on the security front." A single
firewall implementation could cost anything between Rs.
50, 000 to 15 lakhs.
Firewalls, besides securing a network, also help an enterprise
implement an access control policy. "Information security
plans, and their associated policies, are a crucial part
of the planning effort," explains Ramana of Cisco
This brings us to security policies, a set of comprehensive
guidelines to ensure that corporate networks or servers
are protected against the latest security loopholes.
following segments are increasingly looking at firewalls
as a security solution:
Transaction oriented e-business websites
Large multi-locational enterprises running many applications
in their backoffice combined with some web infrastructure
The banking sector and other financial institutions
(NBFIs), which are Web enabling all their processes
Typically, a security policy involves the following modules:
Needs analysis (identification of information assets
and threats to them)
Management procedures (authorizations and policies that
require particular approvals)
Operational procedures (software, updates, etc.)
Computer user policies (guidelines for users on appropriate
use of information assets)
Disaster recovery planning and elaborate information access
schemes that determine who can view particular files or
types of data are also included in more sophisticated policies.
Says Ramana of Cisco, "In addition to access control,
an Internet firewall provides a natural focal point for
the administration of other network security measures."
also monitors all traffic entering and leaving the private
network, and alerts the IT staff about any attempts to circumvent
security or patterns of inappropriate use.
Network Address Translation (NAT), a service that re-addresses
data packets as they pass the firewall, is another
important function it performs. "This not only simplifies
address management by allowing a single external
address to be used for all internal users; it masks the
true addresses of internal computers and servers from prying
eyes outside," adds Ramana of Cisco.
Thus the functioning of any security hardware or software
is impingent on the policy that is chalked out and its effectiveness
in the real world application. Dikshit of Bangalore Labs
points out, "The firewall is as secure as the host
on which it resides and the policy applied on it."
If the policy is designed and applied appropriately it will
provide a list of accessible hosts, devices and specific
allowed both inward and outward.
Besides, clarity and transparency are also vital to a security
policy. An enterprise should put in writing exactly what
measures are currently in place and what information assets
they are meant to protect. All users of organizational computer
systems should be aware of any guidelines established
for passwords (and sharing them), transfer of data between
computers, using anti-virus software, and encrypting correspondence,
along with any other controls that are imposed on individual
involving the use and misuse of passwords and user accounts
have to be strictly enforced. These are management
issues that should be raised during the planning
of any security policy and cannot be solved with firewalls
alone," explains Johri of HCL Comnet.
Speaking about effective application of policies, Ramana
of Cisco says, "IT departments should work with the
human resources departments to develop policies that define
these behaviors specifically and also define the consequences
of deviating from them."
of Firewall l Implement access policy and permission/restriction
rules between two networks. l Stop confidential information
from leaving the network and attackers from entering. l
Provides detailed statistics on communication between networks
(who uses what service and how often). l Provides logging
and audit trail of communications; analysis of logs can
be used to detect attacks and generate alarms. l Reduces
risk of attacks from curious and malicious hackers, commercial
espionage, accidental disclosure of company data (i.e. customer,
employee and corporate data) and denial-of-service attacks.
Disadvantages l Firewalls are not very effective against
viruses. There are too many ways of encoding binary files
for transfer over networks, and too many different architectures
and viruses to try to search for them. l Trusted users/disgruntled
employees who intend to affect the organization's productivity
and who do not pass through the firewall itself. l Cannot
protect data traffic that does not pass through the firewall.
l Cannot prevent individual users with modems from dialing
into or out of the network. l The firewall may not able
to handle threats that can arise by misusing new technologies
like Java applets, Microsoft's ActiveX, etc.
Security for everyone
it was the larger organizations that deployed firewalls
as part of their security initiatives. Two or three years
ago, the cost factor, the complexity of installation and
the need for dedicated and skilled personnel deterred small
and medium sized enterprises from installing firewalls.
Besides, SMEs went about networking individual departments,
which remained isolated, and hence the need to share data
digitally was minimal.
But the scene is changing now. With SMEs Web-enabling their
businesses, intra and extra connectivity has become the
order of the day.
Karanth of Sun Microsystems reiterates
this when he says, "There is this mindset that firewall
deployments tend to be very complex, expensive and time
consuming. But there has been a change, with more and more
companies realizing the benefits of doing business on the
Net and being a part of a supplier/vendor network or extended
intranets being hosted by larger enterprises. In such circumstances,
the first, and sometimes the only, security measure that
SMEs undertake is the installation of a firewall."
It is important to note that the purpose for which firewall
is used, cannot be substituted by any other solution.
With the emergence of plug and play type of firewall solutions
such as the ones from NetScreen, for instance, complexity
is no longer an issue. Dikshit from Bangalore Labs cites
the maintenance and monitoring of firewalls i.e. assessing
their effectiveness on an on-going basis, as the more daring
challenge for enterprises.
Ramana of Cisco points out, "It is true that many SMEs
are wary of dealing directly with firewalls. However, with
specialized security service providers offering solutions
in India, this should not be a concern for them."
The bottom line is, as Anurag Mehrotra-general manager,
business solutions and services, Wipro Infotech, Bangalore
says, "Any enterprise leveraging the Internet for its
business is an ideal candidate for firewalls."
Pradeepan from Select says futuristically, "We will
see firewalls at the gateway of every network, essentially
those hosting websites, e-commerce companies, in a nutshell
all those who are or would be using the Internet in a big
Shubha Murthy can be reached at email@example.com