There is no shortage of security tools for enterprises today. But as many IS managers have learned, these tools often come with disclaimers.
by Graeme K. Le Roux
During the dark ages of IT, computing data was sheltered in machines which were locked in basements, along with operators and user terminals. The operators were the only ones who used the terminals, and they read from and wrote to either punch cards, paper tape or fanfold paper. There were no connections to the outside world.
Was this real security? Well, no. During those times, users submitted jobs on paper and were given answers on paper. These stacks of fanfold paper, while inconveniently bulky to sneak out of the building in a briefcase, could easily enough fall into the hands of the wrong people. In the absence of shredders, piles of fanfold also stuck out like a sore thumb in a garbage bin.
Back then, security was totally reliant on users and operators
being aware of the risks and acting responsibly. Today, we
have many more security tools but are we using them correctly?
Who are you?
User authentication forms the basis of any security setup. Beyond the commonly used username and password, token-based systems are becoming an important means of identifying users more reliably.
A token-based solution typically comes in the form of a company ID card carrying a magnetic strip or a smart card chip. Users log in with both token and password, and the token can often be used for both workstation and building access. More recent token-based authentication systems use devices which plug into USB ports.
Token-based systems work pretty well, with caveats. For instance, if users choose, out of convenience or laziness, to leave their authentication token in the reader attached to their workstation all day (or for weeks), the token degenerates into a single factor that anyone at the desk can use, and the scheme's benefit is negated. And of course cards can be lost, left at home, stolen, and so on.
The second reasonably successful solution is fingerprint identification, like the Identix solution that was licensed to Compaq. Essentially, your fingerprint substitutes for your password. Fingerprint readers are available in PCMCIA card format as well as for desktop ports, which makes them an option for laptops as well as desktops.
Fingerprint readers are one example of biometric authentication. Others are retinal scanners, which are still too expensive for general use, and voice authentication, which requires that voices be accurately sampled.
Unfortunately none of the current systems is continuous. An authorized user logs in once and from then on the system assumes that any activity at that workstation is that of the same authorized user.
Several other biometric systems are currently under development
which address this problem, with perhaps the most promising
being facial recognition technology.
The idea is when an authorized user sits in front of a workstation,
the workstation recognizes him and logs him in. If the face
changes, the system logs the original user out and logs the
new one in provided that the new person is an authorized user.
As you can imagine, the complexity of this kind of fuzzy technology is incredibly high, and it is not here yet, at least not in commercial deployment.
So in practical terms, we have to live with the limitations of simple username/password authentication. Although riddled with loopholes, it is not a bad system, provided you audit it. That auditing is done with firewalls and server-based logging.
Fire Sentry
The classic method of deploying a firewall is to place it
between your network and the outside world. The problem is
that just about every case study of network security breaches
has shown that most security violations are a result of the
actions of local users.
A better way to deploy firewall technology is to apply it to secure "zones" in your enterprise. Essentially, you divide your network into security zones and use firewall hosts, such as Cisco's PIX family, Nokia's appliances or Check Point's products, to enforce access rules on traffic going to and from each zone.
Properly implemented zone-based security should be transparent to authorized and unauthorized users alike. Zone-based security also makes it possible to hide the structure of your network using address translation, which greatly hinders anyone trying to map your network as a prelude to an active attack (it hides your internal addressing, not the services you deliberately publish).
Once your firewalls are in place, you should be prepared to
react appropriately to unauthorized activities across or within
your network. This can be done by tracking server-based event
logs.
Make sure you can be alerted to any breach of security and are able to trace it back to its source. Your audit logs should also enable you to define the data set which was compromised. You can then take action to prevent further damage, or repair any damage that resulted from the breach.
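To make the audit step concrete, here is an added example (not code from the article) that runs two detections over a handful of constructed logon records: an account that opens a session at a second workstation while its first session is still active, which is the trace a shared password leaves, and a burst of failed logons for one account from one workstation. Each alert carries the workstation so the event can be traced back to its source. The log format (timestamp, event, user=, host=) is an assumption; a real Windows 2000 security log or syslog feed would need its own parser, but the detection logic is the same.

```python
"""Server-based logon audit over constructed log records.

Added example, not code from the article. SAMPLE_LOG and its format are
assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one shared account in use at two desks at once, and a
# password-guessing burst against "admin" from a single workstation.
SAMPLE_LOG = """\
2001-03-12 08:58:10 LOGON user=jsmith host=WS-EXEC01
2001-03-12 09:02:33 LOGON user=jsmith host=WS-SEC04
2001-03-12 09:05:01 LOGOFF user=jsmith host=WS-EXEC01
2001-03-12 09:10:45 LOGON user=mlee host=WS-TYPIST2
2001-03-12 09:11:02 FAIL user=admin host=WS-TYPIST9
2001-03-12 09:11:05 FAIL user=admin host=WS-TYPIST9
2001-03-12 09:11:09 FAIL user=admin host=WS-TYPIST9
2001-03-12 09:11:14 FAIL user=admin host=WS-TYPIST9
2001-03-12 09:11:20 FAIL user=admin host=WS-TYPIST9
2001-03-12 12:30:00 LOGOFF user=mlee host=WS-TYPIST2
"""


def parse(text):
    """Parse the assumed format into (timestamp, event, user, host) tuples,
    sorted by time so the detectors can replay them in order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event, user_kv, host_kv = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, event, user_kv.split("=", 1)[1], host_kv.split("=", 1)[1]))
    return sorted(records)


def concurrent_logons(records):
    """Flag an account that logs on at a second workstation while a session
    on another workstation is still open. Returns (ts, user, open_hosts, new_host)."""
    active = defaultdict(set)  # user -> workstations with an open session
    alerts = []
    for ts, event, user, host in records:
        if event == "LOGON":
            others = active[user] - {host}
            if others:
                alerts.append((ts, user, sorted(others), host))
            active[user].add(host)
        elif event == "LOGOFF":
            active[user].discard(host)
    return alerts


def failed_logon_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Flag `threshold` failed logons for one account from one workstation
    within `window`. Fires once, on the attempt that crosses the threshold."""
    recent = defaultdict(deque)  # (user, host) -> timestamps of recent failures
    alerts = []
    for ts, event, user, host in records:
        if event != "FAIL":
            continue
        q = recent[(user, host)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((ts, user, host, threshold))
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for alert in concurrent_logons(recs):
        print("shared credential?", alert)
    for alert in failed_logon_bursts(recs):
        print("failed-logon burst:", alert)
```

The concurrent-session check is the one to run against the executive accounts the article mentions: a password that only its owner uses never produces two open sessions on different workstations.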
Zone-based security can be extended to laptops in the field through the use of encrypted VPNs. Note, however, that a laptop in the field is effectively outside your security wall. It is physically accessible to unauthorized users and open to the installation of unauthorized software and viruses.
Where laptops are concerned, security is entirely dependent upon users' habits. For example, a laptop running Windows 2000 requires a logon, but once logged on, it is entirely up to the user to maintain security.
If the user walks away from the laptop in the middle of a network session with applications and files open, anyone can tap in without having to supply a password. A password-protected screen saver with a short timeout narrows that window but does not close it.
Hence, plan for the possibility that data on a laptop will fall into unauthorized hands. At the very least, educate your users to carry the minimum of data on their laptops and to encrypt any very sensitive data which they must carry.
For example, Windows 2000 permits a user to mark a file or folder as "available offline", which results in Windows keeping a shadow copy of the data, kept synchronized, on the user's local hard disk. This makes it very easy for a user to manage the data set they carry around.
You can use Pretty Good Privacy (PGP) to encrypt sensitive
files. The commercial versions of PGP now provide strong encryption
and integrate well with Windows 2000. It is also very easy
to use and, if your laptops are reasonably quick, poses no
more of an inconvenience than WinZip as far as speed of encryption
and decryption is concerned.
On the Move
While security on laptops is getting easier, the same can't
be said for PDAs, organizers and mobile phones. Firstly, security
tools for such devices are thin and secondly, these personal
widgets are increasingly being used to store sensitive data.
Meeting notes, contact lists complete with confidential annotations
and even audio notes of conversations are just some examples.
To make things worse, these devices are usually configured
with default passwords for connection to hosts, or are able
to bypass access controls. For example, almost all data-capable
mobile phones store user IDs and passwords for remote access,
which means that anyone who has access to the device can use
it to access remote networks.
Since banning the use of these devices is not feasible, user education appears to be the only action that enterprises can take at the moment. In other words, real security is in the hands of your users, just as it always has been.
Demilitarised Zoning
The term demilitarised zone (DMZ) comes to the IS world from
the military, where it is defined as an area in which military
actions are prohibited. In the technology arena, DMZs were
first defined as the network segment between the external
interface of a firewall and the internal interface of an external
(often an Internet) router.
A DMZ's purpose is to segregate sensitive internal networks from other networks while still allowing services to be offered. Traffic cannot flow into or out of the DMZ without being forwarded through a network access-control system.
Policies on firewalls and access-control systems define and
restrict all traffic passing through the DMZ. In contrast,
traffic flow on the Internet and between internal corporate
networks is usually unrestricted.
The primary role of a DMZ is to mitigate risks associated
with offering services to untrusted clients. A DMZ accomplishes
this by providing network-level protection for your hosting
environment, as well as segregating public hosting facilities
from your private network infrastructure.
For example, if you're hosting a website, anyone with a browser
can connect to it. Without a DMZ configuration, your hosting
systems reside either outside your firewall (exposed to the
Internet) or on a network segment in your internal network.
The former scenario leaves your Web-hosting environment open
to all attacks. The latter could lead to attacks against other
internal, more critical systems should your Web-hosting systems
be compromised.
A DMZ lets you protect your Internet servers while safeguarding your mission-critical internal systems. DMZs also play a role in securing other services inside the enterprise, like HR or payroll records. The DMZ protects both the Web application server and the critical database systems by allowing only HTTP/HTTPS traffic into the DMZ Web server and only database traffic (such as SQL*Net) from the DMZ Web server to the HR database system.
In most enterprises the perception is that a firewall provides
a hardened perimeter. However, the security of internal networks
and hosts is usually very soft. To beef up internal security,
one approach is to put into a DMZ hosts that do not contain sensitive data but instead proxy access to it. This can occur via an application interface, such as a website, or via a protocol-level reverse proxy, such as an HTTP or SQL*Net proxy.
This separation of data from the application layer within
the network provides an additional level of security, because
a compromise of the DMZ system doesn't directly expose the
internal systems that house business-critical data to network
attacks. Now an attacker has an additional barrier to overcome
once an initial penetration has been successful.
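The zone-based firewall deployment described in the Fire Sentry section and the DMZ design above come down to the same thing: a short list of explicit allow rules between zones, with everything else dropped. The following added example (not code from the article or from any firewall vendor) evaluates such a policy in Python so the consequences can be checked, in particular what a compromised DMZ web server can and cannot reach. The zone address ranges, the web server and HR database addresses, and the use of TCP 1521 (the default Oracle listener port) as the SQL*Net/SQLnet database port are assumptions.

```python
"""Zone-based access policy with default deny, modelling the DMZ design.

Added example, not code from the article or any firewall product. Zone
ranges, host addresses and the database port are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Security zones as address ranges. 0.0.0.0/0 is the catch-all "internet";
# the DMZ and internal ranges are assumed (documentation and RFC 1918 space).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

WEB_SERVER = "192.0.2.10"   # assumed DMZ web server
HR_DB = "10.1.5.20"         # assumed internal HR database server
DB_PORT = 1521              # default Oracle listener port used by SQL*Net


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]
    dst_host: Optional[str] = None   # None: any host in dst_zone
    src_host: Optional[str] = None   # None: any host in src_zone

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (self.src_zone == zone_of(src_ip)
                and self.dst_zone == zone_of(dst_ip)
                and (self.src_host is None or self.src_host == src_ip)
                and (self.dst_host is None or self.dst_host == dst_ip)
                and dst_port in self.dst_ports)


# The allow list. Anything not listed is dropped, which is what keeps a
# compromised DMZ host from reaching the rest of the internal network, and
# (since no dmz -> internet rule exists) from calling back out to an attacker.
POLICY = [
    # Internet -> DMZ web server: HTTP and HTTPS only.
    Rule("internet", "dmz", frozenset({80, 443}), dst_host=WEB_SERVER),
    # Internal users may use the web application as well.
    Rule("internal", "dmz", frozenset({80, 443}), dst_host=WEB_SERVER),
    # Only the web server may talk to the HR database, and only on the DB port.
    Rule("dmz", "internal", frozenset({DB_PORT}), dst_host=HR_DB, src_host=WEB_SERVER),
]


def permitted(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if some rule explicitly allows it.
    Traffic that stays inside one zone never crosses the firewall."""
    if zone_of(src_ip) == zone_of(dst_ip):
        return True
    return any(r.matches(src_ip, dst_ip, dst_port) for r in POLICY)


def reachable_from(src_ip: str, targets):
    """Which (ip, port) targets a host can reach through the firewall: the
    question to ask about a host an attacker has just taken over."""
    return [(ip, port) for ip, port in targets if permitted(src_ip, ip, port)]


if __name__ == "__main__":
    internal_targets = [(HR_DB, DB_PORT), (HR_DB, 445), ("10.1.5.21", DB_PORT)]
    print("compromised web server can reach:", reachable_from(WEB_SERVER, internal_targets))
    print("another DMZ host can reach:", reachable_from("192.0.2.11", internal_targets))
    print("web server back out to the Internet:", permitted(WEB_SERVER, "203.0.113.7", 80))
```

Run the script and the "extra barrier" the text describes shows up as a one-entry list: the web server reaches the HR database on its listener port and nothing else, and a second DMZ host reaches nothing internal at all.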
And you will have more time to respond to the attack before
critical data is compromised. -Brooke Paul
Brooke Paul is Vice President of AFG Technology Division,
part of American Financial Group. His duties include information
security program management for AFG.

Lock down
No matter how paranoid you are about data security, one thing is certain: you can't really "lock up" data. Doing business effectively in the current corporate world requires that users carry data (often sensitive) around with them. Actually, locking data down is easy; it is getting any use out of the vaulted data that is impossible.
For instance, if you locked up a customer contact list inside
your network, how effectively would your sales people be able
to work in the field?
Similarly, how could your staff work effectively in meetings with clients if they did not have client files on hand or the ability to make presentations? If you can't "lock up" data, it follows that some of it will fall into the wrong hands. The primary objective of any IT security regime is therefore auditing, that is, tracking who has what data, where the data is, and what they are doing with it. In order to properly audit data access and activity, the first thing you need to do is identify the user. Identification, or the accurate authentication of users, is unequivocally the single biggest problem in computer security.
Most companies' networks depend on a simple combination of
username and password to authenticate users. Most organizations
make the implicit assumption that the person who types a given
username and password is the user to whom that username and
password has been assigned. Yet, we know that often, secretaries
know their boss' username and password. Generally, executives
high up in the corporate tree spend very little time in front
of a computer, but are assigned network access which is commonly
used by their secretaries.
Even junior managers, especially those who have to share secretaries
with the rest of their department, tend to tell secretaries
their passwords. In companies which subscribe to pooled human
resource and workstation sharing, passwords and login IDs
often get shared as well. And even if passwords are judiciously
guarded, shared access is still likely to occur in a shared
resource environment. This happens, for instance, when the
permanent typist has to attend a meeting and leaves her workstation
to a temporary typist who continues to work during the meeting.
Chances are the first user will not bother, or will have forgotten, to log out before clearing their desk.
Graeme K. Le Roux is the director of Morsedawn (Australia), a company which specialises in network design and consultancy, and writes for Network Computing-Asian Edition.