is no shortage of security tools for enterprises today. But
as many IS managers have learned, these tools often come with
disclaimers. by Graeme K. Le Roux
the dark ages of IT, computing data was sheltered in machines
which were locked in basements, along with operators and user
terminals. The operators were the only ones who used the terminals,
and they read from and wrote to either punch cards, paper
tape or fan form paper. There were no connections to the outside
Was this real security? Well, no. During those times, users
submitted jobs on paper and were given answers on paper. These
stacks of fan form paper, while inconveniently bulky to sneak
out of the building in a brief case, were easy enough to fall
into the hands of the wrong people. In the absence of shredders,
these piles of fan form also stuck out like a sore thumb in
a garbage bin.
Back then, security was totally reliant on users and operators
being aware of the risks and acting responsibly. Today, we
have many more security tools but are we using them correctly?
User authentication forms the basis for any security setup.
Other than the commonly-used password and ID, token-based
systems are becoming an important attempt to accurately identify
Token-based solution typically comes in the form of a company
ID which features a magnetic strip or smart card. Users log
in with both token and password, and the token can often be
used for both workstation and building access. More recent
token-based authentication systems make use of devices which
plug into USB ports.
Token-based systems work pretty well, with caveats. For instance,
if users chooseout of convenience or lazinessto
leave their authentication token in the reader attached to
the user's workstation all day (or for weeks), it negates
the scheme's benefit. And of course cards can be lost, left
at home, stolen, etc.
The second reasonably successful solution is to use fingerprint
identification schemes, like the Identix solution that was
licensed to Compaq. Essentially, your finger print substitutes
as your password. Fingerprint readers are available in PCMCIA
card format as well as for desktop ports which makes them
an option for laptops as well as desktops.
Fingerprint readers are one example of biometric authentication.
Other examples are retinal scanners, which are still too expensive
for general use. Another biometric solution is voice-activated
authentication, which requires that voices are accurately
Unfortunately none of the current systems are proactive. An
authorized user still logs in once and from then on, the system
assumes that any activity at that workstation is that of the
same authorized user.
Several other biometric systems are currently under development
which address this problem, with perhaps the most promising
being facial recognition technology.
The idea is when an authorized user sits in front of a workstation,
the workstation recognizes him and logs him in. If the face
changes, the system logs the original user out and logs the
new one in provided that the new person is an authorized user.
As you can imagine, the complexities of this kind of fuzzy
technology is incredibly high, and not here yetat least
not in commercial deployment.
So in practical terms, we have to live with the limitations
of simple username/password-based authentication. Although
lined with loopholes, this is not a bad system, provided you
audit your system. This is done with firewalls and server-based
The classic method of deploying a firewall is to place it
between your network and the outside world. The problem is
that just about every case study of network security breaches
has shown that most security violations are a result of the
actions of local users.
A better way to deploy firewall technology is to apply it
to secure "zones" in your enterprise. Essentially,
you divide your network into security zones and use firewall
hosts, such as Cisco's PIX family, Nokia's appliances or Checkpoint's
products, to enforce access rules on traffic going to and
A properly-implemented zone-based security should be transparent
to both authorized and unauthorized users. Zone-based security
also makes it possible to hide the structure of your network
using address translation which greatly hinders anyone trying
to map your system as a prelude to an active attack.
Once your firewalls are in place, you should be prepared to
react appropriately to unauthorized activities across or within
your network. This can be done by tracking server-based event
Make sure you can be alerted to any breach of security and
are able to trace it back to its source. Your audit logs should
also enable you to define the data set which was compromised.
You can then take action to prevent further damage, or patch
up any damages that was the result of the breach.
Zone-based security can be extended to laptops in the field
through the use of encrypted VPNs. Note, however, that a laptop
in the field is effectively outside your security wall. It
is physically accessible to unauthorized users and open to
the installation of unauthorized software, and viruses.
Where laptops are concerned, security is entirely dependant
upon users' habits. For example, a laptop running Windows
2000 requires a logon, but once logged on, it is entirely
up to its user to enforce continual security.
If the user walks away from the laptop in the middle of a
network session with applications and files open, anyone can
tap in without having to supply a password.
Hence, plan for the possibility that data on a laptop will
fall into unauthorized hands. If you have to, educate your
users to carry minimum data on their laptops and to encrypt
very sensitive data which they must carry.
For example Windows 2000 permits a user to mark a file or
folder as "available off-line", which results in
Windows keeping a shadowand synchronizedcopy of
the data on the user's local hard disk. This makes it very
easy for a user to manage the data set they carry around.
You can use Pretty Good Privacy (PGP) to encrypt sensitive
files. The commercial versions of PGP now provide strong encryption
and integrate well with Windows 2000. It is also very easy
to use and, if your laptops are reasonably quick, poses no
more of an inconvenience than WinZip as far as speed of encryption
and decryption is concerned.
On the Move
While security on laptops is getting easier, the same can't
be said for PDAs, organizers and mobile phones. Firstly, security
tools for such devices are thin and secondly, these personal
widgets are increasingly being used to store sensitive data.
Meeting notes, contact lists complete with confidential annotations
and even audio notes of conversations are just some examples.
To make things worse, these devices are usually configured
with default passwords for connection to hosts, or are able
to bypass access controls. For example, almost all data-capable
mobile phones store user IDs and passwords for remote access,
which means that anyone who has access to the device can use
it to access remote networks.
Since banning the use of these devices is not feasible, education
of users appears to be the only action that enterprises can
do at the moment. In other words, real security is in the
hands of your users-just as it always has been.
The term demilitarised zone (DMZ) comes to the IS world from
the military, where it is defined as an area in which military
actions are prohibited. In the technology arena, DMZs were
first defined as the network segment between the external
interface of a firewall and the internal interface of an external
(often an Internet) router.
purpose is to segregate sensitive internal networks from other
networks while allowing services to be offered. Traffic cannot
flow into or out of the DMZ without being forwarded through
a network access-control system.
Policies on firewalls and access-control systems define and
restrict all traffic passing through the DMZ. In contrast,
traffic flow on the Internet and between internal corporate
networks is usually unrestricted.
The primary role of a DMZ is to mitigate risks associated
with offering services to untrusted clients. A DMZ accomplishes
this by providing network-level protection for your hosting
environment, as well as segregating public hosting facilities
from your private network infrastructure.
For example, if you're hosting a website, anyone with a browser
can connect to it. Without a DMZ configuration, your hosting
systems reside either outside your firewall (exposed to the
Internet) or on a network segment in your internal network.
The former scenario leaves your Web-hosting environment open
to all attacks. The latter could lead to attacks against other
internal, more critical systems should your Web-hosting systems
A DMZ lets you protect your Internet servers while safeguarding
your mission-critical internal systems. DMZs also play a role
in securing other services inside the enterprise, like HR
or payroll records. The DMZ protects both the Web application
server and the critical database systems by allowing only
HTTP/HTTPS traffic into the DMZ Web server and database network
traffic (such as SQLnet) from the DMZ Web server to the HR
In most enterprises the perception is that a firewall provides
a hardened perimeter. However, the security of internal networks
and hosts is usually very soft. To beef up internal security,
one approach is to put into a DMZ hosts that do not contain
sensitive data but instead proxy access to the data. This
can occur via an application interface, such as a website,
or via a network protocol reverse proxy, such as HTTP or SQLNet.
This separation of data from the application layer within
the network provides an additional level of security, because
a compromise of the DMZ system doesn't directly expose the
internal systems that house business-critical data to network
attacks. Now an attacker has an additional barrier to overcome
once an initial penetration has been successful.
And you will have more time to respond to the attack before
critical data is compromised. -Brooke Paul
Brooke Paul is Vice President of AFG Technology Division,
part of American Financial Group. His duties include information
security program management for AFG.
No matter how paranoid you are about data security, one thing
is certain: you can't really "lock" up data. Doing
business effectively in the current corporate world requires
that users carry data (often sensitive), around with them.
Actually, the locking down of data is easyit is getting
any use out of these vaulted data that is impossible.
For instance, if you locked up a customer contact list inside
your network, how effectively would your sales people be able
to work in the field?
Similarly, how could your staff work effectively in meetings
with clients if they did not have client files on hand or
the ability to make presentations? If you can't "lock
up" data, it follows that some of it will fall into the
wrong hands. The primary objective of any IT security regime
is therefore auditingthat is tracking who has what data,
where the data is, and what they are doing with it. In order
to properly audit data access and activity, the first thing
that you need to do is identify its user. Identification,
or the accurate authentication of users, is unequivocally,
the single biggest problem in computer security.
Most companies' networks depend on a simple combination of
username and password to authenticate users. Most organizations
make the implicit assumption that the person who types a given
username and password is the user to whom that username and
password has been assigned. Yet, we know that often, secretaries
know their boss' username and password. Generally, executives
high up in the corporate tree spend very little time in front
of a computer, but are assigned network access which is commonly
used by their secretaries.
Even junior managers, especially those who have to share secretaries
with the rest of their department, tend to tell secretaries
their passwords. In companies which subscribe to pooled human
resource and workstation sharing, passwords and login IDs
often get shared as well. And even if passwords are judiciously
guarded, shared access is still likely to occur in a shared
resource environment. This happens, for instance, when the
permanent typist has to attend a meeting and leaves her workstation
to a temporary typist who continues to work during the meeting.
Chances are the first user will not botheror has forgottento
logout before clearing his desk.
K. Le Roux is the director of Morsedawn (Australia), a company
which specialises in network design and consultancy and writes
for Network Computing-Asian Edition.