Getting a Secure Intranet

Transcription

1 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like to steal or destroy proprietary data on computer networks. Most companies have implemented measures so they can avoid data theft by using Web technology for internal communication. Such networks are called intranets. An intranet is a small-scale World Wide Web that is protected by a firewall which prevents hacker intrusions. Intranets allow users to accomplish the same tasks that can be done on the Web, such as posting documents, sending electronic mail, and chatting with other users. In addition, corporate intranets are used as vehicles for keeping employees up to date on company policies and information. Cost Advantages over Groupware Intranets can be implemented more quickly and less expensively than other methods, such as groupware It could take a $250,000 investment to install Lotus Notes, for example, as compared with $10,000 for installing an intranet. If a company already has most of the necessary computer equipment, its cost would be even less. Although the cost savings are achieved, in part, by the use of existing equipment, the real benefits come from using broader-based technology for internal communications, rather than implementing a commercial software product. With Lotus Notes and groupware products like it, a company needs to first pay for the product, license it for each user, and implement it across its network. Later, there are costs related to upgrades as well as technical support to troubleshoot Lotus-specific problems that arise from incompatibilities or conflicts between the Lotus product and other company computer system or peripherals.

2 Because intranets use technology that is widely implemented, many vendors are competing for business in this area. A company can cost-compare before it begins to implement its intranet solution and still know that the basic technology will be there tomorrow. Intranets are a safe and cost-effective means of communication, especially when an intranet is not connected to the Internet at large. Companies that do not require real-time chat can, for example, save money if they do not have to purchase a whiteboard, for which costs can range from as low as $50 to as much as $1,000. Furthermore, if a company implements an intranet solely for the purposes of internal employees without connections to the outside world then a firewall investment is not necessary since there is already tight control on who accesses the network data. Should a company have connections to the Internet and have an internal intranet, then the cost of a firewall (discussed later in this chapter) needs to be factored into the total cost. Security Advantages Simple intranets can be created inexpensively in-house, and by using internal staff, a company can reduce the risk of third-party intranet installers potentially leaking intimate details of a company s network to its competitors. Hackers feed on information that allows them to connect tapping devices to network wiring and access information as easily as if they were inside a building. In addition, when a company uses its internal staff, not only is it educating employees as to the mechanics of the network, but the company knows who is setting up and using the intranet at all times. GETTING STARTED Intranet users require a local area network. Ethernet LANs can be installed over existing telephone lines. The network can be made of PCs or Apple Macintosh computers, or a combination of both. Because intranet technology is platform-independent, each workstation needs to be monitored regularly. It is important not to let employees indiscriminately alter workstations, because every change can potentially compromise data access. An intranet system requires at least one Web server. If a company has many different Web servers, a highly distributed infrastructure is required. One server will do if the company has a tightly controlled or centralized infrastructure. In addition, companies should not experience the need to alter their application-computing model when creating an intranet. The server can run on any well-powered PC and can handle several thousand hits per hour.

3 Intranet Applications and Their Risks When a company becomes connected to an intranet, the next step is to add suitable applications. When choosing applications, the IS manager should try and keep as much control over outside links as possible. . Electronic mail is a necessary application that nearly all employees will need to communicate effectively with the modern-day client. Yet e- mail can place a business at great risk. Security starts with employees awareness that they must be careful with the information they send out through this unsecured medium. Ensure that workers do not send passwords or any other sensitive corporate information through the channel, since a hacker can easily review this information as it goes from the company s server and onto the Internet. Personal web pages. Web pages are a way to let workers using the corporate intranet and clients on the Internet access information about each worker. As with , the type of information employees place on their Web page should be monitored. Bulletin boards. Bulletin boards are a great way for companies to promote general discussion over intranets. Work groups can achieve greater productivity and increased communication regarding products and new ideas for the company s research and development teams. However, just as with and Web pages, it is important to restrict highly sensitive information across a channel that can be easily viewed. Assessing Types of Threats The intranet, like the Internet, promotes open information exchange, but within a limited environment. Do not be misled into feeling too secure by the fact that the network resides behind a firewall. Businesses need to do a risk assessment to determine what information of value they have on the server and the nature of the business being conducted on it. The exact approach to securing a corporate Web server depends on both the function and purpose of the intranet Web site. The threat may not be someone stealing company data, but instead a person trying to alter data or, worse yet, use the company site as a starting point to attack or to store contraband data. Prying eyes. It is always prudent to plan to protect sensitive company data. There are two hacker personalities to watch for. The first type of hacker is committed to breaking into systems for a living. This person looks for software, company plans and forecasts, information on new products and ventures, as well as inside information that could

4 possibly lead to insider trading. The second hacker type includes those who simply enjoy destroying data for the fun of it. There are several ways in which to protect a company s electronic assets from such people. First, the company needs to make certain employees choose secure passwords. It is also important not to allow employees to install their own modems. An organization can only control security with equipment it knows about. An extra modem may just as well be an open door that invites the hacker into your network. In addition to preventive measures such as making employees aware of the appropriate behaviors expected of them when using the corporate intranet, there are state-of-the-art technologies companies can employ to keep intranets secure. STATE-OF-THE-ART TECHNOLOGY Secure Browsers Each computer on the corporate intranet will need its own Web browser, which is the means by which the computer retrieves documents and images off the internal Web server. Currently, the two most popular browsers are Netscape Navigator and Microsoft s Internet Explorer. Although both of these applications employ sophisticated encryption technology when sending and receiving information to secure documents, it is important to upgrade to the newest version of any browser to ensure the company has the latest in security technology at its disposal. Using older browsers or unknown third-party browsers can expose a company to potential weaknesses that hackers can exploit to steal passwords and other data flowing across the corporate network. Firewall Protection Most businesses establish a firewall for each intranet server in their network. Firewall software both protects and forms a barrier between the intranet and the larger Internet. Firewalls can be configured to identify sources and that permit only qualified employees to log in or only certain files to be retrieved or submitted into the network. This is important so hackers cannot download important or sensitive documentation, or upload potentially harmful viruses that could disable or destroy a system and its data. The vendors of firewall systems include Digital Equipment Corp., Eagle Systems, IBM Corp., Sun Microsystems Inc. and Trusted Information Systems Inc., among others. Firewalls can cost from around $10,000 to $50,000.

5 Of course, someone has to be fairly determined to tap into company telephone lines, but there are many people who are technically adept and interested in getting into company systems. If the company is a high-end corporate entity, the risk is even greater. Companies should not, however, be lulled into a false sense of security by having a firewall. The minute that hackers see security on a Web site, they will reason that there must be information worth having on it and may be more active in their attack. Encryption Although firewalls can be set up to send only HTTP (hypertext transfer protocol) traffic to a Web server, they cannot ensure the safety of the content of the information flowing to and from the Web server through the network. It is at this point that data is encoded so hackers can neither read nor tamper with it. The most widely known encryption technologies deploy the Data Encryption Standard (DES) or RSA Data Security Inc. s encryption algorithm for encoding and securing information. Web technology uses the secure HTTP(S-HTTP) protocol, which protects the Web s HTTP application. The secure sockets layer (SSL) protocol employs encryption to secure an IP session. Access Control Protecting the content of Web pages is one of the most difficult security problems. Webs must be fortified with multiple layers of security barriers to ensure that anyone who accesses the site has been permitted to do so. Then, once access is granted, that person is limited only to reading or writing to data he or she is authorized to work on. Although companies install separate firewall and increased encryption and authentication technologies, IS managers still must be prepared for threats from external hackers, who are dialing in, as well as internal hackers. Should a hacker from anywhere inside the company try to breach security and access confidential files, it is usually possible to stop the unauthorized user s access and trace the suspect s source address. However, as hackers become more and more adept, they can access the machines from fake source addresses, thereby nullifying these efforts. Should an outside hacker break into a firm s network segment, security methods can lock the hacker out. Again, hackers can misdirect routing information to make it appear as if they are dialing in from another number than the one they are really using.

6 Secure Server Software Web server software often comes with permanent passwords that can only be changed manually by the system administrator. Netscape Communications Corp. s Communications Server formulates its own password data base. Secure versions of Web server software include Netscape s Commerce Server and Open Market Inc. s Secure Web Server. The Commerce Server encrypts information that flows across the network; in addition, it requires that the end user run a secure version of Netscape s Web browser software. Open Market s Secure Web Server even adds its own layer of user authentication with checksum programs that make certain that a server and client are, in fact, who they say they are. The most sensitive point of entry is the root user, or superuser, who is most vulnerable to Trojan Horse attacks. The root user is the cornerstone of both the corporate intranet and of the entire operating system. Therefore, when hackers get access to the root user, they are free to open any employee s mail (including the CEO s) or even delete an entire data base on the server. Data is more susceptible on a UNIX server because this operating system has well-known points of vulnerability that are the targets of many hackers. Windows NT has its own root account, called administrative user, that is just as vulnerable to determined hackers as UNIX s root user. CONCLUSION Intranets may be the most important form of communication that a company will use. An intranet is much more cost-effective to develop and maintain than a groupware application such as Lotus Notes. Furthermore, an intranet is more versatile. Intranet security issues that are at the forefront of many business managers minds include the danger they face from people on the outside getting onto their networks and accessing or modifying their data in transit. Two factors are important to achieve the goal of a secure intranet: The technology factor. Keep equipment up to date and software applications current so as to avoid any loopholes that a hacker is looking for to gain access to corporate applications. Employ proven security technologies and data encryption standards to keep private files private. Intranet Web sites should always be configured with a firewall between it and the company s internal network as a way to protect sensitive corporate data from prying eyes. Added security measures, such as password access control, will ensure that users access only the data for which they are authorized.

7 The human factor. The IS manager should educate employees about the importance of data on the corporate intranet, and make sure employees choose secure passwords and change them regularly to reduce the chance of their falling into the wrong hands. By setting up defined standards for appropriate Net behavior, IS managers can effectively keep their data secure.