Getting a Secure Intranet




61-04-69
Stewart S. Miller

The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like to steal or destroy proprietary data on computer networks. Most companies have implemented measures to avoid data theft by using Web technology for internal communication. Such networks are called intranets. An intranet is a small-scale World Wide Web that is protected by a firewall, which prevents hacker intrusions. Intranets allow users to accomplish the same tasks that can be done on the Web, such as posting documents, sending electronic mail, and chatting with other users. In addition, corporate intranets are used as vehicles for keeping employees up to date on company policies and information.

Cost Advantages over Groupware

Intranets can be implemented more quickly and less expensively than other methods, such as groupware. It could take a $250,000 investment to install Lotus Notes, for example, as compared with $10,000 for installing an intranet. If a company already has most of the necessary computer equipment, its cost would be even less. Although the cost savings are achieved, in part, by the use of existing equipment, the real benefits come from using broader-based technology for internal communications, rather than implementing a commercial software product. With Lotus Notes and groupware products like it, a company needs to first pay for the product, license it for each user, and implement it across its network. Later, there are costs related to upgrades as well as technical support to troubleshoot Lotus-specific problems that arise from incompatibilities or conflicts between the Lotus product and other company computer systems or peripherals.

Because intranets use technology that is widely implemented, many vendors are competing for business in this area. A company can cost-compare before it begins to implement its intranet solution and still know that the basic technology will be there tomorrow. Intranets are a safe and cost-effective means of communication, especially when an intranet is not connected to the Internet at large. Companies that do not require real-time chat can, for example, save money if they do not have to purchase a whiteboard, for which costs can range from as low as $50 to as much as $1,000. Furthermore, if a company implements an intranet solely for internal employees, without connections to the outside world, then a firewall investment is not necessary, since there is already tight control on who accesses the network data. Should a company have connections to the Internet as well as an internal intranet, then the cost of a firewall (discussed later in this chapter) needs to be factored into the total cost.

Security Advantages

Simple intranets can be created inexpensively in-house, and by using internal staff, a company can reduce the risk of third-party intranet installers potentially leaking intimate details of a company's network to its competitors. Hackers feed on information that allows them to connect tapping devices to network wiring and access information as easily as if they were inside the building. In addition, when a company uses its internal staff, not only is it educating employees about the mechanics of the network, but the company also knows who is setting up and using the intranet at all times.

GETTING STARTED

Intranet users require a local area network. Ethernet LANs can be installed over existing telephone lines. The network can be made up of PCs or Apple Macintosh computers, or a combination of both. Because intranet technology is platform-independent, each workstation needs to be monitored regularly. It is important not to let employees indiscriminately alter workstations, because every change can potentially compromise data access.

An intranet system requires at least one Web server. If a company has many different Web servers, a highly distributed infrastructure is required. One server will do if the company has a tightly controlled or centralized infrastructure. In addition, companies should not need to alter their application-computing model when creating an intranet. The server can run on any well-powered PC and can handle several thousand hits per hour.

Intranet Applications and Their Risks

When a company becomes connected to an intranet, the next step is to add suitable applications. When choosing applications, the IS manager should try to keep as much control over outside links as possible.

E-mail. Electronic mail is a necessary application that nearly all employees will need to communicate effectively with the modern-day client. Yet e-mail can place a business at great risk. Security starts with employees' awareness that they must be careful with the information they send out through this unsecured medium. Ensure that workers do not send passwords or any other sensitive corporate information through the e-mail channel, since a hacker can easily review this information as it goes from the company's server onto the Internet.

Personal Web pages. Web pages are a way to let workers using the corporate intranet, and clients on the Internet, access information about each worker. As with e-mail, the type of information employees place on their Web pages should be monitored.

Bulletin boards. Bulletin boards are a great way for companies to promote general discussion over intranets. Work groups can achieve greater productivity and increased communication regarding products and new ideas for the company's research and development teams. However, just as with e-mail and Web pages, it is important to restrict highly sensitive information on a channel that can be easily viewed.

Assessing Types of Threats

The intranet, like the Internet, promotes open information exchange, but within a limited environment. Do not be misled into feeling too secure by the fact that the network resides behind a firewall. Businesses need to do a risk assessment to determine what information of value they have on the server and the nature of the business being conducted on it. The exact approach to securing a corporate Web server depends on both the function and purpose of the intranet Web site.
The threat may not be someone stealing company data, but instead a person trying to alter data or, worse yet, use the company site as a starting point to attack or to store contraband data.

Prying eyes. It is always prudent to plan to protect sensitive company data. There are two hacker personalities to watch for. The first type of hacker is committed to breaking into systems for a living. This person looks for software, company plans and forecasts, information on new products and ventures, as well as inside information that could possibly lead to insider trading. The second hacker type includes those who simply enjoy destroying data for the fun of it.

There are several ways in which to protect a company's electronic assets from such people. First, the company needs to make certain that employees choose secure passwords. It is also important not to allow employees to install their own modems. An organization can only control security with equipment it knows about. An extra modem may just as well be an open door that invites the hacker into your network. In addition to preventive measures such as making employees aware of the appropriate behaviors expected of them when using the corporate intranet, there are state-of-the-art technologies companies can employ to keep intranets secure.

STATE-OF-THE-ART TECHNOLOGY

Secure Browsers

Each computer on the corporate intranet will need its own Web browser, which is the means by which the computer retrieves documents and images from the internal Web server. Currently, the two most popular browsers are Netscape Navigator and Microsoft's Internet Explorer. Although both of these applications employ sophisticated encryption technology when sending and receiving information to secure documents, it is important to upgrade to the newest version of any browser to ensure the company has the latest in security technology at its disposal. Using older browsers or unknown third-party browsers can expose a company to potential weaknesses that hackers can exploit to steal passwords and other data flowing across the corporate network.

Firewall Protection

Most businesses establish a firewall for each intranet server in their network. Firewall software both protects and forms a barrier between the intranet and the larger Internet. Firewalls can be configured to identify e-mail sources and to permit only qualified employees to log in, or only certain files to be retrieved from or submitted into the network. This is important so hackers cannot download important or sensitive documentation, or upload potentially harmful viruses that could disable or destroy a system and its data. The vendors of firewall systems include Digital Equipment Corp., Eagle Systems, IBM Corp., Sun Microsystems Inc. and Trusted Information Systems Inc., among others. Firewalls can cost from around $10,000 to $50,000.
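The firewall behaviour described above (permit only what is explicitly listed, refuse everything else, and keep a record of what was refused) can be illustrated with a small policy evaluator. The following is an added example written for this page; it is not code from the article or from any of the firewall vendors named, and the intranet range 10.1.0.0/16, the Web server address 10.1.5.10, the rule list and the connection attempts are all constructed for illustration.

```python
# Added example (not from the article): a minimal default-deny packet-filter
# policy that permits only HTTP from the intranet to the Web server and records
# every attempt it refuses. Addresses, ports and attempts are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR the connection originates from
    dst: str               # CIDR it is directed to
    dport: Optional[int]   # destination port, or None for any port
    comment: str


@dataclass(frozen=True)
class Connection:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


# Hypothetical layout: the intranet is 10.1.0.0/16, the Web server is 10.1.5.10.
WEB_SERVER = "10.1.5.10/32"
INTRANET = "10.1.0.0/16"

# Rules are evaluated top to bottom; the first match wins.
POLICY: List[Rule] = [
    Rule("allow", "tcp", INTRANET, WEB_SERVER, 80, "intranet users may browse the Web server"),
    Rule("deny", "tcp", "0.0.0.0/0", WEB_SERVER, 21, "no FTP uploads or downloads of server files"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "default deny: everything not listed above"),
]


def _matches(rule: Rule, conn: Connection) -> bool:
    if rule.proto != "any" and rule.proto != conn.proto:
        return False
    if ip_address(conn.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(conn.dst_ip) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == conn.dport


def evaluate(conn: Connection, policy: List[Rule] = POLICY) -> Rule:
    """Return the first rule that matches; the policy ends in an explicit deny."""
    for rule in policy:
        if _matches(rule, conn):
            return rule
    # Unreachable with POLICY above, but a filter must never fail open.
    return Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "implicit deny")


def filter_log(conns: List[Connection], policy: List[Rule] = POLICY) -> List[str]:
    """Apply the policy to a batch of attempts and return an audit log, one line each."""
    lines = []
    for c in conns:
        rule = evaluate(c, policy)
        lines.append(f"{rule.action.upper():5} {c.proto} {c.src_ip} -> {c.dst_ip}:{c.dport} ({rule.comment})")
    return lines


# Constructed connection attempts, not captured traffic.
SAMPLE_ATTEMPTS = [
    Connection("tcp", "10.1.20.7", "10.1.5.10", 80),     # employee browsing
    Connection("tcp", "198.51.100.9", "10.1.5.10", 80),  # outside address, not on the intranet
    Connection("tcp", "10.1.20.7", "10.1.5.10", 21),     # FTP from inside
    Connection("udp", "10.1.20.7", "10.1.5.10", 80),     # wrong protocol
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_ATTEMPTS):
        print(line)
```

The point of the ordering is that the last rule always matches, so anything the administrator has not thought of is refused rather than let through; the log of refused attempts is what later lets the IS manager notice someone probing the server.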

Of course, someone has to be fairly determined to tap into company telephone lines, but there are many people who are technically adept and interested in getting into company systems. If the company is a high-end corporate entity, the risk is even greater. Companies should not, however, be lulled into a false sense of security by having a firewall. The minute that hackers see security on a Web site, they will reason that there must be information worth having on it and may be more active in their attack.

Encryption

Although firewalls can be set up to send only HTTP (hypertext transfer protocol) traffic to a Web server, they cannot ensure the safety of the content of the information flowing to and from the Web server through the network. It is at this point that data is encoded so hackers can neither read nor tamper with it. The most widely known encryption technologies deploy the Data Encryption Standard (DES) or RSA Data Security Inc.'s encryption algorithm for encoding and securing information. Web technology uses the secure HTTP (S-HTTP) protocol, which protects the Web's HTTP application. The secure sockets layer (SSL) protocol employs encryption to secure an IP session.

Access Control

Protecting the content of Web pages is one of the most difficult security problems. Web sites must be fortified with multiple layers of security barriers to ensure that anyone who accesses the site has been permitted to do so. Then, once access is granted, that person is limited to reading or writing only the data he or she is authorized to work on. Although companies install separate firewalls and increased encryption and authentication technologies, IS managers still must be prepared for threats from external hackers, who are dialing in, as well as from internal hackers. Should a hacker from anywhere inside the company try to breach security and access confidential files, it is usually possible to stop the unauthorized user's access and trace the suspect's source address. However, as hackers become more and more adept, they can access the machines from fake source addresses, thereby nullifying these efforts. Should an outside hacker break into a firm's network segment, security methods can lock the hacker out. Again, hackers can misdirect routing information to make it appear as if they are dialing in from a number other than the one they are really using.
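The two-stage control the section describes (first establish that the person is permitted on the site at all, then limit an authenticated user to reading or writing only the data he or she is authorized for) is shown below as an added example; it is not the article's code nor any product's. The users, document paths and addresses are constructed. Because the section notes that source addresses can be faked, the example records the reported address for tracing but never uses it to decide access.

```python
# Added example (not from the article): a read/write access-control layer for
# intranet documents. Every request is checked against an access list that
# denies by default, and each decision is recorded with the reported source
# address so repeated denials can be traced later. All data is constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Permission = str  # "read" or "write"


@dataclass
class AccessList:
    # path -> user -> set of permissions; anything absent is denied
    entries: Dict[str, Dict[str, FrozenSet[Permission]]] = field(default_factory=dict)

    def grant(self, path: str, user: str, *perms: Permission) -> None:
        self.entries.setdefault(path, {})[user] = frozenset(perms)

    def allowed(self, path: str, user: str, perm: Permission) -> bool:
        return perm in self.entries.get(path, {}).get(user, frozenset())


@dataclass
class DocumentStore:
    acl: AccessList
    authenticated: FrozenSet[str]       # users who have already logged in
    audit: List[str] = field(default_factory=list)

    def request(self, user: str, src_ip: str, perm: Permission, path: str) -> Tuple[bool, str]:
        """Decide one request and append an audit record. Returns (granted, reason)."""
        if user not in self.authenticated:
            granted, reason = False, "not authenticated"
        elif perm not in ("read", "write"):
            granted, reason = False, "unknown operation"
        elif self.acl.allowed(path, user, perm):
            granted, reason = True, "permitted by access list"
        else:
            granted, reason = False, "not on access list"
        # The source address is recorded for tracing only; it plays no part in
        # the decision, because the article notes it can be faked.
        verdict = "GRANT" if granted else "DENY"
        self.audit.append(f"{verdict} user={user} src={src_ip} op={perm} path={path} ({reason})")
        return granted, reason


def build_demo_store() -> DocumentStore:
    """Hypothetical access list: the CFO may edit the forecast, an analyst may only read it."""
    acl = AccessList()
    acl.grant("/finance/forecast.html", "cfo", "read", "write")
    acl.grant("/finance/forecast.html", "analyst", "read")
    acl.grant("/hr/policies.html", "analyst", "read")
    acl.grant("/hr/policies.html", "cfo", "read")
    return DocumentStore(acl=acl, authenticated=frozenset({"cfo", "analyst"}))


def suspicious_sources(audit: List[str], threshold: int = 2) -> Dict[str, int]:
    """Count denied requests per reported source; repeated denials are worth tracing."""
    counts: Dict[str, int] = {}
    for line in audit:
        if line.startswith("DENY"):
            src = line.split("src=")[1].split()[0]
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    store = build_demo_store()
    store.request("analyst", "10.1.20.7", "read", "/finance/forecast.html")
    store.request("analyst", "10.1.20.7", "write", "/finance/forecast.html")
    store.request("analyst", "10.1.20.7", "read", "/finance/salaries.html")
    store.request("guest", "10.1.20.7", "read", "/hr/policies.html")
    for line in store.audit:
        print(line)
    print(suspicious_sources(store.audit))
```

Note that a path with no entry at all (the salaries page above) is refused for everyone, including authenticated users; that is the default-deny property the section's "multiple layers of security barriers" depends on.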

Secure Server Software

Web server software often comes with permanent passwords that can only be changed manually by the system administrator. Netscape Communications Corp.'s Communications Server formulates its own password database. Secure versions of Web server software include Netscape's Commerce Server and Open Market Inc.'s Secure Web Server. The Commerce Server encrypts information that flows across the network; in addition, it requires that the end user run a secure version of Netscape's Web browser software. Open Market's Secure Web Server even adds its own layer of user authentication, with checksum programs that make certain that a server and client are, in fact, who they say they are.

The most sensitive point of entry is the root user, or superuser, who is most vulnerable to Trojan horse attacks. The root user is the cornerstone of both the corporate intranet and of the entire operating system. Therefore, when hackers get access to the root user, they are free to open any employee's mail (including the CEO's) or even delete an entire database on the server. Data is more susceptible on a UNIX server because this operating system has well-known points of vulnerability that are the targets of many hackers. Windows NT has its own root account, called the administrative user, that is just as vulnerable to determined hackers as UNIX's root user.

CONCLUSION

Intranets may be the most important form of communication that a company will use. An intranet is much more cost-effective to develop and maintain than a groupware application such as Lotus Notes. Furthermore, an intranet is more versatile. Intranet security issues that are at the forefront of many business managers' minds include the danger they face from people on the outside getting onto their networks and accessing or modifying their data in transit. Two factors are important to achieve the goal of a secure intranet:

The technology factor. Keep equipment up to date and software applications current so as to avoid any loopholes that a hacker is looking for to gain access to corporate applications. Employ proven security technologies and data encryption standards to keep private files private. Intranet Web sites should always be configured with a firewall between them and the company's internal network as a way to protect sensitive corporate data from prying eyes. Added security measures, such as password access control, will ensure that users access only the data for which they are authorized.

The human factor. The IS manager should educate employees about the importance of data on the corporate intranet, and make sure employees choose secure passwords and change them regularly to reduce the chance of their falling into the wrong hands. By setting up defined standards for appropriate Net behavior, IS managers can effectively keep their data secure.
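The password database that the Secure Server Software section says Web server software keeps, together with the two rules the conclusion asks for (employees choose secure passwords and change them regularly), can be demonstrated in one small store. The following is an added example written for this page, not code from the article or from Netscape or Open Market. The 12-character minimum, the three-character-class rule, the 90-day rotation period, the iteration count and the sample users and dates are assumptions chosen for the demonstration; the article gives no such figures.

```python
# Added example (not from the article): a password database that stores only
# salted PBKDF2 hashes, rejects weak passwords at the time they are chosen, and
# reports which users are overdue for a change. Policy values and sample users
# are assumptions constructed for the demonstration.
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, List, Tuple

ITERATIONS = 100_000            # assumed cost factor for the demo
MAX_AGE = timedelta(days=90)    # assumed rotation period
COMMON = {"password", "letmein", "welcome", "intranet", "qwerty", "12345678"}


def password_problems(candidate: str, username: str) -> List[str]:
    """Return the policy rules a proposed password violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    lowered = candidate.lower()
    if any(word in lowered for word in COMMON):
        problems.append("contains a common password")
    if username.lower() in lowered:
        problems.append("contains the user name")
    classes = sum(bool(s) for s in (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


class PasswordDatabase:
    def __init__(self) -> None:
        # user -> (salt, hash, date the password was set)
        self._records: Dict[str, Tuple[bytes, bytes, date]] = {}

    def set_password(self, user: str, candidate: str, today: date) -> List[str]:
        """Store a new password if it passes policy; return the list of violations otherwise."""
        problems = password_problems(candidate, user)
        if problems:
            return problems
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
        self._records[user] = (salt, digest, today)
        return []

    def verify(self, user: str, candidate: str) -> bool:
        record = self._records.get(user)
        if record is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            hashlib.pbkdf2_hmac("sha256", candidate.encode(), b"\0" * 16, ITERATIONS)
            return False
        salt, digest, _ = record
        attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
        return hmac.compare_digest(attempt, digest)

    def expired(self, today: date) -> List[str]:
        """Users whose password is older than the rotation period."""
        return [u for u, (_, _, set_on) in self._records.items() if today - set_on > MAX_AGE]


def demo() -> Dict[str, object]:
    """Walk through the policy with constructed users and dates."""
    db = PasswordDatabase()
    jan = date(2024, 1, 10)
    results: Dict[str, object] = {
        "weak_rejected": db.set_password("alice", "alicepassword", jan),
        "strong_accepted": db.set_password("alice", "Tr4ck-lamp!Quartz", jan),
    }
    db.set_password("bob", "Mv9#harbour-Lantern", date(2024, 4, 1))
    results["login_ok"] = db.verify("alice", "Tr4ck-lamp!Quartz")
    results["login_wrong"] = db.verify("alice", "Tr4ck-lamp!quartz")
    results["login_nouser"] = db.verify("mallory", "anything")
    results["expired_in_may"] = db.expired(date(2024, 5, 1))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter for the "human factor": the policy is enforced at the moment the password is chosen, so the employee learns immediately why a weak choice was refused, and the rotation check runs against stored dates rather than relying on anyone remembering to ask.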