INTERNET SECURITY

"CREATING A SECURE NETWORKING ENVIRONMENT!"

By

Gary Sabala

Overview:

With business beckoning on a the new electronic frontier, the need for developing a truly secure networking environment has risen to the fore front of issues concerning electronic commerce and the Internet. This paper will be centered around defining the problem of providing security on an electronic frontier, and developing some potential strategies for protecting business information in an electronic environment.

When talking about electronic commerce or an electronic frontier, the key issue to be remembered is that there is a movement to develop an interactive network of computer systems which will be linked together to provide benefits for its users. Unlike the past where a company would develop a internal network of computers which was totally isolated from other networks, today with the advent of the Internet and various other electronic information mediums, companies are realizing the benefits of connecting to other networks and are increasingly doing so. But with this increased connectivity to other networks and increased access to their own network, comes the risks of the "unauthorized individuals" attempting, and some times succeeding, to gain access to confidential information.

The need for security in the new electronic frontier has given rise to a whole industry of security technology providers. From data encryption to firewalls to Smart Cards, there are a variety of technologies on the market today that can assist in keeping unauthorized individuals from accessing critical information and using it to their advantage. The real key in using these technologies is to develop a security strategy which will fit the needs of your company or situation. Strategy is key mainly from the stand point of making sure that there are no holes in your security efforts. Strategy is also important in that the level of security required will have a direct correlation on the cost of providing that security level, thus by developing a multi-level security strategy a company will be able to get the most benefit from its security dollars.

There is little doubt that the electronic frontier will be growing exponentially in the future, and with this growth will come an increased need for providing a truly secure environment where the users can be confident about confidentiality and security. The real point of this paper is that there is no such thing as a 100% secure environment. If an individual has enough resources and determination, they will eventually be able to break into any system. The real key is to make the cost of breaking into the system more than what is contained in the secure environment. It is a proven fact that there are numerous systems with little to no protection in the electronic arena which would be much more attractive to most individuals who seek to gain unauthorized access, than systems which have a reasonable amount of security. Thus the real goal of any corporate network security policy is to do as much as reasonably possible to secure the corporate assets which reside on the network

The Need for Security:

"Illegal attacks on Pentagon computer systems soared as high as 250,000 last year, according to recent government estimates. In a recent study of the vulnerability of military networks, it was estimated that about 1 in 500 security breaches are detected and reported." 1

"Less than a year ago, Russian programmer Vladimir Levin became the cyber-criminal of the century when he and his accomplices were caught (but just barely) tapping into Citibankís vast financial network, from which they were transferring a whopping $10 million to various bank accounts around the world." 1

" Several British financial institutions, including the Bank of London, have paid hackers a total of more that a half-million dollars to keep mum about recent computer break-ins, says the London Times. The American Society for Industrial Security estimates that high-tech crimes including unreported incidents may be costing US corporations as much as $63 billion a year." 2

The three quotes above should make it clear that security within the networking/electronic commerce arena is currently an issue to all of the companies which seek to utilize the benefits of a electronic network environment. As the use of the electronic medium grows, it will attract an increased number of individuals who will attempt to gain unauthorized access for a variety of reasons. "Killen & Associates, a Palo Alto market-research firm, says that by the year 2000, consumers, businesses, government and educational institutions worldwide will use Internet commerce for 9 billion payment transactions a year, passing the equivalent of $300 billion digital dollars." 1 With so much valuable information moving across the electronic frontier, there will undoubtedly be an ever increasing need to provide a secure environment in which uninterrupted transfers can take place.

The Security Crackerís:

In looking at and classifying the need and level of security needed within a certain environment, one needs to first look at what type of individuals make seek to gain unauthorized access to your network. One classification of individuals which is associated with unauthorized access to networks are "Hackers". Hackers are in many cases computer nerds who thrive off the thrill of being able to access private networks through a variety of means. In many cases Hackers are not seeking to vandalize of take any thing from the networks they break into. Hackers generally are not likely to have the capital to afford high powered computer systems needed to break large (128 bit) encryption keys. Another classification that we might want to look at are well funded organizations which have the super computers and other necessary tools to break into almost any system. Theses types of organizations can include government organizations (such as the U.S.ís National Security Agency-NSA) or organization funded by large private parties. Probably the most prevalent category of unauthorized individuals seeking to gain access to a network are employees. A vast majority of the reported cases of information theft or network vandalism comes from a companyís own employees. Many companies take internal security too lightly and are driven to believe that any threat to their networks will come from outsiders.


Security Technologies:

Firewalls:

"Firewalls are often compared to building security guards: They stand at a networks front entrance and verify that every packet coming in and out of the Internet gateway is authorized to do so." 2 Firewalls basically have three main function which are: 1) all traffic must pass through this single point, 2) to log all traffic that passes through it, and 3) to create a barrier to access to the network which is impregnable to attack. It is estimated that about 60% of all companies are currently using firewall technology within their networks today. The firewall can also act as a packet filter, in that it can allow and deny access to the network (in both directions) based on IP header on the incoming or outgoing packet of information. The main draw back of firewall/packet filter applications are: 1) they cannot keep track of a particular network session (which means it cannot track where a user goes on the network once they get access), 2) they cannot prevent IP spoof attacks. Spoof attacks occur when a hacker is able to guess a legitimate pass word and gain access to the system. There are some applications which will ping the user once a legitimate pass word has been given to verify the authenticity of the user. Another potential draw back of the firewall protection scheme is that it can slow down the rate of access to the system due to the fact that it takes time to verify passwords and other security protocols. Firewall technology is expensive (in the range of $15,000 per site or connection gate) 3, so a company with multiple entries into their network will need to determine the balance between costs and security values.

Encryption & Digital IDís:

Mastercard and Visa recently combined forces to release standards to safeguard credit card activities on the Internet. Joining forces with them are American Express. IBM, Microsoft, and Netscape communications and others. This joint effort is known as the Secure Electronic Transactions (SET) initiative. SET has resulted in an encryption standard that encodes all credit card numbers and other personal information in such a way that on-line the userís and merchantís banks can read it. Retailers themselves cannot unscramble the information, ensuring that hackers are unable to break through a firewall and read the data as it travels across the network. 3 SET is based on the highly touted encryption scheme known as public-private key that was developed primarily by RSA Data Security of Redwood City, California. Digital IDís (which are part of the SET standard) will play a major role in authenticating businesses and individuals in the electronic commerce arena. "Digital IDís also known as digital certificates, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. With Digital IDís it is possible to verify someoneís claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate others." 4 see the diagram above for an example of how Digital IDís work.

Unless a company is located solely on one site, a company will have to develop multiple networks and attempt to securely connect these networks together. This type of connection is called LAN (local area network) to LAN connections, and is many cases is done through the use of dedicated lines. The cost of purchasing a dedicated line from the local phone company can be a big strain on an IT budget. Many companies today are circumventing the need for dedicated lines through the development of virtual private networks (VPN). VPNís are developed by using the Internet and using encryption to scramble information going through the VPN link. Companyís such as Secure Computing has developed firewall applications which will allow users send information over the Internet using private and public key encryption technology.

Smart Cards:

Smart Cards offer another avenue to ensuring security when allowing access to a network. These credit card-sized devices generate random numbers about every minute, in sync with counterparts on each entry point in the network. To log onto the computer, people must enter a pass word into the smart card get a randomly generated pass number and enter this number and a password into the security system of the network. Even if the smart card is stolen, it will not generate a random number unless a password is first entered into the smart card. This process verifies the authenticity of the person seeking access to the network.


Security Strategies:

Electronic network security can be broken down into three areas:

Access security means controlling the port -- who can and canít dial in or out. Pay load security involves encryption or other manipulation of the data being sent over the network. Pay load is defined as the data sandwiched between the address header and the cyclic redundancy check/trailer data in the packet. People security is the ability to monitor who has access to what within a organization. This many times dictates a dedicated gatekeeper who makes decisions to has access to which parts of the networks.

In order to insure proper electronic security within a corporate network, the following four steps should be done:

Risk Analysis:

As was mentioned earlier, there are basically three sources of security issues involved: 1) access security, 2) payload security, and 3) people security. Assessing the possible access security risks, many times involves hiring individuals to attempt to break into your network and reporting if they were successful and if so how. This can be a delicate thing to do in that a break into the network could cause a disruption of service. Access security can also entail a through review of all the access points within your network and the security measures that are on each of the access points. Payload security can be assessed by determining what types of information will be transferred in and out of the network and the degree of security needed for each payload. This assessment should include any information which is leaving or entering the local area network (LAN). People security needs to be assessed from the stand point of determining what people have access to what information on the corporate network. Due to the fact that most network information thefts happen by employees, people security should be view with as much (if not more) importance as the other two security areas.

Business Needs Analysis:

Once the risk assessment is done, the next step in the process is to determine what some of the costs are with the risk points that have been identified. This would include the costs of adding additional security and the costs of having the security of the network compromised. Scenarios should be developed in order to determine worst case scenarios on what could happen in the event of a security breach of the network. Cost of downtime, information replacement, etc. should be assessed to each of the scenarios.

Security Policy:

Once the Risk Assessment and the Business Needs Analysis are completed, management should have sufficient information to weigh the cost and benefits of implementing various security strategies. Because added security in most cases means added costs, great care should be taken to develop various levels of security needed to protect the information on the network.

Identify Security Mechanisms and Methods:

In order to effectively carry out the security policy, various network security technologies need to assessed and implemented. This assessment should be carried out on both a cost and degree of protection level.


Conclusion:

As was mentioned in the overview section of this report, there is no such thing as a 100% secure network. But by combining a strong network security policy with the right security technologies, a formidable defense to "unauthorized access" to a network can be developed. It must be made clear that as internet security devices evolve, so will the interest and resources to conquer theses same technologies. So a dynamic security policy must be developed to continually assess/implement new security technologies, as to stay at least one step ahead of unauthorized individuals seek to break down your network defenses. For more information on internet security and the technologies involved, I would recommend the following sites:

1) W3C Security Resources

2) RSA

3) Digital ID's - Verisign

4) SET Standards - Visa

5) Firewalls - BorderWare

6) Secure ID's - Securid


References

1) Lange, Larry: "Breaking Into Electronic Commerce", Computer & Communications OEM Magazine, November 1, 1996

2) Karve, Anita: "In the Line of Fire, Firewall Technology", LAN Magazine, October 1996

3) Rothfeder, Jeffery: "Hacked! Are Your Company Files Safe?, PC World, November 1996

4) VeriSign Digital ID Center, http://digitalid.verisign.com/id_intro.html, October 1996

5) Avolio, Frederick: "Firewalls Are Not Enough", Gauntlet Firewalls, November 1996

6) "Frequently Asked Questions About the SET Standard", http://www.rsa.com/set/set_faq.html, November 1996

7) Rogers, Karen: " On the net -- can encryption offer peace of mind to nervous network managers", CMP, March 25, 1996

8) Liebmann, Lenny: "The network security blanket", Network Solutions Quarterly, March 1, 1996

9) Wilde, Candee: "Internet security -- A moving target", Interactive Age, May 13, 1996

10) Chapman, Brent: "Internet security: What measures can be taken", Oíreilly & Associates Inc., September 1996

11) Stipp, David: "Techno-Hero or Public Enemy?" Fortune, November 11, 1996

12) Silbert, Olin: "Securing the content, not the wire, for information commerce", Intertrust, November 1996

13) Power, Richard: "Follow the money; securing a network for electronic commerce, LAN Magazine, October 1996

14) Loeb,Larry: " The stage is SET", Internet World, August 1996