When it comes to computer security, many organizations engage in a principle
known as "minimaxing." These organizations try to minimize their
maximum regret. Put another way, they look at the worst thing that could
go wrong and take whatever steps are necessary to avoid such events. As
applied to networking, this often translates into private networks with
no public access. It is easy to understand the logic in this approach, but
in an era when electronic commerce is on the brink of exploding, it may
be necessary to reassess some of these rather conservative principles.
Some organizations are irrationally paranoid when it comes to the Internet.
Their fears are often based on media sensationalism and technical ignorance.
This is not to say that security concerns do not exist; most media reports
of hackers have much of their basis in fact. However, reasonable
precautions can be taken to minimize security exposures if you have a firm
understanding of the issues involved. We cannot provide such an understanding
within the confines of this chapter, but we can at least introduce some
of the risks and provide an overview of the technologies available to minimize
these risks. Beyond that, the services of a network security consultant
may be desirable to address your specific concerns. Most major ISPs either
employ such experts or can provide you with a reference to a qualified consultant.
Points of Exposure
The classic tales of Internet security breaches revolve around hackers compromising
internal business systems or gaining access to confidential information.
These threats are genuine and should be taken seriously. As an open network,
the Internet offers many points of entry, and its dynamic complexity
makes it easy for violators to hide their origins. In short, it is rather
easy to be an anonymous criminal on the Internet.
At the same time, it is important to balance the threat of unauthorized
access with both the benefits of broad connectivity and the probability
that many more serious exposures already exist from within your corporate
network. Security should be a major concern of information systems professionals
on both public and private networks, but it is somewhat hypocritical to
adopt a strict position on public network access while being lax on internal
security measures. The fact is that any computer network introduces some
level of vulnerability, but we implement such systems nonetheless because
the benefits outweigh the risks.
While not as well publicized as network break-ins, another security risk
associated with Internet connectivity relates to corporate liability for
employee activities. While the case law is somewhat ambiguous in this regard,
there is precedent that holds an employer legally liable for illegalities
committed using a corporate network. Some of the most well-publicized cases
involve employees using Internet connections to gain illegal access to competitive
information, but the current federal legislative climate is also such that
charges of Internet harassment and exchange of indecent materials may also
present liabilities for employers.
Managing the Security Risks
Unauthorized access to corporate information or other forms of malicious
hacking are usually managed through the use of firewalls that protect portions
of the corporate network from intruders. The firewall "industry"
is maturing and many sophisticated systems are available that offer relatively
high levels of protection. Some of these security toolkits are available
at no charge, while others are marketed as commercial products. Some may
be included in the network routers provided by your ISP.
Two general strategies are essential to any Internet security policy. First,
provisions must be developed for proactively monitoring network activity
in such a way that suspicious activity can be identified before the consequences
become serious. Second, proactive steps should be taken to address known
security vulnerabilities by implementing appropriate access restrictions
to the corporate network. These steps should go well beyond traditional
password-based security systems. These two strategies should form the basis
for a corporate security policy aimed at keeping information resources secure.
The first line of defense in protecting your network resources is the
router used to connect your systems to the Internet. Through the use of
packet filtering capabilities, it is possible to strictly control the source
of data entering your network. Unfortunately, while using a router for this
can be effective, such simple systems lack the logging and alarm functions
that are fundamental to a well-protected network. Many sites implement more
sophisticated security gateways that handle these tasks more effectively.
Some even turn to application filtering via proxy servers, which
require strict authentication to enter or leave the corporate network. In
such an environment, publicly accessible servers, including a World Wide
Web server, might be placed on an unsecured network while secure systems
are located behind the proxy firewall. The downside to the use of proxy
servers rests in the fact that client applications used to gain access to
Internet resources from behind the firewall must be intelligent enough to
deal with the proxy server.
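The two strategies above (proactive monitoring and access restriction at the border router) can be seen together in a small model of a packet filter. The following is an added example written for this chapter, not code from any router vendor or product the text describes: it evaluates first-match permit/deny rules over packets, writes a log entry for every decision, and raises an alarm when one source accumulates repeated denials, which is the monitoring function the text notes simple routers lack. The address plan (a public segment holding a web server and an authenticating proxy, a private internal network reachable only through the proxy), the rules, the alarm threshold and the sample traffic are all constructed for illustration.

```python
"""Toy stateless packet filter with logging and an alarm threshold.

Added example for illustration only. Addresses, rules, the alarm
threshold and the sample packets are constructed, not taken from any
real network or product.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption): public servers sit on an
# unsecured segment, private systems live on the internal network.
PUBLIC_SEGMENT = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
WEB_SERVER = "192.0.2.10"   # public World Wide Web server
PROXY = "192.0.2.20"        # authenticating proxy in front of INTERNAL


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # CIDR, or None to match any source
    dst: Optional[str] = None    # host or CIDR, or None to match any destination
    proto: Optional[str] = None  # protocol, or None for any
    dport: Optional[int] = None  # port, or None for any

    def matches(self, p: Packet) -> bool:
        """Return True when every field given in the rule agrees with the packet."""
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# Inbound rules, evaluated first match wins; the final rule denies everything else.
RULES: List[Rule] = [
    # Anti-spoofing: packets claiming an internal source never arrive from outside.
    Rule("deny", src=str(INTERNAL)),
    # Public web server: only HTTP.
    Rule("permit", dst=WEB_SERVER, proto="tcp", dport=80),
    # Proxy: only the authenticated channel.
    Rule("permit", dst=PROXY, proto="tcp", dport=443),
    # Nothing reaches the internal network directly, and nothing else is permitted.
    Rule("deny"),
]


class Filter:
    # Number of denied packets from one source before an alarm is raised (assumed value).
    ALARM_THRESHOLD = 3

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.log: List[str] = []            # one line per decision
        self.denied_by_src = Counter()      # denial count per source address
        self.alarms: List[str] = []         # alarms raised so far

    def decide(self, p: Packet) -> str:
        """First matching rule decides; a missing match is treated as deny."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"

    def process(self, p: Packet) -> str:
        """Apply the rules, log the outcome, and alarm on repeated denials."""
        action = self.decide(p)
        self.log.append(f"{action} {p.proto} {p.src} -> {p.dst}:{p.dport}")
        if action == "deny":
            self.denied_by_src[p.src] += 1
            if self.denied_by_src[p.src] == self.ALARM_THRESHOLD:
                self.alarms.append(
                    f"alarm: {self.ALARM_THRESHOLD} denied packets from {p.src}")
        return action


def run_sample() -> Tuple[List[str], List[str]]:
    """Run constructed traffic through the filter; return (decisions, alarms)."""
    f = Filter(RULES)
    packets = [
        Packet("198.51.100.5", WEB_SERVER, "tcp", 80),   # ordinary web visitor
        Packet("198.51.100.5", PROXY, "tcp", 443),       # remote user reaching the proxy
        Packet("10.1.2.3", WEB_SERVER, "tcp", 80),       # spoofed internal source
        Packet("198.51.100.7", "10.0.0.5", "tcp", 23),   # direct probe of an internal host
        Packet("198.51.100.7", "10.0.0.5", "tcp", 139),  # second probe, same source
        Packet("198.51.100.7", WEB_SERVER, "tcp", 22),   # third denial triggers the alarm
        Packet("198.51.100.5", WEB_SERVER, "udp", 80),   # wrong protocol for the web rule
    ]
    decisions = [f.process(p) for p in packets]
    return decisions, f.alarms


if __name__ == "__main__":
    decisions, alarms = run_sample()
    print(decisions)
    print(alarms)
```

The log entries are what a plain packet-filtering router typically does not keep; the alarm list is the monitoring step that lets suspicious activity be noticed before its consequences become serious. A real security gateway would add time windows and state tracking, but the shape of the decision is the same.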