InformationWeek

The Online Safety Net

As more businesses use the World Wide Web, the need--and demand--for dependable firewalls is intensifying

By Tom Groenfeldt
Issue: Jan. 30, 1995

It was only last summer when Wells Fargo &Co. , the $52.2 billion San Francisco bank, hooked a World Wide Web server to the Internet to give potential customers new account, credit card, or loan information. Until then, Wells Fargo had stayed away from the Internet, not wanting to expose its assets or client-confidentiality to a hacker.

The bank jumped onto the public electr onic highway only after it felt that technology had developed to the point that its internal, business networks could be safe. To insulate its networks against outside intruders, the 17,400-employee bank installed Screening External Access Link (Seal), an Internet protection program developed by Digital Equipment Corp. "We have a very secure firewall that prohibits outsiders from getting into the bank's internal network," says William Finkelstein, VP and manager in charge of direct access financial services for the bank.

Wells Fargo may be typical of many businesses. As more companies link their business client-server and legacy information systems (IS) with customers, potential clients, suppliers, and researchers, the need for some form of security grows.

Indeed, an InformationWeek /Advantage Business Research survey of top IS executives last November found that three-quarters of all large businesses have installed or plan to install an Internet server. And a similar survey conducted by Forrester Research Inc., a technology consultancy in Cambridge, Mass., in October showed that two of three large companies already had some kind of Internet connection, says Jay Batson, the senior analyst of network strategy at Forrester, "Everyone surveyed was concerned about security, mostly about hacker penetration." As a result, businesses are turning to firewalls, a set of components and software that lies between a local area network (LAN) and the Internet. For related story on secure transactions online click here

A firewall can be as simple as a programmable router that accepts traffic only from certain addresses. Or it may be as complex as a three-computer gateway where one internal computer accesses the corporate network, another machine communicates with the Internet, and a third receives, screens, and retransmits data between PCs.

Dealing With Danger
Why do so many businesses want a firewall? They find that once an Internet link is open ed to the outside world, it can allow curious outsiders, hackers, and corporate spies access to corporate networks. Certain applications, especially some newer programs that may have undetected flaws in their code, offer ripe opportunities for mischief makers.

There have been break-ins in the networks of large organizations ranging from NASA to NATO. The Thanksgiving weekend penetration of General Electric Co.'s systems , which ironically had a firewall installed, caused the consumer products manufacturer a fair measure of embarrassment. Since the break-in, GE has declined to say how it has improved its protection technology.

Small businesses also are pondering ways to protect themselves from the unknown. Arztec Computer Resources Inc. , a Kansas City, Kan., computer-parts broker with a staff of six, recently opened an Internet home page on a leased World Wide Web server.

It wasn't long before CEO Chris Derrington was conducting new business with buyers in South Africa and Australia. Now Derrington wants to expand his Internet business with two or three more home pages so that customers can tie directly into his Novell NetWare LAN. But first, he wants a firewall to protect Arztec from hackers.

Not every company operating a Web site needs a firewall. Some use public Web servers for marketing chores or to allow their customers to download software. Many of these servers have little or no connection with internal corporate systems.

Don Gooding, a research partner at Accel Partners, a Princeton, N.J., venture capital firm specializing in technology, placed Web pages on a commercial Internet service to separate public data physically and logically from the firm's private network.

Can't Afford To Lose
Firewall Security Corp. , a reseller in Monte Sereno, Calif., uses a Web server to hold marketing data and a questionnaire that Internet users can fill out. "We don' t keep anything on that machine that we can't afford to lose," says W.L. Kennedy, the company's technical director. Firewall Security finds it simpler and cheaper to leave the Web server relatively exposed and reload it if there's a problem rather than spend the money to create a high-security environment.

Harold Mann, principal of Mann Consulting, an ad placement agency in San Francisco, says many of his clients take the middle ground when it comes to security. Mann works with agencies that place advertisements on Web servers but shy away from interactive access. "They aren't ready to migrate to a system where suddenly they have to worry about security," says Mann.

But any company willing to allow interactive access to its internal systems must build firewalls. Rockwell Automation-Allen Bradley , the Milwaukee automation-tool subsidiary of Rockwell International Inc., uses the Internet to correspond with customers, send out software fixes, and communicate with offi ces in other countries. To protect its internal NetWare LANs, Allen Bradley relies on a router from Cisco Systems Inc. in Menlo Park, Calif., that is programmed with a list of addresses it will accept. "Security is certainly an issue," says Dave Heaster, a systems analyst at Allen Bradley. "But that should not turn you away from looking at new technologies."

Programmable routers average $3,000, a relatively low cost that's attractive to smaller companies. These companies use a router to act as a deterrent to casual intruders, much like a car owner buying a Club anti-theft device instead of installing an alarm system. But as the GE case demonstrates, firewalls have to grow stronger to battle sophisticated hackers who are becoming increasingly adept at tampering with corporate systems.

Digital's Seal system, which costs $25,000 or more for a package that includes hardware, software, and consulting, records who has logged on to a system, as well as who tried to log on but failed. The latter frequently is a warning sign of an attempted break-in.

"With logging, auditing, and sucker traps, we can tell the difference between the casual knock at the door and the person who is trying to probe maliciously," says Bill Pozerycki, a security consultant at Digital. Wells Fargo has alarmed its Seal system against break-ins. It continuously monitors suspicious activity and frequently tests the effectiveness of the firewall. Says VP Finkelstein, "The Internet is a public place, and like any public place, it has people with whom you may not want to associate. But that doesn't reduce the value of the public place as a place to do business."

Identifying Users
Reed Elsevier Plc., the Anglo-Dutch company that bought the Lexis and Nexis databases from Mead Data Central, now counts 656,000 users of its legal and news information resources. As the databases' new owner, Reed Elsevier produces, protects, and sells data. It also must market to information buyers and communicate with off-site consultants--al l without losing control or integrity of its inventory. Many Lexis and Nexis users access data through the Internet, says Rick Bellingar, a security analyst at the company.

So Reed Elsevier had installed an Interlock firewall, manufactured by Advanced Network &Services Inc., an Elmsford, N.Y., company acquired by America Online last November. "We wanted a firewall that allowed us to do highly secure identification and authentication," says Bellingar.

Interlock lets Reed Elsevier define where users can come from and what kinds of interactive sessions they're allowed to initiate. It requires a battery-powered, credit-card-sized device that generates a new password every 60 seconds. "We're protecting internal networks-development, production, testing, certification--the entire range of business functions," explains Bellingar.

Cincom Systems Inc., the manufacturing-sector software developer in Cincinnati, uses a packet-filtering router sold by Morning Star Technologies Inc. in Columbus, Ohio.

The router picks up and authenticates Internet traffic bound for the internal network, including communications from company offices in Boston, St. Louis, and Japan.

But marketing materials and software upgrades are kept on a separate, publicly accessible Web site that permits access by anyone from anywhere in the world. Since software patches and upgrades are worthless without the main program, the company doesn't protect them with a firewall.

"We are using the Internet as our own private, wide area network," says Kevin Scalf, senior network communications analyst at Cincom. "The best thing for those thinking of getting on the Internet is to read a lot and find out what you are willing to risk. If you're very careful and take the time to understand filtering, you can be relatively safe. But the only way to be 100% secure is to not be connected at all--and then you miss out."

Part Of The Solution
Installing a firewall is only part of a business security solution, warns Marcus Ranem, senior scientist at Trusted Information Systems Inc. in Glenwood, Md., a security consultancy and firewall provider.

If a company restricts access with a firewall, it should require passwords on its internal servers as well. It also should monitor the system regularly to look for unauthorized modems that can compromise the network.

No one should avoid the security question. A company that bans employee access to the Internet can still get burned, Ranem warns. Enterprising workers can always sign up with an online provider anyway and make their own direct connections. Says Ranem, "Do it right or someone will do it wrong for you."

Adds Digital's Pozerycki, "Companies understand that if their competitors are online and are instantaneously global, they have to be online as well."

That may be true, but they had better be well-protected before they plant a stake in cyberspace.

Comments on this story?