InformationWeek: The Business Value of Technology

InformationWeek.com September 25, 2000

Is 'Always On' Worth Being 'Always Exposed?'

continued...page 2 of 3

    That was unacceptable. "The network is critical to us," Spath says. "We run all our sales reports off a single computer at our main site, so when we had the opportunity to switch to a DSL virtual private network, we did."

    Shakespeare hired Public Access Network Corp., a New York network services firm known as Panix, to install and manage its DSL connections. Panix installed R7100 SDSL routers from Netopia Inc., which cost $400 to $900, as the basic building blocks of an SDSL (single-pair DSL) VPN. The routers are equipped with built-in firewalls that provide the first line of defense against hackers. Users can also set up Network Address Translation through their routers. NAT is a method of spoofing hackers by using a published IP address on the Internet and a different one internally. A hacker who tries to compromise the system through its published IP address comes up empty.

    Shakespeare opted for firewalls and a relatively closed system with a limited area of exposure to the outside world. Even Shakespeare's choice of mail-server hardware--a Macintosh--had security in mind. Security experts say that Macs are less open and tougher to crack than PCs that run the Windows operating system. The mail server also faces inward--it serves only the company's employees.

    "As long as you configure it correctly, a firewall provides a lot of protection. We aren't offering any exotic services like File Transfer Protocol," says Bill Kurland, another co-owner of Shakespeare. "We're only getting mail and Internet access from the outside, so it's tough to break in."

    Services that use FTP, Simple Mail Transfer Protocol (SMTP), and protocols such as NetBIOS can be areas of vulnerability for companies of any size. With the emergence of services-laden operating systems such as Windows NT and 2000, many companies find themselves open to compromise.

    "Services are usually what gets exploited by hackers. The default, out-of-the-box install for Windows NT and 2000 offers too many services to be considered safe," says Todd Waskelis, VP of managed security services for NetSec, a computer security firm in Herndon, Va. "Services such as NetBIOS--where another machine can easily connect to your machine and retrieve information such as user names--need to be adjusted. Keeping too many services open makes you vulnerable."

    The solution, Waskelis says, is to turn off the services that aren't in use and configure the system to resist attempts to exploit services that are open and in use. And technology managers should institute rules and policies on all machines to restrict access in and out of certain ports on the machines. The process is called "locking down" the network, and it requires not only a fairly intimate knowledge of the potential vulnerabilities of the network but also a good working knowledge of the operating system and IP.
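
Locking down starts with knowing what is actually listening. The following is an added example, not code from the article or from any firm it quotes: it parses `netstat -an` output and reports reachable listeners that are not on an approved list, labelling the FTP, SMTP and NetBIOS ports named above. The sample output, the allowlist policy and the function names are constructed assumptions.

```python
import re

# Well-known ports for the services the article names as exposure points.
RISKY_PORTS = {
    21: "FTP", 25: "SMTP",
    137: "NetBIOS name service", 138: "NetBIOS datagram", 139: "NetBIOS session",
}

# Constructed sample of `netstat -an` output (documentation addresses, not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1040        198.51.100.7:80        ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Yield (proto, address, port) for sockets that accept traffic."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state = m.groups()
        # TCP must be LISTENING; UDP is connectionless, so a bound socket counts.
        if proto == "UDP" or state == "LISTENING":
            yield proto, addr, int(port)

def audit(netstat_text, allowed):
    """Return (proto, addr, port, label) for listeners not on the allowlist."""
    findings = []
    for proto, addr, port in listeners(netstat_text):
        if addr.startswith("127.") or (proto, port) in allowed:
            continue  # loopback-only, or explicitly approved by policy
        findings.append((proto, addr, port, RISKY_PORTS.get(port, "unlisted service")))
    return findings

if __name__ == "__main__":
    # Hypothetical policy: only the mail service is approved on this host.
    for finding in audit(SAMPLE_NETSTAT, allowed={("TCP", 25)}):
        print("%s %s:%d  %s" % finding)
```

Each finding is a candidate for either disabling the service or adding an explicit, justified allowlist entry and a matching firewall rule.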

    For small companies, that may require the hiring of outside experts such as NetSec and Panix. For large companies, it may require the hiring or the training of an in-house expert. Security is a moving target, so what passes as locked-down security today could be an open invitation to a hacker tomorrow.

    "Renaming accounts using a password schema that's very difficult to crack is another good defense mechanism. Firewalls are only as good as the person implementing them," says Waskelis. "You have to stay on top of everything. There are a lot of devices and software you can load on your machine, but it can't be a 'fire-and-forget' kind of mentality."

    It's the "always-on" vulnerability of DSL that prompted 107-year-old brokerage firm Scott & Stringfellow Inc. to bring a security expert, Predictive Systems, into the earliest planning stages of its recent Web effort. For reasons of privacy and control, the company decided to host its own Web site; many companies outsource that function.

    Scott & Stringfellow's clients are wealthy and require timely attention from a broker. Unlike Shakespeare, which closed its system as much as possible, the brokerage has an open, distributed system because many of its brokers work remotely.

    "We felt that we could deepen the adviser-client relationships through the Web," says Rob Brown, senior VP of business development at Scott & Stringfellow. "But we felt that we should keep full control of the platform because of the nature of our business and the requirements of our clients."


    Illustration by James Yang
