InformationWeek

September 25, 2000

Printer ready

Is 'Always On' Worth Being 'Always Exposed?'

continued...page 3 of 3

More on Network Security:

Internet Week: NETWORK SECURITY (9/11/00)

Internet Week: Freaky-Why Is The Firewall So Leaky? (9/11/00)

Computer Reseller News: Information Alarm (9/11/00)

TechEncyclopedia:

Send Us Your Feedback

The brokers access the distributed Scott & Stringfellow network using DSL and cable modems. That, Brown says, provides a highway for hackers to try to access the company's resources.

"With dial-up, there isn't that overarching broadband vulnerability. With dial-up, you're on and off the network; you aren't sitting out there creating an attraction for hackers," says Marr of Predictive Systems. "Broadband is also efficient and cost-effective and companies employ it and protect themselves."

To protect itself, Scott & Stringfellow used standard measures such as firewalls and authentication. But the company also battle-hardened its network from the application level. Predictive Systems worked with the company that wrote the Web application for Scott & Stringfellow from the development stage.

"We worked side by side with the application developer so the application didn't have to be rewritten to accommodate security changes we suggested," says Art Spring, director of Predictive's banking division. "That cut the development time because there was a very strong element of security in the application."

Predictive worked to ensure that authentication was built into the application. In many cases, authentication--particularly public key infrastructure--can be skittish and misfire on client machines if the client, the application, and the operating system aren't built to accommodate PKI. A misfiring authentication system can be an open invitation to hackers.

Not every company needs to look outside for expertise. That's especially true for Comtelligence LLC in Garden Grove, Calif., a 15-person company that sells--and uses--DSL services.

Rob Brown Brown Caption "We're a technology company, but we're also a typical small business," says Don Reese, Comtelligence's manager of technical services. "For us, DSL made more sense than anything else because of the economics. We didn't have $1,200 a month to spend on a T1 line. We got enhanced DSL for $300 a month, and it's comparable to T1 on the download."

Comtelligence has two locations it needs to protect: its corporate offices and its computing and communications facilities at a data center owned by Qwest Communications International Inc. "We have a router installed with basic firewall technology. We've closed a lot of the ports that can make us vulnerable, and we limit the traffic entering our building," Reese says. "We're using the same principles and policies at our Qwest center."

Reese believes that most companies that use DSL can be adequately protected by a router-based firewall. But for companies with large, highly available, and highly vulnerable systems, he would recommend a more-complex firewall such as Check Point's Software Technologies Inc.'s Firewall-1, which starts at $2,995.

"The basic trick is to know what ports to keep open and which to close. It takes a good working knowledge of how IP works. There are 65,000 ports available under IP and each has some designated functionality," Reese says. "Hackers will try to attack through some unattended port or some broken security policy. Companies that had a window of exposure must now lock things down."

These tactics will become commonplace in the next few years as millions of businesses and consumers use DSL, but they require extra work and attention from network managers. The good news: There are programs and procedures to ward off the bad guys. The bad news: Network security is a moving target. Attack programs change, but because computers are connected around-the-clock, attacks can come at any time from anywhere.

"Service providers don't tell you the whole story," Marr says. "The best defense against attacks is a well-educated user."