Chapter 12

Overview of an Intranet Security System


If you think that you're completely safe from external threats, think again. Consider this: A government study found that the United States Pentagon's computers are attacked by hackers some 250,000 times a year-and that about 160,000 of those times the attacks are successful. In the successful attacks, data and software are read, stolen, modified, or destroyed. The attacks have cost the government hundreds of millions of dollars.

If the Pentagon can be broken into, so can you. Intranets are vulnerable because of the openness of Internet technology. Look at it this way: There's a door between your intranet and the Internet that lets people inside an intranet go out onto the Internet to get information. That same door can let intruders from the Internet into your intranet.

In addition to unauthorized external access that leads to attacks and theft, there are other security issues to worry about. It's not just people from outside the intranet who can pose security risks. People within the corporation on the intranet can pose problems as well. There is data within a company that requires restricted access, such as personnel records. Malicious mischief is not restricted only to people outside a company.

Computer viruses can be brought in to the intranet with an innocent looking program picked up on the Internet. It can then infect the other computers on the intranet, damaging millions of dollars worth of hardware and software.

There are ways to combat these problems. Any intranet needs to have a comprehensive security system in place. In addition to considering the nature of the threats that require defensive measures, you must evaluate factors such as the size of the intranet and/or company, the value or confidentiality of the data, and how important an uninterrupted, operational intranet is to the company. Technology changes all the time, so the system needs to be constantly monitored and updated.

Security systems are generically referred to as firewalls. Firewalls are hardware/software combinations that allow people from inside an intranet to access data on the Internet, but keep intruders from getting onto the intranet. In fact, firewalls are only one part of a comprehensive intranet security system.

Routers play a major role in firewalls-and are important in any security system. Routers are the technology that lets people on the intranet connect to the Internet, and allows data from the Internet to get to users on the intranet. Because all data going to and from the Internet passes through routers, they're a logical place to put security measures. A variety of security measures can be used in concert with routers. The primary one is called filtering and is accomplished by filtering routers. What filtering routers do is quite simple. They examine every packet coming into and going out of an intranet. Based on a set of rules that a system administrator has established, the router will let some packets in (pass) and will keep other packets out (drop). For example, packets coming from specific users or specific networks can be blocked. Access to entire Internet resources, such as FTP, can be blocked if, for example, a system administrator fears a virus infection if file transfers were allowed.

Proxy servers are another important tool in the fight for intranet security. They allow people on an intranet to get to Internet resources, but the proxy servers act as a kind of go-between. In a system set up with a proxy server, this process can be invisible to the user making the request. The proxy server evaluates the request against an authorization database, and if the request is acceptable, the proxy contacts the Internet. The returning page also passes through the proxy server from the Internet and passes it to the person who requested it. In this way, the proxy server can keep a record of all transactions, and provides a trail to track any kind of attacks. Additionally, the proxy server can be used as a way to keep the intranet shielded from the Internet, because the only IP address going out to the Internet is that of the proxy server, so anyone trying to capture IP addresses for a spoofing attack (pretending to be a legitimate client) can't "see" the originating IP addresses.

Another kind of server important for intranet security is a bastion server. A bastion server is configured especially to resist attacks. Frequently, it is put on its own subnetwork, known as a perimeter network. That way, if the bastion server is attacked and broken into, the intranet is still shielded-the only part compromised is the bastion server.

Encryption and authentication systems are used to prevent unauthorized access to an intranet. Encryption can be used to protect data and passwords. Encryption depends on the use of secret and/or public keys. User names and passwords can be compromised fairly easily, allowing someone to masquerade as a legitimate user. Authentication systems expand on the basic "something you know" security provided by passwords to one that checks that there is "something you have" that is uniquely in your possession, a token of some sort. Encrypted digital signatures are created with keys that also are uniquely in your possession so they can't be altered without such tampering being discovered. Encrypted digital signatures help authenticate the sender of a message and protect against message tampering.

Viruses are a major concern to anyone running an intranet. While the threat of viruses is undoubtedly overblown by the news media, the truth is that viruses are a problem and a potential danger. One way to solve the problem is to use traditional virus scanning and eradication software. This software runs on each user's computer, and allows people to check their computers for viruses, and to kill the virus if at all possible. But doing things that way depends on each user actually running the most up-to-date virus checkers, which doesn't always happen. A better solution is to run virus-checking software specifically designed for intranets. It runs on a server, and as files are sent to the intranet it checks them for viruses. If they're virus-free, it lets them through. If they appear to contain viruses, it blocks them.

There is software that can block users from accessing objectionable sites, such as sites with violent or sexual content. On an intranet a server-based software that does this examines outgoing requests, such as the URL name and words contained in the header of the file. The software has a database of objectionable URLs and objectionable words. When it comes across a site that has an objectionable URL or objectionable word, it won't allow that request to be sent. It will also inform the user that the site is blocked. Since there are so many sites on the Internet, and so many more new ones being created each day, the database can be updated monthly. That way, even new sites will be blocked.

Traffic monitoring is another method to maintain a secure intranet. This is software that sits on a server, and monitors all traffic between the Internet and the intranet. It can also monitor all traffic on the intranet itself. The intranet administrator can set rules and decide what kind of traffic to track. The nature of the traffic is the area of concern when trying to assure yourself that only authorized users and services are involved.

Overview of an Intranet Security System

Any intranet is vulnerable to attack by people intent on destruction or on stealing corporate data. The open nature of the Internet and TCP/IP protocols expose a corporation to attack. Intranets require a variety of security measures, including hardware and software combinations that provide control of traffic; encryption and passwords to validate users; and software tools to prevent and cure viruses, block objectionable sites, and monitor traffic.