It is interesting to note that electronic computers came into being for the purpose of stealing data. Alan Turing's Enigma machine, recognised as the first electronic computer, was used to crack the German Navy's encryption codes during WWII. It's hardly surprising then that computers should present a potential threat to data security today.
The prospect of emerging electronic commerce has left businesses on the horns of a dilemma - trade over the Internet and risk attack from hackers and data thieves, or continue to trade by conventional means and lose competitive advantage to more technologically minded entrepreneurs.
Research shows that the business community is aware of the Internet's insecurity but is uncertain what to do about it. James Tarin, director of strategy at new media consultancy firm Clarity Communications, deals with enterprises like Fujitsu and NatWest and finds they are no less scared than small business owners. "Everyone is worried about the dangers the Internet presents to their intellectual property," he says.
A recent survey of the top 3,000 UK businesses by Internet consultancy firm JCP shows that 77 per cent of the businesses surveyed are concerned about the security of electronic payment over the Internet, but fewer than 15 per cent are familiar with the existence of industry standard approaches to security.
Before these standard Internet security systems are discussed, it's worth considering what on the network needs to be protected. For most businesses, the first thing that springs to mind is confidential or proprietary data (trade secrets) which may include research and development on a new product, or, internally, personnel files and salary data. Anyone with access to this information can sell it to competitors who will use it to steal a product development lead or poach key staff.
Second, the business is at risk from individuals who disrupt the service of the network, whether intentionally or not. The unintentional kind may accidentally introduce a virus into the network which will lock up a PC or server. The intentional kind may bombard a server with incoming messages or connection requests that lock it up by occupying the processor, rendering the hardware useless.
Finally and probably most importantly for anyone thinking of using the Internet for trade, electronic transactions of all kinds are vulnerable to interception and corruption. Not only are financial transactions at risk, it's quite possible to analyse the patterns of a company's incoming and outgoing email traffic and use the information to predict future alliances, mergers, takeovers and contract wins.
HARK, WHO GOES THERE?
Various security technologies have been developed to protect these resources. One of the simplest, oldest and most technologically mature lines of defence is the firewall. Like all acronyms in the IT world, the term firewall barely describes its function. It might be more useful to consider the firewall as the gatehouse of a mediaeval town. The town is enclosed from the outside world by a wall which protects it from plagues and hordes of barbarians who want to rush in and sack the town. However, the town needs contact with the outside world so it can trade manufactured goods with other towns, and to hear news about the region.
The network, then, is similarly protected from the potentially hostile Internet by a firewall gateway which permits or denies access depending on the nature of the traffic wanting to get through.
There are two basic types of firewall: network level and application level. The most basic level of Internet security, the packet filter, works at the network level. It can also be the cheapest because it comprises an edge router, one of the most basic building blocks of the network. All that is required to turn one into a firewall is to configure it to accept or deny certain types of communications.
Information is presented to the router in units of data called packets. Each packet starts with information on its source and intended destination. The packet filter will accept or deny the traffic, depending on how it has been configured to react to that information.
Although relatively cheap and cheerful, packet filters are not very sophisticated. A list of ports and addresses has to be set up which states who can be admitted and who must be denied, rather like a sentry who follows orders to the letter and makes no allowance for context. Packet filters do not take much notice of what the packet contains, only the addressing information. They are also easily spoofed, that is to say, an experienced hacker can disguise the true source and the destination of a packet.
A more common problem is that filter tables are difficult and time-consuming to set up, and some services, such as FTP, DNS and X, are not handled well, since they often require an incoming call from an unknown host, which the filter blocks. Other services, such as those used by mobile users, use random port numbers and so cannot be listed in the filter tables. These last two drawbacks seriously impede a company's ability to maintain customer services and carry out electronic commerce over the Internet.
A more sophisticated version of this type of router-based firewall has traffic routed to a bastion host, a server within the network that is armed with all sorts of software security devices; encryption keys to ensure the content has not been viewed in transit; electronic signature checking to ensure the content is legitimate; and hash functions to ensure the content has not been intercepted or corrupted by a third party.
The bastion host acts like a captain standing behind the sentry, stopping any undesirables the sentry lets through. The bastion host can also be used in intranets to prevent unauthorised network users stumbling over or corrupting sensitive internal data.
The next step up from the network level firewall is the application level. These are servers placed between the edge of the network and the Internet and act as a sort of quarantine. Information does not pass through the firewall, as with the packet filter, but is stored and collected from the other side. There are many advantages to this sort of architecture, termed a proxy server. Elaborate logging and auditing of traffic passing through can be conducted.
Application-level firewalls can also be used as network address translators, masking the true addresses of the nodes inside the network. This makes it more difficult for hackers to spoof themselves inside the network. Application-level firewalls can also be used to segregate sensitive areas of the intranet so that sales cannot get into accounting's raw data, but management can.
Application-level firewalling is expensive because a separate proxy must be set up for each application, for instance Internet access, email and telnet sessions. It may, depending on the sophistication of the firewall, affect the performance of the network.
State watching (sometimes called stateful inspection) firewalls have emerged as another method for restricting unauthorised access to the network. The method is based on analysing the patterns of traffic passing through the gateway and so represents an instance where firewalls are becoming more like network management tools. These firewalls watch packets, like a network level firewall, but take the additional step of associating computer operating system ports with the connections the packets cause. When a connection closes, the firewall blocks access to the closed port until it is opened again in an approved manner. This added check can stop a hacker from capturing a port by getting around the operating system's safeguards.
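To make the difference between the two approaches concrete, here is an added example (written for this article, not code from any vendor's product) that models a stateless packet filter beside a stateful one and runs the same two constructed traces through each: an ordinary outbound HTTP connection, and an active-mode FTP session where the server calls back in from an unknown port. All addresses, ports and rule tables are constructed assumptions. The stateless filter either blocks the legitimate return traffic or, if the table opens the high ports so that replies get through, also admits an unsolicited probe to the same port; the stateful filter admits only packets that answer a connection the inside opened and forgets the connection when it closes, so the late packet and the probe are both refused. Neither filter, without FTP-specific help, lets the FTP data channel in, which is the drawback the text describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a filter looks at (constructed model, not a real packet)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection
    fin: bool = False   # the connection is closing


INTERNAL_PREFIX = "10.0.0."   # assumption: the protected network lives here


def direction(pkt):
    return "out" if pkt.src.startswith(INTERNAL_PREFIX) else "in"


class PacketFilter:
    """Stateless packet filter: a table of (direction, low_port, high_port) rules
    matched against the destination port, default deny."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        d = direction(pkt)
        for rule_dir, lo, hi in self.rules:
            if rule_dir == d and lo <= pkt.dport <= hi:
                return "allow"
        return "deny"


class StatefulFilter(PacketFilter):
    """Same rule table, but consulted only for NEW outbound connections.
    A connection table remembers what the inside opened; inbound packets are
    allowed only if they answer such a connection, and the entry is dropped
    when the connection closes (simplified: at the first FIN from either side)."""

    def __init__(self, rules):
        super().__init__(rules)
        self.connections = set()   # (inside_addr, inside_port, outside_addr, outside_port)

    def decide(self, pkt):
        if direction(pkt) == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.connections:
                if pkt.syn and super().decide(pkt) == "allow":
                    self.connections.add(key)
                    return "allow"
                return "deny"
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.connections:
                return "deny"
        if pkt.fin:
            self.connections.discard(key)   # port is closed again for outsiders
        return "allow"


# Constructed addresses and traces
CLIENT, SERVER, STRANGER = "10.0.0.7", "203.0.113.5", "198.51.100.9"

HTTP_TRACE = [
    ("client opens HTTP to server",    Packet(CLIENT, 40001, SERVER, 80, syn=True)),
    ("server replies",                 Packet(SERVER, 80, CLIENT, 40001)),
    ("server closes the connection",   Packet(SERVER, 80, CLIENT, 40001, fin=True)),
    ("late packet to the closed port", Packet(SERVER, 80, CLIENT, 40001)),
    ("stranger probes the same port",  Packet(STRANGER, 4444, CLIENT, 40001, syn=True)),
]

FTP_TRACE = [
    ("client opens FTP control channel", Packet(CLIENT, 40002, SERVER, 21, syn=True)),
    ("server opens data channel back",   Packet(SERVER, 20, CLIENT, 40003, syn=True)),
]


def run(fw, trace):
    """Feed a trace through a filter and return the decision for each packet."""
    return [fw.decide(pkt) for _, pkt in trace]


def compare():
    """Decisions of three filter configurations on both traces (fresh filter per trace)."""
    rules = [("out", 80, 80), ("out", 21, 21)]
    permissive = rules + [("in", 1024, 65535)]   # "let replies in" by opening every high port
    configs = {
        "strict stateless":     lambda: PacketFilter(rules),
        "permissive stateless": lambda: PacketFilter(permissive),
        "stateful":             lambda: StatefulFilter(rules),
    }
    return {name: {"http": run(make(), HTTP_TRACE), "ftp": run(make(), FTP_TRACE)}
            for name, make in configs.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for (label, _), decision in zip(HTTP_TRACE + FTP_TRACE, result["http"] + result["ftp"]):
            print(f"  {decision:5}  {label}")
```

The interesting rows are the last two of the HTTP trace: the strict table denies the reply along with everything else, the permissive table allows the stranger's probe along with everything else, and only the stateful filter tells the two apart.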
The patent for this technology was awarded to Check Point Software last March, although many other vendors have also integrated it into their product ranges.
Setting up a firewall can be a time-consuming job. One of the latest marketing ploys addresses the problem with preloaded firewalls. Check Point Software bundles a version of its FireWall-1 product with AST servers running Windows NT. Data General has also produced a form of preloaded Internet security in its Secure Internet Server, a bastion host based on an Aviion server with a Clariion Raid disk subsystem.
The security systems have been built into the Unix OS at kernel level to give the operating system more discretion when giving out access privileges. The whole thing costs under £27,000.
Built-in packet filters are also available, like Sun's Firewall First packet filter, built into its Netra Internet server. Firewall First also works as a simple application-level firewall: FTP, Telnet, HTTP and email are automatically screened, and a fifth service can be chosen manually.
Any of the five services can be enabled or disabled.
The next frontier for data security is the potential threat of Java and ActiveX applets, because they carry their own executable code when they enter the network. These technologies have the potential to cause mischief and many network administrators are considering a ban on their use. Such interdiction can only occur at the application level, through the use of an application proxy configured to recognise these applets in the datastream. Seattle Software's WatchGuard is the first to include Java and ActiveX filters. The company has introduced a competitive pricing plan for WatchGuard products with an entry-level of about £3,000.
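As an added illustration of what such an application proxy does with the datastream (example code written for this discussion, not WatchGuard's or any other vendor's implementation), the following Python filter parses an HTML response with the standard library's html.parser, drops the `<applet>`, `<object>` and `<embed>` elements together with their contents, and returns the cleaned page plus a record of each element removed, which is what the proxy would write to its log. The sample page, the element list and the function names are all constructed for the example.

```python
from html.parser import HTMLParser

# Elements that carry Java applets or ActiveX controls into the browser (assumption:
# a coarse list; a production proxy would also look at type/classid attributes)
BLOCKED_TAGS = {"applet", "object", "embed"}


class AppletStripper(HTMLParser):
    """Re-emits an HTML document without applet/ActiveX elements or their contents,
    recording what was removed so the proxy can log it."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # pass entities through as written
        self.out = []        # fragments of the cleaned document
        self.depth = 0       # > 0 while inside a blocked element
        self.removed = []    # (tag, attributes) of each element dropped

    def _emit(self, text):
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            if self.depth == 0:
                self.removed.append((tag, dict(attrs)))
            self.depth += 1          # nested <param> tags etc. are swallowed too
        else:
            self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:      # self-closing form, e.g. <embed ... />
            if self.depth == 0:
                self.removed.append((tag, dict(attrs)))
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            if self.depth > 0:
                self.depth -= 1
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def filter_html(body):
    """Return (cleaned_html, removed_elements) for one text/html response body."""
    parser = AppletStripper()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample response body containing one applet and one ActiveX object
SAMPLE_PAGE = (
    '<html><body><p>Hello</p>'
    '<applet code="Foo.class" width="10"><param name="x" value="1">no java</applet>'
    '<object classid="clsid:ABC"><param name="y" value="2"></object>'
    '<p>Bye &amp; go</p></body></html>'
)


if __name__ == "__main__":
    cleaned, removed = filter_html(SAMPLE_PAGE)
    print(cleaned)
    for tag, attrs in removed:
        print(f"removed <{tag}> {attrs}")
```

A proxy would apply this only to responses whose Content-Type is text/html and would still need to block the applet class files and ActiveX binaries themselves by type, since a tag filter on the page is only one layer; the point of the example is the per-application inspection that a packet filter cannot do.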
The level of protection to the network that a firewall can provide without impacting on its performance and flexibility is improving all the time, but it's a mistake to pin all one's security hopes on one defence. Because firewalls sit at the edge of the network, they cannot cope with security leaks from within.
Viruses are one threat that firewalls cannot secure against, because many viruses are caught from infected floppy disks. A company's modem pool is another point of entry that the firewall cannot check.
Tarin advises on a broad strategic approach to electronic security. One thing that firewalls will never be able to prevent, he explains, is trusted users abusing their network access privileges or even unwittingly passing them on. All employees must be made aware that the integrity of the network depends on them keeping a close guard on their own access codes.
IT'S BETTER TO BE SAFE THAN SORRY
Companies tend to forget, Tarin explains, about access privileges that are given to temporary workers who are only with the company for a short time. He advocates a continual and regular removal of old access codes, user names and IP addresses. "A comprehensive security programme requires these sorts of considerations to be budgeted into the investment in money and man-hours allotted at the outset," says Tarin.
He acknowledges that as security systems improve, so does the ability of hackers to crack them. He cites the instance of the widely used DES encryption standard, used to ensure the privacy of email, being cracked by a hacker with a 486 PC using borrowed computing power through a Java applet. "There's no such thing as total security. The rewards of investing in sophisticated security are balanced by the hacker's efforts to gain access to your systems," he says.
The more complex your security systems, the greater the likelihood that only the most talented and determined hackers will brick your systems. The rest will simply give up and turn to a less well-protected site.
Julian Goldsmith is a freelance journalist.