The Executive's Basic Guide to Intranets
6. What Type of Security Issues are Involved with an Intranet?
There are a number of security issues and risks associated with intranets.
Probably the two biggest security threats are unauthorized access (both from
outside the network and from within) to corporate assets, and the threat of
damage and loss through infection from a virus.
When you set up an intranet you are in essence, providing a "door" between your
intranet and the Internet that allows people inside the intranet to go out onto
the Internet to get information. That same door, if not properly secured, can
let intruders from the Internet into your intranet. This unauthorized external
access can and often does, lead to attacks on the network and theft.
Keep in mind that malice is not restricted only to people outside your company.
The other security threat comes from within your organization. Clearly, there
is data within a company that requires restricted access -- like personnel
records, sales databases, or financial information-- that need to be secured
from unauthorized internal access as well.
Any intranet needs to have a comprehensive security system in place. In
addition to considering the nature of the threats that require defensive
measures, you must evaluate factors such as the size of the intranet and/or
company, the value or confidentiality of the data, how critical an
uninterrupted, operational intranet is to the company, and what resources must
have restricted access.
Firewalls
The most common method of securing an intranet is through something called a
"firewall". Firewalls are hardware/software combinations that are configured to
determine what information can flow in and out of the intranet. Since all data
going to and from the Internet passes through routers, they play a major role
in firewalls. The most common is a filtering router which examines every packet
coming into and going out of an intranet. Based on a set of rules that a system
administrator has established, the router will let some packets in (pass) and
will keep other packets out (drop). For example, packets coming from specific
users or specific networks can be blocked. Access to entire Internet resources,
such as FTP, can be blocked as well. This is what is commonly known as "packet
filtering." Routers are intelligent enough to distinguish between data that
passes through its "in" and "out" ports so that even if an intruder were able
to get the correct information needed to fake a request and make it look like
it came from inside the firewall, the router can see that the request
originated from its "out" port and will know to reject it. Firewalls can also
be implemented internally between segments of your intranet to restrict and
monitor access to certain resources.
Proxy Servers
Proxy servers are another important tool used to maintain intranet security.
The proxy server, acting as a sort of go-between, is placed between the
intranet and the Internet. It evaluates all requests for information or
Internet services against an authorization database, and if the request is
acceptable, the proxy contacts the Internet. The returning page also passes
through the proxy server from the Internet and passes it on to the person who
requested it. In this way, the proxy server can keep a record of all
transactions, and provides a trail to track any kind of attacks. The proxy
server also shields the intranet from the Internet, because the only IP address
going out to the Internet is that of the proxy server. That way, anyone on the
outside trying to capture IP addresses for a spoofing attack (pretending to be
a legitimate client) can't "see" the originating IP addresses (i.e. because its
hidden inside the network).
Firewalls and proxy servers are an effective "barrier" method of controlling
what information can go in and out of an intranet, but they don't address the
issue of maintaining data integrity once the data is passed through (either
into the network or out on to the Internet) and they also don't address whether
the individual sending data is who they say they are. That is where encryption
and authentication systems come into play.
Encryption
Encryption is a sophisticated method of encoding or "scrambling" data in a way
that only the party for whom the message is intended can decode or unscramble
it. This is accomplished by something called public key cryptography which uses
key pairs -- separate mathematical "keys," a private and a public one -- to
encrypt and decrypt messages. With this methodology, an individual uses
software to generate a key pair, holds onto the "private" key (which presumably
is known only to that individual), and freely distributes the "public" key to
whomever they wish to transact business with (i.e. send secured information).
Any party holding the public key can send an encrypted message that can only be
decoded by that person's private key and vice versa. Each key is the inverse
function of the other; what one does, only the other can undo.
That way the integrity of the message is maintained (i.e. no one who attempts
to intercept the data in transit can actually get at the information unless
they have the private key to unlock it). For example, if you sign a transaction
with your bank using your private key, the bank can read it with your
corresponding public key and know that only you could have sent it. Likewise,
if your bank sends you a receipt signed with your public key, only you can read
it with your private key. This method allows each party to the transaction to
ensure that data is transmitted securely across a public network without fear
of being read by "prying eyes."
Authentication
While encryption is a very powerful method for securing data, by itself it is
not enough because it doesn't offer proof positive of the identity of the
sender. Nor does it verify whether or not information has been tampered with or
somehow altered in the transmission. Authentication adds another layer of
security and peace of mind by providing positive identification that the sender
of the information is indeed who he or she claims to be.
Basic authentication systems are the traditional password authorization systems
widely in use. However, in today's robust computing environment, more
sophisticated methods of authentication are necessary to ensure the integrity
of data and to eliminate or reduce the probability of fraud.
Digital signatures or Digital IDs bring this level of sophistication to the
arena. With a Digital ID, a public/private key pair (like the one described
above) is generated and bound to a user's name and other identifying
information by a trusted third party certification authority who issues the
Digital ID to the user. This ID can be enclosed in an encrypted message to
assure the recipient of the identity of the sender. It can also be installed in
a Web browser where it can be used in place of a password dialog for
information and services that require membership or restrict access to
particular users. Since the slightest change in a digitally signed document
will cause the digital signal verification process to fail, this method of
authentication also allows people to check the integrity of signed
documents.
Viruses
Since viruses are a major concern to anyone running an intranet, the best way
to deal with them is to run virus-checking software specifically designed for
intranets. It runs on a server, and as files are sent to the intranet it checks
them for viruses. If they're virus-free, it lets them through. If they appear
to conatin viruses, it blocks them.
|