It is entirely possible that the Internet represents the single largest
explosion of new communications technology in decades. It is a vital and
growing network that is changing the way we do business. It is a new medium of
communication with an audience potential that matches or exceeds that of
television or radio. The appeal of this medium includes it’s an interactive
capability, it’s openness and it’s relative ease of use. Unfortunately, these
same qualities make it susceptible to fraud, theft, and vandalism. The Internet
simply was not designed to be a secure environment. Today’s Internet security
threats range from curious prowlers to well organized, well-equipped intruders
who seek to gain access to private information or maliciously disrupt your
organization’s communications and computer systems. As the Internet grows, so
do the threats from intruders.
Table of Contents
Who is at risk?
Any individual or organization that connects to the Internet is at risk. For
individuals, the risk is generally limited to the threat of downloading virus
infected files or, in extremely rare cases, visiting sites that contain
malicious executable programs or “applets”. There is also the threat of
credit card fraud if you make credit card purchases to Internet sites that do
not provide “secure transactions”, a form of encryption. For the individual,
the threat of loss might be linked most closely to the number of files
downloaded from the Internet. Lesser threats include Internet-based
“stalking”, remote access to your PC data and fraudulent use of your identity.
For the business, it’s an entirely different story. Unlike a personal PC in a
home, there is typically information on a business computer network that has
some value in some (open, gray or black) market. In any business, assets that
are not properly protected are at risk of being stolen. This rule holds true
on the Internet as well. For every major Internet break-in incident, you may
see on TV or read in the paper, there are thousands that don’t get press and
thousands more that simply aren’t reported or even detected. These intrusions
range from pranks like vandalizing the CIA home page, to thefts of data such as
credit card information, to the placement and execution of malicious programs,
like those designed to shut-down Microsoft’s web sites or the *entire*
Internet Domain Naming System. These major attacks could cost millions, even
billions of dollars in lost data, sales or productivity.
Specific examples of the methods intruders use to gain access to business
systems connected to the Internet include:
Vulnerable TCP/IP services
A number of TCP/IP services are not secure and can be compromised by
knowledgeable intruders. FTP, telnet, sendmail, sockets, network management
protocols and rlogin are all potentially vulnerable. Although most of the
products provided by major system producers are stable, some TCP/IP
shareware/freeware applications have known access “holes”.
The majority of Internet traffic is unencrypted. E-mail, passwords, file
transfers, even video and audio feeds can be monitored and captured using
readily available software.
Spoofing is a technique used to fool network equipment into believing that the
request for communications is coming from someplace other than it’s actual
source. It is the single most commonly used method to aid in unauthorized
access to host computer systems. In TCP/IP, the source of a data packet is
attached to the packet in the form of the sender’s IP address. Many network
routing protocols simply check this address to validate the source. Using a
combination of techniques, it is possible to fool a system into believing that
a packet is coming from a trusted system within the business’s LAN when in
reality the packet is coming from a remote computer well outside the
organization’s LAN. (For example, some Internet sites will display your IP
address on the screen to let you know they “know who you are”. If you use
dial-up networking and change the last three digits in your IP address,
chances are about even that you will still get access to these Internet sites,
but the sites you connect to will think you are somebody else!)
Flawed LAN Services and Mutually Trusting Hosts
Many network and host management systems like Network Information Services
(NIS) and Network Files Systems (NFS) rely on the use of centrally located
security lists and password files. If one host on these shared systems is
compromised, then all of the data available to it on the other systems is also
compromised. This same principle applies to “trusted hosts” a system where a
user logged in to one system can Telnet to another system and not need a
password because anything coming from the source system is trusted as being
Complex Configuration, Controls and Operating Systems
Host system access controls are getting increasingly complex and difficult to
test. With this increase in complexity comes an increased likelihood that some
access hole will be unchecked and left open for potential invasion. Some of
these holes are simple. For example, many network administrators do not
realize that if you can Telnet to a network device like a router, you can
Telnet to it from *all access points*, including the Internet, unless it is
configured to prevent this. As a result, thousands of routers attached to the
Internet are vulnerable to attack. This complication extends to operating
systems, as well. An inexperienced system administrator could leave critical
files available to anyone who accesses those systems. (For example, a poorly
configured web server may provide a simple method for intruders to get copies
of the system’s key files like /etc/password, /etc/hosts and /etc/hosts.equiv
which could allow the intruder access to all other systems in that company’s
LAN. For example, use an Internet search engine to find /etc/password and you
might actually find some company’s *actual password file*!!)
Lack of multiple-host Security Features
As the number of hosts within an organization increases, the probability that a
single host is not configured properly increases. Management of a single host
is demanding. Management of many systems could easily result in mistakes. In
addition, if a bug or error that would make a machine vulnerable is found, it
would take an extended period of time to correct the mistake on all systems and
verify that the fix has been implemented properly. There is simply no secure
way to manage multiple systems effectively without running into some of the
problems mention in the paragraphs above.
How vulnerable are Internet sites?
Any organization that is attached to the Internet is vulnerable to some level
of attack by intruders. The level of risk is associated with several factors
including the number of systems at the site, the types of TCP/IP services used,
the operating systems involved, the number and type of connections to the
Internet and between each system in the network, the site’s profile, popularity
or (as in the CIA) prizeworthyness and the site’s preparation in defense of
What are the solutions?
For the individual, the solution is to be alert and cautious. Don’t include
personal information in your e-mail signature, don’t use or divulge your real
or user name or any personal information in chats, be sure to use only secure
transactions for purchases (both Netscape and Internet Explorer tell you when
you are using a secure transaction) or use a proxy charge company that
eliminates the need to pass credit card information across the Internet, use an
active (always loaded into memory) virus checker and try to download executable
files only from “respectable” sites. To prevent remote access to your PC in
Windows ’95, turn off file and resource sharing before connecting to the
For business, data security should be approached from a strategic perspective.
Security should be a consideration in the earliest stages of network
implementation, long before connection to the Internet. Sound system
administration practices are the cornerstone to tight security in any network.
Use a Firewall
A firewall is not just a computer or router, but an approach to security. It
is one of a number of key pieces in an organizations network access policy.
That policy is implemented by forcing connections to pass through the firewall.
A firewall provides a number of advantages to sites by helping to increase host
system security. These advantages include:
Protection from Vulnerable Services
A firewall is capable of filtering out protocols and services deemed to be
unnecessary or insecure. This reduces the risk of access via spoofing, flawed
TCP/IP services, trusted hosts NIS/NFS and other methods originating beyond the
Controlled Access to Hosts
A firewall can also control access to site systems. For example, some hosts
can be configured to only accept packets from other systems within the LAN
while other, less critical systems can be configured to permit access through
With the use of a firewall, the need for specialized host monitoring software
on the other systems in a LAN is minimized. Traffic logging and system access
requests can also be maintained on the firewall, saving valuable processor time
on the other systems for business applications.
A firewall is also capable of keeping information *inside* the LAN.
Information like domain names for specific systems need not be passed to an
Internet domain name server as long as the Internet DNS knows to send all
requests to the firewall. In other words, individual LAN IP addresses and
system names would only be maintained on the LAN, eliminating the possibility
of an intruder learning a LAN IP address.
As stated earlier, a firewall is a method to enforce network policy. Many of
the techniques used to enhance security can also be used to enforce policy.
Examples might include limiting access to certain key systems to the
organization’s users who may access the LAN via the Internet, prohibiting
access to restricted Internet sites, prohibiting the use of specific services
across the Internet such as FTP and reducing spam e-mail by adding common spam
sending sites to the firewall’ s “deny mail” list.
Issues and Problems with Firewalls
A firewall is not a cure-all for Internet access and security problems. Some
of the issues related to firewall security shortcomings include the following:
Restricted Access to Desirable Services
Users want access to be simple and all-encompassing. Users may “blame” the
firewall for restricting access to services like FTP, Telnet, NFS, etc.
Although these restrictions are commonly implemented in firewalls, they could
theoretically also be implemented on each of the organizations hosts if there
were no firewall in place. Network policy should determine what services are
available to users, whether a firewall exists or not.
Little protection from Internal and Back Door Attacks
Firewalls protect systems from intruders from outside the LAN, not inside.
Data on the host systems is not protected from employees who access these
systems from within the LAN. Similarly, direct access to hosts via dial-up
modem connections are equivalent to accessing the host directly via a terminal.
Care should be taken not to relax or overlook security for these types of host
A firewall has the potential to throttle access to and from the local systems.
Since the firewall software must analyze a great deal of data to determine if
that information is safe and permitted to be passed on, the throughput of that
system may be less than that of a high-speed router. This problem is not easy
to remedy, although it can be minimized by the selection of a system
appropriately sized to handle the throughput required.
The firewall system is itself potentially vulnerable. It represents a single
system containing a large percentage of your organization’s security “secrets”,
making it a prize for a potential intruder. To minimize this threat, it is a
good idea to keep advised of activities, enhancements and upgrades provided by
the firewall manufacturer or developer.
New Technology and Viruses
With the advent of new technology, there is always the possibility of new
methods for intruders to gain access to your systems. Web based executable
programs, such as Java, for example, are capable of transmitting helpful
information back to potential intruders. Macro viruses passed in mail
attachments are also capable of passing instructions to other programs on your
system. These processes are not recognized by firewalls alone, although a
comprehensive security policy, including a network virus checker, greatly
reduces the chance of invasion via virus type attacks.
Other Ways to Enhance Internet Security
Although a firewall may be the single most effective component in an
organization’s security plan, there are some other issues to consider.
Stay Current with Software Maintenance
In order to have access to the latest , most secure versions of your firewall
and host operating systems and software, you should maintain current software
service contracts with these vendors. It is common for attacks on systems
known to be vulnerable to increase dramatically within days of a
vulnerability’s discovery. If you find yourself in the unfortunate position
of owning one of these systems, it may take an extra few days to get the
necessary fix from the vendor if you are not already on a service contract.
This extra few days may be more than enough time for intruders to find and gain
access to your system.
Use Network Virus Software
As stated above, the only way to prevent damage via a virus is to run a virus
checker. The newer generations of network virus checkers are excellent at
providing protection to all users on a network.
Change Passwords Often or use additional Validation
Usernames and passwords usually pass across the Internet in an unencrypted
form. Users that access systems via the Internet should be forced to change
their passwords as often as possible to minimize the potential for unauthorized
use. Administrators may want to consider additional security methods like the
use of host/client encryption or an authentication key that forces the user to
enter in a calculated number in response to a request by the host system.
(These systems often include a special “black-box calculator” that generates
the desired number)
There are plenty of magazines, services and Internet sites that provide
regularly updated information on Internet intruder methods, weak or “cracked”
host programs, and potentially harmful applications and web sites. Run a
search for them, find one and stay abreast of events. Free magazine
subscriptions include Info-Security News, Network Computing, Web-Week, Internet
Week, PC Week, Info-Week and about a half dozen others.
Think like an Intruder
There is an incredible collection of publications and Internet sites that cater
to the potential intruder. These sites can be found easily using search
engines. There are also USENET groups that are often the first to post new
security holes found by intruders happily sharing their techniques. You should
also go to the local Borders and pick up a copy of any hacker magazine they
may have (2600 is an *excellent* example).
Go ahead, try to break in!
Once you are armed with some of the common intruder techniques, have searched
the Internet for helpful intruder information, picked up a magazine or two and
downloaded a password cracking program, you may as well try to break into your
system! (Be sure to get your System Administrator’s permission first!) This
is probably the single most enlightening thing you can do to determine just how
vulnerable your system is.
Although Internet use is growing rapidly, the threat of intrusion via the
Internet is a serious risk.
For an individual, the risk is relatively minor and some basic precautions may
be all that is necessary. For the organization, the risk of loss due to
invasion is significantly higher. Precautions include the development of a
comprehensive security policy which includes the use of a firewall, virus
software and sound system administration principles. A firewall is not a
panacea for Internet security protection, but one of many tools that can be
used to minimize the risk of unauthorized access to the organization’s
systems. It can only be effective when used in combination with other security
enhancing techniques, policies and procedures.