Counter-intelligence: Tackling security issues head on


Johannesburg, 24 Aug 2005

Late last year, keynote speakers at the Etre Technology Conference in Cannes in Italy said that despite the huge number of IT security products and services cramming the market, businesses are more exposed than ever to emerging threats.

Wolfgang Held, a business technologist at 3Com SA, looks at the state of security in business today - a scant 12 months after the MyDoom virus spread panic and despondency through corridors of power throughout the world.

In any controlled business environment today there are many security risks and vulnerabilities - despite the best efforts of organisations to close the gaps, identify the loopholes and bar the doors against malicious intruders.

Company CEOs will be disappointed to learn that money spent on security systems will not guarantee the safety of their firm's intellectual property or protect its networks and other platforms from abuse.

They are aware of the bombardment their systems face on a daily basis from denial of service and hacker attacks, viruses, Trojans and other forms of assault.

But, most likely, they will be surprised to know that a significant percentage of all security breaches originate from within their organisations, from secret corners in anonymous offices, perpetrated by those whose intent is - at best - to cause disruption and - at worst - to steal valuable information and resources.

Internal security is often compromised unintentionally, by, for example, the addition of seemingly innocuous software systems introduced to a laptop computer by an enthusiastic Internet surfer.

These rogue systems are often illegal, unlicensed and have the potential to slow the corporate network by consuming valuable bandwidth.

Through their inappropriate use of corporate computing resources, the users of illegal software open the doors to potentially harmful intrusive systems, usually downloaded from porn and other inappropriate Web sites.

Access denied

The problem with tight security systems, be they physical, biometric or password-based, is their ability to limit the access of legitimate users to mission-critical information and resources at moments of urgency.

It's a well-known axiom that unless access is easy, productivity always suffers.

The fact is, the more "onion skin" layers of security used to envelope sensitive information, the more tedious it becomes for workers to perform their assigned tasks.

Nevertheless, it is important to establish (and publish) policies governing network access. This is particularly relevant in the case of wireless networks, where, in addition to traditional parameters such as firewalls, additional "micro-level" security should be implemented.

Security is not necessarily "rocket science". There are a host of common-sense policies, for example:

* Restrict network access from public terminals to only those applications that the user is authorised to run.
* Centralise data storage within the data centre and implement hardware and software based security solutions to protect this repository from both internal and external attack. The idea is to limit the number of opportunities those with malicious intent will have to strike.
* Strictly control access to this area, particularly intrusions from branch offices.
* Pay particular attention to Internet access and raise the alarm when unauthorised use of Internet bandwidth by anyone is detected.
* Be wary of situations in which the Internet is the primary link between branch offices and head office. While ideal for reducing wide area network (WAN) link costs, the Internet is open to abuse on a sizable scale.
* Emphasise the use of business-owned security devices and limit third-party leased devices as much as possible.
* Limit the private use of laptop PCs.
* Establish multiple security zones within the organisation with different levels of protection. This is particularly useful to contain threats to the corporate network.
* Ensure the concept of secure network zones is duplicated at senior executives' private home networks - so that they have a private gaming zone for entertainment and a secure business zone for work.
* Install firewall devices on these remote networks, using predetermined configuration settings from the corporate network.
* Make sure adequate encryption levels are maintained, along with the appropriate authentication mechanisms.
* Introduce the concept of management to network security, and virtualise private tunnels across the Internet when they cannot be avoided.
* Managed systems will help formalise and secure the introduction of software patches and updates - also prime carriers of viruses and Trojans.

It is important to realise that any security feature added to the network will introduce some element of latency and delays in transmissions. Systems should be implemented that do not reduce the performance of the network to the point where business-critical applications will fail.

Technology that is capable of maintaining this critical balance is key.

Technology rescue

Let's be clear, the average corporate-wide network, with its Ethernet cabling, random wireless access points, roving remote dial-in laptops, and virtual private network (VPN) tunnels, offers the determined miscreant many wide open "back doors" through which to enter.

In designing a "blanket" that promotes productivity as well as security, it is vital to adopt standards such as 802.1X, EAP (Extensible Authentication Protocol) and RADIUS technology to support active defence mechanisms.

For example, the use of IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys.

802.1X ties EAP to both the wired and wireless network media and supports multiple authentication methods, such as token cards, one-time passwords, certificates and public key authentication.

Initial 802.1X communication begins with an unauthenticated supplicant (a client device) attempting to connect with an authenticator (an 802.11 access point).

The access point responds by enabling a port for passing only EAP packets from the client to an authentication server located on the wired side of the access point.

Finally, the access point blocks all other traffic until the access point can verify the client's identity using a RADIUS (Remote Authentication Dial In User Service) authentication protocol-based server.

Once authenticated, the access point opens the client's port for other types of traffic.
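The port-based control described above is easiest to see as a small simulation. The following Python model is an added illustration, not code from the article or from 3Com: a supplicant, an authenticator (the access point) and a stand-in for the RADIUS server exchange EAP messages, and the authenticator's controlled port drops every non-EAP frame from a client until the server returns an accept. The frame types, the challenge-response check (an HMAC over a server nonce, standing in for a one-time-password method) and the sample credentials are all constructed for the example.

```python
"""Toy model of IEEE 802.1X port-based access control (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

EAPOL = "EAPOL"   # EAP over LAN: the only frame kind the uncontrolled port passes
DATA = "DATA"     # ordinary traffic, blocked until authentication succeeds


@dataclass
class Frame:
    kind: str                                   # EAPOL or DATA
    src: str                                    # client MAC (constructed)
    payload: dict = field(default_factory=dict)


class AuthServer:
    """Stand-in for the RADIUS server on the wired side of the access point.
    It knows a per-user secret and checks a response to its own challenge."""
    def __init__(self, users: dict[str, bytes]):
        self.users = users
        self.challenges: dict[str, bytes] = {}

    def challenge(self, identity: str) -> bytes:
        # A challenge is issued even for unknown identities so the exchange
        # does not reveal which usernames exist; verification fails later.
        nonce = secrets.token_bytes(16)
        self.challenges[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes) -> bool:
        secret = self.users.get(identity)
        nonce = self.challenges.pop(identity, None)
        if secret is None or nonce is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Authenticator:
    """Access point: keeps a controlled port per client MAC that only opens
    after the authentication server accepts the client."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.pending: dict[str, str] = {}      # MAC -> claimed identity
        self.authorized: set[str] = set()      # MACs whose port is open
        self.forwarded: list[Frame] = []       # data frames let onto the LAN
        self.dropped: list[Frame] = []         # data frames blocked at the port

    def receive(self, frame: Frame) -> Frame | None:
        """Handle one frame from a client; return the reply frame, if any."""
        if frame.kind != EAPOL:
            # Controlled port: pass data only for authenticated clients.
            (self.forwarded if frame.src in self.authorized else self.dropped).append(frame)
            return None
        kind = frame.payload.get("type")
        if kind == "start":                                  # EAPOL-Start
            return Frame(EAPOL, "AP", {"type": "request-identity"})
        if kind == "identity":                               # EAP-Response/Identity
            identity = frame.payload["identity"]
            self.pending[frame.src] = identity
            # Relayed to the server as a RADIUS Access-Request; the server's
            # Access-Challenge comes back to the client inside EAP.
            return Frame(EAPOL, "AP", {"type": "challenge",
                                       "challenge": self.server.challenge(identity)})
        if kind == "response":                               # EAP-Response to the challenge
            identity = self.pending.pop(frame.src, None)
            ok = identity is not None and self.server.verify(identity, frame.payload["response"])
            if ok:
                self.authorized.add(frame.src)               # Access-Accept: open the port
                return Frame(EAPOL, "AP", {"type": "success"})
        return Frame(EAPOL, "AP", {"type": "failure"})       # Access-Reject or malformed


class Supplicant:
    def __init__(self, mac: str, identity: str, secret: bytes):
        self.mac, self.identity, self.secret = mac, identity, secret

    def authenticate(self, ap: Authenticator) -> bool:
        reply = ap.receive(Frame(EAPOL, self.mac, {"type": "start"}))
        if reply is None or reply.payload["type"] != "request-identity":
            return False
        reply = ap.receive(Frame(EAPOL, self.mac, {"type": "identity", "identity": self.identity}))
        if reply is None or reply.payload["type"] != "challenge":
            return False
        response = hmac.new(self.secret, reply.payload["challenge"], hashlib.sha256).digest()
        reply = ap.receive(Frame(EAPOL, self.mac, {"type": "response", "response": response}))
        return reply is not None and reply.payload["type"] == "success"


def demo() -> dict:
    """Run a good client and a client with a wrong secret through the port."""
    server = AuthServer({"alice": b"alice-otp-seed"})            # constructed credentials
    ap = Authenticator(server)
    alice = Supplicant("00:11:22:33:44:55", "alice", b"alice-otp-seed")
    intruder = Supplicant("66:77:88:99:aa:bb", "alice", b"guessed-wrong")
    results = {}
    ap.receive(Frame(DATA, alice.mac, {"body": "GET /"}))       # before auth: blocked
    results["pre_auth_forwarded"] = len(ap.forwarded)
    results["alice_ok"] = alice.authenticate(ap)
    ap.receive(Frame(DATA, alice.mac, {"body": "GET /"}))       # after auth: passed
    results["post_auth_forwarded"] = len(ap.forwarded)
    results["intruder_ok"] = intruder.authenticate(ap)
    ap.receive(Frame(DATA, intruder.mac, {"body": "GET /"}))
    results["dropped"] = len(ap.dropped)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the text makes: the access point never inspects credentials itself, it only relays EAP between client and server and opens the controlled port on the server's verdict, so a client that has not completed the exchange gets nothing onto the LAN no matter what it sends.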

Editorial contacts

Christy McMeekin
HMC Seswa Corporate Communications
(011) 704 6618
christy@hmcseswa.co.za
Wolfgang Held
3Com Corporation
(011) 700 8600
Wolfgang_held@3com.com