Security: the next frontier

Recent hacker attacks on popular Internet sites might not be cause for panic among federal information technology managers, but they do heighten concerns that expensive virtual private network, firewall and encryption security tools won't prevent intruders from erasing key files or stealing mission-critical information. And with good reason.

By J.B. Miles, Special to GCN

"There is no such thing as absolute network security," said Mark Merkow, a networking expert and author of Virtual Private Networks for Dummies. "Security is really just a balancing act between unfettered access to program functions and controls that prevent such access," he said.

Merkow and other experts agree on the two guiding principles of network security:

- Prohibit everything that is not expressly permitted.
- Permit everything that is not expressly prohibited.

Easily said, but putting those goals into practice is another matter, even in self-contained networks under total end-to-end control. And with many networks linked to outside networks, or operating as VPNs within the architectures of larger public networks, effective security becomes even more difficult.

The huge growth in Internet use and related services, such as e-mail, electronic-commerce transactions, VPNs and other Web applications, has led many to wonder if it will ever be possible to guarantee end-to-end data security in this unsecured and essentially unregulated global marketplace.

But developments in technology at the network, server and workstation levels can help prevent a security breach or expose one after it occurs, particularly when Internet transactions are involved.

Firewalls.

Firewalls are an improvement over security measures built into packet filtering routers (see Buyers Guide, Page 41). Firewalls insulate and protect an organization's private networks from public networks by establishing controls on the traffic allowed.

New firewalls work as application gateways that provide tighter security than packet filtering can. Their special codes, called proxy services, determine whether specific applications can pass through the gateway.

Many firewalls are software-based and reside on network hosts and routers. Another type consists of firewall appliances: turnkey hardware and software devices with plug-and-play characteristics that are easy to set up and run. Compared with router-based software firewalls, they are easy to deploy and manage and are especially useful in far-flung offices where IT talent is often stretched to the breaking point.

IP Security.

VPNs are software-defined private communications networks configured over other network backbones such as X.25, asynchronous transfer mode, switched 56-Kbps and frame relay. The rise in Internet use has provoked lots of interest in Internet VPNs, which provide even better economies of scale and cost savings than those based on other technologies.

Most VPNs now incorporate IPSec, an evolving set of standards that boosts security measures via optional tunneling protocols, specialized authentication headers and payload headers that can be based on encryption algorithms chosen by the user.

IPSec works at Layer 4 of the TCP/IP stack, providing not only application-level security but security throughout the network. Because of the growing popularity of Internet communications, virtually all switch, router, VPN and firewall manufacturers are hustling to incorporate IPSec into their products.

IPSec is extremely flexible because it can support many encryption algorithms and authentication technologies. The Data Encryption Standard and Triple DES are the most popular encryption technologies used by the government, but the National Institute of Standards and Technology is working on a new encryption standard, the Advanced Encryption Standard. IPSec will be ready for AES when it arrives.

IPSec is good, but it isn't perfect. First, it doesn't scale well beyond the VPN level to the enterprise. It employs the Internet Key Exchange Protocol, which uses unique keys to manage every node in the network. This means the number of keys in use grows exponentially as new nodes are added, complicating their management. Interoperability among vendors' IPSec products also is a problem. And its use can slow encrypted network traffic to or below a 100-Mbps crawl.

Despite drawbacks, IPSec looks to be a winner with heavyweight hardware and software manufacturers such as Compaq Computer Corp., Entrust Technologies Inc. of Plano, Texas, IBM Corp., Intel Corp. and Microsoft Corp., all of which plan to join forces in producing IPSec products.

Public-key infrastructure.

PKI consists of an evolving set of standards for encrypting, authenticating and validating network transactions through the use of digital certificates and certification authorities.

Although not limited to the Internet, PKI does provide the basic building blocks for end-to-end Internet security, particularly where a high level of trust is required for conducting electronic transactions.

The government is directly involved in PKI through the Healthcare Internet Interoperability Pilot, a system that authenticates users and tracks support and expenditures for 500,000 people at hospitals, government agencies and insurance companies.

It also has its own PKI pilot program, the Federal Public-Key Infrastructure Project. The National Institute of Standards and Technology is taking a leadership role in the development of federal public-key infrastructures that support digital signatures and other public-key-enabled security services.

With PKI, users receive two keys, one public and one private. A user wishing to send a message employs the recipient's public key, a kind of address. After getting the message, the recipient decrypts it with the private key.

This seems simple enough, but problems can occur with so many keys floating around an organization with hundreds or thousands of users and no inherent guarantee of the identities of user A or user B.

To counteract this problem, the technology uses digital signatures to authenticate users. In this technology, a cryptographic hashing algorithm is used to create a message digest within a document. This digest acts like a fingerprint and cannot be forged.

To further authenticate user identities, most third-party PKI software tools use digital certificates to notarize the connection between a digital signature and its owner via a certifying authority, a trusted third-party agent such as Arcanvs Inc. of Salt Lake City, Baltimore Technologies PLC of the United Kingdom, Entrust, GTE CyberTrust Solutions Inc. of Needham Heights, Mass., and VeriSign Inc. of Mountain View, Calif.

The International Telecommunication Union's ITU-T X.509 digital certificates contain the certifying authority's name, the user's public key and digital signature and other identifying information, and are an internationally recognized identification for electronic transactions and e-commerce. Like a digital signature, a digital certificate cannot be forged.

PKI also requires a central directory for storing digital certificates and other information. An organization already using the Lightweight Directory Access Protocol for storing e-mail information may find that it fits the bill.

The downside to PKI technology is that it can be expensive and difficult to implement. Furthermore, PKI vendors continue to squabble over appropriate standards, and interoperability is spotty. But companies including Entrust, IBM, Microsoft and RSA Security Inc. of Redwood City, Calif., recently founded the new PKI Forum to hammer out the details.
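The key-pair, digital-signature and certificate steps described above, as an added example in Go that is not part of the original article: a certifying authority issues an X.509 certificate binding user A's public key to a name, A signs a message, and a relying party accepts the signature only if the certificate chains to the CA it trusts. The CA name, user name and message are constructed placeholders, and Ed25519 stands in for whichever algorithm a real deployment uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Added example, not from the article: a CA issues an X.509 certificate binding user A's public key to a name,
// and a relying party checks it against the CA it trusts before believing A's signature. Names are placeholders.
// issue has signer certify pub under name; a nil parent yields the self-signed CA root.
func issue(serial int64, name string, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // the root alone may certify other keys
		tmpl.IsCA, tmpl.BasicConstraintsValid, parent = true, true, tmpl
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// NewPKI stands up a CA and issues user A a certificate; A's private key never leaves A.
func NewPKI() (*x509.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue(1, "Example Agency CA", nil, caPub, caKey)
	return ca, issue(2, "user A", ca, userPub, caKey), userKey
}

// Sign is user A's digital signature; Ed25519 hashes msg internally, so the digest (the "fingerprint") is what is signed.
func Sign(key ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(key, msg)
}

// Verify is the relying party's check: the certificate must chain to the trusted CA, then the signature must hold.
func Verify(ca, cert *x509.Certificate, msg, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(ca)
	if _, err := cert.Verify(opts); err != nil {
		return false // not notarized by a CA we trust, or outside its validity period
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
```

A certificate issued by a different CA with the same name fails the chain check even though its own signature is sound, which is the "no inherent guarantee of identity" problem the certifying authority solves.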
Smart cards, tokens, biometrics.

An effective security strategy demands more than one technology, particularly for user access and authentication.

Secure smart cards are credit-card-size devices with embedded microprocessors that carry more information than the magnetic-stripe cards in wide use today. Most of them comply with the PKI model.

Tokens are similar in function to secure smart cards, although not as popular.

Biometric access control devices can read a fingerprint, face, eyes and even a voice. Unlike HP and IBM, NEC Technologies Inc. of Itasca, Ill., is backing biometrics as the best access-control technology with TouchPass, a fingerprint scanner.

Basically, biometric devices assess the unique characteristics of each user to grant or deny access to a computer. Inexpensive fingerprint scanners are available for less than $150; the price of face and retinal scanners is generally much higher. Soon biometric functions will be incorporated directly into keyboards, screens and pointing devices.

Smart cards and tokens are easy to manufacture and are compatible with PKI and other advanced encryption standards. Biometric products also are easy to manufacture, and they respond to identifying characteristics that, unlike keys and passwords, cannot be lost or stolen.

Many users find these access technologies to be ideal companion pieces to more sophisticated encryption and key management products.

The right combination of tools can help managers take the high ground in their quest to secure systems.

J.B. Miles of Pahoa, Hawaii, writes about communications and computers.
