Watchdogs on the Internet
ISPs find a niche providing increasingly complex security
Even before the advent of the most lucrative and open of all networks, the Internet, computer network security systems had been under the lens of a most unforgiving microscope.
Technologically in-tune teens have tried to crack them, and the U.S. Department of Defense routinely conducts war games against them. In Hollywood fare, security systems exist either to be hacked or to go awry on their own.
Unfortunately, in real life, when a security breach is found, corporate information officers' heads have been known to roll.
With the Internet now promising to revolutionize the way the world conducts business, that nagging fear of a non-secure network lingers. Analysts and customers cite it as the biggest obstacle to the Internet's widespread use for mission-critical business such as Internet commerce, or collaboration on documents and strategies.
More worrisome is the idea that a connection to the Internet can lead miscreants to corporate networks, where a creative code cracker could get his or her hands on sensitive data that hold the key to corporate fortunes.
What some see as an obstacle, however, could become a huge business opportunity for Internet service providers, especially those affiliated with a major telecommunications carrier. Developing security strategies using firewalls, encryption and virtual private networks (VPNs) could become just the sort of value-added service for which ISPs have been searching in this era of low-revenue Internet access.
"When a customer has a problem with his communications, he calls his carrier," says Mark Taylor, director of business development for Waltham, Mass.-based Raptor Systems. "There's no reason that shouldn't be the case for the carriers developing ISP businesses. There are huge masses out there that need the Internet but are not networking- and computer-aware, and they're going to need help not only in deciding what security technology to employ but what sort of security policy the customer really needs."
While observers have bandied about the seriousness of today's security problems, few doubt that those problems will worsen as the Internet expands.
Policy on paper
"There are two types of threats out there," says Phil Neray, director of product marketing for St. Paul, Minn.-based Secure Computing. "There's the malicious mischief that you hear about computer-savvy high school or college hackers doing, where they break in and look around. There's no real premeditated theft involved. The second threat is a lot more serious, where theft is the intent: the theft of credit card numbers, industrial espionage, that sort of serious, damaging crime."
For both customers and their security systems providers, a security policy is the first issue to be addressed. "Some people say that the majority of companies have no security policy, but that isn't really the case," says Fred Avolio, vice president of technical marketing at Trusted Information Systems, Glenwood, Md. "They have a security policy, but nothing is written down. It's in their heads, in the minds of four or five different people in different departments. The challenge is to get their take on what needs to be protected and analyze this into something coherent."
"Most companies don't realize what needs to be protected, from whom and when," says Doug LaBorde, product manager for Ascend Communications' network security division. "As in any communications environment where the customer can go to another provider for his services, you've got to know your customer."
That can take some diplomacy, understanding and clear communications on the service provider's part. "Initially, you're going to find that the policy, if there is one, boils down to, 'Let the good guys in, keep the bad guys out,'" LaBorde says. "Their goal is to prevent all inbound traffic from getting in and allow all outbound traffic to get out, and that's clearly not what you want."
Instead, a more comprehensive approach must be taken, analyzing the data on the network, the network's users and the users' need to know sensitive data. "You need to understand a lot of the nuances associated with not only networks, but how the business operates and how it disperses information," Raptor Systems' Taylor says. "This can be difficult when you're imposing a new idiom of security."
For customers, that can be an eye-opener. A prominent New York City criminal law college initially told Secure Computing that it had nothing worth stealing.
When pressed, university officials realized that their networks contained the classic target of the school-age hacker: grades. "They had the health center's information on their network, so that anyone getting access could look at the students' health records," says Secure Computing's Neray. "They also had student financial records on file, and students who had paid for their tuition with a credit card had their account numbers in those files. You could even go so far as to imagine that a competing college could possibly try to break in and look at administrative records and try to recruit the school's top 10 students. It was another illustration that lots of folks don't understand what there is to protect in the first place."
While a fear of outside intruders may precipitate a security system, studies have shown that 70% of break-ins to unauthorized data happen within corporate networks, again raising the specter of industrial espionage, Neray says. Add to that cyberloafing-employees who misuse Internet connections for bandwidth-gobbling, non-business-related Net surfing-and what was intended to be a productivity-building tool could instead cost businesses millions of dollars.
"The weakest link is where people will strike," says Hans Von Braun, an analyst at Creative Strategies Inc., a San Francisco-based consulting firm. "While securing your network is good, it isn't enough. In the case of credit cards, for example, someone could hack into your system to get those numbers, but it would be easier for someone within the operation to just find the slips and write down the numbers from a hard copy."
This relative ignorance leaves the door wide open for a carrier's Internet branch to provide consulting services, analysts say. For that scenario to work, however, Internet integrators have to know more than hardware and bandwidth.
"Timing is everything," says Taylor. "What's locked down one day to all but the senior executive staff, like quarterly results, must be available to everybody the next day."
Changing management techniques also pose a challenge. "Functional organizations, where each title corresponds to a particular set of duties, are easy to manage," Taylor says. "But today, we're seeing more project-based organizations and new organization dynamics, so what employees need to know can change."
Although businesses may hate to hear it, quite a bit of human input is required to keep track of these needs, and many companies must employ a security manager to enforce their policies.
Fortunately, while the human element continues to be a variable, the tools to combat security breaches are being developed with the modern network's complexities in mind.
Fighting back
Chief among these are firewalls: software barriers designed to contain and filter traffic in and out of a designated area. Although routers and other internetworking devices can use their access capabilities to create simple firewalls, customers with increasingly complex needs are turning to pre-configured firewall systems to cut implementation time and provide a degree of flexibility that previous generations of firewalls could not.
Firewalls come in a variety of flavors. Packet filters, which screen incoming and outgoing traffic against a set of rules, are easier to use than a router's blanket blockade style of security. A packet filter also logs the traffic it screens, a helpful feature for checking for holes after a suspected break-in.
On the downside, packet filters provide direct connections between internal users and external hosts, which enhances speed but can compromise security.
Application-level gateways, or proxy servers, shield internal resources from external users by acting as a proxy for Internet services. The gateway analyzes traffic and permits specific application types to get through to internal users. Consequently, these systems monitor traffic more carefully and provide even greater logging and analysis capabilities.
But because of the gateway's application-specific nature, performance and flexibility suffer. Each application allowed through the firewall requires specific software support, so the gateways demand more processing power, leading to reduced performance compared with packet filters (Figure 1).
Circuit-level gateways serve as proxies to external hosts, but they do so at the transmission control protocol level. This opens a hole in the firewall, providing end users with greater transparency but at the expense of some security.
Today, firewall vendors are scrambling to introduce what they term their third generation of firewalls in less than five years, using a mixture of these approaches and various technical strategies.
Raptor Systems offers a broad range of products grounded in its Unix-based Eagle line of firewall products, including products targeting mobile users and remote site communications.
Trusted Information Systems uses a pure application gateway approach to its Gauntlet firewall. The firewall contains proxy services that include a Web browser for better security. The TIS product also acts as a crystal box, letting customers verify the relatively small source code (700 lines for the information gateway) for integrity and security.
Secure Computing's Sidewinder is another application-level gateway. This firewall uses what the company calls "type enforcement technology," which enhances security by partitioning Internet services (a Web server, for example) into different areas. If one of the areas is breached, the rest remain secure.
Toronto-based Border Network Technologies focuses on a simple black box approach that emphasizes ease of use. Its Firewall Server combines an Internet gateway and a firewall, and it is based on a security-hardened, heavily modified Unix operating system kernel.
Check Point Software Technologies' FireWall-1 is based on an architecture called stateful inspection, which includes application-level filtering capabilities. The architecture provides speed and transparency, combined with application gateway-like security and management, and the system easily integrates new and customized in-house applications.
In contrast to the packet filters, which leave open single holes in the firewall for incoming data for a predetermined amount of time, the Check Point solution closes the holes as soon as the data transmission is complete.
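The difference between a packet filter's standing rule and stateful inspection's per-connection tracking, shown as an added illustration that is not code from Check Point or any other vendor named in this article: a toy stateless filter and a toy stateful inspector are run over the same constructed web session. The host addresses, ports and packet trace are made up for the example, and the stateful table here closes its entry on the TCP close handshake rather than on a timer, which is a simplification of what real products do.

```python
# Added illustration: a stateless packet filter beside a stateful inspection
# firewall, run over a constructed packet trace. Toy code, not any vendor's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN (e.g. "SA", "FA")
    inbound: bool  # True when the packet arrives from the Internet side


WEB_PORT = 80


class StatelessFilter:
    """Judges each packet on its own header. To let web replies back in it
    needs a standing rule admitting any inbound packet from source port 80
    to a high internal port; that rule is the 'hole' the article describes."""

    def __init__(self):
        self.log = []

    def decide(self, p):
        if not p.inbound and p.dport == WEB_PORT:
            verdict = "ALLOW"                      # outbound web request
        elif p.inbound and p.sport == WEB_PORT and p.dport > 1023:
            verdict = "ALLOW"                      # standing hole for replies
        else:
            verdict = "DROP"
        self.log.append((verdict, p))              # every decision is logged
        return verdict


class StatefulInspector:
    """Keeps a table of connections opened from inside. Inbound packets are
    admitted only while a matching entry exists; the entry is removed once
    both sides have sent FIN and the final ACK has passed (real products also
    expire idle entries on a timer, omitted in this toy)."""

    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> fin flags
        self.log = []

    def decide(self, p):
        # Normalise the 4-tuple so both directions of one session share a key.
        if p.inbound:
            key = (p.dst, p.dport, p.src, p.sport)
        else:
            key = (p.src, p.sport, p.dst, p.dport)

        if not p.inbound and p.flags == "S" and p.dport == WEB_PORT:
            self.table[key] = {"fin_in": False, "fin_out": False}  # new session
            verdict = "ALLOW"
        elif key in self.table:
            verdict = "ALLOW"
            self._track_close(key, p)
        else:
            verdict = "DROP"                       # no session: the hole is shut
        self.log.append((verdict, p))
        return verdict

    def _track_close(self, key, p):
        entry = self.table[key]
        if entry["fin_in"] and entry["fin_out"]:
            del self.table[key]                    # final ACK of the close; forget it
        elif "F" in p.flags:
            entry["fin_in" if p.inbound else "fin_out"] = True


# Constructed addresses (documentation ranges), not real hosts.
IN_HOST, WEB_HOST, OTHER_HOST = "10.1.1.5", "203.0.113.7", "198.51.100.9"


def out(flags, sport=40000):
    return Packet(IN_HOST, sport, WEB_HOST, WEB_PORT, flags, inbound=False)


def inb(flags, src=WEB_HOST, dport=40000):
    return Packet(src, WEB_PORT, IN_HOST, dport, flags, inbound=True)


# Constructed trace: one web session, its close, then two packets that arrive
# after the session is over and should not be let in.
TRACE = [
    out("S"),                               # 1 inside opens the connection
    inb("SA"),                              # 2 server answers
    out("A"),                               # 3 handshake done
    inb("A"),                               # 4 server sends data
    out("FA"),                              # 5 inside starts the close
    inb("FA"),                              # 6 server closes its side
    out("A"),                               # 7 final ACK: session is over
    inb("A"),                               # 8 stray packet on the old 4-tuple
    inb("S", src=OTHER_HOST, dport=45000),  # 9 unrelated host aiming at the hole
]


def compare(trace=TRACE):
    """Run both firewalls over the trace; return their verdict lists."""
    stateless, stateful = StatelessFilter(), StatefulInspector()
    return {
        "stateless": [stateless.decide(p) for p in trace],
        "stateful": [stateful.decide(p) for p in trace],
    }


if __name__ == "__main__":
    verdicts = compare()
    for i, p in enumerate(TRACE):
        direction = "IN " if p.inbound else "OUT"
        print(f"{i + 1}: {direction} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:2}  "
              f"stateless={verdicts['stateless'][i]:5}  stateful={verdicts['stateful'][i]}")
```

Packets 8 and 9 are the point: the stateless filter's standing rule admits both, because each matches "source port 80 to a high port" on its own, while the stateful inspector drops them because no connection opened from inside is on the books. The logs kept by both classes are the kind of record the article says is useful when checking for holes after a suspected break-in.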
The various approaches emphasize the firewall marketplace's volatility, which is driven by end users' increasing understanding of the importance of security. A report by International Data Corp., Framingham, Mass., projects the market for firewall products will grow from 10,000 units sold in 1995 to more than 1.5 million in 2000. That has vendors scrambling to find new channel partners and innovations.
An example of the way in which those millions of firewalls are distributed is Check Point's FireWall-1. It was adopted as the managed firewall component of networkMCI's Intranet Builder and Intranet Complete services this March, following a pattern the company has seen emerging.
"In the past, we've seen deployment being conducted mostly from within the customers," says Asheem Chandna, director of business development for Check Point. "But we see numerous opportunities for the telecommunications carriers under one of two models. Either they will resell the entire security solution and use the same channel for this sale that they used for the initial sale of services to the customer, or they will provide a managed security service in which the ISP manages the service for the customer but charges on a service basis."
He predicts that ISPs will offer the security service along with network management, load balancing, quality of service and other value-added features that are becoming commonplace.
Another value-added service that carriers already offer is the VPN: a managed network that gives customers the benefits of a leased-line network at a lower cost. To avoid VPN security breaches, more carriers are using private contractors like VPNet, a San Jose-based company that provides such services to ISPs and carriers.
"We can ensure data privacy, integrity and authenticity at our end through a combination of firewalling and data encryption, and we work to strategically link our customers with our suppliers on an ad-hoc basis," says Rick Kagan, vice president of marketing at VPNet.
VPNet's approach not only protects the networks at the ends of communications transmissions but the packets themselves while en route.
"When you're sending something over a public network, it's almost as if you're writing all of your crucial business information on one side of a postcard," says Kagan. "Anybody who happens to pick up that postcard, through whatever means, is going to be able to see that information."
To protect the data, VPNet employs data encryption standard (DES) and Triple DES encoding systems to encrypt data payloads and headers. "DES is 20 years old, but there's a reason it's so old: It works," says Kagan. "It's well known to have survived hackings, it's been beat on for a while, and it's done a good job."
The downside of encryption is its effect on firewalls-it slows them to a crawl. "If the computational cost of a proxy server or a packet filtering system is from one to four, the added cost of encryption is 50 to 100," he says.
Between the firewall and the VPN is a third component: authentication control, or the ability to ensure that the person using the application is approved to enter a private network. "Most people get started with addressing the access issue with firewalls and then move toward the VPN," says Check Point's Chandna. The authentication process is a very important part of the VPN solution, he says.
Authentication systems can take the form of desktop software, smart cards or multipurpose identification badges.
When investigating these techniques, companies need to consider their networks' weakest link, says Trusted Information Systems' Avolio. "When we start to work with a customer, we perform an audit of the entire telecommunications system, including fax machines, telephones, anything that's connected to the outside world. We know what the organization looks like and we monitor it daily."
This approach prevents the creative miscreant from exploiting a non-secure route into the network-through a desktop CTI interface, for instance. "If they get access to the network, they're in, all because of some poor secretary or executive vice president who didn't know any better," says Avolio. "At that point, what's the point of spending $50,000 on a door when your house has cheap windows and a bad lock on the back porch?"
If all this seems a bit removed from the "sign 'em up, plug 'em in" approach that ISPs have taken to the Internet, there is a reason: It takes a massive amount of effort, expertise and marketing savvy to help a customer tailor a secure network system.
"ISPs and carriers may not be our best spokespeople," says a representative of one security vendor who asked not to be named. "If they're trying to sell dial tone, the addition of a $30,000 to $40,000 cost on top of the initial expense could impact the number of customers they can sign up. It might seem like a disincentive to new customers. This may not be an area where a slow-moving, heavily regulated business does well."
Still, the mechanisms will change as the threats change, says Avolio. "Of our top 70 resellers now, 21 are ISPs, like AT&T, UUNet and PSINet. The smaller ISPs, and much bigger ones like Sprint, are offering these sorts of managed services now."
The last eight to 10 months have seen increasing mergers of data and telephony services at both the Bell companies and long-distance providers, says Raptor Systems' Taylor. "The guy delivering telephony services to a business is just a warm call away, and it seems pretty clear that that call in the future is going to include talk of Internet services. There's no way that security won't be part of that conversation."
Anyone who believes networks are impervious to outside intrusions should talk to Jeff Moss, president of DefCon Communications, Las Vegas.
To his peers in the hacker community, Moss is known as "Dark Tangent," an expert on the ins and outs of public and private networks. For the past four years, Moss has organized DefCon, a hackers' convention where firewalls, encryption and other security measures are put to the test by the cream of the cracking crop.
The need clearly exists to educate corporate customers and their employees about security, but if the telecom companies' record is to be considered, they are the last ones to be offering advice, he says.
"The phone companies are lame," Moss says. "Most of the time, their own employees don't understand their internal security systems, so the idea that they could educate anyone else is absurd."
As an example, he cited an incident in which a fellow hacker accessed Moss' circuit IDs and began putting in service orders in his name. "He was calling the guy at the network operations center [NOC] and pretending to be me," Moss says. "The impostor actually called when I was on the phone with the guy at the NOC, and he asked me, 'What should I do?' I said. 'Stop giving out my information.'"
Eventually, the other hacker called Moss. "From the phone company's records, he'd gotten my Social Security number and ran a credit check through Equifax," Moss says. "He said, 'Dude, you've got one of the best credit ratings I've ever seen! The only guy with a better rating I've run across like this was the head of security at MCI.'"
How can companies prevent such security lapses? Making security a priority is the first step, Moss says.
"The telcos have had this problem for years, and they just don't seem to have the resolve to face it," he says. "With the increasing amount of data traffic, they're stumbling into a whole new era of nightmares unless they start to bring some resources and some smarts to bear."
There appears to be no shortage of experts. The next DefCon convention in July is expected to draw more than 1000 participants. "It's crazy, hectic, generally out of control," says Moss. "We have an informal network of people testing the systems of the day. It's like, Bill knows about encryption, and Fred works on cell phones, and the conference lets these people get together."
Before panicking, rest assured that this group is, by and large, not out to steal or wreak havoc on networks. DefCon has gone from an underground cyberparty to an almost legitimate event, with breakout sessions and lurking corporate headhunters.
Although Moss admits that some people succumb to the temptation of larceny, the majority of hackers break in simply for the challenge. "Sometimes you have to show them up," Moss says. "It's like the security bug in Windows NT. Microsoft would rather perform spin control than actually combat the problem. They need to have their security faults pointed out."-CB