The Executive's Basic Guide to Intranets

6. What Type of Security Issues are Involved with an Intranet?

There are a number of security issues and risks associated with intranets. Probably the two biggest security threats are unauthorized access (both from outside the network and from within) to corporate assets, and the threat of damage and loss through infection from a virus.

When you set up an intranet you are in essence, providing a "door" between your intranet and the Internet that allows people inside the intranet to go out onto the Internet to get information. That same door, if not properly secured, can let intruders from the Internet into your intranet. This unauthorized external access can and often does, lead to attacks on the network and theft.

Keep in mind that malice is not restricted only to people outside your company. The other security threat comes from within your organization. Clearly, there is data within a company that requires restricted access -- like personnel records, sales databases, or financial information-- that need to be secured from unauthorized internal access as well.

Any intranet needs to have a comprehensive security system in place. In addition to considering the nature of the threats that require defensive measures, you must evaluate factors such as the size of the intranet and/or company, the value or confidentiality of the data, how critical an uninterrupted, operational intranet is to the company, and what resources must have restricted access.

Firewalls

The most common method of securing an intranet is through something called a "firewall". Firewalls are hardware/software combinations that are configured to determine what information can flow in and out of the intranet. Since all data going to and from the Internet passes through routers, they play a major role in firewalls. The most common is a filtering router which examines every packet coming into and going out of an intranet. Based on a set of rules that a system administrator has established, the router will let some packets in (pass) and will keep other packets out (drop). For example, packets coming from specific users or specific networks can be blocked. Access to entire Internet resources, such as FTP, can be blocked as well. This is what is commonly known as "packet filtering." Routers are intelligent enough to distinguish between data that passes through its "in" and "out" ports so that even if an intruder were able to get the correct information needed to fake a request and make it look like it came from inside the firewall, the router can see that the request originated from its "out" port and will know to reject it. Firewalls can also be implemented internally between segments of your intranet to restrict and monitor access to certain resources.

Proxy Servers

Proxy servers are another important tool used to maintain intranet security. The proxy server, acting as a sort of go-between, is placed between the intranet and the Internet. It evaluates all requests for information or Internet services against an authorization database, and if the request is acceptable, the proxy contacts the Internet. The returning page also passes through the proxy server from the Internet and passes it on to the person who requested it. In this way, the proxy server can keep a record of all transactions, and provides a trail to track any kind of attacks. The proxy server also shields the intranet from the Internet, because the only IP address going out to the Internet is that of the proxy server. That way, anyone on the outside trying to capture IP addresses for a spoofing attack (pretending to be a legitimate client) can't "see" the originating IP addresses (i.e. because its hidden inside the network).

Firewalls and proxy servers are an effective "barrier" method of controlling what information can go in and out of an intranet, but they don't address the issue of maintaining data integrity once the data is passed through (either into the network or out on to the Internet) and they also don't address whether the individual sending data is who they say they are. That is where encryption and authentication systems come into play.

Encryption

Encryption is a sophisticated method of encoding or "scrambling" data in a way that only the party for whom the message is intended can decode or unscramble it. This is accomplished by something called public key cryptography which uses key pairs -- separate mathematical "keys," a private and a public one -- to encrypt and decrypt messages. With this methodology, an individual uses software to generate a key pair, holds onto the "private" key (which presumably is known only to that individual), and freely distributes the "public" key to whomever they wish to transact business with (i.e. send secured information). Any party holding the public key can send an encrypted message that can only be decoded by that person's private key and vice versa. Each key is the inverse function of the other; what one does, only the other can undo.

That way the integrity of the message is maintained (i.e. no one who attempts to intercept the data in transit can actually get at the information unless they have the private key to unlock it). For example, if you sign a transaction with your bank using your private key, the bank can read it with your corresponding public key and know that only you could have sent it. Likewise, if your bank sends you a receipt signed with your public key, only you can read it with your private key. This method allows each party to the transaction to ensure that data is transmitted securely across a public network without fear of being read by "prying eyes."

Authentication

While encryption is a very powerful method for securing data, by itself it is not enough because it doesn't offer proof positive of the identity of the sender. Nor does it verify whether or not information has been tampered with or somehow altered in the transmission. Authentication adds another layer of security and peace of mind by providing positive identification that the sender of the information is indeed who he or she claims to be.

Basic authentication systems are the traditional password authorization systems widely in use. However, in today's robust computing environment, more sophisticated methods of authentication are necessary to ensure the integrity of data and to eliminate or reduce the probability of fraud.

Digital signatures or Digital IDs bring this level of sophistication to the arena. With a Digital ID, a public/private key pair (like the one described above) is generated and bound to a user's name and other identifying information by a trusted third party certification authority who issues the Digital ID to the user. This ID can be enclosed in an encrypted message to assure the recipient of the identity of the sender. It can also be installed in a Web browser where it can be used in place of a password dialog for information and services that require membership or restrict access to particular users. Since the slightest change in a digitally signed document will cause the digital signal verification process to fail, this method of authentication also allows people to check the integrity of signed documents.

Viruses

Since viruses are a major concern to anyone running an intranet, the best way to deal with them is to run virus-checking software specifically designed for intranets. It runs on a server, and as files are sent to the intranet it checks them for viruses. If they're virus-free, it lets them through. If they appear to conatin viruses, it blocks them.

1997 Copyright 3Com