Ever since the morning of Sept. 11, 2001, the Western world seemingly has been obsessed with security. One would think that the Bush administration's release of its draft National Strategy to Secure Cyberspace on Sept. 18 of this year would have only heightened that focus. Yet, very little real progress has been made toward hardening the world's computer networks since the "war on terrorism" was declared.
"Initially, we saw an increase in spending throughout September and October [2001]," says Steven W. Snider, president of Cadre Computer Resources, a Cincinnati-based security integrator. "We then saw the corresponding slowdown in November and December." The current economic doldrums are largely to blame.
Richard Giordano, information security practice manager at Raleigh, N.C.-based VAR Alphanumeric Systems, notes, "Most organizations we are working with are challenged to fund IT initiatives in the current business environment."
The Plight of the SMB
A majority of the solution-provider organizations polled for VARBusiness' State of Technology (SOT) survey are indeed likely to deploy security software (62 percent), such as firewalls, encryption and virus protection. But in terms of VAR customers from within the "Fortunate" 500, the response essentially has been "more of the same," because, for the most part, those companies already enjoyed the luxury of corporate computer-security officers. In the small-to-midsize business market, however, and particularly in the small-business realm, battening down the hatches was the responsibility of the company network administrator, regardless of whether he or she was prepared for it.
A lot of administrators weren't. And a lot of them still aren't ready. Part of the problem is that, despite the proliferation of various vendor skills-certification programs in recent years, a significant percentage of small-business network administrators had to learn their jobs on the spot. Many of them, especially those who work for firms with only a few employees, also have other, unrelated duties to perform. Their employers often consider those other responsibilities a higher priority than administering their computer network, particularly when it's time to hand out promotions and/or raises.
VARs To the Rescue
In short, many of your customers' overworked and under-appreciated network administrators have neither the time nor the motivation to craft and implement upgraded security measures. That presents you with a potentially profitable opportunity, and a ticklish set of obligations to go with it.
"The main hurdle is selling an intangible offering vs. a physical product that you can test and evaluate," Snider says.
ISPs have uniformly resisted the government's plea to supply firewall devices to their broadband customers, to filter mail for viruses and worms and, in general, to accept responsibility for providing security solutions to their subscribers. In large measure, that refusal has to do with the potential legal liability involved. As long as end-node security remains strictly the problem of the consumer, ISPs create no exposure to tort suits. However, once they begin providing security devices and/or services, any failure of those measures immediately makes them vulnerable to claims of negligent conduct or due-diligence failure.
Thus, once you've accepted the job of defining a security environment (because simply installing a firewall device does not a secure network make), you're obligated to create a solution that's as comprehensive and reliable as your client's budget and resources permit. So it's crucial that you understand that true network security comprises not just a box or a virus scanner, but a constellation of technologies, practices and policies. It's also critical that you successfully convey that understanding to your customers. "The key challenge is creating long-term business relationships with customers based on trust," Giordano says.
Therefore, although there's money to be made selling the necessary hardware and software to them, the best service you can render your clients, and a potentially very profitable one for you, is to provide consulting to help them define their own security policies. And the place to start the process is with a threat assessment.
Not all computing environments are alike. Some, such as insurance brokerages, securities firms and doctors' offices, make daily use of highly confidential information throughout their operations. In many others, only the payroll and accounting functions employ truly sensitive data.
Thus, while every network needs a well-considered disaster-prevention and recovery strategy, not every one requires the kind of airtight and rigidly compartmentalized access control that is appropriate for a bank. Nonetheless, every network that includes broadband access to the Internet must be protected from remote intrusion, if for no other reason than to protect against its mail server being spamjacked or its servers being used to launch denial-of-service attacks against third parties. Every network needs comprehensive antivirus protection as well.
In both of the latter cases, the problem lies in how to keep that ongoing protection effective.
For instance, a properly configured firewall is an essential component of any Internet-connected computer network, whether that firewall comprises a black-box appliance or white-box hardware, OS and software components that you have personally installed and configured. But an unmonitored firewall is almost as much of a threat to your clients' security as no firewall at all, because it can lure them, and you, into a false sense of security about the level of protection that it provides.
The same thing is true of a virus scanner, and for the same reason: Conditions change. Just as new and ever more devious viruses arise and propagate via both well-known and freshly discovered exploits, so, too, do black-hat system crackers uncover additional vulnerabilities in firewall protection mechanisms. Unless both avenues of protection are kept updated, they become less reliable and more likely to fail as time goes on.
In both examples above, systematic monitoring should be the keystone of any update strategy. And that means not only monitoring virus-scanner and firewall-vendor sites for software updates, but also monitoring OS-vendor sites for fixes to newly discovered exploits and, most critically, actively monitoring the network itself for signs of intrusion. And that's not a job that can be automated to any meaningful extent.
"Most of our clients that have administrators with available time do intrusion-monitoring the old-fashioned way, foraging through logs for any suspicious activity," Cadre Computer's Snider says. He adds that false positives are "the bane of intrusion-monitoring."
Again, education is the key. Your clients' network administrators need to learn what to look for and where to look for it. And, if you're the one who's going to teach them, you, in turn, must understand which entries in which log files are important and which can be safely ignored.
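As an added illustration of the log-foraging and false-positive problem described above (this is example code, not from the article or the firms it quotes), the script below triages constructed netfilter-style firewall DROP entries: it groups dropped connections by source, reports only sources that touched several distinct ports, and skips an allow-list of known-benign internal hosts so that expected noise does not reach the administrator's daily review. The log lines, hosts and addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Linux netfilter LOG-target entry
# (hypothetical gateway, hosts and addresses; not taken from the article).
SAMPLE_LOG = """\
Oct 3 02:11:04 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21
Oct 3 02:11:05 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 3 02:11:05 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
Oct 3 02:11:06 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25
Oct 3 02:11:07 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 3 02:11:07 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
Oct 3 02:12:00 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=161
Oct 3 02:12:00 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=162
Oct 3 02:12:01 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 3 02:12:01 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 3 02:12:01 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=443
Oct 3 02:15:30 gw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP DPT=137
"""

# Fields we care about from each DROP line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

# Known-benign talkers whose drops are expected noise, e.g. an internal
# monitoring host that sweeps ports. Tuning this list is how the false
# positives that Snider calls "the bane" are kept out of the daily review.
KNOWN_BENIGN = {"192.0.2.50"}

def triage(log_text, port_threshold=5, benign=KNOWN_BENIGN):
    """Return {src: sorted list of ports} for every source that was dropped
    on at least `port_threshold` distinct destination ports, after skipping
    allow-listed sources. Isolated single drops are left out as uninteresting."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] in benign:
            continue
        ports_by_src[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= port_threshold}

if __name__ == "__main__":
    for src, ports in triage(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} ports: {ports}")
```

Removing the allow-list entry (benign=set()) makes the internal monitoring host show up as a second "probe", which is exactly the kind of false positive that has to be tuned out before a log review is worth an administrator's time.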
But even the most careful monitoring won't protect a network from physical intruders or from social engineering.
Let's Get Physical
Using passwords to prevent unauthorized access to user accounts, sensitive applications and, especially, server administration is about the most basic security precaution there is. Even the strongest password policy, however, is no protection against physical intrusion.
Not that passwords themselves are necessarily much of a safeguard because, too often, users left to pick their own passwords choose the names of their spouses, or pets, or even their own login ID, simply because those choices are easy to remember. If they're issued more complex, and thus more secure, passwords, they'll often tape them to the underside of typing tables, or even write them on Post-Its and stick them to the side of their monitors. So network administrators are starting to turn to biometric devices to provide user authentication and login solutions. In fact, SOT respondents who resell, recommend, influence, service or support security technologies expect to sell or recommend considerably more biometrics in the next 12 months, up 36 percent, year over year.
"Password policies and procedures walk a fine line between producing heavy administrative loads or less-than-optimal infrastructure protection," Alphanumeric's Giordano says.
Adds Snider: "Setting the policy is one thing, and monitoring that policy is another."
Thus, all servers should be physically secured, locked in a server closet to which only the network administrator, his or her supervisor, and you have keys. Login access to the server itself should be password-protected, and, with the exception of the machine from which nightly backups are run, no administrator should ever be left logged on overnight. Likewise, all sensitive documents, especially those that include information about network users, should be routinely shredded to prevent dumpster diving or any other physical-security leaks.
"Critical corporate data assets must be identified, classified and hardened against all malicious activities, regardless of type or origin," Giordano says. And all users should be regularly warned not to fall for social-engineering attacks (see "A Hacker Will Be With You Shortly," left).
An Ounce of Prevention
Providing remote access for authorized network users, offering public services, such as Internet-visible Web servers, from machines physically connected to the enterprise network, and permitting wireless access to the network all create greatly escalated security risks. Unless absolutely necessary, they should be avoided because all three require the creation of a demilitarized zone (DMZ) to logically partition the internal network from the Internet at large.
Setting up a DMZ, with the concomitant need to integrate authentication and encryption services, is a nontrivial task, and one that's well beyond the capabilities of most VARs who do not specialize in configuring security systems.
Wherever possible, Internet-visible enterprise Web servers should be hosted by a third party so that in the event of a successful attack, your customer's internal network cannot be compromised. Likewise, remote access should be permitted only via a VPN connection. And, despite the lure of expanding network coverage without having to pull new cable, adding wireless access points to your customer's network is probably a bad idea.
If you do find yourself adding wireless access points, you should, at the very least, be sure to enable Wired Equivalent Privacy (WEP) and change the wireless service set identifier (SSID) to something other than the default. A better approach is to enable WEP and change the SSID, permit only authenticated users to log in, and allow wireless users access to the internal network only via a VPN.
However, technology alone can't secure your clients' networks. Written policies are also valuable. "The lack of security policies increases corporate liability and exposure to intrusion," Snider warns.
Regardless of the size of the enterprise, effective security requires users to buy into the policies and practices you develop. That's why, in the best of all possible worlds, you're best advised to encourage your clients to involve their line-level employees in formulating those policies and practices.
"User acceptance and adherence can be maximized," Giordano says. "The value is derived from providing cross-departmental facilitation, security awareness and focus."