Security

INTERNET AND INTRANETS GUIDE

Security

Firewalls and encryption devices thwart hackers and spies.

bout the same time that the Senate was passing the Information Infrastructure Protection Act a few months ago, Swedish hackers were infiltrating the CIA's Web site. They changed the home page title to the Central Stupidity Agency, replaced Director John Deutch's photo with that of an unknown person and redirected hypertext links to Playboy magazine.

A short time earlier, the General Accounting Office had reported that the Pentagon's computer systems were attacked no fewer than 250,000 times in the last year. Replacing and repairing modified and stolen data after the break-ins reportedly cost the Defense Department millions. GAO concluded that Defense agencies, like their civilian counterparts, had become too dependent on the Internet for e-mail and other applications.

These incidents, and dozens more throughout the government, show what a poor job federal organizations have done to safeguard Web sites and internal intranets from hackers, spies and on-line terrorists. Some agencies simply overlooked security precautions in their rush to cyberspace. Others intentionally ignored warnings because they thought security controls were too expensive, time-consuming and annoying. The subject is so sensitive that many government Webmasters refuse to discuss it for fear they will expose their agencies' vulnerabilities.

But plenty of other entities are speaking out about security threats posed by the Internet and Intranets. The White House, for instance, recently backed a Justice Department proposal to create a rapid-response team to combat computer attacks. The General Services Administration, meanwhile, has established the Federal Webmasters Information Management Working Group to help agencies comply with the 1987 Computer Security Act and other federal security policies.

The National Security Agency has published a set of requirements (available at mitten.ie.org:8000) for firewalls and other Internet security devices. And the National Computer Security Association is offering a certification program for doing security audits on Web sites.

Experts agree that before agencies implement any defense mechanisms, they first must have comprehensive security policies in place. These policies must clearly outline what is to be protected and how. In addition, agencies must have the expertise to monitor security systems to determine whether they are working adequately. The Office of Management and Budget has mandated that agencies provide security training to all new employees before allowing them access to on-line systems.

One of the biggest problems with Internet and intranet security devices is that they are usually proprietary, meaning they only can operate with products using the same protocols. Another problem is that generally no one product is enough, thus experts recommend using a variety of security devices to thwart attacks.

The most popular Internet/intranet security control is a firewall that can be placed between Internet connections and internal local-area networks and wide-area networks. Firewalls keep out intruders by closely monitoring traffic between internal and external networks. The names, applications, and TCP (Transmission Control Protocol) sequence numbers, Internet Protocol addresses and destinations of those wishing to pass through firewalls are checked against access lists. Unauthorized users are denied access to internal networks.

Firewalls contain mechanisms for confirming that information originates from where it says it does, and that it has not been altered en route. They also generally ensure that accepted data can be accessed only by addressees.

Firewalls can comprise hardware, software or a combination of the two. Some are located on separate server gateways, which are computer connections between networks. Proxy servers can be installed between specific applications and programmed to hide critical information from outsiders.

Other firewalls are contained on secured routers, which can be hardware/software combinations that filter data packets to identify source addresses of users trying to enter networks. Switches also can serve as intranet firewalls by dividing traffic into separate networks and localizing it.

Some of the largest suppliers of firewalls in the federal market are CheckPoint Software, Cisco Systems, CyberGuard Corp., Digital Equipment Corp., Harris Computer Systems, Norman Data Defense Systems, Raptor Systems, Trusted Information Systems and V-ONE. Prices range from $5,000 to more than $100,000, depending on the number of nodes on the network.

Many agencies conducting electronic commerce transactions over the Internet rely on encryption devices, which scramble data in order to protect the confidentiality of information. The products use complex algorithms to translate digital files into unreadable code that only can be deciphered with appropriate decoding devices.

Some encryption devices are software-based while others, such as Cylink's InfoGuard asynchronous transfer mode cell encryptor, rely on hardware. Fortezza cards from National Semiconductor Corp. and Spyrus Inc. are used to encrypt e-mail on the Pentagon's Defense Message System.

Two types of technology exist for encoding transmissions: public-key and private-key encryption systems. With private-key encryption, both parties share one key-or mathematical value-for encryption and decryption. IBM's Data Encryption Standard, which was endorsed as a Federal Information Processing Standard in 1977, is the most popular algorithm for private-key encryption. With public-key encryption, such as that sold by Mykotronx and RSA Data Security, each user holds a public key and a secret key. Digital signatures, which serve as electronic watermarks, can be used to authenticate senders and to verify that data has not been altered in transit.