"An Ounce of Prevention" on the Internet: What Are Your Options?
By Thibault Dambrine
The Internet and e-commerce are challenging traditional business models faster than anybody could have predicted. Most companies are now fully aware it is virtually impossible to ignore the web-based competition. Today, most major companies are either selling on the Web or considered late.
As the business traffic on the Internet is increasing, so are the risks. Information and corporate data involving money has intrinsic value. Large amounts of this corporate information flows through public servers every hour of every day and this is obviously too good to pass for virtual muggers, hackers and spies.
As more and more companies are waking up to the new e-business reality: "Compete on the Internet, or lose market share!" The volume of new e-commerce websites, virtual stores, brokers, banks is mushrooming. New installations are typically aimed at taking on the huge opportunity of e-business. If these brave new websites are not well planned from a security stand point, they can also backfire and become a risk to the companies that set them up.
The scope of this subject is very wide. In this article I will cover the basics. I will expand on the possible risks associated with a direct Internet connection, covering also e-mail, web browsers which we use the most every day and how the AS/400 fits into all this. I will also show some of the options one could explore to make a network less vulnerable to outside attacks when connected to the Internet. Taking some wisdom from Benjamin Franklin, prevention is indeed worth the effort, as curing can be much more painful!
The threat of an outside attack from the Internet, be it retrieval of data, snooping, planting of bugs or simply vandalism (deletion of files, corruption of data) is very real. In IBM's own words, "no company should attach a system to the Internet without understanding the risks involved".
But what exactly are we talking about? To make the subject a bit more concrete, here are some common ways in which hackers may choose to invade your realm.
Mail Trash and Vandalism
Vandalism is an unfortunate fact of life. Some people spray walls with graffiti, leave key-scratches on cars or slash tires for fun. Others send malicious trash over by e-mail. Is the next message you are about to open a useless waste of time or is it relevant to your next major contract? Many times, good from bad e-mail messages are difficult to distinguish. If you cannot tell what it is you are receiving until you look at it, neither can your system. Multiply by several thousands the trashy e-mail messages to a single point and you have a simple but effective attack in an unprotected network. Beyond receiving this type of time-consuming junk-mail, if an outsider manages to sign on to your system, the consequences can be very damaging or even fatal.
Many of the traditional IP (Internet Protocol) based utilities such as TELNET and FTP send their passwords without any encryption. Any intermediate system that handles or relays your IP traffic can, while doing so, examine the packets you are sending. This is called "sniffing". Note that any encryption tool that uses the same encryption key more than once for their password is not a very strong defense, since the hacker could potentially use the encrypted password "as is" and get into your system.
On the Internet, you cannot trust anyone to be necessarily who they appear to be. Spoofing is a technique by which the hacker can configure a workstation or a system with a different IP address than the one that has been assigned to it. With this method, one can appear like he is making a perfectly legal request from a workstation belonging to someone within the company. But how does one proceed to get the IP address of your President or anybody in your organization? In an unprotected network, IP basic tools such as PING or TRACEROUTE can yield much more information than you would care to reveal to the public at large, like the IP address map of your network for example. How would this be so dangerous? Simply with an IP address, in an unsecured network situation, one can FTP directly to the president's desktop computer, copy what ever is of interest from the hard disk drive and wipe the disk before leaving.
Denial of Service
The so-called "Denial of Service" attack is when your system is effectively paralyzed by a flood of trash messages. The goal of this type of attack is to clog your mailbox with junk, to the point where you are no longer able to function properly. The aim is to make the target overwhelmed to the point where important messages, from clients for example, would not come to the attention of the people they are destined to. The inability to service your clients can be very damaging.
Note that this is by no means a full list of possibilities. Computer system break-ins are something you only hear about in the news very occasionally. Not too many companies want to admit their weaknesses in public. How confident would you feel if your bank admitted to having been raided by a stranger with a PC and an Internet access line? From all accounts, these types of events are mostly not reported. This is a type of crime no corporation wants to be a seen a victim of.
Once an outsider gets into your system via the Internet or any IP network, you should be aware, unless there are secondary security mechanisms in your system you are open to all exposures. With Telnet, a user can have virtual access to your system as if he was sitting at your desk. Pumping back sensitive information with FTP, destroying data or directories, stealing corporate secrets or sensitive mail are all possible.
Internal System Security Options
There are many ways to control or reduce your systems exposure to the Internet risks. They are as varied as the risks themselves:
Pull the Plug
Obviously, in this scenario, you would disconnect your system entirely from the Internet. This is safe, but then you also lose the benefits of direct access to the biggest information and customer contact source available.
The simplest form of protection against the Internet is a screening filter. Also known as "packet filter", this type of filter is generally implemented on the router that connects your system to a foreign network or to the Internet. In a two system or two network scenario, Host A sends IP message packets to Host B via the router, which is configured with filter that will allow these packets to go through in this direction. However, if Host B tries to send packets to Host A, they will not be allowed to flow through. Commands issued from Host B such as PING would also go nowhere.
Proxy Servers and Layered Approach to Security
Simply put, a proxy server listens to the computers on your internal network. When a client application makes a request, the proxy server responds by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client application on the computer that made the request. A proxy server provides internal users browser access to servers on the Internet using HTTP, FTP or GOPHER while not revealing the name or address of their browser.
Proxy servers can provide a cache of frequently requested Internet sites, blocks access to specific sites, and provides secure access between your internal network and the Internet. Proxy servers also offers extensible firewall security features.
Packet filtering and alerting can be configured to provide maximum security. An administrator can configure Proxy Server to grant or deny outbound Internet access by user, service, port, or IP domain, for both inbound and outbound connections. Data encryption is supported by means of Secure Socket Layer (SSL). In addition, Proxy Server takes advantage of the security features built into the AS/400.
Packet alerts and logging: Now your e-mail system or pager can notify you almost immediately if your network is under attack so that you can take action. Proxy Server supports several alerting thresholds and can issue alerts for specific events, such as for dropped packets or packets sent to an unused service port. You can have alerts sent to a dedicated packet event log or the AS/400 event log as well. Packet logging allows you to keep a full audit trail for security events.
External Systems Security: The Firewall
IP (Internet Protocol), the heart of "The Internet", is an open protocol by nature. It takes very little to access a remote system via an IP network. Those of us who have worked before with APPC and APPN configurations know how simple it is. The nature of this open protocol makes it both popular and for the first time has spawned a whole new application category: "The Firewalls".
A firewall is a system or group of systems that enforces an access control policy between two networks, namely your own and the Internet. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy.
A firewall can be a piece of software sitting on your main system as described earlier in the Internal System Security Options header, but recognizing the open nature of the IP protocol, many companies run their firewalls on completely separate machines that stand between the corporate systems and the Internet.
What specifically can a Firewall do for your system?
Some firewalls permit only e-mail traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside.
Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc. Firewalls can also mask your internal IP addresses from the outside world. For instance, the firewall can use one IP mask, while the internal network uses another. Thus the hacker cannot use PING to map your internal network.
In point form, an effective firewall should perform the following basic functions:
What can't a firewall protect you against?
Even more important than knowing what a firewall can do, in the paranoid realm of security planning, you want to know very well what a firewall will NOT do for you.
Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network.
For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all. They shouldn't be hooking up to the Internet in the first place, or the systems with truly sensitive data should be isolated from the rest of the corporate network.
Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall. Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering. An attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.
Can a Firewall protect against Viruses?
Firewalls can't protect very well against things
like viruses. There are too many ways of encoding binary files for transfer
over networks, and too many different architectures and viruses to try to search
for them all. In other words, a firewall cannot replace security- consciousness
on the part of your users. In general, a firewall cannot protect against a data-driven
attack -- attacks in which something is mailed or copied to an internal host
where it is then executed. This form of attack has occurred in the past against
various versions of
ghostscript, a freely
available PostScript viewer.
Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software geared to start at boot up time. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet -- a large number of viruses are actually transmitted via floppy disks.
Nevertheless, an increasing number of firewall vendors are offering "virus detecting" firewalls. While every bit helps, it is wise not to count only on a firewall with this feature for protection from attackers.
E-Mail and Internet Browsing Security
E-mail is now the most widely used form of office-to-office, desktop to desktop communication tool. Faster than mail, more direct than a fax, with little or no perceived intermediate steps between the sender and the receiver. I did say, "perceived"!
An e-mail message, travelling from hub to hub on the Internet en route to its final destination may be compared to a postcard. Many people have a chance to read, divert, or track that card as it travels along the chain of delivery.
Most times, your e-mail messages are archived - at least at the departure point and at the receiving point. If you think about it, your own e-mail system probably keeps a copy of your sent mail and you most likely have several hundred messages in your in box too! A skilled hacker can thus get access your messages weeks, months or even years after you send them. Even if you have excellent security systems, do you know if all your correspondents have the same?
Even major e-mail providers like Hotmail are not immune. Microsoft admitted on August 18, 1999 that its MSN Messenger instant messaging client can accidentally disclose Hotmail account passwords. Even if the password is supposedly deleted from a computer, someone else could still view it if they knew the proper keystrokes. Late in August 99, someone found a deceptively easy way to break the provider's security. The trick worked this way: Any Web page that contained a short, simple code -- visible on most browsers as a type-in form -- was able connect to a Hotmail server simply by typing in a user name without requiring a password. The code quickly spread to dozens, if not hundreds of sites.
We send everything via e-mail, from resumes to cooking recipes. Statement or Work documents, contracts, court agreements. Think about it, would you send a copy of your latest deal on a large post-card? This is more or less what we are all doing now with e-mail on the Internet.
Lately, a new type of security-oriented website is sprouting on the Internet. These new websites are filling the security gap that has opened up as we, the Public, have come to depend on having e-mail right at our desk.
Sites like http://www.anonymizer.com/ offer free anonymous encrypted e-mail service, much the same way Hotmail offers free e-mail. Encrypted or anonymous browsing, means your IP packets are "cleaned" of your identity before they leave the privacy site let you browse without the site knowing from what server or what IP address you are browsing from. As the opportunity to pick up information is multiplied, so is the number of sites that will help you hide or shield yourself from the overload of unwanted material.
No doubt, there will be a lot of new development in the near future for e-mail security.
Commercial Transaction over the Internet
How Internet Commercial Transactions Work
Knowing now that e-mail is not a very secure way to send sensitive information such as credit card numbers or other personal data, it is no surprise that the Internet industry leaders have come up with a way to communicate securely over the Internet.
The Secure Socket Layer (SSL) protocol is the current de facto standard for securing transactions and messages over the Internet. The fact that there is transaction security is what allows e-commerce to happen. Despite the boom in Internet commerce transaction volume, there are still a lot of skeptics. Understanding how secure transactions are exchanged may help settle any doubt.
The term "Socket" refers to an open network Application Program Interface (API) standard. It was first designed at the University of Berkeley to create a standard programming interface for communication sessions over TCP/IP. The Secure Part of Secure Socket Layer rides on top (yes, like a layer of software) of top of ordinary "Socket" APIs and are used to encrypt messages exchanged over these "Sockets".
The primary goal of SSL is to provide privacy and reliability between two communicating applications. SSL is the tool that makes the exchange of private e-commerce transactions over the Internet. The same types of encryption tools are also at the heart of "tunneling" applications. Tunneling is a term that describes the use of the Public Internet to exchange data between remote elements of a private network over the public Internet while keeping the data private. Tunneling is what makes Virtual Private Networks or VPN's possible. The term "tunneling" refers to the way you create your own private [encrypted] tunnel of information flow between two remote locations.
Here, from the Netscape Website, is the textbook definition of SSL:
The protocol is composed of two layers. At the lowest level, layered on top of some reliable transport protocol is the SSL Record Protocol. The SSL Record Protocol is used for encapsulation of various higher level protocols.
One such encapsulated protocol, the SSL Handshake Protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. One advantage of SSL is that it is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently.
The SSL protocol provides connection security that has the following basic properties:
Here is what it means in more common terms: You can think of the asymmetric encryption key as a pad lock that would have one key to lock and a different key to unlock, with a unique correlation between the locking and the unlocking key. The locking key is public and the unlocking key is private.
When you make a transaction on the Web with a secure socket layered site, essentially, you get the public key from the e-commerce vendor that will be used to encrypt the data you will send. You then send data encrypted with that public key over the Internet back to your vendor. This (now encrypted information) for example may contain the item number you are ordering and your credit card number. To decrypt the message you have encrypted with the public key, the only efficient method there is, is to use the matching (and private) decrypting key. Only the e-commerce vendor you are purchasing your item over the Internet from has this private key. This system of asymmetric keys is design in such a way that it would take years of processing to figure out the private key, thus discouraging sniffing on your SSL transactions.
Both Netscape and Microsoft have built SSL into their browsers and servers. Encrypting and decrypting does take computer resources, but with the power now available at one's desktop, this has become a negligible factor.
More on SSL can be found at http://home.netscape.com/eng/ssl3/3-SPEC.HTM#8-1
AS/400 Internet Security Exposures
Although the AS/400 has built-in operating system security features second to none. Even it is not immune to malicious hackers. The days when AS/400 was used as a stand-alone machine are long over now. In even the most basic shops, the typical installation has the AS/400 hooked up to a number of PC's serving as 5250 terminals with emulators. Most times, these emulators are connected with a LAN, mostly using IP as a protocol. Through this path, the Internet is just one hop away.
The IBM web site (accessible via www.tug.on.ca) contains electronic versions of most Red books available. One of them, "Securing your AS/400 from HARM on the Internet", identifies no less than 8 areas to secure on your system, if it is going to be exposed to the Internet, even indirectly. Here (directly from the book) is a summary of these exposures and precautions:
This is all about basic security on the AS/400, exposures such as the security levels that you are working with, the password rules, the security system values that you defined, the user profiles, the authority to your system objects and your TCP/IP applications and ports.
If you chose to use your AS/400 as Web Server, your primary security concern will be to control what data can be accessed and what data should be kept from prying eyes. You want to also ensure HTTP server requests cannot put, update or delete data on your system.
Most World Wide Web (WWW) servers require that you write scripts or programs to create interactive forms and applications. The AS/400 developer community can use a shorter path to the WWW: The AS/400 Workstation Gateway function of the Internet Connection for the AS/400 (IC/400) Workstation Gateway (WSG) function allows you to use your current interactive applications as a base for WWW screens. Here is how it works: Functionally, the IC/400 WSG is similar to a TELNET session. It simply sends the 5250 screen images to the browser rather than a 5250 emulator. The main security exposure here is similar to that of a TELNET session: user ID's and password are transmitted in the clear, or without being encrypted. One way to prevent detection of user ID's and passwords is to implement an anonymous WSG application.
The AS/400 as a mail server can accept mail from external hosts and send mail through SMTP. All the threats related to mail attacks are relevant here, even on the AS/400.
The first thing that comes to mind when thinking about mail security is viruses. Narrowly defined, a virus is a program that can change other programs to include a copy of itself. The AS/400 architecture prevents any AS/400 object from being replaced by a virus, however, attachments sent in electronic mail can be stored in a shared folder or in the integrated file system. From there it can be spread to PCs within the organization. Mail attacks can also do a variety of different damages, such as overloading the disk, the CPU or other trouble.
FTP consists of a client and a server. The AS/400 can play both roles. FTP subcommands can either transfer files or trigger commands. Some of these subcommands are powerful and must be controlled with an FTP exit program. Access to certain files may be equally sensitive and this also must be protected.
The AS/400 Telnet server allows a TCP/IP client to log on as a remote Telnet client, sign-on, and run applications on the AS/400 system. When using Telnet, every character, including user profile and password, exchanged between client and server are transmitted in the clear. This is a huge security exposure and if at all possible, IBM recommends not using Telnet over the Internet.
SLIP stands for Serial Line Internet Protocol. SLIP is used when you run TCP/IP over dial-up connections through an RS232 port. SLIP provides an easy way to access your AS/400 system via a switched line. SLIP is used more commonly for a group of employees who "dial in" to the AS/400 system via a regular phone line. The exposures of using SLIP are similar to that of any access via the Internet. You cannot be completely sure that the person "dialing in" is not a hacker that has stolen a password. The applications allowed to be used within the access provided with SLIP must also be secured.
I/NET is comprised of Commerce Server/400, and Webulator/400 on the AS/400 system. The cornerstone of Web-based commerce is encryption and the ability to transmit data over the Public Internet without individuals being able to read your messages on the way. Thus, a private encryption key is an asset to be protected at all cost. With a copy of your private key, anyone can pose as you or your company.
Webulator/400, which is the I/NET workstation gateway product, allows the Web Server to present a 5250 screen via a Web browser. In a controlled environment, this is no greater exposure than running any other non-programmable terminal. However, connecting the Web server to the Internet removes physical security and relies solely on how you have secured your AS/400 system.
Security, on any system, starts with the basics. A strong internal security is the base building block from which to start. When connecting to the World Wide Web, the AS/400 is no less vulnerable to malicious attacks than any other system. The best place to start for protection in this realm is to be well informed of the dangers inherent to each type of connection or combination of connections (see I/NET). On top of this, having a multiple barrier strategy to security should be considered as base necessity. If one barrier is broken, there must be (as much as possible), another one behind to stop the intruder or to limit the damage.
If you remember the old days of 5.25 inch floppy disks that were "copy protected", you probably also remember the programs that "made them copyable". Every time a new copy protection scheme came up, it never took too long for some body to come up with a meaner, smarter copy program. The Internet for worldwide mass usage is still a young technology. The battle between the hackers and the privacy advocates will go on for a while yet. Our only weapons, for now, are to stay informed and use common sense.
As you can see, security on the Internet is a vast subject. In this article, we have only scratched the surface.
"An Ounce of Prevention is Worth a Pound of Cure" is a phrase coined by Benjamin Franklin (1706 - 1790).
Over two hundred years after it was first iterated, the Internet is giving new meaning to this wise statement.
Sources and notes:
IBM: Safe Surfing: How to build a Secure Word Wide Web Connection SG24-4564-00
IBM: The Basics of IP Network Design SG24-2580-00
IBM: AS/400 Internet Security: Securing Your AS/400 from HARM in the Internet SG24-4929-00
Microsoft Proxy Server home page on the Internet: http://www.microsoft.com/proxy/
Secure Sockets information can be found on the Internet at: http://home.netscape.com/eng/ssl3/3-SPEC.HTM#8-1
Internet news references in this article can be found at: http://www.wired.com/
You can find out more on FTP and the AS/400 at http://www.tug.on.ca/AS400FTP.htm
The World Wide Web is also replete with firewall and Internet security literature. For most of my Internet searches, I use a tool called copernic. It is available at http://www.copernic.com/. It launches your search (with your search argument) simultaneously in a dozen of the major web search engines (like Yahoo or Lycos) and returns the results faster than you could do it yourself. Great research product for the Web!
The author does not own shares in any of the websites or products mentioned in this article.Back to Tylogix Home Page