Enterprise Technology: The Right Ways to Protect Your Net

Companies everywhere leave back doors open to hackers and thieves. Here are smart tips for tightening your security and protecting your enterprise.

Brad Grimes

Joseph Dalessio helps defend Major League Soccer's corporate network from gamblers looking for inside information about games.

Who was trying to break into Major League Soccer's network? The question dogged Joseph Dalessio, network administrator for the New York-based league. "Either there were a lot of guys who wanted to try out for MLS teams, or they were gamblers looking for information that could affect the outcome of games," he says.

In January, Dalessio decided it was time to take stronger measures to protect the league's network. "We have a small user base--just over 500 people in 13 offices," he says. Even a single hacker-related outage could have been devastating, hitting everyone on the league's wide area network. So he deployed Cisco Secure PIX firewalls at league headquarters and at the 12 team offices.

Aside from rolling out the new, robust firewalls, Dalessio tweaked the network's infrastructure. For example, he took the old WatchGuard Technologies Firebox II system that had provided firewall protection for the league's previous network infrastructure and dedicated it to defending the remote-access servers that allow mobile workers to call in to the network. He broke monitoring and filtering functions away from the firewall and used SurfControl's SuperScout software to set up separate systems. And rather than add virus protection at the firewall level, he decided to use McAfee's WebShield E50 appliances to scan incoming e-mail for the presence of viruses and other malicious code.

"We've had one-tenth of the intrusion problems that we had before," says Dalessio. "And when the Love Bug [virus] and its offspring hit, we were unscathed."

You can learn a lot from Major League Soccer, as well as from the other security-conscious companies we talked with during a month of interviews for this article. We spoke with network administrators who were struggling to keep up with hackers and malcontents. We also talked to security experts, who say that while no company can be totally secure, all could come a lot closer to 100 percent safety if they took additional precautions.

"It is becoming harder to keep track of security issues and how to defend yourself," says Lance Hayden, formerly of the CIA and currently manager of professional services in the Cisco Secure Consulting Services group. "Once you build a better mousetrap, hackers build better mice. But companies can do more to protect themselves. For example, passwords present a common problem. Make them too strong, and employees write them on sticky notes attached to their monitors. But [passwords] need to be stronger. When we do security audits, we can crack up to 70 percent of network passwords."

Better password protection is just one way to keep your network safe. Options for improving security range from perimeter firewalls and intrusion detection systems to virtual private networks and identity authentication products. But you can't just throw them all at your security holes and sleep well. You need the right solutions for your company's unique situation. See which of the tips make sense for your company, and share your ideas with us at enterprise@pcworld.com.

Decisions, Decisions

Hard or Soft? Deciding between a hardware firewall and a software firewall is no trivial issue. In fact, the arguments in favor of each are so compelling that, of the two firewall solutions we hear about most from network administrators, one is hardware (Cisco Secure PIX) and the other is software (Check Point FireWall-1).

Hardware firewalls usually come in the form of plug-and-play appliances. Depending on the amount of traffic traversing your network, you may need a powerful model that can cost up to $100,000. Firewall appliances are normally easy to scale: As you need more protection, you just plug in another one. They may also have failover capabilities: with dual firewalls protecting your network, if one fails, the other picks up the slack.

Software firewalls run on your servers and often come in economical suites that may include a virtual private network or intrusion detection (see "Get Proactive," below).

Examine your network to determine the level of protection you need. Firewall appliances won't work in every environment, but their performance and ability to handle large loads make them worth a look. Software can slow down network performance if too much of it runs on one server (see "Break 'Em Up," below).

Remote Chance If your company employs a legion of mobile workers who connect to the corporate network through a remote-access server, the chances aren't so remote that a snoop could use that server to break in. You may diligently secure your network perimeters with firewalls and other systems, but if you don't authenticate remote-access connections or protect the server, you're leaving the back door wide open.

Consider installing a software-based firewall for your remote-access server. VPN suites, such as VPN-1 software from Check Point, also include remote-access security features.

If mobile workers handle confidential documents, their home PCs and notebooks should also run firewall software. A couple of our favorites: Zone Labs' $40 ZoneAlarm Pro and Network Ice's $40 BlackICE Defender.

Get Proactive Firewalls have become commonplace, but they're mostly reactive devices. That's why a growing number of companies are also deploying intrusion detection systems. If firewalls are the deadbolts, intrusion detection systems are the trip wires that set off alarms should someone get past the first line of defense. IDS products monitor and analyze network traffic to flag or stop intrusions, including denial-of-service attacks.

Intrusion.com is just one company with a line of hardware and software IDS products. Check Point, Cisco, Computer Associates, Symantec, and others also have IDS products.

Break 'Em Up Consider setting up servers or purchasing appliances that focus on one aspect of security apiece, separating your firewall, VPN, intrusion detection, and encryption systems. The chief benefit? Speed--as security measures become a ubiquitous part of your enterprise, they're liable to drag down your network. Separate servers, each focused on one task, can process data relatively quickly. As traffic grows, you can add a second or third firewall (or other security) more easily.

The Keys to Security An increasing number of companies are turning to public-key infrastructure technology to encrypt and secure all the data traveling along their networks. PKI software allocates digital certificates to company employees, enabling them to authenticate, encrypt, and decrypt files. But PKI products from companies like VeriSign and RSA Security don't come cheap. Research firm Gartner estimates that the typical cost of launching and managing PKI software for 5000 to 25,000 users ranges from $150 to $180 per seat.

When you investigate PKI products, ask the vendors how they charge for their systems. Is it per seat? Per application you want to secure? A combination? You'll also have to factor in training and support costs when you deploy a PKI system. It can be a very complex project, but PKI offers some of the best network security.

Solidify Your OS Anyone who uses Microsoft Windows (pick a version) already knows that operating systems are not always secure.

Enter trusted operating systems: security-hardened versions of standard operating systems. In the past, these products were so pricey and difficult to maintain that only big enterprises in need of rock-hard security bought them. But that was before the Internet made everyone a potential security casualty.

Trusted operating systems come in many flavors, including versions of Windows NT and 2000, Linux, Sun Solaris, IBM AIX, and HP-UX. They tighten security by isolating communications capabilities and other OS functions to keep them safe from hackers. You can also bolster your current operating systems by purchasing a product such as WatchGuard Technologies' $1295 ServerLock, which hardens Windows NT and 2000 servers.

Pull the Plug Even in this era of high-bandwidth, always-on Internet connections, there may be older desktop systems on your network that have dial-up modems inside. And if employees use those modems to get online or to synchronize information with home computers, they are circumventing your network firewalls.

The likelihood that a hacker will break in to your network through a modem connection is slim, but you should still take all reasonable precautions against it. Unless employees need dial-up modems to do their job, don't buy systems with bundled modems. And consider removing the modems from existing systems.

Scan Those Retinas Biometrics may seem like something out of Star Trek, but you ought to start thinking about using fingerprints, retina scans, voice recognition, and other unique-identifier technologies to authenticate network users. All these technologies offer protection against unauthorized users--whether company employees or folks meandering through the halls--who try to log on to a networked computer and then rifle through files.

Biometrics solutions may not be perfect (ask the vendors of fingerprint scanners how their products handle cellophane-tape impressions), but they're better than easy-to-remember (and-guess) passwords like birth dates and maiden names.

DigitalPersona's popular U.are.U fingerprint security system is available in one version for corporate use and in another for home and small offices (the $149 U.are.U Pro and $99 U.are.U Deluxe, respectively). Other choices abound. Veritel's VoiceCheck, for example, uses voice recognition to authenticate users, while products from Viisage use face recognition.

Vanquish Viruses Unless they have cute names like Melissa, viruses don't get much attention at the corporate level. But it's vital that you secure your enterprise against them. You can run antivirus software at all levels, from a gateway to a workstation, but you need central management to know what protection you have and whether it's working.

Symantec has an extensive line of enterprise antivirus products, including Norton AntiVirus for Gateways and Norton AntiVirus for Firewalls. Its Symantec System Center permits real-time communication with clients and servers from a single location. Competitors McAfee and Trend Micro also sell complete enterprise antivirus products.

Brad Grimes is a contributing editor for PC World.

Case in Point: Volkswagen's Hard-Driving Firewalls

Elliot Zeltzer, Volkswagen of America

Elliot Zeltzer is Volkswagen of America's manager of telecommunications and network services. Based in Auburn Hills, Michigan, he oversees a private extranet connecting 1000 dealerships across North America. When it came time to protect that network, Zeltzer faced the hardware versus software dilemma.

"In the end we wanted high performance and high reliability. In our opinion, that eliminated the option of a firewall running on a Windows NT or Unix server," says Zeltzer. Today, Volkswagen uses a pair of Cisco PIX 525 hardware firewalls to protect every connection along the company's network. "There are very few moving parts--no spinning disks and no operating system that can crash."

The hot-failover capabilities of the Cisco devices were also important to Zeltzer. If one firewall crashes, the second one automatically picks up the security duties, ensuring that the network is protected around the clock. "We didn't feel the clustering abilities of NT and Unix were quite ready for prime time," Zeltzer explains.

"We also wanted to push Unix out of our environment altogether, because it increased the cost of ownership," Zeltzer adds. "By streamlining our operations to as few platforms as possible, we've been able to drive down the cost of network operations by 15 percent."

Case in Point: Marshall and Ilsley Bank Profits From Virus Protection

Tim Foreen and Erin Fliess, M&I Bank

Last fall, the network administrators of Milwaukee-based Marshall & Ilsley Bank decided that its more than 200 branch offices needed better protection against viruses. The heart and soul of the bank's business ran on secure mainframe systems, but 6000 workstations and several e-mail servers needed reevaluating.

"Enterprise-wide antivirus protection wasn't uniform," says Erin Fliess, M&I's LAN support manager. "Some branches ran Norton AntiVirus; others ran old versions of McAfee. There was insufficient protection on our e-mail servers, and there was no way to centrally manage what antivirus solutions did exist."

M&I chose to adopt McAfee's ePolicy Orchestrator, a server product that can manage large networks of computers running various antivirus utilities. An ePO server at M&I's headquarters monitors virus protection at branches in Arizona, Florida, Minnesota, and Nevada.

"We especially like this solution because it runs well on the available bandwidth connections that we have between offices. We can broadcast virus updates to all our systems and have the changes in place within a day," says Fliess.

"As an added benefit, the product gives us an accurate count of workstations in the field," she says. Currently, the M&I network fends off half a dozen virus attacks each day.

Case in Point: University of Michigan's Healthy Approach to Security

Kalpesh Unadkat, University of Michigan Health System

It's looming out there, an ominous cloud on network engineer Kalpesh Unadkat's horizon: HIPAA. Among other things, the Health Insurance Portability and Accountability Act requires healthcare organizations to ensure the security of medical records by April 2003. That includes encrypting all medical information that travels over networks.

As a result, the University of Michigan Health System must secure 10,000 desktop systems at three facilities--not to mention the PCs used by remote workers and telecommuters. The Health System is standardizing on Check Point Firewall-1 and VPN-1, and on Check Point's RealSecure intrusion detection system.

"We are running it on IBM's AIX [operating system], and we like the performance we're seeing," says Unadkat. "We also appreciate the fact that Check Point software is part of OPSEC [Open Platform for Security], so we can integrate new solutions fairly easily."

What about remote workers who download information to their home computers and laptops? Unadkat says that they are required to run Check Point VPN-1 software.

Get the Message

Instant messaging moves to plug the gap between phones and e-mail.

In just three years, tens of millions of people have been lured by the prospect of talking to friends and coworkers using instant-messaging software. AOL Instant Messenger, ICQ, MSN Messenger, and other services have changed the way people interact online.

That revolution is quickly moving inside corporate walls. Industry analysts say that millions of workers use IM--often without the knowledge of their IT departments. The Radicati Group, a consulting and market research firm, predicts that the number of active IM accounts used for business will jump from 28 million in 2000 to 687 million in 2004.

Already, more than 250,000 IBM employees use Big Blue's own Lotus Sametime software to send messages to each other over a network. The U.S. Army has 3100 people using WiredRed's E/pop. And companies such as Boeing and Dow Chemical use Microsoft NetMeeting for instant collaboration. Should your company consider IM too?

Software makers are quick to tout the advantages of enterprise IM. Users can see whether colleagues are available and make quick, efficient contact. For example, a marketing specialist who needs to set up a client briefing can type an instant message inviting a manager to attend.

But some experts believe instant messaging fills a space that may not need filling. "Does the value of the interruption equal or exceed the value [of the worker's task]? That's a question that isn't asked enough," says Gil Gordon, president of Gil Gordon Associates, a telecommuting and virtual-office consulting firm.

The problem, says Gordon, is that IM presents yet another distraction to workers already inundated by phones, e-mail, and beepers. While users can set IM software to ignore queries, the software still adds another channel of communication to an already busy environment.

IT departments must also assess how IM clients will affect system and network performance. Text-based messaging uses little bandwidth and processing power. But comprehensive IM clients often pack features such as a whiteboard, videoconferencing, and application sharing--all of which can consume considerable PC resources and bandwidth.

Lou Latham, an analyst at industry research firm Gartner, contends that IM earns its keep. "As far as the individual worker is concerned, this is a major plus."

Management Muddle

Latham says that most IT departments already contend with unmanaged IM installations because users download client software from the Internet. A key concern is the fact that IM clients such as those from AOL and Microsoft transact messages over their own servers. As a result, businesses may find sensitive information being transmitted unencrypted over the Internet and landing in the hands of unauthorized parties.

Furthermore, an IM system that fails to integrate with existing directory services or other databases could lead to a nightmare of double entries and mismatched settings. IBM says it opted to use Sametime for its massive IM rollout in part because that product taps into standard LDAP servers that store account data.

Ultimately, the question may be whether you can afford to avoid instant messaging. With its simple interface, small network footprint, and easy integration, IM promises sizable return for a small investment.

"We went from no users to over a quarter of a million users, with no help desk, no support structure, no anything--just word of mouth," says John Patrick, IBM's vice president of Internet technology. "It's become a way of life. If we turned it off, I think we'd have a mutiny."

Michael Desmond

Vital Stats: Projected IM Growth

Year   Consumer IM accounts (millions)   Business IM accounts (millions)
2000   113                               28
2001   185                               62
2002   282                               151
2003   423                               345
2004   688                               687
Source: The Radicati Group

Making IM Work

1. Choose software that works with your corporate directories. Look for clients that tap into your company's back-end directories (Novell Directory Services, Microsoft Active Directory, or LDAP).

2. Train employees on IM etiquette, and make sure users understand that it's okay to tell others that they are too busy to receive messages.

3. Select customizable IM software that lets you hide features and limit access by account characteristics.

4. Unless your network is ready for bandwidth-hungry video, disable the audio and video features in IM clients.

5. Employ encryption to secure communications among employees. And be aware that external communications with vendors or customers will likely be sent "in the clear," where they could be intercepted by hackers.

Production-Savvy LaserJet 9000

HP's new LaserJet 9000 printers can handle departmental and production chores.

Even in the Internet age, large firms depend on high-volume transaction printing to produce invoices, checks, and purchase orders. These time-sensitive jobs often fall to dedicated production-class printers, which can be pricey and difficult to manage. Hewlett-Packard hopes to bridge the gap between departmental and production-level printers with its LaserJet 9000 series.

Built on a 50-page-per-minute engine, these new printers are rated for 300,000 cycles per month, double the capacity of the HP LaserJet 8150. They combine production-class specs with familiar technologies and management tools. The result is a printer that HP says can serve as both a departmental workhorse and an entry-level production printer. HP is hardly alone in this portion of the market: IBM, Xerox, and Konica all sell networked laser printers in the 40- to 60-ppm range.

For production printing, LaserJet 9000 series printers translate data streams tailored for IBM and Xerox production printers into HP's PCL5 description language. This optional capability lets a firm deploy one of these printers without disrupting established practices. For departmental use, LaserJet 9000 printers feature the same management tools that are found in other HP printers, so they should integrate easily into existing workgroup operations.

In either environment, IT shops can cluster multiple LaserJet 9000 units to spread high-volume print jobs across several machines. In this scenario, virtual print speeds can approach 300 ppm.

The base-level HP LaserJet 9000, which lacks networking hardware and advanced paper options, is expected to cost $2999 on the street, but most businesses will want to start with the LaserJet 9000n at $4839. The $5369 9000dn variant adds duplex printing, while the $8237 9000hns model significantly boosts media handling for high-volume operation.

Michael Desmond

Sign on the Dotted Line

A little more than a year ago, then-President Clinton signed the Electronic Signatures in Global and National Commerce Act, validating electronic signatures as a legally binding way to sign documents. Now, version 5.0 of ApproveIt Desktop from Silanis lets companies tap into the potential time and cost savings of electronic signatures.

Available for Windows 9x, NT 4.0, and 2000, ApproveIt Desktop lets users electronically sign documents using public-key encryption to protect against tampering or intrusion. This capability lets businesses eliminate time-consuming routing of paper documents without losing assurance that signed documents are valid under law. ApproveIt embeds digital signatures into documents, so they travel with e-mailed or downloaded files. Competitors include E-Lock Assured Office and ILumin Digital Handshake Server Suite.

Here's how it works: Users sign a document by clicking the Approve icon or by selecting Approve under the ApproveIt menu item that the software installs in popular applications. Once a signature is applied, ApproveIt Desktop takes a snapshot of the document and embeds an authentication code in the file. The next time a user opens the document, ApproveIt runs a second profile to confirm that the file still perfectly matches the signed original. If the program detects a change, it invalidates the signature.
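The sign-then-reverify flow described above, as an added example that is not Silanis's code: the signer takes a SHA-256 snapshot of the document, signs it with a private key, and the signature travels inside the file; on open, the snapshot is recomputed and checked against the signature, so any change invalidates it. The envelope layout, the use of Ed25519 and the sample document are assumptions for this example, not ApproveIt's actual format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// SignedDoc is the assumed envelope that travels with the file: the document
// body, the snapshot (SHA-256) taken at signing time, the signer's public key
// and the signature over that snapshot. This layout is an assumption for the
// example, not Silanis's file format.
type SignedDoc struct {
	Body      []byte `json:"body"`
	Snapshot  []byte `json:"snapshot"`
	PubKey    []byte `json:"pubkey"`
	Signature []byte `json:"signature"`
}

// Approve takes the snapshot of the document and signs it with the signer's
// private key, returning an envelope that carries the signature with the file.
func Approve(body []byte, priv ed25519.PrivateKey) SignedDoc {
	sum := sha256.Sum256(body)
	return SignedDoc{
		Body:      body,
		Snapshot:  sum[:],
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// Verify re-profiles the document on open: it recomputes the snapshot, checks
// that it still matches the stored one, and checks the signature over it.
// Any change to the body after approval makes this return false.
func Verify(d SignedDoc) bool {
	sum := sha256.Sum256(d.Body)
	if !bytes.Equal(sum[:], d.Snapshot) {
		return false
	}
	if len(d.PubKey) != ed25519.PublicKeySize {
		return false // malformed envelope; ed25519.Verify would panic
	}
	return ed25519.Verify(ed25519.PublicKey(d.PubKey), sum[:], d.Signature)
}

// Tamper returns a copy of the envelope with one byte of the body changed,
// simulating an edit made after the document was approved.
func Tamper(d SignedDoc) SignedDoc {
	edited := append([]byte(nil), d.Body...)
	edited[len(edited)-1] ^= 0x01
	d.Body = edited
	return d
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte("Purchase order 1234: 500 units at $2.00 each.") // constructed sample
	signed := Approve(doc, priv)
	blob, _ := json.Marshal(signed) // the signature travels inside the file
	var opened SignedDoc
	_ = json.Unmarshal(blob, &opened)
	fmt.Println("original valid:  ", Verify(opened))         // true
	fmt.Println("after edit valid:", Verify(Tamper(opened))) // false
}
```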

ApproveIt requires all signing parties to have the application installed--documents that are bound for other companies must be printed on paper for traditional signatures. To address this need, Silanis ApproveIt Collaboration Server lets ApproveIt users invite third parties into the signature process. Users send an e-mail with a link to the collaboration server, where invited parties enroll. The process requires installation of a software plug-in, however--a step that many IT departments may not authorize.

ApproveIt Desktop works with Word and Excel, Adobe Acrobat, and JetForm FormFlow 99 and FormFlow Classic software; a single-user license costs $149. Volume discounts are available.

Michael Desmond

©2009 About.com, a part of The New York Times Company.

All rights reserved.