Modern enterprises use public networks to conduct private business. The Internet is a great medium for data exchange, whether that be using Web sites for customer interaction; enabling e-mail or XML data exchange between organisations; or creating Web front ends to existing databases so sales staff can check list prices while mobile. PSTN (Public Switched Telephone Network) and ISDN (Integrated Services Digital Network) are used in similar ways to provide dial-in access to public and private resources to customers and mobile staff.
Both of these solutions give computer systems a tangible address in the physical world, whether it be a phone number or a fixed Internet address. This connection comes at a price. Even though computing resources may be locked in high-security data centres, the security guards can do nothing to stop an electronic assault by someone using a network address to access the system. The age of data connectivity demands consideration of overall system security.
To best understand the tasks ahead, we'll first define some common scenarios where corporate resources are commonly coupled to the public networks and then see how they fit with the security methods we'll discuss later.
Scenario One: The customer Web site (Back to contents)
Public Web sites no longer consist of just simple, static content such as product information. When that was the case, the primary security concern was avoiding denial of service (DOS) attacks, where hackers would 'flood' a site with requests to make it unavailable to other customers, and site defacements, where pages on a site would be removed or replaced with potentially offensive or embarrassing content.
In order to get closer to their clients, many organisations now build Web applications that integrate into their database systems to allow customers to change their orders, view or modify personal data and otherwise interact with business systems. This has increased the importance of protecting the public Web site, both to ensure internal databases are not modified without authorisation and to meet legal requirements to keep customer information confidential.
Scenario Two: Linking remote offices (Back to contents)
The cost of dedicated leased data links between any two sites is high enough within the same city. When the requirement is to link two offices across the globe, it becomes prohibitive for many companies. Many companies are looking to use the Internet to move data between sites.
Scenario Three: Road warriors and telecommuters (Back to contents)
Providing staff with the tools to make them more productive has become standard practice in recent years. It makes sense to provide sales staff with up-to-the-minute information on pricing and availability. Giving staff access to their e-mail and other network resources encourages them to check in while away from the office. What started as providing Web-based e-mail is now about providing all the resources of an in-house desktop to a multitude of devices and locations.
Scenario Four: Business-to-business data exchange (Back to contents)
Data exchange between organisations doing business together takes many forms. These can include e-mailing documents, creating Web portals, or creating direct data exchanges, using older systems such as EDI (Electronic Data Exchange) or newer options such as XML (Extensible Markup Language). In all these scenarios, nobody wants their competitors to know what they are doing.
Why worry? (Back to contents)
The amount of computer crime is escalating. All it takes is one disgruntled person to start a Denial Of Service (DOS) attack and an organisation can be crippled for days. Hackers seeking vulnerable but well-connected systems as a base for their attacks need look no further than the growing number of PCs constantly hooked up to broadband connections.
Some hackers like the challenge, ex-employees may hack for revenge and others hope to find something valuable they can sell or trade through the computer underground. No matter how trivial the Internet resources exposed by a company, they will be probed within hours of becoming 'live', and if interesting, attacked soon after. The best hope for securing systems is to make them so hard to access relative to their perceived value that nobody will bother, and ensure that in the time it takes to break in the alarm bells will be set off, allowing administrators to counter the intrusion.