Tricks of the LAN security trade



Network Security November 1994

Tricks of the LAN security trade Frank Doyle

Bells and whistles that enhance network security are available in copious amounts from endless lists of vendors. The latest in firewalls continuously grace the glossy pages of trade weeklies, while emerging technology from the PCMCIA is encapsulating complex encryption algorithms into credit card-sized peripherals. But even in the high-tech world of distributed computing nothing beats good, old-fashioned know-how. Years of experience that culminate in a well-implemented plan, rather than the latest gee-whiz gadgets, are an essential part of any network secured from outsider or insider damage. So, what are some tricks of the LAN security trade?

Developing the grand design

"The primary steps of developing a secure local area network consist of assessing the value of the information and from whom it is being protected", said Kevin Sorenson, director of marketing at Roseville, Minnesota-based Secure Computing Corp. "Only after an organization has gathered that information can it really sit back, look at risk assessment and make real decisions", he continued. "At this point what you end up with is a general security policy. Then you can make decisions with equipment, come up with procedural strategies, and so forth."

According to Sorenson, companies only have three different types of information: proprietary, employee and supplier. The company implementing a security plan needs to weigh the relative value of each type of information in relation to its loss, modification, or denial.

Experts agree that good network security requires, first and foremost, the dedication of administrative resources. There is a tendency to put LAN security solely in the hands of technicians and engineers. Technical personnel, however, rarely have the corporate clout necessary to enforce the plan, allocate financial resources to support it, and change it when necessary. For this reason, a well-implemented security plan is one in which the company has a clearly defined policy and there is a hierarchy -- hopefully with its pinnacle at the executive level -- that clearly defines those who are ultimately responsible. Everything after that is technical.

Insiders

Once a strategy is developed, companies can begin looking at techniques for securing their existing networks. Internal threats can be minimized by installing nodes without floppy disk drives, and even nodes without hard disk drives. "Insiders are motivated by extortion, looking for confidential information that can be profited from", said Winn Schwartau, executive director of Inter.Pact Inc, a Seminole, Florida-based security consultancy. "Anywhere from 40-80% of them are working with an outsider."

Before establishing a security procedure aimed at insiders, a company must first consider insiders' abilities to damage the company. If the company is comprised of 3% technical staff and 97% button-pusher application users, the security policy and implementation will be significantly different than if the vast majority of people were trained software engineers. "There is a tendency to say that if I have a lot of non-technical people, security need not be strong", Schwartau said.

But this is not necessarily the case. For example, "Using Novell [NetWare], most software-based security systems can be bypassed by booting off the A drive", he said. To avoid this, LAN administrators may need to install a hardware-based security system or use floppy-less PCs.

Regarding floppy disk drives, Schwartau asks, "Do you really need them? I mean, how many company secrets can fit onto 1.44 megs?" Anticipating a fairly high number in response, Schwartau recommends eliminating floppy drives in most situations, especially where temporary employees are concerned.

Others consider PCs without floppy disk drives the last resort of the very paranoid and say they should therefore be used only if extremely valuable information is at risk. Even with diskless workstations, people can look at information on monitors, which might be enough to constitute a security breach.

In addition to stolen files, there are also increased reports of stealing memory boards and hard disk drives from inside computer systems. "They often do this not so much to sell the hardware as to remove the hard drive and take the data", said Albert Janjigian, principal analyst at Boston-based Stat Resources Inc. To prevent such a theft Janjigian recommends locking computers down to tables or installing alarm systems that will trigger when someone tries to tamper with a case. But proper storage procedures will also contribute to protecting data. "We only keep applications at the workstations. All data files go to the server", he said.

Such an extreme approach -- which has led to workstations without hard disks -- is almost a step backward to the days of mainframe computing. Gaining wider acceptance in Europe than in the US, such an approach often results in a compromise to the efficiency of users accustomed to having all the data they need to do their jobs. "Now companies are targeting each other. It's now just part of the [corporate] mindset", said Hans Van Braun, network security consultant with San Francisco-based Creative Strategies Research International Inc.

To document the rise in security breaches, Van Braun conducted a survey of 451 US companies early this year. Of them, there were 269 reports of security breaches, 39% of which were inside jobs, and 46% from the outside. Additionally, 16% of the incidents in Van Braun's survey resulted in losses in excess of US$100 000, 18% were losses from US$10 000 to 100 000, and the rest less than US$10 000.

Despite these results, 20% of Van Braun's respondents admitted that they have little or no security on their networks, either in the form of password protection or firewalls, and 40% expressed no concern with network security at all. "The best thing is to have good logons and a system that reports things out of the ordinary", Van Braun counselled.

Van Braun said that a network administration system that simply prints read-outs of all logons is just not up to snuff. Nobody in IS or elsewhere in the company is going to have the time to review each logon and determine its validity. Instead analysts recommend developing or purchasing software that only reports on failed attempts and phone calls that disconnect before the full password is entered. Better yet is a system that monitors and reports on after-hours logons and pages the appropriate people when suspect attempts are being made, as well as systems that are able to automatically identify when data in files have been modified without authorization.
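The exception reporting described above, sketched as an added example that is not part of the original article: it drops routine daytime logons and reports only failed attempts, dropped dial-in calls and after-hours logons, paging on suspect attempts. The log format, business hours, paging threshold and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample records (not from the article): date, time, user, source, outcome.
# "aborted" = dial-in call dropped before the full password was entered.
SAMPLE_LOG = """\
1994-11-07 09:02:11 jsmith node14 success
1994-11-07 09:05:40 mlee node03 failed
1994-11-07 09:05:58 mlee node03 success
1994-11-07 13:20:05 unknown dialin2 aborted
1994-11-07 23:41:17 tbrown node22 success
1994-11-08 02:10:09 admin dialin1 failed
1994-11-08 02:10:31 admin dialin1 failed
1994-11-08 02:10:55 admin dialin1 failed
"""

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours
PAGE_THRESHOLD = 3  # assumed: daytime failures per user/source before paging

def after_hours(ts):
    """True outside the assumed business hours or on a weekend."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def triage(log_text):
    """Return (report, pages). Routine daytime logons never reach the report."""
    report, pages, failures = [], [], {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
        user, source, outcome = fields[2:]
        late = after_hours(ts)
        if outcome == "success":
            if late:
                report.append((ts, user, source, "after-hours logon"))
            continue
        reason = "call dropped before full password" if outcome == "aborted" else "failed logon"
        report.append((ts, user, source, reason))
        key = (user, source)
        failures[key] = failures.get(key, 0) + 1
        # Page on any suspect attempt after hours, or on repeated daytime failures.
        if (late or failures[key] >= PAGE_THRESHOLD) and key not in pages:
            pages.append(key)
    return report, pages

if __name__ == "__main__":
    report, pages = triage(SAMPLE_LOG)
    print(*report, sep="\n")
    print("page on-call for:", pages)
```

Of the eight sample records, six reach the report and only the repeated after-hours failures on the dial-in line trigger a page.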

'Open Sesame'

Security tends to become difficult when IS departments burden users with too many restrictions on how they use their machines. Users are typically accustomed to logging on to their PCs with name and password only. Anything more than that -- like a token system with peripherals that can be lost or left at home -- will most likely become a burden. Practical advice on passwords is to make them at least eight characters long. "Six characters used to be the old wisdom", said Robert Clyde, vice president of product marketing at Axent Technologies, a products and services division of Rockville, Maryland-based Raxco Technologies Inc.

As companies invest thousands to protect the family jewels from menacing threats on modern, distributed computing, they could just as easily benefit from a few simple precautions. When counting options that will lead to tighter network security, LAN administrators and corporate executives need not look far to come up with new solutions. A well-implemented plan and distinct hierarchy is just as important -- maybe even more so -- as the latest token system; eight-digit passwords are as key to security as firewalls.

©1994 Elsevier Science Ltd