IS YOUR FIREWALL ENOUGH?

Friday 11 May 2001

Many people think that a firewall is enough to protect web-connected computer systems from security hazards. Not so, says Paul Oxley, product marketing manager at Wick Hill, which specialises in security solutions for ebusiness.

A firewall is an absolutely essential security tool. No doubt about that. But if you want your company's network to be truly secure, there's work to be done before you even think about what tools you need to deploy.

Your first step should be to undertake a study to assess the security risks your organisation faces. Once you've identified those risks you need to formulate a security policy, which will lay out the risks, discuss any relevant issues around them and stipulate what tools can be used to deal with those risks.

The policy should be a wide ranging document not just about security but also about managing your business as a whole. It needs to reflect the philosophy and ethics of your organisation. As well as more obvious security issues such as hackers and viruses, it needs to cover other Internet issues such as the use of e-mail (e.g. do you use copyright notices) or web use (e.g. controlling web use in business hours).

A security policy needs to be based on clear thinking and to lay out exactly why certain security actions are necessary. It needs to find a happy balance between security measures and allowing your organisation to function effectively. An excellent book and CD by Charles Cresson Wood called 'Information Security Policies Made Easy' clearly shows the necessary thinking that needs to go on around setting up policies.

Attitude and education

At a very early stage there is an education process to undertake. While everyone understands the need to protect physical assets, lock doors and have security guards, most employees do not make a parallel with the need to protect a company's information, which is arguably more valuable.
So the importance of information needs to be stressed, along with the value of protecting it for both employee and company. Without a doubt, staff attitude is the single most important factor in making security work.

It is essential that senior management appreciates the need for security, is committed to it and allocates money to it – otherwise IT staff will be fighting an uphill struggle to implement proper security measures.

Once a risk assessment has been done, security policies have been drawn up, staff have been educated on the importance of security, senior management has committed to the concept and money has been earmarked for it, you then need to deploy the tools that have been selected.

That is certainly not the end of the process, however. Security is not static. Your security policy needs to be managed and regularly reviewed. You need to keep abreast of security threats and you need to monitor your security tools to see if they are working properly. You need to look at the information your security tools provide, as it is invaluable in helping you understand your security risks. And you need to test and audit your security measures to make sure they are working effectively.

Internal and external security

Everyone understands about the risks of a hacker from outside trying to get into your computer system. Yet, FBI stats consistently show that around 75% of all security breaches are internal.

Those internal risks include serious financial fraud, employees sending confidential information to other companies and disgruntled employees taking action to sabotage systems. They also include general snooping, such as finding out salaries or other confidential company information, which can have problematical consequences.

Another major area of risk often neglected is that of third parties. Your security is only as strong as your weakest link and you need to consider all those connecting into your systems from outside.
So if you have Internet connections with branch offices, customers and suppliers, or a link with a company supplying information to you electronically, you need to protect these connections.

If you have staff dialling in using mobiles, or you have staff using laptops outside and then connecting to your system, you need to consider these. Viruses, for example, can often get into your system from laptops, so you need a policy in place to deal with laptop use.

Security tools - the firewall

The firewall is an absolutely key security tool and properly configured it should protect you from external hacking. Depending on the firewall, you may also get a host of other security features such as VPNs, prevention of denial of service attacks, encryption, authentication, certification or web blocking of unsuitable Internet sites.

As firewalls today are low-cost and easy to deploy, they can also be used widely in an organisation. So they can protect internal departments such as finance or human resources. They can also be used for all your branches or for mobile users dialling into head office.

Other key basic security measures you will want to deploy are virus control, encryption and access control.

Virus control is absolutely essential to avoid a whole host of problems which may range from just minor irritations to results which can cost you hundreds of thousands, or even millions of pounds.

Without encryption, sending data is like sending a postcard – it's there for everyone to see. Encryption is essential and will probably come as part of your firewall or VPN facilities.

Access control is a basic and essential security measure ranging from password protection to more stringent forms of control such as biometrics (e.g. using fingerprints to gain access) or smart cards.
You will need to assess your level of risk to decide which is most appropriate, but don't forget, as far as access is concerned, attitude is the most important security measure – if staff leave passwords lying about, you've got security problems.

VPNs

A virtual private network is a secure tunnel over the Internet through which data can flow from one network to another without the risk of being read by hackers. Key components of VPNs are access control, encryption and the authentication of data and users.

VPNs are essential for any organisation with regular Internet communications with branches or third parties, such as suppliers. Today, peer-to-peer VPNs are available (such as those from CA's eTrust range) which protect information between individual PCs. VPNs are also available for mobile users and employees working from home.

ServerLocking

ServerLocking is a major development in protecting data, both from external sources and within an organisation. Products such as WatchGuard's ServerLock install on web, database or transaction servers to ensure that server-based information cannot be altered by unauthorised internal or external users.

Intrusion Detection

If you are serious about security, intrusion detection can be a very powerful tool. It monitors all incoming and outgoing activity on your network, taking a 'detect, alert, and prevent' approach. It will help enforce your security policies by picking up any problems your policy has defined, alerting you and carrying out automatic prevention.

Intrusion detection software may be quite sophisticated. Products such as CA's eTrust intrusion detection protect against internal and external hacking as well as distributed denial of service attacks. It has an integrated virus engine and can enforce your business policies on web use.

Content Inspection is another tool which you may want to deploy. It can protect companies from malicious mobile code attacks which may be hidden in viruses, Trojans, worms etc.
or in Java applets, Active-X controls and scripts – all of which can bring your business to a halt. It may also be used to check the content of e-mails to make sure they conform with the standards laid out in your security policy.

Monitoring, management and analysis

Once you have your security system in place, you may be feeling safe but unfortunately you cannot afford to rest on your laurels.

First of all you have to make sure that your system is actually working. The majority of breaches of firewalls occur because the firewall has been wrongly configured. So you need to test your systems. Vulnerability testing tools are available, such as WebTrends Security Analyzer, which throws the latest tests at your system to see if there are any holes. Regular security audits testing your system are also advisable.

Keeping up to date is essential because hackers and virus writers will always come up with new ideas. Expert help is very useful here. Solutions such as the WatchGuard LiveSecurity system (firewall-based Internet security) include a LiveSecurity Service which provides software updates, threat responses, timely information and technical support to keep your network defences up to date.

Monitoring and analysis are also key. For example, unless you monitor your firewall activity and get easy to understand reports, you simply wouldn't know if someone was trying to breach your firewall 100 times a day - and you certainly would want to know that! WebTrends Firewall Suite, which provides easy to understand reporting, is useful here. Intrusion detection is another helpful tool.

Conclusion

Is a firewall enough?
It's certainly essential, but if you're serious about network security you need to take a much broader approach – one that recognises the crucial importance of information and the absolute necessity of protecting it; one that truly integrates security throughout your business; one that matches the appropriate tools with the appropriate risks; and one that involves all staff in the security process.

By Paul Oxley, product marketing manager, Wick Hill Ltd.

Paul Oxley is product marketing manager at Wick Hill Ltd., specialists in infrastructure solutions for enabling e-business with a heavy emphasis on security.

This press release was distributed by ResponseSource Press Release Wire on behalf of Annabelle Brown in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms.