In-Depth

Web-to-Host Connections: Network Security: Damn the Hackers, Full Speed Ahead

• 05/01/2000

What’s the gravity of the threat to organizations connecting their legacy systems to the Web? In discussions I’ve had with CIOs and IT managers, the consensus seems to be, to paraphrase Admiral David Farragut, "Damn the hackers, full speed ahead."

That’s precisely the U.S. Navy’s take on the challenge. When it comes to information assurance, the Navy knows there are limits. "Too much security is not a realistic option in today’s e-business environment," says Dave Wennergran, Deputy CIO of the Department of the Navy. "Your ultimate security is total isolation. At the same time, you can’t get your business done ... We are an organization that needs far-flung communication and the sharing of knowledge."

The Navy has ambitious e-business initiatives underway, from building links to its supplier networks, to online telemaintenance, in which Navy personnel on board a destroyer in the South Pacific can work online, and in realtime, with engineers at a contractor site in Indianapolis to resolve a problem. Part of the Navy’s approach is to rely increasingly on digital certificates, encryption and smart card verification over the Internet.

The security structure and tools that are currently available are more than adequate for protecting all sorts of systems, and the benefits of going out on the Web with e-business far outweigh the risks. In Web-to-host deployments, firewalls, VPNs, SSL and PKIs provide a high degree of security that are coupled with an S/390 or AS/400’s inherent security features built in below the machine interface layer.

However, while systems may have multiple layers of security from Web attacks, there is still an Achilles’ Heel – passwords. People forget them, or write them down in the wrong places, or use obvious passwords. Wayne O. Evans, a Phoenix-based IT security consultant and speaker, calls security a "black art" for many customers. "In most cases, the security of mainframe and midrange systems isn’t weak, but the implementation of the security is weak," he says. Something as simple as changing passwords on a regular basis can multiply the security of a system, Evans notes. "Companies are afraid that if they force users to change their passwords, the users won’t be able to remember them."

The current system for managing passwords is not a credible authentication solution, agrees Eric Hemmendinger, an analyst with Aberdeen Group. "Users record passwords on Post-It notes, exposing the myth of passwords as protection for the IS infrastructure."

There are password solutions coming into the market that offer a means to address this issue – and can be extended to internal Web-to-host deployments. One interesting password-related security technology on the horizon is biometrics. A low-price device, now offered by Compaq, may help drive acceptance of biometric security in corporate environments. The PC server giant offers small $99 fingerprint readers – about the size of two sugar cubes – that can be attached to end user workstations to authenticate end users. The device and software make use of a user’s unique password for life – his or her fingerprints.

Another approach, more suitable to external Web-to-host access, is to put an "instant VPN" on a smart card that integrates biometric information. The Battelle Institute recently unveiled such a solution that stores digital fingerprints. Work is also underway for digital face and handprints, as well as iris and retina pattern recognition. The fingerprints of an individual accessing the network can be read through an attached fingerprint reader, then matched up against the information stored in the card, explains David Appelbaum, Manager of Advanced Systems for Battelle. The two sets of fingerprints act as keys that can enable Web access and e-commerce. "This will eliminate the need for third-party certification, or a certificate authority," says Appelbaum. The card can interface with HTML or XML formats, and no special tools or e-commerce packages are required, as they currently are to develop a VPN.

Even biometric readers and smart cards still "do not address a key issue – when the user walks away, the PC, and network-connected servers and applications, remains accessible to anyone in the vicinity," says Hemmendinger. "For the sake of convenience, too many users fail to log off from applications, networks and systems before walking away from their desktop PCs."

That’s why Hemmendinger is bullish on "contactless authentication." One vendor offers a "Vicinity Card" that can be detected at a close range by a sensor attached to the PC, using wireless technology. The session is disabled when the user steps away from the PC.

While these technologies are promising, widespread acceptance is still years away for full-blown e-business sites, let alone Web-to-host arrangements. For now, along with encryption and firewall technologies, the best weapon an IT manager can deploy is end user education and awareness.

About the Author: Joseph McKendrick is an independent consultant and author, specializing in technology research and white papers. He can be reached at joemck@aol.com.