Special Feature: Layers of Security: Firewalls, Anti-virus Software, VPNs

IT has become dependent on the Internet, intranets and extranets, making corporate information vulnerable to outside intrusion. We can approach the IT view of security in an onion-skin fashion, starting first at the firewall protecting the company, next proceeding to the internal network, dealing with viruses and the control of errant ActiveX, Java and executable files, and finally examining the role of virtual private networks (VPN).

The first line of defense against external threats to the network is a firewall. If the computers are attached to a network, the computers are at risk. Firewall technology provides a set of mechanisms to enforce a security policy on communication traffic entering or leaving a company.

Firewalls focus on controlling which communication may pass between a company and the outside world. The firewall acts only on traffic that crosses the boundary between the company and the Internet; traffic that stays completely within or completely outside the company is not affected. Note that filtering by itself does not protect data in transit from eavesdropping (passive wiretapping) or alteration (active wiretapping); that protection comes from the encryption and authentication that VPN features add to the firewall. Firewalls also provide a measure of protection from "denial of service" attacks, in which users inside the company are cut off from the Internet either by a single malformed message that disables communication equipment or by a flood of messages that clogs the link.

Firewalls address network security in a way host-based security cannot. Firewalls make the administration of the systems and network more efficient, because they are transparent to users, limit exposure to the internal network, and can accommodate almost any internal network topology. Firewalls are also growing in popularity within companies’ intranets, segregating the developers from the production line, the business partners on the extranets from research and development, and so on.

Detractors claim firewalls generate a false sense of security, leading to laxity in enforcing security measures. Firewall development diverts resources away from improving the security of the systems within the firewall. Firewalls do not provide protection against malicious insiders and fail against connection activities that circumvent the firewall, such as unauthorized modems attached to computers within the firewall. In addition to these unauthorized rendezvous, there are "data-driven" attacks, such as those carried out by malicious executable code in apparently innocent downloaded Java applets, ActiveX controls, macro viruses attacking Microsoft Word and Excel, viruses attached to incoming e-mail, and malicious executables attacking the operating system.

Firewall Protection Schemes

Firewalls employ security mechanisms that roughly correspond to layers of the seven-layer OSI model. Packet filtering, for example, operates primarily on the network and transport layers (IP addresses, protocol, and port numbers), while network address translation rewrites network-layer addresses (and, when ports are translated as well, transport-layer port numbers). A circuit-level proxy operates at the transport layer, relaying connections without understanding their contents, while an application-specific proxy operates at the top three layers and understands the protocol it relays.

All major firewalls are based on one of two architectures: application-level proxying or stateful packet filtering. Application-level firewalls force all network traffic (IP packets) to be reassembled and relayed through proxy applications running on the firewall, so no packet passes directly from one side to the other. Stateful packet filtering checks the first packet of a new connection against the security policy and, if the connection is authorized, records it in a state table; subsequent packets are passed only if they belong to a connection already in the table. This is more efficient than the original router-based packet filtering, where every packet was examined against the full rule set in isolation, and it closes the holes that open when a stateless filter must guess from header flags alone whether a packet is a legitimate reply.
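To make the difference between the two filtering styles concrete, here is an added example (not code from the article or from any vendor it names) of a stateful filter and the older stateless "ACK means reply" rule side by side. The addresses, ports and the "allow outbound web traffic" policy are constructed for the illustration; the point is that an inbound packet with the ACK flag forged on is passed by the stateless rule but dropped by the stateful one, because no inside host ever opened that connection.

```go
package main

import "fmt"

// Direction of a packet relative to the protected network.
type Direction int

const (
	Outbound Direction = iota // inside host -> Internet
	Inbound                   // Internet -> inside host
)

// Packet holds the header fields a TCP/IP filter actually consults.
type Packet struct {
	Dir              Direction
	SrcIP, DstIP     string
	SrcPort, DstPort int
	SYN, ACK         bool
}

// flowKey names a connection from the inside host's point of view, so both
// directions of one connection land on the same table entry.
type flowKey struct {
	inIP, outIP     string
	inPort, outPort int
}

func keyFor(p Packet) flowKey {
	if p.Dir == Outbound {
		return flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}
	}
	return flowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}
}

// StatefulFilter checks policy only on the opening packet of a connection and
// records the connection; later packets in either direction pass by table lookup.
type StatefulFilter struct {
	allowedPorts map[int]bool // destination ports inside hosts may open outbound (constructed policy)
	conns        map[flowKey]bool
}

func NewStatefulFilter(ports ...int) *StatefulFilter {
	f := &StatefulFilter{allowedPorts: map[int]bool{}, conns: map[flowKey]bool{}}
	for _, p := range ports {
		f.allowedPorts[p] = true
	}
	return f
}

// Filter reports whether the packet may pass.
func (f *StatefulFilter) Filter(p Packet) bool {
	k := keyFor(p)
	if f.conns[k] {
		return true // continuation of an already authorised connection
	}
	// Only an outbound SYN (without ACK) to a permitted port may create state.
	if p.Dir == Outbound && p.SYN && !p.ACK && f.allowedPorts[p.DstPort] {
		f.conns[k] = true
		return true
	}
	return false
}

// StatelessFilter is the older router ACL approach: each packet is judged on
// its own header, and inbound packets pass if ACK is set, on the assumption
// that only replies to inside-initiated connections carry ACK.
func StatelessFilter(p Packet) bool {
	if p.Dir == Outbound {
		return true
	}
	return p.ACK
}

func main() {
	f := NewStatefulFilter(80, 443)
	// Constructed traffic: an inside web client, the server's reply, and a
	// forged inbound packet with ACK set, aimed at a file-sharing port.
	syn := Packet{Outbound, "10.0.0.5", "198.51.100.7", 40000, 443, true, false}
	synAck := Packet{Inbound, "198.51.100.7", "10.0.0.5", 443, 40000, true, true}
	forged := Packet{Inbound, "203.0.113.9", "10.0.0.5", 1234, 139, false, true}
	fmt.Println("client SYN   stateful:", f.Filter(syn), " stateless:", StatelessFilter(syn))
	fmt.Println("server reply stateful:", f.Filter(synAck), " stateless:", StatelessFilter(synAck))
	fmt.Println("forged ACK   stateful:", f.Filter(forged), " stateless:", StatelessFilter(forged))
}
```

A production filter would also age entries out of the table and track TCP teardown; the example keeps only the part that explains why the first-packet check plus a connection table is both faster and safer than judging every packet alone.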

Selecting the right firewall for your enterprise usually involves finding answers to a long list of questions. Some of these questions are answered by reviewing a vendor's products, reviewing the vendor's educational information and documentation, and examining each product's functionality. How does the product integrate into your existing operation? Is it essentially plug-and-play, or does it require extensive setup and adjustment to work with all elements of your IT infrastructure? Are the operating systems compatible? Can the product be readily integrated with other security tools? What network and management protocols are supported?

Since monitoring the activity at a firewall is notoriously neglected by IT operations, questions pertaining to how the product handles reports and audits are especially important. What types of reports are available: usage, operation, incident and summary? Are audit analysis tools for the reports available or included? If intrusion detection is included, how well is it done, and what false-positive rate does it produce?

In addressing attacks and responses, does the product offer counterattack or counterintelligence probes against attacks from the Internet to qualify the address and validity of the attack, or does this require manual recognition and intervention? SecureZone from Secure Computing Corp. (San Jose, Calif., www.securecomputing.com) offers both counterintelligence (a probe of the address attempting the break-in) and counterattack (trapping and shutting out the offending address, according to pre-programmed rules). Few if any other commodity-style products have this capability. Automated response carries its own hazard: attack traffic frequently arrives with a forged source address, so a product that probes or blocks the apparent source may be acting against an innocent third party, or against a legitimate partner address the attacker chose deliberately. Such rules should be conservative and their results reviewed by a person.

Other questions to ask: What is the fault tolerance of the product? Does the product recognize data content? Does it proactively block viruses, executable code, malicious Java or ActiveX code, or malicious mail attachments?

What are the installation and maintenance issues of the product? In addition to integrating the firewall into your environment, how does it scale over the evolution of your company’s IT strategy? What is the price tag for the hardware, software, training, service contracts, warranty, and ongoing administration? New features to consider in selection include:

- Simpler management interfaces that make the firewall easier to configure and its monitoring output easier to interpret.

- Intelligent proxies to implement virus scanning, URL blocking, Java and ActiveX filtering.

- User authentication for remote users.

- Security from protocol-based attacks, such as "Ping of Death" and TCP SYN floods.

- Web page caching, VPNs and bandwidth management.
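The "protocol-based attacks" item deserves a closer look, since both named attacks can be recognised from header fields alone. The following is an added example (not from the article or any product it mentions) of the two checks a firewall would apply: a per-fragment test for the "Ping of Death" condition, where a fragment's data would land beyond the 65,535-byte IPv4 maximum, and a half-open connection counter for TCP SYN floods. The packet records, addresses, window and threshold are constructed for the illustration.

```go
package main

import "fmt"

// Fragment carries the IP header fields needed to spot an oversized
// reassembly without buffering the datagram.
type Fragment struct {
	ID        uint16 // IP identification, shared by all fragments of one datagram
	Offset    uint16 // fragment offset in 8-byte units (13-bit field)
	Length    int    // payload bytes carried in this fragment
	MoreFrags bool   // MF flag; false on the final fragment
}

const (
	MaxIPDatagram = 65535 // largest total length an IPv4 datagram may have
	MinIPHeader   = 20    // IPv4 header without options, counted in total length
)

// OversizedReassembly reports whether this fragment's data would land beyond
// the maximum datagram size: the "Ping of Death" condition, where the last
// fragment of an oversized ICMP echo request pushes the reassembled packet
// past 65,535 bytes and overruns the receiving stack's buffer.
func OversizedReassembly(f Fragment) bool {
	return MinIPHeader+int(f.Offset)*8+f.Length > MaxIPDatagram
}

// HandshakeEvent is one TCP handshake step seen at the firewall: a client's
// SYN, or the client's final ACK that completes the three-way handshake.
type HandshakeEvent struct {
	At        int64  // seconds
	Client    string // source ip:port
	Server    string // protected ip:port
	Completed bool   // false = SYN seen, true = handshake finished
}

// SYNFloodDetector counts half-open connections per protected server inside a
// sliding window. A flood appears as many SYNs, typically from spoofed
// sources, that never complete and so exhaust the server's connection backlog.
type SYNFloodDetector struct {
	Window    int64                       // seconds a SYN stays counted if never completed
	Threshold int                         // half-open connections that raise the alarm
	pending   map[string]map[string]int64 // server -> client -> time of SYN
}

func NewSYNFloodDetector(window int64, threshold int) *SYNFloodDetector {
	return &SYNFloodDetector{Window: window, Threshold: threshold, pending: map[string]map[string]int64{}}
}

// Observe records one event and reports whether the server is under a flood.
func (d *SYNFloodDetector) Observe(e HandshakeEvent) bool {
	clients := d.pending[e.Server]
	if clients == nil {
		clients = map[string]int64{}
		d.pending[e.Server] = clients
	}
	if e.Completed {
		delete(clients, e.Client) // handshake finished: no longer half-open
	} else {
		clients[e.Client] = e.At
	}
	for c, t := range clients { // expire entries older than the window
		if e.At-t > d.Window {
			delete(clients, c)
		}
	}
	return len(clients) >= d.Threshold
}

// Simulate feeds constructed traffic through the detector: 50 ordinary
// connections that complete, then 150 spoofed SYNs within one second.
func Simulate() (legitAlarm, floodAlarm bool) {
	d := NewSYNFloodDetector(10, 100)
	const server = "10.0.0.80:80" // constructed protected web server
	for i := 0; i < 50; i++ {
		c := fmt.Sprintf("10.0.1.%d:5000", i)
		d.Observe(HandshakeEvent{At: 1, Client: c, Server: server})
		legitAlarm = d.Observe(HandshakeEvent{At: 1, Client: c, Server: server, Completed: true}) || legitAlarm
	}
	for i := 0; i < 150; i++ {
		spoofed := fmt.Sprintf("203.0.113.%d:%d", i%256, 1024+i)
		floodAlarm = d.Observe(HandshakeEvent{At: 2, Client: spoofed, Server: server})
	}
	return legitAlarm, floodAlarm
}

func main() {
	fmt.Println("ping of death fragment:", OversizedReassembly(Fragment{ID: 7, Offset: 8189, Length: 8}))
	fmt.Println("ordinary fragment:     ", OversizedReassembly(Fragment{ID: 8, Offset: 185, Length: 1480, MoreFrags: true}))
	legit, flood := Simulate()
	fmt.Println("alarm on ordinary connections:", legit, " alarm on SYN flood:", flood)
}
```

The fragment test needs no reassembly buffer because the offset field already says where the data will land, which is why a firewall can drop the offending fragment before the vulnerable host ever sees it. The SYN counter's window and threshold must be tuned to the protected server's real backlog and traffic, or a busy but legitimate site will trip it.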


Viruses are a potent security risk that may come undetected across the Internet or be manually loaded onto a user's desktop. More than 16,500 distinct viruses exist, with a 40 percent increase in viruses registered in 1997. Macro viruses -- for example, malicious macro commands embedded in Microsoft Word and Excel documents -- have doubled every 6 months in the past 2 years. With the "openness" of the Internet and intranets, these macro viruses can travel widely and infect systems at an unprecedented rate as they are carried by documents and lie sequestered in document management systems.

Most organizations have implemented anti-virus software within their organizations. Vendors such as Network Associates Inc. (Santa Clara, Calif., www.nai.com), Symantec Corp. (Cupertino, Calif., www.symantec.com), Sophos Inc. (Woburn, Mass., www.sophos.com) and Trend Micro Inc. (Cupertino, Calif., www.antivirus.com) provide solutions based on anti-virus scanner programs looking for signatures of known viruses. Encrypted ("coded") and polymorphic viruses are hard to identify with a plain signature scan. An encrypted virus stores its body enciphered and leaves only a small decryption routine in the clear, so the signature is not present in the file until the virus runs. Polymorphic viruses go further and rewrite the decryption routine itself on each infection, so no fixed byte sequence is shared between copies.
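To show why an encrypted body defeats a plain signature scan, and how scanners answer the simplest form of it, here is an added example (not from the article or from any vendor named in it). The "virus" is a constructed byte string, not a real one; its body is XORed with a one-byte key behind a placeholder decryptor stub. The plain scan misses the encrypted copy, while the "X-ray" scan, which tries every possible key and looks for the signature in each trial decryption, recovers both the name and the key. A genuinely polymorphic virus, which also varies the decryptor and the cipher, would need emulation or the behavior-based approach discussed next rather than this brute-force trick.

```go
package main

import (
	"bytes"
	"fmt"
)

// Signatures maps a virus name to a byte sequence taken from its body. The
// entry here is constructed for the example and is not from any real virus.
var Signatures = map[string][]byte{
	"Demo.A": {0x8B, 0xFF, 0x33, 0xC0, 0xAA, 0xFE, 0xC0, 0x75, 0xFB},
}

// ScanPlain is the classic scanner: look for each known signature as-is.
func ScanPlain(file []byte) (name string, found bool) {
	for n, sig := range Signatures {
		if bytes.Contains(file, sig) {
			return n, true
		}
	}
	return "", false
}

// xorBytes applies a one-byte XOR key; XOR is its own inverse, so the same
// call encrypts and decrypts.
func xorBytes(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// EncryptedVariant models a self-encrypting ("coded") virus: a small decryptor
// stays in clear and the body, signature included, is XORed with a key that
// changes from one infection to the next.
func EncryptedVariant(body []byte, key byte) []byte {
	stub := []byte("DECRYPTOR-STUB:") // placeholder for the decryption loop
	return append(stub, xorBytes(body, key)...)
}

// SampleInfection builds a constructed infected file: host code, the virus
// body carrying the signature, and a payload, with the body XORed under key.
// Key 0 leaves the body in clear, i.e. a plain infection.
func SampleInfection(key byte) []byte {
	body := append([]byte("...host code..."), Signatures["Demo.A"]...)
	body = append(body, []byte("...payload...")...)
	return EncryptedVariant(body, key)
}

// ScanXRay is the scanner's answer to simple encryption: because the body is
// only XORed with one byte, try all 256 keys and run the signature scan on
// each trial decryption. It does not help against a polymorphic virus that
// rewrites its decryptor and varies the cipher on every infection.
func ScanXRay(file []byte) (name string, key byte, found bool) {
	for k := 0; k < 256; k++ {
		if n, ok := ScanPlain(xorBytes(file, byte(k))); ok {
			return n, byte(k), true
		}
	}
	return "", 0, false
}

func main() {
	plain := SampleInfection(0)
	encrypted := SampleInfection(0x5A)
	n, ok := ScanPlain(plain)
	fmt.Printf("plain scan, plain infection:     %q %v\n", n, ok)
	n, ok = ScanPlain(encrypted)
	fmt.Printf("plain scan, encrypted infection: %q %v\n", n, ok)
	n, k, ok := ScanXRay(encrypted)
	fmt.Printf("x-ray scan, encrypted infection: %q key=0x%02X %v\n", n, k, ok)
}
```

The cost of the X-ray approach is 256 scans per file for a one-byte key, and it grows with every additional cipher the scanner has to consider; that cost, and the limits of the method against true polymorphism, are what pushed vendors toward emulation and behavior monitoring.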

Typical viruses come in three families: boot sector, executable file and macro. Like their biological analog, viruses replicate and attach to other programs. Viruses consist of a replication capability and an optional payload. Since all viruses act fundamentally in the same way, their behavior provides a potential target for identifying and sequestering unknown viral components. In-Defense from Tegam Int'l Inc. (Santa Cruz, Calif., www.in-defense.com) uses a dynamic security review of behavior to identify virus activity. Even a new virus, whether newly released or a mutation of an existing one, can be identified by what it does rather than by what its bytes look like.

ActiveX and Java Security

ActiveX controls provide direct access to the system resources of a client's system. A vendor who touts the ability to automatically upgrade and configure users' desktops with the "latest and greatest" should strike fear into the heart of every MIS director, even if the vendor has the highest of ethics. If a vendor does not respect existing DLLs and overwrites them, as Microsoft itself often does, uncontrolled ActiveX is easily seen as anathema.

Several vendors are lining up products to scan for incoming viruses, ActiveX controls and Java applets, including Symantec, with Norton Antivirus V5.0, and eSafe Technologies Inc. (Seattle, www.esafe.com), with Protection Gateway. Finjan Inc. (San Jose, Calif., www.finjan.com) has been in this field longer than Symantec or eSafe, with the SurfinSuite family of products to proactively evaluate ActiveX controls and Java applets as they pass through the firewall. Finjan's SurfinShield Xtra provides additional protection for studying ActiveX controls through a "sandbox" called Xbox. Finjan's technology creates a sandbox for ActiveX, monitoring each control's activities, watching for file and network access, and providing an environment in which to perform typical network monitoring activities.

Virtual Private Networks

VPNs are an inexpensive way to tie remote users into the corporate intranet, saving on the price of dedicated T1, dial-up and frame relay lines. VPNs can solve business problems and boost a company’s bottom line. One organization supporting 450 remote users around the world saved $100,000 per month in dial-up long distance charges.

A VPN is a network tunnel created to pass encrypted data between two or more authenticated parties. It ensures data privacy, integrity and authenticity. The key benefits of a complete VPN are confidentiality, strong authentication, routing and tunneling, automated key management, performance and standards implementation. To ensure positive authentication across networks, servers and users, X.509 digital certificates are becoming the de facto standard, because they provide significantly stronger authentication than traditional username-password schemes. That strength rests on two things: the private key that only the certificate holder possesses, and a trusted certificate authority that vouches for the binding between a name and a public key. A certificate from an unknown or untrusted issuer proves nothing, however plausible the name in it, so a VPN must be configured with exactly the roots the company trusts. At present, buyers of VPNs must be very careful to purchase products that demonstrate interoperability using the full IPsec protocol suite, including its automated key management, rather than a vendor-specific subset.

The logical place to implement a VPN is at the firewall or proxy server. Most of the leading firewall vendors incorporate VPN technology into their products. The firewalls run on both Windows NT and Unix platforms. Proxy server vendors are also incorporating VPN technology.

Security is often managed as concentric rings of control, starting at an outer firewall and working inward. The key driver behind a sound security implementation is a security policy that is understood and can be implemented by both the IT group and all of the users. Firewalls offer the first defense, shrouding the company with a uniform blanket of security. Within the firewalls, IT must grapple with viruses and with errant and malicious Java applets and ActiveX controls. Complicating this "onion-skin" approach is the need to make the company's intranet more accessible to remote users physically outside the corporate facilities. VPNs provide a method to securely extend the protection offered within the company to remote locations. -- E. Loren Buhle Jr., Ph.D., is a managing associate in the National Internet Practice of PricewaterhouseCoopers LLP (New York).