Internet Security Policies
Copyright (C) 09/1997 by Howard Fuhs
Prompted by the rise of the net as a fashionable phenomenon, the advisability of connecting the internal company network to the Internet for commercial reasons is being hotly debated in many companies wishing to take part in the excitement of the World Wide Web. Whatever the possible business advantages of such a move, there is no way around considering the security problems, which may threaten the very existence of the enterprise.
When the military ARPANET (which later developed into the Internet) was established, the emphasis was on availability under all circumstances rather than on security (although availability under all circumstances is itself an important part of security). Businesses now face the problem of having to connect their internal networks (however secure they may be) to a network which must be considered both insecure and unreliable. Add to this that almost anybody with a computer, a modem and a telephone line can now connect to the Internet and use or misuse it for his own purposes, and it becomes obvious that suitable security precautions are advisable.
Whenever security measures are discussed in connection with the Internet and internal networks, the magic word "firewall" pops up. Fundamental to such a firewall is not only hardware and software but above all the security policy: the set of guidelines determining how the firewall is actually installed and configured. We are going to take a closer look at the design of these policies.
In order to tie a protective measure to a security policy it is necessary to define the tasks of the protective mechanism. A firewall, then, consists of a number of components and systems situated between two networks. It must be able to perform the following tasks:
- The protective measure must itself be resistant to attack, or be able to defend itself.
- All traffic between the inner and the outer network must pass through the protective measure.
- Only traffic defined as legitimate by the security policy may be allowed to pass through the protective measure.
- Attempts to violate the security policy must raise an immediate alarm.
When a security policy is implemented it is also necessary to decide what the fundamental security attitude in the company should be.
Everything which is not expressly disallowed is permitted.
Most users wish this very liberal attitude to prevail, but from a security point of view it is extremely dangerous and cannot be recommended for an Internet connection. It makes it impossible to control data exchange effectively and leaves the door wide open to misuse: any service nobody has yet thought to block passes unhindered.
Everything that is not expressly allowed is forbidden.
Hard as this attitude may sound, only on this basis is it really possible to maintain a defined level of security between the inner and the outer network. This is particularly true when you consider the possible existence of not yet discovered security holes and design weaknesses in the network technologies in use, and in future network services: a service nobody has explicitly allowed is blocked by default.
The allocation of access rights is a fundamental security aspect. Only the access rights a person really needs in order to perform his work efficiently should be granted. In this connection it is important to consider whether a person actually needs access to the Internet at all in order to perform his job. Research in companies has shown that people with free Internet access tend to spend progressively more time on unproductive tasks unrelated to their job functions, typically reading and responding to private email and reading Usenet newsgroups. These activities not only cost valuable time but also consume valuable resources and storage space on company computers.
The Internet offers many different information services. The best known are probably email, FTP (File Transfer Protocol) and the WWW (World Wide Web). All Internet services (including the ones not mentioned here) bring certain security risks and design weaknesses, and offer possibilities for misuse, both internal (company staff) and external ("vile hackers").
In order to obtain good security, the security policy must first define which of these Internet services should be available to the users at all. This is one of the factors that determine how the firewall is installed. Permitted Internet services are allowed through the firewall only after they have been examined and approved; all services not permitted in the organisation are stopped at the firewall.
It cannot be assumed that the permitted Internet services are in themselves more secure than those not permitted by company policy. Services are permitted or disallowed on the basis of how their use can benefit the company, and for each one it is necessary to evaluate which risks its introduction brings, and at what expenditure of personnel and money access to the service can be provided in a reasonably secure manner. For example, it is indispensable to study the known security holes in the permitted services and how to plug them. This knowledge must be kept constantly up to date, e.g. by frequently checking the advisories from the Computer Emergency Response Team (CERT) at Carnegie Mellon University (FTP://cert.org/pub/cert advisories).
When developing the security policy it is necessary to balance various interests in order to attain the desired results. The best corporate security policies fail if employees disregard them in their daily work. It is necessary to write very clear policies and to explain the reason for each individual measure. Employees only follow policies that they understand and approve of.
It is also necessary to consider financial interests. The prescribed security must remain within a business framework and stand in a reasonable relationship to the business and to the value of the data being secured. If too much security is required, productivity can easily suffer because systems become too complicated to operate and can no longer be used profitably. The development of security policies should be carried out by a group including representatives from management, system administration and users. Only company-wide teamwork can ensure that the policies can be implemented in practice and are usable for all groups. This normally means that certain compromises have to be made.
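The four firewall tasks listed above, the two default stances, and the "permitted services only" rule can be seen working together in a small packet-filter policy evaluator. This is an added example written for this page, not code from the article or from any firewall product; the rule format, the port numbers chosen for email, FTP and WWW, the sample traffic and the alert list are constructed assumptions for illustration. It shows why the author's preferred stance holds up against services nobody has yet written a rule for.

```python
"""Toy packet-filter policy evaluator (added example, not the article's code).

Models the firewall tasks above (all traffic passes the filter, only
policy-approved traffic gets through, violations raise an alarm) and
contrasts the two default stances: "not forbidden is permitted" versus
"not permitted is forbidden". Rule format, ports, sample traffic and the
alert list are constructed for illustration and describe no real product.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    action: str                 # ALLOW or DENY
    direction: str              # "out": internal -> Internet, "in": Internet -> internal
    proto: str                  # "tcp", "udp" or "*"
    port: Optional[int] = None  # destination port; None matches any port
    comment: str = ""

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction in (direction, "*")
                and self.proto in (proto, "*")
                and self.port in (port, None))


@dataclass
class Firewall:
    default: str                 # verdict when no rule matches (the "attitude")
    rules: List[Rule]
    alerts: List[str] = field(default_factory=list)

    def decide(self, direction: str, proto: str, port: int, label: str) -> str:
        """First matching rule wins; otherwise the default stance applies.
        Every denied attempt is recorded, standing in for the alarm the
        policy demands on attempted violations."""
        verdict = self.default
        for rule in self.rules:
            if rule.matches(direction, proto, port):
                verdict = rule.action
                break
        if verdict == DENY:
            self.alerts.append(f"{label}: {direction} {proto}/{port} denied")
        return verdict


# Services the (constructed) policy has examined and approved: outbound
# mail, FTP and WWW for staff, plus inbound mail to the company relay.
PERMITTED = [
    Rule(ALLOW, "out", "tcp", 25, "email"),
    Rule(ALLOW, "out", "tcp", 21, "FTP"),
    Rule(ALLOW, "out", "tcp", 80, "WWW"),
    Rule(ALLOW, "in", "tcp", 25, "email to relay"),
]

# What a liberal administrator adds: explicit blocks for problems already known.
KNOWN_BAD = [
    Rule(DENY, "in", "tcp", 23, "no telnet from outside"),
    Rule(DENY, "in", "tcp", 513, "no rlogin from outside"),
]

# Constructed sample traffic: (direction, proto, port, label).
TRAFFIC: List[Tuple[str, str, int, str]] = [
    ("out", "tcp", 25, "staff sends mail"),
    ("out", "tcp", 80, "staff browses WWW"),
    ("in", "tcp", 23, "outsider tries telnet"),
    ("in", "tcp", 2049, "outsider tries NFS"),                  # nobody wrote a rule for this
    ("out", "tcp", 6667, "staff tries a new chat service"),    # service unknown to the policy
]


def run(fw: Firewall) -> dict:
    """Return {label: verdict} for the sample traffic, recording alerts on fw."""
    return {label: fw.decide(d, p, port, label) for d, p, port, label in TRAFFIC}


def default_allow() -> Firewall:
    """'Everything which is not expressly disallowed is permitted.'"""
    return Firewall(ALLOW, KNOWN_BAD + PERMITTED)


def default_deny() -> Firewall:
    """'Everything that is not expressly allowed is forbidden.'"""
    return Firewall(DENY, PERMITTED)


if __name__ == "__main__":
    for name, fw in (("default-allow", default_allow()), ("default-deny", default_deny())):
        print(name, run(fw))
        for alert in fw.alerts:
            print("  ALERT", alert)
```

Under the liberal stance the telnet attempt is stopped only because someone remembered to write a rule for it; the NFS probe and the new chat service, for which no rule exists, pass straight through. Under the restrictive stance the same traffic is stopped and alarmed without anyone having known about it in advance, which is exactly the protection against "not yet discovered" services the text asks for. Adding a new service to the policy then becomes a deliberate act: one examined and approved `Rule` in `PERMITTED`.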
When developing a security policy the following points are among those which need to be considered:
- Who should be allowed access to the internal company network?
- Under which circumstances, and with which procedures is it permitted to log into the company network?
- Who (if anybody) is allowed to log into the company network from outside?
- How must computers used by teleworkers be secured?
- Which additional security policies must be followed regarding company computers placed in the homes of employees or used by travelling employees?
- How can employees working outside company premises be given secure access to the company network?
- How are "guest" accounts handled?
- Which types of information are considered confidential within the organisation?
- How is this information protected? Should it be permitted to email it to destinations outside of the organisation?
- Which policies should be in force regarding confidentiality of information?
- How is personal information protected?
- How secure must computers be in order for them to be allowed onto the internal network / the Internet?
- How is virus protection carried out?
- When must data be encrypted, and how is the encryption performed?
Responsibilities and data ownership must be clearly defined and allocated to individuals or departments. This gives users clear lines of communication in case of problems or misunderstandings. It also counteracts the diffusion of responsibility which so often leads to unpleasant mishaps ("But I thought you were doing the backups..."). These responsibilities include:
- Who trains the users? Security policies stand or fall with user acceptance.
- Who carries out user support? Essential for solving small daily problems.
- Who installs new updates and security improvements? After appropriate training these tasks can often be performed satisfactorily by internal staff; otherwise it is necessary to rely on external consultants.
- Who is responsible for the maintenance of security mechanisms (e.g. backup)? Here too the question is decided by qualifications, with the consequences indicated above.
- Who tests the functionality of the security mechanisms? It is highly recommended to use external, qualified IT security auditors for this job in order to secure an independent and objective audit.
- Who is to be called in an emergency? Certain types of emergencies (e.g. virus infestations) require a quick, competent reaction in order to limit the damage. The person in charge of emergencies must have a catalogue of countermeasures available to help him handle such a situation, and he should probably also be authorised to call in external assistance if required.
A security policy must be flexible, not only so that it can be followed as part of normal work routines but also because the Internet is in a state of constant flux. New services appear, old services change. This constantly alters the risk scenario and makes it necessary to regularly re-evaluate the workability of a security policy as well as its ability to cope with new risks. This is an ongoing process. It is also necessary to evaluate whether new services or changes to existing services collide with the security policy, and then either to change the policy, to disallow the service, or to adjust the countermeasures to counteract the increased risk.
The security policy must clearly outline the consequences for staff violating security procedures. The wording of this part of the policy document should not be rigid but should rather give management the mandate to impose certain sanctions after carefully considering the circumstances of each individual case and the gravity of the transgression.
It is not advisable to introduce mandatory punishment, because this normally turns out to be extremely counterproductive from a security point of view. Fear of severe consequences will often keep an employee from reporting mistakes, e.g. having unintentionally introduced a virus infestation into a computer, thereby delaying the process of limiting the damage and closing security holes. Even worse, an unqualified person may attempt to repair the situation and in fact aggravate it. This is quite frequently seen in the case of virus infestations, where users first attempt to remove the virus, e.g. by formatting their hard disk, thus destroying valuable data, and subsequently claim that a computer fault did it...