Network security experts say that while some technologies are more prone to security breaches than others, the sheer complexity of modern enterprise networking is the greatest weakness for most companies.
I-managers responsible for evaluating new technologies have to understand how those technologies interact with existing setups, and make sure adequate resources are applied to maintaining high-touch systems. Individually, almost any communications service could be perceived as a security risk.
Private lines are staples of many enterprises, but new network vulnerabilities are leading I-managers to question whether they can afford to live with known security flaws in this immensely popular technology.
"AT&T has been hacked before," said Chris Calabrese, an Internet security analyst at a major health care company. "If you are going to use private lines, you have to understand you are relying on AT&T security, and you have to put it in all your contracts."
Most technologies that land on security experts' black list are new. They end up there for a simple reason: Not enough is known about their security flaws. They include network-based virtual private networks (VPNs), Multiprotocol Label Switching and Internet Protocol Security alike, and are mistrusted because customer traffic travels unencrypted from the origination point to the carrier's network.
Domain Name System servers and Border Gateway Protocol routers fall into that category because too few are patched properly against vulnerabilities. And fears persist over most Web-based technology that is open to viruses and worms - which covers almost any Internet technology.
Steve Bellovin, an AT&T Labs Research security scientist, pointed out that the technologies with the most vulnerabilities are the most popular ones - Web servers, Web browsers and mailers. But most of the problems that arise with those come from lack of maintenance; patches were available to prevent most recent virus outbreaks, including Code Red, he said.
I-managers should start to face the realities that, even with firewalls in place, most people are likely to sacrifice security for convenience, Bellovin said. A case in point was the Internet Engineering Task Force's recent infiltration by a virus that got in through an unsecured laptop used to dial in to the IETF network.
Should companies ban laptops from connecting to their local area networks? Experts said no. But security managers should spend more money and get firewalls they can control remotely so that they can refuse access to certain applications. Bellovin said some of the worst vulnerabilities can be introduced when users allow their computers to operate as servers for certain applications, a common practice with popular peer-to-peer file sharing setups.
Another reality of today's security situation is that most Web servers are vulnerable because most of their holes can't be patched - at least, not all at once.
"Web servers are very dangerous," Bellovin said. "I basically view those as sacrificial machines."
Whatever you do in your networks, he said, don't make a Web server a front end to your database, especially if valuable information such as credit card numbers is stored there. Put that database on a separate server, build a firewall in between and restrict the language spoken between the two machines. The main objective here is to ensure that the Web server can't retrieve the entire database in one data dump.
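The tiered design described above, as an added example that is not from the article or from AT&T Labs: a hypothetical gateway process that sits on the database side of the firewall and speaks a deliberately tiny, allowlisted request language to the Web tier. Raw SQL never crosses the boundary, each request returns at most one record, and a per-session budget caps how many records a compromised Web server could pull. The message names (GET_ORDER, ORDER_COUNT), the sample order rows and the budget size are all constructed for this example; the database is an in-memory SQLite table so the script runs offline.

```python
import re
import sqlite3

# Constructed sample records for the database tier (illustrative, not the article's data).
SAMPLE_ORDERS = [
    (1001, "alice", 49.95),
    (1002, "bob", 120.00),
    (1003, "carol", 8.50),
]


class DatabaseTier:
    """The back-end database, reachable only through the gateway (SQLite in memory for the demo)."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
        )
        self.conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)

    def fetch_order(self, order_id):
        # Parameterised single-row lookup: the only record query the gateway ever issues.
        return self.conn.execute(
            "SELECT id, customer, total FROM orders WHERE id = ?", (order_id,)
        ).fetchone()

    def count_orders(self):
        # An aggregate answer exposes no record contents.
        return self.conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


class DatabaseGateway:
    """Speaks a tiny line protocol (hypothetical, invented for this example) to the Web tier.

    Grammar:
        GET_ORDER <id>   -> one order record, or NOT_FOUND
        ORDER_COUNT      -> number of orders, no record contents
    Anything else, SQL text included, is rejected before it reaches the database.
    """

    GRAMMAR = {
        "GET_ORDER": re.compile(r"^GET_ORDER (\d{1,10})$"),
        "ORDER_COUNT": re.compile(r"^ORDER_COUNT$"),
    }

    def __init__(self, db, session_budget=100):
        self.db = db
        self.budget = session_budget  # cap on record fetches per Web-tier session

    def handle(self, message):
        # Match against the allowlisted grammar; unknown shapes are refused outright.
        for verb, pattern in self.GRAMMAR.items():
            match = pattern.match(message)
            if match:
                break
        else:
            return ("REJECTED", "message not in gateway grammar")
        if verb == "ORDER_COUNT":
            return ("OK", self.db.count_orders())
        # GET_ORDER: enforce the per-session record budget, then fetch exactly one row.
        if self.budget <= 0:
            return ("REJECTED", "session record budget exhausted")
        self.budget -= 1
        row = self.db.fetch_order(int(match.group(1)))
        return ("OK", row) if row else ("NOT_FOUND", None)


def web_lookup(gateway, raw_order_id):
    """What the Web server is permitted to do: ask for a single order by numeric id."""
    if not raw_order_id.isdigit():
        return None
    status, payload = gateway.handle(f"GET_ORDER {raw_order_id}")
    return payload if status == "OK" else None


if __name__ == "__main__":
    gateway = DatabaseGateway(DatabaseTier(), session_budget=2)
    print(gateway.handle("SELECT * FROM orders"))   # refused: not in the grammar
    print(web_lookup(gateway, "1002"))               # one record
    print(web_lookup(gateway, "1001"))               # budget allows one more
    print(web_lookup(gateway, "1003"))               # None: budget exhausted
    print(gateway.handle("ORDER_COUNT"))             # aggregate only
```

The point of the budget is the article's "one data dump": with the grammar alone, an attacker holding the Web server could still enumerate ids one at a time, so the gateway also bounds how many records a session may fetch and logs or alerts when the cap is hit.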