Eyeing Net Security

State and local government agencies may face a different kind of time bomb once the century date turns over. While they have been dealing with the Year 2000 crisis, many localities have not been able to keep pace with their network security needs, state and local officials said. The bad news is tha

State and local government agencies may face a different kind of time bomb once the century date turns over. While they have been dealing with the Year 2000 crisis, many localities have not been able to keep pace with their network security needs, state and local officials said.

The bad news is that hacking is on the rise, even in state and local government shops. The good news is that network security technology has become so sophisticated that even basic firewall systems can provide unprecedented amounts of information about who is trying to get on your network.

The level of "doorknob rattling" by hackers has increased significantly at many state and local government World Wide Web sites, information technology officials said, and most officials expect more intrusions as state and local governments bring up electronic commerce systems and open up information-access policies. But while some jurisdictions have enhanced their network security to counter this trend, many more have not.

Gary Swindon, Michigan's director of the Office of Computing and Telecommunications, said there have been "a lot" of attempts by hackers to get into Michigan systems-a situation that he expects will only continue. While Michigan's IT security program is "solid," he said, the level of intrusion protection in government agencies overall "is fair at best."

At the local government level, agencies report even less urgency about network security, partly because network security usually winds up well down the list of priorities for most mayors and county executives. "It's a bottom-line thing," said Susan Lowman, the IT administrator for Catawba County, N.C., and president of Government Management Information Sciences, an organization of state and local IT professionals.

"The management of most counties asks what a firewall will give them, and typically-given the nature of the data they are producing and handling-they tell themselves that no one is likely to try and get their information. And when everyone in government is after the same pool of money, they aren't inclined to give that money for firewalls or other security," Lowman said.

Nevertheless, there is a need to stop people from getting into systems and changing data or getting confidential information. For that reason, Catawba County uses firewalls and a multilevel password system as its core security, Lowman said.

The firewalls have been in for 18 months, Lowman said. That might not sound like a long time, but Catawba is among the top five North Carolina counties in deploying security, said Lowman, who called North Carolina "leaps and bounds" ahead of most other states.

Another reason for the network security slowdown is that most state and local governments have time for only one IT problem: the Year 2000. Although some, such as Michigan, consider themselves on top of their Year 2000 work-and thus able to turn more attention toward security-many others are focused solely on managing the date change.

In California, the top security project is making the firewalls already in place work more effectively. But that is, at best, "a parallel effort" with the Year 2000, a California state government spokesman said.

Meanwhile, network security technology is becoming more sophisticated. For instance, firewalls, still the first line of defense against attacks, have become more than simple barrier systems. Advances in firewall technology are being driven by customers who are demanding more sophisticated features from their systems, company executives said.

Customers want the firewall, as the gateway to the network, to do more than simple packet filtering. They want firewalls to perform user authentication and content security, integrate closely with other security devices such as intrusion-detection systems (IDSes) and account for protocols that are becoming more important for working on the Internet, such as virtual private networks.

Network security vendors are responding to the demand. "We believe the firewall is the platform for all of network security," said Greg Smith, group manager of product marketing for CheckPoint Software Technologies Ltd., which makes the popular Firewall-1 system.

Similarly, firewall products from Internet Security Systems Inc., Atlanta, are widely used for network vulnerability assessments, according to Ted Doty, product manager for Internet scanner products at ISS.

Sitting behind the firewall on a host computer or at key points on the network is the IDS, which is rapidly becoming an important weapon in the network security arsenal. IDSes alert systems administrators about hackers who get by the firewall. IDSes also guard against unauthorized intrusions from inside organizations, which are increasingly seen as the biggest security threat.

While IDSes are used most widely in the federal government, particularly in Defense Department agencies, they should quickly extend their reach as network security becomes a higher priority for civilian and state and local agencies.

The third basic element of reliable security, and the least mature, is public-key infrastructure (PKI), which uses digital keys to encrypt data and verify identities. A lack of standards has limited its use so far, but PKI could become the most critical piece of network security technology for state and local government agencies, which will require iron-clad authentication and verification systems for electronic transactions and commerce.

That's certainly the case for the Massachusetts Registry of Motor Vehicles, which is on the bleeding edge of the government e-commerce movement. The agency has had a Web site up since early 1996 from which people can get information on RMV branch locations and fee schedules, review online versions of a driver's manual and obtain forms.

RMV wanted to be able to accommodate e-commerce on the site so that people could pay fees using their credit cards. The front-end security is supplied through regular browser Secure Socket Layer (SSL) security technology and credit card validation.

Larry McConnell, deputy registrar of information services at RMV, said, "We thought about going with open forms and just asking people to send us the information," on the theory that there is minimal risk anyway to peoples' credit card data being misused. "But we decided at least [the SSL] level of security would calm people enough to draw them into using the service."

In the future, RMV wants to use more sophisticated technology, such as PKI, to authenticate the system's users, as well as digital certificates to ensure the validity of transactions, but McConnell said RMV will wait until this kind of technology "is a little more user-friendly." Other security measures, such as firewalls and revolving Internet Protocol addresses, are used to secure the system overall, he added.

Security and Network Management

Sometimes security systems can tell more about the network than simply who tried to gain unauthorized access. When the Citrus County, Fla., school board installed an Axent Technologies Inc. Raptor firewall more than two years ago, its first desire was to protect its

19-school network from hackers. But as the school board became familiar with the firewall and what it could do, IT officials there realized that the firewall also could capture real-time data about network traffic flows, and that data could be used for other kinds of analysis.

"Each machine on the network has a separate address, so we can show how data goes from machine to machine," said John Mayer, computer network specialist for the school system. "Using the data we get from the firewall, we can calculate what time of the week would be best for teachers to run an extra class using the network, for example. Knowing what kind of traffic would be involved, we can deny everything else for those times."

That type of data analysis will become useful, Mayer said, as the school's network traffic explodes. The network alread has seen a 400 percent increase in usage since October 1998. Mayer expects more such spurts, which will mean significant spending on new machines and network infrastructure.

With the kind of data he can get about how the network is used, Mayer said, it will be much easier to inform the school board about what is being done with its investment. And as people know more precisely what they are getting for their money, they will be more confident about investing even more in the future.

In state and local network shops, such uses for security technology are more the exception than the rule, observers said. In the end, it comes down to how many resources agencies can throw at the problem. And even for those organizations with a good handle on security, the pressure to spread shrinking budgets over ever-broader needs means security will continue to be a tough sell.

"Between organizations that do have resources and those who don't, there's a big difference in the way they approach security," said Dianah Neff, chief information officer for Bellevue, Wash. Her city's network has firewalls, proxy servers and a security policy. But the system has never been tested by independent auditors. The first such audit of Bellevue's systems will take place in the first quarter of next year.

"If you want to test your security, you really do need someone to come in and do a security audit," Neff said. "But sometimes, it's difficult to justify that outside of the information systems organization itself."

On the other hand, having good security is not just about technology. "Security is never liked because people see it as intrusive," said Lee Lane, security manager for Arizona's information services department. "You have to incorporate security in such a way that they can still go off and do their business effectively."

His recipe for a secure environment? "Keep your users happy."

Brian Robinson is a free-lance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.

****

A Network Technology Sampler

A few years ago, there was not much in the way of security products to protect information technology systems and networks except firewalls. And those products were relatively primitive. Today there is a sophisticated blend of protective devices that organizations can throw into their security mix.

Firewalls

There are three types of firewall technologies available, with different strengths and weaknesses.

* Packet-filtering firewalls allow or disallow data packets to pass through the firewall based on a pre-set security policy. They can put a blanket block on traffic coming into the network or block connections to and from specific hosts.

* Proxy servers examine network traffic according to policies set for specific applications.

* Stateful inspection firewalls examine the data packet itself and look at all the layers of a network to make sure they comply with a security policy.

Intrusion-Detection Systems

IDSes are used to detect unusual or unauthorized activity in a network of computer systems. When an intrusion is detected, the IDS can react in a number of ways, from simply alerting systems administrators to the intrusion and letting them decide what action to take, to automatically kicking the intruder off the network.

There are two main types of IDS.

* Network-based systems use monitors placed at strategic points on the network to examine data packets in order to determine if those data packets conform to known attack signatures.

* Host-based systems use intelligent agents that constantly monitor computer audit logs for suspicious activity. Those agents compare audit logs with a library of attack signatures or user profiles, as well as polling key system files and executable files for unexpected changes.

Public-Key Infrastructure

PKI is the least advanced of the security technologies, and its adoption has been slowed by haggling by vendors and industry bodies over the adoption of standards-a vital move for PKI's wide-scale adoption. However, there's little doubt that PKI will be a major part of any organization's security armor because the technology provides components that are key to development of electronic commerce and online transactions.

Digital certificates are issued by a certificate authority to members of an organization that uses PKI; these certificates act as a user's digital identification. An individual user also is assigned a pair of cryptographic keys. One key is private, and only that individual can use it; the other key is public, and it is published in online directories. The user "signs" digital documents with his private key, and the recipient uses the public key to verify that signature.

PKI provides authentication (proof of the sender's identity), data integrity (assurance that the data has not been corrupted or meddled with), confidentiality (involves encryption to keep data private) and nonrepudiation (senders cannot deny that they sent the data).

- Brian Robinson

****

Net Terrorism

Last year, when President Clinton issued Presidential Decision Directive 63, a comprehensive accounting of the protection provided to America's critical infrastructure, the main emphasis was on the protection of the national infrastructure from cyberterrorists. But the federal government's involvement in this area doesn't let state and local authorities off the hook.

The Critical Information Assurance Office is expected soon to release a national plan for infrastructure protection. That plan will outline the major issues to which the federal government must attend. The feds intend to take the message to statehouses and city halls to advocate that they adopt something similar.

NEXT STORY: Popularity Problems

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.