Eyeing Net Security
- By Brian Robinson
- May 02, 1999
State and local government agencies may face a different kind of time bomb once the century date turns over. While they have been dealing with the Year 2000 crisis, many localities have not been able to keep pace with their network security needs, state and local officials said.
The bad news is that hacking is on the rise, even in state and local government shops. The good news is that network security technology has become so sophisticated that even basic firewall systems can provide unprecedented amounts of information about who is trying to get on your network.
The level of "doorknob rattling" by hackers has increased significantly at many state and local government World Wide Web sites, information technology officials said, and most officials expect more intrusions as state and local governments bring up electronic commerce systems and open up information-access policies. But while some jurisdictions have enhanced their network security to counter this trend, many more have not.
Gary Swindon, Michigan's director of the Office of Computing and Telecommunications, said there have been "a lot" of attempts by hackers to get into Michigan systems, a situation that he expects will only continue. While Michigan's IT security program is "solid," he said, the level of intrusion protection in government agencies overall "is fair at best."
At the local government level, agencies report even less urgency about network security, partly because network security usually winds up well down the list of priorities for most mayors and county executives. "It's a bottom-line thing," said Susan Lowman, the IT administrator for Catawba County, N.C., and president of Government Management Information Sciences, an organization of state and local IT professionals.
"The management of most counties asks what a firewall will give them, and typically, given the nature of the data they are producing and handling, they tell themselves that no one is likely to try and get their information. And when everyone in government is after the same pool of money, they aren't inclined to give that money for firewalls or other security," Lowman said.
Nevertheless, there is a need to stop people from getting into systems and changing data or getting confidential information. For that reason, Catawba County uses firewalls and a multilevel password system as its core security, Lowman said.
The firewalls have been in for 18 months, Lowman said. That might not sound like a long time, but Catawba is among the top five North Carolina counties in deploying security, said Lowman, who called North Carolina "leaps and bounds" ahead of most other states.
Another reason for the network security slowdown is that most state and local governments have time for only one IT problem: the Year 2000. Although some, such as Michigan, consider themselves on top of their Year 2000 work, and thus able to turn more attention toward security, many others are focused solely on managing the date change.
In California, the top security project is making the firewalls already in place work more effectively. But that is, at best, "a parallel effort" with the Year 2000, a California state government spokesman said.
Meanwhile, network security technology is becoming more sophisticated. For instance, firewalls, still the first line of defense against attacks, have become more than simple barrier systems. Advances in firewall technology are being driven by customers who are demanding more sophisticated features from their systems, company executives said.
Customers want the firewall, as the gateway to the network, to do more than simple packet filtering. They want firewalls to perform user authentication and content security, integrate closely with other security devices such as intrusion-detection systems (IDSes) and account for protocols that are becoming more important for working on the Internet, such as virtual private networks.
Network security vendors are responding to the demand. "We believe the firewall is the platform for all of network security," said Greg Smith, group manager of product marketing for CheckPoint Software Technologies Ltd., which makes the popular Firewall-1 system.
Similarly, firewall products from Internet Security Systems Inc., Atlanta, are widely used for network vulnerability assessments, according to Ted Doty, product manager for Internet scanner products at ISS.
Sitting behind the firewall on a host computer or at key points on the network is the IDS, which is rapidly becoming an important weapon in the network security arsenal. IDSes alert systems administrators about hackers who get by the firewall. IDSes also guard against unauthorized intrusions from inside organizations, which are increasingly seen as the biggest security threat.
While IDSes are used most widely in the federal government, particularly in Defense Department agencies, they should quickly extend their reach as network security becomes a higher priority for civilian and state and local agencies.
The third basic element of reliable security, and the least mature, is public-key infrastructure (PKI), which uses digital keys to encrypt data and verify identities. A lack of standards has limited its use so far, but PKI could become the most critical piece of network security technology for state and local government agencies, which will require iron-clad authentication and verification systems for electronic transactions and commerce.
That's certainly the case for the Massachusetts Registry of Motor Vehicles, which is on the bleeding edge of the government e-commerce movement. The agency has had a Web site up since early 1996 from which people can get information on RMV branch locations and fee schedules, review online versions of a driver's manual and obtain forms.
RMV wanted to be able to accommodate e-commerce on the site so that people could pay fees using their credit cards. The front-end security is supplied through regular browser Secure Sockets Layer (SSL) security technology and credit card validation.
Larry McConnell, deputy registrar of information services at RMV, said, "We thought about going with open forms and just asking people to send us the information," on the theory that there is minimal risk anyway to people's credit card data being misused. "But we decided at least [the SSL] level of security would calm people enough to draw them into using the service."
In the future, RMV wants to use more sophisticated technology, such as PKI, to authenticate the system's users, as well as digital certificates to ensure the validity of transactions, but McConnell said RMV will wait until this kind of technology "is a little more user-friendly." Other security measures, such as firewalls and revolving Internet Protocol addresses, are used to secure the system overall, he added.
Security and Network Management
Sometimes security systems can tell more about the network than simply who tried to gain unauthorized access. When the Citrus County, Fla., school board installed an Axent Technologies Inc. Raptor firewall more than two years ago, its first desire was to protect its 19-school network from hackers. But as the school board became familiar with the firewall and what it could do, IT officials there realized that the firewall also could capture real-time data about network traffic flows, and that data could be used for other kinds of analysis.
"Each machine on the network has a separate address, so we can show how data goes from machine to machine," said John Mayer, computer network specialist for the school system. "Using the data we get from the firewall, we can calculate what time of the week would be best for teachers to run an extra class using the network, for example. Knowing what kind of traffic would be involved, we can deny everything else for those times."
That type of data analysis will become useful, Mayer said, as the school's network traffic explodes. The network already has seen a 400 percent increase in usage since October 1998. Mayer expects more such spurts, which will mean significant spending on new machines and network infrastructure.
With the kind of data he can get about how the network is used, Mayer said, it will be much easier to inform the school board about what is being done with its investment. And as people know more precisely what they are getting for their money, they will be more confident about investing even more in the future.
In state and local network shops, such uses for security technology are more the exception than the rule, observers said. In the end, it comes down to how many resources agencies can throw at the problem. And even for those organizations with a good handle on security, the pressure to spread shrinking budgets over ever-broader needs means security will continue to be a tough sell.
"Between organizations that do have resources and those who don't, there's a big difference in the way they approach security," said Dianah Neff, chief information officer for Bellevue, Wash. Her city's network has firewalls, proxy servers and a security policy. But the system has never been tested by independent auditors. The first such audit of Bellevue's systems will take place in the first quarter of next year.
"If you want to test your security, you really do need someone to come in and do a security audit," Neff said. "But sometimes, it's difficult to justify that outside of the information systems organization itself."
On the other hand, having good security is not just about technology. "Security is never liked because people see it as intrusive," said Lee Lane, security manager for Arizona's information services department. "You have to incorporate security in such a way that they can still go off and do their business effectively."
His recipe for a secure environment? "Keep your users happy."
Brian Robinson is a free-lance journalist based in Portland, Ore. He can be reached at [email protected]
A Network Technology Sampler
A few years ago, there was not much in the way of security products to protect information technology systems and networks except firewalls. And those products were relatively primitive. Today there is a sophisticated blend of protective devices that organizations can throw into their security mix.
There are three types of firewall technologies available, with different strengths and weaknesses.
* Packet-filtering firewalls allow or disallow data packets to pass through the firewall based on a pre-set security policy. They can put a blanket block on traffic coming into the network or block connections to and from specific hosts.
* Proxy servers examine network traffic according to policies set for specific applications.
* Stateful inspection firewalls examine the data packet itself and look at all the layers of a network to make sure they comply with a security policy.
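To make the difference between the first and third firewall types concrete, here is an added example (not from the article or any vendor's product) that runs the same constructed TCP packets through a stateless packet filter and a stateful inspection table. The network prefix, addresses and ports are assumptions chosen for the demonstration.

```python
# Added example: packet filtering versus stateful inspection over constructed
# TCP packets. Packets are reduced to the header fields the comparison needs.

def is_inside(ip):
    # Hypothetical internal network: everything in 10.1.0.0/16
    return ip.startswith("10.1.")

def stateless_filter(pkt):
    """Packet-filtering rule set: judge each packet on its own headers only.
    Allow anything outbound; allow inbound only if it looks like a reply (ACK set)."""
    if is_inside(pkt["src"]):
        return "allow"
    return "allow" if "ACK" in pkt["flags"] else "deny"

class StatefulFirewall:
    """Stateful inspection: remember connections that inside hosts opened and
    admit an inbound packet only when it belongs to one of them."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        key_out = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        key_in = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if is_inside(pkt["src"]):
            if "SYN" in pkt["flags"]:
                self.table.add(key_out)  # an inside host opened a connection
            return "allow"
        return "allow" if key_in in self.table else "deny"

def run(packets):
    """Return (stateless verdicts, stateful verdicts) for one packet sequence."""
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in packets], [fw.check(p) for p in packets]

# Constructed traffic: an inside host fetches a web page (packets 1-2), then an
# outside host sends an inbound packet with ACK set that no inside host asked for.
SAMPLE = [
    {"src": "10.1.2.3", "sport": 40000, "dst": "203.0.113.5", "dport": 80, "flags": {"SYN"}},
    {"src": "203.0.113.5", "sport": 80, "dst": "10.1.2.3", "dport": 40000, "flags": {"SYN", "ACK"}},
    {"src": "198.51.100.9", "sport": 4444, "dst": "10.1.2.3", "dport": 139, "flags": {"ACK"}},
]
```

The stateless filter passes the third packet because its ACK flag alone satisfies the "reply" rule; the stateful table denies it because no inside host ever opened that connection.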
IDSes are used to detect unusual or unauthorized activity in a network of computer systems. When an intrusion is detected, the IDS can react in a number of ways, from simply alerting systems administrators to the intrusion and letting them decide what action to take, to automatically kicking the intruder off the network.
There are two main types of IDS.
* Network-based systems use monitors placed at strategic points on the network to examine data packets in order to determine if those data packets conform to known attack signatures.
* Host-based systems use intelligent agents that constantly monitor computer audit logs for suspicious activity. Those agents compare audit logs with a library of attack signatures or user profiles, as well as polling key system files and executable files for unexpected changes.
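The host-based variety is the easier of the two to show end to end, so here is an added example (not from the article) of a small agent that does both jobs the sidebar lists: it matches audit-log lines against a signature library and polls key files for unexpected changes. The signatures, log lines and file contents are constructed for the demonstration.

```python
import hashlib
import re

# Added example: a minimal host-based IDS agent. Log lines and "key system
# files" are held in memory so the block runs offline.

SIGNATURES = [
    ("repeated-auth-failure", re.compile(r"sshd.*Failed password for (\S+)")),
    ("privilege-escalation", re.compile(r"su: .*session opened for user root")),
]

def scan_audit_log(lines, threshold=3):
    """Compare audit-log lines with the signature library. A failed login is
    reported only once an account reaches `threshold` failures; every other
    signature hit is reported as it occurs."""
    alerts, failures = [], {}
    for line in lines:
        for name, pattern in SIGNATURES:
            m = pattern.search(line)
            if not m:
                continue
            if name == "repeated-auth-failure":
                user = m.group(1)
                failures[user] = failures.get(user, 0) + 1
                if failures[user] == threshold:
                    alerts.append((name, user))
            else:
                alerts.append((name, line.strip()))
    return alerts

def baseline(files):
    """Record a SHA-256 fingerprint of each key file (name -> content bytes)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def poll_files(files, base):
    """Names of baseline files whose content changed or that are now missing."""
    current = baseline(files)
    return sorted(name for name in base if current.get(name) != base[name])

# Constructed sample data
LOG = [
    "Mar 3 02:10:01 host sshd[911]: Failed password for admin from 198.51.100.7",
    "Mar 3 02:10:04 host sshd[911]: Failed password for admin from 198.51.100.7",
    "Mar 3 02:10:09 host sshd[911]: Failed password for admin from 198.51.100.7",
    "Mar 3 02:11:30 host su: (to root) admin on pts/1: session opened for user root",
]
FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n", "/bin/login": b"\x7fELF-original"}
```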
PKI is the least advanced of the security technologies, and its adoption has been slowed by haggling by vendors and industry bodies over the adoption of standards, a vital move for PKI's wide-scale adoption. However, there's little doubt that PKI will be a major part of any organization's security armor because the technology provides components that are key to development of electronic commerce and online transactions.
Digital certificates are issued by a certificate authority to members of an organization that uses PKI; these certificates act as a user's digital identification. An individual user also is assigned a pair of cryptographic keys. One key is private, and only that individual can use it; the other key is public, and it is published in online directories. The user "signs" digital documents with his private key, and the recipient uses the public key to verify that signature.
PKI provides authentication (proof of the sender's identity), data integrity (assurance that the data has not been corrupted or meddled with), confidentiality (involves encryption to keep data private) and nonrepudiation (senders cannot deny that they sent the data).
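The sign-with-private-key, verify-with-public-key exchange described above, as an added example that is not part of the original article. It uses textbook (unpadded) RSA with two fixed, demo-sized known primes so it runs offline with no third-party library; deployed PKI uses far larger keys and a padding scheme, and the transaction text is a constructed sample.

```python
import hashlib

# Added example: digital signature mechanics with textbook RSA.
# P and Q are known Mersenne primes chosen for a self-contained demo, not real key sizes.
P = 2305843009213693951   # 2**61 - 1
Q = 2147483647            # 2**31 - 1
E = 65537                 # public exponent; coprime to (P-1)*(Q-1)

def keypair():
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(E, -1, phi)   # private exponent: modular inverse of e
    return (E, n), (d, n)

def digest(message, n):
    """Hash the message and reduce it below the modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """The sender 'signs' with the private key that only the sender holds."""
    d, n = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Any recipient checks the signature with the published public key.
    True only if the message is unchanged and was signed by the matching
    private key: authentication, integrity and nonrepudiation in one check."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)

def demo():
    """Sign a constructed transaction; show that a tampered copy fails to verify."""
    pub, priv = keypair()
    msg = b"RMV fee payment: $50.00, account 12345"   # constructed sample
    sig = sign(msg, priv)
    return verify(msg, sig, pub), verify(msg + b"0", sig, pub)
```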
- Brian Robinson
Last year, when President Clinton issued Presidential Decision Directive 63, a comprehensive accounting of the protection provided to America's critical infrastructure, the main emphasis was on the protection of the national infrastructure from cyberterrorists. But the federal government's involvement in this area doesn't let state and local authorities off the hook.
The Critical Information Assurance Office is expected soon to release a national plan for infrastructure protection. That plan will outline the major issues to which the federal government must attend. The feds intend to take the message to statehouses and city halls to advocate that they adopt something similar.