DAILY NEWS AND INFORMATION
FOR THE GLOBAL GRID COMMUNITY / JULY 21, 2003; VOL. 2 NO. 29
Special Features:
THE THREE MOST COSTLY MISTAKES IN NETWORK SECURITY
By Scott Palmquist, VP, Product Management, CipherOptics
While millions are spent today securing intranets, running leased lines,
restricting access to IT assets, and strategically concealing network cabling,
relatively little is thought about or spent on what happens to network data
once it leaves the network end. Whether data is on its way to a client, a
partner or another trusted network, unencrypted data is neither secure nor
protected. A looming liability that threatens the heart of enterprise networks
both small and large, this security hole is partially attributable to some
fundamental misconceptions in today's network security market.
These misconceptions include questions of whether dedicated leased network
lines are vulnerable, what virtual private networks (VPNs) do to prevent
hackers from eavesdropping, and if firewalls do anything to protect network
data in transit. The answers to these questions give a peek into the soft
underbelly of virtually all current unencrypted network systems.
The Three Costly Mistakes in Network Security
What are today's costliest mistakes in network security? See if these three
situations ring true:
Mistake #1: "Our leased lines are safe; only we have access to them." Lines,
even fiber-optic lines, can be tapped using means that are not detectable to
the receiver. Once only available to well-funded intelligence organizations,
monitoring systems are now available to the average hacker for less than
$1,000. It takes just one unscrupulous person to tap a line.
Mistake #2: "Our VPNs are secure." No network is truly secure if data is
interpretable to anyone who manages to intercept it. While providing logical
traffic separation techniques and ensuring quality of service, VPNs provide no
protection for the data once it is actually in transit. Truly private networks
require the use of data encryption, such as the IPSec protocol, to encrypt all
IP traffic, making data useless to those who do not have the key to decode it.
Mistake #3: "Our system has a firewall; we're already protected." Excellent for
their purpose of keeping unauthorized users and hackers out of an organization's
secure intranet, firewalls do nothing to protect data once it has passed
through the firewall on its way out of the network. Supplementing an existing
firewall with an encryption appliance can improve both the performance and the
security of any intranet.
Encrypt Everything
The security gap created by these misconceptions forces a look at network
security from a new point of view: that no one can be certain that a line is
secure. And while billions can be spent in time, effort, and money on ways to
achieve "secure" lines, network and security managers have another option:
making the data on their lines useless to anyone outside the organization.
Eliminating the need to "trust the line" for complete security is where
Internet Protocol Security (IPSec) encryption comes in. IPSec is the
encryption of traffic on an IP network. A simple and cost-effective solution
for many of the security deficits in most of today's network traffic, IPSec
encryption offers the essential elements of confidentiality, authentication,
and integrity of secure network data traffic.
The History and Future of Encryption
Encryption isn't new. Numeric encryption
has been around since the ancient Greeks. Modern encryption systems had their
beginnings when the telegraph and radio brought electronic data transmission
into play, along with the need to keep that data secret from those who might
listen in.
In the 1970s, the Data Encryption Standard (DES) algorithm was introduced.
This standard broke data into pieces and then encrypted and decrypted each
piece using a 56-bit key to perform mathematical transformations on them. DES
was widely used until computers became powerful enough that a brute-force
method of simply trying every possible key to decrypt the data became
feasible.
DES was followed by the current standard, Triple DES (3DES), which uses three
56-bit keys and three DES operations, which results in the equivalent of one
168-bit key. 3DES is a much more secure method, requiring literally billions
of times longer to break with the same brute-force methods.
In anticipation of the need for stronger encryption methods in the future,
newer standards are already being developed. The Advanced Encryption Standard
(AES), which uses 128-, 192- or 256-bit keys, has been developed via an open
competition initiated by the National Institute of Standards and Technology
(NIST). This new standard provides another considerable jump in encryption
security.
At Encryption's Side
While encryption alone renders data in transit uninterpretable to anyone who
might intercept it, complementary technologies exist to improve the overall
security provided by any encryption system.
One such technology is authentication, or the capability to ensure that data
senders and receivers are identifiable. It's important to know that your data
is going to or coming from a trusted source. One of the most popular forms of
authentication is Public Key Infrastructure (PKI). It is used to verify the
sender and receiver of data so that both parties know with whom they are
communicating.
Once communication with a trusted source is established, it's equally
important to ensure that the data has not been tampered with in transit. In a
class of cyberattack called the "man in the middle attack", a malicious third
party alters unsecured data while it is in transit on unsecured lines. The
industry standard codes to solve this issue are the MD5 and SHA-1 Message
Authentication Codes. They create a unique fingerprint for each packet of data
based on its contents. Only the sender and receiver, who share the common
keys, can correctly calculate this fingerprint, which becomes incorrect if the
packet is altered in transit.
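The keyed fingerprint described above, as an added example that is not part of the original article or of any CipherOptics product: a sender appends an HMAC tag to each packet, and the receiver recomputes it with the shared key and rejects any packet whose tag no longer matches. The shared key, the sample packet and the byte-flip that stands in for in-transit alteration are all constructed for the example; SHA-1 is used because the text names it, with SHA-256 shown as the digest a practitioner would pick today.

```python
import hashlib
import hmac

# Shared secret known only to sender and receiver (constructed for this
# example; a real IPSec deployment derives it from a key exchange).
SHARED_KEY = b"example-shared-key-do-not-reuse"

# Constructed sample packet: a fake 4-byte header followed by a payload.
SAMPLE_PACKET = b"\x45\x00\x00\x3c" + b"transfer 1000.00 to account 4242"


def make_tag(key: bytes, packet: bytes, digest: str = "sha1") -> bytes:
    """Keyed fingerprint (HMAC) over the entire packet.

    The article names MD5 and SHA-1; both are accepted by hmac, but
    HMAC-SHA256 is the current practical choice, so 'sha256' works too.
    """
    return hmac.new(key, packet, digest).digest()


def protect(key: bytes, packet: bytes, digest: str = "sha1") -> bytes:
    """Sender side: append the fingerprint before the packet leaves the network."""
    return packet + make_tag(key, packet, digest)


def verify(key: bytes, received: bytes, digest: str = "sha1"):
    """Receiver side: recompute the fingerprint and compare it in constant time.

    Returns the packet if the tag matches, or None if the packet was altered in
    transit or the tag was produced by a party without the shared key.
    """
    tag_len = hashlib.new(digest).digest_size
    if len(received) <= tag_len:
        return None
    packet, tag = received[:-tag_len], received[-tag_len:]
    if not hmac.compare_digest(make_tag(key, packet, digest), tag):
        return None
    return packet


def flip_byte(data: bytes, index: int) -> bytes:
    """Simulate a single byte being altered on the line (constructed fault)."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


def demo() -> dict:
    """Run the cases the text describes and return pass/fail per case."""
    on_the_wire = protect(SHARED_KEY, SAMPLE_PACKET)
    return {
        # Untouched packet: the receiver recovers it.
        "intact_ok": verify(SHARED_KEY, on_the_wire) == SAMPLE_PACKET,
        # One payload byte changed in transit: fingerprint no longer matches.
        "altered_rejected": verify(SHARED_KEY, flip_byte(on_the_wire, 10)) is None,
        # Packet re-tagged by someone without the shared key: rejected.
        "unkeyed_rejected": verify(SHARED_KEY, protect(b"guess", SAMPLE_PACKET)) is None,
        # Same construction with a modern digest.
        "sha256_ok": verify(SHARED_KEY, protect(SHARED_KEY, SAMPLE_PACKET, "sha256"),
                            "sha256") == SAMPLE_PACKET,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The comparison uses hmac.compare_digest rather than ==, so the time taken to reject a bad tag does not depend on how many leading bytes happened to match; the tag covers the header as well as the payload, so a change to either is caught.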
Examining each packet for encryption/decryption also allows packet filtering
technologies to examine them right at the edge of a secure network. With the
proper security policy in place, troublesome and insecure applications, such
as online gaming and music sharing, can be disallowed and the resulting
packets dropped.
Real-World Application Across Different Sectors
Encryption technology has grown and improved as the various areas needing the
technology have grown and changed. Different industries and enterprises might
have different reasons for needing IPSec encryption, but the applications
themselves are not hard to find.
Security is an ever-present concern at all levels of government and the
military. The safety of our nation and its people requires that the utmost
care be taken in protecting the information that federal, state, and local
governments need to run on a daily basis. IPSec encryption is an important and
simple method to achieve the confidentiality requirements demanded by
government organizations. Law enforcement is another area where network
security is essential and where IPSec can help.
With identity and credit card theft as rampant as ever and new legislation
such as the Gramm-Leach-Bliley (GLB) Act adding to the security requirements
being placed on financial institutions, IPSec encryption becomes an ideal
solution for financial institutions needing to secure the immense number of
transactions and transmissions that are a part of daily financial operations.
IPSec encryption enables the remote backup and disaster recovery storage
systems required by financial organizations and promotes network security
along the crucial network lines between national, regional, and local banking
centers.
In medicine, patient records, billing information, even x-rays, are now being
transmitted across the Internet, and the trend will only grow with time. With
patient confidentiality and financial security in mind, IPSec encryption can
keep pace with the growing needs of the healthcare community and can help
ensure compliance with the federal government's Health Insurance Portability
and Accountability Act (HIPAA).
IPSec encryption protects our nation's vital infrastructure while also
supporting the 24/7 operations so vital to the utility industries. With the
global threat of terrorism a constant concern, the need to protect vital
operational information from outside sources is more important than ever.
Encryption systems are now available with throughput to match the needs of
this demanding sector, ensuring all communications are secure.
The Risk-Return
Like all business decisions, network security is a matter of
evaluating the risk versus the costs involved with mitigating that risk. Can
you afford to risk having your critical data exposed and unprotected,
available to anyone who can get it?
In the past, encryption systems could not keep up with the rapid advancements
in computer speed, and were overlooked as a possible solution. Today, that's
changed. Encryption systems now operate at full-duplex gigabit Ethernet speed
and with minimal latency, providing IPSec encryption to network and security
managers who want to close the holes left in their network security plans.
In this increasingly real-time, data-dependent, Internet-based economy, no
organization can afford to leave their data unprotected. Encrypting IP traffic
provides an end-to-end, cost-effective, and technologically complete step
towards achieving complete network security in today's networked
environment.
About The Author
Scott Palmquist is the vice president of Product Management for CipherOptics.
CipherOptics is the developer of the Security Gateway™, a new network security
encryption appliance. The Security Gateway plugs right into most networks and
provides 3DES -- and soon AES -- IPSec encryption at full-duplex gigabit speed.
Able to be installed in various network configurations from point-to-point to
remote storage to intranet compartmentalization, the Security Gateway is a
flexible and low-cost solution to the issue of network line security. You can
reach Scott at scottp@cipheroptics.com or at (919) 865-7323.