QUESTION & ANSWER

The barriers between you and a 'hack-proof' network

By Eric B. Parizo, SearchNetworking.com News Editor
23 Oct 2003 | SearchNetworking.com


At the upcoming Networking Decisions conference, taking place Nov. 5-7 in Atlanta, network security expert Jeffrey Posluns will offer his insights on what it takes to successfully evaluate the security of an enterprise infrastructure. The founder of Montreal-based SecuritySage Consulting gave SearchNetworking.com a preview, and also discussed other key issues impacting today's networking landscape.

Is it possible to have a "hack-proof" enterprise network?
Jeffrey Posluns: For one, you're always going to have trouble dealing with users. They do not want to follow policies. They just want to do their jobs in the most convenient way possible without thinking about the consequences of their actions. There have been a lot of Outlook/Microsoft-based viruses in the past year, enough so that people should know not to open up strangely formatted attachments, but they keep on doing it. There is not too much one can do, other than keep on educating the users, or get them off Microsoft platforms.




In your opinion, are wireless networks easier or more difficult to secure than wired networks?
Posluns: The answer is both, potentially, but it depends on the specific technologies that are being used. If one [company] is using all of the latest, most recent security capabilities for wireless networks, then a wireless network can be limited to specific users who are authorized to use it. It's a lot more difficult for a bad guy to make use of networking resources. But in a wired environment, anyone can plug in. There are things you can do on a switch to limit MAC addresses, but it's nearly impossible to control things to that detail on a wired network.

But most organizations with a wireless network are not going to have all the available capabilities, like an authentication server and access control. At present, a wired network is going to be more secure. We look forward to a few years from now when wireless can take its place.

Do you recommend using public Wi-Fi hot spots?
Posluns: I have no problem with them. You should be using SSL for any of the communications that you're making with your company servers, if you're going to have private info on them. For instance, if I'm in a Starbucks coffee shop, I have no problem using their network, but when I connect to a work-related system, like an e-mail server, it's encrypted. I'm going to be using a VPN. Others may be able to see what systems I'm connecting to, but that doesn't pose that much of a risk.

What do you think about Microsoft's decision to release vulnerability information on a monthly basis?
Posluns: I believe that vulnerability info should be released as soon as it exists. That way, the people who will have issues with it can implement controls to minimize it, until a method exists to completely eliminate the vulnerability. Otherwise, you're leaving people with gaping wide-open holes in their information systems that are subject to exploits. I'm not going to get into what I think about the liability issues involved.

Do you buy into the belief that instant messaging is a major network security concern for the enterprise?
Posluns: It depends on how it's implemented. IM can potentially cause [security] issues in an organization, due to the ability to share files and bypass most organizations' controls over how information should be passed outside of the enterprise. On the other hand, IM can allow enterprise users to increase the efficiency with which they work.

In my organization, the fact that I can log onto our internal chat server and have all the different people in our operations centers chat with me immediately means that I don't have to be on the phone all the time. A phone conversation is going to take more concentration than having a window open, where I can look at it for 30 seconds, and then go back to what I'm doing. It allows me to multitask. So should organizations be using an enterprise IM or allowing users to connect to the publicly available one? If you're using a public one, it's going to depend on your security policy and what it is you're going to do.

Is it getting more difficult to keep the enterprise network secure?
Posluns: I don't think it's getting more difficult to keep an enterprise network secure, but people are paying more attention to what the security risks are. If you only have to take care of two [security issues], it's easy to do. If you have to scale up from two to 10 to suddenly 150, that can be a nightmare. More knowledge is readily available now to the attacker and to the organization, but over the next few years, it'll probably level out.

More knowledge will be available to the defenders, but the biggest problem will still be the users. If you tell a user that he has to have a password that's eight characters and change it every 30 days, they're not going to like it. It creates more forgotten passwords, more calls to the IT department. An executive will demand that he get to keep his dog's name as his password longer, and he'll have enough push to make that happen. I've seen that happen.
