Knowing how secure the most secure operations are—and what products those organizations use to achieve it—can help you establish your own criteria.

Geeks with Guns

Knowing how secure the most secure operations are—and what products those organizations use to achieve it—can help you establish your own criteria.

It’s dark in the middle of Kansas on a lonely road. High winds and pelting rain bring visions of tornadoes and death by flying cows. A lone police cruiser spots a suspicious van prowling slowly past. Is it a distant relative trying to read shadowy mailboxes? A crack cocaine dealer searching for the lab? Pizza Hut? Should our courageous Kansas cop call for back up? Offer to help? Head for the safety of Burger King? A quick check via the officer’s on-board laptop accesses the central database in Topeka. The answer comes back quickly. No arrests, no warrants. No recent drug activity or reason for suspicion in this neck of the woods. The van isn’t on anybody’s list of stolen vehicles, and it doesn’t fit any known criminal activity definition. The van pulls in at the next driveway. The cruiser continues on.

We all know the technology that makes this possible. But how is it made secure? What’s to prevent someone from intercepting this information or, worse still, changing it? What keeps criminals out of the criminal databases that are now linked to the Internet?

This month I’m going to take you through a solution developed for the Kansas Bureau of Investigation by FishNet Consulting, Inc., an Internet security consulting firm based in Kansas City. If you think you have a tough review committee to face before you can implement a VPN, consider that this system had to be reviewed by a U.S. National Security Subcommittee! It turns out the KBI choices mirror ours, albeit at a higher level of intensity than some of us are used to.

Kansas-Style Security

You know the drill. Cops on the beat need information. From a car’s license plate they can get that information—if they have enough time. Investigators need information too, to solve crimes and maybe prevent them. Fingerprint matches, mug shots, criminal history... but where do they get it? Kansas isn’t exactly New York City. There are miles and miles of highways and dirt roads. One hundred and fifty counties, many of them rural, contain hundreds of small communities with few dollars for sophisticated leased-line solutions and fewer police officers.

The KBI wasn’t really seeking a security solution. They wanted an information solution and knew it had to be very secure. In fact, the FBI doesn’t allow any criminal information database to use the Internet unless a high level of security can be proved. Representatives from KBI and FishNet Consulting had to travel to Washington, D.C. and present their solution before the National Security Subcommittee.

What makes it even more unusual—and of interest to us in talking about security products—is the fact that it’s the first Internet-based criminal information solution and that it’s the result of combining six security products. This solution may prove to be the model for other states; it’s currently considered to be ahead of even what the FBI has.

Until recently, Kansas cops relied on frame relay, car radios, the telephone, and snail mail to connect to the rest of the world. Their old 4.8K SNA dedicated network connected 270 agencies and some 4,000 users. Data was often dispersed and not always easy or quick to be found. Now, however, security products, laptops, and Internet access can provide quick, cheap, mobile resources to tap centralized databases of information. Currently, the new KBI infrastructure connects 750 criminal justice agencies and is used by 2,500 individuals. By next year, the Bureau estimates this will be a 2.5 million-seat installation. (Implementation was approved early last fall.)

Firewall Terms
Packet-filtering routers—A type of firewall in which packet-filtering routers filter each packet through a set of rules. The source and destination address are examined to see if they’re excluded by a rule that’s been configured on the router. Packets not denied access are passed. Adding more rules decreases performance. Examination is at a low level. Data in the packet isn’t examined. While packet-filtering routers are often used as firewalls, they’re considered easily fooled and not a good choice for your only security defense.

Application firewalls—Dual homed interfaces to two separate networks, such as your network and the Internet. Examination is at a higher level, the application level. Packets not explicitly allowed access will be denied. Characteristics other than source and destination address are considered.

Stateful inspection—Communication- and application-derived state and context information is examined and updated dynamically. Stateful inspection and action occurs before the communication enters the operating system of the gateway.

Two-factor authentication—The use of a something only the user knows—a memorized personal ID number or password—and something unique that the user possesses—a device or physical attribute such as fingerprints.

Dual-homed or multihomed—Computers with multiple interfaces, for example, ones with two or more NICs that connect them to two or more separate networks.

The Products that Make It Happen

We all know that passwords can be cracked. Two-factor authentication keyfobs (hardware authentication tokens) from Security Dynamics Technologies, Inc. provide the KBI with six-digit ID numbers that change every 60 seconds. Each police officer has this and a private PIN. He or she needs both the physical access provided by a computer and modem (or other connection to the Internet) and the ID number and PIN to get the information described previously. Would-be intruders would need all four components as well as knowledge of the access points and how to use the software. At headquarters in Topeka, a Check Point Software Technologies Ltd. FireWall-1 sits between the data and the Internet. Check Point’s VPN-1 software encrypts all data. Encryption accelerator boards from Chrysalis-ITS speed this process. Entrust Technologies’ public key infrastructure provides certificates and Internet Security Systems, Inc.’s RealSecure intrusion detection software keeps a watchful eye on all activity.

How well do all these products work together? If you’ve been around for a while, you know that integrating various hardware and software components isn’t always easy. Yet, it’s desirable because it keeps us from getting stuck in a single-vendor solution. Wouldn’t this be harder still in a security setting?

The components in this mix were integrated by FishNet using Check Point’s OPSEC (Open Platform for Secure Enterprise Connectivity) API. Other security product firms have announced similar APIs: Aventail Corp., with its CCI or Common Content Inspection API; Finjan Software Ltd.; and Internet Security Systems, Inc. with ANSA (Adaptive Network Security Alliance).

These APIs will help organizations integrate security products from multiple companies, giving birth to a new business: security integrators. Look for other security solutions to be comfortable associations of multiple products linked by enterprising consulting firms.

Achieving Your Own Security Plan

Today, the question isn’t, should you get a firewall or when, but which one? It’s not just a matter of securing your files from attack via the Internet; it’s a matter of securing your data and mission-critical systems from accidental or malicious damage from within your company as well. Special security software such as firewalls, intrusion detection systems, badges, smart cards, and encryption accelerator cards can help. Let’s start by going through questions that can help you focus your investigation on the types of protection you might need for your enterprise-wide security solution. These are the same questions pondered by the KBI in its planning efforts.

  • How tight does security need to be? Evaluate the inherent risk to your systems and data. This is going to depend on your business and the type of data you handle. Fort Knox and the FBI obviously have a higher need for tighter security than the local toy store. Break down this risk evaluation by asset: payroll records, financial data, R&D vs. public information, or details about the company picnic. If data access needs to be protected to a higher degree, consider a PKI—a public key infrastructure. Look to companies like Entrust and VeriSign, Inc. for information about certificates and PKIs. Compare and contrast with Microsoft’s Certificate Server.
  • What are the obvious points of necessary protection in your system? Document and examine complete network diagrams. Look for obvious points of outside entry: Internet access, dial-up modems, leased lines. Leased lines? Aren’t they supposed to be secure? Remember: They’re points of access to your network. What could happen at your provider’s junction boxes that might jeopardize your network?
  • Is there a need for remote access? Traveling salespeople, executives, network engineers. Do these road warriors and armchair administrators carry sensitive information on their laptops? Do they keep it at home or can they access it from home? Could their modem and company access numbers provide an easy path to sensitive data? What if their laptop is stolen from home or while on the road? Check out hardware tokens from Security Dynamics’ SecurID. Also consider fingerprint scanners like BioMouse Plus from American Biometric Company.
  • If you offer Web access for employees, is URL screening an issue? Should you restrict access to known sites such as entertainment, pornography, and/or shopping, that have nothing to do with your employees’ business pursuits? Products such as WebSENSE by NetPartners Internet Solutions, Inc. can do just that.
  • Do you have a current virus detection and protection scheme in place? Many products now offer virus screening at the firewall level (check offerings from Data Fellows Inc., Aladdin Knowledge Systems, Integralis Network Systems, Symantec Corp.’s Norton AntiVirus, and TrendMicro) to protect you from this threat, before it reaches the network. But this isn’t the only solution you need. Any data access point (dial-up modems, floppies, CD-ROMs, keyboards) can be an infection point. Computer Associates offers server-based virus detection programs.
  • Do you have sensitive areas (such as accounting or R&D) within your company that could benefit from extra protection? Firewalls aren’t just built for sitting between the network and the Internet. They can also protect areas of your company from the curious eyes and fingers of employees who have no right to see them.
  • How do you monitor the use of your network? Do you have trained personnel with hours free to scan miles of audit logs? Or would a program that filters and alerts you to records of interest be important? What about the ability to generate executive-level charts and graphs? (It seems you have to paint them a picture sometimes or they just don’t get it.) For help with your security audit, look into scanning technology such as RiskPAC, a PC-based questionnaire and knowledgebase tool from CSCI.
  • A firewall may or may not keep intruders out. How are you going to find out if someone has broken in—or if inside folks are where they shouldn’t be? Intrusion detection software such as Kane Security Monitor from Intrusion Detection, Inc. or RealSecure may be part of the answer here.
  • Do you know how a firewall works? Seems silly, doesn’t it? But there are different types of firewalls that work on different principles. Even security experts disagree on the best type of firewall. If you don’t know what they are, how will you choose? (And you thought this was one area where the best choice was to hire an expert and let them make decisions for you!)
  • How much data do you need to secure, and how is it secured? How often does it change? And how tightly does it need to be secured? If a large amount of data must be encrypted before it moves across the wire, encryption accelerator cards may be the solution, especially if you’re accessing the Internet at above-T3 speeds and/or using Triple DES (a more-advanced-than-DES encryption algorithm), Internet Key Exchange (IKE, the exchanging of encryption keys over the Internet). Check out the offerings from Chrysalis-ITS for information about encryption subsystems for network security.
  • How are you going to test your security defenses? Consider scanning tools, hacker tricks, and hiring a Tiger Team (or “piranha team” as coined by FishNet Consulting) to investigate holes and weakness. How about a monthly service that pulls data from your network and provides you with reports? Got a secure solution, you say? Technology changes every day. Just when you thought it was OK to come in from the cold, another dazzling new security breach gets discovered or an employee accidentally deletes or changes critical data. How do you protect against that?

I think you get my point here. Security isn’t a one-time—or one-product—thing. You don’t just decide on “a” product and believe it’s the security solution for all times. Look carefully at your situation and then examine the types of products that seem to bring a solution.

Additional Information

To learn more abou the companies and products referenced in this story, visit these sites:

A final note: Why expose the Kansas Bureau of Investigation to potential attacks by publishing its security solution? Well, why practice security through obscurity? It’s hoped that by giving one solution, others will develop. Besides, in true cyberspook fashion, how do you know we’ve really exposed the true list of products and procedures for the KBI?

Featured