Tips and suggestions for choosing the best security for your company's computer system.
The type of security you choose for your system depends on what you need to protect--and why. Herewith, an overview of the options.
When you think of purchasing security products for your car, you probably run through a quick checklist in your head: Is your car a natural target for thieves (Porsche)? Do its parts fetch high prices on the black market (Honda Accord)? Do you have anything in your car that a thief might want (CD player)? The answers to these questions generally determine whether you shell out for a highfalutin alarm system, opt for the Club, or simply trust your door locks to deter would-be joyriders.
When you think about security for your company's computer system, a similar rundown makes sense. Who is most likely to try to break into your system, and why? What kinds of information need to be protected most vigilantly? What functions are most susceptible to tampering? Like the automobile-security industry, the computer-security market offers a wide range of options, with everything from antivirus software to one-time password devices. It's a good idea to assess your requirements in detail before shopping around, because one company's security needs may be very different from another's.
Here we take a look at two of the most basic and essential types of protection: firewalls and encryption. A firewall helps control who gets into and out of your network. (Think of it as car door locks and alarm system all in one.) An encryption program prevents anyone from reading your E-mail or the files on your system. (Think of the Club, which makes it impossible for an intruder to drive a car after a break-in.) One or the other--or both--may be right for your company.
Firewalls: Gatekeepers to Your System
Firewalls act as gatekeepers between a company's internal network and the outside world. At minimum, they examine the location from which data enter your system or the location to which data are going, and then choose, based on your instructions, whether to allow the transfer of that information. For example, you might set up a firewall to accept files from your office in Hawaii but to reject any other files. (The most thorough firewalls examine the contents of files for viruses.) In addition to gatekeeping functions, most firewalls monitor the use of your system and keep logs so you'll know if anyone is trying to break in. For example, if someone tries to log on to your system five times with the wrong password, the firewall's activity report will show that. (Some firewalls E-mail or page the systems administrator when they detect suspicious activity.) Other firewalls offer encryption options, which allow you to scramble the information in files, making it unreadable. A caveat: the more protection and options a firewall package offers, the more time-consuming it usually is to set up and maintain. Some programs are so sophisticated that even experienced systems administrators need to take a training course before implementing the package.
Fortunately, there's been a recent move toward firewalls with user-friendly graphical interfaces, as opposed to the UNIX-based firewall software (which requires you to type in commands) that dominated the market until about a year ago. For companies short on technical expertise, FireWall/Plus (from Network-1 Software & Technology; 800-NETWRK1; www.network-1.com) is one product to consider. FireWall/Plus has a graphical user interface; you simply click on one of 10 buttons to configure one of the 10 different firewalls. One option, for instance, prevents anyone from getting onto the Internet through your system; another lets people transfer files out of the company but blocks any files from coming in.
Richard Gillespie, manager of network services for Aspen Publishing, in Gaithersburg, Md., bought FireWall/Plus to use at the $60-million health and legal publishing company. He wanted employees to be able to use E-mail and the Internet but didn't want anyone from outside to be able to send files into the company via the Web. "I pointed a green arrow at the button that said 'mail in/out, and Web out,' and that was it," says Gillespie. That convenience was the clincher. He says he bought FireWall/Plus because he didn't want to go through the ordeal of learning UNIX.
FireWall/Plus can also be used to set up internal firewalls. While most firewalls are written to protect companies from external threats via the Internet, FireWall/Plus also filters traffic on internal networks. The program not only can tell whether a file is external or internal but can determine the source of a file from within your own network. For example, if you want to protect your financials from prying eyes in your own company (say, from the sales department), you can set up FireWall/Plus on an internal network server. Since the program takes up less memory than external firewalls, it can coexist with other server applications, such as E-mail programs, and protect those applications at the same time.
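To make the gatekeeping described above concrete, here is an added example of the kind of ordered rule policy a firewall evaluates; it is not FireWall/Plus code and does not reproduce its button-driven configuration. The addresses (a 10.0.0.0/8 company LAN, a Hawaii office on 203.0.113.0/24, a sales subnet, a finance server) and the port-to-service table are constructed assumptions. It encodes the policies the article mentions: accept files from the Hawaii office only, mail in and out, Web out but not in, and the sales department kept off the financials server, with everything unmatched dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the demonstration: the company LAN, a branch office,
# the sales subnet and the finance server.
INTERNAL_NET = ip_network("10.0.0.0/8")
HAWAII_OFFICE = ip_network("203.0.113.0/24")
SALES_SUBNET = ip_network("10.20.0.0/16")
FINANCE_SERVER = ip_network("10.1.1.5/32")

PORT_SERVICES = {25: "mail", 80: "web", 21: "ftp"}   # service names the rules refer to


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in", "out", "internal" or "any"
    service: Optional[str] = None    # None matches any service
    src: Optional[object] = None     # ip_network; None matches any source
    dst: Optional[object] = None     # ip_network; None matches any destination
    note: str = ""


# Ordered policy: first matching rule wins; anything unmatched is dropped (default deny).
POLICY = [
    Rule("deny", "internal", src=SALES_SUBNET, dst=FINANCE_SERVER,
         note="keep the sales department off the financials"),
    Rule("allow", "in", service="ftp", src=HAWAII_OFFICE,
         note="accept files from the Hawaii office only"),
    Rule("allow", "any", service="mail", note="mail in/out"),
    Rule("allow", "out", service="web", note="Web out, nothing comes in via the Web"),
]


def direction_of(src, dst) -> str:
    """Classify a connection relative to the company network."""
    s_in, d_in = src in INTERNAL_NET, dst in INTERNAL_NET
    if s_in and d_in:
        return "internal"
    if s_in:
        return "out"
    if d_in:
        return "in"
    return "transit"   # neither end is ours


def decide(src_ip: str, dst_ip: str, port: int):
    """Return (action, reason) for one connection attempt."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    direction = direction_of(src, dst)
    if direction == "transit":
        return "deny", "not our traffic"
    service = PORT_SERVICES.get(port)   # unknown ports match only service-less rules
    for rule in POLICY:
        if rule.direction not in ("any", direction):
            continue
        if rule.service is not None and rule.service != service:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        return rule.action, rule.note
    return "deny", "default deny: no rule matched"


if __name__ == "__main__":
    for attempt in [("203.0.113.7", "10.1.2.3", 21), ("198.51.100.9", "10.1.2.3", 21),
                    ("10.1.2.3", "198.51.100.9", 80), ("198.51.100.9", "10.1.2.3", 80),
                    ("10.20.5.5", "10.1.1.5", 25)]:
        print(attempt, "->", decide(*attempt))
```

The order of the rules matters: the sales-to-finance deny sits first so that the later "mail in/out" rule cannot override it, and the default deny at the end is what turns "Web out" into "Web out only".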
Pricing for FireWall/Plus varies, depending on which version you choose and how many users will access the system. (Industrywide, the cost of a firewall rises with the number of users; some vendors tack on additional fees to configure the firewall for you.) If you want full Internet protection, prices range from $5,000 to $13,000, depending on the number of users. Once you have the Internet version set up, you can add internal firewalls for anywhere from $2,500 to $6,000, again depending on the number of users. There is also an individual workstation version (if you want to, say, protect only your chief financial officer's computer), which sells for $750 for up to five users.
Another easy-to-use firewall is On Guard ($6,490 per 100 users; On Technology Corp.; 617-374-1400; www.on.com), which can also serve as an internal firewall (although it's not as flexible as FireWall/Plus). And new this spring is the Wall ($995; Raptor Systems Inc.; 800-9-EAGLE-6; www.raptor.com), aimed at businesses with up to 25 users. Setup time for these products is minimal (less than an hour in most cases), and administering them doesn't require an understanding of UNIX. The downside is that you sacrifice some flexibility in configuration and, in the case of the Wall, you're locked into a limit of 25 users.
If you keep sensitive customer information or, say, company financials on a network that's connected to the outside world, you might want a product that offers more than basic gatekeeping and monitoring. One to consider is SmartWall (base price, $15,495; V-ONE Corp.; 800-495-VONE; www.v-one.com). One nice feature of SmartWall is its real-time monitoring. Most firewall products, including SmartWall, log all system activity and can generate reports for the systems administrator. But SmartWall goes a step further and alerts the administrator, via E-mail or pager, about suspicious on-line activity. This is especially useful given that some hackers will bombard a system with entry requests until it crashes and then sneak in while the firewall is down. SmartWall will page an administrator if, for example, someone tries to log in to the system a particular number of times with an incorrect password, one sign of an attempted break-in. The administrator can then examine the logs to determine where the meddling is coming from and can reconfigure the software to block particular addresses.
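The two alerting conditions just described (a run of wrong passwords from one address, and a flood of entry requests) are both threshold-in-a-window checks over the firewall log. The following is an added example of that detection logic, not SmartWall's own code; the log format and the log lines are constructed, and the thresholds (five failed logins in ten minutes, twenty connection attempts in one minute) are assumptions chosen for the demonstration. It also shows the case the threshold must get right: a single stale failure long after the burst must not fire again.

```python
import re
from collections import deque, namedtuple
from datetime import datetime, timedelta

# Constructed log lines in a made-up format (not SmartWall's real log format):
# a burst of failed logins from one address, some ordinary entries, one stale
# failure 25 minutes later, and a flood of connection attempts from another address.
SAMPLE_LOG = "\n".join([
    "1997-05-02 09:14:03 src=198.51.100.23 event=login_failed user=admin",
    "1997-05-02 09:14:20 src=192.0.2.8 event=login_failed user=jsmith",
    "1997-05-02 09:14:31 src=198.51.100.23 event=login_failed user=root",
    "1997-05-02 09:14:45 src=192.0.2.8 event=login_ok user=jsmith",
    "1997-05-02 09:15:02 src=198.51.100.23 event=login_failed user=admin",
    "1997-05-02 09:15:19 src=198.51.100.23 event=login_failed user=guest",
    "1997-05-02 09:15:40 src=198.51.100.23 event=login_failed user=admin",
    "1997-05-02 09:40:00 src=198.51.100.23 event=login_failed user=admin",
] + [f"1997-05-02 09:20:{i:02d} src=203.0.113.50 event=connect" for i in range(25)])

# event -> (count that triggers an alert, length of the sliding window); assumed values
THRESHOLDS = {
    "login_failed": (5, timedelta(minutes=10)),   # repeated wrong passwords
    "connect": (20, timedelta(minutes=1)),        # bombardment with entry requests
}

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) event=(\S+)")
Alert = namedtuple("Alert", "event src count at")


def parse(log_text: str):
    """Turn log lines into (timestamp, source, event) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines that don't fit the format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def detect(log_text: str, thresholds=THRESHOLDS):
    """Fire one alert per (event, source) the moment its count reaches the threshold
    inside the sliding window; old timestamps age out, so a stale failure alone
    never re-triggers."""
    windows = {}   # (event, src) -> deque of timestamps still inside the window
    alerts = []
    for ts, src, event in parse(log_text):
        if event not in thresholds:
            continue
        limit, span = thresholds[event]
        q = windows.setdefault((event, src), deque())
        q.append(ts)
        while ts - q[0] > span:     # drop timestamps older than the window
            q.popleft()
        if len(q) == limit:         # exactly at the threshold: fire once
            alerts.append(Alert(event, src, len(q), ts.strftime("%Y-%m-%d %H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT {alert.at}: {alert.count}x {alert.event} from {alert.src}")
```

Firing exactly when the count reaches the limit, rather than whenever it is at or above it, is what keeps a sustained flood from paging the administrator once per packet; the log itself still holds every attempt for the follow-up examination the article describes.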
One of SmartWall's major selling points is SmartGate, a smart-card technology that comes with the firewall but may also be used, and/or purchased, separately. Because firewalls deny access, they may make it difficult for legitimate users--such as suppliers and virtual employees--to get into a company's network. Smart cards, similar to ATM cards, let authorized users log in if they're on the road or working from home. (The technology is also available as disks, called virtual smart cards.)
Don Grage, CEO of Potomac Interactive Corp., a Web-site development and Internet consulting company based in Arlington, Va., installed SmartWall with SmartGate about a year ago to ward off hacker attacks. Grage's customers, many of whom hand over detailed company material when contracting with Potomac to develop their Web sites, were worried about the prospect of sabotage and requested that Grage set up a firewall. "They didn't want people breaking in and seeing their company information in its raw form," he says. But Grage's employees have to access Potomac's system off-site when they're making customer-service calls. The smart-card technology allows for both options.
Since installing SmartWall, Grage has had one break-in. Hackers used one of his servers as a repository for stolen Macintosh software and then posted the server's address on a computer bulletin board. After receiving several calls from people who complained they couldn't access the Mac software on his Internet site because of heavy traffic, a surprised Grage investigated and discovered the pirated software (500 MB worth). Luckily, says Grage, the server was outside the firewall, which meant that nobody had gotten access to anything inside the boundary, where private company information resides. Had the firewall not been there, the hackers could easily have jumped from the external to the internal system, because the two are connected. "If they had gotten into our internal local area network," Grage says, "it would have been a nightmare."
Secure as firewalls are, they can't repel intrusion 100% of the time. So if you're looking for the ultimate way to protect your company's secrets, you might want to consider encryption as a second layer of protection.
Think back to the breakfast cereal you ate as a kid. Sometimes there was a paragraph of gobbledygook on the back of the box that you could read only by putting a special piece of transparent colored plastic over it. Then, magically, the message would become crystal clear. That's essentially how encrypting a computer file works. One person creates a message and turns it into gibberish, using a special "key," or code. Only someone with the right decoding phrase (the equivalent of the transparent colored plastic) can read the message.
Computer encryption is serious stuff--so serious that the U.S. government has been trying to restrict it for years. Because a good encryption scheme is based on algorithmic mathematics, it's unbreakable unless you put several supercomputers to work deciphering the code--and even the computers may not be able to crack it. "It's absolute," says Craig Rowland, an Internet security consultant in Gaithersburg, Md. Rowland should know. He breaks into systems for a living--when customers ask him to test their security measures. The only thing that ever foils him or any hacker, he says, is encryption.
Probably the most famous encryption program is Pretty Good Privacy (PGP), created by Philip Zimmermann and released as freeware over the Internet in 1991. That put Zimmermann in hot water with the feds, who regard encryption as a potential threat to national security. (The government has banned the export of 40-bit and higher encryption algorithms, which are officially classified as munitions. Currently, the government requires manufacturers to have a special license to export files encrypted above 40 bits; they must provide the government with the mechanism[s] for key recovery in the event of a criminal investigation.) Finally, after years of dealing with the threat of patent suits and federal munitions laws, Zimmermann started his own company, Pretty Good Privacy Inc., in San Mateo, Calif., in March 1996. His first commercial product is an E-mail encryption program called PGPmail ($149.95; 415-631-1747; www.pgp.com). Some versions of the original PGP (which also encrypts E-mail messages) are still available for free on the Internet. (Manuals and technical support are not available with the freeware programs.) PGP is export-restricted.
PGPmail works with all E-mail packages, and it offers toolbar-functional plug-ins for both Eudora and Netscape. (It's usually a cut-and-paste operation.) To use the program, you create keys for encrypting and decrypting messages. One key is your public key, which you give to people who want to send you secure messages. (Both parties must have PGP.) The second key, your private one, you keep and use to decode those messages. The keys are nothing more than mathematical formulas and look like a block of random text. Here's a segment of someone's public key:
If you want to send an encrypted message to someone using PGPmail, that person must first E-mail you his or her public key, which your copy of PGP stores. You encrypt with that public key; whenever you send an encrypted message, the recipient uses his or her private key to decode it.
In addition, the recipient must enter a pass phrase to decrypt the message. The pass phrase protects your private key.
If you E-mail sensitive documents to your customers and suppliers over the Internet, a program like PGP can ensure that the content of those documents remains confidential. Another option PGP gives you is a "digital signature." The signature (a mathematical value computed with the same keys) can be used when encrypting your entire message isn't necessary. For example, say you want to send an announcement to all your customers that you've increased your prices. The message itself may not be a secret, but establishing that it is indeed from you and not from a malicious competitor is important. In some states, like Florida, Georgia, and Utah, a digital signature is as legally binding as a written one.
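The public key, the private key, the pass phrase that protects the private key, and the digital signature described in the last few paragraphs can all be seen in one place with textbook RSA. The block below is an added example written for this purpose; it is not PGP's code or key format (PGP uses far larger keys, padding, and a hybrid scheme with a symmetric cipher), and the primes, salt, pass phrases and message are constructed for the demonstration. Wrapping the private exponent by XOR with a PBKDF2-derived key is a deliberate simplification of the symmetric protection PGP applies to a stored private key.

```python
import hashlib

# Two known primes, chosen small enough to read and far too small for real use.
P, Q = 2147483647, 1000000007
N = P * Q                       # public modulus, just under 2**61
E = 65537                       # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)             # private exponent (Python 3.8+ modular inverse)
BLOCK = 6                       # plaintext bytes per block: 1 length byte + 6 bytes < N
SALT = b"constructed-salt"      # would be random per key in practice


def public_key():
    """The part you hand out to anyone who wants to write to you."""
    return (N, E)


def wrap_private_key(d: int, passphrase: str) -> int:
    """Protect the private exponent under a pass phrase (simplified XOR wrapping)."""
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 100_000)
    return d ^ int.from_bytes(k, "big")


def unlock_private_key(wrapped: int, passphrase: str) -> int:
    """Undo the wrapping; a wrong pass phrase yields a wrong exponent, not an error."""
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 100_000)
    return wrapped ^ int.from_bytes(k, "big")


def encrypt(message: bytes, pub) -> list:
    """Encrypt with the recipient's PUBLIC key, one 6-byte block at a time."""
    n, e = pub
    blocks = []
    for i in range(0, len(message), BLOCK):
        chunk = message[i:i + BLOCK]
        # fixed 7-byte layout: [length][chunk padded to 6 bytes]
        m = int.from_bytes(bytes([len(chunk)]) + chunk.ljust(BLOCK, b"\x00"), "big")
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(blocks: list, d: int, n: int = N) -> bytes:
    """Decrypt with the PRIVATE exponent; garbage in (wrong d) gives garbage out."""
    out = bytearray()
    for c in blocks:
        raw = pow(c, d, n).to_bytes(8, "big")   # correct decryption gives raw[0] == 0
        out += raw[2:2 + raw[1]]
    return bytes(out)


def sign(message: bytes, d: int, n: int = N) -> int:
    """Digital signature: the message hash raised to the private exponent.
    (Real schemes pad the hash; reducing it mod n is the textbook shortcut.)"""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Anyone holding the public key can check the signature against the message."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def demo():
    passphrase = "correct horse battery staple"     # constructed
    wrapped = wrap_private_key(D, passphrase)
    announcement = b"Prices rise 5% on 1 July"
    ciphertext = encrypt(announcement, public_key())
    plain = decrypt(ciphertext, unlock_private_key(wrapped, passphrase))
    wrong = decrypt(ciphertext, unlock_private_key(wrapped, "wrong pass phrase"))
    signature = sign(announcement, unlock_private_key(wrapped, passphrase))
    genuine = verify(announcement, signature, public_key())
    tampered = verify(announcement + b"!", signature, public_key())
    return plain, wrong, genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the article's own paragraphs rely on: the public key encrypts and verifies, the private key decrypts and signs, and the pass phrase guards only the stored private key. The tampered announcement fails verification even though the message was never secret, which is the case for the price-increase notice.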
If you're looking for something even easier to use than PGPmail, and something to encrypt more than just E-mail, you might want to try PCCrypto ($49; McAfee; 408-988-3832; www.mcafee.com). PCCrypto has a point-and-click setup and lets you choose among three encryption algorithms: 160-bit, 56-bit, or 40-bit. PCCrypto can encrypt E-mail messages and computer files, such as Word documents and spreadsheets. One of its biggest selling points is that, unlike PGP, someone receiving an encrypted message doesn't need to have PCCrypto to read it; the recipient needs only a password.
Of course, for that reason the program is not nearly as secure as PGP, because intruders can often guess passwords. Passwords tend to be mnemonic devices, for one thing, and there are also programs that guess at passwords, trying millions of letter combinations to find a match. Another disadvantage of PCCrypto is its choice of algorithms. Its 160-bit algorithms are foolproof, but with the federal law that prohibits sending those encrypted files overseas, the only alternatives are the 40-bit and 56-bit algorithms, which are weaker and not entirely secure. (McAfee, however, is in the process of getting government approval to export at 160-bit algorithms.)
For companies that don't want to spend a lot on security or don't keep sensitive information on machines that are accessible to the outside world, PCCrypto is a solid choice. For a highly secure option you might consider waiting until the end of June for the new release of SecurPC ($129; Security Dynamics; 617-687-7000; www.securid.com), which uses a 128-bit algorithm that has been licensed for export.
Like PCCrypto, SecurPC encrypts everything except executable files (the files that run programs). It also has an emergency-access option: if someone suddenly leaves your company, the administrator, CEO, or other appointed person holds a special master key that unlocks the departed employee's encrypted files, which is important if, say, that person kept customer information on a hard drive rather than in a shared database.
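Password-keyed file encryption of the PCCrypto kind and the emergency-access master key of SecurPC fit together in one design: a random per-file key encrypts the file, and that file key is wrapped once under a key derived from the user's pass phrase and once under the administrator's master key. The block below is an added example of that arrangement; it is not SecurPC or PCCrypto code, and the stream cipher (SHA-256 keystream, unauthenticated) and XOR key wrapping are simplified stand-ins for real ciphers and key-wrap modes. Pass phrases, the master key and the file contents are constructed. The slow, salted pass-phrase derivation is the usual answer to the password-guessing programs mentioned above, and the key-check value lets a wrong pass phrase be rejected instead of producing silent garbage.

```python
import hashlib
import os


def stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || block counter); the same call encrypts and decrypts.
    Demonstration construction only: it provides no integrity check."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Slow, salted derivation so that guessing pass phrases costs real time."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def kek_from_master(master_key: bytes) -> bytes:
    """Key-encryption key derived from the administrator's master key."""
    return hashlib.sha256(b"emergency-access" + master_key).digest()


def xor_wrap(dek: bytes, kek: bytes) -> bytes:
    """Simplified key wrapping (XOR); unwrapping is the same operation."""
    return bytes(a ^ b for a, b in zip(dek, kek))


def key_check(dek: bytes) -> bytes:
    """Check value stored beside the file so a wrong key is detected, not used."""
    return hashlib.sha256(b"key-check" + dek).digest()


def encrypt_file(plaintext: bytes, passphrase: str, master_key: bytes) -> dict:
    """Encrypt under a fresh per-file key, wrapped for the user and for the admin."""
    salt, dek = os.urandom(16), os.urandom(32)
    return {
        "salt": salt,
        "ciphertext": stream_cipher(dek, plaintext),
        "check": key_check(dek),
        "wrapped_for_user": xor_wrap(dek, kek_from_passphrase(passphrase, salt)),
        "wrapped_for_admin": xor_wrap(dek, kek_from_master(master_key)),
    }


def _unwrap(record: dict, field: str, kek: bytes):
    dek = xor_wrap(record[field], kek)
    return dek if key_check(dek) == record["check"] else None


def decrypt_with_passphrase(record: dict, passphrase: str):
    """Normal access; returns None when the pass phrase is wrong."""
    dek = _unwrap(record, "wrapped_for_user", kek_from_passphrase(passphrase, record["salt"]))
    return None if dek is None else stream_cipher(dek, record["ciphertext"])


def decrypt_with_master_key(record: dict, master_key: bytes):
    """Emergency access by the appointed person; returns None for a wrong master key."""
    dek = _unwrap(record, "wrapped_for_admin", kek_from_master(master_key))
    return None if dek is None else stream_cipher(dek, record["ciphertext"])


def change_passphrase(record: dict, old: str, new: str) -> dict:
    """Re-wrap the file key only; the ciphertext and the admin copy are untouched."""
    dek = _unwrap(record, "wrapped_for_user", kek_from_passphrase(old, record["salt"]))
    if dek is None:
        raise ValueError("old pass phrase does not unlock this file")
    record["wrapped_for_user"] = xor_wrap(dek, kek_from_passphrase(new, record["salt"]))
    return record


if __name__ == "__main__":
    master = os.urandom(32)                       # held by the administrator only
    rec = encrypt_file(b"customer list: Acme, Globex", "employee passphrase", master)
    print(decrypt_with_passphrase(rec, "employee passphrase"))
    print(decrypt_with_master_key(rec, master))   # works without the employee's phrase
    print(decrypt_with_passphrase(rec, "wrong"))  # None
```

The design choice worth noticing is that the master key never touches the file contents directly: it only unwraps the per-file key, so rotating an employee's pass phrase or the master key re-wraps 32 bytes rather than re-encrypting every file. The flip side is that the master key unlocks everything encrypted this way, which makes its custody the most sensitive part of the arrangement.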
The computer network that's absolutely impenetrable probably hasn't been invented yet. Still, a secured system will probably keep your confidential company records a whole lot safer than if you leave them afloat on an unprotected server. Or, for that matter, locked in the trunk of your car.
There are hundreds of firewall and encryption programs currently on the market. The following manufacturers, in addition to the ones mentioned above, are among those that offer some of the best:
Sarah Schafer (firstname.lastname@example.org) is a staff writer at Inc. Technology.