Forwarded From: "Prosser, Mike" <Mike_Prosserat_private>

http://www.nwfusion.com/news/0608extranet.html

Extranets stress security safeguards
Dynamic passwords prove an effective way to ward off hackers.

By Ellen Messmer
Network World, 6/8/98

Extranets sound like a brilliant idea; just open your intranet up to customers and wait for the benefits of closer communication to come pouring in. But not every potential visitor is a loyal customer, which means that network managers have to protect their nets from infiltrators.

This extranet challenge often means taking a hard look at improving security procedures. That's what had to be done in Santa Clara County, Calif., where the ClariNet WAN is operated for the benefit of county employees. When the county decided to give hundreds of non-county employees access to databases on ClariNet, the network staff confronted the inconvenient fact that simple password/ID logons just aren't good enough anymore.

To protect the network, County Network Manager Dean Leinebarger led a team that decided to forgo the usual password/ID remote access logon routine in favor of more secure "dynamic" passwords generated by hardware and software tokens.

Why? "Reusable passwords are too easy for hackers to sniff," Leinebarger said. "In addition, passwords sometimes get shared among users."

Now the County has started giving out Axent Technologies, Inc. CryptoCard hardware tokens to business partners, including equipment vendors that perform remote maintenance on ClariNet gear. Using the CryptoCards, users can create a one-time dynamic password for authentication by the Cisco Systems, Inc. Secure Server that ClariNet had already installed for remote access. Similar to other brands of palm-size security hardware, CryptoCards generate a different password each time they get used.

With intranets turning so quickly into extranets, the prospect that hackers may also be barging their way in has everyone rightfully concerned.

How bleak is the hacker situation? Ask Steve Williams, network administrator at the Santa Clara Medical Center. Williams said that would-be hackers, armed with modem autodialer software available off the 'Net, are continually collecting as much information as possible about telephone and computer modem lines so they can try to take advantage of the medical center's networks.

The medical center, which keeps an audit trail of all call activity, has now installed what it calls a tripwire system that automatically contacts the District Attorney's office when it spots anything suspicious. "We are prepared to prosecute this type of behavior," Williams emphasized.

Like the rest of the county, Santa Clara Medical Center is switching from simple password/ID logon to CryptoCard authentication at its firewall, the Gauntlet from Network Associates, Inc.

The evolution of intranets into extranets is having a wide impact across software applications. Take Lotus Development Corp.'s Domino server, which gives users access to Lotus Notes databases over the Internet through the Notes proprietary client or a Web browser. With the Notes client, security controls can be set for user access to the server, the database, the form view and the document. But this same level of granularity is not possible with a Web browser. "We can do more for the Notes client," acknowledged Kevin Lynch, product manager for Domino Server at Lotus.

The more network managers learn about security, the greater their dissatisfaction with existing controls seems to be. Michael Mazzotta, network design engineer at Walt Disney Co., constantly worries about vulnerabilities in the SNMP/Remote Monitoring protocols implemented in a wide range of switching gear. For instance, the older version of SNMP lets anyone check the users, traffic, IP address mapping and topology of the intranet if they know how to send an SNMP request called "read community."
Later versions of SNMP, such as Version 2 and the just-finalized Version 3, are better, but apparently haven't been widely implemented, Mazzotta said.
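
The difference the article draws between a sniffed reusable password and a token-generated one-time password, as an added example that is not part of the original article. It uses the counter-based HOTP algorithm from RFC 4226 as a stand-in, since the article does not describe the CryptoCard algorithm; the Token and OtpServer classes, the secret and the sample password are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Token:
    """Hypothetical user-held token: each button press consumes one counter value."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class OtpServer:
    """Hypothetical verifier: accepts a code once, within a small look-ahead window."""
    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead
    def login(self, attempt: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(attempt.encode(), hotp(self.secret, c).encode()):
                self.counter = c + 1  # this code and all earlier ones are now spent
                return True
        return False

def replay_demo() -> dict:
    secret = b"12345678901234567890"       # constructed sample secret (RFC 4226 test key)
    static_password = "clarinet-vendor-1"  # constructed reusable password
    token, server = Token(secret), OtpServer(secret)
    sniffed_static = static_password       # what an eavesdropper captures on the wire
    sniffed_otp = token.press()            # the one-time code seen on the same wire
    results = {
        "static_replay": hmac.compare_digest(sniffed_static.encode(), static_password.encode()),
        "otp_first_use": server.login(sniffed_otp),
        "otp_replay": server.login(sniffed_otp),
    }
    token.press()  # user presses the button without logging in (counter drift)
    results["otp_after_drift"] = server.login(token.press())
    return results

if __name__ == "__main__":
    print(replay_demo())
```

The captured reusable password still matches on replay, while the captured one-time code is rejected the second time because the server has advanced its counter past it.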