[ISN] Extranets stress security safeguards

From: mea culpa (jerichoat_private)
Date: Tue Jun 09 1998 - 14:14:25 PDT

  • Next message: mea culpa: "Re: [ISN] Infowar, More Hype Than Reality?"

    Forwarded From: "Prosser, Mike" <Mike_Prosserat_private>
    Extranets stress security safeguards
    Dynamic passwords prove an effective way to ward off hackers.
    By Ellen Messmer
    Network World, 6/8/98
    Extranets sound like a brilliant idea; just open your intranet up to
    customers and wait for the benefits of closer communication to come
    pouring in. But not every potential visitor is a loyal customer, which
    means that network managers have to protect their nets from
    This extranet challenge often means taking a hard look at improving
    security procedures. That's what had to be done in Santa Clara County,
    Calif., where the ClariNet WAN is operated for the benefit of county em-
    ployees. When the county decided to give hundreds of non-county
    employees access to databases on ClariNet, the network staff confronted
    the inconvenient fact that simple passwords/ID logons just aren't good
    enough anymore. To protect the network, County Network Manager Dean
    Leinebarger led a team that decided to forego the usual password/ID
    remote access logon routine in favor of more secure "dynamic" passwords
    generated by hardware and software tokens.
    Why? "Reusable passwords are too easy for hackers to sniff," Leinebarger
    said. "In addition, passwords sometimes get shared among users."
    Now the County has started giving out Axent Technologies, Inc.
    CryptoCard hardware tokens to business partners, including equipment
    vendors that perform remote maintenance on ClariNet gear.
    Using the CryptoCards, users can create a one-time dynamic password for
    authentication by the Cisco Systems, Inc. Secure Server that ClariNet
    had already installed for remote access. Similar to other brands of
    palm-size security hardware, Crypto- Cards generate a different password
    each time they get used.
    With intranets turning so quickly into extranets, concerns that hackers
    may also be barging their way in has everyone rightfully concerned. How
    bleak is the hacker situation? Ask Steve Williams, network administrator
    at the Santa Clara Medical Center. Williams said that would-be hackers,
    armed with modem autodialer software available off the 'Net, are
    continually collecting as much information as possible about telephone
    and computer modem lines so they can try to take advantage of the
    medical center's networks.
    The medical center, which keeps an audit trail of all call activity, has
    now installed what it calls a tripwire system that automatically
    contacts the District Attorney's office when it spots anything
    suspicious. "We are prepared to prosecute this type of behavior,"
    Williams emphasized. Like the rest of the county, Santa Clara Medical
    Center is switching from simple password/ID logon to CryptoCard
    authentication at its firewall, the Guantlet from Network Associates,
    The evolution of intranets into extra- nets is having a wide impact
    across software applications.
    Take Lotus Development Corp.'s Domino server, which gives users access
    to Lotus Notes databases over the Internet through the Notes proprietary
    client or a Web browser. With the Notes client, security controls can be
    set for user access to the server, the database, the form view and the
    document. But this same level of granularity is not possible with a Web
    browser. "We can do more for the Notes client," acknowledged Kevin
    Lynch, product manager for Domino Server at Lotus.
    The more network managers learn about security, the greater it seems
    their dissatisfaction is with existing controls. Michael Mazzotta,
    network design engineer at Walt Disney Co., constantly worries about
    vulnerabilities in the SNMP/Remote Monitoring protocols implemented in a
    wide range of switching gear. For instance, the older version of SNMP
    lets anyone check the users, traffic, IP address mapping and topology of
    the intranet if they know how to send an SNMP request called "read
    community." Later versions of SNMP, such as Version 2 and the
    just-finalized Version 3, are better, but apparently haven't been widely
    implemented, Mazzotta said.
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:34 PDT