Internet Newsletter for Lawyers |
|---|
It is possible to have security on the network to restrict access to prescribed areas and resources. This security can be applied to the workstations and/or users within the firm and consequently would apply to any “visitor” connected via the Internet. In reality, most LAN’s are “open”; that is, they employ little or no meaningful internal security. Even in firms where some degree of security is employed, “permissions” (the ability of a user/workstation to access the areas/resources to which they are entitled) create an environment for a hacker to “piggyback” those permissions and gain wider access to the network.
It is a truism that the only secure computer is one that is switched off! Once a computer is switched on, it is exposed to risk. As soon as it is connected to the Internet that risk becomes very real and the longer the computer is connected to the Internet, the greater the risk.
So, how does a firm protect itself from unwanted intrusion onto their computers and network? A key component of security is the “Firewall”. Think of the link between your computer/LAN and the Internet as a bridge. How do you stop unwanted intruders crossing the bridge? Build a wall of fire at your end and make sure it stays alight all the time. In computing terms, the firewall sits between the computer or device that has primary access to the Internet and the Internet itself. Its purpose is to prevent unauthorised outside computers getting across the bridge and to control the outgoing access to the Internet by allowing or disallowing program requests for access. For example, the program Internet Explorer would be given “permission” for “outgoing” access to the Internet, but a “malware” program (Trojan, worm or spyware) would be denied.
Any firm accessing the Internet must have a Firewall. The decision of what level of Firewall to employ requires:
i) identification of the functionality that is required from the Internet connection,
ii) a degree of risk assessment and
iii) a skills analysis of the staff who are available to maintain the Firewall.
Each of the main types of firewall are described below: personal firewalls require little or no expertise; hardware firewalls need some expertise to install and maintain and the professional firewall needs a high level of IT knowledge.
Type “Personal+Firewalls” into any search engine and the response will be massive, including products such as Zone Labs and Sygate (both free & highly rated by PC World Magazine), Tiny and McAfee, and also lots of advice and product comparisons. Windows XP does have its own personal firewall built in but, as part of Windows, it can sometimes be overlooked and not even activated. Also, hackers will always go for the easy option first and "cracking" the XP firewall will provide most victims!
Personal firewalls will normally need to be updated (to protect against new techniques for breaching their security) by downloading updates from the Internet. In the same way as anti-virus products, most of these programs will check themselves to see if there are any updates needed.
Products include Watchguard (www.watchguard.com), NetScreen, recently taken over by Juniper Networks, (www.juniper.net), and Sonicwall (www.sonicwall.com).
The next consideration is the functionality that is required from an Internet connection.
Some people think that telephone or ISDN dial-ups are safe but they are not. True, the exposure is limited to the length of time that the computer is on-line to the Internet but, as a general rule, firms with dial-up connections do not have firewalls in place and thus are exposed to intrusions. However, in most cases, adequate protection can probably be provided by a Personal Firewall, as described above.
The same argument applies for having access to the Internet from any workstation on a LAN. Fee-Earners want the information on their desk-top and they want it NOW. So LANs are as inevitable as broadband.
Once you have 24/7 access, there is a strong argument for a hardware firewall, particularly if the connection to the Internet is via a LAN. However, it must be said that personal firewalls are often deployed and have generally proved to provide adequate security to date. You need to assess the increased risk of full-time exposure to the Internet against the cost implications of the more secure hardware firewall.
The problem is that our firewall is specifically designed to stop people coming in from the outside. As soon as we create a “hole” in the firewall to allow our “friends” to gain access, that hole is potentially accessible to our “foes”.
The firewall overcomes this, in the first instance, by trying to hide the hole so that only people who “know” it is there will actually see it. All firewalls can do this and it may stop low-level intruders but it will not stop those who are actively seeking holes in the firewall. It is at this level that personal firewalls generally become inadequate and hardware firewalls become essential.
If a hole is created in the firewall for legitimate purposes, then it must be protected. This is achieved by creating a two-way bridge to the Internet, one side for outgoing connections and one for incoming connections. The incoming side is “retractable”, like a drawbridge. A person can only get in from the outside if they a) know that there is a hole for them to enter through, b) know how to lower the drawbridge, c) know the right path along the drawbridge to miss the “gaps” that would send them plummeting to the depths below and finally d) know the right language to speak when they get to the other side and are able to communicate through the firewall.
An authorised user knows these four things and seeks a connection by sending a “connection line” along the right path, speaking the right language, to the drawbridge. The firewall recognises the authorised user and lowers the drawbridge, thus creating a connection to that particular user. If the analogy continues, the connection that has been made between the user and the firewall is a “network” connection. It isn’t using a real, physical cable and thus is a “virtual” connection. The connection is made available to just the authorised user and is thus “private” between the firewall and that user. Hence the Virtual, Private, Network (VPN) connection has been established.
Hackers are unlikely to “piggyback” the VPN connection because the language that is used between the firewall and the user is encrypted. It is not impossible however, and thus the professional firewall allows a greater range of options for increasing further the level of encryption and security that the firewall can employ.
The biggest weakness in the security of the VPN connection is at the remote end of the connection. If the remote user/office does not have a firewall themselves then a hacker can get into the remote computer and use the VPN link that it has been created to gain access to the main office system. The remote user must have a firewall as well.
The main office must be protected with a hardware firewall. Remote users connecting from a stand-alone computer ie. those working from home, will generally find a personal firewall sufficient. If a remote user is connecting in via a LAN connection to the Internet i.e. someone from a remote office, then the remote office, with its own LAN and broadband Internet connection, should also be protected by a hardware firewall.
For the majority of firms, a hardware firewall at the main office, hardware firewalls at remote offices that have their own LANs and personal firewalls for remote users connecting from stand-alone computers/laptops will be sufficient. Professional firewalls are only really necessary when the configuration itself becomes extremely complex with many remote offices, each with large numbers of users and a significant number of remote and mobile users.
Two further considerations should be mentioned - wireless network connectivity and anti-virus software. Neither of these should be confused with Firewalls.
As mentioned earlier, a firewall is designed to protect the private network (the LAN) from the public network (the Internet). Viruses can still penetrate the computer and/or LAN accessing the Internet using a legitimate connection made through the firewall (a virus contained in an e-mail attachment is a good example) and for this reason, good anti-virus software is still a must for network servers and the computers on the LAN.
It has also been mentioned earlier that most LANs have “open” internal security, i.e. a rather relaxed attitude to the “permissions” of the users and computers on the LAN. When computers (typically laptops) are connected to the LAN using wireless technology the physical cable of the network is replaced by wireless signals and a wireless “router” is attached to the LAN. This router will receive signals from any wireless device that is trying to connect to it (and thus to the LAN) on the same “channel”. This means that someone sitting outside the building, but within range of the router, can connect to your network. As many LANs are open, the “intruder” has gained access to the LAN.
Whilst it is understandable that LANs are generally open, any wireless router must employ security to prevent unseen intruders gaining access to the LAN by encrypting the signal that the wireless router accepts. Whilst there are similarities with firewalls encrypting the VPN connections, wireless connections do not come into the LAN via the Internet and therefore are not protected by the firewall.
To conclude, a LAN needs to be protected by security:
Roger Jackson is Co-Director of JCS Computing Solutions Ltd, a Law Society recognised Software Supplier, www.jcs.co.uk.
Email roger@jcs.co.uk.
Back to Contents.