Forwarded From: "Prosser, Mike" <Mike_Prosser@tds.com>
http://www.nwfusion.com/news/0608extranet.html
Extranets stress security safeguards
Dynamic passwords prove an effective way to ward off hackers.
By Ellen Messmer
Network World, 6/8/98
Extranets sound like a brilliant idea; just open your intranet up to
customers and wait for the benefits of closer communication to come
pouring in. But not every potential visitor is a loyal customer, which
means that network managers have to protect their nets from
infiltrators.
This extranet challenge often means taking a hard look at improving
security procedures. That's what had to be done in Santa Clara County,
Calif., where the ClariNet WAN is operated for the benefit of county
employees. When the county decided to give hundreds of non-county
employees access to databases on ClariNet, the network staff confronted
the inconvenient fact that simple passwords/ID logons just aren't good
enough anymore. To protect the network, County Network Manager Dean
Leinebarger led a team that decided to forgo the usual password/ID
remote access logon routine in favor of more secure "dynamic" passwords
generated by hardware and software tokens.
Why? "Reusable passwords are too easy for hackers to sniff," Leinebarger
said. "In addition, passwords sometimes get shared among users."
Now the County has started giving out Axent Technologies, Inc.
CryptoCard hardware tokens to business partners, including equipment
vendors that perform remote maintenance on ClariNet gear.
Using the CryptoCards, users can create a one-time dynamic password for
authentication by the Cisco Systems, Inc. Secure Server that ClariNet
had already installed for remote access. Similar to other brands of
palm-size security hardware, CryptoCards generate a different password
each time they get used.
With intranets turning so quickly into extranets, the prospect of hackers
barging their way in has everyone rightfully concerned. How
bleak is the hacker situation? Ask Steve Williams, network administrator
at the Santa Clara Medical Center. Williams said that would-be hackers,
armed with modem autodialer software available off the 'Net, are
continually collecting as much information as possible about telephone
and computer modem lines so they can try to take advantage of the
medical center's networks.
The medical center, which keeps an audit trail of all call activity, has
now installed what it calls a tripwire system that automatically
contacts the District Attorney's office when it spots anything
suspicious. "We are prepared to prosecute this type of behavior,"
Williams emphasized. Like the rest of the county, Santa Clara Medical
Center is switching from simple password/ID logon to CryptoCard
authentication at its firewall, the Gauntlet from Network Associates,
Inc.
The evolution of intranets into extranets is having a wide impact
across software applications.
Take Lotus Development Corp.'s Domino server, which gives users access
to Lotus Notes databases over the Internet through the Notes proprietary
client or a Web browser. With the Notes client, security controls can be
set for user access to the server, the database, the form view and the
document. But this same level of granularity is not possible with a Web
browser. "We can do more for the Notes client," acknowledged Kevin
Lynch, product manager for Domino Server at Lotus.
The more network managers learn about security, the greater it seems
their dissatisfaction is with existing controls. Michael Mazzotta,
network design engineer at Walt Disney Co., constantly worries about
vulnerabilities in the SNMP/Remote Monitoring protocols implemented in a
wide range of switching gear. For instance, the older version of SNMP
lets anyone check the users, traffic, IP address mapping and topology of
the intranet if they know how to send an SNMP request called "read
community." Later versions of SNMP, such as Version 2 and the
just-finalized Version 3, are better, but apparently haven't been widely
implemented, Mazzotta said.
Received on Tue Jun 9 21:00:06 1998