The Inside Job:
Protecting Your Network from Internal Threats


 

Introduction

Recent news coverage has focused attention on the potential for terrorist attacks not only from abroad but also from within U.S. boundaries. Likewise, corporations are realizing that protecting their network from outside threats is not enough; internally based attacks can be equally if not more devastating.

NetVersant Technologies -- my employer -- asked me to investigate the problem of internal attacks: How can firewalls more effectively protect the corporate Intranet? Based on my findings, NetVersant Technologies licensed a specific product, both for internal use and resale, and I've discussed it below. I hope my research and observations also help you develop the most trustworthy security solutions for your network.

If you have any additional questions, please let me know. Simply e-mail me at dan@netversant.com, or call me at (800) 274-6065, Ext. 131. I welcome your feedback.

As I get new information, I will update this document.

 

The Threat

According to recent security surveys by the Computer Security Institute/FBI and Ernst & Young (1997), nearly 50% of all network intrusions come from INSIDE.

Company information, applications and operations are at risk when your firewall neglects to monitor the network's "back doors." Hackers and disgruntled employees are likely to target your network's "points of least resistance" -- those left unprotected by traditional firewalls, such as dial-up access and Trojan horse programs, and therefore open to internally based attacks.

 

Why Traditional Firewalls Aren't Enough

Traditional "firewall" software is a server-based application that monitors traffic between two networks and controls access from the outside of your network to the inside. Today's networks, however, require greater security than what traditional firewalls are able to provide. What elements make traditional firewalls an incomplete solution?

  • Traditional firewalls are designed to control access from the outside only. They often fail to guard the Intranet server or the LANs (Local Area Networks).
  • They don't guarantee that the user is who s/he claims to be. Since they work only with IP addresses, traditional firewalls authenticate only the machine but not the user.
  • They can't distinguish, control or report on individual users, machines, accesses, applications, etc. The standard firewall is a one-point, one-time control, and thus lacks what is called "granularity."
  • Traditional firewalls -- even those using Virtual Private Networks (VPNs) -- control privacy and integrity only in the "middle" of the communication (between the two firewalls) and not end-to-end.
  • They lack detailed, user-based reporting. By using IP addresses instead of the network's user identification, traditional firewalls are unable to base their auditing reports, statistics or graphs on users, groups and departmental utilization.
  • Traditional firewalls degrade system/network performance for every single user on the network. As firewalls are refined to work with more and more granularity, they become a serious network bottleneck.
  • Traditional firewalls cannot guarantee non-repudiation because they are based on IP addresses, not on users.

 

The Need for Distributed Firewall Architecture

In order to protect your network, consider the following U.S. military principle: your security is only as strong as its weakest link. Thus, if you want to guard your network effectively, you must ensure that its vulnerable inner portion (the workstations) is protected along with the more traditional servers. The best way to strengthen your network ring is to place fences as close as possible to all objects to be protected. Distributed Firewall Architecture (DFA) does just this.

Fortress Technologies developed the DFA model to encompass seven key security elements:

  1. Authentication
  2. Access Control
  3. Privacy
  4. Integrity
  5. Non-Repudiation
  6. Auditing
  7. Enterprise management

(See Appendix A for a full list of all protocols supported by the DFA standard.)

Although no product solves all seven elements, all seven need to be integrated and tightly linked to the main operating system platforms for a product to solve future security problems.

Among the advantages of the DFA model is its emphasis on closely linking security solutions with the operating system, making the security transparent and easy to use for the end user and the environment. With DFA, your legacy system can function as usual, allowing you to implement Intranet security without having to modify the environment or end user applications. Another important benefit of DFA is its focus on users, separate from IP addresses; it provides the granularity needed for tomorrow's security features.

 

A New Approach Is Needed

It's obvious that we need a new approach to Internet security, one that stands up against both external and internal security breaches. NetFortress He@tSeeker Pro™ plays an integral part in this new approach.

A security, administration and auditing software product developed by Fortress Technologies, He@tSeeker Pro™ extends your overall security program by addressing the DFA elements left unsolved by traditional firewalls. After checking into different firewall software, I determined that NetFortress He@tSeeker Pro™ is a needed complement to traditional firewall software, especially because of its ability to guard against internal threats to the network.

Since you install it on your company's workstations and servers, it can be distributed and centrally managed. Applications for He@tSeeker Pro™ include Intranet security and LANs, mobile and telecommuting, and distributed projects; it can also be customized for e-commerce, Extranets, user authentication, etc.

No matter what firewall software you choose to enhance your network protection program, I do recommend you look for the following features -- all of which can be found in He@tSeeker Pro™.

 

Features to Look For In Intranet Firewalls

Access Control to Internet Resources
Traditional firewalls are designed to protect servers, not network workstations. He@tSeeker Pro™, however, is a workstation-based solution that controls local access to all Internet services based on TCP/IP or other protocols, including generic applications that run on specific TCP ports.

The following Internet services are blocked by He@tSeeker Pro™, which sets off an audible alarm in the event of any hostile attack:

  • Executable programs, including Java, ActiveX and cookie downloads.
  • All forms of ICMP-based attacks and broadcast storms, as well as Internet service ports reachable via Ethernet, PPP dial-up networking connections and modems (including inbound FTP, inbound Telnet, and the NetBIOS name, datagram and session services).

By bringing firewall security to the desktop level, He@tSeeker Pro™ complements the firewall at the server and anti-virus software at the client. It also contains the spread of an intrusion throughout your Intranet and Extranet.

Implement Security Rules For Individuals or Groups
Unlike traditional firewalls, He@tSeeker Pro™ has a fine degree of "granularity": It can restrict access to specific users or groups of users, based on the server host, IP address and domain name. It lets you dynamically build secure user groups within a company, from Sales to Human Resources. And it prevents the serious network bottleneck caused when traditional firewalls are refined to work with an increasing amount of granularity.

He@tSeeker Pro™ defines up to four different levels of control for each service: (1) access allowed to all users without auditing; (2) access blocked with auditing; (3) access allowed for some users or groups; (4) access denied to all users or groups.
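To make the user-based granularity concrete (the points above about authenticating users rather than IP addresses, and the four per-service control levels just listed), here is an added example of a workstation-side policy check. It is not He@tSeeker Pro™ code; the sample policy, service names and the assumption that every decision except level 1 is audited are mine.

```python
from collections import Counter
from dataclasses import dataclass

# The four per-service control levels described in the text.
ALLOW_ALL_NO_AUDIT = 1   # access allowed to all users, not audited
BLOCK_WITH_AUDIT = 2     # access blocked for everyone, every attempt audited
ALLOW_SOME = 3           # access allowed only to listed users or groups
DENY_ALL = 4             # access denied to all users and groups

@dataclass
class Rule:
    level: int
    allowed: frozenset = frozenset()  # "user:NAME" / "group:NAME" entries for ALLOW_SOME

# Constructed sample policy keyed by service name, as an administrator might push
# it out centrally. Any service not listed falls through to DEFAULT_RULE.
POLICY = {
    "http": Rule(ALLOW_ALL_NO_AUDIT),
    "ftp": Rule(ALLOW_SOME, frozenset({"group:IT", "user:alice"})),
    "netbios-ssn": Rule(BLOCK_WITH_AUDIT),
    "telnet": Rule(DENY_ALL),
}
DEFAULT_RULE = Rule(BLOCK_WITH_AUDIT)

AUDIT_LOG = []  # one record per audited decision; feeds the per-user report

def evaluate(user, groups, service, src_ip):
    """Decide one inbound connection on this workstation.

    user/groups come from the OS logon, not from src_ip, so the same source
    address yields different decisions for different users. Assumption: every
    decision except a level-1 allow is written to the audit log.
    """
    rule = POLICY.get(service, DEFAULT_RULE)
    if rule.level == ALLOW_ALL_NO_AUDIT:
        return "allow"
    if rule.level == ALLOW_SOME:
        principals = {"user:" + user} | {"group:" + g for g in groups}
        decision = "allow" if principals & rule.allowed else "deny"
    else:  # BLOCK_WITH_AUDIT or DENY_ALL
        decision = "deny"
    AUDIT_LOG.append({"user": user, "groups": list(groups), "service": service,
                      "src_ip": src_ip, "decision": decision})
    return decision

def usage_by(field_name):
    """Usage counts keyed by (user or service, decision), the user-based report a firewall keyed on IPs cannot produce."""
    return Counter((rec[field_name], rec["decision"]) for rec in AUDIT_LOG)

if __name__ == "__main__":
    # Constructed connections: one machine, two different logged-on users.
    print(evaluate("alice", ["Sales"], "ftp", "10.0.0.5"))   # allow (listed user)
    print(evaluate("bob", ["Sales"], "ftp", "10.0.0.5"))     # deny (same IP, not listed)
    print(usage_by("user"))
```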

User Authentication
As I pointed out earlier, one of the weaknesses of traditional firewalls is that they authenticate machines but not users. He@tSeeker Pro™ uses the resources of the operating system to immediately identify and validate active users, their groups and their access rights. The system communicates directly with the network identification provider and uses its own DLLs to access user databases such as those in LAN Manager, Windows NT and Windows 95.

He@tSeeker Pro™ uses a proprietary user database and automatically imports user authentication information used by the operating system. You can integrate it with specific applications or with any access control system available today.

Central Management
The first desktop, distributed firewall managed by the system administrator, He@tSeeker Pro™ can be distributed to all or to selected desktops, and client PCs can be managed remotely from a central location.

Easy-to-Read, Flexible Auditing Reports, Usage Statistics & Graphs
Detailed, user-based reporting is something that the traditional firewall lacks. But He@tSeeker Pro™ has easy-to-read, graphical usage and monitoring features that provide a real-time, enterprise-wide security analysis. It collects and consolidates Internet/Intranet access and usage statistics, storing the data in a database through its auditing module. The access and usage analysis is presented as spreadsheets, graphs or data you can export for analysis by other software.

Only superusers and auditors can access the auditing module and system log, reviewing the data by specific user, workstation, time, etc.; they can also configure report formats and statistical graphs of TCP/IP service usage by these same variables.

Full Automation
He@tSeeker Pro™ fully automates critical security functions -- including data encryption, packet inspection, authentication and compression -- by utilizing components of the patent-pending Secure Packet Shield Technology.

Easy to Install
Unlike many traditional firewalls, He@tSeeker Pro™ is easy to install; InstallShield™ makes the process simple, fast and secure. It operates on Windows 95, Windows NT and Novell systems.

 

Conclusion

When evaluating your company's network security, do consider the danger of the "inside job" -- hacker attacks initiated from within the enterprise. Corporate Intranets and Extranets are also vulnerable to a wide range of attacks initiated from the Internet. As I've outlined in this paper, traditional firewalls are only part of your company's security solution, because they fail to guard against these internal and Internet-based threats.

I favor He@tSeeker Pro™ because it works so well with traditional firewalls. While your current firewall may be valuable for guarding the network's "front door," He@tSeeker Pro™ protects the other entrances -- the ones more and more likely to face intrusions. And together, your traditional firewall and He@tSeeker Pro™ are the most effective way you can implement Distributed Firewall Architecture, strengthening your network ring.

Again, please do not hesitate to contact me at dan@netversant.com, or (800) 274-6065, Ext. 131.

Best Regards,

Dan

Dan Sigal
Director of Product Marketing
NetVersant Technologies, Inc.

 

 


APPENDIX A

Full list of all protocols supported by the DFA standard

 

 

  • Authentication – Guarantee that the user is who he claims to be
    • Operating System(s) Authentication
    • Tokens and SmartCards
    • Digital Certificates – X.509
    • RADIUS
    • Biometric Technology
  • Access Control
    • Single Sign On
  • Privacy
    • IPSEC
    • ISAKMP, SKIP
    • RSA, Diffie-Hellman, Elliptic Curve
    • IDEA, DES, 3DES, RC4, RC2
  • Integrity
    • MD5, SHA
  • Non-Repudiation
    • SET
  • Auditing
  • Enterprise Management
    • SNMP, LDAP

 


He@tSeeker is a trademark of Fortress Technologies, Inc.
© 1998 Fortress Technologies Inc. All rights reserved.

©1998 NetVersant Technologies. All rights reserved.
For further information, please call
(800) 274-6065 or e-mail NetVersant.