Policy/Security - Subject Areas
Network Security
Authentication
Internet Network Security
Because the Internet is not owned or administered by any one entity, there is
no way to vouch for the credibility or integrity of its millions of users. For
this reason, SBCIS wants each customer to understand that the customer is
responsible for implementing the level of security appropriate to its own
situation.
Security implementations are as unique as personalities: no one solution fits
every situation. Some organizations are comfortable with security implemented
only at the Internet gateway, while others feel that security must be
implemented everywhere: at the Internet gateway, on each host, and so on. It is
important to understand that security trades against convenience; the more
layers of security a site implements, the less convenient it is for users, and
the more there is to administer.
Just as there are many levels of security that can be implemented, there
are many ways in which to implement these levels of security. Below is a
description of a few of the most common Internet security
implementation methods. SBCIS does not presently offer any of the
services below.
Packet Filtering
Packet filters are typically implemented on the routers connecting a site to
the Internet. A filter is a set of criteria against which each IP packet sent
or received on a particular interface is judged: a packet that meets the
criteria is forwarded, and one that does not is discarded.
Since each IP packet has a source and destination address, it is possible
to narrow down the set of other Internet sites that can connect to your
network; however, since most Internet applications require two-way
transmission, such filtering will also decrease the number of sites that
your users can access.
Along with the source and destination addresses, IP packets carrying TCP or
UDP also contain source and destination port numbers. The destination port
identifies which Internet service the packet is addressed to. For example, a
packet sent to TCP port 25 is destined for SMTP, the standard mail port (the
port sendmail listens on on a UNIX machine). Many sites build filter criteria
on the TCP or UDP port number together with the structure of the packet
itself. Such filtering is certainly more thorough than a filter on source and
destination address alone; however, it requires an in-depth understanding of
TCP/IP.
Finally, filters can be created based on the value of particular bits within
each packet. The classic example is the TCP ACK flag: every segment of an
established connection carries it, but the segment that opens a connection
does not, so a filter that admits inbound TCP only when ACK is set lets the
replies to connections opened from inside through while refusing outside
attempts to open new ones. Such filtering is quite valuable to those who have
mastered the intricacies of TCP/IP, with the caveat that it trusts a flag the
sender controls and says nothing about UDP.
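The three levels of filtering just described, address, address plus port, and a header bit, as a stateless first-match filter. This is an added example and not SBCIS or router vendor code; the 192.0.2.0/24 site prefix, the mail host address, and the sample packets are constructed for the illustration.

```python
"""Stateless packet filter of the kind the text describes (added example,
not SBCIS or router vendor code).  Rules are checked in order, the first
match decides, and an unmatched packet is dropped.  The site prefix, mail
host and sample packets are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SITE = "192.0.2.0/24"         # the customer's address block (constructed)
MAIL_HOST = "192.0.2.25/32"   # the one host that should receive SMTP (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (TCP/UDP only)
    ack: bool = False     # TCP ACK flag: clear only on the segment that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network, any by default
    dst: str = "0.0.0.0/0"       # destination network, any by default
    proto: Optional[str] = None  # None means "any"
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; the implicit last rule denies everything."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Inbound filter on the Internet-facing interface, one rule per level the
# text describes: source address, address plus port, and a header bit.
INBOUND = [
    # 1. Address only: a packet claiming one of our own addresses cannot
    #    legitimately arrive from the Internet (anti-spoofing).
    Rule("deny", src=SITE),
    # 2. Address plus port: accept mail (TCP/25) to the mail host and nowhere else.
    Rule("permit", dst=MAIL_HOST, proto="tcp", dport=25),
    # 3. Header bit: accept TCP segments with ACK set, i.e. replies to
    #    connections our users opened, while refusing new inbound connections.
    Rule("permit", dst=SITE, proto="tcp", ack=True),
]

# Constructed sample traffic seen on the outside interface.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.25", "tcp", 25),              # mail from outside: permit
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),              # telnet attempt: deny
    Packet("198.51.100.7", "192.0.2.10", "tcp", 1040, ack=True),  # reply to our outbound connection: permit
    Packet("192.0.2.5", "192.0.2.25", "tcp", 25),                 # spoofed source: deny
    Packet("198.51.100.7", "192.0.2.10", "udp", 53),              # no rule matches: deny
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23, ack=True),    # ACK set by hand: permitted, the filter's blind spot
]


def filter_log(rules: List[Rule], packets: List[Packet]) -> list:
    """Verdict for each packet, in order."""
    return [(p, decide(rules, p)) for p in packets]


if __name__ == "__main__":
    for p, verdict in filter_log(INBOUND, SAMPLE):
        print(f"{verdict:6} {p.proto}/{p.dport:<5} {p.src} -> {p.dst} ack={p.ack}")
```

The last sample packet is the caveat in code: a stray segment with ACK set passes rule 3 even though no connection exists, which is exactly what an ACK scan relies on; a stateful filter that remembers the outbound SYN closes that hole, at the cost of keeping state.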
Application Level Firewall
An application level firewall is considered by many to be a more complete
security mechanism than packet filtering because it understands the
application protocol and is therefore more configurable. Application level
firewalls use a host that runs application proxy software, such as a telnet
proxy: the client connects to the proxy, and the proxy, after checking its
policy, opens a second connection to the real destination on the client's
behalf.
These proxies support more detailed filtering criteria such as destination,
user, and time of day. Because the outside server only ever sees a connection
from the proxy, application proxies also hide the true internal IP address of
the user's workstation. This may be important for sites that are extremely
concerned about security.
One concern with application level firewalls is performance, since the
proxying adds computing time to every connection. Another is that each client
and server involved in proxying must be configured to use the proxy (a
time-consuming effort), and a protocol for which no proxy exists cannot pass
at all.
Authentication
For many organizations with Internet connectivity, authentication is one of
the most important aspects of security. Employees frequently use the Internet
for remote access to the corporate local network while at home or away on
travel; for example, a traveling employee with dial-up access to the Internet
may need to reach information on an office workstation. In such situations it
is imperative that the identity of the user attempting to gain access is
verified.
The problem with the scenario described above is that most sites authenticate
users with a login ID and a reusable password sent in clear text. When the
employee accesses the office network from home over the Internet, a malicious
person could tap the employee's home telephone line, or any other link along
the path, and record the entire remote login session. With the recorded ID and
password, that person could impersonate the legitimate user and gain access to
company resources, probably without being detected. For this reason, better
authentication methods have been developed; a few are described below.
One-Time Passwords
The philosophy of one-time passwords is that it does not matter if both the
login ID and password were "sniffed", since the password is valid for only
one remote login session. One-time password schemes require that both the
user and the corporate system be set up to use a login ID and a one-time
password. The one-time password is usually computed from a secret the user
knows and a changing portion, for example a sequence number that counts down
with each login, and both the user and the system must know which password is
expected each time a remote login occurs.
Since it is unrealistic for a user to memorize each of the successive
calculated passwords, systems have been developed that precalculate them.
These can be printed on a small sheet of paper, which can be tucked into the
user's wallet or purse. If this paper is stolen, it is not enough information
by itself for an unauthorized user to gain access to the corporate system,
because it carries neither the login ID nor the secret; for the same reason
the user's name, login ID and the secret portion of the one-time password
should NOT be written on this or any other paper. Treat the list as a
credential all the same: login IDs are often easy to guess, and a list without
one is only a guess away from being enough.
Software versions of one-time password schemes can be installed on portable
computers so that the paper is not necessary. This assumes the user will only
use that portable computer to gain remote access to the company. There are
also electronic, pocket-calculator-like password generators that eliminate
the need for the paper listing: the user enters the secret password and the
current sequence number or challenge, and the calculator computes the
one-time password. Again, the secret password, user name and login ID should
not be written on the calculator. S/KEY is one of the most commonly used
one-time password schemes and is available free of charge on the World Wide
Web.
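The secret-plus-calculated-portion scheme above, worked through in the style of S/KEY: the user's secret and a public seed are hashed n times, the server stores only the result, and each login presents the next value back along the chain. This is an added example, neither SBCIS code nor the S/KEY distribution itself. S/KEY uses MD4 (later MD5) folded to 64 bits and prints passwords as six short English words; this example assumes SHA-256 truncated to 64 bits and hex output, and the secret, seed and counts are constructed.

```python
"""One-time passwords from a hash chain, S/KEY style (added example, not
SBCIS code and not the S/KEY distribution).  Assumptions of this example:
SHA-256 truncated to 64 bits stands in for S/KEY's MD4/MD5 fold, and
passwords are shown as hex rather than six English words."""
import hashlib


def step(x: bytes) -> bytes:
    """One link of the chain: hash and fold to 64 bits."""
    return hashlib.sha256(x).digest()[:8]


def otp(secret: str, seed: str, i: int) -> bytes:
    """The i-th one-time password: the hash applied i times to secret+seed.
    Only someone who knows the secret can compute it; the seed is public."""
    x = (secret + seed).encode()
    for _ in range(i):
        x = step(x)
    return x


def paper_list(secret: str, seed: str, start: int, count: int) -> list:
    """The printed list for the wallet: (sequence number, password) pairs
    counting down from `start`.  The secret and login ID are not on it."""
    return [(i, otp(secret, seed, i).hex()) for i in range(start, start - count, -1)]


class SkeyServer:
    """The corporate system.  It stores the seed, the next sequence number
    and the last password it accepted, never the user's secret: at setup the
    user computes otp(secret, seed, n) locally and hands over only that."""

    def __init__(self, seed: str, n: int, initial: bytes):
        self.seed = seed
        self.n = n
        self.last = initial          # otp(secret, seed, n), supplied by the user

    def challenge(self) -> tuple:
        """What the login prompt shows: the sequence number expected next and the seed."""
        return self.n - 1, self.seed

    def login(self, candidate: bytes) -> bool:
        """Accept candidate only if hashing it once yields the stored value.
        A recorded password is useless afterwards: the server then expects its
        predecessor in the chain, which cannot be derived from it because the
        hash only runs forward."""
        if step(candidate) != self.last:
            return False
        self.last = candidate
        self.n -= 1
        return True


if __name__ == "__main__":
    # Constructed secret and seed; the seed would appear in the login prompt.
    secret, seed = "correct horse battery", "sb00123"
    server = SkeyServer(seed, 100, otp(secret, seed, 100))
    i, s = server.challenge()                      # (99, "sb00123")
    first = otp(secret, seed, i)                   # computed on the user's side
    print("login #99:", server.login(first))       # True
    print("replay  :", server.login(first))        # False: the chain has moved on
    for i, pw in paper_list(secret, seed, 98, 3):  # next three entries off the paper list
        print(f"login #{i}:", server.login(bytes.fromhex(pw)))
```

The order of the list matters: entries are consumed from the highest sequence number downwards, and once the count nears zero the user must re-initialise with a fresh seed, because the chain cannot be extended without revealing the secret.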
Dynamic Passwords
Dynamic password authentication schemes are similar to one-time password
schemes in that if the login ID and dynamic password are sniffed, there is
not enough information to obtain unauthorized reentry. Dynamic passwords rely
on a token card. The card holds a secret seed and a clock, and from them
continuously generates dynamic passwords, displayed on an LCD screen, each
valid only for a short interval; the corporate system holds the same seed and
computes the same sequence. The dynamic password alone is not enough for an
unauthorized user to gain access to local resources. The process requires the
user to first enter a login ID, followed by a secret password, followed by
the dynamic password displayed on the token card at that instant. Once again,
the user's name, login ID, and secret password should NOT be written on the
token card.
The most popular dynamic password implementation to date is Security
Dynamics' SecurID token card system. This system is not free of charge, but
it does provide more convenient and greatly improved authentication compared
to the traditional login ID and reusable clear-text password.
Encryption
Encryption is a more intensive security mechanism than those described above.
Encryption is the transformation of a message into a new message that is
meaningless to anyone who does not know how to transform it back into its
original form. The study and practice of such transformations is called
cryptography.
There are two types of cryptography: symmetric and asymmetric. The most
popular implementation of symmetric cryptography has been the Data Encryption
Standard (DES). In DES the message is transformed with a single secret key
known only to the parties that need to encrypt or decrypt it; the same key
does both. (DES's 56-bit key is now short enough to be found by exhaustive
search, so new deployments should use Triple DES or its successor, AES.)
One of the major drawbacks of symmetric cryptography is that the secret key
must be communicated to the other party before the data exchange, and it is
vulnerable to being obtained by unauthorized users at that point. This may
sound trivial, but in today's world of electronic information exchange,
ensuring that a key is not compromised in transmission is very difficult.
Even a non-electronic channel, such as the US Postal Service, does not
guarantee that unauthorized eyes have not seen the key in transit.
An advantage of symmetric cryptography is speed. Symmetric algorithms are far
cheaper per byte than public key algorithms, and DES is also available in
hardware implementations, which makes encrypting and decrypting large volumes
of data much faster than doing it in software.
Asymmetric or "public key" cryptography systems give each party two keys, a
private key and a public key, that are mathematically linked: what one does,
only the other can undo. Used one way, the sender transforms a message (in
practice, a short hash of it) with the sender's private key, producing a
digital signature that anyone can check with the sender's public key. Since a
public key corresponds to exactly one private key, the receiver can be
certain that the holder of that private key generated the message and that it
was not altered in transit.
Used the other way, public key cryptography ensures that only the intended
recipient can read a message: the sender encrypts it with the recipient's
public key, and since only the recipient holds the corresponding private key,
only the recipient can decrypt and read it.
Public key cryptography was made practical by the algorithm invented by
Rivest, Shamir, and Adleman, whose initials name the most commonly used
public key implementation, RSA.
Public key systems do not require a private key to be shared with anyone. A
person's public key can be published or sent directly to those with whom that
person wishes to exchange secure data, and nothing is lost if an eavesdropper
sees it. For this reason, as well as the fact that public key cryptography is
considered by many to be more robust than symmetric cryptography, public key
systems are becoming more and more popular. In practice the two are combined:
public key operations are slow, so a public key system is used to establish
or sign a symmetric session key, and the symmetric cipher then protects the
bulk of the data.
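Both uses of a key pair described above, confidentiality with the recipient's public key and authentication with the sender's private key, worked through in textbook RSA. This is an added example, not SBCIS code. The primes are deliberately tiny so the arithmetic is visible, there is no padding, and the message itself is signed rather than a hash of it; real systems use keys of 2048 bits or more, OAEP/PSS padding, and sign a hash. The key pairs, names and message are constructed for the example.

```python
"""Textbook RSA with deliberately small keys (added example, not SBCIS code).
Not for real use: no padding, million-sized primes, and the raw message is
signed instead of its hash.  All keys and messages are constructed here."""
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division: adequate for the million-sized primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen(p: int, q: int) -> tuple:
    """Return (public, private) = ((n, e), (n, d)) with e*d == 1 mod phi(n)."""
    assert is_prime(p) and is_prime(q) and p != q
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:   # fall back to the next usable public exponent
        e += 2
    d = pow(e, -1, phi)       # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public: tuple, m: int) -> int:
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private: tuple, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def sign(private: tuple, m: int) -> int:
    """Only the private-key holder can produce this value."""
    n, d = private
    return pow(m, d, n)


def verify(public: tuple, m: int, s: int) -> bool:
    """Anyone with the public key can check it; a public key undoes exactly
    one private key, so a valid signature proves who made it."""
    n, e = public
    return pow(s, e, n) == m


def to_int(msg: bytes) -> int:
    return int.from_bytes(msg, "big")


def to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Two constructed key pairs: Alice (sender) and Bob (recipient).  With
# primes near 10**6 the modulus is about 10**12, so messages of up to
# four bytes fit below it.
ALICE_PUB, ALICE_PRIV = keygen(next_prime(1_000_000), next_prime(1_100_000))
BOB_PUB, BOB_PRIV = keygen(next_prime(1_200_000), next_prime(1_300_000))


def exchange(msg: bytes) -> tuple:
    """Alice sends msg to Bob, confidential (Bob's public key) and
    authenticated (Alice's private key).  Returns (what Bob reads, signature ok)."""
    m = to_int(msg)
    c = encrypt(BOB_PUB, m)          # only Bob's private key can open this
    s = sign(ALICE_PRIV, m)          # only Alice's private key can make this
    received = decrypt(BOB_PRIV, c)  # Bob recovers the message ...
    ok = verify(ALICE_PUB, received, s)  # ... and checks it really came from Alice
    return to_bytes(received), ok


if __name__ == "__main__":
    text, ok = exchange(b"OK42")
    print(text, ok)                  # b'OK42' True
    m = to_int(b"OK42")
    s = sign(ALICE_PRIV, m)
    print(verify(ALICE_PUB, m + 1, s))   # False: a changed message fails
    print(verify(BOB_PUB, m, s))         # False: the wrong public key fails
```

Note that the public keys are passed around in the clear and nothing is lost by that, which is the key-distribution advantage the text describes; what must still be protected is the binding between a public key and its owner, since a substituted public key would let an impostor read or forge messages.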
In Conclusion
Many organizations find it appropriate to implement
security at many levels: the network level, the host level, and the
application level. It is important to fully understand the consequences of
implementing and not implementing security in your network.
Product names mentioned herein may be service marks, trademarks, or
registered trademarks of their respective companies.
Copyright © 2002 SBC Internet Services. All rights reserved.