A Workshop organised by The Biotechnology Information Strategic Forum, with support from DGXII of the Commission of the European Communities, and held at CAB International, Wallingford, Oxon, UK, October 1996
Network Security Today -- Rodrigo Lopez
It is clear that security is essential to the biotechnology industry. A simple slip can render a patent process invalid; and espionage is not to be ruled out. Security is a critical element of today's computer systems; the more so as they become multi-user computer environments.
In general, any computer system has several layers which require attention, such as the:
* hardware, especially storage components
* operating system (OS)
* software that runs under the OS
* user files.
A multi-user system has all of these components plus the need to apply a coherent user policy to protect users from themselves as well as from outsiders.
As hardware component reliability increases, and the manufacturing cost decreases, it has become relatively cheap to connect even the most modest home computer systems to a network across telephone links. The most common type of link today is the international network space, also called the Internet. And it is the Internet that has attracted the most attention in terms of security.
The components of a network are many, and the architecture that defines its operation is too complex to dwell upon here. Nevertheless, the basic tools (from the user's point of view) providing access to the Internet are:
* Usenet newsgroups
* telnet
* gopher
* ftp
* WWW.
The first two are "classical" in their mode of operation in that they require the user to log onto another system in order to transfer files or do some interactive work. The gopher broke this dogma and introduced a means of browsing "publicly" available information without requiring the user to have an account on a foreign computer system. The WWW, and the clients that provide the means of accessing it, have gone a step beyond in that they not only permit access to files, but also provide the means to carry out certain types of interactivity with somebody else's computer system. This offers a potential opening for the serious mischief maker and a new challenge to the computer manager.
In these days of Internet surfing, any site is vulnerable to an approach/attack from an outsider. It is even quite simple today to run complex CPU-intensive jobs on somebody else's computer without asking for permission! This represents a great step in the direction of the spirit of the Internet, but unfortunately there are those whose preferred pastime is to waste and render useless such systems. These people are referred to as Crackers, Hackers, Phreakers, and Friends.
To protect themselves from this unwanted attention, many people feel that they should always operate from inside a firewall, and this has led many companies to install them and then forget about their own internal security schemes. Firewalls do not prevent people with portable devices from plugging them into public network sockets, nor do they protect against rudimentary diskettes, which are used for everything from the simplest and most innocent game exchange to commercial software piracy and the spread of the computer viruses most commonly targeted against the single-user computer. And if you can't afford a firewall you might not need one. Many administrators are reaching the conclusion that the worst type of security is one that requires advertisement, and firewalls, by their nature, often advertise their presence.
An up-to-date pointer into firewall benchmarking can be obtained from:
http://www.data.com/Lab_Tests/Firewalls.html
If you read this document you will soon see that most of the products discussed do well in a variety of classical tests but vary when it comes to the WWW. This is because the security is not so much compromised by the service provider but through the service user. Prior to the WWW, attacks were mainly directed from the outside, toward disrupting the operation of a server. Today the contrary is also true.
Education is probably the best protection, for instance by making sure that users know what E-mail and Usenet newsgroups are and how they work. The same is true for the WWW. Presently the WWW has become the preferred target for the cyber-journalist. Issues involving pornography and virus-infected programs are key targets. Mechanisms have been implemented which deter and prevent users from reaching sites providing these files. These same mechanisms can be implemented locally so that only certain sites are accessible from the company or the institute computers.
In short, security-minded people should learn the weakest points in their network and should educate their users accordingly. Useful information can be obtained from:
* Forum of Incident Response and Security Teams (FIRST) http://www.first.org/
* Computer Security Research Groups http://www.nist.gov/
* COAST -- Computer Operations, Audit, and Security Technology http://www.cs.purdue.edu/coast/
* University of Cambridge Computer Security Group http://www.cl.cam.ac.uk/Research/Security/
* CERT -- Computer Emergency Response Team ftp://cert.org/