Access to the Internet provides an agency with many advantages. In our April column, we discussed how high access speed enables agencies to take full advantage of what the Internet has to offer. Using a DSL or cable connection to the Internet introduces security as an issue. You must be aware of this and deal with it in some manner, so we are going to expand on security issues in this month's column.
Several characteristics of both DSL and cable connections make taking additional precautions necessary. Both of these connections allow you to be connected to the Internet all the time. This "always on" connection has advantages, such as being able to check for new e-mail continuously. However, it also provides a way for someone outside of your system to gain access to it at any time.
Another problem is difficulty in detecting large downloads. This makes it easier for an intruder to download large files from your computer without your being aware of it. Your IP address (your unique computer address on the Internet) does not change for long periods of time, if ever. This makes it easier for intruders to reconnect to your system once they have gained access the first time. It also makes it easier for Web sites to track your activities without having to store information on your computer in a file called a "cookie."
Let me share a personal story to illustrate the potential dangers. We have DSL access at home and cable access at the office. While at the office, we wanted to connect with a computer at home using a remote access program called pcAnywhere (www.symantec.com). We use the Internet as the means of making the remote connection because an Internet connection is more reliable than a dial-up modem connection. When you start pcAnywhere, it looks for available connections and highlights them. Another computer showed up as being available to connect to. Thinking it was the computer at home, we clicked on the icon to connect. To our surprise, someone else's computer was displayed on our screen. Another subscriber on the cable "network" had left his/her copy of pcAnywhere running without having activated any of the security features. We could have gained unlimited access to programs and data on his/her computer. If the other subscriber had activated the security feature that is built into the pcAnywhere software, I would not have been able to gain access. Because the Internet is based on open standards that anyone can use, having security and using it is extremely important.
Security options
Proxy servers provide a variety of essential functions for your LAN. First, a proxy server offers an effective and secure barrier between your internal network and the Internet. You can block various protocols and IP addresses from coming into your network. At the same time you can control the protocols your users utilize to access the Internet. Another benefit is that proxy servers allow you to share your Internet connection among several or even all users on the network. Finally, many proxy servers offer Web caching capabilities for storing previously visited Web sites and providing local access to users who re-visit the sites.
When an office wants multiple workstations on its internal network to use the same Internet connection (DSL or cable), the NAT (Network Address Translation) or a proxy server will allow this to take place. Every individual computer that is connected to the Internet has a unique address called an IP address. A single DSL or cable connection has one IP address that identifies that connection to the rest of the Internet. The NAT or proxy server "fools" the system by using the DSL IP address and setting up ghost IP addresses for the internal workstations. Hence the "translation" in Network Address Translation. The software intercepts the request for information from the individual workstation, keeps track of the request, sends it out over the Internet and then knows to which individual workstation it should be routed when the information is returned.
Network Address Translation (NAT) or a proxy server does not necessarily imply any security. If the computer with the physical connection to the Internet (called a gateway) is using NAT or a proxy server, it does not necessarily mean that the gateway is any more secure than it would be if those services were not running. It usually does mean that the network behind is harder to get to or attack, but even that is not always true. For more detailed information on your particular situation and setup, you will need to talk with your network administrator.
In general, a NAT is easier to set up and use than a proxy server because it is simply installed on the computer that is directly connected to the cable modem. Proxy servers generally require settings for each client computer on your local network. NAT makes the machines on the local network behind the gateway machine more secure essentially because the client computers on the local network use IP addresses that are reserved for use on internal networks only. Those IP addresses will not show up on the Internet.
Proxy servers are used where you want tighter control of what the client machines are allowed to do, or when you have many client machines. The proxy lightens the load on the cable or xDSL modem by caching Web pages that are downloaded. So assuming that the users on the local network tend to surf the same pages, the performance can be greatly enhanced. With a NAT, every request requires retrieval through the cable modem--no caching.
Firewall
A "firewall" in an insurance context offers protection from a fire spreading. In the computer world, a firewall is designed to address two problems: mapping your network into a limited number of public IP addresses and providing security to prevent outside parties from accessing internal resources.
NAT addresses the first problem and is generally used when you are using a packet filtering firewall to provide the security. Combined, they solve both problems.
Proxy servers can be used to solve both problems also. Most commercial gateway firewall products these days are a combination of all of these. Proxy servers can be highly secure, and allow you to look into the application data of the packets, so you can block URLs (to enforce your electronic communications policy), etc. However, they can be somewhat limiting because writing an intelligent, secure proxy for every protocol/application is more than anyone can handle.
Some specific products
The following is a list of a few software products that can be used to solve all or part of the Internet sharing problems described. There are also quite a few hardware boxes that provide some of the same features. The advantage of using a hardware implementation is that the gateway computer does not have to be on in order to access the Internet from the client computers on the local network. But it may also be a more expensive solution.
ICS is the NAT service in Windows 98 Second Edition. It used to be called NAT 1000 before Microsoft purchased the company.
ZoneAlarm v2.1 (by Zone Labs (www.zonealarm.com)) is a simple firewall that resides on a single computer. With Stealth Mode enabled, ZoneAlarm's Firewall renders your computer invisible to the Internet and potential intruders. If you can't be seen, you can't be attacked. Because you tell ZoneAlarm how you use your computer, the firewall allows only traffic that you understand and initiate. ZoneAlarm also allows you to block Internet traffic while your PC is unattended or while you are not using the Internet. With the Internet Lock, you have absolute control over the use of your always-on connection to the Internet.
WinProxy v3.0 (by Ositis Software (www.winproxy.com)) resides just above the physical layer, and is a firewall and a proxy capable of blocking ports that are opened by the operating system. The firewall ensures that users don't have intruders invading their system or bombarding them with multiple requests that result in "denial of service" attacks. To accommodate a wide variety of user requirements, WinProxy offers five levels of built-in security that can be customized to the user's needs. It also includes pre-configured firewall settings to accommodate applications such as NetMeeting, MSN, AOL and some of the more popular games that can be troublesome for NAT/proxies.
BlackICE Defender (www.blackice.com) from Network ICE fits under the firewall category, but really belongs in a new category: "intrusion detection system." It analyzes the traffic, even traffic allowed through the firewall, proxied, or translated. In much the same way anti-virus software scans the hard disk, BlackICE Defender scans the network traffic.
There is no security issue that I'm aware of where you'd choose a NAT instead of a proxy or vice-versa. A proxy allows the administrator more control over what is or isn't allowed onto the client computers on the local network, while a NAT typically offers easier set up.
Providing additional layers of security for your office should be an integral part of your Internet strategy. However, don't let security concerns prevent you from installing high-speed access in your office. The benefits far outweigh potential problems. *
The author
Steve Anderson has been a licensed insurance agent for over 20 years. He is president of steveanderson.com, Inc., which provides products and services that help agents maximize profits using commonsense technology. E-mails are welcome at steve@SteveAnderson.com or visit his Web site (www.steveanderson.com). He can also be reached at (615) 599-0085.
©COPYRIGHT: The Rough Notes Magazine, 2000