by Mike Morgan
An intranet is an internal network solution that uses the TCP/IP protocol and existing Internet technologies. These technologies range from Web servers and HTML to e-mail, network news, and multicasted live media. The essential idea of the intranet is that anything you've used on the Internet can be used inside your organization to build customized solutions.
This section describes six application areas you can address with your intranet:
The section "Security for Your Intranet" describes how you can turn your intranet into an extranet without leaving your network vulnerable to attack.
Most intranets are started when a system administrator places a Web server on the local network. You can run a robust, secure Web server on any popular version of UNIX, or on Windows NT. The Macintosh is also popular as a host for the Web server. You can get a Web server for free (such as the popular Apache server, available at http://www.apache.org/) or pay to get additional features. Netscape Communications offers two Web servers: the entry-level FastTrack server, which you can set up in just a few minutes, or the powerful Enterprise server, which includes advanced features such as free-text search and user agents. If you have elected to use Microsoft's Windows NT as your server, you probably already have its Internet Information Server (IIS) software.
In its simplest form, the host of your Web server just needs a network interface card (NIC) and a connection to your local area network (LAN). If you intend to operate an extranet, you also need a connection from your LAN to the Internet. The section "Security for Your Intranet" addresses this connection. You may also want a connection to the Internet if your intranet spans more than one site. That way you can use the Internet as a low-cost way to connect the various networks in your company. Be sure to use a tunneling router, described in the section "Security for Your Intranet" to encrypt your packets as they move from one site to another.
To place your intranet Web server into operation, prepare your pages on a local computer and then copy them to the Web server's host. If you're using Netscape LiveWire (described in Chapter 36, "Developing with LiveWire Pro") or Microsoft's FrontPage (described in Chapter 42, "Using HTML and Site Tools"), the tool itself will copy your pages to the server. If you're building the pages by hand, you can run an FTP (File Transfer Protocol) server on the same machine that hosts your Web server and copy the pages from your machine to the host via FTP.
A good way to start the planning process of your intranet is to make a list of your audience's needs. A great way to get ideas is to identify the company's objectives and goals and then develop one or more designs that will help the company meet its goals. Choose the design that gives you the best return on your investment.
NOTE: You can use your Web server to deliver static pages of information or dynamic Web applications. Whether you're building a static site or a dynamic application, the techniques of outlining, storyboarding, and then designing individual pages are equally applicable.
Many of your intranet applications will need to access corporate databases. Learn more about this technology in Chapter 37, "Databases."
Starting the Design Process You can use electronic tools to help capture your design. Microsoft PowerPoint (www.microsoft.com) can help you present screens of information to potential users, giving them a feel for the intranet application. Figures 45.1 and 45.2 show two screens of a PowerPoint presentation describing an intranet-based customer service application. Figure 45.1 describes the first steps of an intranet Web application for inbound telemarketing. In Figure 45.2, the developer has prepared an HTML mock-up of the first screen, and has captured a snapshot of that screen in the PowerPoint presentation. By using PowerPoint, the developer was able to add annotation to the presentation.
FIG. 45.1
PowerPoint is an excellent tool for capturing and presenting key design decisions.
FIG. 45.2
If you've built HTML mock-ups of the application's pages, embed the page in PowerPoint
and use PowerPoint's text tools to provide additional information.
NOTE: Portions of a Web-based telemarketing application, as well as a PowerPoint presentation describing the full application, are available on the CD-ROM that accompanies this book. Look in the chap45/telemark/ directory.
Charting tools such as Visio (www.visio.com) can help you organize and present the connections between pages. By mapping out your content, you will have an instant visual reference as to how your site will function and flow, as well as how all of the documents will be hyperlinked together. When your virtual "skeleton" is complete, you will instantly be able to tell how balanced your intranet is, and which department(s) may need to provide additional content.
You can also use site management applications such as Microsoft FrontPage or Netscape LiveWire to get an idea of how the site is designed. Figure 45.3 shows an outline of a typical site, developed in Microsoft's FrontPage.
By mapping out your content, you have an instant visual reference as to how your site will function and flow, as well as how all of the presented documents will be hyperlinked together. When your site's "skeleton" is complete, you will be able to see how balanced (or unbalanced) your intranet is. If you don't have enough material to meet your goals for one or more departments, you'll be able to see that fact instantly.
Building the Storyboard Once you are satisfied with your site outline, the next step is to build a complete storyboard. You may have already captured screens when you were outlining your intranet's applications. Now you can "connect the dots," laying out the contents of each page. For your first efforts, a pen and paper are sufficient to capture your design. On each page, you should
FIG. 45.3
Building a site mock-up will help you in the overall planning of your Web site.
TIP: You'll improve your site's internal consistency if you use a style guide. Choose one of the guides available online and adapt it to your specific needs. Use this guide as a checklist to make sure that each page has all the common elements you want, including links to adjacent pages, the home page, and a search or index page.
ON THE WEB: http://www.hwg.org/resources/html/style.html This page on the HTML Writers' Guild site contains a list of HTML style guides available online.
Be sure to subject your design to human review, starting when it's just an outline. You won't be able to satisfy everyone--every element of your site must be able to meet a minimum return on the investment--but you should get as much feedback as you can.
TIP: Use a Red Team of reviewers to increase site effectiveness and save money. A Red Team is a group of people whose skills and interests generally match those of your target audience. They are deliberately not involved in the design process. Show them the finished design and use their feedback to hone the design into its finished form.
When you develop pages for a public Web site, you need to take into account the fact that your visitors will be using a wide range of browsers and connection speeds. If you design pages with frames, for example, you should also provide a nonframes version. If your pages are graphics-rich and load well over ISDN or faster connections, you should provide a text-only version for use by visitors who have a slow dial-up connection.
At first glance, you might think that you could relax all of these decisions when you start designing your intranet because the company has some control over how users connect and which browsers they use. There are several reasons, however, that you should not make too many assumptions about your user's environment--for example,
Although your intranet may include a variety of types of servers (for example, Web, directory, and media) and your Web server may include many different applications, the core of your Web server is likely to be static HTML pages. This section gives recommendations on how to design pages for your intranet.
Choosing an HTML Level When you write for an Internet audience, you typically use the latest official level of HTML. If you're writing for an internal audience and you need to take advantage of some of the features of the newest draft release, you may choose to use those features as long as the browsers commonly used in your organization support the draft feature.
TIP: Whether you use a stable HTML level or a draft version, be sure to use the <!DOCTYPE...> tag at the beginning of the document to declare which level of HTML you're writing. When your page is ready, be sure to validate it so you know you've written syntactically correct HTML.
ON THE WEB: http://www.webtechs.com/html-tk/ If your pages are not accessible from the Internet, you won't be able to use public validators such as WebTech (http://www.webtechs.com/html-val-svc/) or Gerald Oskoboiny's Kinder, Gentler Validator (KGV) (http://ugweb.cs.ualberta.ca/~gerald/validate/). Visit this site to download a validator that you can run on your local host. Learn more about what a validator is and what it does in Chapter 39, "Verifying and Testing HTML Documents."
Opting for HTML Extensions Advanced Web browsers such as Netscape Navigator 4.0 (a component of Netscape Communicator) and Microsoft Internet Explorer 4.0 offer various features beyond those described in the World Wide Web Consortium's HTML specifications. For example, both browsers offer the <FRAMESET> tag, which is not yet part of the HTML standard. Both browsers also support a scripting language (Netscape supports JavaScript and Microsoft supports JScript and VBScript) and external objects (Java applets, Navigator plug-ins, and ActiveX controls). If your organization uses browsers that support extended features, you may choose to use those features in your designs. As you use them, remember the users who may call in from home, or those extranet users who access your network from outside the organization, and make sure you haven't designed a page that is unusable by those users.
Designing for Bandwidth Many organizations run their intranet over an Ethernet-based local area network, or LAN. Users on such a LAN can count on 10Mbps raw speed, though as the load on the LAN increases, the effective throughput per user can fall appreciably. Faster technologies exist and are commonly used in larger organizations. The speed of a connection is also known as its bandwidth. Some organizations have several different sites that are geographically distant from one another. They link them into a wide area network (WAN) using leased lines. Typical speeds are 56Kbps (for a leased digital line), 64 or 128Kbps (for ISDN), or even 1.5 to 5MBps (for T1 and T3 connections respectively). Higher bandwidth connections are expensive. In many parts of the U.S., a T1 connection costs over $1,000 a month. In some parts of the world that bandwidth is not available at any price. When you design your intranet pages and applications, it's nice to be able to count on high speed. Be careful, however, that a user on a busy LAN or WAN or a user on a dial-up connection doesn't find your design unusable.
After the storyboarding is done and your design has been reviewed, begin the actual HTML coding process. Here's a five-step process used by many Webmasters and site designers:
FIG. 45.4
If the user chooses not to load the graphic, he or she can still follow the links
to the sections of the art gallery.
TIP: Not every file on your intranet has to be coded in HTML. You can add hyperlinks to any file type. When a Web browser encounters a file type that it cannot display or does not know how to handle, the user is prompted with a dialog box. He or she can open the file with an application (such as Microsoft Word) or save the file to the disk.
If your organization has standardized on Microsoft Office 97 products, you can have your users configure their browsers so that all PowerPoint documents are opened by Microsoft PowerPoint. Applications configured in this way are called helper applications.
ON THE WEB: http://www.microsoft.com/office/viewers/default.htm If you need to make a Microsoft Office 97 document available to users who don't have Microsoft Office 97, ask them to install the viewers available at this site. Viewers are available for Word, Excel, and PowerPoint.
CAUTION: You should discourage your users from using products that have a macro language as helper applications. Some viruses are passed through macros. If the browser opens Microsoft Word whenever it sees a Word document, it may open a file with a macro virus and infect the machine.
Instead, use a viewer or a "lite" application, such as WordPad, that does not support macros. Once the user is confident that the document is not an attempt to spread a virus, he or she may choose to open it in Word.
If you use your intranet only to provide static Web pages and dynamic applications, you're missing much of the potential of your network. Electronic mail, or e-mail, is the most popular single application on the Internet, and you can take advantage of this technology on your intranet.
Like the Web, e-mail is a client-server technology. You'll need an SMTP (Simple Mail Transfer Protocol) server to deliver mail from one site to another. You'll also want a POP (Post Office Protocol) server or IMAP (Internet Message Access Protocol) server to store the messages until they are retrieved by the user.
An SMTP server is built into most versions of UNIX, and UNIX POP servers are freely available on the Internet. You can also buy mail servers from Microsoft and Netscape. Microsoft Exchange is part of BackOffice Server. The Netscape Messaging Server is included in Netscape's SuiteSpot.
While many users think of e-mail in terms of text, you can use the Multimedia Internet Mail Extensions (MIME) to attach all sorts of files to an e-mail message. Advanced mail clients allow you to add attachments easily and show the attachment as a clickable graphic at the end of the message (see Figure 45.5).
FIG. 45.5
This e-mail message contains an attached Microsoft Word document.
You can also include HTML in your e-mail message, allowing you to embed lists, graphics, and even Java applets in your messages (see Figure 45.6).
FIG. 45.6
This e-mail message is an HTML document.
TIP: Only advanced e-mail clients such as Netscape Messenger and Microsoft Outlook Express can display HTML-based e-mail messages. Use your address book to record whether a particular recipient can handle HTML-based messages. (See Figure 45.7 for an example of the address book in Netscape Messenger.)
FIG. 45.7
Use the address book to keep track of which recipients can handle HTML-based messages.
Many Internet users are aware of Usenet, the great collection of newsgroups that are propagated from one server to another around the world. If your company has a topic of widespread interest, you can petition the Usenet community to add a newsgroup. A simpler approach is to host a newsgroup on your own server and make it available over the Internet.
On your intranet, you can set up newsgroups for every project and department. Your employees can use a newsreader to subscribe to any of these newsgroups and, with proper authority, can read and post messages. (If your company uses Netscape Communicator, you already have an excellent newsreader embedded in that product.) You can also set up moderated newsgroups--newsgroups in which every posting is sent to a human moderator who determines whether to allow the message to be posted.
Many of the free news servers are most appropriate for public servers and Usenet. Commercial news servers, such as the Netscape Collabra server, offer sophisticated security options as well as the capability to build "virtual newsgroups" based on text search. (Collabra is available in Netscape's SuiteSpot.)
ON THE WEB: http://www.stairways.com/rumormill/index.html If you use a Macintosh server, you can download this shareware news server. Windows NT-based sites may prefer ftp://ftp.agt.net/pub/coast/nt/internet/nd10a2nt.zip. UNIX site administrators should visit http://www.isc.org/inn.html. InterNetNews (INN) is widely used as the UNIX news server.
In most companies, the cost of overnight mail and long-distance telephone is a significant part of doing business. You can replace many overnight mail packages with e-mail (described earlier in this section). When you need a person-to-person meeting, consider using the Internet instead of the phone.
ON THE WEB: http://www.imtc.org/imtc/i/activity/i_voip.htm Learn more about Internet telephony at the Voice Over IP forum of the International Multimedia Teleconferencing Consortium, Inc. You can get a list of commercial software providers at http://www.yahoo.com/Business_and_Economy/Companies/Computers/Software/Internet/Internet_Phone/.
If you're using Netscape Communicator, you already have Netscape Conference. Add a microphone, and you're ready to communicate with other Conference users around the Net.
Several companies are offering video-conferencing. Shark Multimedia (www.sharkmm.com) has developed the SeeQuest video-conferencing kit, which includes a high-speed modem, speaker phone, and Connectix QuickCam camera. Both color and black-and-white versions of the kit are available.
Specom offers a competing system--SuiteVisions. SuiteVisions includes a 24-bit digital color camera called the VisionCAM. You can get more information on SuiteVisions from http://www.specom.com/.
If you're collaborating by using e-mail and newsgroups, then you don't care too much when users pick up or send their messages. If your work group is spread across many time zones, you don't have to do any calculations to figure out "If it's 3 P.M. here, are they still at work there?" You just send your message and read the reply when it arrives.
If you want to hold real-time meetings over the phone or use audio- or video-conferencing on the Internet, or in person, you need to coordinate personal calendars. Most commercial groupware products include some mechanism for sharing calendars. The Professional Edition of Netscape Communicator includes Netscape Calendar, which works with Netscape's Calendar Server (a component of Netscape SuiteSpot).
You can use Netscape Calendar to keep your own calendar. When you need to set up a meeting, you can ask the software to suggest times when all of the participants are available. "Participants" can include resources such as a conference room or special equipment. You can also put several agendas up side-by-side (as shown in Figure 45.8) and find a time that is convenient for most participants.
FIG. 45.8
Use Netscape Calendar's Group Agenda to find a time that is convenient for everyone.
Look down the Combined column for free time slots.
If you're using your intranet for collaboration, your users need to be able to find one another. In a small organization everyone may know everyone else. Everyone at least knows the names of the people with whom he or she needs to collaborate. They can use the company phone book to find the person's phone extension and, perhaps, his or her e-mail address.
As the organization grows, the task of maintaining a written phone book becomes time- consuming. You may want to explore the use of a directory server on your intranet. The international standard for online directories is OSI X.500. Most Internet experts agree that X.500 is an adequate standard for directories, but the protocols for reading and writing the directory are complex and difficult to implement on the Internet. The Internet Engineering Task Force (IETF) has released a "slimmed down" access protocol called LDAP (the Lightweight Directory Access Protocol).
Netscape has implemented a server based on X.500 and LDAP--Netscape calls the product Directory Server--and includes it in its SuiteSpot package. You can implement a gateway between the Directory Server and the Web, but if your users are using Netscape Communicator you can access a Directory Server directly, as shown in Figure 45.9.
FIG. 45.9
Use this Preferences dialog box to integrate Communicator with your Directory Server.
Netscape chose to use vCards, an open standard for personal data interchange, as the basis for directory entries. Once you've told your copy of Communicator which directory server(s) to use, you can look up people and resources in the directories and retrieve their vCard. If you like, you can copy the vCard to your Personal Address Book, as shown in Figure 45.10.
FIG. 45.10
Use vCards to integrate your personal address book with the Directory Server.
A vCard is the electronic equivalent of a business card. Once you have a person's vCard, you can easily e-mail them or connect to them by using Netscape Conference.
If your LAN is completely isolated from the Internet, you are primarily interested in host-level security. Your network is vulnerable to attack by your own employees. When you connect your LAN to the Internet, however, you open yourself to other kinds of attack. Only a small percentage of Internet users are likely to attack your site, compared to the number of employees who may go after your site. The sheer size of the Internet, however, means that many attackers from the Internet may be trying to break into your intranet.
For more information on Web security, see Chapter 41, "Building a Secure Web Site."
In its simplest form, an intranet is a LAN connected to the Internet. Although most Internet users are far too busy working on their own projects to have time to attack your network, there are some Internet users who will attempt to gain unauthorized access to your computers. In general, these adversaries fall into one of six categories:
As shown in Figure 45.11, your company's security stance represents a tradeoff between security, ease-of-use, and performance. Your security position represents a management decision based, in part, on the kind of attacker you think may come after your site and the value of the information. Here are two rules of thumb to help you decide how much you should budget for security:
FIG. 45.11
Your company's management needs to set a security policy that balances security,
performance, and usability.
Many aspects of security can be controlled on a resource-by-resource basis. Thus, if you have a section of your intranet that lists company social events, you may choose not to secure that part of the site as tightly as you secure the corporate financial data.
CAUTION: Many sites are set up so that each server trusts the others. A successful attack on the server that hosts the company social calendar might allow an adversary to break into the server that carries accounting data.
This part of the chapter addresses two levels of intranet security. Network security pertains to the security of your data packets as they are transported across the network. Host security addresses operating-system issues--if an adversary can gain access to a command prompt on your UNIX or Windows NT host, he or she may be able to read or change information managed by the server. Finally, this section addresses server security--mechanisms by which you can reduce the likelihood of a user visiting your Web or news site and accessing sensitive information.
Figure 45.12 illustrates a typical LAN with access to the Internet. An outside user may come from a LAN on other company site, accessing your LAN as part of the company's intranet. The user may also be an extranet user, authorized to read and write a portion of your network's data. He or she might also be an Internet user, coming onto your intranet to access a name server, mail server, or even a Web server.
Regardless of why the outsider has come to your LAN, you should take several steps to ensure that only authorized users get onto the network and that they get access only to specific data.
FIG. 45.12
Outside users may come from the intranet, extranet, or Internet.
You may choose to protect your network at any of several points. Most network administrators will choose to use a combination of security techniques. Figure 45.13 shows several common security tools:
FIG. 45.13
Use network-level tools to decrease the likelihood of someone reading or changing
data on the network.
TIP: Whoever designs your company's access control system is setting your company's access control policy. Don't leave this important responsibility to the technical staff. Management should take an active role in determining policy and then have the technical staff implement the policy. Finally, have auditors check the implementation to be sure that it matches the specified policy.
Firewall Routers Routers are the traffic directors of the Internet. If you place a machine on the Internet and give it an IP address of 207.2.80.1, you must also provide a router that tells the rest of the network where packets for that address should be directed. When you connect a LAN to the Internet, you must place a router between the two so that packets can pass between the Internet and the LAN. This router gives you a good place to start implementing your access control policy. Routers that deny access to unauthorized packets are called firewall routers. Today, most routers can be configured to offer some firewall services.
Listing 45.1 shows an example of a typical firewall router configuration. By design, most firewall routers severely restrict the packets that pass from the Internet to the intranet. In this example, packets associated with e-mail (the Simple Mail Transfer Protocol, or SMTP) and the Domain Name Service (DNS) are allowed through, as are FTP packets that go to non- privileged ports.
no ip source-route access-list 101 deny ip 207.2.80.0.0.0.0.255 access-list 101 permit tcp any established access-list 101 permit tcp any host 207.2.80.10 eq smtp access-list 101 permit tcp any host 207.2.80.20 eq dns access-list 101 permit tcp any 20 any gt 1024 access-list 101 deny tcp any any range 6000 6003 access-list 2 permit 207.2.80.0 255.255.255.0
NOTE: Listing 45.1 is intended only to give you an idea of what sort of checks can be made by a firewall router. Check the documentation that came with your router and consult a computer security expert to determine the best way to implement your company's access control policy.
The first line in Listing 45.1 tells the router not to allow an outsider to force packets upon you. Source-routing allows the originating router to specify how the packet will be routed--useful as a diagnostic tool, but a deadly vulnerability on an intranet.
The second line tells the router than anyone coming from the outside world who claims to be on the local LAN (address 207.2.80.x) is a fraud. Because local users often have privileges that are inappropriate for outsiders, this line is an important safeguard. The next line,
access-list 101 permit tcp any established
tells the router not to disrupt any established TCP connection. With this rule in place, you can change the router's configuration without disturbing connections that are already in place. Since most HTTP connections are short-lived, this line does not open a significant security hole.
The next three lines deliberately open a hole in the firewall. The first of these lines allows any outsider to send packets to machine 207.2.80.10, the mail server, as long as the packet uses the Simple Mail Transfer Protocol (SMTP). This line allows outsiders to send mail to people in our organization. The next line is similar. It allows outsiders to use our nameserver to convert domain names (for example, www.xyz.com) to IP addresses (for example, 207.2.80.1). The next line in this section,
access-list 101 permit tcp any 20 any gt 1024
tells the router to permit anyone using FTP (which comes from port 20) to access the higher port numbers (greater than 1024) on our machine. This line allows your staff to transfer files via FTP, as long as they run a nonprivileged process on a nonprivileged port.
The next line explicitly denies outside access to certain high-number ports that are associated with X Window and the Network File System (NFS)--two services that no outsider has any business accessing.
The last line makes an entry to access list 2, which controls who is allowed to make changes in the router's configuration. This line says that anyone on your local network (207.2.80.x) or the local host (255.255.255.0) is authorized to make changes (assuming they can satisfy other security restrictions).
Because a firewall router is installed at the interface between the LAN and the Internet, it can only protect against attacks from the Internet. Specifically, it offers no protection against the following threats:
Firewall routers are an important first step in securing your network against attack. For best protection, however, they should be used in conjunction with other security technologies, such as proxy servers and channel security.
Proxy Servers Most organizations will want to operate a proxy server in connection with their firewall router. The router implements general policies at a level that is low in the protocol stack, close to the hardware. A proxy server offers pin-point access control at a level much higher in the protocol stack. Figure 45.14 shows a typical firewall installation that includes a proxy server. This configuration is known as a screened host firewall.
FIG. 45.14
In a screened host configuration, most packets are required to go to the bastion
host.
In a screened host firewall, the firewall router allows only a handful of packets to pass directly to the LAN. (Such packets might include packets destined for the mail server or nameserver, as shown in Listing 45.1 earlier.) All other packets are sent to a proxy server on the bastion host. For example, suppose the company wants to operate a Web server for use by the general public. The Web server itself is running on the LAN, on machine 207.2.80.1. Anyone attempting to access 207.2.80.1 from outside the LAN is denied access. The company offers a proxy server on the bastion host, 207.2.80.90. If an outside user queries the company's nameserver and asks for the IP address of the machine named www, the nameserver directs that user to 207.2.80.90--the proxy server. When the outside user sends a query to port 80 (the default HTTP port) of 207.2.80.90 (the proxy server), the firewall router permits it to pass. The proxy server checks its security tables to see if it is authorized to send back the requested page. If it is, then it checks its cache to see if it has a current copy. If it doesn't have a cached copy, the proxy server contacts the real Web server, fetches the page, and returns it to the requesting user.
If an adversary attacks the proxy server and is able to defeat its security, he or she has access to pages in the cache and other files on the bastion host. The adversary could use the bastion host as a launching point to attack other hosts on the LAN, but if the hosts themselves are secure, the attacker is confronted with extra work. All but the most determined adversaries will become discouraged and will move on to easier prey.
TIP: For even more security, consider using a screened subnet, in which several servers--Web, mail, and DNS--are set up on bastion hosts that are isolated from the LAN by yet another router. The region between the two routers is called the Demilitarized Zone, or DMZ. Because all the services an outsider might legitimately want are in the DMZ, the firewall router doesn't have to leave any security holes open to the LAN itself. Figure 45.15 shows a screened subnet firewall.
FIG. 45.15
With a screened subnet, the firewall router blocks all outside attempts to access
the LAN itself.
ON THE WEB: http://home.netscape.com/comprod/server_central/product/proxy/index.html/ You can learn more about Netscape's Proxy Server (a member of the SuiteSpot family) online. You might also want to learn about SOCKS, a popular free proxy server, at ftp://ftp.nec.com/pub/security/socks.cstc, and the Microsoft Proxy Server (http://www.microsoft.com/proxy/default.asp).
NOTE: The Netscape Proxy Server comes bundled with virus-scanning software. While the odds of your machines contracting a virus from the Internet are relatively low, there's no reason to take a chance. If your proxy server includes a virus scanner, enable it and subscribe to the updates so you're protected from the latest viruses.
Sniffers and X.509v3 Certificates IP packets passing over an Ethernet contain a hardware address. In general, each network interface card (NIC) can "hear" all of the packets, but only "listens to" the packets whose address match the card's address. Special hardware called a network analyzer or, colloquially, a "sniffer," can be hooked to a network that will listen to every packet. Furthermore, many NICs can be placed in a special mode, called promiscuous mode, in which they listen to every packet. A network technician can use a sniffer or, equivalently, a PC with its NIC in promiscuous mode, to troubleshoot an Ethernet segment. An attacker can use the same technology to read the contents of every packet, hunting for sensitive information that has been sent in the clear (unencrypted).
If you're sending and receiving packets over the Internet, you should consider all packets vulnerable. If your intranet asks for or sends sensitive information, you should use an encrypted channel for that information. The easiest way to get an encrypted channel is to use Netscape's Secure Sockets Layer, or SSL, in concert with an existing protocol.
In order to implement SSL, at least one party on the connection needs to have a public encryption key that has been certified by a Certification Authority. You can get these certificates (known as X.509v3 certificates) from your organization's own Certificate Server, or from a public Certification Authority such as Verisign (www.verisign.com).
If your intranet consists of several sites joined by the Internet, you should consier protecting your intranet by encrypting all packets that go from one site to another. You can accomplish this level of encryption by using special routers (called tunnelling routers) that apply an encryption algorithm to all packets that they send out and a decryption algorithm to all incoming packets. The next two sections describe SSL and tunnelling routers.
SSL While the Secure Sockets Layer (SSL) was developed by Netscape, the details have been made available by Netscape and the technology has been widely implemented. For example, there is a secure version of Apache, the free Web server for UNIX. Most of Netscape's products support an SSL option. You can turn on SSL in Netscape's Web servers (both FastTrack and Enterprise), Directory Server, and Collabra (news) Server. You can also enable SSL on either side of the proxy server. You can also use X.509v3 certificates to encrypt e-mail, by using the S/MIME protocol.
If an end user has an X.509v3 certificate, you can use certificates as the basis for access control. You might tell your Web server that only members of the Accounting department have access to the financial data and then provide a list of the members of the Accounting department. How can the server verify that a user really is who they say they are? By asking the user's client software to present an X.509v3 certificate.
If the user doesn't have a certificate, you'll have to use usernames and passwords as the basis for access control. This mechanism is inferior to X.509v3 certificates for two reasons: First, if the password is ever sent over a nonsecure channel, it can be compromised by an adversary with a sniffer, and second, the user has to remember many different passwords. The user may be tempted to write the password down or use the same password on more than one system. Either way, the likelihood of the password being discovered increases.
Tunnelling Routers If your intranet spans more than one LAN, you should connect them with tunnelling routers. Tunnelling technology, built into many firewall routers, encrypts packets leaving one router destined for another router on your intranet. This solution allows you to build a virtual intranet, connecting your LANs over the Internet instead of using dedicated lines.
ON THE WEB: http://gregorio.stanford.edu/papers/firewall/firewall.html This paper, "Designing an Academic Firewall: Policy, Practice, and Experience with SURF," describes Stanford University's experience with building a virtual intranet. It contains a relevant section (http://gregorio.stanford.edu/papers/firewall/node12.html#SECTION00051000000000000000) on secure IP tunnelling.
Most servers allow you to specify access control by IP address, host name, or user ID. You can also restrict the type of access (for example, read, write, delete). For example, the Access Control entry shown in Figure 45.16 restricts the access to the resources in the sensitive directory.
FIG. 45.16
Use the Enterprise Server's Access Control page to specify the resource to restrict.
Figure 45.17 shows the Access Control List (ACL) being set up. This ACL reads
FIG. 45.17
Use the Enterprise Server's Access Control Lists to specify pinpoint access control
for each resource.
You can apply access control to nearly all servers, including Web servers, proxy servers, news servers, calendar servers, and directory servers.
The best server security in the world is worthless if an adversary can gain access to the host's command prompt. Depending upon the operating system, you may be vulnerable to attack through a mail server, an FTP server, or other network software. You may also be attacked from a trusted host, or by an insider who has access to Telnet or to the machine itself.
Much of the advice on host security is operating system specific. Be sure to read any security notices issued by your operating system vendor and make recommended changes that apply to your configuration.
ON THE WEB: http://www.cert.org/ Keep up with the latest security notices online, both here and at http://ciac.llnl.gov/.
NOTE: Learn more about protecting a UNIX machine in Chapter 40, "Site Security," of Webmaster Expert Solutions (Que, 1996). Many of the principles in this chapter are also applicable to other operating systems, such as Windows NT.
© Copyright, Macmillan Computer Publishing. All rights reserved.