Dealing with Client/Server

Issues in Purchasing and Implementation

Linking Private Networks to the Internet

How can enterprises maintain data security while connecting their internal networks to the Internet?

By Sally Atkins

Joining a private corporate network to the Internet can create new demands in the IS network management agenda. Amid all the hype over the World Wide Web and electronic commerce, little ink is given to the fact that the Internet's growth path will not be smooth. Outages and security breaches are escalating problems at the same time as a record number of businesses are planning to expand their reliance on the Net. It's up to open systems professionals to temper the excitement over the Internet's commercial potential with the realities of managing the network for serious business.

Network security management is a sobering place to start. The Internet is still not a safe place for top-secret information or trade secrets. Essentially, there is nothing you can do to prevent certain problems that arise from opening your gateways to the outside world. Nonetheless, manage you must.

Before beginning to build a network security management architecture, consider your organization's business goals and security policies. The goals of the security policy should dictate the security technology and architecture you select. For example, some organizations need to protect the privacy of their customers and the integrity of their data. Others want to protect data as well as monitor and control their employees' use of the Net.

The reality in buying tools for network security is that you are limited by what fits with your Internet service provider (ISP) vendor's environment. In evaluating ISPs, one of the most important questions to ask is how well they can help protect your private network from the outside world. This capability poses a paradox for advocates of open systems solutions. The better able an ISP is to "wall you off," the more likely it is to have proprietary software on its bastion hosts. In fact, ISPs are differentiating themselves in the marketplace not only on bandwidth access and pricing, but on their ability to outdo their competitors in security matters.

Many users will choose an ISP based on its network operations center's ability to provide turnkey security that meets their corporate security policies. (That turnkey might not include the ability to use Kerberos or other security products that are important to your enterprise.) It pays to check out the fine print. Balance your needs for enterprise authentication and application and data security with your needs for blocking intruders.

The Firewall Solution

Firewalls between corporate networks and the outside world are the most common form of protection today. They monitor traffic and allow insiders to have access to services on the Internet while barring access from the outside, unless it is preauthorized. Naturally, firewall policies should reflect the overall security policy goals of the business. (For a full discussion of firewall issues, see "Raise Shields!".)

The commercial firewall market took off in 1995, according to research from International Data Corp. IDC expects the phenomenal growth of the worldwide firewall market--driven by the adoption of Internet technology and Web servers (both Internet and intranet)--to continue through the year 2000 and forecasts a compound annual growth rate of 174 percent. Clearly, these figures suggest that nearly everyone will at least look into the firewall option.

As you sort through the issues surrounding firewalls, a couple of books among the many published recently may be helpful. Frontiers of Electronic Commerce (Addison-Wesley, 1996) by Ravi Kalakota and Andrew Whinston is a good primer on technical aspects of doing business on the Internet. Building Internet Firewalls (O'Reilly & Associates, 1995) by Brent Chapman and Elizabeth Zwicky goes deeper into the topic.

In the section on firewalls in Frontiers of Electronic Commerce, the authors explain that the simplest firewalls are Internet Protocol (the IP of TCP/IP) packet screening routers placed between the ISP's router and the user's internal network. This type of firewall helps, but screening rules can be difficult to specify for a large corporation with hundreds or thousands of users. They are only a beginning.

Proxy application gateways can be added to firewall servers to manage network functions such as FTP, Gopher, HTTP and other Web protocols. The proxy is an intermediary that helps address security concerns by limiting subsets of the HTTP protocol.

A third level of firewall is the hardened firewall host, a server configured to prevent unauthorized login from outside the private network. IP forwarding is disabled, so the firewall cannot forward unauthorized packets between the Internet and the private network. This solution is particularly useful for intranet applications.

Many of us who grew up in the Internet environment have had to learn empathy for private network management issues such as privacy and transaction security. Others of us are new to the Internet and surprised by the array of annoyances and disasters we must now learn to manage, if not avoid altogether. Managing these public/private dichotomies is critical to satisfying users' expectations that the Internet will appear as solid as their private networks.

The intranet rage is based on making the private networks as convenient as the Internet, only more private and secure. Making the world safe for electronic commerce is a big business for open systems professionals, growing right along with the firewall business itself. Go forth and fortify.

Sally Atkins is president of IST Consulting, an affiliate of NetSource, Inc., based in Boston. She can be reached at