Steve Buehler
If you're a good network administrator, you play a lot of roles during your workday. Much of your time likely is spent with the mundane tasks of keeping your network up and your users productive. But sometimes you get the chance to think about network security. I think of this as putting on your "missile cruiser captain" hat: You've got to look outside your flotilla of users, assess the threats and risks, and deploy the proper preventive measures to make sure your charges aren't blasted out of the water. Yet even as you're peering outside, your users are demanding changes inside: virtual private networks, internal corporate intranets, and more remote access. Each carries an increased risk of security failures.
I've recently seen two interesting products that address these problems. If you're concerned about security for users dialing into your network, Paralon Technologies (Bellevue, WA; 800-727-2566) offers the LanKey Secure Remote Access Server. Similar in concept to remote-access servers on the market today, the LanKey offers four dual-slot PC Card sockets for your standard V.34 modems. Drop in a Paralon secure modem, though, and whenever a caller without a known and registered Paralon security device tries to get in, the system denies access. If the user's security device is recognized, the two modems negotiate a secure channel between them with a one-time-only DES key that is never transmitted across the wire. The LanKey (about $6,000, depending on configuration) works under AppleTalk (ARA), Novell's NACS/NASI, and TCP/IP (CSLIP, PPP, and SLIP). The Paralon architecture makes it exceedingly difficult for an outsider to crack into your network.
If you're concerned that someone may be watching what's on your wire and snooping or spoofing your IP traffic, consider a new product from TimeStep (Kanata, Ontario, Canada; 800-383-8211) called Permit. The TimeStep people decided that for minimum user impact they would set up secure DES sessions between correspondents and then scramble only the data within the packet frame. At the network layer, packet headers and trailers are unchanged; only the data section of the network frame is altered, and the legitimate receiver unscrambles it. As with the Paralon, a secure session is created when needed and torn down when done. The advantage of this architecture is that it should be extensible to any data-link protocols (Ethernet, Token-Ring, PPP). One shortcoming is that TimeStep supports only TCP/IP traffic right now. A standard setup consists of a dedicated PC running Permit manager software ($5,000) and software on each Windows for Workgroups client ($99 per client, $149 per remote user). A software and ISA hardware bundle ($219 per client) speeds up encryption and decryption for faster throughput.
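Both products above come down to the same two moves: the correspondents settle on a one-time session key without ever sending it across the wire, and the sender then scrambles only the data section of each frame so the headers still route normally. The block below is an added illustration written for this column, not code from Paralon or TimeStep. It assumes a textbook Diffie-Hellman exchange for the key agreement (the column says only that the key never crosses the wire, not how it is derived), uses a small constructed prime so the arithmetic stays readable, stands in HMAC-SHA256 in counter mode for the DES cipher that neither product's internals are shown for, and adds an integrity tag over the clear header plus ciphertext so a spoofed or altered header is rejected at the receiver. The frame layout is likewise constructed.

```python
import hashlib
import hmac
import secrets
import struct

# ---- Key agreement --------------------------------------------------------
# Assumption: a textbook Diffie-Hellman exchange. The modulus 2^127 - 1 is a
# constructed, illustration-only value so the numbers stay readable; a real
# deployment uses a standardised large group.
DEMO_P = (1 << 127) - 1
DEMO_G = 2


def dh_keypair(p=DEMO_P, g=DEMO_G):
    """Return (private exponent, public value) for one side of the exchange."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_session_key(priv, peer_pub, p=DEMO_P):
    """Derive the per-session key; only the public values crossed the wire."""
    shared = pow(peer_pub, priv, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


# ---- Payload-only protection of a frame -----------------------------------
# Constructed header layout: source address, destination address, protocol
# number, frame id. These bytes pass through untouched so the frame still
# routes; only the data section after them is scrambled.
HEADER_FMT = "!4s4sBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 11 bytes
NONCE_LEN = 8
TAG_LEN = 16


def build_frame(src, dst, proto, frame_id, payload):
    return struct.pack(HEADER_FMT, src, dst, proto, frame_id) + payload


def _keystream(key, nonce, length):
    """Stand-in for DES: HMAC-SHA256 run in counter mode as a stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def protect(frame, key):
    """Sender side: header passes through in the clear, data section is encrypted.

    The tag also covers the clear header, so an altered or forged header is
    rejected by the receiver (an integrity check added in this example; the
    column only describes the encryption)."""
    header, payload = frame[:HEADER_LEN], frame[HEADER_LEN:]
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per frame: a keystream must never be reused
    ciphertext = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    body = header + nonce + ciphertext
    return body + _tag(key, body)


def unprotect(blob, key):
    """Receiver side: verify the tag, then restore the original frame."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise ValueError("frame rejected: header or data section altered in transit")
    header = body[:HEADER_LEN]
    nonce = body[HEADER_LEN:HEADER_LEN + NONCE_LEN]
    ciphertext = body[HEADER_LEN + NONCE_LEN:]
    payload = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return header + payload


def visible_to_snooper(blob):
    """What someone watching the wire still learns: the unchanged header fields."""
    src, dst, proto, frame_id = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    return {"src": src, "dst": dst, "proto": proto, "id": frame_id}


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key = dh_session_key(a_priv, b_pub)
    assert key == dh_session_key(b_priv, a_pub)
    frame = build_frame(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 6, 1, b"payroll.xls contents")
    wire = protect(frame, key)
    print(visible_to_snooper(wire))
    print(unprotect(wire, key) == frame)
```

The `visible_to_snooper` function makes the trade-off of this architecture explicit: because the header is left in the clear so that ordinary routers and bridges can forward the frame, anyone on the wire still sees who is talking to whom and over which protocol, even though the data section is opaque to them.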
Most network-security analysts will tell you that anything one human can build, another can break into. Like the missile cruiser captain, you have to decide which threats are legitimate and which are noise. Only then can you choose the best tools to defend your users from the outside threats while you get back to those mundane network-administration tasks.
Copyright (c) 1996
Ziff-Davis Publishing Company