Last week we looked at the importance of
laying a foundation of sound policies and procedures as it relates to
network and Internet security. Even the best policies and procedures
won't keep out the bad guys, whether those bad guys be hackers trying
to poke around your servers or a virus unleashed on your network. This
week we will look at ways to make technology work for you in protecting
your network.
Routers and Firewalls
The first and most obvious line of defense in protecting your
network is a firewall. This might not be as obvious as it seems,
however. I have seen numerous companies and even one bank(!) which had
their network connected directly to the Internet with no
firewall and no network address translation (NAT). Each and
every computer on the network in these companies operated as a fully
accessible, completely unprotected node on the Internet. Yikes! Just in
case I have not made myself clear: this is not the preferred way
to secure your network!
The next step up the line from doing absolutely nothing is
implementing NAT (network address translation). NAT works by presenting
one common external IP address to the Internet while hiding the
internal network behind IP addresses which are not routable on the
Internet (the RFC 1918 ranges: 10.x.x.x, 172.16.x.x through 172.31.x.x,
and 192.168.x.x). Anytime a computer on the internal network connects to
the outside, it goes through a router which "translates" that computer's
internal IP address (and, in the usual small-office setup, its port
number) into the external address assigned to the router, and remembers
the mapping so that the replies can be handed back to the right machine.
This gives some degree of security and is far better than nothing, but
be clear about where that security comes from: the router drops an
unsolicited packet from the Internet only because it has no mapping for
it. Any port you forward to an inside machine is exposed exactly as if
there were no NAT, and NAT does nothing at all about what your own
machines send out. In addition, NAT can use a great deal of CPU power on
a busy network, which can cause performance degradation.
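To make the translation concrete, here is a small simulation of the port-translating NAT found in small-office routers. It is an added example written for this column, not code from any router or product; the addresses are made up (they come from the documentation ranges), and the `NatRouter` class and its table layout are my own simplification. It shows an outbound connection creating a translation entry, the reply being handed back to the right internal machine, an unsolicited packet from outside being dropped for lack of an entry, and then a port forward exposing an inside server. The `is_private` check covers all three RFC 1918 ranges, one more than the column names.

```python
"""Simulation of a port-translating NAT router (an added example, not any
product's code). Internal hosts use RFC 1918 addresses; the router has one
external address; every other address here is a constructed test value."""
from ipaddress import ip_address, ip_network

# The three RFC 1918 private ranges (10/8, 172.16/12 and 192.168/16).
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def is_private(addr):
    """True if addr is in a range that is not routable on the Internet."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


class NatRouter:
    """One external address shared by every internal host.

    Each outbound flow gets its own external port; the table maps that port
    back to (internal ip, internal port, remote ip, remote port)."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}      # external port -> (int_ip, int_port, rem_ip, rem_port)
        self.reverse = {}    # (int_ip, int_port, rem_ip, rem_port) -> external port
        self.forwards = {}   # static port forwards: external port -> (int_ip, int_port)

    def outbound(self, int_ip, int_port, rem_ip, rem_port):
        """Translate a packet leaving the network; returns the header the
        Internet sees as (src ip, src port, dst ip, dst port)."""
        if not is_private(int_ip):
            raise ValueError("only internal hosts are translated: %s" % int_ip)
        flow = (int_ip, int_port, rem_ip, rem_port)
        if flow not in self.reverse:          # first packet of the flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.table[port] = flow
            self.reverse[flow] = port
        return (self.external_ip, self.reverse[flow], rem_ip, rem_port)

    def inbound(self, rem_ip, rem_port, ext_port):
        """Decide what to do with a packet arriving on the external interface.

        Returns ("deliver", ip, port) for a reply matching an existing flow,
        ("forward", ip, port) for a configured port forward, otherwise
        ("drop", None, None). A reply must come from the same remote address
        and port the internal host talked to (a strict, "symmetric" NAT)."""
        flow = self.table.get(ext_port)
        if flow is not None and flow[2:] == (rem_ip, rem_port):
            return ("deliver", flow[0], flow[1])
        if ext_port in self.forwards:
            return ("forward",) + self.forwards[ext_port]
        return ("drop", None, None)


def demo():
    """Walk through the cases described above; returns the decisions made."""
    r = NatRouter("198.51.100.1")          # constructed external address
    log = []
    # An internal Mac opens a Web connection; the outside sees only the router.
    log.append(r.outbound("192.168.1.10", 51000, "203.0.113.5", 80))
    # The Web server's reply is mapped back to the Mac that asked for it.
    log.append(r.inbound("203.0.113.5", 80, 40000))
    # Someone on the Internet probes port 80 of the router: no entry, dropped.
    log.append(r.inbound("203.0.113.9", 12345, 80))
    # The administrator forwards port 80 to an inside server; that server is
    # now as exposed as it would be with no NAT at all.
    r.forwards[80] = ("192.168.1.20", 80)
    log.append(r.inbound("203.0.113.9", 12345, 80))
    return log


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The strict reply check in `inbound` is a design choice: a real router that accepts a reply on a mapped port from any remote address (a "full cone" NAT) is more permissive, which is one of the shortcomings referred to above.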
True firewalls come in two varieties: software-based and
hardware-based. Software firewalls are programs which run on a computer
which is running some other underlying operating system (OS). These are
often a great solution for small and medium size businesses because
they give wide functionality at a relatively low price. The down side
is that these firewalls give you three layers of potential failure:
hardware, OS, and the firewall program. Also, keep in mind that no
firewall can be more secure or stable than the underlying OS on which
it runs, so that machine should do nothing else: remove every network
service the firewall does not need and keep the OS patched.
The Firewall market changes daily. Companies form and fold and are
bought and sold. With that in mind, any recommendation I make here
could be obsolete by the time you read the column. Therefore, rather
than focusing on specific product recommendations, I will concentrate
on giving you a basis for evaluating products.
If you choose a software-based solution (and I have for most
companies I have done work for), the preferred OSes are Unix,
Mac OS X, Novell NetWare, or Linux. These OSes are as stable and
secure as they come.
Most any firewall that runs on Unix should also run on OS X.
Since Mac OS X is BSD Unix underneath the hood, I expect to see
more traditional Unix programs ported to the platform to take advantage
of the outstanding Aqua GUI. Of course, if you want to drop down to the
command line, you can run those programs today.
Linux is virtually as solid as Unix and has the added advantage of
being free. There are also some great firewall programs for Linux, some
for under $200.
Currently, the only firewall which runs on Novell NetWare is
Novell's own BorderManager. This is an excellent program which I have
used on several occasions and which I highly recommend if you have
Novell expertise. It is, however, a relatively expensive program and
requires a moderate level of knowledge in NetWare. Most of these
products are configured either at the console or remotely by telnet,
making them Mac-friendly. One caveat applies to any firewall you
administer remotely: telnet sends your administrator password across
the wire in the clear, so use SSH where the product offers it, and never
let the management interface be reached from the Internet side.
Although it should go without saying, I will say it anyway: Avoid
running your firewall on a Microsoft OS. Regardless of your opinion
of Microsoft, even the most die-hard paper MCSEs I know admit that
Windows is not the first choice as your network gatekeeper.
In hardware-based firewalls, the firewall program is the OS,
thereby reducing the potential points of failure to two. There are
obvious advantages to designing an appliance for a single purpose from
the ground up, and most hardware firewalls reflect this. The advantage
of this route is that the firewalls tend to be solid as a rock. The
disadvantage is that most of them tend to cost about as much as a rock
- a 5-carat diamond! However, if you have a large company and/or need
to have maximum uptime from your firewall, this is the best route. If
your chosen hardware firewall does not have a Mac administration
interface, make sure it can be configured by telnet (or, better, SSH)
lest you find your Mac all dressed up with no place to go.
Mail Server
My advice is not to run your own email server in-house, at least not
as your sole email server. My recommendation is to let a third-party do
this for you. I have used a company in the past (and still do) that
charged us $16.95 per month to host our Web site and email. There was a
$5 charge to set up each mailbox, but no recurring fee after that. The
company has triple redundant connections to the Internet, runs a 100%
Linux shop, has generator backup, state of the art technical as well as
physical security, 24/7 monitoring, and technical support. I could not
approach this level of support in-house for $16.95 per hour.
I still run my own mail server in-house, but it retrieves our mail
from our host rather than collecting it as it comes in directly from
the Internet. When we send internal email, it never leaves our internal
server. The advantage to this system is that if our internal server
goes down, we still receive email from senders outside of the
company.
It does not project an image of your company as competent if a
potential customer sends you an email and it is bounced back due to
your server being down.
This gives us the best of both worlds. We have stability and
reliability without having to maintain our own 24/7 staff. We still get
the advantages of our own server: We can virus scan all email, apply
spam filters, and have complete control over configuration. While this
is a great solution, very small companies might be just as well served
to let their ISP or Web host serve as their sole mail server.
Most of the general rules for evaluating firewalls apply here, too,
with the exception that there are very few hardware-only email servers.
On the high-end, the "Big Three" in order of total installed base are
Lotus Notes, Novell GroupWise, and Microsoft Exchange. The Lotus and
Novell solutions are extremely stable and full-featured, but they are
also costly and can be difficult to set up and administer. If your
business is extremely large (500+ users) and has the in-house
Information Technology personnel for support, either of these would
make a great solution. Exchange is easier to set up, but is also
expensive and tends to be a buggy and unstable virus-magnet. It also
depends on Microsoft's IIS Web server for its Web mail access, and IIS
is what the Code Red and Nimda worms broke into (do those names ring a
bell?).
Another great solution for larger companies, and even smaller ones,
is the new CommuniGate Pro for OS X from Stalker Software. This program can handle
thousands of users on a large OS X server or even millions of
users on a multiserver cluster! It is relatively easy to set up and
maintain, and it offers virus and spam filters. The entry-level price
is $499 for 50 users, and prices go up from there, which might put it
out of the price range of some smaller companies. This is a great
product which adheres to the first rule of software: It runs on the
most stable OS available.
I have two favorites for the medium and smaller business. The first,
MailGate, has only one flaw: it
requires Windows 95/98, or NT/2000 to run. However, this aside, it is a
great cost-effective solution which offers email and spam filters
comparable to programs costing thousands of dollars. It is available
from MailGate software. Due to its underlying OS, it does need to be
rebooted about once a week though to maintain peak operating
efficiency.
The other is Eudora Internet
Mail Server (EIMS) for Mac. Both of these are easy to set up and
administer and are great solutions for the small or medium-size
business.
Editor's note: A Mac solution I've had excellent results with is
SIMS (Stalker Internet Mail
Server). This freeware mail server requires as little as a Mac II with System 7.1 and
OpenTransport 1.1.1, supports blacklists and other filtering, runs very
nicely on low-end Power Macs, has no limit on the number of users and
redirects, but does not support virus detection.
Web Server
Do not host your Web site in-house unless you have a compelling
reason to do so. This is the primary network entry point for hackers
and is best left to professionals. I have used the company mentioned
above for Web and mail services for years with absolutely no problems
and 99.999% uptime. There are many hosting companies that can boast an
equivalent record. For $16.95 a month, let someone else worry about the
security.
However, if you have to run your own server for some reason, I have
just one word: Apache. Apache is the predominant Web server in the
world, running over 70% of all sites. Versions are available for Unix,
Linux, and Mac OS X, with no appreciable difference among the
versions. They all run better than the Energizer bunny. The version
included with Mac OS X and in some Linux releases features GUI
administration to make setup a snap. However, advanced configuration
options in any version require a trip to the command-line. If you are
not comfortable with this, do not run Apache as an external Web server
- fully securing it against infiltration requires some configuration
only possible at the command-line level.
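The kind of command-line configuration meant here is editing httpd.conf directly. The following is an added example, not code from the Apache project or from this column: a small Python script with a constructed sample of a loose httpd.conf beside its hardened form, and a checker that flags the directives most often left loose on an externally reachable server (version disclosure through ServerTokens and ServerSignature, directory listings through Options Indexes, and .htaccess overrides through AllowOverride). The directive names and values are real Apache ones; the file paths in the samples and the `audit` function are my own.

```python
"""Audit an httpd.conf for the settings most often left loose on a server
reachable from the Internet. Added example, not code from the Apache project
or from the column; the directive names are real Apache directives, the two
configuration samples below are constructed for illustration."""
import re

# Constructed sample of a loose configuration (not from any real server).
LOOSE_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/Library/WebServer/Documents">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# The same configuration with each weak setting corrected.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory "/Library/WebServer/Documents">
    Options -Indexes
    AllowOverride None
</Directory>
"""

SECTION_OPEN = re.compile(r"<(\w+)\s+(.+?)\s*>$")   # <Directory "/path">
SECTION_CLOSE = re.compile(r"</\w+>$")              # </Directory>


def parse(conf):
    """Yield (section, directive, args); section is the argument of the
    innermost container such as <Directory ...>, or None at global scope."""
    stack = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(m.group(2).strip('"'))
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split()
        yield (stack[-1] if stack else None), parts[0], parts[1:]


def audit(conf):
    """Return a list of (where, message) for each weak directive found."""
    findings = []
    for section, name, args in parse(conf):
        where = section or "(global)"
        if name == "ServerTokens" and args and args[0].lower() not in ("prod", "productonly"):
            findings.append((where, "ServerTokens %s tells attackers the exact version; use Prod" % args[0]))
        elif name == "ServerSignature" and args and args[0].lower() != "off":
            findings.append((where, "ServerSignature On adds version info to error pages; use Off"))
        elif name == "Options":
            # "-Indexes" turns listings off; "Indexes", "+Indexes" and "All" turn them on.
            enabled = [a.lstrip("+").lower() for a in args if not a.startswith("-")]
            if "indexes" in enabled or "all" in enabled:
                findings.append((where, "Options Indexes lets visitors list directories; use -Indexes"))
        elif name == "AllowOverride" and args and args[0].lower() != "none":
            findings.append((where, "AllowOverride %s lets .htaccess files override server settings; use None" % args[0]))
    return findings


if __name__ == "__main__":
    for where, msg in audit(LOOSE_CONF):
        print("%s: %s" % (where, msg))
    print("hardened config findings:", audit(HARDENED_CONF))
```

Run it against your own httpd.conf by reading the file into `audit`; a clean run is not a proof of security, only the absence of these particular mistakes.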
If your company has or plans to run an Intranet, Mac OS X and
Apache are the ideal solution.
Virus Protection
Firewalls do not generally protect against viruses, although some
have this option. Even the best virus filter on an email server cannot
provide 100% protection. None of these will protect against someone
bringing in a virus on a CD or a floppy, although having a computing
environment composed only of late-model Macs will certainly thwart any
viruses attempting to arrive via floppy.
It is important that every computer in your company have a virus
protection program installed and that the virus files are up to date. I
have always used Norton AntiVirus on my Macs and have never had a
problem. For Windows, Computer Associates and Norton are both good
choices.
Sophos, a company based in England, also has an excellent antivirus
program, Sophos Anti-Virus, for both Mac and Windows. But remember:
Regardless of which program you
use, it is just as important to make sure the virus files are updated
regularly.
In the last few years, I have noticed a marked decline in the number
of Mac viruses. I attribute this to a couple of factors, the first
being that Macs make up only a small percentage of computers. Why would
a malicious coder spend hours writing a virus to attack less than 15%
of the world's computers when he could instead write one that could
potentially infect well over 80%? (The other 5%, which run Linux, OS/2,
BeOS or some other OS, are not even on the virus radar screen.) More
Windows = more viruses. Also, the consumer line of Windows that began
with Windows 95 has no real separation between the programs a user runs
and the system itself, so a virus that gets run at all has the run of
the whole machine, which makes it an easier target.
This may also be the only downside to OS X: With its BSD roots, it
inherits the exposure of the Unix world. Viruses as such have been rare
on Unix; what has a 10-15 year history there is break-ins through
network services (sendmail, FTP and Web servers, remote shells) and the
rootkits that follow them, and a Mac user who has never run such
services is probably not aware of them. Mac users have been able to get
away with being slack in this area recently, but as soon as you install
X, your vigilance must increase: turn off every service you are not
using, and patch the ones you are.
Having laid the proper framework, we will explore
security for the home user next time.