The Power of Mac

Technical Aspects of Network Privacy and Security for Business

- 2001.11.13

Last week we looked at the importance of laying a foundation of sound policies and procedures for network and Internet security. Even the best policies and procedures won't, by themselves, keep out the bad guys, whether those bad guys are hackers poking around your servers or a virus unleashed on your network. This week we will look at ways to make technology work for you in protecting your network.

Routers and Firewalls

The first and most obvious line of defense in protecting your network is a firewall. This might not be as obvious as it seems, however. I have seen numerous companies and even one bank(!) which had their network connected directly to the Internet with no firewall and no network address translation (NAT). Each and every computer on the network in these companies operated as a fully accessible, completely unprotected node on the Internet. Yikes! Just in case I have not made myself clear: this is not the preferred way to secure your network!

The next step up from doing absolutely nothing is implementing NAT. NAT works by presenting one common external IP address to the Internet while hiding the internal network behind addresses which are not routable on the Internet (the RFC 1918 ranges: 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x). Any time a computer on the internal network connects to the outside, it goes through a router which "translates" that computer's internal address into the external address assigned to the router. This gives some degree of protection, and it is far better than nothing, because an unsolicited packet arriving from the Internet matches no translation entry and has nowhere to go. But it has real shortcomings: any port you forward to an internal machine is exactly as exposed as if that machine sat on the Internet, NAT does nothing to restrict what internal machines send out (a worm-infected workstation phones home as easily as a browser fetches a page), and it keeps no policy or log of its own. In addition, NAT can use a great deal of CPU power on a busy network, which can cause performance degradation.

True firewalls come in two varieties: software-based and hardware-based. Software firewalls are programs which run on a computer which is running some other underlying operating system (OS). These are often a great solution for small and medium size businesses because they give wide functionality at a relatively low price. The down side is that these firewalls give you three layers of potential failure: hardware, OS, and the firewall program. Also, keep in mind that no firewall can be more secure or stable than the underlying OS on which it runs.

The Firewall market changes daily. Companies form and fold and are bought and sold. With that in mind, any recommendation I make here could be obsolete by the time you read the column. Therefore, rather than focusing on specific product recommendations, I will deal more with giving you the bases for evaluating a product.

If you choose a software-based solution (and I have for most companies I have done work for), the preferred OS to utilize is Unix, Mac OS X, Novell NetWare, or Linux. These OSes are as stable and secure as they come.

Most any firewall that runs on Unix should also run on OS X. Since Mac OS X is BSD Unix underneath the hood (the open-source Darwin layer), I expect to see more traditional Unix programs ported to the platform to take advantage of the outstanding Aqua GUI. Of course, if you want to drop down to the command line, you can run those programs today.

Linux is virtually as solid as Unix and has the added advantage of being free. There are also some great firewall programs for Linux, some for under $200.

Currently, the only firewall which runs on Novell NetWare is Novell's own BorderManager. This is an excellent program which I have used on several occasions and which I highly recommend if you have Novell expertise. It is, however, a relatively expensive program and requires a moderate level of knowledge in NetWare. Most of these products are configured either at the console or remotely by telnet, making them Mac-friendly. Keep in mind, though, that telnet sends the administrator's password across the network in clear text: confine that access to a trusted internal interface, or use SSH where the product supports it (Mac OS X includes an SSH client).

Although it should go without saying, I will say it anyway: Avoid running your firewall on a Microsoft OS. Regardless of your opinion of Microsoft, even the most die-hard paper MCSEs I know admit that Windows is not the first choice as your network gatekeeper.

In hardware-based firewalls, the firewall program is the OS, thereby reducing the potential points of failure to two. There are obvious advantages to designing an appliance for a single purpose from the ground up, and most hardware firewalls reflect this. The advantage of this route is that the firewalls tend to be solid as a rock. The disadvantage is that most of them tend to cost about as much as a rock - a 5-carat diamond! However, if you have a large company and/or need maximum uptime from your firewall, this is the best route. If your chosen hardware firewall does not have a Mac administration interface, make sure it can be configured from a terminal session (telnet or, better, SSH) lest you find your Mac all dressed up with no place to go.
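To make the NAT discussion above concrete, here is a small simulation (added for this edit, not code from the column or from any firewall product) of a port-address-translating router with an optional egress policy. The LAN addresses, ports and the pretend worm host are constructed for the illustration, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses. It shows the four behaviours described: a reply to an outbound connection comes back in, an unsolicited probe is dropped, a forwarded port is fully exposed, and NAT alone passes any outbound traffic while a firewall with a policy does not.

```python
"""Toy NAT router with an optional egress policy: what NAT does and does not stop.

Added illustration; addresses, ports and the 'worm' host are constructed.
"""
from dataclasses import dataclass
import ipaddress

# RFC 1918 private ranges: the column names the first and last, 172.16/12 is the third.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr is an RFC 1918 address, i.e. not routable from the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Port address translation plus (optionally) a firewall-style outbound policy."""

    def __init__(self, public_ip, port_forwards=None, allowed_out_ports=None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})  # public port -> (LAN ip, LAN port)
        self.allowed_out_ports = allowed_out_ports       # None = pure NAT, anything may leave
        self.table = {}   # (remote ip, remote port, external port) -> (LAN ip, LAN port)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> Internet: apply egress policy, then rewrite the source to the public address."""
        if self.allowed_out_ports is not None and pkt.dport not in self.allowed_out_ports:
            return None  # a policy decision; NAT by itself never makes one
        ext_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: deliver only if a translation entry or a port-forward exists."""
        mapped = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if mapped:
            return Packet(pkt.src, pkt.sport, mapped[0], mapped[1])
        if pkt.dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return None  # no state for this packet: dropped


def scenario():
    """Run the four cases from the text and report what reached the far side."""
    nat_only = NatRouter("203.0.113.5", port_forwards={80: ("192.168.1.10", 80)})
    # 1. A workstation fetches a web page; the reply matches the entry and comes back in.
    out = nat_only.outbound(Packet("192.168.1.20", 51515, "198.51.100.7", 80))
    reply = nat_only.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.sport))
    # 2. An unsolicited probe at the NetBIOS port: no entry, no forward, dropped.
    probe = nat_only.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 139))
    # 3. The forwarded web server is as exposed as if it sat on the Internet itself.
    web = nat_only.inbound(Packet("198.51.100.9", 4445, "203.0.113.5", 80))
    # 4. An infected LAN host calling out on an odd port: NAT translates it like any client...
    worm_nat = nat_only.outbound(Packet("192.168.1.30", 1025, "198.51.100.9", 6667))
    # ...while a firewall with an egress policy refuses it.
    fw = NatRouter("203.0.113.5", allowed_out_ports={25, 53, 80, 443})
    worm_fw = fw.outbound(Packet("192.168.1.30", 1025, "198.51.100.9", 6667))
    return {
        "reply_delivered_to": reply.dst if reply else None,
        "probe_delivered": probe is not None,
        "web_delivered_to": web.dst if web else None,
        "worm_passes_nat": worm_nat is not None,
        "worm_passes_firewall": worm_fw is not None,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The translation table is keyed on the remote address and port as well as the external port, which is what distinguishes a reply from a stranger's packet aimed at the same port; a router that keyed on the external port alone would let anyone who guessed the port number through.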

Mail Server

My advice is not to run your own email server in-house, at least not as your sole email server. My recommendation is to let a third-party do this for you. I have used a company in the past (and still do) that charged us $16.95 per month to host our Web site and email. There was a $5 charge to set up each mailbox, but no recurring fee after that. The company has triple redundant connections to the Internet, runs a 100% Linux shop, has generator backup, state of the art technical as well as physical security, 24/7 monitoring, and technical support. I could not approach this level of support in-house for $16.95 per hour.

I still run my own mail server in-house, but it retrieves our mail from our host over a connection that our server initiates, rather than accepting it directly from the Internet, so no mail port needs to be opened inbound through the firewall. When we send internal email, it never leaves our internal server. The advantage of this arrangement is that if our internal server goes down, mail from senders outside the company still arrives at our host and waits for us there.

It does not project an image of your company as competent if a potential customer sends you an email and it is bounced back due to your server being down.

This gives us the best of both worlds. We have stability and reliability without having to maintain our own 24/7 staff. We still get the advantages of our own server: We can virus scan all email, apply spam filters, and have complete control over configuration. While this is a great solution, very small companies might be just as well served to let their ISP or Web host serve as their sole mail server.
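As an added example (not the column's own, and not code from MailGate, CommuniGate or any other product named here) of the filtering an in-house mail server can apply, the script below parses a constructed MIME message and flags attachments the way a gateway filter of the period would: by executable extension, by a double extension such as .xls.exe, and by the MZ header that marks a Windows executable whatever the file is called. The message, file names and base64 payloads are made up for the example.

```python
"""Gateway-style attachment filter: added example with a constructed message."""
import email
from email import policy

# Extensions Windows runs on a double-click; the usual worm carriers of the period.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk", "reg"}

# Constructed sample: three attachments, two of which should be stopped.
# The base64 bodies decode to an MZ header (a Windows executable) and to "%PDF-1.4".
SAMPLE_MESSAGE = b"""From: sender@example.com
To: you@example.com
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Please see attached.
--xyz
Content-Type: application/octet-stream; name="figures.xls.exe"
Content-Disposition: attachment; filename="figures.xls.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--xyz
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--xyz
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--xyz--
"""


def name_reasons(filename):
    """Reasons to reject an attachment based on its name alone."""
    exts = filename.lower().split(".")[1:]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) > 1:
            reasons.append("double extension disguises it as ." + exts[-2])
    return reasons


def content_reasons(data):
    """Reasons based on the bytes: a renamed .exe still starts with MZ."""
    return ["content starts with the MZ executable header"] if data[:2] == b"MZ" else []


def scan_message(raw):
    """Return {filename: [reasons]} for every attachment a gateway should quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = name_reasons(name) + content_reasons(data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(f"QUARANTINE {name}: {'; '.join(reasons)}")
```

The content check is the one that matters: notes.pdf carries no suspicious extension at all and is caught only because its first two bytes say what it really is. A filter that trusts names alone is defeated by a rename.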

Most of the general rules for evaluating firewalls apply here, too, with the exception that there are very few hardware-only email servers. On the high end, the "Big Three" in order of total installed base are Lotus Notes, Novell GroupWise, and Microsoft Exchange. The Lotus and Novell solutions are extremely stable and full-featured, but they are also costly and can be difficult to set up and administer. If your business is extremely large (500+ users) and has the in-house Information Technology personnel for support, either of these would make a great solution. Exchange is easier to set up, but it is also expensive, and it tends to be a buggy and unstable virus magnet: it lives on the same Windows and IIS platform that Code Red (an IIS worm) and Nimda (which spread by email, IIS, and open file shares) tore through this year.

Another great solution for larger companies, and even smaller ones, is the new CommuniGate Pro for OS X from Stalker Software. This program can handle thousands of users on a large OS X server or even millions of users on a multiserver cluster! It is relatively easy to set up and maintain, and it offers virus and spam filters. The entry-level price is $499 for 50 users, and prices go up from there, which might put it out of the price range of some smaller companies. This is a great product which adheres to the first rule of software: It runs on the most stable OS available.

I have two favorites for the medium and smaller business. The first, MailGate, has only one flaw: it requires Windows 95/98 or NT/2000 to run. This aside, it is a great cost-effective solution which offers virus and spam filters comparable to programs costing thousands of dollars. It is available from MailGate Software. Due to its underlying OS, it does need to be rebooted about once a week to maintain peak operating efficiency.

The other is Eudora Internet Mail Server (EIMS) for Mac. Both of these are easy to set up and administer and are great solutions for the small or medium-size business.

Editor's note: A Mac solution I've had excellent results with is SIMS (Stalker Internet Mail Server). This freeware mail server requires as little as a Mac II with System 7.1 and OpenTransport 1.1.1, supports blacklists and other filtering, runs very nicely on low-end Power Macs, has no limit on the number of users and redirects, but does not support virus detection.

Web Server

Do not host your Web site in-house unless you have a compelling reason to do so. This is the primary network entry point for hackers and is best left to professionals. I have used the company mentioned above for Web and mail services for years with absolutely no problems and 99.999% uptime. There are many hosting companies that can boast an equivalent record. For $16.95 a month, let someone else worry about the security.

However, if you have to run your own server for some reason, I have just one word: Apache. Apache is the predominant Web server in the world, running over 70% of all sites. Versions are available for Unix, Linux, and Mac OS X, with no appreciable difference among them. They all run better than the Energizer bunny. The version included with Mac OS X, and with some Linux releases, features GUI administration to make setup a snap. However, advanced configuration in any version requires a trip to the command line, and that is where the security work lives: in httpd.conf you run the server as an unprivileged user, turn off directory indexes, symbolic-link following and .htaccess overrides in the document tree, deny access to the .htaccess and .htpasswd files themselves, and stop the server advertising its exact version. If you are not comfortable with this, do not run Apache as an external Web server; fully securing it against infiltration requires configuration only possible at that level.
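To show what those command-line settings look like, here is an added example (my own for this edit, not from the column or from the Apache project) that checks an httpd.conf for the directives just listed. Both configurations are constructed: WEAK_CONF resembles a stock httpd.conf of the period and HARDENED_CONF carries the settings an externally reachable server should have. The checker is a flat line parser, not a full Apache configuration parser, and it only sees lines that are present.

```python
"""Check an httpd.conf for the settings an Internet-facing Apache needs.

Added example; WEAK_CONF and HARDENED_CONF are constructed, the parser is deliberately simple.
"""
import re

# Roughly what a stock httpd.conf of the period looked like (assumed, not a real file).
WEAK_CONF = r"""
ServerTokens Full
ServerSignature On
User nobody
Group nobody
<Directory "/Library/WebServer/Documents">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>
"""

# The same server locked down for external exposure (Apache 1.3 / 2.0 / 2.2 syntax).
HARDENED_CONF = r"""
ServerTokens Prod
ServerSignature Off
User www
Group www
<Directory "/Library/WebServer/Documents">
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
</Directory>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
"""

RISKY_OPTIONS = {"All", "Indexes", "FollowSymLinks", "ExecCGI", "Includes"}
HTACCESS_GUARD = re.compile(r'<Files\s+~\s+"\^\\\.ht">')


def directives(conf):
    """Yield (name, [args]) for each directive line, skipping comments and <section> tags."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            name, _, rest = line.partition(" ")
            yield name, rest.split()


def audit(conf):
    """Return a list of problems; an empty list means every check passed."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    problems = []
    if seen.get("ServerTokens") != [["Prod"]]:
        problems.append("ServerTokens is not Prod: the banner advertises exact versions")
    if seen.get("ServerSignature") != [["Off"]]:
        problems.append("ServerSignature is not Off: error pages reveal the version")
    if seen.get("User", [["root"]])[0] in (["root"], []):
        problems.append("User must name an unprivileged account, never root")
    for opts in seen.get("Options", []):
        risky = [o for o in opts if o in RISKY_OPTIONS]
        if risky:
            problems.append("Options enables " + ", ".join(risky)
                            + " (listings, symlink escapes, CGI/SSI)")
    for args in seen.get("AllowOverride", []):
        if args != ["None"]:
            problems.append("AllowOverride " + " ".join(args)
                            + " lets .htaccess files in the docroot rewrite policy")
    if not HTACCESS_GUARD.search(conf):
        problems.append('no <Files ~ "^\\.ht"> block denying access to .htaccess/.htpasswd')
    return problems


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['ok']}")
```

Options defaults to All on the Apache versions of the period, so an explicit Options line belongs in every Directory block; the checker cannot flag what is simply absent. A real audit should also look at which modules are loaded and at the file permissions of the document tree, neither of which appears in httpd.conf.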

If your company has or plans to run an Intranet, Mac OS X and Apache are the ideal solution.

Virus Protection

Firewalls do not generally protect against viruses, although some have this option. Even the best virus filter on an email server cannot provide 100% protection. None of these will protect against someone bringing in a virus on a CD or a floppy, although having a computing environment composed only of late-model Macs (which have no floppy drive) will certainly thwart any viruses attempting to arrive via floppy.

It is important that every computer in your company have a virus protection program installed and that the virus definition files are up to date. I have always used Norton AntiVirus on my Macs and have never had a problem. For Windows, Computer Associates and Norton are both good choices. Sophos, a company based in England, also has an excellent antivirus program for both Mac and Windows. But remember: Regardless of which program you use, it is just as important to make sure the definition files are updated regularly.

In the last few years, I have noticed a marked decline in the number of Mac viruses. I attribute this to a couple of factors, the first being that Macs make up only a small percentage of computers. Why would a malicious coder spend hours writing a virus to attack less than 15% of the world's computers when he could instead write one that could potentially infect well over 80%? (The other 5%, which run Linux, OS/2, BeOS, or some other OS, are not even on the virus radar screen.) More Windows = more viruses. The other factor is the design Windows inherited from Windows 95: no real separation between the user and the system, scripting hooks that reach into email and the Office applications, and attachments that execute on a double-click, all of which make it an easier target.

This may also be the only downside of OS X. Unix has seen few true viruses, but with its BSD roots OS X inherits the whole world of Unix network attacks instead: exploits against the services it can run (sshd, Apache, sendmail, FTP, and the rest), password guessing against accounts, and rootkits that hide an intruder once he is in, much of it refined over 10-15 years against systems Mac users have never had to think about. Mac users have been able to get away with being slack in this area recently, but as soon as you install X, your vigilance must increase: turn off every service you do not use, and keep the ones you do use patched.

Having laid the proper framework, we will explore security for the home user next time.

Steve Watkins is the Vice President for Information Technology for a mid-sized bank and also an attorney. He has been a Mac user for about ten years. He has owned some PCs along the way - but always came back to the Mac. If you find Steve's articles helpful, please consider making a donation to his tip jar.
