
Advanced Internet Security

Now let’s look at a few more advanced options for Internet security. These options are not required for most people; however, if you rated your risk as High, you should consider some or all of these options. (Again, we’ve talked about some of these in earlier chapters.)

  • Firewalls: A firewall is some hardware—or a combination of hardware and software—that controls access to the traffic in and out of your network. Hmmm, sounds complex. Indeed firewalls can be very complex, but they can be simple too. Think of firewalls as the fences and gates that either allow traffic through or not. The typical home user doesn’t need the power that most full-fledged firewalls offer. Instead, software packages called “personal firewalls” can serve the purpose for home users just fine. Generally speaking, these software packages should be capable of controlling outgoing and incoming traffic and setting “rules” concerning what traffic is okay and what isn’t. They should also provide auditing or logging functions to let you determine if someone is trying to access your system without your permission. You can find more information about firewalls, as well as reviews and suggestions about which products are best for you and your situation, at www.firewallguide.com.

  • Proxy servers: Different proxy servers will give you different functions, so I’ll cover the basic concept first and then talk about some features you can find in these devices. Webster’s dictionary[1] defines proxy as “authority or power to act for another,” and that is exactly what happens here. A proxy server “acts on your behalf” on the Internet while your system sits behind the proxy, protected. All requests for Web pages, e-mail, chat, instant messaging, and such are made from your systems to the proxy server. The proxy server then makes the request for your systems out to the Internet, without revealing your computer to the Internet. Attackers can’t see your computer and potentially get access—they see only the proxy server. You only have to secure the proxy, and the rest of your network can be protected behind it. If you have only one computer, don’t bother with a proxy server; just protect the one computer. Additionally, some proxy servers offer packet filtering, which is the capability to block certain types of network traffic while allowing other traffic in. Some proxy servers act as complete firewalls, with incoming and outgoing filters, and some include auditing and logging of the traffic allowed and/or blocked.

    [1] Merriam Webster’s Collegiate Dictionary, Tenth Edition. Springfield, MA: Merriam-Webster, Incorporated, 1993.

  • Network address translation (NAT): This very basic form of protection is essentially just hiding your address from the outside world. NAT acts like a proxy server for your address only. This is not very strong protection, but it is protection, and many of the newer Windows versions are shipping with this capability built in.

  • Audit log parsing: Okay, you turn on your auditing so you can see what is happening on your system. That’s good. But now you get a log full of events that are normal, and you have to sort through them to find the ones of interest. That’s bad. This is a job for audit-log parsing tools. The name sounds complex, but they are usually easy tools to use. You tell them what events you want to see, and they search the logs and collect those events. The event logger in Windows NT and later versions can do limited filtering, but if you want the high-end stuff for systems at high risk, you can get parsing tools that can alert you to events in real time and can analyze events as they occur, trying to determine if the pattern is an attack or just normal activity. These advanced tools—called “intrusion detection programs”—might be a bit more than most homes and small businesses need, and they are usually costly. However, many of the personal firewall products available include these functions to some degree.

  • File encryption: One of the oldest ways of protecting information is to encode or encrypt it. Romans used an encryption system to send messages between legions in big battles. They gave staffs of certain sizes to all commanders. Then they wound paper around a staff, wrote a message on the paper, and then unwound it. Only by having a staff of the correct diameter could someone rewind the paper and reconstruct the message. This made the message reasonably secure in transit. Obviously, modern encryption is much more advanced, but it involves some of the same principles the Romans used. First you need a message or piece of data you want to protect. Second, you need a method for disassembling and reassembling the message reliably. Last, you need to ensure that all authorized parties know how to encrypt and decrypt properly and that they are the only ones who can. As a home user, the two places where you most likely would use encryption are for your e-mail and for your files.

    More About Encryption

    You can use a program such as PGP [2] (which stands for Pretty Good Privacy) or Blowfish [3] to provide encryption for your e-mail. These programs use what is called public/private key encryption to accomplish their goals. This means you have one key that everyone in the world can know, and one key that only you know. When you encrypt a message with one key, it can be decrypted by using the other, and vice versa. Using this technology, you can protect messages from anyone but the intended recipient. Windows 2000 has an Encrypted File System (EFS) you can use to encrypt your files, or you can use third-party products to do the job if you are using other Windows-based systems. You can find some of these programs at www.tucows.com/system/fileencryption95.html.

    It is important to know that no encryption is unbreakable. If you can encrypt a file, someone with enough computing power and time can decrypt it. The idea is to make the decryption so hard or time-consuming that it will do the person no good. For example, say you could somehow know who will win the 2015 World Series. You want to protect the information, so we’ll encrypt it. At the time of this writing, 2015 is 13 years away—roughly 177 million seconds (176,601,600, to be exact). If a person could guess once every second from now until 2015, that person would get 176,601,600 guesses at being right. We’ll use a key to introduce randomness to the encryption, which allows us to control how strongly the data is encrypted. To protect our data, we want to make sure there are lots more choices than 177 million—say, 100 times more—so we choose a number between 0 and 20 billion (rounding up to make it even harder). Now, even by guessing once a second, a person has little chance of getting it right. Lucky for us, this simple example is a massive simplification of the real math done by people who do encryption, which means encryption can be both strong and safe.

    One last thing about encryption: you might hear talk about encrypting and also about signing when referring to documents and files. Encrypting obscures the contents of the document or e-mail so that no one but the holder of the decryption key can read it. Signing, on the other hand, doesn’t protect the document; it puts a block of encrypted text on the document as a signature. This block of text can be decrypted by your public key to show that it was indeed you that sent the document, much as a signature on a piece of paper or contract does.

    [2] Freeware program developed by Philip Zimmermann

    [3] Free program designed by Bruce Schneier

  • Security Testing and Analysis Tools: The last advanced option for Internet security is security testing and analysis tools. These tools are the same as or similar to the ones actual hackers use to access sites. I don’t recommend this approach for novices because some of the tools can be complex; however, if you want (or need) to see how exposed you really are, try some of these tools on your systems. It can be an eye-opening experience. Some tools will deface Web pages, grant access to systems, load programs, let you literally control systems, or just leave a note saying you were there. These tools are the digital equivalent of a military training exercise. You’d better know how ready you are before you have to fight the battle, or you’ll probably lose eventually. If you know where your weaknesses are, you can fix them, or at least protect yourself better. You can find a list of some security testing tools at www.insecure.org/tools.html.
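
The audit log parsing item above describes tools that collect only the events you ask for and then look for patterns that suggest an attack rather than normal activity. The sketch below is an added example, not from the book or any product: the log line format, the sample lines, and the names `parse`, `select`, and `probing_sources` are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is hypothetical, not any product's.
SAMPLE_LOG = """\
2002-03-14 02:10:58 ALLOW OUT TCP 192.168.0.2:1051 -> 198.51.100.7:80
2002-03-14 02:11:01 BLOCK IN TCP 203.0.113.9:4431 -> 192.168.0.2:21
2002-03-14 02:11:02 BLOCK IN TCP 203.0.113.9:4432 -> 192.168.0.2:23
2002-03-14 02:11:02 BLOCK IN TCP 203.0.113.9:4433 -> 192.168.0.2:139
2002-03-14 02:11:03 BLOCK IN TCP 203.0.113.9:4434 -> 192.168.0.2:445
2002-03-14 02:15:40 BLOCK IN UDP 198.51.100.23:137 -> 192.168.0.2:137
this line is damaged and must not crash the parser
"""
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|BLOCK) "
    r"(?P<direction>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            ev["dport"] = int(ev["dport"])
            yield ev

def select(events, **wanted):
    """The 'rules': keep events whose fields equal every keyword given."""
    return [e for e in events if all(e[k] == v for k, v in wanted.items())]

def probing_sources(events, min_ports=3, window=timedelta(seconds=60)):
    """Flag sources blocked inbound on >= min_ports distinct ports in a window."""
    by_src = defaultdict(list)
    for e in select(events, action="BLOCK", direction="IN"):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(probing_sources(events))
```

The single blocked UDP packet is collected by `select` but not flagged; only the source that was refused on several different ports within a minute stands out from the normal noise.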
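
The "More About Encryption" sidebar above says that what one key of a public/private pair does, the other undoes, and that signing uses the same pair in the opposite direction. The following added example (not from the book) makes that concrete with textbook RSA as a stand-in, since the sidebar names no algorithm; the tiny key, the sample messages, and all function names are assumptions for illustration and are not suitable for protecting real data.

```python
import hashlib

# Toy key pair built from two well-known Mersenne primes. Far too small and
# unpadded for real use; it only makes the two-key relationship visible.
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q                                  # modulus, part of both keys
E = 65537                                  # public exponent ("public key")
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent ("private key")

def to_int(data: bytes) -> int:
    value = int.from_bytes(data, "big")
    if value >= N:
        raise ValueError("message too long for this toy modulus")
    return value

def to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def apply_key(value: int, exponent: int) -> int:
    """The single operation behind both keys: value^exponent mod N."""
    return pow(value, exponent, N)

def encrypt(message: bytes) -> int:
    return apply_key(to_int(message), E)       # anyone can do this

def decrypt(ciphertext: int) -> bytes:
    return to_bytes(apply_key(ciphertext, D))  # only the private-key holder

def digest(message: bytes) -> int:
    # Fingerprint of the document, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    return apply_key(digest(message), D)       # made with the private key

def verify(message: bytes, signature: int) -> bool:
    return apply_key(signature, E) == digest(message)  # checked with public key

if __name__ == "__main__":
    secret = b"meet at 9"                      # constructed sample message
    assert decrypt(encrypt(secret)) == secret
    doc = b"I agree to pay $10."               # constructed sample document
    sig = sign(doc)
    print(verify(doc, sig), verify(b"I agree to pay $1000.", sig))  # True False
```

The signed document stays readable; the signature only lets a reader detect that it was altered or did not come from the key holder.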


