|
SUMMARY: This
tech note describes the options available to
establish secure access to your Clients &
Profits database using an internet connection.
|
|
THE CLIENTS &
PROFITS HELPDESK DOES NOT PROVIDE TECHNICAL
SUPPORT FOR INTERNET SECURITY. Installing
and configuring your internet hardware can be
technical, so you should have access to a
computer expert who is familiar with ISPs,
networking and operating systems.
|
With information easily transmitted over the internet,
security has become a greater concern for companies. Your
company now faces security issues from both internal and
external sources, and security has become a concern.
Rightfully so.
While any employer is reluctant to distrust his
employees, 71 percent of respondents to a recent survey
reported that they had detected unauthorized access to
sensitive information by insiders. The reported losses
topped $265 million, primarily from the loss of
proprietary information such as customer files and
company data. Worse, the threat of a disgruntled employee
sabotaging the system is, unfortunately, a very real
concern.
The risk of threats from external sources have increased
dramatically with the growing use of the internet. The
most prolific--and most potentially dangerous--is email.
While a necessary tool for conducting business, viruses
are readily spread through email attachments. Also,
security can be threatened by improperly downloading
flawed files, which could unleash a virus attack
throughout the company. However, external intrusion to
proprietary corporate data is probably the biggest
concern.
This technote will discuss ways in which you can protect
against unwanted access to your Clients & Profits
database, from both internal and external breaches, by
establishing an internal security policy and using
passwords, firewalls, IP filtering, packet filtering,
proxy servers, virtual private networks, and/or secure
socket layers.
Security policy
Your internal security policy is cornerstone to
developing a secure network. By establishing a policy,
you’ll be forced to organize your security, from
passwords and access limitations, to security functions
and technology. Once your policy is in place, it will
enable your IT manager to easily and quickly respond to
security needs rather than focusing on small details,
which, unfortunately, can sometimes detract from gaping
holes in security.
Clients & Profits Log-in
The first line of defense is maintaining your users’
log-in initials and passwords. This is the only security
measure built into Clients & Profits. Other security
measures are those offered by networking technology
discussed later in this tech note.
With a security plan that keeps users’ initials and
passwords private and up-to-date, it is unlikely that
someone without initials and a password could gain access
to your database. When one of your staff members leaves
your company, immediately delete this user from the
database to cut off their access. While you can set
Clients & Profits passwords to expire, which will
stop a user from accessing the database after that date,
it is better to delete the user. Here’s why: A savvy
user can work around the expiration by resetting the date
on his computer, essentially tricking the database into
thinking the user’s password hasn’t expired
yet.
If you’re using My Clients & Profits!, create
user passwords that are different than passwords for
Clients & Profits. While not required, this adds
another layer of security in case passwords become common
knowledge. (Repeat after me: Loose lips sink ships.)
Another built-in security feature of My Clients &
Profits! is an auto-suspend function. After three bad
log-in attempts, a user’s account is suspended until
it’s reset by the system administrator.
Can a user create an export or create a custom report to
gain access to passwords? No. Passwords in Clients &
Profits are encrypted, so even if someone tried to export
or report the passwords, he wouldn’t be able to see
them.
In summary, someone can not access your Clients &
Profits data in any way without a user ID and password,
so keeping these secure is the best way to avoid unwanted
access to your Clients & Profits data.
Remote Access Log-in
Not only does your Clients & Profits database require
a user ID and password, but the remote access method you
choose will require one as well, adding a second layer of
ID and password protection to your Clients & Profits
database. For example, if you use Timbuktu to access your
local network over the internet, it requires a user ID
and password to control a computer on your local network.
As well, if you mount your server over the internet, this
will require a user ID and password (like it does in the
office when you log into your server). Keep in mind that
when you’re using remote access methods like My
Clients & Profits! users won’t be required to
pass through this additional level of ID and password
security since My Clients & Profits! serves web pages
directly from the database, just like normal web pages
are served. The difference between My Clients &
Profits! web pages and your regular web site, for
example, is that if an intruder gains access to the My!
Clients & Profits URL they need an ID and password to
log in. In this case, you want to utilize other
technologies to create additional levels of security,
such as a firewall, IP filtering, and packet
filtering.
Firewalls
Firewalls were originally developed as a strong perimeter
around a company’s data, leaving only a few
“gates” available for the transmission of
information. These “gates” are technically and
correctly referred to as ports. So when someone says
“I opened up port 80 to the internet”, they are
saying “I am allowing network activity to occur
through this port to and/or from the local network.”
With only a few of these gates, they were easily
monitored for unauthorized access. Most firewalls today
have tools built into them to alert the system
administrator of potentially harmful activity is
occurring or attempted through these open gates, since a
firewall will try to block it.
So the first line of defense using network technology is
to open up only the ports necessary for those outside
your office to access your network. Firewalls normally
are set to block ALL outside internet activity so the
system administrator then needs to open up ports to allow
activity that originates outside of your network to enter
within it. The firewall will then monitor the open ports
for dangerous activity and try to block it. For example,
current firewall technology knows how to interpret the
cause of what caused Yahoo’s website to go down in
the year 2000 and blocks that from happening.
Also, keep in mind that all internet applications are
designed to work over certain ports. For example, all
websites are served over port 80 and all web browsers are
designed to look for a web server on port 80 when you
type in a URL, unless you specify a different port.
Therefore, you need to open up the ports required by the
remote access method you are using. You will need to talk
to your application vendor to find out what these are
(i.e., call Netopia to talk about the ports used by
Timbuktu).
In the information age, allowing file transfer over the
internet is necessary in order to conduct business;
therefore, more gates have been cut into the firewall.
Clearly, the perimeter defense is less solid than it once
was. On the positive side, not all firewalls have to be a
barrier between your company and the outside world. By
setting up internal firewalls, you can easily limit
access to smaller subsections of your network. Doing so
will not only stop (or severely limit) unwanted access
from external intruders, but prevent internal intruders
from accessing information apart from their limited
sector.
Two more essential features of firewalls are IP filtering
and packet filtering. It is good to have an understanding
of these, for if properly setup this can essentially
eliminate someone from hacking into your network, then
begin attempting to break through your ID and password
protections.
IP filtering Internet protocol (IP) filtering is a flexible
way to set access rules. IP filtering limits the external IP addresses
that can penetrate the firewall through the open ports to access your
network, as well as which computers on your network can be accessed.
(Keep in mind that in the internet world each computer must be assigned
an IP address so it can be identified on the internet.) So blocking
an IP address is much like blocking a particular computer from accessing
your network. Because the firewall can identify the IP address passing
through it, you can set up the firewall with access control lists
(ACLs) to control which IPs can access which parts of your network.
Further, you can use ACLs to block specific IPs to prevent them from
entering altogether (if you find certain IPs continue to try to access
your network through open ports and you want to block them immediately).
Additionally, you can setup the firewall to only allow access to certain
computers on your network. (Then make sure those computers only have
the necessary files on it that remote users need--and no more.)
However, when setting these parameters, bear in mind that
dial-up internet connections generally assign a different
IP address when the same user logs on, even if it is from
the same physical location. It’s best if your remote
users have fixed IP addresses so you can block all IP
addresses from entering your open ports except those that
you know are safe, such as an outside accountant that you
trust who needs access to your Clients & Profits
database from time to time.
Packet filtering. Some firewalls have the ability not
only to allow or block IP addresses through your open
ports, but to interpret the protocol they are using and
only allow a certain type of protocol to pass through it.
For example, when you type in a URL in your web browser
notice that it is preceded by HTTP. This is because web
browsers essentially communicate using HTTP (hypertext
transfer protocol). Thus, you are able to reduce the size
of the open gate (or port) by only allowing a certain
type of activity through it. This is useful if you are
using My Clients & Profits! because it communicates
with the internet using HTTP, so all you need to do is
open up the port you are serving it over (version 1.02
and later allows you to customize the port you want to
use), then limit activity through that port to HTTP
only.
To summarize the tech note to this point, if, for
example, you are using My Clients & Profits! and know
the IP addresses of those outside the office that want to
access your Clients & Profits database, you can
create a secure ID and password to log into My Clients
& Profits!, open up only the port My Clients &
Profits! uses, only allow activity over this port to
originate from specific IP addresses, set them to have
access to the My Clients & Profits! server alone (IP
address of this server on your network), and only allow
HTTP activity over this port. Taking security to this
level will make a hacker’s job pretty hard. But
there’s more...
Virtual Private Networks Virtual private networks (VPNs) are
a connection between two compatible firewalls over the internet. At
one end, data is encrypted, then sent to the other firewall, which
decrypts it using the same encryption key. By encrypting data before
its transmitted, external intruders are unable to use a packet sniffer
to read the data during transmission. VPNs are a low-cost way to use
the internet to keep sensitive information secure during transmission--and
it costs significantly less than traditional dedicated connections.
Secure Socket Layers Secure socket layers (SSLs) are another
encryption technology that authenticates communications between the
user and the network. When a user contacts the network, both user
and network are identified and their access is authenticated. By encrypting
the connection, a secure tunnel is created through which information
can pass. In order to use SSL technology, both the server and the
client must be SSL-enabled. While SSL is setting security standards
for encrypted communications, it is very demanding on a system’s
CPU, which generally causes diminished performance speeds. The My
Clients & Profits! server does not have SSL abilities, but you
may be able to get around this by using a proxy server.
Proxy Servers Proxy servers are traditionally used as a go-between
for your internet application and the server it’s trying to communicate
with. For example, if you have ever looked at your option settings
in your web browser or e-mail program, you will see the option for
a proxy server. Basically, your web browser or e-mail program communicates
with the proxy server, which in turn communicates with the website
or mail server that you are requesting. There are various reasons
your system administrator may want this that we will not discuss in
this tech note. Standard proxy servers know how to communicate with
other servers using standard protocols like HTTP, FTP, SMTP, etc.
My Clients & Profits! uses standard HTTP so it should work fine
if you’re trying to access it via a proxy server. Therefore,
if you are able to establish a secure connection with a proxy server
(say using SSL), and the proxy server is able to communicate with
the My Clients & Profits! server using non-SSL (since the My Clients
& Profits! server does not understand SSL packets), you can essentially
create a secure connection to your My Clients & Profits! server
and thus to the Clients & Profits database.
