Extras - Security for Intranets and ExtranetsBy Jerry Lawson, Published on November 18, 1998
Jerry Lawson's book, The Complete Internet Handbook for Lawyers, will be published in December by the American Bar Association. Mr. Lawson is a lawyer and designer of the Internet Tools for Attorneys Web site, http://www.netlawtools.com.
(Archived December 15, 1998)
|An increasing number of law firms are trying to improve their
efficiency, and in some cases, attract new clients, through intranets (using Internet type
technology to distribute information inside an organization more efficiently) or extranets
(intranets that are opened up to selected outsiders). John Battin, Director of
Client Development for Tousley & Brain, PLC, of Seattle, Washington, explained
"We consider our intranet/extranet [developed in cooperation with Legal Anywhere, http://www.legalanywhere.com ] to be not only a
productivity tool, but also a marketing tool because it tells our clients that we are
conscious of the costs of doing business, and that we intend to improve the quality of our
services through the use of technology."
While the benefits are clear, many lawyers worry: How safe are intranets and extranets? Like so many questions, the answer is: "It depends." The biggest variable is how much security means to your organization. How much inconvenience are you willing to undergo? How much money are you willing to invest?
This article focuses on intranets and extranets, but many of the security tips in it are equally applicable to Local Area Network (LANs) or Wide Area Network (WANs).
No intranet or extranet (nor any LAN, for that matter) should be considered completely impenetrable. However, through the layering and redundant use of various security tools, most intranets and extranets can be made very secure. On the other hand, unnecessary security measures can decrease the value of your system by making it slow and harder to use. They can also be expensive. The key is to evaluate the level of threat facing you, and your tolerance to risk, and scale your security measures based on your particular needs.
Start by distinguishing two differing areas of concern:
Restricting access to your systems
Protecting information in transit
The latter is obviously a problem with extranets (and WANs), but it is also a concern with intranets (and LANs) if you offer access to remote users inside your organization, perhaps branch offices or telecommuters.
While hackers get most of the public attention, experts agree that in most cases the biggest threat is not hackers. The biggest security danger is usually from insiders. Screening and monitoring your employees is probably the most important countermeasure. Compartmentalizing access to your computer system is another line of defense. Establish trust hierarchies, apportioning different levels of access to supervisors, administrators, trusted users, vulnerable users and guests, according to their need to know. This will often limit the damage one rogue employee can do. Another approach is using encryption on sensitive data stored inside your system, not just as it is in transit.
Requiring User IDs and passwords is probably the most common method used to restrict access to computer systems. They are also one of the greatest sources of vulnerability. If left to their own discretion, a surprisingly high number of users will select passwords that are fairly easy for hackers to crack using password checking dictionary programs, or even simple guessing. (One hacker had words like bbaggins, picard and vulcan on his short list of passwords to guess, while many report good luck with sex-related words). A campaign to educate your users can be supplemented by automated systems that reject easy-to-guess proposed passwords automatically, and remind users to change their passwords at regular intervals.
Upgrading the security of your password system presents a classic example of the security versus usability dilemma discussed above. Long computer-generated random passwords are harder for hackers to crack, but they are also harder for legitimate users to remember. They could be less secure overall if users wind up taping them to their monitors. One time password systems using calculator-type tokens that generate a new password for each login are much safer, but are inconvenient, and an added expense.
In the not too distant future, the solution to the password dilemma may be biometric identification devices, which will authenticate prospective users by thumb print, or some other hard-to-duplicate physical characteristic.
Firewalls are another method of controlling access. They use software to screen out unwanted intruders from the Internet. Firewalls can help, but it would be unwise to rely on them as your sole security measure, as too many law firms seem prone to do. Theres a tendency to think we paid our $50,000 on the firewall, so were safe." This attitude can lead to disaster. A high percentage of firewalls are improperly configured. Further, in many cases even firewalls that are properly configured can be defeated by a skilled, determined attacker.
Web server configuration is another way to try to control access. You can tell a server to allow access only from certain domain names (like barrister.com) or certain IP addresses (the numbers that go along with domain names, like 220.127.116.11). Again, we run into the security versus usability trade off, as this type of setup makes it more difficult for your lawyers to contact your intranet or extranet while they are traveling. Further, like firewalls, web server configuration is not an impermeable shield.
Partitioning is another form of access control. You can set up a network so that sections of it are separate. An intruder may get access to files in your environmental law database, but you may be able to keep him out of your other sections. A simple but highly effective form of partitioning is to have your web operations on a totally different computer system from your law firms main computer system. Depending on your purposes in establishing an intranet or extranet, this option may not work, but in many cases it will get the job done.
Encryption, or scrambling information by the use of software so that it is not accessible without knowing a key, or lengthy type of password, is usually thought of as a method to protect information in transit, and it performs admirably in that role. However, it can also be used to protect very sensitive information in storage on your server.
In Transit Protection
Protecting information inside a law firms computer system is not an easy task. A law firm LAN is in a sense a fixed target, and its usually necessary to make the information in it readily accessible on demand by users. These factors make it vulnerable. Interestingly, protecting information in transit over the Internet may actually be easier in practice: its not as easy to track it, and while in transit, it need not be in an immediately usable form. Information in transit can be encrypted, or scrambled so thoroughly that it will be useless to anyone who does manage to intercept it.
The current buzz phrase is virtual private network. As Steve Steinberg observes in Wired magazine, The wonderful thing about virtual private networks is that its myriad definitions give every company a fair chance to claim that its existing product is actually a VPN.
Stripped of jargon like tunneling, the basic idea underlying all VPNs is pretty simple: information is encrypted before it leaves its destination, and decrypted by the recipient. Modern public key encryption systems that dont require the exchange of private passwords make this practical for widespread commercial use. Information encrypted with a strong encryption program is probably much more secure than that transmitted by voice phone, fax, the U.S. Postal Service or private couriers.
Encryption is used in two ways, and its important not to confuse them. Secure Sockets Layer (SSL) encryption is used to encrypt information traveling between web browsers and secure web servers. You can tell whether you are using a secure server, because there will be a symbolic representation on the screen. For example, in Netscape Navigator 4, the lock in the lower left hand portion of the browser window moves into the locked position.
SSL browser encryption does not protect your e-mail. E-mail travels by a different protocol, and if you want your e-mail to be encrypted, you have to take other measures. Pretty Good Privacy (PGP) it the industry standard encryption program for e-mail. A number of encryption programs based on a protocol called S/MIME are coming onto the market. Because some of them are built into popular browser programs, they may become a popular option. Remember, though, they are not invoked automatically, even if you are using your browsers e-mail component. To send secure e-mail, you have to take additional measures, including obtaining digital certificates that identify you and those you communicate with.
An integrated approach is best. As Peter Ozolin, President of intranet developer Legalanywhere, P.C., explained, "Security solutions must part of a comprehensive policy. It is not just using encryption or password protecting data. A sound security model must consider security at the application level (encryption/software, etc.), network level (firewalls/routers, etc.) and user level (internal security policies - some studies show that 80% of security breaches are internal). The future for intranet/extranet security is promising as the security technologies begin to merge - application/network/internal levels of security administered via one manageable product/service." There is always some security risk when dealing with any computer system, on or off the Internet. The level of security needed should be determined by balancing the expense and inconvenience of security measures against the sensitivity of the information at risk. The guidance of skilled computer security professionals is essential. This is an area where most law firms will be well advised to deal with experienced contractors instead of trying to handle development in house. Although intranets and extranets inevitably involve some risk, most law firms will find that after analyzing the dangers and the available security measures, the potential benefits make accepting some risk tolerable, especially since careful planning can minimize the risk.