Handbook of Local Area Networks, 1998 Edition: LAN Security

Note that TCP/IP protocols and applications are being used on the corporate private information servers maintained on the inside network. Use of TCP/IP for private information servers has led to a new buzzword, namely intranet. In general, intranets are private and protected from outside users. Of course, there may be information on an internal server that you would like to make known to the outside; this has given rise to yet another new term, extranet, or extended intranet.

The information presented above is fine for information servers that can be accessed via TCP/IP protocols. But what about the original LAN servers running non-TCP/IP protocols? A potential thorn in the security manager's side is the issue of placing Internet servers on the LAN and/or placing LAN servers on the Internet. Many firewall products, although created originally to serve the TCP/IP market, also have the capability to handle the communications protocols associated with AppleTalk and NetWare; this is particularly true of the packet filtering capabilities of most routers. Another approach, commonly known as an air gap, is to totally segregate the Internet servers and LAN servers, at least in a protocol sense. In this approach, Internet servers use only TCP/IP and the LAN servers use only the LAN protocols. In this way, the LAN servers may be safe even if an attacker does gain control over a TCP/IP system, since the TCP/IP system does not have the LAN's communications protocols. Note, however, that an air gap is not as solid as a firewall and there are a number of ways in which an attacker can get around it, such as downloading the LAN's communications protocols and installing them on the compromised system!

PASSWORDS AND SECURE COMMUNICATIONS

Passwords are the most common mechanism used to control access to computer systems and applications. Passwords are widely used because they are simple, inexpensive, and convenient to use and implement. But they are also well known as being an extremely poor form of protection; it is estimated that over 80% of the Internet's security incidents are related to poorly chosen passwords. The problem is a large one on the Internet because a skillful intruder may break into one system and never harm it, using it instead as a platform for attacks on many other systems.

RFC1244, as part of the site security plan, offers a number of guidelines for selecting and maintaining passwords. Unfortunately, users are notoriously bad about choosing passwords; some studies suggest that simple password guessing will succeed 90% of the time on a system with as few as 16 user accounts. Rules of thumb for selecting passwords include:

•  Never use the name of yourself, your spouse, your significant other, your children, your friend, or your pet, or any other easily obtainable information about you, in any form.
•  Never use a word from any language as a password.
•  Use at least six characters in your password, employ mixed-case characters, and include at least two non-alphanumeric characters.
•  Never tell anyone your password.

The system manager should also take an active role in managing passwords and do more than just assign them. If the mechanism exists, passwords should have an expiration date; a 90-day period is common, although some sites expire passwords monthly. Once changed, passwords should not be reusable for at least some number of years. If available, a blacklisting mechanism — which shuts off an account after some small number of invalid login attempts — should be employed to deter password guessing and limit its success.

Be careful when using programs that automatically generate passwords. One such system assigned one of the authors of this chapter the password hqTtZ2w, which could not be changed; it also couldn't be remembered! Another such system assigned the password red*zoo, which is surprisingly easy to remember and relatively safe. The bottom line is that hard-to-remember passwords will be written down and can become as much of a threat as a poorly chosen user-selected password, or more.

As a final note, properly chosen passwords can provide extraordinary protection. Most systems store passwords in some encrypted form; in effect, then, the password is a key to a cryptographic system. The security of a cryptographic system increases as the key size increases, suggesting that passwords are more secure as they grow longer. While there is mathematical truth in this observation, it must be balanced against the weaknesses due to the limitations imposed by some computer systems and the way in which people choose their passwords. Most Unix systems, for example, limit passwords to eight characters in length, but only use the seven most significant bits of each character as the encryption key. NetWare's passwords, as another example, are case-insensitive, eliminating the benefit of mixing upper and lower case.
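The selection rules of thumb, the expiry and lockout practices, and the platform limits described above, combined into one added example (written for this edit, not code from the handbook): a Python policy checker using a constructed word list and user profile; the lockout threshold of five attempts and the "characters times log2 of alphabet" strength heuristic are assumptions, not figures from the chapter.

```python
"""Added example (not from the handbook): a checker for the chapter's password rules
of thumb and a rough estimate of how much of a password a given system actually uses."""
import math

# Constructed stand-ins for a real dictionary and a user's easily obtainable details.
DICTIONARY = {"password", "welcome", "dragon", "summer", "zoo"}
PERSONAL = {"alice", "rex", "springfield"}
MIN_LENGTH, MIN_NON_ALNUM = 6, 2   # "at least six characters ... two non-alphanumeric"
MAX_AGE_DAYS = 90                  # the 90-day expiry the chapter calls common
MAX_FAILED_LOGINS = 5              # assumed "small number" of bad logins before lockout


def check_password(pw, personal=PERSONAL, dictionary=DICTIONARY, history=()):
    """Return the rules a candidate password breaks; an empty list means it passes."""
    low, problems = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if sum(not c.isalnum() for c in pw) < MIN_NON_ALNUM:
        problems.append("fewer than %d non-alphanumeric characters" % MIN_NON_ALNUM)
    # "in any form": personal details forwards or reversed, anywhere in the password
    if any(p in low or p[::-1] in low for p in personal):
        problems.append("contains personal information")
    # a word padded with digits or symbols is still a word: compare the letters only
    if "".join(c for c in low if c.isalpha()) in dictionary:
        problems.append("based on a dictionary word")
    if pw in history:
        problems.append("reuses an earlier password")
    return problems


def account_status(days_since_change, failed_logins):
    """Expiry and lockout as the chapter describes them; lockout takes precedence."""
    if failed_logins >= MAX_FAILED_LOGINS:
        return "locked"
    if days_since_change > MAX_AGE_DAYS:
        return "expired"
    return "ok"


def effective_bits(pw, max_len=None, case_insensitive=False, key_bits_cap=None):
    """Characters kept x log2(alphabet used), after the limits a system imposes: truncation
    (Unix crypt keeps 8 characters), case folding (NetWare), and a ceiling on key bits (56 for crypt)."""
    kept = pw[:max_len] if max_len else pw
    if case_insensitive:
        kept = kept.lower()
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 32)]
    alphabet = sum(size for test, size in classes if any(test(c) for c in kept))
    bits = len(kept) * math.log2(alphabet) if alphabet else 0.0
    return min(bits, key_bits_cap) if key_bits_cap else bits
```

Running effective_bits on the same password with max_len=8 or case_insensitive=True shows how much of a long, mixed-case password a truncating or case-folding system simply discards.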