By Thibault Dambrine

The Internet and e-commerce are challenging traditional business models faster than anybody could have predicted. Most companies are now fully aware it is virtually impossible to ignore the web-based competition. Today, most major companies are either selling on the Web or considered late.

As the business traffic on the Internet is increasing, so are the risks. Information and corporate data involving money has intrinsic value. Large amounts of this corporate information flows through public servers every hour of every day and this is obviously too good to pass for virtual muggers, hackers and spies.

As more and more companies are waking up to the new e-business reality: "Compete on the Internet, or lose market share!" The volume of new e-commerce websites, virtual stores, brokers, banks is mushrooming. New installations are typically aimed at taking on the huge opportunity of e-business. If these brave new websites are not well planned from a security stand point, they can also backfire and become a risk to the companies that set them up.

The scope of this subject is very wide. In this article I will cover the basics. I will expand on the possible risks associated with a direct Internet connection, covering also e-mail, web browsers which we use the most every day and how the AS/400 fits into all this. I will also show some of the options one could explore to make a network less vulnerable to outside attacks when connected to the Internet. Taking some wisdom from Benjamin Franklin, prevention is indeed worth the effort, as curing can be much more painful!

The threat of an outside attack from the Internet, be it retrieval of data, snooping, planting of bugs or simply vandalism (deletion of files, corruption of data) is very real. In IBM's own words, "no company should attach a system to the Internet without understanding the risks involved".

But what exactly are we talking about? To make the subject a bit more concrete, here are some common ways in which hackers may choose to invade your realm.

Vandalism is an unfortunate fact of life. Some people spray walls with graffiti, leave key-scratches on cars or slash tires for fun. Others send malicious trash over by e-mail. Is the next message you are about to open a useless waste of time or is it relevant to your next major contract? Many times, good from bad e-mail messages are difficult to distinguish. If you cannot tell what it is you are receiving until you look at it, neither can your system. Multiply by several thousands the trashy e-mail messages to a single point and you have a simple but effective attack in an unprotected network. Beyond receiving this type of time-consuming junk-mail, if an outsider manages to sign on to your system, the consequences can be very damaging or even fatal.

Many of the traditional IP (Internet Protocol) based utilities such as TELNET and FTP send their passwords without any encryption. Any intermediate system that handles or relays your IP traffic can, while doing so, examine the packets you are sending. This is called "sniffing". Note that any encryption tool that uses the same encryption key more than once for their password is not a very strong defense, since the hacker could potentially use the encrypted password "as is" and get into your system.

On the Internet, you cannot trust anyone to be necessarily who they appear to be. Spoofing is a technique by which the hacker can configure a workstation or a system with a different IP address than the one that has been assigned to it. With this method, one can appear like he is making a perfectly legal request from a workstation belonging to someone within the company. But how does one proceed to get the IP address of your President or anybody in your organization? In an unprotected network, IP basic tools such as PING or TRACEROUTE can yield much more information than you would care to reveal to the public at large, like the IP address map of your network for example. How would this be so dangerous? Simply with an IP address, in an unsecured network situation, one can FTP directly to the president's desktop computer, copy what ever is of interest from the hard disk drive and wipe the disk before leaving.

The so-called "Denial of Service" attack is when your system is effectively paralyzed by a flood of trash messages. The goal of this type of attack is to clog your mailbox with junk, to the point where you are no longer able to function properly. The aim is to make the target overwhelmed to the point where important messages, from clients for example, would not come to the attention of the people they are destined to. The inability to service your clients can be very damaging.

Note that this is by no means a full list of possibilities. Computer system break-ins are something you only hear about in the news very occasionally. Not too many companies want to admit their weaknesses in public. How confident would you feel if your bank admitted to having been raided by a stranger with a PC and an Internet access line? From all accounts, these types of events are mostly not reported. This is a type of crime no corporation wants to be a seen a victim of.

Once an outsider gets into your system via the Internet or any IP network, you should be aware, unless there are secondary security mechanisms in your system you are open to all exposures. With Telnet, a user can have virtual access to your system as if he was sitting at your desk. Pumping back sensitive information with FTP, destroying data or directories, stealing corporate secrets or sensitive mail are all possible.

There are many ways to control or reduce your systems exposure to the Internet risks. They are as varied as the risks themselves:

Obviously, in this scenario, you would disconnect your system entirely from the Internet. This is safe, but then you also lose the benefits of direct access to the biggest information and customer contact source available.

The simplest form of protection against the Internet is a screening filter. Also known as "packet filter", this type of filter is generally implemented on the router that connects your system to a foreign network or to the Internet. In a two system or two network scenario, Host A sends IP message packets to Host B via the router, which is configured with filter that will allow these packets to go through in this direction. However, if Host B tries to send packets to Host A, they will not be allowed to flow through. Commands issued from Host B such as PING would also go nowhere.

Proxy servers can provide a cache of frequently requested Internet sites, blocks access to specific sites, and provides secure access between your internal network and the Internet. Proxy servers also offers extensible firewall security features.

Packet filtering and alerting can be configured to provide maximum security. An administrator can configure Proxy Server to grant or deny outbound Internet access by user, service, port, or IP domain, for both inbound and outbound connections. Data encryption is supported by means of Secure Socket Layer (SSL). In addition, Proxy Server takes advantage of the security features built into the AS/400.

Packet alerts and logging: Now your e-mail system or pager can notify you almost immediately if your network is under attack so that you can take action. Proxy Server supports several alerting thresholds and can issue alerts for specific events, such as for dropped packets or packets sent to an unused service port. You can have alerts sent to a dedicated packet event log or the AS/400 event log as well. Packet logging allows you to keep a full audit trail for security events.

IP (Internet Protocol), the heart of "The Internet", is an open protocol by nature. It takes very little to access a remote system via an IP network. Those of us who have worked before with APPC and APPN configurations know how simple it is. The nature of this open protocol makes it both popular and for the first time has spawned a whole new application category: "The Firewalls".

A firewall is a system or group of systems that enforces an access control policy between two networks, namely your own and the Internet. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy.

A firewall can be a piece of software sitting on your main system as described earlier in the Internal System Security Options header, but recognizing the open nature of the IP protocol, many companies run their firewalls on completely separate machines that stand between the corporate systems and the Internet.

Some firewalls permit only e-mail traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc. Firewalls can also mask your internal IP addresses from the outside world. For instance, the firewall can use one IP mask, while the internal network uses another. Thus the hacker cannot use PING to map your internal network.

In point form, an effective firewall should perform the following basic functions:

• Provide a choke point through which all traffic to and from the public Internet must flow
• Limit traffic to allow only what is specifically permitted
• Break TCP/IP connections at the firewall, thus limiting access from the outside
• Stop internal network information (such as IP addresses) from reaching the Internet
• Enforce security policies, as they are implemented
• Prevent and report attacks
• Log violation attempts from the outside in and the inside out

Even more important than knowing what a firewall can do, in the paranoid realm of security planning, you want to know very well what a firewall will NOT do for you.

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network.

For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all. They shouldn't be hooking up to the Internet in the first place, or the systems with truly sensitive data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall. Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering. An attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.

Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software geared to start at boot up time. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet -- a large number of viruses are actually transmitted via floppy disks.

Nevertheless, an increasing number of firewall vendors are offering "virus detecting" firewalls. While every bit helps, it is wise not to count only on a firewall with this feature for protection from attackers.

E-mail is now the most widely used form of office-to-office, desktop to desktop communication tool. Faster than mail, more direct than a fax, with little or no perceived intermediate steps between the sender and the receiver. I did say, "perceived"!

An e-mail message, travelling from hub to hub on the Internet en route to its final destination may be compared to a postcard. Many people have a chance to read, divert, or track that card as it travels along the chain of delivery.

Most times, your e-mail messages are archived - at least at the departure point and at the receiving point. If you think about it, your own e-mail system probably keeps a copy of your sent mail and you most likely have several hundred messages in your in box too! A skilled hacker can thus get access your messages weeks, months or even years after you send them. Even if you have excellent security systems, do you know if all your correspondents have the same?

When you browse the Internet, the majority of commercial Web sites log and record your visits. This means operators of these sites know the hostname and IP address of the machine you used to access their site, the type of computer and browser you used, and the last page you were at before you went to their site. They may also be able to determine your e-mail address and real name. Some Web sites may even try to trick you into handing sensitive information to them. Others don't bother trying to fool you, they just come into your computer and steal it using JavaScript. Once your personal information is obtained, there are a multitude of sources for distributing it on the World Wide Web, including comprehensive directories of names, e-mail addresses and other sensitive information.

Proof positive? Cookies! Certain websites place Cookies in a subdirectory of the browser directory on your machine. Cookies are simply a cute name for files that effectively allow a given server to store its own identity file on your computer. It then records your preferences within that website and interactions such as past purchases when you use a particular site. JavaScript can read whatever other cookies it can find on your computer and tell a Web site all the other pages you visited before you accessed their site.

We send everything via e-mail, from resumes to cooking recipes. Statement or Work documents, contracts, court agreements. Think about it, would you send a copy of your latest deal on a large post-card? This is more or less what we are all doing now with e-mail on the Internet.

Lately, a new type of security-oriented website is sprouting on the Internet. These new websites are filling the security gap that has opened up as we, the Public, have come to depend on having e-mail right at our desk.

No doubt, there will be a lot of new development in the near future for e-mail security.

Knowing now that e-mail is not a very secure way to send sensitive information such as credit card numbers or other personal data, it is no surprise that the Internet industry leaders have come up with a way to communicate securely over the Internet.

The Secure Socket Layer (SSL) protocol is the current de facto standard for securing transactions and messages over the Internet. The fact that there is transaction security is what allows e-commerce to happen. Despite the boom in Internet commerce transaction volume, there are still a lot of skeptics. Understanding how secure transactions are exchanged may help settle any doubt.

The term "Socket" refers to an open network Application Program Interface (API) standard. It was first designed at the University of Berkeley to create a standard programming interface for communication sessions over TCP/IP. The Secure Part of Secure Socket Layer rides on top (yes, like a layer of software) of top of ordinary "Socket" APIs and are used to encrypt messages exchanged over these "Sockets".

The primary goal of SSL is to provide privacy and reliability between two communicating applications. SSL is the tool that makes the exchange of private e-commerce transactions over the Internet. The same types of encryption tools are also at the heart of "tunneling" applications. Tunneling is a term that describes the use of the Public Internet to exchange data between remote elements of a private network over the public Internet while keeping the data private. Tunneling is what makes Virtual Private Networks or VPN's possible. The term "tunneling" refers to the way you create your own private [encrypted] tunnel of information flow between two remote locations.

Here, from the Netscape Website, is the textbook definition of SSL:

The protocol is composed of two layers. At the lowest level, layered on top of some reliable transport protocol is the SSL Record Protocol. The SSL Record Protocol is used for encapsulation of various higher level protocols.

One such encapsulated protocol, the SSL Handshake Protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. One advantage of SSL is that it is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently.

The SSL protocol provides connection security that has the following basic properties:

• The connection is private. Encryption is used after an initial handshake to define a secret key. Symmetric cryptography is used for data encryption
• The peer's identity can be authenticated using asymmetric, or public key, cryptography

Here is what it means in more common terms: You can think of the asymmetric encryption key as a pad lock that would have one key to lock and a different key to unlock, with a unique correlation between the locking and the unlocking key. The locking key is public and the unlocking key is private.

When you make a transaction on the Web with a secure socket layered site, essentially, you get the public key from the e-commerce vendor that will be used to encrypt the data you will send. You then send data encrypted with that public key over the Internet back to your vendor. This (now encrypted information) for example may contain the item number you are ordering and your credit card number. To decrypt the message you have encrypted with the public key, the only efficient method there is, is to use the matching (and private) decrypting key. Only the e-commerce vendor you are purchasing your item over the Internet from has this private key. This system of asymmetric keys is design in such a way that it would take years of processing to figure out the private key, thus discouraging sniffing on your SSL transactions.

Both Netscape and Microsoft have built SSL into their browsers and servers. Encrypting and decrypting does take computer resources, but with the power now available at one's desktop, this has become a negligible factor.

Although the AS/400 has built-in operating system security features second to none. Even it is not immune to malicious hackers. The days when AS/400 was used as a stand-alone machine are long over now. In even the most basic shops, the typical installation has the AS/400 hooked up to a number of PC's serving as 5250 terminals with emulators. Most times, these emulators are connected with a LAN, mostly using IP as a protocol. Through this path, the Internet is just one hop away.

I/NET is comprised of Commerce Server/400, and Webulator/400 on the AS/400 system. The cornerstone of Web-based commerce is encryption and the ability to transmit data over the Public Internet without individuals being able to read your messages on the way. Thus, a private encryption key is an asset to be protected at all cost. With a copy of your private key, anyone can pose as you or your company.

Webulator/400, which is the I/NET workstation gateway product, allows the Web Server to present a 5250 screen via a Web browser. In a controlled environment, this is no greater exposure than running any other non-programmable terminal. However, connecting the Web server to the Internet removes physical security and relies solely on how you have secured your AS/400 system.

Security, on any system, starts with the basics. A strong internal security is the base building block from which to start. When connecting to the World Wide Web, the AS/400 is no less vulnerable to malicious attacks than any other system. The best place to start for protection in this realm is to be well informed of the dangers inherent to each type of connection or combination of connections (see I/NET). On top of this, having a multiple barrier strategy to security should be considered as base necessity. If one barrier is broken, there must be (as much as possible), another one behind to stop the intruder or to limit the damage.

If you remember the old days of 5.25 inch floppy disks that were "copy protected", you probably also remember the programs that "made them copyable". Every time a new copy protection scheme came up, it never took too long for some body to come up with a meaner, smarter copy program. The Internet for worldwide mass usage is still a young technology. The battle between the hackers and the privacy advocates will go on for a while yet. Our only weapons, for now, are to stay informed and use common sense.

As you can see, security on the Internet is a vast subject. In this article, we have only scratched the surface.

"An Ounce of Prevention is Worth a Pound of Cure" is a phrase coined by Benjamin Franklin (1706 - 1790).

Over two hundred years after it was first iterated, the Internet is giving new meaning to this wise statement.

Sources and notes:

IBM: Safe Surfing: How to build a Secure Word Wide Web Connection SG24-4564-00

IBM: The Basics of IP Network Design SG24-2580-00

IBM: AS/400 Internet Security: Securing Your AS/400 from HARM in the Internet SG24-4929-00

The author does not own shares in any of the websites or products mentioned in this article.