The Sun Observer, Volume 10 No.4
Peter V. Radatti
radatti@cyber.com
CyberSoft
March 25, 1996
Notice: Copyright March 25, 1996 by Peter V. Radatti, All rights reserved.
It's time to talk a little bit about why people lose it big time when playing the computer security game. Everyone reads about break-ins at national labs, military bases, banks, universities and other organizations. You never read about break-ins anywhere it really counts, like Cheyenne Mountain Missile and Space Defense Center. Why, and how can you use the same technology? In fact, you can use the same technology; it's free, easy to configure and maintain, and will absolutely protect you from all external break-ins. Unfortunately, it is not popular, requires discipline and may actually cause someone to make a decision. None of these requirements are a problem for the military. The Army doesn't care if they are not popular, the Marines have all the discipline in the world, while the Air Force and Navy have no problem making decisions. Results vary from base to base; however, these are factors that just don't seem to be popular in business. I worked for large corporations for many years and it always seemed that no one ever wanted to make a decision except in the past tense once the project was a success. Very few companies have any kind of discipline unless they are losing money, and even fewer managers want to be unpopular.
Is my opinion harsh? No. Look at any of the thousands of companies hooking up to the Internet. Very few of them have thought out why they are hooking up or in what way they should hook up. Some of them may buy firewalls, but there are always ways of walking through firewalls (as one national lab was rumored to have found out last month). Once they do hook up, they always seem to make the decision that everyone in the company must have access. Nothing less is acceptable. I have no idea why; I assume they want everyone in the company to learn the computer game Doom or to look at anatomically correct pictures on the Internet.
The question that is never asked is: if everyone's computers are hooked up to the Internet, then isn't everything on those computers also hooked up to the Internet? This of course includes product development, customer service, accounts payable, accounts receivable, sales and everything that may be on each employee's hard drive or on every mainframe on the internal network. In fact, almost everything that is work-in-progress is normally found on people's desktop computers, and that is always enough to destroy any company. Of course someone will tell you that the company is protected by its routers, firewalls and the Goatathon 2000 that is between the Internet and the good stuff. The day I or someone I find can't walk through all that stuff and get to the "good stuff" is the day no one will need computer security experts again. It isn't going to happen. Operating systems and the programs they run are too complex for anyone to fully secure, especially if you are using a Goatathon 2000, which is what many companies are using. A Goatathon 2000 is my name for wishful thinking and technical mumbo jumbo. Many managers don't want to know what is protecting the system, so they don't ask, or they accept some mumbo jumbo answer that they don't understand. That makes them and their companies a goat chained to a stake in the jungle. Normally they wouldn't be there in the morning, except that the number of staked goats currently exceeds the number of hungry tigers.
So how do you protect yourself? The answer is simple. Don't hook up everything to the Internet. Use an Intranet and the Internet. Make no connection between them. You can still have everything you want by using a split architecture.
What is an Intranet, and how can I have full access to the Internet and still be protected? An Intranet is an internal network. It provides all of the functions of the Internet without an outside connection. An Intranet is not the Internet. The Internet can be carried on a separate virtual or real network without connection to the corporate Intranet. All of the important company information is on the Intranet. All of the publicly available or non-sensitive material is on the Internet-accessible LAN. The split network design is just one of several that can be used to protect your information, but it was the only one that CyberSoft decided provided the level of security necessary to protect them. CyberSoft has implemented this architecture and you can too. Next month we review the split network design implemented to protect CyberSoft's corporate headquarters and how that design can be adapted by you for your specific needs.
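One way to audit the "make no connection between them" rule of the split architecture described above, as an added example that is not part of the original column. It walks an interface inventory and reports the shortest chain of hosts joining the Internet-accessible LAN to an Intranet segment; all host and segment names are constructed, and any host with interfaces on two segments is assumed to count as a connection.

```python
from collections import deque

# Constructed inventory (hypothetical names): host -> segments it has an interface on.
INVENTORY = {
    "web-public":   {"internet-lan"},
    "mail-relay":   {"internet-lan"},
    "print-server": {"internet-lan", "lab-net"},     # first hop of an indirect bridge
    "lab-gw":       {"lab-net", "intranet-eng"},     # second hop of the same bridge
    "alice-desk":   {"internet-lan", "intranet-eng"},  # dual-homed desktop
    "fileserver":   {"intranet-eng", "intranet-fin"},
    "ledger-db":    {"intranet-fin"},
}
EXPOSED = {"internet-lan"}
PROTECTED = {"intranet-eng", "intranet-fin"}


def find_bridge_path(inventory, exposed, protected):
    """Breadth-first search over the segment/host graph.

    Returns the shortest [segment, host, segment, ...] chain from an exposed
    segment to a protected one, or None if the two sides are fully split.
    Assumption: a host on two segments is treated as a link between them,
    whether or not it is configured to forward traffic.
    """
    seg_hosts = {}
    for host, segs in inventory.items():
        for seg in segs:
            seg_hosts.setdefault(seg, set()).add(host)

    queue = deque([seg] for seg in sorted(exposed))
    seen = set(exposed)
    while queue:
        path = queue.popleft()
        if path[-1] in protected:
            return path
        for host in sorted(seg_hosts.get(path[-1], ())):
            for nxt in sorted(inventory[host] - seen):
                seen.add(nxt)
                queue.append(path + [host, nxt])
    return None


if __name__ == "__main__":
    path = find_bridge_path(INVENTORY, EXPOSED, PROTECTED)
    print(" -> ".join(path) if path else "split holds: no connection found")
```

Removing the dual-homed desktop alone is not enough in this sample: the search then reports the two-hop chain through the lab network, which a check for hosts sitting directly on both sides would miss.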
Pete Radatti is the founder and CEO of CyberSoft, Inc. CyberSoft manufactures VFind, the antivirus software product that executes under UNIX and simultaneously scans for UNIX, MS-DOS, Macintosh and Amiga destructive software while providing cryptographic integrity to your file system. You can reach Pete at radatti@cyber.com or 610/825-4748 (9:00 AM to 5:00 PM Eastern Time). These articles are dedicated to Chrissy.






