Network Security – The Internal Threat
Most discussions of security focus on the connection of the corporate network to the Internet and related issues such as viruses transmitted via electronic mail and intrusion by hackers. The issue evaluated here is the internal network and the security threats that originate inside the corporate enterprise. Many internal security issues remain pertinent even if a company has no Internet connection. Security threats to the business from inside the network are real and require distinct attention. This internally originating risk does not get as much attention as the perimeter security that is typically thought of when dealing with network security. When a person looks at corporate enterprise network security, the first obvious issue is firewalls, but these are truly only for perimeter protection. Shipley (1999, May) notes in Network Computing magazine that "although the majority of corporate losses originate from internal abuse, most organizations have kept their focus on the perimeter." The reality of internal threats to security is less apparent but does have impact.
A tutorial from Network Magazine depicts the internal threat quite well. "Intentional threats are also potentially damaging. Employees and outsiders pose intentional threats. Outsiders—terrorists, criminals, industrial spies, and crackers—pose the more newsworthy threats, but insiders have the decided advantage of being familiar with the network. Disgruntled employees may try to steal information, but they may also seek revenge by discrediting an employee or sabotaging a project. Employees may sell proprietary information or illegally transfer funds. Employees and outsiders may team up to penetrate the system’s security and gain access to sensitive information."
In a white paper from Network General, a network security software manufacturer, the issue of internal network security threats is laid out plainly. The information from Network General reveals that "recent studies estimate that 50% to 80% of intrusions originate from the inside. More disturbing is the fact that these internal attacks are the most damaging." These statistics are supported by the Federal Bureau of Investigation (FBI). Knowles (1996, June) noted in CIO magazine that "computer security problems involve someone inside the corporation about 90 percent of the time; FBI estimates peg the figure at 85 percent." There is additional data showing that this internal threat exists, but often a company does not report its security breaches.
A survey conducted by the System Administration, Networking, and Security (SANS) Institute identifies several items related to this issue of internal security. The survey lists the 7 Top Management Errors that Lead to Computer Security Vulnerabilities. Several of the items on this list are internal security matters, specifically items number two, four, and five.
Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
The damage caused by these internal sources can be severe and can result in a loss of revenue. Network General notes that "the disgruntled worker with inside knowledge and adverse motives" poses a direct threat to the enterprise since "they have direct access to vital information" on the local network. The impact of internal threats can be limited to system abuse or extend to actual theft or damage. System abuse can include unlawful copying of copyrighted or licensed software, unauthorized access to computer files, personal use of computer equipment by employees, or other non-business uses of corporate resources. More damaging impacts can be related to fraud. Employees can resort to theft of corporate data or of actual systems. Loss of corporate data or transfer of company files can have a more distinct effect on the business than a physical disaster. System downtime as a result of an internal attack can have an adverse effect on the enterprise and its end users.
The cost of the internal threat is tangible. Radcliff (1998, April) noted an excellent cost impact in an article on InfoWorld Electric. "Omega Engineering learned firsthand the dangers of the disgruntled employee after a timed virus, known as a logic bomb, wiped out all of its research, development, and production programs in one fell swoop. (The tape backup also was destroyed.) In January, charges were filed against 31-year-old Timothy Lloyd, an Omega programmer, for placing the bomb on the network, which detonated 10 days after his termination. Omega's costs will likely exceed $10 million as engineers and designers rewrite designs and recode programs."
There are ways to combat these internal threats. Some of the solutions are proactive while others are reactive. Some of the techniques are similar to Internet security methods, while others are pertinent only to internal threat reduction. The payback of implementing countermeasures is obvious: to protect company resources, which include data and systems.
System Administration
The role of the network or system administrator is very important for internal network security. That position is usually responsible for the corporate servers and user accounts. The system administrator must ensure that privileges and permissions are correctly assigned: users should not have excessive rights, only the security privileges each employee needs to perform his or her job. The system administrator is also the person who makes use of the various tools that ensure the security of the network. This administration job should be treated as extremely important and not just a secondary duty of some other person.
Vulnerability Scanning
In a PC Magazine article, Roberts-Witt (1999, August) offers a good explanation of the capabilities of vulnerability scanning. "You can't fix what you don't know is there. Vulnerability scanners do exactly what their name implies: They poke around your network for holes that could lead to security breaches. On the server side, they look for such potential problems as expired user accounts and shaky passwords; on your firewalls, they check for misconfigurations or network services that leave you wide open for attack." Shipley (1999, October) explains in Network Computing magazine that vulnerability scanning applications "take a proactive approach to network security, aiming to provide efficient, thorough, automated identification of security holes at both the host and network levels."
One of the vulnerability scanning products in use in the IT industry is the Kane Security Analyst. The product description explains the software capabilities. "Kane Security Analyst is a network security assessment tool that provides a fast, thorough analysis of network security for Windows NT and Novell NetWare. The KSA compares your network security configuration with industry best practices or your own organizational security policy. In minutes, you can discover your network’s areas of vulnerability and take corrective action."
There are other products that also scan infrastructure hardware such as routers and firewalls and Internet servers as well as other operating systems. Some of the products include: Webtrends Security Analyzer, Network Associates CyberCop, and Internet Security Systems Internet Scanner.
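As an added illustration of the server-side checks described above (expired accounts and weak passwords) and of the administrator's duty to catch excessive rights, the following Python script, written for this page and not taken from any product named here, audits a constructed account list against an assumed policy; the group names, password rules, approved-administrator list and fixed audit date are all assumptions.

```python
import re
from datetime import date

# Constructed sample of one server's accounts (not real data), in the shape a
# scanner might read from the account database: (username, groups,
# account expiry or None, password). Passwords appear in clear only because
# this is a policy check run on synthetic input.
ACCOUNTS = [
    ("alice",       {"Users"},                   date(2001, 1, 1), "Tr1cky-Passphrase"),
    ("bob",         {"Users", "Administrators"}, date(2001, 1, 1), "password"),
    ("contractor7", {"Users"},                   date(1999, 3, 1), "Zq8$wLm2kd"),
    ("svc_backup",  {"Backup Operators"},        None,             "backup"),
]
# Assumed policy: who may hold privileged groups, and what counts as privileged.
APPROVED_ADMINS = {"alice"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}
COMMON_WORDS = {"password", "backup", "admin", "letmein", "welcome"}

def password_findings(pw):
    """Return the assumed password-policy rules that a password breaks."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if pw.lower() in COMMON_WORDS:
        findings.append("is a common dictionary word")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        findings.append("uses fewer than 3 character classes")
    return findings

def audit(accounts, today, approved_admins):
    """Return {username: [findings]} for every account that violates policy:
    expired accounts, unapproved privileged group membership, weak passwords."""
    report = {}
    for name, groups, expires, pw in accounts:
        findings = []
        if expires is not None and expires < today:
            findings.append("account expired on " + expires.isoformat())
        excess = groups & PRIVILEGED_GROUPS
        if excess and name not in approved_admins:
            findings.append("holds privileged groups %s without approval" % sorted(excess))
        findings += ["password " + f for f in password_findings(pw)]
        if findings:
            report[name] = findings
    return report

def default_report():
    """Audit the constructed accounts as of a fixed date so the run is reproducible."""
    return audit(ACCOUNTS, date(1999, 10, 1), APPROVED_ADMINS)

if __name__ == "__main__":
    for user, problems in default_report().items():
        print(user + ":", "; ".join(problems))
```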
Intruder Detection
Intruder, or intrusion, detection is one of the most important parts of a proactive measure against internal security threats. Radcliff (1998, April) noted that "The only way to protect against this is through ….. monitoring traffic." The SANS Institute offers some direct advice. "Intrusion detection capabilities can help a company secure its information. The tool could be used to detect an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop the exploit from use by future intruders. The correction should be applied across the enterprise to all similar platforms. Intrusion detection products can become a very powerful tool in the information security practitioner’s tool kit."
There are two system approaches to intrusion detection: host-based, which uses agents, and network-based, which uses passive monitors. Host-based systems involve the installation of a client application on the system under protection, and a management console is used to collect reports from the host systems. Network-based systems sit on the network and monitor the network traffic for signs of intrusion. Both kinds of system react when they detect intrusion attempts.
Intrusion detection is a proactive internal measure and gives the network some level of security from an 'attack' within the network. The software applications used scan the network traffic for signs of intruders. Most security plans focus on external access and fail to take into account attack from within the physical sites. Intrusion detection software constantly monitors the network for attacks on the servers, odd behavior, incorrect password attempts, etc. The IT staff can receive pager notification of critical events, for instance someone trying to log in to the administrator account at 2am on a Saturday.
Intruder Detection software includes products from the following vendors:
- AXENT, Omniguard Intruder Alert;
- Cisco, NetRanger;
- Internet Security Systems, RealSecure;
- Network Flight Recorder, product by same name;
- Security Dynamics, Kane Security Monitor.
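The two detections named above, a burst of incorrect password attempts and an administrator login at 2am on a Saturday, as an added Python example run over constructed login audit lines (this is not code from any vendor listed here); the log format, thresholds, business-hours policy and privileged account names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed login audit lines (not from any real system). Assumed format:
# "<ISO timestamp> <host> <login_ok|login_failed> user=<name> src=<ip>"
SAMPLE_LOG = """\
1999-10-02T02:03:11 fs01 login_failed user=jsmith src=10.1.4.22
1999-10-02T02:03:14 fs01 login_failed user=jsmith src=10.1.4.22
1999-10-02T02:03:17 fs01 login_failed user=jsmith src=10.1.4.22
1999-10-02T02:03:20 fs01 login_failed user=jsmith src=10.1.4.22
1999-10-02T02:03:22 fs01 login_failed user=jsmith src=10.1.4.22
1999-10-02T02:05:40 fs01 login_ok user=administrator src=10.1.4.22
1999-10-04T09:15:02 fs01 login_ok user=administrator src=10.1.2.5
1999-10-04T09:16:30 mail01 login_failed user=mlee src=10.1.7.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5                # assumed: 5 failures on one account from one source ...
FAIL_WINDOW_SEC = 60              # ... within 60 seconds is treated as password guessing
BUSINESS_HOURS = range(7, 19)     # assumed: 07:00-18:59, Monday to Friday
PRIVILEGED = {"administrator", "root"}

def parse(log_text):
    """Turn the raw lines into (timestamp, host, event, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, event, user, src))
    return events

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def detect(events):
    """Return alert strings for failure bursts and off-hours privileged logins."""
    alerts = []
    recent = defaultdict(list)    # (host, user, src) -> failure times still in the window
    for ts, host, event, user, src in sorted(events):
        key = (host, user, src)
        if event == "login_failed":
            window = [t for t in recent[key] if (ts - t).total_seconds() <= FAIL_WINDOW_SEC]
            window.append(ts)
            recent[key] = window
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append("password guessing: %d failures for %s on %s from %s"
                              % (len(window), user, host, src))
        elif event == "login_ok" and user in PRIVILEGED and off_hours(ts):
            alerts.append("off-hours privileged login: %s on %s from %s at %s"
                          % (user, host, src, ts.strftime("%a %H:%M")))
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` yields two alerts, one for the five failures against jsmith and one for the Saturday 02:05 administrator login; the Monday morning administrator login inside business hours raises nothing.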
Internal Network Segmentation
In many companies, not every user needs to see every system on the corporate network. This segmentation can be done in the network infrastructure by using Ethernet switches to create virtual local area networks (VLANs), which in effect create a series of smaller network segments that are transparent to the users.
Cisco, a manufacturer of Ethernet switches that provide VLAN capability, provides the following benefits of configuring a VLAN. "Virtual LANs (VLANs) offer significant benefits in terms of efficient use of bandwidth, flexibility, performance, and security. VLAN technology functions by logically segmenting the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN. A virtual LAN (VLAN) is an arbitrary grouping of nodes on the network. This grouping promotes efficient use of network resources and facilitates productive entry of repetitive network transactions. A virtual LAN allows the network administrator to structure, separate, or partition a network to match the structure and organization used by existing protocols and applications."
The use of Ethernet switches in a corporate network environment also provides for the security of data packets sent, since a switch forwards each unicast frame only to the port of its destination station rather than to every port as a shared hub does, which protects against casual 'sniffing' of other users' traffic. The cost of Ethernet switches has dramatically decreased, so they are not out of the budget reach of the normal corporate enterprise.
Physical Security
Physical security is one of the more important areas of computer security, but it is also one of the most often overlooked. Systems (servers) and critical equipment should not be easily accessible and should not be accessible to non-IT staff. Many companies do not have their critical systems behind locked doors; in some workplaces servers can be seen stuck in hallways or open closets. One very real inside threat is the actual theft of an entire file or email server. A related issue is that battery backup and fire prevention systems are needed to provide disaster recovery for the servers.
Another physical security exposure is that a hacker can more easily gain access to network systems from inside the network perimeter. Being on the local area network can often totally circumvent the firewall. Not only is access to systems easier from inside the network, it is also much faster. This is where site security with access cards and alarm systems meets the threat.
Authentication
The corporate enterprise should consider the use of an authentication system. Solutions include products such as Cisco Secure Server, Security Dynamics SecurID, and authentication servers compliant with Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS). Other authentication technology, such as the use of biometrics to read fingerprints, is now gaining more installations. An authentication system can provide a single authentication point for the network, remote access, virtual private networking, and Internet access.
An authentication server using RADIUS technology creates one point through which all users are scrutinized, and the RADIUS server accepts or denies a user based on company-determined criteria. The server adds two-factor and sometimes token authentication to further secure the login process.
Although the RADIUS and TACACS protocols are normally associated with remote user access, they can also be used inside the network for authentication. Both protocols are widely supported by various hardware such as routers, remote access servers, and other devices, which use them to hand authentication decisions to a central server.
The Cisco Secure Server provides "the recognition of each individual user, and mapping of their identity, location and the time to policy; authorization of their network services and what they can do on the network." The Cisco product uses RADIUS technology for authentication, authorization, and accounting.
Authentication can also make users' lives somewhat easier through single sign-on. While a company is implementing various security measures, it can become cumbersome for end-users to have to log in to numerous systems. An authentication server provides one login point for all the resources that are accessible to the specific user.
One role of the authentication server is to encrypt user passwords that travel across the network. Shipley (1997, May) notes in an article in Network Computing that "passwords and user names frequently pass across the network in the clear or can be easily hacked at endpoints." An authentication system eliminates that risk.
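As an added example, not taken from any product named on this page, the following Python implements the two parts of RADIUS (RFC 2865) behind the points made above: the hiding of the user's password so it does not cross the network in the clear, and the Response Authenticator by which a router or access server checks that an Accept or Reject really came from the server holding the shared secret. The secret and the Request Authenticator are constructed values; a real client draws the authenticator from a secure random source.

```python
import hashlib
import hmac

# Constructed values (no real deployment): the shared secret configured on
# both the network device and the RADIUS server, and a fixed 16-byte Request
# Authenticator that a real client would draw from a secure random source.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous block), the first block being
    keyed by the Request Authenticator. The result travels as User-Password."""
    assert 0 < len(password) <= 128, "RFC 2865 limits the password to 128 octets"
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining: the next keystream depends on this ciphertext
    return hidden

def unhide_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream from the received blocks.
    Trailing NUL padding is stripped (simplification: passwords here never end in NUL)."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    over an Access-Accept (code 2) or Access-Reject (code 3); Length includes the
    20-byte packet header."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def verify_response(code, identifier, attributes, resp_auth, request_auth, secret):
    """Device side: accept the reply only if its authenticator matches, so a
    forged Access-Accept from a party without the secret is ignored."""
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)
```

The protection is an MD5-based keystream keyed by the shared secret, so its strength rests on that secret being long, random and kept off untrusted hosts.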
Another technology to authenticate users is to use PKIs, or Public Key Infrastructures. The credentials passed by the PKI are usually either Kerberos or public key. Karve (1998, May) explains in Network Magazine that "most centralized authentication systems support one or more types of credentials. The two most common types of authentication infrastructures are Kerberos and public key. Both are based on key technologies, but they handle authentication differently."
Microsoft has integrated authentication capabilities in Windows 2000. This security capability in Windows 2000 is via the implementation of the Kerberos security protocol, which replaces the previous NT security model. As explained earlier, Kerberos is an industry standard shared-secret key-based method of authentication. The Kerberos standard uses Data Encryption Standard (DES) shared-secret keys to encrypt the transmission of credentials across the network. This protocol has been shown to be extremely effective as an encryption technique.
Firewalls
Although a firewall is typically associated with perimeter protection, especially between the corporate network and the Internet, a firewall can also be installed within the enterprise network itself. An internal firewall can be used to securely segment sections of the internal network or to protect certain servers while allowing access only to certain users.
Ruber (1998, August) noted in CIO magazine that "with respect to preventing potential inside burglaries, experts recommend placing the most valuable corporate information on one or more departmental servers with rigidly controlled access rights, possibly through an internal firewall layer."
There are even firewall products oriented specifically toward the internal network requirement. Network-1 Security Solutions makes the Cyberwall PLUS-AP product for internal firewall applications. Their product description explains that "CyberwallPLUS-AP is a high-speed LAN Firewall based on Windows NT and ideally suited for internal network security. CyberwallPLUS-AP provides network administrators with the tools needed to secure and protect LANs within the internal network."
By Stephen F. Delahunty sfd@csi.com
REFERENCES
1. Laudon, K. & Laudon, J. (1998). Management Information Systems (5th ed.). Upper Saddle River: Prentice Hall Inc.
2. Berst, J. (1998, April 7). The Biggest Threat to Your Network's Security. (It Isn't What You Think). Ziff Davis Network (ZDNet).
3. Shipley, G. (1999, October 4). The State of Security 2000, Intrusion Detection Systems. Network Computing.
4. Ruber, P. (1998, August 1). A Game of Cat and Mouse. CIO Magazine.
5. Wood, C. (1998, January 15). Impersonate and Infiltrate. Network Magazine.
6. Shipley, G. (1999, May 7). Defending the Enterprise. Network Computing.
7. Intrusion Detection Frequently Asked Questions SANS (System Administration, Networking, and Security) Institute.
8. Schnaidt, P. (1992, March). Network Management: Security. Network Magazine.
9. Microsoft Windows NT 4.0 Security – An Easy Target. (1997, August). Mastering Computers Windows Tips & Techniques Newsletter.
10. Computer Rules: A Guide to Formulating Computer Operating and Security Policy for Users.
11. Physical Security. University of Chicago Network Security Center.
12. Knowles, A. (1996, June 15). The Enemy Within. CIO Magazine.
13. Roberts-Witt, S. (1999, August 9). Protect Your Business. PC Magazine.
14. Radcliff, D. (1998, April 20). The Danger Within. InfoWorld Electric.
15. Violino, B., Larsen, A., & Davis, B. (1999, February 15). More Options For Tighter Security. Information Week.
16. The 7 Top Management Errors that Lead to Computer Security Vulnerabilities. SANS (System Administration, Networking, and Security) Institute.
17. White Paper: Protecting Your Network. Network General.
18. Enforce Strong Passwords. (1997, May). Mastering Computers Windows Tips & Techniques Newsletter.
19. Chacon, M. (1999, May/June). A Matter of Security. Microsoft Certified Professional Magazine.
20. Gillooly, B. (1999, July 12). Silent Intruders. Information Week.
21. Cisco IOS VLAN Services. Cisco Systems Incorporated.
22. Intruder Detection Checklist. Computer Emergency Response Team (CERT).
23. CSI Intrusion Detection System Resource. Computer Security Institute (CSI).
24. Roberts-Witt, S. (1999, August 11). Intrusion Detection: Patrol Network Traffic. PC Magazine.
25. Information Systems Security Association (ISSA).
26. Information Systems Audit and Control Association (ISACA).