Computers & Networks: Security

Aug 1, 2002 12:00 PM, BY BRAD GILMER



Given that computer networks have found their way into the core operations of television facilities, what specific steps can we take to keep our networks secure while still taking advantage of the benefits of networking? First and foremost, do not connect critical computers, such as on-air automation systems, directly to the Internet.



Figure 1. Network address translation hides the true IP address of a computer inside the firewall.

In fact, do not connect these systems to other networks inside your own building. If you need to download files from the Internet, do it on a separate computer and then transfer the files (after antivirus scanning) to your on-air network. Also, do not allow e-mail to run on critical systems. E-mail viruses are commonplace now. All it takes is one e-mail message with a viral attachment to take down your entire system.

Why is it important to avoid connections to the Internet? Because that is where most threats come from these days. There are thousands of computers out on the Internet running robot programs, sometimes called ‘bots’. These programs probe computers at random, looking for security holes and collecting information such as IP address, NETBIOS computer name and operating system information. At best, these probes steal cycles away from time-critical applications such as automation. At worst, these probes allow someone to collect information about the vulnerabilities of your system.

Protect against viruses

Viruses are fairly common. For this reason, you should provide antivirus protection for every computer on your network, and it goes without saying that you should update the virus definition files frequently. Virus definition files contain information that allows the antivirus software to identify and neutralize viruses. Antivirus software vendors update their definitions all the time. Having the latest definitions is critical to computer security.

In the old days, viruses were usually spread through contaminated floppy disks. Now that network file transfers have largely replaced floppies, virus programmers have changed their strategy. Most viruses are spread through e-mail attachments. This is why e-mail should not be allowed on critical systems.

What about computers that are critical but that must run e-mail (newsroom systems for example)? Be sure to use antivirus software that quarantines your messages until they have been scanned for viruses. If you are working in a newsroom environment, you probably have a stand-alone mail server. Install a virus scanner on your e-mail server to scan all incoming e-mail. This allows you to provide e-mail protection from a central location and avoids the hassle of updating virus definitions at every desktop.



Figure 2. Port address translation allows you to forward requests for a specific port to another machine on your internal network.

Do not open attachments from people you do not know. The attachments may contain viral scripts. Be very careful in opening attachments from people you do know. Remember that the virus may have mailed itself to you. Some virus programs infiltrate e-mail programs, and propagate by sending a message to everyone in the user’s address book. Finally, do not open executable attachments unless you know they are clean. Executable attachments are programs that run on the computer. These may be identified by their extension — .exe, .com, .asp, etc. There are many other extensions that are executable, so be wary.

Firewalls

Many facilities today have full-time Internet connections. More than likely, this connection runs through a router at the demarcation point between the Internet service provider and your equipment. Be sure that the router is set properly to provide network address translation (NAT) and port address translation (PAT). NAT conceals the IP addresses of internal machines from the Internet, making it much more difficult to locate and attack a particular machine. With NAT enabled, any message sent to the Internet is modified so that it appears that the message originated from the router. In Figure 1, any messages coming from the internal desktop PC with an IP address of 192.168.1.3 will be modified so that the PC on the Internet sees them as originating from the firewall with an IP address of 62.123.4.23. A query from the PC on the Internet sent to 192.168.1.3 will likely return an error. This is important because the router keeps the PC on the Internet from connecting directly with the desktop PC. It also makes it more difficult to break into an internal PC or server because the person attempting to break into the device must first guess its IP address.

Another way routers limit access is to allow communication only to authorized ports. The Internet functions by using well-known port addresses. For example, when you point your Web browser at a particular URL, the browser will automatically attempt to connect to port 80 unless you tell it otherwise. Web servers are designed to listen to requests incoming on port 80. If a network administrator wants to block incoming Web access, he or she can program the router to reject all communications with port 80 inside the firewall. For a complete list of port numbers, go to www.iana.org/assignments/port-numbers.



Installing a personal firewall provides protection from people trying to get access to your computer. This alert shows that someone is trying to access your computer using NETBIOS. Figure courtesy of Zone Labs. Copyright 2002 Zone Labs. All rights reserved.

If the firewall is configured to drop requests to the port without responding, a computer making a request on that port will receive absolutely no response. Computers on the outside of the firewall cannot determine whether a computer associated with that port exists. For example, you may decide to block all NETBIOS requests coming from the Internet, just in case someone on your internal network leaves their computer open on these ports.

You may want to configure the router to perform Port Address Translation (PAT) to conceal the address of a Web server behind your firewall. Using PAT, you can configure the router so that any requests that come in on port 80 are automatically forwarded to a separate Web server. Doing this allows you to run a Web server without exposing it directly to the Internet.
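As an added illustration (not code from the article or its author), here is a small Python model of the router in Figures 1 and 2: outbound packets from 192.168.1.3 leave carrying the router's address 62.123.4.23, inbound packets aimed at private addresses or at the NETBIOS ports are dropped without any reply, and inbound port 80 is forwarded by PAT to an assumed internal Web server at 192.168.1.10. The outside host 198.51.100.7 is a constructed address.

```python
from dataclasses import dataclass, replace

ROUTER_IP = "62.123.4.23"           # the router's public address from Figure 1
WEB_SERVER = ("192.168.1.10", 80)   # assumed internal Web server for the PAT rule
BLOCKED_PORTS = {137, 138, 139}     # NETBIOS: dropped silently, no reply sent


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy NAT/PAT router: rewrites headers the way Figures 1 and 2 describe."""

    def __init__(self):
        self.sessions = {}               # public port -> (internal ip, port)
        self.forward = {80: WEB_SERVER}  # PAT: public port -> internal host
        self.next_port = 40000           # public ports handed out for NAT

    def outbound(self, pkt):
        """Internal -> Internet: replace the private source with the router's."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (pkt.src, pkt.sport)
        return replace(pkt, src=ROUTER_IP, sport=pub_port)

    def inbound(self, pkt):
        """Internet -> internal: return the delivered packet, or None if dropped."""
        if pkt.dst != ROUTER_IP:
            return None   # 192.168.x.x is not reachable from outside (Figure 1)
        if pkt.dport in BLOCKED_PORTS:
            return None   # drop without responding: the outside learns nothing
        if pkt.dport in self.sessions:   # reply to a connection we opened
            ip, port = self.sessions[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.dport in self.forward:    # PAT rule from Figure 2
            ip, port = self.forward[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return None   # unsolicited traffic to a closed port: dropped


if __name__ == "__main__":
    r = Router()
    out = r.outbound(Packet("192.168.1.3", 5000, "198.51.100.7", 80))
    print("Internet sees:", out.src, out.sport)
    print("NETBIOS probe:", r.inbound(Packet("198.51.100.7", 9, ROUTER_IP, 139)))
    print("Web request ->", r.inbound(Packet("198.51.100.7", 9, ROUTER_IP, 80)))
```

A real router also checks that a reply's source matches the host the session was opened to; the model keeps only the address and port rewriting the article describes.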

How can you be sure that your router is providing NAT, hiding ports and performing PAT? From a computer on the inside network, point your browser to Steve Gibson’s Web site, www.grc.com, and go to the “Shields Up” section. Steve has done a great service to the Internet community by providing a free site that probes routers and firewalls for security holes. This probe is totally non-destructive; its only function is to report back to you any security holes it finds. If you do find that various ports are open, or that Steve can determine your NETBIOS computer name, you may want to contact your ISP to have them tighten up security on your router.

Security is not only a desktop or server issue. If you travel with a laptop, you should use a personal firewall. Personal firewalls are protective programs that run on your computer, blocking unauthorized communications. When you first install firewall software, you may be surprised at the number of messages you get. It is important to know that not all of these messages are caused by intruders trying to break into your computer. Many of them are caused by software packages interacting over the Internet in completely benign ways. In any case, when you see the warnings, you may feel better knowing that you are running a firewall.

Software updates and backups

One thing you can do to improve the security of your systems is to check for software updates frequently. Almost all software vendors work very hard to block any known security holes. When they do, they frequently make updated programs available to customers free of charge. One such company is Microsoft. Point a browser to windowsupdate.microsoft.com and Microsoft will check your system and then suggest a list of updates you may want. Most of these updates tend to relate to security. Many other vendors provide update service as well.

One of the least expensive security solutions is to back up your system regularly. There is no way to make your computer absolutely bulletproof. It is likely that sooner or later you will have a computer problem related to security. When you do, you may be very glad that you have a full backup on hand.

Finally, while the threats from e-mail viruses and break-ins over the Internet are real, it is good to keep things in perspective. As engineers, the methods you employ to tighten security may have an adverse impact on the people who operate the facility on a daily basis. Remember to balance your response with any inconvenience the cure may cause.

Security checklist

  1. Do not connect critical computers to the Internet, either through a full-time connection or dial-up.

  2. Provide antivirus protection on EVERY computer.

  3. Update antivirus software regularly.

  4. Update other software packages regularly.

  5. Use a router to hide your computer.

  6. Use a personal firewall on laptops to block intruders.

  7. Make backups.

Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association and executive director of the Video Services Forum.

