introduction

Information Security Technical Report, Vol. 2, No. 3 (1997)

Introduction

Gary Hardy, Director of Consultancy, Zergo Ltd.

This issue of the Information Security Technical Report looks at Corporate Network Security, and covers current hot topics dealing with the latest networking technologies.

Over the past 10 years, we have seen a strong economic trend towards globalization of trade. Corporates wishing to succeed and prosper in this new environment have had to restructure and reorganize, and adapt their business style in order to operate in a much bigger marketplace with fewer boundaries. Ten years ago no one would have predicted the pace of change in IT and the explosive growth in networking, spurred on by the commercial arrival of the Internet. Advances in forever cheaper, easier to use, and more available technologies are enabling businesses to introduce new trading practices, to have direct contact with customers anywhere in the world, and to automate supply and delivery channels. Employees can change their working practices - it no longer matters whether they are at home, in the office or in a hotel room on the other side of the world; it’s possible to do business anywhere using the network.

However, these changes introduce new risks, including new security issues. The corporate network has no clear boundaries, and the new technologies can easily introduce new vulnerabilities if they are not properly managed. Awareness of these risks and how to tackle them is crucial if organizations are to avoid costly and perhaps disastrous results. This issue looks at some of the current hot topics that are high on both the technical and management agenda. Because of the complexity and specialist nature of network security, we have also covered the broad key principles and strategically important security issues relating to corporate networking.

There is a ‘Catch-22’ with network security - if you do nothing until a strategy has been agreed it will be too late; on the other hand, if security is developed without a strategic approach, money might well be wasted on short-term tactical solutions. Pragmatic compromises with an eye on both the short and longer term are needed.

The only known way to properly protect a network is to apply cryptographic techniques - but it is a complex technology, and there are currently restrictions on use of strong controls. We will see rapid developments in this area, and two articles in this report look at one major corporate’s approach, and another provides an update from the UK Government on TTP licensing. Volume 2, Number 2 of the ISTR covered technical cryptography in detail and the next report, Volume 2, Number 4, will look at the practical application of cryptography in information security.

The connection of ‘private’ corporate networks to potentially hostile open networks presents new risks and vulnerabilities. Two articles look at these issues and how to combat them, and the role that firewalls play in defending the corporate gateways. Nearly everyone is standardizing on TCP/IP as their network protocol, and we have, therefore, covered the strategic security issues for this environment. The workstation and local distributed systems are concentrating around Windows NT and Unix, and understanding best security practice for these is essential if loopholes are to be avoided.

Finally, we discuss the merits of penetration testing, a technique that is growing in popularity, as network managers increasingly need to know how vulnerable they really are. All articles in this report represent the views of the authors and not necessarily the views of the organizations that they represent.

0167-4048/97/$17.00 © 1997, Elsevier Science Ltd
