SUMMARY: This tech note
describes the options available to establish secure
access to your Clients & Profits database using
an internet connection.
THE CLIENTS & PROFITS HELPDESK
DOES NOT PROVIDE TECHNICAL SUPPORT FOR INTERNET SECURITY. Installing
and configuring your internet hardware can be technical,
so you should have access to a computer expert who
is familiar with ISPs, networking and operating systems.
With information easily transmitted over the internet, security has become
a greater concern for companies. Rightfully so. Your company now faces
security issues from both internal and external sources.
While any employer is reluctant to distrust his employees, 71 percent
of respondents to a recent survey reported that they had detected unauthorized
access to sensitive information by insiders. The reported losses topped
$265 million, primarily from the loss of proprietary information such
as customer files and company data. Worse, the threat of a disgruntled
employee sabotaging the system is, unfortunately, a very real concern.
The risk of threats from external sources have increased dramatically
with the growing use of the internet. The most prolific--and most potentially
dangerous--is email. While a necessary tool for conducting business,
viruses are readily spread through email attachments. Also, security
can be threatened by improperly downloading flawed files, which could
unleash a virus attack throughout the company. However, external intrusion
to proprietary corporate data is probably the biggest concern.
This technote will discuss ways in which you can protect against unwanted
access to your Clients & Profits database, from both internal and
external breaches, by establishing an internal security policy and
using passwords, firewalls, IP filtering, packet filtering, proxy servers,
virtual private networks, and/or secure socket layers.
Your internal security policy is cornerstone to developing a secure
network. By establishing a policy, youll be forced to organize
your security, from passwords and access limitations, to security functions
and technology. Once your policy is in place, it will enable your IT
manager to easily and quickly respond to security needs rather than
focusing on small details, which, unfortunately, can sometimes detract
from gaping holes in security.
Clients & Profits Log-in
The first line of defense is maintaining your users log-in initials
and passwords. This is the only security measure built into Clients & Profits.
Other security measures are those offered by networking technology
discussed later in this tech note.
With a security plan that keeps users initials and passwords
private and up-to-date, it is unlikely that someone without initials
and a password could gain access to your database. When one of your
staff members leaves your company, immediately delete this user from
the database to cut off their access. While you can set Clients & Profits
passwords to expire, which will stop a user from accessing the database
after that date, it is better to delete the user. Heres why:
A savvy user can work around the expiration by resetting the date on
his computer, essentially tricking the database into thinking the users
password hasnt expired yet.
If youre using My Clients & Profits!, create user passwords
that are different than passwords for Clients & Profits. While
not required, this adds another layer of security in case passwords
become common knowledge. (Repeat after me: Loose lips sink ships.)
Another built-in security feature of My Clients & Profits! is an
auto-suspend function. After three bad log-in attempts, a users
account is suspended until its reset by the system administrator.
Can a user create an export or create a custom report to gain access
to passwords? No. Passwords in Clients & Profits are encrypted,
so even if someone tried to export or report the passwords, he wouldnt
be able to see them.
In summary, someone can not access your Clients & Profits data
in any way without a user ID and password, so keeping these secure
is the best way to avoid unwanted access to your Clients & Profits
Remote Access Log-in
Not only does your Clients & Profits database require a user ID and password, but the remote access method you choose will require one as well, adding a second layer of ID and password protection to your Clients & Profits database. For example, if you use Timbuktu to access your local network over the internet, it requires a user ID and password to control a computer on your local network. As well, if you mount your server over the internet, this will require a user ID and password (like it does in the office when you log into your server). Keep in mind that when you're using remote access methods like My Clients & Profits!, users won't be required to pass through this additional level of ID and password security since My Clients & Profits! serves web pages directly from the database, just like normal web pages are served. The difference between My Clients & Profits! web pages and your regular web site, for example, is that if an intruder gains access to the My! Clients & Profits URL they need an ID and password to log in. In this case, you want to utilize other technologies to create additional levels of security, such as a firewall, IP filtering, and packet filtering.
Firewalls were originally developed as a strong perimeter around a company's data, leaving only a few 'gates' available for the transmission of information. These 'gates' are technically and correctly referred to as ports. So when someone says 'I opened up port 80 to the internet', they are saying 'I am allowing network activity to occur through this port to and/or from the local network.' With only a few of these gates, they were easily monitored for unauthorized access. Most firewalls today have tools built into them to alert the system administrator of potentially harmful activity occurring or attempted through these open gates, since a firewall will try to block it.
So the first line of defense using network technology is to open up only the ports necessary for those outside of your office to access your network. Firewalls normally are set to block ALL outside internet activity, so the system administrator needs to open up ports to allow activity that originates outside of your network to enter within it. The firewall will then monitor the open ports for dangerous activity and try to block it. For example, current firewall technology knows now how to interpret what caused Yahoo's website to go down in the year 2000, and it blocks that from happening.
Also, keep in mind that all internet applications are designed to work
over certain ports. For example, all websites are served over port
80 and all web browsers are designed to look for a web server on port
80 when you type in a URL, unless you specify a different port. Therefore,
you need to open up the ports required by the remote access method
you are using. You will need to talk to your application vendor to
find out what these are (i.e., call Netopia to talk about the ports
used by Timbuktu).
In the information age, allowing file transfer over the internet is
necessary in order to conduct business; therefore, more gates have
been cut into the firewall. Clearly, the perimeter defense is less
solid than it once was. On the positive side, not all firewalls have
to be a barrier between your company and the outside world. By setting
up internal firewalls, you can easily limit access to smaller subsections
of your network. Doing so will not only stop (or severely limit) unwanted
access from external intruders, but prevent internal intruders from
accessing information apart from their limited sector.
Two more essential features of firewalls are IP filtering and packet
filtering. It is good to have an understanding of these, for if properly
setup this can essentially eliminate someone from hacking into your
network, then begin attempting to break through your ID and password
IP filtering Internet protocol (IP) filtering is
a flexible way to set access rules. IP filtering limits
the external IP addresses that can penetrate the firewall
through the open ports to access your network, as well
as which computers on your network can be accessed. (Keep
in mind that in the internet world each computer must be
assigned an IP address so it can be identified on the internet.)
So blocking an IP address is much like blocking a particular
computer from accessing your network. Because the firewall
can identify the IP address passing through it, you can
set up the firewall with access control lists (ACLs) to
control which IPs can access which parts of your network.
Further, you can use ACLs to block specific IPs to prevent
them from entering altogether (if you find certain IPs
continue to try to access your network through open ports
and you want to block them immediately). Additionally,
you can setup the firewall to only allow access to certain
computers on your network. (Then make sure those computers
only have the necessary files on it that remote users need--and
However, when setting these parameters, bear in mind that dial-up internet
connections generally assign a different IP address when the same user
logs on, even if it is from the same physical location. Its best
if your remote users have fixed IP addresses so you can block all IP
addresses from entering your open ports except those that you know
are safe, such as an outside accountant that you trust who needs access
to your Clients & Profits database from time to time.
Packet filtering. Some firewalls have the ability not only to allow
or block IP addresses through your open ports, but to interpret the
protocol they are using and only allow a certain type of protocol to
pass through it. For example, when you type in a URL in your web browser
notice that it is preceded by HTTP. This is because web browsers essentially
communicate using HTTP (hypertext transfer protocol). Thus, you are
able to reduce the size of the open gate (or port) by only allowing
a certain type of activity through it. This is useful if you are using
My Clients & Profits! because it communicates with the internet
using HTTP, so all you need to do is open up the port you are serving
it over (version 1.02 and later allows you to customize the port you
want to use), then limit activity through that port to HTTP only.
To summarize the tech note to this point, if, for example, you are
using My Clients & Profits! and know the IP addresses of those
outside the office that want to access your Clients & Profits database,
you can create a secure ID and password to log into My Clients & Profits!,
open up only the port My Clients & Profits! uses, only allow activity
over this port to originate from specific IP addresses, set them to
have access to the My Clients & Profits! server alone (IP address
of this server on your network), and only allow HTTP activity over
this port. Taking security to this level will make a hackers
job pretty hard. But theres more...
Virtual Private Networks Virtual private networks (VPNs) are a connection
between two compatible firewalls over the internet. At one end, data is
encrypted, then sent to the other firewall, which decrypts it using the
same encryption key. By encrypting data before it's transmitted, external
intruders are unable to use a packet sniffer to read the data during
transmission. VPNs are a low-cost way to use the internet to keep
sensitive information secure during transmission--and it costs
significantly less than traditional dedicated connections.
Secure Socket Layers Secure socket layers (SSLs)
are another encryption technology that authenticates communications
between the user and the network. When a user contacts
the network, both user and network are identified and their
access is authenticated. By encrypting the connection,
a secure tunnel is created through which information can
pass. In order to use SSL technology, both the server and
the client must be SSL-enabled. While SSL is setting security
standards for encrypted communications, it is very demanding
on a systems CPU, which generally causes diminished
performance speeds. The My Clients & Profits! server
does not have SSL abilities, but you may be able to get
around this by using a proxy server.
Proxy Servers Proxy servers are traditionally used
as a go-between for your internet application and the server
its trying to communicate with. For example, if you
have ever looked at your option settings in your web browser
or e-mail program, you will see the option for a proxy
server. Basically, your web browser or e-mail program communicates
with the proxy server, which in turn communicates with
the website or mail server that you are requesting. There
are various reasons your system administrator may want
this that we will not discuss in this tech note. Standard
proxy servers know how to communicate with other servers
using standard protocols like HTTP, FTP, SMTP, etc. My
Clients & Profits! uses standard HTTP so it should
work fine if youre trying to access it via a proxy
server. Therefore, if you are able to establish a secure
connection with a proxy server (say using SSL), and the
proxy server is able to communicate with the My Clients & Profits!
server using non-SSL (since the My Clients & Profits!
server does not understand SSL packets), you can essentially
create a secure connection to your My Clients & Profits!
server and thus to the Clients & Profits database.