SUMMARY: This tech note describes the options available to establish secure access to your Clients & Profits database using an internet connection.

THE CLIENTS & PROFITS HELPDESK DOES NOT PROVIDE TECHNICAL SUPPORT FOR INTERNET SECURITY. Installing and configuring your internet hardware can be technical, so you should have access to a computer expert who is familiar with ISPs, networking and operating systems.

With information easily transmitted over the internet, security has become a greater concern for companies. Rightfully so. Your company now faces security issues from both internal and external sources.

While any employer is reluctant to distrust his employees, 71 percent of respondents to a recent survey reported that they had detected unauthorized access to sensitive information by insiders. The reported losses topped $265 million, primarily from the loss of proprietary information such as customer files and company data. Worse, the threat of a disgruntled employee sabotaging the system is, unfortunately, a very real concern.

The risk of threats from external sources have increased dramatically with the growing use of the internet. The most prolific--and most potentially dangerous--is email. While a necessary tool for conducting business, viruses are readily spread through email attachments. Also, security can be threatened by improperly downloading flawed files, which could unleash a virus attack throughout the company. However, external intrusion to proprietary corporate data is probably the biggest concern.

This technote will discuss ways in which you can protect against unwanted access to your Clients & Profits database, from both internal and external breaches, by establishing an internal security policy and using passwords, firewalls, IP filtering, packet filtering, proxy servers, virtual private networks, and/or secure socket layers.

Security policy

Your internal security policy is cornerstone to developing a secure network. By establishing a policy, you’ll be forced to organize your security, from passwords and access limitations, to security functions and technology. Once your policy is in place, it will enable your IT manager to easily and quickly respond to security needs rather than focusing on small details, which, unfortunately, can sometimes detract from gaping holes in security.

Clients & Profits Log-in

The first line of defense is maintaining your users’ log-in initials and passwords. This is the only security measure built into Clients & Profits. Other security measures are those offered by networking technology discussed later in this tech note.

With a security plan that keeps users’ initials and passwords private and up-to-date, it is unlikely that someone without initials and a password could gain access to your database. When one of your staff members leaves your company, immediately delete this user from the database to cut off their access. While you can set Clients & Profits passwords to expire, which will stop a user from accessing the database after that date, it is better to delete the user. Here’s why: A savvy user can work around the expiration by resetting the date on his computer, essentially tricking the database into thinking the user’s password hasn’t expired yet.

If you’re using My Clients & Profits!, create user passwords that are different than passwords for Clients & Profits. While not required, this adds another layer of security in case passwords become common knowledge. (Repeat after me: Loose lips sink ships.) Another built-in security feature of My Clients & Profits! is an auto-suspend function. After three bad log-in attempts, a user’s account is suspended until it’s reset by the system administrator.

Can a user create an export or create a custom report to gain access to passwords? No. Passwords in Clients & Profits are encrypted, so even if someone tried to export or report the passwords, he wouldn’t be able to see them.

In summary, someone can not access your Clients & Profits data in any way without a user ID and password, so keeping these secure is the best way to avoid unwanted access to your Clients & Profits data.

Remote Access Log-in

Not only does your Clients & Profits database require a user ID and password, but the remote access method you choose will require one as well, adding a second layer of ID and password protection to your Clients & Profits database. For example, if you use Timbuktu to access your local network over the internet, it requires a user ID and password to control a computer on your local network. As well, if you mount your server over the internet, this will require a user ID and password (like it does in the office when you log into your server). Keep in mind that when you're using remote access methods like My Clients & Profits!, users won't be required to pass through this additional level of ID and password security since My Clients & Profits! serves web pages directly from the database, just like normal web pages are served. The difference between My Clients & Profits! web pages and your regular web site, for example, is that if an intruder gains access to the My! Clients & Profits URL they need an ID and password to log in. In this case, you want to utilize other technologies to create additional levels of security, such as a firewall, IP filtering, and packet filtering.

Firewalls

Firewalls were originally developed as a strong perimeter around a company's data, leaving only a few 'gates' available for the transmission of information. These 'gates' are technically and correctly referred to as ports. So when someone says 'I opened up port 80 to the internet', they are saying 'I am allowing network activity to occur through this port to and/or from the local network.' With only a few of these gates, they were easily monitored for unauthorized access. Most firewalls today have tools built into them to alert the system administrator of potentially harmful activity occurring or attempted through these open gates, since a firewall will try to block it.

So the first line of defense using network technology is to open up only the ports necessary for those outside of your office to access your network. Firewalls normally are set to block ALL outside internet activity, so the system administrator needs to open up ports to allow activity that originates outside of your network to enter within it. The firewall will then monitor the open ports for dangerous activity and try to block it. For example, current firewall technology knows now how to interpret what caused Yahoo's website to go down in the year 2000, and it blocks that from happening.

Also, keep in mind that all internet applications are designed to work over certain ports. For example, all websites are served over port 80 and all web browsers are designed to look for a web server on port 80 when you type in a URL, unless you specify a different port. Therefore, you need to open up the ports required by the remote access method you are using. You will need to talk to your application vendor to find out what these are (i.e., call Netopia to talk about the ports used by Timbuktu).

In the information age, allowing file transfer over the internet is necessary in order to conduct business; therefore, more gates have been cut into the firewall. Clearly, the perimeter defense is less solid than it once was. On the positive side, not all firewalls have to be a barrier between your company and the outside world. By setting up internal firewalls, you can easily limit access to smaller subsections of your network. Doing so will not only stop (or severely limit) unwanted access from external intruders, but prevent internal intruders from accessing information apart from their limited sector.

Two more essential features of firewalls are IP filtering and packet filtering. It is good to have an understanding of these, for if properly setup this can essentially eliminate someone from hacking into your network, then begin attempting to break through your ID and password protections.

IP filtering Internet protocol (IP) filtering is a flexible way to set access rules. IP filtering limits the external IP addresses that can penetrate the firewall through the open ports to access your network, as well as which computers on your network can be accessed. (Keep in mind that in the internet world each computer must be assigned an IP address so it can be identified on the internet.) So blocking an IP address is much like blocking a particular computer from accessing your network. Because the firewall can identify the IP address passing through it, you can set up the firewall with access control lists (ACLs) to control which IPs can access which parts of your network. Further, you can use ACLs to block specific IPs to prevent them from entering altogether (if you find certain IPs continue to try to access your network through open ports and you want to block them immediately). Additionally, you can setup the firewall to only allow access to certain computers on your network. (Then make sure those computers only have the necessary files on it that remote users need--and no more.)

However, when setting these parameters, bear in mind that dial-up internet connections generally assign a different IP address when the same user logs on, even if it is from the same physical location. It’s best if your remote users have fixed IP addresses so you can block all IP addresses from entering your open ports except those that you know are safe, such as an outside accountant that you trust who needs access to your Clients & Profits database from time to time.

Packet filtering. Some firewalls have the ability not only to allow or block IP addresses through your open ports, but to interpret the protocol they are using and only allow a certain type of protocol to pass through it. For example, when you type in a URL in your web browser notice that it is preceded by HTTP. This is because web browsers essentially communicate using HTTP (hypertext transfer protocol). Thus, you are able to reduce the size of the open gate (or port) by only allowing a certain type of activity through it. This is useful if you are using My Clients & Profits! because it communicates with the internet using HTTP, so all you need to do is open up the port you are serving it over (version 1.02 and later allows you to customize the port you want to use), then limit activity through that port to HTTP only.

To summarize the tech note to this point, if, for example, you are using My Clients & Profits! and know the IP addresses of those outside the office that want to access your Clients & Profits database, you can create a secure ID and password to log into My Clients & Profits!, open up only the port My Clients & Profits! uses, only allow activity over this port to originate from specific IP addresses, set them to have access to the My Clients & Profits! server alone (IP address of this server on your network), and only allow HTTP activity over this port. Taking security to this level will make a hacker’s job pretty hard. But there’s more...

Virtual Private Networks Virtual private networks (VPNs) are a connection between two compatible firewalls over the internet. At one end, data is encrypted, then sent to the other firewall, which decrypts it using the same encryption key. By encrypting data before it's transmitted, external intruders are unable to use a packet sniffer to read the data during transmission. VPNs are a low-cost way to use the internet to keep sensitive information secure during transmission--and it costs significantly less than traditional dedicated connections.

Secure Socket Layers Secure socket layers (SSLs) are another encryption technology that authenticates communications between the user and the network. When a user contacts the network, both user and network are identified and their access is authenticated. By encrypting the connection, a secure tunnel is created through which information can pass. In order to use SSL technology, both the server and the client must be SSL-enabled. While SSL is setting security standards for encrypted communications, it is very demanding on a system’s CPU, which generally causes diminished performance speeds. The My Clients & Profits! server does not have SSL abilities, but you may be able to get around this by using a proxy server.

Proxy Servers Proxy servers are traditionally used as a go-between for your internet application and the server it’s trying to communicate with. For example, if you have ever looked at your option settings in your web browser or e-mail program, you will see the option for a proxy server. Basically, your web browser or e-mail program communicates with the proxy server, which in turn communicates with the website or mail server that you are requesting. There are various reasons your system administrator may want this that we will not discuss in this tech note. Standard proxy servers know how to communicate with other servers using standard protocols like HTTP, FTP, SMTP, etc. My Clients & Profits! uses standard HTTP so it should work fine if you’re trying to access it via a proxy server. Therefore, if you are able to establish a secure connection with a proxy server (say using SSL), and the proxy server is able to communicate with the My Clients & Profits! server using non-SSL (since the My Clients & Profits! server does not understand SSL packets), you can essentially create a secure connection to your My Clients & Profits! server and thus to the Clients & Profits database.