Development server outside your firewall needs a special security plan

By Shawn P McCarthy -- Logistics Management, 5/1/1998

If your company is developing Internet-based business applications, you may need a shared development space where you and your business partners can gain access to the same databases and tools.

But it's a bad security practice to allow outsiders into a machine located behind your Internet firewall. The firewall is your local area network's single point of entry to the Internet and your defense against unauthorized entry or tampering with your internal systems. The most secure firewall is one that allows outbound connections but refuses all inbound connections except e-mail.

Locating an isolated development computer outside the firewall where partners can use it is becoming a common practice, but it's important to have a good security policy in place before opening the machine to others. Here are some ways to minimize risk.

* Limit the number of accounts on the development computer. It reduces the chance that any individual will make a configuration error or use a weak password.

* Use a plain IP address for all addressing if possible. With no domain name, the server won't turn up in the Internet Domain Name System tables. A hacker can still "ping" a range of addresses to look for a new machine, but you'll attract far less attention with a numeric address.

* Require that both you and your business partners use Secure Shell (SSH) for your connections. Unix remote login protocols or traditional Internet protocols like telnet and ftp send passwords over the network without encryption. A hacker could capture that password and use it to gain access to the system. SSH offers encryption and user authentication.

* Place the machine behind a packet filtering router. Set the router to accept connections only from approved IP addresses. Yes, it's possible to trick such a router into accepting a full connection from an unapproved client, but it takes a fairly talented hacker to accomplish this, and if you're also using SSH, hackers can't nab your password. Another option is to place the server on a screened subnet--a separate network attached to your firewall or, even better, with its own separate firewall that's set to allow only SSH and secure HTTP connections.

* For very high-end security, there are systems that offer rotating, timed passwords. Security Dynamics Inc.'s ACE/Server, Cryptocard Corp.'s Cryptocard, and Accent Technologies Inc.'s SecureNet Key are the most popular. You can even get a card with a password display synchronized with your server. Numeric passwords change every minute and can only be read from the card. Combined with the limited IP connection and SSH services mentioned above, your system would be nearly impossible to hack.
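The server side of such a time-synchronized code, as an added illustration rather than any vendor's algorithm (the products named above do not publish theirs here): a generic HMAC-over-time-step construction with a 60-second step, a one-step tolerance for clock drift, and a check that a code is accepted only once. The shared secret is a constructed placeholder.

```python
"""Server-side check for a time-synchronized numeric code (added example)."""
import hashlib
import hmac
import struct

STEP = 60      # the displayed code changes every minute, as described above
DIGITS = 6
WINDOW = 1     # accept one step either side to absorb small clock drift


def code_for(secret: bytes, step_index: int) -> str:
    """Derive the numeric code for one 60-second step from the shared secret."""
    mac = hmac.new(secret, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Holds one user's secret and remembers the last step already used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1   # highest step index consumed; blocks replay

    def verify(self, candidate: str, now: float) -> bool:
        current = int(now // STEP)
        for idx in range(current - WINDOW, current + WINDOW + 1):
            if idx <= self.last_used:
                continue      # a code is good exactly once, even inside the window
            if hmac.compare_digest(code_for(self.secret, idx), candidate):
                self.last_used = idx
                return True
        return False


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"    # placeholder, not a real token seed
    v = TokenVerifier(SECRET)
    print(v.verify(code_for(SECRET, 10000), 10000 * STEP))   # first use: True
    print(v.verify(code_for(SECRET, 10000), 10000 * STEP))   # replay: False
```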

* Before rollout, use the Unix Security Administrator's Tool for Analyzing Networks (SATAN) to run a scan on your network and the server to look for configuration errors that could compromise security.

Taken as a whole, the precautions mentioned here can offer a fairly secure way to provide a shared workspace outside your firewall. With more partnerships requiring such shared resources, it's a good idea to be prepared to offer these services safely.

Tip of the Month

What if the development server you've placed outside your corporate firewall needs to interact with a database on your internal network? Just set the database server to accept a query that comes from the IP address of the development server and set the firewall to permit the Web server to send a call to the database, but no other internal services. If the external server is hacked, the only path into your network leads to your database server, which has its own access controls.
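The rule set that the packet-filter and screened-subnet advice above and this tip describe, written out as a small default-deny policy checker. This is an added example, not a configuration from the article; the partner networks, the development server address, the internal database address and the database port are constructed placeholders.

```python
"""Default-deny policy for a dev server on a screened subnet (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses; substitute your own.
PARTNER_NETS = [
    ipaddress.ip_network("203.0.113.0/28"),    # partner A office range
    ipaddress.ip_network("198.51.100.7/32"),   # partner B gateway
]
DEV_SERVER = ipaddress.ip_address("192.0.2.10")   # on the screened subnet
DB_SERVER = ipaddress.ip_address("10.0.5.20")     # on the internal LAN
SSH, HTTPS = 22, 443
DB_PORT = 1521                                    # assumed database port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def allowed(pkt: Packet) -> bool:
    """Return True only for traffic the policy explicitly permits."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Rule 1: approved partner addresses reach the dev server over SSH or
    # secure HTTP only; telnet, ftp and everything else is refused.
    if dst == DEV_SERVER and pkt.dport in (SSH, HTTPS):
        return any(src in net for net in PARTNER_NETS)
    # Rule 2: the dev server may call the database server on its service
    # port and nothing else on the internal network.
    if src == DEV_SERVER and dst == DB_SERVER and pkt.dport == DB_PORT:
        return True
    return False


def audit(packets):
    """Pair each packet with its decision, for reviewing a captured sample."""
    return [(p, allowed(p)) for p in packets]


if __name__ == "__main__":
    for p, ok in audit([Packet("203.0.113.5", "192.0.2.10", 22),
                        Packet("203.0.113.5", "192.0.2.10", 23),
                        Packet("192.0.2.10", "10.0.5.21", 1521)]):
        print(p, "ALLOW" if ok else "DENY")
```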

Pointers

+ A wide range of information on firewall products and practices can be found at http://www.yahoo.com/Computers_and_Internet/Security_and_Encryption/Firewalls/

+ SSH servers start at about $500. Client software costs about $100 per user. Visit http://www.datafellows.com/f-secure/fnetsys.htm for details on the popular F-Secure SSH server from Data Fellows Inc. of San Jose.

+ Download a copy of SATAN from Ohio State University at ftp://ftp.net.ohio-state.edux/pub/security/satan/.
