By Brad Gilmer
Given that computer networks have found their way into the core operations of television facilities, what specific steps can we take to keep our networks secure while still taking advantage of the benefits of networking? First and foremost, do not connect critical computers, such as on-air automation systems, directly to the Internet.
Figure 1. Network address translation hides the true IP address of a computer inside the firewall.
In fact, do not connect these systems to other networks inside your own building. If you need to download files from the Internet, do it on a separate computer and then transfer the files (after antivirus scanning) to your on-air network. Also, do not allow e-mail to run on critical systems. E-mail viruses are commonplace now. All it takes is one e-mail message with a viral attachment to take down your entire system.
Why is it important to avoid connections to the Internet? Because that is where most threats come from these days. There are thousands of computers out on the Internet running robot programs, sometimes called ‘bots’. These programs probe computers at random, looking for security holes and collecting information such as IP address, NETBIOS computer name and operating system information. At best, these probes steal cycles away from time-critical applications such as automation. At worst, these probes allow someone to collect information about the vulnerabilities of your system.
Protect against viruses
Viruses are fairly common. For this reason, you should provide antivirus protection for every computer on your network, and it goes without saying that you should update the virus definition files frequently. Virus definition files contain information that allows the antivirus software to identify and neutralize viruses. Antivirus software vendors update their definitions all the time. Having the latest definitions is critical to computer security.
In the old days, viruses were usually spread through contaminated floppy disks. Now that network file transfers have largely replaced floppies, virus programmers have changed their strategy. Most viruses are spread through e-mail attachments. This is why e-mail should not be allowed on critical systems.
What about computers that are critical but that must run e-mail (newsroom systems for example)? Be sure to use antivirus software that quarantines your messages until they have been scanned for viruses. If you are working in a newsroom environment, you probably have a stand-alone mail server. Install a virus scanner on your e-mail server to scan all incoming e-mail. This allows you to provide e-mail protection from a central location and avoids the hassle of updating virus definitions at every desktop.
Figure 2. Port address translation allows you to forward requests for a specific port to another machine on your internal network.
Do not open attachments from people you do not know. The attachments may contain viral scripts. Be very careful in opening attachments from people you do know. Remember that the virus may have mailed itself to you. Some virus programs infiltrate e-mail programs, and propagate by sending a message to everyone in the user’s address book. Finally, do not open executable attachments unless you know they are clean. Executable attachments are programs that run on the computer. These may be identified by their extension — .exe, .com, .asp, etc. There are many other extensions that are executable, so be wary.
Many facilities today have full-time Internet connections. More than likely, this connection runs through a router at the demarcation point between the Internet service provider and your equipment. Be sure that the router is set properly to provide network address translation (NAT) and port address translation (PAT). NAT conceals the IP addresses of internal machines from the Internet, making it much more difficult to locate and attack a particular machine. With NAT enabled, any message sent to the Internet is modified so that it appears that the message originated from the router. In Figure 1, any messages coming from the internal desktop PC with an IP address of 192.168.1.3 will be modified so that the PC on the Internet sees them as originating from the firewall with an IP address of 220.127.116.11. A query from the PC on the Internet sent to 192.168.1.3 will likely return an error. This is important because the router keeps the PC on the Internet from connecting directly with the desktop PC. It also makes it more difficult to break into an internal PC or server because the person attempting to break into the device must first guess its IP address.
Another way routers limit access is to allow communication only to authorized ports. The Internet functions by using well-known port addresses. For example, when you point your Web browser at a particular URL, the browser will automatically attempt to connect to port 80 unless you tell it otherwise. Web servers are designed to listen to requests incoming on port 80. If a network administrator wants to block incoming Web access, he or she can program the router to reject all communications with port 80 inside the firewall. For a complete list of port numbers, go to www.iana.org/assignments/port-numbers.
Installing a personal firewall provides protection from people trying to get access to your computer. This alert shows that someone is trying to access your computer using NETBIOS. Figure courtesy of Zone Labs. Copyright 2002 Zone Labs. All rights reserved.
If the firewall is configured to drop requests to the port without responding, a computer making a request on that port will receive absolutely no response. Computers on the outside of the firewall cannot determine whether a computer associated with that port exists. For example, you may decide to block all NETBIOS requests coming from the Internet, just in case someone on your internal network leaves their computer open on these ports.
You may want to configure the router to perform Port Address Translation (PAT) to conceal the address of a Web server behind your firewall. Using PAT, you can configure the router so that any requests that come in on port 80 are automatically forwarded to a separate Web server. Doing this allows you to run a Web server without exposing it directly to the Internet.
How can you be sure that your router is providing NAT, hiding ports and performing PAT? From a computer on the inside network, point your browser to Steve Gibson’s Web site, www.grc.com, and go to the “Shields Up” section. Steve has done a great service to the Internet community by providing a free site that probes routers and firewalls for security holes. This probe is totally non-destructive; its only function is to report back to you any security holes it finds. If you do find that various ports are open, or that Steve can determine your NETBIOS computer name, you may want to contact your ISP to have them tighten up security on your router.
Security is not only a desktop or server issue. If you travel with a laptop, you should use a personal firewall. Personal firewalls are protective programs that run on your computer, blocking unauthorized communications. When you first install firewall software, you may be surprised at the number of messages you get. It is important to know that not all of these messages are caused by intruders trying to break into your computer. Many of them are caused by software packages interacting over the Internet in completely benign ways. In any case, when you see the warnings, you may feel better knowing that you are running a firewall.
Software updates and backups
One thing you can do to improve the security of your systems is to check for software updates frequently. Almost all software vendors work very hard to block any known security holes. When they do, they frequently make updated programs available to customers free of charge. One such company is Microsoft. Point a browser to windowsupdate.microsoft.com and Microsoft will check your system and then suggest a list of updates you may want. Most of these updates tend to relate to security. Many other vendors provide update service as well.
One of the least expensive security solutions is to backup your system regularly. There is no way to make your computer absolutely bulletproof. It is likely that sooner or later you will have a computer problem related to security. When you do, you may be very glad that you have a full backup on hand.
Finally, while the threats from e-mail viruses and break-ins over the Internet are real, it is good to keep things in perspective. As engineers, the methods you employ to tighten security may have an adverse impact on the people who operate the facility on a daily basis. Remember to balance your response with any inconvenience the cure may cause.
- Do not connect critical computers to the Internet, either through full-time connection or dial-up.
- Provide antivirus protection on EVERY computer.
- Update antivirus software regularly.
- Update other software packages regularly.
- Use a router to hide your computer.
- Use a personal firewall on laptops to block intruders.
- Make backups.
Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association and executive director of the Video Services Forum.