Communications controls (also called network controls) secure the movement of data across networks. Communications controls consist of firewalls, antimalware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), secure socket layer (SSL), and employee monitoring systems.
Firewalls
A firewall is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network.
Simply, firewalls prevent unauthorized Internet users from accessing private networks. All messages entering or leaving your company’s network pass through a firewall.
The firewall examines each message and blocks those that do not meet specified security rules.
Firewalls range from simple, for home use, to very complex for organizational use. Figure (a) illustrates a basic firewall for a home computer. In this case, the firewall is implemented as software on the home computer.
Figure (b) shows an organization that has implemented an external firewall, which faces the Internet, and an internal firewall, which faces the company network. Corporate firewalls typically consist of software running on a computer dedicated to the task.
A demilitarized zone (DMZ) is located between the two firewalls. Messages from the Internet must first pass through the external firewall. If they conform to the defined security rules, they are then sent to company servers located in the DMZ.
These servers typically handle Web page requests and e-mail. Any messages designated for the company’s internal network must pass through the internal firewall, again with its own defined security rules, to gain access to the company’s private network.
The danger from viruses and worms is so severe that many organizations are placing firewalls at strategic points inside their private networks. In this way, if a virus or worm does get through both the external and internal firewalls, then the internal damage may be contained.
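To make the two-firewall arrangement in Figure (b) concrete, the following added example (not part of the original text, and not any vendor's product) simulates an external and an internal packet filter around a DMZ. Addresses, ports, and rules are constructed: 192.0.2.0/24 stands in for the DMZ, 10.0.0.0/8 for the private company network, and the only permitted path into the private network is from the DMZ web server to a database port. Each firewall applies "first matching rule wins, otherwise deny", so anything not explicitly allowed is blocked.

```python
"""Two-tier firewall with a DMZ, as a packet-filter simulation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source address must fall in
    dst: str               # CIDR the destination address must fall in
    dports: frozenset      # permitted destination ports; empty means any port
    proto: str = "tcp"

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


def evaluate(rules, pkt):
    """First matching rule wins; default deny if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed address plan (documentation and private ranges only).
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "192.0.2.10/32"
MAIL_SERVER = "192.0.2.25/32"
DB_SERVER = "10.1.1.5/32"

# External firewall: the Internet may reach only the public-facing DMZ services.
EXTERNAL_RULES = [
    Rule("allow", INTERNET, WEB_SERVER, frozenset({80, 443})),
    Rule("allow", INTERNET, MAIL_SERVER, frozenset({25})),
]

# Internal firewall: only the DMZ web server may talk to the database, on one port.
INTERNAL_RULES = [
    Rule("allow", WEB_SERVER, DB_SERVER, frozenset({5432})),
]


def firewalls_on_path(pkt):
    """Which firewalls a packet crosses, given where it comes from and goes to."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    from_internet = src not in ip_network(DMZ) and src not in ip_network(INTERNAL)
    hops = []
    if from_internet:
        hops.append(("external", EXTERNAL_RULES))
    if dst in ip_network(INTERNAL) and src not in ip_network(INTERNAL):
        hops.append(("internal", INTERNAL_RULES))
    return hops


def path_decision(pkt):
    """Walk the packet through every firewall on its path; the first deny stops it."""
    for name, rules in firewalls_on_path(pkt):
        if evaluate(rules, pkt) == "deny":
            return f"denied by {name} firewall"
    return "allowed"


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "192.0.2.10", 443),
                Packet("203.0.113.7", "10.1.1.5", 5432),
                Packet("192.0.2.10", "10.1.1.5", 5432),
                Packet("192.0.2.25", "10.1.1.5", 5432)):
        print(pkt, "->", path_decision(pkt))
```

Note that a packet from the Internet addressed directly to the database never reaches the internal firewall: the external firewall has no rule for it and drops it, which is the point of keeping only public services in the DMZ.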
Anti-malware Systems
Anti-malware systems, also called antivirus, or AV, software, are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
AV software is implemented at the organizational level by the information systems department.
There are currently hundreds of AV software packages available. Among the best known are Norton AntiVirus (www.symantec.com), McAfee VirusScan (www.mcafee.com), and Trend Micro PC-cillin (www.trendmicro.com).
Anti-malware systems are generally reactive. Whereas firewalls filter network traffic according to categories of activities likely to cause problems, anti-malware systems filter traffic according to a database of specific problems.
These systems create definitions, or signatures, of various types of malware and then update these signatures in their products.
The anti-malware software then examines suspicious computer code to determine whether it matches a known signature.
If the software identifies a match, it removes the code. For this reason, organizations regularly update their malware definitions.
Because malware is such a serious problem, the leading vendors are rapidly developing anti-malware systems that function proactively as well as reactively.
These systems evaluate behavior rather than relying entirely on signature matching. In theory, therefore, it is possible to catch malware before it can infect systems.
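The contrast between reactive signature matching and proactive behaviour evaluation is easier to see in code. The following added example is not from the original text or from any AV vendor; the signature database, the sample files, and the sandbox "behaviours" are all constructed. A sample that matches a known hash or byte pattern is caught reactively; a sample with no definition yet is still flagged when its observed behaviour scores above a threshold.

```python
"""Reactive signature matching versus proactive behaviour scoring (constructed samples)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes
    # Constructed sandbox observations of what the sample does when executed.
    behaviours: tuple = ()


# --- Reactive layer: signature database -------------------------------------
# A "signature" here is either a full-file SHA-256 or a byte pattern shared by
# a malware family. Both are constructed for this example.
KNOWN_WORM = b"CONSTRUCTED-WORM-FAMILY-A payload bytes"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_WORM).hexdigest(): "Worm.FamilyA"}
PATTERN_SIGNATURES = {b"CONSTRUCTED-WORM-FAMILY-A": "Worm.FamilyA.gen"}


def signature_match(sample):
    """Return the signature name if the sample matches a definition, else None."""
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in sample.content:
            return name
    return None


# --- Proactive layer: behaviour scoring -------------------------------------
# Weights are constructed; a real engine tunes them against large corpora.
BEHAVIOUR_WEIGHTS = {
    "copies_self_to_other_dir": 3,
    "registers_autostart": 3,
    "scans_network_for_hosts": 4,
    "disables_security_tool": 5,
    "writes_user_document": 0,      # ordinary application behaviour
    "opens_network_connection": 1,  # common, so only weakly suspicious
}
BEHAVIOUR_THRESHOLD = 6


def behaviour_score(sample):
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in sample.behaviours)


def classify(sample):
    """Signature hit first (cheap and precise); otherwise fall back to behaviour."""
    sig = signature_match(sample)
    if sig:
        return ("malicious", f"signature:{sig}")
    score = behaviour_score(sample)
    if score >= BEHAVIOUR_THRESHOLD:
        return ("suspicious", f"behaviour_score:{score}")
    return ("clean", f"behaviour_score:{score}")


# Constructed samples: a known worm, a repacked variant that keeps the family
# pattern, a brand-new family with no definition, and an ordinary editor.
SAMPLES = [
    Sample("known_worm.bin", KNOWN_WORM, ("copies_self_to_other_dir",)),
    Sample("variant.bin", b"CONSTRUCTED-WORM-FAMILY-A repacked", ()),
    Sample("new_family.bin", b"no definition exists yet",
           ("copies_self_to_other_dir", "registers_autostart", "scans_network_for_hosts")),
    Sample("editor.bin", b"ordinary program",
           ("writes_user_document", "opens_network_connection")),
]


def scan_all(samples=SAMPLES):
    return {s.name: classify(s) for s in samples}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:16} {verdict}")
```

The new family is the case the text describes: no signature exists, so a purely reactive scanner would pass it, but its behaviour score (3 + 3 + 4 = 10) crosses the threshold. The editor shows the cost of the proactive layer: it must be tuned so that normal activity such as opening a network connection does not trip it.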
Whitelisting and Blacklisting
A report by the Yankee Group (www.yankeegroup.com), a technology research and consulting firm, stated that 99 percent of organizations had installed anti-malware systems, but 62 percent still suffered malware attacks.
As we have seen, antimalware systems are usually reactive, and malware continues to infect companies. One solution to this problem is whitelisting. Whitelisting is a process in which a company identifies the software that it will allow to run on its computers.
Whitelisting permits acceptable software to run, and it either prevents any other software from running or it lets new software run in a quarantined environment until the company can verify its validity.
Whereas whitelisting allows nothing to run unless it is on the whitelist, blacklisting allows everything to run unless it is on the blacklist.
A blacklist, then, includes certain types of software that are not allowed to run in the company environment.
For example, a company might blacklist peer-to-peer file sharing on its systems. In addition to software, people, devices, and Web sites can also be whitelisted and blacklisted.
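The default-deny versus default-allow difference between whitelisting and blacklisting can be shown with a small execution-policy check. This is an added example, not from the original text or from any product: the program inventory, hashes, and categories are constructed. The whitelist identifies software by file hash, so a modified copy of an approved program no longer matches and is quarantined; the blacklist only stops the categories it has been told about, so anything unknown runs.

```python
"""Whitelist (default deny) versus blacklist (default allow) execution policy."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    path: str
    content: bytes      # constructed file bytes; hashed to identify the program
    category: str = ""  # e.g. "p2p-filesharing", "office"; empty if unknown

    @property
    def digest(self):
        return hashlib.sha256(self.content).hexdigest()


# Constructed inventory of programs found on a workstation.
OFFICE = Program("C:/Program Files/Office/winword.exe", b"office-v1", "office")
P2P = Program("C:/Users/u/Downloads/p2pshare.exe", b"p2p-v3", "p2p-filesharing")
NEW_TOOL = Program("C:/Users/u/Downloads/newtool.exe", b"unknown-v0", "")
# A copy of the office program whose bytes have been altered after approval.
TAMPERED_OFFICE = Program("C:/Users/u/Downloads/winword.exe", b"office-v1-modified", "office")

# Whitelist: hashes of software the company has verified and allows to run.
ALLOWLIST = {OFFICE.digest}
# Blacklist: categories of software the company forbids.
BLOCKLIST_CATEGORIES = {"p2p-filesharing"}


def whitelist_decision(program, allow_hashes=ALLOWLIST):
    """Nothing runs unless it is on the list; unknown software is quarantined."""
    if program.digest in allow_hashes:
        return "run"
    return "quarantine"


def blacklist_decision(program, blocked=BLOCKLIST_CATEGORIES):
    """Everything runs unless its category is on the list."""
    if program.category in blocked:
        return "block"
    return "run"


def compare(programs):
    """Side-by-side decisions for each program under both policies."""
    return {p.path: {"whitelist": whitelist_decision(p),
                     "blacklist": blacklist_decision(p)}
            for p in programs}


if __name__ == "__main__":
    for path, decision in compare([OFFICE, P2P, NEW_TOOL, TAMPERED_OFFICE]).items():
        print(f"{path:45} {decision}")
```

The two policies agree on the approved office program and on the peer-to-peer client; they part ways on the unknown tool and on the tampered copy, which the blacklist lets run because neither belongs to a forbidden category.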
Secure Socket Layer
Secure socket layer, now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking. TLS encrypts and decrypts data between a Web server and a browser end to end. TLS is indicated by a URL that begins with “https” rather than “http,” and it often displays a small padlock icon in the browser’s status bar. Using a padlock icon to indicate a secure connection and placing this icon in a browser’s status bar are artifacts of specific browsers. Other browsers use different icons. The important thing to remember is that browsers usually provide visual confirmation of a secure connection.
Employee Monitoring Systems
Many companies are taking a proactive approach to protecting their networks against what they view as one of their major security threats, namely, employee mistakes. These companies are implementing employee monitoring systems, which monitor their employees’ computers, e-mail activities, and Internet surfing activities. These products are useful to identify employees who spend too much time surfing on the Internet for personal reasons, who visit questionable Web sites, or who download music illegally. Vendors that provide monitoring software include SpectorSoft (www.spectorsoft.com) and Websense (www.websense.com).
Virtual Private Networking
A virtual private network is a private network that uses a public network (usually the Internet) to connect users.
VPNs essentially integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the organization’s networks.
VPNs are called virtual because they have no separate physical existence. They use the public Internet as their infrastructure.
They are created by using log-ins, encryption, and other techniques to enhance the user’s privacy, that is, the right to be left alone and to be free of unreasonable personal intrusion.
VPNs have several advantages.
First, they allow remote users to access the company network.
Second, they provide flexibility. That is, mobile users can access the organization’s network from properly configured remote devices.
Third, organizations can impose their security policies through VPNs.
For example, an organization may dictate that only corporate e-mail applications are available to users when they connect from unmanaged devices. To provide secure transmissions, VPNs use a process called tunneling. Tunneling encrypts each data packet to be sent and places each encrypted packet inside another packet. In this manner, the packet can travel across the Internet with confidentiality, authentication, and integrity. The figure below illustrates a VPN and tunneling.
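The tunneling step described above, as an added example that is not part of the original text and does not reproduce any real VPN protocol: an inner packet with private addresses is encrypted, wrapped in an outer packet addressed between two public gateway addresses, and protected by an authentication tag. Everything is constructed and uses only the Python standard library; the cipher is a counter-mode keystream built from HMAC-SHA256 with a separate HMAC tag (encrypt-then-MAC), chosen so the example runs without third-party packages. Real VPNs such as IPsec or TLS-based products use standardised authenticated encryption instead, but the encapsulation structure is the same.

```python
"""VPN tunnelling: encrypt an inner packet and carry it inside an outer packet."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class InnerPacket:
    src: str        # private address inside the company network (constructed)
    dst: str
    payload: bytes

    def to_bytes(self):
        s, d = self.src.encode(), self.dst.encode()
        return struct.pack("!BB", len(s), len(d)) + s + d + self.payload

    @classmethod
    def from_bytes(cls, raw):
        ls, ld = struct.unpack("!BB", raw[:2])
        src = raw[2:2 + ls].decode()
        dst = raw[2 + ls:2 + ls + ld].decode()
        return cls(src, dst, raw[2 + ls + ld:])


@dataclass(frozen=True)
class OuterPacket:
    src: str        # public address of the sending VPN gateway
    dst: str        # public address of the receiving VPN gateway
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_keys(shared_secret):
    """Separate encryption and integrity keys from one pre-shared secret."""
    enc = hmac.new(shared_secret, b"tunnel-encryption", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"tunnel-integrity", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, nonce, length):
    """Counter-mode keystream with HMAC-SHA256 as the PRF (illustrative only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _auth_input(src, dst, nonce, ciphertext):
    # The tag covers the outer header too, so gateway addresses cannot be swapped.
    return src.encode() + b"\0" + dst.encode() + b"\0" + nonce + ciphertext


def encapsulate(inner, shared_secret, gw_src, gw_dst):
    """Encrypt the inner packet and place it inside an outer packet."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(16)
    plain = inner.to_bytes()
    ciphertext = bytes(p ^ k for p, k in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, _auth_input(gw_src, gw_dst, nonce, ciphertext), hashlib.sha256).digest()
    return OuterPacket(gw_src, gw_dst, nonce, ciphertext, tag)


def decapsulate(outer, shared_secret):
    """Verify the tag before decrypting; a failed check drops the packet."""
    enc_key, mac_key = derive_keys(shared_secret)
    expected = hmac.new(mac_key, _auth_input(outer.src, outer.dst, outer.nonce, outer.ciphertext),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, outer.tag):
        raise ValueError("integrity check failed: packet dropped")
    plain = bytes(c ^ k for c, k in zip(outer.ciphertext,
                                        keystream(enc_key, outer.nonce, len(outer.ciphertext))))
    return InnerPacket.from_bytes(plain)


def roundtrip_demo():
    """Send one constructed packet through the tunnel and probe the guarantees."""
    secret = b"constructed-preshared-secret"
    inner = InnerPacket("10.0.1.5", "10.0.2.9", b"GET /payroll HTTP/1.1")
    outer = encapsulate(inner, secret, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(outer, secret)
    tampered = OuterPacket(outer.src, outer.dst, outer.nonce,
                           bytes([outer.ciphertext[0] ^ 0x01]) + outer.ciphertext[1:], outer.tag)

    def rejected(pkt, key):
        try:
            decapsulate(pkt, key)
            return False
        except ValueError:
            return True

    return {
        "recovered": recovered == inner,
        "payload_hidden": inner.payload not in outer.ciphertext,
        "private_addresses_hidden": b"10.0.1.5" not in outer.ciphertext,
        "tamper_rejected": rejected(tampered, secret),
        "wrong_key_rejected": rejected(outer, b"other-secret"),
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

On the wire only the two gateway addresses, a nonce, ciphertext, and a tag are visible; the private addresses and payload of the inner packet are recovered only by a gateway holding the shared secret, and any alteration in transit fails the tag check before decryption is attempted.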