Chapter 8 Securing Information Systems 349
virtual private networks, intrusion detection systems, and Web content filtering
and antispam software. These comprehensive security management products
are called unified threat management (UTM) systems. Although initially
aimed at small and medium-sized businesses, UTM products are available for
all sizes of networks. Leading UTM vendors include Crossbeam, Fortinet,
and Check Point, and networking vendors such as Cisco Systems and Juniper
Networks provide some UTM capabilities in their equipment.
SECURING WIRELESS NETWORKS
The initial security standard developed for Wi-Fi, called Wired Equivalent
Privacy (WEP), is not very effective because its encryption keys are relatively
easy to crack. WEP provides some margin of security, however, if users remember
to enable it. Corporations can further improve Wi-Fi security by using it
in conjunction with virtual private network (VPN) technology when accessing
internal corporate data.
In June 2004, the Wi-Fi Alliance industry trade group finalized the 802.11i
specification (also referred to as Wi-Fi Protected Access 2 or WPA2) that
replaces WEP with stronger security standards. Instead of the static encryption
keys used in WEP, the new standard uses much longer keys that continually
change, making them harder to crack. It also employs an encrypted authentication
system with a central authentication server to ensure that only authorized
users access the network.
ENCRYPTION AND PUBLIC KEY INFRASTRUCTURE
Many businesses use encryption to protect digital information that they store,
physically transfer, or send over the Internet. Encryption is the process of
transforming plain text or data into cipher text that cannot be read by anyone
other than the sender and the intended receiver. Data are encrypted by using a
secret numerical code, called an encryption key, that transforms plain data into
cipher text. The message must be decrypted by the receiver.
Two methods for encrypting network traffic on the Web are SSL and S-HTTP.
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS)
enable client and server computers to manage encryption and decryption
activities as they communicate with each other during a secure Web session.
Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used
for encrypting data flowing over the Internet, but it is limited to individual
messages, whereas SSL and TLS are designed to establish a secure connection
between two computers.
The capability to generate secure sessions is built into Internet client browser
software and servers. The client and the server negotiate what key and what
level of security to use. Once a secure session is established between the client
and the server, all messages in that session are encrypted.
There are two alternative methods of encryption: symmetric key encryption
and public key encryption. In symmetric key encryption, the sender and
receiver establish a secure Internet session by creating a single encryption key
and sending it to the receiver so both the sender and receiver share the same
key. The strength of the encryption key is measured by its bit length. Today, a
typical key will be 128 bits long (a string of 128 binary digits).
The problem with all symmetric encryption schemes is that the key itself
must be shared somehow among the senders and receivers, which exposes
the key to outsiders who may intercept it and then decrypt every message sent under it.
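The following Python example, added here and not part of the textbook, models the symmetric scheme and the key-distribution problem described above: a 128-bit key is generated, encrypts a message, and must travel to the receiver; anyone who copies the channel obtains the same key and recovers the same plaintext. The cipher is a constructed counter-mode keystream built from HMAC-SHA256 (chosen because the standard library has no AES), the message and channel contents are constructed sample values, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_BITS = 128  # the "typical 128-bit key" mentioned in the text


def generate_key() -> bytes:
    """Create a random symmetric key of KEY_BITS bits (16 bytes)."""
    return secrets.token_bytes(KEY_BITS // 8)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce in counter mode.
    Toy construction for illustration (HMAC-SHA256 as the block function);
    a production system would use AES-GCM or ChaCha20-Poly1305 instead."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out.extend(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh nonce keeps the keystream unique."""
    nonce = secrets.token_bytes(16)
    stream = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, message: bytes) -> bytes:
    """Symmetric: decryption uses exactly the same key as encryption."""
    nonce, ciphertext = message[:16], message[16:]
    stream = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def key_distribution_demo() -> dict:
    """Sender creates the key and sends it with the data; whoever can read
    the channel gets the same bytes the receiver does (constructed sample)."""
    key = generate_key()
    plaintext = b"quarterly results: constructed sample message"
    channel = {"key": key, "data": encrypt(key, plaintext)}  # both sent in the clear
    eavesdropper_copy = dict(channel)  # passive interception duplicates the channel
    return {
        "receiver_plaintext": decrypt(channel["key"], channel["data"]),
        "eavesdropper_plaintext": decrypt(eavesdropper_copy["key"], eavesdropper_copy["data"]),
        "wrong_key_plaintext": decrypt(generate_key(), channel["data"]),
    }
```

The third result shows that without the key the ciphertext stays unreadable, which is exactly why the key's transport, not the cipher, is the weak point of the scheme.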
MIS_13_Ch_08 Global.indd 349 1/17/2013 3:10:23 PM