Client-Server Security
Why Client Server Environments are so Popular
Client-server environments are popular because they increase application processing efficiency while reducing costs and gaining the maximum benefit from all resources working together. These benefits are gained by splitting processing between the client machine/software and server machine/software. Each process works independently but in cooperation and compatibility with other machines and applications (or pieces of applications).
All independent processing must be performed to complete the requested service. Cooperation of application processing produces another client-server advantage, it reduces network traffic. Since each node (client and/or server) performs part of the processing within itself, network communication can be kept to a minimum. For example, static processes, like menus or edits, usually take place on the client-side. The server, on the other hand, is responsible for processes like updating and reporting.
There are three components to client-server environments: the client, the server (there may be multiple servers), and the network. The network bridges the physical and functional separation between the client and the server. The multiple connections possible between clients and multiple servers really provides the visual of a web or network. Networks provide a flexible environment where clients can mix and match hardware, software, and operating systems.
However, the very characteristic that make client-servers popular are also what make it the most vulnerable to breaches in security. It is precisely the distribution of services between client and server that open them up to damage, fraud, and misuse. Security consideration must include the host systems, personal computers (PCs), local area networks (LANs), global wide area networks (WANs), and users. Because security investments don’t produce immediately visible returns and client-server buyers sometimes don’t educate themselves about security, this area of development is often overlooked until a problem occurs.
This article will discuss the different components of client-server technology that require security. Finally, we will discuss endpoint security and its most common forms, such as firewalls and anti-virus technology.
Client and User Security
Desktops are the front-end system devices, the ones that deal most directly with user input. They are also the least secure environments in client-server models. Clients connect to servers and these connections, if left open or not secured, provide entry points for hackers and other intruders that may use data for nefarious purposes. Aside from physical client security in the form of disk drive locks or diskless workstations that prohibit the loading of unauthorized software or viruses, accessibility to all files stored on a workstation operating system is the other gaping security hole in clients.
For example, the machine assumes that whoever turns on the computer is the owner of all the files stored on it. They even have access to configuration files. This could result in sabotage or the leaking of sensitive data. The transmission of corrupted data may also occur on the level of the operating system, outside the realm of client-server application security, as data is transferred to different tiers of the architecture.
However, the primary culprits of breaching client security are not hackers or viruses, but the users themselves. The front-line of defense in client security is user identification and authentication. The easiest way to gain illegal access to computers is to get users’ login ID and passwords. Sometimes users pick short or easily guessed passwords or share their passwords with others.
Password management provides a security measurement for this by requiring a minimum amount of characters to be used in passwords checking passwords for guessability, and regularly asking users to change their passwords. For example, more organizations are adopting policies of ‘passphrases’ rather than passwords that are more complicated and harder to identify or guess.
According to ‘networkworld.com’, which conducts tests on new technology to compile its ‘best products’ issue, the best client-side security product is McAfee’s Secure Web Gateway. In its testing, it deflected most spyware attacks. The system contains a scheme (minimalist, multi-paradigm programming language) that proactively detects and blocks spyware. It also updates daily. Gateways are nodes on a network that create entrances to other networks. It routes traffic from workstations to broader networks. Therefore, securing the gateways will prevent malware from ever reaching the client. OmniQuad’s Antispy Enterprise also won high marks from ‘networkworld.com’ testers.
Server and Network Security
Security is often thought of only in terms of protecting software. However, any security plan should be implicated hierarchically at every level. Servers must be located in secure, access-controlled environments. Only authorized personnel should be allowed to supervise and administer it.
Essentially, server security is the controlling of access to the database server itself. The server must be attached to a stable power supply that provides backup up power if the there’s a problem with the supply. This enables the server to shut down in a way that protects data and causes the least amount of damage. They should comply with business standards in password policy to protect database access.
Encryption also protects data through advanced DES (Data Encryption Standard) mechanisms or cryptograms. The degree of encryption depends on government standards. Database servers should not be visible to the world. (Web servers, however, are and require specific security measurements, since they support anonymous connections.)
For security and performance issues, the database backend should never be on the same machine as the web server with its open connections. To secure the database, the server should be configured to accept only trusted IP addresses. If the database is a backend for a web server, the IP address of the web server should be the only address that can access the database server. Another security gap in servers emerges from increasingly dynamic applications that allow on-line upgrades and can infiltrate the database server.
Networks are vulnerable to intruders who ‘sniff’ or eavesdrop on networks that can contain sensitive company information, passwords, and other potential company weaknesses. Secure networks should conform to four principles that form a ‘trusted computing base’ (TCB). These are:
1) identification and authorization,
2) discretionary control
3) audit, and
4) object re-use.
Identification determines the user’s identity. The user is then authenticated through a password or the completion of a registration form or some other access-controlling barrier. Authentication also ensures the identity stays consistent across time. Authorization defines what the user is allowed to do, what processes users have access to. Discretionary access control (DAC) is a security system that gives users, processes, and devices specified permissions to gain access to system resources in clearly defined ways.
Audits are systematic evaluations of the security of a company’s information systems. Audits examine the most secure physical configuration of hardware and software connections, how information is handled, and user practices. Object reuse takes a storage medium that contains one or more objects. It protects network security by ensuring that all residual data from previous objects is removed before the storage can be re-assigned.
Endpoint Security, Firewalls, Anti-Virus Software, and Anti-Spyware
There are several types of client-server security strategies. One example of client-server security is called endpoint security. This type of security includes simpler forms of itself, such as firewalls and anti-virus software.
In endpoint security programs, security software in the form of a client program is downloaded to every endpoint or user device connected to the network being protected. The security program is hosted on a server or gateway. This centralizes security and takes care of updates, login verification and patches. A patch is a quick-fix for a programming bug that develops during product-testing.
Firewalls and anti-virus software offer the simplest examples of endpoint security software. Personal or desktop firewalls are software applications that protect single computers that are connected to the Internet. The connections are usually DSL or cable modem. Since these connections are always open and use static IP addresses, they are easy for intruders or hackers to break into. Firewalls work at the device level or link layer. This is between the physical machine and the transaction layer. It is the lowest level of Internet protocol, responsible for the physical connections between computers. It translates requests and responses into packets, decoding incoming packets by providing address and channel decoding. By acting on this level, firewalls control Internet connections, filter incoming and outgoing network traffic, and alert users to suspected intrusions.
Some of the top firewall products of 2007 are ZoneAlarm Pro, Outpost Firewall Pro, and Norton Personal Firewall. Anti-virus software is another example of simple endpoint security. It is a class of program that searches disk drives and other memory devices for computer viruses. The top anti-virus software applications for 2007 are BitDefender, Kaspersky, and F-Secure Anti-Virus.
Endpoint security is evolving to include other essentials such as the detection and prevention of intruders gaining access to a network, database, or workstation. Anti-spyware software is also increasing in popularity. Anti-spyware protects against programs that collect data on individuals or organizations without their knowledge for unknown uses. They can be secretly installed on computer through a new program or a virus. Some of the top anti-spyware products of 2007 include SpySweeper, CounterSpy, and Trend Micro Anti-Spyware.
