
Six Security Must-Haves for Small and Medium-Sized Government Agencies

Security is one of the toughest tasks for small and medium-sized government agencies to handle. Here's what they must focus on regarding security.

Government agencies have a high standard to uphold when it comes to security. Though some agencies enjoy the manpower, budget and logistics of a large enterprise, many government agencies operate much like small and medium-sized businesses (SMB). They have limited IT staff and budget and are chronically pressed for time.

However, they have the same public duty to protect citizens' data and confidentiality, so the security implications are just as important to the small and medium-sized government agencies (SMGA) as they are to large government organizations.

Although SMGAs face many of the same technical, logistical and staffing challenges as traditional SMBs, security is one of the toughest aspects for the SMGAs to handle. Issues such as resources, budget constraints and a lack of specialized security talent are ever-present problems.

To many in SMGAs, security remains a dark art. It's a field with a high degree of specialization that's perceived to be out of reach for many. Information within the security field often seems to be available only to those in the know. Still, SMGAs need to make security a priority, no matter how difficult the field may be perceived to be.

Here's what they must focus on regarding security.

Firewalls: Governments - large and small - have long relied upon traditional firewalls for security. A firewall protects a site in several ways. First, it only allows connections for authorized services. A server might be running a Web service and a remote login service, but only the Web service should be accessible to the public. A firewall would prevent public access to other unauthorized services.

This protection is important because there was a time when many attacks on sites came through this unintended access. Superfluous services, such as the old finger protocol, allowed intruders to obtain administrator access to a device without even logging in locally. When an attacker gains administrator access from outside a network without local access, it's known as the dreaded "remote exploit."

While traditional firewalls helped prevent this by reducing the amount of unintended access, would-be attackers have adjusted their tactics. More exploits have been discovered in available services, and services have been used in ways that were never intended, in order to gain access to local networks and systems. It has become necessary not just to lock the doors, but also to patrol the hallways of the network, so to speak.
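The firewall behaviour described above (a server that runs both a Web service and a remote login service, with only the Web service exposed to the public) can be modelled as a small default-deny rule set. The following is an added example, not code from the article or from any vendor product; the hosts, subnets, ports and rules in it are constructed for illustration.

```python
"""Added example (not from the article): a minimal default-deny packet filter.

A server runs both a Web service (80/443) and a remote login service (22).
The policy exposes only the Web service to the public and restricts remote
login to an internal management subnet. Every address, subnet and port here
is a constructed sample value.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # source network the rule applies to
    proto: str                     # "tcp" or "udp"
    dport: Optional[int]           # destination port; None means any port


# Constructed policy. First matching rule wins; no match means DENY.
POLICY: List[Rule] = [
    Rule("allow", ipaddress.ip_network("0.0.0.0/0"), "tcp", 80),
    Rule("allow", ipaddress.ip_network("0.0.0.0/0"), "tcp", 443),
    Rule("allow", ipaddress.ip_network("10.20.0.0/16"), "tcp", 22),  # mgmt subnet only
]


def decide(src_ip: str, proto: str, dport: int, policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for one inbound connection attempt."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if src in rule.src:
            return rule.action
    # Default deny: any service not explicitly authorized is unreachable,
    # which is what keeps a forgotten finger/telnet daemon off the Internet.
    return "deny"


def audit(attempts: List[Tuple[str, str, int]], policy: List[Rule] = POLICY):
    """Evaluate a batch of (src_ip, proto, dport) tuples against the policy.

    Running a list of the services you *think* are exposed through this
    before deployment is a cheap way to catch an over-broad rule.
    """
    return [(src, proto, dport, decide(src, proto, dport, policy))
            for src, proto, dport in attempts]


if __name__ == "__main__":
    # Constructed sample of inbound connection attempts.
    sample = [
        ("203.0.113.7", "tcp", 443),  # public visitor to the Web site
        ("203.0.113.7", "tcp", 22),   # public attempt at remote login
        ("10.20.5.9", "tcp", 22),     # administrator on the management subnet
        ("203.0.113.7", "tcp", 79),   # old finger service: no rule, so denied
        ("203.0.113.7", "udp", 80),   # wrong protocol for the Web rule
    ]
    for src, proto, dport, verdict in audit(sample):
        print(f"{src:>14} {proto}/{dport:<4} -> {verdict}")
```

The important property is the last line of `decide`: anything the policy does not explicitly authorize is dropped, so adding a new daemon to the server does not silently expose it.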

Keeping Web server patches updated has helped mitigate this issue, as have dutiful code audits by the various Web server vendors - Apache, Microsoft, etc. However, the landscape is always changing.

Previously the simple act of serving up a file was the Web's primary function. Web pages were largely static, and there wasn't much user interaction. But the Web has dramatically evolved.

Web Applications: Instead of static pages with limited uses, developers have created dynamic pages with nearly unlimited uses. Virtually the entire Internet is dynamic now, as just about anything useful on the Internet is a Web application, instead of a simple Web page.

Although Web applications have brought untold benefits to the Internet, they are another source of attacks. These attacks often exploit the Web application code together with the underlying development platform - such as ASP, PHP, Java, .NET, etc. - or the underlying database layer - Microsoft SQL, MySQL, Oracle, etc.

Intrusion Detection Systems (IDS): IDS devices can combat this new threat. They actively sniff the network, searching for the telltale signs of a network attack, hacking attempt or successful intrusion. If such an event is detected, the IDS reports it either directly to staff or to a secondary reporting system that alerts the staff.

The problem with this solution is that it doesn't do anything about an event except report it. Hopefully someone receives the report, is able to determine whether a security event has occurred and knows how to resolve it. There are automation systems that can react automatically based on what the IDS reported, but the integration is typically not ideal.

Intrusion Prevention System (IPS): This device can actively block attacks as they occur with no manual intervention required. An IPS still reports the event, but it can often take appropriate action on its own.

IPS devices are typically generic to the entire network in that they work with all types of traffic that may traverse an organization's network infrastructure. Such traffic might include Web, FTP, remote desktop, streaming media, peer-to-peer or other protocols.

IPS systems must be deployed deliberately to ensure that ideal network access points are monitored. It doesn't do any good to put a guard at the front door if intruders enter through the side door.
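The IDS and IPS sections above differ only in what happens after a detection: an IDS reports, an IPS reports and blocks. The following added example (not from the article or any product) makes that difference concrete with one toy sensor that replays constructed connection records, detects a single telltale pattern (one source touching many distinct ports within a few seconds) and runs in either mode. The record format, the threshold and the window are assumptions chosen for illustration.

```python
"""Added example (not from the article): a toy network sensor in IDS or IPS mode.

Input is a list of constructed connection records
    (timestamp_seconds, src_ip, dst_ip, dst_port).
Detection rule (an assumption for this example): one source opening
connections to at least PORT_THRESHOLD distinct ports within WINDOW_SECONDS.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample traffic: a normal visitor (198.51.100.9) and a probe
# (203.0.113.44) walking through several ports on the same server.
RECORDS: List[Tuple[int, str, str, int]] = [
    (100, "198.51.100.9", "10.0.0.5", 80),
    (101, "198.51.100.9", "10.0.0.5", 443),
    (130, "203.0.113.44", "10.0.0.5", 21),
    (131, "203.0.113.44", "10.0.0.5", 22),
    (131, "203.0.113.44", "10.0.0.5", 23),
    (132, "203.0.113.44", "10.0.0.5", 25),
    (132, "203.0.113.44", "10.0.0.5", 80),
    (133, "203.0.113.44", "10.0.0.5", 110),
    (134, "203.0.113.44", "10.0.0.5", 143),
    (160, "198.51.100.9", "10.0.0.5", 80),
]

PORT_THRESHOLD = 6    # distinct destination ports from one source ...
WINDOW_SECONDS = 10   # ... within this many seconds triggers an alert


def detect(records, threshold: int = PORT_THRESHOLD, window: int = WINDOW_SECONDS) -> List[dict]:
    """Return at most one alert per source, with the time the threshold was crossed."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(records):
        by_src[src].append((ts, dst, port))
    alerts = []
    for src, events in by_src.items():
        for i in range(len(events)):            # slide the window start over events
            start = events[i][0]
            seen = set()
            for ts, dst, port in events[i:]:
                if ts - start > window:
                    break
                seen.add(port)
                if len(seen) >= threshold:
                    alerts.append({"src": src, "dst": dst, "ports": sorted(seen),
                                   "detected_at": ts})
                    break
            if alerts and alerts[-1]["src"] == src:
                break                           # one alert per source is enough
    return alerts


class Sensor:
    """mode='ids': alerts are only reported.
    mode='ips': alerts are reported AND the source is blocked from the moment
    of detection, so its later connections are dropped without staff action."""

    def __init__(self, mode: str):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.reports: List[dict] = []
        self.blocked: Dict[str, int] = {}       # src_ip -> time blocking began

    def process(self, records) -> Dict[str, int]:
        alerts = detect(records)
        self.reports.extend(alerts)             # both modes report
        dropped = 0
        if self.mode == "ips":                  # only IPS acts on the report
            for alert in alerts:
                self.blocked[alert["src"]] = alert["detected_at"]
            dropped = sum(1 for ts, src, _, _ in records
                          if src in self.blocked and ts > self.blocked[src])
        return {"alerts": len(alerts), "dropped": dropped, "passed": len(records) - dropped}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        sensor = Sensor(mode)
        print(mode.upper(), sensor.process(RECORDS), sensor.reports)
```

In IDS mode the probe is reported but every one of its connections still reaches the server; in IPS mode the connection made after the threshold was crossed is dropped. The example also shows why placement matters, as the section above notes: the sensor can only react to records it actually sees.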

Web Application Firewalls (WAF): A WAF looks not only at the Internet Protocol (IP) address and port but also unpacks the network payload and inspects the actual traffic coming into a Web site. WAFs are fluent in the language of Hypertext Transfer Protocol (HTTP). By looking into the HTTP payload itself, they can match traffic against a database of known exploits. Attacks can then be intercepted and stopped at the WAF, without ever reaching the Web application.

WAFs have the benefit of typically being much simpler to implement and maintain than an IPS because there's really only one place to put them in a network. With an IPS deployment, you need to determine the best monitoring points on your network and arrange the appropriate mirrored data ports. With a WAF, it's as simple as putting the device in line with traffic.
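To show what "looking into the HTTP payload itself" means in practice, here is an added example (not from the article or any WAF vendor) of a toy WAF check. It parses a raw HTTP request, URL-decodes the fields a client controls and matches them against a small constructed signature list; a traditional firewall would see only that these requests are TCP port 80 and pass all of them. The signature names, patterns and sample requests are assumptions built for illustration.

```python
"""Added example (not from the article): a toy Web application firewall check.

It parses an HTTP/1.1 request (request line, headers, body), percent-decodes
the client-controlled fields and matches the decoded text against a small
constructed signature list. All signatures and requests are illustrative.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed signature "database" of (name, pattern). A production WAF ships
# and updates thousands of these; the point here is that matching happens on
# decoded application-layer content, not on IP addresses and ports.
SIGNATURES = [
    ("sql-injection-tautology", re.compile(r"['\"]\s*or\s+1\s*=\s*1", re.I)),
    ("path-traversal",          re.compile(r"(\.\./|\.\.\\)")),
    ("script-tag-injection",    re.compile(r"<\s*script\b", re.I)),
]


def parse_http_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body.decode("iso-8859-1")}


def inspect(raw: bytes) -> List[str]:
    """Return the names of every signature matching the decoded request.

    An empty list means the request may be passed to the Web application.
    Fields are decoded twice so that double percent-encoding does not slip a
    payload past the patterns.
    """
    req = parse_http_request(raw)
    headers = req["headers"]
    fields = [req["path"], req["query"], req["body"],
              headers.get("user-agent", ""), headers.get("cookie", "")]
    hits: List[str] = []
    for field in fields:
        decoded = unquote_plus(unquote_plus(field))
        for name, pattern in SIGNATURES:
            if pattern.search(decoded) and name not in hits:
                hits.append(name)
    return hits


def waf_decision(raw: bytes) -> str:
    """'pass' the request to the application, or 'block' it at the WAF."""
    return "block" if inspect(raw) else "pass"


if __name__ == "__main__":
    # Constructed requests: one ordinary lookup, one percent-encoded probe.
    benign = (b"GET /records?id=42 HTTP/1.1\r\nHost: agency.example\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")
    encoded = (b"GET /records?id=42%27%20OR%201%3D1 HTTP/1.1\r\n"
               b"Host: agency.example\r\n\r\n")
    for label, req in (("benign", benign), ("encoded", encoded)):
        print(f"{label}: {waf_decision(req)} {inspect(req)}")
```

Two caveats a practitioner would want: a signature-based WAF only stops what its database describes, so the database must be kept current just like the server patches mentioned earlier, and the decoding step matters as much as the patterns, because a WAF that matches on the raw, still-encoded request misses the same payload the application would happily decode.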

Application Delivery Controllers (ADC): WAFs have recently been implemented within ADCs, or load balancers as they are commonly called. All traffic for a site typically traverses the ADC, so it's the perfect place to perform this type of security check. By putting a WAF in an ADC, it's a simple matter of just turning the feature on to get the added security benefit of an application-aware firewall.

Acting as the Swiss Army knife of Web infrastructure deployment - load balancing, server health monitoring, WAFs, SSL acceleration/termination, etc. - ADCs allow a site to quickly and easily deploy Web infrastructure while providing PCI-DSS-compliant security.

Peter Melerud is vice president of product development at KEMP Technologies and has more than 20 years of experience in designing, building and managing data centers for large corporations, financial institutions and small and medium businesses. His broad technology expertise covers data center server and network communications infrastructure, enterprise business intelligence, data management, content security and compliance technologies.