Protecting systems on the Internet

Library Systems Newsletter [November 1994]

At least four "break-ins" to computer systems on the Internet occur each day, according to the Computer Emergency Response Team at Carnegie Mellon University. The actual number is probably much greater, because many incidents go unreported for fear that publicity about a specific system's vulnerability might invite other incidents. Automated library systems may not be popular targets, but as more and more libraries provide access to their automated library systems from the Internet, security becomes more important, and managers of library systems accessible over the Internet should examine the issue.

The most notorious type of break-in, corporate or government espionage, the intent of which is the theft of proprietary information, is probably of lesser interest to libraries. On the other hand, the most common type of break-in, vandalism by a hacker, the result of which is usually the damaging or alteration of files, has serious implications for libraries. A number of libraries already have been affected by this type of break-in.

The popular computerese term for a system security solution that deals with the problem of break-ins is a "firewall." The term is merely evocative and does not refer to a specific technology. The firewall is a connection or gateway between the host or internal network and the Internet that restricts the flow between them. The most common "firewalls" usually are categorized by one of the following labels: "packet-filtering," "circuit-level" (or host-based) and "application-level."

The first type, packet-filtering, usually consists of a router which filters the coming and going of "packets" of data. Most automated library systems, which serve more than one site, already include one or more routers. A programmer can configure the filtering protocols of the router to allow only specific types of transmissions through the router. This approach is easy and relatively inexpensive to implement.

If the only access over the Internet is to an online catalog, packet-filtering is a good approach. However, if libraries in a consortium, staff in remote branches, or staff working at home use Internet access for production use of the system (including the creation, editing, and deletion of acquisitions records; serials control; cataloging; and circulation), the programming of the router becomes very complex and subject to errors. In that case the next level of firewall, circuit-level, should be considered.
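The trade-off described above, as an added example that is not part of the original article: a small first-match packet filter in Python showing that a catalog-only rule set is easy to get right, while a rule set extended for staff use can contain a rule that never takes effect. The port numbers (23 for the catalog, 7001 for staff modules) and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str          # "permit" or "deny"
    src: str             # source network, CIDR notation
    port: Optional[int]  # destination TCP port; None matches any port

def decide(rules, src_ip, port):
    """First matching rule wins; a packet matching no rule is denied."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr in ipaddress.ip_network(r.src) and r.port in (None, port):
            return r.action
    return "deny"

def shadowed_conflicts(rules):
    """Return (rule, earlier_rule) index pairs where the earlier rule matches
    every packet the later one would and takes the opposite action, so the
    later rule can never take effect."""
    found = []
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(r.src)
        for j, e in enumerate(rules[:i]):
            covers = net.subnet_of(ipaddress.ip_network(e.src)) and e.port in (None, r.port)
            if covers and e.action != r.action:
                found.append((i, j))
                break
    return found

OPAC_PORT = 23     # assumption: public catalog reached over telnet
STAFF_PORT = 7001  # hypothetical port for acquisitions/circulation modules

# Constructed rule sets. Catalog-only access needs a single rule.
CATALOG_ONLY = [Rule("permit", "0.0.0.0/0", OPAC_PORT)]
# Production use: a branch network is added, then a deny for a troublesome
# network is appended at the end, where rule 0 already permits its packets.
PRODUCTION = [
    Rule("permit", "0.0.0.0/0", OPAC_PORT),
    Rule("permit", "192.0.2.0/24", STAFF_PORT),
    Rule("deny", "198.51.100.0/24", OPAC_PORT),
]
# Same rules with the deny moved ahead of the broad permit.
REORDERED = [PRODUCTION[2], PRODUCTION[0], PRODUCTION[1]]

if __name__ == "__main__":
    print(decide(PRODUCTION, "198.51.100.7", OPAC_PORT))  # deny rule is ignored
    print(shadowed_conflicts(PRODUCTION))
    print(decide(REORDERED, "198.51.100.7", OPAC_PORT))
```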

Circuit-level firewalls involve the insertion of a computer between the host or internal network and external networks. This computer performs the packet-filtering duties of a router, but can be enhanced with advanced forms of authentication. This approach may be appropriate when a number of different applications are being accessed from the Internet by a variety of users.

If certain applications are particularly important to protect, the highest level of protection is an application-level firewall. This solution involves not only hardware but also extensive programming. Code must be written to specify each application to be allowed through, and under what conditions. If a firewall vendor is used, the cost of this approach would be $30,000 and up.

For further information: Cheswick, William R. and Steven Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Reading, MA: Addison-Wesley, 1994.

To be added to an e-mail mailing list dedicated to firewalls, send the message "subscribe firewalls [your e-mail address]" to majordomo@greatcircle.com.

Publication Year: 1994
Type of Material: Article
Language: English
Published in: Library Systems Newsletter
Publication Info: Volume 14 Number 11
Issue: November 1994
Page(s): 81-82
Publisher: American Library Association
Place of Publication: Chicago, IL
Notes: Howard S. White, Editor-in-Chief; Richard W. Boss, Contributing Editor
Libraries: Carnegie Mellon University
Subject: Internet -- security
ISSN: 0277-0288