You can use methods other than network topology to secure your network. Third-party routers use packet filtering to prevent unwanted access. File system security can prevent access to portions of a disk (or partition). User account security should be configured to control access of the Guest account and others. Log on authentication in FTP and Telnet can prevent unauthorized users from accessing your servers. You can also audit access to you Internet servers using Event Log.
Commercial products exist that can create firewalls between the Internet and your LAN. Most of these products are based on filtering packets. Many third-party routers used to connect your LAN to the Internet can be configured to filter packets based on the source or destination IP address. You are able to specify the IP addresses that are allowed into your LAN. Consult dedicated router vendors for more information about the packet filtering products available.
If you create an FTP server, you can and should use NTFS security settings to control specific access to files and directories and to configure the behavior of files and directories. This security method requires the disk or disk partition to be formatted as NTFS. It is a good idea keep the files available through FTP on a disk or disk partition separate from your operating system, application, or personal files.
You use File Manager to set permissions on NTFS partitions. See the Windows NT System Guide for more information about setting file permissions with File Manager.
A basic use of file system security is creating read-only directories so Internet users will not change files. However, NTFS security is flexible and can be used for creative problem solving.
One example of using file system security to control the behavior of directories is creating a drop box for your Internet customers to leave files in. By setting the permissions on the drop box directory to write only, Internet users can place files in the drop box directory, but cannot see or copy any of the files left there by other customers. Only internal users with appropriate permissions can access the files.
File system security can also be used with other Internet server services for additional security, although the inherent nature of most other Internet server services provide more security than an FTP server.
A primary security measure that should be observed at all times is guarding the Administrator account and administrative privilege on computers connected to the Internet. Only employees with appropriate security clearances should be given the passwords for these accounts.
External Internet users access your LAN under the Guest account. You should ensure that the permissions for the Guest account on your Internet gateway is configured to provide adequate security.
If your Internet users are using any Microsoft networking client, you can use Windows NT user accounts to validate these users and define the user's permissions. These uses can still access the system without a Windows NT user account using Guest or an anonymous FTP log on.
Also note that users of two computers on the Internet with Microsoft Windows-based networking software (such as Windows NT, Windows for Workgroups, LAN Manager, or MS-DOS clients) can issue net use commands, or use File Manager or Print Manager to connect to resource on the distant computer — even if that computer is on another continent. A hacker using Windows-based software could issue a net view command and then see a list of your corporate servers. Windows-based networking client security is controlled through Windows NT user account permissions and NTFS file permissions, just as it is on the local LAN.
The FTP and Telnet server services use the Windows NT user account database to authenticate users logging on.
Important FTP and Telnet logons use clear-text for username and passwords. This is a potential security weakness.
FTP always uses user-level security, meaning you must log on to use an FTP server. You can configure the FTP server service to allow only users with valid Windows NT accounts to log on. An FTP server can also be configured to permit anonymous log on. Anonymous log on requires the user to type anonymous as their username and their Internet email address as their password. Anonymous users access files under the Guest account. You can also allow only anonymous log to a Windows NT FTP server. Anonymous-only log on is useful because real passwords are not used, thus, a valid password cannot be revealed to network snoops.
The event log can be used to track access to all of the Internet server services. The FTP server service and Telnet server service can be configured to record logons in the event log. Other Internet server services can create entries each time a file is downloaded.