The security needs of Internet-based systems are very different from those of traditional networking. For example, there is no centralized infrastructure responsible for network security. The Internet also operates on a huge global scale, with connected systems open to a user base of potentially many millions. The Internet was initially conceived and implemented to provide openness and robustness, and to ensure the network was always available for all computers to connect to it. Even though the Internet was originally a network built for 'national defense', the security of confidential information was considered secondary, because only trusted users had access to it.
In order for a business to access the full potential of the Internet and the huge user base, it must open its network and provide a shop window to promote its affairs. While most visitors will be happy to look through this window, there will always be a few 'Peeping Toms' who will attempt to see things never intended for public scrutiny. Worse still, a small number of resourceful people will go one step further—and attempt to break the window, climb through, and without a doubt cause concern and damage.
The bandits of today's superhighway can be classified into three groups:
Of course, some of these loathsome rogues, or 'hackers', will belong to more than one of these groups. As Internet technology expands, these people are always finding new and ingenious mechanisms for their attacks. Unfortunately, the severe damage they can cause is often not discovered until it is too late.
If Internet communications are to become a key component in an organization's IT strategy, a set of technologies and standards to outmaneuver these bandits is required. The technologies that we will discuss in this chapter, in order to provide secure Active Server Pages solutions, are Windows NT Security and Secure Channel Services.