TNO Physics and Electronics Laboratory


en/generiek_taal.gif (354 bytes)


This article was published earlier in: HSA H.Silver and Associates (UK) Ltd., Information Warfare conference, London 13-14th, 1997

By: H.A.M. Luiijf M.Sc. Eng. (Delft)
TNO Physics and Electronics Laboratory
P.O. Box 96864, 2509 JG Den Haag, The Netherlands

The Internet technology is rapidly being deployed, both in non-military and military environments. The reasons for the latter is that the current military environment is driven by cost reduction on one hand and trying to obtain an information advance over opposing forces on the other. New commercial-off-the-shelve (COTS) products and open standard Internet technologies are introduced in the daily military operations, especially in the peacekeeping arena.
A new Internet technology hype is intranet, where Internet technologies are applied to internal information networks.

Information security both in military and non-military environments, can sometimes be of utmost importance. The Internet environment is known for many information security threats. This paper discusses the main security issues in connecting infrastructures to open networks; the myths of firewalls and which lessons can be learned from earlier security breaches. This in the view of Information Defense.

Keywords: hacking, hackers, Internet, Intranet, information defence, information security, information warfare, firewall, COTS, PABX, telephone infrastructure


From the viewpoint of Information Defense the objective of this paper is to scare you about the insecurity of systems and networks that use Internet technologies. On the other hand, as soon as one understands the security issues and uses the technology in a well-balanced secure way, these (relatively new) wonderful technologies can be applied to increase the speed of information dissemination and intelligence gathering. From the view of Information Warfare (IW) these technologies help in obtaining an information advantage over opposing forces. Particularly during peacekeeping operations this might help to prevent escalation of conflicts.


The TNO Physics and Electronics Laboratory (TNO-FEL) is part of the Netherlands organization for Defence Research TNO, which is the main R&D organization for the Netherlands Ministry of Defence.

Seventy years ago, the predecessor of the TNO-FEL was established by the Netherlands Government to investigate "lethal beams".
The current research areas of TNO-FEL with 500 employees are: Operations Research and Business Management, Command & Control and Simulation, Telecommunications and Defence Electronics, and Observation Systems.

With respect to Information Warfare and Information Defence, TNO-FEL has many years of experience on the various subtopics of the broad Information Warfare and Defence arena.
Recently, we started a co-ordinated program on information (warfare and) defence, bringing together all our expertise which includes: command and control, electronic warfare and electronic defence, information security (a.o. firewall security, PABX security, threat and vulnerability analysis, evaluation criteria), infrastructure hardening, simulation and information infrastructure aspects of emergency management in the Netherlands.

Internet security

Internet is daily news. More and more commercial, industry and public organizations are connecting information servers to the Internet. A majority of the advertisements nowadays contain a World Wide Web address ("http://www.some-thing"). This despite the fact that the World Wide Web technology is only a few years old.

Intranets and Extranets

Intranet, the application of Internet technologies in the internal information network of an organization is a hype. Launched as a marketing slogan two years ago, organizations nowadays are scrambling to install an intranet. Even advertisements offering intranet installation services can be found in business magazines.

As intranet is a marketing invention, there are many definitions for the term "intranet". The term "extranet", the intranet extended to cooperative forces or friendly customer relations, makes the confusion even worse. The easiest way to clarify the confusion is to split the information services based upon Internet technologies from the networking infrastructure. In the following, the organization's own network infrastructure in the broadest extent, including mobile and telephone communications, will be regarded as being part of the intranet.

As intranet is a marketing invention, there are many definitions for the term "intranet". The term "extranet", the intranet extended to cooperative forces or friendly customer relations, makes the confusion even worse. The easiest way to clarify the confusion is to split the information services based upon Internet technologies from the networking infrastructure. In the following, the organization's own network infrastructure in the broadest extent, including mobile and telephone communications, will be regarded as being part of the intranet.

In the Intranet development curve we distinguish three levels of intranets: Basic Intranets (LAN connectivity of workstations with Email and WWW applications), Enhanced Intranets (multimedia information services and simple transactions, WWW generated from upon underlying database) and Advanced Intranets (complex transaction processing and organization critical processes). The first enhanced intranets are currently being installed; advanced intranets are expected around the year 2000.

Internet security and firewalls

"The only secure information system is the one that is turned off, locked in a safe and buried 5 meters down in a secret location… and I am not confident of that either"

Information security management is about taking calculated risks. Bad things (might) happen ! (ref: Murphy's law). Management is finding the balance between usability and information advance on one hand and the risk that a security threat becomes reality on the other hand. Note that "information security" encompasses not only the (military) confidentiality aspects, but also integrity, and availability.

Organizations look like fools when newspapers report that hackers have intruded their systems. Firewalls are sold by salespeople as the remedy for this hacker problem. How is it possible that systems of large, sensitive organizations like the US Air Force, Universal Studios, the Polish Government, Coca-Cola and ministries of several countries were hacked. Most of these organizations were "protected" by firewalls. Why did these firewalls fail?

Salespeople sell firewalls as the ultimate technical solution to connect an organization in a secure manner to public networks. Anyone should be able to find "his jewels" on the Internet, isn't it ? The model used is that of the organization should look like a castle protected by high walls surrounded by a deep castle-moat and a single entrance with a well-protected drawbridge: the firewall.
The function of the firewall is a single point of control for allowing or rejecting direction and type of information flows ("services") to and from the organization. There are several different firewall architectures. Prices range from US$ 8.000 up to US$ 250.000. This does not include many hours of consultancy or own hours of toil, sweat and tears.

Most of the time, the salesperson neglects to tell the IT-management that firewalls will solve only a small part of the security problem.

  • To most organizations it is unclear which organization interests need to be protected. Neither a security policy nor a security plan exists.
  • · Firewall installation and maintenance requires much toil and extensive technical knowledge. The staff configuring the firewall must have in depth knowledge of all communication protocols which must are (partially) allowed to pass through, as well as rudimentary knowledge of all other protocols that need to be rejected.
  • · Firewalls are applications that use the network layer software supported by the operating system. Both the firewall software and the network services/ operating system contain bugs and "features" that allow hackers to bypass the firewall easily.
  • · Most firewalls cannot protect you against all side effects of viruses, trojan horses and active code (Java, Javascript, ActiveX) hidden in electronic mail, net news and WWW-pages. They are not designed for that. For example, attachments of an Email might contain macro-viruses. The new Netscape Communicator supports the construction of Email messages in the form of web pages. Active code e.g. Java or Javascript may be included and passes the firewall unhindered.
  • · Daily, new possibilities and applications appear on the Internet. Users explore these applications long before the firewall security manager become aware of them. Firewalls are doomed to lag behind the new risks as a consequence of these new possibilities.
  • · Programming errors in the web client, e.g. in the Netscape browser or Microsoft's Internet Explorer, allow others to extract files from your PC or internal network during your browsing. Firewalls cannot protect you against these situations.
  • Web clients can bring down information services by triggering software errors in web servers. Even Microsoft's own information servers went down recently.
  • · Active daily management of firewalls is a necessity. The staff responsible for the maintenance of the firewall need to keep up-to-date with new technical developments, hacking threats and computer incident response messages. These need to be classified and, if necessary, result in preventive actions. The knowledge about a security hole in an operating system or network service found by hackers spreads around the globe in seconds.

Internal threats

Research studies by the UK National Computer Center (NCC), the American Society for Industrial Security (ASIS) and the Computer Security Institute (CSI; in close cooperation with the FBI) show that only 20% of the security incidents is caused by hackers and threats from the outside of an organization. The other 80% of the incidents originate within the castle walls of the organization. Thus firewalls give only protection against less than 20% of the incidents when coupling the internal network to a public network. Of course, this happens only in other organizations and not in my organization, many managers wrongfully thought before.

The stern reality of Internet security

Every IT-manager should now be aware of the security threats by hackers and other risks when connecting systems to the Internet, especially if it concerns sensitive organizations. Nevertheless, the security measures taken to protect these connections turn out to be very inadequate.

A security study by the US Defense Information Systems Agency involving over 38.000 Defense systems showed that one could enter two-third of the systems in an unauthorized way. Only 1 out of 150 system managers reported a breach of security. The US Government Accountancy Office (GAO) estimates for these systems that hackers "knock on the door" over 250.000 times per year.

Dan Farmer, one of the authors of SATAN, used SATAN to politely scan the security of a selection of web sites. Roughly one-third of the sensitive web sites showed large security weaknesses, meaning that one could get unauthorized access within 12 seconds (typing 2 to 3 commands). This is shown in the table under "red". Another third of the web sites could be broken into by more experienced hackers ("yellow indicator"). Interestingly enough, a random selection of web sites showed far better security level. A full report can be found at

Web site type
Number of web sites
Credit companies
Sex clubs etc.
Total sensitive
Control group

Almost weekly, new examples of hacked systems of sensitive organization are reported in news media. Some examples this year: "Department of Misjustice" (US Department of Justice), "Central Stupidity Agency" (CIA), a lively sex movie on the US Air Force home page, "The death squad home page" (the Los Angeles Police Department), "Hackpospolita Polska, Centrum Disinformacyjne" (the information web site of the Polish government), "a smoking ET" (Amnesti International) and at the Universal Studio's web site the "Lost World" logo with dinosaur was replaced by a "Duck World" logo.
On September 12th the Coca-Cola company found the statement "You'll begin to look what you drink, to look into your Big Mac… and then you'll begin to understand that you are sheeps." on their home page. On October 31st, Microsoft Office'97 pages were replaced by a "Halloween" page. On average, 40 hacked websites per month are reported by the hack 'stamp collector' Password files of many sites, including those of over 200 Dutch systems were found on a system in Italy.
The latest hacks, but surely enough not the last ones. It concerns organizations that should know better. The question to you is how secure are your systems and networks?

By the way, a study by the Carnegie Mellon university, showed that the average probability of a system being involved in an Internet security incident is once per 15 years. However, for high sensitive military and government sites, the odds are far worse, especially now hackers are equipped with automated tools.

Intranet and extranet security

The stern reality above shows a different picture as the ideal picture of a castle well protected by a (firewall) draw bridge. And in case you have a well managed, up-to-date secured firewall, why would hackers use that path as backdoors to you stronghold are wide open ? Years ago, the same concepts were used by the Trojans delivering a horse statue (with unexpected content). Why use the difficult way, when organizations open gates for insecure access [4].

Intranet, the network infrastructure of the organization in the broadest sense outreaches far beyond the "castle walls":

  • Managers (including high-ranking officers) take lap-tops to home and dock them at their office desk.
  • Users, especially managers, read their Email via a, often against the security policy, (GSM) telephone - modem connection.
  • (unsecured) teleworking.
  • Fax servers coupled to internal networks by people bypassing the security department.
  • Computer-telephony integration (CTI).
  • Video-teleconferencing.
  • Voice mail and Email boxes being listened to/read at distant locations via insecure lines.
  • Floppy disks that come and go.
  • Remotely maintained systems and PABXes.
  • Etceteras.
A new trend in society is that the working force is becoming more loosely connected to organizations. In the year 2015 it is expected that 25% of the people work at home, being hired to do tasks for multiple organizations.

All these new developments and trends result in a vague border between the outside and the inside of an organization. In future, this will be even more questionable. All these backdoors undermine the security model of the single firewall access to and from the organization.

Figure 2: fuzzy borders of the organization, the firewall "green lawn"
seems to have a sign "keep off the grass".
It might be in use as one of the many connectivity means.

The intranet and extranet developments are a hype. Looking at the insecurity of Internet connections as discussed before and the way organizations couple their internal networks to the outside world, one can conclude that internets are passed left, right, at the back and the front by the users. To remind you, in the organization or better said in the intranets about 80% of all security incidents take place.

Apart from the classical information technology security incidents, intranets and extranets are vulnerable to the following:

  • The management pays no attention to information security, security is not a topic "intra" their ears.
  • No threat and vulnerability analysis takes place. This causes security measures to become unrelated like loose sand. As can be expected from Murphy's Law, the most vulnerable weak spots will not be covered by security measures.
  • No preventive security measures will be taken at all.
  • In case of a computer emergency, no incident response team exists to take immediate and effective response.
  • · Intranet and extranet services intend to make it easier for the users within the organization to access information for doing their work more effectively. Users should become familiar to the wealth of information, thus why bother them with security. That users, hired people and not authorized people have access to the organization's strategic and tactical information (the "jewels") is overlooked. Reducing authorizations afterwards is a hell of a job as users claim that they need the information sources for their job. As the intranet is not built based upon an information model, it is hard to refuse those authorizations.
  • · Intranet technology looks so new, that organizations bypass their own IT department as they are slow (discussing security and responsibilities). They hire an external company to build the intranet. Security will be implemented in one of the last phases (if there is some money left).
  • Developers claim that Intranet technology requires dynamic code, as Java or ActiveX. Unfortunately, the combination of active code for intranet and user access to the Internet is deadly for the security of the intranet.
  • Network and system maintenance staff responsible for the technical information and the daily management are already overloaded. Security, most of the time, has the lowest priority, let alone that the system managers have time to learn and understand the security issues of a technologies.
  • Users install modem cards in their office systems giving them access from home or via GSM telephone to their Email. That hackers scan all phone numbers of the organization for backdoor modem accesses is overlooked.

The telephone intranet and extranet

A word or two on the telephone infrastructure of companies. As mentioned before we regard the PABX and its services as part of the companies Intranet. In many cases, the telephone infra-structure even extends across multiple departments in several buildings and/or cities. The maintenance of the telephone infrastructure and switch (PABX) is the responsibility of the technical maintenance department within organisations most of the time. The major change from complete hardware switches to fully computerised switches with many options went unnoticed by management. The fact that information security threats and vulnerabilities now also apply to the telephone system has gone unnoticed as well. Does your organisation control who and how many people know the access to the remote maintenance entrance of your telephone exchange? Do you apply the same strict password mechanisms to the PABX as you are applying to the access of your company systems via open networks? Is the re-direct calls service of your PABX secured against misuse by inside and outside people? (e.g. international *21 service to a private phone)

Conclusion: ""Do you know a better way to bring your sensitive information to the outside world than by using Intranets?"

The sooner you realize all these aspects and risks, the sooner you can start with the only way out: "integral information security".

The Solution

Are local networks (intranets) that insecure that one should not use these technologies ? Should users refrain from connecting to the Internet ? Are there no secure solutions ?
As stated earlier, information security management is managing risks. Risks can only be managed by:
  • Developing a security policy.
  • · Developing a threat and vulnerability analysis and based upon that a realistic, well balanced security plan.
  • Coaching the users to a higher level of security awareness.
  • Proper (labor intensive) management of firewalls and an open eye to backdoor entrances to the organization.

A good start is to start inside out with the network. Look at all communication possibilities with the organization, both by users and (through the eyes of) hackers. Then you are able to estimate the risks the organization takes. Firewalls, guards and other technical means are not the ultimate solution. One needs them as a (small) piece of the total security shield.

The technical aspect of information security is relatively small. Organization, procedures, education and security awareness requires the utmost exertion, but their pay-off is the highest.

Secure use of the Internet and intranet technologies is very valuable for both military and commercial organizations, it might give you an information advantage. But be sure that you have good first and second line defenses against the world of mostly internal (and some external) security threats and vulnerabilities.


  1. An Analysis of Security Incidents On the Internet 1989-1995; John D. Howard; April 7, 1997. or
  2. Who's reading your Email, Richard Behar, Fortune February 3, 1997, pp 29-36
  3. Information security web links maintained by the author: /instit/fel/intern/wkinfsec.html
  4. Information security web links maintained by the author: /instit/fel/intern/wkinfsec.html
  5. Information Warfare and Information Defence web links maintained by the author: /instit/fel/intern/wkinfdef.html
  6. A collection of collected hacked webpages as well as a registration of hacks:




Special links


Eric Luiijf



TNO-FEL. Making information work.