In the olden days, before AOL started advertising itself as the Internet, most company networks were private LANs or possibly Wide-Area Networks, consisting of a few LANs with dedicated links. In such a situation, the most effective computer security measure is obvious -- don't let unauthorized people in the 'server room' (or building). If they can't get physical access, and there's no external network access, you're pretty well covered.
Now that the Internet has made the world even smaller, and coffee shops are on the Net, that first and highest barrier -- of presence -- is gone. Of course everyone secures their servers with strong passwords (or deserves what they get), but the Internet can effectively give hackers access to your machine room, so you need to be much smarter about making up for that barrier. Intranets (and firewalls) can help you make up the loss of physical security.
As any tabloid magazine will be happy to tell you, the Internet contains nothing but destructive antisocial hackers. That's not completely false -- there are lots of people on the Internet trying to break into computer systems (for challenge, money, ego, destructiveness, or some other motivation). As a result, anyone on the Internet should be thoughtful and careful about security. One of the ways to be careful (though not necessarily thoughtful) is to buy a firewall system and interpose it between your self/business/valuable data and the anarchic Internet. Unfortunately, many people buy firewalls without knowing what they're getting or how to configure them, which doesn't provide much security and can easily prevent people from getting real work done.
In the 90s, an Intranet is basically everything on *your* side of the Internet connection -- the LAN or WAN used exclusively by employees (or whoever you authorize). You know much less about any computers or people on the far side of the Internet connection, so it's important to think about what services you offer on your servers, and who should have access to them. One important reminder: with Personal File Sharing and Personal Web Sharing, any Mac can be a server. Don't forget to consider personal computers as servers to be secured -- you can't afford that mistake.
A firewall, generally part of or closely coupled to your Internet connection, behaves something like a military checkpoint on a road -- the firewall has some knowledge about legitimate use of your servers by people on the Internet, and can block most types of network attacks as a result. Firewalls can also log suspicious and normal activities across your Internet link, and prevent users or employees from using specified external services (see http://www.dilbert.com/comics/dilbert/financial/tphbx.html).
TCP/IP traffic, the foundation of the Internet, uses 'port numbers' to identify the sending and receiving services. If you connect to a computer on port 80, you get its web server (if one is running). If you connect to port 25, you're talking to the SMTP server, which will accept E-Mail messages for delivery to local users or other servers. The principle behind a firewall is a simple one: there are millions of port-to-port combinations possible, but only a few are necessary to normal operation. You want outsiders to be able to connect to port 25 on your mail server, ports 80 and 443 on your web server, and port 21 on your FTP server (actually FTP is a bit more complicated, described below); this covers the major legitimate uses of computer resources by outsiders.
Compatible Systems includes a useful list of port numbers under 'port' on this page about firewall configuration http://flash.compatible.com/ini-html/ini_ip_filter.html. Well-established TCP/IP protocols generally use ports below 1024 -- those above 1024 are mostly left unspecified for client computers to use. Thus when you send mail, your mail program might connect from port 2000 on your desktop to port 25 on the mail server.
Traffic on the Internet actually runs on top of one of two protocols: TCP or UDP (User Datagram Protocol). Each of these protocols has port numbers from 0 to 65,535; some services use UDP (SNMP), some use both (DNS and ping), and most use TCP. TCP and UDP are effectively equivalent for purposes of this discussion.
FTP and DNS are other important ports, but in many cases you can simplify matters by putting these servers *outside* the firewall, and blocking in-bound FTP and DNS completely. In this case, the external DNS server might have an abbreviated list of hosts, since outside users will only have legitimate need to connect to a few of the computers behind the firewall.
Tip: Normal FTP (file transfer protocol) works by opening a connection to a server and using the PORT command, which causes the server to open a new connection back to the client machine and transfer files over it. This is a security issue because a user outside the firewall might ask an FTP server behind the firewall to transfer files to/from other internal servers. PASV mode FTP (which web browsers generally use, and many firewall configurations require) asks the server to open an additional port above 1024 which the client then connects to for the actual file transfer.
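To make the PORT/PASV difference concrete, here is an added example (not code from the original article) that decodes the 'h1,h2,h3,h4,p1,p2' address tuple FTP uses, works out which side opens the data connection in each mode, and shows how a simple 'nothing comes in' firewall rule treats it. The 192.0.2.0/24 block standing in for "our" side of the firewall and the addresses in the demo are constructed for this example; the server-side check that a PORT command names the same address as the control connection is the usual defence against the "transfer to other internal servers" problem described above.

```python
import ipaddress
import re

# Constructed for this example: the address block on "our" side of the firewall.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the 'h1,h2,h3,h4,p1,p2' tuple carried by PORT and by the 227 PASV reply.
    The port number is p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def is_internal(ip):
    """True if the address is behind the firewall (inside INTERNAL_NET)."""
    return ipaddress.ip_address(ip) in INTERNAL_NET


def data_connection(client_ip, server_ip, command, reply=None):
    """Describe the FTP data connection a command will cause.

    Active mode: the client sends PORT and the *server* connects back to it.
    Passive mode: the client sends PASV, the server answers 227 with an address
    and a port above 1024, and the *client* connects to that.
    """
    verb = command.split()[0].upper()
    if verb == "PORT":
        host, port = decode_hostport(command)
        initiator, mode = server_ip, "active"
    elif verb == "PASV":
        if reply is None or not reply.startswith("227"):
            raise ValueError("PASV needs the server's 227 reply")
        host, port = decode_hostport(reply)
        initiator, mode = client_ip, "passive"
    else:
        raise ValueError("not a data-connection command: %r" % command)
    return {
        "mode": mode,
        "initiator": initiator,
        "target": (host, port),
        # A plain 'no inbound connections' rule drops any connection an outside
        # host initiates toward an inside one; that is what breaks active mode.
        "passes_inbound_block": not (not is_internal(initiator) and is_internal(host)),
        # Server-side check: a PORT naming an address other than the control
        # connection's peer would make the server open a connection to a third host.
        "port_names_third_party": mode == "active" and host != client_ip,
    }


if __name__ == "__main__":
    # Constructed sample exchanges: an inside client talking to an outside server.
    print(data_connection("192.0.2.10", "203.0.113.5", "PORT 192,0,2,10,7,208"))
    print(data_connection("192.0.2.10", "203.0.113.5", "PASV",
                          "227 Entering Passive Mode (203,0,113,5,195,80)"))
    # An outside client asking an inside server to connect to another inside host.
    print(data_connection("198.51.100.7", "192.0.2.21", "PORT 192,0,2,22,0,21"))
```

The first call shows active mode failing the inbound rule (the outside server would have to connect in to port 2000 on the client), the second shows passive mode passing it, and the third shows why the firewall alone is not enough: the resulting internal-to-internal connection never crosses it, so the FTP server itself has to reject a PORT that names a different host.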
The most common features of firewalls are as follows:
A simple set of firewall rules might do the following (although they wouldn't be written in plain English):
"Allow Internet computers to connect to mail.example.com on port 25; allow mail.example.com to connect to outside computers on port 25; block all other port 25 traffic across the firewall." Port 25 is used by SMTP (Simple Mail Transfer Protocol) for sending mail on the Internet. Since the firewall only controls traffic crossing from one side to the other, this would prevent outsiders from using private internal servers, and prevent employees from sending mail directly through the firewall, which might be important if you want to log all sent mail.
"Allow Internet computers to connect to www.example.com on ports 80 & 443; allow any internal computer to connect to outside computers on ports 80 & 443 and log every URL along with requesting IP; block all other port 80 & 443 traffic across the firewall." Port 80 is the standard http (web browsing) port, and port 443 is used by https (Secure Sockets Layer -- encrypted web browsing). Again, this prevents outsiders from using private internal resources (such as Personal Web Sharing). It also logs employee web use, so administrators can tell if employees are surfing www.playboy.com -- many larger companies have corporate policies against non-work-related use of the Internet, and this is now quite feasible to track.
"Block all inbound DNS requests." If you run a public DNS server outside the firewall, and a private server inside, you can prevent outsiders from listing all your hosts.
"No FTP connections can come in. Outbound FTP connections must go through the firewall's proxy feature, requiring username/password for this service (in addition to any for the actual FTP site), and all transfers are logged." In this case, ftp.mycorp.dom might be hosted by an upstream ISP, outside the firewall, and employees may use it (through the firewall) or other FTP sites, but all their activity will be logged. Some financial institutions may only allow FTP GET -- not FTP PUT -- to the outside world, to prevent people inside the company from sharing proprietary information.
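The four plain-English rules above, written out as an ordered packet filter, as an added example (this is illustrative code, not from the original article or any firewall product). Rules are tried top to bottom, the first match decides, and anything no rule mentions is dropped; the host names (mail.example.com, www.example.com, a hypothetical proxy.example.com for outbound FTP, and two internal machines) and the sample packets are constructed. The proxy's username/password step is not modelled; the filter only insists that outbound FTP comes from the proxy host and logs it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the machines on "our" side of the firewall.
MAIL_SERVER = "mail.example.com"
WEB_SERVER = "www.example.com"
FTP_PROXY = "proxy.example.com"          # hypothetical outbound FTP proxy host
INTERNAL_HOSTS = {MAIL_SERVER, WEB_SERVER, FTP_PROXY,
                  "pc1.example.com", "dns-int.example.com"}


def side(host: str) -> str:
    """Classify a host as INTERNAL (behind the firewall) or EXTERNAL."""
    return "INTERNAL" if host in INTERNAL_HOSTS else "EXTERNAL"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    url: Optional[str] = None   # only meaningful for web traffic


@dataclass(frozen=True)
class Rule:
    src: str              # a hostname, "INTERNAL", "EXTERNAL" or "ANY"
    dst: str
    ports: frozenset      # destination ports this rule covers
    action: str           # "allow" or "deny"
    log: bool = False

    def _endpoint_matches(self, spec: str, host: str) -> bool:
        return spec == "ANY" or spec == host or spec == side(host)

    def matches(self, p: Packet) -> bool:
        return (p.dport in self.ports
                and self._endpoint_matches(self.src, p.src)
                and self._endpoint_matches(self.dst, p.dst))


# The article's rule set, in order. The firewall only sees traffic crossing it,
# so internal-to-internal packets never reach this list at all.
RULES = [
    Rule("EXTERNAL", MAIL_SERVER, frozenset({25}), "allow"),
    Rule(MAIL_SERVER, "EXTERNAL", frozenset({25}), "allow"),
    Rule("ANY", "ANY", frozenset({25}), "deny"),
    Rule("EXTERNAL", WEB_SERVER, frozenset({80, 443}), "allow"),
    Rule("INTERNAL", "EXTERNAL", frozenset({80, 443}), "allow", log=True),
    Rule("ANY", "ANY", frozenset({80, 443}), "deny"),
    Rule("EXTERNAL", "INTERNAL", frozenset({53}), "deny"),
    Rule(FTP_PROXY, "EXTERNAL", frozenset({21}), "allow", log=True),
    Rule("ANY", "ANY", frozenset({21}), "deny"),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, log_line). log_line is None unless the matching rule logs.
    Default deny: a packet matching no rule is dropped."""
    for r in rules:
        if r.matches(p):
            log = None
            if r.log:
                log = "%s %s -> %s:%d" % (r.action, p.src, p.dst, p.dport)
                if p.url:
                    log += " " + p.url
            return r.action, log
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets crossing the firewall.
    samples = [
        Packet("outside.net", MAIL_SERVER, 25),                  # inbound mail: allow
        Packet("pc1.example.com", "smtp.isp.net", 25),           # employee bypassing mail server: deny
        Packet("pc1.example.com", "www.site.com", 80, "http://www.site.com/"),  # logged
        Packet("outside.net", "pc1.example.com", 80),            # Personal Web Sharing from outside: deny
        Packet("outside.net", "dns-int.example.com", 53),        # inbound DNS: deny
        Packet(FTP_PROXY, "ftp.site.com", 21),                   # outbound FTP via proxy: logged
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.dport, filter_packet(pkt))
```

The order matters: the two specific port-25 allows sit above the blanket port-25 deny, so swapping them would cut off the mail server. The logged lines are where an administrator would later look for the "who surfed what" and "who fetched what by FTP" records the rules promise.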
Firewall and proxy functionality are being built into software programs that run on multipurpose servers. If you're investigating these, consider your level of confidence in the firewall product and ask the vendor for details on the speed consequences of their implementation. Depending on the design, such a firewall might make the server it's running on faster or much slower.
Since the Intranet is a security concept, it's worth categorizing the most common types of attacks. Some techniques fall into multiple categories.
Now that you know the standard way to create an Intranet (use a firewall), what are the alternatives and other relevant technologies?
Proxy servers overlap in functionality with firewalls, but that's a topic for another day. Essentially, they aggregate traffic for one or more protocols, resulting in better speed and more control over the affected protocols.
One security alternative is Virtual Private Networking (VPN) http://www.cisco.com/warp/public/779/servpro/solutions/vpn/. With a VPN, you effectively use the Internet as your LAN (this makes people working in other locations happy, since they can make local calls to their ISP and have the same access as people at HQ). To prevent people from reading all your juicy data as it flows across the Internet, VPN schemes use encryption between all the member computers. The key question here is whether all the encryption work hampers network access. VPN vendors claim that modern computers aren't hampered by encryption (which, after all, is typically of something like a 28.8kbps-128kbps data stream, as opposed to the 100Mbps of Fast Ethernet). VPN gives you much greater flexibility, but also increases complexity, as you now must install and manage software on everyone's computer. If VPNs sound interesting, consider a VPN-firewall hybrid, where the VPN encryption is used for dial-up but not Ethernet connectivity.
For low-security applications, you may not even need an Intranet -- many people use the Internet for low-risk activities, and use SSL for credit card transactions. These people may not need firewalls or VPNs, but be well served by reasonable passwords and some consciousness about what they type when using the Net. Each person or organization must balance comfort and simplicity versus protection from hackers (and although the news loves to exaggerate, hackers do exist and do attack systems all the time).