By early 1996, the Internet comprised over 80,000 subnetworks and nearly 10 million hosts. The fastest growing segment of Internet hosts within the U.S. are those within the commercial (.com) top-level domain, although the largest rate of growth is coming from outside of the U.S. These large number of organizations are connected to the Internet for reasons ranging from electronic mail and increased communication to sales and marketing. Being connected to the Internet for e-mail alone is almost worth the price of admission, but once connected many companies have found that for a small additional expense, their presence on the net can be greatly enhanced. The new direction -- making information servers for and about their organization.

Information servers, ranging from finger to the World Wide Web (WWW), can be used for both internal and external users. These servers can allow potential customers to learn about a company's products and services, prospective employees to learn about career opportunities, investors to learn something about a potential investment and its competition in the industry, or customers to download the latest software release. It can also be used to provide news, advertisements, research source material, information about someone's favorite topic, or access to timely information that might be otherwise difficult to find -- such as daily pictures of the comet Hyakutake (very timely at the moment that this article is being written).

This article will provide some food-for-thought for organizations trying to determine what information servers might be made available on the Internet. The article does not describe the technical details in actually implementing these servers, but provides some things to consider when doing so.

FINGER

Finger is an Internet utility that allows someone to learn about remote host systems and users on those systems. The command finger @hostname will display the username, real name, current process, and other information about all users currently logged in at the specified host. The command finger username@hostname returns specific information about a particular user at that host, including when that user last logged in; in some cases, additional information about that person may be displayed.

Finger was designed during a time when the ARPANET was small and the community generally trusted. I would argue that there is no really good reason today to enable the finger daemon (server) on any host on your network. No one, particularly someone from the outside, needs to know who is logged in to your systems nor what they are doing. This observation is not just to keep out the nosy. If someone wants to attack your system, one place to start is by password guessing. What better way to learn about a system than to get a list of usernames? Furthermore, most people still choose lousy passwords, often based on their name, telephone number, etc. and finger may give an attacker access to that information. Finger probes can also be used as the basis for IP address spoofing attacks.

There are some finger servers that have been modified to display a file specified by the system manager, such as a welcome message with the address of the system administrator. This is a good alternative to the normal finger server, since the message can provide some basic information that you might want distributed without giving away the store.

Two last comments. First, some security experts believe that any finger probe is an attack on your system and should be responded to. I think that this is overkill; Finger is a legitimate tool and lots of people use it out of real curiosity without nefarious intention. (Repeated finger probes, however, are possibly another story.) Second, some installations monitor finger probes and the pattern of their use, and attack back in cases of suspected attack; some go so far as to return bogus information to finger probes. Both of these strategies are only useful if you have the resources and the time; most of us just want to close the door and not check up on everyone who knocks.

TELNET

Telnet is the Internet's remote login utility. With Telnet, a user at a local host can login to any host on the Internet where that user has an account. Alternatively, some sites allow anyone to login from any remote host to use a local client; users can Telnet to internic.net, for example, and login as gopher or whois to use that host's client software in case the user does have their own Gopher or Whois client. Other sites use non-standard port numbers to allow external users to access specialized information; Telneting to the University of Colorado (culine.colorado.edu) using port numbers 859, 860, 862, 863, or 869, for example, displays the schedules of the National Basketball Association, National Hockey League, Major League Baseball, National Football League, or Canadian Football League, respectively.

For most sites, however, there may be no particular reason to enable the Telnet daemon at a host; it only provides a possible entry point for an intruder. Be aware that most routers have Telnet enabled, which is also a potential security vulnerability; the only console-access alternative to Telnet is usually to connect a terminal to the router's serial port.

If you must enable the Telnet server at a host, limit access from the outside as much as possible; usually the only bona fide hosts are those that are within your own network or other trusted networks. Do not supply a GUEST account unless absolutely necessary; if you must, isolate this host from other hosts as much as possible since once an intruder is in one host, it is a potential leaping point to other hosts on your internal network or on the Internet. Finally, consider using a non-standard port number for the Telnet service, if possible (Telnet usually responds on well-known port 23).

FILE TRANSFER PROTOCOL (FTP)

FTP allows users to login to remote systems for the specific purpose of transferring files. FTP is a very useful utility and should be made available if at all possible; it provides a mechanism for people to obtain new software releases, product announcements, technical specifications, service announcements, research papers, and other information from your company. I certainly recommend that such a service be provided if there is any information of this nature that you would like to make available.

Anonymous FTP is the most common way in which users can access an FTP site. These accounts have the username anonymous and usually use the password guest or the user's e-mail address; in the latter case, some sites verify the password by doing a reverse name lookup to ensure that the packet's source address matches the domain supplied in the password. Of course, once an FTP server is established, local users or customers can be provided individual accounts, as well.

When setting up the password file for the FTP server, carefully restrict which directories Anonymous FTP and other users can access. In general, Anonymous FTP users should only be allowed to download files. If you allow uploads, restrict the directories to where uploading can occur and monitor these directories carefully; do not allow your site to become a hacker's cache for stolen files. Some sites go so far as to hide the filenames in some directories; you can download files from those directories if you know the filename (which a customer service representative might tell you), but you cannot casually peruse the directory. Some sites go a step further and require that a user login, identify themselves, and verify some information; in turn, they are provided with a directory and file name which is valid for only a fixed period of time.

It should be noted that a Web server can be employed to allow external users to access files without using FTP procedures; the disadvantage is that the Web download approach will not provide the same (minimal) security and authentication as FTP. Alternatively, most Web browsers may be used to access FTP servers in lieu of a dedicated FTP client.

GOPHER

Gopher is an adjunct to FTP that provides a hierarchical, menu-driven organization to an FTP site. It also provides links to other sites with related information, as well as a search tool. Gopher, in fact, was one of the first commonly available utilities on the Internet that was easily used by non-techies, was not UNIX-based, and provided links to other Internet sites.

My recommendation is, in general, if you don't already have an existing Gopher server, don't implement one. My reasoning is that it just isn't necessary since you can create the same kind of hierarchical structure and functionality using a WWW server. Furthermore, implementing Gopher just adds one more service that has to be maintained and administered.

WORLD WIDE WEB

The WWW is thought by many to be the Internet. WWW browsers, such as Netscape Navigator and Mosaic, provide users with access to hypertext documents around the world, allowing users to view text, image, graphics, video, audio, and other types of information. The WWW accounted for an estimated 40% of all Internet traffic by the end of 1995. It is also undoubtedly the fastest growing Internet server type; in June 1995, it was estimated that only 17,000 Internet hosts had the name www, while this number was up to 76,000 by January 1996 [and up to 212,000 by July 1996] (and not all Web servers have the name www!).

My recommendation, of course, is to put a Web server on the Net. And do it now if you haven't done it already. In some industries, it is almost a requirement. Some other observations include:

• Don't overdo the graphics. Although visual esthetics are important, the real keys to a successful site are content, organization, and usefulness. If you do have a lot of graphics, offer a text-only alternative.
• Make the site easy to navigate; if appropriate, provide some sort of search tool.
• Match the communications link and server capability to the expected use.
• Publicize your site by getting indexed with the popular search tools, such as Yahoo!, Lycos, and WebCrawler.
• Keep the information on the site current and accurate; nothing is more irritating than visiting a site in March 1996 and seeing the notice Last revised: November 1994 or Visit our site again when we complete it in January 1996 (unfortunately I did not make either of these up!). Also, keep the links at your site up to date; I am always surprised at the number of sites that have invalid links and, in some cases, pointers to their own server that lead nowhere.
• Provide an e-mail link to webmaster.
• Don't force people to register with a username and password for access to free information; this only adds to password overload.
• Use secure WWW protocols where possible, such as Secure Hypertext Transfer Protocol (SHTTP) or the Secure Sockets Layer (SSL).
• User a commercial WWW server for commercial applications.

E-mail remains the most widely used application on the Internet and a mail server is essential for access to e-mail. In many cases, this requires a gateway between your internal e-mail software (such as IBM PROFS, Lotus cc:Mail or Notes, or Microsoft Mail) and the Simple Mail Transfer Protocol (SMTP).

If possible, e-mail addresses names should have some company-wide consistency to assist outsiders in finding people; my company uses first_initial.lastname; other companies use variants such as first_initiallastname or first_name_lastname. Some security experts suggest further that e-mail names should not match the user's LAN or host login name; this precaution prevents potential intruders from having access to bona fide usernames. In addition, define some functional e-mail addresses such as postmaster, info, jobs, sales, and webmaster to help outside users communicate with your company.

Some companies are finding that SMTP-based e-mail is more useful than proprietary e-mail systems and are actually abandoning the proprietary approach for a couple of reasons. First, SMTP-based e-mail systems allow remote e-mail access from anywhere in the world via the Internet, which may be accomplished at less cost than remote dial-up. Second, many people get more e-mail from the Internet than from internal users, so SMTP makes sense. Finally, many of today's SMTP mail clients, such as some Post Office Protocol (POP) and Eudora clients, have functionality similar to proprietary interfaces.

On a related note, many organizations host Internet e-mail discussion lists using tools such as majordomo or listserv. One advantage of hosting such a list is that it allows an organization to actively promote some issue for which it has a vested interest; it also allows an organization to appear to be at the leading edge of issues related to that topic. Although users automatically subscribe and unsubscribe to such lists, care should be taken before volunteering to host such a list; the amount of personnel resources required to administer the list, as well as hardware, software, and communications requirements will vary with the activity on the list. In addition, some list hosts have been threatened with legal action because of some of the alleged libelous comments made by list members.

NETNEWS

A NETNEWS server provides local user access to Usenet newsgroups. For many professionals, access to these newsgroups is essential for their work. If you do set up a Network News Transfer Protocol (NNTP) server, plan carefully for the specific newsgroups you want to receive since there are several thousand such lists. Some newsgroups generate just a few messages a day while others generate a hundred or more messages each day; furthermore, some of the lists are very graphics-intensive. Match the server capability (speed and disk space) and the communications link to the expected traffic.

Several sites on the Internet contain archives of various subsets of Usenet newsgroups. One of the best such sites may be found at gopher://gopher.bham.ac.uk/11/Usenet. While not the preferred way for most people to obtain Usenet information, it does provide an alternative access method.

DOMAIN NAME SYSTEM (DNS)

The DNS is the distributed database on the Internet that provides Internet Protocol (IP) address-to-host name translation, and defines a domain's mail and name server systems. If you have a very small site and your Internet Service Provider (ISP) provides the DNS service for you, you should probably let them. On the other hand, if your ISP does not offer DNS (and there are still a few of these) or if the ISP doesn't keep the DNS information as up-to-date as you'd like, you will have to run one yourself. Setting up a DNS database is not terribly hard, but improper configuration can block your access to the outside and/or remote users' access to your servers; some sites hire a consultant to set up the DNS files and then maintain the files themselves. Maintenance of DNS files is not difficult, but does require some administrative time.

SECURITY CONSIDERATIONS

A discussion on public information servers on the Internet would not be complete without at least a brief mention of security. Without some form of security and protection, your hosts are not merely attached to the Internet, but they are a part of it. A sufficient number of books and articles have been written about firewalls, Internet security, and hackers so that even the general public is aware of the security vulnerabilities of the Net.

At least one expert has observed that there are no secure sites on the Internet, only vigilant ones. When you employ an information server, you are inviting people to attach to a system on your corporate network. You should, therefore, employ as much security as you can afford -- determined by putting a price tag on the level of risk, the amount of exposure, and the cost of the corruption, theft, or loss of your company's data. In particular, critical information should not be placed on publicly accessible servers unless absolutely necessary; corporate servers should be placed behind some kind of firewall. Internal and external information servers should be isolated from each other. And all users should be made to understand their role in helping to keep the network secure.

Some sources describe four levels of Internet security, denoted the "Four Ps":

• Paranoid: No Internet connection at all; while this is the most secure environment possible, there is no connectivity to the outside.
• Prudent: Connected to the Internet with a set of rules that defaults to forbid all communication except what is explicitly allowed; also referred to as the "deny everything" scenario.
• Permissive: Connected to the Internet with a set of rules that defaults to allowing all communication except what is explicitly forbidden; also referred to as the "allow everything" scenario.
• Promiscuous: Connected to the Internet without any security.

The most reasonable level of security for most sites is the prudent one. Some form of firewall protection, such as packet filtering and/or proxy servers, should be employed with rules that specify what types of packets and/or applications are supported (Figure 1). FTP file transfer requests from the outside, for example, should only be allowed onto your LAN if you host an FTP server; in that case, these requests should only be allowed if directed to your FTP server and not to other systems. In addition, rules should be implemented that would block incoming and outgoing IP address spoofing attacks.

                              |  ---------------    |  ----
     ()                       |  |   Public    |    |--|PC|
    (  )                      |--|"Sacrificial"|    |  ----
   (    )                     |  | Information |    |
  (      )                    |  |   Server    |    |  ----
 (        )                   |  ---------------    |--|PC|
(          )      ----------  |                     |  ---- 
( Internet )------| Router |--|                     |
(          )      ----------  |                     |  -------------
 (        )                   |                     |  |  Private  |
  (      )                    |       ---------     |--|Information|
   (    )                     |-------|Bastion|-----|  |  Server   |
    (  )                      |       | Host  |     |  -------------
     ()                       |       ---------     |
                              |                     |

                           Outside                Inside
                           Network                Network

FIGURE 1. One possible configuration of Internet information servers and a firewall. The user's network is divided into two subnetworks, the so-called "outside network" and the "inside network." The outside network, or DMZ, only contains Internet information servers for the public; these are "sacrificial" systems because they do not contain critical information, in case of compromise, nor do they provide access to the user's inside network. The Bastion host (probably with proxy agents for all supported applications) acts as a gateway for all incoming and outgoing traffic between the user's trusted systems (which are all attached to the inside network; the server(s) on the outside network are not trusted) and the Internet. Note the use of Internet protocols and applications for private information servers, representing an "Intranet" capability protected from outside users. This configuration provides a moderate level of security; both more and less secure (and costly) firewall/Bastion host/server configurations are possible.

Many sites employ a "security through obscurity" philosophy; they maintain a low profile on the Internet, don't advertise host names, don't advertise user names, etc. This approach is doomed to fail since there are very few secrets on the Internet.

CONCLUSION

Using the Internet as a way to develop a market or attract investors, although not the main point of this article, cannot be over-emphasized. When Netscape Communications and Yahoo! went public, their stock was grabbed up and the prices soared. Why? Because the investment community already had experience using their products and decided that the investments made sense based on firsthand knowledge. Netscape, furthermore, developed the commercial WWW browser market so successfully by giving away their early software and has maintained their position as the WWW standards-setter by giving away beta versions of their software under development.

TABLE 1. Summary recommendations.

Information Service	Recommendation	Comments
Finger	No	May be OK with static message.
Telnet	No	Only if absolutely required, perhaps with non-standard port assignment.
FTP	Yes	--
Gopher	No	--
WWW	Yes	--
E-mail	Yes	--
Netnews	Maybe	If required.
DNS	Maybe	If required.

With the appropriate safeguards, the provision of information on the Internet is relatively simple, inexpensive, and riskfree -- and potentially very rewarding (Table 1). A few last recommendations:

• Minimize your exposure; don't put private information on a public server. Block public access to private information servers with some sort of firewall.
• Focus on content and organization. Make your information easy to find and worth finding. Some servers have the site's organizational map or description at a top-level page or directory, making it even easier for users to navigate.
• Match hardware, software, and communications facilities to expected use. Some companies, particularly small ones, find that even a slow PC and 56-kbps communications facility is adequate for demonstrating the use of a Web, file transfer, or other information server. As activity increases, however, more powerful processors with better software, as well as a higher-speed communications link, may be required for better reliability, performance, and response time; this is particularly true if you are offering some sort of service for paying customers.
• Be mindful of security. This cannot be stressed enough. There are plenty of people out there who think that if they can mess around with your system, then it is their right to do so. Also consider the attractiveness of your site to potential attackers; in some businesses, you may have to worry about competitors trying to break in while other sites (such as those that sell security products) may be highly attractive to crackers trying to "prove their mettle."
• Use the servers as an opportunity to reflect the corporate personality. Nothing personifies a company more than emphasizing the human element, with such things as brief biographies, personal home pages, etc. At the same time, respect employees' privacy; no one should have their name or other identifying information posted on an Internet server without their knowledge and permission.
• Don't oversell the network's capabilities. Many organizations thought they had a plan when they set up their Internet information servers and find that the site has taken on a life of its own. Information servers require administrative resources. Furthermore, the costs may be difficult to quantify and even harder to justify if you have to make a cost-benefit argument; many of the rewards are intangibles, such as corporate credibility (e.g., imagine being a computer or network vendor today without any form of Internet presence). Let users know that you are in the trial, setup, or learning phase. Solicit ideas from customers and your management about desired capabilities of the service. But be sure not to promise too much, too soon.
• Don't undersell either. It is very simple to get online with an Internet information server. What you end up with may not be what you start with or thought you'd end up with; that's probably ok. But don't wait too long to enhance the capabilities of your server; I know of at least one major switch vendor that set up their public Web server in mid-1996, even though every major competitor of theirs had Web sites up at least a year earlier. It costs nothing to experiment with style and form, and the nice thing about the Web is that you can immediately change anything you don't like or find that doesn't work.
• Plan for success!! Your users will need training. Your management will need to understand how the Internet can be a fundamental part of the corporate business plan. Be sure to consider the administrative costs of running such servers; for most small companies, Internet operations will not require a great deal of time, but does require constant care and feeding. Do not lock yourself into hardware or software that will be a dead-end; make sure that there is room for growth.