The Guide - Security Issues-- Network Security

Network Security

Home Network Security Cryptography Firewalls

Introduction

Can a networked system be truly secure? While that wired world has so much to offer security is one facet that people wonder about. From the most large and secure networked organisations to smaller companies have been hacked in spite of the network managers' efforts to attain the unreachable goal. It simply is not possible to render a networked system completely secure. This should be understood before applying the principles of security to the Internet or other networks. Proper security can be achieved only when the information is isolated, locked in a safe, surrounded by guards and rendered inaccessible. Some would argue that even then that there is not absolute security.

Networks were created to address the problems of data isolation in the early days of computing and networks became the communication bridges. But the explosion of information across the networks in the world has raised the specter of corporate espionage to new heights. Corporations today know that in the information age, information is power and those organizations who don't control their information aptly cannot gain competitive advantage.

Since security and privacy are the direct opposite of sharing and distribution and both of them have become the need of the day, network security must become a balance between providing appropriate access to those who need the information and safeguarding that information by denying access to those not authorized. In this impenetrable situation managers must plot a course between the risks of losing information so necessary to the enterprise's operation and the costs and constraints associated with an overly aggressive security solution.

Security Issues:
Before taking an in-depth look at security issues let us define the basic concepts involved in securing any object:

Vulnerability
is a potential, a possibility, a weakness, an opening. Vulnerability by itself may not pose a serious problem. It may depend on what tools are available to exploit that weakness.
A threat
is an action or tool that can exploit or expose a vulnerability and thereby compromise the integrity of a given system.
An attack
shows the details of how a threat could be used to exploit vulnerability. Situations exist where vulnerabilities are known and threats are developed, but no reasonable attack can be conceived to use it on a vulnerable system.
Countermeasures
are those actions taken to protect systems from attacks that threaten specific vulnerabilities. In the network security world, countermeasures consist of tools such as virus detection and cleansing, packet filtering, password authentication, and encryption.

A security scheme must be devised that must identify vulnerabilities and threats, anticipate potential attacks, assess whether they are likely to succeed or not, assess what the potential damage might be from successful attacks, and then implement countermeasures against those defined significant attacks. Hence security is all about identifying and managing risk, and security must be tailored to the needs, budget, and culture of each organization. The impact of an attack on an organisation would depend on the sensitivity of the data available on that system. Hence each organisation must consider the factors that should be defended and the ones that can be ignored and apply counter measures accordingly.

Security Threats:
Some generic security threats that organisations must deal with are the theft of information, the compromising or corruption of information, loss of confidentiality, and the disruption of service. Other threats which companies are dealing with is the introduction of malicious programs over the network or what may be termed as "computer virus" which fall under different categories like Trojan Horses, worms, and logic bombs as well as true viruses.

A Trojan horse
is a program that contains harmful code and it disguises itself as an attractive or useful program that lures users to execute it, and in doing so, damages the user's system.
A logic bomb
is a program that has a code that checks for certain conditions and when these conditions are met, it "detonates" to do its damage.
A worm
is a self-contained program that replicates itself across the network and therefore multiplies its damage by infecting many different nodes.

Other viruses may have a code that plants a version of itself in any program it can modify. E.g.: a virus had "infected" Microsoft Word, all subsequent documents which are opened by the user may only be saved as template files.

These are however not mutually exclusive threats. A logic bomb could fix a virus under the specified conditions, as could a Trojan horse deliver a worm.

In addition to planting programs on the computer there are threats involving the theft or compromise of information while it is in transit between endpoints of a network like in the case of Snooping, in which an attacker simply eavesdrops on electronic communications.

Security Policy While there are multiple technologies that can be brought to bear on the issues there is no amount of technology that can overcome a poorly planned, poorly implemented or nonexistent security policy. The security of any information in any organization today is primarily dependent on the quality of the security policy and the processes by which that organization imposes on itself. If the security procedures are lax, are not enforced uniformly, and allow gaping security holes to exist, no amount of technology will restore the security breaches. have access to each level of security.

Authentication A primary tool in securing any computer system is the ability to recognize and verify the identity of users. This security feature is known as authentication. Traditionally, special names and secret passwords have been used to authenticate users, but as the anecdote above demonstrates, the password is only as good as the users' ability to keep it secret and protect it from being abused by unauthorized users.

There are three generally accepted techniques for authenticating users to host machines.

Authentication by something the user knows. This is the password/username concept described above. There are two common approaches to password authentication, known as PAP and CHAP. PAP, which stands for Password Authentication Protocol, simply asks the requester to provide a "secret" password, and if the password provided is included in the user profiles, the requester is given access. CHAP (Challenge Handshake Authentication Protocol) takes the concept one step further by challenging the requester to encrypt a response to the challenge message. This, in effect, acts as a different password for each entry. Often, the CHAP mechanism is combined with an encrypting smart card, which uses an encryption key to encode the challenge message. Only if the challenge message is correct will the requester be granted access to the system.
Authentication by something the user has. In this technique, the user is given some kind of token, such as a magnetic stripe card, key, the user has a smart card equipped with a computer chip which can generate an encrypted code back to the computer system.
Authentication by physical characteristics. Here, the mechanism is to recognize some measure of the individual that presumably cannot be duplicated. Biometric techniques such as fingerprint ID, palm print ID, retinal scan, manual and digital signature, or voice recognition are used to validate the identity of the potential user.

Authentication is also necessary when two computers communicate with each other. For example, what should my host computer do when another computer asks to have a disk mounted which contains all of my organization's personnel data? How do I know that the requesting computer has a legitimate reason to access that information, and that it is not some external network hacker trying to steal information from my organization? In order to prevent such events, the Internet Engineering Task Force (IETF) has formed a working group by the name of IPSec (Internet Protocol Security). Additionally, there are a number of de facto standards - those which are developed by companies rather than by official committees, but which enjoy widespread acceptance. While many of these standards are under review and take some time to work their way through the approval process, two are worthy of mention here, IPSec's SKIP (Simple Key Management for Internet Protocol) and Livingston's RADIUS (Remote Authentication Dial In User Service).

SKIP is a technique for providing authentication and encryption security at the IP layer of the Internet architecture. It relies on the existence of an authority in the network which can issue a certificate to known trusted entities within the system. If an entity claiming to be a member of the system requests an action, the receiving computer system can have the requester present an encrypted certification that they are who they say they are. The certificate conforms to one of the methods of authentication, namely, a secret encoding technique and a secret key that is only available to trusted members of the system. The fact that SKIP operates at the very lowest protocol layers of the architecture has the advantage that it will protect all upstream applications as well, by preventing connections between systems which are not authorized. Since potential intruders cannot even establish connections, their ability to do malicious damage is severely restricted.

In the scenario depicted above, the Requesting Entity first gains a certificate by requesting one from the trusted certification authority (1), who validates the trustworthiness of the Requester by granting a certificate (2). Armed with this certificate, the Requester can now petition the host and presents the certificate along with the request of the host (3). The host, upon seeing the certificate will grant the information to the requester (4).

RADIUS is one of the more popular public network authentication protocols. The primary purpose of RADIUS is to offer centralized access control for remote dial-in users. RADIUS simplifies the administration of passwords, user names, profiles for remote users, and other security and accounting related information by placing all of the security in a central server, and issuing challenges to the user.

Integrity
Integrity refers to the completeness and fidelity of the message as it passes through the network. The key here is making sure that the data passes from the source to the destination without undetected alteration. Note the use of the word "undetected". We may not be able to thwart someone from tapping out messages and attempting to modify them as they move through the network, but we will be able to detect any attempt at modification and therefore reject the message if such a modification attempt is detectable.

If the order of transmitted data also is ensured, the service is termed connection-oriented integrity. The term anti-replay refers to a minimal form of connection-oriented integrity designed to detect and reject duplicated or very old data units.

Access Control
This concept relates to the accepting or rejecting of a particular requester to have access to some service or data in any given system. A service could be a program, a device such as a printer or a file system, and data could be a text file, an image, a collection of files, or any combination of the above. The real question is, what are the risks involved in allowing access to any of the system's services or information to individuals requesting such access? In some cases, such as the advertising Web page of an organization, the answer is that no damage could occur. The objective of such a page is precisely to spread the word about the organization, and therefore access control is not an issue. On the other hand, access control is a major issue if someone requests access to the file which contains the passwords for all of the users of the system.

It is therefore necessary to define a set of access rights, privileges, and authorizations, and assign these to appropriate people within the domain of the system under analysis.

The Open Systems Interconnection Model

The ISO has defined this as a standard for networking called the Open Systems Interconnection model (OSI). The model describes the flow of information between the physical network and applications.

Each layer communicates with the adjacent layer through an interface. The set of rules that the layers use to communicate logically with their counterpart on the other computer are called protocols. Data passes through each layer wrapped with a layer specific information. On the recipient computer each layer removes the layer specific information before passing it to the next layer.

The seven layers from bottom to top are:

The Physical layer
that is responsible for the physical transmission of the data across the physical network. This layer defines all the physical parts of the network such as cabling type, pin configuration etc.
The Data Link Layer converts the bit stream received from the physical layer to the data frames or packets that contains data. If the frame is not acknowledges then the data link layer retransmits the frame.
The Network layer addresses the messages and translates the logical address and name to the physical addresses. It routes packets from the source computer to the destination computer. The packets are broken up in to smaller pieces and reassembled at the destination computer.
The Transport Layer ensures that messages are delivered without errors in a proper sequence without errors or losses.
The Session Layer handles name recognition and other functions that permit two applications to communicate.
The Presentation Layer translates the applications data into a commonly recognized format for transmission. The intermediate format is translated back into its original format at the receiving end. The network redirector works at this level. Data compression, encryption and other conversions take place at this level.
The Application Layer services user applications like file transfer, messaging or database access.

Two Approaches to Security
Over time, two distinct approaches have evolved to applying security countermeasures: networked coupled security and application coupled security.

Network Coupled Security
In a Network coupled scheme, the focus is to make the network itself a trusted and secure subsystem so that the applications can assume the data being transmitted is safe, comes from authorized users and is being delivered to the appropriate recipients. If the network itself is secure, then the applications don't have to do anything special to operate in a secure environment they simply assume that all security functions are being performed by the network itself. This philosophy is very similar to that of the Internet and OSI architectures. In a secure network environment, applications can assume that the lower levels are handling the security.
Application Coupled Security
Proponents of this scheme argue that the application knows best what kind of security is required for that application. Therefore, control of the security aspects should rest in the application layer.

Different Tools for Different Layers
There is no shortage of technology available to secure an organization's Internet connections. More appropriate questions have to do with which tools to use at which layers to effect the secure communications.

Early on, router manufacturers recognized the key role they could play in this endeavor, and have placed filtering capabilities in their products to establish a primary front line of defense. A router's ability to examine and discriminate network traffic based on the IP packet addresses is known as a "screening router". Some advanced routers provide the capability to screen packets based upon other criteria such as the type of protocol (http, ftp, udp), the source address, and the destination address fields for a particular type of protocol. This way, a communications manager can build "profiles" of users who are allowed access to different applications based on the protocols. Such a case is shown below.

In this same figure, the packet filtering of the screening router is enhanced with authentication software which can add either password authentication or challenge authentication. In the scenario described above, simple filtering, even with profiles, cannot authenticate that the individual on the other end of the connection is in fact the individual who should have access to the applications and data residing on the server connected to the local LAN. Therefore, we need to add PAP/CHAP authentication to accomplish this, which provides another layer of security to the system.

The screening router either alone or in combination with authentication, is known as a "Firewall", because it keeps the "fire" of unsecured communications outside a protective "wall".

Another popular configuration, particularly for organizations which have WWW presence, is the use of a so called "bastion host". This concept consists of a double walled security layer. The outside wall, or perimeter wall, consists of a screening router which provides a first pass screen for the population of outside users who are allowed access to the Internet accessible applications in the Bastion Hosts, which sits in the "moat" between the two walls. A secondary router with or without authentication enhancements provides a second filter for those few privileged users who have access to the internal network. The bastion host concept is demonstrated below.

Protecting against unauthorized access to the data via controlling who is allowed to communicate with the protected servers will guard against many of the vulnerabilities of networks. However, these schemes do not prevent espionage and theft of the data which may be captured en route between two validated correspondents. This is an area where the addition of encryption and key management, as defined in the SKIP standard, will provide effective countermeasures. By encrypting the data and properly managing the keys to the encryption and decryption, data which is intercepted is rendered unusable, and at the same time unmodifiable, thereby adding a further layer of protection for the data.

Beyond this level, additional security is still available coupled to the applications, as mentioned earlier. For example, database systems also have authentication capabilities with user names and passwords as well as profiles, access control lists, and the like. It is possible to add yet more layers of security beyond those discussed so far by adding similar technologies to the application layer. In these schemes, applications could also issue challenge passwords beyond those required to gain access to the network, thereby increasing the security of the data by decreasing the odds that a single error (lost password, etc.) could compromise the application or the data. One common form of application level security is the use of Secure Socket Layer (SSL) directly coupled with the application. In order for SSL to work, both the Browser client and the Server application must support its use, making the application security aware. SSL is discussed further in the tools section of this paper.

Internet Security Toolkit
This section will describe the different technology tools available to deploy in developing security architecture for any given network.

Secure Sockets Layer (SSL)
The SSL is inserted between the TCP protocol and the application protocol. The SSL protocol operates in two phases. In the first phase, the sender and receiver agree on the read and write keys to be used, and then in the second phase data is encrypted using the keys chosen in the first phase. Authentication and secure key exchange is also achieved using the RSA public key encryption algorithm.

Hypertext Transport Protocol Secure (HTTPS)
By layering a version of SSL between HTTP and TCP, Netscape has developed a secure version of HTTP as well.

Proxy servers
A proxy server is a firewall implemented in a hardware unit such as a workstation on a NT server, rather than in a router. This device looks at all of the data in each packet, not just address and headers. In most cases, the proxy examines the content and replaces the network address in the packet with proxy destinations that are known to be secure. Besides hiding the network from the outside world, they provide more control over the actual data at the application level. However, because they inspect all of the data in each packet, there have been reports of some significant performance degradations in high traffic areas.

Encryption
Encryption is a technique as old as the Romans. It is simply the scrambling of the transmitted text using a set of rules (algorithms, which in today's world means mathematical manipulations) which is known to the recipient, but hopefully to no one else. The recipient can then use the same set of rules in reverse to unscramble the coded text and read the intended message.

There are two classes of encryption algorithms. They are:

Symmetric key: A symmetric key algorithm is one where the same key is used both to encode and decode the message. The most popular symmetric key algorithm is the Data Encryption Standard (DES), whose major advantage is that it is fast and widely implemented. Its major limitations are its relatively small key size (56 bits), which weakens the security of the algorithm, and the need to exchange a secret key between the communicating parties, before secure communication can be established. A variant of DES, Triple-DES or 3DES is based on using DES three times (normally in an encrypt-decrypt-encrypt sequence with three different, unrelated keys). Many people consider Triple-DES to be much safer than plain DES.
Asymmetric key: It is a surprising fact that there are some algorithms that are difficult to reverse, even when the algorithm, the key, and the encrypted data are all available, unless some other piece of information is known. A public key encryption system is based on an algorithm of this type. Two keys are generated. One is kept private and the other can be made public. Two systems that want to hold a secure conversation can exchange their public keys. When one system sends to the other, it will encrypt the message using the other system's public key. Even though an attacker might observe the exchange of keys and an encrypted message, the irreversiblity of the public key algorithm ensures that the data is secure.

The most popular public key algorithm is the RSA algorithm. (The name RSA is derived from the first letters of the surnames of the algorithms inventors, Ron Rivest, Adi Shamir, and Leonard Adleman).

Although public key algorithms solve the key distribution problem, they are much slower than symmetric key algorithms. When implemented in hardware, DES is up to 10,000 faster than RSA. If efficiency is required, a public key system can be used to securely exchange symmetric keys which can then be used for the bulk of the data transfer.

Application Gateways
All packets are addressed to an application on the gateway that relays the packets between the two communication points. In most application gateway implementations, additional packet filter machines are required to control and screen the traffic between the gateway and the networks. Typically, this is a use of bastion hosts. These are secure but inefficient, since they are not transparent to users and applications.

Screening Routers
One of the most cost efficient and ubiquitous techniques for securing a network, a screening router, sometimes known as a packet filtering router, will allow known users (known by their IP addresses) to connect to specified applications (determined by their port address), thereby limiting the connections of even those users allowed to enter through the firewall, and completely denying any connections to those not authorized to access any applications.

Authenticating Servers
Authenticating Servers are often used in conjunction with Screening Routers to provide authentication services, thus verifying that those users who claim to be originating from valid addresses are in fact who they say they are.

Firewalls

The term "firewall" has become a generic term which encompasses a spectrum of technologies intended to provide protection from communications attacks on an organization. Screening routers, application gateways, proxy servers, authentication servers, are all examples of firewalls in use today. It is possible, and often desirable, to combine these different technologies according to the needs of the organization and their budget limitations.

Home Network Security Cryptography Firewalls