Landwehr, C.E. and D.M. Goldschlag. Security issues in networks with Internet access. Proceedings of the IEEE, Vol. 85, No. 12 (Dec. 1997) 1034-2051. This version of the paper differs in citation formats, pagination, and other minor details from the published version. This version is available from the NRL Code 5540 Web site: http://www.itd.nrl.navy.mil/ITD/5540/publications

Security Issues in Networks with Internet Access

CARL E. LANDWEHR, MEMBER, IEEE, AND DAVID M. GOLDSCHLAG 1

Invited Paper

1 Authors' addresses: Carl E. Landwehr, Naval Research Laboratory, Code 5542, Washington, DC 20375-5337, Voice: (202) 767-3381, Fax: (202) 404-7942, E-mail: [email protected]. David M. Goldschlag, Divx, 570 Herndon Parkway, Herndon, VA 20170, Voice: (703) 708-4028, Fax: (703) 708-4088, E-mail: [email protected]. This work was performed while both authors were with the Naval Research Laboratory.

This paper describes the basic principles of designing and administering a relatively secure network. The principles are illustrated by describing the security issues a hypothetical company faces as the networks that support its operations evolve from strictly private, through a mix of Internet and private nets, to a final state in which the Internet is fully integrated into its operations, and the company participates in international electronic commerce. At each stage, the vulnerabilities and threats that the company faces, the countermeasures that it considers, and the residual risk the company accepts are noted. Network security policy and services are discussed, and a description of Internet architecture and vulnerabilities provides additional technical detail underlying the scenario. Finally, a number of building blocks for secure networks are presented that can mitigate some of the vulnerabilities.

Keywords: computer network security, internet, cryptography, authentication

I. INTRODUCTION

Historically, people developed networks so that they could share expensive computing resources. Today, people buy cheap computers in order to gain access to networks. The efficiency of e-mail for conducting internal business drives companies to build extensive local area networks, and demand for access to the Internet soon follows. In many cases, access to the Internet may already have been arranged for particular machines that are not simultaneously attached to the in-house network. But company managers read the newspapers and are cautious about connecting. Should they be? More generally, what security issues need to be considered when one network is connected to another?

Securing a system always means considering vulnerabilities, threats, countermeasures, and acceptable risk. No system will be perfectly secure, particularly if security is deemed to include continuity of service. Simply shutting down a system in the face of an attack, particularly in the case of a network, is rarely a viable approach from the system owner's point of view, but maintaining the availability of data that have been corrupted or compromised is also of dubious value. The security engineer seeks system designs that yield reasonably secure operation in the anticipated threat environment.

We first outline some principles for designing and administering a relatively secure network. Next, we describe the evolution of a hypothetical company's networks together with the vulnerabilities, threats, countermeasures, and risks the company faces and the choices it makes. In Section 4, we discuss network security policies and services more broadly and relate them to the example. For those wishing more technical detail, we summarize Internet architecture, vulnerabilities, and building blocks that support both connectivity and security in Sections 5 and 6. Section 7 summarizes and concludes the paper.

II. PRINCIPLES FOR SECURE NETWORKING

We define a computer network to include the network infrastructure as well as attached devices. These devices include computers, file servers, printers, scanners, modems, and more. In this context, there are several sets of questions to consider:

1) What are we trying to protect? Is it the secrecy or integrity of data accessible over the network, the use of those network resources, or the availability of data and network resources? Different applications will have different concerns. In this paper, we focus most strongly on protecting the confidentiality and integrity of data dispersed throughout the network, because there are usually already strong commercial incentives for keeping the system available.

2) What operations are authorized? Authorization policies may be motivated both by the trust placed in the source of an operation and the consequences of unauthorized operations. A trusted source, such as a bank teller working at a console, may be authorized to invoke many operations. Untrusted sources, perhaps customers at automated teller machines, may have fewer operations available.

Report Documentation Page (Standard Form 298, Rev. 8-98, prescribed by ANSI Std Z39-18; Form Approved OMB No. 0704-0188). Report date: 1997; dates covered: 00-00-1997 to 00-00-1997. Title and subtitle: Security Issues in Networks with Internet Access. Performing organization: Naval Research Laboratory, Code 5542, 4555 Overlook Avenue, SW, Washington, DC 20375. Distribution/availability statement: Approved for public release; distribution unlimited. Number of pages: 23. Security classification of report, abstract, and this page: unclassified. The remaining form fields are blank.

3) What is the security perimeter? Often, a boundary of trust is placed between machines inside a corporate network and those outside. Machines inside the corporate network are trusted, and machines outside the network are not. Firewalls implement this sort of perimeter security and are a prudent component of network security solutions.

The technical approach we advocate is to control incoming connections to trusted machines and protect the data on those machines. Incoming data must be interpreted within a restricted environment. Arriving e-mail, for example, should not be able to invoke operating system (OS) operations outside of mail delivery. And incoming data should not be trusted until some estimate of its trustworthiness is obtained (e.g., by running executables through a virus checking program). Data must be protected too, while stored on disk, while in transit over the network, and while being manipulated as part of a computation on a user's machine. Different kinds of protection may be applied in different places: data moving over the Internet between corporate sites may be protected cryptographically, while data moving over wires within a building may be protected by pressurized conduit.

Experience has revealed a number of principles that should guide designers and administrators when building a network that is to meet defined security requirements. These principles play a role both in planning and operating the network. Successful security may be boring --- its consequence is the absence of security problems. Yet a successful penetration, from the attacker's view, is one that goes undetected. So it is important to operate the system with vigilance.

• Know the configuration of the network's hardware and software. What hardware (computers, cables, bridges, routers, switches, modems, printers, etc.) and software is running on the network? What communication protocols are being used (AppleTalk, Ethernet, TCP/IP, IPX, SNA, DECNET, NFS, Kerberos, etc.)? Who is using the system and from where? What is defined to be within the security perimeter and what is outside? Without knowing the particular configuration of the network, security administrators cannot identify the network's vulnerabilities, will not know which security patches to look for on an ongoing basis, and will be unable to detect unauthorized changes that may affect the network's security.

• Know the vulnerabilities of the configuration. The vulnerabilities represent weak points in the system that could be exploited, accidentally or intentionally, and cause security to be compromised. Determining the network's vulnerabilities requires considering both the network's normal and exceptional behavior. Although many vulnerabilities have been widely publicized ([ChBe 94], [FeMo 97]), detailed vulnerability information on newly discovered vulnerabilities is often closely guarded. Manufacturers and incident response centers like CERT [CERT], CIAC [CIAC], AUSCERT [AUSCERT], and other members of FIRST [FIRST] distribute vulnerability information regularly. Other public Web sites ([COAST], [W3C], [Stein], [NIH]) also provide helpful information and tools.

• Know the threat and consider it in relation to the vulnerabilities to assess the risk. The threat environment determines the kinds of attacks expected, and these usually depend strongly on the value of the resources contained in the system. When those resources are information, rather than material goods, their value can fluctuate with time and with external events, so the threat environment may change from day to day, and any analysis needs to recognize this fact. Is the company concerned about attacks from insiders or outsiders? Are attacks likely to come from vandals, disgruntled employees, thieves, or industrial spies seeking commercial gain? What kinds of users have access to the system? What information do they have access to? Assuming the attacker knows the system's vulnerabilities, where are attacks likely to occur? This information helps determine what countermeasures are needed. Knowledge of the vulnerabilities, threats, and countermeasures permits an assessment of the residual risk present in the network, which must be carefully studied to see if appropriate trade-offs among cost, function, and security have been made.

• Authenticate and authorize access to network resources. The network must authenticate a user before deciding whether the user is authorized to access a resource. These resources may include OS calls and filesystem access. The level of authentication may differ across applications: in a Web access, authentication may only identify from what Internet Protocol (IP) address a connection is being made. In a login, the user is authenticated also. Authentication may itself introduce vulnerabilities (if, for example, passwords are relied on but the user chooses a weak password or the password file is stolen). Sessions may be authenticated as well (using, for example, Kerberos [SNS 88] [KPS 95], described in Section 5.3).

• Maintain audit logs. The combination of authentication and audit helps a security administrator determine whether a security breach occurred, and where it came from. Logs must be carefully controlled, however: intruders may attempt to modify the logs to hide evidence; and logs may contain private information [GrMo 84].
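One way to make the "intruders may attempt to modify the logs" concern detectable is to chain each audit entry to its predecessor with a keyed MAC, so that editing or deleting an entry breaks every entry after it. The example below is added here and is not code from the paper; the key, the record fields, and the constructed login events are assumptions for illustration.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical key, constructed for this example; in practice it is held by the
# security manager's verifier, not by the host whose log is being protected.
LOG_KEY = b"twohands-audit-key-EXAMPLE-ONLY"
GENESIS = "0" * 64  # stands in for the MAC "before" the first entry


def _mac(prev_mac: str, record: dict) -> str:
    """MAC over the previous entry's MAC and this record, so each entry commits to all earlier ones."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_mac + body).encode("utf-8"), hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict) -> list:
    """Append a record, chaining it to the last entry (or to GENESIS for an empty log)."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"prev": prev, "record": record, "mac": _mac(prev, record)})
    return log


def verify_chain(log: list) -> int:
    """Return -1 if every entry chains correctly, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(prev, entry["record"])):
            return i
        prev = entry["mac"]
    return -1


def verify_with_anchor(log: list, anchor_mac: str) -> bool:
    """The chain alone cannot detect truncation of the tail; comparing the last MAC against
    one reported off-host (the 'anchor') closes that gap."""
    return bool(log) and verify_chain(log) == -1 and hmac.compare_digest(log[-1]["mac"], anchor_mac)


def build_sample_log() -> list:
    """Constructed sample: three authentication events of the kind audit plus authentication produces."""
    log = []
    append_entry(log, {"ts": "1997-06-01T08:02:11", "event": "login", "user": "alice", "host": "hq-pc-17", "ok": True})
    append_entry(log, {"ts": "1997-06-01T08:05:40", "event": "login", "user": "bob", "host": "lab-ws-3", "ok": False})
    append_entry(log, {"ts": "1997-06-01T08:06:02", "event": "login", "user": "bob", "host": "lab-ws-3", "ok": True})
    return log


def tamper_record(log: list, index: int, field: str, value) -> list:
    """Simulate an intruder editing a stored entry in place (returns a modified copy)."""
    altered = copy.deepcopy(log)
    altered[index]["record"][field] = value
    return altered


def drop_entry(log: list, index: int) -> list:
    """Simulate an intruder deleting one entry from the middle of the log (returns a modified copy)."""
    altered = copy.deepcopy(log)
    del altered[index]
    return altered


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact log verifies at:", verify_chain(sample))
    print("edited entry detected at:", verify_chain(tamper_record(sample, 1, "ok", True)))
    print("deleted entry detected at:", verify_chain(drop_entry(sample, 1)))
```

Because the records themselves stay in the clear, the second concern in the bullet (private information in logs) still has to be handled by access control on the log store.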

• Have a plan to detect and respond to security incidents. This plan should include who should be informed, whether certain services should be (temporarily) shut down, how lost data is to be restored, how normal operation can be resumed, and so on. The plan should also consider how to coordinate with other security administrators, to help trace the source of attacks.

• Ensure individual accountability. A single individual should have overall responsibility for analysis, design, and implementation of security infrastructure (this is the individual, whom we will refer to as the security manager, who should be concerned about all of the previous principles in this list). Routine security should be made easy for individual users, but all users should also understand that they will be held individually accountable for the resources they control.

The next section shows how one hypothetical company might apply these principles and approaches as its networks grow from completely internal and private to fully integrated with the Internet.

III. THE NETWORKS OF THE TWOHANDS CORPORATION

The TwoHands Corporation develops, produces, and markets specialized gloves used in waste disposal and other safety-related applications. In addition to its headquarters, located in a large city, it operates a research laboratory near a large university, which develops new glove designs and coatings, and several factories and warehouses in different parts of the country. The gloves are sold through wholesale and retail outlets.

Automation at TwoHands began with the introduction of computers into the purchasing, accounting and payroll systems in the administrative headquarters building, years ago. Separately, word processing systems began to replace typewriters on desks throughout the organization. These systems typically shared a single printer or two among several workstations, and cables were run among offices to support this. Over time, PCs connected by an Ethernet replaced the specialized word processing system. Demand grew for direct access to the purchasing and accounting systems, and the mainframes that supported those functions were replaced by servers that communicated with clients that could be run from the many PCs.

Large orders for TwoHands products are taken by the sales force and transmitted to the headquarters, where they are checked against inventories and production schedules and dispatched to appropriate factories. TwoHands also receives orders by mail from a catalog it distributes.

Orders are filled from inventory and also contribute to decisions on which particular gloves to produce, and in what quantity. Production schedules in turn drive purchases of raw materials.

In the research laboratory, computers were introduced to perform scientific calculations. The company obtained this service first through a timesharing service bureau, accessed through dial-up telephone lines. Scientists initially used small computers to control experimental equipment. As these machines became more capable, scientists used them for scientific calculations and eventually for word processing as well, and the timesharing service was discontinued. As in the headquarters building, a communications cable plant, separate from the telephone system, was gradually put in place. With this scene in mind, we identify five stages of development in the TwoHands networks and consider the operations, threats, vulnerabilities, countermeasures, and risks in each. The following descriptions illustrate and represent the security considerations in the TwoHands environment; they are not intended to be comprehensive and complete.

A. Stage One: Private Networks Only

1) Mode of Operation

Customer orders arrive by telephone, fax, or postal mail and are entered into the order processing system. Office operations and word processing are handled with in-house servers and desktop clients (PCs) connected by an in-house LAN. A private network of lines leased from the telephone company connects the headquarters to the research laboratory, the factories, and the warehouses. Apart from these lines, there are no external connections to the LAN (or at least there are not supposed to be any). The headquarters, laboratories, and factories use E-mail over the private network to coordinate their activities and for other purposes, both formal and informal. This network is illustrated in Figure 1.

2) Vulnerabilities

a) Unauthorized configuration of authorized software: An authorized user or administrator can configure authorized software incorrectly, resulting in misdelivery of messages or other problems. A user can configure the network interface on his computer so that all traffic that passes by on the LAN is available for browsing (packet sniffers). Passwords or sensitive corporate or personal information could be obtained in this way.

[Figure 1: Stage One: Private Networks Only. The diagram shows Headquarters, Research Lab, Factory, and Warehouse joined by a private network running proprietary protocols over phone company lines; customers reach the company only by postal mail, phone, and fax.]

b) Insertion of malicious software: In the TwoHands environment, client workstations have diskette drives, and users can load arbitrary software with them. Authorized users may inadvertently introduce malicious software (viruses or Trojan horses) through diskettes brought from home and used on the company system.

c) Unauthorized external connections: Users can attach modems to their PCs and hook them to the telephones on their desks. This opens a back door to the private LAN, if the computer is left running and the modem can answer the phone. Even if this is not the case, this connection provides another path for the user to download and install arbitrary software.

d) Unauthorized access to private network: An intruder might gain physical access to the private network lines and tap them or eavesdrop on microwave links that form part of the private net.

3) Threats

Authorized users (insiders) may do something foolish or risky, either because they don't understand the risk they are taking, or they decide that the risk is justified because taking it will help them do their job, or they don't care. A disgruntled insider might take such actions intentionally. Unauthorized users (outsiders) should not, in theory, be a problem, if the system has no external connections, but a determined opponent might gain physical access to the plant or search for unintended external connections. An outsider may also use "social engineering" to deceive insiders into taking insecure actions. Although the network perimeter here is in theory well defined, the trust placed in internal machines and users may not be appropriate. If an insider has attached a modem to a PC, an outsider who discovers its phone number may be able to masquerade as an insider.

4) Countermeasures

Passwords can be used to control access to individual clients and servers and provide some degree of accountability. Virus detection software can be installed on clients and servers. There are also packages available that will monitor changes to software configurations on a group of systems attached to a LAN. These usually depend on a program running on the client to communicate changes to a monitor running on the server. It is possible to disable the diskette drives on the clients and to install tamper-resistant hardware to prevent changes to the client (and server) software and hardware configurations. Security awareness training for the authorized users, so they understand how their actions can affect system security, is essential; the security manager needs to arrange the training.
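The configuration monitoring package described here, and the "detect unauthorized changes" requirement in the principles of Section II, both reduce to the same client-side step: take a baseline of what is installed, take it again later, and report what differs. The example below is added here and is not the paper's or any vendor's code; the directory layout and the simulated changes (a trojaned program, an unlicensed game, a deleted configuration file) are constructed for illustration, and the baseline is assumed to be stored on the monitoring server rather than on the client it describes.

```python
import hashlib
import os
import stat
import tempfile


def _hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record every regular file under root: content hash plus permission bits.

    Paths are stored relative to root with '/' separators so baselines taken on
    different clients (or operating systems) compare consistently.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _hash_file(full), "mode": st.st_mode & 0o7777}
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way a server-side monitor would report them to the security manager."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'client' tree, then simulate the changes
    the Stage One narrative describes, and return what the monitor would report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "mailer"), "w") as f:
            f.write("original mail client\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("deliver_to=hq\n")
        baseline = snapshot(root)  # would be sent to, and kept on, the monitoring server

        with open(os.path.join(root, "bin", "mailer"), "w") as f:
            f.write("same name, different contents\n")  # simulated Trojan horse
        with open(os.path.join(root, "game.exe"), "w") as f:
            f.write("unlicensed game from a home diskette\n")
        os.remove(os.path.join(root, "config.ini"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A baseline left on the client is only as trustworthy as the client, which is the same reason the paper pairs this monitoring with tamper-resistant hardware as an option.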

5) Risks

Permitting diskette drives and off-the-shelf hardware and software leaves the systems open to the risks of users (or any personnel with physical access to the machines) installing additional, possibly malicious software or hardware.

6) What Happened

Trusting its (newly security-aware) employees and not expecting significant outside attacks, TwoHands decided not to disable diskette drives or install tamper-resistant hardware. In order to provide some degree of protection against the installation of unlicensed copies of commercial programs, it installed a configuration monitoring program. Some users did in fact install games and other software, and eventually several clients were infected with a virus. After eradicating the virus with some difficulty, TwoHands purchased virus checking software and required its installation on all clients. It also reassessed its backup procedures.

B. Stage Two: Private Networks Plus Read-Only Web Server

TwoHands decides to increase the visibility of its products by putting descriptions, pictures, and order information for its most popular products on the World Wide Web. Orders will still be accepted in the same ways as before (postal mail, phone, fax).

1) Mode of Operation

Operations are unchanged, except that a Web site, not connected to the internal networks, is established with a commercial Internet Service Provider (ISP). Customers can review information on the Web site, including product specifications, new product announcements, company telephone numbers, and so on. A system administrator is placed in charge of the Web site; the administrator is responsible for installing new information, reporting on sources of queries and so on. This network is illustrated in Figure 2:

[Figure 2: Stage Two: Private Networks Plus Read-Only Web Server. The Stage One diagram (Headquarters, Research Lab, Factory, and Warehouse on a private network with proprietary protocols over phone company lines; postal mail, phone, and fax) gains a separate TwoHands Web Site reached over the Internet.]

2) Vulnerabilities

a) Internet-based denial of service: The Web server, as long as it is only providing catalog information, is vulnerable to denial of service attacks that originate in the Internet (e.g., an Internet administrator from outside the company who misconfigures a router so that traffic destined for TwoHands' Web site is sent to a "black hole").

b) Unauthorized changes to data on Web server: If there is a bug in the web server that can be invoked by Internet users (e.g., by sending URLs so long that they overflow a buffer and corrupt internal software), or if the protections of the ISP's Web server are penetrated in other ways, unauthorized users may be able to modify TwoHands catalog information. The results are unpredictable; wrong information could be placed in the catalog, or pointers could be inserted that lead to bogus Web pages.

c) Web address spoofing: Some vulnerabilities come from operating in the World Wide Web environment that are not technical in the same sense but are nonetheless real. For example, competitors or vandals could set up Web sites with similar names (e.g., in addition to the correct website, http://www.TwoHands.com, they could establish http://www.TwoHands.org or http://www.ToHands.com) and place bogus information on them.

3) Threats

To the internal systems, the threats are unchanged. The new Web site, however, is accessible to anyone on the Internet, including people who make mistakes, as well as vandals (e.g., individuals who intentionally saturate TwoHands' Internet Service Provider with bogus traffic and prevent access by legitimate users).

4) Countermeasures

The primary countermeasures are to run a reliable Web server package and keep abreast of advisories provided by organizations such as the Computer Emergency Response Team (CERT) [CERT], AUSCERT [AUSCERT], or other members of the Forum of Incident Response Teams (FIRST [FIRST]) as new flaws or attacks are discovered and distributed. Access to the server should be limited to the administrator, and the server host should provide only those capabilities it requires to act as a Web server. It should not provide a general execution environment, and any development activities should be conducted off-line. Backups of all information on the server should also be maintained off-line. A good system administrator (i.e., one who carefully maintains the system configuration, understands its vulnerabilities, monitors it for possible intrusions, and installs patches and updates as they are distributed) is a key countermeasure.

5) Risks

TwoHands' internal systems are no more at risk than in the previous mode.

It runs the risk of denial of service or vandalism to its Web-based system. The information the server holds is by definition public, so confidentiality is not an issue. Novel attacks seem to surface in the Internet from time to time that even the best system administrators have not anticipated or are powerless to repel. An example is the SYN-flooding denial of service attack that was mounted several times in 1996 before effective countermeasures were developed ([CA21-96], [SKKSSZ 97]). If the Web site becomes the company’s primary method for attracting sales, this could nevertheless be a significant risk. A company in a highly seasonal business (e.g., a florist whose site is down for a day in the week before Valentine’s Day) might be more concerned.

6) What Happened

Initially, the Web site attracted no attention, but TwoHands began to advertise the site in print and to direct queries to it, particularly from new customers, and the site’s use grew over time. The ISP proved generally reliable, but on one occasion, for no apparent reason, the ISP was attacked by outsiders and service was unavailable for several hours. Several times data on the Web server were modified, but TwoHands’ administrator could not detect the means of attack. Correct data values were reloaded from backups.

C. Stage Three: Private Nets Plus Forms-Based WWW Server

Finding that the on-line catalog is attracting some attention, TwoHands decides to begin taking orders via HTML forms. This entails implementing CGI scripts on the existing Web server and providing a path for the orders placed to enter the private network.

Figure 3: Stage Three: Private Nets Plus Forms-Based WWW Server (diagram elements: Headquarters, Research Lab, Factory, Warehouse, Phone Company, Private Network with Proprietary Protocols, Postal Mail, Phone, Fax, TwoHands Web Site, Internet, Modem)

1) Mode of Operation

The existing Web site is expanded substantially to support the anticipated additional processing required to handle forms-based requests. Scripts are developed, tested, and installed. Each form submitted creates an e-mail message, which is posted to a separate account with the commercial ISP. The order-taking staff periodically reads the e-mail, accessing the ISP via modems attached to their desk-top clients. This network is illustrated in Figure 3.

2) Vulnerabilities

a) Compromise of order information: Unless specific measures are implemented to authenticate customers and protect their communications with the server and the e-mail that the server sends to the order-taking staff, the order information may be compromised. If this information is sensitive (e.g., it includes credit card numbers), this vulnerability is significant.

b) Spoofing of order information: Outsiders may be able to forge e-mail that seems to have come from the Web site but did not (and thereby, for example, flood the order-taking office with false requests).

c) Loss of control of Web site: Valid but unsafe scripts [CGI] can permit an outsider to “take over” a Web site and thereby alter the information it provides, generate false requests, close it down, or initiate other malicious actions. Since TwoHands is using a commercial ISP, they may be vulnerable not only to weaknesses in their own scripts but also to those in scripts provided by other clients of the same ISP. This was in fact a vulnerability in stage two as well, but the consequences were less severe. If the e-mail generated by CGI scripts is delivered to a server different from the web site, the vulnerabilities of that site are also a concern.

3) Threats

In addition to the threats already listed, outsiders may eavesdrop on the orders placed, may place bogus orders, or may gain control of the web server.

4) Countermeasures

A secure Web server (i.e., one that implements the SSL [FKK 96] or SHTTP [ReSc 97] protocols [IETF]) can be used, and orders can be restricted to those originating from Web clients that converse in a secure mode (i.e., information passed over the link is encrypted). Encryption is not a panacea, but its use here would increase the level of effort required for an outside snooper to eavesdrop successfully. Before scripts are installed, they must be checked by a knowledgeable system administrator to be sure they will not make the server vulnerable to well-known attacks. Vigilance on the part of the order-taking staff is also a useful countermeasure; they should be alert for unusual patterns of orders (or a lack of orders) that might indicate tampering with the Web server or phony orders being placed. Depending on the size and volume of orders the company has, it may be reasonable to simply call or send e-mail back to the individual placing the order for confirmation. This makes it harder for a spoofer to succeed, since in addition to generating the initial false order, she would have to intercept the confirmation message and reply to it.
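The check that a "knowledgeable system administrator" would apply to an order-taking script, written out as an added example (this is not the paper's code, and TwoHands never published any): every form field is validated against an allow-list before use, and the e-mail to the order desk is assembled as a structured message object rather than by pasting untrusted text into a command line. The field rules, the catalogue code format and the addresses ending in `twohands.example` are assumptions for this example.

```python
"""Hardened handling of a forms-based order (added example, not the paper's code).

Two habits that made early CGI order scripts unsafe are avoided:
  * no form field is ever placed on a shell command line; the notification
    e-mail is built with the email package as a message object, and
  * every field is validated against an allow-list, so a value such as an
    e-mail address carrying an embedded newline (header injection) is rejected
    before it reaches the mailer.
"""
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Allow-list pattern per form field (assumed for this example).
FIELD_RULES = {
    "name":     re.compile(r"^[A-Za-z][A-Za-z .'-]{1,60}$"),
    "email":    re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "item":     re.compile(r"^[A-Z]{2}-\d{4}$"),   # catalogue code such as TH-0042 (assumed)
    "quantity": re.compile(r"^[1-9]\d{0,2}$"),     # 1..999
}

ORDER_DESK = "orders@twohands.example"      # placeholder address, not from the paper
FORM_SENDER = "webform@twohands.example"    # placeholder address

# Constructed sample form body, URL-encoded as a browser would submit it.
SAMPLE_FORM = "name=Ann+Lee&email=ann%40example.org&item=TH-0042&quantity=3"


class InvalidOrder(ValueError):
    """Raised when a submitted form fails validation; the request is rejected."""


def parse_order(query_string):
    """Parse a URL-encoded form body and validate every field against FIELD_RULES.

    Returns a dict of clean string values. Unknown fields are ignored; missing,
    repeated or malformed fields raise InvalidOrder, so nothing unexpected is
    ever handed to the mailer.
    """
    raw = parse_qs(query_string, keep_blank_values=True)
    order = {}
    for field, rule in FIELD_RULES.items():
        values = raw.get(field, [])
        if len(values) != 1:
            raise InvalidOrder("field %r missing or repeated" % field)
        value = values[0].strip()
        if not rule.fullmatch(value):
            raise InvalidOrder("field %r has unexpected format" % field)
        order[field] = value
    return order


def build_order_mail(order):
    """Build the e-mail the script posts to the order desk.

    The customer's address goes into Reply-To as a structured header and the
    body is plain text; no field is interpolated into a shell command.
    """
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = ORDER_DESK
    msg["Reply-To"] = order["email"]
    msg["Subject"] = "Web order: %s x%s" % (order["item"], order["quantity"])
    body = "\n".join("%s: %s" % (k, order[k]) for k in ("name", "email", "item", "quantity"))
    msg.set_content(body + "\n")
    return msg


if __name__ == "__main__":
    print(build_order_mail(parse_order(SAMPLE_FORM)))
```

The allow-list approach matters more than the particular patterns: a script that rejects everything it does not expect is far easier for an administrator to review than one that tries to enumerate dangerous characters. The confirmation call-back the paragraph recommends is a separate, out-of-band step and is not modelled here.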

5) Risks

The increased dependence on Web technology brings some increased risks. Establishing the Web site and assuring the scripts are safe requires some expertise. As the scripts and the system on which they are executed change, good system administration is needed to assure that flaws are not introduced and that any detected flaws are removed. There is consequently some risk that occasional problems will occur. For TwoHands, compromise of the identities of their customers or even of order information may not be a major concern, but loss of, say, a file containing customer credit card numbers might well damage TwoHands’ reputation significantly. If a commercial ISP is used for the Web server and for e-mail, the ISP itself is trusted not to misbehave (just as the telephone company is trusted in the pre-Internet operations). If customers grow to depend on the Web-based order process and a denial of service attack is mounted, business may be lost. One fundamental issue here is that TwoHands is storing sensitive customer information (credit card numbers and orders) on a machine that TwoHands itself would not trust to store company proprietary information.

6) What Happened

TwoHands designed forms that permitted taking complete orders, including credit card numbers, so it moved to a Web server that supported SSL. It took care with its forms and scripts, and the system worked well. E-mail was delivered to the same site that hosted the Web pages. However, another company that maintained Web pages on the same server provided by the ISP was less careful and was vulnerable to an attack through a script. When that attack succeeded, the outsiders who initiated it gained access to all information on the server, including that collected by the TwoHands forms. The credit card numbers (which, although they were encrypted for transmission, were stored unencrypted on the server) could have been stolen, though it could not be determined whether this actually occurred. To protect its customers, TwoHands had to notify them of the problem.

D. Stage Four: Internet Service through Firewall with Forms-Based WWW Server

As TwoHands’ communications with the outside world change, their internal networks, though still isolated, keep pace. The increasing popularity and decreasing cost of TCP/IP networks leads TwoHands to organize its leased lines as a corporate intranet to ease the integration of its office and laboratory systems, to make internal and external communication more uniform, and to reduce costs. After the incident with the ISP, TwoHands decides to establish its own connectivity to the Internet to gain better control of its sensitive information. A commercial firewall is purchased to support connectivity to the Internet from the corporate intranet, and the Web server is configured on a separate machine outside the firewall.

1) Mode of Operation

The processing of orders in the new architecture works much as it did before, except that now the orders are e-mailed directly to order-takers’ accounts on servers attached to the corporate intranet instead of to an external system. It is no longer necessary for these desktop clients to have modems or phone lines attached, since they can send e-mail to Internet addresses directly from the local network. Internally, Web servers are used to front-end the inventory control systems so order takers can check on stocks and place orders using a forms-based interface similar to that used by customers. In addition, TwoHands’ executives begin to use Internet e-mail to coordinate relationships with other companies. This is illustrated in Figure 4.

Figure 4: Stage Four: Internet Service through Firewall with Forms-Based WWW Server (diagram elements: Headquarters, Research Lab, Factory, Warehouse, Phone Company, Private Intranet with Open Protocols: TCP/IP, Postal Mail, Phone, Fax, TwoHands Web Site, Internet, Firewall)

2) Vulnerabilities

a) Attacks on internal systems via misconfigured firewalls: Although it is supposed to be a security-enforcing box, the firewall also presents new vulnerabilities. Without the firewall, the internal networks are isolated from the Internet. If the firewall is carefully configured, it can provide good protection from outsiders, but if not, it may only provide a false sense of security, and may permit outsiders to attack internal systems. The basic mechanisms used by firewalls vary, but they range from filtering packets (i.e., simply refusing to deliver packets that are suspicious based only on their address information), to parsing the contents of packet sequences to try to determine whether they conform to expected behavior for a given service, to supporting proxy services for applications so that only well-understood commands, rather than raw data, traverse the firewall. Configuring a firewall correctly for a given installation requires a clear understanding of a good deal of Internet infrastructure (see Section 5). An inadequately configured firewall can, for example, make internal hosts visible to the outside world and therefore vulnerable to attack, it may pass traffic from untrusted hosts and ports that was supposed to be blocked, or it may provide an incorrect proxy server that lets malicious traffic into the internal network.
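The first of the mechanisms just described, packet filtering on address information alone, is simple enough to model in a few lines, and doing so shows how a filter "passes traffic from untrusted hosts and ports that was supposed to be blocked." The following is an added example, not the paper's or any firewall vendor's code: a first-match rule evaluator run against a weak rule set and a corrected one. The address blocks (10.0.0.0/8 for the intranet, a mail relay at 10.1.1.25, documentation addresses for outsiders) and the sample packets are constructed for the example.

```python
"""First-match packet filter (added example, not the paper's or any vendor's code).

Rules are evaluated top-down; the first rule whose fields all match decides the
packet and an implicit final rule denies everything else. Two rule sets are
compared: one in which the Web rule was written without a direction, so it also
admits inbound connections to port 80 on internal hosts, and a corrected one.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport direction")  # direction: "in" or "out"
Rule = namedtuple("Rule", "action direction src dst proto dport")
ANY = "any"

# Address blocks assumed for this example.
INTRANET = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAY = ipaddress.ip_network("10.1.1.25/32")


def _match_net(net, addr):
    return net == ANY or ipaddress.ip_address(addr) in net


def _match_field(rule_value, value):
    return rule_value == ANY or rule_value == value


def decide(rules, pkt):
    """Return (action, index of the rule that matched, or None for the implicit deny)."""
    for i, r in enumerate(rules):
        if (_match_field(r.direction, pkt.direction) and _match_net(r.src, pkt.src)
                and _match_net(r.dst, pkt.dst) and _match_field(r.proto, pkt.proto)
                and _match_field(r.dport, pkt.dport)):
            return r.action, i
    return "deny", None


# Weak rule set: the intent was "let insiders browse the Web and exchange mail",
# but the first rule has no direction and no source restriction, so it also
# matches outsiders connecting to port 80 on any internal host. The third rule
# admits inbound mail to every intranet host instead of only the relay.
WEAK_RULES = [
    Rule("allow", ANY,   ANY,      ANY,      "tcp", 80),
    Rule("allow", "out", INTRANET, ANY,      "tcp", 25),
    Rule("allow", "in",  ANY,      INTRANET, "tcp", 25),
]

# Corrected rule set: outbound rules are bound to intranet sources, and the only
# inbound connection permitted is mail to the relay. The public Web server sits
# outside the firewall, so no inbound HTTP rule is needed at all.
SAFE_RULES = [
    Rule("allow", "out", INTRANET, ANY,        "tcp", 80),
    Rule("allow", "out", INTRANET, ANY,        "tcp", 25),
    Rule("allow", "in",  ANY,      MAIL_RELAY, "tcp", 25),
]

# Constructed sample packets (documentation addresses for the outside world).
SAMPLE_PACKETS = {
    "insider browsing":            Packet("10.2.3.4",     "203.0.113.7", "tcp", 80, "out"),
    "outsider to intranet web":    Packet("198.51.100.9", "10.2.3.4",    "tcp", 80, "in"),
    "inbound mail to relay":       Packet("198.51.100.9", "10.1.1.25",   "tcp", 25, "in"),
    "inbound mail to desktop":     Packet("198.51.100.9", "10.2.3.4",    "tcp", 25, "in"),
    "outsider to intranet telnet": Packet("198.51.100.9", "10.2.3.4",    "tcp", 23, "in"),
}


def audit(rules):
    """Evaluate every sample packet against a rule set; returns {name: action}."""
    return {name: decide(rules, p)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("safe", SAFE_RULES)):
        print(label, audit(rules))
```

Two simplifications are worth noting. A stateless filter like this one also needs rules for the reply half of each connection (or TCP flag checks), which is where many real misconfigurations hide. And because the filter looks only at addresses and ports, it cannot tell what an allowed port 80 connection actually carries, which is why the paper goes on to list content parsing and application proxies as the stronger alternatives.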

b) Importing of malicious software or exporting of sensitive information via properly configured firewall: The firewall, even if properly configured, provides an avenue through which insiders (or malicious software inadvertently invoked by insiders) can leak information or import malicious code [FeMo 97][Bell 97]. In fact, “fire-door” might be a more apt name for these devices, since their purpose is to be at least part-way open most of the time. The firewall also provides a path for leakage of information through covert channels [Lamp 73]: malicious software inside the trust boundary could, for example, vary the spacing within e-mail messages to communicate TwoHands’ projected earnings for the next quarter to a devious investor.

c) Compromise of identity of correspondents: Even if order information is encrypted, it will be possible for observers in the network to detect that traffic is flowing between TwoHands and its customers. This is not ordinarily a concern for TwoHands, but the e-mail traffic with executives of other companies might raise this issue if, for example, TwoHands were forming a strategic alliance with another company for business purposes and it did not want this fact revealed prematurely.

d) Back doors into internal networks: Frequently system administrators themselves find it convenient to install modems directly on host systems inside the firewall, so that they can work remotely. Users may make similar arrangements if they find traversing the firewall too cumbersome. Any such links can render the entire internal network vulnerable to outside attacks.

3) Threats

As in stage three, but now outsiders have the opportunity to try to penetrate the firewall and gain access to the corporate intranet. The threat to the corporate Web site is reduced in that it is no longer shared with other companies, but TwoHands also faces a greater responsibility for managing it correctly and securely. In addition, if the firewall is configured with HTTP proxies, inside users will have much greater online access to information from outside the company, including software and documents (and therefore viruses). Even if all orders and e-mail messages are encrypted en route and handled successfully at the Web site, it will still be possible for outsiders to observe which sites are exchanging messages with TwoHands.

4) Countermeasures

The firewall itself is a countermeasure; without it, connection to the Internet would be even more risky. Vigilant management of the firewall and the Web site is necessary as well. Users of the internal networks must also be vigilant, since each could inadvertently damage the security of the system, either by importing dangerous materials or by creating a back door connection to outside networks.

5) Risks

As noted, there is a risk that insiders may release sensitive information to the Internet or import malicious software that might damage internal operations or itself cause sensitive information to be released. In addition to the risk that the firewall is misconfigured so that an outsider could gain control of it, flaws may be discovered in the firewall itself, and these could be exploited by an outsider. Insiders may also set up “tunnels” through the firewall for legitimate purposes but that damage security. One of the ways a firewall protects systems from the Internet is to filter out certain kinds of packets. A tunnel encapsulates a message from one protocol in a second protocol and uses the facilities of the second protocol to traverse some part of the network. The encapsulation is stripped off at the destination and the original packet reappears. This facility is useful in many contexts, but it can also be used to defeat the protection a firewall attempts to provide. See Section 5 for further discussion. This stage in TwoHands’ evolution decreases perimeter protection by connecting internal and external machines without changing the behavior of internal machines and users. This approach weakens one part of its security posture without compensating in another.

6) What Happened

TwoHands made the transition to the new form of operation successfully and operated without incident for some time. After a time, management began to find unaccounted-for software on many desktop clients and grew concerned that unlicensed software and in some cases undesired software was running on corporate assets and could cause legal problems. Much of the software appeared to have been downloaded from Web sites outside the company. An incident in which a “macro” virus (i.e., one that operates in the context of an application program, such as Microsoft Word) caused significant lost time brought matters to a head, and TwoHands developed a new corporate policy on configuration management and the use of the World Wide Web.


E. Stage Five: Virtual Private Networks

After successfully managing its own Internet connection for the corporate Web site and unifying some of the communication protocols used for both intra-company and Internet access, TwoHands decides to use the Internet as a Virtual Private Network (VPN) to reduce leased line charges and make its network connectivity more flexible. The VPN consists of an Internet-connected firewall at each corporate site that encrypts traffic destined for any of the other sites and delivers it, using the Internet as the transmission medium. The network is not private, in the sense that it contains no leased private lines, but it is virtually private in that only the headers containing routing information are exposed to public view. At the same time, TwoHands begins to explore more effective use of electronic commerce.

Figure 5: Stage Five: Virtual Private Networks (diagram elements: Headquarters, Research Lab, Factory, Warehouse, VPN: Connections using Encrypting Firewalls, TwoHands Web Site, Internet, Customer)

1) Mode of Operation

Rather than leasing lines to carry data between TwoHands corporate sites, each site manages its own Internet connection and runs an encrypting firewall. Communication between corporate sites is now carried over the Internet and is encrypted between these firewalls to keep the communication confidential. To save on long distance phone charges, faxes sent between corporate sites are sent as data messages over the VPN and then printed at the remote fax machine.

TwoHands also begins to unify the applications visible to customers on its Web site with its internal applications. Inventory changes, new product introductions, and discontinued products are automatically replicated to the Web-based catalog. The inventory systems of large customers and retailers are integrated with TwoHands’ ordering system to place orders automatically in response to low inventories. This requires, among other things, compatible cryptographic systems at TwoHands and these customers. This network is illustrated in Figure 5.

2) Vulnerabilities

a) Contamination of internal databases via actions of cooperating companies: The integration of customers’ inventory systems with TwoHands’ ordering system exposes internal processes to the outside.

b) Service delays/denial for intranet traffic due to Internet/ISP problems: Although communication over the Internet is less costly than leased lines, it does not guarantee service or bandwidth. Depending on the ISP and the larger Internet backbone, delays may occur in delivering important messages.

c) Compromise or delay of intranet traffic due to crypto mismanagement: Both the encryption algorithms and key management techniques used in the encrypting firewalls present possible vulnerabilities to the VPN. The firewalls require manual entry of keys, and mistakes in rekeying can close down communications until the key is entered properly.

d) Compromise of sensitive internal information via interception and decryption of properly managed cryptography: The public Internet now carries confidential corporate information (though in encrypted form). Although in theory this is no different than using leased lines from the public phone system, the company must carefully select and configure the cryptography in the encrypting firewalls used in VPNs.

e) Compromise of internal traffic patterns: Even with encryption, outsiders may now infer when two of TwoHands’ own corporate sites are communicating.
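The encapsulation the encrypting firewalls perform, described in the introduction to this stage and underlying vulnerabilities c) and e) above, can be made concrete with a small model. The following is an added example, not the paper's code and not any product's implementation: an intranet packet is wrapped in an outer datagram whose only cleartext is the two firewalls' public addresses, a key-entry mistake at one end causes every datagram to fail verification (silent loss of communication), and an observer on the path still learns which two sites are talking. The cipher is a standard-library stand-in (a counter-mode keystream derived with HMAC-SHA256 plus a separate HMAC-SHA256 tag, encrypt-then-MAC); a real product would use a vetted cipher suite, and the site addresses and key are constructed values.

```python
"""Site-to-site encapsulation between two encrypting firewalls (added example,
not the paper's or any vendor's code).

Datagram layout on the Internet:  outer_header || nonce || ciphertext || tag
  outer_header  = "<firewall A addr>-><firewall B addr>|"   (cleartext, routable)
  ciphertext    = inner packet (internal addresses + payload) under a CTR keystream
  tag           = HMAC over header, nonce and ciphertext (encrypt-then-MAC)

Cipher: HMAC-SHA256 in counter mode as the keystream and HMAC-SHA256 as the tag.
This is a stand-alone stand-in built only from the standard library; a real VPN
uses a vetted cipher suite such as AES-GCM. The framing is the point here.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 16   # truncated HMAC-SHA256 tag


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _split_keys(site_key):
    """Derive separate encryption and MAC keys from the manually entered site key."""
    enc = hmac.new(site_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(site_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encapsulate(site_key, outer_src, outer_dst, inner_packet, nonce=None):
    """Wrap an intranet packet for transit; only outer_src/outer_dst stay readable."""
    enc_key, mac_key = _split_keys(site_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    outer_header = outer_src.encode() + b"->" + outer_dst.encode() + b"|"
    ks = _keystream(enc_key, nonce, len(inner_packet))
    ct = bytes(a ^ b for a, b in zip(inner_packet, ks))
    tag = hmac.new(mac_key, outer_header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return outer_header + nonce + ct + tag


def decapsulate(site_key, datagram):
    """Reverse encapsulate(). Returns (outer_src, outer_dst, inner_packet), or None
    when the tag does not verify (wrong key at this end, corruption, tampering)."""
    enc_key, mac_key = _split_keys(site_key)
    header, rest = datagram.split(b"|", 1)      # addresses never contain '|'
    outer_header = header + b"|"
    nonce, ct, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
    expected = hmac.new(mac_key, outer_header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    src, dst = header.decode().split("->")
    return src, dst, pt


def visible_to_observer(datagram):
    """What an eavesdropper on the Internet path can read: the outer header only."""
    header, _ = datagram.split(b"|", 1)
    src, dst = header.decode().split("->")
    return src, dst


# Constructed values: a shared site key and an intranet packet from one internal
# host to another. Firewall public addresses use documentation ranges.
SITE_KEY = b"twohands-site-key-example"
INNER_PACKET = b"10.1.0.5->10.2.0.9|INVENTORY: 42 units low at warehouse"
HQ_FIREWALL, FACTORY_FIREWALL = "203.0.113.1", "198.51.100.1"

if __name__ == "__main__":
    d = encapsulate(SITE_KEY, HQ_FIREWALL, FACTORY_FIREWALL, INNER_PACKET)
    print("observer sees:", visible_to_observer(d))
    print("factory decodes:", decapsulate(SITE_KEY, d))
    print("with mistyped key:", decapsulate(b"twohands-site-key-exmaple", d))
```

The mistyped-key case is what vulnerability c) describes: nothing is disclosed, but every datagram is dropped until the key is re-entered correctly, so the failure looks like an outage rather than a security event. The `visible_to_observer` result is vulnerability e): the inner addresses and payload are hidden, yet the pairing of the two firewall addresses is not.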

3) Threats

The threats are essentially the same as in stage four, but now more internal corporate information is flowing over the Internet, albeit in encrypted form, so somewhat more information is open to interception. A more significant threat might come from employees of other firms whose systems are now more tightly coupled with TwoHands’ systems. Accidental or malicious acts on their part might trigger incorrect orders or production schedules to be created at TwoHands.

The automatic update of Web-based catalogs requires more communication between the public Web server and internal inventory systems and makes the Web server a more desirable target. Also, since large customers’ needs now generate orders automatically, it is crucial that those systems function correctly.

4) Countermeasures

Additional training in the operation of the encrypting firewalls, particularly in dealing with their cryptographic functions, can be provided to the system administrators at each facility. The encrypting firewall can be configured with strong cryptography, if all corporate sites are in a country that permits its use. International operations in this mode may not be feasible at present unless special export licenses are obtained. By using the same company as its ISP at all sites, TwoHands may be able to negotiate a guarantee of adequate capacity for communication within its network.

5) Risks

First, relying on the Internet for communication and on a single ISP is, at present, riskier than relying on a single phone company. Second, even the strongest cryptography is vulnerable to attack, and long term keys must be carefully protected.

Finally, even though the shared keys in TwoHands’ and customers’ ordering systems adequately authenticate each company and protect the confidentiality and integrity of their communications, a software malfunction of benign or malicious origin can still place incorrect orders or process orders incorrectly.

6) What Happened

Overall the restructured system works well and long distance telephone charges drop considerably. The integration of ordering, inventory, and production systems makes production more efficient. There are some snags, however. The single ISP supporting TwoHands’ VPN has several days of poor service as it upgrades its network. A large customer’s ordering software malfunctions and automatically places a gigantic order that is only intercepted by an alert plant supervisor.

F. Summary: TwoHands Network Security Through the Stages

In stage one, virus checkers and configuration monitors help assure that undesired software is not present; password controls on desktop clients support the accountability and authorization needs. At stage two, outsiders are provided with legitimate access to a corporate system (the Web site), but that site is segregated from the internal systems and is operated as a read-only public site. Stage three introduces the storing of credit card numbers on the ISP-supported Web site, at which point a resource directly accessible to outsiders holds sensitive data. The accountability for securing CGI scripts on the ISP’s server is unclear, and this contributes to the security failure. TwoHands addresses this problem in stage four by removing its dependence on the ISP, but it also introduces a connection between its internal networks and the Internet via a firewall. This makes it easier for employees to download software and in the end causes the company to attempt more stringent configuration control. It also makes the internal corporate networks vulnerable to Internet-based attacks for the first time, though the firewall blocks some attacks and significantly reduces the chance others will succeed. In stage five, additional responsibilities are placed on the administrators of the encrypting firewalls, since failures there may either deny service or disclose corporate data. In addition, the linking of the TwoHands production and inventory systems with those of its customers and suppliers introduces new dependencies, but without clear accountability, and almost leads to a disaster.

IV. NETWORK SECURITY POLICY AND SERVICES

The description of TwoHands’ networks above does not explicitly address security policy, but for any level of network security to be established and maintained, managers and users -- all affected parties -- must clearly understand what assets they need to protect against what threats and to what degree [Land 97]. While it should be easy to establish who owns a particular computer, it can be more difficult to determine who specifically “owns” (and hence is responsible for the security of) a network linking many machines, perhaps among several buildings, within a large company. Unless and until the company makes it clear who is in charge of the network, and who therefore determines what should be connected to it and how it is to be administered, its security will be uncertain. Of course, establishing such a policy is necessary, not sufficient. In any system as dispersed as even a LAN within a single building, there will be opportunities for users to violate policy, either inadvertently or intentionally. Consequently, monitoring of the network connections and behavior will be needed to some greater or lesser extent, depending on the policy, the users, and the environment.

We cannot specify every possible security policy and its implementation, but we can identify the elements of security policies appropriate for networks. From these elements, an institution should be able to construct a security policy to meet its needs. Once the policy is constructed, means for enforcing the policy, which will be administrative as well as technical, must be decided.

The traditional elements of computer security policy aim to preserve the confidentiality, integrity, and availability of data processed or stored by the computer. Network security services, such as those specified in [OSI], concern the delivery of data between sending and receiving nodes. Properties desired may include confidentiality (protection against eavesdropping), integrity (protection against data modification), authentication (assurance that the source of the data is accurately identified to the recipient), guaranteed delivery (assurance to the sender that the data will reach the recipient), and non-repudiation (inability of the sender to disavow data the recipient receives).

Sometimes more specialized policies are needed. For example, a sender may wish to hide from third parties the fact that he is communicating with a certain recipient. While the content of a data packet can be hidden by encrypting it, its source and destination are generally unprotected, so any eavesdropper can observe that information [SGR 97]. Alternatively, a sender may want to provide certain data anonymously in such a way that the recipient can assess the validity of the data without knowing its origin. This requirement arises in some electronic cash schemes, in which a customer may wish to pay as she does at a vending machine, with an anonymous but validatable coin or banknote. At the same time, such schemes may require some degree of traceability, so that large scale money-laundering can be prevented or at least detected [Wayn 96].

Accountability and authorization are two principles to apply when considering how to implement policies such as these. Accountability requires that actions can be traced to individuals. Authorization requires that access to system resources be limited to those individuals or agents explicitly authorized to use them. Authentication and audit mechanisms can be used to support these principles. In some circumstances, as noted above, there may be reasons to provide anonymity rather than accountability; these situations require special attention.

Returning to the TwoHands Corp., we can identify a number of security policy concerns. Customer order information, business records, and new technology under development in the research laboratory might all generate data that should be protected against unauthorized modification or disclosure and that need to be available without too much delay when required. In all stages, employees are trusted not to violate security policy intentionally, but some additional measures are taken to “keep honest people honest.” Also, it is clear in each case who owns and maintains the nodes and links of the networks. TwoHands does not have any special requirements for supporting anonymous functions or for hiding the destinations of its network traffic.

V. INTERNET ARCHITECTURE AND VULNERABILITIES

A. Internet Architecture

To understand where and how information flowing on the Internet can be disclosed, modified, or delayed, it is useful to understand something of its structure.

1) Links

The primary links of the Internet are provided by lines leased from common carriers in countries around the world. In other words, they are part of the public switched telephone networks (PSTNs), although lines used for Internet traffic are usually distinct from those used for voice traffic -- a line leased for Internet use will be dedicated to that purpose. The actual media that carry the traffic are thus as varied as the telephone networks themselves, ranging from copper wire to optical fiber and satellite links. Internet protocols have been used successfully over radio and cellular phone links as well.

2) Nodes

The primary nodes of the Internet are called routers. These are computers programmed to accept and forward packets of data (which today may represent real-time voice or video information as well as numbers or text) across the links. A router will be connected to two or more links. It examines each inbound packet for its destination address and, based on its routing tables, determines over which outbound link the packet should be forwarded.

In addition to the routers, there are host computers, which represent the sources and destinations of the packets that are routed through the network. Additional types of network nodes include gateways and firewalls; both of these can be considered types of routers. Gateways that connect networks using different protocols to the Internet will need to provide protocol translation services and addressing services. Firewalls can filter incoming and outgoing traffic, translate addresses, and more.

Routing tables can be updated dynamically in order to permit the network to adapt both to outages and to new links. Although the original theory behind the Arpanet’s switching scheme was to provide fully decentralized and dynamic routing, the tremendous size to which the Internet has grown has led to somewhat more hierarchical and static routing regimes in practice. Each packet in a series originating from a host attached to a local Internet Service Provider (ISP) and destined for a host attached to an ISP in another country is likely to traverse the same route, and that route is unlikely to include random ISPs in either country. Rather, the packets will be sent from a local ISP “upwards” in the source country to major routers and circuits controlled by the large common carriers, “across” to the major carriers in the destination country, and “down” to the local ISP that connects the destination host.

3) Addressing

Internet Protocol (IP) packets contain both source and destination addresses, and software in the sending node is responsible for providing both of these. The next generation Internet Protocol (Version 6, or IPv6 [BrMa96]) will expand the IP address space substantially, allowing 128 bits for source and destination addresses in contrast with the 32 bits provided by the current IPv4 scheme.

4) Domain Name System

Packets traverse the Internet using numerical addresses, but users and programs usually deal with more mnemonic addresses in the form of Domain Names. The Domain Name System (DNS) provides the infrastructure for translating domain names into IP addresses [RFC-1034, RFC-1035, RFC-2065].

DNS can provide more than a simple translation from an object name to an IP address. The resource records stored for a domain name that corresponds to a host, for example, may indicate what operating system and version number the host is running. Other resource records can designate a host that processes incoming mail for the specified domain, identify a name server for a domain, or map an alias to the real domain name for a host.

The size of the Internet dictates that the DNS database is distributed among many servers (called Name Servers), none of which has a complete copy. A name server knows the parts of the domain tree for which it has complete information; it is said to be an Authority for those parts of the space.

Although DNS is a critical operational part of the Internet infrastructure, it has no strong security mechanisms to assure data integrity or authentication. However, extensions to provide these services to security-aware resolvers or applications through the use of cryptographic digital signatures are under review [RFC-2065]. These mechanisms are also being extended to the proposed dynamic update mechanisms [VTRB 96, East 97].

5) Protocols: IP, ICMP, UDP, and TCP

IP provides an unreliable, connectionless “best effort” delivery service that routes datagrams (packets) towards a specified IP address. IP also includes a protocol for reporting errors, the Internet Control Message Protocol (ICMP); routers use ICMP messages to report delivery failures, misroutings, congestion, and related problems to each other. Both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are layered on top of IP. Application programs can use TCP or UDP to send messages to applications running on remote hosts [Come91].

TCP uses IP services to implement a reliable, connection-oriented transport service. TCP tries to guarantee that messages it receives for transmission are delivered to the correct address uncorrupted, without duplication, and in order. User Datagram Protocol (UDP) uses IP services to provide connectionless datagram service. UDP packets may be lost, duplicated, or delivered out of order.

Both UDP and TCP incorporate the notion of ports to distinguish traffic sent to the same IP address but for different recipients. A port number in both protocols is a 16-bit integer. An application on one machine can send UDP datagrams to different processes (listening to different UDP ports) on a remote machine by addressing the datagrams to different ports. UDP queues traffic for different ports independently. For TCP, the connection is the fundamental abstraction, and a connection is specified by its two endpoints. Each endpoint is a pair of integers (host, port), where host is the host’s IP address and port is a TCP port number on that host. This arrangement permits, for example, a program that accepts incoming mail to use only one local TCP port even though it may be communicating over many connections concurrently. TCP and UDP port numbers are independent, since each message specifies its protocol as well as its destination IP address and port number, and in both protocols certain port numbers are used, by convention, as the addresses for particular services. Such a reserved, and advertised, port number is called a well-known port. The well-known port for e-mail delivery, for example, is TCP port 25; UDP port 53 provides access to the Domain Name Service (as does TCP port 53, but UDP is normally used for initial DNS queries).

A TCP connection is opened with a “three-way handshake”: (1) the initiating host sends a “SYN” segment with its IP address and an arbitrary sequence number N, (2) the destination host replies by sending an acknowledgment and another arbitrary sequence number M, and (3) the initiator completes the protocol by acknowledging the second message. The sequence numbers are used subsequently to order traffic sent over the connection. The “SYN-flooding” attack referred to in Section 3.2 (Stage Two, Risks) represents an abuse of this protocol: the attacker sends repeated SYN segments, possibly from different (forged) IP addresses, but never replies to the acknowledgments returned. This leaves the attacked host with many “half-open” connections, clogging the buffers allocated for this purpose. The continuing bogus requests prevent legitimate open requests from being served.
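The handshake and the half-open table it leaves on the listening host, modelled in code as an added example (not from the paper). The backlog size, the timeout, the addresses and the sequence numbers are constructed assumptions; the model shows why unanswered SYNs starve later legitimate requests and why discarding stale half-open entries restores service.

```python
"""Added example (not from the paper): the listening host's side of the
three-way handshake, including the table of half-open connections that
SYN flooding exhausts.  Addresses, sequence numbers, backlog size and
timeout are constructed assumptions; no packets are sent."""
import random
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int = 4            # half-open entries the host will queue (assumption)
    timeout: float = 75.0       # seconds before a half-open entry is discarded
    half_open: dict = field(default_factory=dict)   # src -> (M, N, time of SYN)
    established: set = field(default_factory=set)
    dropped: int = 0            # SYNs refused because the queue was full

    def reap(self, now):
        """Discard half-open entries whose initiator never completed step 3."""
        stale = [s for s, (_, _, t) in self.half_open.items() if now - t > self.timeout]
        for s in stale:
            del self.half_open[s]
        return len(stale)

    def on_syn(self, src, n, now):
        """Step 1 received: queue the entry and reply with SYN-ACK carrying M."""
        self.reap(now)
        if src in self.half_open:        # retransmitted SYN: repeat the reply
            m = self.half_open[src][0]
            return {"flags": "SYN-ACK", "seq": m, "ack": n + 1}
        if len(self.half_open) >= self.backlog:
            self.dropped += 1            # no buffer left: the SYN is silently dropped
            return None
        m = random.getrandbits(32)       # our own arbitrary sequence number M
        self.half_open[src] = (m, n, now)
        return {"flags": "SYN-ACK", "seq": m, "ack": n + 1}

    def on_ack(self, src, ack, now):
        """Step 3 received: the ACK must acknowledge M+1 for a queued entry."""
        entry = self.half_open.get(src)
        if entry is None or ack != entry[0] + 1:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


def client_handshake(listener, src, now, n=None):
    """A well-behaved initiator: SYN(N), wait for SYN-ACK(M), send ACK(M+1)."""
    n = random.getrandbits(32) if n is None else n
    reply = listener.on_syn(src, n, now)
    if reply is None or reply["ack"] != n + 1:
        return False                      # no SYN-ACK: the request was not served
    return listener.on_ack(src, reply["seq"] + 1, now)


def unanswered_syns(listener, sources, now):
    """SYNs whose senders never answer the SYN-ACK (the forged addresses in
    the text): each one queued occupies a half-open slot until reaped.
    Returns how many were queued; the rest were dropped."""
    return sum(listener.on_syn(src, 1, now) is not None for src in sources)


if __name__ == "__main__":
    host = Listener(backlog=4)
    print("legitimate client:", client_handshake(host, ("198.51.100.7", 4021), now=0.0))
    sources = [("203.0.113.%d" % i, 1000) for i in range(10)]   # constructed addresses
    print("queued without ACK:", unanswered_syns(host, sources, now=1.0),
          "dropped:", host.dropped)
    print("second client during flood:",
          client_handshake(host, ("198.51.100.8", 4022), now=2.0))
    print("reaped after timeout:", host.reap(now=100.0))
    print("second client after reaping:",
          client_handshake(host, ("198.51.100.8", 4022), now=100.0))
```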

Closing connections is slightly more complicated, as there are various contingencies to consider -- for example, there may be segments en route at the time when one of the participants requests that the connection be closed.

In UDP, of course, there are no connections, so there is no protocol to set them up or tear them down.

6) Application Layer Protocols: Telnet, FTP, SMTP, HTTP, SNMP

Most users access the Internet through programs that communicate using application layer protocols. These protocols support the transport of e-mail (SMTP) and files (FTP), the initiation of terminal sessions on remote hosts (Telnet), and the operations of World Wide Web Browsers (HTTP) and many other functions. These protocols may use TCP, UDP, or both to accomplish their functions. Typically, a host that supports a particular service, such as e-mail delivery, will have a process or processes that listen for requests phrased in the appropriate protocol (such as SMTP) over a particular port, as noted above.

B. Vulnerabilities

Any system that is connected to the Internet and uses the Internet to communicate with other systems inherits many well-known vulnerabilities. Some of these arise in the Public Switched Telephone Networks (PSTNs) that carry Internet traffic among routers and hosts. Others come from the routers and hosts themselves. Many have to do with the ways in which people use the Internet and come to rely on it as a means to access both information and processing resources. This section categorizes a number of such vulnerabilities by their location in the architecture.

1) Network

Sniffing. Since computer networks are shared communication channels, data passing over these channels can be intercepted. Such sniffing may be done by special hardware, or by configuring a machine to be in promiscuous mode, to accept all packets independent of their address.

Wardialing. Many networks can be accessed via modem connections, and many such modems are installed outside the control of the system administrator. A common method of identifying such connections is wardialing, in which an attacker programs a computer to connect to a series of telephone numbers (e.g. all numbers starting +1(212)555-). Any answers that are either a modem or a fax machine are logged for further investigation.

2) Protocol

Data Link Layer Security. Address Resolution Protocol (ARP), which is used to translate Ethernet addresses on a LAN to IP addresses, is open to manipulation. For instance, UNIX System V does not check whether received ARP packets are associated with an outstanding request. This could result in malicious responses to ARP requests and unsolicited updates to ARP tables. The most likely effect is denial of service, though “man-in-the-middle” attacks, in which the attacker manipulates addresses so that traffic between two hosts is routed through a compromised machine that masquerades as each host to the other, are also possible.

Network Layer Security. The implementation of IP is generally robust but can be manipulated. Routing is fairly open, which can lead to data not conforming to configured routing. IP packets can be injected directly onto the network, as well. ICMP has no authentication, which could permit manipulation of routing. For example, a malicious user could subvert local routing tables, or ICMP could permit unsolicited address mask reply packets. If an Internet Service Provider broadcasts incorrect routing tables to major backbone providers, it can cause large quantities of traffic to be routed to itself, creating a “black hole” and denying service to large communities for significant periods of time [BVW 97].

Network security can be further compromised by the protocols used to manage the network routers. The Simple Network Management Protocol (SNMP) has poor authentication, and unless the routers are correctly configured, they are vulnerable to malicious reconfiguration.

Transport Layer Security. TCP has a weak mechanism for assuring consistent use of port numbers. UNIX systems assume that only privileged processes initiate connections from ports with numbers less than 1024, but there is no reason to assume that such processes are in fact trustworthy. In addition, TCP checksumming of IP packets is not strong, leading to a potential for forgery, injection of data and tailgating of packets. The randomness of TCP initial sequence numbers varies across UNIX systems, leading to a potential to inject packets into a connection between two users.

IP Origin Forgery. The origin of an IP message can be forged relatively easily. This in itself is not a serious vulnerability. However, as many higher level protocols use the IP origin as a form of identification, it becomes serious. For instance, the r-commands (rlogin, rsh, etc.), which allow unauthenticated access between UNIX systems, use IP source as a primary authentication method.

3) Application

Many of the higher level protocols can be exploited to attack systems connected to the Internet. Many vulnerabilities are well known, such as those in versions of the sendmail system that allow an attacker to gain root privileges quickly. At this point, the attacker can stop audit of his actions, delete any previous audits, install malicious software, read, modify, or delete user applications or data, and then use the current system as a platform for launching an attack on further systems.

Although sendmail may contain the most infamous bugs, many other protocols and software components contain similar bugs and vulnerabilities. Many of these bugs originate from simple coding errors, such as a failure to check array bounds. Indeed, with the applications originating in university environments, and being written primarily with function rather than robustness in mind, it is not surprising that so many protocols and servers are open to attack.

As an example of vulnerabilities in newer protocols, consider the World Wide Web. Web servers provide information in response to requests from Web browsers. If a request exploits a bug in the Web server, the Web server’s security mechanisms may be bypassed.

More importantly, however, the Web encourages the sharing of many different types of information, ranging from plain text to forms of executable content. Some, like Postscript, can alter the behavior of a printer. Others, like Java or ActiveX, may allow access to resources and data on the machine that should be inaccessible. Java programs are precompiled and stored on a Web server. These mini-applications are known as Java applets and are downloaded to a network browser and executed locally. ActiveX is a technology for distributing software over the Internet. The ActiveX analog of a Java applet is called a control. An ActiveX control may be embedded in a Web page where it may be accessed via a network browser.

Java has been explicitly designed to address security issues through various mechanisms that essentially restrict the behavior of applets [McFe 97]. The most important mechanism is that Java programs are interpreted instead of being run in native code. The interpreter, the Java Virtual Machine (JVM), can prevent a program from executing operations that violate the security policy, or it may query the user before allowing such operations. Java itself is a type safe language; this type safety makes programs more robust against certain types of errors, especially pointer manipulation problems. For efficient interpretation, Java programs are compiled to an intermediate bytecode. Arbitrary programs in this bytecode may not satisfy Java’s language safety rules, so bytecode is verified before each execution by the Java Bytecode Verifier.

Although Java’s basic model is secure, each of these levels introduces room for bugs. The security policy may not be specified correctly. The JVM assumes that the bytecode verifier finds certain classes of errors, so bugs in the verifier may admit hostile programs to the JVM. The interpreter itself may not detect every possible attack. Finally, if Java is opened to ease access by Java programs to other parts of the OS (to make access to certain functions more efficient), Java security may be bypassed.

A number of implementation problems have been identified that allow Java applets to execute arbitrary machine instructions, interfere with other applets, and bypass the Java Security Manager.

ActiveX controls are not restricted in any way, so users must trust the software developer. In order to identify the developer, ActiveX controls may be digitally signed. If a browser accesses a control which is not signed, or the certificate is not recognized, then a dialog box is used to warn the user. This behavior is controlled by properties held in the browser. ActiveX controls have been published on the Internet that close down machines, format hard disks, and install viruses. Relying on users to determine which ActiveX controls are safe to use is a dangerous strategy. History teaches that users quickly become bored with “warning” dialog boxes that appear very frequently. Users either stop paying attention to them or find a way to prevent their appearance.

4) Above The Application Layer

Finally, it is worth considering a few kinds of vulnerabilities that occur above the application layer.

System access control and authorization data structures. A general vulnerability in systems connected to the Internet is the system password file. If a system password is compromised, then the system may be wide open to a variety of attacks. Recently, flaws in Windows NT and Windows 95 were reported that permit hostile web pages to unobtrusively extract a user’s password and transmit it to the page’s author, for example [Wayn 97].

Malicious software. A Trojan horse is a program that masquerades as a useful service but exploits rights of the program’s user -- rights not possessed by the author of the Trojan horse -- in a way the user does not intend. A virus can be viewed as a Trojan horse that replicates itself by copying its code into other program files [LBMC94]. Software to detect and remove viruses has established a significant niche for itself in the software market. Malicious software can be a problem at many levels. A virus may take the form of object code that, when executed, copies itself to other executable files, for example, or it may be a set of macro commands for a word processor (e.g., Microsoft Word) that copies itself into all of the document files created by that word processor on the machine where the virus is executed. Malicious software executed on Internet-connected machines has the opportunity to use Internet protocols and facilities to propagate itself or to communicate with its author, for example, by mailing a copy of the password file.

Hidden application features. An application may store much more information in a file than is apparent when the file is opened by that application. It is often impossible to fully review the contents of a computer file, so that sensitive information can be exported from a system inadvertently. Microsoft Word’s frequently used fast save option provides an example. When text is deleted from a document and the document is then saved again, Word does not delete the text: it merely inserts a note not to display the deleted text. The text can be recovered using another program which disregards Word’s instruction to itself.

VI. SECURITY BUILDING BLOCKS

A number of off-the-shelf technology products are available to mitigate the vulnerabilities outlined in the preceding section. These products can be grouped under the following broad headings: encryption, authentication mechanisms, intrusion detection tools, security management tools, and firewalls. Businesses throughout the world are starting to use such methods - judicious combinations of firewalls, encryption and authentication techniques, for example - to create corporate “Intranets” that are both connected to the Internet and reasonably protected from it. They recognize that their networks are not completely protected from the threats posed by connection to the Internet, but believe that on balance the net benefits outweigh the risks.

The Internet itself is an excellent source of information on the topics listed below. Web-based repositories such as [COAST], [NIH], and [Stein] make security-related tools and information easy to access.

1) Encryption: Privacy

How can the confidentiality of data be protected when it moves over public channels? One way is to encrypt the data [Schne 96]. Encryption uses an encryption algorithm and a key to change some input, called plaintext, to some output, called ciphertext. The ciphertext looks like a random string of bits to observers who do not know the appropriate decryption algorithm and key. Two classes of encryption/decryption algorithms exist: symmetric and asymmetric. Symmetric algorithms, like DES (the Digital Encryption Standard), use the same algorithm and key for encryption and decryption. Imagine that Alice and Bob want to communicate privately using DES. They would agree to use a single key K. If Alice wanted to send a message M to Bob, she would encrypt M using the DES algorithm initialized with key K, which produces the ciphertext. For this example, call this ciphertext DES(K,M). To anyone who does not know K, DES(K,M) appears to be a random string. Bob, however, can decrypt the message by applying DES again to the ciphertext using key K. The result, DES(K,DES(K,M)), is the original plaintext, M. Bob can reply to Alice using DES with the same or another key they have agreed to use. Anybody who knows these keys can listen in on Alice and Bob's conversation, so these keys must be kept secret.

Symmetric encryption/decryption algorithms such as DES use an already existing shared secret (the key K) to efficiently share new secrets (the message M). How can Alice and Bob choose a key if they do not already share some secret? This challenge is called the key distribution problem. Until the early 1970s, when public key cryptography [DH], [RSA] was invented, keys were distributed by some other means (for example, a trusted courier).

Public key cryptography is also called asymmetric encryption because different keys are used for encryption and decryption (communicating parties do not share a key). Instead, everyone has two keys: a public key (P), which is published widely, and a private (secret) key S, which the owner keeps secret to himself. In a public key scheme like RSA, if Alice wants to send a private message M to Bob, she looks up Bob's public key (in some trusted directory, for example), P_Bob, and encrypts M, using the public key algorithm RSA, to produce the ciphertext RSA(P_Bob,M). Bob can decrypt this ciphertext by applying RSA again, using his private key, S_Bob. The result, RSA(S_Bob,RSA(P_Bob,M)), is M. Notice that when using RSA, unlike DES, Alice can send Bob a private message without sharing a secret with Bob.

Alice does, however, need a reliable way to find out Bob’s public key. In this context, a digital certificate, or simply certificate, is a data structure that binds Bob’s name and public key, digitally signed (see next section) by a trusted agent, known as a certification authority. Alice may request a certificate for Bob from a certification authority she trusts. If a private key is compromised, the certificate authority can announce this by distributing a certificate revocation list (CRL) to its subscribers. The set of mechanisms for operating a public key cryptosystem, including the maintenance of directories and certificates, is often referred to as a public key infrastructure (PKI).

Asymmetric crypto-systems are computationally expensive to use. It is not practical to encrypt and decrypt long messages using public key cryptography (one source estimates that RSA, the only widely used public key algorithm, is, at its fastest, about 1000 times slower than DES). Therefore, public key cryptography is usually used by two parties to choose a new key that will be used later to encrypt messages using some efficient symmetric crypto-system. The process of key distribution and private communication is shown in Figure 6.

2) Encryption: Authentication

Both symmetric and asymmetric encryption techniques can be used to authenticate data as well. That is, messages can be cryptographically signed in such a way that it proves that only parties that know the key could have signed the message. For example, if only data integrity, and not privacy, is important, a message can be sent as plaintext along with an encrypted hash of the message. A cryptographic hash function, like SHA or MD5, takes an arbitrarily long message and produces a short, fixed-size result called a hash. Even small changes in the long message result in apparently random changes in the output, so it would be virtually impossible for an attacker to replace the message with a different one, since the two messages would have different hashes. Thus, authenticating the hash is nearly as safe as signing the original message, but saves both computation time and communications bandwidth. If symmetric key encryption is used, the encrypted hash is often called a message authentication code, or a MAC. All parties participating in a communications session can produce and verify these MACs.

[Figure 6: (a) Step 1: key distribution. Alice generates a random Session Key and encrypts it using Bob’s Public Key (RSA), and transmits the encrypted Session Key, which Bob decrypts using his Private Key. (b) Step 2: private communication. Alice prepares her plaintext (“To: BOB, From: ALICE, Re: Rogue Agents.”) and encrypts it (DES) using the pre-established Session Key, and transmits the ciphertext, which Bob can decrypt using the same Session Key.]


Public key crypto-systems can be used to identify the sender of a message. The process is like having the sender sign the message and is called a digital signature. RSA can produce digital signatures, as well as do encryption, because the public and private keys are interchangeable. The digital signatures can be used to authenticate the sender.

If Alice wants to package a message M so the recipient can verify that it is from her, she would encrypt M using RSA and her private key, S_Alice. The resulting ciphertext, RSA(S_Alice,M), is a digital signature that could only have been produced by Alice because only she knows her secret key, S_Alice. The signed package would include both M and RSA(S_Alice,M). If Bob wants to verify that M was really written by Alice, he "unsigns" the associated digital signature using Alice's public key, P_Alice. The result, RSA(P_Alice,RSA(S_Alice,M)), is M. If someone else tried to forge Alice's digital signature using some other private key, the unsigned message would not match M. (Since public-key cryptographic operations are computationally expensive, usually Alice would sign only the hash of the message.)
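The DES/RSA narrative of the last two subsections carried through in code, as an added example that is not part of the paper: RSA(S_Bob,RSA(P_Bob,M)) = M, the two steps of Figure 6, a MAC over a plaintext message, and Alice signing the hash of M. Textbook RSA with tiny constructed primes and a SHA-256 keystream stand in for real RSA and DES so the block runs offline with the standard library; nothing in it is secure for actual use.

```python
"""Added example (not from the paper): public-key encryption, Figure 6's
hybrid key distribution, a MAC and hash-then-sign, using toy RSA keys and
a hash-based stand-in for DES.  Educational only; the keys are tiny."""
import hashlib
import hmac
from math import gcd


def make_rsa_keypair(p, q, e=17):
    """Return ((e, n), (d, n)).  Toy primes: n is far too small to be secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)            # private exponent (Python 3.8+)
    return (e, n), (d, n)


def rsa(key, x):
    """RSA(key, x): one modular exponentiation, used with both P and S keys."""
    k, n = key
    assert 0 <= x < n
    return pow(x, k, n)


# Constructed key pairs for the paper's characters (assumed values).
ALICE_PUB, ALICE_PRIV = make_rsa_keypair(47, 71)
BOB_PUB, BOB_PRIV = make_rsa_keypair(61, 53)


def sym_crypt(key, data):
    """Stand-in for DES(K, M): XOR with a SHA-256 keystream (assumption, not
    DES).  Like DES in the text, applying it twice with the same key gives
    back the plaintext: sym_crypt(K, sym_crypt(K, M)) == M."""
    kb = key.to_bytes(4, "big")
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(kb + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def hybrid_encrypt(recipient_pub, session_key, plaintext):
    """Figure 6: (a) wrap the session key with the recipient's public key,
    (b) encrypt the message with the symmetric cipher under that key."""
    wrapped_key = rsa(recipient_pub, session_key)        # RSA(P_Bob, K)
    return wrapped_key, sym_crypt(session_key, plaintext)


def hybrid_decrypt(recipient_priv, wrapped_key, ciphertext):
    session_key = rsa(recipient_priv, wrapped_key)       # RSA(S_Bob, RSA(P_Bob, K)) == K
    return sym_crypt(session_key, ciphertext)


def message_hash(msg, n):
    """Hash of M reduced modulo n (toy only: a real scheme pads the whole
    digest instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    """RSA(S_Alice, hash(M)): sign the hash, as the text notes is usual."""
    return rsa(priv, message_hash(msg, priv[1]))


def verify(pub, msg, sig):
    """'Unsign' with P_Alice and compare against a fresh hash of M."""
    return rsa(pub, sig) == message_hash(msg, pub[1])


def mac(key, msg):
    """Symmetric-key message authentication code (HMAC-SHA-256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_valid(key, msg, tag):
    return hmac.compare_digest(mac(key, msg), tag)


if __name__ == "__main__":
    m = b"Re: Rogue Agents."                 # plaintext from Figure 6
    wrapped, ct = hybrid_encrypt(BOB_PUB, session_key=777, plaintext=m)
    print("ciphertext:", ct.hex())
    print("Bob recovers:", hybrid_decrypt(BOB_PRIV, wrapped, ct))
    sig = sign(ALICE_PRIV, m)
    print("signature verifies:", verify(ALICE_PUB, m, sig))
    print("altered message verifies:", verify(ALICE_PUB, m + b"!", sig))
    k = b"shared-secret-K"                   # constructed shared key
    tag = mac(k, m)
    print("MAC valid:", mac_valid(k, m, tag), "tampered:", mac_valid(k, m + b"!", tag))
```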

3) Encryption: Applications

Encryption [Schne 96] and digital signatures offer solutions to five important security requirements: confidentiality, access control, integrity, data origin authentication, and non-repudiation. Commercial encryption products (and some public domain implementations) are available that provide encryption services at different protocol layers, including the application layer, session layer, and the IP layer. There are also significant efforts underway to standardize access to encryption services by application programs (Crypto Application Program Interfaces, or CAPI), so that a variety of standards-based products can come to market (see [ICE 97] for further information).

Application layer encryption refers to encryption services applied to structured data, where different encryption and authentication procedures may be applied depending on the type of the data. For example, in e-mail, the body of the message may be encrypted for the recipient, and signed by the sender. An application layer encryption system based on public key certificates effectively involves three main components - a User Agent (UA) to which a user is authenticated, a repository of public keys for the potential recipients of encrypted data, and an associated encryption/digital signature capability. The UA acts on behalf of the authenticated user, so any digital signature created by the UA on his behalf can only be as strong as the original authentication between the user and the UA, the integrity of the UA, or the strength of the encryption algorithm. Encryption is performed by the system for specific recipients, which may include the originator. Several standards have been developed for the exchange of encrypted e-mail, including those for Privacy Enhanced Mail (PEM; see [Schn 96] p. 577 ff. for a summary), PGP [Zimm95], and Secure / Multipurpose Internet Mail Extensions (S/MIME), currently documented in Internet Drafts. Subsequently, commercial application level encryption systems such as “Entrust” from Entrust Technologies, Inc. have been developed. In its basic form, the Entrust system includes a Public Key Infrastructure and a tool for encrypting and signing or decrypting and reading signatures. Entrust also includes a toolkit for software vendors to allow them to integrate these capabilities into their products. At present there are already e-mail, e-form and word processing applications which are “Entrust aware”. So far no applications which have been made or are evolving to be “Entrust aware” are real-time applications (e.g. video-conferencing), although there appears to be no fundamental restriction against this use.

Session encryption acts in a similar way to an application encryption system, except that the authenticated entities will be the agents participating in the session. These may be, for example, a web browser and server. All data transmitted between the agents during a session will be encrypted but will be in the clear when presented to the applications. Typical session encryption would not authenticate users but rather applications on hosts. An example of a current session-based system is SSL (Secure Sockets Layer), initially developed by Netscape Communications, Inc., and widely deployed in Web browsers and servers. SSL has two phases: in the first phase, the handshaking phase, the applications (typically a client and server) authenticate each other² and agree on a session key; in the second phase, applications transmit encrypted data using that key. It is typically easier to modify applications to use session encryption than it is to introduce application layer encryption, because session level encryption is basically another type of communications channel. Instead of opening a vanilla TCP connection, an SSL connection is opened. Also, the use of SSL is nearly transparent to the user of a browser because only the server needs a cryptographic certificate, while encrypted e-mail will remain more complex to use until it is more fully integrated into e-mail application programs and until more users have cryptographic certificates.

² In the first versions of SSL, the client authenticated the server, but not vice versa; mutual authentication was subsequently added.

IP layer encryption is used by some commercially available products that permit using the Internet as a substitute for a dedicated private line, although these tend to be relatively expensive and key management may be an issue. A pair of these products, each acting as a gateway between a private network and the Internet, will route all traffic to each other via Internet routers, which will see cleartext IP headers but encrypted payloads. The address of the actual destination system can be hidden in the encrypted payload, so that the Internet routers only see the addresses of the encrypting gateways. Firewalls that provide Virtual Private Networks (VPNs) use essentially this approach. VPNs are useful and they effectively protect communications between sites that are behind the encrypting firewalls; however, generalized web browsing and e-mail delivery to arbitrary Internet hosts are not protected. The Internet Protocol is being extended with a security option, IPSEC (see [RFC-1825, -1826, and -1827], which are under revision at this writing, and [Bell 96] for a description of vulnerabilities), and key distribution mechanisms that will support more flexible use of encryption at the IP layer.

4) Authentication Mechanisms

Passwords remain by far the most common form of user authentication. Users must choose, or be provided, unguessable passwords, and reusable passwords should never be passed over the Internet in the clear. There are both software and hardware technologies supporting one-time passwords [Hall 94]; disclosure of one of these passwords does not compromise the system, because each is accepted only once and the next one cannot be computed from it. Encrypting and integrity-protecting the actual session prevents password sniffing and session hijacking.
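The one-time password scheme of [Hall 94] rests on a hash chain: the client holds a secret seed, the server stores only h^n(seed), and each login presents the preceding link of the chain. The following is an added illustration, not code from the paper or from the S/Key distribution; it substitutes SHA-256 for the MD4 used by S/Key and uses a constructed seed and user name, both assumptions made here so the script runs stand-alone. It shows why a sniffed password is worthless: replaying it fails, and computing the next one from it would require inverting the hash.

```python
import hashlib

def h(x: bytes) -> bytes:
    """One link of the hash chain. S/Key used MD4; SHA-256 here is an assumption."""
    return hashlib.sha256(x).digest()

def chain(seed: bytes, n: int) -> bytes:
    """h applied n times to the seed: h^n(seed)."""
    x = seed
    for _ in range(n):
        x = h(x)
    return x

class OTPServer:
    """Holds, per user, only the counter k and the last accepted value h^k(seed).
    The seed itself never leaves the client, so a stolen server database
    yields no usable password."""
    def __init__(self):
        self.db = {}

    def enroll(self, user: str, n: int, top: bytes) -> None:
        self.db[user] = (n, top)            # top must equal h^n(seed)

    def challenge(self, user: str) -> int:
        k, _ = self.db[user]
        return k - 1                        # "send me h^(k-1)(seed)"

    def verify(self, user: str, candidate: bytes) -> bool:
        k, stored = self.db[user]
        if k <= 1:
            return False                    # chain exhausted; user must re-enroll
        if h(candidate) != stored:
            return False                    # wrong value, or a replay of an older link
        self.db[user] = (k - 1, candidate)  # roll the stored value back one link
        return True

class OTPClient:
    """Recomputes h^k(seed) on demand from the secret seed (a token or a program)."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def respond(self, k: int) -> bytes:
        return chain(self.seed, k)

def run_session(seed: bytes = b"constructed-seed", n: int = 100):
    """Returns (first login accepted, replay of that OTP accepted, next login accepted)."""
    client, server = OTPClient(seed), OTPServer()
    server.enroll("alice", n, chain(seed, n))
    otp = client.respond(server.challenge("alice"))     # h^99(seed) crosses the wire
    first = server.verify("alice", otp)
    replay = server.verify("alice", otp)                # an eavesdropper replays h^99(seed)
    second = server.verify("alice", client.respond(server.challenge("alice")))  # h^98(seed)
    return first, replay, second
```

The server's check is a single hash: the candidate is accepted only if hashing it reproduces the value stored from the previous login. After acceptance the stored value moves one link down the chain, which is what makes the replay fail.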

One widely used authentication system is Kerberos [SNS 88], which is publicly available and can provide reliable authentication over open networks such as the Internet. Kerberos is a secret key authentication system built around a central database that keeps copies of the secret keys of all users and services. It uses DES or other algorithms for encryption and authentication, and allows entities to communicate over networks and to prove their identity to each other while thwarting eavesdropping and replay attacks. It also provides for data stream integrity and secrecy. When a user wishes to access a service, she first authenticates herself to the Key Distribution Center (KDC) and asks for a ticket to communicate with the service. The ticket is readable only by the service; it identifies the user and specifies the session key the user will use when contacting the service. The KDC returns this ticket to the user together with a copy of the embedded session key, encrypted under the user's own key. The user sends the ticket to the service. By using the embedded key, the user and service can authenticate themselves to each other, because each is confident that no one but themselves and the KDC knows the key, and the KDC is trusted. Its dependence on a central database limits the ability of Kerberos to scale to very large user communities, but it has been used effectively in systems with thousands of users. And, of course, Kerberos is not without vulnerabilities, but new releases typically resolve known issues.
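The ticket exchange just described, worked through with both sides' messages, as an added example that is not code from the paper or from any Kerberos implementation. It assumes a toy encrypt-then-MAC construction (SHA-256 keystream plus HMAC) in place of Kerberos' DES, random long-term keys in place of password-derived ones, and constructed principal names; these are illustrative assumptions, not part of the protocol as published. It exercises the three checks a service must make: that the ticket opens under its own key (so the KDC issued it), that the authenticator opens under the session key inside the ticket (so the client holds that key), and that the authenticator has not been seen before (the replay cache).

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption standing in for DES in Kerberos (assumption; not for production).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

LIFETIME = 300  # seconds a ticket, and an authenticator timestamp, remain acceptable

class KDC:
    """Holds every principal's long-term secret key (for users, derived from the password)."""
    def __init__(self, keys: dict):
        self.keys = keys

    def ticket_request(self, client: str, service: str, now: int):
        session_key = os.urandom(32)
        # Ticket: readable only by the service; names the client and carries the session key.
        ticket = seal(self.keys[service], {"client": client, "key": session_key.hex(),
                                           "expires": now + LIFETIME})
        # Reply: the same session key, readable only by the client.
        reply = seal(self.keys[client], {"service": service, "key": session_key.hex()})
        return ticket, reply

class Service:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        t = unseal(self.key, ticket)                    # only we (and the KDC) can open it
        if now > t["expires"]:
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)                   # proves the sender knows the session key
        if a["client"] != t["client"] or abs(now - a["time"]) > LIFETIME:
            raise ValueError("authenticator does not match ticket or is stale")
        if (a["client"], a["time"]) in self.seen:
            raise ValueError("replayed authenticator")  # Kerberos keeps such a replay cache
        self.seen.add((a["client"], a["time"]))
        return seal(sk, {"time": a["time"] + 1})        # mutual auth: we know the key too

def client_login(kdc, svc, client, client_key, service, now):
    ticket, reply = kdc.ticket_request(client, service, now)
    sk = bytes.fromhex(unseal(client_key, reply)["key"])
    authenticator = seal(sk, {"client": client, "time": now})
    return ticket, authenticator, sk, svc.accept(ticket, authenticator, now)

def run_exchange():
    """Returns (service proved it holds the key, replay rejected, forged ticket rejected)."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed principals
    kdc, svc = KDC(keys), Service(keys["fileserver"])
    now = int(time.time())
    ticket, auth, sk, resp = client_login(kdc, svc, "alice", keys["alice"], "fileserver", now)
    mutual_ok = unseal(sk, resp)["time"] == now + 1
    try:                                            # eavesdropper replays ticket + authenticator
        svc.accept(ticket, auth, now + 1)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:                                            # attacker mints a ticket without the service key
        svc.accept(seal(os.urandom(32), {"client": "alice", "key": sk.hex(),
                                         "expires": now + 9}), auth, now)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return mutual_ok, replay_rejected, forged_rejected
```

The authenticator is what distinguishes the legitimate client from someone who merely captured the ticket: the ticket alone can be replayed by anyone, but only a holder of the session key can produce a fresh authenticator, and the service's replay cache rejects a reused one. The service's reply, the client's timestamp plus one under the session key, is what gives the client assurance in the other direction.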

5) Intrusion Detection

Despite the best efforts of the protocol designers, implementers, and system administrators, it is prudent to assume that attacks will occur and some, unfortunately, will succeed. Therefore, it is vitally important that a means to detect and respond to these attacks is installed to protect critical information services. Both commercial and government developed intrusion detection products can detect known attacks and alert administrators.

Current intrusion detection systems are of two types: network based and host based. Network based intrusion detection systems pull each packet as it enters the monitored network and examine a series of them for patterns matching known attack methodologies. When a possible attack is discovered, the administrator is alerted and must take action to prevent further intrusions. These tools are similar to virus checkers, in that, as new attacks are discovered, the tool must be modified to allow the discovery of these potential new attacks. Sample government products available are Network Security Monitor (NSM) and Network Intrusion Detection System (NIDS). Commercial products available are NetRanger, Intruder Alert, CMDS, and others. Tripwire [KiSp 94] is a freely available and widely used UNIX utility that can alert a system administrator to changes in file systems that may signal an intrusion; it is a host-based integrity checker rather than a network monitor, and its baseline database of file signatures must itself be kept where an intruder cannot alter it.

Host based intrusion detection systems are required to be run as background processes on each individual host within the monitored network. These systems detect probes of host ports, password guessing and other known attack methods, which are captured as part of the auditing features (if turned on) of the host. Intrusion detection systems can also build a profile of a host's or user's typical behavior and alert an administrator about unusual activity.

There is some overlap between host based and network based pattern matching capabilities, and running the two in concert will sometimes yield two copies of the same detection alert. These techniques cannot detect all potential attacks and will provide some false alarms; however, they can reduce the risk of undetected intrusions. It is difficult, however, to characterize precisely either the absolute or relative effectiveness of alternative tools.
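The two host-based signatures named above, port probes and password guessing, as detection logic run over constructed audit lines. This is an added example, not the paper's code nor that of any product it names; the log format (a time, a process name, and a message in the style of sshd and TCP wrapper messages), the thresholds, and the addresses are assumptions chosen for the illustration. Each signature is a count over a sliding time window, which is also where the false alarms the paragraph mentions come from: a user who mistypes a password five times in a minute fires the same rule as a guessing program.

```python
import re
from collections import defaultdict, deque

# Constructed host audit lines (not from a real system): HH:MM:SS process[pid]: message
SAMPLE_LOG = """\
10:00:01 sshd[411]: Failed password for alice from 10.0.0.5
10:00:03 sshd[411]: Failed password for alice from 10.0.0.5
10:00:04 sshd[412]: Failed password for root from 10.0.0.5
10:00:06 sshd[413]: Failed password for alice from 10.0.0.5
10:00:07 sshd[414]: Failed password for bob from 10.0.0.5
10:00:09 sshd[415]: Accepted password for alice from 10.0.0.5
10:00:20 tcpd[500]: refused connect from 10.0.0.9 to port 21
10:00:20 tcpd[501]: refused connect from 10.0.0.9 to port 22
10:00:21 tcpd[502]: refused connect from 10.0.0.9 to port 23
10:00:21 tcpd[503]: refused connect from 10.0.0.9 to port 25
10:00:22 tcpd[504]: refused connect from 10.0.0.9 to port 79
10:00:22 tcpd[505]: refused connect from 10.0.0.9 to port 80
10:00:23 tcpd[506]: refused connect from 10.0.0.9 to port 110
10:00:23 tcpd[507]: refused connect from 10.0.0.9 to port 111
10:00:24 tcpd[508]: refused connect from 10.0.0.9 to port 512
10:00:24 tcpd[509]: refused connect from 10.0.0.9 to port 513
10:00:25 tcpd[510]: refused connect from 10.0.0.9 to port 514
10:05:00 sshd[420]: Failed password for carol from 10.0.0.7
10:06:00 tcpd[511]: refused connect from 10.0.0.7 to port 23
"""

FAILED = re.compile(r"^(\d\d):(\d\d):(\d\d) sshd\[\d+\]: Failed password for (\S+) from (\S+)$")
PROBE = re.compile(r"^(\d\d):(\d\d):(\d\d) tcpd\[\d+\]: refused connect from (\S+) to port (\d+)$")

def _secs(hh, mm, ss):
    return int(hh) * 3600 + int(mm) * 60 + int(ss)

def detect(log_text, window=60, fail_threshold=5, scan_threshold=10):
    """Sliding-window signatures. N failed logins from one source within `window`
    seconds is reported as password guessing; M distinct ports refused from one
    source within `window` seconds is reported as a port scan. Alerts are returned
    in the order they fire, one per (kind, source)."""
    fails = defaultdict(deque)      # source -> times of recent failed logins
    probes = defaultdict(deque)     # source -> (time, port) of recent refused connects
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            t, src = _secs(*m.group(1, 2, 3)), m.group(5)
            q = fails[src]
            q.append(t)
            while q and t - q[0] > window:      # drop events older than the window
                q.popleft()
            if len(q) >= fail_threshold and ("password-guessing", src) not in alerts:
                alerts.append(("password-guessing", src))
            continue
        m = PROBE.match(line)
        if m:
            t, src, port = _secs(*m.group(1, 2, 3)), m.group(4), int(m.group(5))
            q = probes[src]
            q.append((t, port))
            while q and t - q[0][0] > window:
                q.popleft()
            if len({p for _, p in q}) >= scan_threshold and ("port-scan", src) not in alerts:
                alerts.append(("port-scan", src))
    return alerts
```

The single failure from 10.0.0.7 and its one refused connection stay below both thresholds and produce nothing, which is the intended behaviour; lowering the thresholds catches slower attackers at the price of more alarms from ordinary users.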

6) Security Management Tools

A number of tools exist that can be used by both attackers and system managers to test the security of a system. Widely available ones include:

SATAN. Security Administrator Tool for Analyzing Networks (SATAN) is a network vulnerability toolkit, using a WWW front-end. In its simplest (and default) mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws, usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser, such as Mosaic, Netscape, or Lynx. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool, including network topology, network services running, and types of hardware and software being used on the network.

However, the real power of SATAN comes into play when it is used in exploratory mode. Based on the initial data collection and a user configurable rule set, it will examine the avenues of trust and dependency and iterate further data collection runs over secondary hosts. This not only allows the users to analyze their own network or hosts, but also to examine the real implications inherent in network trust and services and help them make reasonably educated decisions about the security level of the systems involved. SATAN should prove to be most useful when used by the system or security administrators who own or are responsible for the security of the systems involved.

Internet Security Scanner (ISS) can perform a scan on a host or network, to test for a common set of security flaws and errors in configuration. It is designed to carry out a simple vulnerability test on a network of computers in order to highlight systems that are vulnerable and may be used to gain access to more secure and important systems.

ISS highlights the risks of mixing secure and insecure machines on the same network. All hosts should be secured to the same level as the most tightly secured machine on the network. If a host is easy to penetrate then it will become the weak link in the security chain, and an intruder can use it to exploit the configurations of other hosts. The secure hosts may not be insecurely set up, but if they trust a host that is, then they also become vulnerable.

tiger. The tiger software suite, produced by Texas A&M University, is a set of Bourne shell scripts, C programs and data files that are used to perform a security audit of UNIX systems. It has pre-defined configuration databases for AIX 3.x as well as many other systems.

The tiger suite has one primary goal: report ways in which root can be compromised. While checks are performed for other purposes, most of the checks are directed at this goal. The primary assumption made is that any UID other than 0 can be obtained and that any GID can be obtained by unauthorized persons.

The checks performed extend to cover other means of gaining root access, e.g. cron, inetd and setuid executables. Access through these methods is checked to see if any user, other than root, can alter any of the configuration files associated with these utilities. Specific checks are performed to see if anything in the root executable path can be modified by a normal user. All user accounts will have these checks performed but special attention is paid to the root account.

crack. crack is a dictionary based password guessing tool. To have a more complete understanding of the implications of this kind of attack, a brief description of the UNIX password encoding system is required.

UNIX passwords are not stored in the clear. The password chosen by the user is used as a DES key to encrypt a constant block (all zeros) twenty-five times in succession; a 12-bit salt, chosen at random when the password is set and stored alongside the result, perturbs the DES expansion permutation, so that the same password encoded under different salts yields different results (for details on this, and other aspects of UNIX security, see [GaSp 96]). The result is a 13-character string (two characters of salt followed by eleven characters of encrypted output) from which the original password cannot be deduced; the string is, in effect, a hash of the password. When a user attempts to log in, the computer checks the typed password by encoding it in the same manner with the stored salt and comparing the result against the stored string. If they are identical, the password is accepted. A dictionary attack exploits the fact that this computation is public: anyone holding the stored strings can encode candidate words the same way and compare. The salt does not prevent guessing, but it forces the attacker to repeat the work for each distinct salt rather than encode each word once and compare it against every user's entry.
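The guessing loop that crack performs, and the effect of the salt on it, as an added example rather than code from the paper or from crack itself. It substitutes a salted SHA-256 for the DES-based crypt(3) so the script runs on any Python (an assumption; the structure of the attack is the same), and the password records and word list are constructed here. Candidate words are encoded once per distinct salt, not once per user, which is exactly the optimization the salt was introduced to limit.

```python
import hashlib
import os

def encode(password: str, salt: bytes) -> str:
    """Stand-in for crypt(3): a salted one-way function. Classic UNIX used DES with a
    12-bit salt; SHA-256 over salt||password is an assumption made for portability."""
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()

def make_passwd(users: dict) -> list:
    """Constructed /etc/passwd-style records, user:encoded, each with a fresh random salt."""
    return [f"{u}:{encode(p, os.urandom(2))}" for u, p in users.items()]

def crack(records, wordlist):
    """Try every word under every distinct salt; returns {user: password} for the hits.
    The salt is public, so it does not stop guessing; it only prevents encoding each
    word once and comparing the result against every user at the same time."""
    by_salt = {}                                   # salt -> {encoded string: user}
    for rec in records:
        user, encoded = rec.split(":", 1)
        salt = bytes.fromhex(encoded.split("$")[0])
        by_salt.setdefault(salt, {})[encoded] = user
    found = {}
    for salt, table in by_salt.items():            # one pass over the word list per salt
        for word in wordlist:
            hit = table.get(encode(word, salt))
            if hit:
                found[hit] = word
    return found

WORDLIST = ["password", "letmein", "secret", "dallas", "qwerty"]   # constructed

def demo():
    """Two users chose dictionary words; one did not."""
    records = make_passwd({"alice": "letmein", "bob": "Tr0ub4dor&3", "carol": "dallas"})
    return crack(records, WORDLIST)
```

With the real crypt(3) the only difference is the cost of each encoding, which is why the tool's authors spent their effort on a fast DES; the defence is the same in both cases: passwords that are not in any dictionary, and password files that unprivileged users cannot read.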

snoop. snoop is a promiscuous-mode IP packet sniffer. The present Sun operating system, Solaris, provides to administrators a command, snoop, for the capture and inspection of Ethernet packets. By default it uses both the network interface and the streams buffer modules to capture packets, then displays a single line summary of each packet seen. It can also provide a far more detailed packet description, including information from the Ethernet layer upwards to the top layer. This utility can also be used to monitor certain protocols and to sniff for authentication data, for example the rexec service.


7) Firewalls

A firewall is a system (one or more pieces of hardware and software) that acts as a barrier between two network segments, such as a protected enclave handling sensitive information and the Internet. A firewall can be considered the technical implementation of a security policy. It upholds the security policy of a network when connecting that network to a second network which has a less stringent security policy.

Firewalls are of two general types: packet filters and application gateways. A packet filtering firewall can be implemented on a router that screens packets before forwarding them between ports on the router. Filtering is controlled by a set of rules that make forwarding decisions based on the source and destination addresses in the IP packet, the packet's protocol (and, for TCP and UDP, the source and destination port numbers), and the router port (identifying the physical network) the packet came from. Since all of this information is available in each packet, these decisions do not require the firewall to remember anything about prior traffic, so they are called stateless. Packet filtering firewalls are usually fast and cheap, and they can handle many different protocols. However, implementing a security policy as a set of filtering rules may be complicated, and some information that may be useful (or necessary) in making filtering decisions may not be available in a single packet (e.g., the identity of the source user, or whether an inbound packet is the reply to a connection that an inside host opened). Although stateful packet filters (which keep some record of previous traffic) may be able to extract additional information from a series of IP packets, this may be done more easily via application gateways.
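A stateless rule set beside a stateful one, evaluated over the same constructed packets, as an added example that is not from the paper or from any firewall product. The enclave address range, the rule layout, and the three packets are assumptions made for the illustration. It shows the limitation the paragraph describes: to let web replies back in, a stateless filter has to admit every packet whose source port is 80, so an outsider who sets that source port reaches any inside port; a filter that remembers which connections the inside opened admits only the genuine reply.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str      # router port the packet arrived on: "inside" or "outside"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed protected enclave

def _in(addr, net):
    return net is None or ipaddress.ip_address(addr) in net

# Stateless rule: (iface, proto, src_net, sport, dst_net, dport, action); None is a wildcard.
# Rule 2 is the classic hole: to let web replies back in, a stateless filter must admit
# anything arriving from source port 80, whether or not an inside host asked for it.
STATELESS_RULES = [
    ("inside",  "tcp", INTERNAL, None, None, 80, "allow"),     # outbound HTTP
    ("outside", "tcp", None, 80, INTERNAL, None, "allow"),     # "replies" to it
    (None, None, None, None, None, None, "deny"),              # default deny
]

def stateless_decide(pkt, rules=STATELESS_RULES):
    """First matching rule wins; nothing is remembered between packets."""
    for iface, proto, snet, sport, dnet, dport, action in rules:
        if ((iface is None or pkt.iface == iface) and (proto is None or pkt.proto == proto)
                and _in(pkt.src, snet) and (sport is None or pkt.sport == sport)
                and _in(pkt.dst, dnet) and (dport is None or pkt.dport == dport)):
            return action
    return "deny"

class StatefulFilter:
    """Admits an inbound packet only if it answers a connection the inside opened."""
    def __init__(self):
        self.table = set()   # (inside addr, inside port, outside addr, outside port)

    def decide(self, pkt):
        if (pkt.iface == "inside" and pkt.proto == "tcp"
                and _in(pkt.src, INTERNAL) and pkt.dport == 80):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.iface == "outside" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"
        return "deny"

# Constructed traffic: a web request, its reply, then an outsider using source port 80
# to reach the telnet port of an inside host.
SAMPLE = [
    Packet("inside",  "tcp", "192.168.1.10", 40000, "203.0.113.5", 80),
    Packet("outside", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000),
    Packet("outside", "tcp", "203.0.113.66", 80, "192.168.1.10", 23),
]

def compare(packets=SAMPLE):
    """Returns [(stateless decision, stateful decision), ...] for the packets in order."""
    sf = StatefulFilter()
    return [(stateless_decide(p), sf.decide(p)) for p in packets]
```

A real stateful filter also ages entries out of its table and, for TCP, can use the ACK bit to distinguish replies from connection attempts; neither refinement changes the point of the third packet.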

Application gateways, or proxy firewalls, filter application level data streams instead of IP packets. A client application, instead of making a connection directly to some server, makes a connection to an application specific proxy running on the firewall. Depending on the security policy, the proxy decides whether to make a connection on the client's behalf to the destination server. The proxy may require additional authentication of the client and may filter the connection based on content and context. Since the proxy is application specific, it may be hardened to trap protocol specific attacks (fields that are too long, for example). By hardening the proxy, one may avoid the need to harden individual applications on machines inside the firewall. Also, since connections to the outside always originate from the firewall, a proxy firewall hides the internal structure of the network.

However, proxy firewalls are typically slower and more expensive than packet filtering firewalls. And, not all applications use connection based communication (e.g., audio and video are often broadcast using UDP).

SOCKS [SOCKS] is a proxy package with many extensions. The proxy server can run monitoring, auditing, and intrusion detection systems. SOCKS can authenticate clients using a variety of mechanisms including simple passwords, one-time passwords, and cryptographic challenge response. Just as client applications have to be proxy aware to use a proxy firewall, client applications have to be made SOCKS ready to communicate through a SOCKS server, and code libraries exist for making applications SOCKS ready. Unlike application proxies, the SOCKS server may not filter out application specific attacks, because it does not interpret the protocol data stream.

The security provided by firewalls is sometimes likened to the crunchy outer shell of a candy that is soft and chewy on the inside, in that once the firewall is penetrated (or circumvented) the intruder may find the internal systems easy to manipulate. The implication is that firewalls must not be seen as a panacea that reduces the need to administer the internal systems so that they remain as secure as possible.

VII. SUMMARY AND CONCLUSION

It is impossible to provide a comprehensive treatment of network security in a paper as short as this one must be, and any such treatment that goes into vulnerabilities and countermeasures in technical detail will soon be obsolete. Readers desiring a fuller understanding of both the problems and current solutions should consult the references and (particularly for current information) the Web sites listed.

We have focused on the security implications of attaching private networks to the Internet, but from the enterprise's view, security is a property of the system as a whole, not merely of its parts. If sensitive information is disclosed or modified improperly, or if critical services are denied to the enterprise or its customers, system security has been breached.

Designing a system that provides needed functions at acceptable risk and cost is an art that calls for careful balancing of these factors. Operating such a system calls for continuing vigilance, since, unless a denial of service attack is mounted, an intact, secure system may appear to operate just the same as a penetrated, insecure one. We have enumerated a number of principles that have proven useful in designing and operating systems that meet security requirements, and illustrated them through the account of the TwoHands Corporation's networks.

Connecting an internal network to the Internet increases the functions a system can provide. It can permit flexible communication with a wide range of individuals and enterprises, thereby enabling more convenient and efficient corporate operations. But it can also expose systems to a much wider variety of attacks than they previously faced. Further, systems are complicated, individual services have peculiar characteristics, and combinations are often unpredictable. Nevertheless, careful attention to the system design and operation can in most cases reduce the risks of Internet connection to an acceptable level.

Most network security controls now focus on the perimeter of the network, but the actions of individual users are crucial, too. Training users to behave responsibly is essential. The user's workstation is an extension of the user, and operates under his authority. Eventually, it must be secured as well.

ACKNOWLEDGEMENT

The authors gratefully acknowledge the contributions of the members of Technical Panel 11, Secure Information Systems, of The Technical Cooperation Program to the development of Sections 5 and 6. In particular, thanks are due to Alex Scott of the United Kingdom, Vincent Taylor and Paul Devlin of Canada, Peter Drewer of Australia, and John McLean, Michael Harrison, and Dwayne Allain of the US. Michael Reed of NRL provided helpful review and comment. We also appreciate the comments of the anonymous referees.

REFERENCES

[AUSCERT] Australian Computer Emergency Response Team. http://www.auscert.org.au

[Bell 96] Bellovin, S.M. Problem Areas for the IP Security Protocols. Proc. of the Sixth Usenix UNIX Security Symposium, July, 1996. Available at URL: ftp://ftp.research.att.com/dist/smb/badesp.ps

[Bell 97] Bellovin, S. Network and Internet Security. In The Computer Science and Engineering Handbook, A. B. Tucker, Jr., editor, CRC Press, 1997, Chapter 92, pages 1949-1961, ISBN 0-8493-2909-4.

[BrMa 96] Bradner, Scott, and Allison Mankin, Eds. IPng, Internet Protocol Next Generation. Addison-Wesley, Massachusetts, 1996.

[BVW 97] Barret, R., S. Vonder Haar, and R. Whitestone. Routing Snafu causes Internet Outage. Inter@ctive Week Online, April 25, 1997, 2:55 p.m. PDT. http://www.zdnet.com/intweek

[CA21-96] Computer Emergency Response Team. TCP SYN Flooding and IP Spoofing Attacks. CERT Advisory 96.21, September, 1996: ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

[ChBe 94] Cheswick, W. R. and S. M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Massachusetts, 1994, ISBN 0-201-63357-4.

[CERT] Computer Emergency Response Team. http://www.cert.org

[CGI] CGI-security: http://www.cerf.net/~paulp/cgi-security/

[CIAC] Computer Incident Advisory Capability. http://ciac.llnl.gov/

[COAST] Computer Operations, Audit and Security Technology Homepage. URL: http://www.cs.purdue.edu/coast

[Come 91] Comer, Douglas E. Internetworking with TCP/IP, Vol. I. Prentice-Hall, New Jersey, 1991.

[DH] Diffie, W. and M.E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov. 1976, pp. 644-654.

[East 97] Eastlake, D., 3rd. Secure Domain Name System Dynamic Update. Internet-Draft <draft-ietf-dnssec-update-04.txt>, 4 Feb 1997.

[FeMo 97] Ferbrache, D., and S. Mort. Malicious Software and Hacking. In The Computer Science and Engineering Handbook, A. B. Tucker, Jr., editor, CRC Press, 1997, Chapter 93, pages 1962-1979, ISBN 0-8493-2909-4.

[FIRST] Forum of Incident Response and Security Teams. http://www.first.org/

[FKK 96] Freier, A.O., P. Karlton, and P. Kocher. The SSL Protocol, Version 3.0. Internet Draft, November 18, 1996. <draft-ietf-tls-ssl-version3-00.txt>. Available at URL: http://ds.internic.net/internet-drafts/draft-ietf-tls-ssl-version3-00.txt

[FNC] Federal Networking Council Resolution: Definition of "Internet", Oct. 24, 1995. Available at URL: http://www.fnc.gov/Internet_res.html

[GaSp 96] Garfinkel, S. and E. Spafford. Practical UNIX and Internet Security, Second Edition. O'Reilly & Associates, Inc., 1996, ISBN 1-56592-148-8.


[GrMo 84] Grampp, F. T. and R. H. Morris. UNIX Operating System Security. AT&T Bell Laboratories Technical Journal, 63(8): pp. 1649-1672, October 1984.

[Hall 94] Haller, N. M. The S/Key One-Time Password System. In Proc. Internet Society Symp. on Network and Distributed System Security, San Diego, CA, February 1994.

[ICE 97] International Cryptographic Experiment (ICE) Web page. URL: http://www.tis.com/docsw/research/crypto/ice/index.html#WEBLINKS This web page includes links to a wide variety of information sources on standards for cryptographic application programming interfaces and standard interfaces for security services.

[IETF] Internet Engineering Task Force. http://www.ietf.org/

[KiSp 94] Kim, G.H. and E.H. Spafford. Writing, Supporting, and Evaluating Tripwire: A Publically Available Security Tool. Purdue Technical Report CSD-TR-94-019, Computer Science Department, Purdue University, 12 March 1994. This report and much relevant information is available at the COAST computer security archive, URL: http://www.cs.purdue.edu/coast/

[KPS 95] Kaufman, C., R. Perlman, and M. Speciner. Network Security: Private Communications in a Public World. Prentice-Hall, Englewood Cliffs, NJ, 1995, ISBN 0-13-061466-1.

[Lamp 73] Lampson, B. A Note on the Confinement Problem. Communications of the ACM, Vol. 16, No. 10, 1973.

[Land 97] Landwehr, C.E. Protection (Security) Models and Policy. In The Computer Science and Engineering Handbook, A. B. Tucker, Jr., editor, CRC Press, 1997, Chapter 90, pages 1914-1928, ISBN 0-8493-2909-4.

[LBMC 94] Landwehr, C. E., A.R. Bull, J. P. McDermott, and W. S. Choi. A taxonomy of computer program security flaws. ACM Computing Surveys, Vol. 26, No. 3, (Sept 1994) 211-254.

[McFe 97] McGraw, Gary and Ed Felten. Java Security: Hostile Applets, Holes, and Antidotes. John Wiley & Sons, 1997.

[NIH] http://www.alw.nih.gov/Security/

[OSI] Open Systems Interconnection -- Basic Reference Model -- Part 2: Security Architecture. ISO/IEC 7498-2.

[ReSc 97] Rescorla, E., and A. Schiffman. Secure Hypertext Transport Protocol. Internet Draft, March 1997. <draft-ietf-wts-shttp-04.txt>. Available at URL: http://ds.internic.net/internet-drafts/draft-ietf-wts-shttp-04.txt

[RSA] Rivest, R.L., A. Shamir, and L.M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, v. 21, n. 2, Feb. 1978, pp. 120-126.

[RFC-1034] Mockapetris, P. Domain Names - Concepts and Facilities. RFC 1034, Nov. 1987.

[RFC-1035] Mockapetris, P. Domain Names - Implementation and Specification. RFC 1035, Nov. 1987.

[RFC-1825] Atkinson, R. Security Architecture for the Internet Protocol. RFC 1825, August, 1995.

[RFC-1826] Atkinson, R. IP Authentication Header. RFC 1826, August, 1995.

[RFC-1827] Atkinson, R. IP Encapsulating Security Payload. RFC 1827, August, 1995.

[RFC-2065] Eastlake, D., 3rd, and C. Kaufman. Domain Name System Security Extensions. RFC 2065, Jan., 1997.

[Schn 96] Schneier, B. Applied Cryptography: Protocols, Algorithms and Source Code in C, Second Edition. John Wiley and Sons, 1996, ISBN 0-471-11709-9.

[SKKSSZ 97] Schuba, C.L., I.V. Krsul, M.G. Kuhn, E.H. Spafford, A. Sundaram, D. Zamboni. Analysis of a Denial of Service Attack on TCP. Proc. 1997 IEEE Symp. on Security and Privacy, pp. 208-223. ISBN 0-8186-7828-3.

[SOCKS] http://www.socks.nec.com

[SNS 88] Steiner, J., B. C. Neuman, and J. I. Schiller. Kerberos: An Authentication Service for Open Network Systems. Proceedings of the Winter USENIX Conference, Dallas, Texas, 1988.

[Stein] Stein, L. D. The WWW Security FAQ. URL: http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html

[SGR 97] Syverson, P. F., D.M. Goldschlag, and M.G. Reed. Anonymous Connections and Onion Routing. Proc. 1997 IEEE Symp. on Security and Privacy, pp. 44-54. ISBN 0-8186-7828-3. See also URL: http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/

[VTRB 96] Vixie, P. (Ed.), S. Thomson, Y. Rekhter, J. Bound. Dynamic Updates in the Domain Name System. Internet Draft, <draft-ietf-dnsind-dynDNS-11.txt>

[Wayn 96] Wayner, Peter. Digital Cash: Commerce on the Net. AP Professional, Chestnut Hill, Mass., 1996.

[Wayn 97] Wayner, Peter. Security holes threaten Microsoft game plan. New York Times (CyberTimes section), March 28, 1997.

[W3C] W3C Security Resources. URL: http://www.w3.org/pub/WWW/Security/

[Zimm 95] Zimmerman, Philip R. The Official PGP User's Guide. MIT Press, Cambridge, 1995.

Carl E. Landwehr (member, IEEE) received the B.S. degree from Yale University, New Haven, CT, and the Ph.D. degree from the University of Michigan, Ann Arbor.

He is the Head of the Computer Security section of the Center for High Assurance Computer Systems at the U.S. Naval Research Laboratory, where he has been since 1976. His research interests currently center on practical methods for designing and building systems of computers that can provide high assurance that critical properties will be enforced, and in particular on identifying simple components that can be combined with off-the-shelf systems to support system security. He recently served on a National Research Council panel investigating security and privacy issues in medical information systems, and he serves as an Expert Consultant to the North Atlantic Treaty Organization on computer security. He is an Associate Editor of the High Integrity Systems Journal. He also has been an Associate Editor of the Journal of Computer Security.

Dr. Landwehr is an Associate Editor of IEEE TRANSACTIONS ON SOFTWARE ENGINEERING. He edits Cipher, the electronic newsletter and Web site (http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher) of the IEEE Computer Society's Technical Committee on Security and Privacy. He received the International Federation for Information Processing Silver Core for his work as Founding Chair of its Working Group 11.3 on Database Security. He received the IEEE Computer Society Golden Core for his work on behalf of its Technical Committee on Security and Privacy.

David M. Goldschlag received the Ph.D. degree in computer science from the University of Texas at Austin in 1992.

He conducted computer security research at the U.S. Naval Research Laboratory and the National Security Agency. He currently is with Divx, Herndon, VA, where he works on intellectual property protection. His research interests are in cryptography, security, automated theorem proving, and system design and analysis, particularly on how to structure systems so that critical function is isolated and easy to analyze and implement.

