Internetwork Security Overview
- May 17, 2002
Consider this. You have a house composed only of four walls, a floor and a ceiling. This is a special house with no windows or doors. Let's assume the shell of the house is impenetrable; it is one hundred percent secure. I would agree, there is no point in having a house if you can not enter it and use it as most houses are used. So, you put a door in the shell and some windows, but, being very security conscious, you put a lock on them, and when you go out, you close and lock your windows. However, even though you have a lock on your door it still provides a means of entering the house, and the glass windows also provide a simple means of entry.
Computer systems are very similar. Let's say you have one laptop computer, only you operate it, and very few people know about it or know what you use it for. Assume that it is never connected to a network of any kind and it is with you wherever you go. For the sake of argument, let's say it is one hundred percent secure. Now, common knowledge would suggest that any computer is limited in use if only one person operates it and it does not take advantage of the wealth of resources found on most networks, including the Internet. So, you create users on the computer and connect to the network, but being very security conscious you give the users a username and password, and you take well-known precautions as recommended by the computer system's operating system vendor. Just like our house in the first example, you have created doors to the computer system, and where there is a will there is a way in through that door.
I am not putting forward an argument to rid the computer world of networks and the Internet, nor would I want to remove the doors and windows in my house and fill them with bricks so that neither I nor anyone else could get inside. That said, it is important to note that as soon as you allow users other than the owner of a computer system to utilize what it holds either physically or via the network, you create a security problem. Each time a user is added, a new software program or hardware device is installed, or a configuration change is made, the security professional has to consider what door (secure or insecure) this is creating to the secure domain.
Local Area Networking (LAN) and the connection to other networks allow users to share resources. These resources have grown considerably in size as networks have developed over the years. Common applications of the network such as email, file storage, and printer sharing were simply not possible without linking computers and the required resources together. As the need to communicate effectively with computers rose, so did the need for industry standard protocols, which were not tied to particular vendors and allowed interoperability. To serve this important need, the International Standards Organization (ISO) Open Systems Interconnect (OSI) Seven Layer model was born.
The ISO OSI Seven Layer model is a theoretical high level representation of each of the essential elements of communication between two or more systems. Figure 1.1 shows this relationship, together with typical communications protocols which work at each layer. The Physical layer, layer one, concerns the physical medium and the electrical signals that carry the transmitted data. Access onto a local shared network or point-to-point link is provided by the Data-Link layer, layer two. Layer three is the Network layer. The main functions provided by the Network layer are logical addressing and routing decisions. The Transport layer takes responsibility for the successful delivery of information from source to destination, and whether it's error-free or not. Layer 5, the Session Layer, is responsible for the creation, control, and eventual tear down of a communications session. The Presentation layer provides a matching function to the format each computer is using to represent the information transmitted or received, by employing compression or encryption schemes if necessary. The Application layer, as its name suggests, is associated with user application communication protocols.
Figure 1.1 The ISO OSI Seven Layer model, and associated protocols
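To make the layering in Figure 1.1 concrete, the following added example (not code from the book) builds one frame from the top down, application payload inside UDP inside IPv4 inside Ethernet, and then peels it apart again the way an observer on a shared LAN segment would. The MAC addresses, the 192.0.2.x addresses (a documentation range) and the port numbers are constructed for the example; the header layouts and the IPv4 header checksum are the standard ones.

```python
import socket
import struct

# Constructed sample values for the example; nothing here comes from the book.
SRC_MAC = "00:11:22:33:44:55"
DST_MAC = "66:77:88:99:aa:bb"
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the 16-bit words of the header.
    Over a header whose checksum field is already filled in, a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload, src_port, dst_port):
    """Layer 7 payload -> layer 4 UDP -> layer 3 IPv4 -> layer 2 Ethernet II."""
    # Transport layer: UDP header = source port, destination port, length, checksum (0 = none).
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # Network layer: 20-byte IPv4 header without options; checksum filled in afterwards.
    total_len = 20 + len(udp)
    ver_ihl = (4 << 4) | 5
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                         socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Data-link layer: Ethernet II header = destination MAC, source MAC, EtherType.
    eth = mac_to_bytes(DST_MAC) + mac_to_bytes(SRC_MAC) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def parse_frame(frame):
    """Strip the layers off again and return what each one exposes in the clear."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "data_link": {"src_mac": bytes_to_mac(src_mac), "dst_mac": bytes_to_mac(dst_mac)},
        "network": {"src_ip": socket.inet_ntoa(ip[12:16]),
                    "dst_ip": socket.inet_ntoa(ip[16:20]), "ttl": ip[8]},
        "transport": {"src_port": src_port, "dst_port": dst_port},
        "application": udp[8:udp_len],
    }


if __name__ == "__main__":
    frame = build_frame(b"hello", 40000, 53)
    print(len(frame), "bytes on the wire")
    print(parse_frame(frame))
```

Note that every field, including the payload, is readable by anyone on the segment; the checksum only detects accidental corruption, not deliberate alteration, which is the gap that encryption at a higher layer has to close.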
The openness of this standard and the protocol suits which have emerged (from proprietary to de facto) by definition allow the introduction of new protocols to run side-by-side over the existing protocol infrastructure provided they conform to the requirements of their transport protocol.
The ability to transparently introduce application protocols on a network, and to see the data in transit, are key tools for anyone who wishes to compromise a computer system. The media used in most LANs tend to be shared, so a computer can be added to, or used to tap into, the network to gain this visibility.
Although the Internet originated in the 1960s following the United States Department of Defense Internetwork of military bases, the global Internet of today is placed in the hands of the public domain. No one owns the Internet. Only prevailing standards, globally accepted etiquette, and many large vendors mildly govern the way we communicate. The fact that any data transmitted traverses across many service provider links from source to destination suggests that the opportunities for anyone to visualize, intercept, or alter information are plentiful.
The definition of an intranet is often misunderstood. From a user's perspective, an intranet is very similar to the global Internet. However, instead of the information pertinent to a user's needs being widely distributed and maintained by many different bodies, all of the information pertinent to a company and its users is kept on local servers situated on the corporate LAN. Obviously, this has many advantages, and quickly accessing information (from searching to data retrieval) is one of them. This characteristic of the intranet can be very attractive to the information criminal. If the users in a company require access to this central storage of information throughout their working day and use it as a means of gaining a competitive advantage in the marketplace, it would be catastrophic to the business if this information were either distorted or inaccessible. Furthermore, if the information was copied and then supplied to a rival company, then the competitor could use that same information to balance the competitive advantage. The fact that most intranets hold data in one place, albeit distributed among many servers located logically in the same place, means that the hacker only has to break the security defenses in one area.
Often overlooked is the fact that the corporate intranet can house the source of security attacks. Security hacks can come from the inside just as often as from the outside. This will be discussed later on, as it is a rule not to be dismissed. It is crucial to realize that security breaches can occur under the same roof that houses the data the administrators are trying to protect. When you give a user the privilege to access or manipulate certain information, the user instantly becomes an authorized internal user; something a security device, such as a firewall, will not protect against.
Most users on an intranet tend not to be as security conscious as the security administrator would like. Some users may not realize that it is not a good idea to write down passwords, for example. Dangers often result from the effects of restrictive security policies. For example, a user may have slow access to the Internet through a firewall, and the wish to speed up access may prompt a decision to purchase a modem and connect through the phone network to an Internet Service Provider (ISP). This should not cause too much concern apart from one seemingly minor detail: the computer is connected to the corporate LAN and the Internet at the same time, providing a bridge from the Internet to the now insecure network. This highlights another situation in which a firewall cannot protect your network: when a connection does not pass through it! It is not an easy task in a large user environment to check for incidents such as this; however, it would be better to provide unrestricted access to the Internet so that the user would have no reason to break the security policy.
An extranet is the opposite of an intranet. An extranet is of particular use to a company who wishes to extend its corporate network to its customers. This could be done for many reasons, including efficient electronic communications and customer loyalty. Although communications from email to money transfers can be done using a dedicated link between the two parties, possibly over a Virtual Private Network (VPN), there still remains a series of security risks to both companies.
A private network is often regarded as a link from one site to another, for the sole use of the user. A VPN utilizes a public medium to transmit data from one point to another. The private nature is created through the use of encryption techniques before data is transmitted across the public medium, commonly the Internet. The virtual part is derived from the fact that the network is not strictly private, as others are using the Internet, but the particular connection used allows no other users visibility of communication.
Each of the companies has opened a door for the other to view private information. Suppose one company buys widgets and the other supplies widgets. Although relations could be good between the two companies, if the buying company was to find out that the supplier gives a better price for goods to another customer, it could damage the relationship. The supplying company needs to cordon off the information it will let the buyer see from the information it will not.
Internet security is a means of controlling who accesses what, when, and for what reason. Control is a very important word here. A security system should be deployed with three main types of control in mind. Note that attacks on each of these types of control can come in many different forms.
- Control the reading of data: who will you allow to read your confidential information?
- Control the editing of data: who can add data to your files? Who can delete data from your files?
- Control who can control your control: this may seem strange, but if someone can control what you can read or edit, then they can control someone else or, more importantly, lock you or one of your customers out of a system.
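The three controls above can be modelled directly. The following added example (not code from the book) keeps per-resource permission sets for read, write and control, lets only a controller change other people's permissions, and refuses to remove the last controller so the owner cannot be locked out by accident. The resource name and the principals "alice" and "bob" are constructed for the example; the scenario at the end plays out the third point, a newly appointed controller taking away the owner's access.

```python
from collections import defaultdict

READ, WRITE, CONTROL = "read", "write", "control"


class AccessDenied(Exception):
    pass


class Resource:
    """A piece of information with an access control list: principal -> set of permissions."""

    def __init__(self, name, owner):
        self.name = name
        self.perms = defaultdict(set)
        self.perms[owner].update({READ, WRITE, CONTROL})   # the owner starts with all three

    def check(self, principal, perm):
        return perm in self.perms[principal]

    def controllers(self):
        return {p for p, perms in self.perms.items() if CONTROL in perms}

    def grant(self, actor, target, perm):
        # The third control: only a principal holding CONTROL may change who reads or writes.
        if not self.check(actor, CONTROL):
            raise AccessDenied(f"{actor} may not change permissions on {self.name}")
        self.perms[target].add(perm)

    def revoke(self, actor, target, perm):
        if not self.check(actor, CONTROL):
            raise AccessDenied(f"{actor} may not change permissions on {self.name}")
        # Lock-out guard: never remove the last controller, or nobody could repair the ACL.
        if perm == CONTROL and self.controllers() == {target}:
            raise AccessDenied(f"refusing to remove the last controller of {self.name}")
        self.perms[target].discard(perm)


def attempt(action, *args):
    """Run an access-control operation; True if it was allowed, False if it was denied."""
    try:
        action(*args)
        return True
    except AccessDenied:
        return False


def scenario():
    """Constructed walk-through: a supplier's price list, owned by alice, shared with bob."""
    pricelist = Resource("pricelist", owner="alice")
    results = {}
    results["alice grants bob read"] = attempt(pricelist.grant, "alice", "bob", READ)
    results["bob can read"] = pricelist.check("bob", READ)
    results["bob can write"] = pricelist.check("bob", WRITE)
    results["bob grants himself write"] = attempt(pricelist.grant, "bob", "bob", WRITE)
    results["alice drops her own control"] = attempt(pricelist.revoke, "alice", "alice", CONTROL)
    results["alice makes bob a controller"] = attempt(pricelist.grant, "alice", "bob", CONTROL)
    # From here on bob controls the control: he can lock the owner out.
    results["bob removes alice's control"] = attempt(pricelist.revoke, "bob", "alice", CONTROL)
    results["bob removes alice's read"] = attempt(pricelist.revoke, "bob", "alice", READ)
    results["alice can still read"] = pricelist.check("alice", READ)
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The last three steps are the point: once control over the controls has been handed out, the guard against losing the last controller no longer protects the original owner, so granting CONTROL deserves far more scrutiny than granting READ.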
Global computer communications have been around in one form or another for over forty years. In the minds of some executive IT managers, computer security is a myth, one created by futuristic escapist film writers who picture an adolescent fifteen-year-old, who in a few key strokes, breaks into the United States military headquarters and simulates a nuclear war. Although most say they have a secure computer system, they effectively put a tick in the box and treat it as fait accompli. Very few people actually realize that the information contained in their computer systems is valuable to someone else. As I was writing this book I was forced to face the fact that someone could have accessed my PC and stolen this manuscript! What if they had attempted to publish it as their own? It really makes you think about securing what is important to you. There have been many security breaches over the years involving cases where hackers have broken into military establishments, communications companies have suffered theft from fraud, and government records have been viewed, edited, and sometimes deleted. If you're still not convinced, a search on the Internet will return hundreds of links to hackers' sites where they boast of their "successes."
When the Internet was confined to computer programmers, business attention was scarce and no one really took it seriously. Computer crime over the public Internet was targeted mainly to the military, government and large universities.
In today's Internet, businesses from the one man band to the large corporation see the Internet as a new way to reach customers that for whatever reason they could not reach before. This obviously leads to new targets for the information thief.
From a business perspective, why should a company secure itself against the Internet? The standard answer is, "to stop hackers," although a better answer would be, "to stop hackers from causing unwanted effects!" These include:
- Violating sexual harassment policy
- Organizing industrial espionage
- Spreading viruses
- Sending junk email
- Misinterpretation of information
- Breaching of confidentiality
- Destroying your reputation
- Stealing product licenses
Hackers come in many different flavors, as does the thief that breaks into your house or your life.
There are hackers that hack for fun, looking at new programs or protocols for security flaws. This may seem like harmless fun, and indeed if the security professional wishes to protect the security domain against attack then the search for security holes should be an ongoing task. Similarly, a manufacturer who produces home security products is constantly looking at ways a burglar can bypass an alarm system.
Then there is the hacker who will break into computer systems for financial or commercial gain, just like the thief that steals your car or threatens a bank clerk. Some hackers intrude for the sake of vengeance, for example, if an experienced programmer has been ill treated by a former employer. Their intent may not be to penetrate a security defense, but to deny access to any user of the system. Then there is the hacker who would be considered more socially unacceptable than any other, the one who may wish to break into a computer to gain files from, for example, a child protection register.
Broadly speaking, there are two ways of permitting or denying access to and from computers, connections, and users. One is to deny any and all communication and then specify each combination of computer, connection, and user that is allowed. A second way is to allow any and all communication and then specify each combination of computer, connection, and user that should be denied. There are obvious reasons for each approach to security. The first method is much more secure, because the administrator has the greatest control over what happens. The second method tends to be more user friendly, as it is more open in the way connections are allowed. Even though this method is considered the least secure, it is possible, with careful security device configuration and strict security policy enforcement, for it to be as secure as the first. Again, common sense should prevail. When unsure whether to deny a computer, connection, or user from accessing your system, block first and ask questions later. It is better to be safe than sorry.
Remember, there is no such thing as a secure network. Even though you have deployed firewalls around your network, installed content filtering software, educated and trained your users, there is still a door to your network which can be unlocked. The security professional should be on constant guard, monitoring access for attempted security strikes, as well as the internal users of the system, as they can be the extra pair of eyes when it comes to noticing the real trends in performance. After all, they may have put most of the information there, so they will know if someone has tampered with it.
One area of a prospective employee's resume often overlooked is their credentials which suggest they can be trusted with the power to control access to your company's information. One school of thought would suggest that former hackers may be the best candidates, as they know all of the cracks and possible prevention techniques. However, most employers may decide, for many reasons, that trusting the company's money to a hacker may not be the most sensible thing to do.
The security professional should constantly be assessing the strength of protection offered by the security domain. When I put this forward in security consultations I am often asked what the best overall method is to successfully achieve this. First of all, know your security domain, the security devices, both hardware and software, know their limitations and where holes in your security can develop under certain circumstances. Second, look at your network security as you would your own home. Go outside your house, lock your doors and windows as you would normally, and then look at how a thief would enter, and what could be stolen. Obviously you would not want to perform any destructive testing, as this would defeat the purpose. An example of how you would apply this to the shell of your internetworking security system would be to act as if you were one of the hackers mentioned previously, and try to break your security defenses from the inside and outside. It can sometimes be easier for someone else to "check your spelling" than if you did it yourself, so why not throw down the gauntlet to one of your colleagues to see if he or she can penetrate your security? You may be surprised!
It would be ideal if security defenses were unobtrusive, either in terms of performance or access. However, we do not live in an ideal world, and unfortunately, security devices such as firewalls add extra delays in the overall latency of computer systems and the Internet. Still, companies need to be secure; hopefully we have established that. Yet if this security inhibits communication or the mere presence on the Internet, then its effectiveness suffers dramatically.
There clearly needs to be a balance between security and usability. As mentioned before, users will only tolerate a slow system for so long; after that they will find ways to bypass a security policy, process, or device. Also, in an ever-increasing commercial Internet, customers will only stand for so much security like entering usernames and passwords, before they decide to take their business elsewhere. If your security prevents the use of certain applications, an adamant customer may look to another service supplier.
So, how do we achieve this balance? First, look at what you are trying to protect. Assess what effect the loss, change, or theft of particular information would have on the business. Obviously, if you hold personnel records on a system, you need to protect them; however, if you are holding football results, you might need only a low level of security.
There are many devices and methods for securing a computer system. There are two main types of security protection, technical and non-technical. When the topic of Internet security is raised, people often look to technology first, assuming it must be a complicated task. By far the best way is to start with the things closer to home: users. User training in adhering to security policies and procedures is the most effective way to stop internal access information from reaching the outside. Common practices like writing a username and password on a keyboard should be stamped out. I have seen many examples of passwords on display in a publicly accessible area, where anyone could read one, take a wild guess at the username, and essentially have all the information required to access the system.
Physical security is also often overlooked. Controlling access to the room where the heart of your computer system is located is the first step in physical security, as is the restriction of who can use a user's terminal. When you leave your computer (whether for lunch or a meeting), teach people to log out. Leaving yourself logged on makes accessing your files or the company's files easy. Always make sure any network wiring that is not in use is not connected to the network hub, switch, or routing infrastructure, and any such ports are in an administratively shutdown state.
The more technically involved security techniques can be regarded at the various layers of the OSI model. In each layer, the relevant precautions can be applied to the network you are trying to secure.
Bridges and switches work at the data link or Media Access Control (MAC) layer. Each device on common networks has a unique, manufacturer-assigned address. Filtering a source or destination MAC address will restrict which devices can communicate or pass onto another segment of the same LAN. MAC layer security is often considered administratively time consuming, depending on the environment and whether central resources are addressed by their MAC identity. The best security implementations are done in a layered fashion; the more doors there are to open, the harder the security is to crack, and therefore applying even coarse MAC layer filtering can ease the load on upper layer devices.
The Internet Protocol (IP) is the network layer protocol used on the Internet. Devices such as routers work at this layer. The most widely used routers have an Access Control List (ACL) facility. Each packet that enters the router is subjected to the ACL applied to that particular interface, and is either permitted or denied, depending on how the ACL is configured. Filtering can be done on source, destination, transport, and application protocol, or a combination of these. ACLs are a relatively cost-effective way of providing security between subnets or partitions of an internal internetwork.
So far, the devices we've explored control which device can talk to which resource using which application. The next security check is authentication. We must ask, "Who is using a device to connect to a resource for a particular application?" Many software-based authentication programs are available, including RADIUS and TACACS. A more in-depth discussion of how these authentication schemes work can be found in Chapter 12, "Authentication."
Firewalls have other security functions, which take the effort of security into another dimension: Anti-IP spoofing mechanisms, Network Address Translation (NAT), and Anti-Denial of Service are some examples.
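The two policy styles described earlier (deny everything and list what is allowed, or allow everything and list what is denied), the router ACL that implements them, and the anti-spoofing check just mentioned can all be shown with one small first-match rule evaluator. This is an added example, not code from the book or from any router vendor: the interface names "outside" and "inside", the 10.0.0.0/8 internal range, the 198.51.100.x outside address (a documentation range) and both rule sets are constructed for the example. Beyond the text, it runs the same packets through both styles side by side so the difference is visible on an unanticipated service.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    name: str = ""

    def matches(self, pkt):
        return ((self.iface == "any" or self.iface == pkt.iface)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, pkt, default):
    """First matching rule wins; otherwise the list's default action applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "implicit default"


INTERNAL = "10.0.0.0/8"   # constructed: the corporate address range behind the router

# Anti-spoofing: a packet on the outside interface must never claim an internal source.
ANTI_SPOOF = Rule("deny", iface="outside", src=INTERNAL, name="anti-spoof")

# Style one: deny all, then list what is allowed.
DEFAULT_DENY_ACL = [
    ANTI_SPOOF,
    Rule("permit", iface="outside", dst="10.0.1.5/32", proto="tcp", dport=25, name="mail to relay"),
    Rule("permit", iface="inside", src=INTERNAL, proto="tcp", dport=80, name="web browsing out"),
]

# Style two: allow all, then list what is denied.
DEFAULT_ALLOW_ACL = [
    ANTI_SPOOF,
    Rule("deny", iface="outside", dst=INTERNAL, proto="tcp", dport=23, name="no telnet in"),
]


def compare(pkt):
    """Outcome of the same packet under both policy styles."""
    return {
        "default-deny": evaluate(DEFAULT_DENY_ACL, pkt, "deny"),
        "default-allow": evaluate(DEFAULT_ALLOW_ACL, pkt, "permit"),
    }


if __name__ == "__main__":
    samples = {
        "spoofed internal source": Packet("outside", "10.0.0.7", "10.0.1.5", "tcp", 25),
        "mail from outside": Packet("outside", "198.51.100.9", "10.0.1.5", "tcp", 25),
        "telnet from outside": Packet("outside", "198.51.100.9", "10.0.1.5", "tcp", 23),
        "unanticipated service": Packet("outside", "198.51.100.9", "10.0.1.5", "tcp", 3389),
    }
    for label, pkt in samples.items():
        print(label, compare(pkt))
```

The spoofed packet is dropped by both lists, and the explicitly listed services behave the same either way; the "unanticipated service" is where the styles part company, which is why the text recommends blocking first and asking questions later.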
Figure 1.2 illustrates the increase in security as you move from a user's desktop terminal through the LAN, switch, router, authentication server, and firewall. One important point to note is although theoretically a firewall is the most advanced all-around security device, a security administrator should not rely only on the firewall to guarantee protection against a successful attack.
Figure 1.2 Increase in security through the internetwork device
A firewall has to satisfy many requirements in addition to maintaining security measures. Performance would be the next most important feature. Even in a moderately utilized network, a firewall has to filter, process, and route thousands of packets every second. But in addition to providing a thin defense against attack, some of the less secure devices can also filter network traffic that has no need to hit the firewall. Server advertisements, routing updates, and server keep-alive are examples of packets which are not a threat to security and do not need to pass through the firewall, but hit the firewall all the same. This requires that the firewall process the packet through its rules only to eventually drop the packet, wasting valuable processing power and log space.
There have been many advancements over the past few years in ways of authenticating a user's credentials. The most pioneering advancements have been in biometrics, retinal scanning, and fingerprint identification. These tools are not as widely used as they should be, and cost is certainly a factor that controls this adoption. However, the ability to prove a user's authenticity based on a human's physically unique characteristics is a large step towards a more secure method of access.
To combat the security problem caused by the openness and standardization of internetworks, "security by obscurity" has been a technique adopted by many security system designers. If you deploy a security technique in an unusual way, or add a hardware or software component, the chances of someone finding a hole in your security should be reduced due to the fact that you are not using the system in the usual way. This assumes the unusual component is created and added in a secure way.
To summarize, internetwork security is implemented to control the confidentiality, integrity, and availability of your information by any means. We need to intensify security measures because of the openness of modern day communications. Computer hacks are real threats to security, and there is no such thing as a truly secure system. Your computer system and internetwork must be secure, and reassessment should occur frequently. Security should not be intrusive; if it is, users will find a way around the system for their own ease. Above all, before any security is implemented, remember: common sense rules!