Internetworking: Beyond Connectivity
The demand for wider connectivity and greater bandwidth has been the driving force behind the growth in the Internet infrastructure almost from the beginning. It's nearly inconceivable that the NSFNET backbone was once based on T1 lines, when today cable modems and DSL bring almost that much bandwidth into private homes.
Although there will always be a demand for more bandwidth, it's increasingly clear that simple connectivity is becoming a commodity service. There will also be more demand for providing value-added services on top of Internet connectivity. Therefore, we must look at the state of internetworking beyond the issue of connectivity.
The virtual private network (VPN) is perhaps the first major attempt to make the network more than just an interconnection medium. Security and service quality are essential for the network to satisfy the needs of business communication.
Placing these value-added functions in the end systems is the only choice when the network itself is a simple interconnect. However, this approach has drawbacks: Management of these systems is not scalable, and quality of service (QoS) requirements simply cannot be placed at the end-system aloneall the devices along the traffic path should work together to ensure QoS guarantees.
Increasingly, the trend is to shore up the infrastructure from the inside, adding functionality to provide or support security and service quality in the network. Certainly, better-equipped networks will make the deployment of services such as VPNs easier and more transparent.
As soon as valuable information is stored on computers connected to a network, the information becomes vulnerable to inspection, modification, or deletion by malicious partieshence the need for network security. We can separate network security issues into two broad categories: issues for public networks and issues for private networks.
Public Network Security
To function correctly, the public Internet depends on many systems. Often, these systems comprise servers distributed around the Internet; the servers exchange information with each other to provide a global view of the Internet. Because the services reside in the Internet and the information exchange is done over the Internet, they're subject to the vulnerabilities that VPNs try to guard against. Two systems in particular are critical for the operation of the Internet: the routing system and DNS.
The routing system in the Internet is composed of many routers grouped into management domains called autonomous systems (ASs). To forward packets appropriately, the routers exchange connectivity and other information among themselves. Within an AS, these exchanges are accomplished via interior routing protocols such as RIP (Routing Information Protocol), OSPF (Open Shortest Path First), and IGRP (Interior Gateway Routing Protocol). Routing information exchanges between ASs are handled via exterior gateway protocols such as BGP (Border Gateway Protocol).
It's imperative that the routing information be as accurate as possible so that the routers can forward packets correctly. Routers working from incorrect information will misroute IP packets, causing them to traverse other routers unnecessarily and wasting valuable resources. The integrity of the routing infrastructure relies on all the routers working collectively in a secure and scalable manner. The current Internet routing infrastructure is not secure; efforts such as securing OSPF and BGP are underway.
DNS is a distributed service that maps domain names (such as http://www.yahoo.com) into IP addresses (such as 220.127.116.11). DNS is organized in a hierarchical structure, with its root servers administered by ICANN (the Internet Corporation for Assigned Names and Numbers). The dynamic nature of domain names means that mappings between the domain names and IP addresses are constantly changing and must be updated often. Clearly, both DNS system-update messages and records inside the DNS servers should be secured against attacks. This is especially necessary for the top-level DNS root servers. DNS protocol extensions have been defined to authenticate the data in DNS and provide key distribution services (RFC 2065), and DNS dynamic update operations have also been defined that use digital signatures to secure updates and restrict updates to those authorized to perform them (RFC 2137).
Private Network Security
The security concerns of public networks also exist in private networks. However, because private networks often fall within a single administrative authority, it's usually easier to exert control over private network infrastructures. Consequently, the security issues surrounding private networks mostly have to do with preventing unauthorized access while facilitating authorized access to private data. The four basic VPN technologiestunneling, authentication, access control, and data integrity and confidentialityare essential to private network security, whether or not they're used to build a VPN.
A security attack can be mounted to gain unauthorized access to private data or to prevent legitimate access to data (both private and public). In the first type, the attacker intrudes into the private network. Intrusion-detection systems (IDSs) are used to identify these situations.
The latter type of attack is the denial-of-service (DoS) attack. Although DoS attacks can be launched against both private and public networks, it's more difficult to disrupt the entire public network infrastructure; it's much easier to attack a smaller private network, which may contain single points of failure.
There are several ways to guard against a DoS attack. Redundant connectivity over geographically diverse routes adds reliability to the network. Firewalls drop packets from suspicious addresses and ports. Looking for certain attack signatures can also help detect and, hopefully, thwart the attack. Content-smart switches that can analyze application behavior can also be used.
Compromised hosts not only leave data vulnerable, but can be used to perform a distributed DoS attack. In this attack, compromised computers become launching pads for other DoS attacks. Extensive logging can help detect such attacks, but not until some time after the fact.