Chapter 1 - Introduction to Internet Security

Anyone responsible for the security of a trusted network will be concerned when connecting it to an untrusted network. In the case of connections to the Internet this concern may be based largely on anecdotal evidence gleaned from widespread media coverage of security breaches. A closer inspection of the facts and statistics behind some of the media coverage will, however, only serve to deepen that concern. For example, the US National Computer Security Agency (NCSA) asserts that most attacks to computer systems go undetected and unreported, citing attacks made against 9000 Department of Defence computers by the US Defence Information Systems Agency (DISA). These attacks had an 88 per cent success rate and went undetected by more than 95 per cent of the target organisations. Only 5 per cent of the 5 per cent that detected an attack, a mere 22 sites, reacted to it [Cobb95].

It is noteworthy that these sites belong to the US Department of Defence (DoD) and were not commercial sites, which may give security less priority than the DoD.

NCSA also quote the FBI as reporting that in more than 80 percent of FBI investigated computer crimes, unauthorised access was gained through the Internet [Cobb95].

Putting a value on the damage done by such attacks is difficult but a 1995 survey conducted by Ernst & Young, a New York based accounting firm, reported that one third of businesses connected to the Internet reported up to 100 000 USD in financial loss over a two year period due to malicious acts by computer users outside the firm. A little more than two percent of connected companies reported losses of more than 1M USD [McGa95].

There is amazement in the computer security industry at the level of ignorance of the problem. Understanding the risks often involves a steep learning curve, and the risks have few real parallels in everyday life; for example, nobody worries that a burglar will be able to trick their front door into opening by posting cryptic messages through the letterbox. When there is a good "hacker" story to report the press goes into a frenzy, but the general level of awareness is still surprisingly low. For example, the Sunday Times, which prides itself on providing accurate coverage of IT issues, recently published an article that claimed that most businesses worry too much about Internet security. The article goes on to explain that encryption is all that is needed to be completely secure. The article focuses purely on privacy of communication and completely misses the possibility of an attack originating from the Internet [Bray96].

Despite fears about security, organisations are increasingly coming to regard a presence on the Internet as an important part of their strategic planning. Security concerns will not be allowed to prevent organisations from exploiting the commercial opportunities the Internet is perceived to offer. As a result organisations have to find ways to manage the security issue. This ties growth in the Internet security market directly to growth in the Internet. The compound annual growth rate (CAGR) of the Internet firewall market between 1995 and 2000 is projected to be 174% [IDC96] driven by rapid growth of both the Internet (see table 1), and Intranets [Nadi96]. The most significant trend driving this growth is the rapid and aggressive deployment of World Wide Web servers for both Internet and Intranet use. Unit shipments of web server software are expected to grow from 127 000 units in 1995 to just more than 5 million units in 2000 [IDC96]. Although the IT industry has traditionally enjoyed rapid development this level of growth is unprecedented.

It is difficult to separate figures for the European or UK firewall markets from the world wide statistics quoted in the literature. 1996 may see similar levels of activity in Europe and the UK to those seen in the USA in 1995(1). A 1995 survey of government agencies and Fortune 500 companies conducted by the Computer Security Institute [CSI95b] found that while 78% of respondents used the Internet, 39% did not have a firewall. Similarly 40% of the audience at a February 1996 NCSA conference devoted to firewalls and Internet security did not have a firewall [Book96].

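| Date   | Hosts (000s) | Domains (000s) | Class A networks | Class B networks | Class C networks |
|--------|--------------|----------------|------------------|------------------|------------------|
| Jan 93 | 1313         | 21             | 54               | 3206             | 4998             |
| Apr 93 | 1486         | 22             | 58               | 3409             | 6255             |
| Jul 93 | 1776         | 26             | 67               | 3728             | 9972             |
| Oct 93 | 2056         | 28             | 69               | 3849             | 12615            |
| Jan 94 | 2217         | 30             | 74               | 4043             | 16422            |
| Jul 94 | 3212         | 46             | 89               | 4493             | 20628            |
| Oct 94 | 3864         | 56             | 93               | 4831             | 32098            |
| Jan 95 | 4852         | 71             | 91               | 4979             | 34340            |
| Jul 95 | 6642         | 120            | 91               | 5390             | 56057            |
| Jan 96 | 9472         | 240            | 92               | 5655             | 87924            |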

Table 1 : Growth of the Internet

Source : Network Wizards Internet Domain Survey, January 1996, available from HTTP://www.nw.com/

Given that approximately 40% of the Fortune 500 companies using the Internet have still to install a firewall and that the Internet continues to double annually, it is little surprise that the security auditing business is booming [Book96]. Organisations are finding that they do not have the in-house skills or knowledge necessary to assess either the current situation or the potential risks, and are wrestling with what level of security they require. The rest of this chapter investigates what is meant by the term Internet security - often the starting point when an organisation calls in an external consultant [Hews96].

What is Internet Security?

The hardware, software and information that constitute computer systems are increasingly mission-critical. Protecting them can be as important as protecting other valuable resources, such as money, buildings, or employees. The purpose of computer security is to protect computer resources through the selection and application of appropriate safeguards.

Internet security protects computer resources against the risks and threats that arise as a result of a connection to the Internet.

Computer security supports the organisation's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

A networked computer system may not be constrained to a single organisation(2). In an inter-organisational system, computer security benefits each organisation. Electronic commerce by definition is inter-organisational and effective security is essential to its success(3). Security on the buyer's system also benefits the seller as the buyer's system is less likely to be used for fraud, or otherwise negatively affect the seller, and vice-versa.

If a system has external users then its owners have a responsibility [NIST95] to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure. In addition to sharing information about security, organisation managers "should act in a timely, co-ordinated manner to prevent and to respond to breaches of security" [NIST95] to help prevent damage to others.

Computers and the environments they operate in are extremely dynamic. Changes in the system or the environment can create new vulnerabilities and it is almost inevitable that a system's users and operators will discover new ways to intentionally or unintentionally bypass or subvert security. It is therefore necessary to reassess the security of computer systems regularly to provide effective computer security.

Providing effective computer security requires a comprehensive approach that considers a variety of areas both within and outside of the computer security field and that extends throughout the entire information life cycle.

There are three general areas of concern when a trusted network is attached to an untrusted network:-

  1. that inappropriate material will deliberately, or inadvertently, be passed to and from the untrusted network;
  2. that unauthorised users will be able to gain access to the trusted network from the untrusted network;
  3. that the operations of the trusted network may be disrupted as a result of attack from the untrusted network.

The computer and network security measures that are taken by an organisation are intended to minimise the potential for these to occur by means of the four fundamental components that make up computer network security :-

  1. Identification and Authentication
  2. Access Control
  3. Integrity
  4. Confidentiality

Identification and Authentication

The first component of computer security is authentication, or ensuring that users and computers are who they claim to be by establishing proof of identity. This is usually accomplished based on one, or a combination, of something you are (a biometric, e.g. a characteristic such as a voice pattern, handwriting or a fingerprint), something you know (a secret, e.g. a password, Personal Identification Number (PIN), or cryptographic key) or something you have (a token, e.g. a credit card or a smart card).

For example, acquaintances can authenticate your identity (to a point) based on your physical features(4). Banks authenticate you based on something you have, such as your credit card, and something you know, often your mother's maiden name. One-time passwords, or passwords that can only be used once and then expire, are generally based on something you have. Examples of this type of authentication are the one-time pads(5) used by the intelligence services during the second world war.

The lack of strong authentication has inhibited the development of electronic commerce. It is still necessary for contracts, legal documents and official letters to be produced on paper. Strong authentication is, then, a key requirement if the Internet is to be used for electronic commerce [Ranu95e]. Strong authentication is generally based on modern equivalents of the one-time pad. For example, tokens are used in place of one-time pads and are stored on smart cards or disks, or in some cases the authenticating computer will generate a challenge which the user enters into a small device similar to a calculator to generate the correct response.

Authentication is an important part of everyday life. Letters are printed on headed paper and signed by the author. Digital signatures fulfil a similar requirement, although they are much more trustworthy as they are based on mathematical encryption algorithms and attest to the contents of a message as well as its author. Digital signatures are based on public key, or asymmetric, encryption. The concept of public key encryption was introduced in 1976 by Whitfield Diffie and Martin Hellman [Diff76] in order to solve the key management problem that exists with secret key or symmetric encryption(6). Asymmetric cryptography uses key pairs; one key in the key pair is called the public key and the other is called the private key. Either key can be used to encrypt the message, but once encrypted only the other key in the pair can be used to decrypt it. It is immediately apparent that two scenarios are possible, one where the private key is used to encrypt the message and hence the public key is used to decrypt it, and vice-versa. By encrypting the message using the receiver's public key, the sender is assured that only the receiver can decrypt it, which keeps the message confidential. To digitally sign a message the sender passes the message through a hashing algorithm(7) to produce the message digest, which he then encrypts with his private key. The output is called a digital signature and is attached to, and sent with, the message. In order to verify the signature the receiver also passes the message through the same hashing algorithm to re-create the message digest, and then decrypts the sender's digital signature using the sender's public key. If the message did not originate from the sender, or if its contents were altered, then the two digests will not match.

Under normal circumstances the private key is kept secret by the individual, but the public key is distributed as required. There is no need for the sender and receiver to share a secret key, however, asymmetric encryption key management still requires public keys to be distributed in an authenticated or trustworthy manner.

One means of achieving this is to use a certification authority. The main attribute of a certification authority is that it is trusted by a group of users to create certificates on their behalf [Chad94]. The certification authority verifies a user's public key by digitally signing it. This creates a certified public key, referred to as a certificate(8). The certification authority's digital signature attests that the public key is valid, and guarantees that it cannot be altered in any way.
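The sign-and-verify procedure and the certificate check described above can be traced end to end in a short program. This is an added example, not code from the original chapter: it uses unpadded "textbook" RSA with fixed Mersenne-prime moduli so that the arithmetic is visible and reproducible (real systems use randomly generated keys and a padding scheme), SHA-256 stands in for the digests named in the text, and the key names, certificate layout and sample message are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_keypair(exp_p, exp_q):
    """Toy RSA key pair from the Mersenne primes 2**exp_p - 1 and 2**exp_q - 1.
    Chosen so the example is reproducible; such moduli are NOT secure."""
    p, q = 2**exp_p - 1, 2**exp_q - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, E), (n, d)               # (public key, private key)

def message_digest(data: bytes) -> int:
    # SHA-256 is an assumption here; the chapter names MD2, MD4, MD5 and SHA.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private_key):
    """Sender: hash the message, then transform the digest with the private key."""
    n, d = private_key
    return pow(message_digest(data), d, n)

def verify(data, signature, public_key):
    """Receiver: recompute the digest and compare it with the decrypted signature."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data)

def certificate_body(name, public_key):
    # Hypothetical encoding of the fields the certification authority signs.
    n, e = public_key
    return f"{name}|{n:x}|{e:x}".encode()

def issue_certificate(name, public_key, ca_private):
    """Certification authority: sign the user's name and public key."""
    return {"name": name, "public_key": public_key,
            "ca_signature": sign(certificate_body(name, public_key), ca_private)}

def check_signed_message(message, signature, cert, ca_public):
    """Trust the sender's key only if the CA signature over it verifies,
    then check the message signature with that key."""
    body = certificate_body(cert["name"], cert["public_key"])
    if not verify(body, cert["ca_signature"], ca_public):
        return "certificate rejected"
    if not verify(message, signature, cert["public_key"]):
        return "signature rejected"
    return "accepted"

# Constructed keys: a certification authority, a sender, and an unrelated key.
CA_PUBLIC, CA_PRIVATE = make_keypair(1279, 2203)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(521, 607)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(127, 521)

def demo():
    message = b"Pay the supplier 100 USD"          # constructed sample message
    signature = sign(message, ALICE_PRIVATE)
    cert = issue_certificate("alice", ALICE_PUBLIC, CA_PRIVATE)
    # A certificate whose public key was replaced after the CA signed it.
    swapped = dict(cert, public_key=OTHER_PUBLIC)
    return {
        "genuine": check_signed_message(message, signature, cert, CA_PUBLIC),
        "altered message": check_signed_message(
            b"Pay the supplier 900 USD", signature, cert, CA_PUBLIC),
        "substituted key": check_signed_message(
            message, sign(message, OTHER_PRIVATE), swapped, CA_PUBLIC),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The third case shows why the certificate check comes first: a message signed with a different key verifies against that key, so only the authority's signature over the name and key ties the signature to the claimed sender.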

One such certification authority is VeriSign Incorporated, who began issuing key pairs and certificates in late April 1996 [Clar96] and have trademarked the term "Digital ID". Security aware applications are required to make use of certificates, and secure e-mail tools and browsers for the World Wide Web are now becoming available. When the certificate details have been installed in the client software (i.e. browser) they are automatically provided along with the client's requests, allowing the server to authenticate you.

Identification and Authentication is a critical building block of computer security since it is the basis for most types of access control and for establishing user accountability.

Access Control

Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls).

Access control often requires that the system be able to identify and differentiate users. For example, access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties. User accountability requires the linking of activities on a computer system to specific individuals and, therefore, requires the system to identify users.

Access controls provide a technical means of controlling what information users can utilise, the programs they can run, and the modifications they can make.

Computer-based access controls are called logical access controls [NIST95]. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into applications programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages. Logical access controls may be implemented internally to the computer system being protected or may be implemented in external devices.

Logical access controls can help to protect :-

The concept of access modes is fundamental to access control. Common access modes, which can be used in both operating systems and applications, include the following :-

· Read

In deciding whether to permit someone to use a system resource logical access controls examine whether the user is authorised for the type of access requested based on access criteria such as :-

· Time

Identity - It is probably fair to say that the majority of access controls are based upon the identity of the user (either human or process), which is usually established through identification and authentication.

Roles - Access to information may also be controlled by the job assignment or function (i.e., the role) of the user who is seeking access. Examples of roles include data entry clerk, purchase officer, project leader and programmer. Access rights are grouped by role name, and the use of resources is restricted to individuals authorised to assume the associated role. An individual may be authorised for more than one role, but may be required to act in only a single role at a time. Changing roles may require logging out and then in again, or entering a role-changing command. The use of roles can be a very effective means of providing access control.

Location - Access to particular system resources may also be based upon physical or logical location; for example, users can be restricted based upon network addresses (e.g., users from sites within a given organisation may be permitted greater access than those from outside).

Time - Time-of-day or day-of-week restrictions are common limitations on access. For example, use of confidential personnel files may be allowed only during normal working hours and denied at all other times.

Transaction - Another approach to access control can be used by organisations handling transactions (e.g., account inquiries). Phone calls may first be answered by a computer that requests that callers key in their account number and perhaps a PIN. Some routine transactions can then be made directly, but more complex ones may require human intervention. In such cases, the computer, which already knows the account number, can grant a clerk, for example, access to a particular account for the duration of the transaction. When completed, the access authorisation is terminated. This means that users have no choice in which accounts they have access to, which can reduce the potential for mischief. It also prevents users from casually browsing through accounts thereby improving confidentiality.

Service Constraints - Service constraints refer to those restrictions that depend upon the parameters that may arise during use of the application or that are pre-established by the resource owner/manager. For example, a particular software package may only be licensed by the organisation for five users at a time. Access would be denied for a sixth user, even if the user were otherwise authorised to use the application. Access may also be selectively permitted based on the type of service requested. For example, users of computers on a network may be permitted to exchange electronic mail but may not be allowed to log in to each others' computers.

External Access Controls - External access controls are a means of controlling interactions between the system and outside people, systems, and services. External access controls use a wide variety of methods, often including firewalls as will be discussed in later chapters.
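The access criteria listed above can be combined into a single decision function that denies a request unless every applicable criterion passes. This is an added example, not part of the original chapter; the users, roles, resources, address range, working hours and licence limit are constructed policy data.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy data; none of these names or values come from the chapter.
USER_ROLES = {"alice": {"data entry clerk", "purchase officer"},
              "bob": {"data entry clerk"}}
ROLE_RIGHTS = {  # role -> resource -> permitted access modes
    "data entry clerk": {"orders": {"read", "write"}},
    "purchase officer": {"orders": {"read"}, "personnel files": {"read"}},
}
INTERNAL_NET = ip_network("192.0.2.0/24")  # stands in for the organisation's network
WORKING_HOURS = range(9, 17)               # 09:00-16:59, Monday to Friday
RESTRICTED = {"personnel files"}           # resources with location and time criteria
SEAT_LIMIT = {"orders": 5}                 # licensed concurrent users per resource

@dataclass
class Request:
    user: str
    role: str        # the single role the user is currently acting in
    resource: str
    mode: str        # access mode requested, e.g. "read"
    source: str      # network address the request comes from
    when: datetime

def decide(req, seats_in_use):
    """Return (allowed, reason); access is refused unless every check passes."""
    # Identity: the authenticated user must be authorised to assume the role.
    if req.role not in USER_ROLES.get(req.user, set()):
        return False, "identity: user may not assume this role"
    # Role: the requested access mode must be granted to that role.
    if req.mode not in ROLE_RIGHTS.get(req.role, {}).get(req.resource, set()):
        return False, "role: access mode not granted"
    if req.resource in RESTRICTED:
        # Location: only addresses inside the organisation.
        if ip_address(req.source) not in INTERNAL_NET:
            return False, "location: outside the organisation's network"
        # Time: weekdays during normal working hours only.
        if req.when.weekday() >= 5 or req.when.hour not in WORKING_HOURS:
            return False, "time: outside normal working hours"
    # Service constraint: refuse the user who would exceed the licence.
    limit = SEAT_LIMIT.get(req.resource)
    if limit is not None and seats_in_use.get(req.resource, 0) >= limit:
        return False, "service constraint: licence limit reached"
    return True, "permitted"

if __name__ == "__main__":
    monday = datetime(1996, 3, 4, 10, 0)    # constructed sample requests
    saturday = datetime(1996, 3, 9, 10, 0)
    samples = [
        Request("alice", "purchase officer", "personnel files", "read", "192.0.2.10", monday),
        Request("alice", "purchase officer", "personnel files", "read", "203.0.113.5", monday),
        Request("alice", "purchase officer", "personnel files", "read", "192.0.2.10", saturday),
        Request("bob", "purchase officer", "personnel files", "read", "192.0.2.11", monday),
        Request("bob", "data entry clerk", "orders", "write", "192.0.2.11", monday),
    ]
    for sample in samples:
        print(sample.user, sample.resource, decide(sample, {"orders": 5}))
```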

Integrity

Integrity is the degree to which something is free from corruption, i.e. whether or not something has been damaged, altered, added or removed. In addition to improving authentication, digital signatures also improve the level of confidence in the integrity of a message as discussed earlier in this chapter.

Integrity does not apply only to messages however. The integrity of files and applications is also very important. One of the most common means of gaining unauthorised access to a computer system is to install altered copies of operating system programs that provide access to the intruder when they are executed(9). It is important therefore that the integrity of operating system components can be verified. Attackers themselves understand this well, as is illustrated by [Shim95], which describes how an attacker who was being monitored began, immediately upon discovering that one of his back door programs had been removed, to compare copies of other files he had replaced with the originals that he had stored elsewhere.

The integrity of anti-virus software should also be verified regularly. Most packages on the market perform a self-verification of their integrity. The problem with this is that rogue software would presumably not be designed to point out that it differed from the original. In cases such as this verification of integrity should be independent in order to be trustworthy.

In some cases the integrity of data files is also often assumed to be verified by the application software. Whilst the application software will generally notify the user of damage or corruption to the file it will not generally report that Company A has been removed from a list of companies tendering for a major contract for example. Again integrity needs to be verified independently.

Both message digests and digital signatures can attest to the integrity of files in all of these cases. The point is that in order to be trusted independent verification is required.

Confidentiality

Confidentiality is the degree to which the privacy or secrecy of something can be trusted. The confidentiality of most paper based communication is entrusted to envelopes. Most messages transmitted over the Internet cannot claim even this level of confidentiality, being more akin to postcards. The lack of privacy (or confidentiality) on the Internet applies equally to files transferred over it, and information moving to and from World Wide Web clients and servers.

E-mail, File Transfer and World Wide Web applications accounted for approximately half of the bytes transferred on the Internet backbone in 1994(10) [MERI94]. Regardless of what the data was, the vast majority of this traffic was transmitted without any regard for its confidentiality.

Initiatives to correct this state of affairs have been underway for some time and are likely to come to fruition in 1996, for example, Web Browsers that are able to use certificates and therefore make use of the Privacy Enhanced Mail (PEM) standard and Secure Multipurpose Internet Mail Extensions (S/MIME) standards. These will be discussed in more detail in chapter 2.

The first step in protecting a computer or network of computers is to establish a security policy that addresses each of the components of computer security that have been described above. In the case of computer networks such a policy is generally referred to as a Network Security Policy.

Network Security Policy

The Network Security Policy identifies the threats against which protection is required, and defines the required level of protection. The Network Security Policy will itself contain several different policies, for example a Network Service Access Policy and System Specific Policies.

The Network Security Policy will be based on a security strategy such as Least Privilege, Defence In Depth, Choke Point, Weakest Link, Fail Safe Stance etc. These and other strategies are discussed in chapter 4. The role of the security strategy can be illustrated with a small example :

Strategy 1 : Everything is forbidden unless explicitly permitted.

Strategy 2 : Everything is permitted unless explicitly forbidden.(11)

Implementations of both of these strategies can be found in organisations. They adopt philosophically opposing views of how to implement security.

Some understanding of the services available on the Internet, and the risks these present, is required before an effective network security policy can be developed.

The next chapter introduces the Internet protocols and services. Chapter 3 then introduces computer security risks and attacks, and chapter 4 addresses network security policy. Once a security strategy and policy have been decided a means of implementing them is required. The generic term "Firewall" is increasingly being used to describe the combination of hardware, software and management activities that are used to effect the network security policy. The theory and architecture of firewalls is presented in chapter 5.

(1) There are some barriers to this however. As the Internet facilitates the trend towards increasing globalisation, issues such as export restrictions of, for example, cryptography technology, are presenting interesting problems for governments on both sides of the Atlantic. The size of the North American market tends to generate a critical mass for de-facto standards that are often based on technology that is subject to export restrictions in the USA. European governments are concerned about issues of national security that would arise from their reliance on foreign owned and developed security technology.

(2) [Ches94] identified joint ventures and mergers as posing particular problems in terms of computer security as security itself is generally constrained to a single organisation.

(3) In the same way that preventing the forgery of bank notes is essential to the success of commerce based on paper money.

(4) A slightly macabre example is when friends or family have to identify (i.e. authenticate) a corpse.

(5) A one-time pad, sometimes called the Vernam cipher [Vern26], is said to offer perfect secrecy as it is based on an entirely random string of bits that is the same length as the plaintext message. The plaintext message and the string of random bits are combined using a bitwise exclusive-or operation to produce the ciphertext. Because the string of bits is entirely random, an opponent with infinite computational resources can only guess the plaintext if he sees the ciphertext.

Key management issues render the one-time pad impractical, since the secret key can only be used once and is as long as the message itself. The one-time pad did see use in the second world war however, over diplomatic channels that required exceptionally high security.

Analysis of the one-time pad is one of the cornerstones of modern cryptography [Shan49].

For more information about one-time pads (including a picture of one captured from the Russians by MI5) see [Ranu95b].

(6) Symmetric encryption is based on both the sender and receiver of the encrypted message knowing and using the same secret key. Unless the two parties are together and alone the possibility exists that whilst they try to agree upon a secret key a third party will discover it. The generation, storage and transmission of keys is called key management and is something that affects all cryptography systems. Because all keys in symmetric cryptography must remain secret the key management problem is particularly difficult.

(7) A hash function H is a mathematical transformation that takes the variable sized input m and returns a fixed-size string, which is called the hash value h (i.e. h = H(m)). Examples of well known hash functions are MD2 (Message Digest 2), MD4, MD5, SHA (Secure Hash Algorithm). As hash functions are generally faster than asymmetric encryption algorithms, the digital signature of a document is typically computed by computing the digital signature of its hash value, which is small (128 bits for MD5) compared to the document itself. It is not feasible for anyone to either find a message with a given hash value or to find two messages that have the same value as there are 2^n possibilities, where n is the number of bits in the hash value (128 bits for MD5). If either were possible it would be possible to attach a false message to a sender's signature.

Because hash functions are one-way functions, i.e. the function cannot be reversed, a document's hash value (also called its digest) can be made public without revealing the contents of the document itself. This is important in digital timestamping where, by using hash functions, one can have a document timestamped without revealing its contents to the timestamping service.

(8) The most widely accepted format for certificates is defined by the CCITT X.509 international standard [CCIT88]. Further refinements are found in the PKCS set of standards and the PEM standard (RFCs 1421-1424).

(9) Such a means of access to a computer system is often referred to as a "back door" to the system.

(10) NSFNET performance statistics have been collected, processed, stored, and reported by the Merit Network since 1988, in the early stages of the NSFNET project. During December 1994, the numbers contained in Merit's statistical reports began to decrease, as NSFNET traffic began to migrate to the new NSF network architecture. In the new architecture, traffic is exchanged at interconnection points called NAPs (Network Access Points.) Each NAP provides a neutral interconnection point for U.S.-based and international network service providers. On April 30, 1995, the NSFNET Backbone Service successfully made the transition to the new network architecture. Although the reports are inclusive through to the end of the NSFNET service, the November 1994 reports were the last to reflect the nature of the NSFNET backbone traffic in its entirety.

(11) [Wack95] argues that strategy 1 is much harder to implement than strategy 2. Whilst this is true of routers and packet filters it is not necessarily true of application gateways. Furthermore, dual-homed hosts intrinsically deny everything unless it is permitted.