Communications and Network Security - Communications Security - Computer Security Basics, 2nd Edition (2011)

Part III. Communications Security

Chapter 8. Communications and Network Security

The cost of maintaining secure communications links can be great. In a time when remote access to the corporate IT infrastructure is critical, imagine the expense of securing the link to every traveling salesperson or home-based telecommuter. Encryption is an obvious answer, but as we saw in the previous chapter, to provide encryption and do it right is burdensome. Further, the Internet is a hostile environment for the security conscious. Crackers and other attackers seek to co-opt communications both to eavesdrop and to steal.

And the problem is coming home. In the “always on” mode that tends to follow broadband communications such as DSL and cable modems, attackers can attempt to acquire sensitive data, steal identities, and take over hardware by planting malicious code, all while the computer owner is sleeping.

Still, the Internet is such an effective way to put the people of an organization near where the action is and where the customers are, that rolling back to an earlier era seems unlikely. If we are to effectively leverage the Internet, there must be a way to use it without becoming a victim to those who seek to misuse it. Bad guys will attempt to intercept our communications, or worse.

The modern approach to network security, particularly for remote access, but also for point-to-point links, is called the Virtual Private Network. It is “private” because while it appears to travel over the same wide area network as other traffic, its internal encryption mechanisms serve to keep the transmitted data safe from prying eyes. It is “virtual” because there is no need to invest in the infrastructure of buildings, wires, cable plant, and technical services, other than the nominal (by comparison) fee charged by the service provider. More VPN information is available in the section “Through the Tunnel.”

Whether you work on a lone laptop or a clustered supercomputer, you undoubtedly need access to a network and to the Internet. Networks let you share information (such as messages and files), as well as resources (such as printers and other remote computers). This type of communication is vital to most organizations. Information that can’t be shared in a timely fashion among users—in different parts of an office, a country, or the world—may rapidly lose its value. But sharing information over communications lines creates increased dangers of interception. From a computer security point of view, networks are the most vulnerable component of a system configuration. The number of possible users, the ease of access from remote, and sometimes anonymous, locations, and the opportunity for error introduced by the global complexity of the Internet, all contribute to this vulnerability. For this reason, computer and network security have increased steadily in their importance to individuals, commercial users, and to government and military organizations.

What Makes Communication Secure?

Communications security protects information while it is being transmitted over unsecured networks, meaning any network that you do not fully control, whether it is owned by you or by a service provider. Secure communication enforces the security principles introduced in earlier chapters.

Secrecy or confidentiality

Secure communication keeps information from being transmitted to anyone not authorized to receive it. Secrecy means that intruders can’t tap into communications lines and that messages will go to their intended recipients without being viewed by others. In highly secure systems, secrecy might also mean that information can’t be passed, either deliberately or because of delivery errors, to systems or networks not cleared to process that level of information.

Accuracy or integrity

Secure communication keeps information from being lost, changed, or repeated during transmission. The information is delivered exactly as sent.

Authenticity

Secure communication keeps users on either side of a transmission from being able to forge a message.

Nonrepudiation

Secure communication means that a receiver is certain that the message sender is who it is expected to be. It also means that a message sender will be unable to later deny having sent a given message. Note that a secret shared between sender and receiver cannot provide this by itself, since either party could have produced the message; nonrepudiation requires something only the sender holds, such as the private key of a digital signature (see Chapter 7).

Availability

Secure communication keeps the network working efficiently. Availability is a particularly important concept for networks, where even a minor slowdown in service can have a reverberating effect on an entire network. “Denial of service,” described later in this chapter, is a particularly virulent problem for network security. Think of availability as having to do with robustness, and the ability to resist attacks which could slow down or compromise the communications process.

How can you make a communication secure? Here are the main approaches:

Keep the communication from being intercepted

Protect your communications equipment (so an intruder can’t attack a network switch or any other equipment), and choose the most secure communications medium (so an intruder can’t tap the line).

Encrypt the data you’re sending

If you’re concerned primarily about protecting the secrecy of a communication, encryption (described in Chapter 7) is an excellent solution, regardless of whether the medium and the equipment are physically secure. Certain encryption techniques can also ensure the accuracy and authenticity of a communication. A powerful method of automatically encrypting data during communications is the Virtual Private Network. Using VPNs, workers at home can have secure access to the same resources they would be able to access at the corporate site. VPNs are also used for corporate site-to-site (point-to-point) links.

Control access to your systems and to your networks

Proper authentication of users helps ensure that only authorized users can enter the network and that, once in, they can access only approved resources. Configure your network for security. For complete protection from the outside, set up an air gap (sometimes called an airwall): no external connections, no floppy drives, no USB memory sticks. Just the computers on your network, nothing more. To protect your own trusted local area network without completely cutting off communication to the outside world, set up a gateway computer, commonly called a firewall, to isolate your local users. A firewall examines each transmission and decides, according to a list of rules, whether its source or destination Internet address (and, in practice, its protocol and port) is one you have chosen to admit or to block; anything the rules do not explicitly permit should be dropped by default.

Within the security perimeter of a local network, users may be able to communicate freely

It is possible that an eavesdropping attack could take place within the secured area. An intrusion detection system (IDS) can monitor the internal traffic and look for packets that seem malicious or are sourced from known trouble spots.

APPROPRIATE TECHNOLOGY

I’ll discuss some of the most important methods for message security in this chapter, but there are other approaches as well. Consider one of the methods used to protect radio communications in the Pacific during World War II, as reported by David Kahn in The Codebreakers (Scribner). The Marines protected against eavesdroppers by having native Navahos on either side of the communication speak to each other in their own language. Because so few people speak Navaho, and because Navaho is an extremely difficult language to learn, particularly as an adult, there was virtually no chance that communications between “codetalkers” could be understood or counterfeited by the enemy. As with operating-system security, you’ll have to decide on the best method, or combination of methods, for your own equipment, environment, and assessment of the importance of your information.

Communications Vulnerabilities

There are many points of vulnerability when information is being communicated.

The media itself (e.g., the telephone line, the cabling, or the radio transmission) may be vulnerable. Different types of media vary significantly in how easy they are to tap. Simple cordless telephones can be intercepted very easily, and conventional telephone taps are both easy and inexpensive to implement. Cellular phones vary in complexity. Coaxial cable is somewhat more difficult to tap. Fiber-optic cable is probably the most secure medium. The IEEE 802.11 family of wireless standards (Wi-Fi) has gone through several iterations of security in order to keep it safe from prying eyes; the original WEP scheme was broken within a few years of its introduction, and in the eyes of some the effort has still not succeeded. The 802.11i amendment (the basis of WPA2) addresses security directly. (See the section “Network Media” later in this chapter.)

Communications equipment (e.g., switching systems, routers, signaling equipment, or testing equipment) is another point of vulnerability. The nodes where communications lines meet are very vulnerable to attack. It’s extremely important to keep unauthorized people away from all communications equipment, starting with card-key access to the premises and continuing on through putting a lock on every telecommunications room door. Damage to a switching system can have a disastrous effect on a network. Communications equipment is also vulnerable to environmental failures and natural disasters (e.g., power problems) and to error (e.g., noise on the line).

Telephone and network connections are very vulnerable to attack. It’s often easier to break into a system over a network than it is onsite. Physical controls obviously aren’t effective against remote access. Using telephone and network connections, an attacker can spend a lot more time trying to break into a system remotely than would be possible onsite—and can usually stay anonymous as well.

Communications Threats

There are a number of special terms commonly used to describe communications threats.

Masquerade

Occurs when someone (an imposter) pretends to be an authorized user.

Playback or replay

Occurs when someone records a legitimate message (perhaps a funds transfer), and later sends it again.

Repudiation

Occurs when someone denies that she sent or received a message.

Denial of service

Occurs when someone or something dominates system resources, stopping or slowing down system or network performance.

Distributed denial of service

A coordinated denial of service attack that originates from many sources at once.

Denial of service is a problem for operating systems as well as networks. If someone shuts off power, fills up a storage device or disk, or creates more processes than the system can support, no one will be able to get any work done. If server resources aren’t available on an equitable basis, some users will be very unhappy. One example of a network denial of service attack is message flooding, in which someone sends so many requests (perhaps meaningless messages) to a system that the system’s resources are overloaded, and the system may crash as a result.
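The message flooding described above leaves a recognizable trace in connection logs: one source generating far more requests per unit time than any legitimate client. The following is an added example written for this chapter, not code from the book; the log format (epoch seconds, source address, event) and the sample lines are constructed, and the window and threshold values are assumptions to be tuned per site.

```python
"""Added example: flagging message-flooding sources from connection logs using
a per-source sliding window. Illustrative code for this chapter, not from the
book; the log format and sample lines are constructed."""
from collections import defaultdict, deque

# Constructed log lines in the assumed format "<epoch seconds> <source ip> <event>".
# 198.51.100.9 sends six connects in four seconds; 10.0.0.5 behaves normally.
SAMPLE_LOG = """\
1700000000 10.0.0.5 connect
1700000000 198.51.100.9 connect
1700000001 10.0.0.5 connect
1700000001 198.51.100.9 connect
1700000001 198.51.100.9 connect
1700000002 198.51.100.9 connect
1700000002 198.51.100.9 connect
1700000003 198.51.100.9 connect
1700000010 10.0.0.5 connect
1700000040 198.51.100.9 connect
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, event)."""
    ts, src, event = line.split()
    return int(ts), src, event


def find_flooders(log_text, window=10, threshold=5):
    """Return {source: timestamp_first_flagged} for every source that produced
    at least `threshold` events within any `window`-second span.

    Each source keeps a deque of its recent timestamps; entries older than the
    window are evicted from the left as time advances, so memory per source is
    bounded by the threshold rather than by the size of the log."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _event = parse_line(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    print(find_flooders(SAMPLE_LOG))   # {'198.51.100.9': 1700000002}
```

Per-source counting is exactly what a distributed denial of service defeats: a thousand sources each sending a handful of requests stay under any per-source threshold while their sum exhausts the server. Detecting that case means also watching the aggregate rate, and mitigating it usually means filtering upstream of the victim rather than on it.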

Communications interceptions, or taps, are another special network concern. There are two basic types of taps:

Passive taps

Threaten the secrecy of the information that’s being transmitted. Taps of this kind usually involve wiretapping or radio interception of transmitted data. Through electronic eavesdropping or monitoring, the intruder intercepts the information but doesn’t attempt to modify it. It’s very easy to tap telephone lines and lines connecting terminals, especially in telecommunications rooms where connections are plentiful, and splice points abound. A single splice, or an induction loop around a terminal wire, can successfully intercept many different types of communications.

Active taps

Threaten the authenticity of the information that’s being transmitted. Active taps usually involve breaking into a communications line and deliberately modifying information. In addition to tampering directly with the contents of the information, the intruder might threaten the transmission by tampering with its routing or authenticity—by changing the apparent origin of a message, by rerouting it to another destination, by replaying a previous message (to create a false message), or by falsifying an acknowledgment of a genuine message.
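The threats listed above (masquerade, replay, and the modification and replay performed by an active tap) are countered at the message level with the same small set of fields: an authentication tag over the whole message, a sequence number the receiver refuses to see twice, and a timestamp that bounds how long a captured message stays usable. The following is an added example written for this chapter, not code from the book; it assumes a secret already shared out of band between the two parties, and the key and the funds-transfer messages are constructed for the demonstration.

```python
"""Added example: detecting forgery, modification and replay of messages with an
HMAC tag, a per-sender sequence number and a timestamp. Illustrative code for
this chapter, not from the book; the shared key is an assumption."""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"example-shared-key-not-for-production"   # assumed pre-shared secret


def _canonical(payload):
    # Both sides must MAC identical bytes, so serialize deterministically.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_message(sender, seq, body, key=SHARED_KEY, now=None):
    """Sender side: attach sequence number and timestamp, then tag everything."""
    ts = int(now if now is not None else time.time())
    payload = {"from": sender, "seq": seq, "ts": ts, "body": body}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verify the tag first, then reject stale or replayed messages."""

    def __init__(self, key=SHARED_KEY, max_skew=300):
        self.key = key
        self.max_skew = max_skew   # seconds of clock difference tolerated
        self.last_seq = {}         # sender -> highest sequence number accepted

    def accept(self, msg, now=None):
        """Return (accepted, reason)."""
        now = now if now is not None else time.time()
        payload = msg["payload"]
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison so a tapper cannot time the check byte by byte.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag: forged or modified in transit"
        if abs(now - payload["ts"]) > self.max_skew:
            return False, "stale timestamp: possible delayed replay"
        sender = payload["from"]
        if payload["seq"] <= self.last_seq.get(sender, 0):
            return False, "sequence number reused: replay"
        self.last_seq[sender] = payload["seq"]
        return True, "accepted"


def demo():
    """Constructed scenario: a transfer, its verbatim replay, an edited copy,
    and a genuine message held back for an hour by an active tap."""
    t0 = 1_700_000_000
    rx = Receiver()
    original = build_message("alice", 1, "transfer 100 to bob", now=t0)
    results = [rx.accept(original, now=t0)[1]]
    results.append(rx.accept(original, now=t0 + 5)[1])        # replayed unchanged
    edited = build_message("alice", 2, "transfer 100 to bob", now=t0)
    edited["payload"]["body"] = "transfer 100 to mallory"    # body changed after tagging
    results.append(rx.accept(edited, now=t0)[1])
    delayed = build_message("alice", 3, "transfer 100 to bob", now=t0)
    results.append(rx.accept(delayed, now=t0 + 3600)[1])     # delivered an hour late
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two caveats worth stating. The tag is computed with a key both sides hold, so it gives integrity and authenticity but not nonrepudiation: the receiver could have produced the same message, and proving to a third party who sent it needs a signature. And the sequence check only works if the receiver’s `last_seq` state survives restarts; a receiver that forgets it accepts every old message again.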

Modems

The simplest type of communication involves a single user communicating with a computer via a modem. A modem (short for modulator/demodulator) is a device that lets you connect to a computer from a terminal using an ordinary telephone line. Your computer can also use a modem to communicate with another computer. Many point-of-sale terminals, credit-card scanners, and automatic teller machines (ATMs) work using modems, which convert digital bits to tones that can be transmitted over the telephone line. Using a modem is efficient because the technology is low cost and the Public Switched Telephone Network is readily accessible. Modems introduce security risks because they allow anyone to call your computer or modem-connected device. Attackers can track down your computer by dialing endless numbers using software that operates automatically (a technique known as war dialing), trying every number in turn until it finds one that answers with a modem’s characteristic noise. Once connected, the intruder still needs to crack your login defenses, but connecting to the computer is the first step.

In most modern configurations in which modems are used, remote access servers (RAS) handle most security chores. These servers, which authenticate callers through protocols such as TACACS, RADIUS, and Diameter, employ techniques such as automatic callback: a user dials into the remote access server to notify it that the user wishes to connect, and then hangs up. The server then calls the user back at the number stored in the user’s profile, not at a number supplied by the caller. This improves security, because a stolen password alone is no longer enough to get in; it also makes the telephone connect charges the responsibility of the server end, where bulk calling rates are more likely to apply. Once the RAS authenticates the caller, the user can execute network transactions according to whatever privileges have been stored in the user’s security profile.

In most parts of the world, modem access is being replaced by wireless access or by some form of broadband access. With a broadband system, the security procedures employed resemble network security in general. This is because most high-speed access networks use the same protocols as local area networks, such as TCP/IP. An authentication server may still be employed to handle the chore of verifying users’ identities—and keeping visitors isolated until it is certain they are supposed to be present.

HINTS FOR MODEM SECURITY

§ Be sure unauthorized users can’t easily get access to your telephone and modem.

§ Don’t publicize your computer’s telephone number.

§ Don’t put call forwarding on your telephone line if you have a callback modem on your computer. Call forwarding can let someone who’s learned a password forward the call from the authorized terminal to his own (unauthorized) terminal.

§ Be sure your modem works properly with the systems you’re accessing. For example, make sure the modem hangs up the telephone when you log out. Make sure the modem hangs up the telephone, and the system logs you out if you get disconnected. Otherwise, someone else might get access to your account—either accidentally or deliberately.

Networks

This section defines the most important terms you’ll encounter when reading about networks, and it provides a brief history of where networks came from. Because the goal of this chapter is to summarize a number of network issues relevant to security, not to provide a comprehensive description of networking as such, we’re only touching on the major networking topics, without trying to be too rigorous or complete. There are a number of good books describing network concepts in much greater detail.

Network Terms

A network is a data communications system that allows a number of systems and devices to communicate with each other. Networks allow users to send and receive messages, and to access network services such as shared information and devices. A message is a generic name for a single unit of communication that’s transmitted over a network. A message might actually be an electronic mail message, a file, a document, an image, or any other integral piece of information.

A PC or other system that is capable of processing information can be called a network node. A computer system that is accessed by a user working from a remote location is called a host, while the device by which a user connects to the host is called a terminal or remote terminal. In modern practice, most terminals are actually PCs that are running terminal emulation software. A PC that is connected to a network may thus be called either a host or a node, depending on the context. Generally speaking, a host is a PC or server, while a node is more of a generic term for any device or appliance that connects to the network, PCs and servers included.

At a very low level of message communication and routing, we can discuss network communications in two categories: connection-oriented and connectionless.

Connection-oriented communications are often compared to telephone communications. With a telephone call, you pick up the telephone, dial the number, establish that the person you want to talk to is there, carry on your conversation, say goodbye, and hang up. For the duration of your conversation, a dedicated connection called a circuit is established between you and the person you’re talking to. No other conversations take place on the circuit until your conversation is complete, and you give up the circuit. In network terms, you establish a session, an environment in which you can send and receive messages. Think of setting up a session as the equivalent of establishing eye contact with someone you wish to communicate with before speaking. The two sides of the communication typically agree upon, or negotiate, the characteristics of the communication. With connection-oriented communications, the order of your messages is clear and predictable. The first sentence of your telephone conversation is immediately followed by the second. Connection-oriented communications are said to be reliable. Reliable means the network guarantees that it will deliver your data. It detects and reports any data that’s missing, duplicated, or out of order. Note that this reliability is an engineering property, not a security one: the sequence numbers and checksums that provide it catch accidental loss and reordering, not deliberate tampering by an active tap, which requires the cryptographic integrity mechanisms of Chapter 7.

In contrast, connectionless communications are often compared to U.S. mail communications. You compose a letter, write an address on the envelope, and put the letter in a mailbox. You don’t need to establish that the person you’re writing is available at the other end. Eventually, the letter will be left at its destination, and the recipient will open, read, and possibly respond to it. With this type of communication, the order of delivery can’t be predicted. Two letters, placed in the same mailbox on the same day may be delivered on two different days. Even if they arrive together, there’s no way to control which the recipient will open first. Connectionless communications are said to be unreliable. Unreliable means the network does not guarantee that it will deliver your data. There’s no sure way of telling whether a message has been delivered, or whether data is missing, duplicated, or out of order. Typically, network software deals with the problem of unreliable communications by simply retransmitting a communication if it doesn’t receive an acknowledgment after a certain amount of time.

Many networks use packet-switching technologies. With packet-switching networks, all communications traffic is broken into small blocks called packets. Each message may consist of many packets. Each packet carries identifying information: the addresses of the sender and the receiver, and its position within the message. At the sending end, a message is broken into individual packets, each of which is routed through the network as an individual entity using that identifying information; packets of the same message may take different paths and arrive out of order, duplicated, or not at all. At the receiving end, the message is reassembled from its component packets. With packet-switching technology, a computer connected to a network via a single telephone line could simultaneously hold many conversations over that channel.
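Reassembly at the receiving end is where the unreliable-delivery cases of the previous paragraphs (out-of-order, duplicated, and missing packets) have to be handled, and it is also where an active tap gets a chance to slip in a packet that overwrites a piece already received. The following is an added example written for this chapter, not code from the book; the packet format (message id, sequence number, total count, payload) is an assumption made for the demonstration, and the delivery order is constructed.

```python
"""Added example: reassembling a message from packets delivered out of order,
duplicated, or late, and refusing a duplicate that tries to change a piece.
Illustrative code for this chapter, not from the book; the packet format is an
assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    msg_id: int
    seq: int      # position of this packet within the message, 0-based
    total: int    # number of packets that make up the message
    data: bytes


class Reassembler:
    def __init__(self):
        self.partial = {}   # msg_id -> {seq: data} for messages still incomplete

    def feed(self, pkt):
        """Store one packet. Returns the complete message once every piece is
        present, otherwise None. A duplicate with identical bytes is ignored;
        a duplicate carrying different bytes is rejected, because that is how
        an active tap (or an evasion attempt against an IDS) overwrites data."""
        if not 0 <= pkt.seq < pkt.total:
            raise ValueError("sequence number out of range")
        pieces = self.partial.setdefault(pkt.msg_id, {})
        if pkt.seq in pieces:
            if pieces[pkt.seq] != pkt.data:
                raise ValueError(f"conflicting duplicate for msg {pkt.msg_id} seq {pkt.seq}")
            return None
        pieces[pkt.seq] = pkt.data
        if len(pieces) == pkt.total:
            del self.partial[pkt.msg_id]
            return b"".join(pieces[i] for i in range(pkt.total))
        return None

    def missing(self, msg_id, total):
        """Sequence numbers not yet received: what a reliable protocol would
        ask the sender to retransmit."""
        have = self.partial.get(msg_id, {})
        return [i for i in range(total) if i not in have]


def split_message(msg_id, data, size):
    """Sender side: cut a message into fixed-size packets."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return [Packet(msg_id, i, len(chunks), c) for i, c in enumerate(chunks)]


def demo():
    """Constructed delivery: packets arrive as 2, 0, 2 (duplicate), 1, then 3."""
    pkts = split_message(7, b"transfer 100 to bob", 5)    # four packets: 5, 5, 5, 4 bytes
    rx = Reassembler()
    results = [rx.feed(p) for p in (pkts[2], pkts[0], pkts[2], pkts[1])]
    gaps = rx.missing(7, 4)           # [3] is still outstanding
    final = rx.feed(pkts[3])          # last piece completes the message
    return results, gaps, final


def conflicting_duplicate_is_rejected():
    """A second packet for an already-received position with different bytes."""
    rx = Reassembler()
    rx.feed(Packet(1, 0, 2, b"pay 1"))
    try:
        rx.feed(Packet(1, 0, 2, b"pay 9"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

A real implementation also needs a timeout that discards incomplete messages, otherwise an attacker can exhaust the receiver’s memory by sending first pieces of messages that are never finished, which is a denial of service of the kind described earlier in the chapter.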

Packet switching is the most popular network paradigm in use today, but the packets may not be identically sized. This complicates switching because buffers must be set to accommodate the largest packet anticipated. Asynchronous Transfer Mode uses cell-based switching. ATM cells are very small and uniform: each is exactly 53 bytes long. Five of these bytes are for addressing and control (the header); the other 48 are for data (the payload). The small, fixed-size cells allow all switching circuits to be optimized for the same length, greatly increasing throughput.

Multiple networks can connect to form interconnected networks known as internetworks. The Internet can be thought of as the ultimate network of interconnected networks. A common method of connecting networks is via a gateway—a system, or node, that’s part of two networks. Communications from one network to another pass through the gateway that’s attached to both of them. From a user’s point of view, networks connected by gateways appear to be a single network.

There are many types of network configurations, called topologies. A topology is the way the nodes of a network are connected together. Examples of topologies are bus, ring, and star configurations. Interestingly, a logical topology of a bus, for example, may actually be implemented by running a single wire to each node from a central point or hub. This makes the physical topology a star. A logical ring may take the shape of a physical star, as is the case with a technology such as token ring, or the topology may be an actual ring, as is the case with a fiber-optic technology such as FDDI.

Protocols and layers

Two systems or users who want to exchange messages must agree on a common protocol. A network protocol is a set of rules for how information is exchanged over a communications network. The protocol dictates the formats and the sequences of the messages passed between the sender and the receiver. It establishes the rules for sending and receiving messages and for handling errors. The protocol doesn’t need to know the details of the hardware being used or the particular communications method.

The purpose of a protocol model is to provide a conceptual basis for describing how to communicate within a network in a way that’s independent of the specific rules of the protocol that’s being used.

The concept of layering is central to the development of a protocol suite or a protocol family. Layering divides the communications process into several, relatively independent component processes called layers. Each layer provides specific functions and communication with the layers above and beneath it. A protocol model specifies the general characteristics of each layer of services in a network protocol suite. The purpose of a protocol layer is to provide network services (i.e., to transmit and receive data) to the systems or users who are communicating in the layer above it. Within each layer, the two sides of the communication implement the protocols appropriate to the layer.

Examples of protocol suites are Open Systems Interconnection (OSI), TCP/IP, IBM’s Systems Network Architecture (SNA), Xerox’s Xerox Network System (XNS), Digital Equipment Corporation’s DECnet and Digital Network Architecture (DNA), and Apple’s AppleTalk. Of these, TCP/IP is the most popular, and OSI is the most theoretical. In fact, the OSI protocol model has become the reference model to which other protocols are compared. This greatly simplifies talking and writing about network layers, because any protocol or system can be spoken of by comparing and contrasting it to the OSI model. You can’t get very deep into networking without speaking of OSI layers.

WANs, MANs, and LANs

Computer networks fall into three general categories:

WANs

Wide area networks are large-scale (sometimes called long-haul) networks that span a large geographic area, usually larger than a single city or metropolitan area. Worldwide military networks, public telephone networks, and large funds transfer networks are examples of WANs. WAN systems are usually connected by leased, high-speed, long distance data circuits, typically using a packet-switched technology.

MANs

Metropolitan area networks are middle-sized networks that may serve an intermediate area such as a small city or a metropolitan area. MAN systems are usually connected by technologies such as coaxial cable or microwave.

LANs

Local area networks are networks that are optimized for a small- to moderate-sized geographic area. Although LANs are typically intended for use with a smaller population of users than WANs and MANs, some LANs can support 1,000 or more users. Office and department networks are examples of LANs. LANs often connect PC systems via technologies such as Ethernet cable or fiber optics. Usually LANs are broadcast networks. Instead of routing a message directly from one system to another, LANs typically broadcast messages to every system in the network. Although inherently any system can hear every transmission, by convention each system listens only for messages intended for it. That convention is exactly what a packet sniffer ignores: a network interface placed in promiscuous mode accepts every frame on the segment. A switched Ethernet forwards unicast frames only to the port of the intended recipient, which limits this exposure but does not remove it, since an attacker on the same switch can redirect traffic to himself with techniques such as ARP spoofing; encryption remains the only dependable protection against a listener on your own LAN.

For completeness, there are a few more ANs that have entered the lexicon:

WLANs

Wireless local area networks are networks that roughly parallel LANs, except that the connection to the work area (the line to the end user) is a radio link, typically some form of IEEE 802.11.

CANs

Campus area networks are the enterprise networks that serve a number of related structures, as in a large company or a college campus.

BANs

Building area networks consist of the integrated cabling systems that comprise the building lifelines, for example, the wires connecting environmental systems, including heating, ventilation, and air conditioning (HVAC), surveillance and security (but not fire or life safety, which use an independent network). Telecommunications and network cabling is a possible target for assimilation into the BAN. Office towers would provide connectivity just as they now provide vertical transport (elevators and escalators) and hot and cold running water. In network security terms, a BAN must be highly secure lest an attacker quite literally shut down the building.

PANs

Personal area networks consist of the myriad of devices worn or carried by individuals that can interconnect, sometimes on an ad hoc basis or autonomously. Thus the pocket organizer that receives updates via Bluetooth when you walk near your desk is part of the PAN.

Some Network History

During the early days of computing, communications links connected central processors to remote terminals and other devices such as printers and remote job entry stations. This technology provided the basis for the first computer networks.

In the 1960s, there was a great expansion in the development of computers and the use of remote multiplexers and concentrators. These devices made network communication more economical by collecting all traffic from a set of peripheral devices in the same area and sending it on a single link to a central processor. Concurrently, special processors called front-end processors were developed to free the CPU from having to handle all communications functions. The challenge during these early days of communications was to figure out how to transmit information efficiently and reliably.

The late 1960s and early 1970s saw the establishment of the first large-scale, general-purpose data networks. The ARPANET network, funded by the Department of Defense Advanced Research Projects Agency (ARPA, now known as DARPA), connected geographically distributed military, university, and research computer systems. The ARPANET was the first wide-area network and the first to use packet-switching technology, which revolutionized computer communication. The original ARPANET allowed different host systems to communicate on the same network via a standard network control program.

In the 1970s, IBM and Xerox also introduced their first networks, IBM’s SNA and Xerox’s XNS. Xerox PARC also introduced Ethernet packet-switching technology, which Xerox, Digital Equipment Corporation, and Intel jointly published as the DIX Ethernet specification in 1980, as a network technology that allowed systems to communicate directly, without requiring the use of a central network authority. Ethernet was the first true local area network.

The present-day Internet began to take shape in the 1970s, when DARPA started converting machines to use the TCP/IP protocol suite. By 1983, TCP/IP had become the network standard for the ARPANET. TCP/IP allows systems on different networks to communicate. It’s named for its two major protocols—TCP (Transmission Control Protocol) and IP (Internet Protocol). TCP/IP has become tremendously popular because it provides a way to connect systems based on different computers and communications equipment without being concerned about the details of their physical connections.

In the 1980s, IBM introduced the first PC local area network, and interest in the use of networks in small areas such as offices grew dramatically. The 1980s also saw the introduction of the Open Systems Interconnection Basic Reference Model, which is described in Appendix A.

Over the years, new communications technologies have developed, new network media have been introduced, and tremendous growth has occurred in the use of both wide area networks and local area networks. Today’s network challenges include building workable network products based on standards such as OSI, developing standards for network security, and incorporating trusted system concepts and requirements into network implementations.

HINTS FOR NETWORK SECURITY

§ Protect your physical cables. A vandal can disable a local area network or a part of a larger network by cutting a single wire.

§ Consider the use of conduit, even if it exceeds local fire or building codes. For the most security, seal the cables in plastic and fill the conduits with pressurized gas. If an intruder breaks through a pipe of this kind, a pressure sensor detects the drop in pressure and shuts off traffic or sounds a warning.

§ Lock all telecommunications rooms and wiring closets.

§ Provide extra physical security for any special systems on your network, for instance, a backup device or backup tape or disk library.

§ Use secure offsite storage for backups so that if anything happens to the main facility, a copy of the data will still be intact.

§ Provide firewalls and intrusion detection systems for protection both on the network perimeter and interior.

§ Use trusted network authentication and encryption products.

Network Media

In communications systems, electronic signals may be carried on any of the following types of network media: twisted pair cable, coaxial cable, fiber-optic cable, microwave, and satellite. Each has functional advantages and disadvantages, and each has security consequences. A network may combine several of these media—for example, each building on a campus might be cabled with local Ethernet cable, but fiber may be used between buildings or floors of buildings. The guidelines in the previous sidebar, “Hints for Network Security,” provide some general network security hints. Supplement these with specific rules for your own cabling and environment.

The entire collection of cables in your facility is generally referred to as the cable plant. Interior cabling generally follows a specific and logical architecture called a structured cabling system. Cabling between buildings is called outside plant, or OSP cabling. OSP follows a different set of rules dealing with rights of way, usage of poles, and depth of burial. Adhering to the appropriate codes and standards will almost always make your network more reliable, and in most cases it will be easier to secure, because unauthorized attachments will be easier to spot.

Twisted pair cable

Twisted pair is the type of cable used most often for telephone systems and for LANs. Twisted pair cable is the cheapest type of conventional cabling, but it’s limited in distance and bandwidth (and thus in the number of communications it can carry on a single line). It’s called twisted pair because it consists of two insulated wires twisted together. Twisting wires together allows them to mutually cancel out the creation of magnetic fields, which can rob energy and create a potential for eavesdropping. Twisting pairs also allows both halves of each circuit to experience noise and interference in the same way, simplifying filtering.

These days a single twisted pair cable is a rarity. In most cases, the pairs will be bundled into groups of four, and covered with a common sheath or jacket. Sometimes a shield is added to control electromagnetic emissions. There are security problems with twisted pair cable, because it’s very easy to tap into a twisted pair communication. For this reason, wiring pathways and spaces should be locked where possible.

Coaxial cable

Coaxial cable was formerly used to connect network devices; its current role is primarily video distribution, cable-modem access, and antenna leads on wireless access points. Coaxial cable has a copper center conductor and is more expensive than twisted pair cable, but it is also more resistant to electromagnetic interference. Like twisted pair, coaxial cable may be shielded to control emissions.

There are two techniques for transmitting a signal over a coaxial cable: baseband and broadband. With baseband, only a single channel is transmitted. With broadband, many channels, including video, voice, and data, can be carried simultaneously over greater distances. Coaxial cable has some of the same security problems as twisted pair; it’s very easy to tap into a coaxial communication.

Fiber-optic cable

Fiber-optic cable carries signals as light waves rather than as electrical impulses. It offers many functional advantages (e.g., speed, longer distances, cost), and it provides far better security than other types of cable. For example:

Fiber is difficult to tap

Fiber-optic cable is a difficult medium for intruders to tap because it carries no electrical current and doesn't radiate: it can't be tapped by induction devices or located by metal detectors. It is not untappable, however. A bend coupler clamped onto a stripped fiber can leak enough light to read the signal, and a splice can insert a listening device. Both introduce measurable loss, so tampering is detectable, but only if you baseline and monitor optical power levels (or periodically compare OTDR traces) on the link.

Fiber is resistant to interference

Because fiber-optic cable is immune to electromagnetic interference (EMI) and radio frequency interference (RFI) and doesn’t create its own electromagnetic interference, it’s particularly appropriate in environments where such interference might be a problem (e.g., radar corridors, areas with heavy electrical equipment, or areas with equipment used to monitor critical data).

Fiber is resistant to hazards

Fiber-optic cable is the right choice in hazardous environments such as wet or corrosive areas, areas near high-voltage lines, and areas of frequent lightning or power surges.

Microwave

Microwave or wireless usually isn't an exclusive medium for a network. Instead, it's used in conjunction with other networks, for example as a bridge between two LANs separated by some geographical distance (across a campus, a body of water, or a city). Microwave is less secure than fiber, coaxial, or twisted pair cable because communications can be intercepted through the air by anyone with an antenna. The only way to protect wireless traffic is to encrypt it, which adds a layer of complexity to the communications process. Unfortunately, Wired Equivalent Privacy (WEP), the security scheme originally issued for Wi-Fi, has design flaws in its use of the RC4 key stream and its integrity check; it can be cracked in minutes from passively captured traffic and should be treated as providing no protection. Wi-Fi Protected Access (WPA), the industry's interim replacement, is closely related to Microsoft's Simple Secure Networking (SSN), which is built into the Windows XP operating system, and offers greatly improved security. Users who have Cisco equipment can use a proprietary 802.1X method called LEAP, but LEAP's MS-CHAP-based password exchange is exposed to offline dictionary attack and should not be relied on. The current answer is the IEEE 802.11i standard (marketed as WPA2): it specifies the Temporal Key Integrity Protocol (TKIP) as a stopgap that runs on legacy WEP hardware, and CCMP, based on the Advanced Encryption Standard, as the preferred cipher.

An older kind of microwave system, called a fixed microwave system, provides longer paths for wireless links. Often these systems work as relays, with a signal taking several hops before reaching its eventual destination. These paths too are vulnerable to eavesdropping. Fixed microwave has been replaced in many applications by fiber optics, which offers greater bandwidth and easier maintenance.

Another microwave system, IEEE 802.16 (WiMAX) promises to offer wider range than 802.11. This system grew out of proposals for dispersed, localized low-power wireless cable TV systems, similar in topology to a cellular telephone network.

Satellite

Like microwave, satellite is often used with other networks to connect two distant points. Because of the delays implicit in satellite communication, satellite may be appropriate for certain types of computer communications (e.g., file transfers), but not for other types (e.g., terminal interactions). From a security point of view, satellite is not very secure. Like microwave communications, satellite communications can be intercepted through the air via an antenna. Nevertheless, satellite is increasing in importance in those areas that lack good wired infrastructure. As with microwave communications, encryption services can protect data if required, but at a cost of bandwidth or reduced speed.

Network Security

In the early days of networks, a network administrator usually had tight control over whether a system could connect to another remote system. These days, with the proliferation of interconnected networks and easy remote access and resource sharing, it’s often impossible to identify—never mind to trust—all of the points of access to a system.

There are a number of different strategies for accomplishing security in a network environment. The choice of which and how many strategies to use depends largely on the type and scope of the network, the level of trust that can be placed in the users, and the value of the data that’s being transmitted.

NETWORK SECURITY STANDARDS

Several standards are important to network security:

The Institute of Electrical and Electronics Engineers (IEEE) has developed a set of standards, called 802 standards, primarily for local area networks; some of these standards, such as those used for wireless, are still being amended, and others are in the proposal stage and have not yet been published as final standards. Many have been through extensive modification, with additions being noted as letters at the end of the standard's name. For instance, the standard for transmission of power over the cables used to connect devices by Ethernet (Power over Ethernet, or PoE) has the name IEEE 802.3af.

The early 802 standards, which include 802.1 through 802.10, basically address the lowest two layers of the OSI model. 802.10 is a standard for interoperable LAN security, known as SILS, which is oriented to the exchange of data in multivendor networks.

The X.400 standards developed by ISO and CCITT (Comité Consultatif International Téléphonique et Télégraphique, today the International Telecommunication Union Telecommunication Standardization Sector, or ITU-T) are OSI-oriented protocols for message handling (for example, in electronic mail systems). They include standards for secure messaging.

The X.500 standards developed by ISO and CCITT are standards for directory services and naming. They allow users and programmers to identify an object (e.g., a user, a server, a file) without knowing the location of the object in a network or the path required to reach it. X.500 includes standards for authentication; in particular, X.509, part of the X.500 series, defines the public-key certificate format on which most current authentication services (SSL/TLS, S/MIME, smart-card logon) depend.

The full X.500 directory protocol is heavyweight enough that in practice an X.500-style directory is almost always accessed using a streamlined tool, the Lightweight Directory Access Protocol (LDAP).

Most network security mandated by government projects follows a series of standards found in a series of publications called the Federal Information Processing Standards (FIPS).

Access Control Methods

An interesting problem with security is that not only must information be protected from outsiders, it must sometimes be protected from insiders as well. For instance, patient information in a doctor’s office can be accessed by medical staff, and in fact in an emergency should be readily available. However, vendors who visit the office must not be allowed to see it, nor should cleaners or facility maintenance personnel. Keeping information stratified inside an organization is a form of access control. Various methods that control access to network environments are described in the following sections.

Discretionary access control

In an operating system, discretionary access control (DAC) can be used to restrict file access to certain users or groups. In a network environment, DAC may restrict access to certain remote users and/or systems. A particular network service might be available only to a certain group, which might be defined in a network environment as a particular Internet address (e.g., all the users of a particular system in the network).

Role-based access control

In many cases, it is not so much the person as their position in the organization that determines whether or not they should have access to a given record or file. Engineers rarely need access to payroll data. They would likely look up coworkers' salaries, get jealous or gloat, and perhaps post the information on the Internet somewhere. Accountants rarely require access to the wind-tunnel test data of the secret new fighter aircraft. It might not mean much to them, and they may try to correct minor math errors they come across. (On the other hand, this can be an advantage. One very sensitive national defense project was discovered to be flawed when the calculations regarding thrust of a rocket engine were found to contain an incorrect formula. The engineers did not detect their error mathematically; it first showed up when a computer artist modeled the burn on a PC and the graphic results changed unexpectedly at the point where the formula was flawed.) Granting access by job function (role) rather than by individual is called role-based access control: permissions are attached to roles, and users are assigned to roles.

Mandatory access control

Every system in a trusted network must label its data with security attributes (e.g., sensitivity labels, information labels, login IDs, etc.). This way, the sensitivity of the data will be recognized if the data is sent to another system. Because different networks support different security policies, these labels are not necessarily in the same format.

In certain types of secure networks, each system may effectively have a label. Mandatory access control keeps TOP SECRET data, for example, from being sent over the network to a system labeled as SECRET. Two rules, the simple security property and the star property of the Bell-LaPadula model, do the work. First, no read up: a person or system with only SECRET clearance must not be able to read TOP SECRET data. Second, no write down: a subject handling TOP SECRET data must not be able to save it into an object labeled SECRET or lower, which would silently declassify it. Reading at or below one's own level (read down) is permitted. Writing strictly above one's level (write up) is allowed by the model but is usually restricted in practice, because a SECRET user who writes into a TOP SECRET file cannot read back what was written and cannot tell whether it arrived intact.

Auditing

In a network environment, additional networking events must be audited on both sides of the network connection. Examples include establishing or dropping a network connection, security violations such as lost or misrouted data, and failure of a network component.

Perimeters and Gateways

The simplest way to protect a network from access by unauthorized users is to keep that network physically secure: provide physical protection of all internal network switches and connections, allow no telephone connections, and run no network cabling to the outside world. As mentioned previously, such a system is sometimes nicknamed an airwall (or air gap), because there is an actual gap between external elements and internal elements. But with trends toward wider communication, most organizations will at least occasionally have to communicate with outside systems and networks. Communication between trusted and untrusted networks must have very clear rules associated with it.

A trusted local area network can be thought of as being inside a security perimeter. Inside the perimeter, access controls and other security features determine who can access what information. For example, in a trusted system supporting multilevel military security, some users are cleared to access TOP SECRET data, others only SECRET, CONFIDENTIAL, or UNCLASSIFIED data. In a fairly simple network environment, all information originating outside the trusted network might be treated at a single sensitivity level. In such an environment, a gateway system, known as a firewall, or a firewall computer if it is built out of a PC with two network cards, might separate the trusted system or network from the untrusted systems or networks outside it. Untrusted systems can communicate with trusted systems only through a single communications channel controlled by a trusted gateway. The gateway controls traffic from both inside and outside the network and effectively isolates the trusted network from the outside world. Because the firewall protects the other machines within the perimeter, security can be concentrated on the firewall.

In the simplest case, where everything inside the perimeter is trusted and everything outside is untrusted, the gateway system labels and filters data. When information is imported into a trusted system from an untrusted system, the gateway system puts a sensitivity label (usually “UNCLASSIFIED”) on this data. When information is exported from a trusted system to an untrusted system, the gateway system filters that information by exporting only data that the untrusted system is allowed to process (usually UNCLASSIFIED data). If multilevel security is supported, more complex network solutions are required to regulate access to the different security levels, as described in the next section.
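As an added illustration (not from the book) of how the label rules of the Mandatory access control section and the gateway's labeling and filtering fit together, the following Python sketch implements a small label lattice with levels and compartments, the no-read-up and no-write-down checks, and a gateway that stamps imports UNCLASSIFIED and releases only what the untrusted side may process. The level names follow the text; the compartment name CRYPTO and the strict-write option are assumptions made for the example.

```python
"""Label lattice, Bell-LaPadula checks, and a labeling/filtering gateway.
Added example, not from the book.  Levels follow the text; the compartment
name and the strict-write option are assumptions for the demonstration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset
        of compartments.  Two labels can be incomparable (neither dominates)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up.  A SECRET-cleared subject may
    read SECRET or lower, never TOP SECRET, and never a compartment it lacks."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label, strict: bool = False) -> bool:
    """Star property: no write down.  With strict=True writes are confined to
    the subject's own label, which also rules out blind writes upward."""
    if strict:
        return obj == subject
    return obj.dominates(subject)


# --- gateway between a trusted network and an untrusted one -----------------
FLOOR = Label("UNCLASSIFIED")          # label stamped on everything imported
EXPORT_CEILING = Label("UNCLASSIFIED")  # highest label the outside may receive


def gateway_import(payload: bytes) -> Tuple[Label, bytes]:
    """Data arriving from the untrusted side is trusted at the floor level only."""
    return FLOOR, payload


def gateway_export(label: Label, payload: bytes) -> Optional[bytes]:
    """Release only data the untrusted side is cleared to process; anything
    else would be a write down across the perimeter and is dropped."""
    return payload if EXPORT_CEILING.dominates(label) else None


def demo() -> dict:
    ts_crypto = Label("TOP SECRET", frozenset({"CRYPTO"}))
    secret = Label("SECRET")
    top_secret = Label("TOP SECRET")
    return {
        "secret_reads_topsecret": can_read(secret, top_secret),            # read up: False
        "topsecret_reads_secret": can_read(top_secret, secret),            # read down: True
        "topsecret_writes_secret": can_write(top_secret, secret),          # write down: False
        "secret_writes_topsecret": can_write(secret, top_secret),          # write up: True
        "secret_writes_topsecret_strict": can_write(secret, top_secret, strict=True),  # False
        "ts_without_compartment_reads_crypto": can_read(top_secret, ts_crypto),  # False
        "export_unclass": gateway_export(Label("UNCLASSIFIED"), b"press release") is not None,
        "export_secret": gateway_export(secret, b"plans") is None,
    }
```

The lattice matters in the compartment case: a TOP SECRET subject without the CRYPTO compartment cannot read a TOP SECRET/CRYPTO object even though its level is equal, which a level-only comparison would get wrong.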

Security in Heterogeneous Environments

More and more modern networks are attempting to serve heterogeneous computing environments. Networks must have facilities for supporting a whole range of security environments, corresponding to the host systems they serve.

Using a trusted gateway to partition trusted networks from untrusted networks, as described in the previous section, works only if communications from outside the trusted network can be treated at a single level of security. In more complex environments supporting multilevel communications, more complex solutions are needed.

On the trusted network side, a system must make decisions about requests originating outside the trusted network. It must regulate which information remote users are cleared to access, and it must control which system services remote users are granted. In standard networks, in which the security attributes of the remote user aren’t transmitted, the local system doesn’t have sufficient information to make access decisions. This can lead to major security problems. For example, if a trusted network server on the trusted network side processes requests on behalf of an untrusted remote user, the security of the whole system is at risk.

There must be some way to propagate to the local process (the process on the trusted network side) the security attributes of the remote user (the process on the untrusted network side). This isn’t as simple as sending a “TOP SECRET” label, for example, from one side to the other. Even if a user is cleared for TOP SECRET information on one system, he’s not necessarily given the same courtesy when he accesses another system. Each system in the network must be able to compare the attributes of the process performing an operation with those of the file or other object on which the operation is performed, and make access decisions that are appropriate to the local system’s security policy. To do otherwise invites incredible risk, especially in this day when snippets of code are passed readily between computers for execution.

Encrypted Communications

Encryption, a process that transforms information into another form that cannot be read by unauthorized users, is a very important part of network security. Because information is so vulnerable to attack when it’s being transmitted over a network, encryption offers a strong assurance that even if the information is intercepted, it won’t be comprehensible. (See Chapter 7 for a detailed description of encryption.)

In addition to protecting the secrecy of messages transmitted over a network by transforming them into data that appears to be unintelligible, cryptographic techniques can also ensure the integrity and authenticity of those messages. Message authentication provides a critical network security tool; it ensures that a message was received in exactly the form sent. At the sending end, the sender computes a message authentication code (MAC) over the message, using a secret key shared with the receiver, and appends it to the (typically already encrypted) message. At the receiving end, the receiver independently computes the MAC with the same key and compares it with the code sent with the message. If the two match, the receiver knows the message was not altered in transit and was produced by a holder of the key. Two practical caveats apply. The comparison must be done in constant time, so that an attacker cannot learn the correct code byte by byte from timing differences. And a MAC alone does not stop an attacker from recording a valid message and resending it later; a timestamp or sequence number protected by the MAC is needed for that.

A digital signature is another network security tool that provides evidence that you, and only you, sent a signed message. The signature is computed with a private key that only you possess and can be checked by anyone holding the corresponding public key, so it cannot be forged as long as the private key stays secret. Unlike a MAC, whose verifier must hold the same key and could therefore have produced the code itself, a signature can be checked by third parties, which is what makes it usable as proof that you sent the message.

A message that’s proved to be authentic by an outside authority, sometimes called a notary, is said to be arbitrated. As with a traditional notary, who provides independent evidence that someone is who she claims to be, a digital notary attests that a message is genuine. The notary may also provide proof that the message was sent and received at a particular, recorded point in time. This keeps the message from being repudiated by the sender and/or the receiver later on.
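The following Python example, added here and not part of the book, shows message authentication as just described together with the two caveats a practitioner wants: a constant-time tag comparison, and a timestamp plus a nonce placed under the MAC so that a recorded message cannot be replayed (the timestamp technique listed under Authentication in Table 8-1 later in this chapter). The wire layout (8-byte timestamp, 16-byte nonce, body, 32-byte HMAC-SHA256 tag), the 30-second freshness window, and the sample message are assumptions for the demonstration.

```python
"""Message authentication with HMAC-SHA256 plus replay protection.
Added example, not from the book.  Wire format (an assumption for the demo):
    8-byte big-endian timestamp | 16-byte nonce | body | 32-byte tag
The tag covers timestamp, nonce and body, so none of them can be swapped."""
import hashlib
import hmac
import os

HDR_LEN, TAG_LEN = 24, 32
MAX_SKEW = 30          # seconds a message may be late and still count as fresh


def protect(key: bytes, body: bytes, now: float, nonce: bytes = None) -> bytes:
    """Sender side: MAC everything that goes on the wire, freshness data included."""
    nonce = os.urandom(16) if nonce is None else nonce
    header = int(now).to_bytes(8, "big") + nonce
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}     # nonce -> timestamp, for replay detection

    def verify(self, msg: bytes, now: float) -> bytes:
        """Return the body, or raise ValueError on forgery, tampering or replay."""
        if len(msg) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header, body, tag = msg[:HDR_LEN], msg[HDR_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Check the tag first, and in constant time: a plain == stops at the
        # first differing byte and leaks how much of a forged tag is right.
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad MAC: forged or modified in transit")
        ts, nonce = int.from_bytes(header[:8], "big"), header[8:]
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("stale timestamp: outside the freshness window")
        if nonce in self.seen:
            raise ValueError("nonce already seen: replayed message")
        # Nonces older than the skew window can no longer pass the check above,
        # so forget them; this bounds the memory an attacker can make us use.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[nonce] = ts
        return body


def demo() -> dict:
    key = os.urandom(32)                      # shared out of band in practice
    rx = Receiver(key)
    t0 = 1_700_000_000.0                      # constructed clock value
    msg = protect(key, b"transfer 100 to account 42", t0)
    out = {"valid": rx.verify(msg, t0 + 1) == b"transfer 100 to account 42"}
    cases = [
        ("replay", msg, t0 + 2),                                        # same bytes again
        ("tampered", msg[:30] + bytes([msg[30] ^ 0x01]) + msg[31:], t0 + 1),  # flip a body byte
        ("stale", protect(key, b"x", t0 - 3600), t0),                   # genuine but old
    ]
    for name, bad, t in cases:
        try:
            rx.verify(bad, t)
            out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e).split(":")[0]
    return out
```

Note the order of checks: the tag is verified before the timestamp or nonce is even parsed, so an attacker who cannot forge tags cannot probe the freshness logic with crafted headers.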

There are two communications levels at which encryption can be performed, each with different implications for network security: end-to-end encryption and link encryption.

End-to-end encryption

With end-to-end encryption (sometimes called off-line encryption), a message is encrypted when it’s transmitted and decrypted when it’s received. The network may not even need to be aware that the message is encrypted. This type of encryption sometimes may be selected as an option by the user. The message remains encrypted through the entire communications process, from start to finish, as shown in Figure 8-1. See "End-to-End and Link Encryption" in Chapter 7 for more information.

End-to-end encryption

Figure 8-1. End-to-end encryption

Link encryption

With link encryption (sometimes called online encryption), a message is encrypted when it is transmitted, but is decrypted and then encrypted again each time it passes through a network communications node. The message may therefore be encrypted, decrypted, and reencrypted a number of times during the communications process, and the message is exposed in plaintext within each node, as shown in Figure 8-2. With link encryption, the encryption is performed just before the message is physically transmitted. Encryption is typically invisible to the user; it is simply part of the transmission process. See "End-to-End and Link Encryption" in Chapter 7 for more information.

Link encryption

Figure 8-2. Link encryption

Through the Tunnel

One popular technique of encrypting traffic as it travels over a link is called tunneling. As mentioned previously, one of the problems with encrypting a link is that the headers and trailers of each packet, which are the points in the packet where the addressing occurs, have to remain in the clear. This may reveal as much information as if the packet itself was open. (Encoded messages to the enemy’s Weapons of Mass Destruction department must always be looked at carefully.)

To encrypt the addresses requires that the network be secured in its entirety, drastically increasing expenses. At the very least it requires a system of leased lines, to which no unauthorized parties have access. Maintaining such a network can also be quite expensive, and it doesn’t truly guarantee that the lines are not monitored by spies, only that they are not supposed to be. In addition, the cost of such networks may vary by the mile or by the amount of capacity used. This means that the more you use your network, the more costly it can become. In other words, it is difficult to scale a network that consists of many dedicated circuits.

Tunneling is the basis of a host of secure technologies. To create a tunnel, packets are placed in a wrapper, which contains the network addressing information needed to cross the public network. While the wrapper is in place, it handles the navigation through the network. The actual packets, their own headers included, are encrypted inside the wrapper. Once the wrapper carries the packet across the uncontrolled network, the wrapper is removed and the inner packet decrypted, so that its address can be interpreted normally within the secure domain.

Tunnels are the basis of virtual private networking (VPN). Basically, a VPN is a private network that uses a public network, often the Internet, to connect remote users and sites together. Because the network behaves as if it was under private control even though it is not, it is called a virtual private network. A VPN uses virtual, non-physical connections that are routed through a public network or the Internet to tunnel packets from the company’s private network to the remote site. This means that the user can obtain the utility of dedicated links without having to maintain all those links.
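To make the wrapper concrete, here is an added Python example (not from the book) of IP-in-IP encapsulation, the tunnel-mode layout that IPSec and similar protocols build on: an inner datagram addressed between two private hosts is wrapped in an outer IPv4 header addressed between the two tunnel gateways, with correct header checksums, and unwrapped on the far side. The gateway and host addresses are documentation-range values chosen for the example, and the inner packet is deliberately left unencrypted here so the focus stays on what the outer header does and does not reveal; a real VPN encrypts the inner datagram (for instance with IPSec ESP) before wrapping it.

```python
"""IP-in-IP encapsulation (protocol number 4, RFC 2003 layout): what the tunnel
wrapper adds and what an observer on the public network can see.
Added example, not from the book.  Addresses are documentation ranges chosen
for the demo; the inner packet is left in the clear to keep the focus on the
wrapper, where a real VPN would encrypt it (e.g. IPSec ESP) first."""
import socket
import struct

IPPROTO_IPIP = 4
IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    ver_ihl, tos, total_len = (4 << 4) | 5, 0, 20 + payload_len
    flags_frag, ttl = 0x4000, 64          # DF set, no fragmentation
    hdr = struct.pack(IPV4_FMT, ver_ihl, tos, total_len, ident, flags_frag, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # A header that includes its own checksum field sums to zero when intact.
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad version or header checksum mismatch")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: the outer header names only the two gateways."""
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Tunnel exit: accept only tunnel packets from the configured peer."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    if o["src"] != expected_peer:
        raise ValueError("tunnel packet from unexpected peer %s" % o["src"])
    return o["payload"]


def demo() -> dict:
    udp_stub = b"\x00\x35\x00\x35\x00\x08\x00\x00"          # constructed 8-byte UDP header
    inner = ipv4_header("10.1.1.7", "10.2.2.9", 17, len(udp_stub)) + udp_stub
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    observer = parse_ipv4(outer)                            # all a sniffer on the WAN learns
    recovered = parse_ipv4(decapsulate(outer, "198.51.100.1"))
    try:
        parse_ipv4(outer[:1] + bytes([outer[1] ^ 0x10]) + outer[2:])   # corrupt one header byte
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"outer_src": observer["src"], "outer_dst": observer["dst"],
            "outer_proto": observer["proto"],
            "inner_src": recovered["src"], "inner_dst": recovered["dst"],
            "inner_intact": decapsulate(outer, "198.51.100.1") == inner,
            "tamper_detected": tamper_detected}
```

The observer sees only the gateway addresses and protocol 4; the private 10.x addresses are hidden inside the payload. Checksums catch corruption, not attackers, which is why the IPSec section later adds an integrity check keyed with a secret.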

VPNs for remote access

VPNs have grown in popularity because they support remote access service. In recent years, many organizations have increased the mobility of their workers by allowing more employees to telecommute. Employees also continue to travel and face an increasing need to stay “plugged in” to the company network. Leased lines don’t support mobile workers well because the lines fail to extend to people’s homes or their travel destinations. Companies that don’t use VPNs must resort to implementing specialized “secure dial-up” services. To log in to a dial-up intranet, a remote worker must call into a company’s remote access server using either a toll-free number or a local number. The overhead of maintaining such a system internally, coupled with the possibility of high long distance charges incurred by travelers, make use of VPNs instead an appealing option here.

Figure 8-3 illustrates a VPN remote access solution. A remote node (client) wanting to log into the company VPN calls into a local server connected to the public network. The VPN client establishes a connection to the VPN server maintained at the company site. Once the connection has been established, the remote client can communicate with the company network just as securely over the public network as if it resided on the internal LAN itself.

VPN Remote Access Architecture

Figure 8-3. VPN Remote Access Architecture

VPNs for internetworking

A simple extension of the VPN remote access architecture allows an entire remote network (rather than just a single remote client) to join the local network. Rather than a client-server connection, a server-server VPN connection joins two networks to form an extended intranet or extranet.

VPNs inside the firewall

Intranets can also use VPN technology to implement controlled access to individual subnets on the private network. In this mode, VPN clients connect to a VPN server that acts as a gateway to computers behind it on the subnet. Note that this type of VPN use does not involve an ISP or public network cabling. However, it does take advantage of the security features and convenience of VPN technology.

VPN tunneling protocols

Several interesting network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols are listed next. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations, Microsoft among them, worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all versions of Windows include built-in client support for this protocol. PPTP's security rests on its authentication method, usually MS-CHAP, and its MPPE encryption keys are derived from the user's password; both versions of MS-CHAP have published cryptanalytic weaknesses, so PPTP should be regarded as a legacy option and replaced where possible.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, its best features were combined with PPTP to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, thus the origin of its name. Refer to Appendix A for more information on the OSI model. Note that L2TP by itself only tunnels; it provides no confidentiality or integrity protection. In practice it is paired with IPSec, as L2TP/IPSec, to encrypt and authenticate the tunnel.

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec) is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution on its own, or simply as the encryption and integrity layer beneath an L2TP tunnel. IPSec exists at the network layer (Layer Three) in OSI. IPSec is covered more fully in a later section.

Network Security Tasks

Providing a secure connection between sender and receiver is a technical challenge. It is divided into several subtechnologies that are described in the following sections.

Communications integrity

Communications integrity services ensure that network communications are transmitted accurately. This means that messages aren’t forged, modified during transmission, or repudiated by either the sender or the receiver of the messages. (See Table 8-1.)

Table 8-1. Communications integrity services

Service

Meaning

Authentication

Proves the identity of the user and system sending a message. Ensures that unauthorized users can’t pretend to be another (called a masquerade). Authentication also ensures that an unauthorized user can’t record and then resend a previously sent message (called a playback or a replay attack).

Network security techniques: encryption, passwords, digital signature, timestamp on message.

Communications field integrity

Protects the accuracy and integrity of the message. Ensures that the message, including specific message fields (such as the protocol header used for routing) are not changed (via message stream modification)—either deliberately or accidentally.

Nonrepudiation

Proves that a message has been sent and received. Ensures that the sender can’t deny that he sent the message, and that the recipient can’t deny that he received it.

Denial of service

Denial of service services are designed to ensure that the network keeps working and that all services needed by users are fully available. This means that the network supports good system administration and that there are methods for keeping threats such as message flooding and worms out of the network. (See Table 8-2.)

Table 8-2. Denial of service services

Service

Meaning

Continuity of operations

Keeps the network working efficiently, even if components fail or the network is attacked.

Network security techniques: redundant or fault-tolerant systems and devices, ability to reconfigure network in an emergency.

Protocol-based protection

Detects network problems (e.g., slowdown in transmission) using existing protocol services.

Network security techniques: measurement of transmission rates between systems (compare with minimum) and waiting time for responses (compare with threshold).

Network management

Monitors overall network performance to detect network attacks (e.g., message flooding, replays), failures (e.g., message overload, noise), or inequities (some users or processes having a processing advantage over others).

Network security techniques: restriction of resources via network administration (e.g., limited CPU time, number of jobs, number of disks and tapes, number of files, file size).

Compromise protection

Compromise protection services are designed to keep information transmitted over the network a secret from those not authorized to access it. This means that the network provides methods for keeping intruders out of the network—both physically and remotely. (See Table 8-3.)

Table 8-3. Compromise protection services

Service

Meaning

Data confidentiality

Protects data from being intercepted and read by unauthorized users during transmission.

Network security techniques: encryption of data in transit, physical protection of cabling, access controls.

Traffic flow confidentiality

Protects data characteristics (e.g., message length, frequency, destination) from being analyzed by an intruder (called traffic analysis). Such an analysis might allow an observer to infer information; a classic example is that a pattern of messages between a general and troops in the field could predict that the troops are about to launch an attack.

Network security techniques: covert channel analysis, padding messages (to disguise their actual characteristics), sending noise or spurious messages.

Selective routing

Avoids particular threats to data by routing messages to avoid certain networks or systems (e.g., systems in certain countries or certain suspicious network nodes).

Network security techniques: network configuration, periodic deletion or modification of messages.

Securing Communications

To sum up, you need to provide data privacy, authenticity, integrity, and protection against replay attacks for network traffic whether communications are between a client and a server, between two servers, or between two clients, and you need the same protection when clients reach the network remotely. PPTP and L2TP are tunneling protocols built for that remote-access case; of the two, only L2TP combined with IPSec gives strong protection. The technique discussed next, IPSec, is used both for site-to-site links and, with IKE or as L2TP/IPSec, for VPN remote access.

Internet Protocol Security (IPSec)

To secure communications over the Internet, which is an open network, requires some additional tools. Internet Protocol Security (IPSec) can provide security across public networks or private networks that you may lease but do not control or for which you cannot guarantee physical security.

IPSec was designed by the Internet Engineering Task Force. It defines IP packet formats (the Authentication Header, AH, and the Encapsulating Security Payload, ESP) and related infrastructure to provide end-to-end strong authentication, integrity, and antireplay protection for traffic on networks; ESP additionally provides message confidentiality by encrypting the packet payload and, in tunnel mode, the original IP header as well.

An automatic key management service, the IETF-defined Internet Key Exchange (IKE; version 1 is specified in RFC 2409, version 2 in RFC 4306 and its successors), negotiates the connection's security associations. The IKE standards authenticate the peers either with a pre-shared secret or with digital signatures backed by public-key certificates; Windows implementations can also use Kerberos to establish trust between domain computers. Signatures and shared secrets have been discussed earlier. Kerberos will be detailed in the next section.

Once two communicating computers have authenticated each other, they use a Diffie-Hellman exchange to derive encryption and integrity keys that are known only to the two of them. This allows them to protect the data against modification or reading by attackers who may be lurking in the network. The keys are not permanent: they are automatically refreshed (rekeyed) according to lifetimes in the IPSec policy set by the administrator, and only a genuine communications partner can derive the next set. Making sure both computers start from the same position is the task of IKE, which ensures that the type and strength of authentication, the encryption and integrity algorithms, and the kind of protection to be applied to the application traffic are identical at each end of the link. Each protected packet also carries a sequence number that the receiver checks against a sliding window, so that a captured packet cannot simply be replayed.

Kerberos

Kerberos is an authentication system for open systems and networks. Developed by Project Athena at the Massachusetts Institute of Technology, Kerberos can be added to existing network protocols. Historically, Kerberos has been used with Unix-oriented protocols such as Sun's Network File System, and it is the default authentication protocol in Windows Active Directory domains. Early Kerberos used an encryption system based on the Data Encryption Standard (described in Chapter 7); current implementations use AES, and the DES encryption types are deprecated as insecure. Each user has a long-term secret key derived from his or her password.

How does Kerberos work? Like its namesake, the many-headed dog who guards the entrance to the underworld, Kerberos guards the data transmitted between machines that communicate over the network. Kerberos uses cryptographic keys known as tickets to protect the security of the messages you send to the system—and the messages the system sends back to you. Kerberos never transmits passwords, even in encrypted form, on the network. Passwords reside only in a highly secure machine called a key server. Kerberos performs authentication both when you log into the system and when you request any type of network service (e.g., a printer or a mail system).

The Kerberos authentication sequence works like this:

1. When you log in, you enter your login name. The login process sends your login name to the Kerberos key distribution service, which returns the following to you:

o An encrypted session key—a temporary key you use to communicate with the Kerberos ticket granting service (described later).

o An encrypted ticket for the Kerberos ticket granting service.

2. You enter your password. The login process uses your password as a private key to decrypt the session key and the ticket sent to you by the key distribution service. If the decryption works, you’re authenticated.

3. When you request a network service (e.g., mail), the system sends your temporary session key and your ticket granting ticket to the Kerberos ticket granting service. Each service has its own password. The ticket granting service returns a temporary key and a ticket for use with the service. The system uses your session key to decrypt the key and the ticket.

4. To make the connection to the service, the system sends the service your session key, your temporary service key, and your service ticket. If the server can decrypt the request sent to it, you’re allowed to use the service.
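The four steps above, worked through as an added example (not the book's own code): a constructed key-server database holds the long-term keys, a toy authenticated cipher stands in for the DES-based cipher the text mentions, and the user name alice, the service name mail and the password strings are assumptions. Note that the password is used only locally in step 2, and that a wrong password shows up as a failed decryption rather than a transmitted secret.

```python
import hashlib, hmac, json, os

def derive_key(secret: str) -> bytes:
    # A password (a user's or a service's) becomes a long-term key; only the key server keeps these.
    return hashlib.sha256(secret.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated cipher (constructed here) standing in for DES: keystream XOR plus an HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")   # failed decryption == not authenticated
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Constructed key-server database: the only place long-term keys live; they never go on the wire.
KDC_DB = {"alice": derive_key("alice-pw"), "tgs": derive_key("tgs-pw"), "mail": derive_key("mail-pw")}

def kdc_login(user: str):
    # Step 1: only the login name travels; the KDC returns a session key (under the user's key) and a TGT (under the TGS key).
    sk = os.urandom(32)
    tgt = encrypt(KDC_DB["tgs"], json.dumps({"user": user, "key": sk.hex()}).encode())
    return encrypt(KDC_DB[user], sk), tgt

def tgs_request(tgt: bytes, service: str):
    # Step 3: the TGS opens the TGT with its own key and issues a service key plus a service ticket.
    info = json.loads(decrypt(KDC_DB["tgs"], tgt))
    svc_key = os.urandom(32)
    ticket = encrypt(KDC_DB[service], json.dumps({"user": info["user"], "key": svc_key.hex()}).encode())
    return encrypt(bytes.fromhex(info["key"]), svc_key), ticket

def service_accept(service: str, ticket: bytes, authenticator: bytes) -> str:
    # Step 4: the service decrypts the ticket with its own key; the authenticator must open under the key inside it.
    info = json.loads(decrypt(KDC_DB[service], ticket))
    return decrypt(bytes.fromhex(info["key"]), authenticator).decode()

def kerberos_login_and_use(user: str, password: str, service: str) -> str:
    enc_sk, tgt = kdc_login(user)
    sk = decrypt(derive_key(password), enc_sk)           # Step 2: password used only on the client
    enc_svc_key, ticket = tgs_request(tgt, service)
    svc_key = decrypt(sk, enc_svc_key)
    return service_accept(service, ticket, encrypt(svc_key, user.encode()))
```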

Summary

The computer and operating system safeguards described in this book protect information very effectively as long as the information remains safely in the computer, under the operating system’s control. But in the world of networks and the Internet, information is increasingly on the move, being shared and communicated among different users on different systems across the globe. Information that is protected securely by an operating system becomes much more vulnerable when it is being transmitted, whether over telephone lines or network connections, via satellite or microwave. Whether you are sending your thoughts via electronic mail, presenting your new sales plan in a shared document session, or simply transferring data files, once the information enters the wild, your materials are potentially available to anyone. Instead of being exposed only to a relatively small population of users within your own organization, your computer system potentially becomes open to attack by anyone who has access to a modem or a network connection. Appropriate steps, such as those detailed in this chapter, must be taken.
