Paul Innella
This paper describes the present state of information security with specific concentration on secure networks. Additionally, the history of network development and its dependency on security will be explained thoroughly. The state in which network security finds itself is a result of a number of threats to its integrity. Using a variety of preventative measures, including firewalls and encryption, the degree of network security can be raised considerably. Finally, a discussion of a development strategy, which follows the software engineering life cycle model, will reveal a sound method for properly securing a network.
I. Introduction
Security on the Internet and on Local Area Networks is now at the forefront of computer-related issues. The technical jargon of the day is information warfare and network security, and there are valid reasons for their rise in importance. Throughout the evolution of networking and the Internet, the threats to information and networks have risen dramatically. Many of these threats have become cleverly exercised attacks causing damage or committing theft. Consequently, the public has become more conscious of the need for network security and so too has the government. Protective tools and techniques exist to combat security threats; nevertheless, only with the proper implementation will they succeed. Consequently, this paper is a discussion of network security, its history, the threats and responses to those threats, and the method of designing a secure network that follows the process model for software engineering.
comparison to the US, demonstrated further the importance of information, since Iraq today is at or below par with most third-world nations. [COH95] Controlling information and preventing its loss is so essential that information security has become indispensable. Information security is the necessary means by which critical information is controlled and its loss is prevented. Information security deals with those administrative policies and procedures for identifying, controlling, and protecting information from unauthorized manipulation. This protection encompasses how information is processed, distributed, stored, and destroyed. [SHA94] In order for information security to be achieved, several attributes must first be attained. Information that is distributed, whether through a network, on disk, or on paper, must be distributed in a secure fashion. Educational training must be given to all individuals involved with specific information and especially to those required to secure that information. Classification and clear demarcation of information into different sensitivity levels is another necessary step in securing information. Information must be monitored and tracked consistently and continuously throughout its existence. Finally, securing a network is the most important piece of information security. Information security is in essence all of the aforementioned measures for securing vital information, and network security is the key to doing so; as a result, network security will be discussed in greater detail in the sections that follow.
does not resolve any of the concerns for network security. Nevertheless, this demonstrates the government's awareness of developing security issues. Much like the immature early evolution of software, so too grew networks, the Internet, and network security. In the fall of 1988 the world saw evidence of the true threats that existed to network security. The Internet Virus was launched at that time, and all of the 60,000 computers on the Internet were crippled for two entire days. Although the 1980s foreshadowed the networked world to come, and the security issues that would stem from it, it is the ensuing decade in which network security became the absolute necessity that it is today. The current decade has seen network and Internet growth that far exceeds the imaginations of their creators. The corporate world designs its business infrastructure around network architectures. Global business requires networks that link the corporate world together. In addition, the Internet has grown to connect easily over two million computers on one massive and primarily uncontrolled network. [COH95] As separate entities, the security issues for the Internet and the global corporate networks are difficult to maintain. Now, however, the corporate networks are merging with the Internet to develop Internet businesses, web-based business transactions, and much more. Consequently, the security matters are incredible. For the first time since the birth of the PC revolution almost two decades ago, security is the top-line item concern. Security is historically an afterthought. Operating systems are generally not considered secure, with few notable exceptions. Ethernet-based networks are veritable sieves of information. Plain-text data expose information resources in their most native form. Dial-up access for telecommuters exposes the innards of a corporate entity as obviously as if a bank's vault were left open and unguarded.
The result is that this massive global infrastructure we have constructed has no fundamental security mechanisms built in to protect itself. [STA95] The stage is thus set for unbelievable information sharing on both levels of unimportance and extreme necessity and so the need for network security is paramount to prevent against countless threats.
V. Network Threats
The history of network security has been delineated, leading now into some of the numerous potential threats to information on a network. Threats to network security range from harmless pranks to devastating crimes of destruction and theft. Breaches in network security occur internally by employees and externally by hackers. In a recent attack on the Texas A&M University computer complex, which consists of 12,000 interconnected PCs, workstations, minicomputers, mainframes, and servers, a well-organized team of hackers was able to take virtual control of the complex. [STA95] Penetrations into a network can occur through password sniffers, IP snooping, and E-Mail attacks. Further damage can be accomplished through the use of viruses, worms, Trojan horses, and logic bombs. These are only a few of the countless techniques and devices used by people who are motivated by monetary gain, malicious intent, or simply the challenge. The following sections will describe these threats to network security and give some examples of actual occurrences as well as their effects on a network.
Internal threats to a network are a major source of strain on the level of security attained by that network. These threats generally stem from either disgruntled or unethical employees. Disgruntled employees are generally not content with their salary, position, or working environment. As a result, they intend to seek compensation for their current state of affairs by doing harm to a corporation's network. A couple of years ago, for example, at General Dynamics Corp.'s space division in San Diego, a programmer, unhappy with the size of his paycheck, planted a logic bomb, a computerized equivalent of a real bomb, designed to wipe out a program to track Atlas missile parts. [ALE96] Dishonest employees are those who intend to profit from the manipulation of data stored on a network. These people are interested in altering accounting or financial data to embezzle and increase their monetary gains. AT&T discovered that some of their employees were dishonest because they had purchased a pay-per-minute telephone number. They then programmed AT&T telephones to call that number repeatedly and thus reaped the rewards at AT&T's expense. Other methods of breaching network security internally include reading other people's E-Mail, using E-Mail as a means of anonymously harassing other people, placing a virus on the network with the intent of doing harm, delivering proprietary information to outside sources, physical hardware and software theft, violating software license agreements, and using network resources for outside business. Whatever method is used, internal threats to a network are serious concerns for the integrity of that network's security. External threats to network security, generally referred to as hackers, can be equally and sometimes more dangerous than internal threats. To obtain entry into a network or view sensitive information, hackers must use password sniffers, IP snooping, and E-Mail attacks.
Password sniffers work by running a packet sniffer that monitors traffic on a network passing through the machine on which the sniffer resides. The sniffer acquires the password and log-on name used when the source machine attempts to connect to other machines and saves this information in a separate file later obtained by the hacker. IP spoofing involves the capturing of the information in an Information Packet (IP) to obtain the necessary address name of a machine that has a trusted relationship with yet another machine. In doing so, a hacker can then act as one of the machines and use the trusted relationship to gain entry into the other machine, where any number of actions can be performed. Finally, E-Mail is extremely vulnerable and quite susceptible to a number of different attacks. Once a letter is sent, before the letter leaves your computer, it sits in a temporary area of the disk, called a spool area, waiting to be sent. While it sits there, it is possible for your system administrator to read the letter. If the mail software is improperly set up, anybody can read your letter. [BAR96] As the letter travels from gateway to router to destination server, it can be read at almost any point along the way. Regardless of the method used to gain entry onto a network or view communications therein, hackers can truly jeopardize a network's security and potentially do severe damage to the data and systems within. There is certainly a great deal to be aware of with regard to network security. There are internal threats from employees who have access to the network. There are additional threats from external sources that do not have access to the network, but use different methods to obtain entry. Regardless of whether the threat is from within or from outside of the network, there are many different tools available to both entities,
making them more dangerous still. In the ensuing paragraphs, some of the means used by potential threats to network security will be discussed. The Virus is potentially one of the most dangerous threats to network security. Viruses can corrupt or destroy data, alter files, and possibly bring a network to a halt. Fred Cohen, author of Protection and Security on the Information Superhighway, has been credited with developing the first virus for what he contends was a means of testing computer security. Cohen defines a virus as a program that can infect other programs by modifying them to include a, possibly evolved, version of itself. [ALE96] There are two kinds of viruses, those that operate with the use of executable files and others that infect the boot sector of a disk. In either case, the virus attaches itself to any files that it comes in contact with while the infected file is being executed or while the virus code in the boot sector is loaded into memory. The virus is then launched depending on how it was designed. Certain viruses launch at a given date while others instantiate themselves after the file they have attached themselves to is executed a specific number of times. Once the virus is launched, a multitude of possible scenarios can occur. Each virus is written to perform different functions ranging from the humorous to the malicious, such as destroying all of the data on a computer's hard drive. The virus is a dangerous threat to network security, and it can exist in many different forms, as will be discussed shortly. Two types of viruses, Stealth viruses and Polymorphic viruses, are amongst the most threatening kinds because they have been developed to outsmart anti-virus scanners. Stealth viruses are designed to perform their intended function while remaining undetected by anti-virus software. One method of accomplishing this task is by completely disabling the anti-virus software's scanning mechanism.
Since anti-virus scanners many times look to detect changes in file sizes, certain Stealth viruses can send back the original size to the scanner yet still change the actual file size. One last version of the Stealth viruses will alter the boot sector while maintaining a copy of the original to which it refers the anti-virus scanner. Polymorphic viruses are labelled as such because they disguise themselves in several different fashions. One method is for the virus to reproduce itself by modifying itself each time so as not to make any identical copies. Certain polymorphic viruses will scramble their internal code to remain undetected, and yet others create additional unnecessary bits of code internally to differentiate each copy from previous copies. Anti-virus scanners cannot possibly trace each instance of the virus because they all differ, so some will remain undetected while others are removed. These two viruses are quite dangerous, and although there are many different types, only these two will be described in detail. Several famous viruses have occurred since 1988 when Fred Cohen stumbled on the first of its kind, two of which will be discussed: the Friday the Thirteenth virus and the Michelangelo virus. The Friday the Thirteenth virus was discovered in the computer systems at Hebrew University in Jerusalem. The virus had been programmed to be activated on May 13, 1988, with a time bomb set to delete all files on all systems infected. The virus also included instructions to explode every Friday the thirteenth after May 13, 1988. May 13, 1988 was selected because it happened to be the fortieth anniversary of the last day of the existence of the nation of Palestine, as ruled by Great Britain under the Balfour Mandate. [SHA94] The Friday the Thirteenth virus was of the
type that attached itself to files, and in this case, it would attach itself to executable DOS files. Every time it propagated, it would grow the successive file by 1,800 bytes. Once an infected executable was launched via the DOS execution program, the virus would infect any other program run with that utility. One of the most famous viruses to date was the Michelangelo virus. This virus acquired its name because it was to be launched on March 6, 1992, Michelangelo's 517th birthday. The virus was accidentally shipped with a certain hardware vendor's PC software. Michelangelo was supposed to completely wipe the hard drive on any PC that was infected on what was being referred to by the media as Doomsday of the PC. [SHA94] At the conclusion of this disastrous day for PCs, there was minimal damage indeed. The benefit, however, was the incredible attention that was now being placed on this particular threat and network security as a whole. Viruses are indeed a serious threat to network security, but there are many others as well. Additional forms of malicious software, such as Trojan horses, worms, and logic bombs, exist as threats to network security. A Trojan horse is a software package that maintains the image of functionality, but in fact carries a hidden virus or time bomb or allows for intrusion. An example of the Trojan horse was the AIDS Information Introductory Disk, Version 2.0, that accompanied a periodical sold in Great Britain. The purpose of the software was to perform a risk assessment test on a person's personality and report their likelihood of contracting the AIDS virus. The program succeeded in its marketed task, but it also launched a virus. Another piece of harmful software is the worm, which differs from a virus in that a worm is itself an executing program while it performs its function.
Worms tend to travel networks, like the Internet, and are sophisticated enough to try different password combinations and to look for loopholes in programs that are running on the targeted system. They don't infect other programs, although they may carry a virus that does. [ALE96] Finally, logic bombs and time bombs are designed within an existing piece of software to be executed either as a result of a certain event occurring or at a particular time, respectively. For example, a software engineer developed a database for a company and was not certain that he was going to receive his due payment. When his doubts were confirmed, he telephoned the company and instructed them to open a particular file four times in a row. Upon doing so, the database erased all of the data within its tables. The time bomb would behave in a similar fashion, but at a specified time. These three programs are yet additional threats to the integrity of a secure network.
techniques can be implemented at the network software level. The proper combination of these methods will provide a good deal of protection against most of the sources that threaten network security. Physical Security is an initial concern when designing a secure network. The easiest and best means of protecting important machines like servers is to secure them under lock and key. Next, make sure to use wiring that is the least susceptible to eavesdropping and snooping. Copper wiring can be tapped with greater ease than other types of cable, and is thus more vulnerable. Fiber cabling is somewhat more secure and is recommended over copper. In either case, the cabling should be run such that it cannot easily be connected to without the network administrator's knowledge. These protective steps in the physical layer are not nearly enough to design a completely secure network, but they are certainly necessary and should be used in conjunction with the remaining preventative measures. The next step in taking precautionary measures against network security threats is to adhere to the following three fundamental axioms of network administration: Track the activities of [network] users and spot attempts to breach security. Restrict the access of each user to specific files and applications. [Finally,] identify and authenticate people who log into the [network]. [ALE96] The first two of these actions are relatively straightforward. Monitor the integrity of the network and ensure that all known attempts to compromise it are resolved. Additionally, thoroughly set file and directory permissions such that only those users who require access to particular files and directories will have rights or attributes to do so. The final step in administering a secure network is proper authentication. This issue deserves a little more discussion than the previous two.
Authentication is the process through which users gain access to local and remote machines on a network by identification and validation. For the most part, authentication involves the processing of a user id and password, and many networks require different passwords for each software package. One solution to the use of multiple passwords for different programs is the single sign-on solution, where each user is only required to remember one password and the remaining passwords are referenced from a database. This solution prevents the writing down of multiple passwords by users, which poses a natural threat to network security. Additionally, the use of single sign-on reduces network administration tasks, thus allowing more time to prevent breaches in network security. Another important item to remember is to disable a user's id and password when the user is no longer a part of the network. Finally, the password itself requires a certain amount of attention since it is the key with which many hackers open up doors to a network. When choosing a password, there are several guidelines for passwords that should not be used, including your name or any close variation of your name, a password of fewer than eight characters, your car make or serial number, your medicare number, your user ID, your bank account number, any part of your address, your initials, a date or time, a password that contains nothing but numbers or nothing but letters, or a word spelled backwards. [PFA97] In order to create a good password, it is recommended to take the first letter of each word in a phrase, including a number. A good example of this would be four score and seven years ago our forefathers, which would yield the
password: 4s&7yaof. Variations of capital and small letters further increase the strength of a password. Proper authentication is an integral part of the administrative step in securing a network. Firewalls are yet another measure used in increasing the level of security in a network. A firewall is in essence a portal through which information enters and exits. On one side of the portal is the internal network that must remain secure, and on the other is the information needed from the outside world combined with the undesirable threats of external networks. Here's how a firewall works. The White Knight rides up to the castle and yells out Hail to the King, or something equally friendly, and the watchguards lower the drawbridge. The knight reaches the other side of the drawbridge and the guards raise the gate. But then the guards make the White Knight get off his horse and take off his armor so that they can get a close look at him. For good measure, they also rummage through his bags for anything that looks out of place. [ALE96] Firewalls are added protection against unwanted intrusion. Three of the major types of firewalls, listed in order of increasing quality and price, are packet-filtering routers, application-level gateways, and circuit-level gateways. Although it is not the best available firewall, a positive step in increasing network security is the use of packet-filtering routers. A packet-filtering router allows the network to determine which connections can pass through the router into the local area network and which connections will be denied. The application-level gateway is designed specifically as a firewall that authenticates the user for individual applications. Its primary function is to identify and validate the user and then provide access to specific applications such as E-Mail or file browsers, depending on which one the user is requesting. Finally, a circuit-level gateway performs all of the packet-filtering that a router does and a bit more.
The primary enhancement is the use of identification and authentication before an insider can access your in-house network. That I&A can be based on remote users using a password generator, for example. [ALE96] There are still, however, holes in firewalls that can be exploited. It is the combination of many preventative techniques and network security strategies, which will be discussed later, that enables a network to be secure. Encryption is another method by which network security is heightened. An encrypted document can't be read by anyone who does not possess the key, or the formula that's used to translate the original text into ciphertext (the encrypted text). [PFA97] Two methods of encryption, Cryptext and Kerberos, are tools that can be used to increase network security by encrypting documents on the network. Cryptext is a 160-bit key encryption package that is virtually impossible to decipher. Most encryption tools use 40-bit keys because of strict United States laws that prohibit the export of software that uses encryption with keys greater than 40 bits. Kerberos was originally developed at MIT to secure its campus-wide network of computers. To simplify the Kerberos protocol significantly, each client on the network requesting access to an application or file server must first obtain a ticket from the Kerberos server. The ticket is provided to the client, but it is encrypted with the key that resides only on the application or file server. Additionally, a session key is included such that communication can exist between the client and the server. The client then takes the ticket combined with an authenticator,
which is a timestamp and certain other unique identifiers, and sends its request to the application server. The application server finally decrypts the ticket and returns yet another encrypted acceptance reply to the client, completing the Kerberos cycle. Both forms of encryption add an additional layer of security to the network. Several other miscellaneous techniques can be applied to enhance network security. Anti-virus software, such as McAfee's VirusScan, must be installed on any machine that is resident on the network. In addition, the files that the anti-virus software relies on must be updated periodically due to the constant development of new viruses. Another important technique for securing a network is disabling cookies in Internet browsers. Cookies are text files that Web servers write to your hard disk transparently, as technical people like to say, that is, without your knowing. These files are used to store information, such as preference choices, your user ID and password, or a list of the advertisements you have viewed. The next time you access the site, your browser uploads any cookies that this Web site might have left behind previously. [PFA97] Finally, networks that provide E-Mail should also require authentication with a software package such as PGP to prevent against E-Mail spoofing. These are the remainder of the techniques that are listed herein to secure against threats to a network, but this list is only a portion of the possible measures that can be taken to prevent against network security breaches. Used properly, and in combination, these techniques do provide a concrete foundation for a secure network.
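The password guidelines given earlier in this section (the [PFA97] list of what a password must not be, and the phrase-to-password rule that turns "four score and seven years ago our forefathers" into 4s&7yaof) can be turned into a check. The code below is an added example, not part of the original paper; the profile fields, the number-word mapping and the treatment of "close variation of your name" as any name token of three or more letters appearing forwards or backwards are assumptions.

```python
import re

# Assumption: number words become digits and "and" becomes "&", generalising the
# paper's single example "four score and seven years ago our forefathers" -> 4s&7yaof.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

# Matches things like 12/25/1998, 1998-12-25 or 14:30 (assumed date/time shapes).
DATE_OR_TIME = re.compile(r"^\d{1,4}[/:.-]\d{1,2}([/:.-]\d{1,4})?$")


def passphrase_to_password(phrase: str) -> str:
    """First letter of each word; number words become digits; 'and' becomes '&'."""
    parts = []
    for word in phrase.lower().split():
        if word == "and":
            parts.append("&")
        elif word in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[word])
        else:
            parts.append(word[0])
    return "".join(parts)


def password_violations(password: str, profile: dict, wordlist=()) -> list:
    """Return every [PFA97] guideline the candidate breaks (empty list = acceptable).

    profile is a constructed dict: name, user_id, initials, address, car, and a
    'numbers' sub-dict for medicare / bank account numbers.
    """
    p = password.lower()
    violations = []
    if len(password) < 8:
        violations.append("fewer than eight characters")
    if password.isdigit():
        violations.append("nothing but numbers")
    elif password.isalpha():
        violations.append("nothing but letters")
    if DATE_OR_TIME.match(password):
        violations.append("looks like a date or time")
    # Name, user ID, car, address: any token of 3+ characters, forwards or reversed,
    # counts as a "close variation" (assumption).
    personal = {"name": profile.get("name", ""), "user ID": profile.get("user_id", ""),
                "car make/serial": profile.get("car", ""), "address": profile.get("address", "")}
    for label, value in personal.items():
        for token in value.lower().split():
            if len(token) >= 3 and (token in p or token[::-1] in p):
                violations.append(f"contains part of {label}: {token}")
    for label, number in profile.get("numbers", {}).items():
        if number and number in password:
            violations.append(f"contains {label}")
    if profile.get("initials") and p == profile["initials"].lower():
        violations.append("is your initials")
    for word in wordlist:  # "a word spelled backwards", checked against a supplied list
        if p == word.lower()[::-1]:
            violations.append(f"is '{word}' spelled backwards")
    return violations


if __name__ == "__main__":
    user = {"name": "Paul Innella", "user_id": "pinnella", "initials": "pi",
            "address": "12 Main Street", "car": "Honda",
            "numbers": {"bank account": "55512345"}}  # constructed sample profile
    candidate = passphrase_to_password("four score and seven years ago our forefathers")
    print(candidate, password_violations(candidate, user, ["secret"]))
    print(password_violations("terces", user, ["secret"]))
```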
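The simplified Kerberos cycle described above (ticket from the Kerberos server sealed under the application server's key, session key handed to the client, authenticator with a timestamp, encrypted acceptance reply) as a runnable simulation with all three parties. This is an added example, not code from the paper or from MIT Kerberos: the `seal`/`unseal` toy cipher (SHA-256 keystream plus HMAC tag), the 5-minute clock-skew window, the replay cache and the principal names are assumptions, and the freshness and replay checks go slightly beyond the text to show what the authenticator's timestamp is for.

```python
import hashlib
import hmac
import json
import os


# Toy authenticated encryption, constructed for this example only (real Kerberos uses a
# proper block cipher). Output layout: nonce || ciphertext || HMAC tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    nonce = os.urandom(16)
    plain = json.dumps(obj).encode()
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Refuse anything not sealed under `key` (wrong key or tampering), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The Kerberos server: holds every principal's long-term key."""
    def __init__(self, keys: dict):
        self.keys = keys

    def ticket_request(self, client: str, server: str, now: int):
        session = os.urandom(32).hex()
        # The ticket is sealed under the *server's* key: the client can carry it but
        # cannot read or alter it.
        ticket = seal(self.keys[server],
                      {"client": client, "session": session, "expires": now + 8 * 3600})
        # The session key reaches the client under the client's own key.
        for_client = seal(self.keys[client], {"session": session, "server": server})
        return ticket, for_client


class AppServer:
    SKEW = 300  # seconds an authenticator timestamp may differ from server time (assumption)

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        t = unseal(self.key, ticket)                 # only this server can open the ticket
        if now > t["expires"]:
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["session"])
        a = unseal(session, authenticator)           # proves the client holds the session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["ts"]) > self.SKEW:
            raise ValueError("stale authenticator")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        # Encrypted acceptance reply: ts+1 shows the server could read the authenticator.
        return seal(session, {"ts": a["ts"] + 1})


def client_login(kdc: KDC, server: AppServer, client: str, client_key: bytes, now: int) -> bool:
    ticket, for_client = kdc.ticket_request(client, server.name, now)
    session = bytes.fromhex(unseal(client_key, for_client)["session"])
    authenticator = seal(session, {"client": client, "ts": now})
    reply = unseal(session, server.accept(ticket, authenticator, now))
    return reply["ts"] == now + 1


def _setup():
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}  # constructed principals
    return KDC(keys), AppServer("fileserver", keys["fileserver"]), keys["alice"]


def run_exchange(now: int = 1_000_000) -> bool:
    kdc, server, alice_key = _setup()
    return client_login(kdc, server, "alice", alice_key, now)


def stale_authenticator_rejected(now: int = 1_000_000) -> bool:
    """An authenticator captured an hour ago fails the freshness check."""
    kdc, server, alice_key = _setup()
    ticket, for_client = kdc.ticket_request("alice", "fileserver", now)
    session = bytes.fromhex(unseal(alice_key, for_client)["session"])
    old = seal(session, {"client": "alice", "ts": now - 3600})
    try:
        server.accept(ticket, old, now)
    except ValueError as e:
        return "stale" in str(e)
    return False


def forged_ticket_rejected(now: int = 1_000_000) -> bool:
    """Without the server's key, a client cannot mint a ticket the server will open."""
    kdc, server, alice_key = _setup()
    fake = seal(alice_key, {"client": "alice", "session": os.urandom(32).hex(),
                            "expires": now + 60})
    try:
        server.accept(fake, b"", now)
    except ValueError as e:
        return "tampered" in str(e)
    return False


if __name__ == "__main__":
    print(run_exchange(), stale_authenticator_rejected(), forged_ticket_rejected())
```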
notions are the foundation for the process of network security design that follows. In order to completely design and develop a secure network, it is recommended that the software process model be adhered to and simulated. Network security should be initiated at the beginning of the network design and development process and be managed throughout the life cycle. [SHA94] The three generic phases of the software engineering process are definition, development and maintenance. These stages can be further broken down into eight different steps that complete the software process model. The eight steps of the software process model will together form the framework for the creation of a secure network. These eight steps are system requirements, concept formulation, systems definition, engineering design, design verification, production and installation, operations, and retirement. Each of these phases will be described further, along with network security's role within each stage. The preliminary stage, the systems requirements phase, is necessary in developing the initial list of aims and intended outcomes arising from a defined necessity. In other words, the need for network security will be assessed and the result or effect of addressing that need predicted. This phase will be the initial persuasive stage for making the transition towards securing the network. The choice to be made here will be whether the need for an increased level of network security exists and is practical. The application of network security policies, procedures, and countermeasures should be driven by defined and quantifiable needs. [SHA94] Recognition of the need for network security and the definition of its intended effects lead to the next phase of concept formulation. During the concept formulation phase in the software engineering process, different methods of attaining the goals derived in the systems requirements phase are considered.
The positive and negative aspects of each of these plans of attack are then observed and noted. Furthermore, other options for these methods are equally debated. While designing and developing network security, this phase would entail an analysis of different network security solutions such as the OSI/ISO approach. Finally, a plan would have to be developed during this stage, dependent on which approach was chosen to provide security across the network. The strategy produced at this time would detail how the remaining phases would unfold. While the preceding two phases are occurring, another task, risk analysis, is simultaneously taking place. As with the software engineering process model, network security design and development requires proper risk analysis before the completion of the network security design. Performing a comprehensive risk analysis with technically qualified security engineers is the most important network security activity. [SHA94] Risk analysis is divided into three different stages of assessment composed of sensitivity assessment, risk assessment, and economic assessment. Sensitivity assessment attempts to perform those actions that are necessary to define the need used in the systems requirement phase. Essentially, the level of importance of the network data is determined and the need is based upon the results of that assessment. Risk assessment is the most significant activity of the overall risk analysis. It is used to define threats against a
network, vulnerability of the network, and the risk levels that result from the postulated exploitation of network vulnerabilities by the defined threats against the network. [SHA94] Certain simple questions help to facilitate the assessment of a network's susceptibility to a risk becoming a reality. Networks that do not have some sort of backup system are at risk, and those that do should back up every day. Another risk is not having a disaster recovery plan, anti-virus software, or access control software or hardware. Networks are more prone to risk if they do not adhere to the password practices that were outlined earlier. The lack of encryption is yet another risk for network security. Finally, economic assessment is the expected value of loss given that risks become a reality. Risk analysis is a necessary step that occurs during the initial phases of the process model, revealing important information that will be assimilated into the design of the secure network. The next phase in the process model for software engineering is systems definition. During this stage, actual system specifications are created detailing exactly the operation of the system. Tailored to meet the needs of developing a secure network, this phase would explain the behavior of the network in any foreseeable situation. It would further attempt to predict its actions in an unforeseeable scenario, using the information gathered from risk analysis. The outcome of this phase would be the choice to proceed or discontinue the network security development based upon the information gathered and the system specifications designed. Having decided to continue in the software engineering process, the next stage encountered is the engineering design phase. At this point, the specifications produced in the previous phase are used to develop a design that explains in great detail the means by which each of those specifications will be realized.
The engineering design, for example, would detail how the network would repel a hacker attempting an IP spoof by utilizing circuit-level gateways; this threat would have been described in the specifications from the systems definition phase. Depending on which paradigm of the software engineering model is in use, prototypes are developed at this phase. This phase is yet another essential stage in the overall development of a secure network. Before continuing to the next phase, the determination must be made as to whether or not the design should be transformed into a product. After the design has been completed, it must be substantiated in the design verification phase. This phase is essentially the period of testing, scrutinizing in particular the system's usability, security, and sustainability. Using the previous example of the hacker attempting an IP spoof, this stage would test the feasibility of that hacker circumventing the circuit-level gateway. At the conclusion of this phase, the decision must be made to discontinue the process or proceed and fully develop the designed secure network. The production and installation phase will facilitate the completion of the designed system, in this case the secure network's development. The fully verified secure network will have measured up to the standards detailed in the design. Additionally, the network will have been tested to see that it meets all of the goals laid out in the systems requirements phase. During this phase, the secure network is installed
and operational. Provided the previous phases were completed thoroughly and with due diligence, this phase will be the rewarding stage in which the design and development becomes a reality and security on the network is the result. Nevertheless, the process of securing a network is evolutionary, and thus the need for the following phase. The operations phase is considered the stage for management of the system, with the focus on discovering the need for improvement. During this phase, the network security will be challenged continuously to find loopholes. With this information, updates to the network are performed, and the process continues. Due to the increasing number of new threats to network security, this process must be continual and evolving as long as the network security system is still effective. Eventually, many systems reach the final stage of the process model, the retirement phase. Systems that can no longer gain anything from modification or enhancement of their design must be retired. The network, for example, that cannot be improved to prevent against external threats must likewise be retired. So concludes the process model for software engineering, and the model by which a secure network should be designed and developed. The process model for software engineering is sound and effective. The creation of a secure network emulates this process model in the hope of attaining an equally concrete method for the design and development of network security.
VIII. Summary
In summary, networks must be secure in order to prevent against threats to their integrity; otherwise the loss or misuse of information can be catastrophic. This paper set out to define the role of network security, and to explain further how to achieve that role with the help of certain fundamental software engineering precepts. This solution presents some of the basic tenets to fighting network security threats, but a vast assortment of alternative tools and methods were not discussed. The changing strategy for developing a secure network coincides with the creation of new threats; therefore, it is an evolutionary process constantly changing to meet new requirements. In conclusion, computers and software are a part of a world-wide network, no longer existing in limited constraints, making them more susceptible to information abuse and more in need of network security.
References
[ALE96] Alexander, Michael, The Underground Guide to Computer Security, Addison-Wesley Publishing Company, 1996.
[BAR96] Barrett, Daniel J., Bandits on the Information Superhighway, O'Reilly & Associates, Inc., 1996.
[COH95] Cohen, Frederick B., Protection and Security on the Information Superhighway, John Wiley & Sons, Inc., 1995.
[KRO92] Krol, Ed, The Whole Internet, O'Reilly & Associates, Inc., 1992.
[PFA97] Pfaffenberger, Bryan, Protect Your Privacy on the Internet, John Wiley & Sons, Inc., 1997.
[SHA94] Shaffer, Steven L., and Alan R. Simon, Network Security, Academic Press, 1994.
[STA95] Stallings, William, Internet Security Handbook, IDG Books Worldwide, Inc., 1995.
[UDE98] Udell, J., In Search of SSL Spidering, BYTE, February 1998, pp. 97-100.