Section 8.3. Networks | Computer Security Basics

8.3. Networks

This section defines the most important terms you'll encounter when reading about networks, and it provides a brief history of where networks came from. Because the goal of this chapter is to summarize a number of network issues relevant to security, not to provide a comprehensive description of networking as such, we're only touching on the major networking topics, without trying to be too rigorous or complete. There are a number of good books describing network concepts in much greater detail.

8.3.1. Network Terms

A network is a data communications system that allows a number of systems and devices to communicate with each other. Networks allow users to send and receive messages, and to access network services such as shared information and devices. A message is a generic name for a single unit of communication that's transmitted over a network. A message might actually be an electronic mail message, a file, a document, an image, or any other integral piece of information.

A PC or other system that is capable of processing information can be called a network node. A computer system that is accessed by a user working from a remote location is called a host, while the device by which a user connects to the host is called a terminal or remote terminal. In modern practice, most terminals are actually PCs that are running terminal emulation software. A PC that is connected to a network may thus be called either a host or a node, depending on the context. Generally speaking, a host is a PC or server, while a node is more of a generic term for any device or appliance that connects to the network, PCs and servers included.

At a very low level of message communication and routing, we can discuss network communications in two categories: connection-oriented and connectionless.

Connection-oriented communications are often compared to telephone communications. With a telephone call, you pick up the telephone, dial the number, establish that the person you want to talk to is there, carry on your conversation, say goodbye, and hang up. For the duration of your conversation, a dedicated connection called a circuit is established between you and the person you're talking to. No other conversations take place on the circuit until your conversation is complete, and you give up the circuit. In network terms, you establish a session an environment in which you can send and receive messages. Think of setting up a session as being the equivalent of establishing eye contact with someone you wish to communicate with before speaking. The two sides of the communication typically agree upon, or negotiate, the characteristics of the communication. With connection-oriented communications, the order of your messages is clear and predictable. The first sentence of your telephone conversation is immediately followed by the second. Connection-oriented communications are said to be reliable. Reliable means the network guarantees that it will deliver your data. It detects and reports any data that's missing, duplicated, or out of order.

In contrast, connectionless communications are often compared to U.S. mail communications. You compose a letter, write an address on the envelope, and put the letter in a mailbox. You don't need to establish that the person you're writing is available at the other end. Eventually, the letter will be left at its destination, and the recipient will open, read, and possibly respond to it. With this type of communication, the order of delivery can't be predicted. Two letters, placed in the same mailbox on the same day may be delivered on two different days. Even if they arrive together, there's no way to control which the recipient will open first. Connectionless communications are said to be unreliable. Unreliable means the network does not guarantee that it will deliver your data. There's no sure way of telling whether a message has been delivered, or whether data is missing, duplicated, or out of order. Typically, network software deals with the problem of unreliable communications by simply retransmitting a communication if it doesn't receive an acknowledgment after a certain amount of time.

Many networks use packet-switching technologies. With packet-switching networks, all communications traffic is broken into small blocks called packets. Each message may consist of many packets. Each packet has identifying information associated with it. At the sending end, a message is broken into individual packets, each of which is transmitted through the network as an individual entity. At the receiving end, the message is reassembled from its component packets. Using the identifying information associated with the packets, the message is then routed to its proper destination. With packet-switching technology, a computer connected to a network via a single telephone line could simultaneously hold many conversations over that channel.

Packet switching is the most popular network paradigm in use today, but the packets may not be identically sized. This complicates switching because buffers must be set to accommodate the largest packet anticipated. Asynchronous Transfer Mode uses cell-based switching. ATM cells are very small but contain uniform packets of 53 bytes in length. Five of these are for addressing and control; the other 47 are for data. The small cells allow all switching circuits to be optimized for the same length, greatly increasing throughput.

Multiple networks can connect to form interconnected networks known as internetworks. The Internet can be thought of as the ultimate network of interconnected networks. A common method of connecting networks is via a gatewaya system, or node, that's part of two networks. Communications from one network to another pass through the gateway that's attached to both of them. From a user's point of view, networks connected by gateways appear to be a single network.

There are many types of network configurations, called topologies. A topology is the way the nodes of a network are connected together. Examples of topologies are bus, ring, and star configurations. Interestingly, a logical topology of a bus, for example, may actually be implemented by running a single wire to each node from a central point or hub. This makes the physical topology a star. A logical ring may take the same shape of a physical star, as is the case with a technology such as token ring, or the topology may be an actual ring, as is the case with a fiber-optic technology such as FDDI.

8.3.1.1. Protocols and layers

Two systems or users who want to exchange messages must agree on a common protocol. A network protocol is a set of rules for how information is exchanged over a communications network. The protocol dictates the formats and the sequences of the messages passed between the sender and the receiver. It establishes the rules for sending and receiving messages and for handling errors. The protocol doesn't need to know the details of the hardware being used or the particular communications method.

The purpose of a protocol model is to provide a conceptual basis for describing how to communicate within a network in a way that's independent of the specific rules of the protocol that's being used.

The concept of layering is central to the development of a protocol suite or a protocol family. Layering divides the communications process into several, relatively independent component processes called layers. Each layer provides specific functions and communication with the layers above and beneath it. A protocol model specifies the general characteristics of each layer of services in a network protocol suite. The purpose of a protocol layer is to provide network services (i.e., to transmit and receive data) to the systems or users who are communicating in the layer above it. Within each layer, the two sides of the communication implement the protocols appropriate to the layer.

Examples of protocol suites are Open Systems Interconnection (OSI), TCP/IP, IBM's Systems Network Architecture (SNA), Xerox's Xerox Network System (XNS), Digital Equipment Corporation's DECnet and Digital Network Architecture (DNA), and Apple's AppleTalk. Of these, TCP/IP is the most popular, and OSI is the most theoretical. In fact, the OSI protocol model has become the reference model to which other protocols are compared. This greatly simplifies talking and writing about network layers, because any protocol or system can be spoken of by comparing and contrasting it to the OSI model. You can't get very deep into networking without speaking of OSI layers: WANs, MANs, and LANs.

Computer networks fall into three general categories:

WANs: Wide area networks are large-scale (sometimes called long-haul) networks that span a large geographic area, usually larger than a single city or metropolitan area. Worldwide military networks, public telephone networks, and large funds transfer networks, are examples of WANs. WAN systems are usually connected by leased, high-speed, long distance data circuits, typically using a packet-switched technology.
MANs: Metropolitan area networks are middle-sized networks that may serve an intermediate area such as a small city or a metropolitan area. MAN systems are usually connected by technologies such as coaxial cable or microwave.
LANs: Local area networks are networks that are optimized for a small- to moderate-sized geographic area. Although LANs are typically intended for use with a smaller population of users than WANs and MANs, some LANs can support 1,000 or more users. Office and department networks are examples of LANs. LANs often connect PC systems via technologies such as Ethernet cable or fiber optics. Usually LANs are broadcast networks. Instead of routing a message directly from one system to another, LANs typically broadcast messages to every system in the network. Although inherently any system can hear every transmission, by convention each system listens only for messages intended for it.

For completeness, there are a few more ANs that have entered the lexicon:

WLANs: Wireless local area networks are networks that roughly parallel LANs, except that the connection to the work area (the line to the end user) is a radio link, typically some form of IEEE 802.11.
CANs: Campus area networks are the enterprise networks that serve a number of related structures, as in a large company or a college campus.
BANs: Building area networks consist of the integrated cabling systems that comprise the building lifelines, for example, the wires connecting environmental systems, including heating, ventilation, and air conditioning (HVAC), surveillance and security (but not fire or life safety, which use an independent network). Telecommunications and network cabling is a possible target for assimilation into the BAN. Office towers would provide connectivity just at they now provide vertical transport (elevators and escalators) and hot and cold running water. In network security terms, a BAN must be highly secure lest an attacker quite literally shut down the building.
PANs: Personal area networks consist of the myriad of devices worn or carried by individuals that can interconnect, sometimes on an ad hoc basis or autonomously. Thus the pocket organizer that receives updates via Bluetooth when you walk near your desk is part of the PAN.

8.3.2. Some Network History

During the early days of computing, communications links connected central processors to remote terminals and other devices such as printers and remote job entry stations. This technology provided the basis for the first computer networks.

In the 1960s, there was a great expansion in the development of computers and the use of remote multiplexers and concentrators. These devices made network communication more economical by collecting all traffic from a set of peripheral devices in the same area and sending it on a single link to a central processor. Concurrently, special processors called frontends were developed to free the CPU from having to handle all communications functions. The challenge during these early days of communications was to figure out how to transmit information efficiently and reliably.

The late 1960s and early 1970s saw the establishment of the first large-scale, general-purpose data networks. The ARPANET network, funded by the Department of Defense Advanced Research Projects Agency (ARPA, now known as DARPA), connected geographically distributed military, university, and research computer systems. The ARPANET was the first wide-area network and the first to use packet-switching technology, which revolutionized computer communication. The original ARPANET allowed different host systems to communicate on the same network via a standard network control program.

In the 1970s, IBM and Xerox also introduced their first networksIBM's SNA and Xerox's XNS. Xerox PARC also introduced Ethernet packet-switching technology, which was standardized by Xerox, Digital Equipment Corporation, and Intel in 1978 as a network technology that allowed systems to communicate directly, without requiring the use of a central network authority. Ethernet was the first true local area network.

The present-day Internet began to take shape in the 1970s, when DARPA started converting machines to use the TCP/IP protocol suite. By 1983, TCP/IP had become the network standard for the ARPANET. TCP/IP allows systems on different networks to communicate. It's named for its two major protocolsTCP (Transmission Control Protocol) and IP (Internet Protocol). TCP/IP has become tremendously popular because it provides a way to connect systems based on different computers and communications equipment without being concerned about the details of their physical connections.

In the 1980s, IBM introduced the first PC local area network, and interest in the use of networks in small areas such as offices grew dramatically. The 1980s also saw the introduction of the Open Systems Interconnection Basic Reference Model, which is described in Appendix A.

Over the years, new communications technologies have developed, new network media have been introduced, and tremendous growth has occurred in the use of both wide area networks and local area networks. Today's network challenges include building workable network products based on standards such as OSI, developing standards for network security, and incorporating trusted system concepts and requirements into network implementations.

Hints for Network Security

Protect your physical cables. A vandal can disable a local area network or a part of a larger network by cutting a single wire.
Consider the use of conduit, even if it exceeds local fire or building codes. For the most security, seal the cables in plastic and fill the conduits with pressurized gas. If an intruder breaks through a pipe of this kind, a pressure sensor detects the drop in pressure and shuts off traffic or sounds a warning.
Lock all telecommunications rooms and wiring closets.
Provide extra physical security for any special systems on your network, for instance, a backup device or backup tape or disk library.
Use secure offsite storage for backups so that if anything happens to the main facility, a copy of the data will still be intact.
Provide firewalls and intrusion detection systems for protection both on the network perimeter and interior.
Use trusted network authentication and encryption products.

8.3.3. Network Media

In communications systems, electronic signals may be carried on any of the following types of network media: twisted pair cable, coaxial cable, fiber-optic cable, microwave, and satellite. Each has functional advantages and disadvantages, and each has security consequences. A network may combine several of these mediafor example, each building on a campus might be cabled with local Ethernet cable, but fiber may be used between buildings or floors of buildings. The guidelines in the previous sidebar, "Hints for Network Security," provide some general network security hints. Supplement these with specific rules for your own cabling and environment.

The entire collection of cables in your facility is generally referred to as the cable plant. Interior cabling generally follows a specific and logical architecture called a structured cabling system. Cabling between buildings is called outside plant, or OSP cabling. OSP follows a different set of rules dealing with rights of way, usage of poles, and depth of burial. Adhering to the appropriate codes and standards will almost always make your network more reliable, and in most cases it will be easier to secure, because unauthorized attachments will be easier to spot.

8.3.3.1. Twisted pair cable

Twisted pair is the type of cable used most often for telephone systems and for LANs. Twisted pair cable is the cheapest type of conventional cabling, but it's limited in distance and bandwidth (and thus in the number of communications it can carry on a single line). It's called twisted pair because it consists of two insulated wires twisted together. Twisting wires together allows them to mutually cancel out the creation of magnetic fields, which can rob energy and create a potential for eavesdropping. Twisting pairs also allows both halves of each circuit to experience noise and interference in the same way, simplifying filtering.

These days a single twisted pair cable is a rarity. In most cases, the pairs will be bundled into groups of four, and covered with a common sheath or jacket. Sometimes a shield is added to control electromagnetic emissions. There are security problems with twisted pair cable, because it's very easy to tap into a twisted pair communication. For this reason, wiring pathways and spaces should be locked where possible.

8.3.3.2. Coaxial cable

Coaxial cable was formerly used to connect network devices, although its current role is primarily for video, as a medium for cable modems, and as antenna leads on wireless access points. Coaxial cable is frequently made of copper and it's more expensive than twisted pair cable, and more resistant to electromagnetic interference. Like twisted pair, coaxial cable may be shielded to control emissions.

There are two techniques for transmitting a signal over a coaxial cable: baseband and broadband. With baseband, only a single channel is transmitted. With broadband, many channels, including video, voice, and data, can be carried simultaneously over greater distances. Coaxial cable has some of the same security problems as twisted pair; it's very easy to tap into a coaxial communication.

8.3.3.3. Fiber-optic cable

Fiber-optic cable carries signals as light waves rather than as electrical impulses. It offers many functional advantages (e.g., speed, longer distances, cost), and it provides far better security than other types of cable. For example:

Fiber is difficult to tap: Fiber-optic cable is a very difficult medium for intruders to tap because it's not electrical, and it doesn't radiate. It can't be tapped by induction devices or located by metal detectors. Any tampering with a fiber-optic network is readily detected, so it's difficult to insert a listening device in the cable.
Fiber is resistant to interference: Because fiber-optic cable is immune to electromagnetic interference (EMI) and radio frequency interference (RFI) and doesn't create its own electromagnetic interference, it's particularly appropriate in environments where such interference might be a problem (e.g., radar corridors, areas with heavy electrical equipment, or areas with equipment used to monitor critical data).
Fiber is resistant to hazards: Fiber-optic cable is the right choice in hazardous environments such as wet or corrosive areas, areas near high-voltage lines, and areas of frequent lightning or power surges.

8.3.3.4. Microwave

Microwave or wireless usually isn't an exclusive medium for a network. Instead, it's used in conjunction with other networksfor example, as a gateway between two LANs separated by some geographical distance (e.g., across a campus, a body of water, or a city). Microwave is less secure than fiber, coaxial, and twisted pair cable because communications can be intercepted through the air via an antenna. The only way to increase wireless security is to encode the transmissions; however, that adds a layer of complexity to the communications process. Unfortunately, the Wired Equivalency Protocol (WEP) or as some say, Wired Equivalent Privacy (WEP), security system that was originally issued for Wi-Fi can be cracked. An alternative, Wi-Fi Protected Access (WPA), is similar to Microsoft's Simple Secure Networking (SSN), which is built into the Windows XP operating system. WPA offers greatly improved security. Users who have Cisco equipment can use a technology called LEAP. The ultimate answerso farseems to be the IEEE 802.11i standard, which defines the Temporal Key Integrity Protocol (TKIP), and which is designed to accommodate the Advanced Encryption Standard.

An older kind of microwave system, called a fixed microwave system, provides longer paths for wireless links. Often these systems work as relays, with a signal taking several hops before reaching its eventual destination. These paths too are vulnerable to eavesdropping. Fixed microwave has been replaced in many applications by fiber optics, which offers greater bandwidth and easier maintenance.

Another microwave system, IEEE 802.16 (WiMAX) promises to offer wider range than 802.11. This system grew out of proposals for dispersed, localized low-power wireless cable TV systems, similar in topology to a cellular telephone network.

8.3.3.5. Satellite

Like microwave, satellite is often used with other networks to connect two distant points. Because of the delays implicit in satellite communication, satellite may be appropriate for certain types of computer communications (e.g., file transfers), but not for other types (e.g., terminal interactions). From a security point of view, satellite is not very secure. Like microwave communications, satellite communications can be intercepted through the air via an antenna. Nevertheless, satellite is increasing in importance in those areas that lack good wired infrastructure. As with microwave communications, encryption services can protect data if required, but at a cost of bandwidth or reduced speed.