Section 8.4. Network Security

8.4. Network Security

In the early days of networks, a network administrator usually had tight control over whether a system could connect to another remote system. These days, with the proliferation of interconnected networks and easy remote access and resource sharing, it's often impossible to identifynever mind to trustall of the points of access to a system.

There are a number of different strategies for accomplishing security in a network environment. The choice of which and how many strategies to use depends largely on the type and scope of the network, the level of trust that can be placed in the users, and the value of the data that's being transmitted.

Network Security Standards

Several standards are important to network security:

The Institute of Electrical and Electronic Engineers (IEEE) has developed a set of standards, called 802 standards, primarily for local area networks; some of these standards, such as those used for wireless, are still in the proposal stage and have not yet been published as final standards. Others have been through extensive modification, with additions being noted as letters at the end of the standard's name. For instance, the standard for transmission of power over the cables used to connect devices by Ethernet (Power over Ethernet, or PoE) has the name IEEE 802.3af.

The early 802 standards, which include 802.1 through 802.10, basically address the lowest two layers of the OSI model. 802.10 is a standard for interoperable LAN security, known as SILS, which is oriented to the exchange of data in multivendor networks.

The X.400 standards developed by ISO and CCITT (Comité Consultatif Internationale Telegraphique et Telephonique, today called International Telecommunications UnionTelecommunications division, or ITU-T) are OSI-oriented protocols for message handling (for example, in electronic mail systems). They include standards for secure messaging.

The X.500 standards developed by ISO and CCITT are standards for naming. They allow users and programmers to identify an object (e.g., a file, a disk, etc.) without knowing the location of the object in a network or the path required to reach it. X.500 includes standards for authentication and secure naming. Most current authentication services depend on a system of parameters defined in the X.500.

The X.500 standard is such a comprehensive system that in most cases an X.500 directory is usually accessed using a streamlined tool called Lightweight Directory Access Protocol.

Most network security mandated by government projects follows a series of standards found in a series of publications called the Federal Information Processing Standards.

8.4.1. Access Control Methods

An interesting problem with security is that not only must information be protected from outsiders, it must sometimes be protected from insiders as well. For instance, patient information in a doctor's office can be accessed by medical staff, and in fact in an emergency should be readily available. However, vendors who visit the office must not be allowed to see it, nor should cleaners or facility maintenance personnel. Keeping information stratified inside an organization is a form of access control. Various methods that control access to network environments are described in the following sections.

8.4.1.1. Discretionary access control

In an operating system, discretionary access control (DAC) can be used to restrict file access to certain users or groups. In a network environment, DAC may restrict access to certain remote users and/or systems. A particular network service might be available only to a certain group, which might be defined in a network environment as a particular Internet address (e.g., all the users of a particular system in the network).

8.4.1.2. Role-based access control

In many cases, it is not so much the person as their position in the organization that determines whether or not they should have access to a given record or file. Engineers rarely need access to payroll data. They would likely look up coworkers' salaries, get jealous or gloat, and perhaps post the information on the Internet somewhere. Accountants rarely require access to the wind-tunnel test data of the secret new fighter aircraft. It might not mean much to them, and they may try to correct minor math errors they may come across. (On the other hand, this can be an advantage. One very sensitive national defense project was discovered to be flawed when the calculations regarding thrust of a rocket engine were found to contain an incorrect formula. The engineers did not detect their error mathematically; it first showed up when a computer artist modeled the burn on PC and the graphic results changed unexpectedly at the point where the formula was flawed.) To separate information by department rather than by person is called role-based access control.

8.4.1.3. Mandatory access control

Every system in a trusted network must label its data with security attributes (e.g., sensitivity labels, information labels, login IDs, etc.). This way, the sensitivity of the data will be recognized if the data is sent to another system. Because different networks support different security policies, these labels are not necessarily in the same format.

In certain types of secure networks, each system may effectively have a label. Mandatory access control keeps TOP SECRET data, for example, from being sent over the network to a system labeled as SECRET. It is actually quite challenging to insure that no TOP SECRET documents are read by persons with only SECRET clearance, a condition called read down. Similarly, it must be made impossible for persons with SECRET clearance to save documents with a TOP SECRET classification (write up).

8.4.2. Auditing

In a network environment, additional networking events must be audited on both sides of the network connection. Examples include establishing or dropping a network connection, security violations such as lost or misrouted data, and failure of a network component.

8.4.3. Perimeters and Gateways

The simplest way to protect a network from access by unauthorized users is to keep that network physically securefor example, to provide physical protection of all internal network switches and connections, no telephone connections, and no network cabling to the outside world. As mentioned previously, such a system can be nicknamed as an airwall, because there is a effectual gap between external elements and internal elements. But with trends toward wider communication, most organizations will at least occasionally have to communicate with outside systems and networks. Communication between trusted and untrusted networks must have very clear rules associated with it.

A trusted local area network can be thought of as being inside a security perimeter. Inside the perimeter, access controls and other security features determine who can access what information. For example, in a trusted system supporting multilevel military security, some users are cleared to access TOP SECRET data, others only SECRET, CONFIDENTIAL, or UNCLASSIFIED data. In a fairly simple network environment, all information originating outside the trusted network might be treated at a single sensitivity level. In such an environment, a gateway system, known as a firewall, or a firewall computer if it is built out of a PC with two network cards, might separate the trusted system or network from the untrusted systems or networks outside it. Untrusted systems can communicate with trusted systems only through a single communications channel controlled by a trusted gateway. The gateway controls traffic from both inside and outside the network and effectively isolates the trusted network from the outside world. Because the firewall protects the other machines within the perimeter, security can be concentrated on the firewall.

In the simplest case, where everything inside the perimeter is trusted and everything outside is untrusted, the gateway system labels and filters data. When information is imported into a trusted system from an untrusted system, the gateway system puts a sensitivity label (usually "UNCLASSIFIED") on this data. When information is exported from a trusted system to an untrusted system, the gateway system filters that information by exporting only data that the untrusted system is allowed to process (usually UNCLASSIFIED data). If multilevel security is supported, more complex network solutions are required to regulate access to the different security levels, as described in the next section.

8.4.4. Security in Heterogeneous Environments

More and more modern networks are attempting to serve heterogeneous computing environments. Networks must have facilities for supporting a whole range of security environments, corresponding to the host systems they serve.

Using a trusted gateway to partition trusted networks from untrusted networks, as described in the previous section, works only if communications from outside the trusted network can be treated at a single level of security. In more complex environments supporting multilevel communications, more complex solutions are needed.

On the trusted network side, a system must make decisions about requests originating outside the trusted network. It must regulate which information remote users are cleared to access, and it must control which system services remote users are granted. In standard networks, in which the security attributes of the remote user aren't transmitted, the local system doesn't have sufficient information to make access decisions. This can lead to major security problems. For example, if a trusted network server on the trusted network side processes requests on behalf of an untrusted remote user, the security of the whole system is at risk.

There must be some way to propagate to the local process (the process on the trusted network side) the security attributes of the remote user (the process on the untrusted network side). This isn't as simple as sending a "TOP SECRET" label, for example, from one side to the other. Even if a user is cleared for TOP SECRET information on one system, he's not necessarily given the same courtesy when he accesses another system. Each system in the network must be able to compare the attributes of the process performing an operation with those of the file or other object on which the operation is performed, and make access decisions that are appropriate to the local system's security policy. To do otherwise invites incredible risk, especially in this day when snippets of code are passed readily between computers for execution.

8.4.5. Encrypted Communications

Encryption, a process that transforms information into another form that cannot be read by unauthorized users, is a very important part of network security. Because information is so vulnerable to attack when it's being transmitted over a network, encryption offers a strong assurance that even if the information is intercepted, it won't be comprehensible. (See Chapter 7 for a detailed description of encryption.)

In addition to protecting the secrecy of messages transmitted over a network by transforming them into data that appears to be unintelligible, encryption can also ensure the integrity and authenticity of those messages. Message authentication provides a critical network security tool; it ensures that a message was received in exactly the form sent. At the sending end, the encryption process appends a message authentication code to the encrypted message. At the receiving end, the decryption process independently calculates a message authentication code and compares it with the code sent with the message. If the two are identical, the message was sent and received accurately.

A digital signature is another network security tool that provides electronic evidence that you, and only you, sent a signed message. Because the message incorporates a secret key that only you possess, it can't be forged. It's an immutable proof that you sent a message.

A message that's proved to be authentic by an outside authority, sometimes called a notary, is said to be arbitrated. As with a traditional notary, who provides independent evidence that someone is who she claims to be, a digital notary attests that a message is genuine. The notary may also provide proof that the message was sent and received at a particular, recorded point in time. This keeps the message from being repudiated by the sender and/or the receiver later on.

There are two communications levels at which encryption can be performed, each with different implications for network security: end-to-end encryption and link encryption.

8.4.5.1. End-to-end encryption

With end-to-end encryption (sometimes called off-line encryption), a message is encrypted when it's transmitted and decrypted when it's received. The network may not even need to be aware that the message is encrypted. This type of encryption sometimes may be selected as an option by the user. The message remains encrypted through the entire communications process, from start to finish, as shown in Figure 8-1. See "End-to-End and Link Encryption" in Chapter 7 for more information.

Figure 8-1. End-to-end encryption

8.4.5.2. Link encryption

With link encryption (sometimes called online encryption), a message is encrypted when it is transmitted, but is decrypted and then encrypted again each time it passes through a network communications node. The message may therefore be encrypted, decrypted, and reencrypted a number of times during the communications process, and the message is exposed within each node, as shown in Figure 8-2. With link encryption, the encryption is performed just before the message is physically transmitted. Encryption is typically invisible to the user; it is simply part of the transmission process. See "End-to-End and Link Encryption" in Chapter 7 for more information

Figure 8-2. Link encryption

8.4.6. Through the Tunnel

One popular technique of encrypting traffic as it travels over a link is called tunneling. As mentioned previously, one of the problems with encrypting a link is that the headers and trailers of each packet, which are the points in the packet where the addressing occurs, have to remain in the clear. This may reveal as much information as if the packet itself was open. (Encoded messages to the enemy's Weapons of Mass Destruction department must always be looked at carefully.)

To encrypt the addresses requires that the network be secured in its entirety, drastically increasing expenses. At the very least it requires a system of leased lines, to which no unauthorized parties have access. Maintaining such a network can also be quite expensive, and it doesn't truly guarantee that the lines are not monitored by spies, only that they are not supposed to be. In addition, the cost of such networks may vary by the mile or by the amount of capacity used. This means that the more you use your network, the more costly it can become. In other words, it is difficult to scale a network that consists of many dedicated circuits.

Tunneling is the basis of a host of secure technologies. To create a tunnel, packets are placed in a wrapper, which contains the network addressing information. While the wrapper is in place, it handles the navigation through the network. The actual packets are securely encoded inside the wrapper. Once the wrapper carries the packet across the uncontrolled network, the wrapper can be taken off, and the packet decrypted so that its address can be interpreted normally within the secure domain.

Tunnels are the basis of virtual private networking (VPN). Basically, a VPN is a private network that uses a public network, often the Internet, to connect remote users and sites together. Because the network behaves as if it was under private control even though it is not, it is called a virtual private network. A VPN uses virtual, non-physical connections that are routed through a public network or the Internet to tunnel packets from the company's private network to the remote site. This means that the user can obtain the utility of dedicated links without having to maintain all those links.

8.4.6.1. VPNs for remote access

VPNs have grown in popularity because they support remote access service. In recent years, many organizations have increased the mobility of their workers by allowing more employees to telecommute. Employees also continue to travel and face an increasing need to stay "plugged in" to the company network. Leased lines don't support mobile workers well because the lines fail to extend to people's homes or their travel destinations. Companies that don't use VPNs must resort to implementing specialized "secure dial-up" services. To log in to a dial-up intranet, a remote worker must call into a company's remote access server using either a toll-free number or a local number. The overhead of maintaining such a system internally, coupled with the possibility of high long distance charges incurred by travelers, make use of VPNs instead an appealing option here.

Figure 8-3 illustrates a VPN remote access solution. A remote node (client) wanting to log into the company VPN calls into a local server connected to the public network. The VPN client establishes a connection to the VPN server maintained at the company site. Once the connection has been established, the remote client can communicate with the company network just as securely over the public network as if it resided on the internal LAN itself.

Figure 8-3. VPN Remote Access Architecture

8.4.6.2. VPNs for internetworking

A simple extension of the VPN remote access architecture allows an entire remote network (rather than just a single remote client) to join the local network. Rather than a client-server connection, a server-server VPN connection joins two networks to form an extended intranet or extranet.

8.4.6.3. VPNs inside the firewall

Intranets can also use VPN technology to implement controlled access to individual subnets on the private network. In this mode, VPN clients connect to a VPN server that acts as a gateway to computers behind it on the subnet. Note that this type of VPN use does not involve an ISP or public network cabling. However, it does take advantage of the security features and convenience of VPN technology.

8.4.6.4. VPN tunneling protocols

Several interesting network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols are listed next. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP): Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. Security has improved over the years.
Layer Two Tunneling Protocol (L2TP): The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, its best features were combined with PPTP to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI modelthus the origin of its name. Refer to Appendix A for more information on the OSI mode.
Internet Protocol Security (IPSec): Internet Protocol Security (IPSec) is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can be used simply as the encryption scheme within L2TP or PPTP. IPSec exists at the network layer (Layer Three) in OSI. IPSec is covered more fully in a later section.

8.4.7. Network Security Tasks

Providing a secure connection between sender and receiver is a technical challenge. It is divided into several subtechnologies that are described in the following sections.

8.4.7.1. Communications integrity

Communications integrity services ensure that network communications are transmitted accurately. This means that messages aren't forged, modified during transmission, or repudiated by either the sender or the receiver of the messages. (See Table 8-1.)

Table 8-1. Communications integrity services
Service	Meaning
Authentication	Proves the identity of the user and system sending a message. Ensures that unauthorized users can't pretend to be another (called a masquerade). Authentication also ensures that an unauthorized user can't record and then resend a previously sent message (called a playback or a replay attack). Network security techniques: encryption, passwords, digital signature, timestamp on message.
Communications field integrity	Protects the accuracy and integrity of the message. Ensures that the message, including specific message fields (such as the protocol header used for routing) are not changed (via message stream modification)either deliberately or accidentally.
Nonrepudiation	Proves that a message has been sent and received. Ensures that the sender can't deny that he sent the message, and that the recipient can't deny that he received it.

8.4.7.2. Denial of service

Denial of service services are designed to ensure that the network keeps working and that all services needed by users are fully available. This means that the network supports good system administration and that there are methods for keeping threats such as message flooding and worms out of the network. (See Table 8-2.)

Table 8-2. Denial of service services
Service	Meaning
Continuity of operations	Keeps the network working efficiently, even if components fail or the network is attacked. Network security techniques: redundant or fault-tolerant systems and devices, ability to reconfigure network in an emergency.
Protocol-based protection	Detects network problems (e.g., slowdown in transmission) using existing protocol services. Network security techniques: measurement of transmission rates between systems (compare with minimum) and waiting time for responses (compare with threshold).
Network management	Monitors overall network performance to detect network attacks (e.g., message flooding, replays), failures (e.g., message overload, noise), or inequities (some users or processes having a processing advantage over others). Network security techniques: restriction of resources via network administration (e.g., limited CPU time, number of jobs, number of disks and tapes, number of files, file size).

8.4.7.3. Compromise protection

Compromise protection services are designed to keep information transmitted over the network a secret from those not authorized to access it. This means that the network provides methods for keeping intruders out of the networkboth physically and remotely. (See Table 8-3.)

Table 8-3. Compromise protection services
Service	Meaning
Data confidentiality	Protects data from being intercepted by unauthorized users during transmission. Network security techniques: physical protection of cabling, access controls.
Traffic flow confidentiality	Protects data characteristics (e.g., message length, frequency, destination) from being analyzed by an intruder (called traffic analysis). Such an analysis might allow an observer to infer information; a classic example is that a pattern of messages between a general and troops in the field could predict that the troops are about to launch an attack. Network security techniques: covert channel analysis, padding messages (to disguise their actual characteristics), sending noise or spurious messages.
Selective routing	Avoids particular threats to data by routing messages to avoid certain networks or systems (e.g., systems in certain countries or certain suspicious network nodes). Network security techniques: network configuration, periodic deletion or modification of messages.

8.4.8. Securing Communications

To sum up, you need to provide data privacy, authenticity, integrity, and protection against replay attacks for network traffic whether communications are between a client and a server, between two servers, or between two clients. You also need to provide protection when clients access the network remotely, in case you do not want to use a VPN. PPTP and L2TP can provide the security that you need for remote access. The technique discussed next, IPSec, is not designed to be used for VPN remote access.

8.4.8.1. Internet Protocol Security (IPSec)

To secure communications over the Internet, which is an open network, requires some additional tools. Internet Protocol Security (IPSec) can provide security across public networks or private networks that you may lease but do not control or for which you cannot guarantee physical security.

IPSec was designed by the Internet Engineering Task Force. It defines IP packet formats and related infrastructure to provide end-to-end strong authentication, integrity, antireplay, and if you add an encryption layer, message confidentiality for traffic on networks.

An automatic key management service, using the IETF-defined Internet Key Exchange (IKE) based on RFC 2409, can be integrated into the connection. Using IKE provides Kerberos authentication, public/private key signatures, and passwords to establish authenticity and to establish trusted communications between computers. The latter two technologies have been discussed earlier. Kerberos will be detailed in the next section.

Once two communicating computers have authenticated each other, they use computer algorithms to generate encryption keys that are known only to the two computers. This allows them to protect the data against modification or interpretation by attackers who may be lurking in the network. The generated keys are created in bulk, because they are automatically refreshed according to IPSec policy settings defined by the administrator, and only a true communications partner would have the correct next key. Making sure both computers start from the same position is the task of the IKE, which insures that the type and strength of keys to use for authentication, and which type of security should be applied to the application traffic being communicated, are the same at each end of the link.

8.4.9. Kerberos

Kerberos is an authentication system for open systems and networks. Developed by Project Athena at the Massachusetts Institute of Technology, Kerberos can be added to any existing network protocol. Historically, Kerberos has been used with Unix-oriented protocols such as Sun's Network File System and in the exchange of certificates. Kerberos uses an encryption system based on the Data Encryption Standard (described in Chapter 7). Each user has a private authentication key.

How does Kerberos work? Like its namesake, the many-headed dog who guards the entrance to the underworld, Kerberos guards the data transmitted between machines that communicate over the network. Kerberos uses cryptographic keys known as tickets to protect the security of the messages you send to the systemand the messages the system sends back to you. Kerberos never transmits passwords, even in encrypted form, on the network. Passwords reside only in a highly secure machine called a key server. Kerberos performs authentication both when you log into the system and when you request any type of network service (e.g., a printer or a mail system).

The Kerberos authentication sequence works like this:

When you log in, you enter your login name. The login process sends your login name to the Kerberos key distribution service, which returns the following to you:
- An encrypted session keya temporary key you use to communicate with the Kerberos ticket granting service (described later).
- An encrypted ticket for the Kerberos ticket granting service.
You enter your password. The login process uses your password as a private key to decrypt the session key and the ticket sent to you by the key distribution service. If the decryption works, you're authenticated.
When you request a network service (e.g., mail), the system sends your temporary session key and your ticket granting ticket to the Kerberos ticket granting service. Each service has its own password. The ticket granting service returns a temporary key and a ticket for use with the service. The system uses your session key to decrypt the key and the ticket.
To make the connection to the service, the system sends the service your session key, your temporary service key, and your service ticket. If the server can decrypt the request sent to it, you're allowed to use the service.