Preface


In general parlance, the term TCP/IP refers to an entire suite of communications protocols that center around the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The emerging use of TCP/IP networking has led to a global system of interconnected hosts and networks that is commonly referred to as the Internet.[1] The Internet was created initially to help foster communications among government-sponsored research groups and grew steadily to include most educational institutions, commercial organizations, and government agencies.

During the last decade, the Internet has experienced a triumphant advance. Today, it is the world's largest computer network and has been doubling in size each year.[2] With this phenomenal growth rate, the Internet's size is increasing faster than any other network ever created, including even the public-switched telephone network (PSTN).[3] As such, the Internet is commonly seen as the basis and first incarnation of an information superhighway, or national information infrastructure (NII) as, for example, promoted by the U.S. government.

But in spite of this demanding role, the initial, research-oriented Internet and its communications protocols were designed for a more benign environment than now exists. It could, perhaps, best be described as a collegial environment, where users trusted one another and were interested in a free and open exchange of information. In this environment, the people on the Internet were the people who actually built the Internet. Later, when the Internet became more useful and reliable, these people were joined by others. With fewer common goals and more people, the Internet steadily drifted away from its original intent.

Today, the Internet environment is much less collegial and trustworthy. It contains all the dangerous situations, nasty people, and risks that one can find in society as a whole. Along with the well-intentioned and honest users of the Internet, there are always people who intentionally try to break into computer systems and networks connected to it. Consequently, the Internet is plagued with the kind of delinquents who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing off mailboxes, or sitting in the street honking their car horns. In this new environment, the openness of the Internet has turned out to be a double-edged sword. Since its very beginning, but especially since its opening to commercial and public use in the 1990s and its ongoing commercialization in the new millennium, the Internet has become a popular target to attack. The number of security breaches has in fact escalated more than in proportion to the growth of the Internet as a whole.

Many security problems with networks in general and the Internet in particular have received public attention, and the media have carried stories of high-profile malicious attacks by way of the Internet against government, business, and academic sites. Perhaps the first and most significant incident was the Internet Worm, launched by Robert T. Morris, Jr., on November 2, 1988 [1, 2]. The Internet Worm infected thousands of hosts connected to the Internet and served as a wake-up call for the Internet community. Since then, reports of network-based attacks, such as password sniffing, IP spoofing and sequence number guessing, session hijacking, flooding, and other distributed denial of service attacks, as well as exploitations of well-known design limitations and software bugs, have grown dramatically [3–5]. In addition, the use and wide deployment of executable content, such as that provided by Java applets and ActiveX controls, for example, have provided new possibilities to attack hosts and entire sites.[4]

The Internet Worm gained a lot of publicity and led to increased awareness of security issues on the Internet. In fact, the Computer Emergency Response Team (CERT)[5] that is operated by the Software Engineering Institute at Carnegie Mellon University was created in the aftermath of the Internet Worm, and other CERTs have been founded in many countries around the world.[6] Today, the CERT at Carnegie Mellon University serves as CERT coordination center (CERT/CC). The CERT/CC receives an average of three to four new computer security incident reports each day (and this number is not likely to decrease in the future). Taking further into account that many security incidents go unnoticed and unreported, the situation is scary, to say the least.

Many Internet breaches are publicized and attract the attention of the Internet community. For example, early in 1994, thousands of passwords were captured by sniffer programs that had been remotely installed on compromised hosts on various university networks connected to the Internet. At the end of the same year, IP spoofing, sequence number guessing, and TCP SYN flooding attacks were successfully combined by Kevin Mitnick to attack several computer centers, including, for example, the San Diego Supercomputer Center [6]. This story actually shocked the world when it became The New York Times headline news on January 23, 1995. In the second half of the 1990s, several forms of denial of service (DoS) attacks were launched, such as e-mail bombing and TCP SYN flooding. In February 2000, distributed denial of service (DDoS) attacks were successfully launched against some of the largest and most widely known Internet sites, such as Yahoo!, Amazon, eTrade, eBay, CNN, and ZDNet. A few months later, the ILOVEYOU virus (technically an e-mail worm written in VBScript) and a series of imitators shocked the world by successfully attacking the messaging infrastructures and intranet environments of leading companies and organizations throughout the world. These incidents showed that executable content, and in particular configuring computer systems so that such content is executed automatically, is one of the most dangerous things one can do from a security point of view.

Despite the fact that unscrupulous people make press headlines with various types of attacks, the vulnerabilities they exploit are usually well known. For example, security experts have warned against passwords transmitted in the clear since the very beginning of internetworking, and Robert T. Morris, Jr., described IP spoofing and sequence number attacks for BSD UNIX version 4.2 when he was with AT&T Bell Laboratories in 1985 [7, 8]. Also, the vulnerabilities that are exploited by DoS and DDoS attacks and the threats related to executable content are known and particularly well documented.
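The sequence number weakness mentioned above is easy to see in a simulation. The following Python block is an added example, not code from the book: it models a 4.2BSD-style initial sequence number (ISN) generator as Morris and Bellovin described it (the counter advances by a fixed amount per second and by half that amount per connection; the values 128 and 64 follow Bellovin's account and are assumptions of this simulation, not measurements of any live system), and contrasts it with a randomized generator in the style of RFC 6528. The keyed hash used for the randomized variant (HMAC-SHA256 instead of the MD5 the RFC specifies) and all addresses and ports are illustrative choices. The simulated "attack" only compares numbers; it sends no packets.

```python
"""Predictable vs. randomized TCP initial sequence numbers (ISNs).

Added example for the 1985 Morris / 1989 Bellovin observation: if a server
derives each new ISN from a counter that moves by a known amount, an attacker
who learns one ISN (by opening a legitimate connection) can predict the ISN the
server will use for the *next* connection and so complete a TCP handshake on
behalf of a forged source address without ever seeing the SYN/ACK.
"""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class Bsd42Isn:
    """4.2BSD-style generator (assumed constants: +128 per second, +64 per connection)."""

    PER_SECOND = 128
    PER_CONNECTION = 64

    def __init__(self, seed: int, clock: int = 0) -> None:
        self._value = seed & MASK32
        self._last_tick = clock

    def next_isn(self, clock: int, four_tuple: tuple) -> int:
        """ISN for a connection opened at time `clock` (seconds); the 4-tuple is ignored."""
        elapsed = clock - self._last_tick
        self._value = (self._value + elapsed * self.PER_SECOND) & MASK32
        self._last_tick = clock
        isn = self._value
        self._value = (self._value + self.PER_CONNECTION) & MASK32
        return isn


class Rfc6528Isn:
    """Randomized generator in the style of RFC 6528: ISN = M + F(4-tuple, secret).

    M is a clock in 4-microsecond ticks; F is a keyed hash over the connection's
    (src ip, src port, dst ip, dst port). HMAC-SHA256 stands in for the RFC's MD5.
    """

    def __init__(self, secret: bytes = b"") -> None:
        self._secret = secret or secrets.token_bytes(16)

    def next_isn(self, clock: int, four_tuple: tuple) -> int:
        m = (clock * 250_000) & MASK32  # seconds -> 4 us ticks
        digest = hmac.new(self._secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        return (m + f) & MASK32


def predict_next_isn(observed: int, elapsed_seconds: int) -> int:
    """Attacker's guess for the ISN of the next connection, opened `elapsed_seconds`
    after the observed one, assuming the 4.2BSD counter and no connections in between."""
    return (observed + Bsd42Isn.PER_CONNECTION
            + elapsed_seconds * Bsd42Isn.PER_SECOND) & MASK32


def spoofing_attempt(server_isn_fn, elapsed_seconds: int) -> bool:
    """One blind-spoofing attempt against a server using `server_isn_fn`.

    Step 1: the attacker connects from its real address and records the ISN.
    Step 2: `elapsed_seconds` later it sends a SYN with a forged (trusted) source.
    Step 3: it must ACK the server's SYN/ACK blindly, i.e. guess that ISN.
    Returns True if the guess matches the ISN the server actually chose.
    Addresses and ports below are illustrative (RFC 5737 documentation ranges).
    """
    probe = ("203.0.113.5", 40000, "192.0.2.10", 513)   # attacker's real address
    forged = ("192.0.2.20", 1023, "192.0.2.10", 513)    # trusted host being impersonated
    observed = server_isn_fn(0, probe)
    guessed = predict_next_isn(observed, elapsed_seconds)
    actual = server_isn_fn(elapsed_seconds, forged)
    return guessed == actual


if __name__ == "__main__":
    weak = Bsd42Isn(seed=0x1234_5678)
    strong = Rfc6528Isn()
    print("4.2BSD-style ISN, blind spoof succeeds:", spoofing_attempt(weak.next_isn, 3))
    print("RFC 6528-style ISN, blind spoof succeeds:", spoofing_attempt(strong.next_isn, 3))
```

Against the counter-based generator the guess is exact every time, because the only unknowns (seconds elapsed and number of intervening connections) are small and observable; against the keyed-hash generator the attacker faces a fresh 32-bit value per 4-tuple and the same guess fails. This is the reason modern stacks randomize ISNs, and why the 1994 attack described above still needed the sequence number to be predictable.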

Today, individuals, commercial organizations, and government agencies depend on the Internet for communications and research, and thus have much more to lose if their sites are successfully attacked. As a matter of fact, virtually everyone on the Internet is vulnerable, and the Internet's security problems are the center of attention, generating much fear throughout both the computer and communications industries. Concerns about security problems have already begun to chill the overheated expectations about the Internet's readiness for full commercial activity, possibly delaying or preventing it from becoming a mass medium for the NII, or even the global information infrastructure (GII).

Several studies have independently shown that many individuals and companies are abstaining from joining the Internet simply because of security concerns. At the same time, analysts are warning companies about the dangers of not being connected to the Internet. In this conflicting situation, almost everyone agrees that the Internet needs more and better security. In a workshop held by the Internet Architecture Board (IAB) in 1994, scaling and security were nominated as the two most important problem areas for the Internet architecture as a whole [9]. This has not changed and it is not likely that it will change in the foreseeable future. For example, in November and December 1996, Dan Farmer conducted a security survey of approximately 2,200 computing systems on the Internet.[7] What he found was indeed surprising: Almost two-thirds of the more interesting sites had some serious security problems that could have been exploited by determined attackers. Meanwhile, these numbers have been confirmed by many independent investigations about the security status of the Internet.

But security in general and Internet security in particular are vague terms that may mean various things to different people. Security is a property that cannot be proven in general. The best we can show is resistance against a certain set of attacks we know and with which we are familiar. Nothing can protect us against new types of attack we have not anticipated. For example, timing attacks, differential fault analysis (DFA), differential power analysis (DPA), and other side-channel attacks against hardware devices that are designed to securely store cryptographic keys have gained a lot of attention in the recent past. In this book, we are not going to give a formal definition of what exactly security is. Instead, we focus on technologies that are available today and that can be used to provide network security in terms of access control and communication security services. The assumption is that if a network is able to provide these services, there are at least some obstacles to overcome in order to successfully launch an attack. If the security services are well designed, properly implemented, and strictly enforced, the resulting obstacles are too big to be overcome by occasional intruders (they may still be negligibly small for professional attackers and intelligence agencies).

Obviously, the same technologies that are used to secure the Internet as a whole can also be used to secure parts of it. As the term "intranet" refers to a TCP/IP-based corporate or enterprise network, any book that focuses on TCP/IP and Internet security automatically addresses intranet security as well. As a matter of fact, the title "intranet security" better reflects the scope of any book on TCP/IP and Internet security, since it is usually not the Internet as a whole that must be protected, but only well-defined parts of it (these parts are usually an intranet or a set of interconnected but logically separated intranets). Consequently, Internet and Intranet Security has been chosen as a title for this book. This title reflects our interest in both standardized security technologies for the entire Internet, as well as security technologies that can be used and deployed within intranet environments. This title has remained valid for the second edition of the book.

In addition to Internet and Intranet Security, I have written several companion books for Artech House, including Authentication Systems for Secure Networks (1996), Security Technologies for the World Wide Web (2000), and Secure Messaging with PGP and S/MIME (2001). The latter two books have been published—along with this book—in Artech House's Computer Security Series.[8]

Internet and Intranet Security has been written to serve the needs of computer and network professionals who have an interest in understanding, establishing, and supporting secure TCP/IP-based networks. I also hope that this book provides sufficient background to help security professionals propose approaches to secure commercial applications for the Internet.

The book is tutorial in nature but still requires familiarity with the fundamentals of computer networks and distributed systems, as well as cryptography and the use of cryptographic protocols in networked and distributed systems. Many of the references cited throughout the book are tutorial and may be used to obtain additional background information. In particular, I recommend [10–13] for an introduction to computer networks and distributed systems. In regard to cryptography, I recommend [14–16], and in regard to the use of cryptographic protocols in networked and distributed environments, I recommend [17–20]. Historical notes can be found in [21–23]. A good source for contemporary information are various information pages offered on the World Wide Web (WWW) by companies actively working in the field, as well as the frequently asked questions (FAQs) periodically posted to the corresponding USENET newsgroups. Finally, [24] and [25] provide interesting considerations about computer and Internet security in general.

In short, Internet and Intranet Security introduces and discusses security technologies that are available today to provide Internet and Intranet security in terms of access control and communication security services. As such, it does not cover issues related to the security of the underlying operating systems. There are many books, mainly on computer security and hacking, that address issues related to (network) operating system security. Consequently, we do not review this area in the book.

Internet and Intranet Security is organized into four parts:

  • Part I, Fundamentals, introduces and briefly elaborates on the fundamentals that are necessary to read and understand the book.

  • Part II, Access Control, addresses technologies that can be used to provide access control services to corporate intranets connected either to other intranets or extranets, or to the Internet as a whole.

  • Part III, Communication Security, addresses technologies and security protocols that have been proposed, specified, implemented, and deployed for the network access, Internet, transport, and application layer of the Internet model.

  • Part IV, Discussion, concludes with final remarks and some selected topics.

Contrary to the first edition of this book, this second edition of Internet and Intranet Security no longer includes a glossary. This is because in May 2000, an Internet Security Glossary was published as informational RFC 2828 (or FYI 36, respectively) [26]. This document can be used as a reference for anyone working in the field. However, the second edition of Internet and Intranet Security still includes a list of abbreviations and acronyms. References are included at the end of each chapter. At the end of the book, an About the Author section is included to tell you a little bit about me. Finally, there is an index to help you find particular terms.

Internet and intranet security is such a fast-moving field that I have to reserve the right to be out of date or simply wrong. While time brings new technologies and outdates current technologies, I have attempted to focus on the fundamentals and conceptual approaches to provide Internet and intranet security. By the time this book is published, several of my comments will probably have moved from the future to the present, and from the present to the past.

Because of the nature of this book, it is also necessary to mention some company, product, and service names. It is, however, only fair to mention that the presence or absence of a specific name neither implies any criticism or endorsement, nor does it imply that the corresponding company, product, or service is necessarily the best one available. For a more comprehensive product overview, I recommend the annually published Computer Security Products Buyers Guide from the Computer Security Institute (CSI).[9] It provides a good and very comprehensive source for information about products that are commercially available.

Whenever possible, I have added uniform resource locators (URLs) as footnotes to the text. The URLs point to corresponding information pages provided in the WWW. While care has been taken to ensure that the URLs are valid now, unfortunately, due to the dynamic nature of the Web, I cannot guarantee that these URLs and their contents remain valid forever. In regard to these URLs, I apologize for any information page that may have been removed or replaced since the writing and publishing of this book. To make the problem less severe, I have not included very specific URLs that are likely to be removed or replaced soon.

I would like to take the opportunity to invite you as a reader of this book to let me know your opinions and thoughts. If you have something to correct or add, please let me know. If I have not expressed myself clearly, please let me know. I appreciate and sincerely welcome any comment or suggestion in order to update the book in the next edition. The best way to reach me is to send electronic mail to rolf.oppliger@esecurity.ch. You can also visit the book's Web home page at http://www.esecurity.ch/Books/iis2e.html. In the future, I will use this page to periodically post additional information and materials regarding the topic of the book (e.g., slides that can be used to teach courses or lectures with the book).

REFERENCES

  1. E. H. Spafford, "The Internet Worm: Crisis and Aftermath," Communications of the ACM, Vol. 32, 1989, pp. 678–688.

  2. J. A. Rochlis and M. W. Eichin, "With Microscope and Tweezers: The Worm from MIT's Perspective," Communications of the ACM, Vol. 32, 1989, pp. 689–703.

  3. P. J. Denning, Computers Under Attack: Intruders, Worms, and Viruses, ACM Press/Addison-Wesley, New York, 1990.

  4. P. G. Neumann, Computer-Related Risks, ACM Press/Addison-Wesley, New York, 1995.

  5. J. D. Howard, An Analysis of Security Incidents on the Internet 1989–1995, Ph.D. thesis, Carnegie Mellon University, April 1997.

  6. T. Shimomura with J. Markoff, Takedown, Hyperion, New York, 1996.

  7. R. T. Morris, A Weakness in the 4.2BSD UNIX TCP/IP Software, Computer Science Technical Report No. 117, AT&T Bell Laboratories, Murray Hill, NJ, February 1985.

  8. S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite," ACM Computer Communication Review, Vol. 19, No. 2, 1989, pp. 32–48.

  9. R. Braden, et al., "Report of the IAB Workshop on Security in the Internet Architecture (February 8–10, 1994)," Request for Comments 1636, June 1994.

  10. F. Halsall, Data Communications, Computer Networks and Open Systems, 4th Edition, Addison-Wesley, Reading, MA, 1996.

  11. A. S. Tanenbaum, Computer Networks, 3rd Edition, Prentice-Hall, Englewood Cliffs, NJ, 1998.

  12. D. E. Comer and R. E. Droms, Computer Networks and Internets, 2nd Edition, Prentice-Hall, Englewood Cliffs, NJ, 1998.

  13. D. Comer, Internetworking with TCP/IP: Vol. I: Principles, Protocols, and Architecture, 4th Edition, Prentice-Hall, Englewood Cliffs, NJ, 2000.

  14. D. Stinson, Cryptography Theory and Practice, CRC Press, Boca Raton, FL, 1995.

  15. B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, John Wiley & Sons, New York, 1996.

  16. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1996.

  17. M. Purser, Secure Data Networking, Artech House, Norwood, MA, 1993.

  18. W. Ford, Computer Communications Security: Principles, Standard Protocols and Techniques, Prentice Hall, Englewood Cliffs, NJ, 1994.

  19. C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, Prentice Hall, Englewood Cliffs, NJ, 1995.

  20. W. Stallings, Cryptography and Network Security, 2nd Edition, Prentice-Hall, Englewood Cliffs, NJ, 1998.

  21. D. Kahn, Seizing the Enigma, Houghton Mifflin, Boston, MA, 1991.

  22. D. Kahn, The Codebreakers, Revised Edition, Scribner, New York, 1996.

  23. S. Singh, The Code Book: The Secret History of Codes and Codebreaking, Fourth Estate, London, UK, 1999.

  24. B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, New York, 2000.

  25. R. Power, Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace, Que, Indianapolis, IN, 2000.

  26. R. Shirey, "Internet Security Glossary," Request for Comments 2828, May 2000.

[1]Note the definite article and the capital letter "I" in the term "Internet." More generally, the term "internet" is used to refer to any TCP/IP-based internetwork.

[2]K. G. Coffman and A. M. Odlyzko, "Internet Growth: Is There a ‘Moore's Law’ for Data Traffic?" to be published.

[3]Only mobile networks experience similar growth rates.

[4]Visit the home page of DigiCrime at URL http://www.digicrime.com to convince yourself that executable content is, in fact, dangerous.

[5]http://www.cert.org

[6]Most of these CERTs are members of the Forum of Incident Response and Security Teams (FIRST).

[7]http://www.fish.com/survey/

[8]Refer to http://www.esecurity.ch/serieseditor for an overview about the Artech House Computer Security Series and the scheduled and available books published in the series.

[9]http://www.gocsi.com




Internet and Intranet Security, 2nd Edition. Artech House, 2002. ISBN 1580531660.