Chapter 1: Introduction


As mentioned in the Preface, this book assumes that the reader is familiar with the fundamentals of computer networks and distributed systems in general, and TCP/IP networking in particular. You may refer to [1 “4] for a comprehensive introduction, or Chapter 2 of [5] for a corresponding summary. Against this background, we overview the scope of the book in this chapter. In particular, we introduce the Internet and the World Wide Web (WWW) in Sections 1.1 and 1.2, distinguish between vulnerabilities, threats, and countermeasures in Section 1.3, and introduce a generic security model in Section 1.4.

1.1    Internet

The emerging use of TCP/IP networking has led to a global system of interconnected hosts and networks that is commonly referred to as the Internet. [1] The Internet was created initially to help foster communications among government-sponsored researchers and grew steadily to include educational institutions, government agencies, and commercial organizations. In fact, the Internet has experienced a triumphant advance during the past decade . Today, it is the world s largest computer network and has been doubling in size each year. With this phenomenal growth rate, the Internet s size is increasing faster than any other network ever created, including even the public-switched telephone network (PSTN). [2] Early in 1998, more than 2 million Web servers and more than 30 million computer systems were connected to the Internet [6] and these numbers have steadily increased meanwhile. Consequently, the Internet is may be seen as the basis and first incarnation of an information superhighway, or national information infrastructure (NII) as, for example, promoted by the U.S. government. [3]

But in spite of its exacting role, the initial, research-oriented Internet and its TCP/IP communications protocol suite were designed for a more benign environment than now exists. It could, perhaps, best be described as a collegial environment, where the users trusted each other and were interested in a free and open exchange of information. In this environment, the people on the Internet were the people who actually built the Internet. Later on, when the Internet became more useful and reliable, these people were joined by others with different ethical interests and behaviors. With fewer common goals and more people, the Internet steadily twisted away from its original intent.

Today, the Internet environment is much less collegial and trustworthy. It contains all the dangerous situations, nasty people, and risks that one can find in society as a whole. Along with the well-intentioned and honest users of the Internet, there are also people who intentionally try to break into computer systems connected to it. Consequently, the Internet is plagued with the kind of delinquents who enjoy the electronic equivalent of writing on other people s walls with spray paint, tearing off mailboxes, or hanging around in the streets annoying the neighborhood. In this environment, the openness of the Internet has turned out to be a double-edged sword. Since its very beginning, but especially since its opening in the 1990s and its ongoing commercialization, the Internet has become a popular target to attack. The number of security breaches has in fact escalated faster than the growth of the Internet as a whole. [4]

Security problems on the Internet receive public attention, and the media carry stories of high-profile malicious attacks via the Internet against government, business, and academic sites. Perhaps the first and still most significant incident was the Internet Worm, launched by Robert T. Morris, Jr. on November 2, 1988 [7, 8]. The Internet Worm flooded thousands of hosts connected to the Internet and woke up the Internet community accordingly . It gained a lot of publicity and led to increased awareness of security issues on the Internet. In fact, the computer emergency response team (CERT [5] ) that is operated by the Software Engineering Institute at Carnegie Mellon University was created in the aftermath of the Internet Worm, and other CERTs have been founded in various countries around the world. [6] Today, the CERT at Carnegie Mellon University serves as the CERT Coordination Center (CERT/CC) for the Internet community.

Since the Internet Worm incident, reports of network-based attacks, such as password sniffing, IP spoofing, sequence number guessing, session hijacking, flooding, and other denial-of-service (DOS) attacks, as well as exploitations of well-known bugs and design limitations, have grown dramatically [9 “11]. In addition, the use and wide deployment of executable content, such as provided by Java applets and ActiveX controls, has provided new possibilities to attack hosts or entire sites. [7]

Many Internet breaches are publicized and attract the attention of the Internet community, while numerous incidents go unnoticed. For example, early in 1994, thousands of passwords were captured by sniffer programs that had been remotely installed on compromised hosts on various university networks connected to the Internet. At the end of the same year, sequence number guessing attacks were successfully launched by Kevin Mitnick against several computing centers, including Tsutomu Shimomura s San Diego Center for Supercomputing [12]. This story actually shocked the world when it became The New York Times headline news on January 23, 1995. In 1996, several forms of DOS attacks were launched, such as e-mail bombing and TCP SYN flooding [13]. Also late in 1996, Dan Farmer conducted a security survey of approximately 2,200 computing systems on the Internet. [8] What he found was indeed surprising: almost two- thirds of the more interesting Internet or Web sites had serious security problems that could have been exploited by determined attackers .

Several Web sites of large companies and federal offices have been vandalized, and Webjacking has become a popular activity for casual Internet hackers. [9] More recently, macro viruses and distributed denial of service (DDoS) attacks have troubled the Internet community considerably. The trend to more and highly automated attacks is likely to continue in the future.

In spite of the fact that unscrupulous people make press headlines with various types of attacks, the vulnerabilities they exploit are usually well known. For example, security experts warned against passwords transmitted in cleartext at the very beginning of (inter)networking, and Robert T. Morris, Jr., described sequence number guessing attacks for BSD UNIX version 4.2 when he was with AT&T Bell Laboratories in 1985 [14, 15]. Some of the problems related to Internet security are a result of inherent vulnerabilities in the TCP/IP protocols and services, while others are a result of host configuration and access controls that are poorly implemented or too complex to administer. Additionally, the role and importance of system administration is often shortchanged in job descriptions, resulting in many administrators being, at best, part-time and poorly prepared. This is further aggravated by the tremendous growth and speed of the Internet as a whole.

Today, individuals, commercial organizations, and government agencies depend on the Internet for communication and research, and thus have much more to lose if their sites are compromised. In fact, virtually everyone on the Internet is vulnerable, and the Internet s security problems are the center of attention, generating much fear throughout the computer and communications industries. Concerns about security problems have already begun to chill the overheated expectations about the Internet s readiness for full commercial activity, possibly delaying or preventing it from becoming a mass medium for the NII or the global information infrastructure (GII). Several studies have independently shown that many individuals and companies are abstaining from joining the Internet simply because of security concerns. At the same time, analysts are warning companies about the dangers of not being connected to the Internet. In this conflicting situation, almost everyone agrees that the Internet needs more and better security. In a workshop held by the Internet Architecture Board (IAB) in 1994, scaling and security were nominated as the two most important problem areas for the Internet architecture as a whole [16]. This has not changed so far and is not likely to change in the future [17]. It is particularly true for the WWW and Web-based applications.

[1] Note the definite article and the capital letter ˜ ˜I in the term ˜ ˜the Internet. More generally , the term ˜ internet is used to refer to any TCP/ IP-based internetwork, whereas the term ˜ intranet is used to refer to a TCP/ IP-based corporate or enterprise network.

[2] Only mobile networks experience similar growth rates.

[3] http://nii.nist.gov

[4] There are several statistics that illustrate this point. For example, refer to the publications of the Computer Security Institute (CSI) at http://www.gocsi.com or the reports and articles published by the CERT Coordination Center (CERT/CC) at http://www.cert.org.

[5] http://www.cert.org

[6] Many of these CERTs are member organizations of the Forum of Incident Response and Security Teams (FIRST).

[7] Refer to the WWW home page of DigiCrime at URL http://www.digicrime.com to convince yourself that executable content is in fact dangerous.

[8] http://www.trouble.org/survey

[9] Note, however, that the real losses caused by Webjacking activities are comparably small, since the Web pages that are vandalized are often located outside the firewall in a so-called demilitarized zone (for easy access by the casual Web user ).




Security Technologies for the World Wide Web
Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
EAN: 2147483647
Year: 2003
Pages: 142
Authors: Rolf Oppliger

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net