The Security Process

Think of security as a combination of processes, procedures, and policies rather than a single product you install. The security of information involves both human and technical factors: the human factors are addressed by the policies the organization enforces, and the technical components are the tools you install on the systems you work with. There are several parts to this process, and each is described in the following sections.

Antivirus Software

Computer viruses are one of the most annoying trends happening today. It seems that almost every week someone invents a new virus to damage systems. Some of these viruses do nothing more than give you a great big "gotcha"; others destroy systems, contaminate networks, and wreak havoc on computer systems.

The business of providing protective software to computer users has become a huge industry, with several well-established antivirus vendors. New protection methods appear almost as fast as new viruses. Antivirus software scans the computer's memory, disk files, and incoming and outgoing e-mail. It typically relies on a virus definition (signature) file that the manufacturer updates regularly; vendors publish new definitions frequently, and current products fetch them daily or more often. Because signature scanning can recognize only malware that is already in the definition file, a system is reasonably protected against known threats only while those definitions are current, and it has no protection against a virus the vendor has not yet seen. Unfortunately, many people do not keep their definitions up to date. Users will exclaim that a brand-new virus must be out because they just got infected; upon examination, you will usually find that their definition file is months old.

As you can see, the product part of the system breaks down if the definition files are not updated on a regular basis.

Access Control

The process of establishing access control is critical. Access control defines which subjects (users and systems) may perform which operations on which resources, and it protects information from unauthorized access. Three basic models are used to describe access control. We will look at each in the following sections.

Mandatory Access Control (MAC)

The Mandatory Access Control (MAC) model is a static model in which access decisions are made by the system according to rules the administrator sets, not by the owner of the resource. Subjects and objects carry labels (for example a clearance and a classification), and access is granted only when the labels satisfy the policy. System administrators establish these parameters and associate them with accounts, files, or resources, and they are the only people who can change them. The MAC model can be very restrictive: users cannot share resources dynamically unless the static relationship already exists.

Discretionary Access Control (DAC)

The Discretionary Access Control (DAC) model allows the owner of a resource to decide who may access the information they own. Under DAC a user can share a file, or use a file that someone else has shared. The DAC model establishes an Access Control List (ACL) that identifies the users who are authorized to that information, so the owner can grant or revoke access to individuals or groups as the situation requires. This model is dynamic and allows information to be shared easily between users; the flip side is that a careless or compromised owner can grant access the organization would not want.

Role-Based Access Control (RBAC)

The Role-Based Access Control (RBAC) model allows a user to act in a predetermined manner based on the role the user holds in the organization. Roles are assigned system wide, and the user can perform a function or duty only if an assigned role permits it. An example of this might be a role called "salesperson." A salesperson can access only the information established for that role, and may be able to access it from any station in the network, based strictly on role. A sales manager may hold a different role that allows access to all of the individual salesperson information.

The RBAC model is very common for administrative roles on a network. Backing up data files requires a limited set of privileges; these are assigned to a role called backup operator, and anyone holding that role has exactly the rights predefined for it and nothing more.
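The three models side by side, as an added example that is not from the study guide. It is a toy in Python: the clearance levels, users, roles and permission names are assumed for illustration, and the MAC part enforces only the "no read up" rule so that the contrast with owner-controlled DAC and role-driven RBAC is visible.

```python
"""Toy implementations of the three access control models.

Added example (not from the study guide). Users, labels, roles and
permission names below are constructed for illustration.
"""

# ---- Mandatory Access Control: labels fixed by the administrator --------
# Clearances and classifications are ordered; neither the subject nor the
# object's owner can change them, so the decision is static until an
# administrator relabels something.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_can_read(subject_clearance, object_label):
    """Simple security rule: read only at or below your own clearance."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# ---- Discretionary Access Control: the owner manages the ACL ------------
class DacFile:
    """A file whose owner may grant or revoke access to other users at will."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, perm):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this file")
        self.acl.setdefault(user, set()).add(perm)

    def revoke(self, actor, user, perm):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this file")
        self.acl.get(user, set()).discard(perm)

    def check(self, user, perm):
        return perm in self.acl.get(user, set())


# ---- Role-Based Access Control: permissions hang off roles --------------
ROLE_PERMS = {
    "salesperson":     {"read:own_accounts"},
    "sales_manager":   {"read:own_accounts", "read:all_accounts"},
    # backup operators get only what the backup job needs, not the
    # account-reading permissions the sales roles carry
    "backup_operator": {"backup:files", "restore:files"},
}
USER_ROLES = {
    "alice": {"salesperson"},
    "bob":   {"sales_manager"},
    "carol": {"backup_operator"},
}


def rbac_allowed(user, perm):
    """A user holds exactly the union of the permissions of their roles."""
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    print("MAC: internal user reads secret file ->", mac_can_read("internal", "secret"))
    f = DacFile("alice")
    f.grant("alice", "bob", "read")
    print("DAC: bob can read alice's file ->", f.check("bob", "read"))
    print("RBAC: carol reads all accounts ->", rbac_allowed("carol", "read:all_accounts"))
```

Note where the decision lives in each case: in the label table for MAC, in an ACL the owner edits for DAC, and in the role table for RBAC, which is why adding a new salesperson under RBAC is one line in USER_ROLES rather than a change to every file.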

Authentication

Authentication proves that the user or system is actually who they say they are. One of the most critical parts of a security system is authentication. This is part of a process that is also referred to as Identification and Authentication (I&A). The identification process starts when a user ID or logon name is typed into a sign-on screen. Authentication is accomplished by challenging the claim about who is accessing the resource. Without authentication, anybody can claim to be anybody.

Authentication systems or methods are based on one or more of these three factors:

  • Something you know – a password or PIN

  • Something you have – a smart card or an identification device

  • Something you are – your fingerprints or retinal pattern

Systems also authenticate each other using similar methods. Frequently two systems exchange a shared secret, or a proof that each holds a secret or key, to establish identity. Once authentication has occurred, the two systems can communicate in the manner the design specifies.

There are several common methods of authentication. Each has advantages and disadvantages that must be considered when evaluating authentication schemes or methods.

Username/Password

A username identifies the user to the logon process, and the password is the secret that authenticates that claim. When users sit down in front of a computer system, the first thing a security system requires is that they establish who they are. Identification is typically confirmed through a logon process, and most operating systems use a user ID and password to accomplish this. The logon process identifies to the operating system, and possibly the network, that you are who you say you are. Figure 1.3 illustrates this logon and password process. Notice that the operating system compares the submitted credentials with the stored information from the security processor (good practice is to store only a salted hash of the password, never the password itself) and either accepts or denies the logon attempt. The operating system may then establish privileges or permissions based on stored data about that particular ID.

Figure 1.3: A logon process occurring on a workstation

Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) is a protocol in which a server challenges a client to prove its identity. Both sides share a secret (in practice a password), but unlike a plain user ID/password logon the secret itself is never sent over the link. The client sends a logon request to the server. The server sends a random challenge back to the client. The client hashes the challenge together with the shared secret (RFC 1994 specifies MD5) and returns the hash. The server performs the same computation with its own copy of the secret and compares the two values; if they match, authentication succeeds, and if not, the session fails and the client must start over. Because every challenge is different, a captured response cannot simply be replayed, although an attacker who records the exchange can still run an offline guessing attack against a weak secret, and the server must keep the secret in a recoverable form rather than as a one-way hash. Figure 1.4 illustrates the CHAP procedure. This three-way handshake (challenge, response, success or failure) is usually automatic between systems, and the server may repeat it at intervals during an established session.
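The exchange described above, worked in Python as an added example (not code from the study guide). It follows RFC 1994, where the response is MD5 over the one-octet identifier, the shared secret and the challenge; the peer name, the secret and the in-memory ChapServer/ChapClient classes are constructed for illustration.

```python
"""CHAP challenge/response as specified in RFC 1994.

Added example (not from the study guide). Peer name, secret and the
ChapServer/ChapClient classes are constructed for illustration.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Response Value = MD5(Identifier || shared secret || Challenge Value).

    The Identifier is a one-octet sequence number; together with the random
    challenge it makes every response unique even for the same secret.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The authenticator: holds each peer's secret and the challenges it has sent."""

    def __init__(self, secrets):
        # peer name -> shared secret. CHAP needs the secret itself, not a hash of it.
        self.secrets = secrets
        self.pending = {}          # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)      # fresh and unpredictable: a recorded response cannot be replayed
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        chal = self.pending.pop(identifier, None)   # one challenge answers exactly once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """The peer being authenticated: proves it knows the secret without sending it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(server, client):
    """One three-way handshake: Challenge -> Response -> Success/Failure."""
    identifier, challenge = server.challenge()
    name, response = client.respond(identifier, challenge)
    return server.verify(identifier, name, response)


if __name__ == "__main__":
    server = ChapServer({"alice": b"correct horse battery staple"})
    print("good secret:", run_chap(server, ChapClient("alice", b"correct horse battery staple")))
    print("wrong secret:", run_chap(server, ChapClient("alice", b"guess")))
```

The `pending.pop` in `verify` is the replay guard: once a challenge has been answered it is gone, so presenting the same response a second time fails even though the hash is correct. Note that nothing here prevents an eavesdropper from taking (challenge, response) offline and trying candidate secrets, which is why CHAP secrets need to be long.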

Figure 1.4: CHAP authentication

Certificates

Certificates are another common form of authentication. A certificate is a digitally signed statement, issued by a certificate authority (CA), that binds an identity to a public key; the challenging system accepts it because it trusts the CA that signed it, and the holder proves ownership by demonstrating possession of the matching private key. A certificate may be stored on a physical device such as a smart card or kept as a file that is used as part of the logon process. A simple way to think of them is as hall passes at school. Figure 1.5 illustrates a certificate being handed from the server to the client once authentication has been established. If you have a hall pass, you can wander the halls of school. If your pass is invalid (expired, revoked, or signed by an authority the monitor does not recognize), the hallway monitor can send you to the principal's office.

Figure 1.5: A certificate being issued once identification has been verified

Security Tokens

Security tokens are similar to certificates in that they carry proof of who you are, but they also list the rights and access privileges of the bearer as part of the token. Many operating systems generate such a token (the Windows access token is one example) and apply it to every action taken on the computer system. If your token does not grant you access to certain information, that information will either not be displayed or your access will be denied. The authentication system creates a token each time a user logs on or a session begins, and at the completion of the session the token is destroyed. Figure 1.6 shows a security token that contains the logon ID and access privileges.

Figure 1.6: Security token authentication

Kerberos

Kerberos is an authentication protocol originally designed at MIT that has become a very popular authentication method. Kerberos allows for a single sign-on to a distributed network.

The Kerberos authentication process uses a Key Distribution Center (KDC) to orchestrate the entire process. The KDC authenticates the principal; principals can be users, programs, or systems. The KDC provides the principal with a ticket, encrypted so that only the service it is meant for can read it. Once this ticket is issued, it can be presented to other principals to authenticate to them. This occurs automatically whenever a request or service is performed by another principal.

Kerberos is widely deployed and is a common standard in network environments. Its best-known operational weakness is that the KDC is a single point of failure: if the KDC goes down, no new authentication can take place, which is why deployments normally run replica KDCs. Because tickets and the authenticators presented with them carry timestamps, Kerberos also requires reasonably synchronized clocks across the network. Figure 1.7 shows the Kerberos authentication process and the ticket being presented to systems that are authorized by the KDC.
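A simplified ticket exchange in Python, added here as an illustration; it is not from the study guide and not code from any Kerberos implementation. It collapses the real AS and TGS exchanges into one KDC request, and its seal()/unseal() functions are a toy encrypt-then-MAC built from SHA-256 that stands in for Kerberos's real encryption types; principal names, keys and clock values are constructed. What it does show is the part the text leaves implicit: the service never talks to the KDC, the session key reaches the service only inside a ticket encrypted under the service's own key, and the timestamp check is what makes clock synchronization a requirement.

```python
"""Simplified Kerberos ticket flow: KDC issues a ticket, the client presents it
with a fresh authenticator, the service checks both.

Added example, not the real protocol: one KDC request stands in for the AS+TGS
pair, and seal()/unseal() are a toy encrypt-then-MAC (SHA-256 keystream + HMAC)
standing in for Kerberos encryption types. Names, keys, times are constructed.
"""
import hashlib
import hmac
import json
import os

MAX_CLOCK_SKEW = 300        # seconds; real Kerberos defaults to five minutes
TICKET_LIFETIME = 8 * 3600


def _keystream(key, nonce, length):
    """Toy counter-mode keystream from SHA-256 (demo only, not for production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt a JSON-serialisable dict under key, then MAC nonce||ciphertext."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the MAC (rejects tampering and the wrong key), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds every principal's long-term key and hands out tickets."""

    def __init__(self, keys):
        self.keys = keys        # principal name -> long-term key

    def issue(self, client, service, now):
        session = os.urandom(32)
        # The ticket is readable only by the service; the client carries it opaquely.
        ticket = seal(self.keys[service],
                      {"client": client, "session": session.hex(),
                       "expires": now + TICKET_LIFETIME})
        # The reply is readable only by the client: being able to open it is the authentication.
        return seal(self.keys[client],
                    {"service": service, "session": session.hex(), "ticket": ticket.hex()})


def client_ap_req(client_key, kdc_reply, client_name, now):
    """Client side: open the KDC reply, then build ticket + authenticator for the service."""
    rep = unseal(client_key, kdc_reply)
    session = bytes.fromhex(rep["session"])
    authenticator = seal(session, {"client": client_name, "timestamp": now})
    return bytes.fromhex(rep["ticket"]), authenticator


def service_verify(service_key, ticket, authenticator, now):
    """Service side: open the ticket with its own key, then check the authenticator against it."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
    except ValueError:
        return False
    if now > t["expires"]:                           # ticket lifetime exceeded
        return False
    if a["client"] != t["client"]:                   # authenticator must name the ticket's principal
        return False
    if abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:   # why Kerberos needs synchronised clocks
        return False
    return True


if __name__ == "__main__":
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(keys)
    now = 1_700_000_000
    reply = kdc.issue("alice", "fileserver", now)
    ticket, auth = client_ap_req(keys["alice"], reply, "alice", now)
    print("fresh ticket accepted:", service_verify(keys["fileserver"], ticket, auth, now + 5))
    print("stale authenticator rejected:", service_verify(keys["fileserver"], ticket, auth, now + 3600))
```

The single-point-of-failure property is visible too: `service_verify` needs only the service's own key, so an existing ticket keeps working while the KDC is down, but no new ticket can be issued until it is back.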

Figure 1.7: Kerberos authentication process

Multi-Factor

When two or more of these factors are required as part of the authentication process, you are implementing a multi-factor system. A system that uses smart cards and passwords is referred to as a two-factor authentication system; two instances of the same factor, such as two passwords, do not count. Two-factor authentication is shown in Figure 1.8. This example requires both a smart card and a logon password process.

Figure 1.8: Two-factor authentication

Smart Cards

A smart card is a type of badge or card that can allow access to multiple resources including buildings, parking lots, and computers. Each area or computer has a reader into which you insert the card or against which it is scanned. The card contains information about your identity and access privileges, typically in the form of a certificate and a private key that never leaves the card. Figure 1.9 depicts a user inserting a smart card into a reader to verify identity. The reader is connected to the workstation and validates against the security system. This increases the security of the authentication process because you must be in physical possession of the smart card to use the resources. Of course, if the card is lost or stolen, whoever holds it has whatever access the card allows, which is why smart cards are normally paired with a PIN or password and why a lost card must be reported and revoked promptly.

Figure 1.9: The smart card authentication process

Biometrics

Biometric devices use physical characteristics to identify the user, and they are becoming more common in the business environment. Biometric systems include hand scanners, retinal scanners, and perhaps one day DNA scanners. In order to gain access to resources, you must pass a physical screening process. In the case of a hand scanner, this may include fingerprints, scars, and other markings on your hand. Retinal scanners compare your eye's retinal pattern to a stored pattern to verify your identity. A DNA scanner would examine a unique portion of your DNA in order to verify that you are who you say you are. Every biometric system trades off its false acceptance rate against its false rejection rate, and unlike a password a biometric that is copied or leaked cannot be changed.

Practical Matters

You can set up many different parameters and standards to force the people in your organization to conform. In establishing these parameters, it is very important to consider the capabilities of the people who will be working under these policies. If your environment is not particularly computer-savvy, you may spend a great deal of time helping people remember and recover passwords. Many organizations have had to re-evaluate their security guidelines after already going to great expense and length to implement high-security systems.

Supporting users through authentication can become a very high-maintenance activity for network administrators. On the one hand, you want people to be able to authenticate themselves easily; on the other hand, you want security that actually protects your company's resources.

Be wary of popular names, current trends, and other predictable choices that make certain passwords easy to guess. For example, during the first release of Star Wars, two of the most popular passwords on college campuses were C3PO and R2D2, which created a security problem for campus computer centers. Screening new passwords against a deny list of such values, including their obvious variations, catches this before an attacker does.
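A deny-list check of the kind this advice calls for, as an added Python example (not from the study guide). The deny list is a constructed sample; the normalization step undoes the tricks users apply to a banned word (capitalisation, punctuation, a trailing year, leet-speak substitutions) so that C-3PO! and r2d2#1977 are caught as readily as the original fad.

```python
"""Screen a candidate password against a deny list of predictable values.

Added example (not from the study guide). DENY_LIST is a constructed sample;
in practice load a breached-password corpus plus the organisation's own names,
products and the current fads.
"""
import re

DENY_LIST = ["C3PO", "R2D2", "starwars", "password", "letmein", "Acme2024"]

# Substitutions users make to sneak a banned word past a naive exact-match check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Fold case, drop a trailing year/digits/punctuation, undo leet-speak, drop separators."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)      # "Acme2024!" -> "acme", "r2d2#1977" -> "r2d2#"
    s = s.translate(LEET)               # "p@ssw0rd" -> "password", "c3po" -> "cepo"
    return re.sub(r"[^a-z0-9]", "", s)  # "c-epo!" -> "cepo"


# Normalise the deny list the same way so both sides are compared on equal terms.
DENY_STEMS = {normalize(word) for word in DENY_LIST}


def is_predictable(pw, min_stem=3):
    """True if the normalised password is, or contains, a denied stem."""
    norm = normalize(pw)
    return any(stem in norm for stem in DENY_STEMS if len(stem) >= min_stem)


if __name__ == "__main__":
    for candidate in ["C-3PO!", "r2d2#1977", "P@ssw0rd1", "correct horse battery staple"]:
        print(f"{candidate!r:35} predictable={is_predictable(candidate)}")
```

Because the same normalize() is applied to both the deny list and the candidate, adding a new fad is a one-line change to DENY_LIST; the variations come for free. The stem containment check is deliberately aggressive (a short stem such as the one R2D2 reduces to will also match longer strings that embed it), which is the right bias for a deny list.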

start sidebar
Multi-Factor Authentication and Security

The owner of your company is becoming increasingly concerned about computer security and the laxness of users. She reports that users are regularly leaving the office at the end of the day without signing out of their accounts. The company is attempting to win a contract working with the government that will require additional security measures to be taken. What would you suggest to the owner?

The best suggestion would be to implement a multi-factor authentication system consisting of a smart card and a logon/password process. Most smart card readers and operating systems can be configured so that removing the card locks the workstation or logs the user off (on Windows this is the "Interactive logon: Smart card removal behavior" policy). If the smart card is pulled at the end of the day, the workstation would automatically log the user out. By still requiring a logon/password process, you retain reasonable security if the smart card is stolen.

This solution provides reasonable security without significantly increasing security costs. The government will probably require additional access control, such as perimeter alarms and physical access control to sensitive areas, but those measures will not force users to log out when they leave their workstations.

end sidebar

Services and Protocols

Many services and protocols are available for computer users to utilize. Web, mail, and other protocols facilitate communications between systems. Each protocol or service you support on a network adds attack surface and, with it, new potential security problems.

Every day someone finds a new vulnerability in the commonly used services and protocols on computer systems and networks.

In the following sections, a few of the common protocols will be presented to explain why services and protocols are such a key part of security.

Common Protocols and Services

If your environment is like most, you will need to offer several services to your users. Some of the more common ones you should expect to support include mail, Web, general Internet access, and some control protocols. Offering these services is normal in an Internet-enabled environment:

Mail Most customers will want to enable e-mail systems for use in an organization. This means your security plan must include support for e-mail traffic, both inbound and outbound. Several ports are used in the e-mail process (SMTP for transfer, POP3 and IMAP for mailbox access).

Web Many businesses are implementing web-based strategies for communications. These strategies include a server-based product and a client-based product (a browser). Browsers communicate with services over several ports, most commonly HTTP and HTTPS, which allow information to be sent and received by the client or server.

Telnet Telnet is a service that allows remote users to access a system using terminal emulation. Telnet is becoming less common, but it is still in use on a large scale. Telnet connections are unencrypted: the logon, the password, and everything typed afterwards cross the network in cleartext, which is why SSH has replaced it for most remote administration.

File Transfer Protocol (FTP) FTP is a file transfer protocol used extensively on the Internet. FTP sessions are not encrypted, and the base protocol provides no way to protect the logon or password at the beginning of the session; SFTP or FTPS should be used where encrypted file transfer is needed.

Network News Transfer Protocol (NNTP) NNTP allows employees to access news servers over the Internet. This is accomplished by sending and receiving messages to USENET servers that store and forward messages. There are over 14,000 forums in use for Usenet. These forums are called newsgroups.

Domain Name Service (DNS) DNS is used to resolve system names to Internet addresses. It is a very common service and in use on most networks. If you have a website to advertise your products or services, DNS allows you to tell external users where your server is located. DNS translates names, such as www.sybex.com, to IP addresses, such as 192.168.0.110 (a private-range address, used here only as an example).

Internet Control Message Protocol (ICMP) The Internet Control Message Protocol provides network messaging tools, such as Ping, and carries error reports such as "destination unreachable." Ping is a utility that allows you to verify whether or not a system is reachable. ICMP makes many aspects of communication easier in the Internet environment, but because the same messages are useful for mapping a network, many firewalls filter it at the perimeter.

Nonessential Protocols and Services

Many networks support a large number of protocols and services for information access. Nonessential protocols should be disabled or turned off. This includes services and protocols that are inherently insecure. Below is a partial list of services that should not be offered on your network:

  • NetBIOS services

  • UNIX RPC

  • NFS

  • X services

  • R services, such as rlogin and rexec

  • Telnet

  • FTP

  • TFTP (Trivial File Transfer Protocol)

  • NetMeeting

  • Remote control systems

  • SNMP (Simple Network Management Protocol)

These protocols are not recommended because they send passwords over the network unencrypted (Telnet, FTP, the r services, and the community strings of SNMP versions 1 and 2c), because they have little if any security capability (TFTP has no authentication at all, classic NFS and the r services trust what the client asserts about itself), or because they expose the system to vulnerabilities by the very nature of the activities they perform (remote control and remote display). These protocols are covered in later chapters in more detail.
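An audit of the kind this list implies, as an added Python example (not from the study guide). It parses output in the format of the Linux `ss -tulpn` command, here a constructed sample rather than a live capture, and flags listeners on the ports of the services named above. The port table is an assumption limited to the fixed-port services in the list (NetMeeting and remote-control products use product-specific ports and are not covered). It also records whether a listener is bound to loopback only, since an X server reachable only from 127.0.0.1 is a much smaller problem than one bound to every interface.

```python
"""Flag listening sockets that belong to nonessential or cleartext services.

Added example (not from the study guide). SAMPLE_SS is a constructed sample in
the format of `ss -tulpn`; RISKY_PORTS is an assumed table covering only the
fixed-port services named in the surrounding list.
"""

# (protocol, port) -> (service, why it is a problem)
RISKY_PORTS = {
    ("tcp", 21):   ("FTP", "credentials and data in cleartext"),
    ("tcp", 23):   ("Telnet", "credentials and session in cleartext"),
    ("udp", 69):   ("TFTP", "no authentication at all"),
    ("tcp", 111):  ("RPC portmapper", "exposes UNIX RPC services"),
    ("udp", 111):  ("RPC portmapper", "exposes UNIX RPC services"),
    ("udp", 137):  ("NetBIOS name service", "legacy name/session service"),
    ("udp", 138):  ("NetBIOS datagram", "legacy name/session service"),
    ("tcp", 139):  ("NetBIOS session", "legacy name/session service"),
    ("udp", 161):  ("SNMP", "v1/v2c community strings travel in cleartext"),
    ("tcp", 512):  ("rexec", "r-service, cleartext password"),
    ("tcp", 513):  ("rlogin", "r-service, trusts client host/user"),
    ("tcp", 514):  ("rsh", "r-service, trusts client host/user"),
    ("tcp", 2049): ("NFS", "classic NFS trusts client-asserted UIDs"),
    ("udp", 2049): ("NFS", "classic NFS trusts client-asserted UIDs"),
    ("tcp", 6000): ("X11", "remote display access, weak host-based auth"),
}
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss_line(line):
    """Return (proto, address, port) for one `ss -tulpn` row, or None for header/junk."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None
    addr, _, port = fields[4].rpartition(":")   # "0.0.0.0:23", "[::]:2049", "*:139"
    if not port.isdigit():
        return None
    return fields[0], addr, int(port)


def audit(ss_output):
    """One finding per risky listener, noting whether it is reachable beyond localhost."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, addr, port = parsed
        if (proto, port) not in RISKY_PORTS:
            continue
        service, reason = RISKY_PORTS[(proto, port)]
        findings.append({
            "service": service, "proto": proto, "port": port,
            "exposure": "loopback-only" if addr in LOOPBACK else "network",
            "reason": reason,
        })
    return findings


# Constructed sample; on a real host: audit(subprocess.check_output(["ss", "-tulpn"], text=True))
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*     users:(("in.telnetd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:21          0.0.0.0:*     users:(("vsftpd",pid=815,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    127.0.0.1:6000      0.0.0.0:*     users:(("Xorg",pid=901,fd=5))
tcp   LISTEN 0      64     [::]:2049           [::]:*
tcp   LISTEN 0      50     *:139               *:*           users:(("smbd",pid=950,fd=30))
udp   UNCONN 0      0      0.0.0.0:69          0.0.0.0:*     users:(("in.tftpd",pid=820,fd=3))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*     users:(("snmpd",pid=830,fd=7))
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f['service']:<22} {f['proto']}/{f['port']:<5} {f['exposure']:<13} {f['reason']}")
```

A port match is a prompt to investigate, not proof: something other than Telnet may be listening on 23, and a service may be wrapped in a VPN or filtered upstream. Conversely, a service moved to a non-standard port is not caught here at all, so confirm with the process name that `ss -p` reports.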



CompTIA Security+ Study Guide. Exam SY0-101
ISBN: 078214098X
Year: 2006
Pages: 167