University of Maryland Laboratory for Telecommunications Sciences
National Security Agency Laboratory for Telecommunications Sciences
Pages: 24-28
Abstract—Let's face it. Security is usually discarded when it contends with performance. But as the world becomes more tightly interconnected, organizations are feeling a greater need to rediscover network security.
"Network security is the most important thing on the planet." We have heard these words uttered with great conviction many times. However, the first time it causes any inconvenience to system owners, administrators, or users, the same people hasten to add "except when it impacts performance, system complexity, or cost." Let's face it. Security is usually discarded when it contends with performance. The reason is simple, and at one time it may have even been valid: Performance directly contributes to the bottom line while security provides only indirect benefits. But as the world becomes more tightly interconnected, organizations are feeling a greater need to rediscover network security.
There are plenty of reasons. The massive surge of interest in the Internet, along with the emerging use of low-cost residential broadband networking for homes and small enterprises, has given rise to a concentrated study of network security practices.[1] The explosive growth of networking technology continues to redefine the rules for maintaining the privacy and integrity of electronic data.[2,3] There is a staggering amount of personal, commercial, governmental, and military information in the various networking infrastructures worldwide. This vast connectivity also poses monumental risks. Almost anyone can reach out to the network, which often means almost anyone can reach in. In short, network security is an issue that can no longer be postponed.
Fortunately, security measures do not have to be expensive or complicated—a reality the networking community has only recently taken to heart. Network security itself, however, must be better understood and embraced, preferably before a compromise occurs. The articles in this issue are intended to alert you to the risks and some solutions and to encourage you to develop and implement security methodologies and strategies before—rather than after—an incident.
A thread that spans most definitions of network security is the intent to consider the security of the network as a whole, rather than as an endpoint issue. A comprehensive network security plan must encompass all the elements that make up the network and provide five important services:
An effective plan is also built on a thorough understanding of security issues, including the potential attackers, the needed level of security, and the factors that make a network vulnerable to attack. This understanding helps you define the level of security that is appropriate for the information the network contains and the environment in which it operates.
Before you can determine how much time and effort to spend on your security strategy, you must identify your potential attacker. Is it a 14-year-old looking for a moment of fun and fame or a well-financed organization with specific economic objectives? Are you the only target or are you in a class of targets, such as banks? If the target is you specifically, protection will be more difficult, since one-on-one attackers are not often easily discouraged. If the objective is to attack a class of targets, you may need only enough security to motivate the attacker to move to another target in the class.
You will need to estimate the threshold of pain you and your potential attackers are willing to tolerate—the threshold representing the resources you and your potential attackers are willing to commit. As a system owner, you need to know what you are protecting, what its value is to you, and what its potential value is to others.
The statement "when you have nothing, you have nothing to lose" rarely applies to networks. Consider the world's vast network infrastructure—personal information within homes, technical and marketing information on corporate systems, and political and military information on government systems. Clearly there is much to lose. Intellectual property is a valuable asset. The protection of marketing information, product announcements, and pricing plans is often crucial to a company's financial success.
There are also more subtle consequences of an attack. Depending on the type of business, the subsequent publicity about the attack can cause both investors and consumers to lose confidence in the company. For example, customers may be reluctant to provide sensitive personal information to a company if they know its infrastructure has been successfully attacked. Such a loss may stall electronic commerce and other activities that require sensitive or private information.
Network security strategies, methods, and devices are used to raise the level of pain your opposition must endure to punch a hole in your system. It is impossible to ensure absolute security. You can ratchet up the level of effort an attacker will need to expend, but the amount of investment and level of defensive effort committed to security should be guided by the threat profile. You must understand this trade-off before your plan can incorporate the right balance between the level of security and the threat.
Probably the most common risk is a poorly administered system. System administrators have ignored or disabled security features when the security product or facility implementing these features is complicated. System users often circumvent security procedures if the procedures degrade performance. In such cases, designers of the security strategy think the network is secure, but it has been fundamentally compromised because people are not following through with its implementation.
Social engineering is another common problem that leads to system vulnerabilities. It is not a technical assault on the network components, but a direct or indirect effort to learn about the characteristics and potential vulnerabilities of a system through social means: A person leans over your shoulder to observe your password, learns about a targeted system by eavesdropping on conversations, or tricks a valid user into disclosing his password on a system of interest. Users who create easily guessed passwords or never change their passwords add to the problem.
Logging can cause problems at two extremes. Too little logging is an obvious problem. When a problem is detected, there may be insufficient information to reconstruct what happened. The opposite may also be true. Too much logging obfuscates the situation and often leads to poor security practices. For example, security devices may generate enormous logs for later analysis, but the analysis may be performed only when some specific problem is encountered. The logs may accumulate into a larger and larger queue that may be deleted or trimmed before the data analysis is complete. Too little logging, too much logging, and too little analysis are still important problems.
Apathy is another source of risk. Network owners often do not take the business of providing network security seriously. They make excuses when it becomes inconvenient. It's "too hard" because of the administrative burden; it's "too expensive" because devices such as firewalls must be purchased and supported. Another popular excuse is "we don't have anything people would want, so we won't be attacked." Network owners who don't see the value of the intellectual property within their systems generally fail to treat its security seriously.
Once you have shaped your network security plan, you can begin to incorporate the appropriate technology to provide a secure environment. Several items may be common to many plans, but not all the elements we describe here must be in place. What you use should be based on a thorough assessment of the risks present and your plan's objectives. Many security devices—from stand-alone products to protocols incorporated into network elements—have been developed.[5] The brief description of firewalls and intrusion detection we offer is only a sample of popular devices.
Firewalls enforce an access policy by operating as a gateway between two networks.[6] There are two major classes. Packet filter firewalls examine endpoint identifiers in datagrams passing through a link to determine if each packet should be allowed to proceed. For example, an IP packet filter can examine the source and destination IP addresses, the port being used, and the specified protocol field. Depending on the firewall's degree of sophistication, it might also maintain the state associated with each IP flow so that flows can be statistically analyzed.
Proxy firewalls act as a mediator between two devices attempting to communicate through the firewall. They terminate a flow at one side of the firewall, provide some proxy service to examine the data within the flow, and then re-create the flow in the network at the other side of the firewall. As an example, a telnet or ftp session from a network endpoint within a protected enclave to an external network element would be staged at the firewall as an intermediate flow.
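As an added illustration of the packet-filter behaviour described above (example code written for this page, not from the article or from any firewall product), the following Go program evaluates a first-match rule list over the endpoint identifiers of each packet and keeps a flow table, so that replies to a flow the filter already admitted are accepted without a dedicated rule and per-flow packet counts are available for later analysis. The enclave prefix 10.0.0.0/8, the addresses, and the ports are constructed for the example; the Packet, Rule and Filter types are this example's own and assume nothing about a particular product.

```go
package main

import (
	"fmt"
	"net"
)

// Packet carries the endpoint identifiers a packet filter examines.
type Packet struct {
	Proto            string // "tcp", "udp" or "icmp"
	Src, Dst         net.IP
	SrcPort, DstPort int
}

// Rule is one entry of the access policy. A nil network or a zero port
// matches anything; an empty Proto matches every protocol.
type Rule struct {
	Action   string // "allow" or "deny"
	Proto    string
	Src, Dst *net.IPNet
	DstPort  int
}

func (r Rule) matches(p Packet) bool {
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Filter applies rules in order (first match wins, default deny) and keeps
// a flow table: replies to an admitted flow are accepted without a rule of
// their own, and the per-flow packet counts can be reported for analysis.
type Filter struct {
	Rules []Rule
	flows map[string]int // flow key -> packets seen
}

func NewFilter(rules []Rule) *Filter {
	return &Filter{Rules: rules, flows: map[string]int{}}
}

func flowKey(proto string, a net.IP, ap int, b net.IP, bp int) string {
	return fmt.Sprintf("%s %s:%d>%s:%d", proto, a, ap, b, bp)
}

// Decide returns "allow" or "deny" for p and updates the flow table.
func (f *Filter) Decide(p Packet) string {
	fwd := flowKey(p.Proto, p.Src, p.SrcPort, p.Dst, p.DstPort)
	rev := flowKey(p.Proto, p.Dst, p.DstPort, p.Src, p.SrcPort)
	// Reply to a flow we already admitted: count it under the original key.
	if _, ok := f.flows[rev]; ok {
		f.flows[rev]++
		return "allow"
	}
	if _, ok := f.flows[fwd]; ok {
		f.flows[fwd]++
		return "allow"
	}
	for _, r := range f.Rules {
		if r.matches(p) {
			if r.Action == "allow" {
				f.flows[fwd] = 1 // remember the flow so its replies pass
			}
			return r.Action
		}
	}
	return "deny" // no rule matched: default deny
}

// FlowCount reports how many packets a flow (in either direction) carried.
func (f *Filter) FlowCount(p Packet) int {
	return f.flows[flowKey(p.Proto, p.Src, p.SrcPort, p.Dst, p.DstPort)] +
		f.flows[flowKey(p.Proto, p.Dst, p.DstPort, p.Src, p.SrcPort)]
}

func cidr(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }

// DemoFilter builds a policy for a hypothetical enclave 10.0.0.0/8: inside
// hosts may open HTTP to anywhere, anyone may reach the mail host on 25,
// everything else is dropped. Addresses are constructed for this example.
func DemoFilter() *Filter {
	return NewFilter([]Rule{
		{Action: "allow", Proto: "tcp", Src: cidr("10.0.0.0/8"), DstPort: 80},
		{Action: "allow", Proto: "tcp", Dst: cidr("10.0.0.5/32"), DstPort: 25},
		{Action: "deny"},
	})
}

func main() {
	f := DemoFilter()
	// Fields: Proto, Src, Dst, SrcPort, DstPort.
	out := Packet{"tcp", net.ParseIP("10.0.0.9"), net.ParseIP("203.0.113.7"), 51000, 80}
	reply := Packet{"tcp", net.ParseIP("203.0.113.7"), net.ParseIP("10.0.0.9"), 80, 51000}
	probe := Packet{"tcp", net.ParseIP("203.0.113.7"), net.ParseIP("10.0.0.9"), 4444, 22}
	for _, p := range []Packet{out, reply, probe} {
		fmt.Println(f.Decide(p))
	}
	fmt.Println("packets on the HTTP flow:", f.FlowCount(out))
}
```

The order of the checks matters: the flow table is consulted before the rule list, which is what lets the inbound reply on port 80 through while an unsolicited inbound packet to port 22 from the same outside host still falls to the final deny rule.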
Network intrusion detection devices try to detect and call attention to odd and suspicious behavior. Anomaly detection devices use statistical methods to try to detect activity that deviates from normal behavior. These devices generate logs and alert system administrators when they detect suspicious activity. Misuse detection devices examine traffic and use patterns, and try to identify a pattern that they can compare to signatures or scenarios known to be dangerous or suspicious. These devices can be applied only against known attack patterns. In the same way popular virus checkers are updated with signatures used to check system memory and files, misuse detection devices must be periodically updated with new signatures as new attacks are detected and characterized.
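The two detector types described above, as an added example written for this page (not code from the article or from any intrusion detection product): a misuse detector that matches request lines against a small signature list, and an anomaly detector that learns a per-source request rate from windows of normal traffic and flags a window whose count lies more than k standard deviations above the learned mean. The log events, the two signatures, the addresses and the history counts are all constructed for the example; the Event, Alert and Baseline types and the k = 3 threshold are this example's own choices.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Event is one parsed log record: the client that sent a request line.
type Event struct{ Source, Request string }

// Alert is what the detector hands to the system administrator.
type Alert struct{ Kind, Source, Detail string }

// Signatures drive the misuse detector: substrings that known suspicious
// requests contain. Real products ship thousands and update them as new
// attacks are characterized; two constructed entries stand in for them.
var Signatures = map[string]string{
	"path-traversal": "../",
	"script-inject":  "<script",
}

// Misuse returns the (sorted) names of every signature the event matches.
func Misuse(e Event) []string {
	var hits []string
	req := strings.ToLower(e.Request)
	for name, pat := range Signatures {
		if strings.Contains(req, pat) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// Baseline summarizes how many requests a source made per window during
// normal operation; the anomaly detector measures deviation from it.
type Baseline struct{ Mean, Std float64 }

func Learn(counts []int) Baseline {
	n := float64(len(counts))
	var sum, ss float64
	for _, c := range counts {
		sum += float64(c)
	}
	mean := sum / n
	for _, c := range counts {
		ss += (float64(c) - mean) * (float64(c) - mean)
	}
	return Baseline{Mean: mean, Std: math.Sqrt(ss / n)}
}

// Anomalous reports whether count exceeds the mean by more than k standard
// deviations. The deviation is floored at 1 so that a source with a
// perfectly flat history is not flagged for a single extra request.
func (b Baseline) Anomalous(count int, k float64) bool {
	return float64(count) > b.Mean+k*math.Max(b.Std, 1)
}

// Analyze runs both detectors over one window. history maps a source to its
// per-window counts from earlier, normal windows; a source with no history
// gets no anomaly verdict yet. Alerts are sorted so output is deterministic.
func Analyze(window []Event, history map[string][]int) []Alert {
	var alerts []Alert
	counts := map[string]int{}
	for _, e := range window {
		counts[e.Source]++
		for _, sig := range Misuse(e) {
			alerts = append(alerts, Alert{"misuse", e.Source, sig + ": " + e.Request})
		}
	}
	for src, n := range counts {
		if past, ok := history[src]; ok {
			if b := Learn(past); b.Anomalous(n, 3) {
				alerts = append(alerts, Alert{"anomaly", src,
					fmt.Sprintf("%d requests this window, baseline mean %.1f", n, b.Mean)})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		a, b := alerts[i], alerts[j]
		return a.Kind+a.Source+a.Detail < b.Kind+b.Source+b.Detail
	})
	return alerts
}

// SampleWindow and SampleHistory are constructed data, not real traffic.
func SampleWindow() []Event {
	var w []Event
	for i := 0; i < 6; i++ {
		w = append(w, Event{"10.0.0.9", "GET /index.html"})
	}
	for i := 0; i < 40; i++ {
		w = append(w, Event{"198.51.100.4", "GET /index.html"})
	}
	w = append(w, Event{"198.51.100.4", "GET /../../secret.txt"})
	return append(w, Event{"203.0.113.8", "GET /search?q=<script>x</script>"})
}

func SampleHistory() map[string][]int {
	return map[string][]int{"10.0.0.9": {5, 6, 4, 5, 5, 6}, "198.51.100.4": {5, 5, 6, 4, 5, 5}}
}

func main() {
	for _, a := range Analyze(SampleWindow(), SampleHistory()) {
		fmt.Printf("%-8s %-13s %s\n", a.Kind, a.Source, a.Detail)
	}
}
```

On the constructed window the misuse detector raises two alerts (one per signature hit) and the anomaly detector one (the source whose 41 requests dwarf its baseline of about five per window), while the third source, having no history, gets a misuse alert only; the two methods are complementary, since the signature list can only name what is already known and the statistical baseline can only say that something is unusual.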
Protection against unauthorized people physically accessing network elements and the protection and security of systems personnel are often overlooked. Consider time locks on bank safes. These were developed when thieves realized they could visit bank employees at off-hours and encourage them to return to the bank to open the vault without the risk of an audience. In similar ways, systems people may be at risk of being encouraged to provide access to their networks either through force, threats, or enrichment. Physical access to network elements must be protected, and access provided only to trusted people.
No system is absolutely secure. With a field so vast and vague, no one can anticipate all the possible breaches. The goal of the network security articles in this issue is to give you a deeper understanding of the fundamentals an effective network security plan must address. Cryptography, for example, provides the fundamental mechanisms for privacy, authentication, and integrity that are at the heart of most security plans. The sidebar "Simplified Example of Public-Key Cryptography" shows how this mechanism works. Communication protocols are also fundamental, enabling the current explosive growth in network connectivity.
The problems and solutions for both Internet and Web users are complex and still developing. Some of the articles we've included describe current problems and propose solutions. Others describe future challenges and the technology envisioned to meet them. We hope these articles will serve as an additional resource for those who are ready to take network security seriously. Our capacity to protect information worldwide will grow only when more network owners begin to plan for and consider these complex issues.
Certain terms are common within the security literature and may not be defined in a particular article. The following terms are fundamental elements of cryptology and network security.
Plaintext or cleartext: The message you wish to protect.
Ciphertext: The result of transformation of plaintext through encryption to obscure content.
Key: A parameter of the encryption algorithm.
Encipher (encrypt): To transform plaintext to ciphertext.
Decipher (decrypt): To transform ciphertext to plaintext.
Symmetric key algorithms: Encryption schemes in which the same key used to encrypt a message can be used to decrypt it. Also known as secret-key, single-key, or one-key algorithms.
Asymmetric key algorithms: Encryption schemes that use two mathematically related keys. Messages encrypted using one key can be decrypted using the other key. An important aspect is that the decryption key cannot reasonably be determined from the encryption key. A user will make his encryption key, denoted as the public key, known, but the decryption key is not disclosed. The decryption key is often called the private or secret key. Also known as public-key algorithms.
Digital signature: A way to verify the originator of a message using an asymmetric key algorithm in reverse. For example, if Bob encrypts a message with his own private key, Alice, decrypting the message with Bob's public key, knows that Bob generated the message.
Figure 1 illustrates how public-key cryptography works. The original message (1) is passed through a cryptographic one-way hash function (2) that results in a small digest. The original message can be quite long, but the hash value is a small number of bytes. The result of the hash function is encrypted (3) with the private key of the sender, in this case, Bob. Bob is responsible for maintaining his private key (4).
Figure 1. How public-key cryptography works.
The encrypted hash value acts as a digital signature (5), as explained later. The digital signature is added to the original message to form the message to be transmitted (6).
The entire message to be transmitted is first encrypted (7) with the public key of the receiver (8), in this case, Alice. The message is transported to Alice over the untrusted network (9). The received message is decrypted (10) with Alice's private key (11). Only people who possess Alice's private key can decrypt a message that has been encrypted with Alice's public key. This is the essence of public-key cryptography. Alice is responsible for maintaining her private key.
The received message (12) should be composed of the original message and the digital signature. The original message portion of the received message is passed through the same cryptographic one-way hash function that Bob (the sender) used (13). The digital signature is decrypted (14) with Bob's public key (15). Bob's public key may be obtained, for example, from a certificate-issuing authority, as described below.
Alice compares the result of the hash of the original message portion of the received message to the decrypted value of the digital signature portion of the received message. If the two values are the same, Alice can be sure that Bob originated the message. If the values are different, Alice received a message that was either damaged in transit or sent by someone other than Bob.
The digital signature provides some assurance that the sender is who he claims to be and that the integrity of the message has been verified. Often an exchange is used to securely obtain a session key that the two parties will then use in future communication during that session. This allows symmetric encryption to be used, which significantly reduces computational complexity over asymmetric (public-key) encryption.
Alice's public key is provided to Bob through some mechanism. There are many ways to securely exchange public keys. One way is through a trusted third party, such as a certificate-issuing institution. This is an organization Bob trusts to provide Alice's true public key. The public key is typically delivered to Bob through the same untrusted network, so the issuing organization digitally signs the message that contains the key.
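The exchange in the sidebar (steps 1 through 15 of Figure 1), carried through in code as an added example written for this page, not code from the article: Bob hashes the message with SHA-256 and signs the digest with his RSA private key, appends the signature to the message, and encrypts the result for Alice; Alice decrypts with her private key, splits off the signature, re-hashes the message portion and checks it against the signature under Bob's public key. The example uses the Go standard library only. One assumption goes beyond the sidebar: because RSA can encrypt only a few hundred bytes, the body is encrypted under a fresh 256-bit AES-GCM session key and only that key is encrypted with Alice's public key, which is the session-key arrangement the sidebar mentions in passing. Key sizes, padding choices (PKCS#1 v1.5 for signing, OAEP for the key), and the Envelope type are this example's own; certificate-based distribution of the public keys is not modelled, the keys are simply generated in Demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the untrusted network (step 9): the session key
// encrypted with Alice's public key, and the AES-GCM ciphertext of
// message || signature.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Sign hashes the message (step 2) and encrypts the digest with Bob's
// private key (step 3); the result is the digital signature (step 5).
func Sign(bob *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, bob, crypto.SHA256, h[:])
}

// Seal appends the signature to the message (step 6) and encrypts the
// result for Alice (step 7). A fresh session key protects the body and only
// that key is encrypted with Alice's public key (step 8).
func Seal(alice *rsa.PublicKey, msg, sig []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := append(append([]byte{}, msg...), sig...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alice, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open recovers the session key with Alice's private key (steps 10-11),
// decrypts the body, splits off the fixed-size signature (step 12), hashes
// the message again (step 13) and checks the signature under Bob's public
// key (steps 14-15). A body damaged in transit or a signature not made with
// Bob's private key is reported as an error.
func Open(alice *rsa.PrivateKey, bob *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, alice, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("message damaged in transit: %w", err)
	}
	n := len(body) - bob.Size() // an RSA signature is as long as the modulus
	if n < 0 {
		return nil, fmt.Errorf("body shorter than a signature")
	}
	msg, sig := body[:n], body[n:]
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(bob, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under Bob's public key")
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails when the system RNG is unusable
	}
	return k
}

// Demo runs the whole exchange with freshly generated keys. With tamper set,
// one ciphertext byte is flipped in transit; with impostor set, a third
// party signs the message while Alice still checks against Bob's key.
func Demo(msg string, tamper, impostor bool) (string, error) {
	bob, alice := genKey(), genKey()
	signer := bob
	if impostor {
		signer = genKey()
	}
	sig, err := Sign(signer, []byte(msg))
	if err != nil {
		return "", err
	}
	env, err := Seal(&alice.PublicKey, []byte(msg), sig)
	if err != nil {
		return "", err
	}
	if tamper {
		env.Ciphertext[0] ^= 0x01
	}
	out, err := Open(alice, &bob.PublicKey, env)
	return string(out), err
}

func main() {
	fmt.Println(Demo("constructed sample message", false, false))
	fmt.Println(Demo("constructed sample message", true, false))
	fmt.Println(Demo("constructed sample message", false, true))
}
```

The two failure paths in Demo correspond to the two outcomes the sidebar names for a mismatched comparison: the tampered envelope fails authenticated decryption before the signature is even examined, and the impostor's signature decrypts under Bob's public key to a value that does not match the re-computed hash, so Open reports an error rather than returning a message.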