Pages: pp. 38-41
This issue of IEEE Internet Computing presents three articles exploring the theme of "Widely Deployed Internet Security Solutions." This topic highlights the three characteristics that we think define relevant security innovations today: deployability, orientation toward solving a problem, and suitability to the Internet environment.
The focus on deployment reflects the frustration, shared by the majority of the computer security research community, over the glaring gap between state-of-the-art security research and state-of-the-art security practice. As a technology, computer security emerged with the development of time-sharing and multi-user systems. Security technology research remains an active academic field, attracting much interest from government, military, and commercial sectors. Despite this interest, the distance is huge between what is possible as demonstrated in research and what is practiced in the real world.
Although a tremendous amount of new research is published each year (see the sidebar " Security Research Resources" for a list of relevant conferences, journals, and Web sites), the commercial adoption rate of this research is miserably low compared with adoption rates for other technologies, such as high-speed networking. In fact, you can count on one hand the number of innovative and effective security technologies that have been widely deployed in the past three decades:
Why such a gap exists is a mystery, and to attempt an analysis is beyond the scope of this article. Our emphasis on deployment for this special issue is a small effort toward narrowing this gap. In the end, we failed to attract articles that explain why certain security technologies are adopted while others are not—Any historians out there reading this?—but succeeded in getting articles that dissect and discover problems with a few emerging security standards.
Our second focus, on solutions rather than merely technology, derives from our observation that the five technologies listed above solve some pressing problems:
It is worth noting, however, that these five technologies—although they came out of commercial settings—benefited a great deal from prior research. Pattern matching, reverse engineering, fast indexing, and searching are key to anti-virus software. Cryptography in general, and one-way functions in particular, provide the foundation for onetime passwords. TCP/IP, pattern recognition, application-specific integrated circuit (ASIC) design, and virtual private networks (VPNs) underpin some modern firewalls. SSL is a fairly straightforward application of public-key systems, secure handshake protocols, and encryption. Java security traces its roots to operating system security, access-control algorithms, and object-oriented system design.
Nevertheless, inventing a security technology and turning that technology into a solution are two different things. For example, even though public-key systems existed at least as early as 1976, it was not until the early 1990s that the technology found its biggest application in SSL. Therefore, pushing for solutions instead of technologies is our way of nudging researchers to pay attention to the "last mile problem": How do we turn a great invention into an effective solution?
Third, our theme focuses on the Internet—not only because the world is becoming more connected each day, but also because security issues manifest themselves more urgently in a networked environment. For example,
Our concern here with today's networked environment does not imply that there are no longer security problems inside individual network nodes. In fact, in many aspects, security issues for a single node (for example, OS security, Java VM security) are technically more challenging than network security issues. However, it is more convenient—and convenience is what commercial systems look for—to assume that network nodes are controlled and trusted by their owners (which is not an unreasonable assumption in the case of cell phones and pagers) and to worry only about network-level security.
All of the articles in this issue have the characteristics we were looking for: they focus on standards for wide deployment of security technologies. They describe practical solutions. The technologies they discuss fall within the Internet context.
The article "Network Address Translators: Effects on Security Protocols and Applications in the TCP/IP Stack," by Shiuh-Pyng Shieh et al. (pp. 42-49), studies the intrinsic conflict between the use of NATs to translate and hide network addresses and the essential requirement in some security protocols to carry and identify users' actual network addresses. The authors' conclusion that many protocols would not function properly in a NAT environment is significant, given NATs' widespread use.
The article, "Key Exchange in IPSec: Analysis of IKE," by Radia Perlman and Charlie Kaufman (pp. 50-56), identifies several problems with the IKE mechanism in IPSec, an Internet Engineering Task Force-proposed standard also included in IPv6, and suggests several improvements.
The article, "A Transport-Level Proxy for Secure Multimedia Streams," by King P. Fung and Rocky K.C. Chang (pp. 57-67), examines the inadequacies of SOCKS, the IETF's firewall traversal standard, and proposes an extension for better multimedia streaming support.
We look forward to continued work in this area and to the day when computer security practice catches up with computer security research.
Shiuh-Pyng Shieh, Fu-Shen Ho, Yu-Lun Huang, and Jia-Ning Luo
NATs implement a method for connecting a network with private IP addresses to the global Internet of unique IP addresses. NATs have been widely deployed in the past few years as a way to alleviate the shortage of address space in IPv4. Because they can hide the inside network topology from the outside world, NATs offer a level of security, but not when a protocol requires end-to-end IP addresses, as many security protocols and applications do.
Radia Perlman and Charlie Kaufman
IPSec is a proposed standard for securing real-time communications on the Internet. It has been criticized for being overly complex, partially by allowing too many options for accomplishing essentially the same thing. Criticism has focused mainly on the part of the standard that addresses data packet encodings. The Internet Key Exchange part has its own complexities, which have not been as thoroughly studied—until now.
King P. Fung and Rocky K.C. Chang
Firewalls must offer secure traversal services to applications, but current techniques cannot meet the requirements of increasingly popular multimedia streaming applications. The authors propose an extension to the SOCKS transport-level standard proxy. The extension provides complete support for UDP-based multimedia streaming applications.
Many conferences, journals, and Web sites publish the latest in security research. Some of these are listed below.
ACM Conference on Computer and Communications Security • http://www.acm.org/sigsac/#CONF
ACM Symposium on Access Control Models and Technologies • http://www.acm.org/sigsac/#CONF
Annual Computer Security Applications Conference • http://www.acsac.org
European Symposium on Research in Computer Security • http://www.laas.fr/~esorics/
IEEE Symposium on Security and Privacy • http://www.ieee-security.org/
IEEE Computer Security Foundations Workshop • http://www.ieee-security.org/
IFIP Working Conference on Dependable Computing and Fault Tolerance • http://www.dependability.org/wg10.4/
Network and Distributed System Security Symposium • http://www.isoc.org/ndss01/
Usenix Security Symposium • http://www.usenix.org/events/sec2000/
ACM Transactions on Information and System Security • http://www.acm.org/tissec/
Journal of Computer Security • http://www.iospress.nl/
Internet Engineering Task Force • http://www.ietf.org/
Links to Internet Requests for Comment and working drafts.
IETF Security Area Working Groups • http://www.ietf.org/html.charters/wg-dir.html#Security_Area
Computer Security Resource Center at the National Institute of Standards and Technology • http://csrc.nist.gov/
Links to news, policies, and U.S. federal standards (often widely used outside the U.S. federal government).
Public Key Cryptography Standards, RSA Laboratories • http://www.rsasecurity.com/rsalabs/pkcs/
Links to public-key cryptography standards documents, mailing lists, and news.
We would like to thank all those who submitted their work, as well as the hard-working reviewers who made available their precious time to ensure the high quality of IEEE Internet Computing articles. We would also like to express our appreciation to Internet Computing's editorial board for making this issue possible, and to the staff for ensuring smooth production.