Computer, Network & Internet Security
An Introduction to Security
Security Manual
Compiled By:
S.K.PARMAR, Cst
This publication is for informational purposes only. In no way should this publication be interpreted as offering
legal or accounting advice. If legal or other professional advice is needed it is encouraged that you seek it from
the appropriate source. All product & company names mentioned in this manual are the [registered] trademarks
of their respective owners. The mention of a product or company does not in itself constitute an endorsement.
The articles, documents, publications, presentations, and white papers referenced and used to compile this
manual are copyright protected by the original authors. Please give credit where it is due and obtain
permission to use these. All material contained has been used with permission from the original author(s) or
representing agent/organization.
Table of Contents
1.0 INTRODUCTION........................................................................................................................................................... 2
1.1 BASIC INTERNET TECHNICAL DETAILS ........................................................................................................................ 2
1.1.1 TCP/IP : Transmission Control Protocol/Internet Protocol ............................................................................ 2
1.1.2 UDP:User Datagram Protocol............................................................................................................................ 2
1.1.3 Internet Addressing ............................................................................................................................................. 3
1.1.4 Types of Connections and Connectors ............................................................................................................ 3
1.1.5 Routing .................................................................................................................................................................. 6
1.2 Internet Applications and Protocols...................................................................................................................... 6
1.2.1 ARCHIE..................................................................................................................................................................................6
1.2.2 DNS — Domain Name System...........................................................................................................................................7
1.2.3 E-mail — Electronic Mail......................................................................................................................................................7
1.2.4 SMTP — Simple Mail Transport Protocol..........................................................................................................................7
1.2.5 PEM — Privacy Enhanced Mail..........................................................................................................................................8
1.2.6 Entrust and Entrust-Lite .......................................................................................................................................................8
1.2.7 PGP — Pretty Good Privacy ...............................................................................................................................................8
1.2.8 RIPEM — Riordan's Internet Privacy-Enhanced Mail......................................................................................................9
1.2.9 MIME — Multipurpose Internet Mail Extensions ..............................................................................................................9
1.3 File Systems ............................................................................................................................................................ 9
1.3.1 AFS — Andrew File system ................................................................................................................................................9
1.3.2 NFS — Network File System ..............................................................................................................................................9
1.3.3 FTP — File Transfer Protocol ...........................................................................................................................................10
1.3.4 GOPHER..............................................................................................................................................................................10
1.3.5 ICMP — Internet Control Message Protocol...................................................................................................................10
1.3.6 LPD — Line Printer Daemon.............................................................................................................................................11
1.3.7 NNTP — Network News Transfer Protocol .....................................................................................................................11
1.3.8 News Readers.....................................................................................................................................................................11
1.3.9 NIS — Network Information Services ..............................................................................................................................11
1.3.10 RPC — Remote Procedure Call .....................................................................................................................................12
1.3.11 R-utils (rlogin, rcp, rsh).....................................................................................................................................................12
1.3.12 SNMP — Simple Network Management Protocol........................................................................................................12
1.3.13 TELNET .............................................................................................................................................................................12
1.3.14 TFTP — Trivial File Transfer Protocol.............................................................................................................12
1.3.15 Motif...................................................................................................................................................................................13
1.3.16 Openwindows....................................................................................................................................................................13
1.3.17 Winsock..............................................................................................................................................................................13
1.3.18 Windows — X11 ...............................................................................................................................................................13
1.3.19 WAIS — Wide Area Information Servers ......................................................................................................................13
1.3.20 WWW — World Wide Web .............................................................................................................................................13
1.3.21 HTTP — HyperText Transfer Protocol ..........................................................................................................................13
2.0 SECURITY ................................................................................................................................................................... 16
2.1 SECURITY POLICY ...................................................................................................................................................... 16
2.1.0 What is a Security Policy and Why Have One? ............................................................................................ 16
2.1.1 Definition of a Security Policy .......................................................................................................................... 17
2.1.2 Purposes of a Security Policy .......................................................................................................................... 17
2.1.3 Who Should be Involved When Forming Policy?.......................................................................................... 17
2.1.4 What Makes a Good Security Policy? ............................................................................................................ 18
2.1.5 Keeping the Policy Flexible .............................................................................................................................. 19
2.2 THREATS..................................................................................................................................................................... 19
2.2.0 Unauthorized LAN Access ............................................................................................................................... 21
2.2.1 Inappropriate Access to LAN Resources ....................................................................................................... 21
2.2.2 Spoofing of LAN Traffic..................................................................................................................................... 23
2.2.3 Disruption of LAN Functions ............................................................................................................................ 24
2.2.4 Common Threats ............................................................................................................................................... 24
2.2.4.0 Errors and Omissions .....................................................................................................................................................24
2.2.4.1 Fraud and Theft ...............................................................................................................................................................25
2.2.4.2 Disgruntled Employees...................................................................................................................................................25
2.2.4.3 Physical and Infrastructure.............................................................................................................................................25
2.2.4.4 Malicious Hackers ...........................................................................................................................................................26
2.2.4.5 Industrial Espionage........................................................................................................................................................26
2.2.4.6 Malicious Code ................................................................................................................................................................27
2.2.4.7 Malicious Software: Terms.............................................................................................................................................27
2.2.4.8 Foreign Government Espionage ...................................................................................................................................27
2.3 SECURITY SERVICES AND MECHANISMS INTRODUCTION.......................................................................................... 27
2.3.0 Identification and Authentication ..................................................................................................................... 28
2.3.1 Access Control ................................................................................................................................................... 30
2.3.2 Data and Message Confidentiality .................................................................................................................. 31
2.3.3 Data and Message Integrity ............................................................................................................................. 33
2.3.4 Non-repudiation ................................................................................................................................................. 34
2.3.5 Logging and Monitoring .................................................................................................................................... 34
2.4 ARCHITECTURE OBJECTIVES ..................................................................................................................................... 35
2.4.0 Separation of Services...................................................................................................................................... 35
2.4.0.1 Deny all/ Allow all ............................................................................................................................................................35
2.4.1 Protecting Services ........................................................................................................................................... 36
2.4.1.0 Name Servers (DNS and NIS(+))..................................................................................................................................36
2.4.1.1 Password/Key Servers (NIS(+) and KDC) ...................................................................................................................36
2.4.1.2 Authentication/Proxy Servers (SOCKS, FWTK)..........................................................................................................36
2.4.1.3 Electronic Mail..................................................................................................................................................................37
2.4.1.4 World Wide Web (WWW)...............................................................................................................................................37
2.4.1.5 File Transfer (FTP, TFTP) ..............................................................................................................................................37
2.4.1.6 NFS ...................................................................................................................................................................................38
2.4.2 Protecting the Protection .................................................................................................................................. 38
2.5 AUDITING .................................................................................................................................................................... 38
2.5.1 What to Collect................................................................................................................................................... 38
2.5.2 Collection Process............................................................................................................................................. 38
2.5.3 Collection Load .................................................................................................................................................. 39
2.5.4 Handling and Preserving Audit Data............................................................................................................... 39
2.5.5 Legal Considerations ........................................................................................................................................ 40
2.5.6 Securing Backups.............................................................................................................................................. 40
2.6 INCIDENTS ................................................................................................................................................................... 40
2.6.0 Preparing and Planning for Incident Handling............................................................................................... 40
2.6.1 Notification and Points of Contact ................................................................................................................... 42
2.6.2 Law Enforcement and Investigative Agencies .............................................................................................. 42
2.6.3 Internal Communications.................................................................................................................................. 44
2.6.4 Public Relations - Press Releases.................................................................................................................. 44
2.6.5 Identifying an Incident ....................................................................................................................................... 45
2.6.5.1 Is it real? ...........................................................................................................................................................................45
2.6.6 Types and Scope of Incidents ......................................................................................................................... 46
2.6.7 Assessing the Damage and Extent................................................................................................................. 47
2.6.8 Handling an Incident ......................................................................................................................................... 47
2.6.9 Protecting Evidence and Activity Logs ........................................................................................................... 47
2.6.10 Containment ..................................................................................................................................................... 48
2.6.11 Eradication........................................................................................................................................................ 49
2.6.12 Recovery........................................................................................................................................................... 49
2.6.13 Follow-Up.......................................................................................................................................................... 49
2.6.14 Aftermath of an Incident ................................................................................................................................. 50
2.7 INTRUSION MANAGEMENT SUMMARY ........................................................................................................................ 50
2.7.0 Avoidance ........................................................................................................................................................... 51
2.7.1 Assurance........................................................................................................................................................... 51
2.7.2 Detection............................................................................................................................................................. 52
2.7.3 Investigation ....................................................................................................................................................... 52
2.8 MODEMS ..................................................................................................................................................................... 52
2.8.0 Modem Lines Must Be Managed..................................................................................................................... 52
2.8.1 Dial-in Users Must Be Authenticated.............................................................................................................. 53
2.8.2 Call-back Capability........................................................................................................................................... 53
2.8.3 All Logins Should Be Logged........................................................................................................................... 54
2.8.4 Choose Your Opening Banner Carefully........................................................................................................ 54
2.8.5 Dial-out Authentication...................................................................................................................................... 54
2.8.6 Make Your Modem Programming as "Bullet-proof" as Possible ................................................................ 54
2.9 DIAL UP SECURITY ISSUES ........................................................................................................................................ 55
2.9.0 Classes of Security Access Packaged for MODEM Access ....................................................................... 55
2.9.1 Tactical and Strategic Issues in Selecting a MODEM Connection Solution ............................................. 56
2.9.2 Background on User Access Methods and Security .................................................................................... 57
2.9.3 Session Tracking and User Accounting Issues............................................................................................. 60
2.9.4 Description of Proposed Solution to Dial-Up Problem ................................................................................. 61
2.9.5 Dissimilar Connection Protocols Support....................................................................................................... 63
2.9.6 Encryption/Decryption Facilities ...................................................................................................................... 63
2.9.7 Asynchronous Protocol Facilities .................................................................................................................... 63
2.9.8 Report Item Prioritization .................................................................................................................................. 64
2.9.9 User Profile “Learning” Facility ........................................................................................................................ 64
2.10 NETWORK SECURITY ............................................................................................................................................... 64
2.10.0 NIST Check List............................................................................................................................................... 65
2.10.0.0 Basic levels of network access:...................................................................................................................................65
2.10.1 Auditing the Process ....................................................................................................................................... 65
2.10.2 Evaluating your security policy ...................................................................................................................... 66
2.11 PC SECURITY ........................................................................................................................................................... 66
2.12 ACCESS .................................................................................................................................................................... 67
2.12.0 Physical Access............................................................................................................................................... 67
2.12.1 Walk-up Network Connections ...................................................................................................................... 68
2.13 RCMP GUIDE TO MINIMIZING COMPUTER THEFT................................................................................................... 68
2.13.0 Introduction....................................................................................................................................................... 68
2.13.1 Areas of Vulnerability and Safeguards......................................................................................................... 69
2.13.1.0 PERIMETER SECURITY .............................................................................................................................................69
2.13.1.1 SECURITY INSIDE THE FACILITY............................................................................................................................69
2.13.2 Physical Security Devices .............................................................................................................................. 70
2.13.2.0 Examples of Safeguards ..............................................................................................................................................70
2.13.3 Strategies to Minimize Computer Theft........................................................................................................ 73
2.13.3.0 APPOINTMENT OF SECURITY PERSONNEL........................................................................................................73
2.13.3.1 MASTER KEY SYSTEM...............................................................................................................................................73
2.13.3.2 TARGET HARDENING ................................................................................................................................................74
2.13.4 PERSONNEL RECOGNITION SYSTEM .................................................................................................... 74
2.13.4.0 Minimizing Vulnerabilities Through Personnel Recognition ....................................................................................74
2.13.5 SECURITY AWARENESS PROGRAM ....................................................................................................... 75
2.13.5.0 Policy Requirements .....................................................................................................................................................75
2.13.5.1 Security Awareness Safeguards .................................................................................................................................76
2.13.6 Conclusion........................................................................................................................................................ 76
2.14 PHYSICAL AND ENVIRONMENTAL SECURITY ........................................................................................................... 76
2.14.0 Physical Access Controls............................................................................................................................... 78
2.14.1 Fire Safety Factors.......................................................................................................................................... 79
2.14.2 Failure of Supporting Utilities......................................................................................................................... 80
2.14.3 Structural Collapse.......................................................................................................................................... 81
2.14.4 Plumbing Leaks ............................................................................................................................................... 81
2.14.5 Interception of Data......................................................................................................................................... 81
2.14.6 Mobile and Portable Systems........................................................................................................................ 82
2.14.7 Approach to Implementation.......................................................................................................................... 82
2.14.8 Interdependencies........................................................................................................................................... 83
2.14.9 Cost Considerations..................................................................................................................................... 84
2.15 CLASS C2: CONTROLLED ACCESS PROTECTION – AN INTRODUCTION ................................................................. 84
2.15.0 C2 Criteria Simplified ...................................................................................................................................... 84
2.15.1 The Red Book .................................................................................................................................................. 85
2.15.2 Summary .......................................................................................................................................................... 87
3.0 IDENTIFICATION AND AUTHENTICATION ......................................................................................................... 92
3.1 INTRODUCTION............................................................................................................................................................ 92
3.1.0 I&A Based on Something the User Knows ............................................................................................... 93
3.1.0.1 Passwords ........................................................................................................................................................................93
3.1.0.2 Cryptographic Keys.........................................................................................................................................................94
3.1.1 I&A Based on Something the User Possesses........................................................................................ 94
3.1.1.0 Memory Tokens ...............................................................................................................................................................94
3.1.1.1 Smart Tokens...................................................................................................................................................................95
3.1.2 I&A Based on Something the User Is......................................................................................................... 97
3.1.3 Implementing I&A Systems .............................................................................................................................. 98
3.1.3.0 Administration ..................................................................................................................................................................98
3.1.3.1 Maintaining Authentication .............................................................................................................................................98
3.1.3.2 Single Log-in ....................................................................................................................................................................99
3.1.3.3 Interdependencies...........................................................................................................................................................99
3.1.3.4 Cost Considerations........................................................................................................................................................99
3.1.4 Authentication .................................................................................................................................................. 100
3.1.4.0 One-Time passwords....................................................................................................................................................102
3.1.4.1 Kerberos .........................................................................................................................................................................102
3.1.4.2 Choosing and Protecting Secret Tokens and PINs ..................................................................................................102
3.1.4.3 Password Assurance ....................................................................................................................................................103
3.1.4.4 Confidentiality.................................................................................................................................................................104
3.1.4.5 Integrity ...........................................................................................................................................................................105
3.1.4.6 Authorization ..................................................................................................................................................................105
4.0 RISK ANALYSIS....................................................................................................................................................... 108
4.1 THE 7 PROCESSES ................................................................................................................................................... 108
4.1.0 Process 1 - Define the Scope and Boundary, and Methodology.............................................................. 108
4.1.0.1 Process 2 - Identify and Value Assets ...................................................................................................... 108
4.1.0.2 Process 3 - Identify Threats and Determine Likelihood.......................................................................... 110
4.1.0.3 Process 4 - Measure Risk........................................................................................................................... 111
4.1.0.4 Process 5 - Select Appropriate Safeguards ............................................................................................. 112
4.1.0.5 Process 6 - Implement And Test Safeguards .......................................................................................... 113
4.1.0.6 Process 7 - Accept Residual Risk.............................................................................................................. 114
4.2 RCMP GUIDE TO THREAT AND RISK ASSESSMENT FOR INFORMATION TECHNOLOGY........................................ 114
4.2.1 Introduction....................................................................................................................................................... 114
4.2.2 Process ............................................................................................................................................................. 114
4.2.2.0 Preparation .....................................................................................................................................................................115
4.2.2.1 Threat Assessment .......................................................................................................................................................118
4.2.2.2 Risk Assessment ...........................................................................................................................................................122
4.2.2.3 Recommendations ........................................................................................................................................................124
4.2.3 Updates ............................................................................................................................................................ 125
4.2.4 Advice and Guidance...................................................................................................................................... 126
4.2.5 Glossary of Terms ........................................................................................................................................... 127
5.0 FIREWALLS .............................................................................................................................................................. 130
5.1 INTRODUCTION.......................................................................................................................................................... 130
5.2 FIREWALL SECURITY AND CONCEPTS ..................................................................................................................... 131
5.2.0 Firewall Components ...................................................................................................................................... 131
5.2.0.0 Network Policy ...............................................................................................................................................................131
5.2.0.1 Service Access Policy...................................................................................................................................................131
5.2.0.2 Firewall Design Policy...................................................................................................................................................132
5.2.1 Advanced Authentication................................................................................................................................ 133
5.3 PACKET FILTERING .................................................................................................................................................. 133
5.3.0 Which Protocols to Filter................................................................................................................................. 134
5.3.1 Problems with Packet Filtering Routers ....................................................................................................... 135
5.3.1.0 Application Gateways ...................................................................................................................................................136
5.3.1.1 Circuit-Level Gateways.................................................................................................................................................138
5.4 FIREWALL ARCHITECTURES..................................................................................................................................... 138
5.4.1 Multi-homed host ............................................................................................................................................. 138
5.4.2 Screened host .................................................................................................................................................. 139
5.4.3 Screened subnet.............................................................................................................................................. 139
5.5 TYPES OF FIREWALLS .............................................................................................................................................. 139
5.5.0 Packet Filtering Gateways.............................................................................................................................. 139
5.5.1 Application Gateways ..................................................................................................................................... 139
5.5.2 Hybrid or Complex Gateways ........................................................................................................................ 140
5.5.3 Firewall Issues ................................................................................................................................................. 141
5.5.3.0 Authentication ................................................................................................................................................................141
5.5.3.1 Routing Versus Forwarding..........................................................................................................................................141
5.5.3.2 Source Routing ..............................................................................................................................................................141
5.5.3.3 IP Spoofing .....................................................................................................................................................................142
5.5.3.4 Password Sniffing..........................................................................................................................................................142
5.5.3.5 DNS and Mail Resolution .............................................................................................................................................143
5.5.4 FIREWALL ADMINISTRATION ................................................................................................................................. 143
5.5.4.0 Qualification of the Firewall Administrator ................................................................................................ 144
5.5.4.1 Remote Firewall Administration ................................................................................................................. 144
5.5.4.2 User Accounts............................................................................................................................................... 145
5.5.4.3 Firewall Backup ............................................................................................................................................ 145
5.5.4.4 System Integrity............................................................................................................................................ 145
5.5.4.5 Documentation.............................................................................................................................................. 146
5.5.4.6 Physical Firewall Security ........................................................................................................................... 146
5.5.4.7 Firewall Incident Handling........................................................................................................................... 146
5.5.4.8 Restoration of Services ............................................................................................................................... 146
5.5.4.9 Upgrading the firewall .................................................................................................................................. 147
5.5.4.10 Logs and Audit Trails................................................................................................................................. 147
5.5.4.11 Revision/Update of Firewall Policy .......................................................................................................... 147
5.5.4.12 Example General Policies......................................................................................................................... 147
5.5.4.12.0 Low-Risk Environment Policies..............................................................................................................................147
5.5.4.12.1 Medium-Risk Environment Policies.......................................................................................................................148
5.5.4.12.2 High-Risk Environment Policies.............................................................................................................................149
5.5.4.13 Firewall Concerns: Management ............................................................................................................. 150
5.5.4.14 Service Policies Examples........................................................................................................................ 151
5.5.5 CLIENT AND SERVER SECURITY IN ENTERPRISE NETWORKS ............................................................................. 153
5.5.5.0 Historical Configuration of Dedicated Firewall Products ........................................................................ 153
5.5.5.1 Advantages and Disadvantages of Dedicated Firewall Systems.......................................................... 153
5.5.5.2 Are Dedicated Firewalls A Good Idea?..................................................................................................... 155
5.5.5.3 Layered Approach to Network Security - How To Do It.......................................................................... 155
5.5.5.4 Improving Network Security in Layers - From Inside to Outside ........................................................... 157
5.5.5.5 Operating Systems and Network Software - Implementing Client and Server Security.................... 158
5.5.5.6 Operating System Attacks From the Network Resource(s) - More Protocols Are The Norm - and They Are Not Just IP ................................................................................................................................................. 159
5.5.5.7 Client Attacks - A New Threat .................................................................................................................... 159
5.5.5.8 Telecommuting Client Security Problems - Coming to Your Company Soon ..................................... 160
5.5.5.9 Compromising Network Traffic - On LANs and Cable Television It’s Easy ......................................... 162
5.5.5.10 Encryption is Not Enough - Firewall Services Are Needed As Well ................................................... 163
5.5.5.11 Multiprotocol Security Requirements are the Norm - Not the Exception. Even for Singular Protocol Suites... ....................................................................................................................................................................... 163
5.5.5.12 Protecting Clients and Servers on Multiprotocol Networks - How to Do It ........................................ 164
5.5.5.13 New Firewall Concepts - Firewalls with One Network Connection..................................................... 164
6.0 CRYPTOGRAPHY.................................................................................................................................................... 167
6.1 CRYPTOSYSTEMS ..................................................................................................................................................... 167
6.1.0 Key-Based Methodology ................................................................................................................................ 167
6.1.1 Symmetric (Private) Methodology ................................................................................................................. 169
6.1.2 Asymmetric (Public) Methodology................................................................................................................. 170
6.1.3 Key Distribution................................................................................................................................................ 172
6.1.4 Encryption Ciphers or Algorithms.................................................................................................................. 175
6.1.5 Symmetric Algorithms ..................................................................................................................................... 175
6.1.6 Asymmetric Algorithms ................................................................................................................................... 178
6.1.7 Hash Functions ................................................................................................................................................ 178
6.1.8 Authentication Mechanisms ........................................................................................................................... 179
6.1.9 Digital Signatures and Time Stamps ............................................................................................................ 180
7.0 MALICIOUS CODE .................................................................................................................................................. 182
7.1 WHAT IS A VIRUS? ................................................................................................................................................... 182
7.1.0 Boot vs File Viruses......................................................................................................................................... 183
7.1.1 Additional Virus Classifications...................................................................................................................... 183
7.2 THE NEW MACRO VIRUS THREAT............................................................................................................................ 183
7.2.0 Background ...................................................................................................................................................... 184
7.2.1 Macro Viruses: How They Work.................................................................................................................... 186
7.2.2 Detecting Macro Viruses ................................................................................................................................ 187
7.3 IS IT A VIRUS? .......................................................................................................................................................... 189
7.3.0 Worms ............................................................................................................................................................... 190
7.3.1 Trojan Horses................................................................................................................................................... 192
7.3.2 Logic Bombs..................................................................................................................................................... 192
7.3.3 Computer Viruses............................................................................................................................................ 193
7.3.4 Anti-Virus Technologies.................................................................................................................................. 194
7.4 ANTI-VIRUS POLICIES AND CONSIDERATIONS ........................................................................................................ 195
7.4.0 Basic "Safe Computing" Tips ......................................................................................................................... 196
7.4.1 Anti-Virus Implementation Questions ........................................................................................................... 197
7.4.2 More Virus Prevention Tips............................................................................................................................ 198
7.4.3 Evaluating Anti-Virus Vendors....................................................................................................................... 198
7.4.4 Primary Vendor Criteria .................................................................................................................................. 199
8.0 VIRTUAL PRIVATE NETWORKS: INTRODUCTION......................................................................................... 202
8.1 MAKING SENSE OF VIRTUAL PRIVATE NETWORKS ................................................................................................. 202
8.2 DEFINING THE DIFFERENT ASPECTS OF VIRTUAL PRIVATE NETWORKING ............................................................ 202
8.2.0 Intranet VPNs.................................................................................................................................................. 204
8.2.1 Remote Access VPNs..................................................................................................................................... 205
8.2.2 Extranet VPNs.................................................................................................................................................. 206
8.3 VPN ARCHITECTURE ............................................................................................................................................... 207
8.4 UNDERSTANDING VPN PROTOCOLS ....................................................................................................................... 208
8.4.0 SOCKS v5 ........................................................................................................................................................ 208
8.4.1 PPTP/L2TP....................................................................................................................................................... 209
8.4.2 IPSec ................................................................................................................................................................. 211
8.5 MATCHING THE RIGHT TECHNOLOGY TO THE GOAL ............................................................................................... 212
9.0 WINDOWS NT NETWORK SECURITY ................................................................................................................ 215
9.1 NT SECURITY MECHANISMS .................................................................................................................................... 215
9.2 NT TERMINOLOGY.................................................................................................................................................... 215
9.2.0 Objects in NT.................................................................................................................................................... 215
9.2.1 NT Server vs NT Workstation ........................................................................................................................ 216
9.2.2 Workgroups ...................................................................................................................................................... 216
9.2.3 Domains ............................................................................................................................................................ 217
9.2.4 NT Registry....................................................................................................................................................... 217
9.2.5 C2 Security ....................................................................................................................................................... 218
9.3 NT SECURITY MODEL .............................................................................................................................................. 219
9.3.0 LSA: Local Security Authority ....................................................................................................................... 219
9.3.1 SAM: Security Account Manager .................................................................................................................. 220
9.3.2 SRM: Security Reference Monitor................................................................................................................. 220
9.4 NT LOGON................................................................................................................................................................ 221
9.4.0 NT Logon Process........................................................................................................................................... 222
9.5 DESIGNING THE NT ENVIRONMENT ........................................................................................................................ 222
9.5.0 Trusts and Domains ........................................................................................................................................ 223
9.6 GROUP MANAGEMENT ............................................................................................................................................. 226
9.7 ACCESS CONTROL ................................................................................................................................................... 228
9.8 MANAGING NT FILE SYSTEMS ................................................................................................................................ 229
9.8.0 FAT File System .............................................................................................................................................. 229
9.8.1 NTFS File System ........................................................................................................................................... 230
9.9 OBJECT PERMISSIONS ............................................................................................................................................. 231
9.10 MONITORING SYSTEM ACTIVITIES ......................................................................................................................... 232
10.0 UNIX INCIDENT GUIDE ........................................................................................................................................ 234
10.1 DISPLAYING THE USERS LOGGED IN TO YOUR SYSTEM....................................................................................... 235
10.1.0 The “W” Command........................................................................................................................................ 235
10.1.1 The “finger” Command.................................................................................................................................. 236
10.1.2 The “who” Command .................................................................................................................................... 236
10.2 DISPLAYING ACTIVE PROCESSES.......................................................................................................................... 237
10.2.0 The “ps” Command ....................................................................................................................................... 237
10.2.1 The “crash” Command.................................................................................................................................. 238
10.3 FINDING THE FOOTPRINTS LEFT BY AN INTRUDER ................................................................................................ 238
10.3.0 The “last” Command ..................................................................................................................................... 239
10.3.1 The “lastcomm” Command .......................................................................................................................... 240
10.3.2 The /var/log/syslog File................................................................................................................................ 241
10.3.3 The /var/adm/messages File ...................................................................................................................... 242
10.3.4 The “netstat” Command................................................................................................................................ 243
10.4 DETECTING A SNIFFER ........................................................................................................................................... 243
10.4.1 The “ifconfig” Command............................................................................................................................... 244
10.5 FINDING FILES AND OTHER EVIDENCE LEFT BY AN INTRUDER ............................................................................ 244
10.6 EXAMINING SYSTEM LOGS .................................................................................................................................... 246
10.7 INSPECTING LOG FILES.......................................................................................................................................... 247
APPENDIX A : HOW MOST FIREWALLS ARE CONFIGURED ............................................................................ 251
Foreword
I would like to thank all the authors and organizations that have provided
me with materials to compile this manual. Some of the material
contained in this manual was part of a larger document. It is strongly
recommended that anyone who has an interest in learning more about a
particular topic find these documents on the Internet and read them.
SUNNY
1.0 Introduction
The Internet uses a set of networking protocols called TCP/IP. The application
protocols that can be used with TCP/IP are described in a set of Internet
Engineering Task Force (IETF) RFCs (Requests For Comment). These documents
describe the "standard" protocols and the applications that have been developed to
support them. Protocols provide a standard method for passing
messages: they define the message formats and how error conditions are handled.
Protocols are independent of vendor network hardware, which allows communication
between networks built on different hardware as long as they speak
(understand) the same protocol. The following diagram provides a conceptual
layering diagram of the protocols.
UDP has less overhead and is simpler than TCP. The concept is basically the
same, except that UDP is not concerned with lost packets or with keeping things in
order. It is used for short messages. If no response is received, the request is
simply resent. This type of transfer method is called a "connectionless
protocol."
1.1.3 Internet Addressing
All computers on the Internet must have a distinct network address to be able to
communicate efficiently with each other. The addressing scheme used within the
Internet is a 32-bit address segmented into a hierarchical structure. IP addresses
consist of four numbers, each less than 256, separated by periods
(#.#.#.#). At the lowest level, computers communicate with each other using a
hardware address (on LANs, this is called the Medium Access Control or MAC
address). Computer users, however, deal with two higher levels of abstraction in order
to help visualize and remember computers within the network. The first level of
abstraction is the IP address of the computer (e.g. 131.136.196.2) and the second
level is the human-readable form of this address (e.g. manitou.cse.dnd.ca). This
addressing scheme is currently under review, as the address space is running out.
The Address Resolution Protocol (ARP) can be used by a computer to resolve IP
addresses into the corresponding hardware addresses.
There are two types of computer hosts connected to the Internet: server hosts and
client hosts. The server host can be described as an “information provider”. This
type of host contains some type of resource or data which is available to other hosts
on the Internet. The second type of host connected to the Internet is the client host
which can be described as an “information retriever”. The client host will access
resources and data located on the server hosts, but usually will not provide any
resources back to the server host.
Both server and client host computers can be connected to the Internet by various
methods that offer different communication capabilities at different
communications costs.
An important point for the network security investigator to remember is that most
dial-up TCP connections, either SLIP or PPP, assign the IP address to a connected
machine dynamically. This means that when a system dials-up to the Internet
Service Provider (ISP), the ISP assigns an IP address at that point. It also means
that the address for the dialer may change each and every time the system
connects. This can cause serious problems for the investigator when attempting to
trace access back through firewall and router logs for specific IP addresses. You will
need to work closely with the victim and the ISP to properly track which system was
assigned a particular IP address when the system connected to the ISP at a
particular point in time.
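The tracing problem described above, as an added example (not from the original manual) with constructed data: a few firewall log lines for a dynamically assigned source address and the ISP's session records for that address. The function returns every session that covered the instant of the event, so that a gap (no record, usually clock skew between the two systems) or an overlap (two records, which must be resolved with the ISP) is visible rather than silently picked. The log format, the session record layout and all addresses and account names are assumptions.

```python
"""Correlate a firewall log hit with the ISP's dynamic address assignments
to find which subscriber session held the address at that instant.
Added example with constructed data; not from the original manual."""
import re
from datetime import datetime, timezone

# Constructed firewall log lines (syslog-style, UTC timestamps).
FIREWALL_LOG = """\
1999-03-02T02:14:07Z DENY TCP 203.0.113.45:1033 -> 192.0.2.10:23
1999-03-02T02:14:09Z DENY TCP 203.0.113.45:1034 -> 192.0.2.10:21
1999-03-02T11:40:51Z DENY TCP 203.0.113.45:4412 -> 192.0.2.10:23
"""

# Constructed ISP assignment records: (address, start, end, account).
# A session whose end is None was still open when the records were pulled.
ISP_SESSIONS = [
    ("203.0.113.45", "1999-03-02T01:58:00Z", "1999-03-02T02:31:12Z", "user-a"),
    ("203.0.113.45", "1999-03-02T02:31:40Z", "1999-03-02T03:05:00Z", "user-b"),
    ("203.0.113.45", "1999-03-02T11:02:19Z", None, "user-c"),
]

LOG_RE = re.compile(
    r"^(\S+)\s+(\w+)\s+(\w+)\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, action, proto, src, dst, dport = m.groups()
        events.append({"time": parse_ts(ts), "action": action, "proto": proto,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def sessions_holding(address: str, at: datetime, sessions=ISP_SESSIONS) -> list:
    """Accounts whose session for `address` covered the instant `at`.

    Zero results means the ISP has no matching record (check clock skew and
    time zones); more than one means overlapping records to resolve.
    """
    hits = []
    for addr, start, end, account in sessions:
        if addr != address:
            continue
        start_ts = parse_ts(start)
        end_ts = parse_ts(end) if end else None
        if start_ts <= at and (end_ts is None or at < end_ts):
            hits.append(account)
    return hits


def attribute(log_text: str, sessions=ISP_SESSIONS) -> list:
    """Map each event to (timestamp, source address, accounts holding it)."""
    return [(ev["time"].isoformat(), ev["src"],
             sessions_holding(ev["src"], ev["time"], sessions))
            for ev in parse_firewall_log(log_text)]


if __name__ == "__main__":
    for when, src, accounts in attribute(FIREWALL_LOG):
        print(when, src, accounts or "NO RECORD")
```

The same address is held by three different subscribers within ten hours, which is exactly why an address alone is not evidence: the timestamp, and agreement on which clock it came from, is what identifies the system.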
Host Access Connections: The most limited type of network access is available as a
user account on a host which is directly connected to the Internet. The user will then
use a terminal to access that host using a standard serial connection. This type of
connection is usually the most inexpensive form of access.
Sneaker-Net Connections: This type of connection is by far the most limiting, since
the computer has no electrical connection to the Internet at all. This type of
connection is the most secure because there is no direct access to the user's
computer by a hacker. If information and programs are required on the computer
they must be transferred from a networked computer to the user's computer via
magnetic media or manually.
All computers with direct, SLIP, and PPP connections must have their own IP
address, and their security administrators must be aware of the vulnerability
concerns associated with these connections. Communications channels work both
ways: a user having access to the Internet implies that the Internet also has access
to that user. Therefore, these computers must be protected and secured to ensure
the Internet has limited access. A terminal user calling using an Internet host has
fewer concerns since the host is where the Internet interface lies. In this situation
the host must take all necessary security precautions.
To connect the various sub-networks and pieces of the Internet together, hardware
equipment is required. The following are definitions of the various terms which are
used to describe this equipment.
the communicating source system and destination system
are on the same side of the bridge, the bridge will not
forward the frame to the other side of the bridge. The
bridge makes no modification to any packets it forwards,
and the bridge operates at layer 2 (data-link) of the OSI
Network Model.
attack. Some cyberwalls also include intrusion detection
software to allow the system to detect an attack of specific
types in progress and effect some levels of defense against
them.
Readers are cautioned that these terms are not always used in a consistent manner
in publications which can cause confusion or misconceptions.
1.1.5 Routing
There are two types of routing used by the Internet: source routing and dynamic
routing. The Internet is a very robust networking system. The network routers will
automatically (dynamically) send out messages to other routers broadcasting routes
to known domains and addresses. If a network or router goes down, packets can be
dynamically rerouted to the destination. The user does not usually know how a
packet will be routed to the destination. The packet could be rerouted through an
untrusted network and intercepted. A router connected to the Internet should be
configured to ignore dynamic routing changes and the routing tables should remain
static. If the routing tables must be changed, then they should be changed by the
network administrator after understanding the reasons for the changes.
Unfortunately this is not usually convenient for Internet connected routers. This is
another example of when a tradeoff must be made. If the router is configured in this
manner then the dynamic routing that the Internet depends on would be disabled. In
this situation your network could be cut off (completely or partially) until the Network
Administrator makes the required changes in the routing tables.
The second type of routing is known as source routing. In this method of routing a
user is able to define a route for the packet between the source and destination. All
packets returning to the destination will follow the route information given. A hacker
can use a source routed packet to spoof another address. Computers and routers
connected to external networks should be configured to ignore source routed
packets.
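The "ignore source routed packets" rule above, as an added example that is not part of the original manual: a small IPv4 header and option-list parser that flags the loose (type 131) and strict (type 137) source-route options from RFC 791 and returns a drop verdict. The packets are constructed in the block (a zero header checksum, no payload); a real filter would validate the checksum first.

```python
"""Flag IPv4 packets carrying a source-route option (LSRR/SSRR).
Added example with constructed packets; not part of the original manual."""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137          # RFC 791 option type values
SOURCE_ROUTE = {IPOPT_LSRR: "loose source route", IPOPT_SSRR: "strict source route"}


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte header and return the raw options bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hlen < 20 or hlen > len(pkt):
        raise ValueError("malformed IPv4 header")
    # Header checksum is not validated here; a filter would do that first.
    return {"src": dotted(src), "dst": dotted(dst), "ttl": ttl,
            "proto": proto, "options": pkt[20:hlen]}


def parse_options(raw: bytes) -> list:
    """Walk the option list, returning (type, body) pairs; stops at EOL."""
    found, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option without a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        found.append((kind, raw[i + 2:i + length]))
        i += length
    return found


def route_hops(body: bytes) -> list:
    """Body of LSRR/SSRR: one pointer byte, then 4-byte hop addresses."""
    addrs = body[1:]
    return [dotted(addrs[k:k + 4]) for k in range(0, len(addrs) - len(addrs) % 4, 4)]


def inspect(pkt: bytes) -> dict:
    """Boundary filter decision: drop anything carrying a source route."""
    hdr = parse_ipv4_header(pkt)
    routes = [{"option": SOURCE_ROUTE[k], "hops": route_hops(body)}
              for k, body in parse_options(hdr["options"]) if k in SOURCE_ROUTE]
    return {"src": hdr["src"], "dst": hdr["dst"], "source_routes": routes,
            "verdict": "drop" if routes else "pass"}


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test packet: protocol 6 (TCP), no payload, zero checksum."""
    options += b"\x00" * ((-len(options)) % 4)          # pad to 32-bit words
    hlen = 20 + len(options)
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (hlen // 4), 0, hlen, 0, 0,
                        64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return fixed + options


# Constructed LSRR option: type 131, length 11, pointer 4, two hop addresses.
LSRR_OPTION = (bytes([IPOPT_LSRR, 11, 4])
               + ip_bytes("198.51.100.7") + ip_bytes("192.0.2.10"))

if __name__ == "__main__":
    print(inspect(build_packet("203.0.113.9", "192.0.2.10", LSRR_OPTION)))
    print(inspect(build_packet("203.0.113.9", "192.0.2.10")))
```

The option walker is written defensively (length below 2, or running past the header, raises) because a filter that crashes or skips on a malformed option list is itself a way past the filter.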
The Internet is a global collection of networks all using the TCP/IP network protocol
suite to communicate. The TCP/IP protocols allow data packets to be transmitted,
and routed from a source computer to a destination computer. Above this set of
protocols reside the applications that allow users to generate data packets. The
following sections describe some of the more common applications as well as some
security vulnerabilities and concerns.
1.2.1 ARCHIE
Archie is a system for locating public files available via anonymous ftp (see ftp for
vulnerability information). A program is run by an Archie site to contact servers with
public files and the program builds a directory of all the files on the servers. Archie
can then be used to search the merged directories for a filename and will provide a
list of all the files that match and the servers on which the files reside. Public Archie
servers are available and can be accessed using telnet, e-mail or an Archie client.
Once the filename/server pair has been found using Archie, ftp can be used to get
the file from the server. Archie can be used to find security related information (e.g. if
one looks up firewall, Archie will give all the matches and locations for information
on firewalls). Archie is limited in that it can only match on filenames exactly (e.g. if
the file contains information on firewalls but the author named it burnbarrier, Archie
will not find it if the search was for firewalls).
Archie can be exploited to locate anonymous ftp sites that provide world writable
areas that can then be used to store and disseminate illegal versions of software. In
this case, a hacker uses the Internet tool to gain legitimate access to the database
and then misuse the information.
Electronic mail is probably the most widely used application on the Internet.
Messages are transported using a specific message format and the simple mail
transport protocol (SMTP). This protocol offers no security features at all. E-mail
messages can be read by a hacker residing on the network between the source and
destination of the message. As well, SMTP e-mail messages can be forged or
modified very easily. The SMTP protocol offers no message integrity or sender
authentication mechanisms.
Some security and a higher level of trust can be provided to SMTP by applying
some cryptographic measures to the message. If message integrity or sender
authentication are required then the application of a digital signature is called for. A
digital signature allows a user to authenticate the e-mail message just as a written
signature authenticates a document in today's paper world. Message confidentiality
can be obtained by applying an encryption algorithm to the message prior to
sending it.
program which allows remote computers more access than required to drop off e-
mail.
SMTP is also commonly implemented in Post Office Protocol version 3 servers (also
known as POP3) and the new IMAP4 protocol used on newer e-mail servers on
Internet.
PEM is a set of standards for adding a security overlay to Internet e-mail providing
message confidentiality and integrity. This set of standards describes a security
protocol that can be used above the common Simple Mail Transport Protocol
(SMTP) or the UNIX-to-UNIX Copy Protocol (UUCP). The PEM security
enhancements provide three security services: message integrity, message origin
authentication, and message confidentiality. The PEM enhancements can be used
as a foundation to provide non-repudiation for electronic commerce applications.
Currently the PEM standard defines the use of the RSA public key algorithm to be
used for key management and digital signature operations, and the DES algorithm
is included for message confidentiality encryption.
The PEM protocols rely on the trusted distribution of the public keys. PEM public
keys are distributed within an X.509 certificate. These certificates are digitally signed
by a certification authority. The PEM user trusts a certification authority to provide
public key certificates. The certification authorities can also cross certify public key
certificates from another certification authority. The certification authorities are
distributed in a hierarchical structure with the Internet Policy Registration Authority
(IPRA) at the top. The IPRA will certify the certification authorities. The IPRA is a
non-government, private agency and may or may not be trusted by an organization.
PGP is a public key encryption package to protect e-mail and data files. It lets you
communicate securely with people you've never met, with no secure channels
needed for prior exchange of keys. It's well featured and fast, with sophisticated key
management, digital signatures, data compression, and good ergonomic design.
This program provides the RSA algorithm for key management and digital
signatures, and uses the IDEA algorithm to provide confidentiality. The program is
available for non-commercial use to Canadian citizens from the site
ftp://ftp.wimsey.bc.ca. There is a commercial version of this program for sale from
ViaCrypt, and an international version available as well. The international version
has the message encryption (IDEA algorithm) functionality removed.
1.2.8 RIPEM — RIORDAN'S INTERNET PRIVACY-ENHANCED MAIL
MIME is an Internet Engineering Task Force (IETF) solution that allows users to
attach non-text objects to Internet messages. A MIME-capable e-mail client can be
configured to automatically retrieve and execute data files that are attached to an e-
mail message. The MIME standard provides a standard method of providing
attachments to e-mail messages. Some of the MIME e-mail programs allow the user
to configure what type of attachments are accepted and how they are interpreted,
other programs are not configurable. Users are cautioned to disable the automatic
execution and interpretation of mail attachments. The attachments can be examined
and processed after the user responds to a prompt. In this configuration the user is
warned that an attachment is going to be processed and the user has the option of
cancelling that processing if they are unsure of the consequences.
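The "prompt before processing" configuration described above, as an added example that is not part of the original manual: a scanner that walks a MIME message, lists its attachments and marks the ones a client must hold for user confirmation instead of acting on automatically. The message is constructed in the block and the suffix and content-type lists are assumptions, not an exhaustive policy.

```python
"""Classify MIME attachments before a client is allowed to act on them.
Added example with a constructed message; not part of the original manual."""
import email
import posixpath
from email import policy

# Suffixes a mail client or shell would treat as executable content (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable",
                    "application/x-msdos-program"}

# Constructed message: one text body, one harmless attachment, one executable
# hiding behind a double extension. The base64 body is the word "constructed".
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.org
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Figures attached.
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--BOUNDARY
Content-Type: application/octet-stream; name="figures.xls.exe"
Content-Disposition: attachment; filename="figures.xls.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--BOUNDARY--
"""


def scan_attachments(raw: str) -> list:
    """Return one record per attachment with the action a cautious client takes."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue                                       # inline body text
        name = posixpath.basename(filename or "unnamed")   # drop any sender-supplied path
        suffix = posixpath.splitext(name)[1].lower()       # last suffix wins: "x.xls.exe" -> ".exe"
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        risky = suffix in EXECUTABLE_SUFFIXES or ctype in EXECUTABLE_TYPES
        report.append({
            "filename": name,
            "content_type": ctype,
            "size": len(payload),
            "action": "hold for user confirmation" if risky else "deliver",
        })
    return report


if __name__ == "__main__":
    for record in scan_attachments(SAMPLE_MESSAGE):
        print(record)
```

The decision is made on the decoded part, not on the Subject or the sender's description, and on the last suffix of the basename, which is what the receiving system will actually act on.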
AFS is a networked file system with similar functionality to NFS. This file system is
newer in design and can interoperate (to some degree) with NFS file systems.
Unlike NFS, the AFS designers placed security in the protocol and incorporated the
Kerberos authentication system into the file protocol.
NFS is a Remote Procedure Call (RPC) based facility which utilizes port 2049. This
facility allows NFS-capable clients to mount a file system on an NFS server located
on the network. Once the NFS file system has been mounted it is treated like a local
file system. If an internal system exports a file system to external systems, then the
file system is available to a hacker across the network. Even if the file system is
exported to only a select set of clients, a hacker may still be able to spoof one of
those clients. As well, it might be possible for a hacker to hijack an
existing NFS connection. NFS should never be allowed across a firewall to an
external network such as the Internet.
1.3.3 FTP — FILE TRANSFER PROTOCOL
FTP allows a user to transfer text or binary files between two networked computers
using ports 20 and 21. The ftp protocol uses a client-server structure with a client
program opening a session on a server. There are many "anonymous ftp servers"
located across the Internet. An anonymous server allows anyone to log on and
retrieve information without any user identification and authentication (the user gives
the username "anonymous" or "ftp").
If an anonymous ftp server allows world writable areas then the server could be
used to distribute malicious or illegal software. A server could also be the source of
computer viruses, trojan horses or other malicious software.
ftp://info.cert.org/pub/tech_tips/anonymous_ftp
1.3.4 GOPHER
For those trivia hounds, it was originally developed at a U.S. university whose
mascot was a gopher…
The ICMP protocol is used to determine routing information and host status. An
ICMP redirect packet is used to inform a router or computer about "new and
improved" routes to a destination. These packets can be forged providing false
routes to a destination to allow an attacker to spoof another system.
Another common ICMP packet is known as the ICMP unreachable message. These
packets indicate problems with a route to a destination address. A false ICMP
unreachable message could be used to deny access to another network or host. If
this type of vulnerability is of concern to your organization then the routing server or
firewall can be configured to ignore ICMP unreachable messages. The drawback of
this configuration is that if the packet is genuine and a host is actually unreachable,
the network routing tables will still not be updated and users will not know that the
host is not available. They will simply be denied access.
Ping is a common ICMP based service. Ping sends a packet to a given destination
which in effect says "Are you alive?" The destination returns an acknowledgement to
the ping or an ICMP unreachable message may be returned by a routing system in
the path. PING also has an ugly and sordid history in its use in network attacks and
in network infiltrations.
ICMP packets should be filtered and not allowed across network boundaries.
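The ICMP redirect and unreachable handling discussed in the two passages above, as an added example that is not part of the original manual: a parser for the 8-byte ICMP header that verifies the RFC 1071 checksum, pulls the proposed gateway out of a redirect, and applies a boundary policy. The policy itself is an assumption chosen to match the text: redirects are always dropped, unreachables are dropped only when the stricter `ignore_unreachable` option is set (with the drawback the text notes), and only echo, unreachable and time-exceeded are otherwise allowed. Messages are constructed in the block.

```python
"""Parse ICMP messages and apply a boundary filter policy.
Added example with constructed messages; not part of the original manual."""
import struct

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos and network", 3: "tos and host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message with a good checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header; for redirects, pull out the gateway."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    itype, code, _csum, _rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": itype, "code": code,
            "name": ICMP_NAMES.get(itype, f"type {itype}"),
            "checksum_ok": inet_checksum(msg) == 0,
            "payload": msg[8:]}
    if itype == 5:
        # Bytes 4-7 carry the address of the "better" gateway the sender proposes.
        info["gateway"] = ".".join(str(b) for b in msg[4:8])
        info["redirect_kind"] = REDIRECT_CODES.get(code, "unknown")
    return info


def filter_icmp(msg: bytes, ignore_unreachable: bool = False) -> tuple:
    """Return (verdict, reason) for a message arriving at a network boundary.

    Assumed policy: echo, unreachable and time-exceeded are the only types
    let through; redirects are always dropped because a forged one rewrites
    the recipient's route. ignore_unreachable is the stricter option the
    text describes, at the cost of hiding genuinely dead hosts.
    """
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "drop", "bad checksum"
    if info["type"] == 5:
        return "drop", f"{info['redirect_kind']} redirect to {info['gateway']}"
    if info["type"] == 3 and ignore_unreachable:
        return "drop", "unreachable ignored by policy"
    if info["type"] in (0, 3, 8, 11):
        return "pass", info["name"]
    return "drop", f"{info['name']} not in allow list"


def build_icmp(itype: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Constructed message with a correct checksum (for tests and demos)."""
    header = struct.pack("!BBHI", itype, code, 0, rest)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", itype, code, csum, rest) + payload


if __name__ == "__main__":
    gateway = int.from_bytes(bytes([203, 0, 113, 1]), "big")
    samples = {
        "redirect": build_icmp(5, 1, gateway, b"\x45" + b"\x00" * 27),
        "echo": build_icmp(8, 0, 0, b"ping"),
        "unreachable": build_icmp(3, 1),
    }
    for label, msg in samples.items():
        print(label, filter_icmp(msg), filter_icmp(msg, ignore_unreachable=True))
```

The checksum check is deliberately first: it only catches corruption, not forgery (anyone can compute it), so the type-based policy is what actually protects the routing table.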
NNTP is an application level protocol which is used to distribute news groups. This
protocol provides an unauthenticated and unsecured transfer service. The
information passed between computers using this protocol is not encrypted and can
be read by anyone with a network monitoring device located in the information
pathway. Since there is no authentication, neither the integrity nor the source of the
information can be guaranteed.
Network news readers are applications which provide the user with access to NNTP.
The news readers usually do not require privileges to run and therefore can only get
access to the files owned by the user running the news reader. One concern with
these applications is that they do not control the flow of information. An organization
cannot control the content of the message; the news reader will not screen
information.
NIS was originally developed and known as "yp or yellow pages". The NIS protocol
acts in a client server type of fashion where the server provides user and host
information to a client. The NIS system provides a central password and host file
system for networks of computers. It is possible for a hacker to inform an NIS client
to use another NIS server to authenticate logins. If this was successful then a
hacker could gain unauthorized access to the client computer.
A hacker can use the NIS protocol to gain information about the network
configuration including host and usernames. The more information that a hacker has
available, the easier it is to break into a system. NIS should never be allowed across
a firewall to an external network such as the Internet.
1.3.10 RPC — REMOTE PROCEDURE CALL
The unfortunate thing about RPCs is that programs, such as certain Windows 32 bit
applications, require RPCs to operate. Because so many ports must be opened to
support the RPC functionality, the additional application flexibility also causes major
and serious security problems.
1.3.11 R-UTILS (RLOGIN, RCP, RSH)
These utilities came with the original Berkeley version of UNIX. These utilities allow a
"trusted" user from a known host to login or execute commands on another network
computer. No user identification and authentication is required, since these systems
assume a trusted user and host. If a hacker was to spoof one of the trusted hosts,
then unauthorized access could be possible. These utilities should never be allowed
across a firewall to the Internet.
1.3.13 TELNET
Telnet is also used as the connection method for most network infrastructure
devices such as routers, bridges and lower-level hardware such as CSU/DSU
facilities on leased lines and frame relay connections. It has great potential to allow
a hacker access to a great deal of very sensitive hardware that can cripple a
network if compromised.
1.3.14 TFTP — TRIVIAL FILE TRANSFER PROTOCOL
TFTP is mainly used for remotely booting another networked computer and
operates on port 69. A computer can initiate a tftp session to a boot server and
transfer the system boot information it requires to start up. This protocol should be
disabled if not required and should never be allowed across a firewall to the Internet.
TFTP can also be used to transfer and deposit information to a networked
computer. An attacker could use this protocol to grab sensitive data, password files
or to deposit compromised system files. TFTP should not be allowed.
TFTP is also the most common protocol used to download bootstrap kernel software
for diskless systems such as routers. Compromise of TFTP host systems on a
network can cause a great deal of security problems for a customer network.
1.3.15 MOTIF
1.3.16 OPENWINDOWS
1.3.17 WINSOCK
Winsock is a Microsoft Windows dynamic link library providing TCP/IP port services
to windows applications. These services allow users to run many Internet tools,
such as Archie, Cello, ftp, Gopher, Mosaic and telnet on an MS-DOS/MS-Windows
computer.
This is another of the WWW family of applications and protocols. (see http for
vulnerability information)
WWW is a new family of applications and protocols developed to provide users with
a convenient method of accessing information across the Internet. (see http for
vulnerability information)
HTTP is the application level protocol used to access world wide web (WWW)
servers and information. Http is similar to the Gopher protocol; it transfers an
information block and a data type description to the client. The client program
(Internet Explorer, Mosaic, Lynx, and Netscape Navigator are common client
applications) is responsible for interpreting the information and presenting it to the
user in the correct form. As with the Gopher protocol, executable code is a valid
data type to be retrieved. Some client programs can be configured to automatically
interpret and process the information that is retrieved. If this protocol is supported
care should be taken to configure client programs to prompt prior to executing any
script or executable programs. Any executable code retrieved should be scanned for
viruses, trojan horses or other malicious activities before being executed.
Another standard in progress is the SSL or Secure Sockets Layer activity. This
standard provides a security layer between the TCP and application protocol layers.
SSL can be used to provide integrity (proof of sender) and confidentiality for any
TCP data stream. This security protocol can be used with all application level
protocols, not just http.
Section References
2.0 Security
2.1 Security Policy
2.1.0 What is a Security Policy and Why Have One?
Your goals should be communicated to all users, operations staff, and managers
through a set of security rules, called a "security policy." We are using this term,
rather than the narrower "computer security policy" since the scope includes all
types of information technology and the information stored and manipulated by the
technology.
2.1.1 Definition of a Security Policy
A security policy is a formal statement of the rules by which people who are given
access to an organization's technology and information assets must abide.
The main purpose of a security policy is to inform users, staff and managers of their
obligatory requirements for protecting technology and information assets. The
policy should specify the mechanisms through which these requirements can be
met. Another purpose is to provide a baseline from which to acquire, configure and
audit computer systems and networks for compliance with the policy. Therefore, an
attempt to use a set of security tools in the absence of at least an implied security
policy is meaningless.
Another major use of an AUP is to spell out, exactly, the corporate position on
privacy issues and intellectual property issues. In some countries, if the company
does not explicitly state that e-mail is not secure, it is considered to be so and any
breach could cause privacy and confidentiality liabilities. It is very important to spell
out what is and is not acceptable in intellectual transfers and storage and what the
corporate privacy policies are to prevent litigation about same.
An Appropriate Use Policy (AUP) may also be part of a security policy. It should
spell out what users shall and shall not do on the various components of the system,
including the type of traffic allowed on the networks. The AUP should be as explicit
as possible to avoid ambiguity or misunderstanding. For example, an AUP might list
any prohibited USENET newsgroups. (Note: Appropriate Use Policy is referred to as
Acceptable Use Policy by some sites.)
In order for a security policy to be appropriate and effective, it needs to have the
acceptance and support of all levels of employees within the organization. It is
especially important that corporate management fully support the security policy
process otherwise there is little chance that they will have the intended impact. The
following is a list of individuals who should be involved in the creation and review of
security policy documents:
audit personnel. Involving this group is important if resulting policy statements are
to reach the broadest possible acceptance. It is also relevant to mention that the role
of legal counsel will also vary from country to country.
7. An Information Technology System & Network Maintenance Policy
which describes how both internal and external maintenance
people are allowed to handle and access technology. One
important topic to be addressed here is whether remote
maintenance is allowed and how such access is controlled.
Another area for consideration here is outsourcing and how it is
managed.
There may be regulatory requirements that affect some aspects of your security
policy (e.g., line monitoring). The creators of the security policy should consider
seeking legal assistance in the creation of the policy. At a minimum, the policy
should be reviewed by legal counsel.
Once your security policy has been established it should be clearly communicated
to users, staff, and management. Having all personnel sign a statement indicating
that they have read, understood, and agreed to abide by the policy is an important
part of the process. Finally, your policy should be reviewed on a regular basis to see
if it is successfully supporting your security needs.
In order for a security policy to be viable for the long term, it requires a lot of flexibility
based upon an architectural security concept. A security policy should be (largely)
independent from specific hardware and software situations (as specific systems tend to
be replaced or moved overnight). The mechanisms for updating the policy should be
clearly spelled out. This includes the process, the people involved, and the people who
must sign-off on the changes. It is also important to recognize that there are exceptions to
every rule. Whenever possible, the policy should spell out what exceptions to the general
policy exist. For example, under what conditions is a system administrator allowed to go
through a user's files. Also, there may be some cases when multiple users will have
access to the same userid. For example, on systems with a "root" user, multiple system
administrators may know the password and use the root account.
2.2 Threats
A threat can be any person, object, or event that, if realized, could potentially
cause damage to the LAN. Threats can be malicious, such as the intentional
modification of sensitive information, or can be accidental, such as an error in a
calculation, or the accidental deletion of a file. Threats can also be acts of nature,
i.e. flooding, wind, lightning, etc. The immediate damage caused by a threat is
referred to as an impact.
Identifying threats requires one to look at the impact and consequence of the threat
if it is realized. The impact of the threat, which usually points to the immediate near-
term problems, results in disclosure, modification, destruction, or denial of service.
The more significant long-term consequences of the threat being realized are the
result of lost business, violation of privacy, civil law suits, fines, loss of human life or
other long term effects. The approach taken here is to categorize the types of
impacts that can occur on a LAN so that specific technical threats can be grouped
by the impacts and examined in a meaningful manner. For example, the technical
threats that can lead to the impact ‘LAN traffic compromise’ in general can be
distinguished from those threats that can lead to the impact ‘disruption of LAN
functionalities’. It should be recognized that many threats may result in more than
one impact; however, for this discussion a particular threat will be discussed only in
conjunction with one impact. The impacts that will be used to categorize and discuss
the threats to a LAN environment are:
• Disclosure of LAN traffic - results from an individual accessing or reading
information and possibly revealing the information in an accidental or
unauthorized intentional manner as it moves through the LAN.
• Spoofing of LAN traffic - results when a message appears to have been sent
from a legitimate, named sender, when actually the message had not been.
• Disruption of LAN functions - results from threats that block LAN resources
from being available in a timely manner.
LANs provide file sharing, printer sharing, file storage sharing, etc. Because
resources are shared and not used solely by one individual there is need for control
of the resources and accountability for use of the resources. Unauthorized LAN
access occurs when someone, who is not authorized to use the LAN, gains access
to the LAN (usually by acting as a legitimate user of the LAN). Three common methods
used to gain unauthorized access are password sharing, general password
guessing and password capturing. Password sharing allows an unauthorized user to
have the LAN access and privileges of a legitimate user; with the legitimate user’s
knowledge and acceptance. General password guessing is not a new means of
unauthorized access. Password capturing is a process in which a legitimate user
unknowingly reveals the user’s login ID and password. This may be done through
the use of a trojan horse program that appears to the user as a legitimate login
program; however, the trojan horse program is designed to capture passwords.
Capturing a login ID and password as it is transmitted across the LAN unencrypted
is another method used to ultimately gain access. The methods to capture cleartext
LAN traffic, including passwords, are readily available today. Unauthorized LAN
access can occur by exploiting the following types of vulnerabilities:
One of the benefits of using a LAN is that many resources are readily available to
many users, rather than each user having limited dedicated resources. These
resources may include file stores, applications, printers, data, etc. However, not all
resources need to be made available to each user. To prevent compromising the
security of the resource (i.e. corrupting the resource, or lessening the availability of
the resource), only those who require the use of the resource should be permitted to
utilize that resource. Unauthorized access occurs when a user, legitimate or
unauthorized, accesses a resource that the user is not permitted to use.
Unauthorized access may occur simply because the access rights assigned to the
resource are not assigned properly. However, unauthorized access may also occur
because the access control mechanism or the privilege mechanism is not granular
enough. In these cases, the only way to grant the user the needed access rights or
privileges to perform a specific function is to grant the user more access than is
needed, or more privileges than are needed. Unauthorized access to LAN resources
can occur by exploiting the following types of vulnerabilities:
• use of system default permission settings that are too permissive to users,
• improper use of administrator or LAN manager privileges,
• data that is stored with an inadequate level or no protection assigned,
• lack of or the improper use of the privilege mechanism for users,
• PCs that utilize no access control on a file level basis.
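The first and third items in the list above (over-permissive default settings, data stored with inadequate protection), as an added example that is not part of the original manual: a small audit that walks a directory tree and reports world-writable entries, setuid/setgid files, and files whose mode is wider than the owner intended. The sample tree is constructed in a temporary directory and the example assumes a POSIX file system.

```python
"""Audit a directory tree for permissions wider than the resource needs.
Added example with a constructed tree; assumes a POSIX file system.
Not part of the original manual."""
import os
import shutil
import stat
import tempfile


def audit_tree(root: str, expected: dict = None) -> list:
    """Return (relative path, finding, actual mode) triples.

    `expected` maps relative paths to the widest mode their owners intend;
    any extra bit set on the file is reported.
    """
    expected = expected or {}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # World-writable is the classic over-permissive default; a sticky
            # directory (like /tmp) is the one accepted exception.
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable", oct(mode)))
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid", oct(mode)))
            if rel in expected and mode & ~expected[rel]:
                findings.append((rel, f"wider than intended {oct(expected[rel])}", oct(mode)))
    return findings


def build_sample_tree() -> str:
    """Constructed tree: a shared area left at its permissive default."""
    root = tempfile.mkdtemp(prefix="lan-audit-")
    os.makedirs(os.path.join(root, "shared"))
    files = {"shared/report.doc": 0o666, "shared/readme.txt": 0o644, "payroll.dat": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "shared"), 0o777)
    return root


def run_sample_audit() -> list:
    """Build the sample tree, audit it against an intended mode for payroll.dat, clean up."""
    root = build_sample_tree()
    try:
        return audit_tree(root, expected={"payroll.dat": 0o640})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, finding, mode in run_sample_audit():
        print(f"{rel:20} {mode:6} {finding}")
```

The `expected` map is the useful part in practice: a world-writable check only finds the grossest defaults, whereas comparing against the mode each resource is supposed to have finds the payroll file that is merely readable by everyone.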
Disclosure of Data
As LANs are utilized throughout an agency or department, some of the data stored
or processed on a LAN may require some level of confidentiality. The disclosure of
LAN data or software occurs when the data or software is accessed, read and
possibly released to an individual who is not authorized for the data. This can occur
by someone gaining access to information that is not encrypted, or by viewing
monitors or printouts of the information. The compromise of LAN
data can occur by exploiting the following types of vulnerabilities:
• improper access control settings,
• data, that has been deemed sensitive enough to warrant encryption, stored in
unencrypted form,
• application source code stored in unencrypted form,
• monitors viewable in high traffic areas,
• printer stations placed in high traffic areas,
• data and software backup copies stored in open areas.
Because LAN users share data and applications, changes to those resources must
be controlled. Unauthorized modification of data or software occurs when
unauthorized changes (additions, deletions or modifications) are made to a file or
program.
When undetected modifications to data are present for long periods of time, the
modified data may be spread through the LAN, possibly corrupting databases,
spreadsheet calculations, and other various application data. This can damage the
integrity of most application information.
When undetected software changes are made, all system software can become
suspect, warranting a thorough review (and perhaps reinstallation) of all related
software and applications. These unauthorized changes can be made in simple
command programs (for example in PC batch files), in utility programs used on
multi-user systems, in major application programs, or any other type of software.
They can be made by unauthorized outsiders, as well as those who are authorized
to make software changes (although the changes they make are not authorized).
These changes can divert information (or copies of the information) to other
destinations, corrupt the data as it is processed, or harm the availability of system or
LAN services.
PC viruses can be a nuisance to any organization that does not choose to provide
LAN users the tools to effectively detect and prevent virus introduction to the LAN.
Currently viruses have been limited to corrupting PCs, and generally do not corrupt
LAN servers (although viruses can use the LAN to infect PCs). [WACK89] provides
guidance on detecting and preventing viruses.
The unauthorized modification of data and software can occur by exploiting the
following types of vulnerabilities:
• write permission granted to users who only require read permission to access,
• undetected changes made to software, including the addition of code to create a
trojan horse program,
• lack of a cryptographic checksum on sensitive data,
• privilege mechanisms that allow unnecessary write permission,
• lack of virus protection and detection tools.
The disclosure of LAN traffic occurs when someone who is unauthorized reads, or
otherwise obtains, information as it is moved through the LAN. LAN traffic can be
compromised by listening and capturing traffic transmitted over the LAN transport
media (tapping into a network cable, listening to traffic transmitted over the air,
misusing a provided network connection by attaching an analysis device, etc.).
Many users realize the importance of confidential information when it is stored on
their workstations or servers; however, it is also important to maintain that
confidentiality as the information travels through the LAN. Information that can be
compromised in this way includes system and user names, passwords, electronic
mail messages, application data, etc. For example, even though passwords may be
in an encrypted form when stored on a system, they can be captured in plaintext as
they are sent from a workstation or PC to a file server. Electronic mail message files,
which usually have very strict access rights when stored on a system, are often sent
in plaintext across a wire, making them an easy target for capturing. The
compromise of LAN traffic can occur by exploiting the following types of
vulnerabilities:
Messages transmitted over the LAN need to contain some sort of addressing
information that reports the sending address of the message and the receiving
address of the message (along with other pieces of information). Spoofing of LAN
traffic involves (1) the ability to receive a message by masquerading as the
legitimate receiving destination, or (2) masquerading as the sending machine and
sending a message to a destination. To masquerade as a receiving machine, the
LAN must be persuaded into believing that the destination address is the legitimate
address of the machine. (Receiving LAN traffic can also be done by listening to
messages as they are broadcast to all nodes.) Masquerading as the sending
machine to deceive a receiver into believing the message was legitimately sent can
be done by masquerading the address, or by means of a playback. A playback
involves capturing a session between a sender and receiver, and then retransmitting
that message (either with the header only, and new message contents, or the whole
message). The spoofing of LAN traffic or the modification of LAN traffic can occur by
exploiting the following types of vulnerabilities:
A variety of threats face today's computer systems and the information they
process. In order to control the risks of operating an information system, managers
and users must know the vulnerabilities of the system and the threats, which may
exploit them. Knowledge of the threat environment allows the system manager to
implement the most cost-effective security measures. In some cases, managers
may find it most cost-effective to simply tolerate the expected losses.
The following threats and associated losses are based on their prevalence and
significance in the current computing environment and their expected growth. The
list is not exhaustive; some threats may combine elements from more than one
area.
Users, data entry clerks, system operators, and programmers frequently make
unintentional errors, which contribute to security problems, directly and indirectly.
Sometimes the error is the threat, such as a data entry error or a programming error
that crashes a system. In other cases, errors create vulnerabilities. Errors can
occur in all phases of the system life cycle. Programming and development errors,
often called bugs, range in severity from benign to catastrophic. In the past decade,
software quality has improved measurably to reduce this threat, yet software "horror
stories" still abound. Installation and maintenance errors also cause security
problems. Errors and omissions are important threats to data integrity. Errors are
caused not only by data entry clerks processing hundreds of transactions per day,
but also by all users who create and edit data. Many programs, especially those
designed by users for personal computers, lack quality control measures. However,
even the most sophisticated programs cannot detect all types of input errors or
omissions.
The computer age saying "garbage in, gospel out" contains a large measure of truth.
People often assume that the information they receive from a computer system is
more accurate than it really is. Many organizations address errors and omissions in
their computer security, software quality, and data quality programs.
a broken water pipe. System owners must realize that more loss is associated with
fires and floods than with viruses and other more widely publicized threats. A loss of
infrastructure often results in system downtime, sometimes in unexpected ways.
For example, employees may not be able to get to work during a winter storm,
although the computer system may be functional.
Hackers, sometimes called crackers, are a real and present danger to most
organizational computer systems linked by networks. From outside the
organization, sometimes from another continent, hackers break into computer
systems and compromise the privacy and integrity of data before the unauthorized
access is even detected. Although insiders cause more damage than hackers do,
the hacker problem remains serious and widespread.
The effect of hacker activity on the public switched telephone network has been
studied in depth. Studies by the National Research Council and the National
Security Telecommunications Advisory Committee show that hacker activity is not
limited to toll fraud. It also includes the ability to break into telecommunications
systems (such as switches) resulting in the degradation or disruption of system
availability. While unable to reach a conclusion about the degree of threat or risk,
these studies underscore the ability of hackers to cause serious damage.
The hacker threat often receives more attention than more common and dangerous
threats. The U.S. Department of Justice's Computer Crime Unit suggests three
reasons. First, the hacker threat is a more recently encountered threat.
Organizations have always had to worry about the actions of their own employees
and could use disciplinary measures to reduce that threat. However, these controls
are ineffective against outsiders who are not subject to the rules and regulations of
the employer.
Secondly, organizations do not know the purposes of a hacker; some hackers only
browse, some steal, some damage. This inability to identify purposes can suggest
that hacker attacks have no limitations. Finally, hacker attacks make people feel
vulnerable because the perpetrators are unknown.
Industrial espionage is on the rise. The most damaging types of stolen information
include manufacturing and product development information. Other types of
information stolen include sales and cost data, client lists, and research and
planning information.
Within the area of economic espionage, the Central Intelligence Agency states that
the main objective is obtaining information related to technology, but that information
on U.S. government policy deliberations concerning foreign affairs and information
on commodities, interest rates, and other economic factors is also a target. The
Federal Bureau of Investigation concurs that technology-related information is the
main target, but also cites corporate proprietary information such as negotiating
positions and other contracting data as a target.
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other
"uninvited" software. Malicious code is sometimes mistakenly associated only with
personal computers, but can also attack systems that are more sophisticated.
However, actual costs attributed to the presence of malicious code have resulted
primarily from system outages and staff time involved in repairing the systems.
Nonetheless, these costs can be significant.
Trojan Horse: A program that performs a desired task, but also includes unexpected
(and undesirable) functions. Consider as an example an editing program for a
multi-user system. This program could be modified to randomly delete one of the
users' files each time they perform a useful function (editing) but the deletions are
unexpected and definitely undesired!
The number of known viruses is increasing, and the rate of virus incidents is
growing moderately. Most organizations use anti-virus software and other
protective measures to limit the risk of virus infection.
Identification and authentication - is the security service that helps ensure that
the LAN is accessed by only authorized individuals.
Access control - is the security service that helps ensure that LAN resources are
being utilized in an authorized manner.
Data and message confidentiality - is the security service that helps ensure that
LAN data, software and messages are not disclosed to unauthorized parties.
Data and message integrity - is the security service that helps ensure that LAN
data, software and messages are not modified by unauthorized parties.
Non-repudiation - is the security service by which the entities involved in a
communication cannot deny having participated. Specifically the sending entity
cannot deny having sent a message (non-repudiation with proof of origin) and the
receiving entity cannot deny having received a message (non-repudiation with proof
of delivery).
Logging and Monitoring - is the security service by which uses of LAN resources
can be traced throughout the LAN.
The first step toward securing the resources of a LAN is the ability to verify the
identities of users [BNOV91]. The process of verifying a user’s identity is referred to
as authentication. Authentication provides the basis for the effectiveness of other
controls used on the LAN. For example the logging mechanism provides usage
information based on the userid. The access control mechanism permits access to
LAN resources based on the userid. Both these controls are only effective under the
assumption that the requestor of a LAN service is the valid user assigned to that
specific userid.
Identification requires the user to be known by the LAN in some manner. This is
usually based on an assigned userid. However the LAN cannot trust the validity that
the user is in fact, who the user claims to be, without being authenticated. The
authentication is done by having the user supply something that only the user has,
such as a token, something that only the user knows, such as a password, or
something that makes the user unique, such as a fingerprint. The more of these that
the user has to supply, the less risk in someone masquerading as the legitimate
user.
A requirement specifying the need for authentication should exist in most LAN
policies. The requirement may be directed implicitly in a program level policy
stressing the need to effectively control access to information and LAN resources, or
may be explicitly stated in a LAN specific policy that states that all users must be
uniquely identified and authenticated.
consisting of pronounceable syllables have more potential of being remembered
than generators that produce purely random characters. [FIPS180] specifies an
algorithm that can be used to produce random pronounceable passwords.
Password checkers are programs that enable a user to determine whether a new
password is considered easy to guess, and thus unacceptable.
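As an added illustration of the password checker just described (this is example code written for this manual's reader, not a program from the original text or from any of the cited standards), the following Python function applies the usual easy-to-guess tests: minimum length, character-class variety, a dictionary match after undoing common letter-for-symbol substitutions, presence of the userid, and keyboard or numeric sequences. The word list, thresholds and function names are this example's own assumptions; a deployed checker would load a full dictionary file.

```python
import re
from typing import List

# Constructed stand-in for the word list a real checker would load from a
# dictionary file; the names and thresholds in this block are assumptions.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "secret", "summer", "winter", "monkey", "dragon"}

# Undo the usual letter-for-symbol substitutions (p@ssw0rd -> password).
LEET = str.maketrans("0134578@$!", "oieastbasi")

SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
             "abcd", "qwer", "asdf", "zxcv")


def normalise(candidate: str) -> str:
    """Lower-case, drop trailing digits and undo substitutions so that
    dictionary matching sees the underlying word."""
    return re.sub(r"\d+$", "", candidate.lower()).translate(LEET)


def check_password(candidate: str, userid: str = "",
                   min_length: int = 8) -> List[str]:
    """Return the reasons a proposed password counts as easy to guess.
    An empty list means it passed every check."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    base = normalise(candidate)
    if base in COMMON_WORDS or base[::-1] in COMMON_WORDS:
        reasons.append("based on a dictionary word")
    if userid and userid.lower() in candidate.lower():
        reasons.append("contains the userid")
    if re.fullmatch(r"(.)\1+", candidate):
        reasons.append("single repeated character")
    lowered = candidate.lower()
    if any(seq in lowered for seq in SEQUENCES):
        reasons.append("contains a keyboard or numeric sequence")
    return reasons


def is_acceptable(candidate: str, userid: str = "") -> bool:
    """True when the checker finds nothing to object to."""
    return not check_password(candidate, userid)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "scott1234", "Mq7!vbL2pX#e"):
        print(pw, check_password(pw, userid="scott") or "acceptable")
```

The normalisation step is what separates a useful checker from a naive one: "P@ssw0rd1" passes a length-and-character-class test but is still the dictionary word "password" once substitutions and the trailing digit are removed.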
Password-only mechanisms, especially those that transmit the password in the clear
(in an unencrypted form) are susceptible to being monitored and captured. This can
become a serious problem if the LAN has any uncontrolled connections to outside
networks. Agencies that are considering connecting their LANs to outside networks,
particularly the Internet, should examine [BJUL93] before doing so. If, after
considering all authentication options, LAN policy determines that password-only
systems are acceptable, the proper management of password creation, storage,
expiration and destruction become all the more important. [FIPS 112] provides
guidance on password management. [NCSC85] provides additional guidance that
may be considered appropriate.
Because of the vulnerabilities that still exist with the use of password-only
mechanisms, more robust mechanisms can be used. [BNOV91] discusses
advances that have been made in the areas of token-based authentication and the
use of biometrics. A smartcard based or token based mechanism requires that a
user be in possession of the token and additionally may require the user to know a
PIN or password. These devices then perform a challenge/response authentication
scheme using realtime parameters. Using realtime parameters helps prevent an
intruder from gaining unauthorized access through a login session playback. These
devices may also encrypt the authentication session, preventing the compromise of
the authentication information through monitoring and capturing.
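The following Python block is an added example (not code from the original manual or from [BNOV91]) of the challenge/response scheme with real-time parameters described above, written from the server's side so that the reason a login-session playback fails is visible: each challenge carries a random nonce and a timestamp, is accepted only once, and expires. The shared token secret, the userid "scott", the lifetime and all function names are this example's own assumptions; a real token would hold its key in tamper-resistant hardware.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret shared between the user's token and the server.
TOKEN_SECRET = b"constructed-token-secret-for-userid-scott"

CHALLENGE_LIFETIME = 30  # seconds a challenge stays valid (assumed value)


def compute_response(secret: bytes, userid: str, nonce: str, issued: float) -> str:
    """What the token computes: an HMAC over the challenge parameters.
    The secret never leaves the token; only this HMAC crosses the LAN."""
    msg = f"{userid}|{nonce}|{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Issues fresh challenges and verifies responses. Every challenge is
    single-use and time-limited, so a captured response is useless later."""

    def __init__(self, secrets_by_user, clock=time.time):
        self._secrets = secrets_by_user
        self._clock = clock          # injectable so the demo can move time
        self._outstanding = {}       # nonce -> (userid, issued_at)

    def issue_challenge(self, userid: str) -> dict:
        nonce = secrets.token_hex(16)
        issued = self._clock()
        self._outstanding[nonce] = (userid, issued)
        # The real-time parameters: a random nonce and the issue time.
        return {"userid": userid, "nonce": nonce, "issued": issued}

    def verify(self, userid: str, nonce: str, response: str) -> bool:
        entry = self._outstanding.pop(nonce, None)   # consume it: single use
        if entry is None or entry[0] != userid:
            return False                             # unknown or replayed nonce
        issued = entry[1]
        if self._clock() - issued > CHALLENGE_LIFETIME:
            return False                             # stale challenge
        secret = self._secrets.get(userid)
        if secret is None:
            return False
        expected = compute_response(secret, userid, nonce, issued)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo_playback():
    """Run a legitimate login, then replay the captured response, then
    answer a challenge too late. Returns (first_ok, replay_ok, stale_ok)."""
    now = [1_000_000.0]
    server = AuthServer({"scott": TOKEN_SECRET}, clock=lambda: now[0])

    ch = server.issue_challenge("scott")
    resp = compute_response(TOKEN_SECRET, "scott", ch["nonce"], ch["issued"])
    first = server.verify("scott", ch["nonce"], resp)

    # Someone who monitored the LAN now plays back the captured (nonce, resp).
    replay = server.verify("scott", ch["nonce"], resp)

    # A correct answer to a fresh challenge, delivered after the lifetime expired.
    ch2 = server.issue_challenge("scott")
    resp2 = compute_response(TOKEN_SECRET, "scott", ch2["nonce"], ch2["issued"])
    now[0] += CHALLENGE_LIFETIME + 1
    stale = server.verify("scott", ch2["nonce"], resp2)
    return first, replay, stale


if __name__ == "__main__":
    print(demo_playback())   # expected: (True, False, False)
```

Because the password-equivalent (the token secret) is never transmitted, capturing the authentication session yields only a response that is bound to one nonce and one time window; that is the property the text attributes to "realtime parameters".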
Locking mechanisms for LAN devices, workstations, or PCs that require user
authentication to unlock can be useful to users who must leave their work areas
frequently. These locks allow users to remain logged into the LAN and leave their
work areas (for an acceptable short period of time) without exposing an entry point
into the LAN.
Modems that provide users with LAN access may require additional protection. An
intruder that can access the modem may gain access by successfully guessing a
user password. The availability of modem use to legitimate users may also become
an issue if an intruder is allowed continual access to the modem.
Mechanisms that provide a user with his or her account usage information may alert
the user that the account was used in an abnormal manner (e.g. multiple login
failures). These mechanisms include notifications such as date, time, and location of
last successful login, and number of previous login failures. The type of security
mechanisms that could be implemented to provide the identification and
authentication service are listed below.
• real-time user verification mechanism,
• cryptography with unique user keys.
This service protects against the unauthorized use of LAN resources, and can be
provided by the use of access control mechanisms and privilege mechanisms. Most
file servers and multi-user workstations provide this service to some extent.
However, PCs which mount drives from the file servers usually do not. Users must
recognize that files used locally from a mounted drive are under the access control
of the PC. For this reason it may be important to incorporate access control,
confidentiality and integrity services on PCs to whatever extent possible.
Access control mechanisms exist that support access granularity for acknowledging
an owner, a specified group of users, and the world (all other authorized users). This
allows the owner of the file (or directory) to have different access rights than all
other users, and allows the owner to specify different access rights for a specified
group of people, and also for the world. Generally access rights allow read access,
write access, and execute access. Some LAN operating systems provide additional
access rights that allow updates, append only, etc.
A LAN operating system may implement user profiles, capability lists or access
control lists to specify access rights for many individual users and many different
groups. Using these mechanisms allows more flexibility in granting different access
rights to different users, which may provide more stringent access control for the file
(or directory). (These more flexible mechanisms prevent having to give a user more
access than necessary, a common problem with the three level approach.) Access
control lists assign the access rights of named users and named groups to a file or
directory. Capability lists and user profiles assign the files and directories that can
be accessed by a named user.
User access may exist at the directory level, or the file level. Access control at the
directory level places the same access rights on all the files in the directory. For
example, a user that has read access to the directory can read (and perhaps copy)
any file in that directory. Directory access rights may also provide an explicit
negative access that prevents the user from any access to the files in the directory.
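To make the owner/group/world model, access control lists and directory-level explicit negative access concrete, here is an added Python example (written for this manual's reader; it is not code from the original text or from any LAN operating system). It evaluates a request by walking from the root directory down to the file: rights granted on a directory apply to the files in it, ACL entries for named users and groups refine the three-level rights, and an explicit deny at any level wins. The file tree, user names, group names and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

READ, WRITE, EXECUTE = "r", "w", "x"


@dataclass
class AclEntry:
    principal: str        # "user:<userid>" or "group:<name>"
    rights: Set[str]
    deny: bool = False    # True = explicit negative access


@dataclass
class Resource:
    owner: str
    group: str
    owner_rights: Set[str]
    group_rights: Set[str]
    world_rights: Set[str]
    acl: List[AclEntry] = field(default_factory=list)


def three_level_rights(res: Resource, user: str, groups: Set[str]) -> Set[str]:
    """The owner/group/world model: the first category that fits decides."""
    if user == res.owner:
        return res.owner_rights
    if res.group in groups:
        return res.group_rights
    return res.world_rights


def acl_applies(principal: str, user: str, groups: Set[str]) -> bool:
    kind, name = principal.split(":", 1)
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def rights_at(res: Resource, user: str, groups: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(allowed, denied) for one resource: three-level rights refined by the
    ACL, with explicit deny entries collected separately."""
    allowed = set(three_level_rights(res, user, groups))
    denied: Set[str] = set()
    for entry in res.acl:
        if acl_applies(entry.principal, user, groups):
            (denied if entry.deny else allowed).update(entry.rights)
    return allowed, denied


def can_access(fs: Dict[str, Resource], path: str, user: str,
               groups: Set[str], right: str) -> bool:
    """Walk from "/" down to the file. Rights on a directory carry over to
    the files in it; an explicit deny at any level blocks the access."""
    parts = path.split("/")
    granted: Set[str] = set()
    for i in range(1, len(parts) + 1):
        node = fs["/".join(parts[:i]) or "/"]
        allowed, denied = rights_at(node, user, groups)
        if right in denied:
            return False
        granted |= allowed
    return right in granted


# Constructed tree: a payroll directory whose group may read it, one temp
# user carved out by a negative entry, and one outsider granted by name.
FS: Dict[str, Resource] = {
    "/": Resource("root", "admins", {READ, WRITE, EXECUTE}, {READ, EXECUTE}, set()),
    "/payroll": Resource("jeff", "payroll", {READ, WRITE, EXECUTE}, {READ, EXECUTE}, set(),
                         acl=[AclEntry("user:temp01", {READ, WRITE, EXECUTE}, deny=True)]),
    "/payroll/salaries.xls": Resource("jeff", "payroll", {READ, WRITE}, {READ}, set(),
                                      acl=[AclEntry("user:scott", {READ, WRITE})]),
}

if __name__ == "__main__":
    for user, groups in (("jeff", {"payroll"}), ("alice", {"payroll"}),
                         ("temp01", {"payroll"}), ("scott", {"eng"}), ("bob", {"eng"})):
        print(user, [r for r in (READ, WRITE) if can_access(FS, "/payroll/salaries.xls", user, groups, r)])
```

The ACL entries are what let the administrator avoid the "give the user more access than necessary" problem the text mentions: scott gets read and write on one file without joining the payroll group, and temp01 is excluded from the whole directory without leaving the group.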
Some LAN implementations control how a file can be accessed. (This is in addition
to controlling who can access the file.) Implementations may provide a parameter
that allows an owner to mark a file sharable, or locked. Sharable files accept
multiple accesses to the file at the same time. A locked file will permit only one user
to access it. If a file is a read only file, making it sharable allows many users to read
it at the same time.
These access controls can also be used to restrict usage between servers on the
LAN. Many LAN operating systems can restrict the type of traffic sent between
servers. There may be no restrictions, which implies that all users may be able to
access resources on all servers (depending on the user's access rights on a
particular server). Some restrictions may be in place that allow only certain types of
traffic, for example only electronic mail messages, and further restrictions may allow
no exchange of traffic from server to server. The LAN policy should determine what
types of information need to be exchanged between servers. Information that is not
necessary to be shared between servers should then be restricted.
• access control mechanism using access rights (defining owner, group, world
permissions),
• access control mechanism using access control lists, user profiles, capability
lists,
• access control using mandatory access control mechanisms (labels),
• granular privilege mechanism,
The data and message confidentiality service can be used when the secrecy of
information is necessary. As a front line protection, this service may incorporate
mechanisms associated with the access control service, but can also rely on
encryption to provide further secrecy protection. Encrypting information converts it to
an unintelligible form called ciphertext, decrypting converts the information back to
its original form. Sensitive information can be stored in the encrypted, ciphertext,
form. In this way if the access control service is circumvented, the file may be
accessed but the information is still protected by being in encrypted form. (The use
of encryption may be critical on PCs that do not provide an access control service
as a front line protection.)
A strong policy statement should dictate to users the types of information that are
deemed sensitive enough to warrant encryption. A program level policy may dictate
the broad categories of information that need to be stringently protected, while a
system level policy may detail the specific types of information and the specific
environments that warrant encryption protection. At whatever level the policy is
dictated, the decision to use encryption should be made by the authority within the
organization charged with ensuring protection of sensitive information. If a strong
policy does not exist that defines what information to encrypt, then the data owner
should ultimately make this decision.
Cryptography can be categorized as either secret key or public key. Secret key
cryptography is based on the use of a single cryptographic key shared between two
parties. The same key is used to encrypt and decrypt data. This key is kept secret
by the two parties. If encryption of sensitive but unclassified information (except
Warner Amendment information) is needed, the use of the Data Encryption
Standard (DES), FIPS 46-2, is required unless a waiver is granted by the head of
the federal agency. The DES is a secret key algorithm used in a cryptographic
system that can provide confidentiality. FIPS 46-2 provides for the implementation of
the DES algorithm in hardware, software, firmware or some combination. This is a
change from 46-1 which only provided for the use of hardware implementations. For
an overview of DES, information addressing the applicability of DES, and waiver
procedures see [NCSL90].
Public key cryptography is a form of cryptography which makes use of two keys: a
public key and a private key. The two keys are related but have the property that,
given the public key, it is computationally infeasible to derive the private key [FIPS
140-1]. In a public key cryptosystem, each party has its own public/private key pair.
The public key can be known by anyone; the private key is kept secret. An example
for providing confidentiality is as follows: two users, Scott and Jeff, wish to exchange
sensitive information, and maintain the confidentiality of that information. Scott can
encrypt the information with Jeff’s public key. The confidentiality of the information is
maintained since only Jeff can decrypt the information using his private key. There
is currently no FIPS approved public-key encryption algorithm for confidentiality.
Agencies must waive FIPS 46-2 to use a public-key encryption algorithm for
confidentiality. Public key technology, in the form of digital signatures, can also
provide integrity and non-repudiation.
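The Scott-and-Jeff exchange above, and the digital-signature use of the same key pair that the text goes on to describe under data and message integrity, as an added Python example (not code from the original manual, from FIPS 186, or from any approved implementation). It uses textbook RSA on fixed Mersenne primes so that it runs with nothing but the standard library: this is a classroom toy with no padding and a tiny modulus, and the key material, names and function names are all constructed for the example. The point it shows is the asymmetry: anything encrypted with Jeff's public key is recovered only by Jeff's private key, and a signature made with Scott's private key is checked with Scott's public key.

```python
import hashlib

# Constructed key material: Mersenne primes, chosen only so no key generation
# or third-party library is needed. Far too small for real use.
SCOTT_PRIMES = (2**107 - 1, 2**127 - 1)
JEFF_PRIMES = (2**61 - 1, 2**89 - 1)
E = 65537


def make_keypair(p: int, q: int):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse, Python 3.8+
    return (n, E), (n, d)


def max_bytes(n: int) -> int:
    return (n.bit_length() - 1) // 8


def encrypt(message: bytes, public_key) -> int:
    """Confidentiality: anyone may encrypt with the public key."""
    n, e = public_key
    if len(message) > max_bytes(n):
        raise ValueError("message too long for this toy modulus")
    m = int.from_bytes(message, "big")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the private key recovers the plaintext.
    (Leading zero bytes are lost; fine for the ASCII messages used here.)"""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Integrity and non-repudiation: only the private key can produce this."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the originator's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo():
    """Scott sends Jeff a confidential, signed message.
    Returns (plaintext Jeff recovers, signature ok, tampered copy ok)."""
    scott_pub, scott_priv = make_keypair(*SCOTT_PRIMES)
    jeff_pub, jeff_priv = make_keypair(*JEFF_PRIMES)
    msg = b"Q3 numbers: 42"

    ciphertext = encrypt(msg, jeff_pub)        # Scott uses Jeff's public key
    recovered = decrypt(ciphertext, jeff_priv)  # only Jeff's private key works

    signature = sign(msg, scott_priv)           # Scott signs with his private key
    ok = verify(msg, signature, scott_pub)      # Jeff checks with Scott's public key
    tampered = verify(b"Q3 numbers: 43", signature, scott_pub)
    return recovered, ok, tampered


if __name__ == "__main__":
    print(demo())   # expected: (b'Q3 numbers: 42', True, False)
```

Note how the two services come from the same key pair used in opposite directions, which is why the text can say public key technology provides confidentiality on one hand and integrity plus non-repudiation on the other: Jeff can show the signed message to a third party, and only Scott's private key could have produced the signature.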
2.3.3 Data and Message Integrity
The data and message integrity service helps to protect data and software on
workstations, file servers, and other LAN components from unauthorized modification.
The unauthorized modification can be intentional or accidental. This service can be
provided by the use of cryptographic checksums, and very granular access control and
privilege mechanisms. The more granular the access control or privilege mechanism, the
less likely an unauthorized or accidental modification can occur.
The data and message integrity service also helps to ensure that a message is not
altered, deleted or added to in any manner during transmission. (The inadvertent
modification of a message packet is handled through the media access control
implemented within the LAN protocol.) Most of the security techniques available
today cannot prevent the modification of a message, but they can detect the
modification of a message (unless the message is deleted altogether).
The use of electronic signatures can also be used to detect the modification of data
or messages. An electronic signature can be generated using public key or private
key cryptography. Using a public key system, documents in a computer system are
electronically signed by applying the originator’s private key to the document. The
resulting digital signature and document can then be stored or transmitted. The
signature can be verified using the public key of the originator.
If the signature verifies properly, the receiver has confidence that the document was
signed using the private key of the originator and that the message had not been
altered after it was signed. Because private keys are known only to their owner, it
may also be possible to verify the originator of the information to a third party. A digital
signature, therefore, provides two distinct services: nonrepudiation and message
integrity. FIPS PUB 186, Digital Signature Standard, specifies a digital signature
algorithm that should be used when message and data integrity are required.
The message authentication code (MAC) described above can also be used to
provide an electronic signature capability. The MAC is calculated based on the
contents of the message. After transmission another MAC is calculated on the
contents of the received message. If the MAC associated with the message that
was sent is not the same as the MAC associated with the message that was
received, then there is proof that the message received does not exactly match the
message sent. A MAC can be used to identify the signer of the information to the
receiver. However, the implementations of this technology do not inherently provide
nonrepudiation because both the sender of the information and the receiver of the
information share the same key. The types of security mechanisms that could be
implemented to provide the data and message integrity service are listed below.
• message authentication codes used for software or files,
• use of secret key based electronic signature,
• use of public key digital signature,
• granular privilege mechanism,
• appropriate access control settings (i.e. no unnecessary write permissions),
• virus detection software,
• workstations with no local storage (to prevent local storage of software and
files),
• workstations with no diskette drive/tape drive to prevent introduction of suspect
software.
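The first item on that list, message authentication codes used for software or files, is the mechanism that addresses the undetected software changes discussed earlier in this chapter. The following Python block is an added example (this manual's reader's code, not a tool from the original text) of a keyed baseline check: it records an HMAC-SHA256 over every file under a directory, and later reports which files were modified, added or removed. The key, paths, file contents and function names are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict

# Constructed key. A real deployment keeps it off the monitored host or on
# read-only media: whoever holds the key can forge a matching MAC, which is
# exactly why a plain, unkeyed checksum is not enough against a deliberate change.
BASELINE_KEY = b"constructed-integrity-key"


def file_mac(path: str, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256) over the whole file, read in chunks."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, key: bytes) -> Dict[str, str]:
    """MAC of every regular file under root, keyed by relative path."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_mac(full, key)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Which files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, list]:
    """Build a throwaway tree, take a baseline, alter it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in {"bin/login": b"original login program",
                          "bin/ls": b"list files",
                          "autoexec.bat": b"@echo off"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root, BASELINE_KEY)

        # Simulated unauthorized changes: code added to a program, a file
        # removed, and software that was never installed by the administrator.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login program with an unauthorized addition")
        os.remove(os.path.join(root, "autoexec.bat"))
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"software nobody installed")

        return compare(baseline, snapshot(root, BASELINE_KEY))


if __name__ == "__main__":
    print(demo())
    # expected: {'modified': ['bin/login'], 'added': ['bin/extra'], 'removed': ['autoexec.bat']}
```

The check detects modification; it does not prevent it, which matches the text's remark that most available techniques detect rather than prevent changes. Because sender and checker share the same key, the MAC also gives no non-repudiation, the limitation the text notes for MAC-based signatures.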
2.3.4 Non-repudiation
This service performs two functions. The first is the detection of the occurrence of a
threat. (However, the detection does not occur in real time unless some type of real-
time monitoring capability is utilized.) Depending on the extensiveness of the
logging, the detected event should be traceable throughout the system. For
example, when an intruder breaks into the system, the log should indicate who was
logged on to the system at the time, all sensitive files that had failed accesses, all
programs that had attempted executions, etc. It should also indicate sensitive files
and programs that were successfully accessed in this time period. It may be
appropriate that some areas of the LAN (workstations, fileservers, etc.) have some
type of logging service.
The second function of this service is to provide system and network managers with
statistics that indicate that systems and the network as a whole are functioning
properly. This can be done by an audit mechanism that uses the log file as input and
processes the file into meaningful information regarding system usage and security.
A monitoring capability can also be used to detect LAN availability problems as they
develop. The types of security mechanisms that could be used to provide the
logging and monitoring service are listed below.
2.4 Architecture Objectives
There are many services which a site may wish to provide for its users, some of
which may be external. There are a variety of security reasons to attempt to isolate
services onto dedicated host computers. There are also performance reasons in
most cases, but a detailed discussion is beyond the scope of this document.
The services which a site may provide will, in most cases, have different levels of
access needs and models of trust. Services which are essential to the security or
smooth operation of a site would be better off being placed on a dedicated machine
with very limited access (see "deny all" model), rather than on a machine that
provides a service (or services) which has traditionally been less secure, or requires
greater accessibility by users who may accidentally suborn security.
Some of the services which should be examined for potential separation are
outlined in the section on service protection. It is important to remember that
security is only as strong as the weakest link in the chain. Several of the most
publicized penetrations in recent years have been through the exploitation of
vulnerabilities in electronic mail systems. The intruders were not trying to steal
electronic mail, but they used the vulnerability in that service to gain access to other
systems.
If possible, each service should be running on a different machine whose only duty
is to provide a specific service. This helps to isolate intruders and limit potential
harm.
There are two diametrically opposed underlying philosophies which can be adopted
when defining a security plan. Both alternatives are legitimate models to adopt, and
the choice between them will depend on the site and its needs for security.
The first option is to turn off all services and then selectively enable services on a
case by case basis as they are needed. This can be done at the host or network
level as appropriate. This model, which will hereafter be referred to as the "deny
all" model, is generally more secure than the other model described in the next
paragraph. More work is required to successfully implement a "deny all"
configuration as well as a better understanding of services. Allowing only known
services provides for a better analysis of a particular service/protocol and the design
of a security mechanism suited to the security level of the site.
The other model, which will hereafter be referred to as the "allow all" model, is
much easier to implement, but is generally less secure than the "deny all" model.
Simply turn on all services, usually the default at the host level, and allow all
protocols to travel across network boundaries, usually the default at the router level.
As security holes become apparent, they are restricted or patched at either the host
or network level.
Each of these models can be applied to different portions of the site, depending on
functionality requirements, administrative control, site policy, etc. For example, the
policy may be to use the "allow all" model when setting up workstations for general
use, but adopt a "deny all" model when setting up information servers, like an email
hub. Likewise, an "allow all" policy may be adopted for traffic between LANs
internal to the site, but a "deny all" policy can be adopted between the site and the
Internet.
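The "deny all" and "allow all" models, written out as two small filter policies evaluated by the same first-match engine, as an added Python example (not a configuration from the original text or from any router or host product). It shows the practical difference the text describes: under "deny all" a service nobody thought about is blocked until someone enables it, under "allow all" it passes until someone notices and adds a deny. The rule shapes, port numbers, "internal"/"external" labels and packet dictionaries are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"               # "tcp", "udp" or "any"
    dst_port: Optional[int] = None   # None matches any port
    src_net: str = "any"             # "internal", "external" or "any"


def matches(rule: Rule, pkt: Dict) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and (rule.dst_port is None or rule.dst_port == pkt["dst_port"])
            and (rule.src_net == "any" or rule.src_net == pkt["src_net"]))


def decide(rules: List[Rule], default: str, pkt: Dict) -> str:
    """First matching rule wins; the policy default applies when none matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def evaluate(policy: Dict, pkt: Dict) -> str:
    return decide(policy["rules"], policy["default"], pkt)


# "deny all": nothing crosses the boundary unless a rule enables it.
# Each enabled service had to be understood well enough to write its rule.
DENY_ALL = {"default": "deny", "rules": [
    Rule("allow", "tcp", 25, "external"),    # mail hub accepts SMTP
    Rule("allow", "tcp", 53, "external"),    # DNS
    Rule("allow", "udp", 53, "external"),
]}

# "allow all": everything crosses until a hole becomes apparent and is patched.
ALLOW_ALL = {"default": "allow", "rules": [
    Rule("deny", "udp", 69, "external"),     # TFTP blocked after the fact
]}


def packet(proto: str, dst_port: int, src_net: str) -> Dict:
    """Constructed packet summary; only the fields the filter looks at."""
    return {"proto": proto, "dst_port": dst_port, "src_net": src_net}


if __name__ == "__main__":
    for name, pkt in (("smtp", packet("tcp", 25, "external")),
                      ("telnet", packet("tcp", 23, "external")),
                      ("tftp", packet("udp", 69, "external")),
                      ("unknown/6000", packet("tcp", 6000, "external"))):
        print(f"{name:13} deny-all={evaluate(DENY_ALL, pkt):5}  allow-all={evaluate(ALLOW_ALL, pkt)}")
```

The only structural difference between the two policies is the default, yet the unknown service on port 6000 is handled oppositely, which is why the text calls "deny all" the more secure but more labour-intensive model.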
Be careful when mixing philosophies as in the examples above. Many sites adopt
the theory of a hard "crunchy" shell and a soft "squishy" middle. They are willing to
pay the cost of security for their external traffic and require strong security
measures, but are unwilling or unable to provide similar protections internally. This
works fine as long as the outer defenses are never breached and the internal users
can be trusted. Once the outer shell (firewall) is breached, subverting the internal
network is trivial.
The Internet uses the Domain Name System (DNS) to perform address resolution
for host and network names. The Network Information Service (NIS) and NIS+ are
not used on the global Internet, but are subject to the same risks as a DNS server.
Name-to-address resolution is critical to the secure operation of any network. An
attacker who can successfully control or impersonate a DNS server can re-route
traffic to subvert security protections. For example, routine traffic can be diverted to
a compromised system to be monitored; or, users can be tricked into providing
authentication secrets. An organization should create well known, protected sites to
act as secondary name servers and protect their DNS masters from denial of
service attacks using filtering routers.
Password and key servers generally protect their vital information (i.e., the
passwords and keys) with encryption algorithms. However, even a one-way
encrypted password can be determined by a dictionary attack (wherein common
words are encrypted to see if they match the stored encryption). It is therefore
necessary to ensure that these servers are not accessible by hosts which do not
plan to use them for the service, and even those hosts should only be able to
access the service (i.e., general services, such as Telnet and FTP, should not be
allowed by anyone other than administrators).
2.4.1.3 ELECTRONIC MAIL
Electronic mail (email) systems have long been a source for intruder break-ins
because email protocols are among the oldest and most widely deployed services.
Also, by its very nature, an email server requires access to the outside world; most
email servers accept input from any source. An email server generally consists of
two parts: a receiving/sending agent and a processing agent. Since email is
delivered to all users, and is usually private, the processing agent typically requires
system (root) privileges to deliver the mail. Most email implementations perform both
portions of the service, which means the receiving agent also has system privileges.
This opens several security holes which this document will not describe. There are
some implementations available which allow a separation of the two agents. Such
implementations are generally considered more secure, but still require careful
installation to avoid creating a security problem.
The Web is growing in popularity exponentially because of its ease of use and the
powerful ability to concentrate information services. Most WWW servers accept
some type of direction and action from the persons accessing their services. The
most common example is taking a request from a remote user and passing the
provided information to a program running on the server to process the request.
Some of these programs are not written with security in mind and can create
security holes. If a Web server is available to the Internet community, it is especially
important that confidential information not be co-located on the same host as that
server. In fact, it is recommended that the server have a dedicated host which is not
"trusted" by other internal hosts.
Many sites may want to co-locate FTP service with their WWW service. But this
should only occur for anon-ftp servers that only provide information (ftp-get).
Anon-ftp puts, in combination with WWW, might be dangerous (e.g., they could
result in modifications to the information your site is publishing to the web) and in
themselves make the security considerations for each service different.
FTP and TFTP both allow users to receive and send electronic files in a
point-to-point manner. However, FTP requires authentication while TFTP requires
none. For this reason, TFTP should be avoided as much as possible.
Improperly configured FTP servers can allow intruders to copy, replace and delete
files at will, anywhere on a host, so it is very important to configure this service
correctly. Access to encrypted passwords and proprietary data, and the
introduction of Trojan horses are just a few of the potential security holes that can
occur when the service is configured incorrectly. FTP servers should reside on their
own host. Some sites choose to co-locate FTP with a Web server, since the two
protocols share common security considerations. However, the practice isn't
recommended, especially when the FTP service allows the deposit of files (see
section on WWW above). Services offered internally to your site should not be
co-located with services offered externally. Each should have its own host.
TFTP does not support the same range of functions as FTP, and has no security
whatsoever. This service should only be considered for internal use, and then it
should be configured in a restricted way so that the server only has access to a set
of predetermined files (instead of every world-readable file on the system).
Probably the most common usage of TFTP is for downloading router configuration
files to a router. TFTP should reside on its own host, and should not be installed on
hosts supporting external FTP or Web access.
2.4.1.6 NFS
The Network File Service allows hosts to share common disks. NFS is frequently
used by diskless hosts that depend on a disk server for all of their storage needs.
Unfortunately, NFS has no built-in security. It is therefore necessary that the NFS
server be accessible only by those hosts which are using it for service. This is
achieved by specifying which hosts the file system is being exported to and in what
manner (e.g., read-only, read-write, etc.). Filesystems should not be exported to any
hosts outside the local network since this will require that the NFS service be
accessible externally. Ideally, external access to NFS service should be stopped by
a firewall.
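As an added example (not code from this manual), the following Python check reads an /etc/exports file in Linux nfs-utils exports(5) syntax and reports exports that reach beyond the local network or grant more than read-only access, which is the configuration point made above. The sample exports file, the site network 192.0.2.0/24 and the audit_exports helper are all constructed here.

```python
"""Audit an /etc/exports file for NFS exports that are reachable from outside
the local network or that grant more than read-only access.

Added example, not the manual's own code. Syntax follows Linux nfs-utils
exports(5); the sample file and LOCAL_NET below are constructed."""
import ipaddress
import re

# Constructed /etc/exports for illustration: two safe entries, three risky ones.
SAMPLE_EXPORTS = """\
# home directories, local clients only, remote root is squashed
/home        192.0.2.0/24(rw,sync,root_squash)
/srv/iso     192.0.2.0/24(ro,sync)
/export      *(rw,no_root_squash)
/data        198.51.100.0/24(rw,sync)
/tmp/share   (rw)
"""

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed site network
# host(opt,opt) | (opt,opt) with no host | bare host with default options
CLIENT_RE = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return (path, client, options) triples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        spec = parts[1] if len(parts) > 1 else "*"   # no client list: everyone
        for m in CLIENT_RE.finditer(spec):
            if m.group(3) is not None:                # bare host, default options
                entries.append((path, m.group(3), set()))
            else:
                client = m.group(1) or "*"            # "(rw)" alone means any host
                opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
                entries.append((path, client, opts))
    return entries


def client_is_local(client):
    """True only when the client spec is an address or network inside LOCAL_NET."""
    if "*" in client or "?" in client:
        return False                 # wildcards match hosts anywhere
    try:
        net = ipaddress.ip_network(client, strict=False)
        return net.subnet_of(LOCAL_NET)
    except (ValueError, TypeError):
        return False                 # hostname or netgroup: cannot verify offline


def audit_exports(text):
    """Return (path, client, problem) findings for the export file text."""
    findings = []
    for path, client, opts in parse_exports(text):
        if not client_is_local(client):
            findings.append((path, client, "reachable from outside the local network"))
            if "rw" in opts:
                findings.append((path, client, "read-write access for non-local clients"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root becomes local root"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: accepts requests from unprivileged ports"))
    return findings


if __name__ == "__main__":
    for path, client, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {problem}")
```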
2.5 Auditing
This section covers the procedures for collecting data generated by network activity,
which may be useful in analyzing the security of a network and responding to
security incidents.
Audit data should include any attempt to achieve a different security level by any
person, process, or other entity in the network. This includes login and logout,
super user access (or the non-UNIX equivalent), ticket generation (for Kerberos, for
example), and any other change of access or status. It is especially important to note "anonymous" or
"guest" access to public servers.
The actual data to collect will differ for different sites and for different types of
access changes within a site. In general, the information you want to collect
includes: username and hostname, for login and logout; previous and new access
rights, for a change of access rights; and a timestamp. Of course, there is much
more information which might be gathered, depending on what the system makes
available and how much space is available to store that information.
One very important note: do not gather passwords. This creates an enormous
potential security breach if the audit records should be improperly accessed. Do not
gather incorrect passwords either, as they often differ from valid passwords by only
a single character or transposition.
The collection process should be enacted by the host or resource being accessed.
Depending on the importance of the data and the need to have it local in instances
in which services are being denied, data could be kept local to the resource until
needed or be transmitted to storage after each event.
There are basically three ways to store audit records: in a read/write file on a host,
on a write-once/read-many device (e.g., a CD-ROM or a specially configured tape
drive), or on a write-only device (e.g., a line printer). Each method has advantages
and disadvantages.
File system logging is the least resource intensive of the three methods and the
easiest to configure. It allows instant access to the records for analysis, which may
be important if an attack is in progress. File system logging is also the least reliable
method. If the logging host has been compromised, the file system is usually the
first thing to go; an intruder could easily cover up traces of the intrusion.
Collecting audit data on a write-once device is slightly more effort to configure than
a simple file, but it has the significant advantage of greatly increased security
because an intruder could not alter the data showing that an intrusion has occurred.
The disadvantage of this method is the need to maintain a supply of storage media
and the cost of that media. Also, the data may not be instantly available.
Line printer logging is useful in systems where permanent and immediate logs are
required. A real time system is an example of this, where the exact point of a failure
or attack must be recorded. A laser printer, or other device which buffers data (e.g.,
a print server), may suffer from lost data if buffers contain the needed data at a
critical instant. The disadvantage of, literally, "paper trails" is the need to keep the
printer fed and the need to scan records by hand. There is also the issue of where
to store the, potentially, enormous volume of paper which may be generated.
Audit data should be some of the most carefully secured data at the site and in the
backups. If an intruder were to gain access to audit logs, the systems themselves,
in addition to the data, would be at risk.
Audit data may also become key to the investigation, apprehension, and
prosecution of the perpetrator of an incident. For this reason, it is advisable to seek
the advice of legal counsel when deciding how audit data should be treated. This
should happen before an incident occurs.
If a data handling plan is not adequately defined prior to an incident, it may mean
that there is no recourse in the aftermath of an event, and it may create liability
resulting from improper treatment of the data.
2.5.5 Legal Considerations
One area concerns the privacy of individuals. In certain instances, audit data may
contain personal information. Searching through the data, even for a routine check
of the system's security, could represent an invasion of privacy.
The above examples are not meant to be comprehensive, but should motivate your
organization to consider the legal issues involved with audit data.
2.6 Incidents
2.6.0 Preparing and Planning for Incident Handling
Learning to respond efficiently to an incident is important for a number of reasons:
As in any set of pre-planned procedures, attention must be paid to a set of goals for
handling an incident. These goals will be prioritized differently depending on the
site. A specific set of objectives can be identified for dealing with incidents:
Due to the nature of the incident, there might be a conflict between analyzing the
original source of a problem and restoring systems and services. Overall goals (like
assuring the integrity of critical systems) might be the reason for not analyzing an
incident. Of course, this is an important management decision; but all involved
parties must be aware that without analysis the same incident may happen again.
time and recovery.
For each type of communication contact, specific "Points of Contact" (POC) should
be defined. These may be technical or administrative in nature and may include
legal or investigative agencies as well as service providers and vendors. When
establishing these contacts, it is important to decide how much information will be
shared with each class of contact. It is especially important to define, ahead of time,
what information will be shared with the users at a site, with the public (including the
press), and with other sites.
Making contacts and finding the proper channels early on will make responding to
an incident go considerably more smoothly.
If your organization or site has a legal counsel, you need to notify this office soon
after you learn that an incident is in progress. At a minimum, your legal counsel
needs to be involved to protect the legal and financial interests of your site or
organization. There are many legal and practical issues, a few of which are:
On the other hand, an organization's legal counsel may advise extreme caution and
suggest that tracing activities be halted and an intruder shut out of the system. This,
in itself, may not provide protection from liability, and may prevent investigators from
identifying the perpetrator.
The balance between supporting investigative activity and limiting liability is tricky.
You'll need to consider the advice of your legal counsel and the damage the intruder
is causing (if any) when making your decision about what to do during any particular
incident.
Your legal counsel should also be involved in any decision to contact investigative
agencies when an incident occurs at your site. The decision to coordinate efforts
with investigative agencies is most properly that of your site or organization.
Involving your legal counsel will also foster the multi-level coordination between your
site and the particular investigative agency involved, which in turn results in an
efficient division of labor. Another result is that you are likely to obtain guidance that
will help you avoid future legal mistakes.
Finally, your legal counsel should evaluate your site's written procedures for
responding to incidents. It is essential to obtain a "clean bill of health" from a legal
perspective before you actually carry out these procedures.
It is vital, when dealing with investigative agencies, to verify that the person who
calls asking for information is a legitimate representative from the agency in
question. Unfortunately, many well intentioned people have unknowingly leaked
sensitive details about incidents, allowed unauthorized people into their systems,
etc., because a caller has masqueraded as a representative of a government
agency. (Note: this word of caution actually applies to all external contacts.)
There is no one established set of rules for responding to an incident when the local
government becomes involved. Normally (in the U.S.), except by legal order, no
agency can force you to monitor, to disconnect from the network, to avoid telephone
contact with the suspected attackers, etc. Each organization will have a set of local
and national laws and regulations that must be adhered to when handling incidents.
It is recommended that each site be familiar with those laws and regulations, and
identify and get to know the contacts for agencies with jurisdiction well in advance of
handling an incident.
It is crucial during a major incident to communicate why certain actions are being
taken, and how the users (or departments) are expected to behave. In particular, it
should be made very clear to users what they are allowed to say (and not say) to
the outside world (including other departments). For example, it wouldn't be good for
an organization if users replied to customers with something like, "I'm sorry the
systems are down, we've had an intruder and we are trying to clean things up." It
would be much better if they were instructed to respond with a prepared statement
like, "I'm sorry our systems are unavailable, they are being maintained for better
service in the future."
Public relations departments can be very helpful during incidents. They should be
involved in all planning and can provide well constructed responses for use when
contact with outside departments and organizations is necessary.
One of the most important issues to consider is when, who, and how much to
release to the general public through the press. There are many issues to consider
when deciding this particular issue. First and foremost, if a public relations office
exists for the site, it is important to use this office as liaison to the press. The public
relations office is trained in the type and wording of information released, and will
help to assure that the image of the site is protected during and after the incident (if
possible). A public relations office has the advantage that you can communicate
candidly with them, and provide a buffer between the constant press attention and
the need of the POC to maintain control over the incident.
If a public relations office is not available, the information released to the press must
be carefully considered. If the information is sensitive, it may be advantageous to
provide only minimal or overview information to the press. It is quite possible that
any information provided to the press will be quickly reviewed by the perpetrator of
the incident. Also note that misleading the press can often backfire and cause more
damage than releasing sensitive information.
2.6.5.1 IS IT REAL?
This stage involves determining if a problem really exists. Of course many if not
most signs often associated with virus infection, system intrusions, malicious users,
etc., are simply anomalies such as hardware failures or suspicious system/user
behavior. To assist in identifying whether there really is an incident, it is usually
helpful to obtain and use any detection software which may be available. Audit
information is also extremely useful, especially in determining whether there is a
network attack. It is extremely important to obtain a system snapshot as soon as
one suspects that something is wrong. Many incidents cause a dynamic chain of
events to occur, and an initial system snapshot may be the most valuable tool for
identifying the problem and any source of attack. Finally, it is important to start a log
book. Recording system events, telephone conversations, time stamps, etc., can
lead to a more rapid and systematic identification of the problem, and is the basis for
subsequent stages of incident handling.
There are certain indications or "symptoms" of an incident that deserve special
attention:
1. System crashes.
2. New user accounts (the account RUMPLESTILTSKIN has been unexpectedly created), or high activity on a previously low usage account.
3. New files (usually with novel or strange file names, such as data.xx or k or .xx).
4. Accounting discrepancies (in a UNIX system you might notice the shrinking of an accounting file called /usr/admin/lastlog, something that should make you very suspicious that there may be an intruder).
5. Changes in file lengths or dates (a user should be suspicious if .EXE files in an MS DOS computer have unexplainedly grown by over 1800 bytes).
6. Attempts to write to system (a system manager notices that a privileged user in a VMS system is attempting to alter RIGHTSLIST.DAT).
7. Data modification or deletion (files start to disappear).
8. Denial of service (a system manager and all other users become locked out of a UNIX system, now in single user mode).
9. Unexplained, poor system performance.
10. Anomalies ("GOTCHA" is displayed on the console or there are frequent unexplained "beeps").
11. Suspicious probes (there are numerous unsuccessful login attempts from another node).
12. Suspicious browsing (someone becomes a root user on a UNIX system and accesses file after file on many user accounts).
13. Inability of a user to log in due to modifications of his/her account.
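The auditing section above says what to record (username and hostname for login and logout, previous and new access rights, a timestamp, and never a password), and symptom 11 in this list is what such records make visible. The following Python is an added example, not the manual's code, that runs three detections over a constructed audit trail in that shape: repeated failed logins from one host inside a short window, every change of access rights, and logins on "anonymous" or "guest" style accounts. The CSV layout, thresholds and every sample record are constructed.

```python
"""Run simple detections over audit records of the kind the text recommends
collecting (timestamp, event, username, hostname, previous and new rights).

Added example, not the manual's own code. The record layout and every
line in SAMPLE_AUDIT are constructed; thresholds are illustrative."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed audit trail. Note what is absent: no passwords, correct or not.
SAMPLE_AUDIT = """\
timestamp,event,user,host,old_rights,new_rights
2024-05-01T09:00:01,login_fail,alice,10.0.0.7,,
2024-05-01T09:00:02,login_fail,root,10.0.0.7,,
2024-05-01T09:00:03,login_fail,admin,10.0.0.7,,
2024-05-01T09:00:04,login_fail,guest,10.0.0.7,,
2024-05-01T09:00:05,login_fail,alice,10.0.0.7,,
2024-05-01T09:01:10,login,alice,10.0.0.22,,user
2024-05-01T09:05:00,rights_change,alice,10.0.0.22,user,root
2024-05-01T09:06:00,login_fail,bob,10.0.0.9,,
2024-05-01T09:30:00,login_fail,bob,10.0.0.9,,
2024-05-01T09:31:00,login,guest,10.0.0.40,,guest
2024-05-01T09:40:00,logout,alice,10.0.0.22,root,
"""

FAIL_THRESHOLD = 4                    # failures from one host ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this window count as a probe
PUBLIC_ACCOUNTS = {"anonymous", "guest", "ftp"}


def parse_audit(text):
    """Parse CSV audit records, sorted by time; adds a datetime under key 'ts'."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])


def find_probes(rows, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Symptom 11: hosts with `threshold` failed logins inside `window`.
    Returns {host: ISO time at which the threshold was first crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for r in rows:
        if r["event"] != "login_fail":
            continue
        q = recent[r["host"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) >= threshold and r["host"] not in flagged:
            flagged[r["host"]] = r["ts"].isoformat()
    return flagged


def find_rights_changes(rows):
    """Every change of access level (e.g. super user access), old -> new."""
    return [(r["ts"].isoformat(), r["user"], r["host"], r["old_rights"], r["new_rights"])
            for r in rows
            if r["event"] == "rights_change" and r["old_rights"] != r["new_rights"]]


def find_public_logins(rows):
    """Logins on accounts the text says deserve special note (anonymous/guest)."""
    return [(r["ts"].isoformat(), r["user"], r["host"])
            for r in rows if r["event"] == "login" and r["user"] in PUBLIC_ACCOUNTS]


if __name__ == "__main__":
    rows = parse_audit(SAMPLE_AUDIT)
    print("probes:", find_probes(rows))
    print("rights changes:", find_rights_changes(rows))
    print("public-account logins:", find_public_logins(rows))
```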
Along with the identification of the incident is the evaluation of the scope and impact
of the problem. It is important to correctly identify the boundaries of the incident in
order to effectively deal with it and prioritize responses.
In order to identify the scope and impact a set of criteria should be defined which is
appropriate to the site and to the type of connections available. Some of the issues
include:
9. Is law enforcement involved?
The analysis of the damage and extent of the incident can be quite time consuming,
but should lead to some insight into the nature of the incident, and aid investigation
and prosecution. As soon as the breach has occurred, the entire system and all of
its components should be considered suspect. System software is the most
probable target. Preparation is key to be able to detect all changes for a possibly
tainted system. This includes checksumming all media from the vendor using an
algorithm which is resistant to tampering.
Assuming original vendor distribution media are available, an analysis of all system
files should commence, and any irregularities should be noted and referred to all
parties involved in handling the incident. It can be very difficult, in some cases, to
decide which backup media are showing a correct system status. Consider, for
example, that the incident may have continued for months or years before
discovery, and the suspect may be an employee of the site, or otherwise have
intimate knowledge or access to the systems. In all cases, the pre-incident
preparation will determine what recovery is possible.
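The pre-incident preparation described here (checksumming with a tamper-resistant algorithm, then comparing all system files against a trusted record) is, in practice, a baseline-and-verify tool. The Python below is an added example, not the manual's code: it records size and SHA-256 for every file under a directory, stores the baseline as JSON, and classifies a later scan into added, removed and modified files, which covers the "new files" and "changes in file lengths" symptoms listed earlier. The directory contents in demo() are constructed.

```python
"""Checksum baseline for a directory tree: record size and SHA-256 of every
file before an incident, then diff a fresh scan against the baseline to find
new, removed and modified files.

Added example, not the manual's own code. Paths and contents in demo() are
constructed; a real baseline belongs on write-once or offline media."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> [size, sha256] for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                       # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root)
            baseline[rel] = [os.path.getsize(full), hash_file(full)]
    return baseline


def save_baseline(baseline, out_path):
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between two scans as added/removed/modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then change the tree the way the
    symptoms above describe (a binary grows, an odd new file appears, a file
    vanishes) and return what the comparison catches."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/lib/real-login \"$@\"\n")
        conf = os.path.join(root, "site.conf")
        with open(conf, "w") as f:
            f.write("trusted_hosts=none\n")

        store = os.path.join(root, "baseline.json")   # would live offline
        save_baseline(build_baseline(root), store)
        baseline = load_baseline(store)
        os.remove(store)                              # keep it out of the rescan

        with open(login, "ab") as f:
            f.write(b"\x00" * 1800)                   # symptom 5: size grows
        with open(os.path.join(root, ".xx"), "w") as f:
            f.write("x")                              # symptom 3: odd new file
        os.remove(conf)                               # symptom 7: file disappears
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```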
If the system supports centralized logging (most do), go back over the logs and look for
abnormalities. If process accounting and connect time accounting is enabled, look for
patterns of system usage. To a lesser extent, disk usage may shed light on the incident.
Accounting can provide much helpful information in an analysis of an incident and
subsequent prosecution. Your ability to address all aspects of a specific incident strongly
depends on the success of this analysis.
Certain steps are necessary to take during the handling of an incident. In all
security related activities, the most important point to be made is that all sites should
have policies in place. Without defined policies and goals, activities undertaken will
remain without focus. The goals should be defined by management and legal
counsel in advance.
One of the most fundamental objectives is to restore control of the affected systems
and to limit the impact and damage. In the worst case scenario, shutting down the
system, or disconnecting the system from the network, may be the only practical
solution.
As the activities involved are complex, try to get as much help as necessary. While
trying to solve the problem alone, real damage might occur due to delays or missing
information. Most administrators take the discovery of an intruder as a personal
challenge. By proceeding this way, other objectives as outlined in the local policies
may not always be considered. Trying to catch intruders may be a very low priority,
compared to system integrity, for example. Monitoring a hacker's activity is useful,
but it might not be considered worth the risk to allow the continued access.
When you respond to an incident, document all details related to the incident. This
will provide valuable information to yourself and others as you try to unravel the
course of events. Documenting all details will ultimately save you time. If you don't
document every relevant phone call, for example, you are likely to forget a
significant portion of information you obtain, requiring you to contact the source of
information again. At the same time, recording details will provide evidence for
prosecution efforts, providing the case moves in that direction. Documenting an
incident will also help you perform a final assessment of damage (something your
management, as well as law enforcement officers, will want to know), and will
provide the basis for later phases of the handling process: eradication, recovery,
and follow-up "lessons learned."
Failure to observe these procedures can result in invalidation of any evidence you
obtain in a court of law.
2.6.10 Containment
Sometimes this decision is trivial; shut the system down if the information is
classified, sensitive, or proprietary. Bear in mind that removing all access while an
incident is in progress obviously notifies all users, including the alleged problem
users, that the administrators are aware of a problem; this may have a deleterious
effect on an investigation. In some cases, it is prudent to remove all access or
functionality as soon as possible, then restore normal operation in limited stages. In
other cases, it is worthwhile to risk some damage to the system if keeping the
system up might enable you to identify an intruder.
This stage should involve carrying out predetermined procedures. Your organization
or site should, for example, define acceptable risks in dealing with an incident, and
should prescribe specific actions and strategies accordingly. This is especially
important when a quick decision is necessary and it is not possible to first contact all
involved parties to discuss the decision. In the absence of predefined procedures,
the person in charge of the incident will often not have the power to make difficult
management decisions (like to lose the results of a costly experiment by shutting
down a system). A final activity that should occur during this stage of incident
handling is the notification of appropriate authorities.
2.6.11 Eradication
Once the incident has been contained, it is time to eradicate the cause. But before
eradicating the cause, great care should be taken to collect all necessary
information about the compromised system(s) and the cause of the incident as they
will likely be lost when cleaning up the system.
Software may be available to help you in the eradication process, such as anti-virus
software. If any bogus files have been created, archive them before deleting them.
In the case of virus infections, it is important to clean and reformat any media
containing infected files. Finally, ensure that all backups are clean. Many systems
infected with viruses become periodically re-infected simply because people do not
systematically eradicate the virus from backups. After eradication, a new backup
should be taken.
Removing all vulnerabilities once an incident has occurred is difficult. The key to
removing vulnerabilities is knowledge and understanding of the breach.
2.6.12 Recovery
Once the cause of an incident has been eradicated, the recovery phase defines the
next stage of action. The goal of recovery is to return the system to normal. In
general, bringing up services in the order of demand to allow a minimum of user
inconvenience is the best practice. Understand that the proper recovery procedures
for the system are extremely important and should be specific to the site.
2.6.13 Follow-Up
Once you believe that a system has been restored to a "safe" state, it is still possible
that holes, and even traps, could be lurking in the system. One of the most
important stages of responding to incidents is also the most often omitted, the
follow-up stage. In the follow-up stage, the system should be monitored for items that may have been
missed during the cleanup stage. It would be prudent to utilize some of the tools
mentioned in chapter 7 as a start. Remember, these tools don't replace continual
system monitoring and good systems administration practices.
The most important element of the follow-up stage is performing a postmortem
analysis. Exactly what happened, and at what times? How well did the staff
involved with the incident perform? What kind of information did the staff need
quickly, and how could they have gotten that information as soon as possible?
What would the staff do differently next time?
In the wake of an incident, several actions should take place. These actions can be
summarized as follows:
If an incident is based on poor policy, and unless the policy is changed, then one is
doomed to repeat the past. Once a site has recovered from an incident, site policy
and procedures should be reviewed to encompass changes to prevent similar
incidents. Even without an incident, it would be prudent to review policies and
procedures on a regular basis. Reviews are imperative due to today's changing
computing environments.
The whole purpose of this post mortem process is to improve all security measures
to protect the site against future attacks. As a result of an incident, a site or
organization should gain practical knowledge from the experience. A concrete goal
of the post mortem is to develop new proactive methods. Another important facet of
the aftermath may be end user and administrator education to prevent a recurrence
of the security problem.
The primary goal of intrusion management is to prevent intrusions entirely. We can
address that goal by implementing a program of effective security controls. Those
controls should be present at every interface point within an information
management system. Effective controls grow out of effective information security
policies, standards and practices. Organizations should impose controls aimed at
mitigating threats against functional areas of vulnerability at each interface point.
There are six such functional areas of vulnerability:
• Security policy
• Standards and practices
• Security Awareness
• Incident response planning
• Disaster planning
• Training of security and IT Audit personnel
• Evaluating the results of a successful intrusion ("lessons learned" feedback)
2.7.1 Assurance
• IT audits
• Intrusion testing
• Vulnerability testing
• Security reviews
• Risk assessments on new systems
Using appropriate tools, we can test our systems for these vulnerabilities and through
proper configuration or use of third party products we can ensure that appropriate steps
are taken to reduce or eliminate them. Tools that we should use are of two types:
preventative and detective. Preventative tools include those that we use to perform initial
evaluation and configuration. Detective tools are intended to ensure that any change to
the configuration is detected.
In broad terms, we may consider that type of monitoring to be an audit function.
Thus, we see that auditing is an important part of the intrusion management
process. However, many organizations have subdivided the monitoring function
between Information Security and IT Auditing. The security personnel monitor on a
full time basis, while audits occur periodically to ensure that monitoring is effective.
How your organization splits these tasks, or if they split them at all, is probably a
function of organization size and resources.
2.7.2 Detection
The third step is Detection. This is somewhat different from the detective controls
present during the avoidance and testing steps. In this case we are talking about
detecting an intrusion attempt in real time. The real time aspect of detection is
important. Knowing that an attack is in progress and being able to take immediate
action greatly improves the odds of successfully terminating the intrusion and
apprehending the perpetrator.
Real time detection depends upon having a "watch dog" system that sits in the
background and watches all activities involving the device under surveillance. The
watch dog also must be able to interpret what constitutes an attack.
2.7.3 Investigation
Attacks often are not discovered until well after the fact. That problem constitutes
strike one in the intrusion management ball game. Strike two comes when the
attacker has been clever enough to cover his or her tracks effectively. If the logs are
not complete, protected from tampering and retained long enough, it's strike three
and your investigation never gets to first base.
2.8 Modems
Don't allow users to install a modem line without proper authorization. This includes
temporary installations (e.g., plugging a modem into a facsimile or telephone line
overnight). Maintain a register of all your modem lines and keep your register up to
date. Conduct regular (ideally automated) site checks for unauthorized modems.
The reality at most companies is that there are more and more laptop computers
being used on desktops. Practically every one of them has a MODEM either built-in
or in a PCCARD slot. This means the number of actual MODEMs in corporate
networks is growing dramatically without the care and security required of such
installations. It is ludicrous to think that they can be eliminated, but it is also
important to set policies and technology in place to ensure that the desktop MODEM
installed on a laptop does not become the back-door entry point into a corporate
network.
Remember that telephone lines can be tapped, and that it is quite easy to intercept
messages to cellular phones. Modern high-speed modems use more sophisticated
modulation techniques, which makes them somewhat more difficult to monitor, but it
is prudent to assume that hackers know how to eavesdrop on your lines. For this
reason, you should use one-time passwords if at all possible.
It is helpful to have a single dial-in point (e.g., a single large modem pool) so that all
users are authenticated in the same way.
Users will occasionally mis-type a password. Set a short delay (say, two seconds)
after the first and second failed logins, and force a disconnect after the third. This
will slow down automated password attacks. Don't tell the user whether the
username, the password, or both, were incorrect.
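An added example (not code from this manual) of the failed-login handling described above, as Python that a dial-in access server could run for each call: a fixed two-second delay after the first and second failure, a forced disconnect on the third, a single generic message whichever field was wrong, and a constant-time credential check that also hashes for unknown usernames so timing does not reveal whether an account exists. The user store, the DialInSession class and the injectable sleep hook are constructed.

```python
"""Per-call login handling for a dial-in access server: short delays after
the first and second failed attempts, disconnect after the third, and one
generic message so the caller cannot tell whether the username or the
password was wrong.

Added example, not the manual's own code. USERS, DialInSession and the
injectable sleep hook are constructed for the demo."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000


def _make_record(password):
    """Salted PBKDF2-SHA256 record (salt, hash); constructed demo user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": _make_record("correct horse")}   # constructed, generated at import
DUMMY = _make_record("placeholder")                  # used when the username is unknown

GENERIC_FAILURE = "Login incorrect"   # never says which field was wrong
DELAYS = {1: 2.0, 2: 2.0}             # seconds to wait after the 1st and 2nd failure
MAX_FAILURES = 3                      # third failure drops the call


def check_credentials(username, password):
    """Constant-time check that also runs the hash for unknown users, so the
    response time does not reveal whether the account exists."""
    known = username in USERS
    salt, expected = USERS[username] if known else DUMMY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected) and known


class DialInSession:
    """State for one incoming modem call."""

    def __init__(self, sleep=time.sleep):
        self.failures = 0
        self.connected = True
        self._sleep = sleep            # injectable so tests need not really wait
        self.last_message = ""

    def attempt(self, username, password):
        """Return 'ok', 'fail' or 'disconnect'."""
        if not self.connected:
            return "disconnect"
        if check_credentials(username, password):
            self.failures = 0
            self.last_message = "Welcome"
            return "ok"
        self.failures += 1
        self.last_message = GENERIC_FAILURE
        if self.failures >= MAX_FAILURES:
            self.connected = False     # force a hang-up; the caller must redial
            return "disconnect"
        self._sleep(DELAYS.get(self.failures, 0.0))   # slows automated guessing
        return "fail"


if __name__ == "__main__":
    session = DialInSession()
    for user, pw in [("alice", "wrong"), ("nobody", "wrong"), ("alice", "wrong")]:
        print(user, "->", session.attempt(user, pw), "|", session.last_message)
```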
This feature should be used with caution; it can easily be bypassed. At a minimum,
make sure that the return call is never made from the same modem as the incoming
one. Overall, although call-back can improve modem security, you should not
depend on it alone.
Display a short banner, but don't offer an "inviting" name (e.g., University of XYZ,
Student Records System). Instead, give your site name, a short warning that
sessions may be monitored, and a username/password prompt. Verify possible
legal issues related to the text you put into the banner.
Never allow dial-out from an unauthenticated dial-in call, and consider whether you
will allow it from an authenticated one. The goal here is to prevent callers using
your modem pool as part of a chain of logins. This can be hard to detect,
particularly if a hacker sets up a path through several hosts on your site.
At a minimum, don't allow the same modems and phone lines to be used for both
dial-in and dial-out. This can be implemented easily if you run separate dial-in and
dial-out modem pools.
Program your modems to reset to your standard configuration at the start of each
new call. Failing this, make them reset at the end of each call. This precaution will
protect you against accidental reprogramming of your modems. Resetting at both
the end and the beginning of each call will assure an even higher level of confidence
that a new caller will not inherit a previous caller's session.
Check that your modems terminate calls cleanly. When a user logs out from an
access server, verify that the server hangs up the phone line properly. It is equally
important that the server forces logouts from whatever sessions were active if the
user hangs up unexpectedly.
Because MODEMs are common and relatively inexpensive, it is simple for anyone to
acquire and use MODEM technology to dial up and connect to any system that
supports MODEM connectivity. This makes it equally easy for criminals and
competitors to acquire the means to infiltrate computer and network systems and
engage in illegal or, at a minimum, highly annoying activities such as disrupting
operations, stealing information, etc.
In the security access business, there are the following types of systems available
for providing differing levels of security facilities for dial-up MODEM access:
• MODEMs with internal security facilities. These systems provide some levels of
password authorization and access methods and are fairly inexpensive. They
are also vendor proprietary and provide limited flexibility in multiple protocol
remote access environments.
• MODEM pool management systems. These tools usually run on a PC or
equivalent system and provide specific numbers of dial-up ports with some
management software to provide minimal security facilities as well as user
accounting for very specific protocols or terminal access facilities. These are
useful for small sites or sites where all access is always the same protocol
method and high levels of security and reporting are not required.
• Asynchronous access software/hardware facilities. Many vendors of specific
protocol server solutions provide MODEM dial-up asynchronous protocol access
methods which allow dial-up to file and mail servers utilizing their own
proprietary methods. This allows ease of user access, but these packages limit
their security facilities to whatever the server provides, which is usually
password-only authentication, and are limited to whatever user tracking facilities
the server technology allows which is also limited at best.
• Multiprotocol server facilities. Vendors of asynchronous connection hardware
and software are providing all-in-a-box units that allow customers to dial-up to
the box and the user selects a connection protocol such as AppleTalk, IP, IPX,
DECnet or a proprietary protocol of choice. These solutions are very versatile,
but frequently provide single password facilities for users and usually provide no
tracking software of user activities whatsoever. Also, these boxes are limited to
the number of supported dial-up ports and usually do not support security
facilities for simple terminal emulation to systems such as IBM's MVS/XA and
OS/400, UNIX, OpenVMS, etc.
• Terminal servers. Many vendors of terminal servers allow MODEM connection
facilities which allow many dial-up user connections. These devices are
becoming more flexible as they not only offer the traditional terminal access
facilities for terminal emulation to minis, superminis, mainframes and
supercomputers, they also are supporting asynchronous access to TCP/IP's
SLIP and PPP protocols, AppleTalk, IPX, etc. The problem with this approach is
an extremely limited security access facility (it is frequently limited to a terminal
server-wide password which everyone has access to use), limited access
speeds, non-flexibility of hardware and limited user tracking and reporting.
• "Small" routers. Many of the major router vendors are building small,
inexpensive router systems that provide asynchronous access facilities as well
as router access software to existing LAN and WAN resources. These provide
extremely limited security facilities, if any at all, but are useful due to their
inexpensiveness and ease of integration into existing networks.
• All-inclusive MODEM and remote access control systems. This is a relatively
new class of MODEM access security system that allows terminal emulation
facilities, remote protocol access capabilities, user authentication methods,
security facilities (passwords, accounting, session tracking, live monitoring,
exception handling, alarms, etc.), user menu facilities, user profile tracking and
multiple hardware facility access (Ethernet/802.3, token ring/802.5, FDDI, ISDN,
ISDN-B, ATM, etc.) all at the same time from the same facility. These types of
systems are complex and very capable and are rapidly becoming the system of
choice for sites with many differing types of dial-up requirements for many
different types of systems.
While this does not provide an all-inclusive list of access facilities, it serves as an
illustration of what has traditionally been available. Most of these tools are limited to
either a traditional RS-232, RS449, RJ11 or RJ45 interface to a given system. In
some of the server access facilities, Ethernet/802.3 or token ring/802.5 LAN access
are also supported for access to remote servers as well as local resources.
In most sites considering dial-up facilities, the need is real and is not going away.
Many companies are becoming more mobile and the need for remote dial-up access
is becoming critical. It is estimated in 1999 that over 60% of all computers that will be
sold will be notebook sized or smaller. This, coupled with the trend towards docking-
station systems that can be moved at will, provides a market for remote access that
is growing dramatically and does not show any signs of diminishing. Further,
practically all consumer-level computers come equipped with a 56kbps V.90
MODEM.
Where most sites fail in their tactical and strategic planning for such facilities is in
the expectation that they can contain the requirement for dial-up and that they can
dictate the user's options. What happens in many situations is that users will
implement their own solutions and not provide any feedback to IT facilities until it
has become firmly entrenched in the deliverable solutions for management. As a
result, the opportunity to control the unauthorized facilities is reduced to nil and the
IT groups must deal with a myriad of dial-up options based upon what was planned
and what happened "on its own."
If dial-up solutions are in place, it is tactically wise to implement substitute solutions
that provide the following features:
• Does not affect the user's computing budget. People always like something they
feel is "free."
• Does not impose much additional effort to use
• Provides a substantial improvement over the current method of dial-up such that
the new method is immediately attractive regardless of new user effort required
to use it
• Allows greater user flexibility, speed and access facilities
While most of this is common sense, it is interesting how many companies provide
an inferior solution to current user access methods or a one-for-one solution which
irritates users with new procedures and facilities. No one wants to deal with a step
back in productivity or technology. Stepping forward, however, has to show a
reasonable increase in productivity or user-desired features or it will be
unacceptable as well.
Of importance in the selection of any solution is the realization that MODEMs are,
technologically, on the way out as digital communications replace analog facilities in
the phone systems of the world. Some telecommunications providers already
provide direct ISDN and ISDN-B facilities which allow a technology called unbundled
ISDN services. In this offering, the local equipment company (the LEC), provides a
T1 connection to the customer site, divided into 24 separate 56kbps digital
channels. At the LEC, MODEM emulation is provided to a dial-up user which is
converted to a digital channel access to one of the channels to the customer. The
effect is that the customer does not need to purchase any MODEMs, the user
population can use existing MODEM technologies and when the phone system goes
pure digital in the future, there are no corporate MODEM banks to replace. Since
the trend is to go digital, the need to support ISDN, ISDN-B and ATM is crucial for
long term user satisfaction and in the support of alternate connection technologies in
the future.
Some of the security flaws with this level of access in the general systems area are:
• The steps above allow the opportunity to exploit flaws in the access method as it
is by rote, mechanical in nature, and easily analyzed
• Simple access methods simplify user access efforts, but do not keep general
security intact. Because users share information and also leave security access
information in compromising locations, the information must change or be
generally compromised
• Most system access methods are highly susceptible to an exhaustive attack
from the terminal access methods (dial-up, X.29, and others) via something as
small as a personal computer
• Many users are never physically seen by the systems personnel and their login
information is frequently transmitted to them via phone call or facsimile, which is
highly subject to be compromised
• Few operating systems provide intensive monitoring and activity recording facilities
to help trace sources of intrusion and to also detect unauthorized usage
• Few companies trace employees who have left the firm and properly clean up
access methods for employees. The result is accounts that exist, sometimes
for years, before they are deleted or even changed.
• For companies with highly mobile employees or employees that travel
extensively, dial-back MODEM management is extensive and time consuming.
Further, within the next 12-24 months from this writing, many MODEM devices
will be rendered ineffective due to pure digital phone systems such as ISDN
coming on-line and replacing current analog offerings
• Dial-back MODEM units are not compatible, in some cases, with foreign system
access due to CEPT or ITU-T incompatibilities with phone systems (ITU-T
E.163 POTS and V series standards), carrier frequencies, DTMF tone levels,
and other electronic incompatibilities. As such, some dial-back systems will not
work with some foreign phone systems which can cause problems for a
multinational corporation.
• None of the current systems direct user logins to a specific destination; they
only restrict access to “a” system of some sort
• No current user interface logins allow for protocol security for asynchronous
connections via DECnet Phase IV, TCP/IP PPP or SLIP links, asynchronous
AppleTalk or other types of protocols that support an asynchronous interface
• Security encryption cards and other electromechanical interface devices are
frequently lost and are expensive to replace and manage
• Dial-back modems are subject to abuse by use of phone system features such
as call forwarding
For these reasons and others too numerous to mention in a short summary, the
author, Dr. Hancock, believes that many currently available commercial dial-up
access security products are inadequate for a secure information access method to
systems on a computer network.
With the rise of computer crime via dial-up access, there is a natural paranoia that
systems professionals are required to recognize: dial-up access makes system
access possible for non-authorized individuals and this exposure must be
minimized. The reasons for keeping non-authorized individuals out of customer
systems include:
• Isolation of company proprietary data from unauthorized individuals (such as
food and drug filings, patent data, primary research data, market information,
demographics, corporate financial data, test and research results, etc.)
• Potential for external sources to “taint” valid data, so that corrupted data appears
valid and causes irreparable harm
• Potential safety hazards if manufacturing or other production systems were
accessed from external sources and process control software were changed or
modified in some way
There are many other examples, but these give the general issues on why
restrictive connectivity is required at customer sites. Also, as recently as late 1993,
customer research centers have experienced multiple attempts at system
compromise from external sources via dial-up and X.29 terminal pad connection.
While no specific break-in was detected, the attempts have been numerous and
getting more creative with time. It was deemed necessary to improve terminal
connectivity security procedures.
Some customers have used dial-back MODEMs and hardware security cards for
user terminal access.
The dial-back MODEMs, while previously useful, are now easier to violate due to
new phone system facilities offered by regional telephone companies. Facilities
such as call forwarding, call conferencing and other facilities that will be offered via
Signaling System 7 (SS7) and Integrated Services Digital Network (ISDN)
connectivity facilities make the general functionality of dial-back MODEMs easier to
violate (dial-back calls could be re-routed via the phone system to locations
other than the phone number expected and desired) and a total lack of
security on the phone network itself helps to propagate this effort.
In recent months, the hackers magazine 2600 has published articles on how to
provide remote call-forwarding and how to “hack” public phone switching systems
and access a variety of information including call routing tables. With this type of
information, potential disruptors of corporate dial-up methods can forward calls to
any desired location.
Devices such as security identification cards, approximately the size of a credit card
and possessing verification algorithms that allow exact identification of a user, are
very secure provided that they are not shared between users. They are also
somewhat expensive (est. $60.00 per user) and are easily destroyed (sat upon,
placed in washing machines, etc.) or lost. Because of accounting problems and the
size of the dial-up population, some former employees have left customer’s employ
and taken their cards with them making recovery virtually impossible. There are also
some terminal connection facilities in which security identification cards will not work
and this requires another approach to the problem.
Such cards work by the user entering, when prompted by the destination system and
within a specified amount of time, the number that is visible in an LCD window on the
card. This number is synchronized with the destination system and, algorithmically,
should decipher to a valid combination the system will accept.
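The following Python sketch is an added illustration of the synchronized-code mechanism just described (and of the one-time passwords recommended for dial-in earlier); it is not code from this manual or from any card vendor. It uses the TOTP construction standardized in RFC 6238 (an HMAC over a time counter), the modern form of this idea; the 30-second code period, six-digit display, one-step clock-drift allowance and 60-second response deadline are assumptions, and the shared secret is the RFC's published test value.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30        # assumed: the card changes its number every 30 seconds
DIGITS = 6               # assumed: six digits are shown in the card's LCD window
DRIFT_STEPS = 1          # assumed: tolerate one step of clock drift either side
RESPONSE_SECONDS = 60    # assumed: the user must type the number within 60 s of the prompt

# Shared secret provisioned into both the card and the access server.
# This is the published RFC 4226/6238 test-vector secret, used here only as sample data.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time code (RFC 4226) for an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def card_code(secret, now):
    """The number the card displays at Unix time `now`: HOTP over the current time step."""
    return hotp(secret, now // STEP_SECONDS)


def verify(secret, entered, prompted_at, answered_at, last_counter):
    """Access-server side of the exchange.

    `prompted_at` / `answered_at` are the Unix times at which the prompt was issued and
    the answer arrived; `last_counter` is the highest time step already accepted for this
    card. Returns (accepted, new_last_counter). A step is never accepted twice (replay
    protection) and the code comparison is constant-time.
    """
    if answered_at - prompted_at > RESPONSE_SECONDS:
        return False, last_counter                   # answered too late: the prompt expired
    base = answered_at // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        counter = base + delta
        if counter <= last_counter:
            continue                                 # already used (or older): reject replays
        if hmac.compare_digest(hotp(secret, counter), entered):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    shown = card_code(SECRET, 59)
    print("card shows", shown)
    print("server accepts:", verify(SECRET, shown, 59, 70, last_counter=0))
```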
Another type of security access method, called a token card, works on the concept
that the card cannot possibly be in anyone else's possession. This is accomplished
by installation of token hardware and software in notebook computers and, in some
cases, in the inclusion in operating system ROMs on the motherboard of the remote
system. While secure and the loss levels are low, the costs are serious and severely
restrict the types of remote systems that may access a centralized dial-up method
as well as the type of dial-up or remote access method available.
In many circumstances there is the problem of identifying who has left the firm (and
when) so that their security card information may be removed from the access
database. At present, there are former customer employees that have left their firms
some time ago and are still identified as being active users in the security card
database. While this is mostly an accounting and tracking problem, there is no
automated “user X has not logged in via dial-up in Y amount of time” facilities to
allow tracking of user activity levels.
Even with proper accounting and user tracking, there is a recurring expense
required for the use of security identification cards (replacements, failed units,
damaged units, etc.) and this is growing due to the number of people desiring
access to the system resources at customer sites.
A major problem with security cards and token cards is the problem of user
accounting and session tracking. Many products provide a method by which users
may be accounted for in terms of access time and line identification, but that is
about it. There are no investigative tracking facilities, session tracking facilities,
session capture (for the extreme cases), user profiling and many other required
features for proper investigation of penetrations or improper activities.
In any dial-up solution, there is the need to provide reports on user access, where
the user connected and rudimentary reporting of times, activity levels and dates of
access for accounting facilities.
Where many companies find problems after implementation is in tracking down
breaches of security or monitoring specific user activities for users
performing activities that are considered counterproductive to corporate goals or
illegal. Even if the system is successful in keeping out unwanted intruders, many
company security breaches are from employees or contractors working within the
company facilities. Tracking of activities is important when attempting to isolate
internal breaches, the most common type, and when trying to isolate illegal
activities.
Tracking may be done in a variety of manners. The easiest is when the system is
set up to detect deviations from established access and activity patterns and reports
alarms on deviations. Unfortunately, setting up such facilities is non-trivial in larger
dial-up environments where there may be hundreds or thousands of accounts. What
is needed are software facilities that will establish a normalization baseline on a
user-by-user basis and then provide a method to report anomalies and deviations
from established operations.
Once the dial-up system has detected deviations, reporting and session
management/capture facilities need to be activated to properly identify user actions
and track activities to the keystroke level. This provides a chain of evidence of
malfeasance and can be used to prosecute a malicious user or to prove the
innocence of falsely accused users. Evidence is essential in any security breach or
suspected misuse of system and network resources. Keeping people off systems
is not terribly difficult and there are well established ways in which this is done.
Tracking them, developing a reliable trail of activity patterns and evidence that may
be used for prosecution is difficult and the system has to be designed from the start
to provide this level of information.
Reporting for user access needs to be very dynamic for the production of
accounting report for chargeback and also
The author has implemented various types of secure access systems for various
types of customers requiring dial-up network access without using dial-back
MODEMs. The most productive and flexible method to do this is to use an
intermediate network connection to provide connectivity and access services. This
may be accomplished through the use of a local Ethernet, terminal servers, and a
small 32-bit or 64-bit system to provide dial-up connection authorization.
Graphically, the connection path would appear as follows:
MODEM Pool -> Terminal Server -> Security Ethernet -> Main Backbone
In a typical usage scenario, users dial up to a customer specified phone number
pool with V.32bis, V.34, V.90 or similar MODEMs (this allows 300 through 56Kbps
async dial-up). The number pool, due to the nature of the software, could be a toll-
free access number (800-type in the U.S. and Canada) or a connection number and
ID on a public data network (X.25/X.29). The security access server(s) would then
automatically connect the user to special login security software that would ask for a
username, password, and any other type of required information. In this manner,
should it be necessary, a terminal emulation request, an asynchronous protocol
connection (such as PPP, SLIP or async AppleTalk) or another type of connection
protocol could be authorized. Following authorization and authentication of the user
over the dial-up connection, the security system software would connect the dialed-
up user to a system on the main Ethernet backbone at the customer’s site. This
would allow the secure access server system to provide very specific connection
facilities on a user-by-user basis and at the system and network manager’s
discretion. Based upon previous implementations at other facilities, this type of
connectivity would prove useful to customers where security is a serious concern
and yet remote access to the network and systems thereon is essential to fulfilling
corporate needs and goals.
• Access password upon initial MODEM or system connection to the secure
front-end in a manner similar to (but not the same as) many pre-user password
security methods. This allows connection but does not divulge the corporate
identity, which is usually the first place that a “hacker” would receive information
on what company is being attacked.
• The user would then be required to log in to the destination system via normal
log-in procedures for that system.
upgrades for a considerable time). At a meeting of the ISO group working on the
X.75 test, serious problems were raised with the issues of secure cards and credit
card authorization facilities in public access networks and it was decided that a
considerable amount of additional work is required before these can effectively be
used for secure access.
One feature of remote access facilities is their ability to connect to remote systems
via network or async connection(s). The user may log in to the remote access
system and then be connected to a networked system on the corporate network in a
variety of ways.
Some remote access systems use the ANSI Data Encryption Standard (DES) for
encryption and decryption of files in U.S. installations and an exportable hashing
algorithm for installations outside the U.S. This is due to U.S. laws on the export of
encryption technologies and is not a reflection on the vendor's desire for
customers in the international marketplace to have less secure installations than
those in the U.S. The vendors in the U.S. have no control over this law and must
comply.
Some remote access products do not store sensitive files on disk in an unencrypted
manner. All screen captures, user information and other files that are sensitive in
nature are encrypted in real-time and stored on disk in an encrypted form. Should
files be backed-up and moved to another system, the files will be unintelligible when
printed or sent to a terminal screen.
Remote access products with session and information capturing facilities have the
ability for a system manager to store captured data for a user in a file. When stored,
the file buffers are encrypted prior to being written to disk. If the system manager
wishes to view the file, the file is retrieved from disk and decrypted “on-the-fly” and
viewed with a special encrypt/decrypt editor.
Secure remote access servers often provide the ability for the system manager to
set up specific user accounts for asynchronous DECnet access, TCP/IP's SLIP
protocol, asynchronous AppleTalk and others. The user must go through the
standard security login dialog and, when the user has been authenticated, the line is
automatically modified and converted to an asynchronous protocol port. Some
systems allow multiple protocol access and a user menu may be provided for
access to various protocol services.
Some remote access servers allow the system manager to set priorities (critical,
urgent and routine) on various data items in the system. In this manner, as security
exception reports are generated they may be printed in priority order. When a
security exception report is read by the systems or security manager, the report may
be organized such that high-priority items are at the beginning of the report,
precluding a search operation to find what is truly important in the report.
When designing secure remote access servers, the author found that one of the
worst situations was the lack of knowledge of who logged in to systems “when.”
While some operating system environments could allow the system manager the
flexibility to specify login times to be at specific times of the day, these facilities are
very rarely used as it was deemed too difficult to set up and figure out what times of
the day the user is active.
Some systems now have an autoprofiling feature, which may be enabled for the
entire system or on a user-by-user basis. This allows the secure access server to
“learn” how a user interacts with systems on the network. The secure access server
collects activity levels and time of day parameters, stores them and sets up,
automatically, an activity profile for the user. If the user attempts to log in to the
secure access system at times not specified by the profile, access is denied.
Further, if operating parameters during a login session exceed the learned “norm,”
the user may be disconnected. Obviously, there are user-by-user overrides
available to the system manager that may be set-up to allow individual user
flexibility. For large user count sites, this feature has proven to be very valuable and
allows establishment of activity patterns and detection of abnormalities (this is the
first step to detecting illicit connectivity).
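As an added example (not code from this manual or from any vendor product), the following Python sketch implements the per-user baseline called for in the tracking discussion above and the autoprofiling just described: it learns each user's login hours and typical session parameters from a constructed history, denies logins outside the learned hours unless a manager override applies, and flags sessions whose parameters exceed the learned norm. The five-session learning threshold, one-hour tolerance and three-standard-deviation limit are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_SAMPLES = 5      # assumed: sessions needed before a profile is enforced (learning phase)
HOUR_TOLERANCE = 1   # assumed: accept logins one hour either side of a learned hour
SIGMA_K = 3.0        # assumed: more than 3 standard deviations above the mean is abnormal

# Constructed sample history: (user, login_hour, session_minutes, bytes_transferred)
HISTORY = [
    ("alice", 8, 30, 1200), ("alice", 9, 45, 1500), ("alice", 9, 40, 1400),
    ("alice", 10, 35, 1300), ("alice", 8, 50, 1600), ("alice", 9, 42, 1450),
    ("alice", 10, 38, 1350),
    # bob has only four sessions, so his profile is still being learned
    ("bob", 22, 120, 9000), ("bob", 23, 90, 8000), ("bob", 23, 110, 8500),
    ("bob", 1, 100, 9500),
]


def build_profiles(records):
    """Learn, per user, the hours at which logins occurred and the mean/spread of
    each session parameter. This is the normalization baseline."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec[0]].append(rec)
    profiles = {}
    for user, recs in grouped.items():
        minutes = [r[2] for r in recs]
        nbytes = [r[3] for r in recs]
        profiles[user] = {
            "samples": len(recs),
            "hours": {r[1] for r in recs},
            "minutes": (mean(minutes), pstdev(minutes)),
            "bytes": (mean(nbytes), pstdev(nbytes)),
        }
    return profiles


def login_decision(profiles, user, hour, overrides=None):
    """Return 'allow' or 'deny' for a login attempt at hour-of-day `hour` (0-23).
    Unknown users are denied; users still in the learning phase are allowed; a
    manager override (a set of extra permitted hours per user) widens the window."""
    prof = profiles.get(user)
    if prof is None:
        return "deny"
    if prof["samples"] < MIN_SAMPLES:
        return "allow"
    permitted = prof["hours"] | (overrides or {}).get(user, set())
    for learned in permitted:
        diff = abs(hour - learned)
        if min(diff, 24 - diff) <= HOUR_TOLERANCE:   # circular distance around midnight
            return "allow"
    return "deny"


def session_check(profiles, user, minutes, nbytes):
    """Return the names of session parameters that exceed the learned norm
    (mean + SIGMA_K * stddev). Empty means the session looks normal; anything
    else is grounds to report an exception or disconnect the user."""
    prof = profiles.get(user)
    if prof is None or prof["samples"] < MIN_SAMPLES:
        return []
    flagged = []
    for name, value in (("minutes", minutes), ("bytes", nbytes)):
        avg, sd = prof[name]
        if value > avg + SIGMA_K * sd:
            flagged.append(name)
    return flagged


PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    print("alice at 03:00:", login_decision(PROFILES, "alice", 3))
    print("alice with override:", login_decision(PROFILES, "alice", 3, {"alice": {3}}))
    print("alice 240 min / 50 kB session:", session_check(PROFILES, "alice", 240, 50000))
```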
3. Which people do you need to protect the resources from?
4. What are the possible threats? (Risk assessment)
5. How important is each resource?
Unless your local network is completely isolated (standalone), you will need to
address how to handle local security problems that result from a remote site, as
well as problems that occur on remote systems as a result of a local host or user.
What security measures can you implement today, and what further down the road?
*Always re-examine your network security policy to see whether your objectives and
network circumstances have changed (every 6 months is ideal).
NIST Checklist for functions to consider when developing a security system
The National Institute of Standards and Technology (NIST) has developed a list for what
they refer to as Minimal Security Functional Requirements for Multi-User
Operational Systems. The major functions are listed below.
2.10.2 Evaluating your security policy
1. Does your policy comply with law and with duties to third parties?
2. Does your policy compromise the interest of your employees, your company or
third parties?
3. Is your policy practical, workable and likely to be enforced?
4. Does your policy address all of the different forms of communication and record
keeping within your organization?
5. Has your policy been properly presented and agreed to by all concerned parties?
With adequate policies, passwords, and precautions in place, the next step is to
insist that every vendor, supplier, and consultant with access to your system
secures their computers as adequately as you secure yours. Also, work with your
legal department or legal advisors to draft a document that, upon signing,
acknowledges that the data they come into contact with is yours.
2.11 PC Security
One of the most critical security issues, one that has been compounded by the
micro and LAN/WAN revolution, is a lack of awareness among executives and users
of the vulnerability of their critical and sensitive information. Microcomputers have
unique security problems that must be understood for effective implementation of
security measures. These problems include:
• Physical Accessibility
• Hardware
• Software
• Data Communications
• Networking
• Disaster Recovery
Physical Accessibility
• Hardware Solutions
• Locks
• Desk Mounts
• Enclosures
• Steel Cables
Disk locks are also available to prevent access to hard drives and diskette drives.
Planning and diligent administration are the keys to securing microcomputers and
the information they process.
Things to consider with regard to system security
Software Solutions
Viruses have left a number of corporations sadder but all the wiser. A virus can
change data within a file, erase a disk, or direct a computer to perform
system-slowing calculations. Viruses may be spread by downloading programs off
of a bulletin board, sharing floppy diskettes, or communicating with an infected
computer through a network, by telephone or through the Internet. Anti-virus
products are a necessity for the detection, eradication and prevention of viruses. In
addition, micro security policy should define permissible software sources, bulletin
board use, and the types of applications that can be run on company computers.
The policy should also provide standards for testing unknown applications and limit
diskette sharing.
Data Residue is data that is stored on erased media. Such data can often be read
by subsequent users of that media. This presents a danger in sharing files on
diskettes that once contained sensitive or confidential data. This problem also exists
for hard drives. One solution available to companies is the use of degausser
products. Primarily used by the US government, corporate America is now finding
these effective tools for preventing the disclosure of sensitive information.
2.12 Access
Keep original and backup copies of data and programs safe. Apart from keeping
them in good condition for backup purposes, they must be protected from theft. It is
important to keep backups in a separate location from the originals, not only for
damage considerations, but also to guard against thefts.
Portable hosts are a particular risk. Make sure it won't cause problems if one of
your staff's portable computers is stolen. Consider developing guidelines for the kinds
of data that should be allowed to reside on the disks of portable computers as well
as how the data should be protected (e.g., encryption) when it is on a portable
computer.
Other areas where physical access should be restricted are the wiring closets and
important network elements like file servers, name server hosts, and routers.
2.12.1 Walk-up Network Connections
Consider whether you need to provide this service, bearing in mind that it allows any
user to attach an unauthorized host to your network. This increases the risk of
attacks via techniques such as IP address spoofing, packet sniffing, etc. Users and
site management must appreciate the risks involved. If you decide to provide
walk-up connections, plan the service carefully and define precisely where you will
provide it so that you can ensure the necessary physical access security.
If you are providing walk-up access for visitors to connect back to their home
networks (e.g., to read e-mail, etc.) in your facility, consider using a separate subnet
that has no connectivity to the internal network.
Keep an eye on any area that contains unmonitored access to the network, such as
vacant offices. It may be sensible to disconnect such areas at the wiring closet, and
consider using secure hubs and monitoring attempts to connect unauthorized hosts.
2.13.0 Introduction
Increasingly, media reports bring to light incidents of thefts occurring in offices at
any time of the day or night. Victims include government departments, the private
sector and universities in Canada and in the United States. The targets: computers
and computer components. Perpetrators include opportunists, petty thieves, career
criminals, organized gangs, people legally in contact with the products, e.g.
transportation and warehouse workers, as well as individuals working in the targeted
environment.
While incidents of this nature have increased dramatically in the last few years, the
number of reported incidents reflects only a portion of the total number of
occurrences. One reason for this is that government institutions, the private sector
and universities alike are often reluctant to report such incidents, for fear they’ll be
ridiculed or that their operations will be negatively affected.
This publication identifies the primary areas of vulnerability that may lead to loss of
assets (computer components) and proposes safeguards designed to minimize the
risks of losing these components. Samples of physical security devices are
described, and strategies are offered for minimizing computer and component theft.
2.13.1 Areas of Vulnerability and Safeguards
The following checklist can help determine the security posture of the perimeter:
• Is the building secured at ground or grade level by locked doors, using heavy-
duty commercial hardware (locks, hinges)?
• Are the windows at ground level either fixed or locked with heavy-duty
commercial hardware?
• Are trade entrances locked or controlled or are they wide open to strangers?
• Are rooftop openings locked with heavy-duty commercial hardware if accessible
from outside the building?
• Does the building have an outside ladder? If so, is the ladder secure?
• Is it protected with a ladder barrier to prevent unauthorized access to the roof?
• Do employees work during the evening?
• Is there sufficient lighting surrounding the building, including the parking lot and
service entrances?
• Alarm grade level doors and windows against opening and breakage.
• Ensure day and night security patrols are conducted by security personnel.
• Monitor the building perimeter by CCTV.
• Install entry security controls for single-tenant facilities, or in facilities shared
with other government departments requiring the same level of security.
• Whenever possible, avoid multi-tenant buildings where private tenants do not
want entry controls.
• Surround the building with tamper-proof lighting fixtures. Position the security
lighting to prevent deep shadows from the building or vegetation, so intruders
can be noticed.
such areas do not have to enter the secure perimeter. Every facility should have a
reception zone, accessed directly from the public-access zone, where visitors, if
necessary, wait for service or for permission to proceed to an operational or secure zone.
If this process cannot be accommodated then each floor must be secured. Other security
vulnerabilities include the improper use of a guard force and granting unlimited access to
all areas of the building’s working or technical areas, e.g., electrical and telephone rooms.
Many different devices are available on the market, including alarms, locks, cabinets,
cable kits, lock-down plates and special security screws. One company has marketed
theft retrieval software that notifies police of a stolen PC’s whereabouts. The use of
security seals, tamper-evident labels and ultraviolet detection lamps is also being
implemented.
The RCMP has not endorsed these products, other than containers, because the
majority have not been tested to evaluate their effectiveness. Some of the products
may be useful, but may not be cost-effective. In many instances, it is more cost-
effective to protect the working area than it is to tie down or alarm each PC.
Cabinets enclose the entire computer, including the monitor, keyboard, printer and
CPU. Cabinets are usually metal or composite materials, making them difficult to
break into. Information on approved cabinets is available from Public Works and
Government Services Canada.
Alarms are installed either inside or outside each CPU unit. The alarms do not
prevent the theft of computer equipment but they usually act as a deterrent. In
addition, people in the vicinity or at a central location are alerted by a loud piercing
sound if the equipment is moved or if the alarm is tampered with.
Anchoring pads and cables are used to anchor devices to desks and tabletops,
using high-strength adhesive pads or cables. Once the pad is installed on the table
or desk, it is very difficult to remove, and the adhesive usually ruins the finish.
Cables are probably the most common physical securing devices, and the least
expensive. Steel cables are passed through metal rings that are attached to the
equipment and a desk or table. Although cables prevent anyone from quickly
walking away with a piece of equipment, they can be cut. Another anchoring method
is the use of steel locking plates and cables to secure a variety of computer
components and office equipment to desks or tables. The bottom plate is either
bolted to the desk or fastened with adhesive. The top and bottom plates slide
together and are secured with a high-security lock.
Secure lid locks help prevent intrusion into PC servers and routers and protect
microprocessors and memory chips. The metal construction is crushproof, with no
adhesive or cables to damage the equipment.
Secure drive locks prevent the introduction of external viruses to PCs and networks,
avert the removal of sensitive corporate files by unauthorized individuals, deter the
introduction of unauthorized software to PCs and networks and prevent booting from
the floppy drive.
Security software uses anti-theft retrieval encryption stealth technology to locate
stolen computers. Upon a customer’s report of computer theft, the company initiates
its tracking feature. As soon as the stolen computer is connected to a telephone
line, the software turns off the modem’s speaker and silently dials the company’s
tracking line, giving the PC’s current location. The company then informs law
enforcement officials, who can obtain a search warrant and retrieve the computer.
Computer theft cannot be eliminated, but can be reduced by implementing a few simple
strategies.
Departments must appoint a departmental security officer (DSO). The DSO should have
direct access to the deputy head to report probable security breaches and illegal acts, as
warranted and in accordance with the DSO’s mandate. The DSO is responsible for
developing, implementing, maintaining, coordinating and monitoring a departmental security program.
An appropriate master key system must be developed, and comply with the following
guidelines:
• All perimeter doors should be keyed alike and not placed on the master key
system.
• Restricted access areas should be keyed differently and not placed on the
master key system.
• All utility rooms should be keyed alike, in groups.
2.13.3.2 TARGET HARDENING
Target hardening creates an environment which makes it difficult for the aggressor to
reach a target. The goal of target hardening is to prevent a successful attack through the
use of barriers to reduce the adversary’s speed of progress, leading to the adversary
either giving up the idea of an attack, or taking enough time that a response force can
react.
• Identification cards must be available for presentation, if necessary.
• Issue an identification (ID) card to all employees. An ID card should contain the
individual’s photograph, name and signature, the name of the issuing
department, a card number and an expiry date. The individual’s screening level
can also be displayed, if desired, unless a Threat and Risk Assessment (TRA)
recommends otherwise.
• Issue a building pass or access badge to employees who require regular access
to restricted areas, indicating their authorization to enter specific zones.
• Allow for additional processes to verify identity, where warranted.
Departments using ID cards or authorization badges must develop procedures for their
use, including:
The Security Policy of the Government of Canada (GSP) requires that departments
implement a security awareness program for all personnel, to define their security
responsibilities. Security awareness training is an essential element of a
comprehensive and effective security program. Such training is a continuing series
of activities, with two overall objectives:
Without the full cooperation of management, the security awareness program will
not succeed and the employees will not cooperate. In these times of restraint, the
security staff needs the cooperation of all employees. Managers must get involved
and show leadership to enhance awareness in their departments. Building badges
distinguish employees from visitors, contractors or trade persons, and have shown
good results in reducing crime. When building badges were implemented during the
Gulf War and every government employee was required to wear an ID badge or a
building badge, computer theft was almost non-existent. Once the Gulf War ended,
some government departments discontinued the use of badges. Had the badge
process been continued, theft in the federal government would have been kept to a
minimum. It should be impressed upon staff at all levels that security is part of their
everyday duties, and not an option or someone else’s job.
• Inform management and all employees, new and old, of the operations of the
building during working and silent hours.
• Instruct employees to alert security staff whenever they notice unescorted
strangers or visitors without identification badges around their area.
• Lock up laptops at all times when not in use, during coffee breaks, at lunch time
and even when at home, because of the value of the asset and of the
information they contain.
2.13.6 Conclusion
Computer theft cannot be eliminated, but departments can greatly reduce it by
following these simple rules:
• Implement an identification system for employees, visitors and trade
persons,
• Provide adequate security for the facility and ensure that barriers exist
for the protection of computers, through the use of physical security
devices, electronic intrusion detection or a security-cleared guard force,
• Implement a security awareness program that suits the department, and
• Inform employees they will be held responsible for government assets
lost or stolen because of carelessness.
Although there are no simple solutions, computer theft can be controlled in a cost-
effective manner through a team effort from everyone in the workplace — ministers,
directors, managers and all employees.
1. The physical facility is usually the building, other structure, or vehicle housing
the system and network components. Systems can be characterized, based
upon their operating location, as static, mobile, or portable. Static systems are
installed in structures at fixed locations. Mobile systems are installed in vehicles
that perform the function of a structure, but not at a fixed location. Portable
systems are not installed in fixed operating locations. They may be operated in
a wide variety of locations, including buildings or vehicles, or in the open. The
physical characteristics of these structures and vehicles determine the level of
such physical threats as fire, roof leaks, or unauthorized access.
2. The facility's general geographic operating location determines the
characteristics of natural threats, which include earthquakes and flooding; man-
made threats such as burglary, civil disorders, or interception of transmissions
and emanations; and damaging nearby activities, including toxic chemical spills,
explosions, fires, and electromagnetic interference from emitters, such as
radars.
3. Supporting facilities are those services (both technical and human) that underpin the
operation of the system. The system's operation usually depends on supporting
facilities such as electric power, heating and air conditioning, and
telecommunications. The failure or substandard performance of these facilities may
interrupt operation of the system and may cause physical damage to system
hardware or stored data.
Moreover, if such access is gained, it may be very difficult to determine what
has been modified, lost, or corrupted.
• Physical Theft. System hardware may be stolen. The magnitude of the loss is
determined by the costs to replace the stolen hardware and restore data stored
on stolen media. Theft may also result in service interruptions.
This section discusses seven major areas of physical and environmental security
controls:
Physical access controls restrict the entry and exit of personnel (and often
equipment and media) from an area, such as an office building, suite, data center,
or room containing a LAN server.
The controls over physical access to the elements of a system can include controlled
areas, barriers that isolate each area, entry points in the barriers, and screening
measures at each of the entry points. In addition, staff members who work in a restricted
area serve an important role in providing physical security, as they can be trained to
challenge people they do not recognize.
Physical access controls should address not only the area containing system hardware,
but also locations of wiring used to connect elements of the system, the electric power
service, the air conditioning and heating plant, telephone and data lines, backup media
and source documents, and any other elements required for the system's operation. This means
that all the areas in the building(s) that contain system elements must be identified.
It is also important to review the effectiveness of physical access controls in each area,
both during normal business hours and at other times, particularly when an area may be
unoccupied. Effectiveness depends on both the characteristics of the control devices
used (e.g., keycard-controlled doors) and the implementation and operation. Statements
to the effect that "only authorized persons may enter this area" are not particularly
effective. Organizations should determine whether intruders can easily defeat the
controls, the extent to which strangers are challenged, and the effectiveness of other
control procedures. Factors like these modify the effectiveness of physical controls.
Corrective actions can address any of the factors listed above. Adding an additional
barrier reduces the risk to the areas behind the barrier. Enhancing the screening at
an entry point can reduce the number of penetrations. For example, a guard may
provide a higher level of screening than a keycard-controlled door, or an anti-
passback feature can be added. Reorganizing traffic patterns, work flow, and work
areas may reduce the number of people who need access to a restricted area.
Physical modifications to barriers can reduce the vulnerability to surreptitious entry.
Intrusion detectors, such as closed-circuit television cameras, motion detectors, and
other devices, can detect intruders in unoccupied spaces.
• Fire Detection. The more quickly a fire is detected, all other things being equal,
the more easily it can be extinguished, minimizing damage. It is also important
to accurately pinpoint the location of the fire.
• Fire Extinguishment. A fire will burn until it consumes all of the fuel in the
building or until it is extinguished. Fire extinguishment may be automatic, as with
an automatic sprinkler system or a HALON discharge system, or it may be
performed by people using portable extinguishers, cooling the fire site with a
stream of water, by limiting the supply of oxygen with a blanket of foam or
powder, or by breaking the combustion chemical reaction chain.
Each of these factors is important when estimating the occurrence rate of fires and
the amount of damage that will result. The objective of a fire-safety program is to
optimize these factors to minimize the risk of fire.
Systems and the people who operate them need to have a reasonably well
controlled operating environment. Consequently, failures of heating and air-
conditioning systems will usually cause a service interruption and may damage
hardware. These utilities are composed of many elements, each of which must
function properly.
This same line of reasoning applies to electric power distribution, heating plants, water,
sewage, and other utilities required for system operation or staff comfort. By identifying
the failure modes of each utility and estimating the MTBF and MTTR, necessary failure
threat parameters can be developed to calculate the resulting risk. The risk of utility
failure can be reduced by substituting units with lower failure rates (higher MTBF values). MTTR can be
reduced by stocking spare parts on site and training maintenance personnel. And the
outages resulting from a given MTBF can be reduced by installing redundant units under
the assumption that failures are distributed randomly in time. Each of these strategies
can be evaluated by comparing the reduction in risk with the cost to achieve it.
2.14.3 Structural Collapse
A building may be subjected to a load greater than it can support. Most commonly
this is a result of an earthquake, a snow load on the roof beyond design criteria, an
explosion that displaces or cuts structural members, or a fire that weakens structural
members. Even if the structure is not completely demolished, the authorities may
decide to ban its further use, sometimes even banning entry to remove materials.
This threat applies primarily to high-rise buildings and those with large interior
spaces without supporting columns.
While plumbing leaks do not occur every day, they can be seriously disruptive. The
building's plumbing drawings can help locate plumbing lines that might endanger
system hardware. These lines include hot and cold water, chilled water supply and
return lines, steam lines, automatic sprinkler lines, fire hose standpipes, and drains.
If a building includes a laboratory or manufacturing spaces, there may be other lines
that conduct water, corrosive or toxic chemicals, or gases.
As a rule, analysis often shows that the cost to relocate threatening lines is difficult
to justify. However, the location of shutoff valves and procedures that should be
followed in the event of a failure must be specified. Operating and security
personnel should have this information immediately available for use in an
emergency. In some cases, it may be possible to relocate system hardware,
particularly distributed LAN hardware.
Depending on the type of data a system processes, there may be a significant risk if
the data is intercepted. There are three routes of data interception: direct
observation, interception of data transmission, and electromagnetic interception.
2.14.6 Mobile and Portable Systems
Like other security measures, physical and environmental security controls are
selected because they are cost-beneficial. This does not mean that a user must
conduct a detailed cost-benefit analysis for the selection of every control. There are
four general ways to justify the selection of controls:
1. They are required by law or regulation. Fire exit doors with panic bars and
exit lights are examples of security measures required by law or regulation.
Presumably, the regulatory authority has considered the costs and benefits and
has determined that it is in the public interest to require the security measure. A
lawfully conducted organization has no option but to implement all required
security measures.
2. The cost is insignificant, but the benefit is material. A good example of this
is a facility with a key-locked low-traffic door to a restricted access area. The cost of
keeping the door locked is minimal, but there is a significant benefit. Once a
significant benefit/minimal cost security measure has been identified, no further
analysis is required to justify its implementation.
3. The security measure addresses a potentially "fatal" security exposure
but has a reasonable cost. Backing up system software and data is an
example of this justification. For most systems, the cost of making regular
backup copies is modest (compared to the costs of operating the system), the
organization would not be able to function if the stored data were lost, and the
cost impact of the failure would be material. In such cases, it would not be
necessary to develop any further cost justification for the backup of software
and data. However, this justification depends on what constitutes a modest cost,
and it does not identify the optimum backup schedule. Broadly speaking, a cost
that does not require budgeting of additional funds would qualify.
4. The security measure is estimated to be cost-beneficial. If the cost of a
potential security measure is significant, and it cannot be justified by any of the
first three reasons listed above, then its cost (both implementation and ongoing
operation) and its benefit (reduction in future expected losses) need to be
analyzed to determine if it is cost-beneficial. In this context, cost-beneficial
means that the reduction in expected loss is significantly greater than the cost of
implementing the security measure.
Arriving at the fourth justification requires a detailed analysis. Simple rules of thumb do
not apply. Consider, for example, the threat of electric power failure and the security
measures that can protect against such an event. The threat parameters, rate of
occurrence, and range of outage durations depend on the location of the system, the
details of its connection to the local electric power utility, the details of the internal power
distribution system, and the character of other activities in the building that use electric
power. The system's potential losses from service interruption depend on the details of
the functions it performs. Two systems that are otherwise identical can support functions
that have quite different degrees of urgency. Thus, two systems may have the same
electric power failure threat and vulnerability parameters, yet entirely different loss
potential parameters.
This example shows systems with a wide range of risks and a wide range of
available security measures (including, of course, no action), each with its own cost
factors and performance parameters.
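The utility-failure reasoning (MTBF, MTTR, spares and redundant units) and the fourth justification (reduction in expected loss versus cost of the measure) can be carried through numerically. The following is an added example, not part of the manual: all figures are constructed, the redundancy formula assumes independent units with randomly distributed failures as the text states, and the "significantly greater" threshold is an assumed multiple of the annual cost.

```python
"""Utility-failure risk and cost-benefit screening (added example).

Estimates the expected annual outage of a supporting facility from its MTBF
and MTTR, compares three of the strategies named in the text (spares on
site, a redundant unit, a unit with a lower failure rate) and applies the
fourth justification: a measure is cost-beneficial when the reduction in
expected loss clearly exceeds its cost.  All numbers are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Utility:
    name: str
    mtbf_hours: float   # mean time between failures
    mttr_hours: float   # mean time to repair


def unavailability(u: Utility, redundant_units: int = 1) -> float:
    """Fraction of time the service is down.

    A single unit is down MTTR out of every MTBF + MTTR hours.  With N
    identical, independent units in parallel (assumption: failures are
    distributed randomly in time, as the text states) the service is down
    only when all N are down at once, so the single-unit value is raised
    to the Nth power.
    """
    if redundant_units < 1:
        raise ValueError("need at least one unit")
    single = u.mttr_hours / (u.mtbf_hours + u.mttr_hours)
    return single ** redundant_units


def expected_outage_hours(u: Utility, redundant_units: int = 1) -> float:
    return unavailability(u, redundant_units) * HOURS_PER_YEAR


def expected_annual_loss(u: Utility, loss_per_hour: float,
                         redundant_units: int = 1) -> float:
    """Loss potential parameter: outage hours times loss per outage hour."""
    return expected_outage_hours(u, redundant_units) * loss_per_hour


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float      # implementation amortised plus ongoing operation
    improved: Utility       # utility parameters after the measure
    redundant_units: int = 1


def evaluate(baseline: Utility, loss_per_hour: float, measures,
             margin: float = 2.0) -> dict:
    """Map measure name -> (loss reduction, annual cost, cost_beneficial).

    The text does not quantify "significantly greater"; this example assumes
    the reduction must be at least `margin` times the annual cost.
    """
    base_loss = expected_annual_loss(baseline, loss_per_hour)
    results = {}
    for m in measures:
        new_loss = expected_annual_loss(m.improved, loss_per_hour,
                                        m.redundant_units)
        reduction = base_loss - new_loss
        results[m.name] = (reduction, m.annual_cost,
                           reduction >= margin * m.annual_cost)
    return results


# Constructed scenario: an air-conditioning plant for a server room.
BASELINE = Utility("air conditioning", mtbf_hours=4000.0, mttr_hours=48.0)
LOSS_PER_HOUR = 2000.0   # constructed cost of a service interruption
MEASURES = [
    # stocking spare parts and training staff shortens the repair time
    Measure("spares on site", 5000.0, Utility("ac", 4000.0, 8.0)),
    # a second identical unit; failures must coincide to cause an outage
    Measure("redundant unit", 40000.0, BASELINE, redundant_units=2),
    # a unit with a lower failure rate (double the MTBF) at a high price
    Measure("lower-failure-rate unit", 120000.0, Utility("ac", 8000.0, 48.0)),
]


def main() -> None:
    print(f"baseline: {expected_outage_hours(BASELINE):.1f} h/yr down, "
          f"expected loss {expected_annual_loss(BASELINE, LOSS_PER_HOUR):,.0f}")
    for name, (red, cost, ok) in evaluate(BASELINE, LOSS_PER_HOUR, MEASURES).items():
        print(f"{name:24s} reduction {red:>10,.0f}  cost {cost:>9,.0f}  "
              f"{'cost-beneficial' if ok else 'not justified'}")


if __name__ == "__main__":
    main()
```

Two systems with identical utility parameters but different values of LOSS_PER_HOUR will rank the same measures differently, which is the point the text makes about loss potential.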
2.14.8 Interdependencies
Physical and environmental security measures rely on and support the proper
functioning of many of the other areas discussed in this handbook. Among the most
important are the following:
2.14.9 Cost Considerations
There has been a fair amount of confusion about what is meant by "C2
compatibility". Windows NT has, for example, been tested and rated C2 compliant,
but only under a very specific set of circumstances. However, simply because a
system or system component is "C2 compliant" doesn't mean that it may be
considered completely secure under all conditions. Unfortunately, the "C2" label has
come to be a catch-all designation appearing to encompass many security features
which, in fact, it does not.
Using the above example as a starting point, Windows NT workstations are only C2
compliant when they are not connected to a multi-user system (network) of any kind
and when they have their A: drives disconnected at the hardware level. There are a
few other restrictions that, if violated, negate the C2 compliance.
1. Security Policy
2. Accountability
3. Assurance (operational and life cycle)
4. Documentation
Security Policy: Discretionary Access Control - The system defines and controls
access between named users and named objects. The enforcement mechanism
(self/group/public controls, access control lists, etc.) allows users to specify and
control sharing of these objects by named individuals, groups or both and provides
controls to limit propagation of access rights. Objects must be protected from
unauthorized access either by explicit user action or default. The controls are
capable of including or excluding access to the granularity of a single user.
Accountability: Identification and Authentication - All users must identify
themselves before performing any other actions that the system is expected to
mediate. Some protected mechanism such as passwords must be used to
authenticate the user's identity. The system must protect authentication data so that
it cannot be accessed by any unauthorized user. The system must be able to
enforce individual accountability by uniquely identifying each user and providing the
capability of associating the identity with all auditable actions taken by the individual.
Accountability: Audit - The system must be able to create, maintain and protect
from modification or unauthorized access or destruction an audit trail of access to
the objects it protects. It must record the following types of events: use of
identification and authentication mechanism, introduction of objects into a user's
address space, deletions of objects, actions taken by system administrators and
security officers, and other security-relevant events. For each recorded event the
system must record the date and time, user, type of event and success or failure of
the event. If the event is the introduction of an object into the user's address space
(such as file open or program execution) the name of the object must be included.
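The audit-record requirements just listed (date and time, user, event type, success or failure, and the object name for any event that introduces an object into a user's address space) can be checked mechanically. The following is an added example, not code from the manual or from any evaluated product: the key=value line format and the event-type labels are assumptions made for illustration, and the sample trail is constructed.

```python
"""Completeness check for audit records against the C2 content rules.

Added example.  Each audit event is assumed to be one line of key=value
fields (values with spaces are double-quoted); event-type labels are assumed
names.  The required fields and the object-name rule come from the text.
"""
import re
from datetime import datetime

# Every recorded event must carry these four items.
REQUIRED_FIELDS = ("time", "user", "event", "outcome")

# Events that introduce an object into the user's address space must also
# name the object.
OBJECT_INTRODUCTION = {"file_open", "program_exec"}

# Event classes the text says must be recorded (labels are assumed).
KNOWN_EVENTS = OBJECT_INTRODUCTION | {
    "login",            # use of the identification and authentication mechanism
    "object_delete",    # deletion of objects
    "admin_action",     # actions by system administrators / security officers
    "security_event",   # other security-relevant events
}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit line into a field dictionary, unquoting values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def check_record(rec: dict) -> list:
    """Return the list of rule violations for one record (empty = complete)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "time" in rec:
        try:
            datetime.fromisoformat(rec["time"])
        except ValueError:
            problems.append("time is not an ISO 8601 date and time")
    outcome = rec.get("outcome")
    if outcome is not None and outcome not in ("success", "failure"):
        problems.append("outcome must be success or failure")
    event = rec.get("event")
    if event is not None and event not in KNOWN_EVENTS:
        problems.append(f"unknown event type {event}")
    if event in OBJECT_INTRODUCTION and not rec.get("object"):
        problems.append("object introduction without object name")
    return problems


def audit_trail_report(lines) -> list:
    """Return [(line number, problems)] for every non-blank line."""
    return [(n, check_record(parse_record(line)))
            for n, line in enumerate(lines, 1) if line.strip()]


# Constructed sample trail; lines 3, 5 and 6 are deliberately deficient.
SAMPLE_TRAIL = [
    'time=1996-07-01T09:12:03 user=jsmith event=login outcome=success',
    'time=1996-07-01T09:12:40 user=jsmith event=file_open outcome=success object="/payroll/q2.dat"',
    'time=1996-07-01T09:15:11 user=jsmith event=program_exec outcome=success',
    'time=1996-07-01T09:20:00 user=admin event=admin_action outcome=success object="add user tjones"',
    'user=tjones event=login outcome=failure',
    'time=1996-07-01T09:30:00 user=tjones event=object_delete outcome=ok object="/tmp/scratch"',
]

if __name__ == "__main__":
    for n, problems in audit_trail_report(SAMPLE_TRAIL):
        print(f"line {n}: {'ok' if not problems else '; '.join(problems)}")
```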
Life Cycle Assurance: Security Testing - The security mechanisms of the system
must be tested and found to work as presented in system documentation. Testing
must ensure that there are no obvious ways for an unauthorized user to bypass or
otherwise defeat the security protection mechanisms of the system. This must
include a search for obvious flaws that would allow a violation of resource isolation
or that would permit unauthorized access to the audit or authentication data.
By extension, the Red Book applies the C2 standard criteria to the network
environment. The Red Book's purpose is to interpret the Orange Book's standalone
standards as they may be applied to a network. The Red Book places responsibility
for the security of the network not on a manufacturer, but on the network's sponsor.
This differentiation acknowledges that a device, regardless of its Orange Book rating
as delivered from the manufacturer, becomes a component of the multivendor
network when it is interconnected. As such, it takes on some of the characteristics of
the network, interacts with other components of the network and may have its own
characteristics altered by these interactions. The manufacturer no longer
controls the security mechanisms of the device for these reasons. The Red Book
places the system-wide responsibility with the network sponsor.
Policy - The Red Book defines two types of policy within the network environment:
Secrecy and Data Integrity. The document defines them as follows:
Secrecy Policy: The network sponsor shall define the form of the discretionary secrecy
policy that is enforced in the network to prevent unauthorized users from reading the
sensitive information entrusted to the network.
Data Integrity Policy: The network sponsor shall define the discretionary integrity
policy to prevent unauthorized users from modifying, viz., writing, sensitive
information. The definition of data integrity presented by the network sponsor refers
to the requirement that the information has not been subjected to unauthorized
modification in the network.
specifications and procedures to assist the system administrator(s) in maintaining
cognizance of the network configuration. These specifications and procedures address the
following:
2.15.2 Summary
Finally, vendors often represent products as "C2 compliant" implying that the
product has undergone and passed the rigid C2 testing process employed by the
NCSC. In most cases this is misleading. Very few PC-based systems have
undergone and completed such testing. In fact, there are no current (July, 1996)
network systems that are officially rated C2.
C2 compliance, per se, is usually not a requirement for commercial systems. In fact,
there are a number of "standards" that purport to be taking the place of C2 for the
commercial world. These new criteria, such as "Extended C2" and "Commercial C2"
are, generally, simply extensions of the original C2 standard. We do not recommend
slavish adherence to C2 as a method of securing today's commercial networks.
Rather, we believe that the principles upon which the C2 standard is built offer an
excellent measuring stick for the over-all security of the corporate computing
environment.
However, as many security and audit professionals point out, the architecture of the
system is only the beginning. It is at least as important to ensure that the policies,
standards and practices which the C2 environment enforces are current and
appropriate. The system administrators must be well-trained and empowered to do
their jobs properly. There must be periodic risk assessments and formal audits to
ensure compliance with policies. Finally, there must be a firm system of
enforcement, both at the system and administrative levels.
Section References
2.1 Fraser, B. ed. RFC 2196. Site Security Handbook. Network Working Group,
September 1997. Chapter 2.
Fites, P., and M. Kratz. "Policy Development." Information Systems Security: A Practitioner's
Reference. New York, NY: Van Nostrand Reinhold, 1993. pp. 411-427.
Lobel, J. "Establishing a System Security Policy." Foiling the System Breakers. New York,
NY: McGraw-Hill, 1986. pp. 57-95.
Menkus, B. "Concerns in Computer Security." Computers and Security. 11(3), 1992. pp. 211-215.
Office of Technology Assessment. "Federal Policy Issues and Options." Defending Secrets,
Sharing Data: New Locks for Electronic Information. Washington, DC: U.S Congress, Office of
Technology Assessment, 1987. pp. 151-160.
Peltier, Thomas. "Designing Information Security Policies That Get Results." Infosecurity
News.4(2), 1993. pp. 30-31.
President's Council on Management Improvement and the President's Council on Integrity and
Efficiency. Model Framework for Management Control Over Automated Information System.
[MART89] Martin, James, and K. K. Chapman, The Arben Group, Inc.; Local
Area Networks, Architectures and Implementations, Prentice Hall,
1989.
[NCSC87] A Guide to Understanding Discretionary Access Control in Trusted
Systems, NCSC-TG-003, Version 1, September 30, 1987
[WACK89] Wack, John P., and L. Carnahan; Computer Viruses and Related
Threats: A Management Guide, NIST Special Publication 500-166,
August 1989.
[KLEIN] Daniel V. Klein, "Foiling the Cracker: A Survey of, and Improvements to,
Password Security", Software Engineering Institute. (This work was sponsored in
part by the Department of Defense.)
[GILB89] Gilbert, Irene; Guide for Selecting Automated Risk Analysis Tools,
NIST Special Publication 500-174, October, 1989.
[KATZ92] Katzke, Stuart W., Ph.D., "A Framework for Computer Security Risk
Management", NIST, October, 1992.
[NIST85] Federal Information Processing Standard (FIPS PUB) 112, Password Usage, May,
1985.
[TODD89] Todd, Mary Anne and Constance Guitian, Computer Security Training
Guidelines, NIST Special Publication 500-172, November, 1989.
2.6. Fraser, B. ed. RFC 2196. Site Security Handbook. Network
Working Group, September 1997. Chapter 4.6.
Alexander, M., ed. "Secure Your Computers and Lock Your Doors." Infosecurity News.
4(6), 1993. pp. 80-85.
Archer, R. "Testing: Following Strict Criteria." Security Dealer. 15(5), 1993. pp. 32-35.
Breese, H., ed. The Handbook of Property Conservation. Norwood, MA: Factory Mutual
Engineering Corp.
Miehl, F. "The Ins and Outs of Door Locks." Security Management. 37(2), 1993. pp. 48-53.
National Bureau of Standards. Guidelines for ADP Physical Security and Risk Management.
Peterson, P. "Infosecurity and Shrinking Media." ISSA Access. 5(2), 1992. pp. 19-22.
Roenne, G. "Devising a Strategy Keyed to Locks." Security Management. 38(4), 1994. pp. 55-56.
Zimmerman, J. "Using Smart Cards - A Smart Move." Security Management. 36(1), 1992. pp.
32-36.
3.0 Identification and Authentication
3.1 Introduction
For most systems, identification and authentication (I&A) is the first line of defense.
I&A is a technical measure that prevents unauthorized people (or unauthorized
processes) from entering a computer system.
I&A is a critical building block of computer security since it is the basis for most
types of access control and for establishing user accountability. Access control often
requires that the system be able to identify and differentiate among users. For
example, access control is often based on least privilege, which refers to the
granting to users of only those accesses required to perform their duties. User
accountability requires the linking of activities on a computer system to specific
individuals and, therefore, requires the system to identify users.
• Identification is the means by which a user provides a claimed identity to the
system.
• Authentication is the means of establishing the validity of this claim.
A typical user identification could be JSMITH (for Jane Smith). This information can
be known by system administrators and other system users. A typical user
authentication could be Jane Smith's password, which is kept secret. This way system
administrators can set up Jane's access and see her activity on the audit trail, and
system users can send her e-mail, but no one can pretend to be Jane.
Computer systems recognize people based on the authentication data the systems
receive. Authentication presents several challenges: collecting authentication data,
transmitting the data securely, and knowing whether the person who was originally
authenticated is still the person using the computer system. For example, a user
may walk away from a terminal while still logged on, and another person may start
using it. There are three means of authenticating a user's identity which can be
used alone or in combination:
• something the individual knows (a secret e.g., a password, Personal Identification
Number (PIN), or cryptographic key)
• something the individual possesses (a token e.g., an ATM card or a smart card)
• and something the individual is (a biometric e.g., such characteristics as a voice
pattern, handwriting dynamics, or a fingerprint).
For most applications, trade-offs will have to be made among security, ease of use,
and ease of administration, especially in modern networked environments.
While it may appear that any of these means could provide strong authentication,
there are problems associated with each. If people want to pretend to be
someone else on a computer system, they can guess or learn that individual's
password; they can also steal or fabricate tokens. Each method also has drawbacks
for legitimate users and system administrators: users forget passwords and may
lose tokens, and administrative overhead for keeping track of I&A data and tokens
can be substantial. Biometric systems have significant technical, user acceptance,
and cost problems as well.
This section explains current I&A technologies and their benefits and drawbacks as
they relate to the three means of authentication. Some of the technologies make use
of cryptography because it can significantly strengthen authentication.
3.1.0 I&A Based on Something the User Knows
The most common form of I&A is a user ID coupled with a password. This technique
is based solely on something the user knows. There are other techniques besides
conventional passwords that are based on knowledge, such as knowledge of a
cryptographic key.
3.1.0.1 PASSWORDS
Improving Password Security
Password generators. If users are not allowed to generate their own passwords, they cannot pick easy-to-guess passwords. Some generators create only pronounceable nonwords to help users remember them. However, users tend to write down hard-to-remember passwords.
Limits on log-in attempts. Many operating systems can be configured to lock a user ID after a set number of failed log-in attempts. This helps to prevent guessing of passwords.
Password attributes. Users can be instructed, or the system can force them, to select passwords (1) with a certain minimum length, (2) with special characters, (3) that are unrelated to their user ID, or (4) to pick passwords which are not in an on-line dictionary. This makes passwords more difficult to guess (but more likely to be written down).
Changing passwords. Periodic changing of passwords can reduce the damage done by stolen passwords and can make brute-force attempts to break into systems more difficult. Too frequent changes, however, can be irritating to users.
Technical protection of the password file. Access control and one-way encryption can be used to protect the password file itself.
Note: Many of these techniques are discussed in FIPS 112, Password Usage and FIPS 181, Automated Password Generator.
In general, password systems work by requiring the user to enter a user ID and password (or passphrase or personal identification number). The system compares the password to a previously stored password for that user ID. If there is a match, the user is authenticated and granted access.
Benefits of Passwords. Passwords have been successfully providing security for computer systems for a long time. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security.
Problems With Passwords. The security of a password system is dependent upon keeping passwords secret. Unfortunately, there are many ways that the secret may be divulged. All of the problems discussed below can be significantly mitigated by improving password security, as discussed in the sidebar. However, there is no fix for the problem of electronic monitoring, except to use more advanced authentication (e.g., based on cryptographic techniques or tokens).
1. Guessing or finding passwords. If users select their own passwords, they tend to make them easy to remember. That often makes them easy to guess. The names of people's children, pets, or favorite sports teams are common examples. On the other hand, assigned passwords may be difficult to remember, so users are more likely to write them down. Many computer systems are shipped with administrative accounts that have preset passwords. Because these passwords are standard, they are easily "guessed." Although security practitioners have been warning about this problem for years, many system administrators still do not change default passwords. Another method of learning passwords is to observe someone entering a password or PIN. The observation can be done by someone in the same room or by someone some distance away using binoculars. This is often referred to as shoulder surfing.
2. Giving passwords away. Users may share their passwords. They may give their
password to a co-worker in order to share files. In addition, people can be
tricked into divulging their passwords. This process is referred to as social
engineering.
3. Electronic monitoring. When passwords are transmitted to a computer system,
they can be electronically monitored. This can happen on the network used to
transmit the password or on the computer system itself. Simple encryption of a
password that will be used again does not solve this problem because
encrypting the same password will create the same ciphertext; the ciphertext
becomes the password.
4. Accessing the password file. If the password file is not protected by strong
access controls, the file can be downloaded. Password files are often protected
with one-way encryption so that plain-text passwords are not available to
system administrators or hackers (if they successfully bypass access controls).
Even if the file is encrypted, brute force can be used to learn passwords if the
file is downloaded (e.g., by encrypting English words and comparing them to the
file).
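The sidebar's protections (one-way encryption of the stored password, password attributes, a disallowed-word dictionary, and a limit on failed log-in attempts) put together as a small password system. This is an added example, not code from the manual; the user ID, passwords and dictionary are constructed, and PBKDF2-SHA256 stands in for the one-way encryption.

```python
"""Password system with the sidebar's protections: one-way (salted, iterated) hashing
of the stored password, password attribute checks, a disallowed-word dictionary, and
a lock-out after a set number of failed log-in attempts.

Added example, not code from the manual. User IDs, passwords and the dictionary are
constructed for illustration.
"""
import hashlib
import os
import secrets
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3          # lock the user ID after this many failures
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 210_000

# Constructed stand-in for the "on-line dictionary" of disallowed passwords.
DISALLOWED_WORDS = {"password", "letmein", "welcome", "changeme", "qwerty"}


class PasswordPolicyError(ValueError):
    """Raised when a candidate password violates the required attributes."""


def check_password_attributes(user_id: str, password: str) -> None:
    """Enforce the four attributes from the sidebar; raise on the first violation."""
    if len(password) < MIN_LENGTH:
        raise PasswordPolicyError(f"shorter than {MIN_LENGTH} characters")
    if all(c.isalnum() for c in password):
        raise PasswordPolicyError("no special characters")
    if user_id.lower() in password.lower():
        raise PasswordPolicyError("related to the user ID")
    # Check the alphabetic core too, so "Password123!" is still caught.
    core = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in DISALLOWED_WORDS or core in DISALLOWED_WORDS:
        raise PasswordPolicyError("found in the disallowed-password dictionary")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way transform; the password file stores only (salt, digest), never the
    password itself, so even someone who reads the file learns no plain-text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordFile:
    """In-memory stand-in for the protected password file plus failure counters."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def enroll(self, user_id: str, password: str) -> None:
        """Accept a new password only if it passes the attribute checks."""
        check_password_attributes(user_id, password)
        self._records[user_id] = hash_password(password)
        self._failures[user_id] = 0

    def is_locked(self, user_id: str) -> bool:
        return self._failures.get(user_id, 0) >= MAX_FAILED_ATTEMPTS

    def authenticate(self, user_id: str, password: str) -> bool:
        """Compare the entered password with the stored one-way value for this user ID."""
        if user_id not in self._records or self.is_locked(user_id):
            return False
        salt, stored = self._records[user_id]
        _, candidate = hash_password(password, salt)
        if secrets.compare_digest(candidate, stored):
            self._failures[user_id] = 0
            return True
        self._failures[user_id] += 1        # counts toward the lock-out limit
        return False


if __name__ == "__main__":
    pf = PasswordFile()
    pf.enroll("jsmith", "Correct-Horse-Battery-9")
    print(pf.authenticate("jsmith", "Correct-Horse-Battery-9"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        pf.authenticate("jsmith", "guess")
    print(pf.is_locked("jsmith"), pf.authenticate("jsmith", "Correct-Horse-Battery-9"))
```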
Passwords Used as Access Control. Some mainframe operating systems and many
PC applications use passwords as a means of restricting access to specific
resources within a system. Instead of using mechanisms such as access control
lists, access is granted by entering a password. The result is a proliferation of
passwords that can reduce the overall security of a system. While the use of
passwords as a means of access control is common, it is an approach that is often
less than optimal and not cost-effective.
Although the authentication derived from the knowledge of a cryptographic key may
be based entirely on something the user knows, it is necessary for the user to also
possess (or have access to) something that can perform the cryptographic
computations, such as a PC or a smart card. For this reason, the protocols used are
discussed in the Smart Tokens section of this chapter. However, it is possible to
implement these types of protocols without using a smart token. Additional
discussion is also provided under the Single Log-in section.
Although some techniques are based solely on something the user possesses, most
of the techniques described in this section are combined with something the user
knows. This combination can provide significantly stronger security than either
something the user knows or possesses alone. Objects that a user possesses for
the purpose of I&A are called tokens. This section divides tokens into two
categories: memory tokens and smart tokens.
Memory tokens store, but do not process, information. Special reader/writer devices
control the writing and reading of data to and from the tokens. The most common
type of memory token is a magnetic striped card, in which a thin stripe of magnetic
material is affixed to the surface of a card (e.g., as on the back of credit cards). A
common application of memory tokens for authentication to computer systems is the
automatic teller machine (ATM) card. This uses a combination of something the user
possesses (the card) with something the user knows (the PIN). Some computer
system authentication technologies are based solely on possession of a token, but
they are less common. Token-only systems are more likely to be used in other
applications, such as for physical access.
Benefits of Memory Token Systems. Memory tokens when used with PINs provide
significantly more security than passwords. In addition, memory cards are
inexpensive to produce. For a hacker or other would-be masquerader to pretend to
be someone else, the hacker must have both a valid token and the corresponding
PIN. This is much more difficult than obtaining a valid password and user ID
combination (especially since most user IDs are common knowledge).
Another benefit of tokens is that they can be used in support of log generation
without the need for the employee to key in a user ID for each transaction or other
logged event since the token can be scanned repeatedly. If the token is required for
physical entry and exit, then people will be forced to remove the token when they
leave the computer. This can help maintain authentication.
There are many different types of smart tokens. In general, smart tokens can be
divided in three different ways, based on physical characteristics, interface, and
protocols used. These three divisions are not mutually exclusive.
• Physical Characteristics. Smart tokens can be divided into two groups: smart
cards and other types of tokens. A smart card looks like a credit card, but
incorporates an embedded microprocessor. Smart cards are defined by an
International Standards Organization (ISO) standard. Smart tokens that are not
smart cards can look like calculators, keys, or other small portable objects.
• Interface. Smart tokens have either a manual or an electronic interface. Manual
or human interface tokens have displays and/or keypads to allow humans to
communicate with the card. Smart tokens with electronic interfaces must be
read by special reader/writers. Smart cards, described above, have an
electronic interface. Smart tokens that look like calculators usually have a
manual interface.
• Protocol. There are many possible protocols a smart token can use for
authentication. In general, they can be divided into three categories: static
password exchange, dynamic password generators, and challenge-response.
• Static tokens work similarly to memory tokens, except that the users
authenticate themselves to the token and then the token authenticates the user
to the computer.
• A token that uses a dynamic password generator protocol creates a unique
value, for example, an eight-digit number, that changes periodically (e.g., every
minute). If the token has a manual interface, the user simply reads the current
value and then types it into the computer system for authentication. If the token
has an electronic interface, the transfer is done automatically. If the correct
value is provided, the log-in is permitted, and the user is granted access to the
system.
• Tokens that use a challenge-response protocol work by having the computer
generate a challenge, such as a random string of numbers. The smart token
then generates a response based on the challenge. This is sent back to the
computer, which authenticates the user based on the response. The challenge-
response protocol is based on cryptography. Challenge-response tokens can
use either electronic or manual interfaces.
There are other types of protocols, some more sophisticated and some less so. The
three types described above are the most common.
Smart tokens offer great flexibility and can be used to solve many authentication
problems. The benefits of smart tokens vary, depending on the type used. In
general, they provide greater security than memory cards. Smart tokens can solve
the problem of electronic monitoring even if the authentication is done across an
open network by using one-time passwords.
1. One-time passwords. Smart tokens that use either dynamic password
generation or challenge-response protocols can create one-time passwords.
Electronic monitoring is not a problem with one-time passwords because each
time the user is authenticated to the computer, a different "password" is used.
(A hacker could learn the one-time password through electronic monitoring, but it
would be of no value.)
2. Reduced risk of forgery. Generally, the memory on a smart token is not
readable unless the PIN is entered. In addition, the tokens are more complex
and, therefore, more difficult to forge.
3. Multi-application. Smart tokens with electronic interfaces, such as smart cards,
provide a way for users to access many computers using many networks with
only one log-in. This is further discussed in the Single Log-in section of this
chapter. In addition, a single smart card can be used for multiple functions, such
as physical access or as a debit card.
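The challenge-response and dynamic-password protocols above, next to the "encrypted reusable password" problem from the Electronic monitoring item, played out as an eavesdropper would see them. This is an added example, not code from the manual; the shared token key, user ID and password are constructed, and the HMAC-based response and the deterministic "encryption" stand-in are this example's choices, not a particular product's protocol.

```python
"""Challenge-response and dynamic-password tokens versus a replayed static credential.

Added example, not code from the manual. The token and the computer share a secret
key (a constructed value here). In challenge-response the computer sends a fresh
random challenge, the token answers with an HMAC over it, and the computer checks
the answer; a response captured by electronic monitoring is worthless afterwards
because the challenge is never reused. A "static encrypted password" is modelled
alongside it: the same ciphertext is accepted every time, so the ciphertext simply
becomes the password.
"""
import hashlib
import hmac
import secrets


def token_response(token_key: bytes, challenge: bytes) -> str:
    """Token side: derive an eight-digit response from the challenge.

    The short numeric form is what a manual-interface token would show on its
    display for the user to type in; an electronic-interface token could hand over
    the full digest instead.
    """
    mac = hmac.new(token_key, challenge, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 100_000_000
    return f"{value:08d}"


def dynamic_password(token_key: bytes, now: int, period: int = 60) -> str:
    """Dynamic password generator: the value is derived from the current period
    (e.g., the current minute) rather than a challenge, so it changes by itself."""
    counter = (now // period).to_bytes(8, "big")
    return token_response(token_key, counter)


class ChallengeResponseServer:
    """Computer side of the challenge-response protocol."""

    def __init__(self, token_keys: dict) -> None:
        self._keys = dict(token_keys)             # user ID -> shared token key
        self._outstanding: dict = {}              # user ID -> live challenge

    def issue_challenge(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(16)       # random, never reused
        self._outstanding[user_id] = challenge
        return challenge

    def verify(self, user_id: str, response: str) -> bool:
        challenge = self._outstanding.pop(user_id, None)   # consumed on first use
        if challenge is None or user_id not in self._keys:
            return False
        expected = token_response(self._keys[user_id], challenge)
        return hmac.compare_digest(expected, response)


def static_encrypted_password(password: str) -> str:
    """Stand-in for deterministic encryption of a reusable password: the same
    password always yields the same ciphertext (constructed, not a real cipher)."""
    return hashlib.sha256(b"constructed-fixed-key:" + password.encode()).hexdigest()


class StaticPasswordServer:
    """Computer that accepts the encrypted reusable password as sent over the network."""

    def __init__(self, entries: dict) -> None:
        self._entries = dict(entries)             # user ID -> expected ciphertext

    def verify(self, user_id: str, ciphertext: str) -> bool:
        return hmac.compare_digest(self._entries.get(user_id, ""), ciphertext)


def replay_experiment() -> dict:
    """Play an eavesdropper: capture one log-in of each kind and replay it."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed token key
    cr_server = ChallengeResponseServer({"jsmith": key})
    challenge = cr_server.issue_challenge("jsmith")
    captured_response = token_response(key, challenge)        # seen on the wire
    cr_first = cr_server.verify("jsmith", captured_response)
    cr_server.issue_challenge("jsmith")                       # next log-in, new challenge
    cr_replay = cr_server.verify("jsmith", captured_response)

    ciphertext = static_encrypted_password("hunter2")         # constructed password
    static_server = StaticPasswordServer({"jsmith": ciphertext})
    static_first = static_server.verify("jsmith", ciphertext)
    static_replay = static_server.verify("jsmith", ciphertext)  # identical bytes again
    return {"cr_first": cr_first, "cr_replay": cr_replay,
            "static_first": static_first, "static_replay": static_replay}


if __name__ == "__main__":
    print(replay_experiment())
```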
person's speech pattern may change under stressful conditions or when suffering
from a sore throat or cold.
Due to their relatively high cost, biometric systems are typically used with other
authentication means in environments requiring high security.
3.1.3.0 ADMINISTRATION
For biometric systems, this includes creating and storing profiles. The administrative
tasks of creating and distributing authentication data and tokens can be
substantial. Identification data has to be kept current by adding new users and
deleting former users. If the distribution of passwords or tokens is not controlled,
system administrators will not know if they have been given to someone other than
the legitimate user. It is critical that the distribution system ensure that
authentication data is firmly linked with a given individual.
So far, this chapter has discussed initial authentication only. It is also possible for
someone to use a legitimate user's account after log-in. Many computer systems
handle this problem by logging a user out or locking their display or session after a
certain period of inactivity. However, these methods can affect productivity and can
make the computer less user-friendly.
3.1.3.2 SINGLE LOG-IN
3.1.3.3 INTERDEPENDENCIES
There are many interdependencies among I&A and other controls. Several of them have
been discussed in this section.
In general, passwords are the least expensive authentication technique and generally the
least secure. They are already embedded in many systems. Memory tokens are less
expensive than smart tokens, but have less functionality. Smart tokens with a human
interface do not require readers, but are more inconvenient to use. Biometrics tend to be
the most expensive.
For I&A systems, the cost of administration is often underestimated. Just because a
system comes with a password system does not mean that using it is free. For
example, there is significant overhead to administering the I&A system.
3.1.4 Authentication
Authentication is the means of establishing the validity of a claimed identity. There are
three means of authenticating a user's identity which can be used alone or in combination:
something the individual knows (a secret -- e.g., a password, Personal Identification
Number (PIN), or cryptographic key); something the individual possesses (a token --
e.g., an ATM card or a smart card); and something the individual is (a biometric --
e.g., characteristics such as a voice pattern, handwriting dynamics, or a fingerprint).
• Describe how the access control mechanism supports individual accountability
and audit trails (e.g., passwords are associated with a user identifier that is
assigned to a single individual).
• Describe the self-protection techniques for the user authentication mechanism
(e.g., passwords are stored with one-way encryption to prevent anyone
[including the System Administrator] from reading the clear-text passwords,
passwords are automatically generated, passwords are checked against a
dictionary of disallowed passwords, passwords are encrypted while in
transmission).
• State the number of invalid access attempts that may occur for a given user
identifier or access location (terminal or port) and describe the actions taken
when that limit is exceeded.
• Describe the procedures for verifying that all system-provided administrative
default passwords have been changed.
• Describe the procedures for limiting access scripts with embedded passwords
(e.g., scripts with embedded passwords are prohibited, scripts with embedded
passwords are only allowed for batch applications).
• Describe any policies that provide for bypassing user authentication
requirements, single-sign-on technologies (e.g., host-to-host, authentication
servers, user-to-host identifier, and group user identifiers) and any
compensating controls.
• If digital signatures are used, the technology must conform with FIPS 186
(Digital Signature Standard) and FIPS 180 (Secure Hash Standard) issued by
NIST, unless a waiver has been granted. Describe any use of digital or
electronic signatures. Address the following specific issues: State the digital
signature standards used. If the standards used are not NIST standards, please
state the date the waiver was granted and the name and title of the official
granting the waiver.
• Describe the use of electronic signatures and the security control provided.
For many years, the prescribed method for authenticating users has been through
the use of standard, reusable passwords. Originally, these passwords were used by
users at terminals to authenticate themselves to a central computer. At the time,
there were no networks (internally or externally), so the risk of disclosure of the clear
text password was minimal. Today, systems are connected together through local
networks, and these local networks are further connected together and to the
Internet. Users are logging in from all over the globe; their reusable passwords are
often transmitted across those same networks in clear text, ripe for anyone
in-between to capture. And indeed, the CERT* Coordination Center and other
response teams are seeing a tremendous number of incidents involving packet
sniffers which are capturing the clear text passwords.
With the advent of newer technologies like one-time passwords (e.g., S/Key), PGP,
and token-based authentication devices, people are using password-like strings as
secret tokens and pins. If these secret tokens and pins are not properly selected
and protected, the authentication will be easily subverted.
3.1.4.0 ONE-TIME PASSWORDS
• the password is used over and over (hence the term "reusable"), and
• the password passes across the network in clear text.
Several authentication techniques have been developed that address this problem.
Among these techniques are challenge-response technologies that provide
passwords that are only used once (commonly called one-time passwords). There
are a number of products available that sites should consider using. The decision to
use a product is the responsibility of each organization, and each organization
should perform its own evaluation and selection.
3.1.4.1 KERBEROS
Kerberos relies on a symmetric key database using a key distribution center (KDC),
which is known as the Kerberos server. Users or services (known as "principals")
are granted electronic "tickets" after properly communicating with the KDC. These
tickets are used for authentication between principals. All tickets include a time
stamp, which limits the time period for which the ticket is valid. Therefore, Kerberos
clients and servers must have a secure time source and be able to keep time
accurately.
The practical side of Kerberos is its integration with the application level. Typical
applications like FTP, telnet, POP, and NFS have been integrated with the Kerberos
system. There are a variety of implementations which have varying levels of
integration. Please see the Kerberos FAQ available at http://www.ov.com/misc/krb-faq.html
for the latest information.
Take care when selecting secret tokens. Like passwords, they should be robust
against brute force efforts to guess them. That is, they should not be single words
in any language, nor any common, industry, or cultural acronyms, etc. Ideally, they
will be longer rather than shorter and consist of pass phrases that combine upper
and lower case characters, digits, and other characters.
Once chosen, the protection of these secret tokens is very important. Some are
used as pins to hardware devices (like token cards) and these should not be written
down or placed in the same location as the device with which they are associated.
Others, such as a secret Pretty Good Privacy (PGP) key, should be protected from
unauthorized access.
One final word on this subject. When using cryptography products, like PGP, take
care to determine the proper key length and ensure that your users are trained to do
likewise. As technology advances, the minimum safe key length continues to grow.
Make sure your site keeps up with the latest knowledge on the technology so that
you can ensure that any cryptography in use is providing the protection you believe
it is.
While the need to eliminate the use of standard, reusable passwords cannot be
overstated, it is recognized that some organizations may still be using them. While
it's recommended that these organizations transition to the use of better technology,
in the meantime, we have the following advice to help with the selection and
maintenance of traditional passwords. But remember, none of these measures
provides protection against disclosure due to sniffer programs.
While there is no definitive answer to this dilemma, a password policy should
directly address the issue and provide guidelines for how often a user should
change the password. Certainly, an annual change in their password is usually not
difficult for most users, and you should consider requiring it. It is recommended that
passwords be changed at least whenever a privileged account is compromised,
there is a critical change in personnel (especially if it is an administrator!), or when
an account has been compromised. In addition, if a privileged account password is
compromised, all passwords on the system should be changed.
3.1.4.4 CONFIDENTIALITY
There will be information assets that your site will want to protect from disclosure to
unauthorized entities. Operating systems often have built-in file protection
mechanisms that allow an administrator to control who on the system can access, or
"see," the contents of a given file. A stronger way to provide confidentiality is
through encryption. Encryption is accomplished by scrambling data so that it is very
difficult and time consuming for anyone other than the authorized recipients or
owners to obtain the plain text. Authorized recipients and the owner of the
information will possess the corresponding decryption keys that allow them to easily
unscramble the text to a readable (clear text) form. We recommend that sites use
encryption to provide confidentiality and protect valuable information.
3.1.4.5 INTEGRITY
As an administrator, you will want to make sure that information (e.g., operating
system files, company data, etc.) has not been altered in an unauthorized fashion.
This means you will want to provide some assurance as to the integrity of the
information on your systems. One way to provide this is to produce a checksum of
the unaltered file, store that checksum offline, and periodically (or when desired)
check to make sure the checksum of the online file hasn't changed (which would
indicate the data has been modified).
Some operating systems come with checksumming programs, such as the UNIX
sum program. However, these may not provide the protection you actually need.
Files can be modified in such a way as to preserve the result of the UNIX sum
program! Therefore, we suggest that you use a cryptographically strong program,
such as the message digesting program MD5, to produce the checksums you will be
using to assure integrity.
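The two points above, that a simple sum can be preserved across a modification while a cryptographic digest cannot, and the offline-baseline check itself, as an added example that is not code from the manual. The 16-bit additive checksum is a constructed stand-in for the arithmetic of a simple sum program (not the real UNIX sum algorithm), the file names and contents are constructed, and SHA-256 is used in place of MD5 because MD5 is no longer collision resistant.

```python
"""Integrity baselines: why a simple checksum can be preserved across a modification,
and how to build and verify a baseline with a cryptographic hash.

Added example, not code from the manual. The additive checksum is a constructed
stand-in for a simple sum program; SHA-256 replaces the MD5 named in the text.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def additive_checksum(data: bytes) -> int:
    """Sum of all byte values modulo 2**16: cheap to compute, cheap to preserve."""
    return sum(data) & 0xFFFF


def pad_to_checksum(modified: bytes, target: int) -> bytes:
    """Append filler bytes so that additive_checksum(result) == target.
    This is all it takes to keep a modified file's simple checksum unchanged."""
    delta = (target - additive_checksum(modified)) & 0xFFFF
    filler = bytes([255]) * (delta // 255) + bytes([delta % 255])
    return modified + filler


def checksum_comparison() -> Dict[str, bool]:
    """Alter a constructed config line, keep its additive checksum, and show that
    the cryptographic hash still changes."""
    original = b"max_sessions = 10\n"
    modified = b"max_sessions = 99\n"
    forged = pad_to_checksum(modified, additive_checksum(original))
    return {
        "additive_checksum_preserved": additive_checksum(forged) == additive_checksum(original),
        "sha256_preserved": hashlib.sha256(forged).digest() == hashlib.sha256(original).digest(),
    }


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Hash each file while it is known to be unaltered. Keep the result offline
    (read-only media, a separate host) so it cannot be edited along with the files."""
    return {p: sha256_of_file(p) for p in paths}


def verify_baseline(baseline: Dict[str, str]) -> List[str]:
    """Return the files whose current hash differs from the baseline or are missing."""
    changed = []
    for path, expected in baseline.items():
        if not os.path.isfile(path) or sha256_of_file(path) != expected:
            changed.append(path)
    return changed


def baseline_demo() -> List[str]:
    """Create two constructed files, baseline them, alter one, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        motd = os.path.join(d, "motd")
        allow = os.path.join(d, "hosts.allow")
        with open(motd, "wb") as f:
            f.write(b"Authorized use only.\n")
        with open(allow, "wb") as f:
            f.write(b"sshd: 10.0.0.0/8\n")
        baseline = build_baseline([motd, allow])
        with open(allow, "ab") as f:               # unauthorized change
            f.write(b"sshd: ALL\n")
        return [os.path.basename(p) for p in verify_baseline(baseline)]


if __name__ == "__main__":
    print(checksum_comparison())
    print(baseline_demo())
```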
There are other applications where integrity will need to be assured, such as when
transmitting an email message between two parties. There are products available
that can provide this capability. Once you identify that this is a capability you need,
you can go about identifying technologies that will provide it.
3.1.4.6 AUTHORIZATION
Another approach is to attach to an object a list which explicitly contains the identities
of all permitted users (or groups). This is an Access Control List (ACL). The
advantage of ACLs is that they are easily maintained (one central list per object)
and it is very easy to visually check who has access to what. The disadvantages are
the extra resources required to store such lists, as well as the vast number of such
lists required for large systems.
Section References
Alexander, M., ed. "Keeping the Bad Guys Off-Line." Infosecurity News. 4(6), 1993. pp. 54-65.
American Bankers Association. American National Standard for Financial Institution Sign-On Authentication for Wholesale Financial Transactions. ANSI X9.26-1990. Washington, DC, February 28, 1990.
Feldmeier, David C., and Philip R. Karn. "UNIX Password Security - Ten Years Later." Crypto '89 Abstracts. Santa Barbara, CA: Crypto '89 Conference, August 20-24, 1989.
Haykin, Martha E., and Robert B. J. Warnar. Smart Card Technology: New Methods for Computer Access Control. Special Publication 500-157. Gaithersburg, MD: National Institute of Standards and Technology, September 1988.
Kay, R. "Whatever Happened to Biometrics?" Infosecurity News. 4(5), 1993. pp. 60-62.
National Bureau of Standards. Password Usage. Federal Information Processing Standard Publication 112. May 30, 1985.
National Institute of Standards and Technology. Guideline for the Use of Advanced Authentication Technology Alternatives. Federal Information Processing Standard Publication
Sherman, R. "Biometric Futures." Computers and Security. 11(2), 1992. pp. 128-133.
Smid, Miles, James Dray, and Robert B. J. Warnar. "A Token-Based Access Control System for Computer Networks." Proceedings of the 12th National Computer Security Conference. National Institute of Standards and Technology, October 1989.
Steiner, J. G., C. Neuman, and J. Schiller. "Kerberos: An Authentication Service for Open Network Systems." Proceedings Winter USENIX. Dallas, Texas, February 1988. pp. 191-202.
Swanson, Marianne, and Barbara Guttman. Generally Accepted Principles and Practices for Securing Information Technology Systems. Special Publication 800-14. Gaithersburg, MD: National Institute of Standards and Technology, September 1996.
Troy, Eugene F. Security for Dial-Up Lines. Special Publication 500-137. Gaithersburg, MD: National Bureau of Standards, May 1986.
3.1.4 Fraser, B. ed. RFC 2196. Site Security Handbook. Network Working Group, September 1997. Chapter 4.1.
4.0 Risk Analysis
4.1 The 7 Processes
4.1.0 Process 1 - Define the Scope and Boundary, and Methodology
The scope of the risk management effort must also be defined. The scope can be
thought of as a logical outline showing, within the boundary, the depth of the risk
management process. The scope distinguishes the different areas of the LAN
(within the boundary) and the different levels of detail used during the risk
management process. For example some areas may be considered at a higher or
broader level, while other areas may be treated in depth and with a narrow focus.
Asset valuation identifies and assigns value to the assets of the LAN. All parts of the
LAN have value although some assets are definitely more valuable than others. This
step gives the first indication of those areas where focus should be placed. For
LANs that produce large amounts of information that cannot be reasonably
analyzed, initial screening may need to be done. Defining and valuing assets may
allow the organization to initially decide those areas that can be filtered downward
and those areas that should be flagged as a high priority.
Different methods can be used to identify and value assets. The risk methodology
that an organization chooses may provide guidance in identifying assets and should
provide a technique for valuing assets. Generally assets can be valued based on
the impact and consequence to the organization. This would include not only the
replacement cost of the asset, but also the effect on the organization if the asset is
disclosed, modified, destroyed or misused in any other way.
Because the value of an asset should be based on more than just the replacement
cost, valuing assets is one of the most subjective of the processes. However, if
asset valuation is done with the goal of the process in mind, that is, to define assets
in terms of a hierarchy of importance or criticality, the relativeness of the assets
becomes more important than placing the "correct" value on them.
The risk assessment methodology should define the representation of the asset
values. Purely quantitative methodologies such as FIPS 65 may use dollar values.
However having to place a dollar value on some of the consequences that may
occur in today’s environments may be sufficient to change the perception of the risk
management process from being challenging to being unreasonable.
Many risk assessment methodologies in use today require asset valuation in more qualitative terms. While this type of valuation may be considered more subjective than a quantitative approach, if the scale used to value assets is utilized consistently throughout the risk management process, the results produced should be useful. Figure 4.2 shows one of the simplest methods for valuing assets. Throughout this discussion of the risk management process, a simple technique for valuing assets (as shown in Figure 4.2), determining risk measure, estimating safeguard cost, and determining risk mitigation will be presented. This technique is a simple, yet valid technique; it is being used here to show the relationship between the processes involved in risk management. The technique is not very granular and may not be appropriate for environments where replacement costs, sensitivities of information and consequences vary widely.
Figure 4.3 - Defining the LAN Configuration
Hardware configuration - includes servers, workstations, PCs, peripheral devices, external connections, cabling maps, bridges or gateway connections, etc.
Software configuration - includes server operating systems, workstation and PC operating systems, the LAN operating system, major application software, software tools, LAN management tools, and software under development. This should also include the location of the software on the LAN and from where it is commonly accessed.
Data - includes a meaningful typing of the data processed and communicated through the LAN, as well as the types of users who generally access the data. Indications of where the data is accessed, stored and processed on the LAN are important. Attention to the sensitivity of the data should also be considered.
One of the implicit outcomes of this process is that a detailed configuration of the
LAN, as well as its uses is produced. This configuration should indicate the
hardware incorporated, major software applications used, significant information
processed on the LAN, as well as how that information flows through the LAN. The
degree of knowledge of the LAN configuration will depend on the defined boundary
and scope. Figure 4.3 exemplifies some of the areas that should be included.
After the LAN configuration is completed, and the assets are determined and
valued, the organization should have a reasonably correct view of what the LAN
consists of and what areas of the LAN need to be protected.
4.1.0.2 Process 3 - Identify Threats and Determine Likelihood
The outcome of this process should be a strong indication of the adverse actions
that could harm the LAN, the likelihood that these actions could occur, and the
weaknesses of the LAN that can be exploited to cause the adverse action. To reach
this outcome, threats and vulnerabilities need to be identified and the likelihood that
a threat will occur needs to be determined.
The degree to which threats are considered will depend on the defined boundary
and scope defined for the risk management process. A high level analysis may point
to threats and vulnerabilities in general terms; a more focused analysis may tie a
threat to a specific component or usage of the LAN. For example a high level
analysis may indicate that the consequence due to loss of data confidentiality
through disclosure of information on the LAN is too great a risk. A more narrowly
focused analysis may indicate that the consequence due to disclosure of personnel
data captured and read through LAN transmission is too great a risk. More than
likely, the generality of the threats produced in the high level analysis, will, in the
end, produce safeguard recommendations that will also be high level. This is
acceptable if the risk assessment
was scoped at a high level. The more narrowly focused assessment will produce a
safeguard that can specifically reduce a given risk, such as the disclosure of
personnel data.
This process may uncover some vulnerabilities that can be corrected by improving
LAN management and operational controls immediately. These improved controls will
usually reduce the risk of the threat by some degree, until such time that more
thorough improvements are planned and implemented. For example, increasing the
length and composition of the password for authentication may be one way to reduce
a vulnerability to guessing passwords. Using more robust passwords is a measure
that can be quickly implemented to increase the security of the LAN. Concurrently,
the planning and implementation of a more advanced authentication mechanism can
occur.
Figure 4.4 - Assigning Likelihood Measure
The likelihood of the threat occurring can be normalized as a value that ranges
from 1 to 3. A 1 will indicate a low likelihood, a 2 will indicate a moderate
likelihood and a 3 will indicate a high likelihood.
Existing LAN security controls should be analyzed to determine if they are currently
providing adequate protection. These controls may be technical, procedural, etc. If a
control is not providing adequate protection, it can be considered a vulnerability. For
example, a LAN operating system may provide access control to the directory level,
rather than the file level. For some users, the threat of compromise of information
may be too great not to have file level protection. In this example, the lack of
granularity in the access control could be considered a vulnerability.
Figure 4.5 provides an example of a one dimensional approach for calculating risk.
In this example, the levels of risk are now normalized (i.e. low, medium and high)
and can be used to compare risks associated with each threat. The comparison of
risk measures should factor in the criticality of the components used to determine
the risk measure. For simple methodologies that only look at loss and likelihood, a
risk measure that was derived from a high loss and low likelihood may result in the
same risk measure as one that resulted from a low loss and high likelihood. In
these cases, the user needs to decide which risk measure to consider more critical,
even though the risk measures may be equal. In this case, a user may decide that
the risk measure derived from the high loss is more critical than the risk measure
derived from the high likelihood.
Figure 4.6 - Calculating Cost Measure
In this example cost measure, the cost of the safeguard is the amount needed to
purchase or develop and implement each of the mechanisms. The cost can be
normalized in the same manner as was the value for potential loss incurred. A 1
will indicate a mechanism with a low cost, a 2 will indicate a mechanism with a
moderate cost, and a 3 will indicate a mechanism with a high cost.
With a list of potential threats, vulnerabilities and related risks, an assessment
of the current security situation for the LAN can be determined. Areas that have
adequate protection will not surface as contributing to the risk of the LAN (since
adequate protection should lead to low likelihood) whereas those areas that have
weaker protection do surface as needing attention.
The purpose of this process is to select appropriate safeguards. This process can
be done using risk acceptance testing.
The relationship between risk acceptance testing and safeguard selection can be
iterative. Initially, the organization needs to order the different risk levels
that were determined during the risk assessment. Along with this the organization
needs to decide the amount of residual risk that it will be willing to accept after
the selected safeguards are implemented. These initial risk acceptance decisions
can be factored into the safeguard selection equation. When the properties of the
candidate safeguards are known, the organization can reexamine the risk acceptance
test measures and determine if the residual risk is achieved, or alter the risk
acceptance decisions to reflect the known properties of the safeguards. For example
there may be risks that are determined to be too high. However after reviewing the
available safeguards, it may be realized that the currently offered solutions are
very costly and cannot be easily implemented into the current configuration and
network software. This may force the organization into either expending the
resources to reduce the risk, or deciding through risk acceptance that the risk
will have to be accepted because it is currently too costly to mitigate.
Figure 4.7 - Comparing Risk and Cost
To calculate risk/cost relationships use the risk measure and the cost measure
associated with each threat/mechanism relationship and create a ratio of the risk
to the cost (i.e., risk/cost). A ratio that is less than 1 will indicate that the
cost of the mechanism is greater than the risk associated with the threat. This is
generally not an acceptable situation (and may be hard to justify) but should not
be automatically dismissed. Consider that the risk value is a function of both the
loss measure and the likelihood measure. One or both of these may represent
something so critical about the asset that the costly mechanism is justified. This
situation may occur when using simple methodologies such as this one.
Many sources exist that can provide information on potential safeguards. The
methodology discussed here defines safeguards in terms of security services and
mechanisms. A security service is the sum of mechanisms, procedures, etc. that are
implemented on the LAN to provide protection. The security services (and
mechanisms) provided in Section 2 can be used as a starting point. The security
services should be related to the threats defined in the risk assessment.
In most cases the need for a specific service should be readily apparent. If the risk
acceptance results indicate that a risk is acceptable, (i.e., existing mechanisms are
adequate) then there is no need to apply additional mechanisms to the service that
already exists.
After the needed security services are determined, consider the list of security
mechanisms for each service. For each security service selected, determine the
candidate mechanisms that would best provide that service. Using the
threat/vulnerability/risk relationships developed in the previous processes, choose
those mechanisms that could potentially reduce or eliminate the vulnerability and
thus reduce the risk of the threat. In many cases, a threat/vulnerability relationship
will yield more than one candidate mechanism. For example the vulnerability of
using weak passwords could be reduced by using a password generator
mechanism, by using a token based mechanism, etc. Choosing the candidate
mechanisms is a subjective process that will vary from one LAN implementation to
another. Not every mechanism presented in Section 2 is feasible for use in every
LAN. In order for this process to be beneficial, some filtering of the mechanisms
presented needs to be made during this step.
When a measure (or cost) is assigned to the safeguard, it can be compared to the
other measures in the process. The safeguard measure can be compared to the risk
measure (if it consists of one value, as shown in Figure 4.7) or the components of
the risk measure. There are different ways to compare the safeguard measure to
the risk measure. The risk management methodology chosen by the organization
should provide a method to select those effective safeguards that will reduce the
risk to the LAN to an acceptable level.
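The following Python script is an added worked example of the simple technique above (Figures 4.4, 4.6 and 4.7); it is not code from FIPS 191 or from this manual. It assumes, for illustration only, that the risk measure is loss multiplied by likelihood (1..9) and the low/medium/high thresholds shown in the comments; the threats and candidate mechanisms are constructed sample data.

```python
"""Worked example of the simple risk/cost technique (added, not from the text).
Loss, likelihood (Figure 4.4) and cost (Figure 4.6) are each normalized to 1..3.
ASSUMPTIONS for illustration: risk measure = loss x likelihood (1..9) and the
low/medium/high thresholds in risk_level(); all sample data is constructed."""
from dataclasses import dataclass

MEASURE_NAMES = {1: "low", 2: "moderate", 3: "high"}


def _check_measure(value: int, what: str) -> int:
    """Every measure in this technique is an integer 1, 2 or 3."""
    if value not in MEASURE_NAMES:
        raise ValueError(f"{what} must be 1, 2 or 3, got {value!r}")
    return value


@dataclass(frozen=True)
class Threat:
    name: str
    loss: int        # potential loss measure, 1 low .. 3 high
    likelihood: int  # Figure 4.4 likelihood measure, 1 low .. 3 high

    def __post_init__(self) -> None:
        _check_measure(self.loss, "loss")
        _check_measure(self.likelihood, "likelihood")

    def risk_measure(self) -> int:
        """Assumed combination rule: loss x likelihood, giving 1..9."""
        return self.loss * self.likelihood

    def risk_level(self) -> str:
        """Assumed normalization of the 1..9 measure: <=2 low, <=4 medium."""
        measure = self.risk_measure()
        if measure <= 2:
            return "low"
        if measure <= 4:
            return "medium"
        return "high"


@dataclass(frozen=True)
class Mechanism:
    name: str
    cost: int  # Figure 4.6 cost measure, 1 low .. 3 high

    def __post_init__(self) -> None:
        _check_measure(self.cost, "cost")


def rank_threats(threats):
    """Order threats by risk measure, highest first. Equal measures (loss 3 /
    likelihood 1 and loss 1 / likelihood 3 both give 3) are broken in favour
    of the higher loss, the choice the text says a user may make."""
    return sorted(threats, key=lambda t: (t.risk_measure(), t.loss), reverse=True)


def risk_cost_ratio(threat: Threat, mechanism: Mechanism) -> float:
    """Figure 4.7 ratio: risk measure divided by cost measure."""
    return threat.risk_measure() / mechanism.cost


def evaluate_safeguards(threat: Threat, candidates):
    """Return (mechanism, ratio, verdict) rows, best ratio first. A ratio below 1
    means the mechanism costs more than the risk it addresses; it is flagged for
    justification rather than dropped, as the text advises."""
    rows = []
    for mechanism in candidates:
        ratio = risk_cost_ratio(threat, mechanism)
        verdict = "acceptable" if ratio >= 1 else "needs justification"
        rows.append((mechanism, ratio, verdict))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample data for a small LAN (hypothetical, not from the text).
SAMPLE_THREATS = [
    Threat("password guessing", loss=3, likelihood=3),
    Threat("power failure", loss=2, likelihood=2),
    Threat("disclosure of personnel data in transit", loss=3, likelihood=1),
    Threat("workstation theft", loss=1, likelihood=3),
    Threat("printer misuse", loss=1, likelihood=1),
]
SAMPLE_CANDIDATES = {
    "password guessing": [
        Mechanism("longer, more complex passwords", cost=1),
        Mechanism("token-based authentication", cost=3),
    ],
    "disclosure of personnel data in transit": [Mechanism("link encryption", cost=3)],
    "printer misuse": [Mechanism("print server auditing", cost=2)],
}


def assessment_report(threats=SAMPLE_THREATS, candidates=SAMPLE_CANDIDATES):
    """Build the ranked threat list with candidate safeguards, one line each."""
    lines = []
    for threat in rank_threats(threats):
        lines.append(f"{threat.name}: risk {threat.risk_measure()} "
                     f"({threat.risk_level()}), loss {threat.loss}, "
                     f"likelihood {threat.likelihood}")
        for mech, ratio, verdict in evaluate_safeguards(
                threat, candidates.get(threat.name, [])):
            lines.append(f"    {mech.name}: cost {mech.cost}, "
                         f"risk/cost {ratio:.2f} -> {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(assessment_report()))
```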
(or the assumption of no conflict) of the interaction should be detailed. It should be
recognized that not only is it important that the safeguard perform functionally as
expected and provide the expected protections, but that the safeguard does not
contribute to the risk of the LAN through a conflict with some other safeguard or
functionality.
4.2 RCMP Guide to Threat and Risk Assessment For Information Technology
4.2.1 Introduction
This guide is intended to assist practitioners in assessing the threats and risks to
Information Technology (IT) assets held within their organizations, and in making
recommendations related to IT security. The objective of a threat and risk assessment
(TRA) is to involve the various players and gain their support, to enable management
to make informed decisions about security and to recommend appropriate and cost-
effective safeguards. An assessment of the adequacy of existing safeguards also
forms part of the TRA process. Where this assessment indicates that safeguards are
inadequate to offset vulnerabilities, additional safeguards are recommended. Also,
where the TRA indicates that certain safeguards are no longer needed, the elimination
of those safeguards is recommended. A TRA does not result in the selection of
mechanisms of prevention, detection and response to reduce risks; instead, it simply
indicates the areas where these mechanisms should be applied, and the priorities,
which should be assigned to the development of such mechanisms. Within the context
of risk management, the TRA will recommend how to minimize, avoid, and accept risk.
Planning for the TRA process encompasses establishing the scope of the project,
determining the appropriate methodology, setting the time frame, identifying the key
players and allocating resources to perform the assessment. Those involved in the
TRA process must be cautioned to protect the sensitivity of working papers produced
during the process. These working papers often contain information related to the
vulnerability of systems and environments, and should be protected at a level
commensurate with the most sensitive information available on those systems.
4.2.2 Process
1. Preparation: determining what to protect;
2. Threat Assessment: determining what to protect against, consequences of a threat;
3. Risk Assessment: determining whether existing or proposed safeguards are
satisfactory; and
4. Recommendations: identifying what should be done to reduce the risk to a level
acceptable to senior management.
4.2.2.0 PREPARATION
Prior to the actual conduct of the TRA, it is necessary to establish its scope, which will
include the systems under consideration, the interconnectivity with other systems and the
profile of the user community. The entire TRA process will often span a number of
systems and environments. Thus, in determining the scope, care must be taken to
ensure that priorities are set to determine an appropriate order of assessment, i.e. that
areas of primary concern or sensitivity are assessed first.
Once the scope of the TRA has been established, the practitioner can establish a
representative team of users of the system under consideration. For example, let us
suppose that the system contains several applications used by a variety of groups within
the institution. To provide a valid cross section of the information required to conduct the
TRA, users, developers, and telecommunications and operations staff must be selected
for the team. This team will (at a later step) provide the practitioner with the information
required to identify known threats and their potential impact.
All organizations have certain security concerns that are directly related to the nature of
their business. The practitioner should document these special concerns, as they will be
instrumental in determining the appropriateness of existing security measures and in
making recommendations for improvements.
Once the preliminary work is completed, the practitioner can establish the current profile
of the organization's security posture. These parameters establish what is known as the
security baseline for the TRA process. It is from this baseline that the risks are assessed,
and any updates to the TRA are prepared. For example, when a particular safeguard is
recommended, that safeguard and its defining recommendation are referred directly to
the baseline. A baseline against which recommendations can be made is necessary for
two reasons:
The first point provides the practitioner with a means of determining what changes
have been made to the environment and how security has been impacted by those
changes. The second point allows the practitioner to identify the difference between
the current security profile and any future requirements for security, given the changes
to the environment, which have taken place since the baseline was established.
Identifying IT assets according to their physical and logical groupings can be a difficult
task, depending on the size of the organization and the soundness of supporting
activities such as materiel management and the availability of comprehensive
inventories. The practitioner must identify those assets that form the IT environment,
and then assign a value to them. The participants identified in the preparation stage
will be instrumental in identifying and assigning value to assets. In the case of IT
applications, the "owners" of the information processed by those applications are
responsible for preparing the statement of sensitivity which will detail the specific
sensitivity requirements for each application in terms of confidentiality, integrity and
availability.
The practitioner must consider several aspects contributing to the worth of an asset
including, but not limited to, the initial cost of the item. An asset may have an acquired
value that far outweighs the initial cash outlay. Consider the example of the data
collected by geologists during a summer survey of a remote northern area. The project
objective may be to collect the data while the area is accessible and interpret and
analyze the data over the winter months. The value could be considered to be equal to
the cost of the survey in terms of scientists' time, support and travel costs. However,
suppose the data is lost in September (therefore not available) and the area is
inaccessible until spring. The geologists will have lost an entire year's work plus the
cost of the initial survey in that the data must be gathered again the following summer.
The asset value must be increased by the costs associated with an additional year's
support, time and travel costs as well as any uniqueness in time, conditions and
opportunity.
Confidentiality
To assess the impact of loss of confidentiality, practitioners must relate the level of
sensitivity of the data to the consequences of its untimely release. The data must be
appropriately classified or designated according to the following levels:
UNCLASSIFIED OR UNDESIGNATED - basic information
DESIGNATED - varying levels, personal information, sensitive business information
CONFIDENTIAL - compromise could cause injury to the national interest
SECRET - compromise could cause serious injury to the national interest
TOP SECRET - compromise could cause exceptionally grave injury to the national
interest
CONFIDENTIALITY CONSIDERATIONS CHECKLIST
• Is the information sensitive in the national interest, i.e. classified?
• Is the information personal?
• What is the consequence of loss of confidentiality of this information?
TABLE 1 - Confidentiality
Integrity
Integrity is used in the context of accuracy and completeness of the information
accessible on the system and of the system itself. Where integrity requirements are
high, as is the case with financial transactions in banking systems, the potential
financial losses will indicate the appropriate levels of investment in safeguards.
INTEGRITY CONSIDERATIONS CHECKLIST
• Impact of inaccurate data.
• Impact of incomplete data.
TABLE 2 - Integrity
Availability
The system, to be considered available, must be in place and useable for the intended
purpose. While the complete loss of data processing capability is unlikely, it could occur.
Unscheduled downtimes of varying degrees of severity are certain. The practitioner must
assist the users in establishing how much they rely on the system's being available to
provide the expected service. The users must clearly define for the systems staff the
maximum acceptable levels of downtime. In this context, the term "availability" relates to
continuity of service.
importance of applications to each group. The practitioner must also recognize that
availability requirements often change during the lifespan of the application. The user
community should document for the systems staff the impact of the loss of availability
of the IT systems, support personnel and data.
The practitioner must determine all critical components involved in the provision of
essential service that could be vulnerable to threats. These critical components are
also considered to be "assets" for the purposes of the TRA.
Statements of Sensitivity
The CIA requirements are documented in the statements of sensitivity (SOSs). The
preparation of a statement of sensitivity should be a prerequisite to the implementation
of a new application or changes to existing ones. Applications developed and
implemented without statements of sensitivity often do not allow for the necessary
security requirements to adequately protect the information available on the system.
The statement of sensitivity should be prepared by the responsibility centre, which
provides data to, and uses or has ownership of, the application. The analysis that
leads to the preparation of the statement of sensitivity is sometimes conducted by a
number of different people each of whom has some interest in the system or data
under consideration.
The user representation for completing the statement of sensitivity could be one person
or several, depending on the size and complexity of the application being assessed.
A separate statement of sensitivity is required for each major application used on the
computer system or anticipated for installation. For example, payroll and inventory
would each require a statement of sensitivity, even if they are to be run on the same
system. The sensitivity-related valuation of assets is not necessarily linked to
numerical values associated with initial or replacement costs; but rather is linked to a
relative value associated with the application's requirements for confidentiality, integrity
and availability.
The second step of the TRA process is the Threat Assessment. The threat concepts
of class, likelihood, consequence, impact and exposure are highlighted. Specific threat
events such as earthquakes, hacker attempts, virus attacks etc. fall into a particular
threat class, depending on the nature of the compromise. Examples of threats within
each class can be found in Figure 3.
DISCLOSURE
• Compromising Emanations
• Interception
• Improper Maintenance Procedures
• Hackers
INTERRUPTION
• Earthquake
• Fire
• Flood
• Malicious Code
• Power Failure
DESTRUCTION
• Earthquake
• Fire
• Flood
• Power Spikes
REMOVAL
• Theft of Data
• Theft of Systems
FIGURE 3 - Sample Threats
Description of Threat
The threats that may target the assets under consideration must be described by the
practitioner. These threats may originate from either deliberate or accidental events.
Classes of Threats
The practitioner will classify the threats into one of the five main classes of threats:
disclosure, interruption, modification, destruction and removal or loss.
Disclosure
Assets that have a high confidentiality requirement are sensitive to disclosure. This
class of threats compromises sensitive assets through unauthorized disclosure of the
sensitive information.
Interruption
Interruption relates primarily to service assets. Interruption impacts the availability of
the asset or service. A power outage is an example of a threat, which falls into the
interruption class.
Modification
The primary impact of this class of threats is on the integrity requirement. Recall that
integrity, as defined in the GSP, includes both accuracy and completeness of the
information. A hacker attempt would fall into this class of threat if changes were made.
Destruction
A threat, which destroys the asset, falls into the destruction class. Assets that have a
high availability requirement are particularly sensitive to destruction. Threats such as
earthquake, flood, fire and vandalism are within the destruction class.
Removal or Loss
When an asset is subject to theft or has been misplaced or lost, the impact is primarily
on the confidentiality and availability of the asset. Portable computers or laptops are
particularly vulnerable to the threat of removal or loss.
Threat Likelihood
The practitioner must consider, on a per-asset basis, both the type of threat that the
asset may be subjected to and the likelihood of the threat. The likelihood of threat can
be estimated from past experience, from threat information provided by lead agencies
and from sources such as other organizations or services.
Likelihood levels of low, medium and high are used according to the following
definitions (Source: Government of Canada Security Policy):
During this process, the practitioner seeks to answer the question "What is the
consequence of each particular threat?" This consequence is related to the losses or
other consequences (both real and perceived) which could result from a specific threat
being successful.
The mapping of the consequence onto one of the three impact ratings (exceptionally
grave, serious, less serious) would vary according to departmental priorities. For
example, in one department a loss of trust might be regarded as serious injury in terms
of impact, while in another department, the same loss of trust might be considered to
be exceptionally grave injury. The impact assessment allows the practitioner to
determine the impact to the organization in terms of the real and perceived costs
associated with the loss of confidentiality, integrity, and availability.
The identification of exposure allows the organization to rank the risk scenario
according to the likelihood and impact, and thus assign a priority.
This general exposure rating for data and assets is outlined in Table 4 where impact
takes precedence over likelihood. This table provides a means of prioritizing the impact
through a rating that considers only the likelihood of a particular threat and the associated
impact on the organization should the threat materialize. Table 4 does not consider the
safeguards employed to counterbalance a particular threat.
IMPACT (INJURY) - Table 4 exposure ratings (only the MEDIUM and LOW impact rows
are legible in this copy; columns are likelihood levels)
MEDIUM   7   6   3
LOW      4   2   1
THREAT ASSESSMENT summary sheet (column headings): ASSET; THREAT AGENT/EVENT;
CLASS OF THREAT; LIKELIHOOD OF OCCURRENCE; CONSEQUENCE OF OCCURRENCE; IMPACT
(INJURY); EXPOSURE RATING
This definition leads the risk assessment process into an evaluation of the
vulnerabilities and the likelihood that a vulnerability would be exploited by a threat in
the presence of either existing or proposed security measures.
Vulnerabilities
Attention should be paid to times during which the asset is most vulnerable, for
example, during periods of public access and unrestricted access or while in transit.
In some instances, an asset has an associated time sensitivity. For example, the
information may be sensitive while under review or development (e.g. budget) and
then may lose its sensitivity upon release to the public.
There are three possible security posture scenarios in the threat and safeguards
environment. The first is identified in Figure 2 as an equilibrium state. This state of
equilibrium is the most desirable security posture. In this environment, threats are
identified and appropriate safeguards are in place to reduce the associated risks to
a level, which is acceptable to the organization's senior management.
• likelihood of threat,
• possible motive for exploiting the vulnerability,
• value of the asset to the organization and to the threat agent, and
• effort required to exploit the vulnerability.
(Figure 3 and Figure 4: security posture diagrams, not reproduced in this text.)
Risk
The practitioner will be able to decide the priority for each component of the risk
management program based on items such as the nature of identified threats and
the impact on the organization. Having reviewed the existing safeguards and
vulnerabilities, the practitioner establishes the adequacy of safeguards and
recommends change. For an example of establishing risk for deliberate threat
scenarios, refer to Annex E.
• establishing vulnerabilities, and
• determining the level of risk based on a number of factors.
Table 6 provides a sample summary sheet for entering the risk assessment
information on a per-asset basis.
4.2.2.3 RECOMMENDATIONS
The closing phase of the TRA process includes the proposal of recommendations.
These recommendations are intended to improve the security posture of the
organization through risk reduction, provide considerations for business recovery
activities should a threat cause damage, and identify implementation constraints.
Once safeguards that would augment the existing safeguards and improve the
security profile are proposed, the risk posture can be re-evaluated as low, medium
or high.
Proposed Safeguards
At this point in the process, the practitioner has analyzed the nature of the threats,
the impact of successful threats, and the organization's vulnerability to these threats
and has subsequently judged the risk to be low, medium, or high. Where the
practitioner perceives that the risk can be reduced, appropriate recommendations
are made. The practitioner may recommend a number of scenarios, each with an
associated effect and cost, from which senior management will make an appropriate
selection.
Projected Risk
In some instances, proposed safeguards will reduce or eliminate some, but not all,
risks. For such instances, the resulting projected risk should be documented and
signed off by senior management. For example, the initial risk assessment
indicated a high risk situation, and several safeguards were recommended by the
TRA team. In the presence of these additional safeguards, the risk is re-evaluated
as being moderate to low. Thus the priority level of this scenario is reduced but not
eliminated, and senior management should acknowledge and accept or reject the
projected risk levels. Rejecting the risk implies that other safeguards must be
sought to further reduce or eliminate the risk.
Impact ratings of 9 should be looked at first because they represent events that
have high likelihood and very serious impact. In some instances the change in risk
level from high to low is desirable, in particular where the exposure rating is high.
• completely satisfactory;
• satisfactory in most aspects;
• needs improvement.
The risks of deliberate threats to the organization have been established by way of
the Risk Assessment Grid described in Appendix E. For accidental threats, the risk
will be assessed according to their history within the organization or similar
institutions and the observed effectiveness of associated safeguards in each
comparable environment. The highest priority must be assigned to those threats
posing a high risk to the organization. For each of these threats, the practitioner will
propose safeguards to eliminate the risk or reduce it to a level acceptable to senior
management. The adequacy of each of these proposed safeguards must be
evaluated as completely satisfactory, satisfactory in most aspects, or needs
improvement.
The practitioner establishes the appropriateness and interdependencies of
safeguards, and answers such questions as: Are safeguards in conflict? Does one
safeguard offset the usefulness of another? Does the safeguard overcompensate
the threat? What threats have not been fully compensated for? What is the risk that
vulnerabilities which are not fully compensated for are likely to be exploited and by
whom?
4.2.3 Updates
The TRA is considered to be a vital, living document, which is essential to meeting
the security objectives of the organization. The TRA must be updated at least
annually, or whenever an occurrence reveals a deficiency in the existing
assessment. The TRA should also be updated whenever changes are planned to
the systems or environments in which the IT processing occurs, which could create
new risks or redundant safeguards.
Regular Review
Regular reviews allow the practitioner to revisit the TRA document and assess
whether the IT security requirements within the organization have changed. These
regular reviews are necessary in light of both the dynamics of the technologies in
place to support IT and the dynamics of technologies available to threat agents to
help them attack the IT systems of the organization.
Systems Changes
Changes to systems can greatly impact the security profile; therefore, every change
must be assessed. The TRA document provides the practitioner with a baseline
against which the effects of these changes can be measured. Examples of
changes include the move of an organization from stand-alone PCs to a Local Area
Network environment, the introduction of new applications to existing systems, the
introduction of Wide Area Network capability to existing IT environments, a change
in communications links or protocols used to move information between
departmental units, or a change in the level of the most sensitive information on the
system.
Threats
Sources of historical threat information vary, depending on the type of information
sought. For threat information based on events that have already occurred within
the organization, the practitioner should consult the Departmental Security Officer.
For threat information related to investigations under the Criminal Code of Canada
involving IT assets, the practitioner should consult the OIC, Information Technology
(IT) Security Branch of the RCMP. Where threat information relates to COMSEC,
the practitioner should consult the Communications Security Establishment. The
Canadian Security Intelligence Service (CSIS) provides threat information and
advice on threat assessment when requested.
TRA Process
Advice and guidance on the TRA process as described in this document are
available through the OIC,IT Security Branch of the RCMP.
4.2.5 Glossary of Terms
Section References
4.1 Guideline for the Analysis Local Area Network Security., Federal
Information Processing Standards Publication 191, November 1994.
Chapter 3.4.
[MART89] Martin, James, and K. K. Chapman, The Arben Group, Inc.; Local
Area Networks, Architectures and Implementations, Prentice Hall,
1989.
[WACK89] Wack, John P., and L. Carnahan; Computer Viruses and Related
Threats: A Management Guide, NIST Special Publication 500-166,
August 1989.
[KLEIN] Daniel V. Klein, "Foiling the Cracker: A Survey of, and Improvements to,
Password Security", Software Engineering Institute. (This work was sponsored in
part by the Department of Defense.)
[GILB89] Gilbert, Irene; Guide for Selecting Automated Risk Analysis Tools,
NIST Special Publication 500-174, October, 1989.
[KATZ92] Katzke, Stuart W. ,Phd., "A Framework for Computer Security Risk
Management", NIST, October, 1992.
[NIST85] Federal Information Processing Standard (FIPS PUB) 112, Password Usage,
May,1985.
[TODD89] Todd, Mary Anne and Constance Guitian, Computer Security Training
Guidelines,NIST Special Publication 500-172, November, 1989.
128
Management Guide, NBS Special Publication 500-120, January,
1985.
129
5.0 Firewalls
5.1 Introduction
Perhaps it is best to describe first what a firewall is not: A firewall is not simply a router,
host system, or collection of systems that provides security to a network. Rather, a
firewall is an approach to security; it helps implement a larger security policy that defines
the services and access to be permitted, and it is an implementation of that policy in
terms of a network configuration, one or more host systems and routers, and other
security measures such as advanced authentication in place of static passwords. The
main purpose of a firewall system is to control access to or from a protected network (i.e.,
a site). It implements a network access policy by forcing connections to pass through the
firewall, where they can be examined and evaluated. A firewall system can be a router, a
personal computer, a host, or a collection of hosts, set up specifically to shield a site or
subnet from protocols and services that can be abused from hosts outside the subnet. A
firewall system is usually located at a higher-level gateway, such as a site's connection to
the Internet; however, firewall systems can also be located at lower-level gateways to
provide protection for some smaller collection of hosts or subnets.
The main function of a firewall is to centralize access control. A firewall serves as the
gatekeeper between the untrusted Internet and the more trusted internal networks. If
outsiders or remote users can access the internal networks without going through the
firewall, its effectiveness is diluted. For example, if a traveling manager has a modem
connected to his office PC that he or she can dial into while traveling, and that PC is also
on the protected internal network, an attacker who can dial into that PC has circumvented
the firewall. Similarly, if a user has a dial-up Internet account with a commercial ISP, and
sometimes connects to the Internet from their office PC via modem, he or she is opening
an unsecured connection to the Internet that circumvents the firewall.
What a firewall is protecting:
• Your data
  Secrecy - what others should not know
  Integrity - what others should not change
  Availability - your ability to use your own systems
• Your resources
  Your systems and their computational capabilities
• Your reputation
  Confidence is shaken in your organization
  Your site can be used as a launching point for crime
  You may be used as a distribution site for unwanted data
  You may be used by impostors to cause serious problems
  You may be viewed as "untrusted" by customers and peers
As with any safeguard, there are trade-offs between convenience and security.
Transparency is the visibility of the firewall to both inside users and outsiders going
through a firewall. A firewall is transparent to users if they do not notice or stop at the
firewall in order to access a network. Firewalls are typically configured to be transparent
to internal network users going out through the firewall; on the other hand, they are
configured to be non-transparent to outside users coming in through the firewall. This
generally provides the highest level of security without placing an undue burden on
internal users.
The main reasons for systems and computers not being secure are:
• Lack of password encryption
• Lack of personnel with experience
• Lack of management backing
• Authority
• Responsibility
• Legal and political issues
• Lack of recurring effort
• Budget
A firewall system is made up of four components, each described in turn below:
• Network policy,
• Advanced authentication mechanisms,
• Packet filtering, and
• Application gateways.
There are two levels of network policy that directly influence the design, installation and
use of a firewall system. The higher-level policy is an issue-specific, network access
policy that defines those services that will be allowed or explicitly denied from the
restricted network, how these services will be used, and the conditions for exceptions to
this policy. The lower-level policy describes how the firewall will actually go about
restricting the access and filtering the services that were defined in the higher level policy.
The following sections describe these policies in brief.
The service access policy should focus on Internet-specific use issues as defined above,
and perhaps all outside network access (i.e., dial-in policy, and SLIP and PPP
connections) as well. This policy should be an extension of an overall organizational
policy regarding the protection of information resources in the organization. For a firewall
to be successful, the service access policy must be realistic and sound and should be
drafted before implementing a firewall. A realistic policy is one that provides a balance
between protecting the network from known risks, while still providing users access to
network resources. If a firewall system denies or restricts services, it usually requires the
strength of the service access policy to prevent the firewall's access controls from being
modified on an ad hoc basis. Only a management-backed, sound policy can provide this.
A firewall can implement a number of service access policies, however a typical policy
may be to allow no access to a site from the Internet, but allow access from the site to the
Internet. Another typical policy would be to allow some access from the Internet, but
perhaps only to selected systems such as information servers and e-mail servers.
Firewalls often implement service access policies that allow some user access from the
Internet to selected internal hosts, but this access would be granted only if necessary and
only if it could be combined with advanced authentication.
The firewall design policy is specific to the firewall. It defines the rules used to implement
the service access policy. One cannot design this policy in a vacuum isolated from
understanding issues such as firewall capabilities and limitations, and threats and
vulnerabilities associated with TCP/IP. Firewalls generally implement one of two basic
design policies:
• permit any service unless it is expressly denied, or
• deny any service unless it is expressly permitted.
A firewall that implements the first policy allows all services to pass into the site by
default, with the exception of those services that the service access policy has identified
as disallowed. A firewall that implements the second policy denies all services by default,
but then passes those services that have been identified as allowed. This second policy
follows the classic access model used in all areas of information security.
The first policy is less desirable, since it offers more avenues for getting around the
firewall, e.g., users could access new services currently not denied by the policy (or even
addressed by the policy) or run denied services at non-standard TCP/UDP ports that
aren't denied by the policy. Certain services such as X Windows, FTP, Archie, and RPC
cannot be filtered easily [Chap92], [Ches94], and are better accommodated by a firewall
that implements the first policy. The second policy is stronger and safer, but it is more
difficult to implement and may impact users more in that certain services such as those
just mentioned may have to be blocked or restricted more heavily.
The relationship between the high level service access policy and its lower level
counterpart is reflected in the discussion above. This relationship exists because the
implementation of the service access policy is so heavily dependent upon the capabilities
and limitations of the firewall system, as well as the inherent security problems
associated with the wanted Internet services. For example, wanted services defined in
the service access policy may have to be denied if the inherent security problems in
these services cannot be effectively controlled by the lower level policy and if the security
of the network takes precedence over other factors. On the other hand, an organization
that is heavily dependent on these services to meet its mission may have to accept
higher risk and allow access to these services. This relationship between the service
access policy and its lower level counterpart allows for an iterative process in defining
both, thus producing the realistic and sound policy initially described.
The service access policy is the most significant component of the four described here.
The other three components are used to implement and enforce the policy. (And as
noted above, the service access policy should be a reflection of a strong overall
organization security policy.) The effectiveness of the firewall system in protecting the
network depends on the type of firewall implementation used, the use of proper firewall
procedures, and the service access policy.
Some of the more popular advanced authentication devices in use today are called one-
time password systems. A smartcard or authentication token, for example, generates a
response that the host system can use in place of a traditional password. Because the
token or card works in conjunction with software or hardware on the host, the generated
response is unique for every login. The result is a one-time password that, if monitored,
cannot be reused by an intruder to gain access to an account. [NIST94a] and [NIST91a]
contain more detail on advanced authentication devices and measures.
Since firewalls can centralize and control site access, the firewall is the logical place for
the advanced authentication software or hardware to be located. Although advanced
authentication measures could be used at each host, it is more practical and manageable
to centralize the measures at the firewall. Figure above illustrates that a site without a
firewall using advanced authentication permits unauthenticated application traffic such as
TELNET or FTP directly to site systems. If the hosts do not use advanced authentication,
then intruders could attempt to crack passwords or could monitor the network for login
sessions that would include the passwords. Figure above also shows a site with a firewall
using advanced authentication, such that TELNET or FTP sessions originating from the
Internet to site systems must pass the advanced authentication before being permitted to
the site systems. The site systems may still require static passwords before permitting
access, however these passwords would be immune from exploitation, even if the
passwords are monitored, as long as the advanced authentication measures and other
firewall components prevent intruders from penetrating or bypassing the firewall.
Packet filtering is usually done on the following fields of the IP and TCP/UDP headers:
• source IP address,
• destination IP address,
• TCP/UDP source port, and
• TCP/UDP destination port.
Not all packet filtering routers currently filter the source TCP/UDP port, however more
vendors are starting to incorporate this capability. Some routers examine which of the
router's network interfaces a packet arrived at, and then use this as an additional filtering
criterion. Some UNIX hosts provide packet filtering capability, although most do not.
Filtering can be used in a variety of ways to block connections from or to specific hosts or
networks, and to block connections to specific ports. A site might wish to block
connections from certain addresses, such as from hosts or sites that it considers to be
hostile or untrustworthy. Alternatively, a site may wish to block connections from all
addresses external to the site (with certain exceptions, such as with SMTP for receiving
e-mail).
Adding TCP or UDP port filtering to IP address filtering results in a great deal of flexibility.
Recall from Chapter 1 that servers such as the TELNET daemon reside usually at
specific ports, such as port 23 for TELNET. If a firewall can block TCP or UDP
connections to or from specific ports, then one can implement policies that call for certain
types of connections to be made to specific hosts, but not other hosts. For example, a
site may wish to block all incoming connections to all hosts except for several firewalls-
related systems. At those systems, the site may wish to allow only specific services, such
as SMTP for one system and TELNET or FTP connections to another system. With
filtering on TCP or UDP ports, this policy can be implemented in a straightforward fashion
by a packet filtering router or by a host with packet filtering capability.
The rules, as the following paragraph describes them:

Rule  Action  Protocol  Source          Src port  Destination   Dst port
1     permit  TCP       *               >1023     123.4.5.6     23   (TELNET)
2     permit  TCP       *               >1023     123.4.5.7     25   (SMTP)
3     permit  TCP       *               >1023     123.4.5.8     25   (SMTP)
4     permit  TCP       129.6.48.254    >1023     123.4.5.9     119  (NNTP)
5     permit  UDP       *               *         123.4.5.*     123  (NTP)
6     deny    *         *               *         *             *

The first rule allows TCP packets from any source address and port greater than 1023 on
the Internet to the destination address of 123.4.5.6 and port of 23 at the site. Port 23 is
the port associated with the TELNET server, and all TELNET clients should have
unprivileged source ports of 1024 or higher. The second and third rules work in a similar
fashion, except packets to destination addresses 123.4.5.7 and 123.4.5.8, and port 25 for
SMTP, are permitted. The fourth rule permits packets to the site's NNTP server, but only
from source address 129.6.48.254 to destination address 123.4.5.9 and port 119
(129.6.48.254 is the only NNTP server that the site should receive news from, thus
access to the site for NNTP is restricted to only that system). The fifth rule permits NTP
traffic, which uses UDP as opposed to TCP, from any source to any destination address
at the site. Finally, the sixth rule denies all other packets; if this rule weren't present, the
router may or may not deny all subsequent packets. This is a very basic example of
packet filtering. Actual rules permit more complex filtering and greater flexibility.
Certain services are inherently vulnerable to abuse and are usually blocked at the
firewall. These include:
• tftp, port 69, trivial FTP, used for booting diskless workstations, terminal servers and
routers, can also be used to read any file on the system if set up incorrectly,
• X Windows, OpenWindows, ports 6000+, port 2000, can leak information from X
window displays including all keystrokes,
• RPC, port 111, Remote Procedure Call services including NIS and NFS, which can
be used to steal system information such as passwords and read and write to files,
and
• rlogin, rsh, and rexec, ports 513, 514, and 512, services that if improperly configured
can permit unauthorized access to accounts and commands.
Other services, whether inherently dangerous or not, are usually filtered and possibly
restricted to only those systems that need them. These would include:
While some of these services such as TELNET or FTP are inherently risky, blocking
access to these services completely may be too drastic a policy for many sites. Not all
systems, though, generally require access to all services. For example, restricting
TELNET or FTP access from the Internet to only those systems that require the access
can improve security at no cost to user convenience. Services such as NNTP may seem
to pose little threat, but restricting these services to only those systems that need them
helps to create a cleaner network environment and reduces the likelihood of exploitation
from yet-to-be-discovered vulnerabilities and threats.
Often times, exceptions to rules need to be made to allow certain types of access that
normally would be blocked. But, exceptions to packet filtering rules sometimes can make
the filtering rules so complex as to be unmanageable. For example, it is relatively
straightforward to specify a rule to block all inbound connections to port 23 (the TELNET
server). If exceptions are made, i.e., if certain site systems need to accept TELNET
connections directly, then a rule for each system must be added. Sometimes the addition
of certain rules may complicate the entire filtering scheme. As noted previously, testing a
complex set of rules for correctness may be so difficult as to be impractical.
Some packet filtering routers do not filter on the TCP/UDP source port, which can make
the filtering rule set more complex and can open up ``holes'' in the filtering scheme.
[Chap92] describes such a problem with sites that wish to allow inbound and outbound
SMTP connections. As described in section , TCP connections include a source and
destination port. In the case of a system initiating an SMTP connection to a server, the
source port would be a randomly chosen port at or above 1024 and the destination port
would be 25, the port that the SMTP server “listens” at. The server would return packets
with source port of 25 and destination port equal to the randomly-chosen port at the
client. If a site permits both inbound and outbound SMTP connections, the router must
allow destination ports and source ports > 1023 in both directions. If the router can filter
on source port, it can block all packets coming into the site that have a destination port >
1023 and a source port other than 25. Without the ability to filter on source port, the router
must permit connections that use source and destination ports > 1024.
Users could conceivably run servers at ports > 1023 and thus get “around” the filtering
policy (i.e., a site system's telnet server that normally listens at port 23 could be told to
listen at port 9876 instead; users on the Internet could then telnet to this server even if the
router blocks destination port 23).
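The six-rule example earlier in this section and the source-port problem just described can both be exercised in a small first-match rule simulator. This is an added example, not code from the manual or from any router vendor: the Rule and Packet representations are the example's own, and the addresses are the ones the text uses (123.4.5.x for the site, 129.6.48.254 for the NNTP peer). The two extra rules model the SMTP-reply case: a router that can filter on source port admits only source port 25 to unprivileged ports, while one that cannot has to admit every source port, which is exactly the hole that lets a TELNET server moved to port 9876 be reached from outside.

```python
"""First-match packet filter simulator (added example, not code from the manual).
Rules are matched against a packet in order; the first hit decides, and a
packet that matches nothing is denied (the "deny unless expressly permitted"
policy).  Ports are an int, a (low, high) range, or None for any; networks
are IPv4 prefixes or None for any.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple, Union

PortSpec = Union[None, int, Tuple[int, int]]


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[str]        # "tcp", "udp" or None for any
    src: Optional[IPv4Network]
    sport: PortSpec
    dst: Optional[IPv4Network]
    dport: PortSpec


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def net_ok(net: Optional[IPv4Network], addr: str) -> bool:
    return net is None or ip_address(addr) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and net_ok(rule.src, pkt.src) and port_ok(rule.sport, pkt.sport)
            and net_ok(rule.dst, pkt.dst) and port_ok(rule.dport, pkt.dport))


def decide(rules: Sequence[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match at all means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


SITE = ip_network("123.4.5.0/24")   # the site's address block, from the text's example
ANY = None
UNPRIV = (1024, 65535)              # unprivileged client ports (> 1023)

# The six inbound rules the text describes, in order.
SITE_RULES = [
    Rule("permit", "tcp", ANY, UNPRIV, ip_network("123.4.5.6/32"), 23),    # TELNET
    Rule("permit", "tcp", ANY, UNPRIV, ip_network("123.4.5.7/32"), 25),    # SMTP
    Rule("permit", "tcp", ANY, UNPRIV, ip_network("123.4.5.8/32"), 25),    # SMTP
    Rule("permit", "tcp", ip_network("129.6.48.254/32"), UNPRIV,
         ip_network("123.4.5.9/32"), 119),                                # NNTP peer only
    Rule("permit", "udp", ANY, ANY, SITE, 123),                            # NTP
    Rule("deny", ANY, ANY, ANY, ANY, ANY),                                 # explicit deny all
]

# Replies to the site's own outbound SMTP sessions must reach unprivileged ports.
# A router that can filter on source port admits only packets from port 25:
STRICT_REPLY = Rule("permit", "tcp", ANY, 25, SITE, UNPRIV)
# A router that cannot filter on source port has to open every source port:
LOOSE_REPLY = Rule("permit", "tcp", ANY, ANY, SITE, UNPRIV)


def reachable(reply_rule: Rule, pkt: Packet) -> bool:
    """Is pkt admitted when reply_rule is placed ahead of the site's rules?"""
    return decide([reply_rule, *SITE_RULES], pkt) == "permit"
```

Even the stricter rule trusts a field the remote end chooses: `reachable(STRICT_REPLY, Packet("tcp", "10.0.0.1", 25, "123.4.5.6", 9876))` is also True, because a client is free to bind its own source port to 25. Closing that hole needs something beyond addresses and ports, for instance admitting inbound packets to unprivileged ports only when the TCP ACK bit is set, so that no connection can be initiated from outside.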
Another problem is that a number of RPC (Remote Procedure Call) services are very
difficult to filter effectively because the associated servers listen at ports that are assigned
randomly at system startup. A service known as portmapper maps initial calls to RPC
services to the assigned service numbers, but there is no such equivalent for a packet
filtering router. Since the router cannot be told which ports the services reside at, it isn't
possible to block completely these services unless one blocks all UDP packets (RPC
services mostly use UDP). Blocking all UDP would block potentially necessary services
such as DNS. Thus, blocking RPC results in a dilemma.
Packet filtering routers with more than two interfaces sometimes do not have the
capability to filter packets according to which interface the packets arrived at and which
interface the packet is bound for. Filtering inbound and outbound packets simplifies the
packet filtering rules and permits the router to more easily determine whether an IP
address is valid or being spoofed. Routers without this capability offer more impediments
to implementing filtering strategies.
Related to this, packet filtering routers can implement both of the design policies
discussed in section 2.4.1. A rule set that is less flexible, i.e., that does not filter on source
port or on inbound and outbound interfaces, reduces the ability of the router to implement
the second and more stringent policy, deny all services except those expressly permitted,
without having to curtail the types of services permitted through the router. For example, problematic services such
as those that are RPC-based become even more difficult to filter with a less-flexible rule
set; no filtering on source port forces one to permit connections between ports > 1023.
With a less-flexible rule set, the router is less able to express a stringent policy, and the
first policy, permit all services except those expressly denied, is usually followed.
Readers are advised to consult [Chap92], which provides a concise overview of packet
filtering and associated problems. While packet filtering is a vital and important tool, it is
very important to understand the problems and how they can be addressed.
To counter some of the weaknesses associated with packet filtering routers, firewalls
need to use software applications to forward and filter connections for services such as
TELNET and FTP. Such an application is referred to as a proxy service, while the host
running the proxy service is referred to as an application gateway. Application gateways
and packet filtering routers can be combined to provide higher levels of security and
flexibility than if either were used alone.
As an example, consider a site that blocks all incoming TELNET and FTP connections
using a packet filtering router. The router allows TELNET and FTP packets to go to one
host only, the TELNET/FTP application gateway. A user who wishes to connect inbound
to a site system would have to connect first to the application gateway, and then to the
destination host, as follows:
• a user first telnets to the application gateway and enters the name of an internal host,
• the gateway checks the user's source IP address and accepts or rejects it according
to any access criteria in place,
• the user may need to authenticate herself (possibly using a one-time password
device),
• the proxy service creates a TELNET connection between the gateway and the
internal host,
• the proxy service then passes bytes between the two connections, and
• the application gateway logs the connection.
This example points out several benefits to using proxy services. First, proxy services
allow only those services through for which there is a proxy. In other words, if an
application gateway contains proxies for FTP and TELNET, then only FTP and TELNET
may be allowed into the protected subnet, and all other services are completely blocked.
For some sites, this degree of security is important, as it guarantees that only those services that are deemed
``trustworthy'' are allowed through the firewall. It also prevents other untrusted services
from being implemented behind the backs of the firewall administrators.
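The six steps of the TELNET gateway above can be run end to end on loopback. The following is an added example, not code from the manual or from any firewall product: the gateway reads a line naming the internal host, checks the caller's source address against an allow-list, demands a one-time code (a set of single-use strings stands in for the token device), opens the second leg, relays bytes in both directions and logs the result. The internal host is a constructed echo server, and connect_through plays the outside user.

```python
"""Circuit-level relay modelled on the TELNET application gateway steps above
(added example, not code from the manual).  Source-address check, one-time
code, second leg to the internal host, byte relay, and a log entry.  The
internal host is simulated by an echo server on loopback.
"""
import socket
import threading
from contextlib import suppress

LOG = []  # the gateway's connection log (list of str)

def listen() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # kernel picks a free port
    s.listen(5)
    return s

def recv_line(sock: socket.socket) -> str:
    """Read through LF; return the line without CR/LF ('' on EOF)."""
    buf = b""
    while not buf.endswith(b"\n") and (chunk := sock.recv(1)):
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the reverse
    direction can drain before the connection is torn down."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class Gateway:
    def __init__(self, allowed_sources, valid_codes):
        self.allowed = set(allowed_sources)
        self.codes = set(valid_codes)  # one-time codes not yet used
        self.sock = listen()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            conn, peer = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer[0]), daemon=True).start()

    def _handle(self, conn: socket.socket, src_ip: str) -> None:
        with conn:
            target = recv_line(conn)                   # 1. caller names an internal host
            if src_ip not in self.allowed:             # 2. source address check
                LOG.append(f"REJECT src={src_ip} target={target} reason=source")
                conn.sendall(b"access denied\r\n")
                return
            conn.sendall(b"one-time code:\r\n")        # 3. authenticate; a code is good once
            code = recv_line(conn)
            if code not in self.codes:
                LOG.append(f"REJECT src={src_ip} target={target} reason=auth")
                conn.sendall(b"authentication failed\r\n")
                return
            self.codes.discard(code)
            host, _, port = target.rpartition(":")
            try:                                       # 4. second leg to the internal host
                inner = socket.create_connection((host, int(port)), timeout=5)
            except (OSError, ValueError):
                LOG.append(f"FAIL src={src_ip} target={target}")
                conn.sendall(b"cannot reach host\r\n")
                return
            LOG.append(f"CONNECT src={src_ip} target={target}")
            conn.sendall(b"connected\r\n")
            with inner:                                # 5. relay bytes; no protocol inspection
                back = threading.Thread(target=pump, args=(inner, conn), daemon=True)
                back.start()
                pump(conn, inner)
                back.join()

def start_echo_server() -> int:
    """Simulated internal host: echoes until the peer half-closes; returns its port."""
    srv = listen()
    def serve() -> None:
        while True:
            c, _ = srv.accept()
            threading.Thread(target=lambda c=c: (pump(c, c), c.close()), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def connect_through(gw_port: int, target: str, code: str, payload: bytes) -> "tuple[str, bytes]":
    """Act as the outside user; return (gateway status line, bytes relayed back)."""
    with socket.create_connection(("127.0.0.1", gw_port), timeout=5) as s:
        s.sendall(target.encode() + b"\r\n")
        status = recv_line(s)
        if status == "one-time code:":
            s.sendall(code.encode() + b"\r\n")
            status = recv_line(s)
        if status != "connected":
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)                     # we are done sending; drain the echo
        return status, b"".join(iter(lambda: s.recv(4096), b""))
```

Once "connected" has been sent the gateway does nothing but move bytes, which is why [Ches94] would file this relay under circuit-level gateways; an application gateway proper would parse the TELNET stream between the two pump calls. The source check runs before the code prompt so that an unlisted address never learns what an authenticator looks like, and a code is removed from the set before the second leg is opened so that a failed connection cannot be retried with the same code.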
Another benefit to using proxy services is that the protocol can be filtered. Some firewalls,
for example, can filter FTP connections and deny use of the FTP put command, which is
useful if one wants to guarantee that users cannot write to, say, an anonymous FTP
server.
Application gateways have a number of general advantages over the default mode of
permitting application traffic directly to internal hosts. These include:
• information hiding, in which the names of internal systems need not necessarily be
made known via DNS to outside systems, since the application gateway may be the
only host whose name must be made known to outside systems,
• robust authentication and logging, in which the application traffic can be pre-
authenticated before it reaches internal hosts and can be logged more effectively
than if logged with standard host logging,
• cost-effectiveness, because third-party software or hardware for authentication or
logging need be located only at the application gateway, and
• less-complex filtering rules, in which the rules at the packet filtering router will be less
complex than they would if the router needed to filter application traffic and direct it to
a number of specific systems. The router need only allow application traffic destined
for the application gateway and reject the rest.
would serve as the route to the destination system and thereby intercept the connection,
and then perform additional steps as necessary such as querying for a one-time
password. User behavior stays the same, however at the price of requiring a modified
client on each system.
In addition to TELNET, application gateways are used generally for FTP and e-mail, as
well as for X Windows and some other services. Some FTP application gateways include
the capability to deny put and get command to specific hosts. For example, an outside
user who has established an FTP session (via the FTP application gateway) to an
internal system such as an anonymous FTP server might try to upload files to the server.
The application gateway can filter the FTP protocol and deny all puts to the anonymous
FTP server; this would ensure that nothing can be uploaded to the server and would
provide a higher degree of assurance than relying only on file permissions at the
anonymous FTP server to be set correctly.
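The protocol filtering described here and under the earlier benefit of proxy services (denying the FTP put command) comes down to inspecting the client's control-channel commands before forwarding them. The following is an added example, not code from the manual or from any firewall product: a stateful filter that an application gateway would sit between the two connections, refusing write commands locally with a 550 reply so they never reach the internal server. The command names are the RFC 959 ones; a user's "put" goes on the wire as STOR.

```python
"""FTP control-channel filter for an application gateway (added example, not
code from the manual).  The gateway feeds everything the outside client sends
into feed(); complete command lines are either forwarded to the internal FTP
server or answered locally with a 550 refusal, so a denied command never
reaches the server.  Partial lines are buffered until the line ends.
"""
from typing import List, Tuple

# RFC 959 commands that write to the server's file system.  A client's "put"
# goes out on the wire as STOR (or APPE/STOU); "get" is RETR, which is read-only.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}


class FtpCommandFilter:
    def __init__(self, deny_writes: bool) -> None:
        self.deny_writes = deny_writes
        self.denied: List[str] = []     # audit trail of refused commands
        self._buf = b""

    def feed(self, data: bytes) -> Tuple[bytes, bytes]:
        """Return (bytes to forward to the server, bytes to send back to the client)."""
        self._buf += data
        to_server = b""
        to_client = b""
        # Split on LF and tolerate a missing CR: many servers accept a bare-LF
        # line as a command, so it must not slip past the filter either.
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            if self.deny_writes and verb in WRITE_COMMANDS:
                self.denied.append(line.decode("ascii", "replace"))
                to_client += b"550 %s not permitted through this gateway.\r\n" % verb.encode()
            else:
                to_server += line + b"\r\n"   # normalised line ending for the server
        return to_server, to_client
```

The filter decides per complete line, so a command split across two reads ("sto" then "u\n") is held until it can be classified, and case is folded because servers treat "stor" and "STOR" alike. The data channel carries no commands, so nothing needs to be inspected there once STOR has been refused on the control channel.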
user@emailhost
where emailhost is the name of the e-mail gateway. The gateway would accept mail from
outside users and then forward mail along to other internal systems as necessary. Users
sending e-mail from internal systems could send it directly from their hosts, or in the case
where internal system names are not known outside the protected subnet, the mail would
be sent to the application gateway, which could then forward the mail to the destination
host. Some e-mail gateways use a more secure version of the sendmail program to
accept e-mail.
[Ches94] defines another firewall component that other authors sometimes include under
the category of application gateway. A circuit-level gateway relays TCP connections but
does no extra processing or filtering of the protocol. For example, the TELNET
application gateway example provided here would be an example of a circuit-level
gateway, since once the connection between the source and destination is established,
the firewall simply passes bytes between the systems. Another example of a circuit-level
gateway would be for NNTP, in which the NNTP server would connect to the firewall, and
then internal systems' NNTP clients would connect to the firewall. The firewall would,
again, simply pass bytes.
A dual-homed firewall is a firewall with two network interface cards (NICs), each
connected to a different network: typically one interface is connected to the external or
untrusted network, while the other is connected to the internal or trusted network. In this
configuration, an important security tenet is that traffic coming in from the untrusted
network is never routed directly to the trusted network; the firewall must always act as an
intermediary.
Routing by the firewall shall be disabled for a dual-homed firewall so that IP packets from
one network are not directly routed from one network to the other.
Packet filtering firewalls have well-known limitations:
• The source and destination addresses in the IP header and the ports in the TCP/UDP
header are the only information available to the router in deciding whether or not to
permit traffic access to an internal network.
• They don't protect against IP or DNS address spoofing.
• An attacker will have direct access to any host on the internal network once access
has been granted by the firewall.
• Strong user authentication isn't supported with some packet filtering gateways.
• They provide little or no useful logging.
Because an application gateway is considered as the most secure type of firewall, this
configuration provides a number of advantages to the medium-high risk site:
• The firewall can be configured as the only host address that is visible to the outside
network, requiring all connections to and from the internal network to go through the
firewall.
• The use of proxies for different services prevents direct access to services on the
internal network, protecting the enterprise against insecure or misconfigured internal
hosts.
• Strong user authentication can be enforced with application gateways.
• Proxies can provide detailed logging at the application level.
Application level firewalls should be configured such that out-bound network traffic
appears as if the traffic had originated from the firewall (i.e. only the firewall is visible to
outside networks). In this manner, direct access to network services on the internal
network is not allowed. All incoming requests for different network services such as
Telnet, FTP, HTTP, RLOGIN, etc., regardless of which host on the internal network will
be the final destination, must go through the appropriate proxy on the firewall.
Applications gateways require a proxy for each service, such as FTP, HTTP, etc., to be
supported through the firewall. When a service is required that is not supported by a
proxy, an organization has three choices:
Deny the service until the firewall vendor has developed a secure proxy - This is the
preferred approach, as many newly introduced Internet services have unacceptable
vulnerabilities.
Develop a custom proxy - This is a difficult task and should be undertaken only by very
sophisticated technical organizations.
Pass the service through the firewall - Using what are typically called “plugs,” most
application gateway firewalls allow services to be passed directly through the firewall with
only a minimum of packet filtering. This can limit some of the vulnerability but can result in
compromising the security of systems behind the firewall.
Low Risk
When an in-bound Internet service not supported by a proxy is required to pass
through the firewall, the firewall administrator shall define the configuration or
plug that will allow the required service. When a proxy is available from the
firewall vendor, the plug must be disabled and the proxy made operative.
Medium-high Risk
All in-bound Internet services must be processed by proxy software on the
firewall. If a new service is requested, that service will not be made available
until a proxy is available from the firewall vendor and tested by the firewall
administrator. A custom proxy can be developed in-house or by other vendors
only when approved by the CIO.
5.5.2 Hybrid or Complex Gateways
Hybrid gateways combine two or more of the above firewall types and implement them in
series rather than in parallel. If they are connected in series, then the overall security is
enhanced; on the other hand, if they are connected in parallel, then the network security
perimeter will be only as secure as the least secure of all methods used. In medium to
high-risk environments, a hybrid gateway may be the ideal firewall implementation.
Firewall Security Risk

Rating key: 4 recommended choice, 3 effective option, 2 acceptable,
1 minimal security, 0 unacceptable

Firewall type           High Risk   Medium Risk   Low Risk
Packet filtering            0            1            4
Application gateways        3            4            2
Hybrid gateways             4            3            2
Digital certificates: authentication based on a certificate, generated with public key
cryptography, that binds an identity to a public key.
A clearly defined policy has to be written as to whether or not the firewall will act as a
router or a forwarder of Internet packets. This is trivial in the case of a router that acts as
a packet filtering gateway: the firewall (router in this case) has no option but to route
packets. Applications gateway firewalls should generally not be configured to route any
traffic between the external interface and the internal network interface, since this could
bypass security controls. All external to internal connections should go through the
application proxies.
5.5.3.3 IP SPOOFING
Password sniffing can be very simple and done with considerable ease. Encryption of
passwords in a login session is a system-to-system capability: if the two operating
systems are a matched pair (same OS, usually the same version), the passwords are
usually encrypted in the session; otherwise they typically cross the network in the clear.
Perhaps the biggest problem is that users tend to use the same user ID and password on
all the systems they use in a network, so the compromise of one system leads to the
compromise of all of them.
There are many public domain password “grabbers” available on the Internet.
These programs are free and readily available.
Example:
http://www.geocities.com/SiliconValley/Bay/4854/snoopie.zip
DOS-based TCP-specific password grabber and filter software
Download, unpack, load drivers, grab passwords off internal nets
Any protocol analyzer used by system administrators can grab passwords (there are over
75 of them on the market, many software-only), and a good programmer can write one in
about 45 minutes. Password encryption is frequently no help: it only works when both
ends run the same OS (e.g. NT-to-NT, UNIX-to-UNIX). The following protocol-analyzer
decode of a single captured packet shows an FTP PASS command, and the password, in
the clear:
Flags: 0x00
Status: 0x00
Packet Length:85
Timestamp: 15:35:27.247
Filter: IP
Ethernet Header
Destination: 00:00:0c:19:99:49
Source: 00:05:a8:00:84:3b
Protocol Type:0x0800 IP
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5
Precedence: 0
Type of Service: %000
Unused: %00
Total Length: 67
Identifier: 19528
Fragmentation Flags: %010 Do Not Fragment
Fragment Offset: 0
Time To Live: 255
IP Type: 0x06 TCP
Header Checksum: 0xdde2
Source IP Address: 192.246.254.153
Dest. IP Address: 129.170.16.79
No Internet Datagram Options
TCP - Transport Control Protocol
Source Port: 2050
Destination Port: 21 FTP - File Transfer Protocol
Sequence Number: 1241405969
Ack Number: 1629760546
Offset: 5
Reserved: %000000
Code: %011000
Ack is valid
Push Request
Window: 17688
Checksum: 0xf86c
Urgent Pointer: 0
No TCP Options
FTP Control - File Transfer Protocol
FTP Command: 0x50415353 (PASS) Password
Password:
rmasey@network-1 72 6d 61 73 65 79 40 6e 65 74 77 6f 72 6b 2d 31
.com 2e 63 6f 6d
Newline Sequence: 0x0d0a
Frame Check Sequence: 0x06c1fd4a
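As an added example (not part of the manual), the decode above is rebuilt byte for byte from its field values and fed to a small monitoring routine of the kind a defender would run over captures: it verifies the IP and TCP checksums, recognises the cleartext FTP credential command, and raises an alert that records only the length of the secret rather than the secret itself.

```python
"""Detect cleartext FTP credentials in a captured Ethernet frame."""
import struct
from dataclasses import dataclass
from typing import Optional

# The frame is constructed here from the field values of the analyzer decode
# shown above: Ethernet, IPv4 and TCP headers followed by the FTP
# "PASS rmasey@network-1.com" command line (27 bytes, IP total length 67).
ETH_HDR = bytes.fromhex("00000c199949" + "0005a800843b" + "0800")
IP_HDR = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0x00, 67, 19528, 0x4000, 255, 6, 0xDDE2,
    bytes([192, 246, 254, 153]), bytes([129, 170, 16, 79]),
)
TCP_HDR = struct.pack(
    "!HHIIBBHHH",
    2050, 21, 1241405969, 1629760546, 5 << 4, 0x18, 17688, 0xF86C, 0,
)
PAYLOAD = b"PASS rmasey@network-1.com\r\n"
CAPTURED_FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD

# FTP commands (RFC 959) that carry credentials in the clear.
CREDENTIAL_COMMANDS = {b"USER", b"PASS", b"ACCT"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted.
    Over a block that already contains a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class CredentialAlert:
    src: str
    dst: str
    dst_port: int
    command: str
    ip_checksum_ok: bool
    tcp_checksum_ok: bool
    argument_length: int  # only the length is kept; the secret is not stored


def inspect_frame(frame: bytes) -> Optional[CredentialAlert]:
    """Parse Ethernet/IPv4/TCP and alert on cleartext FTP credential commands."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # not TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    ip_ok = internet_checksum(ip[:ihl]) == 0
    tcp = ip[ihl:total_len]
    _sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    # The TCP checksum also covers a pseudo-header: addresses, protocol, length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_ok = internet_checksum(pseudo + tcp) == 0
    if dport != 21:  # only the FTP control channel is inspected here
        return None
    parts = tcp[data_offset:].rstrip(b"\r\n").split(b" ", 1)
    command = parts[0].upper()
    if command not in CREDENTIAL_COMMANDS:
        return None
    argument = parts[1] if len(parts) > 1 else b""
    return CredentialAlert(src, dst, dport, command.decode("ascii"),
                           ip_ok, tcp_ok, len(argument))


if __name__ == "__main__":
    print(inspect_frame(CAPTURED_FRAME))
```

Both checksums printed by the analyzer (0xdde2 and 0xf86c) verify against the rebuilt bytes, which confirms the decode is internally consistent.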
On the Internet, the Domain Name Service provides the mapping and translation of
domain names to IP addresses, such as mapping server1.acme.com to 123.45.67.8.
Some firewalls can be configured to run as a primary, secondary, or caching DNS server.
Deciding how to manage DNS services is generally not a security decision. Many
organizations use a third party, such as an Internet Service Provider, to manage their
DNS. In this case, the firewall can be used as a DNS caching server, improving
performance but not requiring your organization to maintain its own DNS database.
If the organization decides to manage its own DNS database, the firewall can (but
doesn’t have to) act as the DNS server. If the firewall is to be configured as a DNS server
(primary, secondary, or caching), it is necessary that other security precautions be in
place. One advantage of implementing the firewall as a DNS server is that it can be
configured to hide the internal host information of a site. In other words, with the firewall
acting as a DNS server, internal hosts get an unrestricted view of both internal and
external DNS data. External hosts, on the other hand, do not have access to information
about internal host machines. To the outside world, all connections to any host in the
internal network will appear to have originated from the firewall. With the host information
hidden from the outside, an attacker will not know the host names and addresses of
internal hosts that offer service to the Internet.
If the firewall is to run as a DNS server, then the firewall must be configured to hide
information about the network so that internal host data are not advertised to the outside
world.
The best type of network security setup is one that is multi-tiered or layered. This type of setup allows for built-in redundancy.
Two firewall administrators (one primary and one secondary) shall be designated by the Chief Information Security Officer (or other manager) and shall be responsible for the upkeep of the firewall. The primary administrator shall make changes to the firewall, and the secondary shall only do so in the absence of the former, so that there is no simultaneous or contradictory access to the firewall.
Each firewall administrator shall provide their home phone number, pager
number, cellular phone number and other numbers or codes in which they can
be contacted when support is required.
An individual who is assigned the task of firewall administration must have good hands-on experience with networking concepts, design, and implementation so that the firewall is configured correctly and administered properly. Firewall administrators should receive periodic training on the firewalls in use and in network security principles and practices.
The most secure method of protecting against this form of attack is to have strong
physical security around the firewall host and to only allow firewall administration from an
attached terminal. However, operational concerns often dictate that some form of remote
access for firewall administration be supported. In no case should remote access to the
firewall be supported over untrusted networks without some form of strong
authentication. In addition, to prevent eavesdropping, session encryption should be used
for remote firewall connections.
Low
Any remote access over untrusted networks to the firewall for administration must use
strong authentication, such as one time passwords and/or hardware tokens.
Medium
The preferred method for firewall administration is directly from the attached terminal.
Physical access to the firewall terminal is limited to the firewall administrator and backup
administrator.
Where remote access for firewall administration must be allowed, it should be limited to
access from other hosts on the ORGANIZATION internal network. Such internal remote
access requires the use of strong authentication, such as one time passwords and/or
hardware tokens. Remote access over untrusted networks such as the Internet requires
end to end encryption and strong authentication to be employed.
High
All firewall administration must be performed from the local terminal - no access to the
firewall operating software is permitted via remote access. Physical access to the firewall
terminal is limited to the firewall administrator and backup administrator.
Only the firewall administrator and backup administrators will be given user accounts on the ORGANIZATION firewall. Any modification of the firewall system software must be done by the firewall administrator or backup administrator and requires approval of the Network Services Manager.
The firewall (system software, configuration data, database files, etc. ) must be backed
up daily, weekly, and monthly so that in case of system failure, data and configuration
files can be recovered. Backup files should be stored securely on a read-only media so
that data in storage is not over-written inadvertently and locked up so that the media is
only accessible to the appropriate personnel.
Another backup alternative would be to have another firewall configured as one already
deployed and kept safely so that in case there is a failure of the current one, this backup
firewall would simply be turned on and used as the firewall while the previous is
undergoing a repair.
The firewall's system integrity database shall be updated each time the firewall configuration is modified. System integrity files must be stored on read-only media or off-line storage. System integrity shall be checked on a regular basis on the firewall so that the administrator can generate a listing of all files that may have been modified, replaced, or deleted.
5.5.4.5 Documentation
It is important that the operational procedures for a firewall and its configurable
parameters be well documented, updated, and kept in a safe and secure place. This
assures that if a firewall administrator resigns or is otherwise unavailable, an experienced
individual can read the documentation and rapidly pick up the administration of the
firewall. In the event of a break-in such documentation also supports trying to recreate the
events that caused the security incident.
The firewall shall be configured to produce log reports on a daily, weekly, and monthly basis so that network activity can be analyzed when needed.
Firewall logs should be examined on a weekly basis to determine if attacks have
been detected.
The firewall administrator shall be notified at any time of any security alarm by email, pager, or other means so that he may immediately respond to such an alarm.
The firewall shall reject any kind of probing or scanning tool that is directed at it so that information being protected is not leaked out by the firewall. In a similar fashion, the firewall shall block all software types that are known to present security threats to a network (such as ActiveX and Java) to better tighten the security of the network.
5.5.4.8 Restoration of Services
Once an incident has been detected, the firewall may need to be brought down and
reconfigured. If it is necessary to bring down the firewall, Internet service should be
disabled or a secondary firewall should be made operational - internal systems should
not be connected to the Internet without a firewall. After being reconfigured, the firewall
must be brought back into an operational and reliable state. Policies for restoring the
firewall to a working state when a break-in occurs are needed.
network is not left wide open. While the restoration is going on, the backup
firewall shall be deployed.
To optimize the performance of the firewall, all vendor recommendations for processor
and memory capacities shall be followed.
The firewall administrator must evaluate each new release of the firewall
software to determine if an upgrade is required. All security patches
recommended by the firewall vendor should be implemented in a timely manner.
Hardware and software components shall be obtained from a list of vendor-recommended sources. Any firewall-specific upgrades shall be obtained from the vendor. NFS shall not be used as a means of obtaining hardware and software components. The use of a virus-checked CD-ROM or FTP to a vendor's site is an appropriate method.
The firewall administrator(s) shall monitor the vendor's firewall mailing list or maintain some other form of contact with the vendor to be aware of all required upgrades. Before an upgrade of any firewall component, the firewall administrator must verify with the vendor that the upgrade is required. After any upgrade, the firewall shall be tested to verify proper operation before going operational.
User
All users who require access to Internet services must do so by using
ORGANIZATION-approved software and Internet gateways.
A firewall has been placed between our private networks and the Internet to
protect our systems. Employees must not circumvent the firewall by using
modems or network tunneling software to connect to the Internet.
Some protocols have been blocked or redirected. If you have a business need
for a particular protocol, you must raise the issue with your manager and the
Internet security officer.
Manager
A firewall shall be placed between the ORGANIZATION’s network and the
Internet to prevent untrusted networks from accessing the ORGANIZATION
network. The firewall will be selected by and maintained by the Network
Services Manager.
All other forms of Internet access (such as via dial-out modems) from sites
connected to the ORGANIZATION wide-area network are prohibited.
All users who require access to Internet services must do so by using
ORGANIZATION-approved software and Internet gateways.
Technician
All firewalls should fail to a configuration that denies all services, and require a
firewall administrator to re-enable services after a failure.
Source routing shall be disabled on all firewalls and external routers (see
section 0).
The firewall shall not accept traffic on its external interfaces that appears to be coming from internal network addresses (see section 0).
The firewall shall provide detailed audit logs of all sessions so that these logs
can be reviewed for any anomalies.
Secure media shall be used to store log reports such that access to this media
is restricted to only authorized personnel.
Firewalls shall be tested off-line and the proper configuration verified.
The firewall shall be configured to implement transparency for all outbound
services. Unless approved by the Network Services manager, all in-bound
services shall be intercepted and processed by the firewall.
Appropriate firewall documentation will be maintained on off-line storage at all
times. Such information shall include but not be limited to the network diagram,
including all IP addresses of all network devices, the IP addresses of relevant
hosts of the Internet Service Provider (ISP) such as external news server,
router, DNS server, etc. and all other configuration parameters such as packet
filter rules, etc. Such documentation shall be updated any time the firewall
configuration is changed.
5.5.4.12.1 MEDIUM-RISK ENVIRONMENT POLICIES
User
When you are off-site, you may only access internal systems by using
ORGANIZATION-approved one-time passwords and hardware tokens to
authenticate yourself to the firewall. Any other means of accessing internal
systems is prohibited.
Manager
Strong authentication using ORGANIZATION-approved one-time passwords and hardware tokens is required for all remote access to internal systems through the firewall.
The network security policy shall be reviewed on a regular basis (every three
months minimum) by the firewall administrator(s) and other top information
(security) managers. Where requirements for network connections and services
have changed, the security policy shall be updated and approved. If a change is
to be made, the firewall administrator shall ensure that the change is
implemented and the policy modified.
The details of the ORGANIZATION internal trusted network should not be
visible from outside the firewall.
Technician
The firewall will be configured to deny all services not expressly permitted and
will be regularly audited and monitored to detect intrusions or misuse.
The firewall shall notify the system administrator in near-real-time of any item that may need immediate attention, such as a break-in into the network, little disk space available, or other related conditions, so that immediate action can be taken.
The firewall software will run on a dedicated computer - all non-firewall related
software, such as compilers, editors, communications software, etc., will be
deleted or disabled.
5.5.4.12.2 HIGH-RISK ENVIRONMENT POLICIES
User
All non-business use of the Internet from ORGANIZATION systems is forbidden.
All access to Internet services is logged. Employees who violate this policy are
subject to disciplinary action.
Your browser has been configured with a list of forbidden sites. Any attempts to
access those sites will be reported to your manager.
Manager
All non-business use of the Internet from ORGANIZATION systems is forbidden.
All access to Internet services is logged. Employees who violate this policy are
subject to disciplinary action.
Technician
All access to Internet services is logged. Summary and exception reports will be
prepared for the network and security managers.
5.5.4.13 Firewall Concerns: Management
Email: users have a single external email address. Does not reveal business info.
5.5.4.14 Service Policies Examples

Service            Inside to Outside    Outside to Inside    Sample Policy
                   Status    Auth       Status    Auth
FTP                y         n          y         y          FTP access shall be allowed from the internal network to the external. Strong authentication shall be required for FTP access from the outside to the inside.
Telnet             y         n          y         y          Telnet access shall be allowed from the inside network to the outside network. For telnet from the outside to the inside network, authentication shall be required.
Rlogin             y         n          y         y          rlogin to ORGANIZATION hosts from external networks requires written approval from the Network Services Manager and the use of strong authentication.
HTTP               y         n          n         n          All WWW servers intended for access by external users will be hosted outside the ORGANIZATION firewall. No inbound HTTP will be allowed through the ORGANIZATION firewall.
SSL                y         n          y         y          Secure Sockets Layer sessions using client-side certificates are required when SSL sessions are to be passed through the ORGANIZATION firewall.
POP3               n         n          y         n          The ORGANIZATION Post Office Protocol server is to be hosted inside the ORGANIZATION firewall. The firewall will pass POP traffic only to the POP server. The use of APOP is required.
NNTP               y         n          n         n          No external access will be allowed to the NNTP server.
Real Audio         n         n          n         n          There is currently no business requirement for supporting streaming audio sessions through the ORGANIZATION firewall. Any business units requiring such support should contact the Network Services Manager.
lp                 y         n          n         n          Inbound lp services are to be disabled at the ORGANIZATION firewall.
finger             y         n          n         n          Inbound finger services are to be disabled at the ORGANIZATION firewall.
gopher             y         n          n         n          Inbound gopher services are to be disabled at the ORGANIZATION firewall.
whois              y         n          n         n          Inbound whois services are to be disabled at the ORGANIZATION firewall.
SQL                y         n          n         n          Connections from external hosts to internal databases must be approved by the Network Services Manager and use approved SQL proxy services.
Rsh                y         n          n         n          Inbound rsh services are to be disabled at the ORGANIZATION firewall.
Other (e.g. NFS)   n         n          n         n          Access to any other service not mentioned above shall be denied in both directions so that only Internet services we have the need for and we know about are allowed and all others are denied.
An organization may wish to support some services without using strong authentication.
For example, an anonymous FTP server may be used to allow all external users to
download open information. In this case, such services should be hosted outside the
firewall or on a service network not connected to corporate
networks that contain sensitive data. The table that follows summarizes a method of
describing such policy for a service such as FTP.
Table 1 - Summarized Security Policy
[Diagram: Internet connection]
A dedicated firewall has distinct performance and security advantages. First, you gain the total performance of the system dedicated to the function of firewall services (if nothing else is on the system, there is nothing else for the firewall software to compete with for CPU access). Second, a dedicated firewall system helps increase the security of the firewall itself, as the number of privileged users who have access to the firewall system is much smaller than on other systems, and those users are usually carefully screened so that the individuals who do have access to the firewall are in positions of trust within the company. Finally, any other software which runs on a firewall that is NOT the firewall software or the operating environment puts the firewall at risk, simply due to failures of that software "killing" the firewall, other software creating system security holes, software bugs and errors in non-firewall software "opening" up the system in some manner, or other such problems. The less software on a firewall, the better for performance and firewall security.
Dedicated firewalls have their disadvantages as well. Many are based on the UNIX operating system or its variants, which are not known for their "user friendliness." While many vendors have strived to put a graphical interface on their firewall products when running under UNIX environments, most still rely on UNIX properties to help make the firewall work, and this requires anywhere from minimal UNIX skills to expert-level UNIX skills to configure and manage the firewall system. Another problem with UNIX systems as firewalls is the availability of source code for the UNIX environment. While there are valid arguments for such availability, there are as many arguments against it: if a "good" consumer can read the source code and discover how something works, so can an "evil" attacker who wants to attack a UNIX-based firewall system or the systems being protected in the UNIX environment.
Some of the problems associated with a UNIX firewall have to do with the availability of in-house expertise and the logistics of getting a UNIX system set up properly to be a firewall system. It is no coincidence that most UNIX-based firewalls require a customized version of the UNIX environment being used to patch and control system security "holes" that may be used by an attacker to gain access. Then there is the definition and management of the UNIX system for firewall operations, which usually require UNIX-specific management commands and facilities as well as the "tightening up" of the UNIX environment to close commonly used network and system interfaces. In many UNIX-based firewalls, firewall rule bases require the writing of either UNIX shell scripts or scripts in the Perl language to provide firewall functionality. While companies who make such products will argue for their approach, and there is nothing wrong with that, there is a certain amount of UNIX-based work that must happen on any UNIX-based firewall to make it work correctly and to manage the computational environment properly.
Dedicated firewalls which are, in fact, router systems with filters in them have many of the same concerns as a dedicated firewall running other applications at the same time. Firewall functions are different from routing functions. By putting both functions in the same hardware processor system, either function could "kill" the other function at a maximum or cause problems and security holes at a minimum, just like a firewall which runs other applications at the same time. There are plenty of CERT and CIAC alerts issued over the last few years on router vendors for their firewall filtering failures which were due to bugs or problems in the routing facilities which allowed the firewall function in the router to either be bypassed or breached. Having a dedicated router with screening functions is ONE layer in a properly defined network security setup. Network security means multiple layers of protection, and putting all the protection facilities in a single router/firewall combination means that if the unit is breached, there is an entire trusted network to attack with no other warning or security mechanism.
5.5.5.2 Are Dedicated Firewalls A Good Idea?
Security-wise, an emphatic yes, for the reasons previously mentioned and plenty more. But, to satisfy tight budgets and management who do not understand the true requirements for security systems, it is more and more common to use a firewall system as a multi-function computer where firewall functionality is one component of the system. But even dedicated security firewalls are not a total network solution; they remain a single level in the security management of network environments. True, functional network security must be a layered approach and use different types of security technologies to ensure proper control over data as it moves around any network between systems.
[Diagram: Internet - firewall - server]
In the above configuration, if an attacker were to get “around” the firewall system,
the server is vulnerable to attack from the network.
Adding screening filters for incoming packets into a router adds another layer to the
network security architecture:
[Diagram: Internet - screening router - firewall - server]
At this point, the security manager would be wise to insert some duplicate security
rules into the router filter rule base and the firewall security rule base for some of the
more important security functions. This would allow detection of a first-layer breach
of the router by security facilities in the firewall. For instance, if a TELNET filter were
placed in the router that denied all TELNET access, this would supposedly stop
TELNET functions from arriving to the firewall system. If the firewall also had filters
in it denying a TELNET connection from the untrusted Internet side of its
connections, then if a TELNET connection should arrive, the security manager
knows immediately that something very ugly has happened in the router for the
TELNET attempt to even reach the firewall and it’s time to find out what is going on
in the router.
Putting filters in a screening router has the following effects on the security hierarchy:
• Pre-screens security threats and dismisses them from the connection path
• Offloads security checking from the firewall except in the case of a failure by the
router to properly screen the attempted function
• Offloads packet filtering functions from the firewall
• Allows secondary security exception failure detection by the firewall of a router
where the security filter in the router has failed for some reason and still does
not allow the security exception condition to reach the trusted network side
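The following added example (not code from the manual) models the Technician policies and the 5.5.4.14 service policy table as a small two-layer evaluator, together with the "duplicate rule" idea described above: a rule denied in the screening router is repeated in the firewall, so a matching packet that still arrives is both denied and reported as a first-layer breach. The internal address range, the subset of services and the sample packets are constructed for the example.

```python
"""Two-layer screening: a filtering router in front of the firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed for this example: the ORGANIZATION internal address range.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Subset of the service policy table. service -> (inside-to-outside allowed,
# inside-to-outside auth required, outside-to-inside allowed,
# outside-to-inside auth required).
SERVICE_POLICY: Dict[str, Tuple[bool, bool, bool, bool]] = {
    "ftp":    (True, False, True, True),
    "telnet": (True, False, True, True),
    "rlogin": (True, False, True, True),
    "http":   (True, False, False, False),
    "ssl":    (True, False, True, True),
    "finger": (True, False, False, False),
    "rsh":    (True, False, False, False),
}
# Everything not listed is denied in both directions (default deny).

# Rules installed in the screening router AND duplicated in the firewall
# (the manual's example: deny all inbound TELNET). If the router works, such
# a packet never reaches the firewall, so the firewall's copy of the rule is
# a detector for a first-layer breach. In this example the duplicated rule
# takes precedence over the table entry for telnet.
ROUTER_DENY_INBOUND = {"telnet"}


@dataclass
class Packet:
    iface: str                 # "external" or "internal": arrival interface
    src: str
    dst: str
    service: str
    strong_auth: bool = False  # one-time password / hardware token presented
    source_routed: bool = False


@dataclass
class Decision:
    action: str                # "allow" or "deny"
    reason: str
    alert: Optional[str] = None


def router_forwards(pkt: Packet) -> bool:
    """Screening router: drop source-routed packets and denied inbound services."""
    if pkt.source_routed:
        return False
    if pkt.iface == "external" and pkt.service in ROUTER_DENY_INBOUND:
        return False
    return True


def firewall_decide(pkt: Packet) -> Decision:
    """Firewall rule base: anti-spoofing, no source routing, default deny."""
    inbound = pkt.iface == "external"
    if inbound and ip_address(pkt.src) in INTERNAL_NET:
        return Decision("deny", "internal source address on external interface")
    if pkt.source_routed:
        return Decision("deny", "source-routed packet")
    if inbound and pkt.service in ROUTER_DENY_INBOUND:
        # Duplicate of the router rule: reaching here means layer one failed.
        return Decision("deny", "router-denied service reached the firewall",
                        alert="screening router bypassed or misconfigured")
    policy = SERVICE_POLICY.get(pkt.service)
    if policy is None:
        return Decision("deny", "service not expressly permitted")
    out_ok, out_auth, in_ok, in_auth = policy
    allowed, needs_auth = (in_ok, in_auth) if inbound else (out_ok, out_auth)
    if not allowed:
        return Decision("deny", f"{pkt.service} not permitted in this direction")
    if needs_auth and not pkt.strong_auth:
        return Decision("deny", f"{pkt.service} requires strong authentication")
    return Decision("allow", f"{pkt.service} permitted")


def layered_path(pkt: Packet, router_healthy: bool = True) -> Decision:
    """Run a packet through the router layer, then the firewall layer."""
    if router_healthy and not router_forwards(pkt):
        return Decision("deny", "dropped by screening router")
    return firewall_decide(pkt)


if __name__ == "__main__":
    probe = Packet("external", "198.51.100.7", "10.1.1.5", "telnet")
    print(layered_path(probe))
    print(layered_path(probe, router_healthy=False))
```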
Another layer of security is possible by using a switching bridge in the hub to control
traffic directions and provide additional layers of packet filtering. By using hub-based
virtual local area network (VLAN) software in the switching bridge (this is available
from some switching bridge vendors - but not all), the network path is further
protected from attackers. This might be configured as follows:
[Diagram: Internet - screening router - firewall - VLAN switching bridge - server]
There are situations where using network security firewall software on an active client or server system acts as another security layer in the implementation of a layered network security architecture. This concept, while functionally similar in implementation to the shared system-firewall concepts previously explored, is not the same from a security rule base standpoint or from a performance standpoint. Further, this concept is different in that the security threat is lesser in this configuration, as it is presupposed that there is a real firewall in the network path BEFORE the system being accessed (running network security firewall software) that has pre-screened connection facilities coming towards the client or server. Adding server-based network security firewall software allows a final layer of network security prior to reaching the server operating environment:
[Diagram: Internet - screening router - firewall - VLAN switching bridge - server running firewall software]
In the above configuration, there are at least four layers of network security before the server's operating assets are accessed. This is far superior to a single network layer solution as is usually implemented via a single dedicated firewall or through the use of a screening router as the firewall. Additional network security layers may be added via authentication facilities, encryption, digital signatures and other security methods that are used in the various layers of network protocols (including applications). Oddly enough, when properly implemented, many network security methods may be added in such a manner as to be transparent to the user's activities as long as the user is attempting to access authorized systems and facilities.
With a layered network defense environment the chances of actual network attacks
getting to sensitive data are greatly minimized and the opportunities to detect
inappropriate security behavior before it reaches a significant asset are greatly
improved.
hierarchy. Proper network security is a bi-directional effort - not just from outside to
inside, but inside to outside as well.
5.5.5.5 Operating Systems and Network Software - Implementing Client and Server
Security
System security on a client or server system is the function of the following general
items:
Using accounting statistics and averaging methods for individual functions will
tip off the security professional that someone or something is acting outside the
normal operating pattern and deserves attention. Also, attempts to modify the
accounting facilities are a sure sign that someone wants to cover their tracks
and this should tip off the security team that something unusual and unwanted is
going on.
• Security Add-ons. One item often overlooked is system additions by third-party companies that provide additional security facilities to an operating environment. These might include system security management software, encryption systems, key exchange facilities, authentication facilities (such as token card and key certificate management software) and many other items. All of these items still do not address the issues of protocol security, but they do increase the difficulty of attacking the operating system environment being protected.
5.5.5.6 Operating System Attacks From the Network Resource(s) - More Protocols Are
The Norm - and They Are Not Just IP
With Apple Computer's MacOS V7.1 and later versions, the AppleTalk protocol was included in all versions of the operating system with functionality not only to access servers, but also to allow the client to publish itself as a disk service in a network and allow other clients to access the disk services. This is called peer-to-peer access, as there is no intermediary system required for the connection to be made and maintained. Other vendors, notably Microsoft, have followed suit and included peer-to-peer services in their operating systems when shipped for consumption.
In the very near future (beginning in late 1996), high-speed residential connections
will be more and more popular. The author has been directly involved in using a
7mbps connection from his home to the Internet for $19.95 per month via the local
cable television network. This connection “looks” like a standard Ethernet
connection (it even provides a standard RJ45 UTP connection on the set-top box
connection to the cable broadband network) and even works like one with the client
software. It also means that it was a trivial matter for the author to load up protocol
analysis software on his workstation client and see, quite literally, activity on the
cable television network by other persons in the neighborhood including Internet
Service Provider (ISP) passwords by other users, files being transferred and popular
locations that other neighbors access on the network. Therefore, there is basically
NO security when all traffic can be seen in the clear on the network by nodes using
the network.
[Diagram: telecommuter dial-up path - Remote Workstation, MODEM, Telco Network, Router, Internet Service Provider (ISP), Router, Internet]
For telecommuters, the need to support more than IP will also be the norm.
Companies are adding IP generously to their internal systems, but they are also
keeping protocols they have invested in for some time such as IPX, AppleTalk and
NetBEUI. Therefore, for some considerable timeframe, the need to support IP and
other protocols for telecommuting will be required in most corporate environments.
[Diagram: residential cable network - Remote Workstations each with an RF MODEM (Set Top Cable Network Adapter, 1-9mbps capable), Cable Television Coaxial/Fiber Network (emulates a LAN), Router, Internet Service Provider (ISP), Router, Internet]
Since most client computers do not include the ability to provide a firewall facility in the client remote or residential computer, the chances of being attacked when connected to public high-speed networks are extremely high, and such attacks have a high potential for success. A 1996 U.S. General Accounting Office report showed over 240,000 attempts at attacking the U.S. Department of Defense (DoD) unclassified networks, and it suggested that over 64% of the attacks were successful. It is well known that the DoD takes security very seriously. So, what is going to happen to the potential millions of telecommuters who connect to their office facilities with no network security facilities and who leave their home-based systems on all day while at the office and also while connected to the high-speed network provided by the cable television vendor? Free-lance attacks will be the norm and easily accomplished.
5.5.5.9 Compromising Network Traffic - On LANs and Cable Television It’s Easy
To simplify the matter, collecting data on in-path transactions on the Internet via a dial-up connection requires some specific levels of expertise. In the case of connections to cable television, very inexpensive or "free" network analysis software is available for PC and Macintosh systems and can allow the connection's data to be viewed in ASCII and sensitive information freely seen.
It should be noted that on intranets, most other protocols do not have encryption either, and those that do usually only use the encryption function for session establishment or, in the case of Novell NetWare, for password security. The problem is that for some devices, such as NetWare-aware printers, encryption is not always supported for passwords, so it is commonly disabled to allow users access to printers. Just because a security feature exists does not mean that it is used properly or at all.
On corporate enterprise networks, it is the norm for users to have a common format for
user IDs and passwords, to keep them from being too confused when accessing many
different systems and servers. Therefore securing one protocol is not good enough. If
the user accesses another network system using the same user ID and password as on
an encrypted protocol session, and the second protocol is unencrypted, then the
password is compromised even for the encrypted session. To properly protect network
connectivity, all protocols must be encrypted for all transactions, and then all packets
must be controlled (firewalled) when they arrive at the destination, to keep users from
accessing sensitive information and to protect the user’s client system integrity.
Even where encryption capabilities have been introduced into client systems via
encryption MODEMs or via software facilities in a specific protocol, this does not solve
the end-to-end network security problem. Encryption is very good for authenticating a
specific remote entity and is also very good for “hiding” any transaction over the
network from observers of the traffic being transferred. The problem is that encryption is
very much like giving someone you trust the keys to your house in such a manner that
no one can see your friend accessing your house and no one can see what your friend is
doing between his/her house and your house. This is good. What is not so good is that
encryption does not stop a trusted user from attacking the services the destination
system offers. For instance, encryption may ensure that only corporate users get access
to a system, but it does not restrict, to a very fine degree, what a trusted user may be
allowed to access and extract from the server. It’s very much like letting someone you
trust in the front door and placing no restrictions on where they are allowed to go in the
house and what they may deliver to or remove from it.
Firewall facilities, at the destination or the source of a network session, when used
with encryption facilities add the additional filtering and security controls that are
needed for network security on a client or a server. Encryption ensures that the
connection is allowed and protected from observation. Firewall facilities on the client
or server restrict where incoming or outgoing connections can access data on
entities on the client or server. By setting up specific firewall rule bases on the client
and server in addition to encryption software, the security manager can properly
protect system resources from systematic and asymmetric network attacks.
5.5.5.11 Multiprotocol Security Requirements are the Norm - Not the Exception. Even for
Singular Protocol Suites...
On corporate intranets, IP is not the only protocol used. Therefore, any network
security solution that is used must include support for every corporate protocol.
Further, any remote solution must support whatever protocol is required to access the
corporate facilities, plus provide facilities for any cooperating protocol to be passed
over the connection link (this is typically called “tunneling”).
Even if IP is chosen as the main corporate protocol now and in the future, it is a known
fact that IP will get periodic lobotomies to support additional network types, addressing
types, applications and other technological changes. This means that the need to run
the “old” version of IP and the “new” version of IP at the same time on the same
systems is highly likely while conversions are in progress on any network. Any network
manager can tell you horror stories about converting from one version of practically any
protocol to another. And, practically without exception, most companies want to run the
new version and the old version at the same time during testing before going to the new
version, due to the potential problems and outages that come with any new protocol
environment. Therefore, any protocol security solution must be multiple-protocol
capable, even if it is only for the same protocol suite and is required to run multiple
versions of that suite.
So, how do you protect a server or client from network attack on the trusted,
multiprotocol network? How do you protect remote clients that are used by
telecommuters from localized attack or asymmetric attacks from other sources on a
public-accessible network?
With the proper network security architecture, there are some basic, major elements
required on each and every system to make such a feat work:
There are a lot of other items which make life easier (like remote management) that
are not critical to the security function but certainly very useful. Without the four
major facilities listed above, there is not much likelihood of providing a useful set of
network security facilities for end-to-end connections.
Historically, firewall systems filter data from an untrusted network to/from a trusted
network. With the need for end-to-end security, there is a need to provide the
functionality of a firewall with VPNs at the workstation and singly-connected server
level. In this scenario, the firewall software treats the singular network connection on
a node as the untrusted side of the network and the node itself as the trusted side of
the network. Any connection going out of the client or server is considered to be a
trusted connection. A general hardware connection diagram would be as follows:
[Figure: a client system with firewall and VPN software, connected through a trusted hub with switching bridge and VLAN to an internal server with firewall and VPN software; an application runs at each end.]
In the above architecture, both the client and the server treat all incoming
connections through their internal firewall facilities as “untrusted.” All outgoing
connections are considered as sourced from the “trusted” side.
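The rule base described here, with the node's single network connection as the untrusted side and the node itself as the trusted side, can be modelled in a few dozen lines. The following is an added example, not code from the manual or from any firewall product: a host-based packet filter that accepts anything the node originates, remembers those flows so that their replies get back in, drops unsolicited inbound connections, and admits inbound traffic only to services listed explicitly (here a constructed permit for the VPN negotiation port). The addresses, ports and trace are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str          # "tcp" or "udp"
    syn: bool = False   # True only on a TCP connection-opening packet


class HostFirewall:
    """Default-deny inbound, allow outbound, track return traffic of flows the node opened."""

    def __init__(self, local_ip, inbound_allow=()):
        self.local_ip = local_ip
        # explicit inbound permits as (proto, local port), e.g. ("tcp", 22)
        self.inbound_allow = set(inbound_allow)
        # flows this node initiated, keyed so that the reply direction matches
        self.established = set()

    def filter(self, pkt):
        # Trusted side -> untrusted side: allowed, and the flow is remembered.
        if pkt.src == self.local_ip:
            self.established.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        # Untrusted side -> trusted side.
        if pkt.dst != self.local_ip:
            return "DROP"                       # not addressed to this node at all
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.established and not pkt.syn:
            return "ACCEPT"                     # reply to a connection this node opened
        if (pkt.proto, pkt.dport) in self.inbound_allow:
            return "ACCEPT"                     # explicitly permitted service
        return "DROP"                           # everything else from the untrusted side


def run_sample():
    """Constructed trace against a constructed rule base; returns the verdict per packet."""
    fw = HostFirewall("10.0.0.5", inbound_allow=[("udp", 500)])   # assumed VPN (IKE) port
    trace = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 443, "tcp", syn=True),   # node opens HTTPS
        Packet("192.0.2.10", 443, "10.0.0.5", 40000, "tcp"),             # server's reply
        Packet("203.0.113.7", 5555, "10.0.0.5", 139, "tcp", syn=True),   # unsolicited file-share probe
        Packet("203.0.113.7", 500, "10.0.0.5", 500, "udp"),              # VPN negotiation, permitted
        Packet("192.0.2.10", 443, "10.0.0.5", 40001, "tcp"),             # reply to a flow never opened
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print(run_sample())
```

The same logic applies unchanged on the server side of the diagram: the server's own outbound connections are trusted, and the only inbound traffic that gets through is replies to them or traffic to the services the security manager has listed. A production filter would also expire entries in the connection table and check TCP flags more carefully.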
Section References
5.0 Wack, John P. and Carnahan, Lisa J. Keeping Your Site Comfortably Secure: An
Introduction to Internet Firewalls. NIST Special Publication 800-10, U.S. Dept. of
Commerce.
5.5.4 Guttman, Barbara and Bagwill, Robert. Implementing Internet Firewall Security
Policy. NIST Special Publication 800-XX. U.S. Dept. of Commerce. April 1998.
6.0 Cryptography
Cryptography is the science of securing data. It addresses four major concerns—
confidentiality, authentication, integrity and non-repudiation. Encryption is the
transformation of data into an unreadable form using an encryption/decryption key.
Encryption ensures privacy and confidentiality, keeping information hidden from anyone
for whom it is not intended, including those who can see the encrypted data.
6.1 Cryptosystems
A cryptosystem obeys a methodology (procedure). It includes: one or more encryption
algorithms (mathematical formulae); keys used with the encryption algorithms; a key
management system; plain text (the original text); and, ciphertext (the original text that
has been obscured).
However, the main problem with any key-based methodology is how to create and move
the keys securely among communicating parties. How does one establish a secure
channel between the parties prior to transmitting keys?
Another problem is authentication. There are two potential areas of concern here:
• The message is encrypted by whoever holds the key at a given moment. This
should be the owner of the key; but if the system has been compromised, it
could be a spoofer.
• When the communicating parties receive the keys, how do those parties know
that the keys were actually created and sent by the proper authority?
TERM: Symmetric methodology
MEANING: Uses one key which both encrypts and decrypts using the same symmetric encryption algorithm. The key is distributed to the two communicating parties in a secure manner prior to transfer of encrypted data.
POTENTIAL CONFUSION: Often called private or private-key methodology.

TERM: Asymmetric methodology
MEANING: Uses symmetric encryption algorithms and symmetric keys to encrypt data. Uses asymmetric encryption algorithms and asymmetric keys to encrypt the symmetric key. The two keys are created and are linked together. The symmetric key encrypted with one must be decrypted by the other (in either direction) using the same asymmetric encryption algorithm. The two linked asymmetric keys are created together. One must be distributed to the owner, and the other to the party which is keeping these keys (often called the CA) in a secure manner prior to transfer of data.
POTENTIAL CONFUSION: Often called public or public-key methodology.

TERM: Private key (1)
MEANING: Symmetric methodology.
POTENTIAL CONFUSION: Uses a single key which can both encrypt and decrypt. See above.

TERM: Private key (2)
MEANING: Symmetric (private) encryption key.
POTENTIAL CONFUSION: Symmetric private key.

TERM: Private key (3)
MEANING: Asymmetric private encryption key.
POTENTIAL CONFUSION: Asymmetric private key. Asymmetric keys are created as pairs that are linked together. The words private key often mean the half of the asymmetric key pair that is kept private. The asymmetric private key is a totally different thing from the symmetric private key.

TERM: Public key (1)
MEANING: Asymmetric methodology.
POTENTIAL CONFUSION: Uses a pair of keys, both of which are created together and are linked. Anything encrypted by one must be decrypted by the other.

TERM: Public key (2)
MEANING: Asymmetric (public) encryption key.
POTENTIAL CONFUSION: Asymmetric keys are created as pairs that are linked together. The words public key often mean the half of the asymmetric key pair which is made publicly available.

TERM: Session key
MEANING: Symmetric (private) encryption key.
POTENTIAL CONFUSION: Used by asymmetric methodology for the actual encryption of data using symmetric methodologies. Simply a symmetric private key (see above).

TERM: Encryption algorithm
MEANING: Mathematical formula.
POTENTIAL CONFUSION: Symmetric keys are required for symmetric algorithms. Asymmetric keys are required for asymmetric algorithms. You cannot use symmetric keys with asymmetric algorithms, and vice versa.

TERM: Private cryptosystems
MEANING: Use symmetric algorithms and symmetric (private) keys to encrypt data.
POTENTIAL CONFUSION: Used by symmetric (private) cryptosystems.

TERM: Public cryptosystems
MEANING: Use asymmetric algorithms and asymmetric keys to encrypt session keys; use symmetric algorithms and symmetric keys to encrypt data.
POTENTIAL CONFUSION: Used by asymmetric (public) cryptosystems only.

TERM: Public/private
MEANING: Many asymmetric cryptosystem vendors define their methodologies as public/private.
POTENTIAL CONFUSION: Usually not clarified that asymmetric methodologies use symmetric methodologies to actually encrypt data.
Symmetric key encryption algorithms use relatively short keys and can quickly encrypt
large quantities of data.
3. Sender applies the fast symmetric encryption/decryption algorithm with the
symmetric private key to the package (plaintext and attached digital signature) to
produce the ciphertext. Authentication happens inherently because only the
sender has the symmetric private key and can encrypt the package. Only the
receiver holding the symmetric private key can decrypt this package.
4. Sender transfers the ciphertext. The private symmetric key is never transmitted
over the unsecured communication lines.
5. Receiver applies the same symmetric encryption/decryption algorithm with the
same symmetric key (which the receiver already has) to the ciphertext to
produce the original plaintext and digital signature. This authenticates whoever
holds the private key.
6. Receiver detaches the digital signature from the plaintext.
7. Receiver creates a digital signature by hashing the plaintext.
8. Receiver compares the two digital signatures to prove message integrity
(unaltered data).
All asymmetric cryptosystems are subject to shortcut attacks as well as brute force, and
therefore, must use much larger keys than symmetric cryptosystems to provide
equivalent levels of security. This immediately impacts computing cost, although using
elliptic curve algorithms may reduce this problem. Bruce Schneier in his book “Applied
Cryptography: Protocols, Algorithms, and Source Code in C” provides the following table
comparing equivalent key lengths:
It is important in asymmetric cryptosystems that the session and asymmetric keys must
be comparable in terms of the security they produce. If a short session key is used (e.g.
40 bit DES), it does not matter how large the asymmetric keys are. Hackers will attack
the session key instead. The asymmetric public keys are susceptible to brute-force
attacks partly because it is difficult to change them. Once broken, all current and future
communication is compromised, often without anyone knowing.
1. Create and distribute the asymmetric public and private keys securely. The
asymmetric private key is delivered to the owner. The asymmetric public key is
stored in an X.500 database and managed by the Certification Authority (CA).
Users must implicitly trust the secure creation, distribution and management of
the keys. Further, if the creator and the person or system managing the keys
are different, then the end user must implicitly trust that the creator of the keys
has actually deleted his copies.
2. Create a digital signature by hashing the plaintext. Encrypt the resulting digital
signature using the sender’s asymmetric private key and attach the resulting
string to the plaintext (only the sender has created the digital signature).
3. Create a private symmetric key used only for this transmission (the session key),
and apply it and the symmetric encryption/decryption algorithm to the plaintext
and attached encrypted digital signature to produce the ciphertext.
4. The problem of sending the session key to the receiver must now be addressed.
5. Make certain the sender has the Certification Authority’s (CA) asymmetric public
key. Interception of unencrypted requests for the public key is a common form
of attack. There may be a whole hierarchy of certificates attesting to the validity
of the CA’s public key. X.509 describes different methods for establishing user
access to the CA public keys, all of which provide an entry point to spoofers, and
show that there is no system that guarantees the identity of the CA.
6. Ask the CA for the receiver’s asymmetric public key. This process is vulnerable
to the man-in-the-middle attack. The receiver’s asymmetric public key has been
‘digitally signed’ by the CA. This means that the CA has used the CA’s
asymmetric private key to encrypt the receiver’s asymmetric public key. Since
only the CA holds the CA’s asymmetric private key, the receiver’s asymmetric
public key came from the CA.
7. Once received, decrypt the receiver’s asymmetric public key using the CA’s
asymmetric public key and an asymmetric encryption/decryption algorithm.
Implicit trust in the CA, and that the CA is not compromised, are required. If the
CA is compromised, the entire infrastructure is unusable. Those holding the
public key can encrypt, but there is no way of knowing if the key has been
compromised. (When you requested the CA’s public key, did you actually
receive the CA’s public key or something else?)
8. Using the receiver’s asymmetric public key (now received from the CA and
decrypted) and an asymmetric encryption/decryption algorithm, encrypt the
session key. Only those holding the receiver’s public key can encrypt, but there
is no way of knowing if the key has been compromised.
9. Attach the encrypted session key to the ciphertext (which includes the previously
encrypted digital signature).
10. Transfer the package (ciphertext that includes the digital signature and the
attached encrypted session key). The encrypted session key is transmitted
across the unsecured network and is an obvious target for various types of
attacks.
11. Receiver detaches the encrypted session key from the ciphertext.
12. The problem of decrypting the session key by the receiver must now be
addressed.
13. Make certain the receiver has the CA’s asymmetric public key. The same
comments as above can be made here.
14. Using the receiver’s asymmetric private key and the same asymmetric
encryption/decryption algorithm, receiver decrypts the session key.
15. Receiver applies the same symmetric encryption/decryption algorithm with the
now unencrypted symmetric key (session key) to the ciphertext to produce the
plaintext and attached hash or digital signature.
16. Receiver detaches the hash from the plaintext.
17. Receiver asks the CA for the sender’s asymmetric public key.
18. Once received, receiver decrypts the sender’s asymmetric public key using the
CA’s public key and the correct asymmetric encryption/decryption algorithm.
The same comments as above can be made here.
19. Using the sender’s asymmetric public key and an asymmetric
encryption/decryption algorithm, receiver decrypts the hash string.
20. Create a digital signature by hashing the plaintext.
21. Compare the two hashes to prove that the data has not been altered.
Symmetric methodologies squarely face up to this fact and define how keys are to be
moved between the parties before communication can take place. How this is done
depends upon the security required. For lower security requirements, sending keys by a
delivery mechanism of some kind (such as postal mail or a parcel delivery service) may
be adequate. Banks use the postal service to deliver PINs, which are, in essence, easily
crackable symmetric keys that may or may not unlock other keys, or your money! Very
high security requirements may require hand delivery of keys, possibly in parts by several
people.
Asymmetric methodologies try to get around the problem by encrypting the symmetric
key and attaching it to the encrypted data. They then try to make it possible to distribute
the asymmetric keys used to encrypt the symmetric key by employing a CA to store the
public asymmetric key. The CA in turn digitally signs the keys with the CA’s private
asymmetric key. Users of the system must also have a copy of the CA’s public key. In
theory, this means that the communicating parties do not need to know about each other
ahead of secure communication.
The problem still remains, however. The asymmetric key pair must be created together.
Both keys, whether they can be made publicly available or not, must be sent securely to
the owner of the key, as well as to the Certification Authority. The only way to do this is
by some kind of delivery mechanism for low security requirements, and hand-delivery for
high security requirements.
• X.509 assumes that keys are securely distributed and does not address the
issue other than identifying it. There are no standards covering this area. To be
safe, keys (whether symmetric or asymmetric) must be hand-delivered. Even
then, people could be intimidated or bribed.
• There is no mechanism in place to reliably validate what system is actually
talking to what system. The man-in-the-middle attack is an attack by a spoofer
masquerading as the CA and getting the data before anyone realizes the spoofer
was in the picture. All the spoofer has to do is capture the request to the CA and
substitute his own keys in its place. This type of spoofer has come and gone
long before users become aware that something might be wrong.
• The digital signing by the CA of a key still does not prove the authenticity of the
key because the CA’s own key could have been compromised. X.509 describes
digital signing of CA keys by higher level CAs, and describes this as a
certification path (a hierarchy of CA public keys). X.509 discusses the problems
associated with verifying the correctness of a public key, suggesting that it can
only operate if there is an unbroken chain of trusted points in the directory
between the users required to authenticate. The standards do not offer any
mechanism to get around this.
• X.509 assumes the user has prior access to the CA’s public key. How this is
achieved is not defined in the standards document.
• Compromise of the Certification Authority is a very real threat. Compromise of
the CA means that ALL users of the system are compromised. And no one
might ever know. X.509 assumes that storage of all keys, including the CA keys,
is secure. The deployment of X.500 directory systems (where X.509 keys are
stored) is difficult and prone to misconfiguration. There are very few people
available today with the technical knowledge required to manage these systems
properly. Further, it is a well-known fact that people in trusted positions can be
subverted—kidnapped or bribed.
• The CA may become a bottleneck. To provide for fault tolerance, X.509
suggests that the CA database be replicated or shadowed by using the X.500
standard directory services; this considerably raises the cost of the
cryptosystem. If spoofing occurs, it is difficult to identify which system was
attacked. Furthermore all the data must be sent across communication lines
somehow when the data is being distributed.
• An X.500 directory system is costly to install, configure and maintain. Access to
this directory is either by using an outside subscription service or by an
organization providing its own. The X.509 certificate is based on each individual
possessing a unique name. The allocation of names is the responsibility of yet
another trusted authority, the naming authority.
• Full keys, even though encrypted, are transmitted across the unsecured
communications medium.
In spite of these major drawbacks, users must blindly trust the asymmetric cryptosystem.
PROCEDURE: Physically distribute the keys
COMMENTS: Couriers and hand delivery are two examples. Of the two, hand delivery is better. Secure organizations have written procedures surrounding key distribution. Can be audited and logged, although open to compromise by individuals. Used by both symmetric and asymmetric cryptosystems. In spite of claims that asymmetric cryptosystems avoid the problem of physical delivery of keys, the problem actually exists. X.509 assumes that the creator will release the asymmetric private key to the user (and/or the asymmetric public key to the CA) in a physically secure manner, and that suitable physical security measures are in place so that the creator and data operations are free from tampering.

PROCEDURE: Issue a common key from a central issuing authority
COMMENTS: Could be used by both symmetric and asymmetric cryptosystems. As each user must be able to communicate with the central authority securely in the first place, this is yet another situation where initial key exchange is a problem. If the central authority is compromised, further requests for keys are at risk; keys already in place may be safe depending on the cryptosystem.

PROCEDURE: Allow access to public keys from a centralized certification authority and provide private keys to users
COMMENTS: Used by asymmetric cryptosystems. Users must blindly trust the entire system. A single security breach compromises the entire system. Hierarchical system of attestation leads to more potential intruder entry points—a CA must publicize its asymmetric public key and provide a certificate from a higher-level CA validating it. This sets up a hierarchy of CAs. CA asymmetric private keys must be stored securely because compromise could result in undetectable forgeries.

PROCEDURE: Web of trust
COMMENTS: Used by asymmetric cryptosystems. Users distribute and track each other’s keys, and trust in an informal, distributed fashion.

PROCEDURE: Diffie-Hellman
COMMENTS: Exchange of a secret key over an insecure medium by two users without any prior secrets. Cannot be used to encrypt or decrypt messages. Based on the difficulty of taking logarithms in finite fields. If the elements are carefully chosen, and are large, then the discrete logarithm problem is computationally infeasible. Vulnerable to man-in-the-middle attacks. Patented by PKP (Public Key Partners).
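The Diffie-Hellman row above, worked through as an added example that is not code from the manual: each party picks a private exponent, sends g^x mod p in the clear, and both arrive at the same shared secret, which is then hashed into a session key because the exchange itself produces no usable cipher key. The group (p = 2**127 - 1, g = 5) is a constructed toy choice so the example runs quickly, not a standardized group. To address the man-in-the-middle weakness the table notes, the example assumes a constructed pre-shared authentication key and has each side HMAC its public value; the `tamper` flag shows that a substituted value is then rejected instead of silently yielding a key the attacker knows.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: P is the Mersenne prime 2**127 - 1.
# A real deployment uses a standardized, much larger group.
P = 2**127 - 1
G = 5


def to_bytes(value):
    return value.to_bytes(16, "big")              # every value here is below 2**128


class Party:
    def __init__(self, name, auth_key):
        self.name = name
        self.auth_key = auth_key                   # pre-shared MAC key, assumed distributed out of band
        self.private = secrets.randbelow(P - 2) + 1   # x in [1, P-2], never sent
        self.public = pow(G, self.private, P)      # g^x mod p, safe to send in the clear

    def announce(self):
        """Send the public value together with an HMAC over it."""
        tag = hmac.new(self.auth_key, to_bytes(self.public), hashlib.sha256).digest()
        return self.public, tag

    def derive(self, peer_public, peer_tag):
        """Reject a public value the peer did not authenticate, then derive the session key."""
        expected = hmac.new(self.auth_key, to_bytes(peer_public), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError(f"{self.name}: peer public value failed authentication")
        shared = pow(peer_public, self.private, P)      # (g^y)^x == (g^x)^y mod p
        # DH yields a shared secret, not a cipher key: hash it down to a fixed-length session key
        return hashlib.sha256(to_bytes(shared)).digest()


def exchange(tamper=False):
    """Run one exchange; returns "agreed", "mismatch" or "rejected"."""
    psk = b"constructed-pre-shared-auth-key"
    alice, bob = Party("alice", psk), Party("bob", psk)
    a_pub, a_tag = alice.announce()
    b_pub, b_tag = bob.announce()
    if tamper:
        b_pub = pow(G, 12345, P)     # an active party on the medium swaps in a value of its own choosing
    try:
        k_alice = alice.derive(b_pub, b_tag)
        k_bob = bob.derive(a_pub, a_tag)
    except ValueError:
        return "rejected"
    return "agreed" if k_alice == k_bob else "mismatch"


if __name__ == "__main__":
    print(exchange(), exchange(tamper=True))
```

Without the HMAC step the same substitution would not raise anything; the two sides would simply end up with keys that the party in the middle shares. Authenticating the exchanged values, whether with a pre-shared key as here or with the signatures and certificates discussed in the asymmetric procedure, is what the table's "vulnerable to man-in-the-middle attacks" line is asking for.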
6.1.4 Encryption Ciphers or Algorithms
Key-based algorithms disguise data so that it cannot be read by anyone without a
decryption key. They are divided into two classes depending on the cryptography
methodology they directly support. Please read Schneier’s Applied Cryptography for a
full description of the algorithms.
TYPE: DES (Data Encryption Standard)
DESCRIPTION: Popular, product cipher used by the Data Encryption Standard of the US Government. 64-bit block cipher, 64-bit key (only 56 are needed), 16 rounds. Operates in four modes:
• ECB—Electronic Code Book (native DES), using two distinct algorithms
• CBC—Cipher Block Chaining, in which the encryption of each block depends upon the encryption of the previous block
• OFB—Output Feedback, used as a random number generator
• CFB—Cipher Feedback, used for message authentication codes

TYPE: 3-DES or Triple DES
DESCRIPTION: 64-bit block cipher, using the DES cipher 3 times, three distinct 56-bit keys. Strong under all attacks.

TYPE: Chained 3-DES
DESCRIPTION: Standard Triple-DES with the addition of a feedback mechanism such as CBC, OFB or CFB. Very strong under all attacks.

TYPE: FEAL (Fast Encryption Algorithm)
DESCRIPTION: Block cipher, used as an alternative to DES. Broken, although new versions have been proposed.

TYPE: IDEA (International Data Encryption Algorithm)
DESCRIPTION: 64-bit block cipher, 128-bit key, 8 rounds. Recently proposed; although it has not yet received enough scrutiny for full confidence, it is considered superior to DES.

TYPE: Skipjack
DESCRIPTION: Developed by NSA as part of the US Government Clipper and Capstone projects. Classified as secret, although its strength does not depend only on the secrecy of the algorithm. 64-bit block cipher, 80-bit keys used in ECB, CFB, OFB or CBC modes, 32 rounds.

TYPE: RC2
DESCRIPTION: 64-bit block cipher, variable key sizes. Approximately twice as fast as DES. Can be used in the same modes as DES, including triple encryption. Confidential algorithm proprietary to RSA Data Security.

TYPE: RC4
DESCRIPTION: Stream cipher, byte-oriented, variable key size. Approximately 10 times as fast as DES. Confidential algorithm proprietary to RSA Data Security.

TYPE: RC5
DESCRIPTION: 32, 64 or 128-bit variable block size, 0 to 2048 variable key size, 0 to 255 rounds. A fast block cipher. Proprietary to RSA Data Security.

TYPE: CAST
DESCRIPTION: 64-bit block cipher, 40 to 64 bit keys, 8 rounds. No known way to break other than brute force. Generally, the particular S-boxes used (which form the strength of the algorithm) are not made public.

TYPE: Blowfish
DESCRIPTION: 64-bit block cipher, variable key of up to 448 bits, 16 rounds, each consisting of a key-dependent permutation and a key-and-data-dependent substitution. Faster than DES. Designed for 32-bit machines.

TYPE: One-time pad
DESCRIPTION: A proven unbreakable cipher. The key (same length as the text) is the next ‘n’ bits of randomly created bits found on a pad to which both the sender and the receiver have access. As soon as the bits are used, they are destroyed and the next bits on the pad are used for the next encryption.

TYPE: Stream ciphers
DESCRIPTION: Fast, symmetric encryption algorithms, usually operating on bits (not blocks) of data. Developed as an approximation of the one-time pad which, while not as secure as the one-time pad, are at least practical.
6.1.6 Asymmetric Algorithms
Asymmetric algorithms are used by asymmetric cryptosystem methodologies in order to
encrypt a symmetric session key (which is actually used to encrypt the data).
Two distinct keys are used—one that is publicly available, and the other that is kept
private and secret. Usually both keys perform encryption and decryption functions.
However, data encrypted by one can only be decrypted by the companion key.
TYPE DESCRIPTION
6.1.8 Authentication Mechanisms
These mechanisms securely and reliably confirm identity or authenticity.
TYPE: Passwords or PINs (Personal Identification Numbers)
DESCRIPTION: Something a user knows and shares with the entity at the other end. Typically part of a two-way handshake. Can be exchanged in both directions to obtain mutual authentication.

TYPE: One-time password
DESCRIPTION: Password provided is never reused. Time is often used as the constantly changing value on which the password is based.

TYPE: CHAP (Challenge Handshake Authentication Protocol)
DESCRIPTION: One side initiates an authentication exchange, is presented with a unique and unpredictable challenge value, and based on a secretly shared value, is able to calculate and return an appropriate response. Can be used to provide user authentication as well as device authentication.

TYPE: Callback
DESCRIPTION: Dialing in over a telephone to a server which is configured to dial back to a specified number associated with the user.
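The CHAP row, shown as an exchange with both sides' messages. This is an added example, not code from the manual; the response computation follows the MD5 form of CHAP (Response = MD5(Identifier || Secret || Challenge) as specified in RFC 1994), while the authenticator and peer classes, the peer name and the shared secret are constructed for the demonstration. The session runs a genuine authentication, then shows why the "unique and unpredictable" challenge matters: a response captured from one exchange is useless against the next, and a peer that knows the name but not the secret fails.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The shared secret never crosses the link, only this one-way function of it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (for instance a remote-access server)."""

    def __init__(self, secrets_db):
        self.secrets_db = secrets_db       # peer name -> shared secret (constructed)
        self.identifier = 0
        self.outstanding = {}              # identifier -> challenge value awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)    # unique and unpredictable, fresh for every exchange
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, name, response):
        value = self.outstanding.pop(identifier, None)   # a challenge is good for one answer only
        if value is None or name not in self.secrets_db:
            return False
        expected = chap_response(identifier, self.secrets_db[name], value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated (for instance the telecommuter's client)."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def session():
    """Three exchanges: genuine, replayed, wrong secret. Returns their outcomes."""
    secret = b"constructed-shared-secret"
    auth = Authenticator({"telecommuter": secret})
    peer = Peer("telecommuter", secret)

    ident, chal = auth.challenge()                 # server -> client: Challenge
    name, resp = peer.respond(ident, chal)         # client -> server: Response
    genuine = auth.verify(ident, name, resp)       # server: Success / Failure

    # A captured response does not fit the next challenge: the challenge value differs
    ident2, _ = auth.challenge()
    replayed = auth.verify(ident2, name, resp)

    # Knowing the peer's name but not the secret fails as well
    ident3, chal3 = auth.challenge()
    impostor = Peer("telecommuter", b"wrong-secret")
    wrong = auth.verify(ident3, *impostor.respond(ident3, chal3))
    return genuine, replayed, wrong


if __name__ == "__main__":
    print(session())
```

Because the authenticator must compute the same function, it has to hold the secret in a recoverable form, which is the main operational difference between CHAP and a password scheme that stores only a hash; the secrets database is therefore a sensitive asset in its own right. Periodic re-challenges during a connection, which the protocol permits, give the device authentication the table mentions.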
6.1.9 Digital Signatures and Time Stamps
A digital signature provides data integrity, but does not provide confidentiality. The digital
signature is attached to the message and both can be encrypted if confidentiality is
desired. The addition of a timestamp to a digital signature provides a limited form of non-
repudiation.
TYPE: DSA (Digital Signature Authorization)
COMMENTS: Public key algorithm used for digital signatures but not for encryption. Private hashing and public verification—only one person can produce the hash for a message, but everyone can verify that the hash is correct. Based on the difficulty of taking logarithms in finite fields.

TYPE: RSA
COMMENTS: Patented RSA digital signature proves the contents of a message as well as the identity of the signer. The sender creates a hash of the message, and then encrypts it with the sender’s private key. The receiver uses the sender’s public key to decrypt the hash, hashes the message himself, and compares the two hashes.

TYPE: MAC (Message Authentication Code)
COMMENTS: Digital signature, using hashing schemes similar to MD or SHA, but the hash value is a function of both the pre-image and a private key.

TYPE: DTS (Digital Timestamp Service)
COMMENTS: Issues timestamps which associate a date and time with a digital document in a cryptographically strong manner.
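The RSA row above and the signing and certificate steps of the asymmetric procedure in 6.1 (hash the plaintext, encrypt the hash with the sender's private key; the CA signs each party's public key with its own private key; the receiver checks the CA's signature on the sender's key before using it) can be run end to end in one example. This is an added example and not code from the manual or from any library: it uses textbook RSA with no padding and 512-bit moduli generated by a small Miller-Rabin routine, which is enough to show the mechanics but far below what a real deployment needs. The subject name, message and certificate layout are constructed; the final check shows that a key signed by anyone other than the trusted CA is refused, which is the table's point that the CA private key is what must be guarded.

```python
import hashlib
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a demonstration key pair."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if is_probable_prime(candidate):
            return candidate


def keygen(bits=512):
    """Textbook RSA (no padding): returns (public, private) as (n, e), (n, d).
    A 512-bit n is far too small for real use; it keeps the example fast."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits, always below n


def sign(private, data):
    n, d = private
    return pow(digest_int(data), d, n)        # hash the plaintext, "encrypt" the hash with the private key


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_int(data)   # "decrypt" with the public key, compare hashes


def key_record(name, public):
    n, e = public
    return name.encode() + n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")


def issue_certificate(ca_private, name, public):
    """The CA signs the subject's public key so that others can tell it came from the CA."""
    return {"name": name, "public": public, "ca_signature": sign(ca_private, key_record(name, public))}


def certificate_is_valid(ca_public, cert):
    return verify(ca_public, key_record(cert["name"], cert["public"]), cert["ca_signature"])


def pki_demo():
    """Returns (genuine_verifies, altered_message_verifies, rogue_certificate_accepted)."""
    ca_public, ca_private = keygen()
    sender_public, sender_private = keygen()
    cert = issue_certificate(ca_private, "sender", sender_public)
    message = b"ship 40 units"
    signature = sign(sender_private, message)
    # Receiver: check the sender's certificate against the CA key it already holds, then the signature
    genuine = certificate_is_valid(ca_public, cert) and verify(cert["public"], message, signature)
    altered = verify(cert["public"], b"ship 41 units", signature)
    rogue_public, rogue_private = keygen()          # someone who is not the CA signs the same key
    rogue_cert = issue_certificate(rogue_private, "sender", sender_public)
    rogue_accepted = certificate_is_valid(ca_public, rogue_cert)
    return genuine, altered, rogue_accepted


if __name__ == "__main__":
    print(pki_demo())
```

Everything the procedure worries about is visible in `pki_demo`: the receiver's trust rests on `ca_public` having arrived intact beforehand, and a CA private key that leaks lets anyone issue certificates that pass `certificate_is_valid`. Real signature schemes add padding (PKCS#1 v1.5 or PSS) on top of the bare `pow` used here; without it textbook RSA signatures have algebraic properties that a deployed system must not expose.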
Section References
6.0 Chandler, Janet, Cryptography 101: Technical White Paper, Signal 9 Solutions,
Kanata Ontario.
7.0 Malicious Code
Computer viruses are programs which replicate themselves, attach themselves to other
programs, and perform unsolicited and often malicious actions. Self-replication is the key
trait that distinguishes viruses from other destructive programs. For instance, a Trojan
Horse is a program which performs unsolicited actions, but it cannot replicate and spread
on its own.
Critical to a virus' "success" is the ability to remain undetected for a long enough
period to replicate and spread to new hosts. By the time the virus' presence is
revealed, through unusual computer "behavior," damage to data or taunting
messages, it usually will have been quite some time since the original infection took
place.
This delay in time, between infection and manifestation, obviously makes it more
difficult to trace the origin of the virus and/or the route it took to reach one's system.
So delays are often made an inherent "feature" within a virus' design. A virus may
monitor for a trigger event, which is a computer condition that, when it occurs, will
cause the virus' payload to be delivered.
Examples of trigger events include dates (such as March 6 for the infamous
Michelangelo virus), times, number of file saves or disk accesses, or file sizes.
Specific keystroke sequences, in any predictable combination, can also be triggers.
A payload is an action performed by a virus - usually, but not always, the action that
reveals the virus' presence. Examples of payloads include:
• "Amusing" or political messages (such as the Nuclear macro virus which asks
for a ban on the French nuclear testing)
• Prevention of access to one's disk drives (the Monkey virus)
7.1.0 Boot vs File Viruses
Before the inception and rapid proliferation of the Macro category, most IBM-compatible
and Macintosh viruses fell into two basic categories: Boot, such as "Michelangelo" and
File, such as "Jerusalem."
Boot viruses activate upon system start-up and are more common. They infect a
system's floppy or hard disk and then spread (by replicating and attaching) to any
logical disks available. File viruses are actually programs which must be executed in
order to become active, and include executable files such as .com, .exe and .dll.
Once executed, file viruses replicate and attach to other executable files. Since
most viruses attach at the beginning or end of processes, their execution goes
unnoticed.
Other troublesome general virus sub-classes that are active today include Stealth
(active and passive), Multipartite, Encrypted, Polymorphic, and Macro.
Stealth viruses (such as "Tequila") are difficult to detect because, as their name
implies, they actually disguise their actions. Passive Stealth viruses can increase a
file's size, yet present the appearance of the original file size, thus evading Integrity
Checking - one of the most fundamental detection tactics.
Active Stealth viruses may be written so that they actually attack installed anti-virus
software (generic or brand-specific), rendering the product's detection tools useless.
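A content-hash integrity checker makes the evasion described in the stealth paragraphs concrete. The following is an added example, not code from this manual or from any product it mentions; it assumes the baseline is taken from a known-clean state and uses only standard-library hashing. It records a SHA-256 digest and the size of every file, then reports added, removed and modified files, singling out files whose content changed while their size did not, which is exactly the case a size-only or timestamp-only check misses.

```python
"""Baseline-and-compare integrity checker.

Added example, not code from this manual. Records a SHA-256 digest and the
size of every file under a root, then reports files that were added, removed
or modified since the baseline. Comparing content digests rather than reported
sizes or timestamps is what defeats a passive stealth virus that grows a file
but presents the original size, or that restores the modification date.
Assumption: the baseline is taken from a known-clean state.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each relative file path under root to its digest and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": p.stat().st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; 'same_size_modified' is the stealth-style case."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    # Content changed but the size did not: a size-only checker would miss it.
    same_size_modified = [
        name for name in modified
        if baseline[name]["size"] == current[name]["size"]
    ]
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "same_size_modified": same_size_modified,
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then tamper, delete and add files."""
    work = Path(tempfile.mkdtemp())
    try:
        (work / "bin").mkdir()
        (work / "bin" / "login.exe").write_bytes(b"ORIGINAL-CODE-0001")
        (work / "bin" / "notepad.exe").write_bytes(b"NOTEPAD")
        (work / "readme.txt").write_bytes(b"hello")
        before = build_baseline(work)
        # Same-length overwrite: mimics an infection that keeps the size unchanged.
        (work / "bin" / "login.exe").write_bytes(b"INFECTED-CODE-0001")
        (work / "readme.txt").unlink()
        (work / "bin" / "dropper.exe").write_bytes(b"NEW")
        after = build_baseline(work)
        return compare(before, after)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The digest comparison defeats a virus that lies about a file's size or restores its modification date; it does not defeat an active stealth virus that intercepts the scanner's own reads, which is why the baseline and each comparison are best run from a clean boot medium rather than from the possibly infected system.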
Multipartite viruses, such as "Natas," have the characteristics of both boot and file
viruses. "Cascade" is a well-known Encrypted virus. The challenge of Encrypted
viruses is not primarily one of detection, per se. The encryption engine of this type of
virus masks its viral code – making identification, as opposed to detection, more
difficult.
If you send or receive documents or spreadsheets, chances are your computer has been
or will be infected at one time or another by a macro virus. Relatively new on the
computing scene, these computer viruses are spreading faster than most anti-virus
software makers can find ways to detect and remove them. Macro viruses are now the
most prevalent computer viruses in the world, largely due to the new way in which they
spread: they attach themselves to word processor and spreadsheet documents, which
often are transmitted as e-mail attachments via the Internet throughout the world.
This new means of virus proliferation calls for new methods of virus detection. One
such approach is based on intelligent, rule-based scanning, a technique that
searches for and removes even macro viruses never before analyzed. This
approach combines the following elements:
• OLE2 technology to efficiently extract only that portion of files that can carry
viruses
• Pattern matching for detection of known viruses, as well as intelligent rule-based
scanning to detect unknown viruses
7.2.0 Background
Despite a significant increase in the usage of anti-virus products, the rate of computer
virus infection in corporate America has nearly tripled in the past year, according to a
survey released in April 1997 by the International Computer Security Association (ICSA),
formerly the National Computer Security Association. Virtually all medium and large
organizations in North America experienced at least one computer virus infection
firsthand, and the survey indicated that about 40 percent of all computers used in the
surveyed companies would experience a virus infection within a year.
Macro viruses, which unlike their predecessors, are carried in common word
processing documents and spreadsheets, are the biggest problem, representing
80% of all infections. Moreover, the instances of macro virus infection doubled about
every four months in 1996. This makes these viruses the fastest to spread in the
history of the ICSA.
The Number One macro virus encountered in the survey, by far, was the Concept
virus, also known as prank macro, wm-Concept, winword.Concept,
wordmacro.Concept, ww6, and ww6macro. Within months of its discovery in the fall
of 1995, the Concept virus accounted for more than three times the number of virus
encounters reported for the previous leader, the "Form virus." Today, the Concept
virus has infected almost one-half of all ICSA survey sites (see Figure 1).
Figure 1. The Concept virus and other Word macro viruses were the
dominant viruses encountered in 1997, according to a virus prevalence
survey conducted by the International Computer Security Association.
Perhaps even more worrying than the meteoric rise in infections by this particular
virus is what it bodes for the future. Microsoft Word™, Microsoft Excel™,
and other document and spreadsheet files were once thought to be immune to
infection. Since these virus carriers are now the most prevalent types of files
exchanged in the world, the threat of viruses has evolved in a big way. With the
exponential growth of the Internet for e-mail and file exchange, macro viruses now
represent the most widespread virus threat ever.
"Macro viruses are incredibly successful viruses," says Eva Chen, CTO of Trend
Micro. "Because they hitchhike on document and spreadsheet files, they can travel
both on floppy diskettes and across computer networks as attachments to electronic
mail. Then they spread quickly by taking advantage of e-mail, groupware, and
Internet traffic."
Adding to growing concern about these viruses is the ease of their creation. Prior to
the macro virus era, creating a virus required some knowledge of assembly
language or other complex programming language. Today, almost anyone can write
a macro virus using Visual Basic, which uses English-like commands (see Figure 2).
There is even a guided step-by-step template for creating Word macro viruses
available on the Internet.
Figure 2. Macro viruses written in visual basic are easier to write than
their assembly language predecessors.
While most of the more than 500 macro viruses known at the time of this writing are
not destructive, many cause a considerable loss of productivity and staff time.
Average financial cost per ‘virus disaster,’ according to the ICSA, rose to $8366 in
1997, and Figure 3 shows that virus incident costs are shifting from predominantly
low levels to intermediate levels. Concept restricts file saving operations, and other
macro viruses have been known to manipulate information, control data storage,
and even reformat hard drives. This potential destructiveness has system
administrators buzzing about how to address this new threat.
Figure 3. According to the ICSA 1997 Computer Virus Prevalence Survey,
the stated costs of virus incidents tended to shift from less than $2000
to the range of $2000-$99,000 [1].
The answer is that there is more to today's word processing or spreadsheet file than
meets the eye.
Traditional files like these consist solely of text. But today's increasingly
sophisticated word processing and spreadsheet files carry macros with them that
can provide a variety of features to your documents and spreadsheets. For
example, macro commands can perform key tasks, such as saving files every few
minutes, or they can prompt you to type in information, such as a name and address
into a form letter. These macros, part of the document itself, travel with the file as it
is transferred from user to user, either via floppy diskette, file transfer, or e-mail
attachment.
Some of these macro commands have special attributes that force them to execute
automatically when the user performs various standard operations. For example,
Word uses five predefined macros, including the AutoOpen macro, which executes
when a user opens a Word document, and AutoClose, which runs when you close
the document.
Macro viruses gain access to word processing and spreadsheet files by attaching
themselves to the executable portion of the document: the AutoOpen, AutoExec,
AutoNew, AutoClose, AutoExit, and other file macros. For example, the Concept
virus attaches itself to AutoOpen and FileSaveAs in Word (see Figure 4).
Macro viruses are particularly difficult to eradicate because they can hide in
attachments to old e-mail messages. For example, the administrator of a network
infected by a macro virus may take pains to eliminate it. But when an employee
returns from a vacation and opens an e-mail attachment with the virus and forwards
it to others on the network, the virus can spread again, necessitating a second
round of detection and disinfection.
This migration of viruses to word processing and spreadsheet files mirrors user
computing patterns. In fact, this parallel evolution of viruses and computing media
has been going on for years. When the primary means of exchanging files was the
floppy diskette, the most prevalent viruses were boot sector infectors, which resided
on the first sector of a diskette. Later, the wide use of internal networks built around
file servers allowed viruses to spread by modifying executable files. Today, the
ICSA reports that commonly exchanged word processed and spreadsheet files sent
over the Internet as e-mail attachments are the most common carrier of viruses [1].
The increase in virus incidence despite rising anti-virus usage can lead to but one
conclusion. "It is obvious that existing virus protection software isn't working," says
Chen. "Traditional methods have not been successful in combating viruses entering
networks from new entry points: e-mail and the Internet." Hence, the Concept virus
seems to be aptly named, since dealing with it and viruses like it reliably and
effectively requires new concepts in virus detection.
The traditional approach to virus detection has been to gather samples of suspicious
code, conduct analysis, create new virus signature files, and distribute them to
customers.
Unfortunately, the Concept virus and other macro viruses often elude these
techniques for several reasons. The ease with which these viruses can be
developed, coupled with the vast number of word processing and spreadsheet
documents exchanged throughout the world every day via the Internet, is leading to
the rapid proliferation of many variants of each macro virus. Essentially, macro
viruses are spreading and mutating so fast that anti-virus software designed to
detect and remove them is obsolete soon after it is shipped to users.
This enables detection and cleaning of even those macro viruses that have not yet
been captured and analyzed. But implementing this approach is not easy, requiring
intelligent, rule-based scanning.
To efficiently extract only the macro portion of each word processed or spreadsheet
file it examines, this new approach is based on OLE2 (object linking and
embedding) technology. Files such as those created in Word are also based on the
OLE2 structure, which organizes each file into discrete components (e.g., document
and objects).
This new approach examines the document portion of the file only to identify key
information about the macros that accompany the document, such as the locations
of the macros (i.e., which "object" locations contain macros, as expressed in the
macro table). The anti-virus technology does not scan the (sometimes very long)
text portion of the file, since this portion cannot contain viruses. In addition to
maintaining high-speed scanning performance, this approach reduces the likelihood
of false positive virus indications, which are possible when large text files are scanned.
After extracting the macro code, this approach compares it with patterns from known
viruses. If a match is found, the user is alerted. Otherwise, the anti-virus software
applies a comprehensive set of intelligent binary rules that can detect the presence
of almost all macro viruses. For example, if the macro code indicates it would
reformat a hard drive without prompting the user for approval to do so, the user
would be alerted of the virus. This is one part of several sets of such checks that are
performed. Since some macro viruses are activated when files are simply opened,
virus detection is performed on files before they are even opened by any
application.
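To show how the two stages described above fit together (a pattern match against known viruses, then behavioural rules for unknown ones), here is an added example; it is not code from this manual or from Trend Micro. It assumes the macro source text has already been extracted from the document's OLE2 macro storage, and it works on constructed WordBasic-style samples; the single "known" signature is a placeholder, not a real one. The rules flag an auto-executing macro (AutoOpen, AutoClose and the like) or a shadowed menu command (FileSaveAs) that copies macros elsewhere, deletes files, runs an external command or disables macro warnings, and they note whether the macro prompts the user before acting, which is the distinction the reformat-without-approval rule above relies on.

```python
"""Two-stage macro scanner: known-virus patterns, then behavioural rules.

Added example, not the manual's or any vendor's code. Input is macro source
text assumed to have been extracted already from the document's macro
streams. All samples and the one signature below are constructed.
"""
import re

AUTO_MACROS = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit"}
MENU_HOOKS = {"filesaveas", "filesave", "fileopen", "fileprint"}

# Stage 1: constructed placeholder signature (a real product ships thousands).
KNOWN_SIGNATURES = {
    "Example.Concept-like (constructed)":
        re.compile(r'MacroCopy\s+FileName\$\(\)\s*\+\s*":AutoOpen"', re.I),
}

# Stage 2: behaviours typical of macro viruses.
RULES = [
    ("copies macros into another document or the global template",
     re.compile(r"\b(MacroCopy|OrganizerCopy)\b|\bNormalTemplate\b", re.I)),
    ("deletes files", re.compile(r"\bKill\b", re.I)),
    ("runs an external command (for example a disk format)",
     re.compile(r"\bShell\b", re.I)),
    ("suppresses macro warnings or user input",
     re.compile(r"\bDisableAutoMacros\b|\bDisableInput\b", re.I)),
]
PROMPT = re.compile(r"\b(MsgBox|InputBox\$?)\b", re.I)
MACRO_RE = re.compile(
    r"^[ \t]*Sub\s+(\w+)\s*(?:\(\))?[ \t]*\n(.*?)^[ \t]*End Sub",
    re.I | re.M | re.S)


def split_macros(source: str) -> dict:
    """Map macro name -> body for every Sub ... End Sub block."""
    return {m.group(1): m.group(2) for m in MACRO_RE.finditer(source)}


def scan(source: str) -> dict:
    for sig_name, pattern in KNOWN_SIGNATURES.items():
        if pattern.search(source):
            return {"verdict": "known-virus", "signature": sig_name,
                    "auto_macros": [], "findings": []}
    macros = split_macros(source)
    auto = [n for n in macros if n.lower() in AUTO_MACROS | MENU_HOOKS]
    findings = []
    for name, body in macros.items():
        for description, pattern in RULES:
            if pattern.search(body):
                findings.append({"macro": name, "rule": description,
                                 "prompts_user": bool(PROMPT.search(body))})
    unprompted = [f for f in findings if not f["prompts_user"]]
    if auto and unprompted:
        verdict = "suspicious"      # runs by itself and acts without asking
    elif findings:
        verdict = "review"          # risky action, but the user is asked first
    else:
        verdict = "clean"
    return {"verdict": verdict, "signature": None,
            "auto_macros": auto, "findings": findings}


# Constructed samples (WordBasic-style pseudo-macros, not real viruses).
BENIGN = r'''
Sub AutoOpen
    name$ = InputBox$("Enter your name")
    Insert name$
End Sub
'''
KNOWN = r'''
Sub AutoOpen
    MacroCopy FileName$() + ":AutoOpen", "Global:AutoOpen"
End Sub
'''
VARIANT = r'''
Sub AutoOpen
    DisableAutoMacros 1
    MacroCopy FileName$() + ":FileSaveAs", "Global:FileSaveAs"
End Sub
Sub FileSaveAs
    Kill "C:\docs\*.doc"
End Sub
'''
PROMPTED = r'''
Sub AutoClose
    answer = MsgBox("Delete the temporary draft copy?", "Cleanup", 4)
    If answer = -1 Then Kill "C:\temp\draft.tmp"
End Sub
'''
SAMPLES = {"benign": BENIGN, "known": KNOWN,
           "variant": VARIANT, "prompted": PROMPTED}


def scan_all() -> dict:
    """Verdict for each constructed sample."""
    return {name: scan(text)["verdict"] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name}: {verdict}")
```

The variant sample is the case the text calls out: its pattern differs from the stored signature, so stage 1 misses it, but stage 2 still flags it because an auto-executing macro copies itself and deletes files without asking. The prompted sample shows the other side of that rule: the same Kill command, preceded by a MsgBox confirmation, is downgraded to "review" rather than declared a virus.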
Application Popularity - The more common and "horizontal" the application, the
greater the risk. More specialized or vertical market-specific programs aren't
attractive enough to offer a large "breeding ground" for macro viruses.
Macro Language Depth - The extent of the application's macro language affects a
virus writer's ability to create a successful macro virus.
Macro Implementation - Not all programs embed macro commands into data files. For
instance, AmiPro documents will not necessarily contain "invisible" macro information.
The easier it is to transfer and execute the macro from within the application, the
faster the spread of the virus.
7.3 Is It a Virus?
As awareness of computer viruses has grown, so has the tendency to blame "some kind
of virus" for any and every type of computing problem.
In fact, more cases of "not a virus" are encountered by customer support staff at
anti-virus vendors than are actual virus infections, and not only with inexperienced
users. Typical symptoms of viral infection such as unusual messages, screen color
changes, missing files, slow operation, and disk access or space problems may all
be attributable to non-virus problems.
Possible culprits include lost CMOS data due to a faulty system battery, another
user's misuse, fragmented hard disks, reboot corruption, or even a practical joke.
For instance, some PCs play the Happy Birthday song through their speakers every
November 13. Sounds like a virus payload, but it happens only in computers
containing BIOS chips from a certain batch that was sabotaged by a former
programmer at the BIOS vendor. Switching out the BIOS chip eliminates the annual
singing message.
Non-virus threats to user systems include Worms, Trojan Horses and Logic Bombs.
In addition to the potential for damage these programs can bring by themselves, all
three types can also be used as vehicles for virus program propagation.
7.3.0 Worms
Network worm programs use network connections to spread from system to system,
thus network worms attack systems that are linked via communications lines. Once
active within a system, a network worm can behave as a computer virus, or it could
implant Trojan horse programs or perform any number of disruptive or destructive
actions. In a sense, network worms are like computer viruses with the ability to
infect other systems as well as other programs. Some people use the term virus to
include both cases.
• a network mail facility, in which a worm can mail a copy of itself to other
systems,
• a remote execution capability, in which a worm can execute a copy of itself on
another system,
• a remote login capability, whereby a worm can log into a remote system as a
user and then use commands to copy itself from one system to the other.
The new copy of the network worm is then run on the remote system, where it may
continue to spread to more systems in a like manner. Depending on the size of a
network, a network worm can spread to many systems in a relatively short amount
of time, thus the damage it can cause to one system is multiplied by the number of
systems to which it can spread.
• searches for other systems to infect by examining host tables or similar
repositories of remote system addresses
• establishes a connection with a remote system, possibly by logging in as a
user or using a mail facility or remote execution capability
• copies itself to the remote system and causes the copy to be run
The network worm may also attempt to determine whether a system has previously
been infected before copying itself to the system. In a multi-tasking computer, it may
also disguise its presence by naming itself as a system process or using some other
name that may not be noticed by a system operator.
The activation mechanism might use a time bomb or logic bomb or any number of
variations to activate itself. Its objective, like all malicious software, is whatever the
author has designed into it. Some network worms have been designed for a useful
purpose, such as to perform general "house-cleaning" on networked systems, or to
use extra machine cycles on each networked system to perform large amounts of
computations not practical on one system. A network worm with a harmful objective
could perform a wide range of destructive functions, such as deleting files on each
affected computer, or by implanting Trojan horse programs or computer viruses.
Two examples of actual network worms are presented here. The first involved a
Trojan horse program that displayed a Christmas tree and a message of good cheer
(this happened during the Christmas season). When a user executed this program,
it examined network information files, which listed the other personal computers that
could receive mail from this user. The program then mailed itself to those systems.
Users who received this message were invited to run the Christmas tree program
themselves, which they did. The network worm thus continued to spread to other
systems until the network was nearly saturated with traffic. The network worm did
not cause any destructive action other than disrupting communications and causing
a loss in productivity [BUNZEL88].
The second example concerns the incident whereby a network worm used the
collection of networks known as the Internet to spread itself to several thousands of
computers located throughout the United States. This worm spread itself
automatically, employing somewhat sophisticated techniques for bypassing the
systems' security mechanisms. The worm's replication mechanism accessed the
systems by using one of three methods:
By using a combination of these methods, the network worm was able to copy itself
to different brands of computers, which used similar versions of a widely used
operating system. Many system managers were unable to detect its presence in
their systems, thus it spread very quickly, affecting several thousands of computers
within two days. Recovery efforts were hampered because many sites
disconnected from the network to prevent further infections, thus preventing those
sites from receiving network mail that explained how to correct the problems.
It was unclear what the network worm's objective was, as it did not destroy
information, steal passwords, or plant viruses or Trojan horses. The potential for
destruction was very high, as the worm could have contained code to effect many
forms of damage, such as to destroy all files on each system.
An example of a Trojan horse program that would be very difficult to detect would be
a compiler on a multi-user system that has been modified to insert additional code
into certain programs as they are compiled, such as a login program. The code
creates a trap door in the login program, which permits the Trojan horse's author to
log onto the system using a special password. Whenever the login program is
recompiled, the compiler will always insert the trap door code into the program; thus,
the Trojan horse code can never be discovered by reading the login program’s
source code. For more information on this example, see [THOMPSON84].
Trojan horse programs are introduced into systems in two ways: they are initially
planted, and unsuspecting users then copy and run them. They are planted in software
repositories that many people can access, such as personal computer network
servers, publicly accessible directories in a multi-user environment, and software
bulletin boards. Users are then essentially duped into copying Trojan horse
programs to their own systems or directories. If a Trojan horse program performs a
useful function and causes no immediate or obvious damage, a user may continue
to spread it by sharing the program with friends and co-workers. The compiler
that copies hidden code into a login program is an example of a Trojan horse that
could be deliberately planted by an authorized user of a system, such as a user
assigned to maintain compilers and software tools.
Logic Bombs are a favored device for disgruntled employees who wish to harm their
company after they have left its employ. Triggered by a timing device, logic bombs
can be highly destructive. The "timer" might be a specific date (e.g., the logic bomb
that uses Michelangelo's birthday to launch "his" virus embedded within). An
event can also be the designed-in trigger (such as the perpetrator's name being
deleted from a company's payroll records).
Computer viruses, like Trojan horses, are programs that contain hidden code, which
performs some usually unwanted function. Whereas the hidden code in a Trojan
horse program has been deliberately placed by the program's author, the hidden
code in a computer virus program has been added by another program, that
program itself being a computer virus or Trojan horse. Thus, computer viruses are
programs that copy their hidden code to other programs, thereby infecting them.
Once infected, a program may continue to infect even more programs. In due time,
a computer could be completely overrun as the viruses spread in a geometric
manner.
The flag may be necessary because without it, programs could be repeatedly
infected and grow noticeably large. The replication mechanism could also perform
other functions to help disguise that the file has been infected, such as resetting the
program file's modification date to its previous value, and storing the hidden code
within the program so that the program's size remains
the same.
The activation mechanism checks for the occurrence of some event. When the
event occurs, the computer virus executes its objective, which is generally some
unwanted, harmful action. If the activation mechanism checks for a specific date or
time before executing its objective, it is said to contain a time bomb. If it checks for a
certain action, such as if an infected program has been executed a preset number
of times, it is said to contain a logic bomb. There may be any number of variations,
or there may be no activation mechanism other than the initial execution of the
infected program.
As with Trojan horse programs, computer viruses can be introduced into systems
deliberately and by unsuspecting users. For example, a Trojan horse program
whose purpose is to infect other programs could be planted on a software bulletin
board that permits users to upload and download programs. When a user
downloads the program and then executes it, the program proceeds to infect other
programs in the user's system. If the computer virus hides itself well, the user may
continue to spread it by copying the infected program to other disks, by backing it
up, and by sharing it with other users. Other examples of how computer viruses are
introduced include situations where authorized users of systems deliberately plant
viruses, often with a time bomb mechanism. The virus may then activate itself at
some later point in time, perhaps when the user is not logged onto the system or
perhaps after the user has left the organization.
However, it is still the critical element in the fight against viruses. As stated before,
non-virus problems may appear to be virus related, even to sophisticated users.
Without anti-virus software, there is no conclusive way to rule out viruses as the
source of such problems and then arrive at solutions.
Effective anti-virus software must be capable of performing three main tasks: Virus
Detection, Virus Removal (File Cleaning) and Preventive Protection. Of course,
detection is the primary task, and the anti-virus software industry has developed a
number of different detection methods, as follows.
• Limitations - Negative effect on system resource utilization; May flag "legal"
system calls and therefore be obtrusive; Limited success facing the gamut of
virus types and legal function calls.
All five techniques can usually perform on-access or on-demand scans, for both network
servers and workstations. On-access scanning is analogous to a building's automatic
sprinkler system - virus scanning is automatically initiated on file access, such as when a
disk is inserted, a file is copied or a program is executed. On-demand scanning is more
like a fire extinguisher - requiring user initiation (but it may also be set up to continue
scanning at regular intervals or at system startup).
The best anti-virus software in the world cannot protect you if it is not deployed
systematically throughout the enterprise (even if "the enterprise" is a single
home-based computer!).
Many people think they can dismiss a disk, shared or e-mailed file because it came
from someone they know and trust. What they aren't considering is that their friend,
colleague, customer or vendor is working on another system, with its own set of
vulnerabilities arising from different outside conditions.
Computer users must recognize that the virus threat is too pervasive today to be
ignored by anyone...the number of users who never come into contact with others'
files is small and becoming smaller every day, especially with the tremendous
growth of online services and Internet usage.
7.4.0 Basic "Safe Computing" Tips
For offices or homes with one or two computers, following these basic rules faithfully is
probably adequate protection. However, in organizations with multiple PCs, especially in
networks, a sound anti-virus strategy will necessarily be more complex.
All organizations are different in the way they operate and the industries they serve, so no
one anti-virus scheme is correct for all enterprises. However, at the very least, a
company's program should include ongoing user education and a system for tracking
virus activity (suspect and real) in addition to using anti-virus software.
Ultimately, your goal is to provide consistent, effective protection and a "damage control
and recovery" plan for virus infections that may occur despite your efforts. In addition, and
perhaps most importantly, you want to achieve this while minimizing any negative impact
on staff productivity and system/network resources.
4. The operational pace of the enterprise
Every organization has an inherent pace of operations, mostly dependent on the
nature of its business. No matter how "busy" it is, a research laboratory's pace will
not be as fast as that of a securities brokerage firm. In general, the faster the pace of
operations, the greater the risk of virus infection because of the faster rate at which
new data is being generated and distributed: faster pace = more frequent
new data = greater risk!
Even within a specific location of the enterprise, there may be computers for which you
need to sacrifice some level of anti-virus security in order to maintain necessary
throughput and/or productivity. Cost is another factor that must be balanced against
"ideal" protection levels, for all equipment and personnel in the organization.
• Are there any PCs that should not be included in the anti-virus program? (For
instance, computers that are isolated, diskless or used solely for manual data entry.)
• What special procedures should apply to the headquarters network, as opposed to
branch offices?
• How should user reports of suspected virus activity be handled? What is a realistic
(vs desired) response time?
• In response to an apparent virus infection, what procedures should users be
authorized and trained to perform by themselves?
• How should suspected and/or actual virus infections, and the resulting
countermeasures, be recorded and reported? (It is important to log routine anti-virus
scans as well as suspicious situations.)
• Who is responsible for maintaining these possibly exhaustive records?
• What improvements to existing backup procedures might be necessary? (Note that
the common practice of rotating backup media might cause clean data to be
replaced by infected data.)
• An anti-virus policy and procedures manual will need to be created and then
maintained...who will take charge?
• How will you establish a "baseline" virus-free environment for the new anti-virus
program to maintain?
• How will the schedule for adoption of a new virus control program be established?
How will you balance simultaneous needs for speed and low cost?
• Who will provide the funding for the anti-virus program staff, development and
software? Is upper management fully behind the program?
7.4.2 More Virus Prevention Tips
• Write-protect any data source diskette before inserting it in the drive, and then use
anti-virus software to scan it before doing anything else.
• Include in your policy and training that employees who work on computers at home
must follow the same anti-virus procedures they use at the office (whether on
personal machines or company-supplied portables.)
• Even with the above policy in place, handle disks brought back from employees'
homes as foreign disks, following the write-protect and scanning procedure.
• Consider any suspicious computer behavior to be possibly virus-related and follow
up accordingly.
• Files that must be received from outside the organization, such as from the Internet,
should be downloaded directly to quarantined scanning areas whenever possible.
• You may want to consider dedicating an isolated computer (not connected in any
way to the network) to the task of testing all new files and/or diskettes. Then all files
on the control machine can be systematically scanned for viruses before anyone has
access to them. (Note that some compressed files may have to be decompressed
before scanning.)
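The quarantine-area and isolated scanning-machine steps above can be scripted. The following is an added example, not from this manual or any product it names: it walks a quarantine directory, checks each file's SHA-256 digest against a known-bad list (a constructed placeholder standing in for a vendor's signature database), and, because compressed files must be decompressed before scanning, opens ZIP archives in memory and checks their members, including nested archives, with a depth and size cap so a hostile archive cannot exhaust the scanning machine.

```python
"""Quarantine-area scanner that looks inside archives.

Added example, not code from this manual. Every file in the quarantine
directory is hashed and its SHA-256 digest compared with a list of known-bad
digests (a constructed placeholder here). ZIP archives are opened in memory
and their members checked the same way, recursively, because hashing the
archive as a whole would never see the infected file inside. Nesting depth and
declared member size are capped so a hostile archive cannot exhaust the host.
"""
import hashlib
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

MAX_DEPTH = 3                        # archives nested deeper than this are skipped
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # declared-size cap per archive member


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed placeholder: digest -> name of the known-infected sample.
KNOWN_BAD = {
    sha256_bytes(b"X5O!DEMO-INFECTED-SAMPLE"): "Demo.Infected.A (constructed)",
}


def scan_bytes(data: bytes, label: str, depth: int = 0) -> list:
    """Return (label, verdict) pairs for this object and, for archives, its members."""
    digest = sha256_bytes(data)
    if digest in KNOWN_BAD:
        return [(label, "INFECTED: " + KNOWN_BAD[digest])]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(label, "CLEAN")]
    if depth >= MAX_DEPTH:
        return [(label, "SKIPPED: archive nested too deeply")]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_label = f"{label}!{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                results.append((member_label, "SKIPPED: member too large"))
                continue
            # ZipFile.read returns at most the declared size, so the cap holds.
            results.extend(scan_bytes(zf.read(info), member_label, depth + 1))
    return results


def scan_quarantine(root: Path) -> list:
    """Scan every regular file under the quarantine root."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            results.extend(scan_bytes(path.read_bytes(),
                                      path.relative_to(root).as_posix()))
    return results


def build_demo_quarantine(root: Path) -> None:
    """Constructed sample set: a clean file, an infected file, and an archive
    that hides the same infected file inside a nested archive."""
    (root / "report.txt").write_bytes(b"quarterly figures")
    (root / "setup.exe").write_bytes(b"X5O!DEMO-INFECTED-SAMPLE")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.doc", b"X5O!DEMO-INFECTED-SAMPLE")
        zf.writestr("notes.txt", b"harmless")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    (root / "download.zip").write_bytes(outer.getvalue())


def demo() -> list:
    work = Path(tempfile.mkdtemp())
    try:
        build_demo_quarantine(work)
        return scan_quarantine(work)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label}: {verdict}")
```

Run against a real quarantine directory by calling scan_quarantine on its path. The archive itself is never reported, only its members, so a clean archive produces one CLEAN line per member; other container formats (self-extracting executables, other compressors) would need their own unpackers added in the same place.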
The larger your network, and/or the more sensitive your enterprise's data security
position, the more you should seek guidance from industry peers and the anti-virus
software industry before finalizing your plan.
Although anti-virus software companies design their products to detect and remove
viruses, there is more to making a smart choice than comparing detection rates and/or
product prices.
The fact that anti-virus software is necessary for everyone in the enterprise means that it
must work alongside a variety of applications, and probably on multiple computing
platforms within the location. Therefore, a common anti-virus product that can work
"seamlessly" throughout the enterprise is desirable, for both cost-effectiveness and
simpler administration.
The software must also be effective against the majority of common and damaging
viruses, yet be as unobtrusive to productivity as possible. (Bear in mind that this is as
important for user compliance as for the bottom line - if users feel hampered by anti-virus
procedures they may "overlook" them in their haste to get work done.)
Another major factor to consider is the burgeoning number of viruses - as many as 200
new ones each month. Anti-virus software that does not include regular updates cannot
provide adequate protection for long.
7.4.4 Primary Vendor Criteria
To ensure that you are providing the best possible solution, the anti-virus vendor you
ultimately choose should satisfy the following primary criteria:
While investigating anti-virus vendors and products, be sure to also assess these cost of
ownership issues:
In determining what is needed from the vendor, and the best contract arrangements,
evaluators should also consider their in-house support and training resources, as well as
the organization's growth potential and plans for introducing any new computing
platforms.
Section References
7.1 NAI White Paper. “Current Computer Virus Threats, Countermeasures and Strategic Solutions”. 1997.
7.2 Landry, Linda. Trapping the World's Most Prevalent Viruses. Trend Micro, Inc. 1998.
"ICSA 1997 Computer Virus Prevalence Survey," ICSA.
"Roll-Your-Own Macro Virus," Virus Bulletin, September, 1996, p. 15.
Joe Wells, "Concept: Understanding the Virus and Its Impact," Trend Micro, Incorporated.
"ICSA 1997 Computer Virus Prevalence Survey," ICSA.
7.3 NAI White Paper. “Current Computer Virus Threats, Countermeasures and Strategic Solutions”. 1997.
7.3.0 Wack, John P. and Carnahan, Lisa J. Computer Viruses and Related Threats: A Management Guide. NIST Special Publication 500-166. U.S. Dept of Commerce.
BUNZEL88 Bunzel, Rick; Flu Season; Connect, Summer 1988.
DENNING88 Denning, Peter J.; Computer Viruses; American Scientist, Vol 76, May-June, 1988.
DENNING89 Denning, Peter J.; The Internet Worm; American Scientist, Vol 77, March-April, 1989.
FIPS73 Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications; National Bureau of Standards, June, 1980.
MACAFEE89 McAfee, John; The Virus Cure; Datamation, Feb 15, 1989.
NBS120 NBS Special Publication 500-120; Security of Personal Computer Systems: A Management Guide; National Bureau of Standards, Jan 1985.
SPAFFORD88 Spafford, Eugene H.; The Internet Worm Program: An Analysis; Purdue Technical Report CSD-TR-823, Nov 28, 1988.
7.3.1 Wack, John P. and Carnahan, Lisa J. Computer Viruses and Related Threats: A Management Guide. NIST Special Publication 500-166. U.S. Dept of Commerce.
BUNZEL88 Bunzel, Rick; Flu Season; Connect, Summer 1988.
DENNING88 Denning, Peter J.; Computer Viruses; American Scientist, Vol 76, May-June, 1988.
DENNING89 Denning, Peter J.; The Internet Worm; American Scientist, Vol 77, March-April, 1989.
FIPS73 Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications; National Bureau of Standards, June, 1980.
MACAFEE89 McAfee, John; The Virus Cure; Datamation, Feb 15, 1989.
SPAFFORD88 Spafford, Eugene H.; The Internet Worm Program: An Analysis; Purdue Technical Report CSD-TR-823, Nov 28, 1988.
THOMPSON84 Thompson, Ken; Reflections on Trusting Trust (Deliberate Software Bugs); Communications of the ACM, Vol 27, Aug 1984.
7.3.2 NAI White Paper. “Current Computer Virus Threats, Countermeasures and Strategic Solutions”. 1997.
7.3.3 Wack, John P. and Carnahan, Lisa J. Computer Viruses and Related Threats: A Management Guide. NIST Special Publication 500-166. U.S. Dept of Commerce.
BUNZEL88 Bunzel, Rick; Flu Season; Connect, Summer 1988.
DENNING88 Denning, Peter J.; Computer Viruses; American Scientist, Vol 76, May-June, 1988.
DENNING89 Denning, Peter J.; The Internet Worm; American Scientist, Vol 77, March-April, 1989.
FIPS73 Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications; National Bureau of Standards, June, 1980.
MACAFEE89 McAfee, John; The Virus Cure; Datamation, Feb 15, 1989.
SPAFFORD88 Spafford, Eugene H.; The Internet Worm Program: An Analysis; Purdue Technical Report CSD-TR-823, Nov 28, 1988.
7.3.4 NAI White Paper. “Current Computer Virus Threats, Countermeasures and Strategic Solutions”. 1997.
7.4 NAI White Paper. “Current Computer Virus Threats, Countermeasures and
Strategic Solutions”.1997
8.0 Virtual Private Networks: Introduction
8.1 Making Sense of Virtual Private Networks
The VPN market is on the verge of explosive growth. A virtual private network (VPN),
broadly defined, is a temporary, secure connection over a public network, usually
the Internet. Though the term is relatively new, everyone from the telcos, to
operating system vendors, to firewall suppliers and router companies has rushed to
offer some type of VPN capability. Why? Because VPNs make sense, and as a
result, the market is expected to reach at least several billion dollars by the year
2001.
By leveraging the Internet, VPNs offer significant cost savings, greater flexibility, and
easier management relative to traditional internetworking methods, such as leased
lines and dial-up remote access.
However, choosing an appropriate solution from the recent flood of VPN offerings
can be a difficult task for information technology managers who have no spare time.
Each solution presents varying levels of security, performance, and usability, and
each has its benefits and drawbacks.
Before online business can truly reach its potential, corporations must feel comfortable
using the Internet as the backbone for secure communication. VPNs are the first real
step toward that end. When implemented correctly, they protect networks from viruses,
snoops, corporate spies, and any other known threat that results from mistakes in
configuration, poorly implemented access controls, lack of system management, weak
authentication, and "back-door" entry points to the network.
Sample VPN Requirements to Consider

Security
• Can the VPN support strong authentication, including token cards, smart cards, biometrics (i.e. fingerprint and iris scanning), x.509 certificates and Kerberos?
• Can the VPN support strong encryption, including key sizes 40, 56, and 128 and ciphers RC4, DES, and Triple DES?
• Can the VPN filter datastreams, including viruses, file types, Java and Active X, and protocols such as FTP, Telnet, etc.?
• Can the VPN support role-based access control according to parameters such as type of authentication, type of encryption, user identity, time of day, source address, destination address, and type of application?
• Can the VPN monitor, log, and audit all network traffic?
• Does the VPN have some type of alarm to notify an administrator of specific events?

Interoperability
• Is the VPN based on public standards?
• Can the VPN be integrated easily with perimeter security, such as a firewall or router?
• Is the VPN compatible with other protocols such as IPv4, IPSec, and PPTP/L2TP?
• Can the VPN support all critical authentication and encryption standards?
• Can the VPN support all application types?
• Can the VPN function in a cross-platform environment, including all Windows and UNIX operating systems?
• Does the VPN map to standard NT, Netware, RADIUS, and ACE databases?
• Does the VPN support a variety of methods of load balancing?

Ease-of-Use
• Does the VPN offer a low-impact client for the desktop? Is the client transparent to the end-user?
• Does the VPN permit single sign-on, or does the user have to log on each time an application is launched?
• Can the VPN system scale to support hundreds of thousands of users?
• Does the VPN centralize management of the security system?
• Does the VPN run on standard NT and UNIX operating systems?
The three fundamental features that define virtual private networking are encryption,
authentication, and access control. While strong authentication and encryption are critical
components of the VPN, they are relatively simple to deploy and verify. Access control,
on the other hand, is relatively complex because its deployment is tied intimately to every
other security tool. Roughly speaking, the security of a VPN is a function of how tightly
authentication, encryption, and access control are connected. If one component is
lacking, the VPN will be lacking.
Where a company might use a guarded gate in the physical world to block all
unauthorized visitors, a firewall might be used in the analogous VPN world. Until
recently, that's as far as the comparison could be drawn, because in the VPN world
there hasn't been a way to provide varying levels of access. Now, with emerging
VPN technologies and solutions, companies can verify someone's identity with
strong authentication technologies like token cards, digital certificates, or even
fingerprints. Once identified, users are granted access to resources according to
very detailed profiles based on identity and often a user's role within a larger group.
VPNs are also beginning to provide tools to monitor a user's activity once inside the
corporate network.
General Case
When the two endpoints of a data channel are relatively trusted, a company can
comfortably opt for a VPN solution that focuses on performance over security, which
is limited to the strength of the encryption and authentication methods between the
two routers. High volumes of data are often exchanged between LANs on an
intranet VPN, so the premium is wisely placed on speed and smooth interoperability.
The LANs that are connected by centralized corporate databases or other
enterprise-wide computing resources should appear to be part of the same
corporate network. Many of the firewall, router, and frame relay vendors, as well as
some of the ISPs, are offering solutions that adequately secure intranet VPNs while
transferring data quickly and reliably.
Security threats often come from within an organization. In fact, according to a study
issued jointly by the FBI and the Computer Security Institute, almost half of all
computer break-ins occur within a company.
Corporations are just now beginning to realize the advantages the Internet offers over
traditional direct dial-up remote access. Many corporations, burdened by the effort of
maintaining large modem pools and the expense associated with long distance charges,
are finding that using the Internet as a backbone for remote access is much more
affordable and easier to implement and maintain than traditional solutions.
In any remote access VPN scenario, usability is an important criterion. Most security
flaws are attributed to configuration errors, so the easier the system is to manage, the
less likely is the chance for oversight. On the client side, simplicity is critical because
many traveling employees and telecommuters either lack the technical proficiency or the
access to technical resources for troubleshooting. Clients should not have to manually
build a VPN tunnel, "manually" meaning having to launch VPN software each time the
user wants to establish a secure communication channel. Instead, the VPN software
should launch automatically at start-up and run transparently in the background. On the
server side, centralized and easy management is essential because monitoring large
numbers of users and adding and removing users on a regular basis can quickly become
chaotic and can create a security risk.
General Case
With most remote access VPNs, it is assumed that a corporation trusts the person at the
other end of the link, which is typically a traveling or remote salesperson. Rather than
worrying that the employee might do damage to the network or steal proprietary
information, the company is probably more concerned with the unknown element
between the two end points. These companies will generally assume a "transparent
access" policy, best described as: "The remote employee should have unfettered access
to all resources that would be available to them if they were sitting at their desk at
corporate headquarters."
The priority, therefore, becomes encrypting the data in transit so that only the intended
recipient can decipher it. Most VPNs can meet this basic security requirement, so
evaluators should consider additional criteria, such as the strength of the encryption
cipher and the authentication method for providing additional security.
Highly Secure Case
The industries that are the most leery of any kind of security risk, such as the
financial, health, and government sectors, are paradoxically the earliest adopters of
VPN technologies, which have the perception of being less secure than traditional
means of networking. In reality, the best VPN technologies are much more secure
than most leased lines and dial-up remote access, because highly secure VPNs
encrypt all data and generally provide very detailed user profiles for access control.
Highly secure remote access solutions are deployed by sophisticated IT shops with
a strong understanding of the security risks inherent in any network communication.
These shops generally adopt a "controlled access" policy for their remote users.
This is best described by the following policy statement: "The remote employee
should have tightly controlled access to specific resources on the network according
to the requirements of their job function."
Any time a company wants to provide varying levels of access so that different
resources can be made available to different employees when appropriate, or when
a company wants to prevent "back-door" holes into the network, which is common in
some systems, then a more robust VPN solution is recommended. In other words, a
highly secure VPN should be able to intercept network traffic destined for a
particular host, add the required encryption, identify individual users, and apply
restrictions and filter content accordingly.
Unlike intranets that are relatively isolated, extranets are intended to reach partners,
customers, and suppliers, as well as remote employees. Securing that wide area
network requires diligence and the right tools. An extranet VPN needs to be able to
provide a hierarchy of security, with access to the most sensitive data being nested
under the tightest security control. It should secure all applications, including TCP
and UDP applications, such as Real Audio, FTP, etc.; corporate vertical
applications, such as SAP, BAAN, PeopleSoft, Oracle, etc.; and "homegrown"
applications, such as Java, Active X, Visual Basic, etc. Because most corporate
computing environments are heterogeneous with many legacy systems, a sound
VPN solution should be extremely versatile and interoperable with multiple
platforms, protocols, and authentication and encryption methods.
protected resources to potential threats, so companies should only consider
implementing the most secure breed of VPNs.
The security elements of a VPN can be prioritized differently, but with an extranet
VPN, all the fundamental pieces (encryption, authentication, and access control)
should be integrated tightly with some type of perimeter security. Usually this
means a company will place a VPN proxy server behind an impenetrable firewall
that blocks all unauthenticated traffic. Any traffic that is allowed in is then funneled
through a common portal directly to the VPN server, which filters traffic according to
company policy. It is essential for the connection between the firewall and the VPN
to be strong and reliable, and the client software should be as transparent as
possible.
The most secure VPNs are built around a "directed" architecture, as opposed to a
bi-directional "tunneled" method. Directed VPNs transmit encrypted information at a
higher level in the networking protocol stack than tunneled VPNs, and security and
control increase as functionality moves up the network hierarchy. Directed VPNs act
as proxy servers, which means they do not open any direct connections into
corporate networks, preventing IP addresses from being "spoofed," or mapped.
Tunneling hides information in IP packets at the packet level, exposing them more
easily to attack. Because all data is proxied in directed VPNs, administrators can tell
at a glance who has been trying to gain access to the network and how often.
Unlike tunneled VPNs, directed VPNs protect connected networks from each other’s
security flaws. Directed VPNs do not assume a two-way trusted relationship
between connecting parties. If security is breached in the directed model, only the
attacked network is exposed, not the linked networks. In the tunneled model, when
one network is attacked, each successive network is susceptible to the same
attacker. In the directed model, each company's IS managers can set their own
access privileges and be confident they are not exposing their networks to unknown
security problems.
Tunneled VPNs, as the name implies, open tunnels within the Internet and secure
information traveling through them with basic packet filtering. This approach gives
participating companies weakly secured access to each other's networks, with no
way to fine-tune access control. These types of solutions often mistakenly start with
the faulty assumption that there should be peer-to-peer trust among companies
connected by VPNs. When trading partners or customers are involved, that is rarely
the reality.
individual users, not just IP addresses, either through passwords, token cards,
smart cards, or any other method of authentication. Passwords are usually sufficient
for casual office use, but they are not considered as secure as token or smart cards.
Employees are often careless with their passwords, and they rarely change their
codes, whereas token and smart cards change the passcode on a regular basis,
often as frequently as every 60 seconds.
The VPN security market is young, and standards are still evolving, but a handful of
protocols have emerged as the leading choices for building VPNs. An IS manager
should not have to base his or her purchasing decision on the technology used, but
understanding the benefits of each protocol may help clarify the related strengths
and weaknesses of different VPN end products. Although there are many possible
security approaches for creating a VPN, the following protocols show the most
promise for lasting in the market, whether for the quality of their design or their
financial backing.
8.4.0 SOCKS v5
SOCKS v5 was originally approved by the IETF as a standard protocol for authenticated
firewall traversal, and, when combined with SSL, it provides the foundation for building
highly secure VPNs that are compatible with any firewall. It is most appropriately applied
to VPNs that require the highest degree of security, since its strength is access control.
Advantages
SOCKS v5 controls the flow of data at the session, or circuit, layer, which maps
approximately to layer five of the OSI networking model. Because of where it functions in
the OSI model, SOCKS v5 provides far more detailed access control than protocols
operating at the lower layers, which permit or reject packets based solely on source and
destination IP addresses. SOCKS v5 establishes a virtual circuit between a client and a
host on a session-by-session basis and provides monitoring and strong access control
based on user authentication without the need to reconfigure each new application.
Because SOCKS v5 and SSL operate at the session layer, they have the unique
ability to interoperate on top of IPv4, IPSec, PPTP, L2TP, or any other lower-layer
VPN protocol. In addition, SOCKS v5 and SSL have more information about the
applications running above them than do lower-layer protocols, so they can provide
very sophisticated methods of securing traffic.
SOCKS v5 stands out as the only VPN approach to use a directed architecture,
which essentially protects destination computers by proxying traffic between source
and destination computers. When used in conjunction with a firewall, data packets
are passed through a single port in the firewall (port 1080 by default) to the proxy
server, which then filters what is sent forward to a destination computer. This
prevents administrators from having to open multiple holes in their firewall for
different applications. For additional security, the VPN proxy server hides the
address structure of the network, making it more difficult for confidential data to be
cracked. Another design advantage of SOCKS v5 is that the client is non-intrusive. It
runs transparently on the user's desktop and does not interfere with networking
transport components, as do lower-layer protocols, which often replace the Winsock
DLL, TCP/IP stack, and low-level drivers, interfering with desktop applications.
SOCKS v5 is also highly flexible. It works easily with multiple security technologies
and platforms, which is critical for IS professionals managing heterogeneous
computing environments. It offers modular plug-in support for many authentication,
encryption, and key management methods, providing IS managers the freedom to
adopt the best technologies for their needs. Plug-and-play capabilities include
access control tools, protocol filtering, content filtering, traffic monitoring, reporting,
and administration applications. SOCKS v5 can filter data streams and applications,
including Java applets and ActiveX controls, according to very detailed
specifications.
SOCKS v5 is the only VPN protocol that can interoperate with other VPN protocols,
such as PPTP, IPSec, and L2TP, and it is ready for implementation today. Because
the SOCKS v5 protocol is designed specifically for highly secure environments,
analysts expect that SOCKS v5 and appropriate plug-ins will be used primarily for
highly secure remote access and the extension of private client networks across
multiple organizational perimeters.
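As an added example (not code from the manual or from any SOCKS product), the proxy side of the negotiation described above: the client greeting, the username/password sub-negotiation, and the CONNECT request, with the access rule applied per authenticated user rather than per source address. Message layouts follow RFC 1928 and RFC 1929; the users, passwords and policy table are constructed for the example.

```python
"""SOCKS v5 negotiation on the proxy side with access control tied to the
authenticated user (RFC 1928 message formats, RFC 1929 username/password
sub-negotiation). Users, passwords and the policy table are constructed."""
import hmac
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

# Constructed credential store and per-user rules of (destination network, port).
# A session-layer proxy can enforce rules per authenticated user; a layer-3
# packet filter only ever sees source and destination addresses.
USERS = {"alice": "correct horse", "bob": "battery staple"}
POLICY = {"alice": [("10.1.0.0/16", 443)],
          "bob": [("10.1.5.0/24", 22), ("10.1.0.0/16", 443)]}


def select_method(greeting: bytes) -> bytes:
    """Greeting VER | NMETHODS | METHODS -> reply VER | METHOD. NO AUTH is never
    accepted: without an identity no rule can be applied."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated method list")
    chosen = METHOD_USERPASS if METHOD_USERPASS in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def authenticate(subneg: bytes):
    """RFC 1929 VER(0x01) | ULEN | UNAME | PLEN | PASSWD -> (reply, user or None)."""
    if len(subneg) < 3 or subneg[0] != 0x01:
        raise ValueError("bad sub-negotiation")
    ulen = subneg[1]
    if len(subneg) < 3 + ulen:
        raise ValueError("truncated credentials")
    uname = subneg[2:2 + ulen].decode("utf-8", "replace")
    plen = subneg[2 + ulen]
    passwd = subneg[3 + ulen:3 + ulen + plen]
    # Reject unknown users first, then compare the password in constant time.
    ok = uname in USERS and hmac.compare_digest(USERS[uname].encode(), passwd)
    return bytes([0x01, 0x00 if ok else 0x01]), (uname if ok else None)


def handle_request(user: str, req: bytes) -> bytes:
    """Request VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT -> reply
    VER | REP | RSV | ATYP | BND.ADDR | BND.PORT. Only CONNECT to a literal IPv4
    address is handled here; a domain name would have to be resolved and the
    resulting address checked against the policy before connecting."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("bad request")
    cmd, atyp = req[1], req[3]
    bnd = bytes([0x00, ATYP_IPV4]) + b"\x00" * 6          # RSV, ATYP, 0.0.0.0:0
    if cmd != CMD_CONNECT:
        return bytes([SOCKS_VERSION, REP_CMD_UNSUPPORTED]) + bnd
    if atyp != ATYP_IPV4:
        return bytes([SOCKS_VERSION, REP_ATYP_UNSUPPORTED]) + bnd
    if len(req) < 10:
        raise ValueError("truncated IPv4 request")
    dst = ipaddress.IPv4Address(req[4:8])
    (port,) = struct.unpack("!H", req[8:10])
    allowed = any(dst in ipaddress.ip_network(net) and port == p
                  for net, p in POLICY.get(user, []))
    return bytes([SOCKS_VERSION, REP_SUCCESS if allowed else REP_NOT_ALLOWED]) + bnd


def build_greeting(*methods: int) -> bytes:
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_userpass(user: str, password: str) -> bytes:
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect(ip: str, port: int) -> bytes:
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port))


def run_session(greeting: bytes, subneg: bytes, request: bytes):
    """Drive the three exchanges in order; returns the proxy's three replies
    (None where the proxy would have closed the connection instead)."""
    method_reply = select_method(greeting)
    if method_reply[1] != METHOD_USERPASS:
        return method_reply, None, None
    auth_reply, user = authenticate(subneg)
    if user is None:
        return method_reply, auth_reply, None
    return method_reply, auth_reply, handle_request(user, request)
```

A reply byte of 0x02 ("connection not allowed by ruleset") is what the client sees when the authenticated user's policy rejects the destination, even though the same host and port may be reachable by another user.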
Disadvantages
8.4.1 PPTP/L2TP
One of the most widely known VPN security choices is Point-to-Point Tunneling
Protocol (PPTP) from Microsoft. It is embedded in Microsoft’s Windows NT v4.0
operating system and is used with Microsoft’s Routing and Remote Access Service.
It sits at the datalink layer, which maps approximately to layer two of the OSI model.
It encapsulates PPP with IP packets and uses simple packet filters and the
Microsoft Domain networking controls to provide access control. PPTP and its
successor, L2TP, are seen as tools to extend the current PPP dial-up infrastructure
supported by Microsoft, most ISPs, and the remote access hardware vendors.
Layer Two Transport Protocol (L2TP) has evolved from the combination of
Microsoft’s PPTP protocol and Cisco Systems' Layer 2 Forwarding (L2F). It supports
multiple, simultaneous tunnels for a single client and is targeted at the telco and ISP
markets. With L2TP, the end user dials up a local ISP POP without encryption, and
the ISP, acting as an agent for the end user, creates an encrypted tunnel back into
the secure destination.
PPTP and L2TP have received broad support from the current leaders in the remote
access services market, which includes Cisco, Bay Networks, 3Com, Shiva, and
Microsoft, because they provide an effective way for these vendors to migrate their
current corporate dial-up products to Internet-based methods of building tunnels.
Analysts predict that PPTP and L2TP will play a dominant role in the Internet-based
remote access market when security requirements are relatively low.
Advantages
IS professionals running Microsoft-centric shops will find PPTP and L2TP ready-
made to work with their systems. Because they use packet-filtering that makes use
of existing network routers, they are typically less complicated to implement, and
they are transparent to end users.
Most VPNs secure TCP/IP traffic, but PPTP and L2TP support additional networking
protocols such as Novell’s IPX, NetBEUI, and AppleTalk. They also support flow
control, which keeps traffic from overwhelming clients and servers. They enhance
network performance by minimizing dropped packets, thus cutting down on
retransmission.
Disadvantages
PPTP and L2TP are typical tunneled approaches to VPN security, which means they
encapsulate non-secure IP packets within secure IP packets. They use IP frames to
create an open data passageway between two computer systems. Once a tunnel is
open, source and destination identification is no longer required. The tunnel is
bi-directional, so while it encrypts data traveling along the Internet, it does not provide a way
to monitor or control what gets passed between the two points.
One often overlooked limitation is that PPTP and L2TP are limited to 255 concurrent
connections. In addition, end users are required to manually establish a tunnel prior
to connecting to the intended resource, which can be a hassle. Also, the selection of
authentication and encryption standards is very limited, and currently no strong
encryption or authentication is supported.
Another concern is that there are currently no versions of PPTP or L2TP available
for older Microsoft operating systems or UNIX. PPTP is still very narrowly targeted
for Microsoft-specific networking.
PPTP and L2TP are currently only proposed standards. PPTP is presently
supported by Microsoft’s Windows NT 4.0 server, NT workstation, and Windows 95.
Remote access vendors, such as Ascend and Shiva, are backing L2TP, and
Microsoft plans to incorporate L2TP into Windows NT server version 5.0.
8.4.2 IPSec
Internet Protocol Security (IPSec) has gained a lot of recent attention in the industry.
It evolved from the IPv6 movement, and as a standard promoted by the IETF, IPSec
will be a broad-based, open solution for VPN security that will facilitate
interoperability between VPNs. IPSec can be configured to run in two distinct modes:
tunnel mode and transport mode. In tunnel mode, IPSec encapsulates IPv4
packets within secure IP frames to secure information from one firewall to another.
In transport mode, information is encapsulated in such a way that it can be secured
from endpoint to endpoint. In other words, the security wrapper does not obscure
the end routing information as it does in the tunnel mode. Tunnel mode is the most
secure method for deploying IPSec, but it results in significant overhead on a
per-packet basis.
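As an added illustration (not code from the manual) of the transport/tunnel difference just described, the following builds the same TCP segment as an ESP packet in both modes and shows what an on-path observer can read from the outer header and how much larger the tunnel-mode packet is. It uses ESP with the NULL cipher (RFC 2410) and an HMAC-SHA-256 ICV so the RFC 4303 framing stays readable; all addresses, the SPI and the key are constructed values.

```python
"""ESP framing in IPSec transport vs tunnel mode. Structural illustration
using the NULL cipher (RFC 2410) with an HMAC-SHA-256 ICV truncated to 128
bits, so the RFC 4303 layout stays readable while still being
integrity-protected. Addresses, SPI and key are constructed values."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_IPV4, PROTO_TCP, PROTO_ESP = 4, 6, 50
ICV_LEN = 16   # HMAC-SHA-256-128


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP packet: SPI | SEQ | payload | padding | pad len | next header | ICV.
    Padding brings payload + 2 trailer bytes to a 4-byte boundary (RFC 4303).
    With a real cipher the payload and trailer would be encrypted; NULL keeps them readable."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + payload + trailer
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def transport_mode(key, spi, seq, src, dst, segment: bytes) -> bytes:
    """Endpoint-to-endpoint: the original IP header stays in the clear and
    only the transport-layer segment is wrapped in ESP."""
    esp = esp_encapsulate(key, spi, seq, segment, PROTO_TCP)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(key, spi, seq, gw_src, gw_dst, src, dst, segment: bytes) -> bytes:
    """Gateway-to-gateway: the whole original packet, header included, becomes
    the ESP payload and a new outer header names only the two gateways."""
    inner = ipv4_header(src, dst, PROTO_TCP, len(segment)) + segment
    esp = esp_encapsulate(key, spi, seq, inner, PROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def visible_endpoints(packet: bytes):
    """What an on-path observer learns from the outer header: (src, dst, proto)."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])


def verify_icv(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV over SPI..trailer; False if anything was altered."""
    esp = packet[20:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def header_checksum_ok(packet: bytes) -> bool:
    """One's-complement sum of the outer header, checksum included, is 0xFFFF."""
    csum = sum(struct.unpack("!10H", packet[:20]))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return csum == 0xFFFF


# Constructed inputs: a toy TCP segment between two internal hosts, protected
# either end-to-end (transport) or between two gateways (tunnel).
KEY = b"constructed-32-byte-example-key!"
SEGMENT = b"\x1f\x90\x00\x50" + b"constructed TCP segment"
HOST_A, HOST_B = "10.1.0.5", "10.2.0.9"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"


def build_both():
    """Return (transport-mode packet, tunnel-mode packet) for the sample flow."""
    t = transport_mode(KEY, 0x1000, 1, HOST_A, HOST_B, SEGMENT)
    u = tunnel_mode(KEY, 0x1000, 1, GW_A, GW_B, HOST_A, HOST_B, SEGMENT)
    return t, u


if __name__ == "__main__":
    t, u = build_both()
    print("transport:", visible_endpoints(t), len(t), "bytes")
    print("tunnel:   ", visible_endpoints(u), len(u), "bytes")
```

The tunnel-mode packet is exactly one extra IPv4 header (20 bytes) longer here; with padding to a cipher block size the per-packet overhead grows further.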
IPSec has had a very slow adoption cycle due primarily to dissension among the
various IETF committees over key management standards and other issues.
Intranet VPN applications using IPSec should start to be introduced to the market
sometime in 1998. Commercial implementations using IPSec are still relatively
immature, but the greatest supporters of the standard are the router vendors and
the VPN hardware vendors who hope to usurp the router vendors in the market for
building intranet (LAN-to-LAN) VPNs. Analysts predict that IPSec will be the primary
standard for this segment of the VPN market.
Advantages
IPSec defines a set of standard protocols for authentication, privacy, and data integrity
that are transparent to the application and the underlying network infrastructure. Unlike
PPTP, IPSec supports a wide variety of encryption algorithms, such as DES, Triple DES,
and IDEA. It also checks the integrity of transmitted packets to make sure they have not
been tampered with en route.
IPSec was designed to provide security between multiple firewalls and routers,
which makes it an optimum solution for LAN-to-LAN VPNs. IPSec's promise is that,
because it is a natural extension to IP, it could be applied very broadly to the VPN
market, ensuring interoperability among VPNs running over TCP/IP.
Disadvantages
For a number of years now, IPSec has been held out to the Internet community as the
way to do secure networking. While IPSec holds great promise and will be a critical
standard in IP-based networking, to date many attempts to deploy IPSec have been
frustrated by the IETF committee infighting, which has delayed true interoperability
between IPSec implementations. IPSec will likely be very successful in the LAN-to-LAN
environments, but it will be of limited utility in the client/server configuration over the next
few years.
This makes them impractical to use in dynamic address environments, which are
common to Internet service providers.
IPSec does not support network protocols other than TCP/IP. As a standard, it does
not specify a methodology for access control other than simple packet filtering. And,
because it uses IP addressing as part of its authentication algorithm, it is seen as
less secure than some of the higher-layer protocols that identify individual users.
Corporations are finding that without Internet connectivity, they cannot compete in
their respective markets. The Internet offers immediate access to information, which
is tremendously beneficial as long as it is not coupled with security risks. Vendors
are offering a number of VPN options to provide the necessary security to make
internetworking worthwhile, but no solution today can solve every corporate need for
secure communications. Each has its own benefits and drawbacks. Network
administrators should carefully consider their priorities and base their decision on
matching criteria. While some VPNs are easy to set up, others are more secure.
And those that are fast may lack interoperability. The one certainty corporations can
count on is an evolving market.
Each corporation has its own business style. Smaller shops may just need to
provide their traveling sales representatives with a way to remotely access the
corporate network. The larger the organization, the more likely it is to use an intranet
to share information among its employees and branch offices. As security is added
to VPNs, companies are extending those intranets and implementing full extranets.
Considering that VPNs are moving in the direction of secure extranet VPNs, which
are basically supersets of remote access and intranet VPNs, network managers
should carefully review the scalability and potential of VPN solutions to support
future business-to-business transactions over untrusted networks.
In general, the better performing pure VPN solutions will be targeted at the intranet
(LAN-to-LAN) and less secure remote access VPN environments, and the more
secure policy-based VPNs will be targeted at the extranet (business-to-business)
and highly secure remote access VPN environments. VPNs that are implemented at
layers two and three of the OSI model should demonstrate better performance than
those at higher layers, and VPNs at layer five and above should offer much greater
security. With that in mind, the following recommendations reflect the best practices
for the different approaches to VPN implementation.
VPNs based on SOCKS v5 are best used by companies that need to provide highly
secure, client-to-server connectivity for comprehensive business solutions, such as
building a supply-chain extranet or highly secure remote access infrastructure.
Because SOCKS v5 is an open standard that sits at the session layer, it can operate
apart from lower-level protocols or add value to the VPN tunneling protocols that
lack security features like access controls.
As mentioned earlier, PPTP and its variant, L2TP, are most appropriately used for
remote access VPNs, as long as the limited encryption and authentication seem
sufficient, and as long as Windows is the platform used. PPTP and L2TP will more
than adequately meet many IT shops' basic remote access requirements.
According to a November 1997 issue of The Forrester Report, the VPN market is
still immature, but early adopters of VPNs, ranging from start-ups to Fortune 50
companies, have been optimistic. Forrester predicted that the appeal of VPNs will
broaden as security, performance, and interoperability wrinkles are smoothed out.
One Forrester respondent from an aerospace company summed up a common
forecast, saying, "Our VPN usage will explode over the next two years. Any
application we need to share (internal Web, database access, personnel data,
and benefits) will run over the network." Whatever solution a corporation decides
on, it should adopt a security framework that can utilize the best of evolving
technologies, function in a heterogeneous corporate environment, and map
real-world trust relationships to the network.
Section References
9.0 Windows NT Network Security
9.1 NT Security Mechanisms
Many DOE sites have been upsizing from Windows 3.11 or Windows 95 to the
Windows NT operating system. In today's environment, it is important to migrate to
Windows NT because it was built from its inception to incorporate networking,
security and audit reporting as services within the operating system.
Since NT is built to be secure, you don’t have to worry about someone breaking into
your system, right? Wrong. NT provides the ability to have a highly secure system
only with the correct configuration and object access controls. Operating systems
don’t make security problems go away. There is not an operating system available
today that can provide you with a complete security solution.
Remember you must define a security plan that defines the level of security needed
in your organization, and integrate Windows NT with its security features into that
plan. Security plans must detail both physical and logical security measures, to build
the best protection against intrusion on your systems.
9.2 NT Terminology
9.2.0 Objects in NT
Described in this section are the basic concepts in the Windows NT environment.
The concept of objects is important to the overall security theme in this operating
system. The difference between the different types of NT software is defined, as
well as the difference between domains and workgroups. Other terminology
included in this section is concepts regarding the NT Registry and C2 Security.
Most elements in the NT operating system are represented as objects. Objects can
be files, directories, memory, devices, system processes, threads, or desktop
windows. Objects are what provide the NT operating system with a high level of
security. They hide data from the outside and provide information only as defined by
the object's functions. This gives a layer of protection against external processes
accessing internal data directly. NT obtains its high security level by preventing
programs direct access to objects. All actions on objects must be authorized and
performed by the operating system.
• System Access Control List (ACL) controls the creation of auditing messages.
There are two types of objects: container objects and non-container objects.
Container objects hold other objects; non-container objects do not have the ability to
include other objects. Directories are container objects and files are non-container
objects. Child objects created within a parent container inherit permissions from the
parent object.
9.2.2 Workgroups
Warning: Security for Workgroups with systems running Windows 95, Windows 3.x, or Windows for Workgroups is virtually eliminated due to the fact that anyone can access the computers and copy files to a diskette. There is no secure logon process or object access controls to prevent users from accessing sensitive files. Therefore, the workgroup model is not recommended unless the systems are all running Windows NT.
9.2.3 Domains
Domain Controller
A primary domain controller (PDC) is a server in the domain that maintains the security and user account databases for that domain. Other servers in the domain can act as backup domain controllers (BDCs) that hold a copy of the security database and user account information. The PDC, as well as the BDCs, can authenticate logon requests.
The BDC provides the network with a backup so that, if the PDC crashes, important data will not be lost. Only one PDC is permitted in each domain. The master copy of the Security Account Manager (SAM) database is located on the PDC, where all account modifications are made. The BDCs are not permitted to make any modifications to the databases.
9.2.4 NT Registry
The Registry is a database that contains applications, hardware, and device driver
configuration data, as well as network protocols and adapter card settings. This data
is stored in the registry to provide a repository that stores and checks configuration
data in one centralized location.
The functions of many files are combined in the Registry, including CONFIG.SYS, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, PROTOCOL.INI, LANMAN.INI, CONTROL.INI and other .INI files. It is a fault-tolerant database that is difficult to crash. Log files provide NT with the ability to recover and fix the database if the system fails.
• HKEY_CLASSES_ROOT: Includes data pertaining to object linking and
embedding (OLE) and file-class associations.
• HKEY_CURRENT_USER: Contains information about users currently logged on the system, which includes the user’s profile, groups, environment variables, desktop settings, network connections, printers and application preferences.
• HKEY_USERS: Stores all actively loaded user profiles, including profiles of any
users who have local access to the system. Remote user profiles are stored in
the Registry of the remote machine.
Each of the subtrees contains value entries which are called keys, and each key can
have many subkeys. The data in the four Registry subtrees is derived from sets of
files called hives. Each hive consists of two files: data and log files. Each hive
represents a group of keys, subkeys, and values that are rooted at the top of the
Registry hierarchy.
9.2.5 C2 Security
C2 represents the highest level of security in its class. Windows NT 3.5 Server, as a
standalone system, was designed from the ground up to comply with the NCSC’s
C2 level requirements, and has been successfully evaluated as such. Certain
processes such as identification, authentication, and the ability to separate accounts
for operator and administrator functions, have met B2 requirements, an even higher
level of security. These processes fulfill requirements for the B2 Trusted Path and B2 Trusted Facility Management.
• Have no network access to the system.
• Remove or disable floppy disk drives.
• Change standard file system access to be more restrictive.
• Object reuse: Memory is protected to prevent read access after it is freed from a
process. When objects are deleted, users will be denied access to the object
even when that object’s disk space has been reallocated.
• Identification and authentication: Users must uniquely identify themselves before any access to the system is obtained. This is accomplished by entering a unique name, password, and domain combination, which will produce a user’s unique identity.
• Auditing: Must be able to create, maintain, and protect against modifications of
an audit trail of access to objects. Access to the audit information must be
restricted to a designated administrator.
9.3 NT Security Model
The Windows NT security model affects the entire Windows NT operating system. It
provides a central location through which all access to objects is verified so that no
application or user gets access without the correct authorization.
NT Security Subsystem
The Local Security Authority (LSA) is the heart of the security subsystem. It has the responsibility of validating local and remote logons to all types of accounts. It accomplishes this by verifying the logon information against the SAM database. It also provides the following services:
Figure 2: NT Security Model
The SAM manages a database which contains all user and group account information. SAM provides user validation services which are used by the LSA, and are transparent to the user. SAM is responsible for checking logon input against the SAM database and returning a security identifier (SID) for the user, as well as a SID for each group to which the user belongs. When a user logs on, the LSA creates an access token which includes the SID information along with the user’s name and associated groups.
From this point on, every process that runs under this user's account will have a
copy of the access token. When a user requests access to an object, a comparison
is made between the SID from the access token and the object’s access
permissions list to validate that the user has the correct permissions to access the
object.
The SAM database supports a maximum of 10,000 accounts. SAM databases may
exist on one or more NT systems, depending on the network configuration. The
types of network configurations include:
• When separate user accounts are on each system, the local SAM database is
accessed.
• The SAM database is located on the domain controller when a single domain
with a centralized source of user accounts is the configuration.
• In the master domain configuration, where user accounts are also centralized,
the SAM database is located on the Primary Domain Controller (PDC), which is
copied to all Backup Domain Controllers (BDC) in the master domain.
The Security Reference Monitor (SRM) runs in kernel mode and is a component of the Windows NT Executive. It is responsible for enforcing the access validation and audit generation policies required by the LSA. SRM provides services for access validation to objects and access privileges to user accounts. It also protects objects from being accessed by unauthorized users. To ensure that objects are protected regardless of their type, the SRM maintains only one copy of the access validation code on the system.
Instead of accessing objects directly, users requesting access to objects must have
SRM validation. The steps used to determine user access to objects are as follows:
9.4 NT Logon
Windows NT logon processes provide mandatory logon for user identification and
cannot be disabled. Before accessing any resources on the system, the users go
through the logon process so that the security subsystem can authenticate the user
name and password.
To protect against an application running in background mode, such as a Trojan
logon program, the logon process begins with a Welcome message box that
requests the user to press Ctrl, Alt and Del keys before activating the actual logon
screen.
Note: The Ctrl, Alt, Del sequence guarantees that a valid Windows
NT logon sequence will be initiated. This key sequence should always
be used when logging on to a machine, even if it appears that the
logon screen is already displayed.
Logon Banner
The LSA now constructs the access token. The access token is connected with each process the user runs.
This process and token information together form a subject. When a user requests access to an object, the contents of the subject’s token are compared to the object’s ACL through an access validation procedure. This access validation procedure grants or denies permission to the user’s request.
Figure 4: NT Logon
For example, many areas of an organization may need access to data located within the financial domain; however, a user in the financial domain probably doesn’t need access to data within the medical domain. Additional ways to protect your systems are achieved by group management, access control of objects, and file system configurations, which are all discussed in this section.
9.5.0 Trusts and Domains
Trust Relationships
Trusts are an administrative way to link together two domains allowing one domain’s
users access to the other domain. Trust relationships between domains are a way to
centralize administrative tasks. They enable user accounts and groups to be used in
a domain outside of where those accounts originated. Trusts combine two or more
domains into an administrative group. There are two parts to a trust: the trusted
domain and the trusting domain. The trusted domain makes accounts available for
use in the trusting domain. Users only need one name and password to access
multiple domains.
Trust relationships are defined in only one direction. To obtain a two-way trust, both
domains must trust each other. The trusted domain is where the accounts reside,
known as the account domain. The trusting domain contains the resources, known
as the resource domain.
Figure 5: Trust Relationships
• Single Domain
• Master Domain
• Multiple Master Domain
The Single Domain is the best model for organizations with fewer than 10,000
users. There is only one domain in this model; therefore there is no administration of
trust relationships. Administration of user accounts is centralized, and global groups
are used for accessing resources.
Master Domain Model
The Master Domain model includes multiple domains, with one being the master
domain. The master domain is trusted by all other resource domains, but does not
trust any of them. The resource domains do not trust each other. This model
provides the benefits of centralized administration and multiple domains.
The Multiple Master Domain model is used for organizations with computer
resources grouped into logical divisions, such as by departments or location. This
model is identical to the Master Domain model except that there is more than one
master domain. All master domains have a two-way trust with each other. Each
resource domain trusts all master domains, but the resource domains do not trust
each other. Since master domains trust each other, only one copy of the user
account database is needed. This model is designed for organizations with more
than 10,000 users.
Figure 7: Multiple Master Domain Model
For example, if a directory is established for the Payroll Department to hold their common files, it is much easier for a system administrator to have everyone in the Payroll Department in a group and then assign that group permissions on the directory and the files in it. Otherwise, the system administrator would have to go through and assign permissions to every user in the Payroll Department.
In addition, groups can be used to restrict the access a collection of users has to certain objects. For example, the system administrator could utilize the Payroll group to prevent the users in the Payroll Department from printing to a printer in a remote location (because their data could be potentially very sensitive), while allowing access for all other users, by placing a deny ACE for the Payroll group in the ACL for the printer. It is normally easier to administer rights by granting them to groups and then making the users who need the right a member of the group. For example, if there are users who need to log on to a server locally, create a group called Local Logon. Add the users to the group, and grant the Log on Locally right to the group. This group could then be reused again should this group of users need some other common right or access permission.
• Local Groups
• Global Groups
• Special Groups
Local Groups
Local groups are maintained on a local system or domain and may have user
accounts or global groups as members. At the local system level, local groups
would be used to administer permissions and rights for the system on which they
reside. At the domain level, local groups would be used to administer permissions
and rights on Windows NT Servers within the domain where the groups reside. To
summarize, local groups are only utilized in the user account database for the local
system or domain where they are created.
Windows NT provides some built-in local groups each with established permissions
and rights. At the local system level they are:
Global Groups
and then makes the global groups members of the local groups. Windows NT
provides two built-in global groups each with established permissions and rights.
They are:
Special Groups
Special groups are created by Windows NT for unique or specific purposes and can
not be viewed, changed, or have members added to them in the User Manager. A
user’s membership to a special group is determined by how they access resources
on the system. Special groups may be assigned access permissions in some cases
and may be seen when a system administrator is assigning permissions on
Windows NT objects.
Note: If the user is the system administrator or another user who is a member of the Administrators group, the Administrators group would be a member of the Creator Owner group.
The special group that system administrators must pay close attention to is the Everyone group. As stated above, all users logged on are members of this group. Therefore, any access permissions assigned to the Everyone group allowing or denying access to objects are by default assigned to all users.
For example, if a file should only be accessed by a certain group, the system
administrator could not assign permissions to that group allowing file access and
then assign permissions to the Everyone group denying file access. Since Windows
NT acts on all deny ACEs before allow ACEs, it would stop when it found the deny
ACE for the Everyone group and no one would be allowed access including the
group with permissions assigned to allow access to the file.
Each file and directory object has an Access Control List (ACL) that contains a list of
Access Control Entries (ACEs). ACEs provide information regarding access or
auditing permissions to the object for a user or group of users. Along with the file
system, they protect objects from unauthorized access. There are three different
types of ACEs:
• System Audit
• Access Allowed
• Access Denied
System Audit is a system ACE used for logging security events and audit
messages. Access Allowed and Access Denied are known as discretionary ACEs.
They are prioritized by the type of access: Denied and Granted.
Deny always overrides grant access. If a user belongs to a group with Access
Denied privileges to an object, the user will be denied access regardless of any
granted access he possesses from his own user account, or in other groups to
which he is included.
Discretionary ACLs allow owners to control the access of their objects. Controls over objects can be applied to individual users, multiple users, and groups. They can be set by the object’s owner, a user who has an administrator account, or any user with correct permissions to control resources on the system. If a discretionary ACL is not specified for an object, a default ACL is created. By default, file objects inherit access controls from their parent directories.
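The deny-before-allow rule and the Everyone pitfall above are easy to get wrong, so here is an added example (written for this page, not code from the manual or from Windows NT itself) that replays the Payroll and printer scenarios with a small shell evaluator. The text ACL format, the principal names (Payroll, Users, alice, bob) and the permission names are constructed for the illustration; NT’s real ACE format is binary and richer than this.

```shell
#!/bin/sh
# Added example, not code from the manual: a toy evaluator for NT discretionary
# ACEs that applies the rule the text describes (all Deny ACEs are checked
# before any Allow ACE, and Everyone matches every logged-on user).
#
# ACL format, one ACE per line on stdin:   Allow|Deny  PRINCIPAL  PERMISSION

# nt_access USER "GROUP1 GROUP2 ..." PERMISSION  < acl
# Prints the ACE that decided the request; returns 0 if granted, 1 if denied.
nt_access() {
    awk -v user="$1" -v groups="$2" -v want="$3" '
    BEGIN {
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) member[g[i]] = 1
        member[user] = 1            # an ACE can name the user directly
        member["Everyone"] = 1      # every logged-on user is in the Everyone group
    }
    # Collect matching ACEs by type so every Deny is considered before any
    # Allow, regardless of the order in which they appear in the ACL.
    $1 == "Deny"  && ($2 in member) && $3 == want { deny[++nd] = $0 }
    $1 == "Allow" && ($2 in member) && $3 == want { allow[++na] = $0 }
    END {
        if (nd > 0) { print "DENIED by: " deny[1];   exit 1 }
        if (na > 0) { print "GRANTED by: " allow[1]; exit 0 }
        print "DENIED: no matching ACE (implicit deny)"; exit 1
    }'
}

# Constructed ACLs (hypothetical principals) for the scenarios in the text.

# The mistake described above: allow Payroll, then "deny everyone else".
broken_payroll_acl() { printf '%s\n' 'Allow Payroll Read' 'Deny Everyone Read'; }

# The correct form: grant Payroll only; users outside Payroll match no ACE.
fixed_payroll_acl() { printf '%s\n' 'Allow Payroll Read'; }

# The printer example: Payroll is denied even though it is also in Everyone.
printer_acl() { printf '%s\n' 'Allow Everyone Print' 'Deny Payroll Print'; }

# Scenarios; each returns the evaluator's exit status (0 granted, 1 denied).
payroll_user_broken()  { broken_payroll_acl | nt_access alice "Payroll Users" Read; }
payroll_user_fixed()   { fixed_payroll_acl  | nt_access alice "Payroll Users" Read; }
outsider_fixed()       { fixed_payroll_acl  | nt_access bob   "Users"         Read; }
payroll_user_printer() { printer_acl        | nt_access alice "Payroll Users" Print; }
outsider_printer()     { printer_acl        | nt_access bob   "Users"         Print; }

# Stand-alone run: show all five decisions (exit codes are swallowed here).
for scenario in payroll_user_broken payroll_user_fixed outsider_fixed \
                payroll_user_printer outsider_printer; do
    printf '%-22s ' "$scenario"; "$scenario" || :
done
```

The broken ACL denies the Payroll user because the Deny for Everyone is found first; the fixed ACL needs no Everyone entry at all, because a user who matches no ACE is denied anyway.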
User Rights
Due to NT’s modular approach to file system management, multiple file systems are supported. NT uses low-level drivers as a part of the NT Executive to support each file system. This provides the ability to expand to additional file systems as they are introduced by simply installing a new driver.
The File Allocation Table (FAT) file system is named after its organizational method. The FAT file system was originally designed for small disks and simple directory structures. Its design has since evolved to support larger disks and more powerful systems. It is most widely used for systems that run the DOS operating system.
The FAT file system doesn’t support the security features or the automatic disk
restoration utilities that NT provides. Using the FAT file system is not recommended
for volumes shared across the network. The following configurations do require the
FAT file system structure:
• FAT is the only file system available for formatting diskettes on Windows NT.
• RISC-based systems must provide a FAT partition to boot system files.
• NT provides a tool to secure the FAT system partition on this type of system.
Tip: If there is no need to boot DOS, and the system is not a RISC architecture, using the FAT file system is not recommended.
NTFS was developed to support the Windows NT file and directory security features. It is the only file system available on NT that provides the capability to assign permissions to individual files. The NTFS driver that allows access to an NTFS volume is loaded only by NT, so unauthorized users cannot access NTFS volumes by booting the system from a DOS diskette.
NTFS also prevents users from undeleting files or directories that have been removed from NTFS volumes. Since NT doesn’t give undelete programs access to work on an NTFS volume, even files that still exist on the disk are not available. NTFS provides file system recovery: disk activities are logged so that they can be restored in the case of a system crash.
Chances of corrupting data, due to power or hardware failures, are small with NTFS.
NTFS file system security is only valid if the ability to access the system from DOS,
or another operating system is eliminated. The following precautions for physical
security should be examined:
NTFS vs FAT
NTFS provides extended security features not available with the FAT file system.
NTFS is built for speed. It uses a binary tree structure for directories to reduce the
access time needed to locate files.
Shares
The Shared Directory feature in the File Manager allows sharing of files and
directories over the network. Shared object permissions can be established for FAT
or NTFS file structures. The user must be a member of the Administrator group or
Server Operator group to work with shared directory permissions. Users are unable
to access files on a system through the network until there is a shared directory
available.
Once a directory has been shared on the system, users can log on to that system
and be able to access the shared directory. To use the directory, the user must
assign the share to an unassigned drive letter. When the directory is assigned a
drive letter, the share can be accessed just like another hard disk on the system.
Directory sharing can be viewed and stopped by an Administrator or Server
Operator.
File and directory permissions are the foundation of most user-controlled security in
Windows NT. Permissions are the rules associated with a particular object, which
describe which users can access what objects, and how they have access to the
objects. Object permissions for files are only available for files stored on NTFS
volumes. File and directory permissions are cumulative, but the No Access
permission overrides all other permissions.
• No Access
• Read
• Change
• Full Control
• Special Access
• List
• Add
• Read
Object Ownership
Object ownership allows the user to change permissions on the owned object. The
user who is the creator of a file or directory is usually the owner. Users can’t give
away ownership of their objects, but they can give other users permission to take
ownership. This prevents users from creating objects and making them appear to be
owned by another user. Ownership of a file or directory can be taken by an
Administrator without the owner’s consent, but the Administrator can’t transfer
ownership to others. Administrators cannot access private files without leaving some
trails behind, because after claiming ownership, Administrators cannot return
ownership to the original owner.
9.10 Monitoring System Activities
There are two types of security monitoring: status and event monitoring. Status monitoring involves current states or processes of the system. Event monitoring evaluates audit trails, which occurs after processes have finished running. Auditing is provided to evaluate the control structure, assess risk, determine compliance, report on exceptions and make improvements to the system. Systems should be evaluated against the organization’s security policies, and technical platforms should be checked for compliance with the security implementation standards.
10.0 Unix Incident Guide
If you suspect or have been notified that your computer system has been or is under
attack, you must determine:
10.1 Displaying the Users Logged in to Your System
If you suspect that there is an active intruder on your system, first determine where
they are and what they are doing. This section shows you how to use these
commands to find out who is on your system:
The “w” command gives you a general overview of all users and their active
programs on the system. A sample output is shown here.
The first line displayed, the status line, gives general information: the present time,
how long the system has been running, and the load on the system for various
periods of time. The rest of the output from the “w” command shows you who is
currently logged in to the system, which TTY they are using, and what each user is
currently doing.
Verify that:
Vulnerabilities
The output listing from the “w” command can be easily modified to hide a skilled
intruder’s existence on the system.
10.1.1 The “finger” Command
Another command that displays who is on the system is the “finger” command.
A sample output is shown here. The “finger” command shows you who is currently
logged in to the system, which TTY they are using, the time they logged in, and
where they are logged in from.
Verify that:
Vulnerabilities
The output from the “finger” command can easily be modified to hide a skilled
intruder’s existence.
The “who” command lists information about the users currently on the system.
This information is retrieved from the /etc/utmp file. A sample output is shown
here. This command lists who is currently logged in to the system, which TTY they
are using, login time, and where they are logged in from.
Verify that:
Vulnerabilities
The output from the “who” command can easily be modified to hide a skilled
intruder’s existence, as the command gets its information from the /etc/utmp file.
10.2 Displaying Active Processes
The “ps -agux” command lists the processes that are executing on your system.
The command’s “a” parameter displays all processes running on the system, not
just those owned by you. The command’s “g” parameter displays all processes, as
opposed to those which “ps” decides are simply “interesting” (refer to the “ps” man
page for the definition of “interesting”).
The “u” parameter displays user-oriented output. The “x” parameter includes
processes without control terminals.
The “ps” command is a reliable way to see what programs are being executed on
the system. A shortened sample output is shown here.
Vulnerabilities
In some cases, compromised systems have been found to contain a Trojaned version of “ps” which does not display intruder processes. Also, if an invalid process is running but has a valid process name, it may be difficult to distinguish the suspicious process. For example, intruders often run sniffer processes under names such as “sendmail” or “inetd”.
10.2.1 The “crash” Command
You can use the “crash” command to list all processes. This functions as a cross-check against the “ps” command: a process that appears in the “crash” output but not in the “ps” output (match on PID) is suspicious. Once you execute “crash,” you will receive a “>” prompt. Type proc in response and quit when you are finished running “crash”.
• processes that do not appear in the ps list (use the PID column to identify)
• a high value in the CPU column
• unusual commands in the NAME column
Vulnerabilities
Names can be faked. Like any command, “crash” can be Trojaned.
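The “who”, “w”, “ps” and “crash” sections above all end with the same caveat: the command that shows you the answer can itself be Trojaned. As an added example (not from the manual), the shell functions below compare two independent sources for the same fact, so that a single modified binary is no longer enough to hide a terminal session or a process. The who and ps listings are constructed sample data in BSD “ps aux” layout; the live_check function assumes a Linux host with a procps-style ps and a /proc tree, which is a stand-in for the manual’s “crash” proc listing.

```shell
#!/bin/sh
# Added example, not code from the manual: cross-check two independent views
# of the same fact, so that a single Trojaned command has to lie consistently.

# hidden_ttys "WHO_OUTPUT" "PS_OUTPUT"
# Terminals that own processes in the ps listing (BSD "ps aux" layout, TTY in
# column 7) but have no session in the who/utmp listing (TTY in column 2).
hidden_ttys() {
    known=$(printf '%s\n' "$1" | awk '{ print $2 }' | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v known=" $known" '
        NR > 1 && $7 != "?" && index(known, " " $7 " ") == 0 && !seen[$7]++ { print $7 }'
}

# hidden_pids "PS_OUTPUT" "ALT_PIDS"
# PIDs present in an independent listing (the manual's "crash" proc table, or
# on Linux the numeric entries of /proc) but absent from the ps listing.
hidden_pids() {
    known=$(printf '%s\n' "$1" | awk 'NR > 1 { print $2 }' | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v known=" $known" '
        /^[0-9]+$/ && index(known, " " $1 " ") == 0 { print $1 }'
}

# Live use on a Linux host (assumption: procps-style "ps aux" and a /proc tree).
live_check() {
    ps_out=$(ps aux)
    echo "terminals with processes but no utmp session:"
    hidden_ttys "$(who)" "$ps_out"
    echo "PIDs in /proc that ps does not report:"
    hidden_pids "$ps_out" "$(ls /proc | grep -E '^[0-9]+$')"
}

# Constructed sample data: the session on pts/3 has been scrubbed from utmp,
# and PID 777 is running but a Trojaned ps omits it.
SAMPLE_WHO='root     tty1   Jan 12 08:02
alice    pts/0  Jan 12 09:15 (host1.example.org)'
SAMPLE_PS='USER   PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
root      1  0.0  0.1  100   50 ?     S    08:00 0:01 init
root    231  0.0  0.1  100   50 tty1  S    08:02 0:00 -sh
alice   410  0.0  0.2  200   90 pts/0 S    09:15 0:00 -sh
nobody  512 97.0  0.3  300  120 pts/3 R    09:40 5:12 sendmail'
SAMPLE_ALT_PIDS='1
231
410
512
777'

demo_hidden_ttys() { hidden_ttys "$SAMPLE_WHO" "$SAMPLE_PS"; }
demo_hidden_pids() { hidden_pids "$SAMPLE_PS" "$SAMPLE_ALT_PIDS"; }

echo "terminals with no utmp session: $(demo_hidden_ttys)"
echo "PIDs missing from ps:           $(demo_hidden_pids)"
```

Note that the sample also shows the other warning sign from the “ps” section: the unexplained process is named “sendmail” and is consuming most of the CPU, which a name match alone would never flag.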
If you suspect that an intruder has been on your system but is gone, use the
commands and files described in this section to find the “footprints” the intruder may
have left behind. This section shows you how to use these commands and files:
10.3.0 The “last” Command
The “last” command displays information about logins and logouts on the system
from the /var/adm/wtmp file. If you can determine the username the intruder used to
log in, this command can show you how long the intruder was logged in and where
they logged in from. The command’s “-n” parameter is used to display the last n
entries in the /var/adm/wtmp file.
The first column contains the username, followed by the terminal device the user is
connected to. If the connection used a network device, the name of a remote
system is displayed in the next column. For serial devices such as dial-up modems,
the column will be blank. This is followed by the login and logout time and an
indication of the length of the session.
• examine the log entries made around the time of the suspected attack for ones that appear to be out of the ordinary, including logins to accounts that had previously been dormant, logins from unexpected locations, logins at unusual times, and short login times
• a missing /var/adm/wtmp file or one with gaps in the output (this may indicate that an intruder attempted to hide their existence)
As a general rule, many system administrators never delete this file. Therefore, it
can be quite large and include activity from when the system was first loaded.
Vulnerabilities
An intruder who breaks into a system can hide their tracks by deleting or modifying
the /var/adm/wtmp file.
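As an added example (not code from the manual), the shell function below applies the checks listed above to “last” output: a source host that is not on an expected list, a login outside working hours, and a very short session. The input lines, the allowed host names and the 07:00 to 19:00 window are constructed assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not code from the manual: scan "last" output for the
# anomalies the text lists (unexpected source hosts, logins at unusual hours,
# very short sessions). Input is the text format of "last": user, tty,
# optional remote host, weekday, month, day, login time, "-", logout time,
# and the session length in parentheses.

# suspicious_logins "ALLOWED_HOSTS" START_HOUR END_HOUR  < last_output
# Flags each entry whose source host is not in ALLOWED_HOSTS (space separated),
# whose login hour is outside [START_HOUR, END_HOUR), or whose session lasted
# under two minutes. Lines without a host (serial or console logins) are not
# checked against the host list.
suspicious_logins() {
    awk -v allowed=" $1 " -v h1="$2" -v h2="$3" '
    /^$/ || /^wtmp begins/ { next }
    {
        # a weekday name in column 3 means the host column is blank
        if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = ""; t = 6 } else { host = $3; t = 7 }
        hour = substr($t, 1, 2) + 0
        reason = ""
        if (host != "" && index(allowed, " " host " ") == 0)
            reason = reason "unexpected host " host "; "
        if (hour < h1 || hour >= h2)
            reason = reason "login at " $t "; "
        if (match($0, /\([0-9]+:[0-9]+\)$/)) {      # "(HH:MM)" session length
            dur = substr($0, RSTART + 1, RLENGTH - 2)
            split(dur, p, ":")
            if (p[1] + 0 == 0 && p[2] + 0 < 2)
                reason = reason "session " dur "; "
        }
        if (reason != "") { sub(/; $/, "", reason); print $1, $2, reason }
    }'
}

# Constructed sample in "last" format: a normal daytime login, a one-minute
# visit from an unknown address at 03:12, and a console root session.
SAMPLE_LAST='alice    pts/0    host1.example.org Mon Jan 12 09:15 - 09:40  (00:25)
guest    pts/2    203.0.113.9       Mon Jan 12 03:12 - 03:13  (00:01)
root     tty1                       Mon Jan 12 08:02   still logged in

wtmp begins Mon Jan  5 00:01'

demo_suspicious_logins() {
    printf '%s\n' "$SAMPLE_LAST" | suspicious_logins "host1.example.org host2.example.org" 7 19
}

demo_suspicious_logins
```

On a live system the input would be `last -n 200 | suspicious_logins "..." 7 19`; remember that the function is only as trustworthy as the wtmp file it reads, which is exactly the vulnerability the text describes.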
10.3.1 The “lastcomm” Command
The “lastcomm” command displays the last commands executed. This command is
only available if you have process accounting turned on. With this command, you
can see every command issued by anyone on the system. A sample output is
shown here.
This command is an excellent way of seeing what a user did while on your system
because it lists all commands executed by all users.
Vulnerabilities
Process accounting produces a file that tends to get quite large very quickly, as it saves the data needed to track the commands issued by every user. You should periodically rename it so that you can manage smaller files.
The “lastcomm” command only tracks the command that ran a program, but not
what actions were taken after the program started (for example, it may show the
editor being run, but not which files were opened after the initialization of the editor).
Many times, attacks are not discovered until days after the actual event. And in these cases, the accounting logs may have been purged by the time the attack is discovered. The biggest potential intruder-style vulnerability is that the data is kept in the file /var/adm/pacct, which the intruder can easily delete and perhaps modify if the proper privileges are obtained.
10.3.2 The /var/log/syslog File
The /var/log/syslog file contains messages relating to various types of connections to your system. The content of this file is defined by the /etc/syslog.conf file. This file contains extremely long lines; a shortened sample of this file is shown here.
Most messages are from the sendmail program, and display the status of messages
sent and received by your system. This file may also contain in.telnetd connection
messages and other previously defined messages.
Telnet connections, both incoming and outgoing, should be examined. A short file may be suspicious, as it may indicate that this file has been edited or deleted. A ‘hole’ in the file (a large chunk of time when no messages occur) may indicate that an intruder deleted the messages related to their time on the system. Note that this ‘hole’ may be useful in tracking down when the intruder used the system. In general, look for things that may appear out of the ordinary.
Vulnerabilities
In many cases, the /var/log/syslog file is world writable and must remain so for
operational reasons. Therefore, its data may be suspect and untrustworthy.
This file tends to be very long. Investigating all connections, especially sendmail
messages, can be difficult. This is because at least one line is written to the
/var/log/syslog file for each mail message. In addition, users tend to delete
messages and forget exactly who sent them the messages, when they were
received, and what they were about.
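As an added example (not from the manual), this shell function looks for the ‘hole’ described above by reading the timestamps of a syslog-style file and reporting any two consecutive messages further apart than a threshold. The sample log lines are constructed; the ordinal arithmetic treats every month as 31 days, which is exact enough to find gaps but not for calendar work.

```shell
#!/bin/sh
# Added example, not code from the manual: find "holes" in a syslog-style file
# (long stretches with no messages at all), which the text describes as a sign
# that an intruder removed the entries covering their session.

# syslog_holes MAX_GAP_MINUTES  < logfile
# Reads lines that start with the classic "Mon DD HH:MM:SS" stamp and reports
# every pair of consecutive messages more than MAX_GAP_MINUTES apart.
syslog_holes() {
    awk -v maxgap="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    ($1 in mon) && $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        split($3, t, ":")
        # approximate minute ordinal (31-day months); exact enough for gap hunting
        now = ((mon[$1] * 31 + $2) * 24 + t[1]) * 60 + t[2]
        stamp = $1 " " $2 " " $3
        if (seen && now - prev > maxgap)
            printf "hole of %d minutes: %s -> %s\n", now - prev, prevstamp, stamp
        prev = now; prevstamp = stamp; seen = 1
    }'
}

# Constructed sample: nothing at all is logged between 09:02 and 15:47.
SAMPLE_SYSLOG='Jan 12 08:00:01 host1 sendmail[101]: from=<user1@example.org>, size=1024
Jan 12 08:30:12 host1 in.telnetd[120]: connect from host2.example.org
Jan 12 09:02:44 host1 sendmail[130]: to=<user2@example.org>, stat=Sent
Jan 12 15:47:03 host1 sendmail[140]: from=<user3@example.org>, size=512
Jan 12 16:01:10 host1 in.telnetd[150]: connect from 203.0.113.9'

# Three hours of silence on a host that normally logs mail every few minutes.
demo_syslog_holes() { printf '%s\n' "$SAMPLE_SYSLOG" | syslog_holes 180; }

demo_syslog_holes
```

The threshold has to come from the baseline for that host: a mail relay that logs every minute makes a two-hour hole glaring, while a quiet workstation may legitimately log nothing overnight. The same function works unchanged on /var/adm/messages, since both files use the syslog stamp.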
10.3.3 The /var/adm/messages File
The /var/adm/messages file usually contains a listing of all messages that are sent to the console. The actual content of this file is defined in the /etc/syslog.conf file. A sample of this file is shown here.
In the sample file above, you would make sure that “user1” is a valid user logging
into the aaa root privileged account.
Vulnerabilities
Once an intruder obtains root access, this file can be modified or deleted quite
easily. Also, if the syslog.conf file is compromised, logging to this file may be
discontinued.
10.3.4 The “netstat” Command
The “netstat” command displays listening and connected processes. You should
compare the output from this command with the output from the “last -n” command.
The command’s “-a” parameter is used to display the status of all sockets.
• a telnet connection that does not correlate with the output from the “who” or “w” commands
• other network connections
Vulnerabilities
In some cases, compromised systems have been found to contain a Trojaned
version of “netstat” that does not show connections to or from the source of the
intrusion.
Sniffers are a major source of contemporary attacks. This section shows you how to
use the “ifconfig” command to determine if a sniffer has been installed.
10.4.1 The “ifconfig” Command
Vulnerabilities
Like any command, “ifconfig” can be Trojaned. If you suspect that a sniffer has been
installed, obtain “cpm” from CIAC or CERT and run it. The cpm tool will test the
network interface directly and report if it is in promiscuous mode.
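As an added example (not from the manual, and not a replacement for the cpm tool it recommends), the shell functions below give two independent views of the promiscuous flag: one parses saved “ifconfig -a” output, the other, on Linux, reads the raw interface flags from sysfs and tests the IFF_PROMISC bit (0x100) without going through ifconfig at all. The ifconfig listings are constructed samples; the interface names and addresses are not from the page.

```shell
#!/bin/sh
# Added example, not code from the manual: two independent ways to spot an
# interface in promiscuous mode, so that a Trojaned ifconfig can be
# cross-checked (the manual's own recommendation is the cpm tool).

# promisc_from_ifconfig  < "ifconfig -a" output
# Prints every interface whose block mentions PROMISC. Interface blocks start
# at column 0 with the name; the SunOS/BSD "le0: flags=..." layout and the
# old Linux "eth0      Link encap:..." layout both fit.
promisc_from_ifconfig() {
    awk '/^[A-Za-z0-9]/ { iface = $1; sub(/:$/, "", iface) }
         /PROMISC/ && iface != "" && !seen[iface]++ { print iface }'
}

# promisc_from_sysfs
# Linux only: read the raw interface flags from sysfs and test bit 0x100
# (IFF_PROMISC) directly. Prints nothing on systems without /sys/class/net.
promisc_from_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
    return 0
}

# Constructed SunOS-style listing with the third interface sniffing.
SAMPLE_IFCONFIG='lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
le1: flags=963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255'

# Constructed old-Linux-style listing with eth0 sniffing.
SAMPLE_IFCONFIG_LINUX='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.20  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:3924  Metric:1'

demo_promisc()       { printf '%s\n' "$SAMPLE_IFCONFIG"       | promisc_from_ifconfig; }
demo_promisc_linux() { printf '%s\n' "$SAMPLE_IFCONFIG_LINUX" | promisc_from_ifconfig; }

echo "promiscuous (SunOS sample): $(demo_promisc)"
echo "promiscuous (Linux sample): $(demo_promisc_linux)"
echo "promiscuous (this host, sysfs): $(promisc_from_sysfs)"
```

A disagreement between the two views is itself a finding: if sysfs shows the bit set and ifconfig does not, the ifconfig binary deserves the same suspicion the text attaches to “ps” and “netstat”.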
This section describes various files that have been found on compromised systems. Because file names can be easily changed, the actual name of the file may be different from the file names listed in this section. Many times, intruders try to hide files; methods for achieving and detecting this will also be described.
When you look for files left behind by an intruder, you should:
Obtaining a Baseline of What Your Normal Operating System Looks Like
To obtain a baseline of your normal operating system, you should periodically run the commands described in this document. Record and become familiar with the output from these commands. Also, obtain and periodically use SPI and Tripwire.
Finding Files and File and Directory Names Commonly Used by Intruders
The file names given in this section are commonly used by intruders. Start by looking for these file names, but realize that, as intruders learn that their bogus file names are discovered, they will change them. You must ultimately look for a name or names that do not belong.
Suspicious Files
Often, the best indication of whether or not a system has been compromised comes from a thorough examination of its file systems. The creation or modification of files is often a strong indication of intruder activity on a system. Occasionally, the intruder will modify (“Trojan”) system programs to hide the intrusion. Some system administrators have discovered that a command such as “ps” will be Trojaned to ignore the intruder’s processes. Keep this in mind when running any command, because if a command has been Trojaned, the results of the command will be questionable.
The “find” command, run preferably as root, will list all files that have been modified
in the previous n days: Note that many intruders routinely change file modification
times to hide changes made to the system. Many of these modifications may still be
detected by examining a file’s inode change time, which is more difficult for an
intruder to forge. The following command will locate all files with inode change times
that have changed in the last n days:
While examining the results generated by these commands, consider the hidden
files and directories often used by attackers, described in the next section.
Setuid Files
Unix systems allow users to temporarily elevate their privileges through a
mechanism called setuid. When a file with the setuid attribute is executed by a user,
the program runs with the effective access rights of the owner of the file. For
example, the “login” program is typically a setuid file owned by root. When a user
invokes “login”, the program is able to access the system with super-user privileges
instead of the user’s normal privileges. Intruders often create setuid files that enable
them to quickly regain root access during later visits to the system. Often, the file is
placed in a hidden directory or has a hidden filename (e.g., “.sh”). Setuid files
appear in directory lists with an “s” in place of the “x” in the owner’s execute bit
position, so the output of “ls -l .sh” for such a file would begin with “-rws” rather
than “-rwx”.
Note that a typical Unix system contains dozens of legitimate setuid programs
necessary for normal operation of the system. Any setuid file that is not part of the
vendor’s standard set, or that has appeared since your baseline was taken, should
be suspected. The “find” command can list all setuid files on your system; record
that list as part of your baseline and compare later runs against it.
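The sweeps described above (files by modification time, files by inode change time, and setuid/setgid programs compared against a saved list), as an added example rather than a command reproduced from the CIAC guide. It is a POSIX shell script; the function names, the ROOT and DAYS parameters and the sample tree are my own assumptions. On a real system run it as root from / so that no directory is skipped.

```shell
#!/bin/sh
# Added example, not a command from the CIAC guide: sweep a file tree for
# recently modified files, recently changed inodes and setuid/setgid
# programs with POSIX find(1). Assumptions: a POSIX shell and find; for a
# real sweep run it as root from / so no directory is skipped. The
# sample tree built by make_sample_tree is constructed for demonstration.

# Files whose modification time (mtime) is less than DAYS days old.
# An intruder can reset mtime with touch(1), so this list can miss changes.
recently_modified() {
    root=$1; days=$2
    find "$root" -type f -mtime "-$days" -print 2>/dev/null
}

# Files whose inode change time (ctime) is less than DAYS days old.
# ctime is set by the kernel on any inode update, including the touch
# that resets mtime, and cannot be set from user space, so a file that
# is old by mtime but new by ctime deserves a close look.
recently_changed() {
    root=$1; days=$2
    find "$root" -type f -ctime "-$days" -print 2>/dev/null
}

# Programs with the setuid (04000) or setgid (02000) bit set.
list_setuid() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Lines in the current setuid list that are absent from a sorted baseline
# recorded on a known-good system: each one is a candidate backdoor.
new_setuid() {
    root=$1; baseline=$2
    list_setuid "$root" | sort | comm -13 "$baseline" -
}

# Constructed sample: a fresh file, a backdated file and a hidden setuid
# program named ".sh", as in the text above.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/lib"
    printf 'recent\n'    > "$dir/lib/recent"
    printf 'tampered\n'  > "$dir/lib/backdated"
    touch -t 200001010000 "$dir/lib/backdated"   # mtime pushed back, ctime stays now
    printf '#!/bin/sh\n' > "$dir/lib/.sh"
    chmod 4755 "$dir/lib/.sh"
}

demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "modified in the last day:";  recently_modified "$d" 1
    echo "changed in the last day:";   recently_changed "$d" 1
    echo "setuid/setgid programs:";    list_setuid "$d"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as “sh sweep.sh demo” to see the three lists on the sample tree: the backdated file is missing from the mtime list but present in the ctime list, which is exactly the discrepancy the text says to look for. To build the baseline for new_setuid on a clean system, save “list_setuid / | sort” to a file kept off the host or on read-only media.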
All Unix systems provide some level of accounting, recording the actions of both
users and system processes. The amount of information recorded can vary
significantly depending on both the version of Unix and its configuration. The default
for many systems is to record little more than login/logout times for users. At the
other end of the spectrum, systems running at an Orange Book C2 level of
assurance can easily generate several megabytes of log information per hour.
Unusual or inappropriate system activity can often be discovered in the output of
the “lastcomm” command, which reads the process accounting records. For
example, “lastcomm” output indicating repeated executions of the “tftp” program
might indicate attempts to steal password files using TFTP. For information on
enabling process accounting on a specific Unix system, refer to the man page for
“acct”. Refer to the previous discussion of the “lastcomm” command for more
information and a sample output.
Many system process events generate messages. For example, the “su” utility often
makes a log entry when a user attempts to become the “super-user.” These
messages may prove useful in discovering unusual activity possibly caused by an
intruder.
These messages are often archived in log files for later examination. Commonly
used files include /var/log/syslog and /var/adm/messages; however, the file names
may vary from system to system. Refer to the sections about these files in this guide
or to the man page for “syslog” for more information.
~/.history
Some shells, tcsh for example, keep a record of the most recently executed
commands for each user. This information is usually stored in a file in the user’s
home directory and is often called “.history”. Examining this file may allow the
reconstruction of the recent activities of a specific user.
/etc/passwd
Look for:
• new accounts
• changed uid (in particular, any account other than root with uid 0)
• no password (an empty password field)
• a “+::” entry (NIS/YP inclusion, which on some systems also permits a
passwordless login as user “+”)
~/.forward
The ~/.forward file is used to manipulate E-mail forwarding. When examining this
file, look for any suspicious entries (that is, would it make sense for a legitimate
user to manipulate his or her E-mail in that manner?).
~/.rhosts
The ~/.rhosts file can be used to allow remote access to a system and is sometimes
used by intruders to create easy backdoors into a system. If this file has recently
been modified, examine it for evidence of tampering. Initially and periodically verify
that the remote host and user names in the files are consistent with local user
access requirements. View with extreme caution a “+” entry; this allows users from
any host to access the local system.
An older vulnerability is systems set up with a single “+” in the /etc/hosts.equiv file.
This allows any other system to log in to your system as any non-root user. The “+”
should be replaced with specific host names. Note, however, that /etc/hosts.equiv is
never consulted for root, so an intruder cannot gain root access through its entries;
a ~root/.rhosts file, by contrast, does grant root access and must be examined
separately.
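The /etc/passwd and rhosts checks above, as an added example that is not part of the CIAC guide: a POSIX shell and awk script that flags accounts other than root with uid 0, duplicate uids, empty password fields and “+” entries in a passwd file, and “+” wildcards in a .rhosts or hosts.equiv file. The function names and the sample files are constructed for this illustration; on a system with shadow passwords the empty-password test belongs on /etc/shadow rather than /etc/passwd.

```shell
#!/bin/sh
# Added example, not a command from the CIAC guide: audit a passwd file
# for the indicators listed above and flag "+" wildcards in .rhosts and
# hosts.equiv files. Assumptions: POSIX sh and awk, and a passwd file
# that carries the password field in column 2 (on a system with shadow
# passwords the empty-password test must be run on /etc/shadow instead).
# The sample files written by write_samples are constructed for the
# demonstration and are not real system files.

# One line per finding: TAG<tab>account<tab>detail
audit_passwd() {
    awk -F: '
        # "+"/"-" entries pull accounts in from NIS/YP; a bare "+::" line
        # is also the classic passwordless "+" login
        $1 ~ /^[+-]/ { printf "NISENTRY\t%s\t%s\n", $1, $0; next }
        # empty password field: anyone can log in as this account
        $2 == "" { printf "NOPASSWD\t%s\tuid=%s\n", $1, $3 }
        # uid 0 is root whatever the account is called
        $3 == 0 && $1 != "root" { printf "UID0\t%s\tuid=0\n", $1 }
        # the same uid under two names: one may be an intruder alias
        {
            if ($3 in seen) printf "DUPUID\t%s\tshares uid %s with %s\n", $1, $3, seen[$3]
            else seen[$3] = $1
        }
    ' "$1"
}

# Flag wildcard trust in a .rhosts or hosts.equiv file: a "+" in the host
# column trusts every host, a "+" in the user column trusts every user.
audit_rhosts() {
    awk -v file="$1" '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == "+" || $2 == "+" { printf "WILDCARD\t%s:%d\t%s\n", file, NR, $0 }
    ' "$1"
}

# Constructed samples: a backdoor uid-0 account "toor", a passwordless
# "guest", a "+::" entry, and a .rhosts that trusts the world.
write_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
toor:x:0:0:backdoor:/:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
+::0:0:::
EOF
    cat > "$dir/rhosts" <<'EOF'
# trusted peers
trusted.example.com alice
+
evil.example.com +
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    audit_passwd "$d/passwd"
    audit_rhosts "$d/rhosts"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the sample files the passwd audit reports four findings (UID0 and DUPUID for toor, NOPASSWD for guest, NISENTRY for the “+” line) and the rhosts audit reports the two wildcard lines. The “new accounts” and “changed uid” indicators still need a saved copy of the file from a known-good state to diff against, since the script can only judge what is in the file in front of it.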
~/ftp Files
Directories which can be written to by anonymous FTP users are commonly used for
storing and exchanging intruder files. Do not allow the user “ftp” to own any
directories or files.
Determining if System Executables Have Been Trojaned
SPI or Tripwire must be set up before a compromise in order to determine whether
your system executables have been Trojaned. Use your vendor’s distribution media
(for example, the installation CD-ROM) to make sure you have a good copy of all
your system executables, then run the above mentioned products according to the
instructions that accompany them to create a basis for later comparison.
Periodically, run SPI or Tripwire to detect any modification of the system
executables.
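A minimal version of the baseline-and-compare procedure that SPI and Tripwire implement, as an added example (not Tripwire, SPI, or any code from the CIAC guide): it records SHA-256 checksums of every file under a directory and later reports what was added, changed or removed. The same approach gives you a baseline of /etc/inetd.conf, /etc/aliases, the rc files and the crontabs, since they are just files under a directory. The function names, the sample tree and the use of sha256sum or shasum are my own assumptions.

```shell
#!/bin/sh
# Added example, not Tripwire, SPI or any command from the CIAC guide:
# record SHA-256 checksums of every file under a directory and later
# report what was added, changed or removed. Assumptions: POSIX sh, find
# and awk, plus sha256sum (GNU coreutils) or shasum (Perl) for the
# hashing; paths must not contain spaces or newlines. Take the baseline
# from known-good media before the system is exposed, run it as root, and
# keep the baseline file off the host (or on read-only media): a baseline
# the intruder can rewrite proves nothing. The tree written by
# make_sample_bin is constructed for the demonstration.

# "hash  path" for one file
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Checksum every regular file under ROOT into OUT, sorted by path.
make_baseline() {
    root=$1; out=$2
    find "$root" -type f -print | sort | while read -r f; do
        hash_file "$f"
    done > "$out"
}

# Compare ROOT against BASELINE and print one line per difference:
# ADDED (new file), CHANGED (same path, different hash), MISSING (gone).
check_baseline() {
    root=$1; base=$2
    now=$(mktemp)
    make_baseline "$root" "$now"
    awk -v base="$base" '
        FILENAME == base { old[$2] = $1; next }
        {
            if (!($2 in old))       printf "ADDED\t%s\n", $2
            else if (old[$2] != $1) printf "CHANGED\t%s\n", $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) printf "MISSING\t%s\n", p }
    ' "$base" "$now"
    rm -f "$now"
}

# Constructed sample tree standing in for /bin or /usr/bin
make_sample_bin() {
    dir=$1
    mkdir -p "$dir"
    for prog in ps netstat ls; do
        printf '#!/bin/sh\necho vendor %s\n' "$prog" > "$dir/$prog"
    done
}

demo() {
    d=$(mktemp -d)
    make_sample_bin "$d/bin"
    make_baseline "$d/bin" "$d/baseline"                    # taken before exposure
    printf '#!/bin/sh\nexec /tmp/.x/ps "$@"\n' > "$d/bin/ps"  # trojaned ps
    printf 'x\n' > "$d/bin/.sniff"                          # intruder's hidden file
    rm "$d/bin/ls"
    check_baseline "$d/bin" "$d/baseline"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the sample tree the demo prints CHANGED for ps, ADDED for .sniff and MISSING for ls. A cryptographic hash is used rather than a CRC because an intruder who can modify a file can also pad it until a CRC matches; the hash program itself and the shell must of course come from trusted media too, or a Trojaned sha256sum will happily report the old value.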
/etc/inetd.conf
Print a baseline listing of this file for comparison. Look for new services.
/etc/aliases
Look for unusual aliases and those that redirect E-mail to unlikely places. Look for
suspicious commands.
cron
Look for new entries in cron tab, especially root’s. Look at each user’s table.
/etc/rc*
Look for additions to install or reinstall backdoors or sniffer programs. Use SPI or
Tripwire to detect changes to files.
NFS Exports
Use the “showmount -a” command to list the remote hosts that currently have your
file systems mounted, together with the directories they have mounted. Check the
/etc/exports (or equivalent) file for modifications. Run SPI or Tripwire to detect
changes.
Note that the change time displayed by the “ls -lc” command can be changed and
the command itself can be Trojaned.
Section References:
Pichnarczyk, Karen, Weeber, Steve & Feingold, Richard. “Unix Incident Guide: How
to Detect an Intrusion (CIAC-2305 R.1)”. CIAC, Department of Energy, December
1994.
Appendix A : How Most Firewalls are Configured
All firewalls from any vendor that provide Internet firewall facilities require a routed
connection to the Internet to carry traffic between the Internet and in-house network
facilities. There is usually more than one router involved in such connections. With
some effort, connections are successful but usually difficult to monitor and manage.
A typical set-up with an Internet Service Provider where a firewall is configured in the
network is shown below as a chain of connections:
A: Internet -> B: CSU/DSU -> C: IP Router -> D: Ethernet/802.3 -> E: Firewall
System -> Ethernet/802.3 -> internal network
In the above diagram, the network and firewall connection parts are as follows:
c) A router system to connect to the ISP’s router connection to the Internet
d) An Ethernet/802.3 or Token Ring/802.5 UTP connection from the router to the
firewall
e) A “dual-homed gateway” firewall system with two LAN controllers (in this diagram,
two Ethernet/802.3 connections are provided)
f) An Ethernet/802.3 UTP connection from the firewall to the internal network
g) An internal network configuration. In this case, a simple stacked hub architecture
(e.g. Cabletron Mini-MAC)
One of the more popular configurations of a “firewall” is to use an external router as the
sole security facility between an untrusted network (e.g. the Internet) and the internal,
trusted network. This configuration is called a “screening router” set-up. A typical
configuration, shown as a chain of connections, is as follows:
A: Internet -> B: CSU/DSU -> C: IP Router -> D: Ethernet/802.3 -> internal network
e) An internal network configuration. In this case, a simple stacked hub architecture
(e.g. Cabletron Mini-MAC)
While the router is a required part of the network connection, there are some definite
problems with using screening routers as the only network security interface to an untrusted
network, including:
• Configuration of filters and security facilities in the router may be difficult to accomplish
and knowledge about the intricacies of routing is required to do it correctly
• There usually is little or no auditing or logging of traffic and security information as most
routers are diskless in nature and have no easy way to get information to secondary
(disk) storage. Further, routers are built to route and not necessarily to handle logging of
network traffic.
• It can be quite difficult for the network and security managers to get information out of
the router on the paths and security rule base that was implemented
• Adding authentication is difficult, time consuming and expensive even if the router
vendor supports such functions
• Sessions from other parts of the network may be “tunneled” on top of each other and,
therefore, non-filterable by the router itself
• There is usually a user demand to open up features in a router that are not screenable
by the router and therefore put the network (trusted side) at risk
• Any bug in the router’s operating environment may not be detected and can compromise
the network’s security (there are numerous CERT and CIAC alerts about router bugs
and security issues over the years)
• Routers can be “spoofed” with some types of IP header options (for example, source
routing options) that cause the router to treat an external packet as if it were an internal
packet according to its routing tables
• Over time, multiple connections on the router usually do not get the same security
screening rules. This means that one path through the router may not have the same
security facilities as another and this may allow alternate paths to compromise the
security of the router.
• Routers are configured to route. Enabling any filtering facility in a router will degrade the
router’s performance. As more filters are added, the router’s performance may degrade
to a totally unacceptable performance level for traffic. As a result, many sites opt to
remove necessary filtering for security to gain performance and end up compromising
trusted network security and integrity.
Appendix B: Basic Cost Factors of Firewall Ownership
The following 20 base factors comprise the basic costing issues in the ownership of
firewall products:
training on the firewall product will result in a much higher manpower costing
factor for in-house personnel as well as a higher consultation costing factor due
to the recurring need to secure outside help to make modifications to the firewall
facilities to satisfy corporate needs as time goes on.
8. Definition and installation of security policies for the firewall. Using the
requirements definitions, security filters are created that mirror the security
requirements for use of the network connection that is provided via the firewall
facilities. How long this phase takes depends heavily on the training provided to
in-house personnel or the expertise in the system and firewall product set for the
consultant(s) hired to implement the security policy filter baseline. There can be
a very wide variance in manpower requirement from product to product.
9. Testing of the firewall with the security policies installed. This phase of
costing is critical to reduce corporate risk factors and to ensure that the firewall
is functioning properly. Typically, the filters are fully tested by in-house or
consulting personnel and then a third party is contracted to provide a
penetration study to verify integrity of the firewall and proper implementation of
security policies implemented as filters in the firewall product set. How much
testing is required is a function of corporate risk factors, estimated usage
metrics, importance of reliability and many other issues.
10. Release of the firewall connection to the user population. For a period of
time, there is a requirement to provide modifications and changes to satisfy a
shake-down period of user access. This is usually a higher manpower
requirement than the day-to-day management function that eventually settles
into corporate use.
11. Day-to-day technical management effort. This costing factor involves the
typical day-to-day functions required to keep the firewall functioning properly
(checking of logs, events, backup/restore, disk maintenance, etc.) as well as the
modifications and additions to the security policy rule base to accommodate
new users, changes of service to existing users, moves of users, readdressing
issues of systems on the network, added service facilities, etc. There may also
be report-writing requirements to the company to show management and
maintenance of the firewall as well as disposition of serious events and
problems that need to be addressed as the product is used.
12. Periodic major maintenance and upgrades. As time goes on, there will be
required down-time network activities that are required to satisfy hardware and
software operational needs. The hardware will need to be periodically updated
with additional disk space or memory, faster processing may be required via a
new processing system, additional network controllers or faster network
controllers may be added to the configuration and so on. Software-wise, the
operating system may require upgrades to patch or fix problems, bug fixes and
updates to the firewall software will be required, new security threats may be
identified by vendors and updates to the security filters are required, etc. Further
major maintenance may be required in the form of major system upgrades to
support higher-speed Internet connectivity or to support multiple network feeds
from Internet, customers, sister companies, etc.
13. Remedial training for technical personnel. As the systems and software are
upgraded over time, the firewall software and operating environment will
undergo extensive transformations to take into account new security facilities as
well as new user facilities. This will require remedial training and updates to
technical personnel to allow them to properly take advantage of the new
facilities as well as to properly identify potential security risks and isolate them
before they become problems for the company. Remedial training may also
include attendance at national and international security conferences and
outside training events for firewall and security efforts.
14. Investigation of infiltration attempts. As the firewall product set is used and
connected to a publicly available network, chances are extremely likely that
unauthorized connections will be attempted by hackers and other disreputable
individuals on the network. When these infiltration attempts occur, someone
within the company will be required to investigate the whys and hows of the
penetration attempt, report on the attempt and help management make
decisions on what to do to defeat such infiltrations in the future as well as modify
existing policies, filtering rules and other firewall functions to ensure security
integrity in the firewall set-up. This effort, depending upon the visibility of the
company, can be time consuming and expensive. It is labor intensive, as the tools
on firewalls are only one component of the investigator’s repertoire of facilities
required to accomplish their mission.
15. Corporate audits. Needless to say, corporate EDP audit functionaries will
require someone who understands the firewall set-up to work with them to
ensure that corporate security requirements are properly implemented in the
firewall facilities. For those companies without proper corporate audit expertise,
an outside consultancy may be hired to evaluate the firewall set-up and
operations from time to time to ensure integrity and reliability. In either case,
someone familiar with the technical operations of the firewall set-up must be
made available to the audit functionary and this takes time.
16. Application additions to the network firewall connection. As the network
connection via the firewall increases in popularity and criticality to corporate
business, the need to add application facilities and access to remote network
facilities will increase. This leads to multiple meetings between firewall
management team personnel and users/application implementers who wish to
add applications over the firewall facilities. This will eventually result in new
security policy filters, additional firewall packet loading and other performance
and labor-related functions which affect overall cost of ownership. It may also
require hardware and software upgrades faster than expected due to packet or
application loading increases.
17. Major outage troubleshooting. From time-to-time, all technological
components break and a firewall is no exception. When such outages occur,
someone has to spend time defining the problem(s), finding solutions,
implementing solutions and restoring the status quo ante. How much time this
will take varies, but it usually is significant and intense as the firewall becomes a
locus of activity during an outage of any kind.
18. Miscellaneous firewall and network security meeting time (technical and
political). This factor is a catch-all for time spent explaining the firewall facilities
to interested corporate groups or management as well as functioning as a “go-
between” for information on facilities available to users. This factor can be
extremely time consuming and does not generate any measurable progression
as a general rule. It is manpower time required to keep things running smoothly
and is, therefore, a cost factor.
19. New firewall and network security technology assessment (ongoing). As
the firewall lifetime progresses, the need to evaluate new threats and new
technologies that defeat new threats is important. Further, additional vendor
features for a particular firewall product may need to be evaluated for inclusion
into the existing facilities. For instance, if a new standard for remote
authentication via firewalls is added to most products, this facility will need to be
evaluated for use with the existing facilities. This takes time and technical effort.
20. Application changes and network re-engineering. All applications and
network components change with time on any network. Prudent engineering
requires that firewall facilities be re-evaluated for any changes in application set-
up or network hardware changes that could affect the integrity of the firewall
facility. Again, a time-consuming effort is involved.
As can be seen, properly (and improperly) defined and installed firewalls consume a
great deal of time and resources. This makes them fairly expensive resources as
well as a strategic corporate resource, not a tactical one. The cost of a firewall is
not the firewall itself; it is all the ancillary functions and time involved. The more the
extra costs are eliminated, the better the costing solution for the customer.
Appendix C: Glossary of firewall related terms
1. Abuse of Privilege: When a user performs an action that they should not have,
according to organizational policy or law.
2. Application-Level Firewall: A firewall system in which service is provided by
processes that maintain complete TCP connection state and sequencing.
Application level firewalls often re-address traffic so that outgoing traffic appears
to have originated from the firewall, rather than the internal host.
3. Authentication: The process of determining the identity of a user that is
attempting to access a system.
4. Authentication Token: A portable device used for authenticating a user.
Authentication tokens operate by challenge/response, time-based code
sequences, or other techniques. This may include paper-based lists of one-time
passwords.
5. Authorization: The process of determining what types of activities are
permitted. Usually, authorization is in the context of authentication: once you
have authenticated a user, they may be authorized different types of access or
activity.
6. Bastion Host: A system that has been hardened to resist attack, and which is
installed on a network in such a way that it is expected to potentially come under
attack. Bastion hosts are often components of firewalls, or may be "outside"
Web servers or public access systems. Generally, a bastion host is running
some form of general purpose operating system (e.g., UNIX, VMS, Windows NT,
etc.) rather than a ROM-based or firmware operating system.
7. Challenge/Response: An authentication technique whereby a server sends an
unpredictable challenge to the user, who computes a response using some form
of authentication token.
8. Chroot: A technique under UNIX whereby a process is permanently restricted
to an isolated subset of the filesystem.
9. Cryptographic Checksum: A one-way function applied to a file to produce a
unique "fingerprint" of the file for later reference. Checksum systems are a
primary means of detecting filesystem tampering on UNIX.
10. Data Driven Attack: A form of attack in which the attack is encoded in
innocuous-seeming data which is executed by a user or other software to
implement an attack. In the case of firewalls, a data driven attack is a concern
since it may get through the firewall in data form and launch an attack against a
system behind the firewall.
11. Defense in Depth: The security approach whereby each system on the network
is secured to the greatest possible degree. May be used in conjunction with
firewalls.
12. DNS spoofing: Assuming the DNS name of another system by either corrupting
the name service cache of a victim system, or by compromising a domain name
server for a valid domain.
13. Dual Homed Gateway: A dual homed gateway is a system that has two or
more network interfaces, each of which is connected to a different network. In
firewall configurations, a dual homed gateway usually acts to block or filter some
or all of the traffic trying to pass between the networks.
14. Encrypting Router: see Tunneling Router and Virtual Network Perimeter.
15. Firewall: A system or combination of systems that enforces a boundary
between two or more networks.
16. Host-based Security: The technique of securing an individual system from
attack. Host based security is operating system and version dependent.
17. Insider Attack: An attack originating from inside a protected network.
18. Intrusion Detection: Detection of break-ins or break-in attempts either
manually or via software expert systems that operate on logs or other
information available on the network.
19. IP Spoofing: An attack whereby a system attempts to illicitly impersonate
another system by using its IP network address.
20. IP Splicing / Hijacking: An attack whereby an active, established, session is
intercepted and co-opted by the attacker. IP Splicing attacks may occur after an
authentication has been made, permitting the attacker to assume the role of an
already authorized user. Primary protections against IP Splicing rely on
encryption at the session or network layer.
21. Least Privilege: Designing operational aspects of a system to operate with a
minimum amount of system privilege. This reduces the authorization level at
which various actions are performed and decreases the chance that a process
or user with high privileges may be caused to perform unauthorized activity
resulting in a security breach.
22. Logging: The process of storing information about events that occurred on the
firewall or network.
23. Log Retention: How long audit logs are retained and maintained.
24. Log Processing: How audit logs are processed, searched for key events, or
summarized.
25. Network-Level Firewall: A firewall in which traffic is examined at the network
protocol packet level.
26. Perimeter-based Security: The technique of securing a network by controlling
access to all entry and exit points of the network.
27. Policy: Organization-level rules governing acceptable use of computing
resources, security practices, and operational procedures.
28. Proxy: A software agent that acts on behalf of a user. Typical proxies accept a
connection from a user, make a decision as to whether or not the user or client
IP address is permitted to use the proxy, perhaps does additional
authentication, and then completes a connection on behalf of the user to a
remote destination.
29. Screened Host: A host on a network behind a screening router. The degree to
which a screened host may be accessed depends on the screening rules in the
router.
30. Screened Subnet: A subnet behind a screening router. The degree to which
the subnet may be accessed depends on the screening rules in the router.
31. Screening Router: A router configured to permit or deny traffic based on a set
of permission rules installed by the administrator.
32. Session Stealing: See IP Splicing.
33. Trojan Horse: A software entity that appears to do something normal but which,
in fact, contains a trapdoor or attack program.
34. Tunneling Router: A router or system capable of routing traffic by encrypting it
and encapsulating it for transmission across an untrusted network, for eventual
de-encapsulation and decryption.
35. Social Engineering: An attack based on deceiving users or administrators at
the target site. Social engineering attacks are typically carried out by
telephoning users or operators and pretending to be an authorized user, to
attempt to gain illicit access to systems.
36. Virtual Network Perimeter: A network that appears to be a single protected
network behind firewalls, which actually encompasses encrypted virtual links
over untrusted networks.
37. Virus: A self-replicating code segment. Viruses may or may not contain attack
programs or trapdoors.
Appendix D: Top 10 Security Threats
Companies can prevent this by ensuring that their systems sit behind a network
firewall and any services available through this firewall are carefully monitored for
potential security exposures.
To combat this, ensure systems do not allow NFS through the firewall, and enable
NFS protections to restrict who can access files.
To prevent this from occurring, check with vendors to ensure systems are running a
correct version of sendmail or some more secure mail product.
Protect systems by ensuring that all vendor passwords have been changed.
Recently, computer hackers have been using sophisticated techniques and tools at
their disposal to identify and expose vulnerabilities on Internet-connected networks.
These tools and techniques can be used to capture names and passwords, as well
as to compromise trusted systems through the firewall.
To protect systems from this type of attack, check with computer and firewall
vendors to identify possible security precautions.
Hackers will attempt to gain sensitive or confidential information from companies by
placing calls to employees and pretending to be another employee. These types of
attacks can be effective in gaining usernames and passwords as well as other
sensitive information.
Most passwords that are easy to remember are also easy to guess. These include
words in the dictionary, common names, slang words, song titles, etc. Computer
hackers will attempt to gain access to systems using these easy-to-guess
passwords usually via automated attacks.
Protect systems by ensuring that passwords are not easy to guess, that they are at
least eight characters long, contain special characters and utilize both uppercase
and lowercase characters.
Computer viruses can infect systems on a widespread basis in a very short period.
These viruses can be responsible for erasing system data.
Protect systems from computer viruses by using anti-virus software to detect and
remove computer viruses.
9. Prefix Scanning
Computer hackers will be scanning company telephone numbers looking for modem
lines, which they can use to gain access to internal systems. These modem lines
bypass network firewalls and usually bypass most security policies. These
"backdoors" can easily be used to compromise internal systems.
Protect against this intrusion by ensuring modems are protected from brute force
attacks. Place these modems behind firewalls; make use of one-time passwords; or
have these modems disabled.
Appendix E: Types of Attacks
Boink (similar to Bonk, Teardrop and New Tear/Tear2), a hack
  Effect: System seizure
  How it works: Bad fragment attack
  Notes: Sends bad packet fragments that cannot be correctly reassembled,
  causing the system to fail

DoS (Denial of Service)
  Effect: Lack of access to resources and services
  How it works: Denial of Service attacks tie up system resources doing things
  you do not want so you cannot get service
  Notes: Examples include floods (which soak up bandwidth and CPU) and
  disconnects (which prevent you from reaching hosts or networks)

ICMP flooding (flood ping), a DoS attack
  Effect: Loss of bandwidth (slow responses from the Internet) and poor
  response time on the desktop
  How it works: A flood of ICMP (ping) requests that tie your system in knots
  responding to garbage traffic. This is analogous to wasting your time
  answering the door to never-ending doorbells that do nothing.
  Notes: Ties up CPU time and wastes your bandwidth with the garbage traffic.
  For example, “Pingexploit” typically attacks Unix systems with oversized
  ICMP packet fragments.

Identification flooding (Identd), a DoS attack
  Effect: Loss of bandwidth (slow responses from the Internet) and poor
  response time on the desktop
  How it works: Similar to an ICMP flood, but requests information from your
  system (TCP port 113)
  Notes: Very often slows the CPU down (even more than an ICMP flood) since
  identification responses take more time than ICMP responses to generate

Jolt (SSping, IceNuke), a hack
  Effect: System seizure
  How it works: Oversized, fragmented packet which causes the system to
  seize up
  Notes: System stops working and must be rebooted

Land, a hack
  Effect: System seizure forcing cold reboot
  How it works: Spoofing attempt which establishes a TCP/IP connection to you
  from you: a SYN packet whose source address and port are the same as its
  destination address and port forces the system to connect to itself, thereby
  locking itself up.
  Notes: The attacked system attempts to connect to itself and seizes up

Hack
  Effect: N/A
  How it works: An application or a packet that exploits a weakness in an
  operating system, application or protocol
  Notes: Varied results. Examples include smurf, teardrop, land, newtear,
  puke, ssping, jolt, etc.

Smurf, a hack
  Effect: A very effective CPU-crushing flood-like attack. Apparent system
  seizure.
  How it works: Sends ICMP echo requests with a spoofed source address (the
  victim’s) to a network broadcast address, so that every host on that network
  replies to the victim
  Notes: A form of flood that is very dangerous since it can get a
  “many-for-one” effect, tying up lots of CPU cycles for relatively few packets
  sent

unreachable (dest_unreach), a DoS attack
  Effect: “Destination Unreachable” messages and disconnection from a server
  How it works: There are two forms of this, client unreachable and server
  unreachable. The server unreachable attack sends an ICMP message to the
  system fooling it into thinking its traffic can no longer reach the server, so
  it gives up. The client unreachable form does the same thing to the server
  with respect to your system.

WinNuke, a hack and a DoS attack, but not a flood
  Effect: Loss of networking resources
  How it works: Sends OOB (Out-of-Band) data to port 139 and exploits
  Win 3.11, Win95, Win NT 3.51 and Win NT 4.0 systems
  Notes: Does not crash the system, but it causes a fatal exception requiring a
  reboot to regain TCP/IP (Internet) connectivity
Appendix F: Top 10 Security Precautions
Ensure corporate systems are protected from Internet attacks. Deploy a firewall
between these systems and the Internet to guard against network scans and
intrusions.
Subscribe to security alert mailing lists to identify potential security exposures before
they become problems. CERT (the Computer Emergency Response Team at Carnegie
Mellon University) is a good place to start. The URL for CERT’s Web site is
http://www.cert.org and the e-mail address is cert@cert.org.
Regularly check logging data and audit trails to look for unusual or suspicious
activity.
4. Backup Data
Don't be a victim of accidental or malicious data erasure. Backup all sensitive data
on a regular basis.
Computer viruses can spread throughout a system in minutes. Check systems for
viruses on a regular basis.
Don't pick easy to remember passwords and change them often. Consider the use
of one-time password tokens to avoid password compromise threats.
Consult with vendors and obtain any system security patches that can be used to
add additional layers of protection.
9. Employee Awareness
Ensure all employees and management are briefed regularly on security threats,
policies, corrective measures and incident reporting procedures.
A variety of public domain security tools exist on the Internet, many of which can be
used to assist in the protection of computer systems.
265
Appendix G: Virus Glossary
Bogus Programs: Programs which do not do what they have been advertised to
do. An example is XTRATANK, which claims to double your hard drive space. It
merely diddles the file allocation to double the reported size of the disk.
Boot Sector Virus: A virus secreted in the boot sector or replacing the boot sector
on a floppy disk. Also a virus on the master boot block of a hard disk, or in the
partition table of a hard disk. N.B. even non-system floppy disks still have a boot
sector; they just lack the boot program on that block! Examples are the Stoned and
Michelangelo viruses.
Checksum: A number that uniquely defines a file, block or other bit of computer
code. A checksum is calculated by applying an algorithm to each byte of the code
and rotating it, logically ANDing or ORing it to some standard, or otherwise encoding
it. The result is a single number which is a numeric fingerprint. See cyclic
redundancy check (CRC).
Droppers: Programs which have a legitimate use, but contain viruses which are
secretly planted in system. Droppers may actually be commercial software hacked
to drop viruses.
FAT: File Allocation Tables. These areas of the formatted floppy or hard disk
contain information used by the system to locate and maintain the file structure.
File Viruses: These viruses infect files with *.COM or *.EXE extensions. Friday the
13th is an example. Also included in this category are viruses which use the
"corresponding files" technique. These viruses search for directories with files with
.EXE extensions and then create a file of the same name with a .COM extension.
Since DOS executes files with the *.COM extension before those with the .EXE
extension, the virus is executed and then passes control to the .EXE file.
Hacks: Software which has been illegally modified by a system expert. See cracks,
pirates, droppers, etc. This may be as simple as modifying parts of the code with a
debugger, or as involved as patching the system to snatch interrupts.
Hoaxes: Programs which claim to do the impossible; and don't. An example is a file
2496 which claims to provide instructions on running a 2400 bps modem at 9600 or
even 14400 bps. If you follow the instructions, you get a modem which runs at 0
bps.
Interrupt: A hardware or software signal which indicates to the OS some event such
as a keystroke has happened. It is typically taken care of by an interrupt handler
which services the event.
Multi-partite Viruses: These viruses infect both boot sectors and files. Tequila is an
example.
Pirates: Any illegally obtained software. Also software which has had the copyright
notices, or other identification, altered or removed.
Rabbit: A program designed to exhaust a system resource (e.g. CPU time, disk
space, terminal I/O, etc.) by replicating itself without limit. It differs from a bacterium
in that it is specifically targeted at a system resource; and from a virus in that it is a
self contained program.
Rogue Program: A program that is no longer under the control of its owner, the
system or its executing terminal; a.k.a. zombie. A virus is the ultimate rogue
program!
Stealth Viruses: These viruses conceal the results of infection; keeping file length
unchanged for example, or modifying the file in such a way that the checksum is not
changed. They may simply alter the system so that the file length is reported
unchanged although it is actually increased. Hundred years is an example.
Systemic Viruses: These viruses infect parts of the system other than the boot
block. The file allocation table (FAT), device tables, directories, device drivers and
COMMAND.COM are typical targets. Number of the Beast is an example.
Time Bomb: A logic bomb activated after a certain amount of time, or on a certain
date. The classic example is a program that ceases functioning on a given date, as
a control for leasing it. Such a program is often re-activated by an appropriate
password.
Trojan Horse Programs: A program which has a hidden aspect which causes
malicious damage. The classic is AIDS, which purports to be an AIDS data base,
but actually destroys the hard disk when executed. False logon screens which
snatch the users logon ID and password are another example.
Virus (pl. viruses): a program that can "infect" other software by modifying them to
include a copy of itself. A program need not cause malicious damage to be a virus;
the act of "infecting" other programs is central to the definition.
Worm: A program that spreads copies of itself throughout a network. The first use
of the term was applied to a program that copied itself benignly around a network, to
use otherwise unused resources for distributed computation. A worm becomes a
security problem when it spreads against the wishes of the system owners, and
disrupts the network by overloading it.
Appendix H: Network Terms Glossary
AAL An acronym for ATM adaptation layer, which interprets the type and format of
user data messages, and then translates these messages into ATM format by
packaging them into the 48-byte payload portion of an ATM cell. The AAL’s
interpretation of data type and format is based on the specific class of service
assigned to the data by the application. The AAL provides support for four different
service classes and provides five different AAL types to accommodate a particular
service class. AAL1 is used for data that require connection-oriented, constant-bit
rate transmissions (e.g., voice transmissions); AAL2 is used for data that require
connection-oriented variable-bit rate transmissions (e.g., a videoconferencing
application); AAL3 and AAL4 are used for connection-oriented or connectionless
variable-bit rate transmissions (e.g., bursty data typical of LAN applications such as
those found on frame relay and SMDS networks); and AAL5, which is an
improvement to AAL3, is used for transmissions in which higher layer protocols
provide error recovery.
Access Line A term used in frame relay to denote the local loop. Also called port
connection.
Active Monitor A station on a token ring network that oversees the ring and ensures
that it is functioning properly. Also called a monitor station.
ADSL An acronym for asynchronous digital subscriber line, which is a DSL variant
in which traffic is transmitted at different rates in different directions. Downstream
rates range from 1.5 Mbps to 9 Mbps; upstream rates range from 16 kbps to 1
Mbps. Rates depend on line quality and local loop distance. Suitable for Internet or
intranet access, video-on-demand, database access, remote LAN access.
ADSL Lite A slower ADSL; also called G.lite. Downstream rates equal 1 Mbps;
upstream rates equal 128 kbps. Intended primarily for homes.
Always On/Dynamic ISDN (AO/DI) An initiative from the Vendor’s ISDN
Association (VIA) in which a portion of the D channel, which is always active and
constantly connected to the provider’s switch, is used to transmit user packet data.
Ambient Noise Electrical noise that is always present and is generated primarily
by transmission equipment like transmitters, receivers, and repeaters. Ambient
noise also can be induced by external sources such as fluorescent light
transformers, electrical facilities, and heat. Ambient noise makes it difficult for
receiving equipment to distinguish between incoming signals. Also called thermal
noise.
Analog Refers to any physical device or signal that varies continuously in strength
or quantity over an infinite range of voltages or currents. An example is voltage in a
circuit.
ARP An acronym for address resolution protocol, which is an Internet protocol that
binds a node’s IP address to its corresponding MAC sublayer (hardware) address.
Attenuation The decrease in signal strength, which occurs as the signal travels
through a circuit or along a cable. The longer the cable, the greater the attenuation.
Also, the higher the frequency of the signal, the greater the attenuation.
Auto-wrapping A term used to describe the “self healing” of a token or FDDI ring
that has been cut in a single spot. The break in the active ring is corrected by
establishing a loopback connection to the inactive ring. This creates a single virtual
ring and allows the network to continue to function at full speed.
B Channel A 64 kbps ISDN clear channel (no signaling information is sent on the
channel) used to transmit computer data (text and graphics), digitized voice, and
digitized video. Most basic ISDN services are based on multiple B channels. Also
called a bearer channel.
Baseband Cable Uses the entire bandwidth of the cable to carry a single signal.
Baud A unit of signaling speed, named after the French engineer Jean Maurice
Emile Baudot (1845-1903). It is another term used to express the capacity of a
channel, but is different from bits per second.
Baud Rate A measure of the number of times line conditions (i.e., frequency,
amplitude, voltage, or phase) change each second. At low speeds (under 300 bps)
data rate (measured in bps) and baud rate are the same because signaling methods
are relatively simple. As speed increases, signaling methods become more
complex. Baud rate then differs from data rate because several bits are typically
encoded per baud. That is, each signal can represent more than one bit of
information.
Bearer Channel See B channel.
Bend Radius The radius in which cable (copper or fiber) can be curved or “bent”
without breaking. Fiber is much more flexible than copper cable and can be bent in
much smaller radii than equivalent copper.
Bit-Time A unit of measure equal to 0.1 µs. Thus, a one bit transmission requires
0.1 µs. Transmitting a 64-byte Ethernet/802.3 frame requires 512 bit-times or 51.2
µs.
BNC Connector A type of connector used with thin coaxial cable. There are
several interpretations of BNC, including Bayonet Neill-Concelman (named after its
developers), Bayonet Nut Connector, Barrel Nut Connector, and British National
Connector.
BRI An acronym for basic rate interface, which is an ISDN basic access channel
that comprises two 64 kbps B channels, one 16 kbps D channel, and 48 bits of
overhead used for framing and other functions. Commonly written as 2B + D.
Bridge A layer 2 device that interconnects two or more individual LANs or LAN
segments. A transparent bridge is used in Ethernet/802.3 and 802.5 (Token Ring)
networks; a source routing bridge (introduced by IBM) is used exclusively in token
ring networks. Bridges keep local traffic local, but forward traffic destined for a
remote network. Forwarding/filtering decisions are based on MAC sublayer (i.e.,
hardware) addresses. Bridges partition Ethernet/802.3 networks into multiple
collision domains.
Broadcast Storm A network phenomenon that occurs when several broadcast
messages are transmitted at the same time. Broadcast storms can use up a
substantial amount of network bandwidth, and in many cases, can cause a network
to crash or shut down.
Bus Design A specific design based on a broadcast topology. All nodes are
directly connected to the same communications channel.
Cable Modem A modem that uses cable television lines for data communications.
These lines use broadband coaxial cable, which has a multitude of frequencies
available and significantly higher bandwidth than the UTP cable used by the telcos.
Cable modems provide an Ethernet/802.3 network interface that enables a
computer to connect to the cable. Once connected, it is as if the PC were connected
to an Ethernet/802.3 LAN. The connection is always “up,” and multimegabit data
rates are possible. Depending on the cable operator and service, current upstream
rates for cable modems are somewhere between 500 Kbps and 3 Mbps; downstream
rates range between 10 Mbps and 30 Mbps.
Carrier Sense Protocol A network protocol that requires nodes to first listen
(“sense”) for the “sound” of another node’s transmission prior to accessing a shared
channel.
CDDI An acronym for copper distributed data interface, which is an interface that
provides a 100 Mbps data transmission rate over copper. A CDDI network is similar
to an FDDI network. CDDI also is restricted to connections between concentrators
on the ring and single attachment devices, not for the ring itself.
Cell A unit of data that is transmitted across a network. Similar to a data frame.
When used in the context of ATM, a cell contains exactly 53 bytes: 48 bytes for user
data and 5 bytes for overhead.
Cells in Frames (CIF) Defines a method for transporting ATM protocols over
Ethernet and token ring LANs. CIF is a LAN technology that provides LANs with
ATM features including QoS and the seamless integration of data, voice, and video.
Centralized System A single computer that provides all the computing resources
for all offices and departments within an organization via computer terminals that
are connected to the centralized system.
Class of Service (CoS) A data prioritization scheme that tags data with a specific
priority level. Higher priority data get delivered before lower priority data.
CLEC An acronym for competitive local exchange carrier, which refers to a new
telecommunication service provider formed after the Telecommunications Act of
1996 in the United States.
Client A networked device that requests resources from a server.
Collision The term used to describe what happens when two or more nodes
attempt to transmit data simultaneously on an Ethernet/802.3 network: Their signals
collide resulting in a collision.
Committed Burst (Bc) A term used in frame relay to denote the maximum amount
of data a provider guarantees to deliver within a specified time period, T. CIR = Bc/T.
Most providers use a one-second time interval to calculate the average amount of
bandwidth utilization. Thus, CIR is usually equal to Bc. The difference between these
two parameters is their units. CIR is measured in bps; Bc is measured in bits. See
also excessive burst.
Computer Network A collection of computers and other devices that use a
common network protocol to share resources with each other over a network
medium.
Conductor That part of a wire which serves as the medium for the physical signal.
It is composed of either copper wire, glass, or plastic fiber. In the case of copper, the
wire can be stranded (composed of several thin wires) or solid (a single, “thick”
strand). Furthermore, the thickness of a wire is given in terms of gauge, which
represents the conductor’s diameter. The lower the gauge, the thicker the wire. Most
often, wire gauges are expressed in terms of AWG—American Wire Gauge—which
is a classification system for copper wire based on a wire’s cross-section diameter.
proceed because it is waiting for the first router to do something. Congestion control
is provided by layer 3 of the OSI model.
Consortia Standards Network standards that are designed and agreed upon by a
group of vendors who have formed a consortium for the express purpose of
achieving a common goal. These vendors pledge their support for the standards
being developed by the consortium and also develop and market products based on
these mutually agreed upon set of standards.
Contention Protocol A network protocol that specifies procedures nodes are to
follow when competing for access to the same communications channel at the same
time. Also called random access protocol.
Crosstalk Electrical interference (i.e., noise) that occurs when energy radiated
from one wire-pair of a twisted pair wire “spills over” into another pair. In one type of
crosstalk, called near-end crosstalk (abbreviated NEXT), a signal on the transmit
pair is so strong that it radiates to the receive pair. A direct consequence of this
spilled-over radiation is that the receiving device cannot decipher the real signal.
CSMA An acronym for carrier sense multiple access, which serves as the basis
for various random access protocols. CSMA-based protocols include one-persistent
CSMA, nonpersistent CSMA, CSMA with collision detection (CSMA/CD), and CSMA
with collision avoidance (CSMA/CA).
CSU An acronym for channel service unit, which is a device used for terminating
Tx circuits. A CSU regenerates the signal, monitors the line for electrical anomalies,
provides proper electrical termination, performs framing, and provides remote
loopback testing for diagnosing line problems. Usually combined with a DSU to form
a single unit called a CSU/DSU or DSU/CSU.
CSU/DSU An acronym for channel service unit/data (or digital) service unit, which
is a device that combines the functions of a CSU and a DSU. A CSU/DSU works
exclusively with digital signals; it provides an interface between a digital computing
device and a digital transmission medium.
frame. This polynomial is divided by a predetermined generator polynomial. The
remainder of this division, called the CRC checksum, is then assigned to a frame’s
checksum field. The most common CRC used in most LAN protocols is CRC-32, a
32-bit checksum.
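The Checksum entry in Appendix G and the CRC entry here describe the same idea from two ends: a simple checksum folds every byte into one number, while a CRC treats the frame as a polynomial and keeps the remainder of dividing it by the generator polynomial. As an added example (not from the manual), the Python below implements CRC-32 by exactly that bit-serial division, cross-checks it against the standard library's zlib.crc32, and contrasts it with a byte-sum checksum: a single flipped bit changes both, but a compensating edit of the kind the Stealth Viruses entry describes leaves the byte sum untouched while the CRC and a SHA-256 digest still change. The sample payload and the `compensating_change` helper are constructed for the example.

```python
import hashlib
import zlib
from typing import Dict

# IEEE 802.3 CRC-32 generator x^32+x^26+x^23+...+x+1 (0x04C11DB7), written in
# reflected (bit-reversed) form because bits are processed least-significant first.
CRC32_POLY_REFLECTED = 0xEDB88320


def crc32(data: bytes) -> int:
    """Bit-serial CRC-32: treat the message as a polynomial over GF(2), divide by
    the generator and keep the 32-bit remainder. The all-ones preset and the
    final inversion follow the Ethernet/zlib convention."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ CRC32_POLY_REFLECTED   # subtract the generator
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-rolled division against the standard library."""
    return crc32(data) == zlib.crc32(data)


def byte_sum_checksum(data: bytes) -> int:
    """The simplest checksum: add up every byte and keep the low 16 bits."""
    return sum(data) & 0xFFFF


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error in a single bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def compensating_change(data: bytes) -> bytes:
    """Constructed edit: +1 on the first byte, -1 on the second (assumes neither
    wraps around). The byte sum is unchanged, which is the weakness the Stealth
    Viruses entry describes; it is not a CRC or hash collision."""
    out = bytearray(data)
    out[0] = (out[0] + 1) & 0xFF
    out[1] = (out[1] - 1) & 0xFF
    return bytes(out)


def detectors_triggered(original: bytes, altered: bytes) -> Dict[str, bool]:
    """Which integrity checks notice the difference between the two payloads."""
    return {
        "byte_sum": byte_sum_checksum(original) != byte_sum_checksum(altered),
        "crc32": crc32(original) != crc32(altered),
        "sha256": hashlib.sha256(original).digest() != hashlib.sha256(altered).digest(),
    }


# Constructed sample payload (not a real file)
SAMPLE = b"MZ\x90\x00 constructed sample executable header, not a real file"

if __name__ == "__main__":
    print(hex(crc32(b"123456789")))   # standard check value 0xcbf43926
    print(detectors_triggered(SAMPLE, flip_bit(SAMPLE, 13)))
    print(detectors_triggered(SAMPLE, compensating_change(SAMPLE)))
```

A CRC is designed to catch accidental corruption (every single-bit error, and all burst errors shorter than the generator); it is linear, so it is not a defence against deliberate modification either. For detecting tampering with files, the comparison that matters is the last row of the result: a cryptographic hash, ideally keyed as an HMAC or signed.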
D Channel A 16 kbps or 64 kbps ISDN circuit that is used to carry signal and
control information for circuit-switched user data. The D channel transmits call
initiation (call- setup) and termination (call tear-down) information between an ISDN
device and the telco’s central office for each B channel. The D channel also can be
used to transmit packet-switched user data (provided that no signal or control
information is needed), data from security alarm signals of remote sensing devices
that detect fire or intruders, and low speed information acquired from telemetry
services such as meter reading. The “D” stands for “delta.”
Data Link Layer The second layer (layer 2) of the OSI Reference Model. The
data link layer regulates and formats transmission of information from software on a
node to the network cabling facilities. This layer is partitioned into two sublayers:
the logical link control sublayer (LLC), which provides framing, flow control, and
error control; and the media access control sublayer (MAC), which provides the
media access management protocols for accessing a shared medium.
Data Rate A measure of the amount of data that can be transferred over a
communications medium in a given period. Data rate is measured in bits per second
(bps) and can vary considerably from one type of channel to another.
DCE-to-DCE Rate The speed at which two modems “talk” to each other. This rate
is fixed and is a function of a modem’s speed. Typical rates are 14,400 bps (V.32),
28,800 bps (V.34), and 57,600 bps (V.90).
De Facto Standards Network standards, placed in the public domain, that have
been met with widespread industry acceptance instead of formal approval from a
standards organization. (“De facto” is Latin for “from the fact.”)
Digital Refers to any device or signal that varies discretely in strength or quantity
between two values, usually zero and one. Zero implies “off”; one implies “on.”
Digital signals are represented as binary digits called “bits,” and are discrete.
Digital Certificate An electronic passport that consists of a numerical pattern,
value, or key and used for personal identification. Creating a digital certificate
involves a user identifying a specific personal trait to a trusted third party, which
issues the certificate.
Digital Subscriber Loop The formal term used to denote the local loop, which is
the circuit between a customer’s premise equipment (CPE) and the telco’s
equipment.
Discard Eligibility The name of a field in a frame relay frame, which, if set to 1 by
an end node, denotes that the frame can be discarded in the presence of
congestion. Discarded frames will then be retransmitted at a later time when
congestion has subsided.
DLCI An acronym for data link connection identifier, which is a term used in frame
relay to denote virtual circuit addresses assigned to PVCs or SVCs.
DQDB An acronym for distributed queue dual bus, which is a data link layer
protocol (IEEE 802.6) that specifies the medium access method for MANs. Used in
SMDS.
DS-0 A single, digital voice channel rated at 64 kbps. The notation DS-0 stands for
digital signal at level 0, which refers to a voice channel multiplexed into a digital
signal.
DS-1 A digital signal that carries 24 DS-0 channels plus one 8 kbps channel
reserved for framing for an aggregate bandwidth of 1.544 Mbps. A T1 circuit carries
a DS-1 signal.
DS-2 A digital signal that carries 4 DS-1 channels for an aggregate bandwidth of
6.312 Mbps. A T2 circuit carries a DS-2 signal.
DS-3 A digital signal that carries 28 DS-1 channels for an aggregate bandwidth of
44.736 Mbps. A T3 circuit carries a DS-3 signal.
DS-4 A digital signal that carries 168 DS-1 channels for an aggregate bandwidth
of 274.176 Mbps. A T4 circuit carries a DS-4 signal.
DSL An acronym for digital subscriber line, which is a technology that enables
data, voice, and video to be mixed and carried over standard analog, (copper)
telephone lines. This is accomplished by using the unused frequencies that are
available on a telephone line. Thus, DSL can deliver data services without
interfering with voice transmissions.
There are at least nine DSL variants: ADSL, ADSL lite, HDSL, HDSL 2, IDSL,
RADSL, SDSL, UDSL, and VDSL.
DSSS An acronym for direct sequence spread spectrum, which is a physical layer
technology used in wireless LANs (IEEE 802.11). DSSS operates by spreading a
signal over a wide range of the 2.4 GHz band.
DSU An acronym for data (or digital) service unit, which is a device used for
terminating a Tx circuit. A DSU provides the interface (usually V.35, a type of serial
interface) for connecting a remote bridge, router, or switch to a Tx circuit. The DSU
also provides flow control between the network and the CSU. Usually combined with
a CSU to form a single unit called a CSU/DSU or DSU/CSU.
DTE An acronym for data terminal equipment. Computers (PCs, workstations) are
data terminal equipment. DTEs are the end points of a link and communicate
through their serial ports or expansion buses. See also data communications
equipment (DCE).
DTE-to-DCE Rate The speed at which a computer “talks” to its modem. Typical
rates include a 4:1 compression ratio between DTE and DCE speeds. Thus, for a
V.34 modem (28,800 bps), the DTE-DCE rate is 115,200 bps. This rate is user
configurable.
Dual-attachment Station (DAS) An FDDI node that is connected to two full, dual-
fiber rings and has the ability to reconfigure the network to form a valid network
from components of the two rings in case of a failure. A DAS is also called a Class A
node.
E-1 Describes the multiplexing of 30 separate 64 kbps voice channels, plus one
64 kbps control channel, into a single, wideband digital signal rated at 2.048 Mbps.
E-1 is the basic telecommunications service used in Europe.
E-2 A multiplexed circuit that combines four E-1 circuits and has an aggregate
bandwidth of 8.448 Mbps.
E-3 A multiplexed circuit that combines 16 E-1 circuits and has an aggregate
bandwidth of 34.368 Mbps.
E-4 A multiplexed circuit that combines 64 E-1 circuits and has an aggregate
bandwidth of 139.264 Mbps.
E-5 A multiplexed circuit that combines 256 E-1 circuits and has an aggregate
bandwidth of 565.148 Mbps.
E-commerce Short for electronic commerce, which involves using the Internet for
credit card purchases of items such as automobiles, airline tickets, computer
hardware and software, and books.
EGP An acronym for exterior gateway protocol, which refers to any Internet
interdomain routing protocol used to exchange routing information with other
autonomous systems. Also refers to Exterior Gateway Protocol, which is a specific
EGP defined in RFC 904. Another EGP is the Border Gateway Protocol (BGP),
defined in RFC 1105 and RFC 1771. Both EGP and BGP are part of the TCP/IP
protocol suite. Of the two, however, BGP has evolved into a robust Internet routing
protocol and the term “Border Gateway Protocol” is used in favor of the term
“Exterior Gateway Protocol.”
EIGRP An acronym for enhanced IGRP, which is a routing protocol designed by
Cisco that combines the best features of distance-vector and link-state routing
protocols.
Error Control The process of guaranteeing reliable delivery of data. Error control
can be provided through error detection or error correction.
Error Correction The process in which a destination node, upon detecting a data
transmission error, has sufficient information to correct the error autonomously.
Error correction implies error detection.
Ethernet A local area network protocol developed jointly by Xerox, Intel, and
Digital Equipment Corporation (DEC) at the Xerox Palo Alto Research Center
(PARC) in the mid-1970s. The name “Ethernet” was derived from the old
electromagnetic theoretical substance called luminiferous ether, which was formerly
believed to be the invisible universal element that bound together the entire universe
and all its associated parts. Thus, an “ether” net is a network that connects all
components attached to the “net.”
Excessive Burst (Be) A term used in frame relay to denote the maximum amount
of uncommitted data a provider will attempt to deliver within a specified time period.
A provider will guarantee a committed burst of Bc bits and will attempt to deliver (but
not guarantee) a maximum of Bc + Be bits.
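The Committed Burst, Excessive Burst and Discard Eligibility entries together describe how a frame relay access point polices traffic over the measurement interval T. As an added example (not from the manual), the Python below models that policing: bits offered within Bc in the interval are carried under the guarantee, bits between Bc and Bc + Be are forwarded with the DE bit set so they are dropped first under congestion, and anything beyond Bc + Be is discarded at the access point. The parameter values (CIR 64 kbps with T = 1 s, so Bc = 64 000 bits; Be = 32 000 bits) and the frame sizes are constructed, and the cumulative-bit accounting is a simplification; real policers differ in detail between providers.

```python
from typing import Dict, List


class FrameRelayPolicer:
    """Simplified access-point policer for one measurement interval T.

    Bc (committed burst, bits) is what the provider guarantees per T, so CIR = Bc / T.
    Be (excess burst, bits) is what it will try, but not promise, to carry on top.
    """

    def __init__(self, bc_bits: int, be_bits: int, t_seconds: float = 1.0):
        self.bc = bc_bits
        self.be = be_bits
        self.t = t_seconds
        self.offered = 0   # bits seen so far in the current interval

    def cir(self) -> float:
        """Committed information rate in bits per second (equals Bc when T = 1 s)."""
        return self.bc / self.t

    def new_interval(self) -> None:
        """Start the next interval T; the bit count begins again."""
        self.offered = 0

    def offer(self, frame_bits: int) -> str:
        """Police one frame. Returns one of:
        'committed' - within Bc, delivered under the guarantee;
        'de'        - within Bc + Be, forwarded with the Discard Eligibility bit
                      set, so it is dropped first when the network is congested;
        'dropped'   - beyond Bc + Be, discarded at the access point.
        """
        self.offered += frame_bits
        if self.offered <= self.bc:
            return "committed"
        if self.offered <= self.bc + self.be:
            return "de"
        return "dropped"


def police_burst(policer: FrameRelayPolicer, frame_sizes: List[int]) -> Dict[str, int]:
    """Run a burst of frames through the policer and count each outcome."""
    counts = {"committed": 0, "de": 0, "dropped": 0}
    for size in frame_sizes:
        counts[policer.offer(size)] += 1
    return counts


def run_example() -> Dict[str, int]:
    """Constructed scenario: CIR 64 kbps (Bc = 64 000 bits, T = 1 s), Be = 32 000
    bits, and a burst of nine 1500-byte (12 000-bit) frames within one second."""
    policer = FrameRelayPolicer(bc_bits=64_000, be_bits=32_000, t_seconds=1.0)
    return police_burst(policer, [12_000] * 9)


if __name__ == "__main__":
    print(run_example())   # {'committed': 5, 'de': 3, 'dropped': 1}
```

With these numbers the first five frames (60 000 bits) are committed, frames six to eight (up to 96 000 bits) go out marked DE, and the ninth exceeds Bc + Be and never enters the network; which is why an end node that sets DE itself on low-value traffic keeps its important frames inside the Bc budget.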
4B/5B A data encoding method, which stands for four bits in five baud, or four-bit
to five-bit, used in FDDI networks.
5-4-3 Repeater Rule A general rule of thumb to follow when configuring an
Ethernet/802.3 LAN to ensure that it follows IEEE specifications. The 5-4-3 rule
requires: no more than 5 segments of up to 500 m each; no more than 4 repeaters;
and no more than 3 segments can have end nodes connected to them. This rule is
also known as the 4-repeater rule, or the 5-4-3-2-1 rule. In the latter, the “2” implies
that two of the five segments are used as interrepeater links, and the “1” implies
that a configuration using the maximum parameters permitted results in one
collision domain.
Fast Ethernet 100 Mbps Ethernet (IEEE 802.3u). Three different media
specifications are defined: 100BASE-TX, 100BASE-T4, and 100BASE-FX.
FDDI Fiber Distributed Data Interface. FDDI networks are described by ANSI
standard X3T9.5 and created in 1986 for interconnecting computer systems and
network devices typically via a fiber ring topology at 100 Mbps.
FDDI-II A now defunct second generation FDDI technology that was intended to
handle traditional FDDI network traffic as well as synchronous, circuit-switched PCM
data for voice or ISDN systems.
Fiber-optic Cable A type of cable that carries data signals in the form of
modulated light beams. The cable’s conductor can be either glass or plastic. Fiber-
optic cable is immune to electromagnetic interference (EMI) and other types of
externally induced noise, including lightning, it is unaffected by most physical factors
such as vibration, its size is smaller and its weight lighter than copper, it has much
lower attenuation per unit of length than copper, and it can support very high
bandwidth. Two general types are available: single-mode fiber and multimode fiber.
used on Internet connections are frame-filtering, packet-filtering, circuit gateways,
stateful and application gateways, and proxy servers.
Flow Control A process that controls the rate at which data messages are
exchanged between two nodes. Flow control provides a mechanism to ensure that a
sending node does not overwhelm a receiving node during data transmission.
FRAD An acronym for frame relay access device, which is a term used to denote
any frame relay end node.
Frame A specially formatted sequence of bits that incorporates both data and
control information.
Framing A data link layer process that partitions a bit stream into discrete units or
blocks of data called frames.
GAN An acronym for global area network, which refers to a collection of WANs
that span the globe.
Gigabit Ethernet 1000 Mbps Ethernet (IEEE 802.3z).
GOSIP An acronym for Government OSI Profile, which mandated all government
organizations purchase OSI-compliant networking products beginning in 1992. In
1995, however, GOSIP was modified to include TCP/IP as an acceptable protocol
suite for GOSIP compliance.
H Channel An ISDN channel used for transmitting user data (not signal or control
information) at higher transmission rates than a B channel provides. Four H
channels are defined: H0 (six B channels; 384 kbps); H10 (United States-specific;
aggregates 23 B channels; 1.472 Mbps); H11(equivalent of North American DS-1;
24 B channels; 1.536 Mbps); and H12 (European-specific; comprises 30 B
channels; 1.920 Mbps).
Harmonic Motion The basic model for vibratory or oscillatory motion. Examples
include mechanical oscillators such as mass-spring systems and pendulums;
periodic motion found in the earth sciences such as water waves, tides, and climatic
cycles; and electromagnetic waves such as alternating electric currents, sound
waves, light waves, radio waves, and television waves.
HDSL An acronym for high bit-rate digital subscriber line, which is a DSL variant
that provides symmetrical service at T1 rates over 2 pairs of UTP, and E1 rates over
3 pairs of UTP. Telephone service not supported. Applications include connecting
PBXs, serving as an alternative to T1/E1; suitable for campus networks and ISPs.
Hertz A measure of frequency in cycles per second. A frequency rate of one cycle
per second is defined as one hertz (abbreviated Hz). Named in honor of Heinrich
Rudolf Hertz (1857-1894), a German physicist who in the late 1880s was the first to
produce radio waves artificially.
HFC An acronym for hybrid fiber cable, which describes a cable TV cable plant
that has fiber-optic cable between the head end and neighborhood distribution sites,
but coaxial cable between the neighborhood distribution and residential homes and
businesses.
Hold-down A strategy used by RIP that requires routers to not update their
routing tables with any new information they receive for a prescribed period of time,
called the hold-down time. Designed to prevent routing loops. Hold-down is not
standardized.
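To show how the hold-down timer stops a routing loop, here is a small Python model, added as an example and taken neither from the manual nor from any RIP implementation. Router A learns a network from neighbor B; B then reports it unreachable, which starts the hold-down; a stale advertisement from neighbor C (which learned the path from A earlier) arrives during hold-down and is ignored, so A never forwards toward C for a dead destination; once the timer expires, a fresh advertisement is accepted. The 180-second timer, the neighbor names and the prefix are assumed values chosen for the example; as the entry says, hold-down is not standardized, and real routers differ in which updates they accept while the timer runs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITY = 16            # RIP's "unreachable" metric (hop count limit)
HOLD_DOWN_SECONDS = 180  # assumed value; hold-down is not standardized


@dataclass
class Route:
    dest: str
    next_hop: Optional[str]
    metric: int
    hold_until: float = 0.0   # while now < hold_until the route is in hold-down


class RipRouter:
    """Distance-vector table of one router with a hold-down timer per route."""

    def __init__(self, hold_down: float = HOLD_DOWN_SECONDS):
        self.hold_down = hold_down
        self.table: Dict[str, Route] = {}

    def receive(self, neighbor: str, dest: str, metric: int, now: float) -> str:
        """Process one update (neighbor reaches dest at metric); return the action taken."""
        new_metric = min(metric + 1, INFINITY)   # one more hop to go via neighbor
        route = self.table.get(dest)
        if route is None:
            if new_metric < INFINITY:
                self.table[dest] = Route(dest, neighbor, new_metric)
                return "installed"
            return "ignored (unknown destination)"
        if now < route.hold_until:
            # Hold-down: no new information about this destination is accepted
            # until the timer expires, so a stale advertisement from another
            # neighbor cannot resurrect the dead path and form a loop.
            return "ignored (hold-down)"
        if new_metric >= INFINITY:
            if route.next_hop == neighbor and route.metric < INFINITY:
                # Our next hop says the destination is gone: mark it unreachable
                # and start the hold-down timer.
                route.metric = INFINITY
                route.hold_until = now + self.hold_down
                return "hold-down started"
            return "ignored (already unreachable or other path)"
        if new_metric < route.metric or route.next_hop == neighbor:
            route.next_hop, route.metric = neighbor, new_metric
            return "installed"
        return "ignored (worse metric)"


def run_scenario() -> List[str]:
    """Constructed sequence of updates seen by router A (times in seconds)."""
    a = RipRouter()
    events = [
        ("B", "10.2.0.0", 1, 0),     # B reaches 10.2.0.0 in 1 hop: A installs it via B
        ("B", "10.2.0.0", 16, 10),   # B reports it unreachable: hold-down starts
        ("C", "10.2.0.0", 2, 15),    # C still advertises the stale path it got from A
        ("C", "10.2.0.0", 2, 200),   # after hold-down expires, fresh information is accepted
    ]
    return [a.receive(*event) for event in events]


if __name__ == "__main__":
    for action in run_scenario():
        print(action)
```

The third event is the one that matters: without hold-down, A would install the route via C at metric 3, C would keep pointing at A, and packets for 10.2.0.0 would bounce between them until the metric counted up to 16.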
Hub Generically, any device that connects two or more network segments or
supports several different media. Examples include repeaters, switches, and
concentrators.
IBM Cable System (ICS) A copper wire classification system established by IBM
that specifies nine cable “types” (1 through 9). Of the nine “types” defined,
specifications are available for only seven; types 4 and 7 are not defined.
IDSL An acronym for ISDN-like digital subscriber line, which is a DSL variant that
provides symmetrical service at a maximum of 144 kbps each way. Uses ISDN
hardware.
IEEE 802 The primary IEEE standard for the 802.x series for LANs and MANs.
IEEE 802.2 IEEE standard that defines the Logical Link Control, which describes
services for the transmission of data between two nodes.
IEEE 802.3 IEEE standard that defines the Carrier Sense Multiple
Access/Collision Detection (CSMA/CD) access method commonly referred to as
Ethernet. Supplements include 802.3c (10 Mbps Ethernet); 802.3u (100 Mbps
Ethernet known as Fast Ethernet), and 802.3z and 802.3ab (1000 Mbps Ethernet
known as Gigabit Ethernet).
IEEE 802.4 IEEE standard that defines the token bus network access method.
IEEE 802.5 IEEE standard that defines the logical ring LAN that uses a token-
passing access method; known also as Token Ring.
IEEE 802.6 IEEE standard that defines metropolitan area networks (MANs).
IEEE 802.7 IEEE standard that defines broadband LANs (capable of delivering
video, data, and voice traffic).
IEEE 802.9 IEEE standard that defines integrated digital and video networking—
Integrated Services LANs (ISLANs).
IEEE 802.10 IEEE standard that defines standards for interoperable LAN/MAN
security services.
IEEE 802.11 IEEE standard that defines standards for wireless media access
control and physical layer specifications.
IEEE 802.12 IEEE standard that defines the “demand priority” access method for
100Mbps LANs; known also as 100 Base-VG or 100VG-AnyLAN.
IEEE 802.14 IEEE standard that defines a standard for Cable-TV based
broadband communication.
IGP An acronym for interior gateway protocol, which is any intradomain Internet
protocol used to exchange routing information within an autonomous system.
Examples include RIP, RIP-2, OSPF, IGRP, and Enhanced IGRP (EIGRP).
IGRP An acronym for interior gateway routing protocol, which was developed by
Cisco to address some of the problems associated with routing in large,
heterogeneous networks.
ILEC An acronym for incumbent local exchange carrier, which is the contemporary
name given to the RBOCs relative to the United States Telecommunications Act of
1996.
omega, Ω), impedance is a function of capacitance, resistance, and inductance.
Impedance mismatches, caused by mixing cables of different types with different
characteristic impedances, can result in signal distortion.
Intermodulation Noise Electrical noise that occurs when two frequencies interact
to produce a phantom signal at a different frequency. Occurs in frequency-division
multiplexed channels.
medium-term Internet engineering issues. Relies on the Internet Engineering
Steering Group (IESG) to prioritize and coordinate activities.
Internet Research Task Force (IRTF) An organization that is part of the Internet
Architecture Board and primarily concerned with addressing long-term research
projects. Relies on the Internet Research Steering Group (IRSG) to prioritize and
coordinate activities.
nologies and applications that support the research endeavors of colleges and
universities. Internet2 members use the vBNS to test and advance their research.
IPv4 An acronym for Internet protocol version 4.
IPv6 Address An IP address based on IPv6. An IPv6 address consists of 128 bits,
so the IPv6 address space (2^128 addresses) is 2^96 times the size of the IPv4
address space (2^32 addresses), that is, roughly 4 billion × 4 billion × 4 billion
times larger. Unlike IPv4 addresses, IPv6 addresses use a colon as their delimiter
(instead of a “dot” notation), and they are written as eight 16-bit integers
expressed in hexadecimal form (e.g., 2001:db8:0:0:0:0:0:1, which may be shortened
to 2001:db8::1 by collapsing a single run of all-zero groups).
ISDN An acronym for integrated services digital network, which is a carrier service
that is offered by telephone companies (telcos) and designed to transmit voice and
non-voice (e.g., computer data, fax, video) communications on the same network.
Also known jokingly as “I Still Don’t Need it,” “Innovative Services users Don’t Need,”
“I Still Don’t kNow,” and “It’s Still Doing Nothing,” in response to ISDN’s long period
of dormancy.
Isochronous A term used to describe the delivery of time sensitive data such as
voice or video transmissions. Networks that are capable of delivering isochronous
service (e.g., ATM) preallocate a specific amount of bandwidth at regular intervals
to ensure that the transmission is not interrupted.
IXC An acronym for inter-exchange carrier, (alternatively, IEC), which is any
company that provides long distance telephone and telecommunications services.
Examples include AT&T, Sprint, British Telecom (BT), and MCI Worldcom.
LAN An acronym for local area network, which is a network that generally
interconnects computing resources within a moderately sized geographical area.
This can include a room, several rooms within a building, or several buildings of a
campus. A LAN’s range is usually no more than 10 km in radius.
LANE An acronym for LAN emulation, which is an ATM protocol that specifies a
technology that enables ATM to emulate Ethernet/802.3 or token ring networks. In
ATM’s protocol hierarchy, LANE is above AAL5 in the ATM adaptation layer. The
LANE protocol defines a service interface for the network layer that functions
identically to the one used by Ethernet/802.3 and token ring LANs. Data that cross
this interface are encapsulated in the appropriate MAC sublayer format.
LAPM An acronym for link access procedure for modems, which uses CRC and
ARQ for error control. CRC is used for error detection; ARQ prevents the modem
from accepting any more data until the defective frame has been retransmitted
successfully. V.42’s default is LAPM. Thus, if a connection is being initialized
between two V.42 compliant modems, they will use LAPM for error control. If one of
the modems is not V.42 compliant, then the modems will negotiate to use MNP 1–4.
LATA An acronym for local access and transport area, which is a specific
geographical region in which a local exchange carrier (LEC) provides local
telephone and telecommunications services in the United States. There are 195
LATAs. Services that cross LATA boundaries are provided by inter-exchange
carriers (IECs).
Latency The amount of delay a network device introduces when data frames pass
through it. It is the amount of time a frame spends “inside” a network device. For
example, switch latency is usually measured from the instant the first bit of a frame
enters the device to the time this bit leaves the outbound (i.e., destination) port.
Layer 4 Switch A router that is capable of examining upper layer (layers 4
through 7) information to make routing decisions. It is more appropriate to refer to
layer 4 switches as either layer 2 or layer 3 application switches because application
information from upper layers is being used for routing decisions.
Line Set A term used by the National ISDN Users’ Forum to describe the number
of multiplexed B and D channels, and the type of ISDN service supported.
Lobe The name of a token ring node, as defined in the IBM world.
Lobe Length A term used to identify the cable length between token ring nodes.
Local Loop Refers to the circuit that connects the telephone central office or
exchange (sometimes called point of presence) with a customer’s location. In frame
relay, this circuit is called the port connection or access line. Formally called digital
subscriber loop.
Logical Link Control (LLC) Sublayer The top sublayer of the data link layer that
provides framing, flow control, and error control. Defined in IEEE 802.2.
Loop A network configuration in which nodes are connected via dedicated wiring
instead of through a centralized hub (as is the case of a star design). Loops can be
simple (only one connection between any two nodes), partial (some nodes are
interconnected by more than one link), or complete (every node has a connection to
every other node). A loop is also referred to as a meshed design.
L2F An acronym for layer 2 forwarding protocol (a Cisco design, documented in RFC
2341), which provides tunneling between an ISP’s dial-up server and the network.
L2TP An acronym for layer 2 tunneling protocol (RFC 2661), which defines a method
for tunneling PPP sessions across a network. It combines features of PPTP and L2F.
L2TP itself provides no confidentiality or integrity protection for the tunneled
traffic, which is why it is normally run over IPsec.
MAU Another term for a transceiver; “MAU” stands for “Medium Attachment Unit.”
Also, Multistation Access Unit, which is a token ring hub.
Media Access Control (MAC) Sublayer The bottom half of the data link layer
that provides media access management protocols for accessing a shared medium.
Example MAC sublayer protocols include IEEE 802.3 (Ethernet) and IEEE 802.5
(token ring).
Metro-Area Satellites A proposed system in which specially equipped jets flying
at 50,000 feet above cities take the role of satellites.
Micron One micrometer (one millionth of a meter) and abbreviated by the symbol
µm. Used in specifying the size of fiber-optic cable.
MNP An acronym for Microcom Networking Protocol, which defines various levels
of error correction and compression for modems.
MNP 1-4 The first four MNP levels used for hardware error control. All four levels
are incorporated into V.42.
MNP 5 The fifth level of MNP that incorporates the MNP 1-4. Also uses a data
compression algorithm that compresses data by a factor of 2 to 1.
MNP 6 The sixth level of MNP that supports V.22 bis and V.29.
MNP 7 The seventh level of MNP that improves MNP 5’s data compression
algorithm to a 3 to 1 compression factor.
MNP 8 The eighth level of MNP that extends MNP 7; enables half-duplex devices
to operate in full-duplex mode.
MNP 10 The tenth level of MNP that is used in cellular modems and in those
situations where line quality is poor.
Multilink PPP (MP) An extension of PPP (RFC 1990) that combines multiple physical
links (i.e., telephone lines) into a single, high capacity channel. Unlike BONDING,
which is implemented in hardware, MP is achieved via software. MP is also
applicable to analog dialup connections.
Multimode Fiber A type of fiber-optic cable with a core diameter ranging from 50
µm to 100 µm. In multimode fiber, different rays of light bounce along the fiber at
different angles as they travel through the core. This results in some degree of
signal distortion at the receiving end. Multimode fiber can be of two types: graded-
index or step-index.
Multiplexer A device that does multiplexing. Also called a mux for short.
NAP An acronym for network access point, which is an Internet traffic exchange
point that provides centralized Internet access to Internet service providers. A NAP
serves as a critical, regional “switching station” where all different network backbone
providers meet and exchange traffic on each other’s backbone.
NSAP An acronym for network service access point, which is an OSI addressing
mechanism used by private ATM networks. NSAPs are 20-byte addresses and
include a 13-byte prefix that can be used to identify a specific location including a
country, region, or end system.
netstat A UNIX program that displays a local host’s network connections and, with
the -r option, its routing table. Similar output can be generated on a Windows NT
system using the commands route print or netstat -r.
Network Diameter The overall length between a network’s two most remote
nodes.
Network Ethics Refers to specific standards of moral conduct by network users
for the responsible use of network devices and resources.
Network Interface Card A layer 2 device that performs standard data link layer
functions, including organizing data into frames, transferring frames between the
ends of a communication channel, and managing the link by providing error control,
initialization, control termination, and flow control. A NIC is also known as a LAN
adapter, network adapter, network card, and network board. When used in
Ethernet/802.3 networks, a NIC is called an Ethernet card or adapter.
Network Protocol Suite A set of related and interoperating network protocols. For
example, the TCP/IP protocol suite consists of protocols for e-mail, web service, file
transfers, and routing.
Network Termination Unit (NTU) A device that terminates E-1 circuits. An NTU
provides broadly similar CSU/DSU functionality.
Network Topology The basic design of a computer network that details how key
network components such as nodes and links are interconnected.
Node Another name for a device. Usually used to identify computers that are
network hosts, workstations, or servers.
Noise Any undesirable, extraneous signal in a transmission medium. There are
generally two forms of noise—ambient and impulse. Noise degrades the quality and
performance of a communications channel and is one of the most common causes
of transmission errors in computer networks.
OSPF An acronym for open shortest path first, which is an interior gateway
protocol based on a link-state algorithm. Designed for large, heterogeneous IP
networks.
Oversized Frame An Ethernet/802.3 frame with more than 1,518 bytes but a valid
CRC checksum.
guaranteed by the provider. More specifically, the port speed is less than the
aggregate CIR.
PAN An acronym for personal area network, which refers to residential computer
networks being established in private homes. Sometimes called TANs for tiny area
networks.
Parity Refers to the use of an extra bit (called a parity bit or a redundant bit) to
detect single-bit errors in data transmissions. Parity can be specified as even, odd,
or none. Even parity means that there must be an even number of 1-bits in each bit
string; odd parity means that there must be an odd number of 1-bits in each bit
string; and no parity means that parity is ignored. The extra bit (i.e., the parity bit) is
forced to either 0 or 1 to make the total number of bits either even or odd.
PBX An acronym for private branch exchange, a telephone exchange used within
an organization to provide internal telephone extensions and access to the public
telephone network; it is the modern day equivalent of what used to be called a
switchboard.
PCMCIA Card A layer 2 device that was originally designed to serve as memory
cards for microcomputers. These cards are now known as PC Cards. “PCMCIA”
stands for Personal Computer Memory Card International Association.
Period The reciprocal of the frequency. It is the amount of time it take to complete
a single cycle, that is, seconds per cycle.
PGP An acronym for pretty good privacy, which is a public key application
developed by Phil Zimmermann for e-mail security.
Physical Layer The lowest layer (layer 1) of the OSI Reference Model. The
physical layer translates frames received from the data link layer (layer 2) into
electrical, optical, or electromagnetic signals representing 0 and 1 values, or bits.
Abbreviated PHY in the documentation.
ping A UNIX and Microsoft NT program used to test the communication path
between source and destination nodes. Ping is an ICMP-based application and is an
acronym for packet Internet groper.
Pinout The electrical signals associated with each pin and connector. Also called
pin assignment.
Plastic Fiber A type of fiber-optic cable in which the fibers (i.e., conductors) are
constructed of plastic instead of glass.
Plenum Cable Any type of cable that contains an outer sheath or “jacket” that is
composed of a Teflon coating. Plenum cable is used for cable “runs” through a
return air system. The Teflon coating provides a low flame spread and does not
release toxic fumes as quickly as PVC does if the cable burns during a fire. Both
PVC and Teflon give off toxic gases when burning. Teflon, however, is fire retardant
and takes much longer to reach its burning point.
POP An acronym for point of presence, which usually refers to a telco’s central
office or switching station.
Port Connection A term used in frame relay to denote the local loop. Also called
access line.
Port Speed A term commonly used in frame relay to denote the data transmission
rate in bits per second of the local loop.
PRI An acronym for primary rate interface, which is an ISDN primary access
channel that comprises either 23 (United States) or 30 (Europe) 64 kbps B
channels and one 64 kbps D channel. Commonly written as 23B + D, or 30B + D.
Propagation Delay The amount of time a signal takes getting from one point in a
circuit to another.
PSTN An acronym for public switched telephone network, which is the traditional
analog-based telephone system used in the United States that was originally
designed for voice transmissions.
Public Key The half of a public/private key pair that is published openly. Anyone
can use it to encrypt a message for, or verify a signature made by, the holder of
the matching private key. A public key cannot decrypt what it encrypted; only the
private key can, and the private key must never be disclosed.
PVC Cable Any type of cable that contains an outer sheath or “jacket” that is
composed of polyvinyl chloride (PVC). Also called non-plenum cable.
Random Access Protocol A network protocol that governs how nodes are to act
in those instances where accessing a shared medium at will, on a first-come, first-
served basis is permitted. Also called contention protocol.
RBOC An acronym for regional bell operating company, which refers to a regional
telephone company in the United States formed after the AT&T breakup in 1984.
Redundancy Bits Extra bits incorporated into a data frame that provide error
correction information. A data set composed of both user data and redundancy bits
is called a codeword. Also called check bits.
Reliable Service A type of service in which the receiving node must acknowledge
receipt of data, so that the sender can retransmit anything that is not
acknowledged. This is called an acknowledged datagram service.
Repeater A layer 1 device that provides both physical and electrical connections.
Its function is to regenerate and propagate signals: it receives signals from one
cable segment, regenerates, re-times, and amplifies them, and then transmits these
“revitalized” signals to another cable segment. Repeaters extend the diameter of
Ethernet/802.3 networks, but the segments they join remain part of the same
collision domain.
RFC An acronym for request for comments, which are the working notes of the
Internet research and development community. RFCs provide network researchers
and designers a medium for documenting and sharing new ideas, network protocol
concepts, and other technically-related information. They contain meeting notes
from Internet organizations, describe various Internet protocols and experiments,
and detail standards specifications. All Internet standards are published as RFCs
(not all RFCs are Internet standards, though).
RIP-2 An updated version of RIP, formally known as RIP version 2 (RFC 2453). New
features include authentication (a cleartext password in the base specification,
which offers no real protection against an attacker on the link; keyed MD5
authentication was added by RFC 2082), route tags that distinguish routes learned
from other IGPs or from BGP, subnet mask support, and multicasting support.
Risk Analysis The assessment of how likely a loss is and how much it would cost
the organization, used to decide which safeguards are worth their price.
Router A layer 3 device that is responsible for determining the appropriate path a
packet takes to reach its destination. Commonly referred to as gateway.
Routing A layer 3 function that directs data packets from source to destination.
Routing Arbiter (RA) A project that facilitates the exchange of network traffic
among various independent Internet backbones. Special servers that contain routing
information databases of network routes are maintained so that the transfer of traffic
among the various backbone providers meeting at a NAP is facilitated.
Routing Protocol A specific protocol that determines the route a packet should
take from source to destination. Routing protocols are a function of network
protocols. For example, if your network protocol is TCP/IP, then several routing
protocol options are available including RIP, RIP-2, and OSPF. If your network
protocol is OSI’s CLNP, then your routing protocol is IS-IS. Routing protocols
determine the “best” path a packet should take when it travels through a network
from source to destination, and maintain routing tables that contain information
about the network’s topology. Routing protocols rely on routing algorithms to
calculate the least-cost path from source to destination.
Routing Table A data structure that contains, among others, the destination
address of a node or network, known router addresses, and the network interface
associated with a particular router address. When a router receives a packet it looks
at the packet’s destination address to identify the destination network, searches its
routing table for an entry corresponding to this destination, and then forwards the
packet to the next router via the appropriate interface.
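The lookup described in the Routing Table entry, as an added example that is not part of the original manual: a small forwarding table built with Python's standard ipaddress module, searched most-specific-prefix first with a default route as the fallback, and holding IPv6 entries alongside IPv4 ones (written in the colon-delimited form the IPv6 Address entry describes). All addresses, next hops and interface names below are constructed for illustration from the documentation address ranges.

```python
"""Longest-prefix-match lookup over a small routing table.

Added example, not from the original manual.  All addresses, next hops and
interface names are constructed for illustration (documentation ranges);
the rule itself (most specific matching prefix wins, default route last) is
how real forwarding tables are searched.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork              # destination network; a host route is /32 or /128
    next_hop: Optional[IPAddress]  # None means the network is directly connected
    interface: str


def build_table(entries: List[Tuple[str, Optional[str], str]]) -> List[Route]:
    """Parse (prefix, next_hop or None, interface) triples and order them
    longest prefix first, so a linear scan returns the most specific match."""
    table = [Route(ipaddress.ip_network(prefix, strict=True),
                   ipaddress.ip_address(nh) if nh else None,
                   ifname)
             for prefix, nh, ifname in entries]
    table.sort(key=lambda r: r.prefix.prefixlen, reverse=True)
    return table


def lookup(table: List[Route], dest: str) -> Optional[Route]:
    """Return the most specific route whose prefix contains dest, else None."""
    addr = ipaddress.ip_address(dest)
    for route in table:
        # 'in' is already False across IP versions; the explicit check documents intent.
        if route.prefix.version == addr.version and addr in route.prefix:
            return route
    return None


def ipv6_groups(addr: str) -> List[str]:
    """The eight 16-bit hexadecimal groups of an IPv6 address, zeros restored."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


# Constructed sample table (hypothetical addresses and interfaces).
SAMPLE_TABLE = build_table([
    ("0.0.0.0/0",       "192.0.2.1",   "eth0"),  # IPv4 default route
    ("192.0.2.0/24",    None,          "eth0"),  # directly connected
    ("10.10.0.0/16",    "192.0.2.254", "eth0"),
    ("10.10.5.0/24",    "192.0.2.253", "eth1"),  # more specific than the /16
    ("10.10.5.77/32",   "192.0.2.252", "eth2"),  # host route, most specific of all
    ("::/0",            "2001:db8::1", "eth0"),  # IPv6 default route
    ("2001:db8:1::/48", None,          "eth1"),
])


if __name__ == "__main__":
    for dest in ("10.10.5.77", "10.10.5.8", "10.10.9.1", "8.8.8.8",
                 "2001:db8:1::5", "2001:db8:2::5"):
        r = lookup(SAMPLE_TABLE, dest)
        print(f"{dest:>16} -> {r.prefix} via {r.next_hop or 'connected'} on {r.interface}")
```

The same most-specific-wins rule is what route injection and BGP prefix hijacking exploit: a route for 10.10.5.0/25 pointing at an attacker's next hop beats the legitimate /24 for half of that network without touching the original entry, which is why routing protocol authentication and prefix filtering matter.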
RSA An acronym for Rivest, Shamir, and Adleman, which are the last names of
the three individuals who designed the RSA public-key encryption algorithm.
Runt Frame An Ethernet/802.3 frame that is at least 8 bytes but less than 64
bytes long and has a valid CRC checksum.
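The Parity, Redundancy Bits, Oversized Frame and Runt Frame entries all concern error detection on a frame. The following added example (not from the original manual) shows a parity bit catching a single-bit error but missing a double-bit error, the Ethernet CRC-32 frame check sequence catching both, and then classifies constructed frames as runt, oversized or acceptable by the size limits the glossary gives. The frame contents, the MAC addresses and the label names are this example's own.

```python
"""Frame-level error detection: a parity bit versus the Ethernet CRC-32 FCS.

Added example, not from the original manual.  Frames are constructed (made-up
locally administered MAC addresses, zero-filled payloads); the classification
labels "ok", "runt", "oversized" and "bad_fcs" are this example's own names.
zlib's CRC-32 uses the polynomial IEEE 802.3 specifies for the FCS.
"""
import struct
import zlib

MIN_FRAME = 64             # bytes, including the FCS, excluding preamble/SFD
MAX_FRAME = 1518
FCS_RESIDUE = 0x2144DF1C   # crc32 over an intact frame *including* its FCS


def parity_bit(byte, even=True):
    """The bit that makes the count of 1s in byte+bit even (or odd)."""
    ones = bin(byte & 0xFF).count("1")
    return (ones & 1) if even else (ones & 1) ^ 1


def parity_ok(byte, bit, even=True):
    """Receiver-side check: does the total number of 1s have the agreed parity?"""
    total = bin(byte & 0xFF).count("1") + bit
    return (total & 1) == (0 if even else 1)


def add_fcs(frame_without_fcs):
    """Append the 4-byte FCS, transmitted least significant byte first."""
    return frame_without_fcs + struct.pack("<I", zlib.crc32(frame_without_fcs))


def fcs_ok(frame):
    """Recompute the CRC over everything but the last 4 bytes and compare."""
    if len(frame) < 4:
        return False
    body, (fcs,) = frame[:-4], struct.unpack("<I", frame[-4:])
    return zlib.crc32(body) == fcs


def residue_ok(frame):
    """Equivalent check used by receiving hardware: run the CRC over the whole
    frame, FCS included, and compare against the fixed residue."""
    return zlib.crc32(frame) == FCS_RESIDUE


def classify(frame):
    """Runt/oversized per the glossary: size outside [64, 1518] with a valid FCS."""
    if not fcs_ok(frame):
        return "bad_fcs"
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "oversized"
    return "ok"


def build_frame(payload_len):
    """Constructed Ethernet II frame: dst (6) + src (6) + EtherType (2) + payload + FCS (4)."""
    dst = bytes.fromhex("02000000aa01")    # locally administered, made up
    src = bytes.fromhex("02000000bb02")
    ethertype = b"\x08\x00"                # IPv4
    return add_fcs(dst + src + ethertype + bytes(payload_len))


def flip_bits(data, *positions):
    """Copy of data with the given bit positions flipped (0 = MSB of byte 0)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(out)


if __name__ == "__main__":
    byte = 0x56                                  # 0101 0110, four 1s
    p = parity_bit(byte)
    print("single-bit error caught:", not parity_ok(byte ^ 0x01, p))
    print("double-bit error missed:", parity_ok(byte ^ 0x03, p))
    frame = build_frame(46)                      # exactly 64 bytes
    print(len(frame), classify(frame), residue_ok(frame))
    print("two flipped bits:", classify(flip_bits(frame, 100, 101)))
    for n in (10, 1500, 1501):
        print(n + 18, "bytes ->", classify(build_frame(n)))
```

Neither check is a security control: a CRC detects accidental damage, but anyone who can modify the frame can simply recompute the FCS, so integrity against an attacker needs a keyed MAC or a signature, not redundancy bits.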
SDSL An acronym for symmetric digital subscriber line, which is a DSL variant in
which traffic is transmitted at same rate in each direction. Maximum transmission
rate is 768 kbps. Uses single-wire pair. Telephone service not supported. Suitable
for videoconferencing.
Shielded Twisted Pair (STP) Twisted pair cable in which individual wire pairs are
shielded (i.e., protected from noise).
Signal Quality Error (SQE) A signal generated by a transceiver and read by the
controller of the host to which the transceiver is connected. In V2.0 Ethernet, SQE is
called heartbeat and is generated periodically to inform the host’s controller that the
transceiver is “alive.” In IEEE 802.3, SQE is only generated when a real signal
quality error occurs.
Single Mode Fiber A type of fiber-optic cable with a core diameter ranging from 7
µm to 9 µm. In single mode fiber, only a single ray of light, called the axial ray, can
pass. Thus, a light wave entering the fiber exits with very little distortion, even at
very long distances and very high data rates.
SIP An acronym for SMDS interface protocol, which consists of three protocol
levels: SIP Level 3, SIP Level 2, and SIP Level 1. These three protocol levels are
similar in function to the first three layers of the OSI model but represent SMDS’s
MAC sublayer and hence operate at the data link layer.
Smart Card A type of “credit card” with embedded integrated circuits that store
information in electronic form and is used for authentication. The card typically
holds a private key together with its digital certificate and performs the
cryptographic operation on the card itself, so the private key is never exported to
the host computer.
Spanning Tree A single path between source and destination nodes that does not
include any loops. It is a loop-free subset of a network’s topology. The spanning tree
algorithm, specified in IEEE 802.1D, describes how bridges (and switches) can
communicate to avoid network loops.
SPID An acronym for service profile identification, which are numbers assigned by
the telcos and used to identify the various processes of an ISDN device. (Used only
in North America.)
pattern and transmitting the real signal with the PN pattern. The transmission signal
is spread over a range of the frequencies in radio spectrum.
SVC An acronym for switched virtual circuit, which is a circuit between source and
destination nodes that is established on the fly and then removed after data
communications have ended. SVCs are logical, dynamic connections instead of
logical permanent connections as with PVCs. Thus, SVCs provide switched, on-
demand connectivity.
Standby Monitor A station (i.e., node) on a token ring network that oversees the
active monitor. Except for the active monitor, all token ring nodes are standby
monitors.
Stateful Firewall A device or product that monitors all transactions between two
systems and is capable of (1) identifying a specific condition in the transaction
between two applications, (2) predicting what should transpire next in the
transaction, and (3) detecting when normal operational “states” of the connection
are being violated.
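The three capabilities listed in the Stateful Firewall entry, as an added example that is not from the original manual: a minimal TCP connection tracker that creates state only for a SYN leaving the trusted side, predicts the next legal handshake step, and drops packets that do not fit, including the classic bypass of a stateless “established” rule, an inbound packet with only the ACK flag set and no prior handshake. Packets are constructed tuples; the 10.0.0.0/8 “inside” test, the policy and the state names are this example's own choices.

```python
"""Minimal stateful inspection of TCP, as the Stateful Firewall entry describes.

Added example, not from the original manual.  Packets are constructed tuples
rather than parsed from the wire; the "inside" test, the policy (only an
outbound SYN may create state) and the state names are this example's own.
"""
from collections import namedtuple

# flags is a frozenset of TCP flag names, e.g. frozenset({"SYN", "ACK"})
Packet = namedtuple("Packet", "src dst sport dport flags")


def is_inside(ip):
    """Hypothetical trusted network 10.0.0.0/8; a real filter would use a prefix table."""
    return ip.startswith("10.")


class StatefulFirewall:
    """Tracks TCP flows opened from the inside; admits only packets that fit the state."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.flows = {}

    @staticmethod
    def _key_and_direction(pkt):
        """Canonical flow key (inside endpoint first) plus 'out' or 'in'."""
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        if is_inside(pkt.dst) and not is_inside(pkt.src):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"
        return None, None

    def process(self, pkt):
        """Return (verdict, reason) and update the flow table."""
        key, direction = self._key_and_direction(pkt)
        if key is None:
            return "DROP", "not a flow between inside and outside"
        flags, state = pkt.flags, self.flows.get(key)

        if "RST" in flags:
            if state is None:
                return "DROP", "RST for a flow we never saw"
            del self.flows[key]
            return "ACCEPT", "flow aborted by RST"

        if state is None:
            # (1) identify the one condition that may create state: a bare SYN going out.
            if direction == "out" and flags == {"SYN"}:
                self.flows[key] = "SYN_SENT"
                return "ACCEPT", "new outbound connection"
            # A lone ACK or SYN-ACK from outside is what a stateless 'established'
            # rule would let through; with no state it is dropped here.
            return "DROP", "no matching state for %s" % sorted(flags)

        # (2) predict what should come next and (3) reject whatever violates it.
        if state == "SYN_SENT":
            if direction == "in" and flags == {"SYN", "ACK"}:
                self.flows[key] = "SYN_RECEIVED"
                return "ACCEPT", "handshake step 2"
            return "DROP", "expected SYN-ACK from outside"
        if state == "SYN_RECEIVED":
            if direction == "out" and flags == {"ACK"}:
                self.flows[key] = "ESTABLISHED"
                return "ACCEPT", "handshake complete"
            return "DROP", "expected final ACK from inside"
        if state == "ESTABLISHED":
            if "SYN" in flags:
                return "DROP", "SYN inside an established connection"
            if "FIN" in flags:
                self.flows[key] = "FIN_WAIT_" + direction   # remember who closed first
                return "ACCEPT", "close initiated"
            return "ACCEPT", "data in established connection"
        # FIN_WAIT_in / FIN_WAIT_out: wait for the other side's FIN, then forget the flow.
        if "FIN" in flags and not state.endswith(direction):
            del self.flows[key]
            return "ACCEPT", "both sides closed"
        return "ACCEPT", "ack or data during half-close"


def run(fw, packets):
    """Verdict for each packet in order (handy for whole-scenario checks)."""
    return [fw.process(p)[0] for p in packets]


if __name__ == "__main__":
    fw = StatefulFirewall()
    c, s = "10.0.0.5", "198.51.100.7"
    trace = [Packet(c, s, 40000, 80, frozenset({"SYN"})),
             Packet(s, c, 80, 40000, frozenset({"SYN", "ACK"})),
             Packet(c, s, 40000, 80, frozenset({"ACK"})),
             Packet("203.0.113.9", c, 4444, 22, frozenset({"ACK"}))]   # spoofed
    for p in trace:
        print(p.src, "->", p.dst, sorted(p.flags), fw.process(p))
```

A production tracker also tracks sequence numbers, times idle flows out, and bounds the size of the table, since an attacker who can create state faster than it expires exhausts the firewall's memory; those refinements are omitted here to keep the three listed capabilities visible.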
Static Route A fixed route that is entered into a router’s routing table either
manually or via a software configuration program.
Step-index Multimode Fiber A type of multimode fiber in which light pulses are
guided along the cable from source to destination by reflecting off the cladding.
T4 A multiplexed circuit that combines 168 T1 circuits and has an aggregate
bandwidth of 274.176 Mbps.
Thick Ethernet Describes IEEE 802.3 10BASE5, which uses “thick” coaxial cable
(outer diameter between 0.375-inch and 0.405-inch) as its physical medium.
Thin Ethernet Describes IEEE 802.3 10BASE2, which uses “thin” coaxial cable
(outer diameter between 0.175-inch and 0.195-inch) as its physical medium.
power, overhead, and many other items. Compared to bandwidth, throughput is
what the channel really achieves, where bandwidth is what is theoretically possible.
Token A special frame on a token ring or token bus network. Possession of the
token permits a node to transmit data.
Token Passing Protocol A network protocol that requires nodes to first possess
a special frame, called a token, prior to transmitting data. Token-passing schemes
are both contention-free and collision-free.
a logical ring using a physical ring topology, or as a logical ring structure arranged in
a physical star configuration.
Triple DES A variant of DES that uses three DES operations instead of one (encrypt,
decrypt, encrypt) with two or three 56-bit keys, for a nominal key length of 112 or
168 bits. Its effective strength is about 112 bits because of meet-in-the-middle
attacks, and its 64-bit block size makes it unsuitable for encrypting large volumes
of data under a single key.
Twisted Pair Cable A type of copper cable that uses at least two insulated copper
wires that have been twisted together. There are two basic types: unshielded twisted
pair (UTP) and shielded twisted pair (STP).
UDP An acronym for user datagram protocol, which is a connectionless protocol
providing an unreliable datagram service. UDP does not furnish any end-to-end
error correction (its checksum only detects damage, and is optional over IPv4), it
does not acknowledge or retransmit lost datagrams, and it performs no handshake, so
the source address of a UDP datagram is trivially forged. This is why UDP-based
services are the usual vehicle for reflection and amplification attacks.
UDSL An acronym for universal digital subscriber line, which is a DSL variant that
provides symmetrical service at 2 Mbps each way.
UNI An acronym for user-to-network interface, which is an end node’s port where
the local loop terminates at a customer’s site.
Unshielded Twisted Pair (UTP) Twisted pair cable in which individual wire pairs
are not shielded (i.e., protected from noise).
V.22 bis ITU-T standard for 2400 bps full-duplex modems; cycles to 1200 bps/600
bps.
V.32 ITU-T standard for 9600 bps modems; cycles to 4800 bps when line quality
degrades, and cycles forward when line quality improves.
V.32 bis ITU-T standard that extends V.32 to 7200, 12,000, and 14,400 bps;
cycles to lower rate when line quality degrades; cycles forward when line quality
improves.
V.32 ter Pseudo-standard that extends V.32 bis to 19,200 bps and 21,600 bps.
V.34 ITU-T standard for 28,800 bps modems. (Note: V.34 modems upgraded with
special software can achieve data rates of 31,200 bps or 33,600 bps.)
V.42 ITU-T standard for modem error correction. Uses LAPM as the primary error-
correcting protocol, with MNP classes 1 through 4 as an alternative.
V.42 bis ITU-T standard that enhances V.42 by incorporating the British Telecom
Lempel Ziv data compression technique to V.42 error correction. Most V.32, V.32
bis, and V.34 compliant modems come with V.42 or V.42 bis or MNP.
V.90 ITU-T standard for 56,000 bps modems (commonly called “56K modems”) in
which asymmetric data rates apply (i.e., the send and receive rates are different).
Depending on telephone line conditions, upstream rates (send) are restricted to
33,600 bps, and downstream rates (receive) to a theoretical 56,000 bps (in practice
about 53,000 bps under U.S. FCC line power limits). V.90 modems assume a
connection that is digital at one end (the service provider’s), so that the downstream
path involves only one digital-to-analog conversion, at the subscriber’s local loop.
vBNS An acronym for very high speed backbone network service, which is
another National Science Foundation-funded research and educational network.
The vBNS is a nationwide backbone network that currently operates at 622 Mbps
(OC-12) and is accessible to only those involved in high-bandwidth research
activities. The backbone is expected to be upgraded to OC-48 (2.488 Gbps) in
1999.
VDSL An acronym for very high-speed digital subscriber line, which is a DSL
variant that provides asymmetric service over a short copper loop fed from a
fiber-optic distribution point. Downstream rates range from 13 Mbps to 52 Mbps;
upstream rates range from 1.5 Mbps to 2.3 Mbps. Suitable for Internet/intranet
access, video-on-demand, database access, remote LAN access, and high-definition TV.
Virtual Path Identifier (VPI) A parameter used to identify ATM virtual path. VPI
information is carried within an ATM cell header.
VLAN An acronym for “virtual local area network.” Nodes comprising a VLAN are
not physically connected to the same medium. Instead, they are connected in a
virtual sense using specially designed software that groups several ports in a switch
into a single work
VOFR An acronym for voice over frame relay, which refers to transmitting voice
signals over a frame relay network.
Voice Over IP (VOIP) A technology that enables users to place telephone calls
across the Internet.
WAN An acronym for wide area network, which interconnects computing resources
that are widely separated geographically (usually over 100 km). This includes towns,
cities, states, and countries. A WAN generally spans an area greater than five miles
(eight kilometers). A WAN can be thought of as consisting of a collection of LANs.
Wire A general term used to describe the physical layer of a network. The three
main physical attributes of wire are conductor, insulation, and outer jacket. Wire also
has three important electrical characteristics that can directly affect the quality of the
signal transmitted across it: capacitance, impedance, and attenuation. Signal quality
is affected most by the combination of attenuation and capacitance. The two primary
forms of wire are copper and fiber. Also called cable.
Wire Speed A unit of measure used to describe a device’s maximum (i.e., fastest)
filtering and forwarding rates. In 10 Mbps Ethernet/802.3, wire speed for
minimum-size (64-byte) frames is 14,880 frames per second, because each frame
occupies 64 + 8 (preamble) + 12 (interframe gap) = 84 byte times on the wire. This
is frequently reported as 14,880 packets per second. (See Box 8-3.)
Workstation A computer system that has its own operating system and is
connected to a network. A workstation can be a personal computer such as a
Macintosh or Intel-based PC, a graphics workstation such as those manufactured by
Sun Microsystems, a super-minicomputer such as IBM’s AS/400, a
super-microcomputer such as DEC’s Alpha, or a mainframe such as an IBM ES-9000.
Also called host, server, desktop, or client.