Part I General network security concepts
New Security Concerns
Security threats
TCP/IP flaws
Part II Current Security Technologies
1. IPSec
2. SSL
3. Kerberos
4. VPN
5. Firewalls
6. Certificates
7. Router & Switch security
8. .NET security solutions
Part III Business Model and Infrastructure
Business model: e-Commerce business
Enterprise Security Model (Focus on DMZ security)
Security policy
Proposed security solutions with .Net technology
Part IV Simulation
Simulation
- performance analysis
Attacking
and hacking simulations using some hacking tools
ECE1800 project
Implementing Network
Security of Intranets and Extranets
Introduction
In recent years, Intranets and Extranets have become more widely deployed in many organizations. Many of these organizations are now extending their Intranets to reach key customers and business partners via Extranets. Undoubtedly, Intranets and Extranets offer clear cost savings and ease of installation compared with the expensive leased line networks or WANs based on proprietary technology. In addition, they enable highly productive and cost effective new ways for organizations to communicate with their customers, and collaborate with their business partners. However, Intranets and Extranets build on the public Internet which uses TCP/IP protocol (IPV4) as their communication language. The success of the Internet is its open design and it is flexible, powerful and well-suited to communication between a variety of platforms with divergent capabilities. However, its success also causes security problem for information transmitted over it. TCP/IP was designed to be open and had no security consideration in mind at the beginning. There are a number of serious security flaws inherent in TCP/IP protocol suite, which can be used to launch the malicious attacks. The new security challenges have emerged and become more and more critical for its business employment.
In this report, we outline the new security concerns for a organization to deploy Intranets and Extranets. We take an in-depth look at some security flaws of TCP/IP protocol and current security threats. In order to implement the network security in a corporation's Intranet and Extranets, we introduce new security technologies and services. Based on these technologies, we design our security solutions for a security sensitive e-commerce corporation to implement Intranet and Extranet. Finally, we conduct some tests and simulations to verify our work.
1
Basic
Security Concepts
In this part,
we begin with some fundamental concepts of network security. We outline
the main security risks for an
organization to deploy Intranets and Extranets. We describe some security
vulnerabilities in the TCP/IP protocol suite that gives attackers many
opportunities for malicious attacks on Internet connected computers. We also
present the methods and techniques that attackers use and our defence
solutions.
1.1
New Security Concerns
Information is the key asset in most
organizations. Companies gain a competitive advantage by knowing how to use
their information. As Intranets and Extranets have become widely deployed by
more and more organizations, the growth in network complexity has increased the
potential risks to organizational confidential information. The threat comes
from others who would like to acquire the information or limit business
opportunities by interfering with normal business processes. Information
security has become a new challenge and a critical problem to these
security-sensitive organizaitons. Figure
1 illustrates the potential points of attack for an organization to employ
the Intranet and Extranet.
Figure 1: Expanding Networks Increase Possible Points of Attack
Intranet and Extranet security breaches can
take a variety of forms. For example:
Ø
The
organizational information can be interrupted, intercepted, modified and
fabricated when it is transmitted from its internal network to the customers,
branch offices, partners and remote employees over the public network like
Internet
Ø
An
unauthorized person might gain access to a company's computer
system
Ø
Users
may share documents between geographically separated offices over the Internet
or Extranet
Ø
Telecommuters accessing the corporate Intranet
from their home computer can expose sensitive data as it is sent over the
wire
Ø
Inside
users (e.g. employees) authorized to use the system for one purpose might use it
for another, etc
In our project, we assume the insiders in an
organization are fully trustful. We will only consider the treats from outside
and address mainly network security.
1.2
Security Goal
Organizational valuable and sensitive
information should be secure while making it readily available. Information
security can be defined as:
Information security = Confidentiality +
Integrity + Availability + Authentication
The goal of our security policy is to ensure that each of the four fundamental components are adequately addressed:
Ø
Confidentiality: sometimes referred to as privacy, is the
protection of information from unauthorized disclosure. Most organizations must provide
information to some individuals while blocking access for someone else. Only
users who need to view sensitive information are authorized to do so. This can
be achieved either by restricting access to the information or by encryption to
ensure the intercepted information unreadable.
Ø
Integrity: refers to the ability to protect information,
data or transmissions from unauthorized, uncontrolled or accidental alterations
as it travels between senders and recipients. Data integrity is achieved by
preventing unauthorized or improper changes to data, ensuring internal and
external consistency. Digital signatures validate a user's identity, so that
message recipient can be sure that message senders are who they claim they are.
Digital signatures also provide strong evidence that the message has not been
altered since it was signed.
Ø
Availability: refers to the resources on the organization
network must always be accessible to people. This applies to everything from
servers and services to the information stored in a particular database. An
unauthorized user can compromise the system and fill mailboxes with unsolicited
commercial e-mail or disable large portions of the Intranet. Limiting the number
of entry points to the network and restricting the number of people with access
to these resources are two key methods for ensuring that your resources remain
available.
Ø
Authentication: refers to the process of verifying the claimed
identity of an individual, station or originator and determine whether to grant
a user permission to connect to the system. ?????
Why do we need to protect our information?
Where do these security threats come from? Because the Internet. In a local LAN, where information is
only limited to use in the internal network, the organizational information is
fully secure if not considering the inside attacks. The birth of the Internet
brought endless business opportunities to the e-Commerce companies. As these
organizations are migrating to the Internet, the security threats also emerge
since IP-based network data is wide open to tampering and eavesdropping. Let's
first take a deep look at the vulnerabilities and flaws in TCP/IP protocol suite
-- the language of the Internet.
1.3
TCP/IP
Vulnerabilities
TCP/IP is the most widely used network
communication standard that runs over the Internet. It’s a connectionless,
best-effort delivery protocol. The transmission data is broken into packets,
each packet with a destination address for the routing through the Internet. The
sequence number in each packet is used to identify the order of the packets, and
the TCP port number provides a mechanism to direct data to a specific
application. The packets travel over the Internet through the different (best
possible) ways and assemble when they the destination. Thus, the packets are
easily to be incepted, modified and fabricated when they are transmitted over
the public network. There are a number of security flaws in TCP/IP protocol
suite. These security flaws incur some attacks like packet sniffing, IP
spoofing, sequence number spoofing, routing attacks, source address spoofing,
authentication attacks, and Denial of Service, etc.
1.3.1 Packet
Sniffing
Packet Sinffing is the action of intercepting and reading network traffic that is being transmitted across a shared network communication channel. This is usually done by using utility software checking for interfaces working in promiscuous mode, or physical checking of all the connections. A common target for packet sniffers is user account and password. Since in a normal networking environment, the user accounts, passwords and data information for most protocols (such as HTTP, FTP, Telnet, SNMP, POP3, SMTP, IMAP) are sent across the network in plain-text. Once equipped to eavesdrop, it is not difficult for an attacker to capture packets that contain readable user account and password.
1.3.1.1
How does it work
Ethernet is the most popular computer network. Ethernet protocol works by sending packets to all networked computers on the same network segment. The packet header contains the proper address of the destination host. The network interface card (NIC) hardware in a networked computer receives every piece of packets that is transmitted across the network. Usually the network device driver software will only process incoming packets which contain the address of its host computer, or broadcast packets. However, the network adapter hardware can be configured to operate in an altered state, That is to be in promiscuous mode.
The promiscuous mode is the biggest security flaw of the Ethernet. In promiscuous mode, the network device can process all traffic transmitted across the network and forward the packets to its operating system, no matter whether these packets are addressed to itself or not. This option is used as a debugging tool for network administration. However, it could be misused by an attacker to eavesdrop the traffic transmitted over the network. Sniffing software just works by placing a system's network interface into promiscuous mode. After the network traffic is processed by the Network Interface Card, software mechanisms are used to filter the captured packet, extract and reconstruct the data portion of the packets, and to display in a readable format. Figure ??? (in part 4) shows the FTP basic authentication session was captured using network monitor.
1.3.1.2 Defences:
There are several ways to prevent this kind of
attacks:
·
Network Segmentation -- A network
segmentation can separate the network part with high-level security from
the low-level security network part, and minimizes the amount of information
that can be collected with a network sniffer or an analyzer which operate in
promiscuous mode. Repeaters
and passive hubs used for network segmentation do not provide security because
the flow of data arrives to any of its interfaces. Instead, routers, switches
and bridges can limit the flow of traffic, allow the traffic only go to its
destination interface.
·
Encryption -- Encryption schemes can be used to
prevent the contents from being read even though an attacker capture the
packets. E.g. Public key encryption programs PGP uses various forms of
encryption and combines messages with a simple packet format to provide a simple
and efficient security mechanism for the transmission of electronic mail (E-mail).
·
Secure
Socket Layer (SSL) -- SSL can be built into popular web browser and web servers.
It allows encrypted web surfing, and is almost always used in e-commerce when
users enter their credit card information.
1.3.2
IP Spoofing
The spoofing attack exploits the fact that IP
does not perform a robust mechanism for authentication. It believes that a
packet comes from where it claims. Since many systems (such as router access
control lists) define which packets may and which packets may not pass based on
the sender's IP address, this is a useful technique to an attacker, and is also
a strong weakness of TCP/IP protocol. IP addresses can be configured in
software, and it is usually easy to configure one address for a machine as if it
is another. A packet simply claims to originate from a given address, and there
is no way to know if it is or not.
To engage in IP spoofing, a hacker first uses a
variety of techniques to find an IP address of a trusted port, which is
permitted access through the packet-filtering router or firewall, then modifies
IP address in the packet header on the external network to gain access to the
internal network. It is possible to
route packets through the packet-filtering router or firewall if they is not
configured to filter incoming packets whose source address is in the local
domain. It is possible to spoof even if no reply packets can reach the
attacker.
Detection:
·
If
monitor packets using network-monitoring software such as netlog, and find a
packet on your external interface that has both its source and destination IP
addressed in the internal network, the internal network is currently under
attack.
·
Another way to detect IP spoofing is to compare
the process accounting logs between systems on the internal network. If the IP
spoofing attack has succeeded on one of the systems, the log entry on the victim
machine shows a remote access; on the apparent source machine, there is no
corresponding entry for initiating that remote access.
Defenses:
1)
Avoid
reliance on address-based authentication and trust
mechanisms;
2)
Disabling source routing;
3)
Using
a screening router or firewall which can intelligently filter network packets
based on configurable rules. This can avoid the following
attack:
·
Inbound attacks that originate from external
networks: implemented by configuring the router to discard incoming datagram
with a source address belonging to the internal network.
·
Outbound attacks that originate inside of your
own networks: implemented by discarding outgoing datagram with a source address
from an external network.
1.3.3
TCP Sequence Number Attack
This kind of attack uses TCP sequence number
prediction to construct a TCP packet sequence without ever receiving any
responses from the server. This allows an attacker to spoof a trusted host on a
local network.
The connection-oriented transport control
protocol (TCP) uses a 3-way handshake
to establish the connection before transmitting data between the server and
client. Telnet is just such an application. When a Telnet session is started,
the application layer will request TCP as its transport service in order to
insure reliability of the connection.
The client sends a connection request to the
server by setting the SYN bit and selecting an initial sequence number ISNc, the
server acknowledges the request by setting the ACK bit and its own sequence
number ISNs, and the client acknowledges the acknowledges by setting the ACK
bit. After the 3-way handshake, data transmission can take place. The 3-way
handshake can be shown as the following Figure:
Figure 2: TCP Three-way Handshake
Before data transmission, the Client must first
receive the sequence number ISNy from the Server. The 3-way handshake protocol
can be easily exploited by the attacker.
By monitoring a network connection, a hacker can record the exchange of
sequence numbers and predict the next sequence number.
The sequence number attack works this way: In
this case, the attacker could send the following sequence to impersonate trusted
Client (C):
Figure 3. TCP Sequence Number
Attack
Even though the message 2 from the Server (S)
to the Client(C) didn't go to the Attacker(X ), the attacker was able to know
the contents, and could send data at the right time.
In some systems, for example, Berkeley systems,
the initial sequence number variable is incremented by a constant amount once
per second, and by half that amount each time a connection is initiated. Thus,
if the attacker initiates a legitimate connection and observes the ISNs used, he
can calculate, ISNs used on the next connection attempt.
Defences
1)
Randomize the increment of the sequence number
attacks, make it difficult to guess or calculate
2)
Use a
cryptographic algorithm (or device) for ISNs generation, such as
DES.
1.3.4
Denial-of-Service
Denial of service occurs when a hostile entity
uses a critical service of the computer system in such a way that no service or
severely degraded service is available to others. The DoS attack is simple: send
more requests to the machine than it can handle. DoS cause datagram to be
discarded before final delivery, effectively blocks the communication path. Some
DoS attacks are: SYN Flooding attack, The Ping of Death (ICMP attack), E-mail
Bombing, Spoofing Attack DNS, Windows Nuke (newk)OBB Attack on Port 139, etc.
Here we briefly describe the SYN Flooding
attack and the Ping of Death (ICMP attack):
1.3.4.1 SYN Flooding
Attack
SYN attacks take advantage of a flaw in TCP "three-way handshake"(See Figure 1). In a normal connection, the client sends a SYN message requesting the connection to the server, the server acknowledges the request with SYN/ACK message, the client then sends ACK message acknowledging the approval. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. The problem arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message (it is called "half-open connection"). When the server receives the SYN request from the client, it must keep track of the partially opened connection in a "listen queue" for a period of time (typically 75 seconds). The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many half-open connections.
In DoS attack, an attacker can send a bundle of
SYN requests whose source address are set to a routable but unreachable (false
return address), which is easily be done by IP spoofing. The final ACK
messages will never be sent to the victim server. The server's queue is filled up with pending
connections. When the queue limit is reached, TCP drops all new incoming
requests until time-out and close the connections. However, the attacker
continues sending a new patch of IP-spoofed packets requesting new connections
faster than the server can expire the pending connections, and the process
begins again. The service is disabled indefinitely.
Figure 4: SYN
Flood Attack
Defences:
§
Deploying system operating patches: several vendors have
released operating system patches to compensate and react to SYN attacks
§
Not
running the visible-to-the-world servers at a level too close to its capacity.
§
Using
packet filtering to guard against attacks by checking the pattern of information
or request, prevent obviously forged packets from entering into the network
address space.
§
Using
Proxy Server to protect the main server. A proxy server stands between both the
client and the server during the connection. A proxy server acts as the "man in
the middle" so that there is no direct contact between a client and the server.
Denial of service is very easy to launch, but
difficult (sometimes impossible) to track. It is becoming a greater problem for
the Internet in recent years. It grows at a rate about 50% per year greater than
the rate of growth of Internet hosts, although the total number of incidents was
small.
1.3.4.2 Smurf Attack
The smurf attack is another kind of DoS attack.
It names after the source code employed to launch the attack (smurf.c). The
smurf attack employs forged ICMP echo request packets and the direction of those
packets to IP network broadcast address. Figure ??? illustrates how a smurf
attack works.
Figure 5: Smurf
Attack
The attacker (128.100.153.9) issues the ICMP
ECHO_REQUEST to the broadcast address of the intermediary network (the network
mask is 102.100.36.255). The attacker spoofs the source address using the IP
address (207.125.64.39) of the system it wishes to target. When the intermediate
network receives the packet with the falsified source address, they respond. The
targeted victim system then receives flooding echo replies from all systems on
the intermediary network. This flood can overwhelm the targeted victim’s
network. Both the intermediate and victim’s networks will see degraded
performance, and eventually results in unavailable for the
service.
1.3.4.3 The Ping of Death (ICMP
Attack)
This attack is also known as a "Ping Flood" attack. It emploited a flaw in many venfors' implementations of ICMP. ICMP is part of the IP protocol using the IP datagram to deliver messages. PING is a TCP/IP command that simply sends out an IP packet to a specified IP address or host name to see if there is a response from the address or host. Normally a PING (echo request) packet's size is about 32 to 64 bytes. However, the attacker can send a constant stream of over-sized forged PING packets to the target system. In many cases, this flood of traffic can cause an overflow in system's internals, and result in system crashes.
Defenses:
§ Blocking ICMP packets on the network firewalls to prevent the traffic from effecting the internal system.
1.3.5
IP Session Hijacking
IP Session Hijacking is an action that the
attacker takes over the control of the client's session (e.g Telnet). The
hijacking attack is usually launched after the user's authentication is
complete. An attacker first need to attack the connection by either closing it
or messing up the user's SEQ/ACK. Then the attacker takes over the session
without being noticed by the user.
Session hijacking is a higher level attack.
Since when a TCP link is established between the client and the server after the
client authenticated itself. You
can not be sure that it will be the same person for the rest of the session.
There are techniques to take over the connection. These tools send a message to
the client to cut the connection so that the attacker can communicate via the
same TCP link to the server.
The following are some techniques that an
attacker usually use to launch an IP Session Hijacking
attack:
1.3.5.1 Using reset
(RST)
TCP segments have flags which indicate the
status of the packet. RST is one flag that tells the receiving TCP module to
abort the connection because of some abnormal condition. To be accepted, only
the sequence number has to be correct since there is no ACK in a RST packet.
When A and B are in the connection, the attacker H watches the traffic between A
and B, and calculates the sequence number for A's next sent packet from B's
ACK's packet. When B is waiting for A's response, H launch a forged RST packet
to B as if it comes from A.
1.3.5.2 Using FIN to close a
connection
Another flag in TCP segments is FIN, which
tells the receiver that the sender does not have any more data to send. This
flag is used when closing a connection in a normal legal way. This works almost
the same as the former one. Instead of sending RST packet, it sends the FIN
packet. The attacker H can pretend to be either A or B, send a FIN packet to the
other host, and close the connection between A and B.
1.3.5.3 SEQ/ACK mess
up
Since TCP separates good and forged packets by
their SEQ/ACK numbers, i.e. B trusts the packets from A because of its correct
SEQ/ACK numbers. So, if there is a way to mess up A's SEQ/ACK, B would stop
believing A's real packet. The attacker H could then impersonate to be A, but
using correct SEQ/ACK numbers to connect with B. To mess up A's SEQ/ACK numbers,
the attacker simply insert a data packet with correct SEQ/ACK number for B at
the right time. Host B would accept the packet, and update ACK numbers. When A
continues to send packets to B, the real packets would be
dropped.
Defences:
This can be solved by using encryption scheme.
In this case, the attacker can still take over the session, but he can't see
anything because the session is encrypted. The attacker don't have the needed
cryptographic key to decrypt the data stream, therefore, be unable to do
anything with the hijacked session. In addition, a scheme that authenticates the
data’s source throughout the transmission is also needed.
1.3.6
Source Routing Attack
The biggest security hole in TCP/IP protocol is
IP source routing. Briefly, IP source routing is an option that can be used to
specify a direct route to a destination and return path back to the origination.
The route can involve the use of other routers or hosts that normally would not
be used to forward packets to the destination. This means if the originator of
the connection wishes to specify a particular path for some reason, replies may
not reach the originator if a different path is followed. The attacker can then
exploits this flaw and use any IP source address desired, including that of a
trusted machine on the target's local network. Any facilities available to such
machines become available to the attacker.
The following example shows how this can be
used such that an attacker's system could masquerade as the trusted client of a
particular server is as follows:
1. The attacker would change his host's IP
address to match that of the trusted client;
2. The attacker would then construct a source
route to the server that specifies the direct path the IP packets should take to
the server and should take from the server back to the attacker's host, using
the trusted client as the last hop in the route to the server;
3. The attacker sends a client request to the
server using the source route;
4. The server accepts the client request as if
it came directly from the trusted client and returns a reply to the trusted
client;
5. The trusted client, using the source route,
forwards the packet on to the attacker's host.
Defences
It is rather hard to defend against this sort
of attack. The best idea would be for the gateways into the local network to
refuse source routing protocol. And also be configured to reject external
packets that claim to be from the internal local network.
Man-in-the-Middle Attack
The "man in the middle" is a rogue program
that intercepts all communication between the client and a server with which the
client is attempting to communicate via SSL. The rogue program intercepts the
legitimate keys that are passed back and forth during the SSL handshake,
substitutes its own, and makes it appear to the client that it is the server,
and to the server that it is the client.
The encrypted information exchanged at the
beginning of the SSL handshake is actually encrypted with the rogue program's
public key or private key, rather than the client's or server's real keys. The
rogue program ends up establishing one set of session keys for use with the real
server, and a different set of session keys for use with the client. This allows
the rogue program not only to read all the data that flows between the client
and the real server, but also to change the data without being detected.
2
New
Technologies
Though there are a variety of network attacks,
there also exist a variety of security technologies available to address these
security holes and provide security services over IP-based netowrk. In this
part, we will first briefly give an introduction of these security technologies
that we will cover in the next part for deriving our solution to the
corporation's Intranet and Extranet. These technologies include IPSec, VPN, SSL
(now TLS), Kerberos, Firewall, Certificate, etc.
2.1 IPSec (Internet Protocol
Security)
IPSec is a security framework of open standards designed by Internet Engineering Task Force (IETF) to secure private communications over IP network. IPSec applies at the IP layer and thus offering protection for IP and all upper layer protocols. Security Services provided by IPSec are data authentication, confidentiality, integrity and replay prevention. The greatest advantage of IPSec is it completely transparent for the applications.
2.1.1 IPSec Overview
IPSec relies on two mechanisms (or protocols), AH (Authentication Header) and ESP (Encapsulating Security Payload). The parameters necessary to the use of these protocols are managed by security associations (SA), an association containing the parameters used to protect a given part of the traffic. SAs are stored in the Security Association Database (SAD) and are managed using the IKE (Internet Key Exchange) protocol. The protection offered by IPSec is based on choices defined in the Security Policy Database (SPD). This database allows to decide, for each packet, if it will be afforded some security services, will be authorized to pass by or will be rejected.
IPSec has two modes: transport mode, which protects only the transported data, and tunnel mode, which also protects the IP header. IPSec can be used either on a terminal host or on a security gateway, which allows for both link-by-link and end-to-end security. IPSec can thus be used, in particular, for the creation of virtual private networks (VPNs) or for the protection of remote accesses.
2.1.2 How it works
Ø
Outbound
traffic:
When the IPSec "layer" receives data to be sent, it starts by consulting the policy database (SPD) to determine what processing is required for the packet. If the packet must be afforded security services, the IPSec engine recovers the characteristics of the corresponding SA(s) and consults the SA database (SAD). If the necessary SA already exists, it is used to process the traffic in question. If not, IPSec calls IKE to establish a new SA with the necessary characteristics.
Ø
Inbound traffic:
When the IPSec "layer" receives a packet from the network, it examines the header to determine if this packet was afforded IPSec protection and if so what are the SA references. It then consults the SAD to determine the parameters to use for checking and/or the deciphering of the packet. Once the packet is checked and/or deciphered, the SPD is consulted to determine if the required IPSec processing was applied. If the received packet is a "normal" IP packet, the SPD makes it possible to know if it can nevertheless bypass IPSec.
2.1.3 Business
deployments
By placing IPSec-enabled hardware at different points in the network---routers, firewalls, hosts, as BITW "crypto boxes"--- different security deployments can be realized. End-to-end security can be achieved by deploying IPSec-enabled stacks on hosts. A VPN can be constructed by IPSec-enabled routers protecting traffic between protected subnets. Three basic configurations are possible:
Figure ??. Various possible
configurations depending on the equipment implementing IPSec
The first situation when two distant private network are to be connected using an unreliable network such as the Internet. In such a case, a virtual private network (VPN) is established between the security gateways.
The second situation corresponds to the case where mobile users are to securely access the Intranet. The unreliable network can be the Internet, the telephone network ...
Lastly, in the third situation, two parties wish to communicate in a secure way but do not have any confidence in the network that separates them.
The disadvantage of end-to-end security is that various applications such as QoS solutions, traffic shapping, firewalling and traffic monitoring, which require the ability to "inspect" or modify a transient packet will be unable to make the decisions that they are supposed to make. In addition, Network Address Translation (NAT) will also fail to modify a packet that has been secured.
There are also more complex configurations where several security associations, possibly affording different security services:
-Figure ??? Examples of double uses of IPSec
In the above example, the first
association can ensure the security services required by the external security
policy (authentication and confidentiality for example), and the second SA can
ensure the services required by the internal security policy (authentication of
the terminal host for example).
2.2 VPN (Virtual Private
Network)
2.2.1 VPN
Overview
A Virtual Private Network (VPN) is a collection of technologies that creates secure connections between two locations over the Internet or any insecure network that uses the TCP/IP protocol suite for communication. It usually achieves this by employing some combination of tunneling, encryption, authentication, access control, and auditing. It provides a virtual “tunnel” through the Internet or other public networks in a manner that provides the same security and features formerly available only in private networks (See Figure 2.2.1).
VPN
technology also allows the branch offices or business partners to connect to the
corporation over a public network, while still maintaining secure
communications. The VPN connection across the Internet logically operates as a
Wide Area Network (WAN) link between the sites. It also allows the employees
working at home or on the road to connect in a secure fashion to a remote
corporate server using the routing infrastructure provided by the Internet. From
the user’s perspective,
the
VPN is a point-to-point connection between the user’s computer and a corporate
server.
Figure 2.2.1: Virtual
Private Network
2.2.2 Tunneling
Concept
Tunneling
is a method of using an internetwork infrastructure to transfer data for one
network over another network. The data to be transferred (or payload) can be the frames (or packets)
of another protocol. Instead of sending a frame as it is produced by the
originating node, the tunneling protocol encapsulates the frame in an additional
header. The additional header provides routing information so that the
encapsulated payload can traverse the intermediate internetwork.
The
encapsulated packets are then routed between tunnel endpoints over the
internetwork. The logical path through which the encapsulated packets travel
through the internetwork is called a tunnel. Once the encapsulated frames
reach their destination on the internetwork, the frame is unencapsulated and
forwarded to its final destination. Tunneling includes this entire process
(encapsulation, transmission, and unencapsulation of packets).
Figure
: Tunneling
New
tunneling technologies have been introduced in recent years. These newer
technologies include:
Ø
Point-to-Point Tunneling
Protocol (PPTP)
PPTP
is a Layer 2 protocol that uses a TCP connection for tunnel maintenance and
Generic Routing Encapsulation (GRE) encapsulated PPP frames for tunneled data.
The payloads of the encapsulated PPP frames can be encrypted and/or compressed.
Figure ?? shows how a PPTP packet is assembled prior to transmission.
Ø
Layer 2 Forwarding
(L2F)
L2F
is a runnel technology proposed by Cisco. It is a transmission protocol that
allows dial-up access servers to frame dial-up traffic in PPP and transmit it
over WAN links to an L2F server (a router). The L2F server then unwraps the
packets and injects them into the network. Unlike PPTP and L2TP, L2F has no
defined client. L2F functions in compulsory tunnels only.
Ø
Layer
2 Tunneling Protocol (L2TP)
L2TP
is a combination of PPTP and L2F. L2TP encapsulates PPP frames to be sent over
IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks. When
configured to use IP as its datagram transport, L2TP can be used as a tunneling
protocol over the Internet. L2TP can also be used directly over various WAN
media (such as Frame Relay) without an IP transport layer.
Ø
IP Security Protocol (IPSec)
IPSec
is a Layer 3 protocol standard that supports the secured transfer of information
across an IP network. In addition to its definition of encryption mechanisms for
IP traffic, IPSec defines the packet format for an IP over IP tunnel mode,
generally referred to as IPSec Tunnel
Mode. An IPSec tunnel consists of a tunnel client and a tunnel server, which
are both configured to use IPSec tunneling and a negotiated encryption
mechanism.
IPSec
Tunnel Mode uses the negotiated security method to encapsulate and encrypt
entire IP packets for secure transfer across a private or public IP network. The
encrypted payload is then encapsulated again with a plain-text IP header and
sent on the network for delivery to the tunnel server. Upon receipt of this
datagram, the tunnel server processes and discards the plain-text IP header, and
then decrypts its contents to retrieve the original payload IP packet. The
payload IP packet is then processed normally and routed to its destination on
the target network.
2.2.3
How
Tunneling Works
Layer
3 tunneling technologies generally assume that all of the configuration issues
have been handled out of band, often by manual processes. For these protocols,
there may be no tunnel maintenance phase. For Layer 2 protocols (PPTP and L2TP),
however, a tunnel must be created, maintained, and then
terminated.
Once
the tunnel is established, tunneled data can be sent. The tunnel client or
server uses a tunnel data transfer protocol to prepare the data for transfer.
For example, when the tunnel client sends a payload to the tunnel server, the
tunnel client first appends a tunnel data transfer protocol header to the
payload. The client then sends the resulting encapsulated payload across the
internetwork, which routes it to the tunnel server. The tunnel server accepts
the packets, removes the tunnel data transfer protocol header, and forwards the
payload to the target network.
2.4 SSL (Secure Socket
Layer)
SSL is a security scheme proposed by Netscape
Communication Corporation for providing a secure channel between two application
hosts. SSL can provide data encryption, server authentication, message
integrity, and optional client authentication for a TCP/IP connection.
SSL is the
technology used to encrypt and decrypt messages sent between the browser and
server. By encrypting the data, you protect messages from being read while they
are transferred across the Internet. SSL encrypts a message from the browser,
then sends it to the server. When the message is received by the server, SSL
decrypts it and verifies that it came from the correct sender (a process known
as authentication).
SSL
consists of software installed on both the browser and server. Several companies, including Verisign,
SSL.com, and Equifax offer SSL encryption and authentication tools. Verisign's
digital certificates, are already installed in most recent versions of the major
browsers.
Digital
certificates are used by the SSL security protocol to encrypt, decrypt, and
authenticate data. The certificate contains the owner's company name and other
specific information that allows recipients of the certificate to identify the
certificate's owner. The certificate also contains a public key used to encrypt
the message being transported across the Internet. SSL uses two kinds of
certificates: root certificates and server certificates. Root certificates are
installed on the browser, and server certificates exist on the Web server. A
root certificate tells the browser that you will accept certificates signed by
the owner of the root certificate. A server certificate is installed on the
Web server. It works much like the root certificate and is in charge of
encrypting the messages sent to browsers and decrypting messages received from
browsers.
How does it
work
SSL uses the RSA public key cryptography, which
is widely used for authentication
and encryption in the computer industry. The public key encryption is a technique
that uses two asymmetric keys for encryption and decryption. Each pair of keys
consists of a public key and a private key. The public key is made public by
distributing it widely. The private key is never distributed; it is always kept
secret. Data that is encrypted with
the public key can be decrypted only with the private key. Conversely, data encrypted with the
private key can be decrypted only with the public key.
SSL handles the
scrambling of messages so that only the intended recipient can read it. The
encryption/decryption process goes something like this:
1. The user browses to the secure Web server's
site.
2. The user's SSL secured session is started
and a unique public key is created for the browser (using the certificate
authority's root certificate).
3.A message is encrypted and then sent from
the browser using the server's public key. The message is scrambled during the
transmission so that nobody who intercepts the message can read
it.
4.The message is received by the Web server
and is decrypted using the server's private key.
The
process of SSL encryption relies upon two keys: the server's public key and
private key. The private key only exists on the Web server itself and is used by
the Web server to encrypt and decrypt secure messages. The public key exists on
any client computer that has installed a root certificate for that Web server.
Once the public key is installed, the user can send encrypted messages to and
decrypt messages received from the Web server. Figure ? shows this
process. Just to be extra safe, the keys are discarded once the transaction's
session ends.
Figure ??? Asymmetrical
Encription using SSL
SSL
doesn't prevent the message from being intercepted. However, it does make the
message useless to the rogue interceptor. In other words, someone could capture
the message on its way to the secure Web server, but could not decrypt it
because they do not have the server's private key.
The
encryption process can be either symmetric or asymmetric. Symmetric encryption
uses a single key by both parties to encrypt and decrypt secure messages. The
problem is that the key itself has to be passed along as part of the
conversation. With asymmetric encryption, the keys are never transported over
the public network, there is never a risk of them being stolen by a
attacker
.
SHTTP (Secure HTTP)
SHTTP is the scheme designed by Enterprise
Integration Technologies (EIT). It is a higher level protocol that only works
with the HTTP protocol, but is potentially more extensible than SSL. S-HTTP is backwards compatible
with HTTP. It is designed to incorporate different cryptographic message formats
into WWW browsers and servers. This will include PEM, PGP, and PKCS-7. Non
S-HTTP browsers/servers should be able to communicate with S-HTTP without a
discernible difference, unless they request protected documents
SHTTP provides a wide variety of mechanisms to
provide for confidentiality, authentication, and integrity. SHTTP is not tied to
any particular cryptographic
system, key infrastructure, or cryptographic
format.
Kerbros
Kerberos was developed by MIT as a solution to the network security problems. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Password based authentication is not secure for use over the public network, since passwords sent across the network can be intercepted and used by eavesdroppers to impersonate the user. In addition to the security concern, password based authentication is inconvenient; users need to enter a password each time they access a network service.
The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server has used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity. Thus Kerberos basically provides entity authetication in a centralized environment (authentication between both principles comes from their respective trusts in the central server) and provides a shared secret key agreement mechanism.
Overall Functionality
At a basic level, the Kerveros protocol brings four entities on the scene: the client, the server with which the client wishes to communicate, the Autehtication server (AS) and the Ticket Granting Server(TGS). These last two, which usuallty reside on the same host, make up the Key Distribution Center (KDC). The whole system is based on the use of tickets, which are issued by the KDC and enable the clients to authenticate when connecting to servers.
The AS contains a database of all the principles) clients and servers) for which it is responsible in its ream. For each such principal, the AS stores information such as the principal’s name and secret key. Hence the AS shares a different secret key with each principal located in its realm. Authentication between the client and the server takes place in three steps. First the client obtains a special Ticket Granting Tag (TGT) from the AS. Next the client obtains a ticket from the TGS for use with the server (this exchange between the client and the TGS is authenticated thanks to the TGT). Finally , the client authenticates with the server using the ticket obtained from the TGS. The reason for the TGS is that it avoids using the client’s secret key each time a ticket is required for a server. The client uses the session secret key generated by the AS to authenticate when tickets will be obtained.
Symmetric Encryption vs.
Asymmetric Encryption (Private Key vs. Public
Key)
Symmetric,
or private-key, encryption (also known as conventional encryption) is based on a
secret key that is shared by both communicating parties. The sending party uses
the secret key as part of the mathematical operation to encrypt (or encipher)
plain text to cipher text. The receiving party uses the same secret key to
decrypt (or decipher) the cipher text to plain text. Examples of symmetric
encryption schemes are the RSA RC4 .
Asymmetric,
or public-key, encryption uses two different keys for each user: one is a
private key known only to this one user; the other is a corresponding public
key, which is accessible to anyone. The private and public keys are
mathematically related by the encryption algorithm. One key is used for
encryption and the other for decryption, depending on the nature of the
communication service being implemented.
Public
key encryption technologies allow digital signatures to be placed on messages. A
digital signature uses the sender’s private key to encrypt some portion of the
message. When the message is received, the receiver uses the sender’s public key
to decipher the digital signature to verify the sender’s identity.
Certificates
With
symmetric encryption, both sender and receiver have a shared secret key. The
distribution of the secret key must occur (with adequate protection) prior to
any encrypted communication. However, with asymmetric encryption, the sender
uses a private key to encrypt or digitally sign messages, while the receiver
uses a public key to decipher these messages. The public key can be freely
distributed to anyone who needs to receive the encrypted or digitally signed
messages. The sender needs to carefully protect the private key
only.
To
secure the integrity of the public key, the public key is published with a certificate. A certificate (or public key certificate) is a data
structure that is digitally signed by a certificate authority (CA)—an authority
that users of the certificate can trust. The certificate contains a series of
values, such as the certificate name and usage, information identifying the
owner of the public key, the public key itself, an expiration date, and the name
of the certificate authority. The CA uses its private key to sign the
certificate. If the receiver knows the public key of the certificate authority,
the receiver can verify that the certificate is indeed from the trusted CA and,
therefore, contains reliable information and a valid public key. Certificates
can be distributed electronically (through Web access or email), on smart cards,
or on floppy disks.
Public
key certificates provide a convenient, reliable method for verifying the
identity of a sender. IPSec can optionally use this method for end-to-end
authentication. Remote access servers can use public key certificates for user
authentication.
Extensible Authentication
Protocol (EAP)
Most
implementations of PPP provide very limited authentication methods. EAP is an
IETF-proposed extension to PPP that allows for arbitrary authentication
mechanisms for the validation of a PPP connection. EAP was designed to allow the
dynamic addition of authentication plug-in modules at both the client and server
ends of a connection. This allows vendors to supply a new authentication scheme
at any time. EAP provides the highest flexibility in authentication uniqueness
and variation.
Digital Signature
As more and more e-Commerce companies try to increase
the security of transactions on the Internet and intranets, more and more use is
being made of digital certificates, making them a key component of Internet
security.
How it works
A digital
certificate can be thought of as the digital equivalent of an employee badge or
a driver's license. The certificate identifies its owner to someone who needs
proof of the bearer's identity. The private cryptographic key corresponding to a
certificate also can be used to digitally sign documents before they are
distributed; correspondents or business partners then use a copy of the digital
certificate to confirm the sender's digital identity.
Digital
certificates are often used to establish a user's identity for electronic
transactions, including browsing Web sites, engaging in electronic commerce,
signing E-mail and remotely accessing network resources.
For example, a
Web browser and a Web server using the SSL (Secure Sockets Layer) protocol
authenticate each other with digital certificates to ensure that each party is
who he or she claims to be. The public key contained in a Web server's digital
certificate also is used by browsers to encrypt data sent back to the server.
Similarly, the
SET (Secure Electronic Transaction) protocol for electronic commerce requires
that a digital certificate be issued for each credit card, and that both
merchants and customers have digital certificates to prove their identity. (In
the case of customers, these are the digital certificates issued for their
credit cards.)
Digital
certificates also play a major role in guaranteeing digital signatures for such
purposes as verifying the authenticity of E-mail. A sender can generate a
digital signature for a message using a private key, but recipients of the
signed message need the sender's corresponding public key to verify the digital
signature. Obtaining a copy of the sender's digital certificate is one way of
doing this.
Corporations
also can issue digital certificates to their employees, making it possible to
control access to network resources based on those certificates. This eliminates
the need to remember log-on names and passwords for each workgroup server,
printer and other resource. And when employees are on the road, they can use
their digital certificates to identify themselves to the corporate firewall when
trying to access the company's network.
3 Business Model and
Security implementation
In this part, we will take an E-commerce company (we call it the Corporation in the following) as our implementation scenario, and derive security solution by employing the technologies we mentioned in Part 2.
3.1 E-commerce Business
Requirements
Most organizations use Internet-based services to provide enhanced communications and a cost-saving means of automating business processes. Typically an E-commerce (e.g the Corporation) company has network components as show below in Case 1 in Figure 3.1. On one hand, the Corporation has some servers (e.g. SQL server) containing sensitive organizational information, such as financial data or proprietary technology. All these data should be as secure as possible and make sure no unauthorized person can get to it. On the other hand, The Corporation would like to employ inexpensive Internet to communication with its branch offices, distributed business partners and the remote employees. It provides some business services for its customers to access over the Internet to its web server, the ftp server and the e-mail server. It also provides the wireless messaging services over the Internet for the mobile users.
Figure 3.1 Network Infrastructure without Security Consideration
3.2 Security
Infrastructure
3.2.1 Network Topology
Security
When developing a secure Intranet an Extranet, the first concern should be network topology security. The internal network in Case 1 is a typical Ethernet with a hub connecting all the machines. The problem of it is that any device can monitor communications between two machines on the same network segment. As we mentioned above, the Corporation has some confidential information contained in the servers need to keep fully secure. This can be achieved by limiting unauthorized users accessing to them. One good way is segmenting the Internal network from both security and performance point of view.
Thus, the Corporation's internal network is segmented into two subnet parts as Case 2 in Figure 3.2 shows: One subnet is the trusted network which contains the confidential organization resources like financial data, proprietary technology or acquisition and merger information, etc. Another is publicly opened and less trusted DMZ (Demilitarized Zone) part, which allows web browse, file transfer and mobile access.
Figure 2: Segmentation of the Internal Network
In this scenario, A firewall is used here between the Corporation and the Internet to separate the untrusted network (defined as the External network) from the Corporation's trusted network and DMZ part (defined as the Internal network). For this deployment, all the internal system is protected by the firewall from the Internet-based attacks. The router is used between the DMZ and the trusted internal network to provide the second-line protection of the trusted network because the router has the ability to filter out certain traffic. Segmenting networks effectively prevents packets from traversing the entire network, thus reduces the amount of information that can be collected with a network monitor or an analyzer through physical accessing to a segment.
The DMZ part lies between the trusted network and the untrusted public network, and serves as an additional protection for the trusted internal network behind the firewall. The problem of this solution is that all the traffic to the trusted network must travel through the DMZ part, which causes overloaded traffic in the DMZ part. The performance of the network is greatly reduced, especially when we apply the security solutions like packet filtering, access control and encryption. In addition, it increases the difficulty for firewall to control the traffic.
In order to achieve the better network performance while considering security, we derive our second solution of Case 3 as show in Figure 3.3:
In this scenario, we completely separate the trusted network and DMZ part. This solution solves the problems in Case 2 and has the following advantages:
Ø Balance the traffic between two subnets, thus unloading the traffic of the DMZ subnet. The traffic going to the trusted network can be routed directly, no need to pass through the DMZ;
Ø Since each subnet has its different security policy, it is better for firewall to separate them. It is easy for firewall to control the traffic and also easy to be configured;
Ø Greatly increase the network performance when a variety of security technologies are implemented.
Because of the above three reasons, we prefer to choose the Case 3 as our security infrastructure solution.
Based
on this scenario, we design our security policies for the Corporation as
following:
Ø
Internal
users can access the entire network, including the trusted network, DMZ and the
Internet
Ø
External
users can access only the DMZ network (a network that provides Mail, FTP and
HTTP services)
Ø
Any
traffic coming into the corporate the trusted network must be securely
authenticated and encrypted
Ø
Allow
the traffic from the trusted network to the DMZ part, but block the traffic
initiated from DMZ to the trusted netwok
Ø
Remote
employ and branch office or business partner must use VPN or IPSec to access to
the corporation trusted network
Ø
Authentication??
Ø
The router is used between DMZ and the trusted subnet
can be configured to allow users from the trusted subnet access to DMZ, but
don't permit some traffic from DMZ go through the trusted subnet.
Ø
The firewall should follow the principle "That which is not Expressly Permitted is
prohibited" deny any service unless it is implicitly permitted", i.e. the
firewall denies all services by default, unless they are explicitly permitted.
Ø The basic rules of the firewall:
§ Allow all outgoing packets from the internal network except the packets with a source address from an external network (prevent IP Spoofing);
§ Allow incoming packets with port 80 (HTTP), port 25 (SMTP), port 110 (POP3), port 20-21 (FTP), port 53 (DNS), VPN, IPSec and SSL service ports go to the DMZ, but block the packets with a source address belong to the internal network (prevent IP Spoofing);
§ Allow ICMP packets, and block ICMP nukes;
§ Allow broadcast packets;
§ Allow ARP and RARP;
Ø Network Address Translation (NAT)
NAT is applied in this scenario to enable the Corporation to maintain unregistered IP addressing schemes and provide Internet access to all internal hosts utilizing a single corporation IP address, thus conceal the internal IP address from the untrusted Internet.
Remote Access VPN Solution
To
provide remote users with the ability to connect to the internal network,
regardless of their locations, the corporation must deploy a secure remote
access solution. The solution must allow roaming or remote clients to
connect to LAN resources, and the solution must allow remote offices to connect
to each other to share resources and information (LAN-to-LAN connections). In
addition, the solution must ensure the privacy and integrity of data as it
traverses the Internet.
Ø
Remote
User Access
Building
up a remote access VPN connection provides remote access to corporate resources
over the public Internet, while still maintaining privacy of information. Figure
2 shows a VPN used to connect a remote user to a corporate intranet.
Figure 2: Using a VPN to connect a remote client to a private LAN
Rather than making a long distance (or 1-800) call to a corporate or outsourced Network Access Server (NAS), the user calls a local ISP. Using the connection to the local ISP, the VPN software creates a virtual private network between the dial-up user and the corporate VPN server across the Internet.
Ø
Connecting two remote
sites
In order to implement the secure communication between the corporation and its branch offices or business partners, VPNs is used to connect the local area networks at two remote sites. The Corporation gateway that act as a VPN server connect to a local ISP with a dedicated line, while branch offices or business partner can connect to the local ISP either using dedicated link or a dial-up link.
Figure 3: Using a VPN to connect two remote sites
IPSec
VPN Employment
2.2.4. 1 IPsec client software
A dial VPN consists of an IPsec gateway and a PC equipped with an IPsec client. The IPsec gateway is located between the corporate office and for the Internet. The IPsec gateway is often a part of the firewall. It permits users that are connected to the Internet to reach resources on the corporate network in a very secure way. The PC can use the Internet at the same time that it is connected to the corporate network. Only packets destined for the corporate network are encrypted via IPsec.
2.2.4.2 Router with IPsec software
Instead of each PC being equipped with IPsec client software the encryption can also be done in the router that is connected to the public network. The advantage is that you don’t need to change the configuration of the PC’s, the only thing that is necessary is to configure the IP address of the IPsec gateway and the destination IP addresses that are behind the gateway.
2.2.4.3 LAN-to-LAN VPNs
When
using IPsec in tunnel mode it allows for two private networks to communicate
over the public Internet in a very secure way. Both private networks can use
private IP addresses, these IP addresses are not visible on the
Internet.
Firewall
For a firewall to function as the company desires, the network service access policy should exist prior to the implementation of the firewall. The policy must be realistic and sound. A realistic policy provides a balance between protecting the network from known risks on the one hand and providing users reasonable access to network resources on the other. If a firewall system denies or restricts services, only a strong network service access policy will prevent the firewall's access controls from being modified or circumvented on an ad hoc basis. A sound, management-backed policy can provide this defense against user resistance.
A router is a network traffic-managing device that sits in between sub-networks and routes traffic intended for, or emanating from, the segments to which it's attached. Naturally, this makes them sensible places to implement packet filtering rules, based on your security polices that you've already developed for the routing of network traffic.
A firewall insulates a private network from a public network using carefully established controls on the types of request they will route through to the private network for processing and fulfillment. For example, an HTTP request for a public Web page will be honored, whereas an FTP request to a host behind the firewall may be dishonored. Firewalls typically run monitoring software to detect and thwart external attacks on the site, and are needed to protect internal corporate networks. Firewalls appear primarily in two flavors; application level gateways and proxy servers. Other uses of firewalls include technologies such as Virtual Private Networks that use the Internet to tunnel private traffic without the fear of exposure
Defining firewalls
A slightly more specific definition of a firewall comes from William Cheswick and Steven Bellovin, two engineers with AT&T who wrote the classic Firewalls and Internet Security (Addison Wesley, 1994). They based the book on their experience developing a firewall to protect AT&T connections to the Internet. Cheswick and Bellovin define a firewall as a collection of components or a system placed between two networks and possessing the following properties:
* All traffic from inside to outside, and
vice-versa, must pass through it;
* Only authorized traffic, as defined by
the local security policy, is allowed to pass through it; and
* The system
itself is highly resistant to penetration.
Put simply, a firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two. Typically, the two networks in question are an organization's internal (trusted) network and the (untrusted) Internet. However, nothing in the definition of a firewall ties the concept to the Internet. We traditionally define the Internet as the worldwide network of networks that uses TCP/IP for communications. We define an internet as any connected set of networks. Although many firewalls are currently deployed between the Internet and internal networks, there are good reasons for using firewalls in any internet, or intranet, such as a company's WAN. There will be more about this use of firewalls later in this chapter.
Another approach to firewalls views them as both policy and the implementation of that policy in terms of network configuration. Physically, a firewall comprises one or more host systems and routers, plus other security measures such as advanced authentication in place of static passwords. As shown in Figure 1.1, a firewall may consist of several different components, including filters, or screens, that block transmission of certain classes of traffic, and a gateway, which is a machine or set of machines relaying services between the internal and external networks by means of proxy applications. The intermediate area occupied by the gateway we often refer to as the demilitarized zone (DMZ). These terms will all be explained in more detail, starting with traffic.
Firewalls as Filters
When TCP/IP sends data packets on their merry way, the packets seldom go straight from the host system that generated them to the client that requested them. Along the way they normally pass through one or more routers. In this, TCP/IP transmissions differ from LAN communications, which broadcast over a shared wire.
To look at how TCP/IP routes packets, and how this allows sites to filter for security, let us first examine old-fashioned LAN communications. Suppose five PCs reside on a LAN. If PC #2 wants to send some data to PC #4, it shouts out over the network and hopes that PC #4 hears it. The other three systems on the same wire will also hear the same data. This is true of both Ethernet and Token Ring, the two most widely used LAN protocols. This method of communication, in which a number of computers share the same wiring, increases efficiency, limits distance and scope. It also limits the number of computers that can talk on the same wire.
Early efforts to enable computers to communicate with each other over long distances used telephone lines and switches to connect calls from one specific computer to another in a remote location (the X.25 protocol was developed for this). A connection between two computers might pass through several switches until it reached its final destination. When LANs emerged it made sense for all the computers on one LAN to have access to the machine that had access to the remote connection, thus creating a WAN. LAN protocols, however, were incompatible with X.25, and the machine hosting the connection to the WAN tended to get overworked.
Next came a special type of switch called a router, which could take over the work of making external connections, and could also convert LAN protocols, specifically IP, into WAN protocols. Routers have since evolved into specialized computers. The typical router is about the same size as a VCR, although smaller models and rackmounted units for major interconnections have entered the market.
Basically, routers look at the address information in TCP/IP packets and direct them accordingly. Data packets transmitted over the Internet from the Web browser on a PC in Florida to a Web server in Pennsylvania will pass through numerous routers along the way, each of which makes decisions about where to direct the traffic. Figure 1.3 shows the traceroute program in action, listing the path the data takes.
Figure
1.3: The traceroute program shows the path Internet data takes.
Suppose the Web browser is on a PC on a LAN with a PPP connection to an Internet Service Provider (ISP). A router, or a computer acting as a router, will likely direct the packets out from the LAN to the ISP. Routers at the ISP will send the data to a backbone provider, which will route it, often in several hops, to the ISP that serves the machine that hosts the Web site.
Routers make their routing decisions based on tables of data and rules. It is possible to manipulate these rules by means of filters so that, for example, only data from certain addresses may pass through the router. In effect, this turns a router that can filter packets into an access-control device, or firewall. If the router can generate activity logs, this further enhances its value as a security device. We will discuss how this works in more detail in the next chapter.
Firewalls as Gateways
Internet firewalls are often referred to as secure Internet gateways. Like the gates in a medieval walled city, they control access to and from the network.
In firewall parlance, a gateway is a computer that provides relay services between two networks. A firewall may consist of little more than a filtering router as the controlled gateway. Traffic goes to the gateway instead of directly entering the connected network. The gateway machine then passes the data, in accordance with access-control policy, through a filter, to the other network or to another gateway machine connected to the other network.
In some configurations, called dual-homed gateways, one computer containing two network connectors acts as the gateway. Alternatively, a pair of machines can create a miniature network referred to as the DMZ (see Figure 1.4). Typically, the two gateways will have more open communication through the inside filter than the outside gateway has to other internal hosts. The outside filter can be used to protect the gateway from attack, while the inside gateway is used to guard against the consequences of a compromised gateway [Ches94].
Figure
1.4: The use of gateways.
Firewalls as Control Points
By concentrating access control, firewalls become a focal point for the enforcement of security policy. Some firewalls take advantage of this to provide additional security services, including traffic encryption and decryption. In order to communicate in encryption mode, the sending and receiving firewalls must use compatible encrypting systems. Current standards efforts in encryption and key management have begun to allow different manufacturers' firewalls to communicate securely, but these efforts have a ways to go before the customer can assume compatibility. Firewall-to-firewall encryption is thus used for secure communication over the public Internet between known entities with prior arrangement, rather than for any-to-any connections. Nevertheless it is a powerful feature, enabling the creation of virtual private networks (VPN) as a lower-cost alternative to a leased line or a value-added network (VAN).
Verifying the authenticity of system users is another important part of network security, and firewalls can perform sophisticated authentication, using smart cards, tokens and other methods. Firewalls can also protect other external network connections, such as remote dial-in. A company can apply the same traffic-restricting protections, enhanced by authentication.
Internal Firewalls
While the phenomenal growth of Internet connections has understandably focused attention on Internet firewalls, modern business practices continue to underscore the importance of internal firewalls. Mergers, acquisitions, reorganizations, joint ventures and strategic partnerships all place additional strains on security as the scope of the network's reach expands. Someone outside the organization may suddenly need access to some, but not all, internal information. Multiple networks designed by different people, according to different rules, must somehow trust each other. In these circumstances, firewalls play an important role in enforcing access-control policies between networks and protecting trusted networks from those that are untrusted.
Consider a manufacturing company that has, over time, developed separate networks within the sales, marketing, payroll, accounting and production departments. Although users in one department may wish to access certain other networks, it is probably unnecessary and undesirable for all users to have access to all networks. Consequently, when connecting the networks, the organization may choose to limit the connection, either with packet-filtering routers or with a more complex firewall.
In a WAN that must offer any-to-any connectivity, other forms of application-level security can protect sensitive data. However, segregating the networks by means of firewalls greatly reduces many of the risks involved; in particular, firewalls can reduce the threat of internal hacking--that is, unauthorized access by authorized users, a problem that consistently outranks external hacking in information-security surveys. By adding encryption to the services performed by the firewall, a site can create very secure firewall-to-firewall connections. This even enables wide-area networking between remote locations over the Internet. By using authentication mechanisms on the firewall, it is possible to gain a higher level of confidence that persons outside the firewall who request data from inside the firewall--for example, salespersons on the road needing access to an inventory database--are indeed who they claim to be.
Figure
1.5: Firewall to firewall encryption
Firewalls and Policy
Diagrams of the various configurations of filters and gateways help when planning a firewall defense, but the system administrator must not lose sight of the broader definition of a firewall as an implementation of security policy. A firewall is an approach to security; it helps implement a larger security policy that defines the services and access to be permitted. In other words, a firewall is both policy and the implementation of that policy in terms of network configuration, host systems and routers, as well as other security measures such as advanced authentication in place of static passwords.
Firewall design policy is a lower-level policy that describes how the firewall will actually go about restricting the access and filtering the services as defined in the network service access policy. We will examine both levels of policy in the following sections.
Firewall Design Policy
The firewall design policy is specific to the firewall and defines the rules used to implement the network service access policy. The company must design the policy in relation to, and with full awareness of, issues such as the firewall's capabilities and limitations, and the threats and vulnerabilities associated with TCP/IP. As mentioned earlier, firewalls generally implement one of two basic design policies:
- Permit any service unless it is expressly denied; or
- Deny any service unless it is expressly permitted.
Firewalls that implement the first policy (the permissive approach) allow all services to pass into the site by default, with the exception of those services that the service-access policy has identified as disallowed. Firewalls that implement the second policy (the restrictive approach) deny all services by default, but then pass those services that have been identified as allowed. This restrictive second policy follows the classic access model used in all areas of information security.
The permissive first policy is less desirable, since it offers more avenues for circumventing the firewall. With this approach, users could access new services not currently addressed by the policy. For example, they could run denied services at non-standard TCP/UDP ports that are not specifically mentioned by the policy.
This is where firewall design comes in. Certain firewalls can implement either a permissive or a restrictive design policy. A company can also choose to locate those systems requiring services that should not be passed through the firewall on screened subnets, separated from other site systems. Some use this approach for Web servers, which are partially shielded by packet filtering but are not sheltered behind the firewall. (If the Web server calls information from, or feeds data to, internal database systems, then that connection between the Web server and the internal machines should be well protected.)
Security Policy
The drawback of the Firewall is
that it presents a single point of
failure. Firewall generally acts as
a choke point, a single point through which all incoming and outgoing network
traffic is passed. If the firewall is configured wrong or is down, then the
whole internal network is compromised. This concern can be addressed by building
some redundancy into the choke point. Since router has the function of filtering
traffic and access control, it can be a reasonable consideration.
In order to connect from the LAN
to the outside world, a proxy is often installed on the Firewall machine. A proxy is a small program that can see
both sides of the firewall. Requests for information from the Web server are
intercepted by the proxy, forwarded to the server machine, and the response
forwarded back to the requester. A
proxy server mediates traffic between a protected network and the Internet. Many proxies contain extra logging or
support for user authentication. Since proxies must
"understand" the application protocol being used, they can also implement protocol specific security
(e.g., an FTP proxy might be configurable to permit incoming FTP
and block outgoing FTP). Another
way of contacting the outside world from behind a firewall is allowing the
firewall to pass requests for port 80 that are bound to or returning from the
WWW server machine. This has the effect of poking a small hole in the dike
through which the rest of the world can send and receive requests to the WWW
server machine.
Use network switches instead of network hubs. Using hubs, when a packet arrives at one port of the hub, it is copied to the other ports, so that all segments of the LAN can see all packets. With switches, the packets are only forwarded to the destination port, not to all ports. This also improves network throughput.
Router
Routers are often used to connect two or more networks. They control the flow of data packets on a network and determine the best way to reach the appropriate destination. In our corporate network, we use a router to separate the network segments. We can configure it to route the traffic based on predetermined rules to deny or block unauthorized traffic. For example, we can use filtering commands to limit certain protocols (e.g.snmp) or employ access lists to control the IP addresses that are allowed through. The router provides the second-line of defense for the trusted network.
Password
Password is the most widely used scheme to authenticate and identify users to the system. Most system or network use password as the only means of authentication and identification. In normal case, passwords are transmitted in plain-text over the public network, for example, when you access a system over a network using Telnet, FTP or rlogin. Passwords can be intercepted and displayed in plain-text using packet sniffer. Figure??? shows the FTP transmission process using a network monitor.
The highlight line exposes the packet containing the username and password.
Even if a password is encrypted before transmission, it still can be captured and retransmitted at a later time referred as "reply attack". It can also be cracked by some password cracking software. LophtCrack2.5 is one of such password crackers that can decipher the password in the password file. LophtCrack2.5 uses both Dictionary attack and Brute-force attack to calculate the password. It first dumps a password file of usernames and password, and extracts the password cryptographic hashes, then encrypts each word in a dictionary or every possible combination of letter, number and special characters with the same algorithms used to creat the encrypted password. Every key???It compares each encrypted word against password hash in the password file to find a match. When a match is found, a password is found. Figure ??? shows our testing result using LophtCrack2.5 to crack our system password. It takes hours
Defenses:
Ø Making a password longer with a mix of letters, numbers and special characters. The longer the password, the more secure.
Ø Using one-time password scheme, like smart card or token card.
Ø Employing Kerberos scheme.
It is as important to have a secure Web server as it is to maintain a secure mail and database system.
if you are concerned that your data is being intercepted and read,consider getting a Secure Socket Layer (SSL) server. Examples of SSL servers include the Netscape Secure Server and the Oracle Secure Server. SSL servers encrypt data before sending it, which makes it almost impossible for anyone to intercept and read the communication going back and forth between your server and the client on the other end.
Any browser that can accept SSL will decrypt your information as it is sent back. Your server has a public key and a private key, and your browser has a public key and a private key, and when the browser makes a connection with a server, the two exchanges keys. In this sense, your browser and your server mesh by talking to one another cryptically.
You can do something similar with mail. PGP (Pretty Good Privacy) was developed for Internet mail by Phil Zimmerman a few years ago and is another option for maintaining security on an intranet. It can be used for any text transmission over the Internet.
PGP functions in much the same way as browsers do in that PGP exchanges keys with an individual or a site on the Internet.
The information is encrypted before it is sent and is then decrypted on the receiving end. Should someone intercept it in transmission, the information wouldn't be useful.
The Trusted Network is the network that internal employees use when at the office or via a secure controlled dial-in mechanism.
A DMZ (Demilitarized Zone) is an isolated network placed as a buffer area between a company's Trusted Network and the Nontrusted Network. It can be used to hide the design and configuration of the Trusted Network. The DMZ prevents outside users form gaining direct access to the Trusted Network:
§ Filter and manage DoS attacks
§ Scan e-mail messages for virus, content and size
§ Passive eavesdropping /packet sniffing
§ Application-layer attack
§ Port scans
§ Limit access to the Trusted Network via a single protocol
§ IP address spoofing
One of the most common rules is that a single protocol cannot transverse the DMZ. This means if the client is entering into the DMZ via http on port 80, he can't continue into the trusted network on the same port and protocol.
The DMZ is also used to control outbound traffic via proxy servers and filter servers:
§ Control e-mail messages based on destination, size and content
§ Scan for virus going out of the DMZ
§ Monitor and limit access to unauthorized access sites or web sites
Network Security Policy
The Network Security Policy identifies the threats against which protection is required, and defines the required level of protection. The Network Security Policy will itself contain several different policies, for example a Network Service Access
Policy and System Specific Policies.
The Network Security Policy will be based on a security strategy such as Least Privilege, Defence In Depth, Choke Point,
Weakest Link ,Fail Safe Stance etc. These and other strategies are discussed in chapter 4. The role of the security strategy can be illustrated with a small example :
Strategy 1 : Everything is forbidden unless explicitly permitted.
Strategy 2 : Everything is permitted unless explicitly forbidden.(11)
Implementations of both of these strategies can be found in organisations. They adopt philosophically opposing views of how to
implement security.
Some understanding of the services available on the Internet, and the risks these present, is required before an effective
network security policy can be developed.
Port Scanning
A port scanner is a program that listens to
well-known port numbers to detect service running on a system that can be
exploited to break into the system. If the port is listening, then the scan will
succeed, otherwise the port isn’t reachable. The hacker could access those open
ports with some type of
application. They could possibly even flood those ports with requests
from several sources. Some port scanning attack can be detected by monitoring
the system log files using intrusion detection software. However, some scanning
programs use a SYN scan, are difficult to detect. These program employs a SYN
packet to create a half-open connection that the victim system can't logged.
Figure ??? shows a port scanner run on an address:
The results showed that ports ?? are open.
Ø
?????
Identificaiton: is simply the process of
identifying one's self to another entity or determing the identity of the
individual or entity with whom you are communicating.
Access Control( Authorization): refers to the
ability to control the level of access that individuals or entities have to a
network or system and how much information they can receive.
Non-repudiation: the ability to prevent
individuals or entities from denying (repudiating) that information, data or
files were sent or received or that information or files were accessed or
altered, when in fact they were. This capability is crucial to
e-commerce.
Certificates
The oldest form of security, is to ask for a password. A password is a classic 'what you know' type of security. Of course, the problem is that anyone can access your information if he knows the password. A certificate (or public-key certificate, or Digital ID) is a 'What you know and whay you have' type of security. In order to access information you need to have a specific file in your disc, that will authenticate you. Those files are encrypted, to provice a high level of security. There are many standarts of certificates. The most popular one is X.509v3 (by ITU). A X.509v3 certificate holds the following information :
The issuer is an entity that attests to the identity of the holder of the certificate. The issuer is usually an external company (like VeriSign) that all it does it to verify the identity. Certificates are very usefull when extra security is needed. It's your Digital ID, and can be used to indentify you in cyberspace (your electronic network). The certificate proves several important services :
Certificates work in both ways. If you
connect to some server, you can view it's certificate so you'll be sure to
whom you're talking. The new browsers also have client-side certificates.
So the server can know who YOU are. Secure E-Mail
(S/MIME)
S/MIME is a new standard for secure E-Mail.
It is an open standard (The specifications are open for all, which means
many companies can issue a S/MIME compatiable E-Mail client), which is
used for encrypted, signed mail.
The main advantage of S/MIME is it's interoperability, the fact that it's an open standard, and it has a good chance of become the De-Facto standard for secure E-Mail. |
Developing Security Polices and
Controls
Two common problems with organizational policies are:
1. The policy is a platitude rather than a decision or direction.
· Secrecy. Also known as confidentiality, prevents disclosure of the message to unauthorized users.
Technologies to Secure Network Connectivity
· They can block unwanted traffic.
· They can direct incoming traffic to more trustworthy internal systems.
· They hide vulnerable systems that cannot easily be secured from the Internet.
· They can log traffic to and from the private network.
· They can provide more robust authentication than standard applications might be able to do.
Filtering gateways do have inherent risks, including:
· They do not protect against IP or DNS address spoofing.
· Strong user authentication isn't supported with some packet filtering gateways.
· They provide little or no useful logging.
· Strong user authentication can be enforced with application gateways.
· Proxies can provide detailed logging at the application level.
Virtual Private Networks and Wide Area Networks
Remote Access
· Public key certificates. The use of public key certificates described earlier when logging on.
Choose the right level of encryption: Performance
