Network Security, Filters and Firewalls

by Darren Bolding

This article is a general introduction to network security issues and solutions in the Internet; emphasis is placed on route filters and firewalls. It is not intended as a guide to setting up a secure network; its purpose is merely as an overview. Some knowledge of IP networking is assumed, although not crucial.

In the last decade, the number of computers in use has exploded. For quite some time now, computers have been a crucial element in how we entertain and educate ourselves, and most importantly, how we do business. It seems obvious in retrospect that a natural result of the explosive growth in computer use would be an even more explosive (although delayed) growth in the desire and need for computers to talk with each other. The growth of this industry has been driven by two separate forces which until recently have had different goals and end products. The first factor has been research interests and laboratories; these groups have always needed to share files, email and other information across wide areas. The research labs developed several protocols and methods for this data transfer, most notably TCP/IP. Business interests are the second factor in network growth. For quite some time, businesses were primarily interested in sharing data within an office or campus environment; this led to the development of various protocols suited specifically to this task.

Within the last five years, businesses have begun to need to share data across wide areas. This has prompted efforts to convert principally LAN-based protocols into WAN-friendly protocols. The result has spawned an entire industry of consultants who know how to manipulate routers, gateways and networks to force principally broadcast protocols across point-to-point links (two very different methods of transmitting packets across networks).

Recently (within the last 2 or 3 years) more and more companies have realized that they need to settle on a common networking protocol. Frequently the protocol of choice has been TCP/IP, which is also the primary protocol run on the Internet. The emerging ubiquity of TCP/IP allows companies to interconnect with each other via private networks as well as through public networks.

This is a very rosy picture: businesses, governments and individuals communicating with each other across the world. While reality is rapidly approaching this utopian picture, several relatively minor issues have changed status from low priority to extreme importance. Security is probably the most well known of these problems. When businesses send private information across the net, they place a high value on it getting to its destination intact and without being intercepted by someone other than the intended recipient. Individuals sending private communications obviously desire secure communications. Finally, connecting a system to a network can open the system itself up to attacks. If a system is compromised, the risk of data loss is high.

It can be useful to break network security into two general classes:

- methods used to secure data as it transits a network
- methods which regulate what packets may transit the network

While both significantly affect the traffic going to and from a site, their objectives are quite different.

Transit Security

Currently, there are no systems in wide use that will keep data secure as it transits a public network. Several methods are available to encrypt traffic between a few coordinated sites. Unfortunately, none of the current solutions scale particularly well. Two general approaches dominate this area:

Virtual Private Networks: This is the concept of creating a private network by using TCP/IP to provide the lower levels of a second TCP/IP stack. This can be a confusing concept, and is best understood by comparing it to the way TCP/IP is normally implemented. In a nutshell, IP traffic is sent across various forms of physical networks. Each system that connects to the physical network implements a standard for sending IP messages across that link. Standards for IP transmission across various types of links exist; the most common are for Ethernet and point-to-point links (PPP and SLIP). Once an IP packet is received, it is passed up to higher layers of the TCP/IP stack as appropriate (UDP, TCP and eventually the application). When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. There are a number of ways to accomplish this which trade off between abstraction and efficiency. The advantage this gives you in terms of secure data transfer is only a single step further away. Because a VPN gives you complete control over the physical layer, it is entirely within the network designer's power to encrypt the connection at the physical (virtual) layer. By doing this, all traffic of any sort over the VPN will be encrypted, whether it be at the application layer (such as Mail or News) or at the lowest layers of the stack (IP, ICMP). The primary advantages of VPNs are: they allow private address space (you can have more machines on a network), and they allow the packet encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines.

Packet Level Encryption: Another approach is to encrypt traffic at a higher layer in the TCP/IP stack. Several methods exist for the secure authentication and encryption of telnet and rlogin sessions (Kerberos, S/Key and DESlogin) which are examples of encryption at the highest level of the stack (the application layer). The advantages to encrypting traffic at the higher layer are that the processor overhead of dealing with a VPN is eliminated, interoperability with current applications is not affected, and it is much easier to compile a client program that supports application layer encryption than to build a VPN. It is possible to encrypt traffic at essentially any of the layers in the IP stack. Particularly promising is encryption that is done at the TCP level, which provides fairly transparent encryption to most network applications.

It is important to note that both of these methods can have performance impacts on the hosts that implement the protocols, and on the networks which connect those hosts. The relatively simple act of encapsulating or converting a packet into a new form requires CPU time and uses additional network capacity. Encryption can be a very CPU-intensive process, and encrypted packets may need to be padded to uniform length to guarantee the robustness of some algorithms. Further, both methods have impacts on other areas (security related and otherwise, such as address allocation, fault tolerance and load balancing) that need to be considered before any choice is made as to which is best for a particular case.

Traffic Regulation

The most common form of network security on the Internet today is to closely regulate which types of packets can move between networks. If a packet which may do something malicious to a remote host never gets there, the remote host will be unaffected. Traffic regulation provides this screen between hosts and remote sites. This typically happens at three basic areas of the network: routers, firewalls and hosts. Each provides similar service at different points in the network. In fact the line between them is somewhat ill-defined and arbitrary. In this article, I will use the following definitions:

Router traffic regulation: Any traffic regulation that occurs on a router or terminal server (hosts whose primary purpose is to forward the packets of other hosts) and is based on packet characteristics. This does not include application gateways but does include address translation.

Firewall traffic regulation: Traffic regulation or filtering that is performed via application gateways or proxies.

Host traffic regulation: Traffic regulation that is performed at the destination of a packet. Hosts are playing a smaller and smaller role in traffic regulation with the advent of filtering routers and firewalls.

Filters and access lists

Regulating which packets can go between two sites is a fairly simple concept on the surface; it shouldn't be and isn't difficult for any router or firewall to decide simply not to forward all packets from a particular site. Unfortunately, the reason most people connect to the Internet is so that they may exchange packets with remote sites. Developing a plan that allows the right packets through at the right time and denies the malicious packets is a thorny task which is far beyond this article's scope. A few basic techniques are worth discussing, however.

Restricting access in, but not out: Almost all packets (besides those at the lowest levels which deal with network reachability) are sent to destination sockets of either UDP or TCP. Typically, packets from remote hosts will attempt to reach one of what are known as the well known ports. These ports are monitored by applications which provide services such as Mail Transfer and Delivery, Usenet News, the time, Domain Name Service, and various login protocols. It is trivial for modern routers or firewalls to allow only these types of packets through, and only to the specific machine that provides a given service. Attempts to send any other type of packet will not be forwarded. This protects the internal hosts, but still allows all packets to get out. Unfortunately this isn't the panacea that it might seem.

The problem of returning packets: Let's pretend that you don't want to let remote users log into your systems unless they use a secure, encrypting application such as S/Key. However, you are willing to allow your users to attempt to connect to remote sites with telnet or ftp. At first glance, this looks simple: you merely restrict remote connections to one type of packet and allow any type of outgoing connection. Unfortunately, due to the nature of interactive protocols, they must negotiate a unique port number to use once a connection is established. If they didn't, at any given time there could only be one of each type of interactive session between any given two machines. This results in a dilemma: all of a sudden, a remote site is going to try to send packets destined for a seemingly random port. Normally, these packets would be dropped. However, modern routers and firewalls now support the ability to dynamically open a small window for these packets to pass through if packets have been recently transmitted from an internal host to the external host on the same port. This allows connections that are initiated internally to connect, yet still denies external connection attempts unless they are desired.

Dynamic route filters: A relatively recent technique is the ability to dynamically add entire sets of route filters for a remote site when a particular set of circumstances occurs. With these techniques, it is possible to have a router automatically detect suspicious activity (such as ISS or SATAN) and deny a machine or an entire site access for a short time. In many cases this will thwart any sort of automated attack on a site.

Filters and access lists are typically placed on all three types of systems, although they are most common on routers.

Address Translation: Another advancement has been to have a router modify outgoing packets to contain the router's own IP number. This prevents an external site from knowing any information about the internal network; it also allows for certain tricks to be played which provide for a tremendous number of additional internal hosts with a small allocated address space. The router maintains a table which maps an external IP number and socket to an internal number and socket. Whenever an internal packet is destined for the outside, it is simply forwarded with the router's IP number in the source field of the IP header. When an external packet arrives, it is analyzed for its destination port and re-mapped before it is sent on to the internal host. The procedure does have its pitfalls: checksums have to be recalculated because they are based in part on IP numbers, and some upper layer protocols encode or depend on the IP number. These protocols will not work through simple address translation routers.

Application gateways and proxies: The primary difference between firewalls and routers is that firewalls actually run applications. These applications frequently include mail daemons, ftp servers and web servers. Firewalls also usually run what are known as application gateways or proxies. These are best described as programs which understand a protocol's syntax, but do not implement any of the functionality of the protocol. Rather, after verifying that a message from an external site is appropriate, they send the message on to the real daemon which processes the data. This provides security for those applications that are particularly susceptible to interactive attacks. One advantage of using a firewall for these services is that it makes it very easy to monitor all activity, and very easy to quickly control what gets in and out of a network.

Conclusion

There are two basic types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely delivered to the right place. It should be apparent that there is also a need for ensuring that the hosts that receive the information will properly process it; this raises the entire specter of host security, a wide area which varies tremendously for each type of system. With the growth in business use of the Internet, network security is rapidly becoming crucial to the development of the Internet. Soon, security will be an integral part of our day to day use of the Internet and other networks.

Darren Bolding is a "hired geek" with Internet Partners of America. Currently designing and implementing several Internet Service Providers, he has wide experience with Routers, Terminal Servers and telecom equipment. If you have any questions, corrections or comments, Darren may be reached at darren@bolding.org or http://www.bolding.org/~darren.

Copyright 1995 by Darren Bolding
Crossroads 2.1, September 1995
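The three filtering techniques described under "Filters and access lists" (restricting access in but not out, the returning-packet window, and dynamic route filters) combine naturally into one screening rule. The Python below is an added illustration, not code from the article or from any router product; the Packet tuple, the host addresses and the traffic in run_demo are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport time")  # direction: "in"/"out"

class ScreeningRouter:
    """Filter combining the techniques described above (added illustration, not the
    author's configuration): inbound packets reach only a well-known port on its host,
    anything may leave, a returning packet passes only while an inside host recently
    talked to that outside host/port, and a site causing repeated drops is denied."""
    def __init__(self, services, window=60, scan_limit=5, penalty=300):
        self.services = set(services)  # (internal host, port) pairs reachable from outside
        self.window = window           # seconds a return window stays open
        self.scan_limit = scan_limit   # drops within the window that trigger a dynamic filter
        self.penalty = penalty         # seconds the dynamic filter stays in place
        self.flows = {}                # (inside, outside, proto, sport, dport) -> last seen
        self.drops = {}                # outside host -> recent drop times
        self.denied_until = {}         # outside host -> time its dynamic filter expires

    def filter(self, pkt):
        if pkt.direction == "out":     # remember the flow so its replies are admitted
            self.flows[(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)] = pkt.time
            return "forward"
        if self.denied_until.get(pkt.src, 0) > pkt.time:
            return "drop"              # dynamic route filter in effect for this site
        if (pkt.dst, pkt.dport) in self.services:
            return "forward"           # well-known service on its designated host
        key = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)  # reverse of an outbound flow
        last = self.flows.get(key)
        if last is not None and pkt.time - last <= self.window:
            self.flows[key] = pkt.time  # keep the window open while the session is active
            return "forward"
        self._note_drop(pkt.src, pkt.time)
        return "drop"

    def _note_drop(self, host, now):
        recent = [t for t in self.drops.get(host, []) if now - t <= self.window] + [now]
        self.drops[host] = recent
        if len(recent) >= self.scan_limit:
            self.denied_until[host] = now + self.penalty

def run_demo():
    """Constructed traffic: telnet out/reply, inbound mail, a five-port probe, a late reply."""
    r = ScreeningRouter(services={("10.0.0.2", 25), ("10.0.0.3", 53)})
    pkts = [Packet("out", "tcp", "10.0.0.5", 1025, "192.0.2.7", 23, 0),
            Packet("in", "tcp", "192.0.2.7", 23, "10.0.0.5", 1025, 1),
            Packet("in", "tcp", "198.51.100.4", 2000, "10.0.0.2", 25, 3)]
    pkts += [Packet("in", "tcp", "192.0.2.9", 4000 + p, "10.0.0.5", p, 10 + p) for p in range(21, 26)]
    pkts += [Packet("in", "tcp", "192.0.2.9", 4100, "10.0.0.2", 25, 40),
             Packet("in", "tcp", "192.0.2.7", 23, "10.0.0.5", 1025, 70)]
    return [r.filter(p) for p in pkts]
```

In the demo the fifth probe from the outside host trips the dynamic filter, so its later packet to the mail host is dropped even though port 25 on that host is normally reachable, and the telnet reply arriving after the window has closed is dropped as well.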
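Address translation as described above, worked through on constructed packets: the router rewrites the source address and port of outgoing packets, recomputes the IP header checksum (the pitfall the article names) and maps replies back through its table. This is an added example, not the author's code; it models only the IPv4 header and a source/destination port pair, not a full TCP header or its pseudo-header checksum.

```python
import struct
import ipaddress

def ip_checksum(hdr):
    """One's-complement sum of 16-bit words (RFC 1071); returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, sport, dport, payload=b""):
    """Constructed packet: 20-byte IPv4 header (protocol 6) followed by the
    source/destination port pair, the only part of TCP this model needs."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return ip + struct.pack("!HH", sport, dport) + payload

def parse(pkt):
    """(src, dst, sport, dport) of a packet produced by build_packet."""
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), sport, dport)

class AddressTranslator:
    """Address-translating router as described above (added illustration, not
    the author's code): outgoing packets leave with the router's address and a
    port from the mapping table; replies to that port are mapped back."""
    def __init__(self, router_ip, first_port=40000):
        self.router_ip = router_ip
        self.next_port = first_port
        self.table = {}    # external port -> (internal host, internal port)

    def outbound(self, pkt):
        src, dst, sport, dport = parse(pkt)
        ext = next((p for p, v in self.table.items() if v == (src, sport)), None)
        if ext is None:                       # first packet of this internal socket
            ext, self.next_port = self.next_port, self.next_port + 1
            self.table[ext] = (src, sport)
        # Rebuilding the header recomputes the checksum, which covers the changed source address.
        return build_packet(self.router_ip, dst, ext, dport, pkt[24:])

    def inbound(self, pkt):
        src, dst, sport, dport = parse(pkt)
        entry = self.table.get(dport)
        if dst != self.router_ip or entry is None:
            return None                       # no mapping: unsolicited packet is dropped
        ihost, iport = entry
        return build_packet(src, ihost, sport, iport, pkt[24:])
```

A protocol that carries the internal address inside its payload (the article's other pitfall) would still leak it here, because only the header is rewritten.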