Elements of a Comprehensive Security Solution.
Maintaining security is a never-ending struggle. Just when you think you have an airtight system in place, a new hacker technology or an especially diabolical adversary enters the picture. And, the threats aren't necessarily external. In fact, the FBI Computer Crime Unit reports that more than 80 percent of all network security breaches are inside jobs--disgruntled or dishonest employees with their own agendas.
Regardless of the type or location of perceived threat, an effective system for securing the integrity of information while maintaining availability of information assets must:
* Allow access to information by authorized parties.
* Implement policies that determine who is authorized for what access to which information.
* Employ a strong user authentication system.
* Deny malicious or destructive access to any information asset.
* Protect data from end to end.
Threats to Enterprise Security
A computer network can be attacked in a number of ways with different degrees of damage. These attacks can take several forms:
* Denial of service. The attacker disrupts the smooth flow of information by crashing or overloading a critical device such as a server, router or firewall. This is an attack on the availability of information.
* Theft of information. The attacker acquires information that is proprietary to the organization. This can be done by eavesdropping, by masquerading as an authorized entity, or by a brute-force attack such as the use of a computer program that guesses passwords. This is an attack on the ownership of information and intellectual property.
* Corruption of data. The attacker either destroys or corrupts data stored on disk or corrupts data as it is transmitted across the network. This is an attack on the integrity of information.
Threats to the availability, ownership and integrity of information assets can arise at any of these locations (Figure 1):
* The people who use the system (divulging passwords, losing token cards, etc.)
* Internal network connections such as routers and switches.
* Interconnection points such as gateways between corporate intranets and the Internet.
* Third-party network carriers such as long-distance carriers and ISPs.
* Application-level imposters, eavesdroppers and attackers.
Establishing adequate or even impenetrable security at one point of attack while leaving one or more of these other points uncovered is like posting a guard at the front desk and leaving the company's doors and windows wide open. An employee who seeks revenge or a serious thief will try every avenue of entry, particularly if the value of the information is great and the access is relatively easy.
Elements of a Comprehensive Security Solution
A complete security solution that maximizes the benefits of networked data communications must contain these elements:
* Physical protection--where are you?
* User authentication--who are you?
* Access control--what asset are you allowed to use?
* Encryption--what information should be hidden?
* Management--what is going on within the network?
An enterprise may employ any or all of these elements to achieve integrity and access control. The best strategy depends on the risk involved, the cost of the deployment and the cost of a security breach or lost data.
A Closer Look at ...
Physical risks most often involve access to machines or people. A number of strategies can be used to enhance physical security:
* Place computers in a secure environment. The degree to which the console, keyboard, and monitor of a computer can be physically accessed determines the level of system security. This is a common "back door" opening to an intruder. To implement physical security, organizations often use receptionists, security guards, physical keys, combination or electronic door locks, and other access controls. Train staff to log off workstations during breaks and meal times. Something else not to be overlooked: modem pools and all Internet connections should be firewalled.
* Destroy sensitive documents, including disks, when no longer used. Sophisticated tools can reconstruct files supposedly erased from a disk. Only destroying the disk itself guarantees the destruction of the data it once contained.
* Store digital keys on smart cards, not on disks. Disks can be duplicated; smart cards are more difficult to copy.
* Keep passwords secure. Avoid writing passwords down, then sending them through electronic mail or placing them in messages that are archived or incorporated in group discussion systems.
* Do not write PINs on ID cards. This is similar to hiding the front door key under the welcome mat. Security training can help make employees aware of their part in maintaining network security.
* Lock down portable equipment. The laptop computer represents one of the greatest physical threats to a security system, because it contains a great deal of information and can so easily be carried off. Recent headlines that reveal the loss of a laptop containing top-secret government information are a prime example of this threat. The same is true of other devices such as external disk drives, tape backup systems, and the like. These devices must be locked away or bolted to the desk to guard against theft.
Proof of identity is an essential component of any security system. It's the only way to differentiate authorized users from intruders. User authentication to the network is vital for any enterprise that is serious about protecting information assets and knowing who is attempting to access the network. Authentication becomes particularly important when some of the more sophisticated communication methods are used.
In addition to proving identity, authentication systems are used to determine what information the requestor can access--for example, a human resources database or corporate financial database. True authentication generally incorporates two or three of the following elements:
* What the user has or possesses (smart card, certificate).
* What the user knows (password).
* A physical attribute (fingerprint or other biometric information).
Authentication is most often achieved through challenge and response, digital certificates, or message digests and digital signatures.
* Challenge and response. In this authentication method, a software agent within a database system or a workgroup server presents the person requesting access to a resource with a challenge, most often a request for a username and password. This is the most common form of security and one that is easily broken when passwords are not carefully chosen and maintained. Intrusion Detection Systems (IDS) guard against unauthorized access to this sensitive information in an extranet--such as those linking hospitals, clinics, and other providers. IDSs monitor information systems, correlate and report on suspect activity, and create complete logs of all information transactions. More importantly, the IDS will be able to tie together audit trails from disparate systems such as firewalls, routers, and NT or UNIX system event logs. This capability is a critical element in satisfying federal requirements.
* Digital certificates. One of the earliest uses of digital certificate technology was Privacy Enhanced Mail, the predecessor to S/MIME (Secure/Multipurpose Internet Mail Extensions), a widely used specification that brought a higher level of security to e-mail through encryption and digital signature-based authentication. Since their introduction, the use of digital certificates has continued to grow steadily. Digital certificates are essential components of a public key infrastructure (PKI), which can be generally defined as a security system that consists of protocols, services, and standards that support applications of public key cryptography. Public key cryptography is used to validate messages that have been digitally signed. Such messages can be simple e-mail or part of a protocol that establishes a secure communications session. The sender of the message to be authenticated digitally signs the message using a private key. The signature can be validated using the sender's corresponding public key, which is contained in the sender's certificate and can either be sent along with the message or retrieved from a certificate repository.
* Message Digests and Digital Signatures. Applying a one-way hash function such as MD5 or SHA-1 to a message creates message digests. "One-way" means that the original message cannot be recreated from the digest. A digital signature uses the private key of an individual to encrypt the message digest. At the receiving end, the digest is recreated from the message text, the public key is used to decrypt the digest from the digital signature, and the two message digests are compared. If they match, the messages are probably the same. Comparison of the message digests provides both a means of authenticating the signature and a check of message integrity.
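The digest-then-sign flow just described, as an added example that is not part of the original article. It uses SHA-256 as the one-way hash (the text names MD5 and SHA-1, which are no longer recommended) and a textbook RSA operation to "encrypt" the digest with the private key; the key is constructed from two fixed Mersenne primes purely so the example runs offline without a library, and is not a secure key.

```python
# Added example: message digest + digital signature (sign the digest with the
# private key, recover it with the public key, compare with a fresh digest).
import hashlib

# Constructed toy RSA key from two known Mersenne primes. This is for
# illustration only; real keys come from a vetted library with proper padding.
_P = 2**521 - 1
_Q = 2**607 - 1
N = _P * _Q                       # public modulus
E = 65537                         # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


def message_digest(message: bytes) -> bytes:
    """One-way hash of the message text; the digest cannot be reversed."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_exponent: int = _D, modulus: int = N) -> int:
    """Signer side: hash the message, then apply the private key to the digest."""
    digest = int.from_bytes(message_digest(message), "big")
    return pow(digest, private_exponent, modulus)


def verify(message: bytes, signature: int,
           public_exponent: int = E, modulus: int = N) -> bool:
    """Verifier side: recreate the digest from the received text, recover the
    signed digest with the public key, and compare. A match authenticates the
    signer and confirms the message was not altered in transit."""
    recomputed = int.from_bytes(message_digest(message), "big")
    recovered = pow(signature, public_exponent, modulus)
    return recovered == recomputed


if __name__ == "__main__":
    msg = b"Transfer patient record 1234 to clinic B"   # constructed sample
    sig = sign(msg)
    print("original verifies:", verify(msg, sig))
    print("altered verifies: ", verify(msg + b"!", sig))
```

Both failure modes the text implies are visible here: changing one byte of the message changes the recomputed digest, and changing the signature changes the recovered digest, so either tampering makes `verify` return False.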
Access control governs a user's ability to make a connection to a particular network, computer or application, or to a specific kind of data traffic. The increasing use of the Internet is heightening the concerns of network administrators about the security of their network infrastructure and their organization's private data. And in the light of HIPAA security regulations, these concerns are becoming even more critical for healthcare providers.
The first step in establishing secure network access is to define a security policy. The National Computer Security Association (NCSA), for example, recommends starting with the most secure policy: denying all services to anyone, except for what is explicitly permitted. Many policies can be enforced through the use of technology.
Access from external systems is generally implemented using network firewalls. A firewall is a group of systems or a mechanism that enforces a security policy to protect an internal (trusted) network from an external (untrusted) one. The firewall determines which inside services can be accessed from the outside, which outsiders are permitted access to the permitted inside services, and which outside services can be accessed by insiders.
For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected. The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. A firewall system cannot offer any protection once an attacker has gotten through or around it.
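The "deny everything except what is explicitly permitted" policy, as an added example that is not part of the original article: a minimal stateless, first-match packet filter whose rule set and sample packets are constructed for illustration. Rule order matters, so the example places a deny for the DMZ segment ahead of the broad inside-to-anywhere permit.

```python
# Added example: a default-deny, first-match packet filter.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                          # "tcp", "udp" or "any"
    dport: Optional[int]                # destination port, None = any port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed address plan (private and documentation ranges only).
INSIDE = net("10.0.0.0/8")
DMZ = net("10.1.1.0/24")
DMZ_WEB = net("10.1.1.10/32")
ANY = net("0.0.0.0/0")

# Constructed policy: only explicit permits, evaluated top to bottom.
POLICY = [
    Rule("deny", DMZ, INSIDE, "any", None),      # DMZ hosts may not initiate inward
    Rule("permit", ANY, DMZ_WEB, "tcp", 443),    # outsiders -> public web server only
    Rule("permit", INSIDE, ANY, "tcp", 443),     # insiders -> HTTPS anywhere
    Rule("permit", INSIDE, ANY, "udp", 53),      # insiders -> DNS
]


def evaluate(src: str, dst: str, proto: str, dport: int, policy=POLICY) -> str:
    """First matching rule decides; a packet matching nothing is denied."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"          # the NCSA default: nothing is allowed implicitly


if __name__ == "__main__":
    for pkt in [("203.0.113.9", "10.1.1.10", "tcp", 443),
                ("203.0.113.9", "10.1.1.10", "tcp", 22),
                ("10.1.1.10", "10.2.0.5", "tcp", 443),
                ("10.2.3.4", "198.51.100.1", "tcp", 23)]:
        print(pkt, "->", evaluate(*pkt))
```

A real firewall would also track connection state so that replies to permitted outbound sessions are accepted; this filter judges each packet on its own, which is enough to show how the policy language behaves.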
Even if both access control and authentication security systems are completely effective, the enterprise can still be at risk when data communications travel over a third-party network such as the Internet.
Encryption is used to protect against eavesdropping. It renders information private by making it unreadable to all except those who have the key needed to decrypt the data. It does not matter whether a third party intercepts packets over the Internet; the data still cannot be read. This approach can be used throughout the enterprise network, including within the enterprise (intranet), between enterprises (extranet) or over the public Internet to carry private data in a virtual private network (VPN).
Encryption systems in common use today include the following:
* Shared key encryption. Both or all parties possess a previously distributed key that locks and unlocks the data. The sender provides the key to a shared symmetrical encryption algorithm to encode the data before placing it in a packet bound for the remote site; the remote site then provides the key to the same encryption algorithm to decode the data.
* Public key encryption. One party possesses a private unlocking key and makes a public locking key. Any sender can use the public key to encrypt the communication; the receiver then uses its corresponding private key to decrypt the data.
* Secure key exchange. Both parties first authenticate themselves (often using digital certificates) during a session-specific encryption key distribution process. The session key is created based on data generated by both parties at the time of communication. This key can then be used to encrypt and decrypt all other communications.
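The session-specific key distribution described in the last bullet, as an added example that is not part of the original article: a Diffie-Hellman exchange in which each side contributes a fresh random value and both derive the same session key. The modulus is the 2048-bit MODP group from RFC 3526 (group 14), transcribed here; the `keypair`, `session_key` and `demo` names are this example's own.

```python
# Added example: session-key agreement from values generated by both parties.
import hashlib
import secrets

# RFC 3526 group 14 prime (2048-bit MODP), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def keypair():
    """Each party generates a fresh secret for this session and a public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv: int, peer_pub: int) -> bytes:
    """Combine my secret with the peer's public value; hash the result into a
    256-bit session key that can then protect all further traffic."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value rejected")
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def demo():
    """One full exchange; returns the key each side derived."""
    a_priv, a_pub = keypair()          # party A's contribution
    b_priv, b_pub = keypair()          # party B's contribution
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)


if __name__ == "__main__":
    ka, kb = demo()
    print("keys match:", ka == kb, ka.hex()[:16] + "...")
```

The exchange alone does not tell either side who it is talking to; that is why the text pairs it with authentication (for example, signing the public values with a certificate-backed key), and why the check on degenerate public values is kept.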
A security system should allow for oversight and control by a human authority. Any system that uses authentication requires some central authority to verify those identities, whether it be the /etc/passwd file on a UNIX host, a Windows NT domain controller, or a Novell Directory Services (NDS) server. The ability to see histories, such as repeated failed attempts to breach a firewall, can provide invaluable information to those charged with protecting information assets. Some of the more recent security specifications, such as Internet Protocol Security (IPSec), require the presence of a database containing policy rules.
All these elements must be managed for the system to work correctly. However, management consoles or functions themselves represent another potential point of failure of a security system. It is therefore important to ensure that these systems are physically secured and that authentication is in place for any log-on to a management console.
* Internet Protocol Security. As the Internet becomes more critical to organizations and enterprises of all sizes, the need to protect intellectual property and at the same time conduct business has grown. To promote security for business communications, the Internet Engineering Task Force (IETF) developed Internet Protocol Security. IPSec offers standards-based, consistent security for IP networks. In an IPSec communication, the two communicating entities (which can be individual hosts or intervening devices, such as routers or firewalls) first establish a Security Association (SA). During negotiation of the SA, the two entities agree on what kind of security will be employed. A security policy database (SPD) keeps track of the kinds of security, encryption and authentication that a particular enterprise can implement, and also keeps track of the active security associations. This makes it possible to monitor IPSec activity across the network and to manage the security systems employed at any given site.
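The "histories" a management function should surface, such as repeated failed attempts from one source, as an added example that is not part of the original article: a sliding-window detector run over constructed log lines. The log format, thresholds and addresses are this example's own assumptions.

```python
# Added example: flag sources with repeated authentication failures in a window.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, event, source, user.
LINE = re.compile(r"^(?P<ts>\S+) auth-fail src=(?P<src>\S+) user=(?P<user>\S+)$")

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
2024-01-15T10:00:01 auth-fail src=203.0.113.5 user=admin
2024-01-15T10:00:09 auth-fail src=203.0.113.5 user=root
2024-01-15T10:00:15 auth-fail src=198.51.100.7 user=jsmith
2024-01-15T10:00:20 auth-fail src=203.0.113.5 user=admin
this line is not in the expected format and must not crash the monitor
2024-01-15T10:00:31 auth-fail src=203.0.113.5 user=guest
2024-01-15T10:00:44 auth-fail src=203.0.113.5 user=admin
2024-01-15T10:30:00 auth-fail src=198.51.100.7 user=jsmith
"""


def flag_repeated_failures(log_text: str, threshold: int = 5,
                           window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source: time at which it first reached `threshold` failures
    within any `window`-long period}. Sources below the threshold are absent."""
    recent = defaultdict(deque)     # per-source timestamps still inside the window
    flagged = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                # unparseable line: skip, keep monitoring
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in flag_repeated_failures(SAMPLE_LOG).items():
        print(f"{src}: {when.isoformat()} repeated failures")
```

The second source fails twice half an hour apart and stays below the threshold, which is the behaviour wanted from a history view: it should draw attention to a pattern, not to every single failed log-on.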
Securing End-to-End Data Access
It is hard to overstate the importance of the end-to-end aspect of network security. Security starts with well-defined and well-enforced security policies implemented by efficient and robust encryption on NICs, authentication and authorization in the LAN switches, and robust and flexible firewall and security management instrumentation.
VPNs and Tunnel Switching
A Virtual Private Network (VPN) is a secure connection that offers the privacy and management controls of a dedicated, point-to-point link but actually occurs over a shared, routed network such as the Internet. VPNs are created using encryption, authentication, and tunneling, a method by which data packets in one protocol are encapsulated within another protocol. Tunneling enables traffic from multiple enterprises to travel across the same network unaware of each other, as if enclosed in their own private pipes.
The HIPAA legislation confronts many healthcare providers with the need to review and upgrade security policies and procedures. Although this is not an easy task, 3Com and other vendors offer product solutions and consulting services to help ensure that an organization's data network infrastructure provides the security, reliability, and manageability to support compliance with the regulation.
Acronyms and Abbreviations
AH -- Authentication Header
BITS -- Bump in the Stack
BITW -- Bump in the Wire
CPU -- Central Processing Unit
DES -- Data Encryption Standard
ESP -- Encapsulating Security Payload
HMAC -- Hashed Message Authentication Code
IDEA -- Internet Development and Exchange Association
IDS -- Intrusion Detection System
IETF -- Internet Engineering Task Force
IPSec -- Internet Protocol Security
ISP -- Internet Service Provider
KMAC -- Keyed Message Authentication Code
MAC -- Message Authentication Code
NIC -- Network Interface Card
PKI -- Public Key Infrastructure
SA -- Security Association
SPD -- Security Policy Database
TCP/IP -- Transmission Control Protocol/Internet Protocol
VPN -- Virtual Private Network