Elements of a Comprehensive Security Solution.
A close look at threatened breaches and vulnerable points of attack.
Maintaining security is a never-ending struggle. Just when you think you have an airtight system in place, a new hacker technology or an especially diabolical adversary enters the picture. And the threats aren't necessarily external. In fact, the FBI Computer Crime Unit reports that more than 80 percent of all network security breaches are inside jobs: disgruntled or dishonest employees with their own agendas.
Regardless of the type or location of perceived threat, an effective system for securing the integrity of information while maintaining availability of information assets must:
* Allow access to information by authorized parties.
* Implement policies that determine who is authorized for what access to which information.
* Employ a strong user authentication system.
* Deny malicious or destructive access to any information asset.
* Protect data from end to end.
Threats to Enterprise Security
A computer network can be attacked in a number of ways with different degrees of damage. These attacks can take several forms:
* Denial of service. The attacker disrupts the smooth flow of information by crashing or overloading a critical device such as a server, router or firewall. This is an attack on the availability of information.
* Theft of information. The attacker acquires information that is proprietary to the organization. This can be done by eavesdropping, by masquerading as an authorized entity, or by a brute-force attack such as the use of a computer program that guesses passwords. This is an attack on the ownership of information and intellectual property.
* Corruption of data. The attacker either destroys or corrupts data stored on disk or corrupts data as it is transmitted across the network. This is an attack on the integrity of information.
Threats to the availability, ownership and integrity of information assets can arise at any of these locations (Figure 1):
* The people who use the system (divulging passwords, losing token cards, etc.)
* Internal network connections such as routers and switches.
* Interconnection points such as gateways between corporate intranets and the Internet.
* Third-party network carriers such as long-distance carriers and ISPs.
* Application-level imposters, eavesdroppers and attackers.
Establishing adequate or even impenetrable security at one point of attack while leaving one or more of these other points uncovered is like posting a guard at the front desk and leaving the company's doors and windows
Elements of a Comprehensive Security Solution
A complete security solution that maximizes the benefits of networked data communications must contain these elements:
* Physical protection: where are you?
* User authentication: who are you?
* Access control: what asset are you allowed to use?
* Encryption: what information should be hidden?
* Management: what is going on within the network?
An enterprise may employ any or all of these elements to achieve integrity and access control. The best strategy depends on the risk involved, the cost of the deployment and the cost of a security breach or lost data.
A Closer Look at ...
Physical risks most often involve access to machines or people. A number of strategies can be used to enhance physical security:
* Place computers in a secure environment. The degree to which the console, keyboard, and monitor of a computer can be physically accessed determines the level of system security. This is a common "back door" opening to an intruder. To implement physical security, organizations often use receptionists, security guards, physical keys, combination or electronic door locks, and other access controls. Train staff to log off workstations during breaks and meal times. Something else not to be overlooked: modem pools and all Internet connections should be firewalled.
* Destroy sensitive documents, including disks, when no longer used. Sophisticated tools can reconstruct files supposedly erased from a disk. Only destroying the disk itself guarantees the destruction of the data it once contained.
* Store digital keys on smart cards, not on disks. Disks can be duplicated; smart cards are more difficult to copy.
* Keep passwords secure. Avoid writing passwords down, then sending them through electronic mail or placing them in messages that are archived or incorporated in group discussion systems.
* Do not write PINs on ID cards. This is similar to hiding the front door key under the welcome mat. Security training can help make employees aware of their part in maintaining network security.
* Lock down portable equipment. The laptop computer represents one of the greatest physical threats to a security system, because it contains a great deal of information and can so easily be carried off. Recent headlines revealing the loss of a laptop containing top-secret government information are a prime example of this threat. The same is true of other devices such as external disk drives, tape backup systems, and the like. These devices must be locked away or bolted to the desk to guard against theft.
Proof of identity is an essential component of any security system. It's the only way to differentiate authorized users from intruders. User authentication to the network is vital for any enterprise that is serious about protecting information assets and knowing who is attempting to access the network. Authentication becomes particularly important when some of the more sophisticated communication methods are used.
In addition to proving identity, authentication systems are used to determine what information the requestor can access--for example, a human resources database or corporate financial database. True authentication generally incorporates two or three of the following elements:
* What the user has or possesses (smart card, certificate).
* What the user knows (password).
* A physical attribute (fingerprint or other biometric information).
Authentication is most often achieved through challenge and response, digital certificates, or message digests and digital signatures.
* Challenge and response. In this authentication method, a software agent within a database system or a workgroup server presents the person requesting access to a resource with a challenge, most often a request for a username and password. This is the most common form of security and one that is easily broken when passwords are not carefully chosen and maintained. Intrusion Detection Systems (IDS) guard against unauthorized access to this sensitive information in an extranet--such as those linking hospitals, clinics, and other providers. IDSs monitor information systems, correlate and report on suspect activity, and create complete logs of all information transactions. More importantly, the IDS will be able to tie together audit trails from disparate systems such as firewalls, routers, and NT or UNIX system event logs. This capability is a critical element in satisfying federal requirements.
* Digital certificates. One of the earliest uses of digital certificate technology was Privacy Enhanced Mail (PEM), the predecessor to S/MIME (Secure/Multipurpose Internet Mail Extensions), a widely used specification that brought a higher level of security to e-mail through encryption and digital signature-based authentication. Since their introduction, the use of digital certificates has continued to grow steadily. Digital certificates are essential components of a public key infrastructure (PKI), which can be generally defined as a security system that consists of protocols, services, and standards that support applications of public key cryptography. Public key cryptography is used to validate messages that have been digitally signed. Such messages can be simple e-mail or part of a protocol that establishes a secure communications session. The sender of the message to be authenticated digitally signs the message using a private key. The signature can be validated using the sender's corresponding public key, which is contained in the sender's certificate and can either be sent along with the message or retrieved from a certificate repository.
* Message Digests and Digital Signatures. Applying a one-way hash function such as MD5 or SHA-1 to a message creates a message digest. "One-way" means that the original message cannot be recreated from the digest. A digital signature uses the private key of an individual to encrypt the message digest. At the receiving end, the digest is recreated from the message text, the public key is used to decrypt the digest from the digital signature, and the two message digests are compared. If they match, the messages are probably the same. Comparison of the message digests provides both a means of authenticating the signature and a check of message integrity.
Access control governs a user's ability to make a connection to a particular network, computer or application, or to a specific kind of data traffic. The increasing use of the Internet is heightening the concerns of network administrators about the security of their network infrastructure and their organization's private data. And in the light of HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) security regulations, these concerns are becoming even more critical for healthcare providers.
The first step in establishing secure network access is to define a security policy. The National Computer Security Association (NCSA), for example, recommends starting with the most secure policy: denying all services to anyone, except for what is explicitly permitted. Many policies can be enforced through the use of technology.
Access from external systems is generally implemented using network firewalls. A firewall is a group of systems or a mechanism that enforces a security policy to protect an internal (trusted) network from an external (untrusted) one. The firewall determines which inside services can be accessed from the outside, which outsiders are permitted access to the permitted inside services, and which outside services can be accessed by insiders.
For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected. The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. A firewall system cannot offer any protection once an attacker has gotten through or around it.
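The default-deny policy recommended above and the three questions a firewall answers (which inside services outsiders may reach, which outsiders may reach them, and which outside services insiders may use), as an added example that is not part of the original paper: a small policy evaluator in which any flow not matched by an explicit permit rule falls through to deny, with an audit line per decision so denied attempts stay visible to management. The trusted network range, the rules and the sample flows are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE = ip_network("10.0.0.0/8")   # constructed: the trusted corporate network

@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the source must fall in; 0.0.0.0/0 means any
    dst: str              # CIDR the destination must fall in
    proto: str
    dport: Optional[int]  # None means any destination port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and flow.proto == self.proto
                and (self.dport is None or self.dport == flow.dport))

# The only permitted traffic; anything not listed here falls through to deny.
ALLOW_RULES: List[Rule] = [
    Rule("0.0.0.0/0", "10.1.2.3/32", "tcp", 443, "outsiders -> published HTTPS server"),
    Rule("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "insiders -> Internet HTTPS"),
    Rule("10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "insiders -> Internet HTTP"),
    Rule("10.0.0.0/8", "0.0.0.0/0", "udp", 53, "insiders -> external DNS"),
]

def direction(flow: Flow) -> str:
    """Classify the flow relative to the trusted/untrusted boundary."""
    src_in = ip_address(flow.src) in INSIDE
    dst_in = ip_address(flow.dst) in INSIDE
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"

def decide(flow: Flow, rules: List[Rule] = ALLOW_RULES) -> Tuple[str, str]:
    """Default deny: permit only when an explicit allow rule matches."""
    for rule in rules:
        if rule.matches(flow):
            return "permit", rule.comment
    return "deny", "no explicit permit (default policy)"

def audit(flows: List[Flow]) -> List[str]:
    """One log line per flow, so denied attempts are visible to those managing the firewall."""
    lines = []
    for f in flows:
        action, reason = decide(f)
        lines.append(f"{action:6s} {direction(f):8s} {f.src} -> {f.dst} {f.proto}/{f.dport}  # {reason}")
    return lines

SAMPLE_FLOWS = [  # constructed traffic using documentation address ranges
    Flow("198.51.100.7", "10.1.2.3", "tcp", 443),    # permitted: the published web server
    Flow("198.51.100.7", "10.1.2.3", "tcp", 22),     # denied: SSH was never published
    Flow("203.0.113.5", "10.20.30.40", "tcp", 443),  # denied: outsider to an internal host
    Flow("10.20.30.40", "203.0.113.5", "tcp", 443),  # permitted: insider browsing out
    Flow("10.20.30.40", "203.0.113.5", "tcp", 23),   # denied: outbound telnet not permitted
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```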
Even if both access control and authentication security systems are completely effective, the enterprise can still be at risk when data communications travel over a third-party network such as the Internet.
Encryption is used to protect against eavesdropping. It renders information private by making it unreadable to all except those who have the key needed to decrypt the data. It does not matter whether a third party intercepts packets over the Internet; the data still cannot be read. This approach can be used throughout the enterprise network, including within the enterprise (intranet), between enterprises (extranet) or over the public Internet to carry private data in a virtual private network (VPN).
Encryption systems in common use today include the following:
* Shared key encryption. Both or all parties possess a previously distributed key that locks and unlocks the data. The sender provides the key to a shared symmetrical encryption algorithm to encode the data before placing it in a packet bound for the remote site; the remote site then provides the key to the same encryption algorithm to decode the data.
* Public key encryption. One party possesses a private unlocking key and publishes a public locking key. Any sender can use the public key to encrypt the communication; the receiver then uses its corresponding private key to decrypt the data.
* Secure key exchange. Both parties first authenticate themselves (often using digital certificates) during a session-specific encryption key distribution process. The session key is created based on data generated by both parties at the time of communication. This key can then be used to encrypt and decrypt all other communications.
A security system should allow for oversight and control by a human authority. Any system that uses authentication requires some central authority to verify those identities, whether it be the /etc/passwd file on a UNIX host, a Windows NT domain controller, or a Novell Directory Services (NDS) server. The ability to see histories, such as repeated failed attempts to breach a firewall, can provide invaluable information to those charged with protecting information assets. Some of the more recent security specifications, such as Internet Protocol Security (IPSec), require the presence of a database containing policy rules.
All these elements must be managed for the system to work correctly. However, management consoles or functions themselves represent another potential point of failure of a security system. It is therefore important to ensure that these systems are physically secured and that authentication is in place for any log-on to a management console.
* Internet Protocol Security. As the Internet becomes more critical to organizations and enterprises of all sizes, the need to protect intellectual property and at the same time conduct business has grown. To promote security for business communications, the Internet Engineering Task Force (IETF) developed Internet Protocol Security. IPSec offers standards-based, consistent security for IP networks. In an IPSec communication, the two communicating entities (which can be individual hosts or intervening devices, such as routers or firewalls) first establish a Security Association (SA). During negotiation of the SA, the two entities agree on what kind of security will be employed. A security policy database (SPD) keeps track of the kinds of security, encryption and authentication that a particular enterprise can implement, and also keeps track of the active security associations. This makes it possible to monitor IPSec activity across the network and to manage the security systems employed at any given site.
Securing End-to-End Data Access
It is hard to overstate the importance of the end-to-end aspect of network security. Security starts with well-defined and well-enforced security policies implemented by efficient and robust encryption on NICs, authentication and authorization in the LAN switches, and robust and flexible firewall and security management instrumentation.
VPNs and Tunnel Switching
A Virtual Private Network (VPN) is a secure connection that offers the privacy and management controls of a dedicated, point-to-point link but actually occurs over a shared, routed network such as the Internet. VPNs are created using encryption, authentication, and tunneling, a method by which data packets in one protocol are encapsulated within another protocol. Tunneling enables traffic from multiple enterprises to travel across the same network unaware of each other, as if enclosed in their own private pipes.
The HIPAA legislation confronts many healthcare providers with the need to review and upgrade security policies and procedures. Although this is not an easy task, 3Com and other vendors offer product solutions and consulting services to help ensure that an organization's data network infrastructure provides the security, reliability, and manageability to support compliance with the regulation.
Acronyms and Abbreviations
* AH: Authentication Header
* BITS: Bump in the Stack
* BITW: Bump in the Wire
* CPU: Central Processing Unit
* DES: Data Encryption Standard
* ESP: Encapsulating Security Payload
* HMAC: Hashed Message Authentication Code
* IDEA: Internet Development and Exchange Association
* IDS: Intrusion Detection System
* IETF: Internet Engineering Task Force
* IPSec: Internet Protocol Security
* ISP: Internet Service Provider
* KMAC: Keyed Message Authentication Code
* MAC: Message Authentication Code
* NIC: Network Interface Card
* PKI: Public Key Infrastructure
* SA: Security Association
* SPD: Security Policy Database
* TCP/IP: Transmission Control Protocol/Internet Protocol
* VPN: Virtual Private Network