Layer your LAN.
True local area network (LAN) security is a many-layered proposition - the more layers you have, the more difficult a system is to penetrate. This approach is known as security in depth. It assumes that any single measure can be bypassed, but that at least one of the redundant defenses will work.
Although no LAN is likely to be impenetrable, multiple security mechanisms do provide delay. This gives the appropriate person or process enough time to respond when an unauthorized action is detected. An unprotected server, on the other hand, can be dissected, the access rights and files studied, and then the data subverted, all at the attacker's leisure.
The key to LAN security is first to establish the level of security you need. Then you can set policies and procedures that stipulate who has access to what and under what conditions. The third and last step is to implement mechanisms that will enforce your security policies, such as setting up access rights within a network operating system.
LAN security should be based on a risk analysis whereby you determine the maximum size of the "bullet" - or hostile action - the LAN will face. For example, you wouldn't buy a bullet-resistant vest capable of protecting you against a .357 Magnum if you knew that the maximum threat was from a slingshot. Similarly, you wouldn't specify LAN security measures to protect against a resourceful and determined adversary such as an unfriendly government if you knew the maximum threat was from a disgruntled employee.
It is important to remember that LAN security encompasses both the procedures and techniques used to protect against external as well as internal manipulation of LAN-based records. A good security plan will protect your network from physical destruction as well as unauthorized modification or disclosure of software or records.
By far, the most significant security measures are procedural. Overall, LAN security should be viewed as a plan of operation. In that plan, you should provide for the separation of functions. This is important because if everyone, including LAN personnel and end users, has unlimited freedom of action, then accountability, control, and even management are not possible.
Your plan of operation should also establish authorization procedures and processes for recording what actions staff take, because any persons responsible for a network resource must be accountable. This means they must be able, on demand, to prove that they have faithfully executed their responsibilities.
For example, if someone is responsible for periodically backing up the accounting system and taking that data off-site, then that person must be able to demonstrate that the files were backed up and taken off-site as scheduled. Network staff should record their actions in logs, receipts, or other documents.
The key to making procedures work is to ensure that records are kept in ways that can be audited by management. Naturally, you should also make sure you hire a staff capable of following the procedures you establish.
In general, LANs require three types of protection: disaster recovery, physical security, and data security. These three security concerns are not entirely distinct, so a given policy or measure may actually apply to more than one.
From a security standpoint, LANs are both good and bad news. The good news is that LANs inherently offer better protection against physical destruction because they are distributed systems. Since the computers are not concentrated in a single location, a catastrophic event such as a fire is likely to do less damage than it would if it occurred at your only computer center.
A mainframe shop requires backup computer sites and complex off-site recovery procedures; a well-designed LAN does not. In addition to providing an exceptionally effective emergency operating capability, LANs often have backup staff, since there are usually a number of LAN administrators spread among various sites.
With their distributed server architecture and cross-trained staffs, LANs provide good protection against disasters without the recurring costs of a contingency program that a mainframe system requires.
However, as distributed systems, LANs also pose some security risks. Processing does not take place in physically secure computer rooms. In addition, personal computer users often reconfigure machines and modify software, which makes program audit and control difficult. Since software can be introduced to the network from many workstations, preventing viruses, worms, and other threats to software is difficult.
A good security plan will provide for recovery from a disaster. It is essential to provide the systems, staff, and procedures necessary to ensure that a disaster, man-made or otherwise, does not cripple your organization.
LANs are rapidly moving from the pilot phase into production. As more LANs are implemented in mission-critical applications, the acceptable time for restoration of service is decreasing.
Clearly, a company's most valuable assets are its unique programs and data files, not its servers, workstations, or cable plant. These programs and files often represent years, even decades, of effort and expense. In many cases, they could not be recreated without hard copy records.
To protect data against disaster, you should install multiple servers placed at different locations so that each server can absorb critical work loads. This dual-operating capability should be part of your overall installation planning. The goal is to be able to operate critical programs at two or more server sites.
Another way to protect data is to copy critical files and store one or more copies at locations away from the server. One copy should be stored at a secure off-site storage facility unless you assume there is no significant risk that your building could be destroyed.
In most cases, however, backup files are used to recover files damaged because of end-users' mistakes. Therefore, you should keep one set on-site and a duplicate set off-site. It is important to remember that off-site backup is a disaster recovery solution, whereas on-site backup of the most current data is actually an operational tool. Don't cripple your ability to recover damaged files rapidly by moving the materials you need to use to a distant location.
If you have off-site backup files and additional server hardware that can be installed rapidly in an emergency, you will be able to restore LAN operations within an acceptable period. The time it takes to restore a LAN includes the time it takes to recognize that a disaster has occurred as well as the time it takes to recover.
Time wasted in determining that a catastrophe has occurred can delay action until the problem becomes uncontainable. Panic by untrained staff can result, and has resulted, in the destruction of backups during chaotic recovery attempts. Try to back up your backups before you attempt to restore the data to the file server, and make sure you label the tapes. Unlabeled backups can be useless in a crisis.
Although physical security can play an important part in disaster recovery, it more broadly encompasses physically protecting the LAN and its resources from misuse. Controlling who has physical access to LAN resources is the key to physical security.
Physical assaults include destruction or damage to buildings, computer hardware, computer files, and programs. For example, computer files and programs can be destroyed or made useless by software manipulation. A skilled programmer, if uncontrolled in his or her actions, could prevent the execution of key programs for weeks.
Servers that are not physically protected cannot be made secure. Nondedicated servers, in particular, pose a risk and cannot be made secure, regardless of the LAN software used. Every time a server is turned off and on there is an opportunity to defeat the network software's security mechanisms.
Restricting who can upload programs and copy data is another physical security measure. If you can control the method by which any software is loaded on the LAN, you limit your risk of infection from computer viruses and worms. The best technique is to prevent users from installing executable code on the LAN; this capability should be limited to LAN administrative staff.
Diskless workstations prevent users from loading unauthorized software from disk. In addition, by requiring that users load MS-DOS from the network, DOS corruption is less likely. Users can also be restricted to specific drives or printers. This can be useful when printers must be reserved for critical operations such as payroll and are loaded with prenumbered forms.
Similarly, protection must be provided for the data stored off-line. If it is possible for a nonauthorized user to locate and access the backup tapes, then any protection provided for on-line data becomes useless.
Developing procedures to control what programs get used on the LAN is a key component of data security. Once the procedures are in place, you can set up access controls as your means of enforcement.
To secure a LAN, you need to structure its operation to support a very clean turnover of data and programs. You must define the data sets created by production programs as being production data sets and as accessible only by production programs stored in production libraries.
Of course, you need to identify and place controls on the system data sets. These controls can include service logs, console logs and other audit trails, and file indexes (equivalent to the PC-DOS FAT or file allocation table). You also need to place controls on software tools, such as compilers and debuggers, that could subvert security software or security procedures.
Controlling data sets and software tools is analogous to preventing a bank robbery by never storing a metal-cutting torch near your safe. The average burglar would not carry a cutting torch because of its bulk and the difficulty of explaining why it is in his or her possession.
On the other hand, a crime of opportunity may occur if somebody sees the torch lying there. Good security practices require that you safeguard tools that have the potential to breach security.
As part of setting up data security procedures, it is important to differentiate between test and production operations. Test operations are those under development, while production operations are those used in decision making.
For example, if I use a spreadsheet for calculating and printing checks, then it is my production payroll program. On the other hand, consider a compiled, multiuser payroll program. Everyone who relies on the results of that program is also dependent on the procedural controls that ensure that the program was tested to prove that it does what it is supposed to do and nothing else. This differs from a spreadsheet where I can, from my own knowledge and experience, determine that it is correct.
If the program or spreadsheet is used by people who must assume it is correct, then procedural controls must be implemented to provide security. Controls are placed at the transition point between test and production. Production data or records should only be modified or read by quality-controlled programs or procedures that have been subjected to managerial review. Quality-controlled programs are those that have been verified to operate as specified.
The mechanism for building data security is based on the principle of least privilege. This principle, developed by the military, states that each person should be provided with the minimal tools needed for his or her authorized duties. If network users have weak tools, then they are limited in their ability to bypass security and perform undesirable acts.
Since programming is a tool used to create other controls, it must be subject to normal accounting practices, including audit trails. These accounting procedures begin with the creation of files, known as program libraries, in which all programs are kept. These files are stored in directories with controlled access.
The ability to make changes to programs and the ability to authorize such changes should be assigned to separate individuals. A journal of activity on each file should be kept to fix accountability, and the library should be structured in a manner that improves management insight and control.
The best practice is to establish a scheme where programs and data used in production are isolated and can be modified only by a standardized procedure. To set this scheme up, you would establish a production library, a class of production data sets, a test library, and test data sets. Production data sets may be accessed or modified only by quality-controlled programs that reside in and are protected as a secure library. This procedure allows you to restrict access to production data and therefore reduces the risk of destruction, disclosure, or unauthorized modification either from internal or external parties.
You can detect unauthorized changes to program files by tracking control data such as hash counts, cyclic redundancy checks, and check sums on the total number of characters in a program. In this way, you can ensure that modifications of programs come to management's attention. In addition, protected program libraries must be designed so that controls can be implemented. This means they should be structured so changes can be identified and tracked back to the basic authorization document. This audit function is similar to the methods used to prove accuracy of financial records.
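As an added example (not the article's own code), the change-detection step described above, written in Go: a baseline of file digests for a production library is recorded and later re-checked, listing every program that was modified, added or removed. SHA-256 in place of a CRC, the temporary directory and the program names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Report holds the differences between the stored baseline and the library on disk.
type Report struct {
	Modified []string // in both, but the digest differs
	Added    []string // on disk, not in the baseline
	Missing  []string // in the baseline, not on disk
}

// hashFile returns the hex SHA-256 digest of a file. A cryptographic hash stands in for the
// article's CRCs and check sums: a CRC catches accidental corruption, not a deliberate patch.
func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// Baseline records the digest of every regular file under root, keyed by relative path.
// This is the control data; store it where library writers cannot also rewrite it.
func Baseline(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		out[filepath.ToSlash(rel)] = sum
		return nil
	})
	return out, err
}

// Verify recomputes the digests and reports every program that was changed,
// added or removed since the baseline was taken, so each can be traced back
// to an authorisation record (or flagged to management if there is none).
func Verify(baseline map[string]string, root string) (Report, error) {
	var r Report
	current, err := Baseline(root)
	if err != nil {
		return r, err
	}
	for rel, sum := range current {
		if want, ok := baseline[rel]; !ok {
			r.Added = append(r.Added, rel)
		} else if want != sum {
			r.Modified = append(r.Modified, rel)
		}
	}
	for rel := range baseline {
		if _, ok := current[rel]; !ok {
			r.Missing = append(r.Missing, rel)
		}
	}
	return r, nil
}

func main() {
	// Constructed demo: a temporary "production library" holding one program.
	lib, _ := os.MkdirTemp("", "prodlib")
	defer os.RemoveAll(lib)
	os.WriteFile(filepath.Join(lib, "PAYROLL.EXE"), []byte("release 3.1"), 0o644)
	base, _ := Baseline(lib)
	os.WriteFile(filepath.Join(lib, "PAYROLL.EXE"), []byte("patched"), 0o644) // unauthorised change
	rep, _ := Verify(base, lib)
	fmt.Printf("modified=%v added=%v missing=%v\n", rep.Modified, rep.Added, rep.Missing)
}
```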
LAN managers can adopt the following security practices with regard to program libraries:
* Only the owner (a single person) may write to a library.
* Only those authorized by the owner can read from a library.
* Programmers are given a personal library for test purposes.
* A project librarian owns the project or application development library.
* A LAN administrator owns the production library.
Adhering to these practices ensures that only approved, quality-controlled changes are made to the program library and that only an authorized individual can transfer programs to the production library according to specified procedures. Since quality control processes prohibit programmers from accessing production files, data integrity is ensured.
If these controls are strong enough to protect against misuse by LAN staff, then they are also strong enough to protect against attacks by outsiders. However, security effectiveness also depends on the degree of separation of functions. Separation of function requires that each person involved be given only the programming tools essential to carry out his or her assigned duties.
In addition, programmers (and outsiders) must be prevented from accessing any tools that can circumvent library control. Therefore, it is important to protect the LAN operating system catalogs and restrict use of low-level procedural programming tools. By using access control to prevent access to the production library by anyone other than the operation department agent, you can secure that application's data sets without putting access controls on individual files. This approach is the fastest and least expensive method of implementing file protection.
Quality control requirements ensure that only trusted material is accepted into production use. Conversely, access control depends on quality control to ensure that only properly authorized programs are secured within the production library.
Traditional computer security measures, as described so far, are the cornerstone on which LAN security is built. With LANs, every person, tool, or resource on the LAN must be identified and named, and a record must be kept that associates each person with the use of a resource.
Access controls are then set up to limit an individual user's access to specific LAN resources. Access control is a primary security enforcement tool for LANs. One way to set up access control is to request information that only one person knows, such as a password. (LAN operating systems vary in the effectiveness of the password schemes they use.) In addition to passwords, access controls include user IDs, authorization tables, and access rights lists.
Access control is analogous to a lock on a door. Just as a lock does not protect against someone with a key, access control does not protect against someone with a password. Therefore, additional controls such as audit trails and alarms are essential to protect against the authorized user who has bad intentions. These controls should be implemented in the software used to control the program library and also in the software used to prevent unauthorized access to production data.
Up to this point, we have considered security measures that prevent the modification or substitution of programs and data. However, for organizations whose data is sensitive or very valuable, data interception is another security threat that must be considered. Data can be intercepted by wiretapping or emission sensing, for example.
This threat is most serious for government and commercial organizations with data whose disclosure to an outside party could threaten national security or cause financial damage. As offensive technology improves, protecting yourself against data interception may require the use of cryptographic security, a costly method of encoding data.
Communication security is the key to protecting against data interception. Communication security encompasses five concerns: line security, transmission security, cryptographic security, emissions security, and technical security.
Line security involves protecting telephone lines against wiretapping or other types of interception and employs the same techniques used for protecting voice conversations against interception. Transmission security is defined as the method of protecting workstation-to-server and LAN-to-mainframe communications. Line security protects against physical taps; transmission security protects against interception by workstations authorized to access the network but not particular data.
Cryptography is a method of encoding data using various keys that permit only authorized users to make any sense of the data. Using the encoding mechanism is the only way to protect data that is being transmitted across communication links, via satellites, or over microwave networks.
This procedure may also be used to protect passwords against manipulation and unauthorized use. For cryptography to work, the keys must be controlled at both ends.
Cryptographic security is found in three forms: link level, session level, and private level. Link-level security applies to data transmitted from point to point across a communications line and does not protect data within the system. It is equivalent to installing cryptographic devices at the modems. With this system, the management of the keys is a manual process.
Session-level cryptography, on the other hand, does not allow data to appear in decoded form at any point in the system. In this scheme, a key is generated for each session. A workstation wishing to contact the file server has a key stored in memory that is erased if the workstation is tampered with. The server also has the workstation key.
The workstation would send a message to the server requesting a session. The server decodes the session request message and verifies the workstation's identity (since only one workstation possesses that key). The server then generates a key for use in that single session and encrypts that session key under the workstation key for transmittal. The session key exists only for that LAN session.
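As an added example, not from the article, the session-key exchange just described, in Go: the workstation seals a request under its long-term key, the server proves the sender's identity by opening it under its stored copy of that key, then returns a fresh per-session key sealed under the same workstation key, so the session key never travels in the clear. AES-256-GCM, the fixed request body and the workstation identifier are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmFor returns AES-GCM for a 32-byte key (AES-256-GCM is an assumption; the article names no cipher).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag for plaintext under key, binding id as associated data.
func seal(key, plaintext []byte, id string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// open reverses seal; it fails unless msg was sealed under key for this id and is intact.
func open(key, msg []byte, id string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], []byte(id))
}

// Server holds one long-term key per workstation; a Workstation holds only its own.
type Server struct{ Keys map[string][]byte }
type Workstation struct {
	ID  string
	Key []byte
}

// NewRequest is message 1: a fixed body sealed under the workstation key. The ID
// travels in the clear alongside it so the server can pick the matching key.
func (w Workstation) NewRequest() ([]byte, error) {
	return seal(w.Key, []byte("SESSION-REQUEST"), w.ID)
}

// HandleRequest is the server side: opening the request under the stored key proves which
// workstation sent it; the server then mints a one-session key and seals it under that key.
func (s *Server) HandleRequest(id string, req []byte) ([]byte, error) {
	wsKey, ok := s.Keys[id]
	if !ok {
		return nil, errors.New("unknown workstation")
	}
	if body, err := open(wsKey, req, id); err != nil || string(body) != "SESSION-REQUEST" {
		return nil, errors.New("request not authenticated under workstation key")
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	return seal(wsKey, sessionKey, id)
}

func main() {
	wsKey := make([]byte, 32)
	rand.Read(wsKey) // constructed long-term workstation key, installed out of band
	ws := Workstation{ID: "WS-ACCT-07", Key: wsKey}
	srv := &Server{Keys: map[string][]byte{ws.ID: wsKey}}
	req, _ := ws.NewRequest()                   // message 1: session request
	reply, err := srv.HandleRequest(ws.ID, req) // message 2: sealed session key
	sk, _ := open(ws.Key, reply, ws.ID)         // workstation recovers the session key
	fmt.Printf("session key: %d bytes, err=%v\n", len(sk), err)
}
```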
With private security, each user is free to develop his or her own security. This arrangement is dangerous since there is no way to tell if the measures are adequate or well implemented. Since there is no central control, the whole enterprise is at the mercy of an individual should he or she leave or turn his or her energies to subverting programs or data.
Cryptographic security also involves protecting the software or hardware used for encoding transmissions. Since this software and hardware combination is the key to the vault, so to speak, it must be protected at a higher level than even the information the cryptographic system protects. Just as a lock does not protect against a key, cryptography does not protect against a lost or intercepted cryptographic key.
Believing that you have security when you really do not, and not knowing when you lose protection, is much worse than having no security and accepting that fact. Protect keys to a higher degree than the data they protect.
Emissions security protects against the interception of computer emissions, such as electrical fluctuations, radiation, or other modulation. By intercepting such emissions, an adversary could determine what is being processed. This is a risk primarily if your adversary is both resourceful and determined, such as a government would be.
Technical security is a phrase used in the security world to describe protection against noncomputer intrusion devices. These devices include microphone or free-space transmitters, devices built into equipment, carrier-current bugging equipment, visual or optical surveillance equipment, and telephone bugging devices. These devices pose an extremely serious risk in commercial computer installations because they can be used to intercept passwords.
Consider a company that uses access control as its primary security mechanism. It depends on the secrecy of passwords to prevent system access. A password can be compromised in many ways. Anyone who is acquainted with scientific publications or do-it-yourself magazines has probably seen advertisements for small FM transmitters, about the size of an aspirin, with a range of a quarter mile.
If I wish to obtain someone's password, all I have to do is drop one of these devices near the workstation and, using techniques I won't describe here, pick up either the radiation patterns of the terminal or key clicks. These can be analyzed to determine the password.
For this reason, an access control package based on passwords should only be part of a LAN security system. The accounting controls of program libraries and the other techniques discussed above can detect when someone gains unauthorized access to the LAN or its resources. For example, manipulation of data can be detected by an audit. Audit procedures and the increased management visibility they provide act as a check on individuals who bypass the access control mechanism.
Other procedures will be necessary for files with valuable or sensitive information. Somebody using an appropriated password could gain access to a file but, if he or she does not alter the file, the program library cross-check will do no good. In this case the best security method available is what's called a hand-shaking arrangement, which means that a user signing on to a particular data set is given information regarding his or her previous activities.
These arrangements are often incorporated with access control and operate by making each user responsible for monitoring activities on his or her own file. Some networking vendors, for example, include the last date and time of log-on as part of their programs' sign-on screen, thus making each user his or her own security person.
These hand-shaking arrangements can also include information from the user as part of the sign-on. For example, a user could be asked to enter his or her mother's maiden name to determine that the user of the password is, in fact, the authorized person.
Allowing users to monitor activities in their own files as a means of checking for security breaches can pay off. Consider the case of Harvard astronomer Clifford Stoll. Stoll noticed a 75-cent discrepancy in his network use account. He became convinced that hackers were using the Lawrence Berkeley Laboratory as a path to MILNET. He tried to get the FBI to investigate, but it would not.
Stoll then created a dummy computer network called SDInet and false military data. He rigged an alarm to the dial-in port to SDInet and linked the network to a pager. A hacker spent three hours reading the data and was traced to Hannover, West Germany. Months later, Stoll got a letter from a man in Pittsburgh asking for information on SDInet; he turned the letter over to the FBI.
Stoll, with some help from his girlfriend, nailed a spy ring capable of tapping into military computers worldwide. As a result, three hackers who were trading military passwords to the Russian KGB for cash and drugs have been arrested. The Pentagon is still attempting to determine the extent of the damage.
Because of a 75-cent discrepancy, an alert end user detected a major security breach that was not recorded or stopped by military-level computers. Stoll now has a book contract and will probably sell the movie rights, too. Computer security does pay.
Unfortunately, any flaw in security can be fatal. You must have in-depth protection: multiple layers of defenses supported by audits. With such a security scheme, you can determine whether your security is working effectively.
The LAN staff should assume responsibility for contingency planning and protection, as well as provide the auditing tools and other facilities needed for effective network management. However, for user data that is not used in production systems, the only security that should be provided is backup.
Access control can be used to provide security for each data set, user, or supervisor; however, in a large installation, maintenance of access rights files and authorization records becomes an incredible administrative burden. If you have the policies and procedures properly designed, then installing access control becomes an almost trivial task.
One of the most important benefits of implementing access control is that it forces the study and standardization of operating procedures. This is often far more beneficial to an installation than the security protection you set up.
If you don't have the procedures properly designed, then you have no control of your operation. You do not have security - you have the illusion of it. Multiple security measures protect against weaknesses in individual measures.
Who would have predicted that, given the right information, an astronomer could protect his country's data when all other security measures failed? The monitoring mechanism was there; it worked for the Pentagon just as LAN security can work for you. Put security measures in, put them in layers, check them frequently, and you can keep your network safe against intruders.
About the Author . . . Ira S. Hertzoff, CPP, is president of Tholian (Holdings) Inc., a network management and security research and consulting firm in Columbus, OH. He is also the network management columnist for LAN Technology magazine. He is a member of ASIS.
Title Annotation: local area network security
Author: Hertzoff, Ira S.
Date: Sep 1, 1989