Printer Friendly

The weak link.


I HAVE DONE SOME RESEARCH TO FIND out how communications security issues have been addressed in the past few years, and I have discovered, unfortunately, that they have not been addressed properly and sometimes not at all.

Through my research I discovered that most speakers on the topic centered their discussion on password tokens and how the PC-mainframe connection has changed in the past 20 years. But their main concern was identifying and authenticating the user at the end of the line, and the reports I accessed only addressed the issue of 3270 direct connections to the mainframe. (3270 is a standard terminal type.)

Clearly a more comprehensive approach is needed, and the issue of communications security must be applied to the micro-to-mainframe link. We need to define and understand the connection. In most cases it is no longer a 3270/coaxial connection but a dial-up connection with the PC using a 3270 terminal emulation package or a direct minicomputer-to-mainframe link (3270/coaxial). Another connection could be from a local area network (LAN) to the mainframe, or from the LAN to the minicomputer to the mainframe.

This article discusses the connection of a hypothetical PC to a file server. The file server, in turn, has several modems and a couple of direct connections to the division's minicomputer. The minicomputer also has several modems and a couple of direct connections to the headquarters mainframe. Let's take on the challenging task of securing a couple of different connections:

* PC-LAN-modem-mainframe

* PC-LAN-minicomputer-mainframe

* PC-mainframe

The last of these scenarios, the straight 3270/coaxial connection from PC to mainframe, is the simplest to secure. You can use 3270 encryption boards on your PC or encryption boxes between the PC and the mainframe.

These encryption devices secure the communications portion. For identification and authentication, several password tokens are available in the market. Make sure your mainframe access control package supports the token under consideration. TO CONSIDER WAYS OF SECURING THE communications portion of the various PC to mainframe connections, we need to understand the communication lines' vulnerabilities.

Let's explore the most common -- a wiretap used to tap phone lines, LAN lines, and 3270/coaxial lines. Since those media use unshielded cables, which emanate radio signals, a perpetrator can tap the line with an inexpensive tap built from parts purchased from a local electronics store.

To do this, the perpetrator needs physical access to the communications medium. If you use regular phone lines, access can be gained at the telephone closet outside your office -- negating the need for physical access to the office. To tap the LAN and 3270 connections, the perpetrator needs access to the office unless these lines run from floor to floor or office to office through an unsecured structure such as a false ceiling.

Fiber-optic cables could be used to connect your networks, making it harder for the perpetrator. Since those cables do not emanate radio signals, a wiretap would not work. However, some security practitioners say these cables could be tapped by bending the line and intercepting some of the reflected light.

Let's say you have a secure facility and nobody can tap the lines inside the building. Here you should be concerned about the medium used by the telephone company. The medium could be a cable, microwave communications, or satellite communications. The cable can be tapped, but it is hard for the perpetrator to identify the line among thousands of other lines.

Satellite and microwave communications can be intercepted with scanners--also available from a local electronics store. Intercepting the signal is one thing; deciphering it is a different story. The perpetrator has to differentiate your data from among millions of other messages transmitted at the same time.

One last threat is the electronic emanations that come out of computer equipment. Each piece of computer hardware, such as the monitor, printer, and CPU, has certain unique electronic emanations that can be intercepted from a couple of miles away.

To protect against this threat, replace your computer equipment with Transient Electromagnetic Pulse Emanations Standard (TEMPEST) equipment. This equipment has been shielded and no longer emanates electronic signals. If you are processing classified data in an unsecured environment, you must use TEMPEST equipment.

Other well-known threats include connecting an unauthorized terminal to a network or using an authorized terminal for unauthorized use. In the latter case, the PC could be used to emulate a log-in and capture user ID and passwords. Several off-the-shelf products can capture the data on the PC without the user knowing.

When replacing dumb terminals with PCs, you introduce these risks into the network environment. And if you are using a PC to connect to the mainframe, the network inherits these risks.

Another risk: PCs can capture downloaded data without the mainframe even knowing. This can be done through screen capture programs on the PC or turning on the buffer switch from the terminal emulation package.

The use of macros to log-in automatically to the mainframe is another risk. Most terminal emulation packages have this capability, and users tend to include their user ID or password on the macro. This macro is then saved in clear text, and anyone with access to the PC can look at it.

With LANs, we have LAN analyzers to worry about. As noted in the June 26, 1990, issue of PC Magazine, "As passive monitoring devices, analyzers don't log-on to the server, and they aren't subject to server software security. Their ability to copy and decode packets crossing the network means that anyone with a protocol analyzer can easily find passwords used by people as they sign on to servers, and they can capture any data sent across the network. No operating system encrypts data files. When you give someone a protocol analyzer, that person gains a wide-open tap on the network."

If you are connecting a PC to a mainframe via 3270 evaluation, the mainframe inherits the security vulnerabilities of the PC. If you are connecting to the mainframe from a LAN, the mainframe inherits the security vulnerabilities of not only the LAN but also the PC. TO SECURE SUCH HETEROGENEOUS connections you need several components. First, you need a form of identification, an authentication independent of the connection. Password tokens fit this requirement well and are supported by the major mainframe access control packages.

Most of these tokens work through the use of onetime passwords. Therefore, capturing the password won't be much help to the perpetrator because it is good for only one log-in session. Most of these password tokens can be used to authenticate the user to the PC, providing some level of security.

Second, you need to protect the communications medium, whether it is a dial-up line, LAN, 3270 board, or minicomputer acting as a front-end processor or communication control unit. The immediate and probably only solution is encryption.

It would be nice to have an encryption box at the PC that would encrypt from the PC to the mainframe and work across the line regardless of whether it was a LAN, a minicomputer, or dial-up line. Today several encryption devices are available, but you would need one at each connecting point -- one at the PC and at the LAN server (maybe two, one for input, one for output), one at the modem, one at the PC, and probably several at the mainframe.

A more realistic approach would be software or hardware encryption at the PC that would encrypt the data before it is handed over to the network (in the case of LANs). An external box might not work in this environment because the network routing information needs to be kept in the clear.

Encrypting the data packets before they are handed over to the network card or drivers would take care of this problem. This type of encryption would solve the LAN communication vulnerabilities. From the file server to the minicomputer and on to the mainframe, the use of an encryption box becomes more feasible since the number of boxes required would be much less than equipping every PC with such a device.

This leaves us with the computer security issues at each one of the computers used during the PC to mainframe connection. The file server, the minicomputer, and the mainframe have built-in security mechanisms in their operating systems. A discussion of these mechanisms is beyond the scope of this article.

One door is left open:the PC.Two approaches to PC security are available. The approach you take depends on how the PC is used. If every user has his or her own PC, you take one approach. If the PC is used by several users, you take a different, more secure approach.

When you have a single-user PC, you might get by with a good access control package to the PC -- a package that forces the user to enter a password and user ID before gaining access. Remember: This PC is only used by one user, and it is that user's responsibility to protect the machine. Except for possibly an administrator, he or she is the only user and thus has full access to the PC. If this user is allowed to download data, the security package should also provide for encryption on the hard disk and floppy disk.

Some form of virus protection should also be provided to guarantee that the downloaded or uploaded data has not been modified by covert methods, such as viruses or Trojan horses. Another reason for virus protection is that by disabling the PC with a virus attack, a perpetrator can disable the network.

If the PC is used by several users, you need a more sophisticated package to control these users once they have logged on. In the approach I prefer, the users are immediately forced into a menu shell without direct access to DOS. If the application is on the menu, the user can use it. If not, the user is not authorized to use the application and, therefore, cannot run it on that particular PC. If users are allowed to download or upload data, the security package should provide encryption and discretionary access controls to keep each user's data in a controlled environment and accessible only to an authorized user.

The majority of PCs today are single-user PCs. This means you can get by with the first approach, which is substantially less expensive and easier to implement. The second approach, recommended for multiuser PCs, costs more in product cost, training, and ensuring discretionary controls are properly implemented. The multiuser approach is similar to running mainframe access control packages, such as mini-RACF or ACF2, in a PC.

Securing the PC-to-mainframe link in today's environment has become a challenging task. Just when we thought we had our mainframe and communications security in place, we now have to worry about the PC being used as a terminal.

A comprehensive solution to PC-to-mainframe security would involve a minimum of three steps:

* The PC must be secured to ensure no one has loaded programs that could be used to capture passwords, IDs, or data.

* The communications between PC and mainframe should be secured by encryption.

* The user should be authenticated by using a password token. Unfortunately, the only weak link in this scenario is the use of DOS-based LANs, which have no form of encrypted communication available to secure the connection between workstation and file server.

As you can see, PC-to-mainframe security issues, which have always been a communications risk, have changed drastically in the past 10 years. Now you must consider PC security, LAN security, and sometimes minicomputer security on top of communications security.

Angel L. Rivera is president of H & A Micro Consultants in Churchton, MD, a firm that specializes in microcomputer security and computer security training. He is a member of ASIS.
COPYRIGHT 1991 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:computer security
Author:Rivera, Angel L.
Publication:Security Management
Date:Aug 1, 1991
Previous Article:Terror Australis.
Next Article:Security goes green.

Related Articles
The complexity of computer security.
Risky business: tackling computer security.
Anticancer enzyme imaged.
FBI Reports Cyber Attacks Are on the Rise.
Lock your windows securely. (Tech Talk).
Cyber security: key to homeland security. (Up front: news, trends & analysis).
And the password is ...

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters