|
|
Security Primer
Posted On November 3, 2007 by Sneha Latha filed under Miscellaneous
With the advent of the Internet we can now connect our computers to a world of information. At the same time, however, we may also be unwittingly allowing anyone on the Internet to gather a world of information from our computers!
The security of a computer network has three aspects: authentication, authorization and privacy. The emphasis laid on each of these aspects will depend on the type of network - for example, there may be no need for privacy in a closed local network, and authorization will be vital for a distributed network like a WAN.
Authentication
The main purpose of authentication is to verify the identity of the person using a service, though it can also be used to prove the identity of the service to the user.
The required level of proof will vary depending on the nature of the service, but will usually be based on one or more of the following:
Username and password
Smartcards or other tokens
Biometric inputs such as fingerprints, retinal scans etc.
Most security systems require what can be termed two-factor authentication - where at least two of the above methods are used to verify identity. Again, the choice of authentication method will depend largely on the value of the data or service. In most cases, for example, a password is more than sufficient for an email account, whereas secure banking transactions may require a smartcard or biometric authentication in addition to a password.
Any authentication method, which is transmitted across a public network may be recorded by any third party with access to the network. If this person can later use the recorded transaction as his own 'authentication,' then the method is of little value.
The main danger of such 'replay' attacks is that unlike in the case of loss of a physical token, the theft may go unnoticed by the rightful owner. To prevent replay attacks, the authentication information exchanged should be different for every transaction.
Authorization
Once a user has proved his identity, the next check will be whether that person is allowed to perform the transaction that he has requested. This authorization is normally done within the service machine by checking against a list of registered users and their access rights. In cases where the authorization information is maintained on a different server (this may belong to another business or institution), a secure protocol is needed for the service to query an authorization server at the institution.
In addition to the identity of the service, the request for authorization must necessarily include some details on the information requested by the user.
The most common approach is to have a server that combines the tasks of authentication and authorization, as this considerably simplifies the operation as well as improves on security.
Vulnerabilities
The desktop level OS issues
The operating system is the root of most security problems besetting desktop computers.
Almost all desktops run some flavor of MS Windows, and unfortunately we have to work within the software infrastructure that is already in place. It is impractical to expect users to move to a more 'secure' operating system.
Most problems with MS Windows stem from the fact that a lot of security compromises have had to be made to ensure backward compatibility.
The OS was designed with a single user environment in mind. Hence, vital issues such as authentication and access control have not been addressed in any depth by the native infrastructure. Basically, MS Windows was not designed to protect the integrity of the machine when connected to a large public network such as the Internet.
Hence, it is a trivial matter for an adversary to gain access to the machine once it is connected to the Internet, and having physical access to the machine makes the task even easier. Simple search terms yield an amazing number of sites that deal with 'hacking' windows.
For example, a simple 'Windows NT crack' search yielded more than 20,000 results when we last tried it. Randomly clicking on some of the links gave us some nifty tools, GUI and all to do everything from listing all the users on a particular machine to gaining administrator access to the system. And most of these tools are available as freeware to boot.
Patching and hardening the OS may seem like an answer, but keeping up with even the 'acknowledged' Microsoft patches is a full-time job.
Some control can be maintained with software like port monitors - passive tools that tell you which ports are being used by what software, and allow you to monitor the incoming and outgoing traffic on your computer.
Choosing secure software
An often encountered real world problem is that some applications are inherently less secure than others, even if they perform the same task. This is most often the case for end-user applications as they are selected for convenience or popularity rather than security.
Thus, the security of a desktop system can be significantly improved by a judicious selection of the end user applications to be used.
A simple way to deal with these issues is to choose relatively secure 'tested' software. Programs like Outlook Express and Eudora mail are full of vulnerabilities that even a novice can exploit to gain access to your desktop machine. It is a trivial matter, for example, for some-one to use Active X scripts embedded in a simple HTML email to gain command prompt access remotely, or send a BCC of every mail on your machine to any IP address.
And even the popular press is full of articles on how scores of viruses spread through Outlook Express address books.
The local network level
Safeguards / separating the local net from the Internet
Perhaps the most important part of network security is effective separation of the local network from the Internet.
Properly configuring the gateway, and allowing Internet access only to crucial services is vital. Time and again, we find that network administrators neglect these details, and this results in disaster. Some time ago, the Bhabha Atomic Research Centre's network was compromised because their mail server was not correctly configured, and this server was used by the hackers as the preliminary access point into the network.
Firewalls and access control
Firewalls offer a degree of control, and if configured properly, can be quite effective security tools that allow a good degree of control over what packets pass through the network.
The downside is usability - your firewall rules should not hamper the usability of the network - all services and applications that are needed by the users should be easily accessible to them.
Access control can be implemented by using the standard operating system controls, or by using third-party software, depending on specific network structure and requirements.
In this case as well, care should be taken to achieve a balance between usability and absolute security, and not finding the right balance is the biggest shortcoming of these measures.
There is no absolute way to know what configurations are correct for your network. It is usually a matter of experience and intuition (and this is probably why security consultants get such high pay packets)
Usability
It is very important to understand that ultimately the network is in place for the convenience of the users. Thus, it would be self-defeating to implement security that is so rigid that it hampers the ability to use the network.
End-users should be able to easily and readily access the services and applications they need, and should not as far as possible be either hampered or involved with the internal workings of the security implementation in place on the network.
Correctly assessing the real threat level that the network is exposed to and the importance of the information and data that the network carries is the cornerstone in deciding the correct security model that needs to be implemented. In the end, even the best networks make some compromise, both on usability and on security.
Privacy
As the Internet increases in popularity, it carries an increasing amount of private traffic. This may be personal information about a user or information of commercial value. When the messages contain sensitive information such as credit card details, purchased software or exam scores, their owners need to keep them secret.
Unfortunately, messages can be read off the network as easily as usernames and passwords. So the only solution is to encrypt them. If an authentication process occurs before a user gains access to a service, then it may be possible to use information gained during authentication to encrypt the subsequent traffic.
This requires care to ensure that only the intended user can decrypt the traffic, so is most suited to asymmetric key methods. If the server issues a public key as proof of its identity, then this key may be used to negotiate an encryption method for the subsequent session.
This may also be done in reverse if the server knows the user's public key. Since asymmetric key systems require large amounts of processing power to run the encryption/ decryption operations, they cannot be used directly to encrypt the whole session; the usual method is to choose a random symmetric key for the session and exchange this securely using the asymmetric keys.
Internet protocols are based on nesting different layers of information so there is a choice of layers at which to apply encryption. One approach is to encrypt at the Transport Layer, leaving un-encoded only the information required for to route packets to their destination.
The network simply transfers the packets between the two endpoints, which are the only machines capable of making any sense of the information.
The encryption occurs below the level where different services (WWW, E-mail, FTP, etc.) are distinguished and so can be used equally well by any of them.
There are several legal restrictions on the export and use of strong encryption technology, as many governments feel that since they cannot control or monitor such messages, they are a potential threat to national security.
Therefore, several governments have imposed limits on the strength of encryption that can be used and exported.
Fortunately, individuals in countries where there are no export or usage laws have reworked most strong encryption implementations, and it is perfectly legal to obtain and use these implementations anywhere in the world.
As public awareness about encryption technologies grows, there is mounting pressure on governments to lift these restrictions as they are often viewed to be in direct conflict with free speech and the basic premises of democracy.
The security of a computer network has three aspects: authentication, authorization and privacy. The emphasis laid on each of these aspects will depend on the type of network - for example, there may be no need for privacy in a closed local network, and authorization will be vital for a distributed network like a WAN.
Authentication
The main purpose of authentication is to verify the identity of the person using a service, though it can also be used to prove the identity of the service to the user.
The required level of proof will vary depending on the nature of the service, but will usually be based on one or more of the following:
Username and password
Smartcards or other tokens
Biometric inputs such as fingerprints, retinal scans etc.
Most security systems require what can be termed two-factor authentication - where at least two of the above methods are used to verify identity. Again, the choice of authentication method will depend largely on the value of the data or service. In most cases, for example, a password is more than sufficient for an email account, whereas secure banking transactions may require a smartcard or biometric authentication in addition to a password.
Any authentication method, which is transmitted across a public network may be recorded by any third party with access to the network. If this person can later use the recorded transaction as his own 'authentication,' then the method is of little value.
The main danger of such 'replay' attacks is that unlike in the case of loss of a physical token, the theft may go unnoticed by the rightful owner. To prevent replay attacks, the authentication information exchanged should be different for every transaction.
Authorization
Once a user has proved his identity, the next check will be whether that person is allowed to perform the transaction that he has requested. This authorization is normally done within the service machine by checking against a list of registered users and their access rights. In cases where the authorization information is maintained on a different server (this may belong to another business or institution), a secure protocol is needed for the service to query an authorization server at the institution.
In addition to the identity of the service, the request for authorization must necessarily include some details on the information requested by the user.
The most common approach is to have a server that combines the tasks of authentication and authorization, as this considerably simplifies the operation as well as improves on security.
Vulnerabilities
The desktop level OS issues
The operating system is the root of most security problems besetting desktop computers.
Almost all desktops run some flavor of MS Windows, and unfortunately we have to work within the software infrastructure that is already in place. It is impractical to expect users to move to a more 'secure' operating system.
Most problems with MS Windows stem from the fact that a lot of security compromises have had to be made to ensure backward compatibility.
The OS was designed with a single user environment in mind. Hence, vital issues such as authentication and access control have not been addressed in any depth by the native infrastructure. Basically, MS Windows was not designed to protect the integrity of the machine when connected to a large public network such as the Internet.
Hence, it is a trivial matter for an adversary to gain access to the machine once it is connected to the Internet, and having physical access to the machine makes the task even easier. Simple search terms yield an amazing number of sites that deal with 'hacking' windows.
For example, a simple 'Windows NT crack' search yielded more than 20,000 results when we last tried it. Randomly clicking on some of the links gave us some nifty tools, GUI and all to do everything from listing all the users on a particular machine to gaining administrator access to the system. And most of these tools are available as freeware to boot.
Patching and hardening the OS may seem like an answer, but keeping up with even the 'acknowledged' Microsoft patches is a full-time job.
Some control can be maintained with software like port monitors - passive tools that tell you which ports are being used by what software, and allow you to monitor the incoming and outgoing traffic on your computer.
Choosing secure software
An often encountered real world problem is that some applications are inherently less secure than others, even if they perform the same task. This is most often the case for end-user applications as they are selected for convenience or popularity rather than security.
Thus, the security of a desktop system can be significantly improved by a judicious selection of the end user applications to be used.
A simple way to deal with these issues is to choose relatively secure 'tested' software. Programs like Outlook Express and Eudora mail are full of vulnerabilities that even a novice can exploit to gain access to your desktop machine. It is a trivial matter, for example, for some-one to use Active X scripts embedded in a simple HTML email to gain command prompt access remotely, or send a BCC of every mail on your machine to any IP address.
And even the popular press is full of articles on how scores of viruses spread through Outlook Express address books.
The local network level
Safeguards / separating the local net from the Internet
Perhaps the most important part of network security is effective separation of the local network from the Internet.
Properly configuring the gateway, and allowing Internet access only to crucial services is vital. Time and again, we find that network administrators neglect these details, and this results in disaster. Some time ago, the Bhabha Atomic Research Centre's network was compromised because their mail server was not correctly configured, and this server was used by the hackers as the preliminary access point into the network.
Firewalls and access control
Firewalls offer a degree of control, and if configured properly, can be quite effective security tools that allow a good degree of control over what packets pass through the network.
The downside is usability - your firewall rules should not hamper the usability of the network - all services and applications that are needed by the users should be easily accessible to them.
Access control can be implemented by using the standard operating system controls, or by using third-party software, depending on specific network structure and requirements.
In this case as well, care should be taken to achieve a balance between usability and absolute security, and not finding the right balance is the biggest shortcoming of these measures.
There is no absolute way to know what configurations are correct for your network. It is usually a matter of experience and intuition (and this is probably why security consultants get such high pay packets)
Usability
It is very important to understand that ultimately the network is in place for the convenience of the users. Thus, it would be self-defeating to implement security that is so rigid that it hampers the ability to use the network.
End-users should be able to easily and readily access the services and applications they need, and should not as far as possible be either hampered or involved with the internal workings of the security implementation in place on the network.
Correctly assessing the real threat level that the network is exposed to and the importance of the information and data that the network carries is the cornerstone in deciding the correct security model that needs to be implemented. In the end, even the best networks make some compromise, both on usability and on security.
Privacy
As the Internet increases in popularity, it carries an increasing amount of private traffic. This may be personal information about a user or information of commercial value. When the messages contain sensitive information such as credit card details, purchased software or exam scores, their owners need to keep them secret.
Unfortunately, messages can be read off the network as easily as usernames and passwords. So the only solution is to encrypt them. If an authentication process occurs before a user gains access to a service, then it may be possible to use information gained during authentication to encrypt the subsequent traffic.
This requires care to ensure that only the intended user can decrypt the traffic, so is most suited to asymmetric key methods. If the server issues a public key as proof of its identity, then this key may be used to negotiate an encryption method for the subsequent session.
This may also be done in reverse if the server knows the user's public key. Since asymmetric key systems require large amounts of processing power to run the encryption/ decryption operations, they cannot be used directly to encrypt the whole session; the usual method is to choose a random symmetric key for the session and exchange this securely using the asymmetric keys.
Internet protocols are based on nesting different layers of information so there is a choice of layers at which to apply encryption. One approach is to encrypt at the Transport Layer, leaving un-encoded only the information required for to route packets to their destination.
The network simply transfers the packets between the two endpoints, which are the only machines capable of making any sense of the information.
The encryption occurs below the level where different services (WWW, E-mail, FTP, etc.) are distinguished and so can be used equally well by any of them.
There are several legal restrictions on the export and use of strong encryption technology, as many governments feel that since they cannot control or monitor such messages, they are a potential threat to national security.
Therefore, several governments have imposed limits on the strength of encryption that can be used and exported.
Fortunately, individuals in countries where there are no export or usage laws have reworked most strong encryption implementations, and it is perfectly legal to obtain and use these implementations anywhere in the world.
As public awareness about encryption technologies grows, there is mounting pressure on governments to lift these restrictions as they are often viewed to be in direct conflict with free speech and the basic premises of democracy.