Computer Fraud & Security Bulletin
August 1993
reported to permit the use of E-mail for even the most confidential or secret information. President and CEO of Datamedia, Roger E. Gower, said: "SECUREExchange T'" fills the security hole of electronic mail and enables E-mail users to receive a better return on their investment. They can distribute electronic forms, sensitive records, and EDI without any concern that unauthorized persons might receive or alter the information. This is the security breakthrough that E-mail users have been waiting for." Contact Frederick B. Gluck on +1 603 886 1570 or Kurt Stammberger on +1 415 595 8782.
CONTROLLING NETWORK SECURITY IN A MULTIVENDOR ENVIRONMENT Nick Swain
Networks are increasingly made up of equipment and computer systems from a number of different vendors. There is also a growing implementation of Open Standards in both computer systems and data communications equipment. This article examines the threats to security which this entails and then goes on to identify the security features within key data communications standards such as OSI, X.400 and Directory. The impact of the design of the overall network architecture on the security of the network, the specific security problems associated with the management of multivendor networks and some minimum controls as defences against them are then identified.
Multivendor network security

Networks have incorporated data communications equipment purchased from a number of different vendors for a number of years. Increasingly, they now also incorporate attached computer systems from several different suppliers. Corporate networks are now more complex with a number of sub-networks of different types being interconnected to form one overall network. In addition, more and more companies are turning to Open Systems solutions, where users restrict the purchase of computer systems to specific standards as an alternative to restricting the number of vendors. These trends create additional problems in the areas of security which are addressed below. The solutions to these problems are then discussed in the following sections in terms of the:

• security features in open standards;
• implications for network architectures;
• specific requirements for network management.
Threats to network security

Any computer network will have a number of vulnerable points, in terms of security, for which defence is required. Specific points in many networks are:

• where a switched public network is involved;
• within the attached computer systems;
• in the network management systems;
• in data exchange facilities between systems.
Switched public network risks

Wherever the network involves use of a public switched network, either the telephone network or one of the public data networks, then there is potential vulnerability. In contrast, where only dedicated circuits are used, there is clearly less risk from outsiders attempting to penetrate the network.
The public network widens the scope of the threat as all users of the same public network can potentially be considered a source of threat. The logical access controls are then the only mechanism which protects the private network from outside, unauthorized users. A user no longer has absolute control of data communications traffic once it is carried by the public network. On these grounds alone, many users may prefer to use private networks built out of separate, dedicated facilities. Many items of data communications equipment, especially the older models, have only simple security features built into them. These security features may be the only restriction over access to the management and control features within the data communications equipment. Once these defences are breached then it is difficult to protect the network from further attack.

Attached computer systems risks
Every computer system type attached to a network introduces additional complications in managing security and can potentially compromise it. Where all the computer systems are the same type, then security is much easier to control, because common solutions can be applied. In a multivendor network, different systems will often not have exactly the same security features, even though they may all offer equivalent levels of functionality. The overall security services will then be implemented using a combination of mechanisms and features supported by the different computer systems and data communications devices in use. While these may work satisfactorily, the greater complexity increases the chances of errors and loopholes in the design.

Network management system risks
There is also an increasing trend towards centralized network control and configuration using standard protocols. While this can be used to provide a better supported service at less cost, centralized management of remote devices and systems can also create security problems of their own. Remote management requires that users connecting to data communications switches across the network have access to powerful functions which are capable of being used to disrupt services and, more importantly, undermine other security features in the network. In the past, the fact that network management protocols were usually proprietary, and often unpublished, was itself a crude security defence. As management protocols are standardized, openly published and incorporate more powerful features, then they constitute a greater threat to network integrity.

Network security standards
When the OSI reference model was first defined in 1978, security considerations, along with network management and addressing issues, were left out. These were later included in separate addenda to the model. The purpose of the security addendum was to define a framework which laid down a coherent set of security services and specified each layer's responsibility for implementing them. This set down the scope of the security features to be defined in the individual layer standards such as X.400, FTAM and network protocols.

OSI security techniques
One of the central mechanisms specified in a number of OSI security standards, such as X.400, is the digital signature. This is not a digital representation of a person's signature, but a cryptographic technique which serves the same function in electronic messages as an actual signature on a paper document. In other words, it authenticates it by giving some measure of proof of the identity of the person who sent it. Digital signatures make use of a combination of one-way hashing of the message and public key encryption. They work by processing the content of a message with a one-way hash function, and then the hashed result is encrypted using the sender's secret key and appended to the message. The receiver of the message then decrypts the signature using the corresponding public key and hashes the message content. If both give the same result then the receiver knows that the message was sent by someone in possession of the secret key, and therefore presumably the legitimate sender. Furthermore, it also shows that the message is complete and has not been modified since it was 'signed'. Inclusion of timestamps and sequence numbers in the messages prevents old messages being 'replayed' and therefore adds further security.
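The hash-then-sign scheme just described, including the timestamp and sequence-number check against replay, as an added example written for this article rather than taken from it or from any OSI product. It uses Go's standard library: a SHA-256 digest signed with RSA PKCS#1 v1.5 stands in for the algorithms the article leaves unspecified, and the message layout, the sender name, the five-minute clock tolerance and the sample message bodies are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedMessage is a constructed message layout. The timestamp and sequence
// number are part of the bytes that get hashed and signed, so a forger cannot
// freshen an old message by editing them.
type SignedMessage struct {
	Sender    string
	Seq       uint64
	Timestamp int64 // Unix seconds
	Body      []byte
	Signature []byte
}

// canonical returns the exact bytes the signature covers.
func (m *SignedMessage) canonical() []byte {
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint64(hdr[:8], m.Seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(m.Timestamp))
	out := append([]byte(m.Sender+"\x00"), hdr...)
	return append(out, m.Body...)
}

// Sign hashes the message with SHA-256 and encrypts the digest with the sender's
// secret key (an RSA PKCS#1 v1.5 signature); the result travels with the message.
func Sign(priv *rsa.PrivateKey, m *SignedMessage) error {
	digest := sha256.Sum256(m.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	m.Signature = sig
	return nil
}

var (
	ErrBadSignature = errors.New("signature does not match message content")
	ErrStale        = errors.New("timestamp outside the acceptance window")
	ErrReplay       = errors.New("sequence number not newer than last accepted")
)

// Receiver holds the sender's public key and the highest sequence number it has
// accepted from each sender so far.
type Receiver struct {
	pub     *rsa.PublicKey
	lastSeq map[string]uint64
	maxSkew time.Duration
}

// Accept re-hashes the content, checks the signature against it with the public
// key, then applies the freshness rules. Sequence numbers start at 1.
func (r *Receiver) Accept(m *SignedMessage) error {
	digest := sha256.Sum256(m.canonical())
	if rsa.VerifyPKCS1v15(r.pub, crypto.SHA256, digest[:], m.Signature) != nil {
		return ErrBadSignature
	}
	if age := time.Since(time.Unix(m.Timestamp, 0)); age > r.maxSkew || age < -r.maxSkew {
		return ErrStale
	}
	if m.Seq <= r.lastSeq[m.Sender] {
		return ErrReplay
	}
	r.lastSeq[m.Sender] = m.Seq
	return nil
}

// Demo signs one message and returns the receiver's verdict on the genuine copy,
// a tampered copy, a replayed copy and a message signed with an hour-old timestamp.
func Demo() (genuine, tampered, replayed, stale error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	recv := &Receiver{pub: &priv.PublicKey, lastSeq: map[string]uint64{}, maxSkew: 5 * time.Minute}

	msg := &SignedMessage{Sender: "alice", Seq: 1, Timestamp: time.Now().Unix(), Body: []byte("pay 100 to account 42")}
	if err := Sign(priv, msg); err != nil {
		panic(err)
	}
	genuine = recv.Accept(msg)

	forged := *msg // same signature, altered body: the two hashes no longer agree
	forged.Body = []byte("pay 900 to account 42")
	tampered = recv.Accept(&forged)

	replayed = recv.Accept(msg) // valid signature, but sequence number 1 was already accepted

	old := &SignedMessage{Sender: "alice", Seq: 2, Timestamp: time.Now().Add(-time.Hour).Unix(), Body: []byte("pay 100 to account 42")}
	_ = Sign(priv, old)
	stale = recv.Accept(old)
	return
}

func main() {
	g, t, r, s := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| replayed:", r, "| stale:", s)
}
```

The receiver keeps state per sender because the signature alone proves only who produced the message, not when; the sequence number and the clock window are what turn "signed by the right key" into "signed by the right key for this delivery".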
Certification

For digital signatures to be effective there must also be some mechanism for guaranteeing to the receiver that he has the correct public key for the sending organization. This is provided by means of certificates issued by certification authorities. A certificate is a message giving the name of the user, his public key, the dates between which that public key is valid and the name of the certification authority. This is then signed, again with a digital signature, using the certification authority's key. A higher certification authority could be used to certify this key and in this way a chain of certificates can be set up between the certification authority which certifies the public key required and a certification authority whose public key is known to the receiver by some other, secure means.

The authentication framework

The directory standards define in outline the types of protocol sequences which are required in order to carry out authentication using digital signatures and associated certification techniques. These sequences are designed to enable either one or both ends to be assured of the identity of the other communicating party. Simple, one-way authentication assures the recipient of the sender's identity. Two-way authentication also assures the sender of the recipient's identity. The most sophisticated form of authentication uses a three-way handshake. Random numbers are contained in the original signed data which are then returned in the signed data sent in response. This ensures that the data has been actively signed by the other party and rules out the possibility of impersonation by simply 'replaying' a previous authentication sequence. The authentication sequence may also be used to exchange conventional encryption keys for later use in the communications session. Confidentiality of the keys is maintained by each end encrypting them with the public key of the recipient before transmission.

X.400 security

The X.400 security model fits into the OSI security framework and defines the theoretical threats to the Message Handling System, the security services which address those threats and the protocol elements within X.400 which provide the relevant mechanisms to counter each one. X.400 defines a Message Transfer Service (MTS) which routes messages between MHS systems and an Inter-Personal Messaging Service (IPMS) which describes the format of the message itself and its header. The X.400 security features are implemented at the MTS service level. For example, the authentication service provides protection against impersonation threats. Similarly, the integrity service provides protection against modification of the message during transit.
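The certificate chain described under Certification above (a certificate naming the user, the public key, its validity dates and the issuing authority, itself signed by a higher authority down to one the receiver already trusts), as an added example that is not part of the article. It uses the X.509 certificate format of the directory standards through Go's standard library. The organization names, the two-level hierarchy and the "unknown CA" counter-example are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates an RSA key pair for one party in the hierarchy.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// issue builds a certificate binding name to pub, signed with issuerKey.
// When issuer is nil the certificate is self-signed: a root certification
// authority whose key the receiver must learn by some other, secure means.
func issue(serial int64, name string, pub *rsa.PublicKey, isCA bool,
	issuer *x509.Certificate, issuerKey *rsa.PrivateKey) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),      // validity dates, as the
		NotAfter:              now.Add(24 * time.Hour), // article describes
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyChain returns nil only if leaf chains, through the intermediates, to the
// trusted root, with every signature valid and every certificate within its dates.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// IsUnknownAuthority reports whether verification failed because no trusted
// authority vouches for the chain.
func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// Demo builds root CA -> departmental CA -> user, plus a second root nobody
// trusts, and checks a genuine user certificate and one issued by the stranger.
func Demo() (genuine, fromUnknownCA error) {
	rootKey, deptKey, userKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	root := issue(1, "Example Corp Root CA", &rootKey.PublicKey, true, nil, rootKey)
	dept := issue(2, "Example Corp Finance CA", &deptKey.PublicKey, true, root, rootKey)
	user := issue(3, "alice@finance.example", &userKey.PublicKey, false, dept, deptKey)

	rogue := issue(1, "Unknown CA", &rogueKey.PublicKey, true, nil, rogueKey)
	impostor := issue(4, "alice@finance.example", &userKey.PublicKey, false, rogue, rogueKey)

	genuine = VerifyChain(user, []*x509.Certificate{dept}, root)
	fromUnknownCA = VerifyChain(impostor, []*x509.Certificate{dept}, root)
	return
}

func main() {
	genuine, unknown := Demo()
	fmt.Println("genuine user certificate:", genuine)
	fmt.Println("certificate from unknown CA:", unknown)
}
```

The receiver holds only the root's public key; the departmental certificate travels with the user's, and the chain is accepted only when every link back to that root checks out. The impostor certificate carries the same user name and a perfectly valid signature, which is exactly why the name alone proves nothing: what matters is who signed it.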
The basic security mechanisms described above are exploited by the MTS protocol to provide X.400 security services. This protocol is used to set up connections between adjacent components (i.e. UA to MTA, MTA to MS etc.), to submit messages for transmission and deliver them. Setting up the logical connection between a user of the MTS and the MTS provider involves a protocol function known as an MTS-BIND. This can carry two sets of security arguments. The first establishes the sender's credentials. This may be a simple password, defined in X.400 as 'simple authentication', or involve an authentication sequence with digital signatures and certificates, which is referred to as 'strong authentication'. The second set of arguments defines the 'security context'. This sets rules for the subsequent transmission of messages.

Secure network architectures

The international standards concentrate largely on security techniques and mechanisms which, when implemented in the relevant protocols, provide low level security services. They are therefore relevant to product designers, who have to implement mechanisms. The overall level of security delivered to users of the network is dependent on the total network design, and the security procedures which are enforced in operating, using and administering the network. Designing a secure network involves more than just ensuring that all equipment items conform to specific standards, as in themselves, these will, at the most, only ensure that the products implement specific features. The network designer must also consider the architecture of the network from a security point of view. Case studies have shown that simplicity is a key factor in network security. Implementing different functions on totally separate networks, using different computer systems and limiting the number and type of interconnections between them can provide highly secure networks. However, security is not the only factor governing the design of networks. Most users now want increased flexibility, high resilience, centralized management, universal access and the ability to interconnect a wide range of information systems. These requirements mean that there is a limit to how far physical separation can be used as a means of providing security. A balance, therefore, has to be made between security and full flexibility. In practice, some separation of functions onto different systems is often both possible and desirable. For example, program development can and should be kept separate from production systems. Similarly, systems which customers can access can be kept separate from internal systems.
It is usually possible to strictly limit either the range of functions allowed, or the range of interconnections and access points.
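Returning to the three-way handshake of the authentication framework, the sequence that the 'strong authentication' option of MTS-BIND relies on: an added example, not from the article or any X.400 implementation, of the random-number exchange and of why it defeats a replayed authentication sequence. The token layout, party names and the RSA-over-SHA-256 signature are assumptions; the directory standard's own ASN.1 encoding is not reproduced. Obtaining the peer's public key by certificate is taken as already done.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is one signed message of the handshake (constructed layout).
type Token struct {
	From, To  string
	Nonce     []byte // fresh random number chosen by the sender (absent in the third token)
	Echo      []byte // the peer's random number returned to it (absent in the first token)
	Signature []byte
}

func (t *Token) signedBytes() []byte {
	b := []byte(t.From + ">" + t.To + "|")
	b = append(b, t.Nonce...)
	b = append(b, '|')
	return append(b, t.Echo...)
}

func sign(priv *rsa.PrivateKey, t *Token) *Token {
	d := sha256.Sum256(t.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		panic(err)
	}
	t.Signature = sig
	return t
}

func verify(pub *rsa.PublicKey, t *Token) bool {
	d := sha256.Sum256(t.signedBytes())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], t.Signature) == nil
}

func nonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Party is one end: its own key pair, the peer's public key, and the random
// number it chose for the current session.
type Party struct {
	Name    string
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
	myNonce []byte
}

var ErrAuth = errors.New("authentication failed")

// Start (A): send rA under A's signature.
func (p *Party) Start(peer string) *Token {
	p.myNonce = nonce()
	return sign(p.priv, &Token{From: p.Name, To: peer, Nonce: p.myNonce})
}

// Respond (B): check A's signature (the one-way step), then send rB and echo rA.
func (p *Party) Respond(t1 *Token) (*Token, error) {
	if t1.To != p.Name || !verify(p.peerPub, t1) {
		return nil, ErrAuth
	}
	p.myNonce = nonce()
	return sign(p.priv, &Token{From: p.Name, To: t1.From, Nonce: p.myNonce, Echo: t1.Nonce}), nil
}

// Finish (A): B's echo of rA proves B signed during this session; echo rB back.
func (p *Party) Finish(t2 *Token) (*Token, error) {
	if t2.To != p.Name || !verify(p.peerPub, t2) || !bytes.Equal(t2.Echo, p.myNonce) {
		return nil, ErrAuth
	}
	return sign(p.priv, &Token{From: p.Name, To: t2.From, Echo: t2.Nonce}), nil
}

// Confirm (B): A's echo of rB gives B the same assurance about A.
func (p *Party) Confirm(t3 *Token) error {
	if t3.To != p.Name || !verify(p.peerPub, t3) || !bytes.Equal(t3.Echo, p.myNonce) {
		return ErrAuth
	}
	return nil
}

// Demo runs an honest session, then feeds its recorded tokens to B again.
func Demo() (honest, replayed error) {
	kA, _ := rsa.GenerateKey(rand.Reader, 2048)
	kB, _ := rsa.GenerateKey(rand.Reader, 2048)
	a := &Party{Name: "A", priv: kA, peerPub: &kB.PublicKey}
	b := &Party{Name: "B", priv: kB, peerPub: &kA.PublicKey}

	t1 := a.Start("B")
	t2, err := b.Respond(t1)
	if err != nil {
		return err, nil
	}
	t3, err := a.Finish(t2)
	if err != nil {
		return err, nil
	}
	honest = b.Confirm(t3)

	// The recorded first token still verifies, which is all a one-way check sees;
	// but B's new random number is not in the recorded third token.
	if _, err := b.Respond(t1); err != nil {
		return honest, err
	}
	replayed = b.Confirm(t3)
	return honest, replayed
}

func main() {
	honest, replayed := Demo()
	fmt.Println("honest session:", honest, "| recorded tokens reused:", replayed)
}
```

The point the example makes concrete: a signature proves possession of a key, but only the echoed random number proves that the key was used now, for this connection, rather than at some earlier time that an eavesdropper could have recorded.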
Separate roles for networks and hosts
Both the data communications network switches and the computer systems themselves can contribute towards the overall security of the network. The range of security features in both component types means that the network designer has a degree of choice over which functions are performed by each one. Once again, complexity increases the risk of error. It is important, therefore, that there is the same split of security functions between the two components over the whole network. One split of function which has proved to be effective in practice is for the network to be responsible for identifying the user and passing that identity onto the attached computer. The host computer is then responsible for checking the access rights to which that user is entitled. In addition the network also applies additional controls to traffic travelling to and from external networks.

Secure network management

Significant advances have been made over the last few years in the tools and systems available for managing networks, particularly where they are made up of components from different vendors. Network management is a large topic in its own right. In this paper, only the security aspects will be considered. Remote control and management across a network places the remote user, in this case the network operator, in a very privileged position. The operator will often have access to a wide range of control functions which can be used to disable or reconfigure network components. The remote operator may have the capability to disable other security mechanisms or invoke features which may have very complex, or even undefined effects. The use of standardized network management protocols and network management data formats means that an unauthorized user could easily find out how to make changes to the network using the network management features if he could get around the logical access controls which protect them. The open network management protocol, SNMP (Simple Network Management Protocol), has until now been very weak in this area. For this reason, use of SNMP is often restricted just to monitoring, although the protocol defines procedures for actively controlling and reconfiguring devices. An amended version of SNMP which addresses these security limitations was proposed in 1991. However, many devices which implemented SNMP may not be able to be upgraded with the security features because of the code and processing overheads involved. For many of the devices currently in use in networks, good access control for network management protocols involves a combination of good password discipline, logging of network management accesses, deactivation of management ports on devices and physical security.
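Two of the controls the article lists for devices that cannot be upgraded, restricting SNMP to monitoring and logging network management accesses, only help if somebody reads the logs. As an added example, not from the article or any vendor, here is a small audit that reads a device's management log and reports SNMP writes on a monitoring-only device and any management access from outside the operator's network. The log line format, the device and host addresses and the management network 10.0.0.0/24 are all constructed for the example; a real device's syslog layout will differ and the regular expressions would need adjusting to it.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// sampleLog is a constructed excerpt of a switch's management log. The layout
// is invented for this example.
const sampleLog = `Aug 12 09:14:02 sw-core-1 snmpd: GET from 10.0.0.5 community=monitor oid=1.3.6.1.2.1.1.3.0
Aug 12 09:14:30 sw-core-1 snmpd: SET from 192.0.2.77 community=private oid=1.3.6.1.2.1.2.2.1.7.3 value=2
Aug 12 09:15:01 sw-core-1 login: user admin from 10.0.0.5 port=vty0
Aug 12 09:16:12 sw-core-1 snmpd: SET from 10.0.0.5 community=private oid=1.3.6.1.2.1.1.4.0 value=noc
Aug 12 09:17:45 sw-core-1 snmpd: GET from 198.51.100.9 community=public oid=1.3.6.1.2.1.1.1.0
Aug 12 09:18:20 sw-core-1 login: user admin from 192.0.2.77 port=vty1`

// Policy states what the operator has decided for this device.
type Policy struct {
	ManagementNets []*net.IPNet // addresses from which management access is expected
	SNMPReadOnly   bool         // SNMP is for monitoring only: every SET is a finding
}

type Finding struct {
	Line   string
	Reason string
}

var (
	snmpRe  = regexp.MustCompile(`snmpd: (GET|SET) from (\S+) community=(\S+)`)
	loginRe = regexp.MustCompile(`login: user (\S+) from (\S+)`)
)

func (p Policy) fromManagement(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, n := range p.ManagementNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Audit applies the policy to each log line and returns the lines needing attention.
func Audit(p Policy, text string) []Finding {
	var out []Finding
	for _, line := range strings.Split(text, "\n") {
		if m := snmpRe.FindStringSubmatch(line); m != nil {
			op, src := m[1], m[2]
			switch {
			case op == "SET" && p.SNMPReadOnly:
				out = append(out, Finding{line, "SNMP SET on a device restricted to monitoring"})
			case !p.fromManagement(src):
				out = append(out, Finding{line, "SNMP access from outside the management network"})
			}
		} else if m := loginRe.FindStringSubmatch(line); m != nil {
			if !p.fromManagement(m[2]) {
				out = append(out, Finding{line, "management login from outside the management network"})
			}
		}
	}
	return out
}

// DefaultPolicy models the article's advice for an older device: management
// only from the operator's network, SNMP limited to reads.
func DefaultPolicy() Policy {
	_, mgmt, err := net.ParseCIDR("10.0.0.0/24")
	if err != nil {
		panic(err)
	}
	return Policy{ManagementNets: []*net.IPNet{mgmt}, SNMPReadOnly: true}
}

func main() {
	for _, f := range Audit(DefaultPolicy(), sampleLog) {
		fmt.Printf("%s\n    %s\n", f.Reason, f.Line)
	}
}
```

With the default policy the sample yields four findings: both SETs (one from outside, one from the management station itself, which still breaks the monitoring-only rule), the read from 198.51.100.9 using a community string that was evidently not kept private, and the login from 192.0.2.77. Relaxing SNMPReadOnly lets the operator's own SET through and leaves three.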
Secure physical access

Another aspect of network management is the need to control physical access to the remote network components. This has implications for the way that maintenance is carried out and controlled. Remote management implies that equipment may be left unattended on user sites for most of its life. In many networks, months or even years can go by without anybody from the central network management function visiting a site. Maintenance of hardware may be sub-contracted out to separate organizations who are not responsible for the overall network. Where a large number of different maintenance companies are used, which can easily happen on a site where there is equipment from a number of different vendors, then site staff can easily get used to strangers requiring access to the equipment rooms. In these circumstances, standards at remote sites can slip, and security can then be compromised.

Conclusions

In the data communications world, standards are often defined at a theoretical level, incorporating the latest technologies. Only later are these standards implemented in products which appear on the market. Network designers then incorporate these products into their network infrastructures. Finally, management define operational and administrative procedures to complement them and deliver secure network services. Security is provided by a combination of products incorporating security features, network design, and procedures. Where the network incorporates products from a number of different vendors, particular emphasis must be paid to the architecture design. In conclusion, the key priorities for network managers controlling security in multivendor networks, are to:

• be aware of the security mechanisms defined in standards;
• assess the implementation of security standards in the products they procure;
• adopt network architectures which are simple and consistent in applying security mechanisms;
• ensure that the implementation of network management facilities does not compromise security.
SYSTEM DATA OWNERSHIP IN IBM MVS SYSTEMS L.G. Lawrence

Introduction
In an IBM MVS environment what is known as a file in many other systems is called a