Network Security, September 1994

Most commonly used server-based anti-virus packages are virus-specific scanners. The scanning process can be performed either overnight, minimizing the network workload, or as a continuous low-priority task. Server-based virus checking also ensures that the process is not subverted by the presence of stealth viruses, as they are unable to run on the server. Were the server to be checked from an infected workstation with the stealth virus memory-resident, the process would be ineffective. Furthermore, in the case of viruses such as 4K, if the server is scanned from an infected workstation, any files on the server with write access rights would be infected during the checking process as well as reported as clean!

Client-server virus detection

As the number of viruses continues to grow and anti-virus software becomes increasingly more memory and processor intensive, it makes sense to perform virus scanning on the server rather than the DOS workstation.

In addition to providing virus detection on the server, the same server process can be used to virus-check the workstations. Each client maintains a list of authorized programs for that workstation. Any attempt to access an unknown program causes the client to request authorization from the server. Authorization is given only after the server has verified that the program is clean. Once a program has been authorized it can be used without further checking, unless it is modified. It is inevitable that scanners will become more complex and bigger as the number of viruses grows. File servers do not suffer from the memory restrictions that plague DOS PCs, and placing the scanner on the server future-proofs one's anti-virus strategy. Client/server technology on some scanners enables the workstation client to remain fixed in size, regardless of the complexity of the server-based scanner. The scanner client does not change as new viruses appear, avoiding the need to install constantly changing memory-resident software on
workstations, which can result in unreliable systems.

Conclusions

Most networks are a suitable medium for rapid virus transmission. The dangers of virus infection can be minimized by careful application of write/create privileges to user areas, as well as by using anti-virus software. Server-based anti-virus software is more powerful and more secure than DOS-based software. Scanner client-server virus detection enables the server scanner to check workstations.

Dr. Jan Hruska is the technical director of Sophos Plc. A graduate of Downing College, Cambridge, he gained his doctorate at Magdalen College, Oxford. He regularly speaks at computer security conferences and consults on a number of security aspects, including virus outbreaks. This article accompanies a talk given by Jan at the 11th Computer Security Audit and Control Conference, at the Queen Elizabeth II Conference Centre, London, UK.

©1994 Elsevier Science Ltd

Use of Network Design to Reduce Security Risks

Lesley Hansen, Cabletron Systems Ltd

Before considering the security possibilities available to the network designer, it is important to recognise that end-to-end security is not possible when a network is considered in isolation from the entire computer system and network solution. By this I mean the levels and areas of security understood by those who work in the area of security application. The NIST Security Architecture covers confidentiality, integrity, accountability and availability of data. Security services as defined by the OSI cover the following areas:

• Data origin authentication
• Access control
• Confidentiality
• Selective field confidentiality
• Integrity
• Selective field integrity
• Non-repudiation of origin
• Non-repudiation of delivery

Most of these areas are outside the scope covered by the data network. This is because the network is not the total system, but the transport infrastructure connecting the system. In OSI terms a network includes the functionality provided by the first three to four layers of the OSI model. As the majority of areas defined by the OSI as covering security functionality are provided by layers five and above of the OSI model, the areas of security that network equipment manufacturers can address are limited to:
• Access control - prevention of unauthorized devices attaching to the network.
• Data integrity - ensuring the data is delivered uncorrupted.
• Origin authentication - ensuring the data is delivered from and received by the authorized devices.

Further still, networks today are connectionless, which means that each item of data is individually addressed and passed over the network. In this type of distributed connectionless environment it is impossible to create an end-to-end solution. This situation is changing with the introduction of connection-orientated networks as provided by ATM or SecureFast Packet Switching (SFPS), as is discussed later in this article.

Security methods

There are a number of different access methods that require control when securing a network. The more common methods include securing the perimeter of the organization's facility or data centre, wiring closets that house the networking equipment, and network access by end users. In addition, several types of hardware and software solutions are available to protect access to data on the network, including secure repeaters, bridges and routers, network management, data compression and data encryption.

This article deals with the use of secure repeaters, bridges, routers and network management in system design to improve security.

Security in a shared access connectionless network

Segmenting for security reasons can be provided by strategic positioning of bridges and/or routers. Partitioning the network with bridges and routers provides network security by limiting and controlling the flow of traffic in the network. Bridges can provide security by using MAC address filters to keep local traffic isolated to the local network segment. For example, all of Cabletron's 1960 RISC-based bridging products support a Special Filtering Database (SFD). The SFD can isolate traffic based on source address, destination address, type field, or even all the way up to the application layer using a flexible 64 byte sliding window. Positioning of bridges in the network so that individuals or workgroups are contained, and data is not passed to segments which do not have the destination device attached, reduces the opportunity for casual connection to a network and unauthorized reading of data. Many bridges today allow all network device addresses to be individually entered in the bridge tables so that the location of devices and the passing of data between segments can be clearly defined. A limitation of bridge filtering is that when a new destination address is seen by the bridge and it does not know the location of the device address, the bridge passes on the packets to all segments.

[Figure: Secure Port Locking; Monitoring NMS]

The full extent of security available by careful positioning of bridges in a network can be seen in a switched solution. In a switched solution each port is short wired to a central hub with a switching capability and all interconnections are established by means of the switch. In this design each port, representing either a user or a network segment, is secure to all outside segments and data is only exchanged between sending and receiving ports. An entirely switched network design will greatly increase security.

Routers offer more sophisticated security and administrative control because they implement security at OSI Layer 3, the Network Layer. Routers can be configured to support Access Lists and Administrative Filters concurrently to build a network 'Fire Wall' of protection from unauthorized users. Routers locate sub-networks and will only pass data between authorized subnets. One overhead for this security is that the router 'masks' have to be entered into each router. Another overhead is the increased latency whilst the access lists are checked for each packet passing across the router. Bi-directional filters have become available for the first time in the industry on the Cabletron Routing Services this year to improve security through controlled access.

Designing the network using secure repeaters

Many organizations today are only installing switching, bridging or routing as a strategic security device. They cannot afford the increased cost per port of an entirely switched solution compared with a shared access solution, or are not prepared to accommodate changes such as installation of a star wired cabling infrastructure. These organizations may still be seeking to install security controls to provide risk reduction within their shared access LANs. There are various levels of functionality that can be provided as inherent in network hub products which provide a reduction in the security risks in connectionless networks, even while still unable to provide end-to-end security.
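The bridge behaviour discussed above (address learning, local traffic kept local, flooding of unknown destinations, and a filtering database matching on addresses, type field or a pattern inside a 64-byte window) as an added example; this is not Cabletron's code, and the frame layout, the rule that every set criterion of a filter entry must hold, and the reading of the sliding window as "pattern anywhere in the first 64 bytes" are assumptions made here.

```python
# Added example (not Cabletron's code): a learning bridge with a filtering database
# modelled on the article's description. Entries match on source address,
# destination address, type field, or a byte pattern falling within the first
# 64 bytes of the frame. Frame layout and window semantics are assumptions.
from dataclasses import dataclass, field
from typing import Optional

WINDOW = 64   # a sliding-window pattern must lie within the first 64 bytes (assumed)

@dataclass
class Frame:
    dst: bytes
    src: bytes
    etype: int
    payload: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "Frame":
        if len(raw) < 14:
            raise ValueError("runt frame")
        return cls(raw[0:6], raw[6:12], int.from_bytes(raw[12:14], "big"), raw[14:])

@dataclass
class Filter:
    """One filtering-database entry; every criterion that is set must hold."""
    src: Optional[bytes] = None
    dst: Optional[bytes] = None
    etype: Optional[int] = None
    pattern: Optional[bytes] = None

    def matches(self, raw: bytes, f: Frame) -> bool:
        return all([self.src is None or f.src == self.src,
                    self.dst is None or f.dst == self.dst,
                    self.etype is None or f.etype == self.etype,
                    self.pattern is None or self.pattern in raw[:WINDOW]])

@dataclass
class Bridge:
    segments: tuple
    filters: list = field(default_factory=list)
    table: dict = field(default_factory=dict)    # MAC address -> segment it was seen on

    def receive(self, raw: bytes, in_seg: str) -> list:
        """Return the segments the frame is forwarded onto (empty = dropped)."""
        f = Frame.parse(raw)
        self.table[f.src] = in_seg                     # learn where the sender lives
        if any(flt.matches(raw, f) for flt in self.filters):
            return []                                  # blocked by the filtering database
        located = self.table.get(f.dst)
        if located == in_seg:
            return []                                  # local traffic stays local
        if located is None:   # the limitation the article notes: unknown dst floods
            return [s for s in self.segments if s != in_seg]
        return [located]

def frame(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + etype.to_bytes(2, "big") + payload

A, B, C = (bytes.fromhex("02000000000" + x) for x in "123")   # constructed MACs
IP = 0x0800

def demo() -> dict:
    # drop IP frames carrying the marker PAYROLL inside the 64-byte window
    br = Bridge(("engineering", "finance", "dmz"), filters=[Filter(etype=IP, pattern=b"PAYROLL")])
    r = {}
    r["unknown_flooded"] = br.receive(frame(B, A, IP, b"hello"), "engineering")
    r["reply_to_known"] = br.receive(frame(A, B, IP, b"hi"), "finance")
    r["now_known"] = br.receive(frame(B, A, IP, b"again"), "engineering")
    br.receive(frame(A, C, IP, b"x"), "engineering")      # C is learned on engineering
    r["local_stays"] = br.receive(frame(C, A, IP, b"local"), "engineering")
    r["filtered"] = br.receive(frame(B, A, IP, b"PAYROLL report"), "engineering")
    r["beyond_window"] = br.receive(frame(B, A, IP, b"x" * 60 + b"PAYROLL"), "engineering")
    return r
```

The first frame to B is flooded onto every other segment because the bridge has not yet seen B transmit; the last frame carries the marker past the 64-byte window and so is forwarded, which is why the article stresses how far up the frame the window reaches.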
With the advancements in silicon chip technologies, manufacturers are able to deliver state-of-the-art implementations of fault tolerant, secure Ethernet repeater systems without impacting the performance of the network. The RIC II Secure Repeater architecture supports both inbound data 'Intruder Prevention' and outbound data 'Eavesdrop Prevention'.

'Intruder Prevention'

Hub architectures can provide security delivered through source address detection and port locking in real-time. The source field of every packet into a port is analyzed and stored in an array of MAC addresses by port. This array is updated when new addresses are detected. Devices which do not transmit a frame within the user configured ageing time are removed from the array in order to maintain an accurate configuration of the live network. Using a management console, the network administrator queries the hub to display to which port a device is connected. The Network Management Station operator enters the MAC address of the device to be located. On the graphic depicting the hub being queried, the port associated with the entered MAC address begins to flash on the screen. The management station user may then take any corrective action in diagnosing or controlling the network. An SNMP trap may be enabled on the hubs to allow the Network Management System to be notified when a new address is learned on any port in the hub.

The port locking feature allows the network administrator to prevent any users not stored in the authorized station table from gaining access to the secured hub. When enabled, the hub stores the MAC address to port table to nonvolatile random access memory (NVRAM). The ageing timer no longer removes MAC addresses from the table and the list becomes static. Now, only devices with MAC source addresses stored to NVRAM are allowed to transmit onto the network. Since the introduction of hub management modules in 1990, Cabletron Systems has offered its customers MAC address detection and port locking by utilizing Application Specific Integrated Circuit (ASIC) technology. A similar function was implemented in Cabletron's Token Ring product line in 1993. However, rather than being based on a MAC address to port matching table, it is based on an authorized user MAC address list which applies to the entire ring, not just a particular hub. This approach allows for 'Intruder Prevention' whether the potential intruder is attempting to gain access through a Cabletron device, a third party device, or merely a passive MAU. Rather than disabling a port when an unauthorized user is detected, the Cabletron Token Ring secure products issue an IEEE 802.5 standard Remove MAC Frame to the offending adapter, thus forcing it to disconnect from the ring. Multiple attempts at re-inserting onto the ring are met with the same result.

[Figure: a clear, unscrambled frame (DA, SA, Type 0800, Data, CRC) beside the scrambled frame, whose data field is replaced by a fixed 1 & 0 pattern and whose CRC therefore fails]

'Eavesdrop Prevention'

Risk of unauthorized access to outbound data can be removed by allowing devices to see a packet as valid data only if the packet is intended for them. When data is sent over the network, the hub compares the port's MAC address(es) with the destination address (DA) of any outbound packet. Risk of unauthorized access can be reduced by installing a network hub system with a facility that means that if the addresses do not match, the hub replaces the data field of the packet with scrambled, meaningless information. Because this information carries no resemblance to the original data it is impossible to reconstruct the original data content. If the addresses match, the hub would send the packet through with the data field intact as usual. Many vendors refer to this technology as 'Eavesdrop Prevention', which renders hardware or software protocol analyzers ineffective when trying to attack an organization's secure information resources. Cabletron Systems implement this scrambling technology, called LANViewSecure, which offers a hardware/software solution that provides a cost effective method for network administrators to implement secure hub-based Ethernet networks without affecting network performance. Today's intelligent Repeater Interface Controller (RIC II), manufactured by National Semiconductors, has the intelligence to learn up to two MAC addresses per port on the fly, allowing automatic configuration of the secure network. Each RIC II has the ability to cache 58 addresses - two per port and 32 floating. The cache of 32 is configurable from the SNMP agent of the device managing the chassis or hub to allow network administrators to add or delete authorized user network addresses. The technology can also be applied to scramble Multicast and Broadcast address Packets. With the security feature enabled, the RIC II immediately begins scrambling the data portion of the Ethernet packets repeated out to all ports, except the port containing the actual destination device. Repeating scrambled frames to all non-destination ports ensures the integrity of the CSMA/CD system which is the basic foundation of an Ethernet network.
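Port locking and eavesdrop prevention as described above, modelled as an added example (this is not Cabletron's or National Semiconductor's code). It assumes a frame layout of DA, SA, type, data and a CRC-32 frame check sequence, an ageing time, a two-address limit per port beyond which a new source is refused with a trap, and a fixed 0xAA fill pattern; in line with what the article goes on to note, the hub keeps the original check sequence, so non-destination ports receive a CRC error, and scrambling is turned off on bridge and trunk ports.

```python
# Added example (not Cabletron's or National Semiconductor's code) modelling the
# secure repeater: source learning with ageing, port locking, and outbound data
# scrambling that keeps the FCS. Frame layout, timers, limits and fill pattern assumed.
import zlib
from dataclasses import dataclass, field
BCAST = b"\xff" * 6

def fcs(body: bytes) -> bytes:
    """Frame check sequence as a receiving adapter computes it (CRC-32)."""
    return zlib.crc32(body).to_bytes(4, "little")

def build(dst: bytes, src: bytes, data: bytes) -> bytes:
    hdr = dst + src + (0x0800).to_bytes(2, "big")       # type 0800, as in the figure
    return hdr + data + fcs(hdr + data)

def crc_ok(frame: bytes) -> bool:
    return fcs(frame[:-4]) == frame[-4:]

@dataclass
class Port:
    macs: dict = field(default_factory=dict)   # source MAC -> time last seen
    scramble: bool = True    # must be off on bridge/router and trunk ports
    locked: bool = False     # locked: table is static (NVRAM), unknown sources refused

@dataclass
class SecureRepeater:
    ports: dict
    ageing: float = 300.0    # seconds a silent device stays in the table
    max_per_port: int = 2    # RIC II learns up to two addresses per port
    traps: list = field(default_factory=list)

    def _learn(self, n: int, src: bytes, now: float) -> bool:
        """Intruder Prevention: accept the source on port n, or refuse it with a trap."""
        p = self.ports[n]
        if src in p.macs:
            p.macs[src] = now
            return True
        if p.locked or len(p.macs) >= self.max_per_port:
            self.traps.append(f"port {n}: unauthorized source {src.hex()} refused")
            return False
        p.macs[src] = now
        self.traps.append(f"port {n}: learned {src.hex()}")
        return True

    def repeat(self, in_port: int, frame: bytes, now: float) -> dict:
        """Return what each other port actually sees; {} if the frame was refused."""
        for p in self.ports.values():          # age out silent devices, unless locked
            if not p.locked:
                p.macs = {m: t for m, t in p.macs.items() if now - t <= self.ageing}
        dst, src = frame[0:6], frame[6:12]
        if not self._learn(in_port, src, now):
            return {}
        out = {}
        for n, p in self.ports.items():
            if n == in_port:
                continue
            if dst == BCAST or dst in p.macs or not p.scramble:
                out[n] = frame                          # intended recipient, data intact
            else:   # Eavesdrop Prevention: fixed pattern replaces the data, FCS kept
                out[n] = frame[:14] + b"\xaa" * (len(frame) - 18) + frame[-4:]
        return out

def demo() -> dict:
    A, B, C = (bytes.fromhex("02000000000" + x) for x in "abc")    # constructed MACs
    hub = SecureRepeater({1: Port(), 2: Port(), 3: Port(), 4: Port(scramble=False)})
    hub.repeat(1, build(BCAST, A, b"hello"), now=0.0)      # A learned on port 1
    hub.repeat(2, build(BCAST, B, b"hello"), now=0.0)      # B learned on port 2
    seen = hub.repeat(1, build(B, A, b"payroll"), now=1.0)
    hub.ports[1].locked = True                             # port locking enabled
    refused = hub.repeat(1, build(B, C, b"spoof"), now=2.0)
    aged = hub.repeat(1, build(B, A, b"late"), now=400.0)  # B silent longer than ageing
    return {"dest_intact": crc_ok(seen[2]) and seen[2][14:-4] == b"payroll",
            "other_scrambled": not crc_ok(seen[3]) and seen[3][14:-4] == b"\xaa" * 7,
            "trunk_intact": crc_ok(seen[4]), "intruder_refused": refused == {},
            "aged_scrambled": not crc_ok(aged[2]), "traps": hub.traps}
```

The last step shows the side effect of the ageing timer on an unlocked port: once B has been silent longer than the ageing time, frames addressed to it are scrambled on its own port until it transmits again.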
When the RIC II detects a second MAC address on a port, it can automatically secure the port if so configured, or merely send a trap to the SNMP Network Management Station alerting the operator to the condition. This design allows multiple addresses per port while still providing data scrambling security. By default, the RIC II initializes in 'auto-learn' mode, detecting addresses on a port by port basis and building a source address table much like a bridge does. The RIC II will learn which addresses reside on which ports of those ports directly attached to it. This table is then used to make scrambling decisions based on the destination MAC address of the intended recipient. When data is scrambled to all ports (except the intended recipient), a CRC error is created on all scrambled ports because the RIC II does not recalculate the Cyclical Redundancy Check (CRC). The impact is small because if a user is not the intended destination, they do not need the packet anyway and it will be discarded as an errored frame. The statistics tables within the hub will not show a CRC error because the packet is only scrambled when transmitted. After the configuration of the network has been learned by the RIC II, the network administrator may alter the network address tables remotely through an SNMP Management Station. The ability to remotely configure the security features of the RIC II gives the network administrator a higher degree of control for securing the network. RIC II chips on the same Ethernet segment within a Multi-Channel Ethernet design will be able to have board-to-board communications. The secure repeater feature provided by the RIC II must be able to be enabled or disabled on a per port basis. If a port on a RIC II is connected to a bridge, it will be necessary to disable the scrambling because the bridge or router will discard each packet as a CRC error when in actuality the destination address is on the 'remote' segment on the other side of the bridge. One must also disable the scrambling on ports that act as trunk links between hubs, as these links have the potential to exceed the MAC address cache limit of 58 on the RIC II. One can therefore conclude that repeater scrambling is best implemented within a single hub, for if the network expands beyond a single hub the security feature must be disabled on links to other hubs. The scrambling feature is unable to cross multiple segments as the feature must be disabled on the ports through which the bridges or routers connect the multiple segments to each other. Secure repeaters address a part of an organization's complete network security solution.

Security in a connection-orientated network

Over the last year asynchronous transfer mode (ATM) has been receiving increasing press attention and even the most unaware network managers have heard of this 'new' technology that is being greeted as a solution to all network problems. Interestingly, the press interest in ATM has focused most heavily on the use of a connection-orientated network
to provide increased performance and higher network bandwidth. They have largely overlooked the advantages in network security and accountability provided by a connection-orientated solution. SFPS is new technology being introduced by Cabletron that offers many benefits for information transport. SFPS provides scalable, dedicated bandwidth for end users much like ATM. SFPS also allows networks to maintain their existing Ethernet, Token Ring, and FDDI workstation interfaces, bridges and routers. Essentially, the SFPS technology allows users to experience most of the benefits of ATM networking, such as security and accountability and the lower latency provided by a connection-orientated solution. The benefits are provided while maintaining their existing packet-based networks, and avoiding the significant investment associated with migrating to a pure ATM environment. SFPS and ATM share many attractive security benefits discussed in earlier sections of this article, all combined into a single solution. SFPS and ATM are connection-orientated packet and cell switching. Bridging and Routing are connectionless packet switching. To use an analogy, if the telephone network was based on bridges, when you dialled a number, every phone in the world would ring. A telephone network based on routers would mean that every phone in an area code would ring. A telephone network based on SFPS or ATM would mean that only the phone of the number for the person(s) you were calling would ring. SFPS and ATM support 'conference calls' through point to multi-point connections. Essentially, with connection-orientated LANs the nature of networking is migrating from 'party line' to 'private line' communications. The connection-orientated approach uses the hub as a packet/cell switch rather than as a repeater. Conversations between an origination node, the hub or switch port, and a destination node are not broadcast to any other nodes. As a result these connection-orientated technologies automatically provide a level of link privacy that prevents eavesdropping from any other device connected to another network port. This contrasts sharply with traditional Ethernet, Token Ring, and FDDI networks, where transmissions are broadcast to all network nodes in addition to the intended destination. By establishing a dedicated, switched connection between two users, the security benefit of limiting and controlling the flow of information on the network is gained. This results in security similar to that provided by bridges and routers in a connectionless network, but at one tenth of the cost based on price/performance. By their nature, switched connections are not 'shared access' and thus promiscuous listening devices or applications are rendered useless (no need for eavesdrop prevention). End-to-end secure links can be established across multiple segments (much like encryption methods). Finally, intruder prevention functions are provided through Network Management Systems. The NMS maintains authorized user lists, along with policies that control user bandwidth allocation and access to network services or data repositories.

A more in-depth discussion of Cabletron's LANViewSecure, Port Locking, SecureFast Packet Switching and ATM solutions is available in separate papers and may be obtained by contacting Cabletron Systems. This article accompanies a presentation given by Lesley Hansen at the 11th Computer Security Audit and Control Conference at the Queen Elizabeth II Conference Centre, London, UK.

Preventing Software Piracy

Robert Schifreen

It's up to you, as the person in charge of network security, to ensure that users are not storing pirated software on the server or workstations. Regular audits can help you achieve this.

The Copyright, Designs and Patents Act 1988 states that, "A person commits an offence who, without the licence of the copyright owner, in the course of a business, distributes an article which is, and which he knows or has reason to believe is, an infringing copy of a copyright work." Computer
programs are, of course, copyright works. Software houses go to various lengths to detect unauthorized copies. For example, if a software company regularly receives support calls from 20 people at company X, but it is known that company X has purchased only three copies, it is not uncommon for the software company in question to call company X and ask for a cheque by return of post. This has happened in the UK on more than one occasion.