This document is over 20 years old, and Process Software makes no representations as to accuracy or features supported by our current products. Multiple patents reference this information, so we continue to make it available as a service to the Internet community.

 

Guide to Internet Security

With the proliferation of computer networks worldwide, network security has taken a front seat. A secure network must be able to prevent unauthorized users or intruders from accessing, corrupting or changing information. At the same time, the network must be available to authorized users.

The opportunity for security breaches is unprecedented. The Internet, remote computing usage, and the client/server model have all increased the number of potential security holes. The result is a network security nightmare.

Most users are "good network citizens," but a small, growing number of infiltrators threaten network integrity. These unauthorized users or "hackers" resort to a variety of tactics such as tapping into telephone lines, snooping, eavesdropping over wireless LANs, changing packets, or capturing and distorting information. Such breaches are often discovered accidentally after the damage is complete.

These "hackers" are not necessarily teenage network joyriders. In most cases, these are dishonest or disgruntled employees. However, industrial spies, foreign governments, and adventurous network users also target corporate resources. In any case, by accessing confidential information, they can cause irreparable business damage, with significant monetary and productivity losses.

Network infiltrators use a variety of methods used to test host security. Vulnerable areas include easily guessed passwords, default accounts, weak file protection, proxy/trusted host, and remote execution. More sophisticated invasion techniques include the installation of "Trojan Horse" applications. And, by using protocol analyzers or "sniffer" network monitoring tools, unauthorized intruders are able to collect host and user authentication information and steal passwords and electronic addresses from legitimate network users.

Networked systems at particular risk are those that offer remote access via commonly used Internet services, such as telnet, FTP, rlogin, E-mail, NFS, X-Windows, and finger. Since these are all services provided over the TCP/IP protocol, linking to a TCP/IP network poses significant security concern. With TCP/IP as the de facto Internet communications standard, the risk is unavoidable. But a solid understanding of the security issues and dangers involved can help eliminate potential network holes and security breaches.

 

Bulletproofing your Network: The Basics

Simple, no-cost ways to bulletproof your existing networking environment include security measures as basic as removing unused or unneeded services/accounts, reviewing accounts periodically, and enforcing aggressive password strategies.

A strict, aggressive password enforcement program is critical, especially for privileged users. Key elements include frequent password changes, non-reusable passwords, and the use of long, not easily guessed passwords.

Other common sense approaches include enforcing user restrictions (types of logins and hours of usage); substituting "Authorized Use Only" for "Welcome to" announcements on login; warning users that network auditing may be performed; and maintaining up-to-date software revisions, including security enhancements. It is also important to heed security warnings published by security advisory boards.

Seemingly trivial operations, such as properly configuring FTP, restricting remote hosts allowed NNTP access, and verifying the NFS export list, can make a tremendous difference between strong and weak security. Additionally, it is important to educate the user community about good security practices, especially for network scenarios that include Internet access, remote dial-up, or X-Windows terminals.

One way to preserve E-mail integrity is to eliminate the internal host name from the sending message and use internal mail hubs to deliver E-mail to the final destination. Another option is to install a dedicated E-mail server which can decode files and check configuration files for non-user aliases.

Whenever possible, take advantage of any security features built-in to your computer operating system. OpenVMS, for example, provides a variety of security logging and auditing features. Organizations that must comply with high-level federal security for trusted implementations should consider implementing Security-Enhanced OpenVMS (SEVMS).

 

The Network Security Plan

Effective network security begins by developing a consistent, organization-wide security plan, with defined policies and procedures. Organizations with large distributed Wide Area Networks connecting many remote sites may choose to incorporate many security layers and a variety of strategies. The plan should incorporate a strict password policy, implementation of an Internet firewall to block network traffic, and restriction of remote user access.

Incident handling is another essential element of a good network security plan. It should define the problem escalation chain within your organization, including the key players and how to contact them.

It is also important to adopt strong authentication mechanisms that require users to implement different passwords whenever they log on to an external network. Evaluate the use of "digital signatures" using public-key cryptography. These easy-to-implement security options include security management software and password encryption tools. They range from hand-held authentication devices to special cryptographic keys that prevent accidental password leaks.

Commercially available products which encrypt sensitive, confidential data include Digital Pathways' Secure NetKey, a hand-held authentication calculator; Security Dynamics' Secure ID, a turnkey system which provides a changing number authentication card; Racal-Guardata's WatchWord and WatchWord II, which provide an authentication calculator; Enigma Logic's SafeWord, a card authentication calculator that supports one-time passwords; and BellCore's S/KEY, a challenge and response, one-time password authentication system.

It is highly worthwhile to become familiar with available security resources, including local and national advisory boards, newsletters, and Internet discussion groups (See Table 2.0 and Resource listing at the back of this guide). One such organization is the Computer Emergency Response Team (CERT), which issues regular security advisories, has a 24-hour emergency hotline, and publishes a moderated mailing list, which is available on USENET News as comp.risks or via E-mail subscription. CERT also provides public domain software (available via anonymous FTP from info.cert.org in the pub/tools directory), such as the Transmission Control Program (TCP) daemon wrapper programs that provide additional logging and access control security.

 

Security Auditing and Firewalls: Tips and Techniques

There are various ways to manage security and protect external sites from accessing internal system resources over a TCP/IP network. Security mechanisms include network application controls, network monitoring, security auditing, and firewalls. An efficient scheme should address security at the application level, as well as both internal and external network connections. Security auditing requires careful and accurate record keeping and information gathering. It's as simple as using basic auditing resources to determine who is logged in, when they logged in and out, and to display most recent login entries. After identifying potential network threats, it is important to determine how the available security services fit your organization's security plan. For maximum security, a combination of services is recommended.

In implementing a security plan, consider the following issues: Should authentication be used to prove the user's identity before network access is allowed? How can you implement data confidentiality services to prevent unauthorized users from reading data? What data integrity services are needed to guard against modification or replay of data transmitted across the network? Does your security plan require non-repudiation services to prevent denial of participation in a communication? And, finally, should you implement traffic padding services to prevent illegal users from inferring information from network activities?

Authentication services that regulate user access to network services are extremely important. One established authentication protocol is Kerberos. Developed at the Massachusetts Institute of Technology, Kerberos relies on a secure server to ensure login security on a TCP/IP network. Designed to ensure data integrity and confidentiality, Kerberos uses the Data Encryption Standard (DES) to encrypt messages and create private keys used during various transactions. Through Kerberos, clients can prove their identity to other systems without transmitting "cleartext" human-readable passwords or relying on the network itself for security.

In a Kerberos environment, at least one system runs the Kerberos server. Also known as the Key Distribution Center (KDC), this Kerberos system is a secure or trusted server that provides authentication services to prove that the requesting user is genuine. It issues keys to lock or unlock encrypted passwords. The server is available to any number of heterogeneous Kerberos clients and servers from different vendors running on different operating systems.

Access control services determine what resources authorized users can access and their usage privileges once they are granted access. Effective access control depends on proper authentication. The use of access control lists (ACLs) is a common way to provide access control for incoming and outgoing services. ACLs specify which hosts or networks are allowed or denied access to services.

Incoming address filtering restricts the datagrams a network interface can receive. Ideally, a filtering scheme should be flexible enough to support a variety of protocols and filter by protocol-Internet Protocol (IP), Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), Transmission Control Protocol (TCP), or any other IP protocol-source and destination address, and TCP/UDP source and destination ports. Filtering should be easy for the system manager to configure and manage across a network.

Mandatory Access Control can be used for networks that must protect the integrity of highly sensitive, confidential data. One type of implementation is the IP Security Option Standard (IPSO). It was developed for the U.S. Department of Defense to screen IP datagrams sent over the network and prevent those without the proper security label from accessing the system or being transmitted over the network. Access can be implemented to handle different levels of security, including "Top Secret," "Confidential," or "Unclassified."

 

Maximizing Security

Routers and firewalls provide additional levels of security. For maximum security, they can be combined with incoming or outgoing access control restrictions. Routers can be used alone as a first-level security measure or together with Internet firewalls to enhance security. When used with an Internet firewall, they can address certain configuration requirements, such as separating the Internet firewall from the Internet provider.

As the first line of defense, many organizations employ packet filtering within a router or on a server. Using a pre-defined set of rules, packet filtering drops those packets not explicitly permitted. Individual rules permit filtering based on protocol, source or destination address, or port number.

A well-implemented filter capability provides each interface with a unique filter list, which indicates whether the packet is permitted or dropped. The order of entries is very important. Filtering stops when the condition is met and all unrecognized packets are dropped.

Packet filter lists can be set up either to permit only what is explicitly defined or to deny what is not wanted. In creating a packet filter list, it's advisable to: use explicit addresses for source/destination and pay special attention to services that don't use protected port numbers; allow DNS traffic through; deny dangerous ICMPs, such as redirects. Despite its advantages, packet filtering is expensive to implement because of processing time. It is necessary to check each received packet against the filter list.

Another technique is to implement two domain name servers. The first domain server, with complete network information, is dedicated for internal use only. The second domain server, is used exclusively for external use, and is configured with minimal network information; e.g. fake host names are used for all internal addresses to prevent outsiders from learning anything useful about internal hosts.

Many organizations are now exploring the use of Internet firewalls. According to a recent survey by the Business Research Group (a Newton, Massachusetts consultancy), approximately 42% of respondents surveyed plan to use firewall security servers within 12 months.

Like a fireproof wall that prevents the spread of fire, an Internet firewall serves as a gateway to block the transmission of certain types of traffic. Firewalls provide a secure method for connecting to the Internet or other public network, and use a single access point between the internal and external network. Among commercially available firewall systems are the following: Firewall-1 (CheckPoint Software), Interlock (ANS CO+RE Systems), Janus Firewall Server (NetPartners), Eagle Network Security Management System (Raptor Systems), BorderWare Firewall Server (BorderWare), Internet Firewall System (Technologics), and Gauntlet (TIS).

 

TCPware for OpenVMS

One way to setup firewall security is to use TCPware for OpenVMS, a complete TCP/IP networking solution for Digital's VAX and Alpha systems. Tightly integrated with OpenVMS security, TCPware generates OpenVMS auditing trails and accounting records and uses break-in evasion detection to ensure system integrity. TCPware also provides expanded facilities for TCP/IP security:

TCPware supports incoming access restrictions for TCP servers initiated through the master server (for example, TELNET, FTP, and RLOGIN). The use of incoming access restrictions allows the system administrator to list internet addresses (and groups of addresses) allowed or disallowed access to these services on a service by service basis. This is an efficient security filter -- the checking is only done once when the connection is established.

Outgoing access restrictions can be used to restrict the TCP services to which users are allowed access. Individual users or groups of users can be restricted; restrictions can be by destination internet addresses and/or destination port numbers. The system administrator may also log each access attempt (or a subset of attempts). These restrictions are also efficient-- checking is only done once when the connection is attempted.

Packet filtering can be used to restrict the received datagrams that may be processed on a particular interface. When a packet filter list is installed for an interface, all received packets are checked against the filter list and either accepted or dropped depending on the entry matched in the list. The entries in the filter list specify the action to take if the packet matches the protocol, source and destination internet address, and, for TCP and UDP, the source and destination port numbers. Packet filtering can be used when TCPware is used as a router between networks or even when TCPware is used in an end-host on a network. Packet filtering does require some additional processing as each datagram must be checked against the list.

TCPware can also function as a Kerberos server (KDC), as a client, or both. TCPware supports Kerberos-based authentication for Telnet, RLOGIN, RSH, and RCP. Network managers can implement these features easily, using the single TCPware Network Control Utility (NETCU).

Extending TCPware's functionality is the Security-Plus module. Available separately or included with an integrated TCPware package, Security-Plus addresses a full range of requirements for protecting data and services on a TCP/IP network. It supports incoming access restriction, using IP addresses to permit and deny entry. To prevent address spoofing, it uses packet filtering, which can be implemented by protocol, source and destination address, UDP/TCP source and destination port. Outgoing access restriction is provided at the kernel layer, which ensures proper validation.

 

Summary: The Common Sense Approach

The Internet is a valuable business tool, and security fears should not deter active usage. Because the Internet was designed for the academic and research communities, security was not an original high priority. However, with the increased business usage of the Internet and the development of the next-generation IP, security has become more of an integral concern.

Today the number of real network threats has increased. There are also numerous misconceptions about network security, ranging from a false sense of security to panic that the Internet is dangerous and must be avoided at all costs. In any case, network security has become a priority for most organizations.

There are a variety of measures that TCP/IP environments can implement to ensure a secure network. They range from simple, common sense approaches to commercially available security solutions. Operating systems, such as OpenVMS provide extensive built-in security features, which can be further enhanced when used with TCPware for OpenVMS.

Implementing the right security program is critical in a TCP/IP networking environment. But before implementing any type of security, it is essential to understand the risks and identify potential holes. As a guideline, ask these questions: What are the possible threats to your network? Which services does your network require to protect against these threats? And what are the relative advantages of each method? Breaches in network security can range from a simple business inconvenience to tremendous financial losses. At the extreme, security breaches can be as serious as industrial espionage involving the release of proprietary company information.

If your organization doesn't currently have a security program, the development of an integrated security plan should be the first step. Such a program should address a wide range of issues, including dial-up modems, viruses, etc. Because networks are dynamic, network security must be evaluated on an ongoing basis to ensure that it reflects changing network conditions, including the addition of new users, dial-up modems, wireless LAN configurations, and Internet access.

In any case, maximize efforts to ensure that organizational information is secure both at the local and network level. Provide employees access only to the data their work requires and not unrelated material. While there is no single, fail-safe security guarantee, a strong familiarity with the problems and solutions is a critical first step.