|The Castle Defense||Originally published in Performance Computing Magazine.July 1999|
Computer and network security is real. A recent IDC survey said the market grew by $1 billion from 1997 to 1998 with no signs of slowing this year. Attendance at some computer and network security conferences grew over 200 percent from 1998 to 1999.
My observation is that more than 50 percent of the attendees are there for the first time. Corporations are committing money and resources to safeguard the systems they have come to depend on for minute-by-minute business: their enterprise network.
Computer and network security -- everyone (it seems) is talking about it. I remember overhearing a random discussion on an airport shuttle at Baltimore-Washington International airport many years ago. I was amazed that the two individuals were talking about the Internet and e-mail. Three years ago I had a conversation with a Ukrainian cab driver about network security. "You mean, like firewalls?" he asked. Incredible, I thought. This is now, of course, commonplace. What is effective computer network security, how do you achieve it, and when is enough, enough? There are real threats out there, measurable risks to our organizations, but there also are effective countermeasures we can employ that have become more complex since the days of mainframes and locked glass rooms.
The Changing Perimeter
In those mainframe days, securing the computer meant locking the room the computer was in, and only allowing authorized individuals direct access to the computer itself. The perimeter was easily drawn. It was the room enclosing the central computer.
A few years after that, the move to PCs and networked PCs dramatically changed the nature of the perimeter. Sharing information continued to be a business requirement, but the information was stuck on each person's PC. Information was shared via printouts and magnetic media (floppies), then by shared partitions over the network and e-mailed documents.
Connecting an enterprise network to the Internet made the perimeter even fuzzier. We may draw nice diagrams that show the internal private network and the external Internet with a box labeled "firewall" between them, but that is, as they say, just an "artist's rendition." Which wires really go where is a different story. With the potential for modems on every desktop, the network-security perimeter becomes even harder to discern. And the Internet offers a path to other offices, business partners, suppliers, customers, and prospective customers.
"A crunchy shell around a soft, chewy center," is firewall wizard Bill Cheswick's oft-quoted description of an enterprise network. It was probably accurate at the time, but few enterprises today actually have a provably crunchy shell.
Personal, group, office, interoffice, business partners, customers, and potential customers -- as the circle of communication grows, so does our need for computer and network security, and not just more of the same, but various devices with specific tasks.
Starting Down The Road To Security
Computer and network security is often applied too late. Security becomes an "issue" when its time has come. A brief analysis is done after the breach, when an organization learns it is vulnerable to many kinds of attacks. But this is not the time to disconnect all network connections and hunker down. What it means is that it is time to begin the planning process. Securing an enterprise takes a good plan and security policy based on risk analysis and a business-needs analysis. They will tell you what services are required, and what threats and vulnerabilities must be countered. The plan will suggest what mechanisms should be used and where.
Many a castle was built around an established settlement. Some settlements were, after all, accidental. Several families decided to stop at one point to rest, and they settled down. Another group was like-minded, and settled not too far away. Soon they had a settlement and needed protection. Then they went about ensuring security in the best way they could after patterns of behavior had been established. This after-the-fact approach is similar to how most organizations establish their network-security systems.
Prevention, Detection, And Response
Connecting to the Internet opens an enterprise network to attack from the Internet. Internet firewalls have become a standard addition to any organization's gateway to the Internet or to other companies' networks, and usually are the first security devices installed. Internet firewalls, like the walls of a medieval castle, are primarily prevention devices. They are controlled access points between one network and another; guarding logging access and access attempts; and policing what services are allowed, in what direction, and under what conditions.
Rarely is a gateway to the Internet completely one-way. It often starts off that way, but an organization's needs usually grow to meet the Internet's possibilities. Soon, an enterprise network perimeter becomes more porous to include traveling users and telecommuters. Firewall technologies changed to meet this need, extending the firewall's access control down to the user level, using cryptography for strong user authentication, allowing users from the untrusted side of the connection to access the trusted side.
The use of the Internet as an inexpensive way to connect offices of the same company, coupled with the need for offices in the company to have connected networks, led to the slow but steady growth in the use of Virtual Private Network (VPN) technology. Typically an add-on to a firewall, a VPN uses cryptography to safeguard communications from eavesdropping. VPNs are also used to keep communications between business partners and customers confidential, while still maintaining controlled access to the private enterprise network. VPNs are also used to safeguard the communications from mobile PC users and the enterprise network.
A firewall is often the first security mechanism deployed. It is a good first step. Many castles started out as simple stockades -- little more than timber or stone walls, providing some protection, as well as a rallying point, when an enemy was approaching. Later they were built up, but often that simple first step bought time to implement those other steps.
Some people are deploying firewalls at internal perimeters as well. Firewalls are deployed between organizations, between offices, anywhere access control is needed or would enhance security. Firewalls can be found separating accounting from the rest of the organization, between Human Resources and the rest of the company, and protecting the advanced development group. Firewalls at different levels help to segregate and compartmentalize an enterprise network. Castles had one or two main gates to keep enemies out, but they also employed locked barriers on the inside of the castle within the primary security perimeter.
Finally, some Internet firewalls are incorporating quality of service (QoS) as a control feature. The thinking goes, since the firewall is the gateway, this is the perfect place to implement QoS controls. QoS features let an organization control, for example, what percent of the network connection is used for which services. In this way, no one service (someone downloading a large file from the Web, for example) can dominate the connection. A certain amount of the bandwidth can be made always available.
At the other end of the spectrum is antivirus (AV) software, which is primarily a detection-and-response mechanism. AV software has been in use for many years, detecting PC and Macintosh computer viruses, and taking action -- usually correction or deletion. A kind of content screening for the desktop, AV software periodically looks for known computer viruses in files, as well as dynamically, such as every time a file is opened or created. This desktop software, even with less than complete coverage in an organization, is extremely useful and effectual in stopping the spread of computer viruses throughout an enterprise.1
Another family of prevention and response systems is the class of products called intrusion-detection systems (IDSs). There are two types of IDSs: monitors and scanners, and each can be deployed on networks or computers. Monitors, or vulnerability checkers, are static analysis tools. Run periodically, they look for known problems such as bad passwords, missing security patches, and weak configurations. They also can check for changes to important system or data files. Network monitors check network services offered by individual computers on a network, looking for known vulnerabilities.
Scanners are dynamic analysis systems that look at events as they are happening. The two types of scanners are anomaly detectors, which detect the abnormal, and misuse detectors, which detect "bad" events. An anomaly detector is told what normal behavior is for an individual, system, or network, and takes action when some event occurs outside of the "normal" range. Disk usage outside of that range can be recognized as an anomaly. Individual users logging in outside of their usual hours or connecting from unusual systems can easily be tagged as out of the ordinary.
With one type of misuse detection, a list of unwanted events is watched. If something that should not happen does, the intrusion-detection system takes action. The other type of misuse-detection system is an attack-signature-recognition system. Attack signatures are written up and some data source (such as an operating-system audit log) is examined by looking for the attack signatures, which are patterns of attack.
Another security technology is application-level encryption. With this kind of encryption, users can lock documents stored on a computer disk or messages sent via e-mail. It hides database records from unauthorized eyes. Application-level encryption ensures that a vandal has not modified data. Easily integrated into software, and assigned for use to individuals, encryption software provides individual accountability, enterprise-wide authority, and confidentiality.
Brick By Brick
Castles weren't built in a day, and enterprise networks can't be built that quickly either. Evidence of battlements and fortifications added over time show that implementing an unfinished plan is better than waiting for a complete one. No society that waited to build until all the materials were available survived -- and neither can a company that waits until its plan is perfect. Start now. Improve later.
1. Tippett, Peter S. "Computer Virus Costs In A Typical Corporation vs. Various Protection Strategies," Presented at the Intl. Virus Prevention Conference, Orlando, FL, April 28, 1998.
Christian theology refers to the ordo salus -- the ordered steps to salvation. In computer and network security circles, we can refer to the ordo cautela -- the order of security. By this I mean the normal order of deploying security. This is not canon, but is pragmatism.
Desktop protection (antivirus software). Most organizations that have PCs install antivirus software long before anything else. Even with no connection to the Internet, floppy disks from home or CDs from vendors are potential avenues for viral attack.
Internet connection. A business's requirement for Internet security is often an impetus for security measures. Everyone knows that the Internet is not a safe place. Hence, the need for security.
Firewall. The first, and sometimes only, security device employed. A good first step, but a terrible only step. Internet firewalls are necessary, but not sufficient.
VPNs. Connecting offices over the Internet is less expensive than direct, private connections between sites. Confidentiality for data flowing between offices is critical. The vulnerabilities are too numerous to ignore.
Expand firewalls into inside network. Firewalls should be used at various points inside an enterprise network as well, given the risks of internal hacking. Compartmentalization of the enterprise network using firewalls often makes sense, especially in large organizations.
Intrusion-detection software on outside servers. Any system accessible from the outside is a target. These systems must be as secure as possible. Scanners and monitors can watch over systems and provide the additional coverage required to secure the enterprise network.
Intrusion detection on internal servers. Seeing how well intrusion detection works on outside servers, we can then move it to inside servers, remembering that the statistically larger threat is from the insider.
Validate and re-evaluate. Threats change, vulnerabilities change, risks change, business requirements change, and technology changes. Routine review and evaluation is required.
Frederick M. Avolio is a computer- and network-security consultant. He writes on such topics as firewalls, intrusion detection, cryptography, security management, and e-mail systems. He can be reached at email@example.com and http://www.avolio.com/.