
Security and the Enterprise Network

We’ll offer some practical guidelines for assessing security risks that can assist network managers in devising a security strategy appropriate to their particular environments.

By David Banes

Let’s focus on the day-to-day security issues of the ‘average’ networked business by exploring enterprise vulnerability, examining the pros and cons of familiar solutions, and evaluating network security alternatives that can interweave across functional areas of the enterprise to provide a tight security fabric. We’ll offer some practical guidelines for assessing security risks that can assist network managers in devising a security strategy appropriate to their particular environments.

The Changing Face of Security Risk

Company financial information, personnel records, product plans, and customer lists are among the critical assets residing on a company’s network. If your company lost this information, or could not rely on its accuracy, the impact could be crucial to the company’s survival. A 1990/1991 Price Waterhouse survey indicated that companies who lose critical corporate information for more than three days have a 60% chance of going out of business.

The changing complexion of the enterprise poses new challenges for security. Distributed architectures have multiplied LAN complexity and reduced management visibility such that even fundamental questions are difficult to assess. Network audits can reveal unknown users, even hidden networks, tapping into enterprise resources.

David Banes is product marketing manager for network management and security in 3Com’s Premises Distribution Division in Hemel Hempstead, England. He holds both a doctorate and a bachelor’s degree in physics from the University of Birmingham, England.

The New York accounting firm Coopers & Lybrand regularly conducts a network path analysis to explore incoming paths, connected devices, and access controls to their network. One company studied believed it had six LANs, but Coopers & Lybrand found 70. ‘People had been quietly buying, building, and connecting LANs on their own,’ said Peter Browne, regional director of information technology security services for Coopers & Lybrand. ‘In another case, a network path analysis discovered that an organization’s network was connected to ten different mainframes at other companies, and some of those companies were competitors.’[1]

Multiplying the Opportunity for Risk

Risks are multiplied by the very nature of networked traffic. Network managers are well aware that a host transmits a data packet by broadcasting it to all other stations on the LAN, independent of destination. Yet how many have considered the security ramifications of broadcast traffic? If you had a confidential message for someone at the other end of the hall, you probably would not shout it out for all to hear. But that’s effectively how data is transported across a LAN. Any host can be configured to receive packets from any or all addresses, which leaves the possibility wide open that confidential information can fall into the wrong hands, if only by accident, and without any record of the transaction.

198 JULY-AUGUST 1995

Movable Targets

Expanding boundaries of the WAN make information more widely available at all levels of the corporation, but also harder to protect. Branch offices push the boundaries of the corporate network across broad geographic areas. And the explosive growth of remote access applications enables individuals to work in a wide range of settings: from home, a hotel, even from a customer site.

While remote networking offers new levels of convenience and productivity, the logical network extension that dial-up access affords makes chinks in the enterprise network armor. Centrally managing and maintaining the network becomes a harder problem as the user population becomes increasingly unknown and dynamic. Dial-up technology provides the potential for any faceless user to call into the corporate enterprise from any location around the world.


Today, remote networking is one of the fastest-growing internetworking segments. The Yankee Group predicts that the market for LAN dial-up products and services will reach $4.4 billion by 1997, a sixfold increase over a five-year period. This growth could be severely curtailed if companies perceive remote access as a threat to data security. Yet adequate security can be achieved only if the local resources are secured as well as all avenues into them. What good is secure remote access if the information available to dial-up users can be compromised on the LAN?

Knowledge Is Power

The end-user population is increasingly more computer-literate, which means the potential for curious and even malicious intrusion is more intense. In mainframe days, only the administrator was knowledgeable enough to navigate the system. Now personal computers and individual workstations proliferate in the business environment. Workers routinely add software and hardware components to their systems, send and receive electronic mail, load applications. Manuals detailing system intricacies are as handy as the nearest bookshelf. The growth of the Internet exacerbates the potential for problems. Bulletin boards and online mail services circulate all types of computer user tips, including information about bypassing security. And new generations of users, who have been using computers since elementary school, are increasingly savvy.

Types of Security Threats

In a 1993 survey of 300 security professionals by the non-profit organization ComSec BBS, 69% said their companies had experienced security problems in the past year; 59% reported computer virus attacks within the year, some costing as much as $100,000; and 55% said security breaches occur regularly on their LANs. While these numbers are high, it’s hard to assess the full scope of security problems because many security breakdowns are kept well hidden. Companies would rather absorb the monetary damages than risk their public image.

The last decade has witnessed an inordinate growth of networks worldwide. These networks were designed with data access, not security, in mind. The result is that everyone’s data is at risk. A security failure is as inevitable as a California earthquake. It’s incumbent on network and security managers to assess their risk and take appropriate action. Those who are prepared will sustain the least damage. Those who put off the issue for another day may wake up to find that vital network resources have been compromised.

To find the source of security threats, the first place to look is in your own backyard. Reports indicate that 80% of network security breakdowns are internal. And while mechanisms exist to track hackers entering your network externally, internal security breaches become more insidious by their unobtrusiveness.

INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT 199

Inside Threats

Just the mere mention of the word security conjures up images of uniformed guards and ruthless criminals. But in reality, human and network error are some of the biggest security problems. And casual browsing can certainly be a security problem in a networked environment. The purpose of networking has been to make access to information as easy as possible, so many network managers have kept security to a minimum. Without adequate security, even unsophisticated users can log onto another’s machine, scan directories, and download or print files, completely unnoticed. For convenience, many users simply bypass security measures, and many applications, computer systems, and network administrators allow it.

While not common, malice is a threat to corporate security. Most users of your network are ethical. However, the talented, disgruntled employee knows exactly where to aim to wreak the most havoc by destroying or tampering with data, introducing computer viruses, stealing passwords for later unauthorized access, even copying intellectual property assets for possible illicit distribution.

Externally Generated Threats

External network threats get more media attention than internal threats, which can lead to a false sense of security. Some people might believe that a secure Internet gateway will protect them from unauthorized intrusions. While more sensational, however, external intrusion is less common than the day-to-day threats to internal security discussed above.

Hackers

Internet hackers are a big topic in the news today, as Internet access has moved beyond academia to the commercial market. While most hackers are sophisticated programmers, the doors they find into corporate networks are usually left open by legitimate, but unthinking or inexperienced, network users. Barbara Fraser, manager of product development at the Computer Emergency Response Team (CERT) at Carnegie Mellon University, cites the following primary causes of Internet breaches:[2]

• Security holes in Unix’s Network File System (NFS) create access through the Internet gateway. While tools to exploit the limitations of NFS are widely available, so are software patches to correct NFS problems. Yet many network managers fail to apply the patches to the system, leaving it vulnerable to intrusion. Firewalls can prevent outsiders from penetrating the network in most cases, but they cannot prevent attacks from within.

• Network monitoring tools, or ‘sniffers’, can run without detection on a network and capture unencrypted text (including passwords) during transmission. While intended for network administration, these tools gather the types of information that can advertise weak links in the network security armor.

• Configuration errors, such as allowing insecure protocols such as NFS to pass through firewalls, give hackers yet another opportunity to intrude.

In one sense, hacker attacks can be useful to network administrators because, if noticed, they can raise awareness of problems on the network. By monitoring hacker progress through a network, managers can discover what systems are most vulnerable and reengineer their networks accordingly.

Viruses

Computer viruses spread through electronic bulletin boards, shareware, and computer diskettes used across multiple PCs. Shrink-wrapped software and hard disk drives can be infected right out of the box. While viruses can be annoying at best and costly at worst, the good news is that virus awareness is high, and many antivirus mechanisms are currently available. Network administrators burned by viruses are prone to educating users to the dangers of viruses and enforcing procedures for minimizing virus damage.


Popular External Mischief-makers

Among malicious security threats that have gained widespread notoriety, the following are perhaps the most common:

• A trap door, which is embedded code that allows programmers to perform maintenance on certain software products. Oftentimes, trap doors can bypass normal security procedures, leaving the system wide open for unauthorized access.

• A Trojan horse, which is hidden code (often a virus) disguised as a legitimate utility program but set to perform some mischief at a later date. The widely reported Michelangelo virus is an example of a Trojan horse.

• A worm, which is a program that eats up bandwidth by replicating itself as it travels across a network. The infamous 1988 Internet Worm, developed by Robert Morris (who was subsequently prosecuted), tied up network resources for an estimated 6000 users over a 20-hour period. Damage estimates range from $10 million to $300 million in lost time.

• A computer virus, which is a self-replicating program that attaches itself to legitimate software and causes mischief or damage to any computer with which it comes into contact. The first harmful computer virus was discovered in 1989, and it is estimated that more than 500 known strains of virus exist today, though less than 100 of these are thought to be active. Most viruses are written in assembly code, affect only PCs, and are not cross-platform.

Common Security Mechanisms

Network security has four basic goals:

• User authentication - validating the legitimacy of the user population

• User authorization - maintaining proper access to data

• Data integrity - assuring the accuracy and availability of data

• Data privacy - safeguarding corporate and end-user confidentiality

Table 1 examines the advantages and disadvantages of point solutions for achieving these goals. As the table shows, these solutions are limited in their scope of network security. In practice, safeguarding the enterprise requires many layers of protection.

What the Network Can Offer

To account for the changing nature of the enterprise, a strategy can apply multiple levels of security by approaching the network from two directions: from the WAN inward, to provide a protective barrier for unauthorized intrusions into the enterprise, and from the desktop outward, to secure the company’s LAN-based operations.

A robust security management system combines individual LAN and WAN security solutions into an enterprise security umbrella addressing all functional areas of the enterprise: the building/campus backbone, the workgroup, wide area connections, remote offices, and personal offices. A comprehensive network management scheme can then provide scrutiny into every individual element in the security framework, for complete management and control.

The following sections look at security alternatives available in each functional area.

Workgroup Security

A number of nonintrusive security mechanisms are available to protect data confidentiality and integrity at the workgroup level. These solutions secure data automatically, which makes users’ lives easier, prevents security bypass, and reduces the chance for human error.

Segmentation

This is one of the most common methods of improving network performance while also providing a natural security buffer. Just as ‘no sex’ is the safest sex, denial is the best form of security. Filters between workgroup segments can form implicit firewalls by restricting certain protocols. Routers can prevent two-way access to the workgroup but are susceptible to attack by masquerading. CERT reports indicate that, as often as 14 times per day, Internet hackers masquerade as legitimate sources, effectively bypassing security filters in firewalls to gain access to network resources.

Passwords
  Goal: User authentication
  Advantages: Easy to use. Built-in to many applications and hardware devices.
  Disadvantages: Often not strictly enforced. Can be bypassed. Often easily guessed. Commercial and freeware guessing software widely available.

Electronically generated passwords
  Goal: User authentication
  Advantages: Valid only for a single user session. Limits retries.
  Disadvantages: Require extra hardware for each user. Often employ encryption techniques and thus subject to other disadvantages listed below.

Callback systems
  Goal: User authentication
  Advantages: Easy to use. Bolsters the password system.
  Disadvantages: Applies only to dial-in users. Relies upon the integrity of the database residing on the LAN.

Firewalls
  Goal: User authorization
  Advantages: First line of defense against Internet intrusion. Can be physically segregated from the rest of the network.
  Disadvantages: Relies on the validity of network addresses, which can be masqueraded. Provides one-way protection, but often does not limit outbound traffic. Restricts legitimate user access.

Encryption (public/private)
  Goal: Data privacy
  Advantages: Protects data as it travels across the LAN. Gives confidence that data is secure.
  Disadvantages: Reduces throughput and slows performance. Key distribution adds to administration overhead. Is subject to export restrictions. Software algorithms could be compromised without your knowledge.

Digital signatures
  Goal: Data integrity
  Advantages: Provide read-only access. Ensure that data has not been changed. Validates source of data. Doesn’t affect performance.
  Disadvantages: Restricts usability of data. Often employs encryption techniques subject to export restrictions.

Table 1. Pros and cons of common security alternatives

Switches provide natural segmentation between workgroups while delivering dedicated bandwidth for high performance. If any workgroup device produces spurious errors on the network, switch partitions prevent the replication of the problem across other workgroups.
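The segmentation filter and its weakness against masquerading, as an added example that is not part of the article and not any router vendor's code. It models a protocol filter between a workgroup segment and the rest of the network in two forms: one that trusts the packet's source address field, as the text describes routers doing, and one that also checks the address against the interface the packet arrived on. That interface check goes one step beyond the text; it is the standard remedy for the masquerade the text warns about. The segment address range, interface names, protocol names and sample packets are all constructed for the demonstration.

```python
# Added example (not from the article): a minimal packet filter between a
# workgroup segment and the rest of the network, showing why a filter that
# trusts the source address alone is open to masquerading, and the ingress
# check that closes that gap. Addresses, interfaces and protocol names are
# constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed workgroup segment behind the filter
WORKGROUP_NET = ip_network("10.1.0.0/16")
# Protocols reachable from anywhere, and protocols only workgroup members may use
OPEN_PROTOCOLS = {"smtp", "http"}
INTERNAL_ONLY_PROTOCOLS = {"nfs"}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "inside" or "outside"
    src: str     # claimed source IP address
    dst: str
    proto: str


def protocol_permitted(pkt: Packet, src_is_member: bool) -> bool:
    """The protocol restriction itself: open protocols always, internal-only
    protocols only when the source counts as a workgroup member."""
    if pkt.proto in OPEN_PROTOCOLS:
        return True
    return src_is_member and pkt.proto in INTERNAL_ONLY_PROTOCOLS


def address_only_filter(pkt: Packet) -> bool:
    """Trusts the source address field: a packet that claims a workgroup
    address is treated as a member wherever it arrived."""
    claims_member = ip_address(pkt.src) in WORKGROUP_NET
    return protocol_permitted(pkt, claims_member)


def ingress_aware_filter(pkt: Packet) -> bool:
    """Also checks that the claimed address is consistent with the arrival
    interface: a workgroup address arriving on the outside interface (or an
    outside address arriving on the inside interface) is a masquerade
    attempt and is dropped before any protocol rule is consulted."""
    claims_member = ip_address(pkt.src) in WORKGROUP_NET
    if claims_member != (pkt.iface == "inside"):
        return False
    return protocol_permitted(pkt, claims_member)


def compare(pkt: Packet) -> dict:
    """Return both verdicts for one packet so the difference is visible."""
    return {"address_only": address_only_filter(pkt),
            "ingress_aware": ingress_aware_filter(pkt)}


if __name__ == "__main__":
    # A legitimate NFS request from inside, and a masqueraded one from outside
    legit = Packet("inside", "10.1.5.9", "10.1.0.2", "nfs")
    spoofed = Packet("outside", "10.1.5.9", "10.1.0.2", "nfs")
    print(compare(legit))    # both filters allow
    print(compare(spoofed))  # address-only allows, ingress-aware drops
```

The masqueraded packet passes the address-only filter because nothing in the packet distinguishes it from a genuine workgroup host; the ingress-aware filter rejects it because a 10.1.0.0/16 source cannot legitimately arrive on the outside interface. A switch or router that cannot see the arrival interface cannot make this distinction, which is the limitation the text describes.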

Secure Repeater Technology

Each device on a LAN has a network interface card (NIC) with a unique Media Access Control (MAC) address. In normal operation, a host sends a data packet to all other stations on the LAN, independent of destination. Hosts can be configured to receive packets from any or all addresses. By default, the LAN sends each packet of transmitted data to every connected device, which then examines the MAC address of the packet.

Secure repeaters offer two features that use MAC address information to protect against unauthorized access to data:

• ‘Need-to-know’ checks the destination address of each data packet before putting it on the network. It then ensures only stations with authorized MAC addresses receive a readable packet; other devices receive an overwritten message. This solution is ideally suited for Ethernet networks using twisted-pair or fiber-optic transport. It works with all Ethernet NICs and provides confidentiality at a fraction of the cost of encryption.

• ‘Disconnect Unauthorized Device’ uses network management software to identify the addresses of legitimate devices on the LAN. If a packet with an invalid MAC address arrives at any port, the repeater notifies the network management station, which logs the event and can disable the unauthorized device automatically. This feature works equally well in Ethernet, Token Ring, and FDDI networks. While protecting access to data, it also allows the network management system to maintain an accurate network inventory by alerting the system whenever devices are added or moved.

Novell NetWare environments can further restrict station access by mapping each client IPX address to a particular hub port. Using this feature in combination with Need-to-Know and Disconnect Unauthorized Device boosts the assurance that only authorized users have access to workgroup data. An intruder would need to be physically logged on to a particular known machine to violate security.
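A software model of the two secure-repeater features just described, as an added example that is not from the article and is not 3Com's or any vendor's implementation. It shows the per-port MAC authorization table the management station maintains, Need-to-Know overwriting the payload on every port other than the destination's, and Disconnect Unauthorized Device logging an unknown source MAC and shutting its port. The port numbers, locally administered MAC addresses, the fill byte used for overwriting and the frames are all constructed.

```python
# Added example (not from the article, and not 3Com's implementation): a
# software model of the two secure-repeater features described above,
# Need-to-Know and Disconnect Unauthorized Device. Port numbers, MAC
# addresses, the fill pattern and the frames are all constructed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
FILL = 0xAA   # byte used to overwrite payloads on non-destination ports (constructed)


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: bytes


@dataclass
class SecureRepeater:
    # port -> MAC addresses the management station has authorized on that port
    authorized: dict
    auto_disable: bool = True
    disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def port_of(self, mac: str):
        """Which port a known MAC address lives on, or None if unknown."""
        for port, macs in self.authorized.items():
            if mac in macs:
                return port
        return None

    def receive(self, ingress: int, frame: Frame) -> dict:
        """Repeat one frame. Returns {port: bytes seen on that port}."""
        if ingress in self.disabled:
            self.log.append(f"drop: port {ingress} is disabled")
            return {}

        # Disconnect Unauthorized Device: the source MAC must be one the
        # management station authorized for this port; otherwise log it and
        # (optionally) shut the port down.
        if frame.src not in self.authorized.get(ingress, set()):
            self.log.append(f"alert: unauthorized MAC {frame.src} on port {ingress}")
            if self.auto_disable:
                self.disabled.add(ingress)
                self.log.append(f"disabled port {ingress}")
            return {}

        # Need-to-Know: only the destination's port (or every port, for a
        # broadcast) sees the real payload; other ports get an overwritten
        # payload of the same length, so framing is unchanged but the
        # content is not readable.
        dst_port = self.port_of(frame.dst)
        seen = {}
        for port in self.authorized:
            if port == ingress or port in self.disabled:
                continue
            if frame.dst == BROADCAST or port == dst_port:
                seen[port] = frame.payload
            else:
                seen[port] = bytes([FILL]) * len(frame.payload)
        return seen


def demo() -> tuple:
    """Constructed three-port hub; returns what each of three frames produced."""
    hub = SecureRepeater(authorized={
        1: {"02:00:00:00:00:01"},
        2: {"02:00:00:00:00:02"},
        3: {"02:00:00:00:00:03"},
    })
    # Unicast from port 1 to the station on port 2: port 3 sees only fill bytes
    unicast = hub.receive(1, Frame("02:00:00:00:00:01", "02:00:00:00:00:02", b"payroll"))
    # Unknown MAC appears on port 3: alert is logged and the port is disabled
    rogue = hub.receive(3, Frame("02:00:00:00:00:99", "02:00:00:00:00:01", b"probe"))
    # Broadcast from port 1: delivered readable, but not to the disabled port
    bcast = hub.receive(1, Frame("02:00:00:00:00:01", BROADCAST, b"arp?"))
    return unicast, rogue, bcast, list(hub.log), set(hub.disabled)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The overwritten payload keeps its length so that collision detection and timing on the shared medium are unaffected; only the content is withheld. In the model the inventory side of Disconnect Unauthorized Device is the log itself: every unknown source address produces an entry a management station could act on.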

Built-in Virus Protection for Servers and Client Devices

Some companies supply multipurpose ROMs with built-in boot-sector virus protection for Ethernet adapters. When a PC is powered on, it executes the virus protection software, which then scans the hard disk sector or floppy disk for viruses while the operating system boots up. If it detects a virus, it aborts the boot before any damage can occur in the PC. This type of protection has two advantages over standard virus-protection applications:

• The virus protection is activated automatically during every power cycle. Not only does this make life more convenient, it also prevents anyone from skipping the protection procedure.

• It operates prior to booting, so it catches the virus instantly. Once the system is up and running, it could be too late to prevent many viruses from doing harm.

Ethernet adapters with updatable ROMs can be programmed to adapt to new viruses as they emerge.

Link Resilience

Lost power, broken cables, and other link faults can instantaneously curtail access to data. A robust network provides redundant power systems in hubs, switches, and servers to keep data paths open in the event of primary power system failure. Automatic network resilience can be added at the bridge or repeater level by specifying alternative paths for use if a cable fault affects the workgroup. Should a main link fail, traffic is automatically routed over the standby link.

Personal Office/Remote Office

The biggest challenge with dial-up remote access is user authentication of a growing, possibly nomadic population dialing into a single host or server. The fuzzy boundaries of remote access must be safeguarded to ensure security throughout the enterprise.


Several alternatives currently exist for authenticating remote access:

• All the top remote-access servers provide password protection and automatic callback. This alternative is suitable for small networks, since it is constrained by the memory capacity of the remote access server to authenticate a fixed remote population. Companies with a growing remote access program need a more scalable solution.

• Many remote-access servers support dial-up authentication mechanisms defined by the AppleTalk Remote Access Protocol (ARAP) and by Internet serial-line Point-to-Point Protocol (PPP). The PPP authentication procedure, known as the Challenge Handshake Authentication Protocol (CHAP), is an Internet Engineering Task Force (IETF) standard for dial-up security. PAP is the Password Authentication Protocol. When packets are sent across the link to establish a PPP connection, the receiving system can verify or reject the connection based on user ID and password.

• Stand-alone security devices can authenticate a growing population of remote users through electronic password generation. These devices intercept logon attempts before they reach the remote access server and require a combination of user name, password, and an electronically generated code to grant access to the enterprise network. They also support callback for a second security layer. External servers can even be physically secured against tampering. These solutions offer centralized administration of the entire remote population to facilitate moves, adds, and changes. However, this type of security does not extend to local LAN users.

• Logical alternatives for more complex networks include software solutions that address the local as well as the remote user population, provide centralized management and control, and can grow with the user population. Industry-standard security protocols, such as Kerberos and OSF/DCE, have been developed to allow centralized servers to control access to all enterprise network resources. When a remote user dials in, the remote access server holds the user at the login point while it seeks validation from the appropriate security service. It then forwards the validation or rejection message back from the security service to the remote user.

Remote-access servers provide the same types of data access to remote users that local network patrons enjoy. Likewise, remote users are subject to the security restrictions imposed on the LAN, such as those described for workgroups above.

Building/Campus Backbone Security

In the building and campus backbone, physical security plays a large role. You can gain a lot of assurance by having a locked door on your wiring closet, and most people do.

In addition, the campus backbone is usually the source of a company’s high-speed infrastructure. Because large amounts of data are aggregated into a single point of failure in the network, resilient links and redundant power are especially important in the backbone. Power to the wiring closet should derive from an uninterruptible source.


WAN Backbone Security

Physical security, redundancy, and link resiliency are equally important in the WAN backbone. PBXs, modem pools, remote access servers, as well as network hubs should operate behind the locked doors of the wiring closet. Links between the WAN and the campus backbone should be fault tolerant and redundant. Leased lines connecting to other sites can be backed up with leased lines or with high-speed dial-up connections. Dial-up connections can also provide dynamic paths for overflow traffic should the primary path become traffic saturated.

The Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) routing protocols also provide redundancy to WAN links. These protocols distribute routing tables across the WAN so that, in the event of a primary-link failure, connected routers can devise alternative paths in real time. The broadcast nature of RIP and OSPF exchanges leaves open the possibility of unwanted parties having access to enterprise routing tables. With OSPF, however, a network administrator can program paths through the network based on traffic type. In this way, sensitive data can be segregated from other traffic and routed over the most secure path.

Routers often use compression techniques to optimize data throughput over leased or dial-up WAN connections. Encryption is a byproduct of compression in this instance. However, to truly protect data traveling over the WAN, it is better to re-encrypt compressed data with external encryption products, or internally at the packet level within the router.

Network Management Security

The prime concern of every network administrator is keeping the network up. The network management system is one of the most important tools for achieving this goal. But security features in any network component can be compromised if the network management system is not secure.

The Simple Network Management Protocol (SNMP) is endemic to most networks because of its manageability attributes, despite its lack of security features. Available in the public domain, SNMP is easy to crack. All a subversive needs to do is capture a SET command containing the community string or the Telnet password, and edit and replay the captured packet to gain control over network devices. With this power, the subversive could disable security mechanisms with a few simple commands. No trail would alert the network manager to the intrusion.

SNMP Remote Monitoring (RMON) is a powerful tool for monitoring individual remote ports on a LAN. Unknown to most users, however, RMON provides access to all the types of data a hacker would love to see. But RMON visibility is restricted to the port where the RMON agent resides. Thus, the best place to install RMON is inside a hub that is protected with need-to-know security, which would prevent unauthorized probes from attaching to the network.

Currently there is no standard way to make SNMP systems secure. But there are ways to improve security. You can physically secure the network management console. In staged devices, you can separate management traffic from data traffic, so that ordinary network management traffic is not widely available across the network. Finally, you can disable automatic read/write access to devices so that they can be monitored without compromise.
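The text says a replayed SET leaves no trail for the network manager. One way to create that trail, as an added example that is not from the article and not any product's feature: run detection logic over a record of SNMP requests seen by a probe on the management segment. The record format, the addresses, the community strings, the OID and the list of authorized management consoles are all constructed assumptions. It flags a SET from any host other than the console, a SET that repeats an earlier one (same target, OID and community) from a different source, which is what a replayed capture looks like on the wire, and use of vendor-default community strings.

```python
# Added example (not from the article): detection logic for the SNMP
# capture-and-replay scenario described above, run over constructed,
# syslog-style records of SNMP requests seen by a probe. The record format,
# the addresses, the community strings and the list of authorized management
# stations are all assumptions for the demonstration, not any product's log.
import re

# Constructed policy: the one console allowed to issue SET requests, and
# community strings that are vendor defaults rather than site-specific.
AUTHORIZED_MANAGERS = {"10.0.0.5"}
DEFAULT_COMMUNITIES = {"public", "private"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) snmp src=(?P<src>\S+) dst=(?P<dst>\S+) ver=(?P<ver>\S+) "
    r"pdu=(?P<pdu>\S+) community=(?P<community>\S+)(?: oid=(?P<oid>\S+))?$"
)

# Constructed sample: a legitimate SET from the console (ifAdminStatus of
# interface 3), then the same SET from another host, then a GET that uses
# a default community string.
SAMPLE_LOG = """\
1995-07-01T10:00:01 snmp src=10.0.0.5 dst=10.0.1.20 ver=1 pdu=GET community=s1te-r0
1995-07-01T10:00:02 snmp src=10.0.0.5 dst=10.0.1.20 ver=1 pdu=SET community=s1te-rw oid=1.3.6.1.2.1.2.2.1.7.3
1995-07-01T10:00:03 snmp src=10.0.7.44 dst=10.0.1.20 ver=1 pdu=SET community=s1te-rw oid=1.3.6.1.2.1.2.2.1.7.3
1995-07-01T10:00:04 snmp src=10.0.7.44 dst=10.0.1.21 ver=1 pdu=GET community=public
"""


def parse_line(line: str):
    """One record as a dict of named fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str) -> list:
    """Return (rule, src, dst) alerts in log order. Rules:
    set-from-unauthorized-host: a SET from anything but the console;
    possible-replay: a SET identical in (target, OID, community) to one
    already seen from a different source, the fingerprint of a replayed
    capture; default-community: a vendor default community in use."""
    alerts = []
    first_seen = {}   # (dst, oid, community) -> first source to send that SET
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["community"] in DEFAULT_COMMUNITIES:
            alerts.append(("default-community", rec["src"], rec["dst"]))
        if rec["pdu"] != "SET":
            continue
        if rec["src"] not in AUTHORIZED_MANAGERS:
            alerts.append(("set-from-unauthorized-host", rec["src"], rec["dst"]))
        key = (rec["dst"], rec["oid"], rec["community"])
        origin = first_seen.setdefault(key, rec["src"])
        if origin != rec["src"]:
            alerts.append(("possible-replay", rec["src"], rec["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The probe that feeds this logic has to sit where it can see management traffic, which is why the text recommends separating management traffic from data traffic and placing RMON agents behind need-to-know ports; on a flat segment the same visibility that lets the probe see the SET also let the subversive capture it.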

SNMPv2, the next version of SNMP currently under review by the IETF, includes standard mechanisms for authentication, integrity, and encryption. SNMPv2 effectively requires an administrator to log onto a device to manage it. The device must acknowledge and authorize the access for a network management conversation to take place. This scheme increases security but adds significant overhead to the management process. However, SNMPv2 will allow telecommunications providers to offer Internet-compatible network management.

Assessing Your Risk

Sooner or later, you’ll probably face a security problem. Proper preparation might substantially reduce the amount of damage that ensues.

The time to institute network security is before problems arise, not in reaction to them. Weighing the scope of security threats and assessing the business costs of your risk are the first steps in devising a network security strategy, since the cost of risk is not uniform.


For example, loss of data in an industrial research and development company might cost $100 per user per hour, while at a university the cost per user might be one-tenth as high. Unauthorized access to data in a hospital could result in personal-privacy litigation, while loss of hospital data or a network connection could mean the difference between life and death. Data loss at a financial trading institution could cost millions of dollars per hour, and unauthorized access by a competitor could lead to bankruptcy.

A risk analysis should address all the major systems, as well as organizational procedures, and quantify the cost of potential threats. The analysis should evaluate the entire spectrum of alternatives, beginning with the cost of doing nothing to alleviate the threat and highlighting those risks whose costs are too great for the business to bear. A number of risk analysis tools are commercially available to aid in assessing network risk. These tools identify the potential for losses and provide mechanisms for measuring the effects of loss. Also, security consultants perform risk analysis on a fee basis.

Once you’ve identified the scope of the problem, you can devise a security plan to minimize your network security threats. A good security strategy cost-effectively reduces risk to acceptable levels and balances ease of use with effectiveness. It also includes provisions for data backup, link redundancy, and network resiliency. To be effective, the security plan must be documented, agreed to across the organization, and implemented fully. It must also be updated regularly to account for the changing nature of the enterprise landscape.

Network Security Secrets recommends that an enterprise network security plan include the following features:[1]

• Single login capability for ease of use, but with fully protected login names and passwords to prevent a single point of failure

• User authentication and identification

• Access control at both the user login device and at the information storage device

• Real-time alarm system, audit trails, and analysis

• Accountability

• File maintenance and backup

• Single point of hardware/software registration

• Communications hardware/software security

• Electronic privacy

• Secure dial-up remote access

Epilogue

The evolution of the enterprise presents new challenges to network security. Enterprise expansion and increased user sophistication will only make these challenges more complex. There is no better time than the present for network and security managers to assess their potential threats, quantify the associated risks, and develop a strategy for reducing those risks cost effectively.

The average networked business can minimize the risks to critical network data by interweaving security options across functional areas of the enterprise to create a layered web of security. Not only does such a strategy create a barrier to external threats, but it also protects the enterprise against more prevalent and unobtrusive inside security breaches, without burdening the user with unnecessary security overhead.

References

1. D. J. Stang and S. Moon, Network Security Secrets, IDG Books, San Mateo, CA, 1993.

2. G. H. Anthes, Internet hackers hit GE, others, Computerworld, 5 December 1994.


CCC 1055-7148/95/040198-09$05.00 © 1995 by John Wiley & Sons, Ltd
