This Report has been submitted for assessment towards a Bachelor of Engineering degree in the School of Electrical, Electronic and Information Engineering, South Bank University. This report is written in the author's own words and all sources have been properly cited. Author's signature:
Name: Christine Reckziegel Course: BEng (Hons) Telecommunication and Computer Network Engineering Submission Date: 31/05/1999
Diploma Thesis
Analysis and Assessment of Secure Mechanisms for the Building of a Secure Server Network
- Cryptographic Systems and Applications, in particular Virtual Private Networks -
Name: Christine Reckziegel Course: European Electrotechnical Studies Semester: I8ESx Supervisor: Prof. Dr. J. Lubcke Submission Date: 31.05.1999
Declaration
I hereby declare that I have written this diploma thesis in my own words and using only the sources and aids specified.
Christine Reckziegel
Acknowledgements
I would like to thank Kai-Oliver Detken who initiated this final project and supervised us. I learned a lot from him during the project. His enthusiasm was always an incentive to equal him. In the same way, I would like to acknowledge Professor Lubcke at the Hochschule Bremen for the comments on our work and the time he spent to discuss and clarify important points. Special thanks to Dr Pervez at South Bank University who was always in contact with us via e-mail. He cared for us fantastically, especially during our year in London, and I am very happy that I have met him. Thanks as well to Dr Peng for his untiring efforts to explain Internetworking. It has been very helpful for this project. I gratefully acknowledge the help of Ariane Steglich who reviewed this report. Her grammar, spelling, and style are much better than mine. Many thanks to Thomas Krebs who always had a solution for my problems with TeX and put my pictures in their true light. I would like to thank the team at OptiNet for offering me the opportunity to realise this final project. Many people from OptiNet GmbH helped to produce this final report. Martin Reincke and Jorn Seemann helped us with the right questions. Thomas Renken had a lot of good hints and sources about Internet security. Many thanks to Christa for the tea and everything else. We are still a good team! Last, but not least, I would like to thank my whole family who gave me the chance to do my studies and especially my parents who always encouraged me.
Abstract
Today's information is digitally stored, electronically processed and transferred through private and public networks, such as the Internet. This means universal electronic connectivity, but also hackers, viruses and electronic eavesdropping. It is therefore time that security matters: time for security concepts, for firewalls and Virtual Private Networks, to build a Secure Server Network that protects the Intranet against the threats from the Internet and secures the communication via the Internet. Encryption systems are necessary for virtually private connections. These have been evaluated with regard to security, performance and their applications, so that the reader is able to decide which encryption systems should be used and which aspects are important to look at. In particular, criteria for the selection of VPN solutions are given. But the security concept contains more than these technical aspects: organisational and structural measures are included, and recommendations related to security awareness, such as the training of employees, are also mentioned. An overall security concept has been developed in co-operation with the client who ordered it. Recommendations for security measures have been evaluated in relation to the particular situation of the client.
Contents

1 Introduction ... 1
2 Aims and Objectives ... 3
3 Deliverables ... 5
4 Technical Background and Context ... 7
4.1 Safety and Security ... 7
4.2 Security Concept ... 9
4.3 Evaluation of a Security Concept ... 11
4.4 Cryptography ... 13
4.4.1 Basics ... 14
4.4.2 The most important methods for secret key systems ... 21
4.4.3 The most important methods for public key systems ... 25
4.5 Encryption in different Layers ... 28
4.5.1 Encryption in Layer 7 (Application Layer) ... 28
4.5.2 Encryption in Layer 4 (Transport Layer) ... 29
4.5.3 Encryption in Layer 3 (Network Layer) ... 29
4.5.4 Encryption in Layer 2 (Link Layer) ... 30
4.5.5 Encryption in Layer 1 (Physical Layer) ... 30
4.6 E-Mail Security ... 31
4.6.1 Security Problems in connection with e-mail ... 31
4.6.2 Privacy Enhanced Mail ... 32
4.6.3 Pretty Good Privacy ... 32
4.6.4 S/MIME ... 33
4.6.5 Mailtrust ... 34
4.7 Authentication ... 34
4.7.1 Digital Signature ... 35
4.8 Key Management ... 35
4.8.1 Web of Trust ... 36
4.8.2 Trust Centre or Certification Authority ... 36
4.9 Virtual Private Networks ... 37
4.9.1 Why do organisations need VPNs? ... 38
4.9.2 Advantages of VPNs ... 38
4.9.3 Typical VPN Implementations ... 39
4.9.4 Tunneling ... 42
4.9.5 IPSec ... 47
5 Technical Approach ... 53
5.1 Security Concept ... 53
5.1.1 Risk Analysis ... 53
5.1.2 Security Plan ... 54
5.1.3 Disaster Plan ... 54
5.2 Introduction of a Security Concept ... 55
5.3 Criteria for VPN solutions ... 56
5.4 VPN Products ... 58
5.4.1 NCP ... 58
5.4.2 3Com ... 59
5.4.3 CheckPoint ... 60
5.5 Evaluation of a VPN solution ... 61
6 Results ... 63
6.1 Risk Analysis ... 63
6.1.1 Identifying Assets ... 64
6.1.2 Identifying Threats ... 64
6.2 Security Plan ... 65
6.2.1 Technical Measures ... 65
6.2.2 Organisational Measures ... 70
6.2.3 Structural Measures ... 82
7 Discussion ... 83
8 Conclusion and Recommendations for Further Work ... 85
A Secure Remote Access ... 91
A.1 RADIUS ... 92
A.2 TACACS+ ... 92
B Internet Threats ... 93
B.1 Protocol depending Security Risks ... 93
B.1.1 Password sniffing ... 93
B.1.2 Packet manipulation ... 93
B.1.3 Re-routing ... 93
B.1.4 Replay-Attack ... 94
B.1.5 IP-Spoofing ... 94
B.1.6 ARP and ICMP Attacks ... 94
B.2 Service specific Security Risks ... 94
B.2.1 E-mail and Usenet-News ... 94
B.2.2 Telnet ... 95
B.2.3 FTP ... 95
B.2.4 WWW ... 95
B.2.5 DNS ... 96
B.2.6 Finger ... 96
B.2.7 SNMP ... 96
B.3 Security Risks from Active Elements ... 96
B.3.1 ActiveX ... 96
B.3.2 Java ... 97
B.3.3 Plug Ins ... 97
B.3.4 Cookies ... 97
Appendices C, D, E, F, G

List of Figures

4.1 Security Concept ... 10
4.2 Vernam cipher or one-time-pad ... 16
4.3 Transposition cipher ... 17
4.4 Diffie-Hellman key exchange ... 26
4.5 Intranet VPN ... 40
4.6 Remote Access VPN ... 41
4.7 Extranet VPN ... 41
4.8 Tunneling of ISPs ... 43
4.9 Tunneling over several ISPs ... 44
4.10 End-to-End Tunnel ... 45
4.11 Router-to-Router Tunnel ... 46
4.12 Tunnel to remote VPN LAN clients ... 47
4.13 IPSec Packet Structure ... 48
4.14 Encryption Transmission Modes ... 49
6.1 Firewall Concept ... 66
6.2 IT Security Management ... 71
D.1 Initial Plan ... 103
D.2 Modified Plan ... 104
Chapter 1 Introduction

The modern world of information and communication needs more and more the help of information technology (IT) to manage the growing amount of electronic data. Numerous work processes, both in the public sector and in industry, are electronically controlled. As a result, many organisations depend on perfectly operating IT and communication systems. Information is digitally stored, electronically processed and transferred through private and public networks, such as the Internet. The Internet is a low-price possibility to connect mobile workers, business partners, suppliers and customers worldwide. However, the opportunity for this sector of communication to develop further is closely tied to its security. Availability is not enough; the user needs the certainty that his data transmission is secure. Especially for pecuniary transactions, which will take place more and more often via the Internet, IT security must become an integral part and develop from security systems to secure systems. Therefore the awareness for security must grow. (Bundesministerium fur Sicherheit in der Informationstechnik, 1998)

IT systems have changed since the time when they were mainframes in security rooms with access control, strict rules, and a regulated course of events. Modern IT systems realise new concepts such as client-server architecture, decentralisation etc., whereas security often only gets low priority. A new security policy is necessary: data has to be considered an economic good. (Pohlmann, 1998)

The Internet has reached a high complexity, but in its development security has been neglected. As a result of globalisation and teleworking, organisations actually need the Internet, but they also need to protect their communication via the Internet and, most of all, they have to protect their Intranet. The former can be realised with cryptographic methods, the latter with firewalls.

Cryptographic methods are mathematical transformations which make it impossible to reconstruct the original plaintext from the ciphertext without knowing the key. Virtual Private Networks (VPNs) are one of the possible applications which use cryptographic methods. Another example is the digital signature, which is a method for authentication. (Schmidt, 1998)

A lot of companies are connected to the Internet without the knowledge of how to secure their local network and how to use the Internet as a cost-effective transmission medium with the required security level. Therefore a security concept should be developed for a company which plans to use the Internet. This company will appear as "the organisation" in the text because of the confidential data which this report may contain.

The security concept is written as a group work with Christa Eekhoff. The following sections were done in co-operation with her:

4.1 Safety and Security
4.2 Security Concept
4.3 Evaluation of a Security Concept
5.1 Security Concept
6 Results
7 Discussion
8 Conclusion and Recommendations for further work (partly together)
Chapter 3 Deliverables

The deliverables for this final year project will be the final report, a questionnaire and the security concept for the German customer. The latter will only be handed in for examination and discussion but will not be published because of the confidential information that it contains. The most important aspects will appear in the results. The facts will be slightly distorted for security reasons but are comparable to the original data. The questionnaire is given in Appendix E.

Deliverables:
Final Report
Questionnaire
Security Concept
Availability
Protecting services so they are not degraded or made unavailable (crashed) without authorisation. If the system is unavailable when an authorised user needs it, the result can be as bad as having the information that resides on the system deleted.

Authentication
Authentication is a very important point for realising authorisation. Authentication is the process of proving that a subject (e.g. a user or a system) is what the subject claims to be.

Access Control
Restrictions on the ability of a user to use a system or an object (e.g. a file) in that system. Such control limits access to authorised users only.

Non-Repudiation
Non-repudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. Similarly, when a message is received, the sender can prove that the message was in fact received by the alleged receiver.

Auditing
Auditing is used to monitor the actions of unauthorised users and of authorised users who sometimes make mistakes or even commit malicious acts. In such cases, you need to know what was done, by whom, and what was affected.

Consistency
Making sure that the system behaves as expected by the authorised users. If software or hardware suddenly starts behaving radically differently from the way it used to behave, especially after an upgrade or a bug fix, a disaster could occur.
Figure 4.1: Security Concept (the figure shows the total risk being reduced by Risk Avoidance, Security Measures and Limiting of Damage, leaving the Remaining Risk)

Risk avoidance
With risk avoidance a lot of damage can be prevented. For example, all services (especially Internet services) that are not needed should not be offered. Which risks can be avoided is written down in the security plan.

Security measures
If dangerous things or services are needed, they can be made more secure with security measures. Which security measures have to be implemented is written down in the security plan.

Limiting of damage
Damage can often be limited if everybody knows what to do and which steps to take if an incident occurs. This is written down in disaster plans.

Remaining risk
The remaining risk is the risk the company has to face after reducing the total risk with risk avoidance, security measures and limiting of damage. Sometimes the risk which remains after taking the above steps can be further reduced with insurance.

The security concept contains the risk analysis and all measures to minimise the risk. Sometimes it can even be necessary to develop a more general security policy which can then be distributed to co-operating companies. The detailed security concept contains two parts: the risk analysis and the security policy. The security policy document contains the security plan and the disaster plan. In the security plan it is written down which measures should be taken to avoid and to minimise the risk. The disaster plan contains the backup plan, the recovery concept and the restart plan, so it contains everything that is needed to recover from an incident with as little damage as possible.

While writing the security concept one has to be aware of certain things. There are certain parts of the security concept which will be a guideline for the employees, so they should be written in a positive way and not treat the employees as criminals. If the company could trust its employees before it got connected to the Internet, there is no reason to change this trust in the employees when connected to the Internet. The employees should be involved in the security concept as much as possible. They have to understand that security is everybody's matter. If the employees do not understand the necessity of the security measures, they will boycott them consciously or unconsciously. It is best to inform the employees instead of keeping everything a secret. Security through obscurity is normally not a good idea: someone will find out sooner or later.

While developing the security concept, common sense has to be used. Not everything can be made secure. The task is to minimise the risk, not to make it vanish, which is not possible. There is no such thing as 100% security. There are risks one has to live with, so the effort to develop the security concept and to realise it should be reasonable.
4.4. CRYPTOGRAPHY
But these last three aspects are not enough to meet the whole spectrum of security demands which are necessary for modern information and communication systems. In 1990 the ITSEC published the Information Security Evaluation Criteria, which is based on works from France, Germany, the Netherlands, and Great Britain. ITSEC is influenced by the Green Book but emphasises the questions of quality. It distinguishes between IT products and IT systems, but some points are still missing:

- aspects of data protection like unobservability and pseudonymity
- anonymity and originality
- concepts for the combination and integration of certificated systems
- concepts for the accreditation of certificated systems in a concrete environment and for repeated controlling of the orderly system employment
- criteria for the evaluation of hardware

The trend of security systems goes towards reliable information systems. This means that the development is moving away from security systems towards secure systems, which will be realised by the integration of security functions into hardware, operating systems, and applications. The most important effect of these criteria is that standardised guidelines for the building of secure systems are valid all over Europe. Manufacturers will offer products with security functions which are based on standards certificated by a neutral authority. Standards are a basis on which user and manufacturer can rely, but they are no universal remedy for all open questions. There is still the problem of the accreditation of certificated systems in a concrete environment and the evaluation of combinations of different certificated systems. In future, as well, users will need systems which are specially tailored to their security requirements and offer individual solutions.
4.4 Cryptography
When talking about cryptography it turns out that it has a lot of different meanings for people. Children, for example, play with toy ciphers and secret languages. However, these have nothing to do with real security and strong encryption. Strong encryption is the kind of encryption that can be used to protect information of real value against criminals, multinational corporations, and major governments. Strong encryption used to be only military business; however, in the information society of today it has become one of the central tools for maintaining privacy, trust, access control, electronic payments, corporate security, and countless other fields. Cryptography is no longer a military concern that can be
4.4.1 Basics
Cryptography[1] is the art or science of encryption and decryption. Encryption transforms original information, called plaintext, into unintelligible information, called cipher or ciphertext. Decryption is the reverse process, which transforms the ciphertext back into the original plaintext. Encryption and decryption methods are mathematical transformations which are called cryptographic or encryption algorithms. Sometimes cipher is also used as a name for encryption algorithms. (Russell and Gangemi Sr., 1991, p.169)

Cryptography is also the art or science of designing encryption algorithms, whereas cryptanalysis is the art of reading the ciphertext without knowing the encryption key. This process is known as codebreaking or compromising. The aim of every cryptographer is to develop an algorithm for which cryptanalysis gives an outcome of no practical use. This doesn't mean that cryptanalysis is impossible, but that it would take too long (in the meantime the information would have become worthless) or that it would be much more expensive than the original value of the information. Each new algorithm must be tested against all known methods of cryptanalysis. A special emphasis is always given to the security of an algorithm. Only then are other criteria, such as speed of encryption and decryption and ease of implementation in hardware, considered. The aim is to make the algorithm so secure that only a brute-force attack (see Section 4.4.1.1) is possible. Therefore it is important to know something about cryptanalysis and possible attacks. (Wobst, 1997, p.52)

"Before computers, cryptography consisted of character-based algorithms. The primary change is that algorithms work on bits instead of characters. Things are more complex these days, but the philosophy remains the same" (Schneier, 1996). Different algorithms still substitute bits with other ones or transpose them. Most successful algorithms combine elements of substitution and transposition. These basic principles will be explained in Section 4.4.1.2.

[1] from the Greek kryptos, meaning "hidden", and graphia, meaning "writing"
Ciphertext-only attack: This is the situation when the attacker does not know

Known-plaintext attack: The attacker knows or can guess some parts of the plaintext from the ciphertext. The task is to decrypt the rest of the ciphertext blocks using this information. This may be done by determining the key used to encrypt the data, or via some shortcut.

Chosen-plaintext attack: The attacker is able to have any text he likes encrypted with the unknown key. The task is to determine the key used for encryption. Some encryption methods are extremely vulnerable to chosen-plaintext attacks. When such algorithms are used, extreme care has to be taken to design the entire system so that an attacker can never have chosen plaintext encrypted.

Man-in-the-middle attack: This attack often occurs when using key exchange protocols (see Section 4.4.1.4). The idea is that when two parties are exchanging keys for secure communications, an adversary puts himself between the parties on the communication line. The adversary then performs a separate key exchange with each party. The parties will end up using a different key, each of which is known to the adversary. The adversary will then decrypt any communication with the proper key and encrypt it with the other key for sending to the other party. The parties will think that they are communicating securely, but in fact the adversary eavesdrops on everything.

Timing Attack: This very recently developed attack is based on repeated measurement of the exact execution times of modular exponentiation operations. It is relevant to at least some cryptographic algorithms, for example RSA (see Section 4.4.3.2), Diffie-Hellman (see Section 4.4.3.1), and Elliptic Curve methods. More information is available in (Schmeh, 1998, p.95).

There are many other cryptographic attacks and cryptanalysis techniques. However, these are probably the most important ones.
Figure 4.2: Vernam cipher or one-time pad. The characters of the key and the plaintext are added: A+S=S, 0+19=19

It can be proved that a truly random key provides an absolutely secure method. As this is an easy and secure system, why should we look for other ones? Because there are also some disadvantages:

- The key is as long as the message; this doubles the amount of data.
- The key must be known by sender and receiver; the key must be transmitted somehow to the receiver, and then we have the same problem, because it makes no difference whether the message or the key is sent. (More about exchanging keys in Section 4.4.1.4.)
- It is very difficult to produce big amounts of truly random keys. (A section about the problems of random number generators can be found in (Schmeh, 1998).)

Because of these disadvantages one-time pads have no practical use for transferring messages.
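The letter arithmetic of Figure 4.2 (A=0 ... Z=25, key added mod 26, the same key subtracted to decrypt), written out as an added example that is not part of the thesis. It also checks the two requirements the text states, a key at least as long as the message and a key used only once: `ciphertext_difference` shows that with a reused pad the key cancels out of the difference of two ciphertexts, which is why the pad must never be reused. All names are this example's own.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text: str) -> str:
    """Keep only the letters A-Z (upper-cased); the figure works on a 26-letter alphabet."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def generate_key(length: int) -> str:
    """A truly random key, one letter per plaintext letter, from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _shift(text: str, key: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) the key letters position by position, mod 26."""
    if len(key) < len(text):
        raise ValueError("a one-time pad needs a key at least as long as the message")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, key)
    )


def otp_encrypt(plaintext: str, key: str) -> str:
    """Ciphertext letter = plaintext letter + key letter (mod 26), e.g. A + S = S."""
    return _shift(_letters(plaintext), _letters(key), +1)


def otp_decrypt(ciphertext: str, key: str) -> str:
    """Decryption subtracts the same key letters again."""
    return _shift(_letters(ciphertext), _letters(key), -1)


def letter_difference(a: str, b: str) -> str:
    """Position-wise (a - b) mod 26 of two equally long texts."""
    return _shift(_letters(a), _letters(b), -1)


def ciphertext_difference(plaintext1: str, plaintext2: str, key: str) -> str:
    """Encrypt two messages under the SAME pad and return c1 - c2, computed from the
    ciphertexts alone. Because (p1 + k) - (p2 + k) = p1 - p2, the result equals
    letter_difference(plaintext1, plaintext2): a reused pad leaks the relation
    between the messages, and knowing one of them reveals the other without the key."""
    c1 = otp_encrypt(plaintext1, key)
    c2 = otp_encrypt(plaintext2, key)
    return letter_difference(c1, c2)


if __name__ == "__main__":
    msg = "YOU CAN FIND THE GOLD IN THE HOLE"  # constructed sample message
    key = generate_key(len(_letters(msg)))
    ct = otp_encrypt(msg, key)
    assert otp_decrypt(ct, key) == _letters(msg)
    print(key, ct)
```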
Transposition is another type of cipher where the order of the characters is rearranged but the actual characters are not changed. An example is the simple columnar transposition cipher, where the plaintext is written horizontally with a certain width. The ciphertext can be read vertically, as shown in Figure 4.3 on page 17.

Plaintext: YOU CAN FIND THE GOLD IN THE HOLE

YOUCANFI
NDTHEGOL
DINTHEHO
LE

Ciphertext: YNDLODIEUTNCHTAEHANGEFOHILO

Figure 4.3: The plaintext is written horizontally and the ciphertext can be read vertically

Transposition can be broken by statistical methods, because pairs of successive characters in a natural language have a typical likelihood; other pairs occur much less often. If the message is short, some characters may not appear, so it is possible to say which words do not exist in the text. An improvement on this cryptographic method is to put the ciphertext through a second transposition cipher. There are a lot of even more complicated transposition ciphers, but computers can break almost all of them. A disadvantage of transposition is the high demand for memory; therefore substitution is far more common.
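The columnar transposition of Figure 4.3 as an added example (not code from the thesis): encryption writes the letters in rows of the given width and reads the columns; decryption has to recompute the ragged column lengths from the width alone, which is the part usually got wrong. `same_letter_histogram` illustrates the weakness the text names: a transposition leaves single-letter frequencies untouched. Function names are this example's own.

```python
from collections import Counter


def _letters(text: str) -> str:
    """Strip spaces and punctuation; the figure's grid holds only the letters."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def columnar_encrypt(plaintext: str, width: int) -> str:
    """Write the letters row by row with the given width, then read column by column.
    With width 8 this reproduces the grid of Figure 4.3."""
    p = _letters(plaintext)
    rows = [p[i:i + width] for i in range(0, len(p), width)]
    # a short last row simply contributes nothing to the columns it does not reach
    return "".join(row[col] for col in range(width) for row in rows if col < len(row))


def columnar_decrypt(ciphertext: str, width: int) -> str:
    """Reverse the read-out. The receiver knows only the width, so the column
    lengths are recomputed: the first (len mod width) columns are one letter longer."""
    c = _letters(ciphertext)
    full_rows, extra = divmod(len(c), width)
    columns, pos = [], 0
    for col in range(width):
        length = full_rows + (1 if col < extra else 0)
        columns.append(c[pos:pos + length])
        pos += length
    # read the reconstructed grid row by row again
    return "".join(
        columns[col][row]
        for row in range(full_rows + 1)
        for col in range(width)
        if row < len(columns[col])
    )


def same_letter_histogram(plaintext: str, ciphertext: str) -> bool:
    """A transposition only reorders letters, so the letter frequencies of plaintext
    and ciphertext are identical; this is what the statistical attacks mentioned
    in the text start from, and it is a quick way to recognise a pure transposition."""
    return Counter(_letters(plaintext)) == Counter(_letters(ciphertext))


if __name__ == "__main__":
    sample = "YOU CAN FIND THE GOLD IN THE HOLE"  # the figure's plaintext
    ct = columnar_encrypt(sample, 8)
    print(ct, columnar_decrypt(ct, 8), same_letter_histogram(sample, ct))
```

Reading the grid column by column yields exactly one ciphertext letter per plaintext letter (26 for the figure's sentence).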
few principles known that offer secure and practical algorithms. The algorithm has to show some characteristics: it needs an easy function for encryption with a very complex reverse function for decryption. Furthermore, this complex reverse function must have a "hidden short cut" which can be used as a key. Another demand is that the private key cannot be calculated from the public key. Functions which are relatively easy to compute but which have a complex reverse function are called one-way functions, and if there is a hidden short cut they are called trapdoor one-way functions.

The following differences between public key and private key systems and some more points can be found in (Schmeh, 1998, p.99):

- All known secret key algorithms use simple mathematical functions. However, public key algorithms can only be realised with complex mathematical functions.
- It is hard to find new public key algorithms, whereas secret key algorithms can be developed in any number.
- In practical use the most important fact depends on the first point: public key algorithms require more computer performance than secret key algorithms. This can be seen by comparing RSA (see Section 4.4.3.2) and DES (see Section 4.4.2.1): RSA is 1000 times slower than DES.
- Public key algorithms are more susceptible to faulty implementation than secret key algorithms because of their complexity.
- In secret key algorithms the key can be represented as a sequence of bits. In public key algorithms the key can be represented as a big number. This leads to fixed key lengths in most of the secret key algorithms (e.g. 64 bit with DES, 128 with IDEA) and variable key lengths in public key algorithms (this means that the number used has no fixed size).

Modern cryptographic algorithms cannot be executed by humans. Strong cryptographic algorithms are designed to be executed by computers or hardware devices. In most applications, cryptography is done by computer software. Generally, symmetric algorithms are much faster in operation on a computer than asymmetric ones. In practice both are often used together, so that a public-key algorithm is used to encrypt a randomly generated encryption key, and the random key is used to encrypt the actual message using a symmetric algorithm. This method is called hybrid encryption.
people. 384-bit keys can be broken by university research groups or companies. 512 bits is within reach of major governments. Keys with 768 bits are probably not secure in the long term. Keys with 1024 bits and more should be safe for now, unless major algorithmic advances are made in factoring. Keys of 2048 bits are considered by many to be secure for the next decades. It should be emphasised that the strength of a cryptographic system is usually equal to its weakest point. No aspect of the system design should be overlooked, from the algorithm choice to the key distribution and usage policies. The next two sections list commonly used cryptographic algorithms and methods, and give references to implementations and textbooks.
modern computers or special-purpose hardware. DES is still strong enough to keep most random hackers and individuals out, but it is easily breakable with special hardware (DES-Crack-Machines) by governments, criminal organisations, or major corporations. DES as it is now is getting too weak. If it had a 64-bit key there would be no chance to break it at the moment.

A variant of DES, Triple-DES or 3DES, is based on using DES three times. Usually, there will be an encrypt-decrypt-encrypt sequence with three different, unrelated keys. The reason for the decryption in the middle is that only two keys are necessary, one for the two encryptions and another for the decryption. The algorithm can be reduced to simple DES by using the same key for all steps, so that the first two steps, encryption-decryption, produce the original plaintext. Many people consider Triple-DES to be much safer than plain DES.

An improvement is the use of DES with key-dependent S-boxes, because linear and differential cryptanalysis are only possible if the composition of the S-boxes is known. The only condition for the realisation of this algorithm is hardware which is designed with loadable S-boxes. In this case there are no speed penalties.

4.4.2.2 Blowfish

Blowfish is an algorithm developed by Bruce Schneier and published in 1994 (Schneier, 1996, p.336). It is a block cipher with 64-bit block size and variable length keys (up to 448 bits). There are some similarities to DES in the design: Blowfish uses S-boxes, which are already key dependent, and also P-boxes. The number of rounds is the same, which is very important because this is relevant for the security of the system. The function of each round is much more complex than in DES and therefore Blowfish is more non-linear. It is very compact and can run in less than 5 kbyte of memory. It uses simple operations and it is easy to implement (source code is free and given in (Schneier, 1996)). It has gained a fair amount of acceptance in a number of applications. No attacks are known against it. Blowfish is used in a number of popular software packages, including Nautilus, PGPfone and FolderBolt for MS Windows and Macintosh.

4.4.2.3 IDEA
IDEA (International Data Encryption Algorithm) is an algorithm developed at ETH Zürich in Switzerland. It is the successor of the Proposed Encryption Standard (PES), which was developed in 1990. After strengthening the algorithm against differential analysis, ETH changed its name to IDEA in 1992. It is a block cipher operating on 64-bit plaintext blocks and using a 128-bit key. IDEA is based on a mixture of operations belonging to three different algebraic groups, which can all be easily implemented in both hardware and software. Each of the eight rounds of IDEA is a very complex sequence of these operations. The small
4.4.2.5 RC4
Rivest Code 4 (RC4) is a stream cipher designed in 1987 by Ron Rivest for RSA Data Security, Inc. It used to be a trade secret until someone posted source code for an algorithm in Usenet News, claiming it to be equivalent to RC4. There is very strong evidence that the posted algorithm is indeed equivalent to RC4. The algorithm is very fast. Its security is unknown, but breaking it does not seem trivial either. Because of its speed (about 10 times faster than DES) it may find usage in certain applications, including Lotus Notes. It can also accept keys of arbitrary length, but in most cases a 128-bit key is used. RC4 is essentially a pseudo-random number generator, and the output of the generator is XORed with the data stream. For this reason it is very important that the same RC4 key is never used to encrypt two different data streams. The United States government routinely approves RC4 with 40-bit keys for export. Keys that are this small can be easily broken by governments, criminals and amateurs. More stream ciphers, such as SEAL or WAKE, are described in (Schneier, 1996).
Public key algorithms use two different keys: one public key for encryption and one private key for decryption. They can only be realised with complex mathematical functions. The mathematical description of all algorithms mentioned in the following section, and of many more, can be found in (Schneier, 1996).
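RC4 as described in the paragraph on stream ciphers above (a keystream XORed with the data) and the key-reuse failure it warns about, as an added example that is not part of the thesis; the key, nonce and messages are constructed test values, and the per-stream key derivation is an assumed mitigation.

```python
"""RC4 keystream generation and the key-reuse failure the text warns about.
Added example, not code from the thesis; the key, nonce and messages are
constructed test values."""
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` keystream bytes for `key` (key scheduling + generation)."""
    # Key-scheduling algorithm: permute the 256-entry state table under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: one output byte per step.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): data XOR keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def keystream_cancels(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Encrypt two different messages under one key and check whether
    c1 XOR c2 equals p1 XOR p2. If it does, the keystream has cancelled out
    and the relation between the two plaintexts is exposed to an observer,
    which is why one RC4 key must never be used for two data streams."""
    c1 = rc4_crypt(key, p1)
    c2 = rc4_crypt(key, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(p1, p2)[:n]


def per_stream_key(master: bytes, nonce: bytes) -> bytes:
    """Assumed mitigation (not from the thesis): derive a distinct RC4 key
    for every stream by hashing the master key with a unique nonce."""
    return hashlib.sha256(master + nonce).digest()[:16]


if __name__ == "__main__":
    master = b"constructed master key"
    msg_a, msg_b = b"meeting at ten in room 4", b"meeting at two in room 9"
    print("one key for two streams, keystream cancels:",
          keystream_cancels(master, msg_a, msg_b))
    k0, k1 = per_stream_key(master, b"\x00"), per_stream_key(master, b"\x01")
    print("per-stream keystreams differ:",
          rc4_keystream(k0, 16) != rc4_keystream(k1, 16))
```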
4.4.3.1 Diffie-Hellman
Diffie-Hellman, published by Whitfield Diffie and Martin Hellman in 1976, was the first public-key algorithm ever invented and is now commonly used for key exchange. The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent symmetric encryption of messages. In a Diffie-Hellman cryptosystem the combination of private key A and public key B generates the same result as the combination of private key B and public key A (see Figure 4.4). Diffie-Hellman can be used for key distribution, but it cannot be used to encrypt and decrypt messages. The security of Diffie-Hellman relies on the difficulty of the discrete logarithm problem (which is believed to be computationally equivalent to factoring large integers). The security of Diffie-Hellman depends on the right choice of some numbers, especially a strong prime and a generator of a certain size, and on sufficiently long keys. A conservative advice is to make the key for Diffie-Hellman twice as long as the intended session key. The keys are much longer than for symmetric algorithms because brute force is not the most efficient attack. There are methods for calculating the discrete logarithm which require less effort than brute force but which are still quite expensive. The generator and the key length should be at least 768 bit (see (Schmeh, 1998, p.92)). Generally Diffie-Hellman is considered to be secure. Diffie-Hellman also works in communicative rings or multicast groups, which means that three or more people can generate the same session key and communicate with one another. The patent for the algorithm expired on April 29, 1997. Timing attacks can be used to break many implementations of Diffie-Hellman (see Section 4.4.1.1).
Figure 4.4: Diffie-Hellman public key distribution system
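Diffie-Hellman agreement with the parameter and public-value checks the text calls for ("the right choice of some numbers"), as an added example that is not the thesis's own code; p = 1019 and g = 4 are toy constructed values far below the 768 bit recommended above, and deriving the session key by hashing the shared secret is an assumption.

```python
"""Diffie-Hellman agreement with parameter and public-value checks.
Added example, not code from the thesis; p = 1019 and g = 4 are toy
constructed values so the arithmetic stays visible."""
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def check_group(p: int, g: int) -> bool:
    """Strong (safe) prime p = 2q + 1 with q prime, and a generator g of the
    order-q subgroup (g^q = 1 mod p, g != 1)."""
    q = (p - 1) // 2
    if not (is_prime(p) and is_prime(q)):
        return False
    if not 1 < g < p - 1:
        return False
    return pow(g, q, p) == 1


def valid_public_value(p: int, y: int) -> bool:
    """Reject a received public value that is trivial (1 or p-1) or lies
    outside the order-q subgroup; such values force a predictable secret."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def generate_private(p: int) -> int:
    """Random private exponent in [2, q-1]."""
    q = (p - 1) // 2
    return 2 + secrets.randbelow(q - 2)


def public_value(p: int, g: int, priv: int) -> int:
    return pow(g, priv, p)


def shared_secret(p: int, own_priv: int, peer_pub: int) -> int:
    """Combine own private key with the peer's public key after checking it."""
    if not valid_public_value(p, peer_pub):
        raise ValueError("peer public value rejected")
    return pow(peer_pub, own_priv, p)


def session_key(secret: int, p: int) -> bytes:
    """Derive a 128-bit symmetric session key from the shared secret
    (hashing the raw secret is an assumed choice, not from the thesis)."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()[:16]


def agree(p: int, g: int, priv_a: int, priv_b: int) -> tuple:
    """Run both sides: A combines its private key with B's public value and
    vice versa; both must obtain the same session key."""
    if not check_group(p, g):
        raise ValueError("unsuitable prime or generator")
    pub_a, pub_b = public_value(p, g, priv_a), public_value(p, g, priv_b)
    key_a = session_key(shared_secret(p, priv_a, pub_b), p)
    key_b = session_key(shared_secret(p, priv_b, pub_a), p)
    return key_a, key_b


if __name__ == "__main__":
    P, G = 1019, 4            # toy safe prime 2*509+1 and a generator of order 509
    a, b = generate_private(P), generate_private(P)
    ka, kb = agree(P, G, a, b)
    print("both sides derived the same key:", ka == kb, ka.hex())
```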
4.4.3.2 RSA
Diffie and Hellman introduced a new approach to cryptography. One of the first responses to them was developed by Ron Rivest, Adi Shamir, and Len Adleman in 1977 and published in 1978. The Rivest-Shamir-Adleman (RSA) algorithm is the most commonly used public key algorithm; it can be used not only for key exchange but also for encryption and decryption of messages as well as for signing (see Section 4.7.1). RSA is a block cipher in which the plaintext and ciphertext are integers, and its function is a trapdoor one-way function (see Section 4.4.1.4). The security of RSA relies on the difficulty of factoring large integers. For encryption, the characters of a message are represented by numbers, e.g. A=00, B=01, C=02 etc. All these numbers are put together and taken as one integer. This turns out to be a very large integer, which is very advantageous because it is really difficult to calculate the reverse function of the exponentiation. Recovering the plaintext from the public key and the ciphertext is equivalent to factorising the product of two primes. In general, this kind of algorithm is considered to be secure when sufficiently long keys are used (512 bit is insecure, 768 bit is moderately secure, and 1024 bit is good). Dramatic advances in factoring large integers would make RSA vulnerable. RSA is currently the most important public key algorithm. It is patented in the United States (the patent expires in the year 2000) and available for free outside the USA. One should know that RSA is very vulnerable to chosen plaintext attacks. Timing attacks can be used to break many implementations of RSA (see Section 4.4.1.1). There is also a low-exponent attack: the exponent is one part of the public key and is normally 3, 17, or 65537. These are primes with few 1's when they are written as binary numbers, which allows a fast calculation of the exponential function. Newer implementations use larger numbers than 65537, but they are still fixed. The RSA algorithm is believed to be safe when used properly, but one must be very careful when using it to avoid these kinds of attacks.
This means that the application itself, such as an e-mail program or a web browser, is responsible for encrypting, decrypting, and signing the message as well as for authentication.
Advantages:
- Encryption from the application of the sender to the application of the receiver.
- Every message can be individually encrypted.
- Received messages can be decrypted directly or stored first.
- Non-repudiation can be proved.
- Authentication fits best into this layer, because lower layers cannot ask for a password or a chip card without the help of the application layer. This would violate the interface paradigm.
Disadvantages:
- The program must support encryption or the use of plug-ins, i.e. all applications have to be changed.
- Sender address and receiver address cannot be encrypted; the flow of traffic can be analysed and used for attacks.
The transport layer in the Internet includes TCP and UDP. Each application uses a port number; thus encryption on the transport layer means establishing a secure tunnel between two applications.
Advantages:
- Instead of changing all applications, only the protocol must be changed.
- Using the port number, the choice of the messages to be encrypted can be made dependent on the application.
- The port number can be encrypted, so an attacker does not know which one of the applications is sending the message.
Disadvantages:
- Encryption depends on the application. Messages cannot be encrypted individually.
- The message is already decrypted when it arrives at the receiver's application. A digital signature is for the same reason not possible.
- Security ends outside the application; this is a critical point, especially for e-mail. Therefore e-mail has to be encrypted on the application layer.
- Two protocols, TCP and UDP, have to be changed, but the IP address is still readable.
Encryption on layer 3 establishes a secure tunnel in the same way as on layer 4. The advantages and disadvantages are nearly the same as on layer 4.
Advantages:
- Only one protocol, IP, has to be changed.
- Authentication and integrity checks of IP packets protect the network against some attacks such as IP spoofing, denial-of-service attacks etc.
Conclusion
The advantages and disadvantages show that one optimum solution does not exist. It depends on each individual case, and often a combination will offer the optimum level of security. The principle is the same as for good firewalls having filter functions on different layers. But some points should be emphasised:
- The deeper the layer in which encryption takes place, the more will be encrypted. Addresses and routing information are always encrypted.
- The higher the layer in which encryption takes place, the more influence the user has on what will be encrypted and in which way.
With e-mail, messages can be sent over the Internet. Messages have to be protected in the same way as all other communication. Therefore confidentiality, authentication, integrity, and non-repudiation must be guaranteed. Specific aims for secure e-mail are as follows:
- Cryptography should only be used when necessary; thus the user has to be able to decide whether he wants to use encryption or not.
- Mail clients should be able to read encrypted as well as non-encrypted mail.
- Mail servers and mail clients have to be protected against attacks. Mail servers are highly endangered because they are at a fixed location in the network and they run complex software. Mail clients are more or less immune against attacks as long as only text mail is processed. Mail clients which also accept executable programs can get problems with viruses.
Some general aspects on e-mail security
As we have seen in Section 4.5, e-mail has to be encrypted in the application layer. This means that information about addresses etc. remains unprotected. Non-repudiation is, beside authenticity, an important point if e-mail is used for financial transactions. Digital signatures (see Section 4.7.1) can help in these cases. The reliable distribution of public keys is connected with digital signatures. This point will be discussed in more detail in Section 4.8. Ordinary e-mail can be easily sent to a lot of persons with the help of mailing lists. This becomes more complex for encrypted mail because each receiver has a different public key. E-mail encryption must be possible even if the receiver is offline. Attacks on e-mail are so easy because e-mail uses the Simple Mail Transfer Protocol (SMTP). Contents and author can be replaced easily, and it is also easy to fake that an e-mail comes from president@whitehouse.com or someone else. SMTP commands can be directly used over a telnet connection. As on all other means of communication via the Internet, everybody can eavesdrop on e-mail. E-mail is less secure than a postcard, because a postcard can only be read by a certain number of postmen, but e-mail can be read by many people in the Internet.
Privacy Enhanced Mail (PEM) is a US American standard which was developed in the mid 80s. It uses MD5 for digital signatures, and RSA and DES for hybrid encryption. PEM only encrypts the body of the message; the header remains unchanged, thus it can be used on different mail clients. Each message is signed but not necessarily encrypted. It uses a hierarchical structure for certificates with a trust centre (see Section 4.8). Unfortunately PEM shows some disadvantages:
- PEM is outdated. It does not support Multipurpose Internet Mail Extensions (MIME), because it was developed earlier. (MIME allows sending several parts with different formats in one e-mail.)
- It uses 7-bit characters, which is only adequate for English ASCII text.
- The supported cryptographic algorithms are too weak, like DES, and it uses keys that are too short.
Pretty Good Privacy (PGP) was developed by Phil Zimmermann. It is not an e-mail encryption program but a file encryption program which was developed for e-mail, and it is the most often used program for e-mail encryption. The key exchange is done with RSA or Diffie-Hellman and DSS respectively. For encryption, IDEA, Triple DES and another algorithm called CAST are implemented. PGP supports the hash functions MD5 and SHA. The main difference to PEM is the key management: PEM uses trust centres and PGP the web of trust (see Section 4.8), although PGP does not forbid the utilisation of trust centres.
Advantages of PGP:
- The quality is better than that of PEM, because PGP supports IDEA and Triple DES.
- All information which is not necessary for transferring the message is encrypted. PEM leaves the digital signature visible after encryption.
- No trust centres are necessary, whereas PEM needs trust centres, which were not available some years ago.
- The PGP source code is published and analysed.
- PGP is spread over the whole Internet, whereas PEM has problems with the export regulations of the USA.
Disadvantages:
- PGP is not a standard.
- It is only free for non-commercial use.
- It is not compatible with other systems.
- The web of trust does not work very well and it has no approved certificate which can be used in court (see Section 4.8.1).
- PGP does not support chip cards.
- PGP does not support MIME (but plans to do so in future).
4.6.4 S/MIME
S/MIME stands for secure MIME and was developed by RSA Data Security Inc. As the name says, it supports MIME and also all formats which are compatible with PEM. It implements the secret key algorithm RC2 with a 40-bit key. This complies with the US export regulations. DES and Triple DES are optional. Hash functions are MD5 and SHA. For key exchange, RSA with 512-bit to 1024-bit keys is used. Due to the fact that it is supported by Microsoft and Netscape, it will surely become the new standard soon.
4.6.5 Mailtrust
Mailtrust is a German standard from the Industrieverband Teletrust. It is an improvement of PEM with better algorithms. It specifies an interface to a Personal Security Environment (PSE), which is usually a chip card. Mailtrust complies with the German signature law and there are no problems with the US export regulations. S/MIME will be supported in a future version.
Conclusion
S/MIME will be the worldwide standard, because PEM is outdated, PGP will not be accepted for commercial use, and Mailtrust is only of interest for German users. Netscape and Microsoft already support S/MIME, and Mailtrust also wants to do so.
4.7 Authentication
Authentication is the process of proving that a user is who he claims to be. Authentication is usually used to control authorisations. But it is not specifically a computer or Internet problem, which is why the fundamentals of authentication will be explained in this section. Often digital signatures are used to prove authenticity; sometimes they are really necessary. Authentication systems are also very important for remote access, therefore the description of two of them can be found in Appendix A. There are three fundamental things to prove authenticity (Schmeh, 1998):
- Personal characteristics such as a fingerprint. This method is called biometric authentication and the basic principle relies on something belonging to your physical body.
- An object which is hard to forge, such as an ID card. The basic principle relies on something that you own.
- Certain information such as a password or a secret number. The basic principle relies on something that you know. It is the easiest method, but the problem is that anyone who gets to know this information can fake your identity.
Biometric methods are not so common in the Internet. The best known method is the iris scan, where a picture of the iris is taken, which is at least as unique as a fingerprint. Many products utilise tokens, which can be hardware such as an ID card or software which can be stored on a disk. The most common method is still the password check. A password in cryptology is a key. Passwords or keys can be used for symmetrical encryption. This also has the advantage of guaranteed integrity of the message. In this case two communication partners need to agree on a common key. If one of them can decrypt a message he can be sure that it comes from his communication partner. The problem of all symmetrical encryption systems lies in the secure exchange of the key. Digital signatures, which also provide non-repudiation beside authenticity and integrity, solve this problem.
The aims of digital signatures are the following:
- The authenticity must be provable.
- It must not be possible to transfer it unnoticed from one document to another.
- The accompanying document must not be altered unnoticed.
One algorithm I have already mentioned is the public key system RSA. It can be used for encryption as well as for digital signatures (see Section 4.4.3.2). The other one is DSA (see Section 4.4.3.3), which is a discrete logarithm signature system (DLSS). There are some more, but they do not play any role in the Internet. A comparison between RSA and DLSS can be found in (Schmeh, 1998, p.106). Problems occur when longer messages have to be divided into smaller blocks and each of them has to be signed. A digital signature is, like all public key algorithms, very slow. To solve this problem, not the whole message is signed. Instead there is a function compressing the message to an adequate length; the result is called the hash value or footprint, and the function is called a hash function. The hash value is then signed with the digital signature. Authentication, and in particular digital signatures, are closely connected with key management.
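RSA with the A=00, B=01 letter encoding from Section 4.4.3.2, block-wise encryption of longer messages, and the hash-then-sign procedure described above, as one added example serving both passages (not the thesis's code); p = 10007 and q = 10009 are toy constructed primes, and reducing the hash modulo n instead of padding it is an assumed simplification.

```python
"""RSA with the thesis's letter encoding, block-wise encryption and
hash-then-sign. Added example, not the thesis's code; p = 10007 and
q = 10009 are toy constructed primes so every number stays visible."""
import hashlib
import math


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)); e = 65537 is the common low exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (n, e), (n, d)


def letters_to_int(block: str) -> int:
    """A=00, B=01, ..., Z=25 written one after the other as one integer."""
    return int("".join(f"{ord(c) - ord('A'):02d}" for c in block))


def int_to_letters(m: int, length: int) -> str:
    digits = f"{m:0{2 * length}d}"
    return "".join(chr(int(digits[i:i + 2]) + ord("A"))
                   for i in range(0, 2 * length, 2))


def block_size(n: int) -> int:
    """Largest number of letters whose encoding always stays below n."""
    k = 1
    while 10 ** (2 * (k + 1)) < n:
        k += 1
    return k


def encrypt_text(pub: tuple, msg: str) -> list:
    """Split into blocks that fit under n and encrypt each: c = m^e mod n."""
    n, e = pub
    k = block_size(n)
    blocks = [msg[i:i + k] for i in range(0, len(msg), k)]
    return [(pow(letters_to_int(b), e, n), len(b)) for b in blocks]


def decrypt_text(priv: tuple, blocks: list) -> str:
    """m = c^d mod n for each block, then back to letters."""
    n, d = priv
    return "".join(int_to_letters(pow(c, d, n), length) for c, length in blocks)


def digest_mod_n(data: bytes, n: int) -> int:
    """Hash value reduced modulo n (assumed toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: tuple, data: bytes) -> int:
    """Sign the hash value, not the whole message: s = H(m)^d mod n."""
    n, d = priv
    return pow(digest_mod_n(data, n), d, n)


def verify(pub: tuple, data: bytes, sig: int) -> bool:
    """Recompute the hash and compare with s^e mod n."""
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(data, n)


def private_key_by_factoring(pub: tuple) -> tuple:
    """Why security rests on factoring: once n = p*q is found, d follows."""
    n, e = pub
    f = 2
    while n % f:
        f += 1
    return rsa_keygen(f, n // f, e)[1]


if __name__ == "__main__":
    pub, priv = rsa_keygen(10007, 10009)
    ct = encrypt_text(pub, "HELLOWORLD")
    print("ciphertext blocks:", ct)
    print("decrypted:", decrypt_text(priv, ct))
    s = sign(priv, b"constructed contract text")
    print("signature verifies:", verify(pub, b"constructed contract text", s))
    print("toy key recovered by factoring n:", private_key_by_factoring(pub) == priv)
```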
Trust centres or Certification Authorities (CA) are trusted third parties which were established to sign certificates. Each CA has its own public key which is used to sign the certificates of other people. A person who wants to use the public key of someone else has to get the public key of the CA and make sure that it is authentic. This can be realised by a phone call. The advantage is that it has to be done only once, and then all certificates from this CA can be verified with this signature. To reach the acceptance of the users, a CA has to be a trustworthy organisation such as a state department. After all, a digital signature is something like an ID card. Several CAs can be certified by a higher CA and thus build up a hierarchy of CAs. In Germany official CAs must comply with the German signature law. This means that they have to meet very high requirements and must be evaluated, e.g. by the Bundesministerium für Sicherheit in der Informationstechnik (BSI). However, enterprises might have their own trust centre to handle the keys of their employees, which does not have to be evaluated. Trust centres also play an important role in the X.509 standard from the ISO and ITU-T.
VPNs offer cost-effective solutions to some of today's most critical networking challenges. Organisations need a more affordable, scalable way to meet the demands of a growing community of remote users and to manage branch office connectivity. They need to be able to accommodate the pace and unpredictability of business by linking customers and partners into extranets on an ad-hoc basis. And they need to be able to provide access to networked resources, including existing systems and protocols, without compromising security. (3Com, 1998)
Reasons for using VPNs:
- increasing number of external and mobile users,
- increasing number of branches and cooperating partners which need access to parts of the local network.
All these points can be combined in one word: "globalisation". Business processes require flexibility. The place of work nowadays can be in the central office, at home, in a branch office, at the customer, at the airport, in the hotel room, or even in a temporary office which is set up for a special project. Enterprises cooperate with worldwide partners or they merge, and then a branch office can be at the other end of the world. (Bendl, 1998)
Before VPNs were developed, the classical ways for remote access were ISDN or modem connections via public telephone lines or leased lines. These methods are cost-intensive in terms of call charges and equipment, and it takes some time to establish the connection. Therefore the advantages of VPNs are clear:
- low-priced
- flexible and scalable
- a huge number of users can be served
- only one interface for Internet access and all remote users
- easy to supervise
- remote users can be handled in the same way as local users
The low price results from the local call charge, independent of where the user works, and from the lower costs for maintenance, because there is only one connection for remote access instead of ISDN connections and/or modem pools. The flexibility and scalability is higher, because connections can be set up and also disconnected as required. One call to the Internet Service Provider (ISP) is enough to order more bandwidth. Users can be added without informing the ISP, and the ISP can be easily changed or multiple ISPs can be used for redundancy. VPNs have another advantage: no routing is necessary, only tunneling, and therefore no official Internet address is needed and the administrator can use his own address scheme. But the most important fact is that all these advantages can be used without any compromises concerning security related to access control and confidentiality. (Bendl, 1998)
As mentioned in Section 4.9.1 there are different possible scenarios using VPNs, or in other words: "There are as many types of VPN implementations as there are companies taking advantage of the concept's benefits, each with its own specific set of technology requirements. However, VPN configurations can be grouped into three primary categories:" (Check Point a, 1998, p.4)
- Intranet VPNs between internal corporate departments and branch offices,
- Remote Access VPNs between a corporation and remote or mobile users,
- Extranet VPNs between a corporation and its strategic partners, customers, and suppliers.
Intranet VPNs connect the central office with its branches and also internal departments if encryption or authentication is necessary (see Figure 4.5 on page 40). This can be the case when exchanging sensitive data like financial or personal data. For intranet VPNs fast and strong encryption is required: the latter because it is easy for employees to eavesdrop on messages in a LAN, and the former to accommodate the high-speed links present in internal LANs.
to use data or applications from the local network (see Figure 4.6 on page 41). Mobile employees are often limited to slow modem speeds; therefore the reliability of the connection is important. In addition, strong authentication to ensure the remote and/or mobile users' identity is difficult to realise, because the working place of remote and/or mobile employees is not particularly protected and other persons may have access to the employees' computer. Remote Access VPNs also require centralised management and a high degree of scalability to be able to handle a multitude of VPN links and a great number of users.
and suppliers require an open, standards-based solution to ensure interoperability with the various solutions that can be implemented by the business partners (see Figure 4.7 on page 41). The pictures and descriptions are taken from (Check Point a, 1998). Companies usually implement more than one type of VPN, because they may have e.g. mobile users and some suppliers which are linked via a VPN to the central office. In addition, VPNs should be integrated in an overall security policy, and therefore the idea of "one size fits all just doesn't apply in the VPN market" (Check Point a, 1998, p.6).
4.9.4 Tunneling
Point to Point Tunneling Protocol (PPTP): An extension of the Point to Point Protocol (PPP) that encapsulates IP, IPX, or NetBEUI inside IP packets. This protocol is used primarily by ISP equipment providers because it accommodates end-to-end and server-to-server tunneling. It is largely a proprietary protocol developed by Microsoft, and only recently a proprietary encryption mechanism has been added, which is still considered optional.
Layer 2 Forwarding (L2F): A forwarding protocol used to tunnel higher-level protocols into a link layer protocol. This protocol was developed by Cisco and Shiva and is offered by some ISPs. Although it facilitates remote dial-in connectivity, the information in an L2F traffic stream is not encrypted.
PPTP that tunnels traffic via various networks (e.g. IP, SONET, ATM). It is used to provide multi-protocol dial-up services for ISP's Points of Presence (POP). Like L2F, L2TP does not define any kind of data privacy mechanism. Furthermore, a draft exists which proposes the use of the IPSec protocol suite to provide data privacy for L2TP traffic via IP networks.
protocol is standardised and therefore not proprietary. Because of this it is advisable to use VPN solutions based on IPSec. More details of IPSec are described in Section 4.9.5. The basic components of a tunnel are: a tunnel initiator (TI), a routed network, and a tunnel terminator (TT).
Tunnel initiator and terminator can be various network devices and software. This depends on how the VPN is implemented. However, there are two different approaches: Link and End-to-End VPNs.
4.9.4.1 Link
If the trust in the ISP and its employees is high enough, it is sufficient to use VPN gateways at the two ends of the public network (see Figure 4.8). This solution is suitable for all VPN implementations: intranet, Remote Access, and extranet.
- The tunnel is initiated and terminated at the POPs.
- The way from and to the POPs is not protected ("last mile" problem).
Figure 4.8: If the tunnel is only established between the two POPs, security is the task of the ISP
In this solution problems can occur if the tunnel is not only established over the network of one ISP but over several networks, as shown in Figure 4.9 on page 44. The routers of one ISP are compatible and adjusted to one another, but problems occur with different ISPs having different VPN implementations from different manufacturers. In this case it has to be clarified whether the tunnel can be established from the POP of one ISP to the POP of another ISP or not.
Figure 4.9: A tunnel which goes through all networks of different ISPs is often not possible because of incompatibilities between the VPN implementations of different manufacturers
This means that the tunneling methods have to be compatible for all applications, regardless of whether ISDN, X.31, modem, or GSM is used. Problems with the packet length can occur, and fragmentation can become necessary because of the overhead of the tunneling protocol. There is also the question of whether other protocols such as IPX, SNA, or NetBIOS can be used or not. The solution for these problems is end-to-end tunnels, which will be described in the next section.
4.9.4.2 End-to-End
In case of requiring high protection, only end-to-end tunneling can be taken into account. The expenditure for this is considerable, because each client has to be specially equipped and a VPN gateway is necessary. This is shown in Figure 4.10 on page 45. With this solution remote access VPNs can be realised. For this approach the router at the end becomes superfluous. The end points of the tunnel are the VPN gateway and the VPN client software on the remote PC. The advantages of this solution are:
- transparency for all network components: no VPN support from the ISP is required
- low cost of ownership
- maximum security
- ease of administration
- between the VPN gateway and the client only IP is used
Figure 4.10: The tunnel is established from the company's VPN gateway to the remote or mobile user
Figure 4.11: The tunnel is established from the company's VPN gateway to the VPN router which is connected to the remote LAN clients
The advantage of this solution is the capability to support multiple protocols such as IP, IPX, NetBIOS etc. Also multiple connections can be established over one tunnel. Encryption and compression end at the VPN router, which is no problem if the LAN is secure; otherwise it would be better to establish the tunnel to each client. This solution can also be used if a router does not support VPN (see Figure 4.12 on page 47). It can be implemented on intranet VPNs to connect branches, because there it is no problem to install special software on the remote LAN clients. For extranet VPNs this is unsuitable, because the different business partners in the extranet would all need the same software.
Figure 4.12: The tunnel is established from the company's VPN gateway to each single remote LAN client
4.9.5 IPSec
If an organisation plans to introduce a VPN system, they should choose a solution which is based on an open standard. The advantage is that standards will be supported by different manufacturers. This often means that standards-based products are supported for a longer time and that you are not bound to a proprietary solution. Thus investments are more efficient over a longer period. In this section IPSec (IP Security) is described in a few words and compared to other techniques for VPNs. IPSec is a working group of the Internet Engineering Task Force (IETF) which defines standards and protocols related to Internet security. One of the most important aspects is the IPSec standard itself, which defines the overall IP packet structure and a security association relative to VPN communication. Everything about IPSec that is not mentioned in this text can be found in (Smith, 1998), (Schmeh, 1998), (Raepple, 1999), or at www.ietf.org/html.charters/IPSec-charter.html. IPSec is an extension of IP which offers protection of confidentiality, integrity and authentication of datagrams. IPSec is encryption on layer 3 of the OSI reference
[Figure 4.13 (residue of the packet diagram): AH includes a message digest for authentication; ESP includes the encapsulated data; the original IP header includes the original source and destination information; the encapsulation headers precede the original data.]
Figure 4.13: AH provides data integrity only and ESP provides both encryption and data integrity
Before the transfer of a message, a Security Association (SA) has to be negotiated between the two VPN end points. The SA is an agreement about the security parameters of a concrete communication, which are identified by the receiver's address and a Security Parameter Index (SPI). SAs contain all the information required for executing the various network security services. These are:
- authentication and encryption algorithm
- key for authentication and/or encryption
- initial vector for encryption
- validity time of the key and the SA
- address of the sender
The receiver defines the SPI and the SA. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation, encryption algorithm, and authentication mechanism. Different transmission modes used in VPN solutions determine which pieces of the message are encrypted. Some solutions only encrypt the data, whilst others encrypt the entire message including the header. In Figure 4.14 these modes are described. Only the second and third are IPSec (ESP) modes.
[Figure 4.14 (residue of the packet diagrams): (1) In-place: packet payload encrypted in place; original IP header addressed to the destination device; packet size not affected. (2) Original IP header addressed to the destination device, with an additional IPSec security header added. (3) New IP header addressed to the "VPN" device, followed by the IPSec header and the original packet.]
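ESP in the two IPSec modes of Figure 4.14 (payload only behind the original header versus the whole packet behind a new header) with the receiver selecting the SA by destination address and SPI as described above, as an added example not from the thesis; addresses, SPIs and keys are constructed, and the HMAC-based stand-in cipher and truncated HMAC integrity check value are assumed choices standing in for the algorithms an SA would negotiate.

```python
"""ESP transport mode versus tunnel mode, SA lookup by (destination, SPI).
Added example, not code from the thesis; addresses, SPIs and keys are
constructed. Cipher: stand-in keystream from HMAC-SHA256; ICV: truncated
HMAC-SHA256 (assumed choices, not IPSec's negotiated algorithms)."""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50     # IP protocol number carried in the outer header
IPV4_NEXT = 4      # ESP next-header value for an inner IPv4 packet (tunnel mode)
ICV_LEN = 12


class SA:
    """Security Association: the parameters the text lists, simplified."""
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero (toy)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa: SA, payload: bytes, next_header: int) -> bytes:
    """ESP: SPI | seq | encrypted(payload | pad | pad_len | next_hdr) | ICV."""
    sa.seq += 1
    pad_len = (-(len(payload) + 2)) % 4                  # trailer aligned to 4 bytes
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    enc = xor(plain, keystream(sa.enc_key, sa.spi, sa.seq, len(plain)))
    head = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, head + enc, hashlib.sha256).digest()[:ICV_LEN]
    return head + enc + icv


def esp_decapsulate(sa_table: dict, packet: bytes) -> tuple:
    """Receiver side: select the SA by (dst, SPI), check the ICV, then
    decrypt. Returns (next_header, inner payload)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not ESP")
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    esp = packet[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sa_table.get((dst, spi))
    if sa is None:
        raise ValueError("no SA for this destination/SPI")
    body, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(sa.auth_key, esp[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("integrity check failed")
    plain = xor(body, keystream(sa.enc_key, spi, seq, len(body)))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def transport_mode(sa: SA, src: str, dst: str, proto: int, data: bytes) -> bytes:
    """Original header kept; only the payload goes inside ESP."""
    esp = esp_encapsulate(sa, data, proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(sa: SA, gw_src: str, gw_dst: str, inner_packet: bytes) -> bytes:
    """Whole original packet, header included, inside ESP behind a new header."""
    esp = esp_encapsulate(sa, inner_packet, IPV4_NEXT)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def observable(packet: bytes) -> tuple:
    """What someone on the public network can read: outer addresses, protocol."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])


def demo() -> dict:
    """Constructed hosts 10.0.0.5 -> 10.0.1.7 via gateways 198.51.100.1 / 203.0.113.1."""
    sa_t = SA(0x1001, b"constructed-enc-key-1", b"constructed-auth-key-1")
    sa_u = SA(0x2002, b"constructed-enc-key-2", b"constructed-auth-key-2")
    table = {("10.0.1.7", 0x1001): sa_t, ("203.0.113.1", 0x2002): sa_u}
    inner = ipv4_header("10.0.0.5", "10.0.1.7", 6, 5) + b"hello"   # constructed packet
    t = transport_mode(sa_t, "10.0.0.5", "10.0.1.7", 6, b"hello")
    u = tunnel_mode(sa_u, "198.51.100.1", "203.0.113.1", inner)
    return {"transport_seen": observable(t), "tunnel_seen": observable(u),
            "transport_out": esp_decapsulate(table, t),
            "tunnel_out": esp_decapsulate(table, u), "inner": inner}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```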
After having defined the packet structure, the IPSec working group also standardised the key management. There were two different approaches:
- The information about the key is sent in additional headers with the IP packet. This means that the key management protocol remains on the same layer.
- A separate and general key management protocol is added, which can only run at the application layer. This has the disadvantage that it violates the layered model.
Simple Key Management over IP (SKIP), developed by SUN and a representative of the first category, was at first the favourite. But in the meantime the development of the second category is favoured by the IETF and Cisco with the Internet Security Association and Key Management Protocol (ISAKMP). An implementation of ISAKMP is ISAKMP/Oakley, which is now called Internet Key Exchange (IKE). These automated key management schemes include the concept of a Public Key Infrastructure (PKI). A PKI is an open community of Certification Authorities (CA) (see Section 4.8.2) which in most cases uses a hierarchical model to construct trust associations. Setting up a VPN between a corporate network and a business partner or supplier requires a secure key exchange. A third-party CA which is trusted by both VPN nodes is necessary. Using a PKI for automated key management allows an administrator to easily and securely create, distribute and revoke VPN encryption keys.
51
With the implementation of security measures, 100% security is not possible. Therefore, to limit the damage which is done if an incident occurs, a disaster plan is developed. The disaster plan contains a backup concept, a contingency plan, a recovery concept and a restart plan. So it not only contains measures to recover but also measures on how to behave during an incident.
Final Report
One point which is taken into account is whether the solution is based on standards like IPSec (see Section 4.9.5). For the moment this may be unimportant, because there shall only be a VPN between two branches and a proprietary solution may be very cost-effective, but such a solution is perhaps not capable of further development. When this VPN shall be extended to an extranet, the partners may have other solutions which are not compatible. If an extranet is planned right from the beginning, standardised solutions should be used. A VPN shall protect communication, therefore it is necessary to use good encryption algorithms and the key length has to be long enough. Criteria for this are given in Section 4.4. Most of the cryptographic systems which are developed in the USA are too weak because they are subject to the export restrictions on key lengths. For flexibility it is useful to have VPNs which can change the algorithm and key length easily. With that, different levels of security can be realised for different connections. For high performance it is useful if the VPN solution supports hardware-based encryption such as accelerator cards or co-processors. For the security level it is also important from where to where the VPN tunnel is established. For remote access VPNs this can be from the user's PC to the firewall or to a VPN gateway which can be in front of or behind the firewall. In the case of a double firewall concept there is a Demilitarised Zone (DMZ) where the tunnel terminates. Some products offer the possibility to terminate the VPN tunnel at an internal server (see Section 5.4.2). But if the network behind the firewall is secure enough and attacks from inside are not expected, then the firewall is the right place for terminating the VPN tunnel. Most VPN solutions can be combined with a security server such as a Network Access Server (NAS) or an AAA server such as RADIUS (see Appendix A.1).
The integration into existing or planned management tools such as Tivoli from IBM or Unicenter from Computer Associates makes the handling of VPNs easier. If smart cards or biometric procedures shall be used for authentication, then the VPN solution has to support the appropriate hardware. The VPN solution should meet the requirements and should be easily extendable, but it should not be too complex. Features which are not necessary should not be included, because this also makes the handling more complex. The configuration, administration and operation shall be user friendly, because the higher the complexity, the higher the possibility for mistakes, and this always means a loss in security.
In this section different approaches for VPN implementations will be described; a list of further VPN products can be found in Appendix C. The first is a software-based solution from NCP engineering GmbH. This software was tested during the project. Then a solution from 3Com, a manufacturer of active network components like switches, will be described, and finally Check Point's VPN solution, which is an extension of their firewall product FireWall-1.
5.4.1 NCP
The solution from NCP offers the possibility to connect mobile workers or branches with the central office. The VPN can be established via the Internet independently of the Internet Service Provider (ISP). NCP is a seller of ISDN cards, therefore the client software Remote Workstation for Global Access (RWS/GA) is able to handle connections via ISDN, modem or GSM (Global System for Mobile Communication). At the central office the Multi Protocol Router for Global Access (MPR/GA) can be used or the Narac Enterprise VPN, which is a VPN gateway. Different protocols are supported, like IP, SNA and NetBIOS. The tunneling protocols L2F or L2TP (see Section 4.9.4) can be used. An extension for IPSec is planned. For authentication a RADIUS server can be integrated. The encryption algorithms Triple DES and Blowfish can be used, which are not restricted by the USA export regulations because NCP is a German company. The administration of the system can be done with every tool which uses the Simple Network Management Protocol (SNMP). Our test scenario could not be realised because the existing remote workstation is a LAN client which is connected with a router to the POP. The remote access software for this case is not yet developed. We got this information during the tests only on inquiry, even though NCP already advertises this solution. The software solutions NCP offers at the moment are only for communication cards (ISDN, GSM or modem), which may be a good solution for smaller companies, but larger companies are normally connected to the Internet with a router. The configuration is not too complex for an advanced system administrator, but the documentation is not very clear. The client software could not be installed (because a communication card is absolutely necessary), therefore no statements can be made about the user friendliness when using the software in operation.
5.4.2 3Com
3Com is a seller of network components. The following information is taken from a 3Com technical paper (3Com, 1998). All possible scenarios can be built up with 3Com equipment. The VPN can be established, for example, from an end user's laptop equipped with an analogue modem card and VPN-enabled dial-up software. It could also be started by a VPN-enabled router on a branch LAN or at an access concentrator at the POP of an ISP. The tunnel can be ended, as with the NCP solution, by the firewall or by the VPN gateway. In addition, 3Com offers another solution in which the tunnel can be switched through the firewall to increase security and flexibility. In this case, a tunnel switch at the company's router for remote access or in the DMZ ends the incoming tunnel and starts a new tunnel to a tunnel terminator on the internal network. The remote user is thus virtually plugged into the network inside the firewall, where more network resources are available. This solution has the advantage that only one hole for the tunneling protocol has to be opened instead of multiple holes, one for each application. Traffic from remote employees and from external partners can come into the network over the same interface but can then be separated and terminated at different locations. With the tunnel switch, remote employees have no problems in using network protocols such as SNA, Novell NetWare or AppleTalk and the applications running over them. 3Com solutions support the tunneling protocols PPTP, L2F and L2TP (see Section 4.9.4). Encryption systems are Microsoft Point-to-Point Encryption (MPPE) with 40-bit and 128-bit key lengths. But IPSec, which is more robust than MPPE, can also be used for encryption and authentication. It is recommended for use with L2TP. IPSec can also be used to extend the tunnel from the tunnel terminator to the destination workstation. Together with IPSec, the key management system ISAKMP/Oakley can be used at the ISP (see Section 4.9.5.1).
A security server is recommended, for example a RADIUS server for user authentication.
5.4.3 Check Point
The information about Check Point is taken from the Check Point web sites, in particular (Check Point a, 1998) and (Check Point b, 1998). Check Point's FireWall-1 is a software solution available for SUN Solaris and Windows NT and shall be developed for Linux. VPNs can be realised between several FireWall-1 systems to establish an extranet. The VPN-1 Gateway is a software solution which extends FireWall-1 with VPN technology. The client software, which is available for Windows 95/98 or NT, is called SecuRemote. In addition, the Accelerator Card is a hardware component to speed up encryption and so offer high performance. FireWall-1 supports three encryption schemes:
- a proprietary FireWall-1 encryption system
- manual IPSec (see Section 4.9.5)
- SKIP for key management (see Section 4.9.5.1)
For authentication a strong two-factor system is recommended, i.e. not only user ID and password are checked but also something the user possesses, such as an electronic token. The authentication server RADIUS (see Appendix A.1) is also supported. The VPN solution from Check Point is able to combine different scenarios for mobile employees, external branches, partners and customers. The management can be centralised together with the administration of the firewall system. This means that a security policy can be realised over the whole network, including both the intranet and the extranet. With the management tools for FireWall-1 all components can be configured, including routers, switches, gateways and servers. Therefore it is important that standards like IPSec are used. For Check Point, traffic control is a basic component of a VPN. They offer a bandwidth management system called FloodGate-1 which shall be able to manage and prioritise encrypted VPN traffic. FloodGate-1 is integrated with Check Point VPN solutions, sharing the same Stateful Inspection technology for traffic control, and uses the same policy definitions as FireWall-1.
However, it is not clear how the bandwidth management is realised for connections via the Internet, which cannot offer a guaranteed bandwidth or prioritised traffic. The most important advantage of the Check Point solution is the centralised security management, which includes all security aspects of the whole network. With this solution a company security policy can be realised and the complexity may be decreased, because the same rules can be used for all ways of communication.
For the evaluation of a VPN solution the requirements have to be defined. Requirements (for example):
- high level of security, especially for confidentiality and authentication
- high performance for special applications
- deployment of existing hardware such as ISDN routers
- realisation of connections to external partners
- possibility for mobile employees to connect from all over the world
- etc.
Then a product assortment has to be checked to see which product can meet which requirement. Sometimes not all requirements can be met; then compromises have to be found. Product selection:
- all requirements are met, or
- at least the most important requirements are met
After the product is selected and agreed with the client, the VPN can be realised. At this point, it has to be evaluated whether the requirements are met or not. If not all requirements are met, the most important should be realised. The administrator of the client who will be responsible for the maintenance of the VPN should be able to easily configure the VPN. Tests:
- testing of the implementation of the encryption algorithm (the common algorithms themselves are thoroughly tested)
- testing whether it is possible to evade the authentication process to get authorisations
- testing whether authorised users really have access only to the objects they should have
- testing the performance
- etc.
Without tests it is normally not possible to say whether the product meets the requirements, because the promises of the sellers are not always true. And the whole system also has to be tested, especially with regard to compatibility with other hardware and software components. The tests can be done manually or with tools which are available on the market or on the Internet.
Chapter 6 Results
In this chapter the results of our risk analysis and the recommendations for the security plan are described. The risk analysis is not fully completed because the communication profile is missing, which is necessary for the firewall concept as well as for the VPN concept. The recommendations, especially those for organisational measures, are given as examples out of the security plan. More information can be found in the IT Baseline Protection Manual (Bundesministerium für Sicherheit in der Informationstechnik, 1998).
CHAPTER 6. RESULTS
The following sections show the results of the risk analysis. The first point is the analysis of assets and threats.
The network is built up with some powerful central switches and routers which realise the connections to branches and external partners. There are also routers for remote access via ISDN. In the local network there are different servers in the computer centre:
- file server
- MS Exchange server for e-mail
- server for financial programs
- BS 2000 mainframe
- CD-ROM server
and in the technical equipment rooms:
- central file server
- DNS server
- backup servers
- department servers
- remote access servers
The single branches have local servers at their sites which also store and process sensitive data. The clients in the local network and in the branches should not store any sensitive data locally. The breakdown of one of them concerns only the user working at this client. Therefore the security level for clients is very low.
For identifying the threats it is important to know against whom the countermeasures should be effective. First, there is the Internet access with possible attackers who may intrude into the system. There are a lot of threats from the Internet; a list can be found in Appendix B. But besides the Internet access there are other access points to the network.
These remote access points are connections for smaller branches via ISDN or modems. At the moment, there are dial-in possibilities which are controlled by RADIUS servers. An ISDN connection which has once been established can be used by unauthorised persons who have access to the external network. Besides the known access points for modems there are a lot of connections via modems which are not very well documented. Also, each working place has the possibility to connect a modem. All these remote access points are threats for the intranet, because they give the possibility to intrude. External partners are connected via leased lines to use e-mail and the Internet access. These external networks belong to other administration sectors and their security policies and the threats of these networks are unknown.
Figure 6.1: Firewall Concept (elements shown: external branch and external partner with clients behind a router and a router/packet filter, the Internet, an ISDN client, the firewall and the internal server)
The customer has its own mail and WWW server. These two servers shall be available to the external branches as well as to the external partners and of course to the internal users. These servers are protected against the Internet with a packet filter, but they stand outside the internal network, which is protected by a firewall. This is called a Demilitarised Zone (DMZ). The packet filter in front of the external partners makes sure that the external partners only use the Internet access, e-mail and WWW services provided by our client. The external partners should not have access to the internal network. The dial-in users are allowed to access the internal network. This access is secured with the firewall and the packet filter protecting their entry point into the network. In contrast to the packet filter of the external partner, this packet filter will allow packets to access the firewall. The external branches are treated in the same way as the local users. Their networks are seen as secure, so that it is possible to connect them over a packet filter to the internal network. The packet filter will mainly reduce the traffic allowed into the internal network. Another reason for using only a packet filter to secure the connection is that the external branches use a performance-critical application from our client. Our client also has a great influence on the security concept of the external branches. The dial-in users also have to use applications from our client, but these are not performance critical.
Rules for the firewall and the packet filters cannot be defined, because the data given by our client does not allow us to develop a communication profile. But this communication profile is absolutely necessary to set up the rules for the firewall and the packet filters. At least one basic rule was agreed: everything that is not explicitly permitted is denied. So the basic rule is very restrictive. Another rule was agreed: a communication between two branches cannot take place over the internal network. Our client provides Internet access, e-mail and WWW services which have to be charged for. Therefore a recommendation on the firewall concept is that it should be possible to do accounting. An actual product cannot be suggested at the moment, because the services which shall be provided are not clearly stated.
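The two agreed rules and the zone restrictions of Figure 6.1 can be written down as a small default-deny policy. The Python below is an added example and not part of the thesis or of any firewall product: the address plan, the service ports (the application port 5000 in particular) and the sample packets are constructed, and the rule set only encodes what the text states, plus a tally of permitted flows as the basis for the accounting the client asks for.

```python
"""Default-deny filter policy for the zones of Figure 6.1.  Added example,
not from the thesis: the address plan, service ports and sample packets are
constructed; the rules encode only what the text states (deny unless
permitted, no branch-to-branch traffic over the internal network, partners
restricted to the DMZ services and Internet access, dial-in users and
branches admitted to the internal network) and an accounting tally."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed address plan; "internet" is the catch-all and is checked last.
ZONES = {
    "internal": ip_network("10.0.0.0/16"),
    "dmz":      ip_network("192.0.2.0/24"),      # mail and WWW servers
    "branch-a": ip_network("10.1.0.0/16"),
    "branch-b": ip_network("10.2.0.0/16"),
    "partner":  ip_network("198.51.100.0/24"),   # leased-line partner network
    "dialin":   ip_network("10.9.0.0/16"),       # ISDN/modem dial-in pool
    "internet": ip_network("0.0.0.0/0"),
}

SMTP, HTTP, APP = 25, 80, 5000      # APP: constructed port of the client's application

BRANCHES = {"branch-a", "branch-b"}

# (source zones, destination zones, destination ports or None for any, action)
RULES = [
    # agreed rule: no communication between two branches over the internal network
    (BRANCHES, BRANCHES, None, "deny"),
    # partners may use only mail, WWW (both in the DMZ) and the Internet access
    ({"partner"}, {"dmz"}, {SMTP, HTTP}, "allow"),
    ({"partner"}, {"internet"}, None, "allow"),
    # branches and dial-in users reach the internal application and the DMZ services
    (BRANCHES | {"dialin"}, {"internal"}, {APP}, "allow"),
    (BRANCHES | {"dialin", "internal"}, {"dmz"}, {SMTP, HTTP}, "allow"),
    ({"internal"}, {"internet"}, None, "allow"),
]


def zone_of(addr):
    """Map an address to its zone; the first matching network wins."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "unknown"


def evaluate(src, dst, dport):
    """First matching rule decides; with no match the packet is denied."""
    sz, dz = zone_of(src), zone_of(dst)
    for i, (srcs, dsts, ports, action) in enumerate(RULES):
        if sz in srcs and dz in dsts and (ports is None or dport in ports):
            return action, "rule %d" % i
    return "deny", "default"


def filter_packets(packets):
    """Apply the policy to (src, dst, dport) tuples; return the decisions and
    an accounting tally of permitted flows per source zone and service."""
    decisions, accounting = [], Counter()
    for src, dst, dport in packets:
        action, why = evaluate(src, dst, dport)
        decisions.append((src, dst, dport, action, why))
        if action == "allow":
            accounting[(zone_of(src), dport)] += 1
    return decisions, accounting


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10", SMTP),   # partner -> DMZ mail: allowed
    ("198.51.100.7", "10.0.3.4", APP),      # partner -> internal: denied by default
    ("10.1.5.5", "10.2.7.7", APP),          # branch A -> branch B: denied by agreed rule
    ("10.9.1.1", "10.0.3.4", APP),          # dial-in -> internal application: allowed
    ("10.0.3.4", "203.0.113.9", 443),       # internal -> Internet: allowed
    ("203.0.113.9", "10.0.3.4", HTTP),      # Internet -> internal: denied by default
]

if __name__ == "__main__":
    for d in filter_packets(SAMPLE_PACKETS)[0]:
        print(*d)
```

The branch-to-branch denial is listed explicitly even though the default would already drop it, so that the reason appears in the decision log; once the communication profile exists, the remaining permitted services are added as further allow rules while the default stays deny.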
6.2.1.2 Router
The branches are connected via leased lines to a router in the local network. Because these branches are part of the protected network, the security measures are on a low level. To offer additional security and control functions within the network, packet filters and access control lists on the router are adequate means. The rules for the packet filter have to be adapted to the individual connection. This allows an exact regulation of which protocols can pass the router in which direction and which clients or subnetworks are allowed to communicate. The use of packet filters on the routers has another advantage: the local network is kept clear of unauthorised data traffic, and the firewall system as well as the other components of the network are relieved and can better fulfil their primary task.
like the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) are offered. PAP only ensures that the user has to authenticate during the set-up. But it offers a basic security when the user connects to other networks or routers. CHAP performs a periodic handshake to prove the identity of the communicating partners.
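As an added illustration of the difference described here (not code from the thesis or from any router vendor), the following Python shows the CHAP exchange of RFC 1994, where the response is the MD5 hash over the identifier, the shared secret and a random challenge, next to a PAP request that carries the password itself. The peer names, secrets and the number of handshake rounds are constructed.

```python
"""CHAP challenge/response (RFC 1994: MD5 over identifier || secret ||
challenge) next to PAP, which sends the password itself.  Added example;
peer names, secrets and round counts are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Peer side: hash the 1-byte identifier, the shared secret and the
    challenge.  The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


class ChapAuthenticator:
    """Issues a fresh random challenge per round.  CHAP repeats the round
    periodically during the session, not only at link set-up."""

    def __init__(self, secrets, rng=os.urandom):
        self.secrets = secrets      # peer name -> shared secret
        self.rng = rng
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        return self.ident, self.rng(16)

    def check(self, peer, identifier, challenge, response):
        secret = self.secrets.get(peer)
        if secret is None:
            return False
        return chap_verify(identifier, secret, challenge, response)


def pap_authenticate_request(peer, password):
    """PAP: the credentials themselves travel over the link in clear."""
    return b"PAP " + peer.encode() + b" " + password.encode()


def chap_session(auth, peer, secret, rounds=3):
    """Run several challenge rounds; True only if every round passes."""
    ok = True
    for _ in range(rounds):
        ident, chal = auth.challenge()          # authenticator -> peer
        resp = chap_response(ident, secret, chal)  # peer -> authenticator
        ok = ok and auth.check(peer, ident, chal, resp)
    return ok


if __name__ == "__main__":
    auth = ChapAuthenticator({"branch-01": b"s3cret"})
    print("CHAP session:", chap_session(auth, "branch-01", b"s3cret"))
    print("PAP on the wire:", pap_authenticate_request("anna", "hunter2"))
```

Because every round uses a new challenge and identifier, a captured response is useless for a later round, whereas a captured PAP request contains the password; this is the "periodic handshake" the text refers to.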
the VPN tunnel can end at the firewall. Then it is advisable to use a firewall-based solution. Another advantage of a firewall-based solution is that the configuration can be made with the firewall tools; this centralises the configuration and maintenance. A concluding decision could not be made because of the missing communication profile. The VPN solution also depends on the firewall product, which is not yet chosen.
6.2.1.6 Clients
Clients will not be specially protected, because they should not store any sensitive data and the breakdown of a client does not affect other clients or components of the network. But a PC guideline is useful.
6.2.1.7 Passwords
A secure system should refuse trivial words, because "dictionary attacks" can be done with programs: all words out of a dictionary, names etc. are tried in different variations. Where feasible in data processing terms, the following complementary rules should be observed:
- The selection of trivial passwords (BBBBBB, 123456) must be prevented.
- For initial log-on of new users, one-time passwords should be assigned, i.e. passwords which must be discarded after their first use.
- In networks in which passwords are transferred in non-encrypted form, the constant use of non-recurrent passwords is recommended.
- After three unsuccessful attempts to enter the correct password, a lockout should be imposed which can only be cancelled by the system administrator.
- During authentication of networked systems, passwords should not be transmitted in a non-encrypted form.
- The password must be entered covertly, i.e. the entry will not be displayed on the monitor.
- Passwords should be stored in the system in a way preventing unauthorised access, e.g. by means of encryption.
- Password alteration must be initiated by the system on a regular basis.
- Re-use of previous passwords in the case of password alteration should be prevented by the IT system (password history).
Organisational measures are the basis for all other measures, because access rights, authorisation and controlling functions must be defined here. For the realisation and maintenance of the security plan an organisational structure is necessary. Someone must be responsible for all regulations, controls, training etc.
Figure 6.2: The organisation of IT Security Management
that IT security has its price. The persons in question must be released from their other duties in such a way that they can devote sufficient energy to the task of "IT security". This has more than paid for itself if there are no more damaging incidents due to lack of security. Figure 6.2 on page 71 shows the recommended organisation of the IT Security Management for the organisation and shows the relations between the management, the IT Security Management Team, the IT Security Officer, the Divisional IT Security Officers (for departments or for branches), the IT Co-ordination Board and the IT users.
The duties of the IT Security Officer include:
- helping to compile the IT security concept,
- reporting throughout the IT security process to the IT Security Management Team and thus to management,
- being responsible for the implementation of the selected IT safeguards,
- planning and co-ordinating training and sensitisation courses,
- guaranteeing IT security during current operation (e.g. by checking that IT safeguards are adhered to),
- organising the investigation of any security-relevant incidents.
In order to carry out these tasks, it is desirable that the IT Security Officer has knowledge and experience in the areas of IT security and IT. As this task requires a variety of skills, the person appointed to this position should have the following qualifications:
- identification with the goals of IT security and appreciation of the necessity of IT security,
- the ability to liaise and work as part of a team (few other projects require such a high degree of skill in working with other people: management must be involved in central issues of the IT security process, decisions must be called for, and the IT users must be involved in the IT security process, possibly with the help of the Divisional IT Security Officers).
- developing an implementation plan for the safeguards stated in the IT security concept,
- monitoring the implementation of these safeguards,
- promoting awareness of IT security throughout the institution,
- monitoring the effectiveness of safeguards during current operation.
In order to be able to carry out its tasks effectively, the IT Security Management Team should have one member with knowledge of IT security, technical knowledge of IT systems and experience in organisation and administration. The following persons should also participate: the IT Security Officer, a representative from the IT Co-ordination Board and a representative of the IT users. This is the only way to ensure that a practicable IT security policy is determined and implemented.
Depending on the size of the division, the task of a Divisional IT Security Officer can be assumed by one person already familiar with similar tasks. When selecting the Divisional IT Security Officer, it should be ensured that he is familiar with the tasks, conditions and work processes in the relevant division. A detailed knowledge of IT is an advantage, as this facilitates discussions with IT users on site and when developing IT safeguards for special IT systems. Further, the Divisional IT Security Officer should have a knowledge of project management, which is helpful for the organisation of IT user surveys and the compilation of plans for the implementation and checking of IT safeguards. Working together with IT users requires a high degree of skill, as these users must first be convinced of the necessity of IT security, which may involve additional work. Equally difficult is questioning IT users about critical incidents and hot spots. In order to guarantee success here, the IT users must be convinced that honest answers will not cause them problems.
- use of passwords
- protection against computer viruses
- emergency precautions
6.2.2.3 Documentation
The quality of the documentation is an important aspect of the security concept. If documentation, for example on the IT components used, is inadequate or lacking, this can have significant effects both on the selection and decision-making processes regarding a product and in terms of a loss occurring during actual operation. Documentation on the system configuration, authorised users and rights profiles must also be made. Documentation is the basis of a security concept, because it contains all regulations and all information about the organisation.
result may be a large variety of hazards which can impair the confidentiality and integrity of data or the availability of computer power.
authentication means. It is necessary to make sporadic checks for compliance with the aforementioned requirements.
When site access controls are defined, acceptance by the users has to be taken into account. They look upon supervision as a necessary evil and often disapprove of it. Rules which are easy to understand and follow, and information for the users on why and how security measures are realised, are useful to make the acceptance as high as possible.
6.2.2.9.1 Provisions governing the configuration of users and of user groups
Provisions governing the designation of users and of user groups are the prerequisite for adequate allocation of access rights and for ensuring orderly and controlled operations. A blank form should be in existence so that, as a first step, the required data can be obtained from each user or each user group:
- surname, first name, organisational unit
- proposed user name and group ID, if not already allocated by convention
- where to be reached (e.g. telephone, room)
- where appropriate, information on the planned activity within the system and the rights required for that purpose, and on the duration of the activity
Here, staff members should be instructed on how to handle computer viruses.
Proper Use of Passwords
In this context, the importance of a password for IT security and the overall prerequisites for ensuring effectual use of passwords should be explained.
Handling of Personal Data
Personal data require particularly careful handling. Staff members having to deal with personal data must be trained in the legally stipulated safeguards required. Subjects to be covered are: handling of information requests, modification and rectification requested by the data subjects, legally stipulated deletion deadlines, protection of privacy, and communication of data.
Prevention against Social Engineering
Staff should be informed of the dangers of social engineering. Typical examples of attempts to gain confidential information by sounding out certain persons should be explained, as well as the relevant methods of protection. As social engineering often involves the pretence of a false identity, staff are instructed to check the identity of business partners and, in particular, not to provide confidential information by telephone. The behaviour of employees who work in critical areas related to security or who have access to sensitive data has to be checked regularly. Special attention must be paid to new employees, transfers and the period of dismissal. Checks of external personnel and temporary workers must also be done regularly.
6.2.2.9.5 Passwords
Without mechanisms for identifying and authorising users, control over unauthorised use of the IT system is impossible. Even with user ID and password, unauthorised use is possible if this information can be detected. Passwords can be found out by trying all possible combinations, but more effective is to try the most likely passwords. This can be done with programs which start a "dictionary attack", i.e. all words out of a dictionary, names etc. are tried in different variations. A secure system shall refuse these trivial words. Even better is a well-educated user who uses secure passwords without the preconditions of the system. Attackers can use these preconditions, because they reduce the number of passwords which can occur. For this purpose, it is advisable to introduce a set of provisions governing password use and to inform the users accordingly.
The following rules regarding password use should be observed:
- It must not be possible to guess the password as easily as names, motor vehicle licence numbers, birth dates or the like.
- The password should comprise at least one non-letter character (special character or number).
- The password should consist of at least 6 characters. The number of password characters actually checked by the computer must be tested.
- Pre-set passwords (e.g. by the manufacturer at the time of delivery) must be replaced by individually selected passwords.
- The password must be kept secret and should only be known personally to the user.
- The password must be altered regularly, e.g. every 90 days.
- Entry of the password should be made away from general view.
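The password provisions of Section 6.2.1.7 (trivial words, one-time initial passwords, lockout after three failures, password history, encrypted storage) and the rules just listed (length, character mix, no personal data, 90-day alteration) can be enforced by the system. The following Python is an added example, not the thesis's own code or that of any product: the word list, the user's personal data, the history depth, the PBKDF2 parameters and the clock values are constructed.

```python
"""Password provisions from the rules above turned into checkable code:
trivial-word rejection, minimum length and character mix, a lockout after
three failures that only the administrator cancels, 90-day expiry and a
password history.  Added example, not the thesis's own code; the word
list, user data, hash parameters and clock values are constructed."""
import hashlib
import hmac
import os

MIN_LENGTH = 6          # "at least 6 characters"
MAX_AGE_DAYS = 90       # "altered regularly, e.g. every 90 days"
MAX_FAILURES = 3        # "after three unsuccessful attempts ... lockout"
HISTORY_SIZE = 5        # depth of the password history (assumption)
PBKDF2_ROUNDS = 20_000  # kept low for the example; raise in real use

# Constructed stand-in for a dictionary / word list.
DICTIONARY = {"password", "secret", "welcome", "summer", "london", "bremen"}
LEET = str.maketrans("0134@$", "oieaas")   # the "variations" an attacker tries


def _base_word(pw):
    """Strip appended digits and undo common letter substitutions."""
    return pw.lower().rstrip("0123456789!.").translate(LEET)


def is_trivial(pw, personal=()):
    """Reject what a dictionary attack tries first: one repeated character,
    number or keyboard sequences, dictionary words (also reversed or with
    digits appended) and the user's own data (name, licence number, ...)."""
    low = pw.lower()
    if len(set(low)) == 1:                                   # BBBBBB
        return True
    if low in "0123456789" or low in "9876543210":           # 123456
        return True
    if low in "abcdefghijklmnopqrstuvwxyz" or low in "qwertyuiop":
        return True
    base = _base_word(pw)
    if base in DICTIONARY or base[::-1] in DICTIONARY:
        return True
    return any(len(p) >= 3 and p.lower() in low for p in personal)


def check_password(pw, personal=()):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if all(c.isalpha() for c in pw):
        problems.append("no digit or special character")
    if is_trivial(pw, personal):
        problems.append("trivial or guessable")
    return problems


def _hash(pw, salt):
    """Stored form: salted PBKDF2, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user, initial_pw, now, personal=()):
        self.user, self.personal = user, tuple(personal)
        self.history, self.failures, self.locked = [], 0, False
        self.one_time = True    # initial password must be replaced at first log-on
        self._store(initial_pw, now)

    def _store(self, pw, now):
        if any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history):
            raise ValueError("password reuse refused (history)")
        salt = os.urandom(16)
        self.salt, self.hash, self.changed_at = salt, _hash(pw, salt), now
        self.history = (self.history + [(salt, self.hash)])[-HISTORY_SIZE:]

    def login(self, pw, now):
        """Returns 'ok', 'locked', 'bad-password' or 'must-change'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_hash(pw, self.salt), self.hash):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True      # only admin_unlock() cancels this
            return "bad-password"
        self.failures = 0
        if self.one_time or now - self.changed_at > MAX_AGE_DAYS * 86400:
            return "must-change"
        return "ok"

    def change_password(self, old, new, now):
        if self.login(old, now) not in ("ok", "must-change"):
            return False
        problems = check_password(new, self.personal)
        if problems:
            raise ValueError("; ".join(problems))
        self._store(new, now)
        self.one_time = False
        return True

    def admin_unlock(self):
        self.locked, self.failures = False, 0
```

The trivial-word check deliberately normalises the candidate the way an attacker's variation list would (case, appended digits, letter-for-digit substitutions), so that "p@ssw0rd1" is refused as the dictionary word it is; the comparison of hashes rather than passwords implements the rule that stored passwords must not be readable.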
Most effective is to record critical events at the servers. But the log files should not become too big, because then security-relevant data may be overlooked. This can be avoided with short intervals between the checks and a sensible choice of relevant events. The use of appropriate tools for evaluation is also recommended. These tools should be easy to use, various critical events should be selectable and the most critical events should be emphasised. In addition to the review of log files, online audits should be done in real time. This is not only useful for security checks; problems of network performance or hardware failures can also be detected.
Structural measures are in most cases related to protection against structural destruction or protection of the buildings. Therefore the recommendations listed here are limited to those which support the realisation of organisational measures protecting the computer centre and the technical equipment rooms. The most important structural measure is the realisation of functional separation within the technical equipment rooms. Persons with different functions and from different departments or administration sectors have different responsibilities. Therefore they should not be allowed to use the same room, because control cannot be guaranteed. If the spatial separation is not possible, all persons authorised for this room must be informed about the other persons, so that they know who is allowed to be in the room. Then they can identify unauthorised persons and check them. For the site access control of the computer centre and the technical equipment rooms, ID cards or smart cards are recommended for authentication. The access control is easier to realise, because the authorisation can be given and revoked with a centralised management system. This is very important: when someone loses a key, the lock must be changed; with an ID card this is not necessary.
Access to different sites can also be given without having a bundle of keys or using a general key. Another advantage is that the entry can be recorded with time and duration. So a revision can be made and there is a piece of evidence if something has happened.
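The log review recommended above (record critical events, keep the file small by selecting only relevant events, emphasise the most critical ones) can be supported by a simple evaluation tool. The Python below is an added example and not part of the thesis or of any product: the syslog-like line format, the sample lines, the event names, the severity levels and the burst threshold (three failed logins from one source within 60 seconds) are all constructed.

```python
"""Review of constructed server log lines in the sense of the text above
(record critical events, keep only relevant ones, emphasise the most
critical).  Added example; log format, event names, severities and the
burst threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like layout.
SAMPLE_LOG = """\
1999-05-20T08:01:10 srv1 login: accepted user=anna src=10.0.3.4
1999-05-20T08:01:30 srv1 login: failed user=admin src=198.51.100.7
1999-05-20T08:01:41 srv1 login: failed user=admin src=198.51.100.7
1999-05-20T08:01:55 srv1 login: failed user=admin src=198.51.100.7
1999-05-20T08:02:00 srv1 cron: nightly backup finished
1999-05-20T08:05:12 srv1 su: user=karl became root
1999-05-20T08:06:00 srv1 config: firewall ruleset reloaded by karl
1999-05-20T09:15:03 srv1 login: accepted user=karl src=10.0.3.9
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")

# Which events are worth keeping and how critical they are (3 = highest).
SEVERITY = {
    ("login", "failed"): 2,
    ("su", "became root"): 3,
    ("config", "reloaded"): 3,
    ("login", "accepted"): 1,
}


def parse(log):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, facility, msg = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "facility": facility, "msg": msg, "raw": raw})
    return events


def classify(event):
    """Severity of an event, or 0 if it is not security relevant."""
    for (facility, keyword), sev in SEVERITY.items():
        if event["facility"] == facility and keyword in event["msg"]:
            return sev
    return 0


def review(log, burst=3, window_s=60):
    """Keep relevant events, most critical first, and raise a failed-login
    burst (>= `burst` failures from one source within `window_s` seconds)
    to the highest severity together with an alert text."""
    kept = []
    for ev in parse(log):
        sev = classify(ev)
        if sev:                      # drop routine events (keeps the file small)
            ev["severity"] = sev
            kept.append(ev)
    failures = defaultdict(list)
    for ev in kept:
        if ev["facility"] == "login" and "failed" in ev["msg"]:
            failures[ev["msg"].split("src=")[1]].append(ev)
    alerts = []
    for src, evs in failures.items():
        for i in range(len(evs) - burst + 1):
            span = (evs[i + burst - 1]["time"] - evs[i]["time"]).total_seconds()
            if span <= window_s:
                alerts.append("%d failed logins from %s within %ds" % (burst, src, int(span)))
                for e in evs[i:i + burst]:
                    e["severity"] = 3
                break
    kept.sort(key=lambda e: (-e["severity"], e["time"]))
    return kept, alerts


if __name__ == "__main__":
    kept, alerts = review(SAMPLE_LOG)
    for a in alerts:
        print("ALERT:", a)
    for e in kept:
        print(e["severity"], e["raw"])
```

Of the eight constructed lines the routine cron message is dropped, the three failed logins from one source are promoted to the top because they form a burst, and the remaining events follow in order of severity, which is the "useful choice of relevant events" with the most critical ones emphasised.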
Chapter 7 Discussion
Security in the Internet is one of the most important subjects recently discussed. This can be seen at all the fairs about security like "Info Security 1999" in London (27 - 29 April). The usage of the Internet for exchanging information or e-commerce is more and more popular, therefore the demand for security is very high. But a lot of companies do not have the resources and the knowledge to develop a security concept. They need additional staff or the help of a consulting company. The development of a security concept requires a good knowledge of all security aspects; information has to be collected from books and from the Internet. Therefore it is important to know where to find this information. Then it has to be put together and applied to the special situation of the client. The knowledge to evaluate the recommendations is necessary to find out which of them are relevant and useful for the client. Therefore the help of specialists is required. Externals often see security holes more clearly than internals. They also have the advantage that they are not within the organisational structure and have more authority. A security concept is as individual as the company the concept is for. To compile the right security concept for a company, not only a lot of information about the company has to be known but also a broad knowledge of available hardware and software and their security holes. This will ensure that the company will get the most suitable security concept with suitable security products. The best basis for this extensive knowledge is experience in security aspects. We did not have this experience, because it takes a long time to learn all these things. Normally it is not recommended to order a security concept from someone who has no experience in this field.
To compensate for this lack of experience we looked at products and recommended solutions which have been tested by other people, like firewalls tested by ICSA or encryption algorithms which have been analysed by a lot of cryptanalysts.
Our aim to develop an overall security concept has not been fully reached, because it could not be reached in the limited space of time and because of our limited knowledge about all aspects of security. Therefore we laid the emphasis on technical aspects of the IT system. Some problems have occurred which were more or less our fault. The contact person in the organisation was not able to give us all the information we needed, because he did not have the knowledge about all aspects and did not ask the appropriate persons. He could not answer the first questionnaire we sent to him. Only after our meeting with him, where we discussed the questions together, did we get some information. Among other things, the problem seemed to be that he did not understand why we needed this information.
The main aim of the group work was to develop an overall security concept for an organisation. The overall security concept is nearly completed:
- Risk analysis is done
- Recommendations for security measures are given in the security plan
- Firewall concepts and VPN concepts are described, but no final product is selected

The security concept is nearly finished. The risk analysis, where assets and threats are identified, is done. The security concept contains all general recommendations and most of those which are specially related to the organisation. A product assortment is shown, but a definite selection could not be made. Also detailed rules related to access control could not be defined, because of the missing communication profile of the organisation. Therefore the realisation and the tests could not be done. The following points are recommended for further work:
- Communication profile
- Product requirements and selection
- Realisation
- Tests

The questionnaire has been developed. This questionnaire can be used for a first meeting with a client to get an overview of the aspects related to security: the infrastructure, responsibilities, remote access points, requirements for the Internet access and for the availability of services, usage of firewall and encryption systems, training of the people etc. This questionnaire has to be adapted to future developments in IT technology and it has to be developed further with questions related to the information already furnished. These can be answered in later meetings together with the client. For a better understanding of the questionnaire it is advisable to give the client an introduction to security and security concepts. What technical and structural measures can improve security? What does security or a security concept mean? Where can there be threats? What has to be covered? A lot of information is needed from the organisation. Therefore it will be good to have a team of specialists from different departments of the organisation.
Final Report
Together with all these specialists the information needed to compile a security concept can be gathered. It is a good idea to go through the questionnaire with the client and further explain which information is needed and why. Giving examples is a good idea, too. Then the client will understand why the information is so important and it is more likely that the information will be delivered. Regular contact with the client is very important. This will make sure that you are still doing what the client wants you to do and that the client is still collecting the right information about his network. From meetings with the client further questions can arise. Writing a security concept is a lot of work. The client has to be aware of the fact that even though he pays for the writing of a security concept, he still has a lot of work to do, too.
A.1 RADIUS
Remote Authentication Dial-In User Service (RADIUS) was developed by a company called Livingston and is specified in RFC 2058. RADIUS is not an Internet Standard but is implemented in many products. RADIUS uses UDP as its transport protocol.
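As an added illustration of the packet handling that RFC 2058 specifies (example code written for this appendix, not code from any RADIUS product or from the report's authors): the NAS builds an Access-Request whose User-Password attribute is hidden under the shared secret and a random Request Authenticator, the server recovers the password and answers with an Access-Accept or Access-Reject, and the NAS checks the Response Authenticator before trusting the answer. The shared secret, user name and password are constructed values; MD5 is used because RFC 2058 prescribes it.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed values for this example (assumptions, not from the report):
# in a real deployment the secret is configured out of band on NAS and server.
SHARED_SECRET = b"example-shared-secret"

# Packet codes and attribute types from RFC 2058.
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2058 5.2: pad the password to a multiple of 16 octets and XOR each
    16-octet block with MD5(secret + previous block), starting from the
    Request Authenticator. This is hiding, not strong encryption, which is
    one reason RADIUS traffic should not cross untrusted networks unprotected."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server side: reverse the chain; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Strict TLV parser: a bad length is an error, never an out-of-range read."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """NAS side. The Request Authenticator must be unpredictable and unique
    per request, since it keys the password hiding."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: a reply whose authenticator does not verify (wrong secret,
    tampering, or a forged server) must be silently discarded."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(packet, secret, users):
    """Server side: parse the request, check the credentials, answer."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME)
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    return build_response(CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT,
                          identifier, request_auth, b"", secret)


def demo():
    """Full round trip with constructed credentials; returns (code, verified)."""
    users = {b"alice": b"correct-horse"}
    request = build_access_request(7, b"alice", b"correct-horse", SHARED_SECRET)
    response = server_handle(request, SHARED_SECRET, users)
    return response[0], verify_response(response, request[4:20], SHARED_SECRET)


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator is what lets the NAS tell a genuine server reply from a spoofed UDP datagram; since RADIUS runs over UDP, nothing else in the exchange binds the reply to the request.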
A.2 TACACS+
TACACS, which was developed with the assistance of Cisco, is described in RFC 1492. It uses a double authentication similar to RADIUS. TACACS+ additionally has authorisation and accounting, and now there are no more important differences to RADIUS except that TACACS+ uses TCP as its transport protocol. There are also many implementations of TACACS+, thus there will be two standards for AAA servers.
B.1.3 Re-routing
To snatch packets, attackers often try to re-route them. This is very easy, especially if the router uses dynamic routing or when source routing is active.
Countermeasure: Only static routing, no source routing.
B.1.4 Replay-Attack
Here the attacker tries to record a communication and replay it later on to get access to the system.
Countermeasure: Authentication with one-time passwords or challenge-response systems.
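The following is an added example (written for this appendix, not code from the report) of why a challenge-response system defeats the replay attack described above: the server issues a fresh random challenge for every login, consumes it on first use and expires it after a short time, so a recorded (challenge, response) pair is worthless to an eavesdropper. HMAC-SHA256 is assumed as the response function and the user secrets are constructed values; the injectable clock exists only so that expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(user_secret, challenge):
    """Client side: prove knowledge of the secret without ever sending it.
    HMAC-SHA256 is an assumption of this example; CHAP applies the same
    idea with MD5."""
    return hmac.new(user_secret, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Issues single-use, time-limited challenges and checks responses.
    user_secrets maps user name -> shared secret (constructed for the example).
    clock is injectable so expiry can be tested deterministically."""

    def __init__(self, user_secrets, ttl_seconds=30.0, clock=time.monotonic):
        self.user_secrets = user_secrets
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # challenge -> (user, time issued)

    def issue_challenge(self, user):
        if user not in self.user_secrets:
            return None
        # Unpredictable and fresh, so a recorded response never matches a
        # future challenge.
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (user, self.clock())
        return challenge

    def verify(self, user, challenge, response):
        # pop(): each challenge is consumed on first use, so a replayed
        # (challenge, response) pair finds nothing pending and is rejected.
        entry = self.pending.pop(challenge, None)
        if entry is None:
            return False
        owner, issued = entry
        if owner != user or self.clock() - issued > self.ttl:
            return False
        expected = compute_response(self.user_secrets[user], challenge)
        # Constant-time comparison so the check leaks nothing about the value.
        return hmac.compare_digest(expected, response)


def replay_demo():
    """A legitimate login, then the same recorded exchange replayed by an
    eavesdropper. Returns (first_result, replay_result)."""
    server = ChallengeResponseServer({"alice": b"constructed-user-secret"})
    challenge = server.issue_challenge("alice")
    response = compute_response(b"constructed-user-secret", challenge)
    first = server.verify("alice", challenge, response)
    replayed = server.verify("alice", challenge, response)
    return first, replayed


if __name__ == "__main__":
    print(replay_demo())
```

Two properties carry the protection: the challenge is unpredictable, and it is accepted at most once. Dropping either one (a predictable counter, or leaving the challenge pending after a successful login) reopens the replay.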
B.1.5 IP-Spoofing
Often authentication is only done on the basis of the IP address. The attacker can alter the source address of the packet to appear trustworthy.
Countermeasure: A packet filter which does not allow packets with invalid or altered IP addresses to pass (e.g. packets arriving from outside but with internal IP addresses).
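As an added example serving both B.1.3 (source routing) and B.1.5 (IP spoofing), here is a small inbound packet filter of the kind the two countermeasures describe (example code written for this appendix, not the filter of any product named in the report). It parses the IPv4 header, drops packets that carry a loose or strict source-route option, drops packets arriving on the external interface with a source address from the internal ranges, and drops anything it cannot parse. The internal address ranges and the sample packets are constructed for the example.

```python
import ipaddress
import struct

# Address ranges assumed to be the organisation's internal networks
# (constructed for this example; use the site's real allocation).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IPv4 option types: end of list, no-op, loose and strict source routing (RFC 791).
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def parse_ipv4_header(packet):
    """Return (source, destination, [(option type, option data), ...]).
    Raises ValueError for anything that does not parse cleanly; a filter
    must drop what it cannot parse rather than guess."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or header length")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    options, i = [], 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == OPT_EOL:
            break
        if opt_type == OPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length octet")
        opt_len = packet[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("option length runs past the header")
        options.append((opt_type, packet[i + 2:i + opt_len]))
        i += opt_len
    return src, dst, options


def filter_inbound(packet, from_external=True):
    """Verdict for a packet arriving at the border router.
    Returns ("DROP" | "ACCEPT", reason)."""
    try:
        src, dst, options = parse_ipv4_header(packet)
    except ValueError as err:
        return "DROP", f"malformed header: {err}"
    if any(t in (OPT_LSRR, OPT_SSRR) for t, _ in options):
        return "DROP", "source-routing option present"
    if from_external and any(src in net for net in INTERNAL_NETS):
        return "DROP", f"internal source address {src} arriving from outside"
    if src.is_loopback or src.is_multicast:
        return "DROP", f"impossible source address {src}"
    return "ACCEPT", f"{src} -> {dst}"


def build_ipv4(src, dst, options=b"", payload=b""):
    """Construct a test packet. The header checksum is left at zero because
    the filter above does not verify it."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def lsrr_option(hops):
    """Loose source route option: type, length, pointer, then the hop list."""
    data = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([OPT_LSRR, 3 + len(data), 4]) + data


def demo():
    """Constructed sample traffic on the external interface; returns the verdicts."""
    samples = [
        build_ipv4("203.0.113.5", "192.168.1.10"),                       # ordinary packet
        build_ipv4("192.168.1.20", "192.168.1.10"),                      # internal source from outside
        build_ipv4("203.0.113.5", "192.168.1.10",
                   options=lsrr_option(["198.51.100.1"])),               # source-routed
        b"\x45\x00\x00",                                                 # truncated header
    ]
    return [filter_inbound(p)[0] for p in samples]


if __name__ == "__main__":
    print(demo())
```

The same check with from_external=False accepts internal source addresses, which is the usual asymmetric rule: internal addresses are legitimate on the inside interface and impossible on the outside one.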
viruses or Trojan horses.
Countermeasure: Encryption, digital signature, virus protection systems.
B.2.2 Telnet
An unrestricted telnet service may allow an attacker to gain user privileges on the computer, which may be used for further attacks on other computers in the network.
Countermeasure: Restriction of telnet and similar services to the necessary addresses and ports through a firewall.
It is also possible to take over a telnet session completely.
Countermeasure: Instead of using telnet, rlogin, rsh and rcp, use SSH (Secure Shell).
B.2.3 FTP
Badly administrated FTP servers are a security risk, because older versions of certain FTP servers (ftpd) contain security bugs which allow attackers to get administration privileges. Special care has to be taken because several manuals which tell how to install an anonymous FTP server contain security-relevant mistakes. If the server is misconfigured it is possible for the attacker to download the encrypted password file which contains all users. This file can then be cracked offline. If it is permitted to put files somewhere on the server where others can get them, the server may soon be used as an unlicensed software server.
Countermeasures: Use programs from the SSH package, limitation of access rights.
B.2.4 WWW
Dangers may occur at WWW servers through faulty software or configuration. Without the use of SSL (Secure Socket Layer) or other encryption it is possible to monitor the communication. Additionally it is possible that scripts for dynamic generation of documents contain security bugs. At the end of 1996 an attack called Web-Spoofing became known. With this attack the attacker places his server between the actual target system and the user. The attacker displays an almost identical copy of the original data and can control and modify it entirely to suit his needs. Then he has the possibility to gather and manipulate the data sent from the user.
Countermeasure: Encryption and digital signature for the communication, certificates for the Web server, reciprocal authentication of the user and the Web server.
B.2.5 DNS
With Domain Name Service (DNS) spoofing it is possible to redirect data streams if the user uses the name of the computer instead of the IP address.
Countermeasure: Addressing through numerical IP addresses, usage of an own DNS server.
B.2.6 Finger
Data displayed by the finger service can give attackers useful information about the users on the system, which then can be used explicitly for attacks. The service became famous through a buffer-overflow bug. With the call of finger the parameters were written into a buffer of fixed length. Data that could not fit into the buffer overwrote the stack in the working memory, where it was treated and executed as executable code. So with a careful choice of characters almost any code could be executed. Similar programming bugs can be found in a lot of other server programs.
Countermeasure: Switching off the services which give attackers security-related information about the system, like finger, rup, rusers, rwho; installation of patches against buffer-overflow bugs.
B.2.7 SNMP
With the help of the SNMP (Simple Network Management Protocol) service it is possible to centralise the administration of network components. Configuration and status of the components can be gathered and changed. This provides the attacker with valuable information about the hardware and software at the site, which can be used for further attacks. Of special significance is the so-called community string, which is an easy way of authentication in SNMP. The predefined value is often set to "public", which makes it easy to gain unauthorised access to the service.
Countermeasure: Use of hard-to-guess community strings, minimising the information SNMP gives out to the absolute necessary.
Investigation of users and computer systems; installation and execution of viruses and Trojan horses; damage of system resources; system overload.
Countermeasure: Switching off the ActiveX support, use of Microsoft Authenticode, activation of a high security level in the Internet Explorer, employment of ActiveX filters and the Internet Explorer Administration Kit in networks.

B.3.2 Java
Java offers sufficient security, but due to implementation bugs it is possible to attack the system with Java applets. The threats are modification of the system and resources, overload of the system, investigation and annoying of users.
Countermeasure: Switching off the Java functionality, employment of Java filters, working with signed applets.

Browser plug-ins are software modules which run on the client to extend the browser functionality, e.g. to display audio or video data. Plug-ins are platform independent. They occupy local disk space and have to be installed by the user.
Countermeasure: Training of users to prevent unintentional installation of plug-ins.

B.3.4 Cookies
Cookies can give information about the user profile to the Web server. This is done without the user noticing. The web pages can then be configured according to the user profile.
Countermeasure: Browser configuration so that cookies are not accepted, or not automatically accepted or stored; deleting of already stored cookies; employment of cookie filters.
[Appendix table of VPN products (manufacturer, URL, product name, platform, key management). The platform and key-management columns could not be realigned from the extracted text; the entries that are recoverable:]
IBM, http://www.ibm.com: IBM SNG (Secured Network Gateway)
Gemini: Trusted Firewall-Guard (GTFW-GD)
Timestep Corporation, http://www.timestep.com: Permit/Gate + Client; key management manual and IKE (ISAKMP/Oakley)
VP Net Technologies, http://www.vpnet.com
Toshiba, http://www.toshiba.com
Network Systems, http://www.storagetek.com: Borderguard and Security Router
TIS: Gauntlet Firewall
Other products listed: NARAC, Onnet, Border Manager (NetWare/IntranetWare), OpenBSD (all systems), e-lock VPN
Platforms named in the table: Linux 2.0.28, NetBSD-current, BSD/OS 2.0, Windows NT (4.0), Windows 95/98 (one entry: planned), Windows 3.11, OS/2, MAC, router embedded, V.34 modem
Key management methods named in the table: manual, SKIP, IKE (ISAKMP/Oakley), Pluto (Photuris), proprietary; IPSec
[Appendix project schedule, table 1: planned Begin and End dates per work item; overall project 01.02.99 to 31.05.99. The per-item date columns could not be realigned from the extracted text. Work items: Security Concept in general; Cryptographic methods; Digital Signature; Key Management; Trust Centre; VPN; Viruses; Interim Report; INTERIM REPORT completed; Questionnaire Revision; Product Information; Comparing Products; All Information from the Organisation; Analysis; Analysis joint data; Analysis special data; Concept; Realisation; Test; Documentation; Background and Theory; Product information; Data Analysis; Technical Approach; Results; Conclusion and recommendations for further work; Documentation of Realisation and Test; Report Revision; FINAL REPORT completed; Presentation of Final Year Project; Preparation; Presentation at OptiNet]
[Table 2: items 1 to 32 with planned Begin/End and Real Begin/Real End dates; overall project (Security Concept) planned 01.02.99 to 31.05.99, real 01.02.99 to 28.05.99; INTERIM REPORT completed 12.02.99; FINAL REPORT completed 31.05.99; responsible for all items: Christa, Christine. Items: Security Concept; Research; Security Concept in general; Cryptographic methods; Digital Signature; Key management; Trust Centre; VPN; Interim Report; INTERIM REPORT completed; Questionnaire Revision; Product Information; Comparing Products / Product criteria; Information from the Organisation; Meeting with customer; Organise new information; Further Questions; Meeting with customer; Organise new information; Preparation of Presentation; Concept Presentation; Organise new information; Data Analysis; Concept; Realisation; Test; Documentation; FINAL REPORT completed; Presentation of Final Year Project; Preparation; Presentation at OptiNet]
Appendix E Questionnaire
1 Existing Infrastructure
1.1. Record the hardware infrastructure, if possible in graphical form.
1.1.1. What does the passive cable network look like? This must be recorded exactly.
1.1.2. Which end devices are used? This means input and output devices.
1.1.3. Which active components exist (routers, switches etc.)?
1.2. Which technologies are used? (ATM, Ethernet, Token Ring, etc.)
1.3. Specify physical and logical network transitions, network sovereignty and management zones.
1.4. Describe the address structure.
1.4.1. How are the addresses administrated? (DNS server, DHCP, etc.)
1.5. Which protocols are used? (IP, IPX, DECnet, NetBIOS etc.)
1.6. Which operating systems are used? (Windows NT, Windows 95/98, Linux, Unix (which), Novell NetWare etc.)
2 Security of operation
2.1. Are there any hardware redundancies (routers, switches, servers etc.)?
2.2. Is there a backup concept?
2.2.1. What kind of tools are used for the backup?
2.2.2. Which data is stored (user, system)?
2.2.3. How often is data stored?
2.2.4. For how long is the backup stored?
2.2.5. Where is the backup done?
2.2.6. Where is the backup stored?
2.2.7. What kind of medium is used for the backup?
2.3. Who is responsible for operational security?
3 Remote Access Points
3.1. Are there any access points from outside to the Intranet?
3.2. Is there any access from the Intranet to other networks?
3.3. Is there any access control and monitoring?
3.3.1. What kind of control and monitoring is used?
3.3.2. Who is responsible for carrying it out?
3.3.3. What kind of consequences are drawn from it?
3.3.4. Is there a standardised concept?
3.4. Are there any policies or user guidelines?
3.5. What does the communication profile with external partners look like?
3.5.1. Is there a security policy of the external partner?
3.5.2. How is the access realised?
3.5.3. For what are the external users authorised?
4 Analysis of the security grade of the Intranet within the company
4.1. Define relations of trust
4.1.1. Against whom shall be protected?
4.1.2. What shall be protected?
4.1.3. Against what shall be protected?
4.2. Which data is how confidential?
4.3. Are there legal rules that must be observed?
4.4. To which extent is data integrity to be secured?
4.5. Which data is to be secured, and how?
4.5.1. Is there already a list of assets which have to be protected?
4.6. Are there sensitive data points in the network?
4.6.1. Where are they?
4.7. Administration structure of the network operating system?
4.8. Communication profile
4.8.1. Who is communicating with whom?
4.8.2. Which services are used? (Facsimile, mail, phone etc.)
4.9. Is there a security policy in existence?
4.9.1. What does it look like?
4.10. Cost-benefit analysis
4.10.1. Which financial damage will be done if the data is lost?
4.10.2. How high is the expense to protect the sensitive data?
4.10.3. How much time and work shall be invested?
5 Analysis of Security Risks
5.1. Are there any known security risks in the organisational structure?
5.1.1. Are there any security zones?
5.1.1.1. Are there any provisions governing the site access authorisations?
5.1.1.2. Are there any restrictions for site access?
5.1.1.3. What do access controls look like?
5.1.2. Where and how is sensitive data processed?
5.1.3. Are there any areas where sensitive data can be found in paper form?
5.2. Is there a security officer?
5.3. Are the users trained in security aspects?
5.4. Are the security risks of the operating systems known?
5.5. Are there any known security risks based on the complexity of the network?
5.5.1. Can the complexity of the network be reduced?
5.6. Are there any regular security checks of the IT system?
5.6.1. In what way are the results treated?
6 Firewall concept for access control
6.1. Definition of the requirements of the firewall system (definition of rules, recommendations)
6.2. Shall a packet filter be used?
6.3. Is NAT (Network Address Translation) needed?
6.4. Which filters are needed at application level?
6.5. Are proxies needed?
6.6. Which services shall be used and in which direction (inbound or outbound)? (E-mail, WWW (HTTP, Java, ActiveX, CGI etc.), News (NNTP), Telnet, Rlogin, FTP, etc.)
6.7. How high must the availability of the services be?
6.8. Which network protocols shall be used? (UDP, TCP)
6.9. Is there a preferred operating system which the firewall should have?
6.10. How important is the performance?
6.11. Operating concept (monitoring, alarming, patches; how are changes implemented and by whom?)
7 Encryption Systems and Authentication
7.1. Are there any encryption systems in use?
7.1.1. Is there any e-mail encryption in use (PGP, PEM etc.)?
7.1.2. Which key length is used?
7.2. Do you use a trust centre?
7.3. Are there any authentication systems in use?
7.3.1. Do you use digital signatures or are they required?
7.3.2. Do you use smart cards or other systems for authentication?
7.4. Are VPNs in operation?
7.4.1. Where and what for are these VPNs?
8 Virus scanner
8.1. Are there any virus scanners in use?
8.1.1. Which virus scanners are used?
8.1.2. Which version number is in use and how old is this version?
8.1.3. Are there regular updates?
8.2. How are virus scanners used (automatically with the booting of the system, manually by the user etc.)?
8.3. Are the users trained in using a virus scanner?
8.3.1. Do the users use virus scanners?
Appendix F Abbreviations
AAA Authentication, Authorisation, Accounting
ADP Automated Data Processing
AH Authentication Header
ANSI American National Standards Institute
BSI Bundesministerium für Sicherheit in der Informationstechnologie
CA Certification Authority
CBC Cipher Block Chaining
CFB Cipher Feedback
CHAP Challenge Handshake Authentication Protocol
CLIP Calling Line Identification Presentation
COLP Connected Line Identification Presentation
DEA Data Encryption Algorithm
DES Data Encryption Standard
DLSS Discrete Logarithm Signature Systems
DMZ Demilitarised Zone
DSA Digital Signature Algorithm
DSS Digital Signature Standard
ESP Encapsulating Security Payload
FIPS Federal Information Processing Standard
GSM Global System for Mobile Communication
IETF Internet Engineering Task Force
IDEA International Data Encryption Algorithm
IKE Internet Key Exchange
IP Internet Protocol
IPSec IP Security
ISAKMP Internet Security Association and Key Management Protocol
ISO International Standards Organization
ISP Internet Service Provider
L2F Layer 2 Forwarding
L2TP Layer 2 Tunneling Protocol
MIME Multipurpose Internet Mail Extension
MPPE Microsoft Point-to-Point Encryption
MPR/GA Multi Protocol Router for Global Access
NAS Network Access Server
NBS National Bureau of Standards
NIST National Institute of Standards and Technology
NSA National Security Agency
PAP Password Authentication Protocol
PEM Privacy Enhanced Mail
PES Proposed Encryption Standard
PGP Pretty Good Privacy
PKI Public Key Infrastructure
POP Point of Presence
PPP Point to Point Protocol
PPTP Point to Point Tunneling Protocol
PSE Personal Security Environment
RADIUS Remote Authentication Dial-In User Service
RC4 Rivest Code 4
RSA Rivest-Shamir-Adleman algorithm
RWS/GA Remote Workstation for Global Access
SA Security Association
SHA Secure Hash Algorithm
SKIP Simple Key Management over IP
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SPI Security Parameter Index
SSN Secure Server Network
TCP Transmission Control Protocol
TI Tunnel Initiator
TT Tunnel Terminator
VPN Virtual Private Network
Appendix G Glossary
according to organisational policy or law. access control lists Rules for packet lters (typically routers) that de ne which packets to pass and which to block. access router A router that connects your network to the external Internet. Typically, this is your rst line of defence against attackers from the outside Internet. application-level rewall A rewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. attack An attempt to bypass security controls on a system. An active attack alters data. A passive attack releases data. Whether an attack succeed depends on the vulnerability of the system and the e ectiveness of existing countermeasures. authentication The process of proving that a subject (e.g., a user or a system) is what the subject claims to be. Authentication is a measure used to verify the eligibility of a subject and the ability of that subject to access certain information. authentication header (AH) A part of the security protocol IPSec that provides authentication and optional replay-detection services. AH is embedded in the data to be protected (a full IP datagram, for example). AH can be used either by itself or with Encryption Service Payload (ESP). Refer to the IETF draft for AH. authorisation The granting of rights to a user, a program, or a process. For example, certain users may be authorised to access certain les in a system,
abuse of privilege When a user performs an action that he should not have,
113
APPENDIX G. GLOSSARY
whereas only the system administrator may be authorised to export data from a trusted system.
bastion host A system that has been hardened to resist attack, and which is
installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of rewalls, or may be \outside" web servers or public access systems. public key associated with this identity.
certi cate A cryptographically signed object that contains an identity and a certi cation A technical evaluation performed as part of, and in support of, ciphertext In cryptography, the unintelligible text that results from encrypting
original text. Contrast withplaintext. the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a prespeci ed set of security requirements.
compromise Unauthorised disclosure or loss of sensitive information. con dentiality A security principle that keeps information from being disclosed
to anyone not authorised to access it. Synonymous with secrecy. tos" meaning \hidden" and the \graphia" meaning \writing."
cryptography The study of encryption and decryption. From th Greek \krypdata encryption standard (DES) A private key encryption algorithm adopted
as the federal standard for the protection of sensitive information and used extensively for the protection of commercial data as well. nal text (called plaintext). Contrast with encryption. and the identity of the sender and receiver.
decryption The transformation of encrypted text (called ciphertext) into origidigital signature An authentication tool that veri es the origin of a message de-militarised zone (DMZ) A network which is located between a protected
and a external network to build an additional security layer.
114
Final Report
the name service cache of a victim system, or by compromising a domain name server for a valid domain. dual homed gateway A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a di erent network. In rewall con gurations, a dual homed gateway usually acts to block or lter some or all of the tra c trying to pass between the networks. encapsulating security payload (ESP) A security protocol that provides data con dentiality and protection with optional authentication and replay{detection services. ESP completely encapsulates user data. ESP can be used either by itself or in conjunction with AH. Check out IP Encapsulating Security Payload (ESP). This is the IETF draft for ESP. encryption The transformation of original text (called plaintext) into unintelligible text (called ciphertext). Contrast with decryption. rewall A system or combination of systems that enforces a boundary between two or more networks. hash A one way function that takes an input message of arbitrary length and produces a xed length digest. Examples are Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) host-based security The technique of securing an individual system from attack. Host based security is operating system and version dependent. insider attack An attack originating from inside a protected network. integrity A security principle that keeps information from being modi ed or otherwise corrupted either maliciously or accidentally. intrusion detection Detection of break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network. IP splicing / hijacking An attack whereby an active, established, session is intercepted and co-opted by the attacker. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorised user. 
Primary protections against IP splicing rely on encryption at the session or network layer. IP spoo ng An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.
DNS spoo ng Assuming the DNS name of another system by either corrupting
115
APPENDIX G. GLOSSARY
key In cryptography, a secret value that's used to encrypt and decrypt messages.
A Sequence of symbols (often a large number) that's usually known only to the sender and the receiver of the message. See also private key encryption and public key encryption. minimum amount of system privilege. This reduces the authorisation level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorised activity resulting in a security breach. rewall or network.
logging The process of storing information about events that occurred on the Message Digest 5 (MD5) A one way hashing algorithm that produces a 128one-time cipher or one-time pad A type of encryption in which a cipher is
used only once. Two copies of a pad are created one copy goes to the sender,and the other to the recipient. The pad contains a random number for each character in the original message. with ciphertext. bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4, which is designed to strengthen the security of this hashing algorithm. SHA is more secure than MD4 and MD5.
plaintext In cryptography, the original text that is being encrypted. Contrast policy Organisation-level rules governing acceptable use of computing resources,
security practices, and operational procedures.
proxy A software agent that acts on behalf of a user. Typical proxies accept
a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination. lated keys. The private key is known only to its owner. The public key is known by a group of users. Also called asymmetric encryption. Contrast with private key encryption. system vulnerability.
public key encryption A type of encryption that uses two mathematically re-
risk The probability that a particular security threat will exploit a particular
116
Final Report
RSA A public key cryptographic algorithm (named after its inventors, Rivest,
Shamir and Adleman) with a variable key length. RSA's main weakness is that it is signi cantly slow to compute compared to popular secret-key algorithms, such as DES.
screened host A host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router.
screened subnet A subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router.
screening router A router configured to permit or deny traffic based on a set of permission rules installed by the administrator. Rules are normally matched on source and destination address, protocol and port and are evaluated in order; a safe configuration denies anything that no rule explicitly permits.
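The three entries above (screened host, screened subnet, screening router) describe one arrangement: a router whose ordered rules decide what may reach the subnet behind it. The Python below is an added example, not part of the thesis, that evaluates such rules first-match with a default deny for a screened subnet holding a web and a mail host. The address plan (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the internal network) and the rule names are assumptions for the demonstration; the second router shows what goes wrong when a specific deny is placed after a broad permit.

```python
"""First-match packet screening, as a screening router does it in front of a screened subnet."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "any", "tcp", "udp" or "icmp"
    dport: Optional[int]   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class ScreeningRouter:
    """Rules are checked in order and the first match decides; anything unmatched is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"   # default deny: nothing is reachable unless a rule says so


# Assumed address plan using documentation ranges (not taken from the thesis).
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")        # the screened subnet: public web and mail hosts
INTERNAL = ip_network("10.0.0.0/8")     # private network behind the DMZ

NO_TELNET_INTO_DMZ = Rule("deny", INTERNAL, DMZ, "tcp", 23)
OUTBOUND_FROM_INSIDE = Rule("permit", INTERNAL, INTERNET, "tcp", None)


def screened_subnet_router() -> ScreeningRouter:
    """Only the DMZ services are reachable from outside. The internal network is never a
    destination for Internet traffic simply because no rule permits it."""
    return ScreeningRouter([
        Rule("permit", INTERNET, DMZ, "tcp", 80),   # public web server
        Rule("permit", INTERNET, DMZ, "tcp", 25),   # inbound mail relay
        NO_TELNET_INTO_DMZ,                         # specific deny must precede the broad permit
        OUTBOUND_FROM_INSIDE,                       # also matches INTERNAL -> DMZ, hence the order
    ])


def misordered_router() -> ScreeningRouter:
    """The same rules with the broad permit first: the telnet deny can never be reached."""
    return ScreeningRouter([
        Rule("permit", INTERNET, DMZ, "tcp", 80),
        Rule("permit", INTERNET, DMZ, "tcp", 25),
        OUTBOUND_FROM_INSIDE,
        NO_TELNET_INTO_DMZ,
    ])


if __name__ == "__main__":
    router = screened_subnet_router()
    for pkt in [Packet("203.0.113.5", "192.0.2.10", "tcp", 80),   # Internet -> DMZ web
                Packet("203.0.113.5", "10.1.1.1", "tcp", 80),     # Internet -> internal host
                Packet("10.1.1.1", "192.0.2.10", "tcp", 23)]:     # inside -> DMZ telnet
        print(pkt, "->", router.decide(pkt))
```

The two routers hold identical rules; only the order differs, and that is enough to reopen telnet into the DMZ. When reviewing a real screening-router configuration, read it the way `decide` does, top to bottom, stopping at the first match.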
secrecy A security principle that keeps information from being disclosed to anyone not authorised to access it. Synonymous with confidentiality.
secret key encryption A type of encryption that uses a single key to both encrypt and decrypt information. Also called symmetric encryption. Contrast with public key encryption.
secure hash algorithm (SHA) A one-way hash function put forward by NIST. SHA is closely modelled on MD4 and produces a 160-bit digest. Because the digest is 160 bits, a brute-force search for a collision costs about 2^80 operations rather than the 2^64 needed against a 128-bit hash such as MD5, so SHA is more resistant to brute-force attacks, but it is slower. (The 160-bit variant, SHA-1, has since been broken by practical collision attacks; the SHA-2 family replaced it.)
security Freedom from risk or danger and the assurance of safety.
security level A representation of the sensitivity of information.
security policy The set of laws, rules, and practices that regulates how an organisation manages, protects, and distributes sensitive data.
APPENDIX G. GLOSSARY
social engineering … target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorised user, in an attempt to gain illicit access to systems.
substitution cipher A type of cipher that replaces the characters being encrypted with other characters.
threat A possible danger to a computer system.
token A physical item that is used to prove identity. Typically an electronic device that can be inserted in a door or a computer system to gain access.
transposition cipher A type of cipher that rearranges the order of the characters being encrypted but does not change the characters themselves.
trojan horse A software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program.
trust Reliance on the ability of a system to meet its specification.
virus A replicating code segment that attaches itself to a program or data file. Viruses may or may not contain attack programs or trapdoors.
vulnerability A weakness in a computer system, or a point where the system is susceptible to attack. The weakness could be exploited to violate system security.
worm A standalone program that, when run, copies itself from one host to another and then runs itself on each newly infected host.
Index
Access control, 9, 13, 37, 39
AH, 48
Anonymity, 13
Application Layer, 28
Asymmetric algorithm, 19, 35
Auditing, 9
Authentication, 9, 28, 29, 31, 34, 35, 39, 40, 47–49
Authentication Header, see AH
Availability, 9, 12
Backup plan, 11
Block cipher, 20, 24
Blowfish, 23
Brute-force attack, 14, 18
CA, 36, 37, 51
Certificated systems, 13
Certification Authority, see CA
Chosen-plaintext attack, 15
Ciphertext-only attack, 15
Confidentiality, 8, 12, 31, 37, 39, 47
Confusion, 17, 20
Consistency, 9
Cryptanalysis, 14, 15, 17, 21
Cryptography, 13, 14, 18, 19, 31, 37
Data Encryption Standard, see DES
DES, 21–24, 32, 33
Diffie-Hellman, 25–27, 32
Diffusion, 17, 20, 24
Digital signature, 27–29, 31–36
Digital Signature Algorithm, see DSA
Digital Signature Standard, see DSS
Disaster, 54
Disaster plan, 11, 53
Discrete Logarithm Signature Systems, see DLSS
DLSS, 27
DSA, 27
DSS, 27, 28
E-mail, 31, 32
ElGamal, 27
Encapsulating Security Payload, 48
ESP, 48
Extranet VPN, 39, 40, 46
Firewall, 65
Green Book, 12, 13
Homophone substitution, 16
IDEA, 23, 24, 32
Integrity, 8, 12, 29, 31, 35, 37, 47, 48
Intranet VPN, 39, 46
IPSec, 42, 47–50
IP Security, 42
ISAKMP, 50
Key management, 35, 40, 49–51
Known-plaintext attack, 15, 16
L2F, 42, 59
L2TP, 42
Layer 2 Forwarding, 42
Layer 2 Tunneling Protocol, 42
Level of Security, 12, 30
Link Layer, 30
Mailtrust, 34
Man-in-the-middle attack, 15
Network Layer, 29
Non-brute-force attack, 18
Non-repudiation, 9, 28, 31, 35
One-time pad, 16
Orange Book, 12
Organisational measures, 11, 70
Originality, 13
OSI reference model, 28
PEM, 32–34
PGP, 32–34, 36
Physical Layer, 30
Point-to-Point Tunneling Protocol, 42
PPTP, 42, 59
Pretty Good Privacy, see PGP
Privacy Enhanced Mail, see PEM
Private key, 18, 19, 25, 35
Pseudonymity, 13
Public key, 17–20, 25–27, 31, 35, 36
RC4, 25
Recovery concept, 11
Remote Access VPN, 39, 40, 44
Restart plan, 11
Risk analysis, 9, 11, 53, 63
Risk avoidance, 10, 11
RSA, 26, 27, 32, 33, 35
S/MIME, 33, 34
Safety, 7
Secret key, 17–21, 36
Secure Hash Algorithm, see SHA
Security, 7
Security concept, 9, 11, 53, 55, 56
Security measures, 7
Security plan, 11, 53, 54, 65
Security policy, 11, 40
SHA, 27
SKIP, 50
Stream cipher, 20, 25
Structural measures, 82
Substitution, 16, 17, 21, 22
Symmetric algorithms, 19, 20, 22, 25, 35
Technical measures, 65
Threats, 8, 54, 64
Timing attack, 15
Transport Layer, 29
Transposition, 16, 17
Triple DES, 21, 32, 33
Trust Centre, 36, 37
Tunnel, 37, 42–46
Tunneling, 42, 44, 46, 59
Unobservability, 13
Vigenère cipher, 16
Virtual Private Network, see VPN
VPN, 7, 14, 37–40, 47, 49, 56–61, 68, 69
Web of Trust, 36