We don't have a Secure Network
An Alarmist Memo
Mark Verber
Draft 2.0 October, 1997
Version 1.0 April 1994
It is my belief that we most likely have crackers who have not yet
been detected who have access to the internal COMPANY network. If
we don't have crackers today, I expect that we will any time now. The
question is, do we care, and are we willing to do anything about it?
Why Is There A Problem?
Ease of Internet Connections
In the "good old days" (not so good really) connections to the public
Internet were expensive and difficult to get. It was possible to keep
the internal corporate network reasonably secure from outside crackers
by the use of a carefully designed and administered firewall. We had a
single "choke point" which could be monitored and protected.
These days there are hundreds of Internet Service Providers (ISPs).
Competition has driven the cost of dialup Internet connections down to
the single digits in some markets. Internet connections are now in
the reach of anyone who wants to purchase one. With the dropping
price of ISDN and Frame Relay it is possible to get reasonably high
bandwidth connections for a very reasonable cost. The bottom line is that
anyone can go out and purchase an Internet connection and there is virtually
no way for COMPANY to discover this.
The "business need" of the Internet
The Internet is hot! Nearly every issue of the national news and business
magazines has articles about the Internet. Many people within COMPANY feel
that they have a business requirement to be "On the Internet". Groups
want to publish information, share data with customers, access resources
which other organizations are making available, etc. There is a sense of
urgency with all of these desires.
Organizations believe they need services which are offered but which
they don't know about, or services that are not currently offered.
Since the cost of purchasing Internet services is so low, it does not
take high levels of approval to purchase an Internet connection. This
is to say that unless *every* employee of COMPANY, and every contractor
who works in a COMPANY facility knows and abides by a rule that only
"official" Internet connections will be made, there will be
connections made to the public Internet that the people responsible
for the corporate network will most likely never know about, and that
will not be adequately secured.
Connections are Hard to Detect
Once a connection is up, it is difficult to detect. There is no practical
way to detect all external network connections unless all machines within COMPANY
are forced to support SNMP and tools are run on a regular basis to
sweep *all* machines looking for interfaces which are connected to the
outside world. Macintoshes, PC laptops, UNIX workstations, and many other
network devices are capable of routing TCP/IP traffic if configured (or
is that misconfigured) to do so. Some connections might be noticeable
by advertising routing information, but in most cases our existing routing
infrastructure would obscure this information. Even without routing
information, it is possible to gain access to internal machines through
the use of "source routing." Unless we run traffic monitoring
tools on the internal COMPANY network, it is unlikely that we would discover
these connections.
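The sweep described above, as an added example (not part of the original memo): given an inventory of the kind an SNMP sweep would return, flag every host that holds an address outside the internal blocks, and rank it higher when its MIB-II ipForwarding object says it also routes packets, since that is the host that turns a dialup line into a gateway. The address blocks, host names and addresses are constructed for the example; the SNMP collector that would fill in the Host records is assumed and not shown.

```python
import ipaddress
from dataclasses import dataclass, field

# Address blocks that make up the internal COMPANY network. These are
# constructed for this example (the RFC 1918 private ranges); the real
# corporate allocations would go here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Host:
    """One machine as reported by an SNMP sweep (hypothetical collector)."""
    name: str
    ip_forwarding: bool            # MIB-II ipForwarding: True means the host routes
    addresses: list = field(default_factory=list)  # addresses bound to its interfaces


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit_hosts(hosts):
    """Classify hosts that hold an address outside the internal blocks.

    Returns a list of (name, external_addresses, severity) where severity is
    "gateway" when the host also forwards packets (it can route outside
    traffic onto the internal network) and "dual-homed" when it does not
    (it is reachable from both sides but is not, by itself, a router)."""
    findings = []
    for h in hosts:
        external = [a for a in h.addresses if not is_internal(a)]
        if not external:
            continue
        severity = "gateway" if h.ip_forwarding else "dual-homed"
        findings.append((h.name, external, severity))
    return findings


# Constructed sample inventory. The external addresses come from the
# RFC 5737 documentation ranges and do not belong to any real ISP.
SAMPLE_HOSTS = [
    Host("ws-eng-12", False, ["10.1.4.12"]),
    Host("mac-mkt-03", True, ["10.2.7.3", "198.51.100.77"]),    # dialup address, routing on
    Host("laptop-fin-9", False, ["10.3.1.9", "203.0.113.45"]),  # dialup address, routing off
    Host("core-rtr-1", True, ["10.0.0.1", "10.0.1.1"]),         # legitimate internal router
]

if __name__ == "__main__":
    for name, ext, sev in audit_hosts(SAMPLE_HOSTS):
        print(f"{sev:10s} {name}: {', '.join(ext)}")
```

A dual-homed host that is not forwarding still deserves a visit: turning routing on is a one-line change on most of the platforms named above, and source-routed packets can traverse it without any routing at all, so the sweep should be run regularly rather than once.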
These Small Connections will be Found by Crackers
I believe that we need to assume that if a connection exists to the public
Internet, some set of crackers will discover the link and make use of it.
First of all, we need to discount the "reasonable man" defense. Sometimes
people think that "reasonable people aren't going to spend hours and hours
cycling through all IP addresses looking for machines which they can probe."
We have plenty of evidence that there are people who do this, whether or
not it is reasonable. What's more, there is evidence that ISPs are one
of the primary targets of the crackers. Crackers break into ISPs, and then
use information they gain at the ISP to break into all the customers of
the ISP. This means that if someone's account with an ISP has any indication
that they work for COMPANY then some set of crackers has an idea how they might
gain access to COMPANY's internal network.
Once Network Connectivity exists... we are in trouble!
Given the network services that we are currently running, once someone
can inject and/or snoop packets on a network, they can completely
compromise the network in a matter of hours, if not minutes. The
classic mode of attack is finding a single machine which has not been
secured, breaking into that machine, and installing software which can
monitor all traffic on the network. Using such a tool it is possible
to break into nearly any machine. In fact, any machine which accepts
unencrypted network connections is vulnerable. Some tools exist today
which allow existing sessions to be hijacked merely by having a
machine with special software along the network path. [Crackers have
had these tools for at least a year, one is now sold commercially, see
IPWatcher.]
Once an internal network is compromised, every one of our firewalls is
currently vulnerable to attack. Once the firewall is attacked, a
"large" pipe to the outside world can be opened up. The only defense
is to force all administration to be done from the console, or to
permit only encrypted network connections (stelnet or Kerberized
connections) for administration.
What To Do?
Education
First we need to give up the illusion that our "internal" network can
be completely secure. Securing our networks is a practical
impossibility. This isn't to say that we can't reduce the risk greatly,
but to completely secure our networks would require verifying that
there are no data connections between our internal network and any
outside source except where we have connections which have been
verified to be secure (such as our Internet Firewalls). Given the
wide availability of dialup technology this is impractical. We would
need someone at every facility to go from office to office checking
to make sure no one has connected their computer to a phone line.
Second, we need to educate people that data security rests with the
owner of the data which needs to be protected. That isn't to say that
we don't attempt to provide protection, but that we realize that
general protection will not be adequate for highly sensitive
information. Many of our buildings have restricted access, yet we
realize that papers with "Confidential" labels should not be
left unattended on our desks.
Move to Secure Services
There are two ways to keep data secure. The first is to choose not to
share the information, that is, keep the data in a place that no one
can get to it. In your mind is the best place. The second best option
is keeping the information in a personal computer which doesn't have a
network connection, which sits in a locked room, and which requires a
secret password to decrypt the data. This is, of course, impractical. We
need to share information all the time, we just want to be sure that
the information is accessible to the people we have selected.
The second way to protect data is to use secured services. All
security experts agree that you can't trust data from computer
networks unless cryptographically strong authentication is used. You
can not assume data is private unless cryptographically strong
encryption is used. These techniques can be systematically applied to
various network protocols to assure that network communication is
secure. Examples of this include many XNS services, Kerberos based
applications, PGP electronic mail, PEM electronic mail, Secure-HTTP,
and Lotus Notes. A computing environment which is constructed using
only these services should be secure provided the platforms that these
services are running on are secure.
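As an added example (not code from the memo or from any of the products it names), here is the authentication half of that principle applied to a single message stream: every frame carries a sequence number and an HMAC-SHA256 tag under a key the two ends already share. The demo then plays the three things a host on the network path can do to an unauthenticated stream, altering bytes, injecting a replayed frame, and fabricating a frame, and shows the receiver rejecting each. The key exchange is assumed to have happened out of band (the job Kerberos does in the memo's examples) and is not modelled, and nothing here is encrypted: this gives integrity and origin, and privacy still requires strong encryption on top.

```python
import hashlib
import hmac
import secrets
import struct

SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 output


class AuthenticatedSender:
    """Stamps each message with a sequence number and an HMAC-SHA256 tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack(">Q", self.seq)
        self.seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class AuthenticatedReceiver:
    """Accepts a frame only if its tag verifies under the shared key and its
    sequence number has not been seen before."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def open(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None
        seq = struct.unpack(">Q", header)[0]
        if seq < self.next_seq:
            return None            # replayed (or out-of-order old) frame
        self.next_seq = seq + 1
        return payload


def demo():
    """Exercise the channel against the on-path attacks the memo describes.

    Returns a dict of outcomes; every value should be True."""
    key = secrets.token_bytes(32)         # assumed shared out of band (not modelled)
    sender, receiver = AuthenticatedSender(key), AuthenticatedReceiver(key)

    genuine = sender.seal(b"PUT /drawer/report.txt")
    accepted = receiver.open(genuine) == b"PUT /drawer/report.txt"

    # 1. A host on the path flips a byte of the payload in transit.
    tampered = bytearray(genuine)
    tampered[SEQ_LEN] ^= 0x01
    tamper_rejected = receiver.open(bytes(tampered)) is None

    # 2. The same genuine frame is injected a second time.
    replay_rejected = receiver.open(genuine) is None

    # 3. A party without the key fabricates a frame from scratch.
    forged = AuthenticatedSender(secrets.token_bytes(32)).seal(b"DELETE /drawer")
    forgery_rejected = receiver.open(forged) is None

    # 4. The next genuine frame still gets through after all of the above.
    still_works = receiver.open(sender.seal(b"GET /drawer")) == b"GET /drawer"

    return {"accepted": accepted, "tamper_rejected": tamper_rejected,
            "replay_rejected": replay_rejected, "forgery_rejected": forgery_rejected,
            "still_works": still_works}


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:17s} {'ok' if ok else 'FAILED'}")
```

The point the memo makes about sniffers follows directly: the receiver never decides whether to trust a frame by where it came from on the wire, only by whether the tag verifies, so a machine that can inject packets gains nothing from that ability alone.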
Of course, attention needs to be paid to the end-to-end security, not
just the protocol in use. See the memo posted to cyberpunks about End
to End security. Oftentimes we don't run secured services on
machines which are themselves secure. For example, XNS file services
are reasonably secure, using strong authentication which is provided by
the XNS Clearinghouse to determine who a user is, and to check that
user's identity against access control lists which grant access to a
particular file drawer. We have a high degree of certainty that files
on an XNS file server are well protected from unauthorized access
using XNS file protocols. But these days, many XNS file
services are running on UNIX workstations. These workstations have
not been constructed in a secure manner, so it is possible for
unauthorized people to gain access to the workstation. A sufficiently
skilled individual (or one with the appropriate tool) can then gain
access to data which *had* been protected by a secure service. This
is like locking your front door, but leaving a window open and
unlocked which anyone could crawl through.
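The "open window" check a practitioner would want on such a workstation, as an added example (not part of the memo and not tied to any XNS implementation): walk the directory that backs a file drawer and report every regular file whose permission bits let the group or anyone else at it. The service's ACL decides who may open the drawer through the file protocol; these bits decide who may read the same bytes after logging in to the host. The directory layout and file modes are constructed here so the example runs on its own.

```python
import os
import stat
import tempfile


def find_exposed_files(root: str):
    """Walk root and return (relative path, octal mode) for every regular file
    whose permission bits grant group or other any access at all.

    Such a file may be perfectly protected by the service's ACL and still be
    readable by anyone who obtains a local account on the host."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue                      # skip symlinks, sockets, etc.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                exposed.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(exposed)


def build_sample_drawer() -> str:
    """Create a throwaway directory standing in for a file drawer's backing
    store (constructed sample data) and return its path."""
    root = tempfile.mkdtemp(prefix="drawer-")
    os.mkdir(os.path.join(root, "private"))
    layout = {
        "private/budget.txt": 0o600,   # owner only: matches the ACL's intent
        "private/plan.txt": 0o644,     # world-readable: the ACL is bypassed on the host
        "private/notes.txt": 0o660,    # group-readable: exposed to every group member
        "index.txt": 0o600,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    drawer = build_sample_drawer()
    for rel, mode in find_exposed_files(drawer):
        print(f"{mode} {rel}")
```

Run against the real backing store this should come back empty; each line it prints is a file the secure service thinks it is guarding and the workstation is not.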