IT Security Coming of Age
Many articles have been written about the latest and greatest tools for securing your machines and network from unwanted attack. Firewalls, security analysis tools, intrusion monitoring, and other topics have inundated the press for the past few years. Yet, the topic that is rarely discussed, and in which system administrators play a role is security architecture.
Yes, information security is only one component, but a well-rounded and well thought out architecture, even if focused only on information security plays a vital part in the protection of your corporate information.
This article suggests a sample model for the design of a security infrastructure, and is founded on published documentation and my experience as a systems administrator and information security specialist. For additional background on why a planned architecture is essential, who should focus on it, and the various industry forces pointing us in that direction, please see the companion article on the Sys Admin Web site at: http://www.samag.com.
A Security Infrastructure Model
For most organizations, the information technology model has changed dramatically during the past seven years. Many larger organizations have had to wrestle with the task of moving from a mainframe computing model to a workstation model. This generated a whole new set of problems and issues that had not been considered in a mainframe computing model. Figure 1 illustrates an example of a functional security model. We see that it essentially provides us with a framework with which to build our architecture.
This architecture addresses the concerns and requirements that have previously been mentioned in this article. And while it may be somewhat reminiscent of the OSI 7-layer model, it takes into consideration the client server environment, network-based applications and services, user behavior, alarms or monitoring systems, and the physical environment. This model also incorporates the elements of physical security and awareness, including user training, which are often overlooked. Unless the user community understands what is expected from them in the security model, it will be difficult, if not impossible, to maintain.
The Infrastructure Elements
Let us examine each of the elements in the infrastructure model.
Fundamentally, information security is in the hands of the users. Regardless of the measures that may be implemented, carelessness of individuals involved in the preparation, consolidation, processing, recording, or movement of information may compromise any or all security measures. (Thus, this layer looks at the human-related processes, procedures, and knowledge related to developing a secure environment. These include user training, information security training and awareness, and security policies and procedures.
Policies and procedures, generally speaking, have been slow to reflect the portable electronic-desk age. Unfortunately, although users are using the corporate resources, or the Internet, they are generally uneducated in security issues and how to protect themselves. It is not so much that the problems are new (i.e., we have been using passwords and encryption for several decades) but that the means to attack a secure system have become considerably more sophisticated. In the past, the solutions have been provided by the facilities or services; however, because of the changes in information technology and the appearance of a more sophisticated perpetrator, this is no longer possible. This situation is reflected in user training (i.e., security is frequently an afterthought in a training program).
Behavioral problems cannot, for the most part be controlled by technology, they must be addressed as management issues. To be effective in addressing such problems, management requires supportive corporate policies and procedures.
The access layer relates to the control mechanisms for limiting access to systems or services to authorized people or systems. This layer includes, for example, identification of the user, thte user's authorization, and security practices and procedures. Examples of items included in this layer are: password and privilege management, user registration, and access control.
A general opinion in the industry today is that the days of the re-usable password are over. Most passwords chosen by users are simple to remember, which, in all likelihood, means they are also easy to break in a relatively short time with desktop computing power. In many systems, passwords are transmitted "in the clear", which presents an opportunity for the perpetrator with transmission monitoring technology (e.g., a LAN sniffer, cellular radio scanner, etc.) to discover an entry point.
To protect against the increased hacking activity, it is imperative that passwords be impossible to guess and changed frequently, an activity highly dependent on the security consciousness of the user. It is well known that stolen password files have revealed easily guessed passwords.
To address the access control problem, some emphasis must be placed upon using passwords that are not easy to guess, such as one-time passwords, or multiple factor authentication tools.
The data aspect of the architecture addresses the measures taken to ensure data origination authenticity, integrity, availability, non-repudiation, and confidentiality. This layer addresses such things as database management, data movement and storage, backup and recovery, and encryption.
Security for data elements, particularly considering the trend for shared use of data by several applications, is cause for growing concern. Information repositories are managed in an ad hoc fashion creating major challenges when a part of the company is transferred to another owner, a development partnership expires, or an individual leaves the company. A single corporate directory of people and systems maintained in real time and conforming to international standards is an operational imperative.
Data in transit, particularly to parts of the globe where communications facilities are being monitored, is also cause for concern. This concern is heightened due to the restrictions placed on the use of encryption technology at the session level in order to protect both data and voice services.
The application and services layer addresses the controls required to ensure the proper management of information processing, including inputs and outputs, and the provision of published information exchange services.
One problem at this layer is the number of legacy systems in existence that may represent a security risk, but this problem is most likely not sufficient to warrant investment in a rewrite. New applications under development are more likely to have security features engineered or take advantage of the features of the database technology utilized.
Operating System Layer
The operating system layer provides all the functionality for applications to be executed and management of system peripheral units, including connectivity to network facilities. A heterogeneous computing environment cannot be considered homogeneous from a security perspective, as each manufacturer has addressed the various security issues in a different manner.
Generally speaking, UNIX users are aware of the need for a higher degree of security consciousness than their mainframe/PC counterparts - if only because of the different forms of information they tend to process and the experiences of susceptibility in the past. There is no virus-checking software for the UNIX platforms. CERT warnings and recommendations assist greatly in addressing problem areas before they become too well known.
The network layer addresses connectivity between one user, or system, and another for the purposes of information exchange. In this context, information may be in the form of data, image, or sound and may be transmitted using copper, fiber, or wireless technologies. This layer includes specific measures to address intra- and inter-enterprise information containment controls, the use of private or public services, and protocols.
The network layer includes the Local Area Network, and the corporate Wide Area Network. It also identifies that the communication systems used to provide the LAN and WAN will depend upon the firewall or gateway to provide a physical separation between them and the other network. The use of the firewall within the network layer is important. Many corporations make use of the public carrier services to provide their communications network, since few companies also operate their own wires and cables for communications.
Alarm and Monitoring Systems
Each of the foregoing layers will provide the capability to monitor activities within the layer. Monitoring systems will be capable of collecting information from one or more layers that trigger alarm mechanisms when certain undesirable operational or security criteria are met. The alarm and monitoring tools layer will include such things as event logging, system usage, exception reporting, and clock synchronization.
Physical security pertains to all practices, procedures, and measures relating to the operating environment, the movement of people, equipment or goods, building access, wiring, system hardware, etc. to ensure that corporate assets are not subjected to unwarranted security risks. Items addressed at this layer include secure areas, security of equipment off-premises, movement of equipment, and secure disposal of equipment.
Unfortunately, all of this is not easily accomplished. Rather, the organization will only be able to successfully address these issues through careful planning and implementation. In many organizations the responsibilities for some of these layers are shared among groups, while others are clearly the responsibility of one.
The Translation: Plan into Action
The diagram in Figure 1 is a functional representation of a security infrastructure. Translating that view into actual technologies can be very difficult, and in some places, it isn't technologies that are needed, but sound policies, training, and user education. Figure 2 illustrates the components of an infrastructure program that are above the network layer.
As shown in Figure 2, the security control infrastructure is composed of tools and processes that sit between the application and the network. The security control infrastructure replaces some of the control features in the applications - mostly user authentication. This means that the application is no longer required to have its own view of user authentication. Thus, the user can authenticate once and let the security control infrastructure take over. This allows for the eventual implementation of a single sign on capability.
As illustrated, the security control infrastructure is dependent upon an information repository based upon an X.500 directory product. This standard repository allows all of the required information about a user to be shared amongst the various applications, services, and departments within the corporation. It also allows for information, including encryption keys, and ID pictures, to be included for later retrieval as needed.
A solid authentication method is also required. Because not all authentication methods are capable of addressing all authentication concerns, the infrastructure may need to provide several mechanisms, including static passwords, one-time passwords, and multi-factor authentication tools.
A centralized tool for the management of individual user and process privileges is required. This interacts with the application and security control infrastructure to determine what the user is allowed to do. This centralized tool is dependent upon the existence of a corporate-wide privilege database, which contains the access and application rights for every user in the corporation.
The result is a security infrastructure that has the ability to deliver encryption, strong authentication, and a corporate directory today, and the ability to add single sign-on and advanced privilege management in the future.
The Corporate Directory
In the infrastructure diagram discussed above, there is a need for a corporate-wide database used for a variety of services. To have a global corporate management tool, there must be a trusted central repository in which the information is stored.
Although the actual corporate directory implemented may be of proprietary design, it is recommended that a standard technology such as X.500 be implemented. This resolves the organizational application development costs, and allows for reduced time to deployment and improved utilization. X.500 itself provides a way to establish a data repository and a transport to distribute the information to applications, services, and users. For example, X.500 can be used to provide email address directories and ID pictures for the physical security group and the public key infrastructure used within the corporation.
The objective is to reach the point that when an employee leaves, denying access within the corporate database will disable other services that the user has access to. Now that the infrastructure can look up information from the corporate directory, we must be concerned with the identity of the user making the request.
Much documentation and research into authentication is available, and the organization must ultimately decide which authentication method makes sense for its business needs. However, as stated previously, the common thread is that in today's environment, the simple password just isn't good enough anymore.
With the implementation of the corporate directory, we must then determine the identity of the user requesting access. Without the assurance of who the user is, any security measures are useless. One such implementation uses smart card technology for its authentication mechanism. This technology, such as Security Dynamics SecurID and similar products, provides a high level of trust that the person logging in is indeed that individual. With the use of the smart card, we can also consider it for non-computing applications such as access to voice mail and other telephony services. This technology also allows us to provide strong controls on gateways and firewalls where access must be restricted. In that sense, it is important that the company take a serious view when unauthorized users gain access with an authorized user's card.
No authentication method is perfect, and we can only hope to establish even greater levels of trust to the authenticating users. However, we must bear in mind that user authentication is only one aspect. The second is authentication of the information. This is achieved through the use of digital signature, which provides the authentication and integrity of the original message.
Encryption and Information Protection
In today's business environment, the protection of our corporate and strategic information has become a necessity. Consequently, parts of the infrastructure requirements are encryption and digital signature.
Encryption is currently the only way to ensure the confidentiality of electronic information. A whole book has been dedicated to applied cryptography, and there are countless papers about its strengths and weaknesses. This article doesn't differentiate between symmetric and asymmetric encryption other than to say that a corporation cannot base its information protection scheme upon a symmetric or private key system. The only way to successfully implement encryption across an organization is to use a public key infrastructure (PKI).
Encrypting files before sending them over the Internet is essential given the amount of business and intellectual property stolen over the Internet each year. The infrastructure must provide for key management and the ability to handle keys of varying size. For example, a global company must be able to provide support for 40, 56, 128 bit, and greater key lengths.
Additionally, the mobile user workforce must be able to protect the integrity and confidentiality of their data in the event that their computer is stolen. This level of protection is accomplished with encryption along with disk and system locking tools.
Of equal importance to the mobile user is session encryption. The ability to know that sensitive information is not visible to prying eyes is of importance for the corporation, and in some cases vital due to legislative issues.
Firewalls and Network Perimeter Control
As part of the infrastructure, it is necessary to provide for the construction of a perimeter around your network. This is typically done through the use of firewalls or secure gateways. There are many books and publications on firewalls and their implementation. However, firewalls are not the top level of our infrastructure. Without the ability to identify and authenticate users and specify their authorizations, all users either have access, or they don't.
The firewall provides the mechanism for limiting and controlling access to and from the corporate network. It is important to prevent certain types of outgoing access in order to reduce risks, thus firewalls should not be wide open for outbound services. For example, many companies do not permit the viewing or downloading of sexually explicit material. The firewall can assist in controlling access to these sites from the corporate network. In short, the firewall is an essential tool in the implementation of the corporation's security policies.
However, firewalls are often required by the government when a corporate network extends into countries where legislative restrictions apply. Consequently, the deployment of the secure gateway must be tightly linked to the infrastructure and corporate policies.
What Changes are Coming?
As changes in technology occur, you should be ready for them. With the extensive research into privilege management and the enhanced security features of IPv6, you should be able to utilize those features without redesigning your infrastructure.
For example, as smart and crypto card technology moves forward to include encryption capability, you will want to be able to use it. Alternatively, with the advances in biometrics, you may choose to replace smart cards with fingerprint devices. You will need to watch, evaluate, and decide what makes sense for your organization. The point is that the infrastructure must be flexible enough to adapt to new technologies, issues, corporate policy, and external legislation in a modular, plug-in fashion.
Through the development of a security infrastructure that is global in basis and supported by the management structure, the following benefits are realized:
- The ability to encourage developers to include security in the early stages of their new products or business processes;
- The risks and costs associated with new ventures or business partners are reduced an order of magnitude from current reactive processes;
- Centralized planning and operations with an infrastructure that is responsive to meeting business needs;
- Business application developers can deliver stronger controls over stored intellectual capital;
- The risks associated with loss of confidentiality are minimized;
- A strengthening of security capabilities within the installed backbone applications (e.g., email, servers, WWW);
- The privacy and integrity associated with the corporation's intellectual capital is increased; and
- The risks and costs associated with security failures are reduced.
In conclusion, your security infrastructure must be global in nature and must encompass the entire organization no matter where it is. It must be consistently applied, and offer protection against both internal and external threats. It must provide for perimeter and intrusion detection. It must be configurable in order to adapt to changes in the corporate directions and focus, or as the network evolves. Above all else, the infrastructure must allow the network users, developers, and administrators to contribute to the corporation's security by allowing them to do the right thing.
About the Author
Chris Hare is the Manager, Security Operations for Nortel Networks. He was previously with iSTAR Internet (now PSINet Canada) and Choreo Systems Inc. He has a broad background including more than 10 years in system administration, UNIX, programming, training, security and technical management. He is the author of numerous articles published in Sys Admin magazine and co-author of several books including Inside UNIX, Internet Firewalls and Network Security, and the Internet Security Professional Reference. Chris lives in Ottawa, Canada, and can be reached through firstname.lastname@example.org.