Security Threat Antidotes

Newton's third law of motion—frequently paraphrased as: For every action, there is an equal and opposite reaction—can be easily applied to the area of network security. For every security threat, there is an equally effective antidote.

Of course, network security is not the well-established field of classical physics; networking technologies are dynamic and continue to evolve at a rapid pace. It's a given that new security threats will emerge as a function of time. But it's also a given that over a period of time, if not immediately, those threats will be countered with effective antidotes. The following generic antidotes counter the four broad threat categories identified earlier in this chapter:

  • Information integrity (counters information corruption)

  • Information confidentiality (counters information disclosure)

  • Nonrepudiation, authentication, and authorization (counters repudiation and lack of authentication and authorization)

  • System availability (counters DoS)

Within a generic security antidote for a specific threat category, there can be numerous security solutions that implement a wide range of protocols and algorithms.

Information Integrity

Information integrity means that data or information remains unaltered, during transmission and storage, from the original value intended by its creator. (This statement does not imply anything about the integrity of the intent of the data creator, which is a separate issue.) Examples of the principle of data integrity are obvious and numerous.

If an SMB employee sends an e-mail message to a group of customers, data integrity means that the message will be delivered exactly as it was sent. Subtle changes will not be introduced into the message during its transmission. (If the message accidentally contains information that was not supposed to be sent to customers, the boss might wish that the message could be changed during transit, but that is a different issue!) Whether the contents of a message are proper or not, if they remain unchanged during transit, the principle of data integrity applies.

The extreme case of lack of data integrity in an e-mail transmission is sometimes said to be nondelivery of the message, or delivery with empty contents. Strictly speaking, those are failures of availability; integrity is about alteration that the recipient does not detect. Integrity of data in transit is closely coupled with authentication and nonrepudiation, but it is not provided by encryption alone. Many ciphers let an attacker who cannot read a message still flip bits of it in a predictable way, so what actually detects tampering is a message authentication code (MAC) or a digital signature computed over the message. A signature goes further: because it can be produced only with the sender's private key, it also ties the message to its sender, which is what prevents impersonation and what keeps the sender from later denying having sent it.
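
The following Python example, added here and not part of the book, shows why encryption alone does not give integrity. The keystream construction is a toy (SHA-256 in counter mode) chosen so the example runs with only the standard library; the message, the keys and the attacker's edit are constructed for illustration. The HMAC check over the ciphertext is the standard technique.

```python
"""Added example: encryption without a MAC does not detect tampering.

A stream cipher XORs the plaintext with a keystream, so flipping a bit of the
ciphertext flips the same bit of the decrypted plaintext and the recipient has
no way to notice. An HMAC over the ciphertext catches the change. The
keystream below is a constructed toy (SHA-256 in counter mode), not a real
cipher; the MAC check is the standard technique.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key || nonce || counter. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt, then MAC the nonce and ciphertext (encrypt-then-MAC)."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Check the MAC before touching the ciphertext; reject on mismatch."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, nonce, ct)


def tamper(ct: bytes, offset: int, original: bytes, replacement: bytes) -> bytes:
    """Attacker who knows the plaintext bytes at `offset` are `original` turns
    them into `replacement` without the key: ct' = ct XOR original XOR replacement."""
    assert len(original) == len(replacement)
    patch = xor_bytes(original, replacement)
    end = offset + len(patch)
    return ct[:offset] + xor_bytes(ct[offset:end], patch) + ct[end:]


def demo():
    """Constructed message; returns (what a MAC-less receiver would read, whether the MAC caught it)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY 0100 USD TO ACCT 4711"
    nonce, ct, tag = protect(enc_key, mac_key, nonce, msg)
    # Attacker rewrites the amount "0100" -> "9100" by editing ciphertext bits only
    ct_bad = tamper(ct, 4, b"0100", b"9100")
    forged = decrypt(enc_key, nonce, ct_bad)  # decrypts "successfully" without a MAC
    try:
        unprotect(enc_key, mac_key, nonce, ct_bad, tag)
        detected = False
    except ValueError:
        detected = True
    return forged, detected
```

Without the MAC the altered ciphertext decrypts to a different but perfectly plausible message, and the recipient cannot tell. Real protocols (TLS, SSH, authenticated cipher modes such as AES-GCM) bundle the integrity check with the cipher for exactly this reason.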

Here are some examples of lack of information integrity:

  • Application program installations or operating system upgrades that result in alterations to the system other than those intended by the vendor

  • Viruses that change or destroy data

  • Website defacements

Specific tools and procedures that are commonly used to enforce data integrity include the following:

  • Use of digital signatures, and encryption where confidentiality is also needed, for e-mail transmissions. A signature detects any alteration of the message and ties it to the signer's key, so it also counters repudiation; encryption counters disclosure but does not by itself prevent tampering.

  • Firewalls, together with regularly updated virus-scanning software at the gateway and on hosts, to prevent virus infestations and unauthorized access to the network from the outside. It is vital that the security administrator keep up with upgrades to the firewall software itself.

  • Strict procedures regarding installation of software applications and operating system upgrades. These procedures must ensure that the preinstallation state of the server or workstation can be quickly restored in case the device crashes or data is destroyed during the installation. For example, all installations could be tried first on an offline server or workstation before being attempted on a production unit.

  • Data audits to detect discrepancies between the actual and the intended data. (Don't be alarmed if this seems like an accounting function. Comprehensive network security encompasses many types of functions.)

  • Verifiable backup procedures. Backup procedures are verified by simulating complete data destruction and performing a restore from a backup device. Backup procedures are not verified when the backup software says that it successfully completed a backup. (Again, no need to be alarmed if this procedure seems like it has more to do with network administration than network security. Consider the final result of the procedure and decide for yourself under which umbrella to place it.)

  • Disaster recovery plan. (Linking information integrity with disaster recovery is perhaps stretching the security envelope thin and getting more and more controversial, so it's time to stop. But again, no need to get hung up on semantics. The final goal is data integrity under all circumstances.)
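
The backup item above says a backup is verified only by restoring it. The following Python example, added here and not part of the book, does exactly that with the standard library: it archives constructed sample data, records a SHA-256 manifest at backup time, restores the archive into an empty scratch directory and checks every file against the manifest. It also shows a truncated archive failing the check, which is the case the backup tool's own "completed" status would never reveal. File names and contents are constructed for the example.

```python
"""Added example: verify a backup by restoring it and checking a manifest.

A backup that the backup software reported as successful is not verified
until it has been restored somewhere empty and compared against what was
backed up. All sample data here is constructed for illustration.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, archive) -> dict:
    """Archive src as a gzipped tar and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def restore_and_verify(archive, expected: dict):
    """Restore into an empty scratch directory and diff against the manifest.
    Returns (ok, sorted list of paths that are missing or differ)."""
    # Python 3.12+ (and recent patch releases) offer a safe extraction filter
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error):
            return False, sorted(expected)  # unreadable archive: nothing usable restored
        actual = manifest(scratch)
        bad = sorted(p for p, digest in expected.items() if actual.get(p) != digest)
        return not bad, bad


def demo():
    """Constructed data: a good archive verifies, a truncated copy of it does not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-01.csv").write_text("id,amount\n1,100\n")
        (src / "notes.bin").write_bytes(os.urandom(4096))  # incompressible filler
        archive = tmp / "backup.tar.gz"
        expected = backup(src, archive)
        good_ok, _ = restore_and_verify(archive, expected)
        # Simulate a backup job that reported success but wrote an unusable file
        truncated = tmp / "truncated.tar.gz"
        truncated.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        bad_ok, problems = restore_and_verify(truncated, expected)
        return good_ok, bad_ok, problems
```

In production the manifest would be stored separately from the archive (a backup that carries its only checksum with it can be corrupted together with that checksum), and the restore test would be scheduled, not run once.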

Information Confidentiality

As stated earlier in this chapter, whenever an SMB's CEOs and CIOs think about network security, information confidentiality is probably their greatest concern. Information confidentiality needs to be enforced through technology as well as commonsense procedures.

The proactive approach to maintaining information confidentiality is, as a default, to deny everyone access to all of the confidential information, and then to permit access for authorized individuals as a function of their need to know. This concept is the basis for the use of firewalls and access control lists (ACLs). Access to information is denied unless explicitly granted.

Generic tools that facilitate the enforcement of information confidentiality include these:

  • Use of firewalls to secure the network from unauthorized outside penetration. Firewalls must be properly configured, the logs they generate must be monitored, and they must be subject to ongoing maintenance with upgrades to their software. Use of firewalls can be defeated from the inside if an authorized access point to the network is created that bypasses the firewall—for example, if an SMB's network is protected by a firewall, use of a modem or a digital subscriber line (DSL) on one or two workstations can bypass the firewall.

  • Use of encryption for confidential internal and external transmissions. A transmission encrypted with a modern cipher and a sufficiently long key (128 bits or more) that is intercepted, internally or externally, cannot be recovered by brute force no matter how much computing power the interceptor has. The realistic risks lie elsewhere: a key that is poorly generated, stored or shared, an outdated cipher or protocol, or an endpoint that is compromised before the data is encrypted.

  • Use of strong internal authentication to minimize the potential for repudiation. If access to information—and, consequently, its disclosure—cannot be repudiated, individuals who are contemplating malicious action might reconsider because they might not want to face the consequences of disclosure.

  • High granularity in authorization to minimize the degree of damage and compromise after a disclosure occurs. By maintaining granularity in authorization, even if a deliberate disclosure occurs, the damage is limited to only the information the individual was authorized to see rather than all of the SMB's confidential information.
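
The default-deny principle stated above ("access is denied unless explicitly granted") is what an ordered firewall or router ACL implements: rules are checked top to bottom, the first match wins, and anything that matches no rule falls through to an implicit deny. The following Python example, added here and not part of the book, models that evaluation and adds the check a reviewer of such a list wants: finding rules that can never fire because an earlier, broader rule already covers them. The rule sets and addresses (documentation ranges) are constructed for the example.

```python
"""Added example: an ordered ACL with implicit deny, plus a shadowed-rule check.

Evaluation is first-match-wins, top to bottom; a packet matching no rule is
denied. The rule sets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    src: str          # source network in CIDR notation, or "any"
    dst_port: object  # destination port number, or "any"
    comment: str = ""

    @property
    def src_net(self):
        return ANY_NET if self.src == "any" else ipaddress.ip_network(self.src)

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src_net
                and self.dst_port in ("any", dst_port))


def evaluate(rules, src_ip: str, dst_port: int):
    """First matching rule decides; no match means deny (the implicit deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.comment
    return "deny", "implicit deny"


def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers every
    packet they would match. Returns (shadowed comment, shadowing comment)
    pairs. Partial overlaps are deliberately not reported."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src_net.subnet_of(earlier.src_net)
                    and earlier.dst_port in ("any", later.dst_port)):
                found.append((later.comment, earlier.comment))
                break
    return found


# Constructed rule set for a small Internet-facing edge, ordered top to bottom
EDGE_ACL = [
    Rule("permit", "203.0.113.0/24", 443, "partner range to HTTPS"),
    Rule("permit", "any", 25, "inbound SMTP to the mail relay"),
    Rule("deny", "198.51.100.0/24", "any", "known scanner range"),
    Rule("permit", "10.0.0.0/8", 3389, "RDP from internal addresses only"),
]

# The same list with a leftover "temporary" rule at the top
MISORDERED_ACL = [Rule("permit", "any", "any", "temporary: allow all (never removed)")] + EDGE_ACL
```

Two things the evaluation makes visible that the prose does not: ordering matters even in a default-deny list (the scanner range is denied for HTTPS but still reaches SMTP because the broad SMTP permit sits above the deny), and a single forgotten "permit any any" silently turns every later rule into dead text, which is what shadowed() reports.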

Nonrepudiation, Authentication, and Authorization

Nonrepudiation means that a person who performed an act, such as authenticating to a system or sending a message, cannot later credibly deny having done so. This is easier said than done, so why bother with it? Even a hardened network will sooner or later encounter individuals entrusted with a high degree of authorization who cannot resist sharing secrets with others. Nonrepudiation offers the means to tie an individual to an act of authentication and possibly to other activities that follow, which could include information disclosure or corruption.

Nonrepudiation in and of itself does not prevent someone from disclosing information, destroying or modifying data, or performing other acts that result in DoS; it works as a deterrent and as a means of attribution after the fact. In select high-security environments, nonrepudiation backed up by strong legal and financial consequences is nonetheless a desirable security antidote against all of the security threats discussed in this chapter.

An SMB must consider the cost of implementing a high degree of nonrepudiation compared to the cost of taking other security precautions. In such a situation, a security policy comes in handy.

Following are some recommendations for SMBs to ponder while pursuing the goal of a high degree of nonrepudiation, authentication, and authorization on their networks:

  • Consider biometric authentication for highly sensitive areas housing critical network equipment.

  • Clearly spell out in the security policy the consequences of deliberate or even accidental security breaches that can be conclusively tied (beyond repudiation) to an individual.

  • Take advantage of all the authentication and authorization mechanisms that come with modern network operating systems.
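
Tying an act to one individual "beyond repudiation" depends on the mechanism used. A shared-key MAC (HMAC) detects alteration but cannot attribute: both parties hold the key, so either could have produced any valid tag. A digital signature is produced with a key only the signer holds and checked with a public key, which is what supports nonrepudiation. The following Python example, added here and not part of the book, contrasts the two. Its RSA is textbook RSA with toy parameters (two Mersenne primes, no padding) so it runs with the standard library; it shows the mechanics only, and a real deployment uses a vetted library and proper key sizes. The messages and keys are constructed.

```python
"""Added example: what a signature gives that a shared-key MAC does not.

Both detect alteration. Only the signature can be checked by anyone with the
public key while being producible only by the holder of the private key, so
only the signature ties a message to one individual. Toy RSA parameters and
constructed messages; not for real use.
"""
import hashlib
import hmac

# Toy RSA key. P and Q are the Mersenne primes 2^61-1 and 2^89-1: large enough
# to run the arithmetic, far too small to be secure. E is coprime to (P-1)(Q-1).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (needs Python 3.8+)


def _hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_d: int, message: bytes) -> int:
    """Textbook RSA signature (no padding): only the holder of D can compute it."""
    return pow(_hash_to_int(message), private_d, N)


def verify(public_e: int, message: bytes, signature: int) -> bool:
    """Anyone holding the public key (E, N) can check a signature."""
    return pow(signature, public_e, N) == _hash_to_int(message)


def mac(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_mac(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(shared_key, message), tag)


def demo():
    """Constructed approval message; returns four booleans (see the usage note)."""
    msg = b"Approve payment of 5,000 USD to supplier 1182"
    forged_msg = b"Approve payment of 50,000 USD to supplier 1182"

    # 1. Signature: verifies, and the same signature fails on an altered message
    sig = sign(D, msg)
    genuine_ok = verify(E, msg, sig)
    altered_ok = verify(E, forged_msg, sig)

    # 2. Without D, no one can produce a signature that verifies under E
    GUESSED_D = 123456789  # stands in for any value other than the real D
    forged_sig_ok = verify(E, forged_msg, sign(GUESSED_D, forged_msg))

    # 3. Shared-key MAC: the receiver holds the same key, so it can mint a valid
    #    tag on a message the sender never approved. A valid tag therefore
    #    cannot show a third party which of the two parties produced it.
    shared_key = b"\x5a" * 32
    receiver_forgery_ok = verify_mac(shared_key, forged_msg, mac(shared_key, forged_msg))

    return genuine_ok, altered_ok, forged_sig_ok, receiver_forgery_ok
```

demo() returns (True, False, False, True): the genuine signature verifies, the altered message and the signature made without the private key do not, and the receiver's self-made MAC tag is indistinguishable from one the sender would have made. That last result is why a MAC-based scheme, however strong, does not support the "conclusively tied to an individual" consequence the security policy item above calls for.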

System Availability

Network or system availability should be a design consideration in every networking solution, as discussed in Chapter 1. In the context of network security, the system availability antidote counters the threat of DoS. This antidote means that the network is designed and operated so that it keeps serving its users despite attempts to bring it down, and goes offline only through authorized and scheduled shutdown procedures.

System availability can be hardened in the following ways:

  • Use of firewalls and server operating system settings that detect and absorb DoS traffic (for example, per-source rate limiting and SYN flood protection such as SYN cookies)

  • Uninterruptible power in the form of uninterruptible power supplies (UPSes) or generators for critical network components

  • Strong physical security for data centers, telecom closets, or any location housing a network server, a switch, or a router

  • Standby spares of critical components

  • Presence of verifiable up-to-date backups in case a restore is required following information destruction or unrecoverable failure of data storage devices
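
The first item above calls for detecting DoS traffic. The following Python example, added here and not part of the book, shows the simplest useful form of that detection: a sliding-window count of connection attempts per source address, flagging any source that exceeds a threshold within the window so that a firewall rule can drop it. The log line format and the log lines are constructed for the example; real sensors (syslog, NetFlow, connection tracking) differ in detail, but the logic is the same.

```python
"""Added example: flag a connection flood per source with a sliding window.

Reads constructed connection-attempt log lines and reports each source that
opens more than THRESHOLD attempts within WINDOW seconds. The format is
invented for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> SYN <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(?P<ts>\S+) SYN (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")
WINDOW = timedelta(seconds=10)
THRESHOLD = 20  # attempts per source within one window


def parse(line: str):
    """Return (timestamp, src, dst, port) or None for a line that does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: timestamp at which it first exceeded the threshold}.
    Lines are assumed to arrive in time order, as a live feed would."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        ts, src, _, _ = rec
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def sample_log():
    """Constructed: one normal client, one source sending a SYN flood, one junk line."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(5):  # normal client: 5 connections spread over 50 s
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} SYN 203.0.113.10:{40000 + i} -> 10.0.0.5:443")
    for i in range(60):  # flood: 60 SYNs in 3 s from one address
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} SYN 198.51.100.7:{50000 + i} -> 10.0.0.5:443")
    lines.append("garbage line that does not parse")
    return sorted(lines)  # ISO timestamps sort chronologically as text
```

With the defaults, the flooding source is flagged one second into the flood (its 21st attempt), and the normal client never is. A distributed attack with few attempts per source would not trip a per-source counter; that case needs aggregate thresholds per destination or upstream filtering, which the list above covers under firewalls and standby capacity.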
