Information Security News mailing list archives

Security requires 'depth in datapath', AT&T researcher says


From: InfoSec News <isn () c4i org>
Date: Wed, 11 Sep 2002 03:53:26 -0500 (CDT)

http://www.commsdesign.com/news/OEG20020910S0011

By Loring Wirbel 
Editorial Director
CommsDesign.com
September 10, 2002

SAN FRANCISCO, Calif - Distributed computing environments of the
future require a "defense in depth" security architecture which cannot
be implemented with single-point firewalls, an AT&T Labs researcher
said at a Communications Design Conference NetSeminar on Aug. 9. Steve
Bellovin, a Research Fellow at AT&T, said that inadequate funding is
being provided in government and corporate worlds for operational
security, such as system administration.

"Systems need to be designed from the assumption that things will
fail, even those critical points designed not to fail," Bellovin said.  
"This requires designing whole systems for security from the very
beginning. Secure networks also have to be scalable and extendable,
which we do not see very often nowadays."

Bellovin said that both system designers and network managers make
assumptions about nodes in their networks that allow weak links for
hostile users to exploit. For example, developers should never assume
that a software application or hardware node will never be connected
to the Internet, because standalone applications invariably end up
becoming Internet-connected, if only indirectly so. He said it was
also "demonstrably untrue" to say that proprietary closed-source
systems could not be penetrated.

"Never, never underestimate the bad guy," Bellovin said. Most truly
hostile attackers do not use obvious routes to a system and leave
marks of their arrival, such as defacing a Web site, he said. The
professional will use indirect access to critical systems, and will
not stick around by leaving an open access port into a system. The
professional will penetrate a system quickly, leave a Trojan Horse or
logic bomb, and get out.

"The smart adversary will utilize special connections from third-party
vendors or joint-venture partners," he said. "You don't go through a
strong security mechanism, you go around it."

Bellovin saw a few positive signs in hardware development, such as
IPsec support on network interface cards (NICs), or the improved system
partitioning proposed by the Trusted Computing Platform Alliance (TCPA). He
said there are also advantages in newer computer languages, provided
they are used with discipline: Java's bounds-checked arrays rule out the
classic buffer overflow, and C++ does so only when raw arrays and pointer
arithmetic give way to checked containers.

Ultimately, though, nothing can replace good system administration,
and functions such as authentication are more important than
encryption. Bellovin listed advantages and pitfalls of authentication
on several levels. For user authentication, some developers are
turning to wider use of biometrics. This could be useful, Bellovin
said, but methods such as iris scans and fingerprint verification
systems produce both false negatives (a legitimate user rejected) and
false positives (an impostor accepted); a matching threshold only trades
one for the other, and an attacker can deliberately exploit whatever
false-acceptance rate remains.
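The false-reject/false-accept trade-off behind that point, as an added worked example that is not code from Bellovin's talk or from any biometric product: a matcher accepts when the similarity score reaches a threshold, and moving the threshold lowers one error rate only by raising the other. The genuine and impostor scores below are constructed for illustration, not measurements from a real fingerprint or iris system.

```python
"""Biometric matcher thresholds: false rejects versus false accepts.

Added illustration; the score lists are constructed, not real measurements.
"""

# Constructed similarity scores in [0, 1]; higher means "closer to the enrolled template".
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.71, 0.66, 0.62, 0.58]
IMPOSTOR_SCORES = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.49, 0.55, 0.61, 0.68]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (false_reject_rate, false_accept_rate) when the matcher
    accepts exactly the attempts whose score is >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep thresholds in steps of 0.01 and return the first one where the two
    error rates are closest (the equal-error operating point)."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(101):
        t = i / 100
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def impostor_success_probability(far, attempts):
    """Probability that an impostor who may retry gets at least one acceptance,
    treating attempts as independent with false-accept rate `far`."""
    return 1.0 - (1.0 - far) ** attempts


if __name__ == "__main__":
    for t in (0.5, 0.62, 0.7):
        frr, far = error_rates(t)
        print(f"threshold {t:.2f}: FRR {frr:.0%}  FAR {far:.0%}")
    eer_t = equal_error_threshold()
    print(f"equal-error threshold: {eer_t:.2f}")
    print(f"impostor with 10 tries at FAR 10%: {impostor_success_probability(0.1, 10):.1%}")
```

On these constructed scores a threshold of 0.5 never rejects a legitimate user but admits three impostors in ten, while 0.7 admits none and turns away three legitimate users in ten; the equal-error point sits at 0.62 with both rates at 10%, and an impostor allowed ten attempts at that setting gets in about 65% of the time, which is why the matching threshold alone is not a security control.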

In system authentication, Bellovin said a particular problem lies in
the stateless, hop-by-hop way routers forward packets, so that a route
crossing several administrative domains and Internet Service Providers
is exposed to many different packet-authentication problems. The
federal government has looked at many schemes, he said, but most
router authentication architectures are controlled from the center.

"Historically, the successful things on the Internet are those
deployed incrementally, on the edges," he said. "Router authentication
solutions to date have tended to be centralized."

Bellovin said that consumer networks, such as wireless LANs (WLANs)  
serving as part of a home network, have provided useful insights for
improving corporate security. Traffic can be diverted very easily in a
WLAN, Bellovin said, and even the most advanced home gateways would
have difficulty authenticating the owner of a networked VCR or DVD
player. The security problems encountered as local groups build out
wireless LAN hot spots could provide useful insight into moving the
corporate world to a more distributed view of security.

One dinosaur that must go is the single corporate firewall. Not only
must it leave port 80 open, so that anything carried over HTTP passes
through it unexamined, but it is also overridden by requests for special
applications that tunnel through the firewall, or by access points that
go around it, until "it is no longer clear what traffic the firewall
might still be blocking."

"The answer is not fewer firewalls, but more firewalls," Bellovin
said. "Distributed architectures require distributed security
strategies."
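The two failure modes of the single perimeter firewall described above, and the "more firewalls" answer, as an added worked example that is not code from Bellovin's talk or from any firewall product: a port-only perimeter rule passes an SSH session tunnelled over port 80, a protocol-aware perimeter rule catches it, and neither sees a partner link that reaches the database host without crossing the perimeter at all; only a default-deny policy on the destination host itself stops that path. The host names, flows and policies are constructed for illustration.

```python
"""Perimeter-only versus layered filtering.

Added illustration; every flow, host name and policy below is constructed.
A flow is (label, source, destination host, destination port, first client bytes).
"""
import re

CONSTRUCTED_FLOWS = [
    ("web-get",        "internet", "web01", 80,   b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("web-tls",        "internet", "web01", 443,  b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    ("ssh-over-80",    "internet", "web01", 80,   b"SSH-2.0-OpenSSH_3.4\r\n"),
    ("smtp-direct",    "internet", "web01", 25,   b"EHLO mail.example.com\r\n"),
    ("db-from-web",    "web01",    "db01",  5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
    ("db-via-partner", "partner",  "db01",  5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
]

# An HTTP/1.x request line; anything else on port 80 is not web traffic.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")

# Per-host allowlists (the "more firewalls"): port -> permitted sources, "*" meaning anyone.
HOST_POLICY = {
    "web01": {80: {"*"}, 443: {"*"}},
    "db01": {5432: {"web01"}},
}


def perimeter_port_filter(flow):
    """The single corporate firewall: port numbers only, and it only sees
    traffic arriving from the Internet. Partner and internal links bypass it."""
    _, src, _, port, _ = flow
    if src != "internet":
        return True
    return port in (80, 443)


def perimeter_protocol_aware(flow):
    """Same perimeter position and port policy, but the first client bytes
    must look like the protocol the port is meant to carry."""
    _, src, _, port, payload = flow
    if src != "internet":
        return True
    if port == 80:
        return HTTP_REQUEST_LINE.match(payload) is not None
    if port == 443:
        # TLS record header: content type 0x16 (handshake), major version 0x03.
        return len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03
    return False


def host_firewall(flow):
    """The destination host's own default-deny policy, applied to every source."""
    _, src, dst, port, _ = flow
    allowed = HOST_POLICY.get(dst, {}).get(port)
    return allowed is not None and ("*" in allowed or src in allowed)


def verdicts(flows=CONSTRUCTED_FLOWS):
    """label -> (perimeter port-only, perimeter protocol-aware, protocol-aware perimeter AND host policy)."""
    out = {}
    for flow in flows:
        port_only = perimeter_port_filter(flow)
        proto = perimeter_protocol_aware(flow)
        out[flow[0]] = (port_only, proto, proto and host_firewall(flow))
    return out


if __name__ == "__main__":
    for label, result in verdicts().items():
        print(f"{label:15s} port-only={result[0]!s:5s} protocol-aware={result[1]!s:5s} layered={result[2]!s:5s}")
```

The SSH-over-80 flow is admitted by the port-only rule and refused once the perimeter checks for an HTTP request line; the partner-sourced connection to db01:5432 is admitted by both perimeter variants, because it never crosses the perimeter, and is refused only by db01's own policy, which lists web01 as the sole permitted client.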

Loring Wirbel is the editorial director of CommsDesign.com. He can be
reached at lwirbel () cmp com.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

