
SECURE CONNECTIONS TO THE INTERNET

From its early beginnings as the ARPANET, the Advanced Research Projects Agency network in the US, the Internet has steadily increased in size. For much of this time, participating systems have been largely drawn from the academic and defense research communities. Recently, however, there has been an enormous growth in the number of systems connected to the Internet, typically increasing by 100% per year. The corresponding number of potential users is almost impossible to quantify but has been variously estimated to be in the region of 15-30 million.


Much of this growth is caused by the connection of existing networks rather than individual systems, and in practice the Internet is much more a collection of inter-operating networks than a single homogeneous network. Combined with the relaxation of the previous ban on commercial activities on the Internet, the pervasiveness and ease of use of Internet facilities have become very attractive to commercial organizations, and these are to a large degree responsible for the recent growth. According to one estimate, commercial usage of the Internet had grown to more than 50% by mid-1991.

As a demonstration of the importance of the Internet to a commercial organization, the Digital Internet connection currently handles approximately 2 million mail messages and provides 20,000 product and service related documents to customers per month, as well as providing access to more than 300,000 files of public domain software as a free service to the Internet. Digital introduced a World-Wide Web (WWW) server in October 1993, and in the first 4 months of operation supplied 250,000 pages of information to more than 9,000 external users. The enormous rate of growth in WWW activity seen by Digital (more than 250% per quarter) is typical of the Internet as a whole. Additionally, the higher speeds associated with Internet connections compared to traditional dial-up connections and the ability to handle many incoming requests simultaneously have given Digital the opportunity to make several of its new Alpha AXP systems freely available to any Internet user for demonstration or software porting activities, which would not have been practicable using conventional dial-up lines. Digital's incentive to develop a secure Internet connection has come from the need to reconcile this high level of "public" access, and virtually unrestricted access by Digital employees to Internet resources, with maintaining the security and integrity of a large corporate network.

There are a number of characteristics of the Internet which are derived from its original purpose, and which are relevant to any discussion of secure use of the Internet. One of these is that the network was designed to facilitate information sharing, and for the network designers the availability aspects were probably more important than confidentiality and integrity. In simple terms, if one sends a data packet to the network there is a very high probability that the Internet's powerful dynamic routing capabilities will ensure that it will be delivered to the destination whatever the state of the various intermediate links. Typically neither sender nor receiver will know the route the packet took, the systems through which it passed, who was potentially able to read it in transit, or whether it was modified, maliciously or otherwise. The classic example is that of electronic mail, where one can have little confidence in the accuracy of the header information (sender, source address, etc.) or the integrity and confidentiality of the actual message content without additional application-level functionality (typically based on cryptographic techniques).

Overall direction of the Internet is in the hands of the Internet Activities Board (IAB), which delegates responsibility for various aspects of operation to bodies like the Internet Engineering Task Force. However, much of the management and co-ordination is designed to facilitate use of the network, and to prevent "bad citizens" from interfering with the activities of legitimate users. Therefore, much of the Internet operation is based on mutual co-operation, adherence to common published protocols, etc., rather than strict hands-on management. For example, the concept of the centralized registration of individual users with Internet access is quite impossible; for all practical purposes, so is the centralized registration of individual systems with Internet access. The net effect of these principles is that any system manager whose machine connects to the Internet, or any organization which chooses to connect its internal network to the Internet, must be responsible for the security of their own systems, as they cannot rely on security controls implemented on the network itself.

Any rational discussion of security countermeasures must begin with an analysis of threat. A detailed analysis will be unique to a particular organization, but there are a number of broad classes and modes of attack that will be common to all. The parties carrying out attacks on a particular organization's network will vary from the individual, often obsessive in his attempts to attack a system although with relatively poor technical resources at his disposal, through organized groups with the capabilities to mount technically more sophisticated attacks motivated perhaps by antiestablishment or criminal tendencies, to those seeking information or intelligence to support national economic objectives. The latter will have the resources of a state organization behind them. The aim of these potential intruders will vary from intellectual curiosity or challenge (although these people may well leave significant damage behind them, whether by accident or design) through deliberate attempts to disrupt an organization's normal business, to the covert theft of information. One characteristic of these intruders that is often overlooked is that they will attempt to steal or make use of the resources of an organization, even when that organization is not their primary target. A common technique to hide an intruder's trail is to hop from one node to another across a network, often across international borders. This both masks the path back to the intruder's entry point to the network and also allows the intruder to make use of, for example, dial-out connections from intermediate nodes, the costs of which will be charged to the owner's organization. Digital has seen a case in which bills of 25K GBP per quarter were received for this reason. In addition, intermediate nodes may well also be used to store significant quantities of data "stolen" from elsewhere. Any protection mechanisms implemented by an organization must take such patterns of behavior into account.

Other papers will discuss in more detail the actual techniques used by hackers, but attacks are commonly mounted through password guessing, particularly on well-known and privileged accounts such as root, through the exploitation of faulty and/or poorly-configured code, and through Trojan Horse programs or worms. The famous Robert Morris "worm" which seriously affected a substantial number of systems on the Internet used weaknesses in some versions of the sendmail program to allow the introduction of the worm program itself. The strength of a particular security countermeasure must be measured by its resistance to such attacks. The security of a particular configuration may also be measured by the resulting exposure should any one mechanism fail.


Stand-alone System

The simplest and potentially the most secure means of establishing an Internet connection is via a stand-alone system with no direct connection to the organization's internal network.

[Figure 1]

Although it sounds trivial, this is the approach that is actually used by a number of small (and sometimes not-so-small) organizations, often in conjunction with a dial-up Internet connection rather than a permanently-connected high-speed line. Data can be transferred between the Internet-connected system and the rest of the organization's network by floppy disk, which at least has the merit that any data transfer will only take place as the result of a deliberate action and cannot be initiated by any person outside the physical boundaries of the organization. In addition, it is easy to regulate access by employees to Internet services by controlling access to the dedicated "Internet system". However, it is difficult and cumbersome to make use of many of the features of the Internet. Because it is so easy to set up a dial-up Internet connection, organizations should also be aware of the possibility of unauthorized and uncontrolled Internet connections from internal systems which may bypass otherwise well-constructed security infrastructures.


Filtering Router

The simplest way of providing a continuously available Internet connection to internal users is through the use of a leased line and an IP router.

[Figure 2]

This is the standard means of connecting to the Internet if security is not a high priority. For organizations which are not unduly concerned about security this router will allow unrestricted access in both directions between the Internet and the internal systems. However, there are very few such organizations. Others will need to work very hard on the security of each one of their internal systems, because each individual system is open to potentially unrestricted attack from the Internet. Where the internal network is not very large this may be viable, but for a network of any size, particularly where this is geographically spread and/or not under the control of a single central system and security management group, it is very difficult to guarantee the security of each single machine.

The exposure of the organization to an intruder on the Internet can be reduced by implementing some measure of filtering on the router. Many of today's routers have this capability to a greater or lesser extent. At the minimum, the router may refuse to accept connections for application protocols which are thought to offer particular risk, or which are not actually required by the organization. For example, an organization might enable mail protocols both ingoing and outgoing, and only allow outgoing file transfer requests. Employees could get access to data stored on other Internet nodes, but Internet users could not get access to data on internal systems. The more sophisticated routers are also able to generate audit and alarm messages which may be printed on a locally-connected printer or passed to a system on the internal network where they can be used to generate alarm messages on an operator's console and be stored for later analysis.

The security of this configuration is provided primarily by the filtering router, and in the event of a failure or mis-configuration of this device, by the security measures on each individual internal node. As mentioned above, it is difficult to secure all nodes in a large network to an appropriate standard at all times. In addition, the full topology of the internal network is revealed to the Internet, for example by the publishing of mail addresses. While "security through obscurity" is rightly discredited as a security mechanism in itself, it is still true that the less information that you give a potential intruder the harder his task becomes. Additionally, one must rely on the integrity of the security controls of the Internet service applications running on all the internal nodes. For example, if one of the internal nodes in the example above had been running one of the flawed or incorrectly configured versions of the sendmail program it could have been vulnerable to an attack of the "Robert Morris worm" variety. The difficulty for the organization's security manager is to ensure that all systems are running tested and approved versions of all relevant applications in an environment where he may have little control or even visibility of these systems, but in which the failure of any one of these systems may give rise to a security breach.


Dual-Homed Gateway

A more sophisticated connection can be used with the specific intention of preventing any direct link from systems on the Internet to internal systems. This uses a host-based system in place of the filtering router.

[Figure 3]

Usually known as a "dual-homed gateway", this system will generally be running a UNIX-derived operating system, which gives it the capability of running much more sophisticated applications than the router it replaces. These applications form a bridge between inside and outside, removing the need for direct connections between the external and internal networks. The IP level routing capabilities of the system are disabled, so that IP packets cannot be passed directly from the outside to the inside or vice versa. However, an application running on the gateway is able to receive connections from or make connections to any node on either network. The mail and file transfer protocols 'smtp' and 'ftp' illustrate how the gateway works in practice.

smtp uses routing at the application level (as opposed to the network level routing which happens in any case where nodes are not directly connected). The 'smtp' mail protocol and the applications which support it are used to receive a mail message from a user program, and transfer it to the addressee. However, it is common to find situations where for some reason the source and destination nodes cannot or do not wish to directly communicate. In such cases, the mail message will be passed from forwarding node to forwarding node, perhaps several times, before being finally delivered to the addressee's node. This forwarding happens transparently to the users concerned, although the route taken can often be determined after receipt by fields written into the message header by each mail handler. The requirement for mail to work correctly in the dual-homed gateway configuration is that the gateway should run a mail handling application which advertises itself to the Internet as the mail handler for all users on the internal network. When it receives such a message, it will forward it to the appropriate internal node. For outgoing mail, all internal nodes which generate mail should forward their mail messages to the gateway application, which will forward them to the external nodes as appropriate. The organization must decide whether to allow outgoing mail to retain the original sender's address or to rewrite the address to a more generic form. For example, a user on node x in organization y could generate mail from user@x.y.uk but wish it to be sent as if from user@y.uk, hiding internal node names from the outside world. In either case, the mail forwarder allows users inside and outside the gateway to exchange mail without any change in working practice. The gateway is effectively transparent to both sets of users.
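The outgoing half of that forwarding, as an added example (not Digital's forwarder configuration, and not code from the original paper): the gateway rewrites user@x.y.uk to user@y.uk in the sender headers and in the SMTP envelope, prepends its own Received line as every mail handler does, and can optionally drop the Received lines written by internal handlers, since those name internal nodes just as surely as the From address did. The y.uk domain, the gateway name and the sample message are assumptions for the example.

```python
"""Outbound mail relay behaviour for a gateway mail forwarder: hide internal
node names by rewriting user@node.y.uk to user@y.uk, and record the hop in a
Received header so the route can still be read from the message afterwards.
Added example, not Digital's forwarder configuration; the y.uk domain, the
gateway name and the sample message are assumed."""
import re
from email import message_from_string
from email.utils import formataddr, formatdate, parseaddr

PUBLIC_DOMAIN = "y.uk"          # assumed: what the outside world should see
GATEWAY = "gateway.y.uk"        # assumed name of the forwarding host
SENDER_HEADERS = ("From", "Sender", "Reply-To")


def hide_node(addr):
    """user@node.y.uk -> user@y.uk; addresses in other domains are left alone."""
    name, email_addr = parseaddr(addr)
    local, _, domain = email_addr.rpartition("@")
    if domain == PUBLIC_DOMAIN or domain.endswith("." + PUBLIC_DOMAIN):
        return formataddr((name, f"{local}@{PUBLIC_DOMAIN}"))
    return addr


def relay_outbound(envelope_from, raw_message, received_from, hide_internal_trace=False):
    """Return (envelope sender, message text) as the gateway hands them to the Internet.
    The envelope sender (SMTP MAIL FROM) is rewritten too: that is where bounces go."""
    msg = message_from_string(raw_message)
    for header in SENDER_HEADERS:
        if msg[header] is not None:
            msg.replace_header(header, hide_node(msg[header]))
    if hide_internal_trace:
        del msg["Received"]      # internal Received lines name internal nodes as well
    # Each mail handler prepends its own Received line; the newest is therefore first.
    trace = f"Received: from {received_from} by {GATEWAY}; {formatdate()}\n"
    return hide_node(envelope_from), trace + msg.as_string()


def route(raw_message):
    """List the hosts that handled a message, oldest first, from its Received headers."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", value)
        if m:
            hops.append(m.group(1))
    return hops[::-1]


# Constructed sample: generated on node x, already relayed once inside the organisation.
SAMPLE = """\
Received: from x.y.uk (x.y.uk [10.1.2.3]) by relay.y.uk; Mon, 7 Feb 1994 10:01:00 +0000
Received: from ws.x.y.uk by x.y.uk; Mon, 7 Feb 1994 10:00:30 +0000
From: Brian Neale <user@x.y.uk>
Reply-To: user@x.y.uk
To: someone@example.org
Subject: test

body
"""

if __name__ == "__main__":
    sender, out = relay_outbound("user@x.y.uk", SAMPLE, "relay.y.uk")
    print(sender)
    print(route(out))
    print(out)
```

Note what the default form still leaks: the From line is clean, but `route()` on the output still lists x.y.uk, because the internal handlers' Received lines survive. A forwarder whose purpose is to hide node names has to treat trace headers with the same care as sender addresses, which is what the `hide_internal_trace` option does.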

Unlike the smtp mail protocol, the file transfer protocol ftp was designed as an end-to-end protocol. It does not allow for the possibility of intermediate application-level routing nodes, and thus the gateway prevents direct ftp connections between inside and outside. The simplest way of overcoming this is to allow users to log in to the gateway system itself and carry out file transfer operations from there. This is undesirable for two reasons. Firstly, it is not considered good practice for users to log in to the gateway as the presence of user accounts may potentially create weaknesses on what should be a highly secured system. Secondly, users who actually wish to transfer data to or from their own local node must do this as a two-stage operation, from source to gateway and then from gateway to destination. There may also be user management and resource problems on the gateway system if there is a large user community. The most commonly used alternative is to use an application forwarding program, commonly known as a proxy application, on the gateway. An internal user will first connect to the proxy application. He will supply the proxy with the identity of the server to which he wishes to connect, usually with a corresponding password. The proxy will then establish the connection to the remote node, and henceforward will merely relay data and control packets between user and server, so that the user appears to have a direct connection to the remote server. The only additional operation required by the user is to establish the initial connection to the proxy application. In practice this is simple to use and effective in operation. A new generation of proxy applications and associated client utilities is now making even the intermediate connection transparent to the user.
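The proxy described above, as an added example rather than Digital's proxy code: the gateway does no IP forwarding, so the only path between the two networks is a user-level relay. The client names the server it wants on a first line, the proxy checks that target against its own policy, opens the connection itself, and thereafter copies bytes in both directions, so the client sees what looks like a direct connection. The 'host port' request line, the allow-list, and the echo server standing in for a remote ftp server are assumptions; everything runs on loopback so it works offline.

```python
"""A minimal application-level proxy of the kind a dual-homed gateway runs in
place of IP routing.  Added example, not Digital's proxy code; the request
line format, the allow-list and the loopback echo server are assumptions."""
import socket
import threading


def _read_line(sock, limit=256):
    """Read one newline-terminated line a byte at a time so nothing after it is swallowed."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode("ascii", "replace").strip()


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(handler):
    """Listen on a loopback port and hand each connection to `handler` in a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(5)
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def start_echo_server():
    """Stand-in for the remote server: echoes whatever it receives, then closes."""
    def echo(conn):
        _pump(conn, conn)
        conn.close()
    return _serve(echo)


def start_proxy(allowed_targets):
    """Gateway relay.  `allowed_targets` is the set of (host, port) it may open:
    the gateway's policy, not reachability, decides what gets through."""
    def handle(client):
        fields = _read_line(client).split()
        target = (fields[0], int(fields[1])) if len(fields) == 2 and fields[1].isdigit() else None
        if target not in allowed_targets:
            client.sendall(b"DENIED\n")
            client.close()
            return
        remote = socket.create_connection(target, timeout=5)
        client.sendall(b"OK\n")
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()
        _pump(client, remote)      # client -> server here, server -> client in `back`
        back.join()
        remote.close()
        client.close()
    return _serve(handle)


def exchange_via_proxy(proxy, target, payload):
    """Client side: name the target once, then use the connection as if it were direct.
    Returns the bytes the server sent back, or None if the proxy refused the target."""
    with socket.create_connection(proxy, timeout=5) as c:
        c.sendall(f"{target[0]} {target[1]}\n".encode())
        if _read_line(c) != "OK":
            return None
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            data = c.recv(4096)
            if not data:
                return received
            received += data


if __name__ == "__main__":
    echo = start_echo_server()
    proxy = start_proxy({echo})
    print(exchange_via_proxy(proxy, echo, b"RETR README\r\n"))
    print(exchange_via_proxy(proxy, ("10.1.2.3", 23), b"hello"))   # refused by policy
```

The relay never exposes the gateway's own shell or file system to the user, which is the point of preferring a proxy to interactive logins on the gateway. A production proxy would additionally authenticate the user before honouring the request line and log every target it opened, so that the audit trail shows who connected where.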

While it is stronger than a filtering router by itself, the dual-homed gateway does not provide much by way of "defense in depth". Particularly if it is desired to provide services to the Internet hosted on the gateway, there is still the problem that the machine is potentially vulnerable to direct attacks from the Internet. A successful intrusion into the gateway will give the intruder full visibility of the internal network. Although the first point may be relatively easily overcome (for example by providing a system dedicated to external services on the "public" side of the gateway) the second point remains valid.


Screened Subnet

In order to prevent direct connection from the Internet to the gateway, the screened subnet configuration was developed.

[Figure 4]

In this, a "public" node, i.e. a node with full visibility from the Internet, is placed between the Internet and the gateway. In effect, the application forwarding and the filtering functions of the dual-homed gateway are separated. The filtering remains in the gateway, but connectivity is reduced to the point that only the "public" system, known as a bastion host, is able to connect to internal systems, and internal systems are able to connect to only the bastion host on the "public" side of the gateway. The bastion host takes over the role of application forwarder, and the various proxy applications, mail forwarders, etc., are installed and configured on this system. The word bastion is used to signify that this is a strong point of defense, as access to this system is very strictly controlled. Typical measures would be the removal of any software that is not necessary for the operation of the system, removal of all user accounts and the prevention of user logins except for system management purposes from named users on a few known nodes (on the internal network only), and the control of physical access to the hardware concerned. This physical protection must also be extended to the cables or other network components connecting the external router, the bastion host and the gateway to prevent the possibility of unauthorized connections which could be used to "spoof" the gateway.

The method of operation of this screened subnet configuration is much the same as for the dual-homed gateway. Where possible, routing applications running on the bastion host transparently forward data between the internal nodes and the Internet and back, and proxy applications are used where required. The audit subsystem, and where appropriate individual applications which produce audit data, on both the bastion host and the filtering gateway are configured to copy their output data to an internal system where it can be securely stored and analyzed.
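The filtering policies of the single filtering router (Figure 2) and of the screened subnet (Figure 4), side by side, as an added example that is not Digital's S.E.A.L. configuration: the networks, the bastion address and the rule syntax are assumed. The router rule set is the "mail both ways, ftp outbound only" policy described earlier. Because a stateless filter cannot tell a reply from a fresh connection, every service needs a return rule keyed on the well-known source port, and the rule that admits active-mode ftp data (source port 20 to any internal port) admits any connection whose source port happens to be 20. The screened subnet checks the same packet at two independent points, and neither passes it.

```python
"""Stateless packet-filter policies as a single filtering router and as a
screened subnet (exterior router plus interior gateway).  Added example, not
Digital's S.E.A.L. configuration: networks, bastion address and rule syntax
are assumed for illustration."""
from ipaddress import IPv4Network, ip_address

ANY = IPv4Network("0.0.0.0/0")
INTERNAL = IPv4Network("10.0.0.0/8")        # assumed internal network (a reserved range)
PERIMETER = IPv4Network("192.0.2.0/24")     # assumed screened subnet
BASTION = IPv4Network("192.0.2.10/32")      # assumed bastion host address


def rule(action, src, dst, dport=None, sport=None):
    """One filter rule; None means 'any' for a port."""
    return (action, src, dst, dport, sport)


def evaluate(rules, src, dst, dport, sport):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for action, sn, dn, dp, sp in rules:
        if s in sn and d in dn and dp in (None, dport) and sp in (None, sport):
            return action
    return "deny"


# Single filtering router (Figure 2): mail in both directions, ftp outbound only.
# Stateless, so each service needs a return rule keyed on the well-known
# *source* port; the active-mode ftp data rule is the classic hole this opens.
SINGLE_ROUTER = [
    rule("allow", ANY, INTERNAL, dport=25),   # inbound mail
    rule("allow", INTERNAL, ANY, sport=25),   # ... and its replies
    rule("allow", INTERNAL, ANY, dport=25),   # outbound mail
    rule("allow", ANY, INTERNAL, sport=25),   # ... and its replies
    rule("allow", INTERNAL, ANY, dport=21),   # outbound ftp control
    rule("allow", ANY, INTERNAL, sport=21),   # ... and its replies
    rule("allow", ANY, INTERNAL, sport=20),   # active-mode ftp data from the server
    rule("allow", INTERNAL, ANY, dport=20),   # ... and its replies
]

# Screened subnet (Figure 4): the exterior router only talks to the bastion,
# the interior gateway only passes bastion <-> internal traffic.
EXTERIOR_ROUTER = [
    rule("allow", ANY, BASTION),
    rule("allow", BASTION, ANY),
]
INTERIOR_GATEWAY = [
    rule("allow", BASTION, INTERNAL),
    rule("allow", INTERNAL, BASTION),
]


def screened_subnet(src, dst, dport, sport):
    """A packet must be allowed by every filter on its path (defence in depth)."""
    s, d = ip_address(src), ip_address(dst)

    def outside(a):
        return a not in INTERNAL and a not in PERIMETER

    filters = []
    if outside(s) or outside(d):
        filters.append(EXTERIOR_ROUTER)
    if s in INTERNAL or d in INTERNAL:
        filters.append(INTERIOR_GATEWAY)
    verdicts = [evaluate(f, src, dst, dport, sport) for f in filters]
    return "allow" if all(v == "allow" for v in verdicts) else "deny"


if __name__ == "__main__":
    # An outsider aiming telnet (port 23) at an internal host from source port 20.
    print("router:", evaluate(SINGLE_ROUTER, "198.51.100.7", "10.1.2.3", 23, 20))
    print("screened subnet:", screened_subnet("198.51.100.7", "10.1.2.3", 23, 20))
```

The same weakness applies to every return rule keyed on a source port (an attacker can just as easily send from port 25), which is why the reply rules of a stateless filter are the first thing to audit and why later packet filters track connection state instead. In the screened subnet the interior gateway would still stop the packet even if the exterior router were misconfigured, which is the "defense in depth" the dual-homed gateway alone lacks.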

The bastion system is also a good place to locate services which will be provided to the Internet. In general, these will be "public" services such as anonymous ftp directories and World-Wide Web servers. These do not require user access to other than the particular service offered, which will have been checked to ensure that it does not introduce loopholes bypassing the bastion host's security mechanism. However, some organizations require that particular users do have access to more than just "public" services. A typical example would be to allow an employee working away from base but with Internet access to have access to their account on an internal node. This will require the user to first authenticate himself to a proxy application running on the bastion host, which will then forward the connection to the appropriate application on the desired internal node. In this example, the incoming user will probably be using telnet to establish a virtual terminal connection to their home node, although other types of connection are also possible.

Compared with the filtering router, both the dual-homed gateway and the screened subnet have the considerable advantage for the organization's security manager that only a very small number of systems need a very high level of security, and these systems can be easily placed under the direct supervision of a centralized system and security management group. This allows strict software version control, reducing the likelihood of software "acquired" from the Internet with some as-yet undiscovered security-related flaw running on the system.

There is a spin-off from these more sophisticated connection topologies for those organizations with existing well-developed networks who wish to connect to the Internet. Many such networks have been built using "illegal" IP addresses. That is, the organization originally had no intention of joining the Internet community and thus picked arbitrary addresses for its internal network which had already been allocated to other organizations. Such a network cannot be directly connected to the Internet as it will clearly introduce address ambiguities which break the Internet addressing and routing conventions. One possibility is to use the screened subnet in conjunction with address hiding or address translation facilities to allow some restricted level of access to the Internet. A better alternative is to modify the internal network to use some of those addresses reserved by the Internet community for exactly this purpose (RFC 1597, since superseded by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). The organization will still need at least a few registered addresses to allow incoming connections, but these can then be forwarded into the internal network without any ambiguities arising at the gateway. An existing network can also be extended with the use of these "reserved" addresses if the organization has reached the limit of its registered address space. Although many organizations may use the same reserved addresses, there is no ambiguity introduced as these are completely hidden behind the gateway and are not used for communication with other organizations.


Digital's Gateway

The Digital IP network today consists of some 40,000 TCP/IP nodes, part of a total network of some 80,000 nodes. These are connected together via Digital's private internal world-wide network and hence to the Internet through a screened subnet gateway configuration based in Palo Alto, CA. The bastion host consists of a number of systems effectively connected in parallel to handle the considerable amount of traffic. The gateway also consists of a number of parallel systems, for reasons of performance and redundancy.

Digital has had an Internet connection for about 8 years and it takes the security of this connection very seriously. At the same time, Digital recognizes that many users regard excessive security measures as a nuisance and it is therefore important to balance security controls against the threat at any particular point in the network. Digital policy requires that all systems connected to the network meet a certain minimum standard of security, and security inspection and monitoring tools from Digital's standard product range are used to ensure this. This minimum standard or security baseline makes a number of assumptions about the threats. For example, all users with access to Digital systems are Digital employees or others working under direct supervision of Digital employees. Effectively, there is an outer wall which logically surrounds the whole network. In order to allow connections to external systems such as the Internet, special precautions are required to ensure that only authorized users are able to cross this defensive wall. The Internet gateway, known as the Digital Screening External Access Link (S.E.A.L.) gateway, is one such. The aim of the S.E.A.L. gateway is to allow Digital employees to gain access to Internet services in as near-transparent a fashion as possible, while at the same time preventing the access of unauthorized external users to the Digital network.

All the services that Digital provides to the Internet are hosted on systems on the outside of the S.E.A.L. gateway. These services (for example, the WWW server) are also available to internal users through the gateway. WWW clients are configured to use a proxy application running on the gateway which can establish connections to either external or internal WWW servers, transparently to users. The only inbound connection that is allowed without special authentication is for mail, which is handled by a mail forwarder on the bastion host (known to the Internet as gatekeeper.dec.com). In order to mask the names of internal nodes, mail addresses do not use individual node names. Instead, mail is sent to an individual using an address based on their internal office location. Thus, the author can be reached from the Internet as neale@new.mts.dec.com, where 'new' is a location code. Using correctly configured mail forwarders, this "sender address" can be generated automatically for outgoing mail, avoiding the need for any user interaction. In customer installations of the S.E.A.L. gateway, mail is often addressed to departments rather than to individual nodes using the same kind of convention. The net effect is that the S.E.A.L. gateway is transparent to mail users within it.

There is a specific business requirement for certain employees to have access to the Digital internal network from the Internet. Typically, these would be Digital personnel working on a customer site with Internet access and who, with the agreement of the customer, can make use of that Internet connection for connecting back to their home systems. As described above, such users need to authenticate themselves to the bastion host before being allowed to connect into the internal network. Digital is concerned that the traditional username/password combination is not adequate for this purpose. Although the audit mechanisms on the host would usually be expected to pick up persistent password guessing attempts and there are various techniques to enforce the use of "good" passwords/passphrases, the password is being transmitted in clear text from the user's workstation across the Internet to the bastion host and may be read at some point. Digital, therefore, insists on the use of a strong authentication technique for such incoming connections. These are based on the use of Hand-Held Authenticators (HHAs). An HHA is an approximately credit-card sized device with a small LCD display and, depending on type, a small numeric keypad. One form of HHA provides a password in the form of a pseudo-random number. A clock in the HHA is synchronized with the host system, and the pass number is changed at regular intervals. The period of exposure of any given password is then reduced to the update interval of the pseudo-random number generator, typically 1 minute. The other form of HHA works on a challenge-response basis, in which the host does not prompt for a password in the usual fashion, but instead displays a random 8-digit number to the user. The user enters this number into his HHA, along with a unique PIN, and the HHA calculates a response which is entered in place of a conventional password - a genuine "one-time" password generator. Either form of HHA can give a high level of assurance of user identity without worrying about compromise of secret information (the password) on the network.
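Both HHA schemes, as an added example that is not any vendor's algorithm and not code from the original paper: a time-synchronised code derived from a per-device secret and the current one-minute interval, which the host verifies with a small allowance for clock skew, and a challenge-response code derived from the device secret, the user's PIN and the host's 8-digit challenge, which the host accepts once only. The HMAC construction, the 6- and 8-digit truncation and the one-interval skew window are assumptions made for the example.

```python
"""Two hand-held authenticator (HHA) schemes: a time-synchronised code that
changes every minute, and a challenge-response code computed from an 8-digit
host challenge and the user's PIN.  Added example, not any vendor's algorithm:
the HMAC construction, the digit counts and the skew window are assumptions."""
import hashlib
import hmac
import secrets
import struct

INTERVAL = 60   # seconds a time-synchronised code stays valid


def _digits(key, message, n):
    """Truncate an HMAC to an n-digit decimal code the user can type from the LCD."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**n:0{n}d}"


def time_code(device_secret, now):
    """What the token displays at time `now` (seconds): a function of the interval counter only."""
    return _digits(device_secret, struct.pack(">Q", int(now) // INTERVAL), 6)


def verify_time_code(device_secret, code, now, skew=1):
    """Host side: accept the current interval and `skew` intervals either side,
    because the token's clock and the host's clock drift apart."""
    counter = int(now) // INTERVAL
    return any(
        hmac.compare_digest(_digits(device_secret, struct.pack(">Q", counter + k), 6), code)
        for k in range(-skew, skew + 1)
    )


def hha_response(device_secret, pin, challenge):
    """Challenge-response HHA: the PIN typed into the device is mixed into the
    computation, so a stolen token without its PIN produces wrong responses."""
    return _digits(device_secret, f"{pin}:{challenge}".encode(), 8)


class ChallengeHost:
    """Host side of challenge-response login.  Each challenge is usable once,
    which is what makes the response a genuine one-time password."""

    def __init__(self, users):
        self._users = users          # user -> (device_secret, pin); assumed to be stored securely
        self._pending = {}

    def challenge(self, user):
        c = f"{secrets.randbelow(10**8):08d}"   # the 8-digit number shown to the user
        self._pending[user] = c
        return c

    def verify(self, user, response):
        c = self._pending.pop(user, None)      # consumed whether or not the answer is right
        if c is None or user not in self._users:
            return False
        device_secret, pin = self._users[user]
        return hmac.compare_digest(hha_response(device_secret, pin, c), response)


if __name__ == "__main__":
    import time
    secret = secrets.token_bytes(20)           # constructed device secret for the demo
    print("time code now:", time_code(secret, time.time()))
    host = ChallengeHost({"neale": (secret, "4711")})
    c = host.challenge("neale")
    print("challenge", c, "accepted:", host.verify("neale", hha_response(secret, "4711", c)))
```

The difference between the two matches the text: a captured time code is replayable for the remainder of its interval (plus whatever skew the host tolerates), whereas a captured challenge response is useless because the host has already discarded that challenge. In both schemes the host holds a copy of each device secret, so the host's secret store, not the network, becomes the thing that must be protected.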

The aim of the Internet is to provide a widely-available and easy-to-use communications path between many organizations. However, it is the responsibility of each organization to secure its own systems and Internet connections. This paper has discussed a range of options for securing an Internet connection, from the simplest "stand-alone" system to the most sophisticated screened subnet configuration as used by Digital for its own Internet connection. As with all security options, each organization must find the balance between security, cost and complexity, and ease of use which suits its own particular needs.


Dr. Brian Neale

Digital Equipment Co. Ltd.

Czech Translation:

Tomas Vitak

Digital Equipment s.r.o.
e-mail:vitak@chk.mts.dec.com

