It's Time To Shore Up The Front Lines Of Network Defense
BY DAVE POWER, SECURITY DYNAMICS
Passwords have long been the front line of defense protecting information systems and
networks. The security of passwords has come under considerable scrutiny in recent months
as a result of several well-publicized security breaches of information systems networks.
The problem is, however, that even well-composed passwords are vulnerable to being
intercepted and stolen by today's more sophisticated system attackers.
The Internet, a global web of thousands of networks, is under nearly constant assault from
a wide range of advanced system intruders. With the overwhelming growth of the Internet,
the time for reusable passwords has passed.
In recent months, unidentified system crackers have deployed
password-gathering programs and have succeeded in collecting tens of thousands of
passwords. The attacks on the Internet are particularly worrisome because a growing number
of commercial and nonprofit organizations are now eyeing the Internet as a new avenue for
conducting business. It's worth noting that although the Internet break-ins have
received most of the publicity, the problem of illegal access cuts across networks of all
types, especially the local- and wide-area networks (LANs and WANs) that are in widespread
use today.
INTERNET SECURITY ISSUES
The vulnerability of reusable passwords has been made shockingly apparent in recent months
following a rash of computer break-ins linked to the Internet. Several Internet service
providers were attacked in an orchestrated effort to gather passwords that could be used
to penetrate still other computers with Internet links. An unknown group of system
crackers planted programs designed to capture the passwords of users as they logged into
the penetrated systems. It is estimated that the intruders managed to harvest a great many
passwords before their illegal programs were discovered. Such illegal escapades worry
companies because the massive network is destined to become a cornerstone for the nascent
information superhighway. In something akin to a modern-day gold rush,
commercial organizations are scrambling to get a stake in the Internet.
As the number of networks, hosts, and users on the Internet has mushroomed, so too have
security incidents.
The rapid increase in commercial traffic is also making it more difficult to track and
stop breaches. Although there is yet little hard evidence of companies with Internet links
having suffered significant losses as a result of security breaches, it is only a matter
of time, according to many security experts. The Federal Bureau of Investigation, for
example, says that the Internet is used to break into systems in more than 80 percent of
the computer crime cases it investigates. For the most part, these attacks have been aimed
at universities, research centers, and other non-commercial sites. Obviously, such attacks
have financial implications associated with them, but they are still difficult to
quantify. One reason is that many victim organizations are reluctant to report
security-related incidents to law enforcers.
Still, it is easy to envision what some of the potential consequences of a security
breach via the Internet might be for a commercial organization. Given the enormous
reliance most organizations now place on information systems technology, unauthorized
tampering with those systems or the theft of the information they contain could have
serious financial impact. In addition to data loss, organizations are faced with computer
and/or network downtime, lost productivity, and the possibility of negative publicity in
the marketplace. In a survey conducted this year by Infosecurity News, 49 percent of the
more than 1,200 respondents reported that their system security had been breached by at
least one of the following: successful unauthorized system access by an outsider; abuse of
access privileges by an employee; abuse of access privileges by an authorized user;
leakage of confidential information; or destruction of data.
Not surprisingly, the lack of adequate security is also hindering many organizations
with Internet protocol networks that could otherwise conduct business on the Internet. The
Internet Society estimates that about half of all networks are not tied into the Internet
primarily because their network administrators are too fearful of the security risks.
THE GROWTH OF THE INTERNET
Dataquest, a market research and consulting company, estimates that by the year 2001,
nearly 268 million users worldwide will be accessing the Internet, while less than 10
years ago, there were only an estimated half a million users.
One of the Internet's key strengths, and one of its weaknesses, is that no one
agency or organization is responsible for its overall management. Thus, it has been free
of bureaucratic control and burdensome regulation. Conversely, management is decentralized
and informal, residing primarily at the host site and the individual network levels. Early
in the Internet's development, responsibility for managing and securing host
computers was given to end users: the host sites, such as college campuses and
federal agencies, that owned and operated them. It was believed that the host sites were
in the best position to manage and determine a level of security appropriate for their
systems. Each of the Internet's thousands of networks maintains operational control
over its own network, whether it is a backbone network, regional network, or LAN.
THERE'S GOT TO BE A BETTER WAY
There have been a multitude of cases where the systems of some service providers have been
compromised by a group of unidentified intruders. System crackers are able to capture
passwords and login IDs for thousands of systems across the Internet, using a variety of
network packet-sniffing programs, according to the Computer Emergency Response Team
(CERT), an Internet security watchdog organization. Intruders can use the captured
information for subsequent access to those hosts and accounts, CERT explained in a
security advisory. This is possible because the password is used over and over and
the password passes across the network in clear text.
The short-term solution, according to CERT, is for all users on sites that offer remote
access to change their passwords frequently. In addition, sites that support a so-called
promiscuous network interface are advised to disable this feature or implement
a policy that permits only authorized users and programs to access this particular
feature. However, this is only a quick-fix solution.
Traditional user authentication by means of reusable passwords does not provide strong
security in today's networked environment, with or without encryption.
Information systems protected by advanced methods such as tokens or smart cards (which are
used to generate one-time passwords) are far more secure.
ELIMINATE RELIANCE ON REUSABLE PASSWORDS
The best long-term solution to prevent these and other sorts of attacks is to eliminate or
reduce the transmission of reusable passwords in clear text over the network. The only
effective long-term solution is to not transmit reusable passwords on the network. As a
means of eliminating reliance on stand-alone passwords, today's information systems
managers may choose from several access control technologies, such as dialback systems,
biometric devices, and a series of token technologies including challenge/response
calculators, smart cards that require card readers, and
time-synchronized super smart cards that can be used without a card reader.
Each of these authentication systems offers its own unique advantages.
However, dialback systems can't authenticate users on the road and can be rendered
useless by convenient telephone features like call forwarding. Dialback systems
aren't designed to secure Internet access and are therefore not a comprehensive
solution. Also, these types of technologies often authenticate terminals only, not
users. And while biometric devices may be highly effective in authenticating user
identity, their cost and lack of portability may preclude their use in today's mobile
computing environments.
Information systems that deploy challenge/response technology require that the user
accurately respond to a challenge or request for a password from the host computer. The
response or password may be generated by a calculator carried by the user. Some tokens are
somewhat bulky and may require the user to proceed through a number of steps (anywhere
from 4 to 8) before allowing system access. This is a time-consuming process that tends to
lead to user frustration. Smart cards requiring card readers restrict those users who
travel and may be expensive for host end and application software support. In contrast,
the time-synchronized super smart card contains a microprocessor that generates and
displays a new password every time it is used or within a predetermined period of time
(usually every 60 seconds).
The premise of using a smart card for security applications is based on a long
recognized notion that there are three ways for a user to authenticate himself or herself:
- Something the user knows, such as a PIN or reusable password.
- Something the user has, such as a smart card or a token.
- Something specific to the user, such as his fingerprint or voice.
More advanced security technologies employ at least two of these three factors of user
identification and authentication. The first factor is a memorized personal identification
number; the second factor is a smart card with its displayed code generated at a
programmed interval. The two factors combine to produce a one-time password.
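The two ideas above, the clear-text password that CERT says "is used over and over" and the PIN-plus-card passcode that changes every 60 seconds, as an added example that is not from the article and not Security Dynamics' product code: the card-side code uses an assumed HMAC-SHA1 time-step construction (not the vendor's algorithm), the host accepts each interval's code only once, and a constructed sniffer capture is replayed against both schemes.

```python
import hmac
import hashlib
import struct

INTERVAL = 60   # the card shows a fresh code every 60 seconds, as the article says
SKEW = 1        # accept one interval either side to tolerate clock drift
DIGITS = 6

def token_code(secret: bytes, now: int) -> str:
    """Code displayed on the card for the interval containing `now`.
    Assumed HMAC-SHA1 construction, not the vendor's own algorithm."""
    counter = struct.pack(">Q", now // INTERVAL)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"

class TokenVerifier:
    """Host side: the passcode is PIN (factor 1) + card code (factor 2)."""
    def __init__(self, pin: str, secret: bytes):
        self.pin, self.secret = pin, secret
        self.last_step = -1   # highest interval already accepted: replay guard

    def verify(self, passcode: str, now: int) -> bool:
        n = len(self.pin)
        if len(passcode) <= n or not hmac.compare_digest(passcode[:n], self.pin):
            return False
        code, step = passcode[n:], now // INTERVAL
        for cand in range(step - SKEW, step + SKEW + 1):
            if cand <= self.last_step:
                continue    # this interval (or an earlier one) was already used
            if hmac.compare_digest(token_code(self.secret, cand * INTERVAL), code):
                self.last_step = cand
                return True
        return False

def sniffed_replay(now: int = 1_000_000) -> dict:
    """Constructed scenario: a sniffer records one login and the capture is resent."""
    static_on_host = "s3cret"                 # reusable password stored on the host
    wire_static = "s3cret"                    # same string, seen in clear text on the wire
    v = TokenVerifier(pin="1234", secret=b"constructed-seed-not-a-real-card")
    wire_otp = "1234" + token_code(v.secret, now)   # legitimate passcode, also sniffed
    return {
        "static_replay": static_on_host == wire_static,          # accepted again and again
        "otp_first": v.verify(wire_otp, now),                     # the real login succeeds
        "otp_replay_same_minute": v.verify(wire_otp, now + 5),    # rejected: already used
        "otp_replay_later": v.verify(wire_otp, now + 10 * INTERVAL),  # rejected: expired
    }
```

The replay guard is what makes the second factor worth having: without `last_step`, a code sniffed inside the same 60-second window would still be accepted, so a verifier must track consumed intervals as well as check the clock.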
FIREWALL OPTIONS
Commercial organizations who are considering conducting business on the Internet are
turning to electronic firewalls that insulate the organization's vital information
systems from outsiders, yet permit the organizations to securely transfer and receive
information via the Internet. These firewalls offer varying degrees of security, however.
A screening router firewall, for example, can be configured with a set of access rules
that will filter out many would-be intruders. Using a router as a screening firewall is
convenient because it is usually already in place. But this method of controlling access
cannot be customized to specific network environments, does not authenticate users, and
has no audit capability. If not properly set up, the firewall may have trapdoors through
which intruders can surreptitiously enter.
A UNIX-based firewall (a server with UNIX-programmed filtering, security, and
auditing) is effective in allowing users to telnet directly to an application
server; however, the network administrator must create and maintain the security
architecture, programming for every possible exposure. Application-level firewalls allow
users to telnet to an application-level prompt, and include a high level of preprogrammed,
customizable network and security functionality. Application-level firewalls can be
configured to be virtually impenetrable, but may be expensive and difficult to administer.
Most firewalls still rely upon static passwords as a means of authenticating a
user's identity. An unauthorized user may gain access to a system using a dummy
password and then create a backdoor for future access, thus reducing firewall
security levels. In summary, firewall security technologies can be highly effective in
controlling Internet access. However, they are most effective when combined with
two-factor authentication procedures that utilize one-time passwords.
CONCLUSION
All the recent attacks on networks (whether LANs or the vast Internet) have one thing in
common: The intruders were able to penetrate those networks and expand their illegal
activities by exploiting reusable passwords, thus rendering all other controls useless.
Traditional user authentication by means of reusable passwords is no longer adequate
for providing strong security in today's networked environment. It has become
increasingly obvious that information systems protected by advanced methods, such as super
smart cards which are used to generate one-time passwords, are far more secure.
Today's network managers should evaluate their enterprise networks and implement
policies and procedures for controlling access to networks through all access points.
Organizations facing the challenge of securing Internet access should take action
immediately by installing proven, highly secure access control products that will
eliminate the threat of unauthorized network access through reusable passwords.
Dave Power is senior vice president of marketing and corporate development, Security
Dynamics Technologies, Inc. Security Dynamics designs, develops, markets, and supports a
family of security products that protect and manage access to computer-based information
resources. The company develops software and hardware products that verify the identity of
authorized users and prevent unauthorized access to information on computers and networks.
For more information, visit the company's Web site at www.securitydynamics.com.