1 Control of Wide Area Networks Steven Powell Frederick Gallegos Payoff This article describes the various types of wide area networks and their access methods and connective devices, communications protocols, network services, and network topologies. It also describes the automated tools that are currently available for network monitoring, and provides a brief introduction to the Internet. Introduction Local area networks (LANs) have become commonplace in most medium and large companies. Now, wide area networks (WANs) have become the next communications frontier. However, WANs are much more complicated than LANs. In most WAN environments, the more devices an individual has to manage, the more time-consuming is the process of monitoring those devices. Complexity also increases very rapidly due to the fact that each new device on the network invariably has to interface with many existing devices. In order to get a further understanding of WANs, it is useful to explore the differences between WANs and LANs. LANs are defined as communications networks in which all components are located within several miles of each other and communicate using high transmission speeds, generally 1M-bps or higher. They are typically used to support interconnection within a building or campus environment. WANs connect system users who are geographically dispersed and connected by means of public telecommunications facilities. WANs provide system users with access to computers for fast interchange of information. Major components of WANs include CPUs, ranging from microcomputers to mainframes, intelligent terminals, modems, and communications controllers. WANs cover distances of about 30 miles, and often connect a group of campuses. WANs are usually static in nature. Changes to them require rerouting telephone lines and installing modems. LANs on the other hand can be quickly reconfigured; communications lines are set up and rerouted more easily and gateways to host computers can be quickly added. Types of Wide Area Networks There are two basic types of WANs: centralized and distributed. Centralized WANs consist of a mainframe or minicomputer that serves remotely distributed dumb terminals. Network managers lease communications channels from a common long-distance carrier and tie together terminals and the central computer using a star (or other) topology. (WAN topologies are described in more detail later in this article.) Communications is fairly straightforward; the smart computer polls the dumb terminals to find out if they have anything to transmit, and then it controls data transmission so that there are no collisions. Distributed networks provide an environment that allows independent computers to have equal levels of control in the communications architecture. Distributed networks have grown as smart computers have increased throughout organizations. Today's packet WAN technologies are capable of supporting worldwide transmission at rates that are less than LAN transmission rates. (LANs support transmission rates of 100M-bytes and higher over relatively short distances.)
2 Benefits of Wide Area Networks WANs provide a number of benefits, including: Allowing network expansion and terminal changes to be accomplished through plug-in connections over wide area locations. Support of a variety of applications and a large number of terminals. Facilitating interconnectivity by means of gateways, bridges, and routers. Distributing terminals to the most convenient locations rather than forcing them to remain in a more centralized area. Centralized network management and monitoring of use and performance to ensure maximum reliability and availability. These benefits help make users more effective in their jobs. Networking over wide areas also helps reduce or eliminate the expensive costs of gathering teams of people together. A US manufacturing team can now work closely with a team in Germany using such services as electronic mail and computer video conferencing. Elements of Wide Area Networks WANs differ according to their access methods, connective hardware and software, communications protocols, types of network services, and network topologies. These differences affect network installation, growth, and operating costs. In addition, WANs depend on the network management system for efficient and reliable operation. The following sections describe these elements. Access Methods Connections to remote networks may be accomplished over public data networks or private lines provided by long-distance and interexchange telephone carriers. The Internet requires the use of 32-bit addresses, which are administered by the Network Information Center. Locally administered private networks should encourage use of addresses that are compatible with Internet addresses to facilitate connection to the Internet. Connective Devices Information is transmitted over WANs in packets. In addition to user data, these packets contain information necessary for network management and protocols that permit local and remote devices on the network to recognize one another. For example, each packet contains address information which is necessary to ensure the correct routing of the packet. Bridges and routers are the primary connective devices used to handle these transmissions. Bridges. A bridge is a hardware and software device used to connect networks using various media and signalling systems. Bridges operate at the data-link layer of the open systems interconnection model. Bridges read and filter data packets and frames, passing traffic only if the address is on the same segment of the network cable as the originating station. (Frames contain information that is necessary for reassembling the messages contained in
3 packets after they reach their destination. There are two types of frames: control frames for link management and information frames for the transfer of information.) Routers. A router is a sophisticated hardware and software device that connects local and wide area networks. It serves packets or frames containing certain protocols, and it routes packets using network layer protocols. Multiprotocol routers can operate in heterogeneous environments by simultaneously using multiple protocols. Protocols WAN protocols are designed to provide connections for many devices within a wide area. Their purpose is to support a peer network of terminals, microcomputers, and hosts. A number of WAN protocols are available, including TCP/IP (which is the combined acronym for a pair of networking protocols, the Transmission Control Protocol [TCP] and the Internet Protocol [IP]). The TCP/IP protocols provide the prim ary communications procedures for the Internet. IBM's Systems Network Architecture (SNA) is designed to provide communications compatibility among microcomputers, minicomputers, and mainframes. For example, it can be used to connect IBM token-ring LANs to a host environment. Network Services Frame relay and asynchronous transfer mode (ATM) are technologies used to support network traffic. Their method of operation is described in the following paragraphs. The appendix at the end of this article provides a listing of selected vendors of frame relay and ATM products. Frame Relay Network Services. Frame relay is an extremely flexible and cost-effective technology that supports variable network traffic. Service bandwidth is scalable from 56K bps to 2.048M bps, and it offers a variable-length frame size from 262 bytes to 8K bytes. Frame relay allows users to gain the advantages of high-speed circuits without having to run dedicated links between all the endpoints on a private network. The other major advantage of frame relay is its minimal packet overhead. Asynchronous Transfer Mode Network Services. Asynchronous transfer mode (ATM) refers to a high-bandwidth, low-delay switching and multiplexing technology. ATM network services provide a foundation for high-speed data transmission, LAN connectivity, imaging, and multimedia applications. ATM is based on cell-switching technology that is equally effective at transmitting voice, video, and data at high speeds. ATM is better suited than packet-switching to real-time communications (e.g., video) because it uses standard-length cells with small headers containing packet and address information. ATM supports transmission speeds of up to 622M-bps. It supports services requiring both circuit-mode information transfer capabilities (characterized by a constant bit rate) and packet-mode capabilities (characterized by a variable bit rate).
4 The Network Management System Every major business wants to have the most efficient and economical operation of the corporate network. In order for a business to achieve this, it must effectively manage the computer and communications resources over the wide area network. Because most businesses buy their networking products from more than one vendor, network management systems must be able to support a wide variety of equipment on the same network. This diversity makes the task of management and troubleshooting more challenging. (Network management software is discussed later in this article.) Network Topologies Although the star topology is the most popular WAN topology, a number of other network topologies are available. Each of the these topologies has consequences with respect to reliability and availability. Star Topology. The star topology is highly reliable; loss of one node results only in the loss of a single line. Loss of that line prevents communication between the hub and the affected node, but all other nodes continue to operate normally. This topology is more limited with respect to ensuring availability. The network can only support the level of traffic that can be handled by the hub. In some cases, the hub is only able to handle one request at a time, which can cause serious delays during peak workloads. Ring Topology. The ring topology uses link segments to connect adjacent nodes; each node is actively involved in the transmission of tokens to and from other nodes. The loss of a link causes operation of the entire network to cease. Therefore, this topology is not considered very reliable. The ring topology is less effective than the mesh topology at ensuring availability of network services, but it is more effective than the star topology. Its effectiveness is limited because each node on the ring must wait to receive the token before transmitting data. Bus Topology. The bus topology is also not considered reliable. If the link fails, the entire segment connected to that link also fails. However, if the node fails, the rest of the network will continue to operate. The availability of network resources using this topology depends on the access control protocol used, the length of the bus, and the transmission load. Under a light load, availability is virtually assured, but as the load increases so too does the chance of collisions among transmissions. The chance of collisions also increases with greater bus length. Mesh Topology. This kind of topology is highly reliable, because it provides a diverse set of transmission routes. If one segment of the line fails, the rest of the line is not affected. Because of its multiple transmission paths, mesh topology also provides a high level of availability.
5 Hybrid Topology. The hybrid topology is highly reliable; the failure of one node does not affect the operation of other nodes. It also provides a high degree of availability because it provides a large number of connections to users. Tools for Network Monitoring A number of automated tools can assist the security specialist in identifying risks to network security. These include: Protocol analyzers. Network monitors. Network management software. General statistical tools. Hybrid tools. The following sections describe each of these types of tools. Protocol Analyzers Protocol analyzers can be used to observe data packets as they travel across a network, measure rates of line use, and simulate traffic to gauge changes in the network configuration. They are designed to capture and decode data packets, breaking traffic down according to the seven-layer OSI reference model. The device is physically connected to the network segments being monitored. Wandell & Goltermann's DA-30 is an example of a protocol analyzer. As described next, a WAN protocol analyzer is a specialized type of protocol analyzer. WAN Protocol Analyzers High-speed WAN protocol analyzers can be used to help network and security specialists plan and maintain multiple LANs linked to WAN services. With their unparalleled packet-filtering capabilities, these instruments are able to monitor overall network activity, view organizational data traffic patterns, simulate new circuits, and pinpoint problems. WAN analyzers allow the user to track exactly how much of a leased line is being used for a particular protocol. These analyzers can also capture and store data samples and filter out specific data packets for scrutiny. WAN analyzers are being developed with capabilities to provide fault management filters and rule-based judgments, performance trend analysis, and reports that identify problems and assign responsibility for its diagnosis and tracking. For efficient monitoring and diagnosis, it is vital that the analyzer be able to filter out specific packets from the overall data stream. This requires that the analyzer keep pace with system line speeds so that it does not overlook packets that may be critical to the network. In practice, most high-speed WAN protocol analyzers do not really filter data at the full rate of a T1 line. And the filtering and decoding processes further slow down the analyzer's operation. Because of this, most vendors of protocol analyzers specify a frame rate for their products, indicating the number of packets or frames per second that the analyzer can process. The vendors also specify the size of frames for which rates are given.
6 Most analyzers come with simulation programs that allow network managers to gauge the possible effects of specific types of data traffic on WAN circuits. With this software, sample packets are actually launched onto the network so that the analyzer can measure the effects of adding different types of protocol loads. (Running simulation applications may require shutting down network traffic.) Because most analyzers already have sophisticated packet filtering and time-stamping capabilities, it is relatively easy to add statistical software for data sampling and analysis. Such statistical packages can generally be run without interfering with network traffic. Network Monitors Network monitors track and statistically analyze traffic on network segments. As with protocol analyzers, the device is physically connected to the segments being monitored. Sample products include Network General's Distributed Sniffer System and Concord Communications Trakker. Network Management Software Network management software and workstations are designed to monitor and report on the conditions of such network elements as bridges, routers, and hubs, typically displaying information using multicolored icons on a map. These products typically use the Simple Network Management Protocol (SNMP). A number of products are available, including Hewlett-Packard's HP-OpenView, Sun Microsystems' SunNet Manager, IBM's NetView/6000, and E-Comms' E-Commander. Novell's NetWare 4.1 offers reliable network security and data integrity services. General Statistical Tools These tools are designed primarily to provide statistical information about network performance. They typically track CPU and memory levels of use, free disk space, and network I/O. Among the available products is Hewlett-Packard's PerfView. Hybrids It should be noted that many products are actually hybrids that offer elements of two or more of the preceding categories of monitoring tools. For example, many network management stations include the statistical analysis capabilities of network monitors; some network monitors provide basic protocol analysis capabilities. Among hybrid products that combine traffic monitoring, protocol analysis, and network mapping are the Distributed Sniffer System and Trakker (both introduced above), Metrix of Nashua's NetMetrix, ProTools' Network Control Series, EMC's DataReach, and TimeFinder. The Internet The Internet was started in the 1960s by the US Defense Department's Advanced Research Projects Agency to link the department with its suppliers. Today, the Internet is a worldwide collection of millions of computers tied together by means of high-speed communications lines to form an apparently single network. The Internet provides an electronic forum in which people can share information and ideas, exchange and data, use remote computers, and access public-domain information and software. Corporate customers now represent the fastest growing segment of the overall Internet user population. They use the Internet for many reasons, including file transfers, electronic mail, system maintenance, and interactive sessions. For example, one chemical company
7 uses the Internet to disseminate the results of its research; the company prefers using Internet because it is available 24 hours a day, every day. An oil company uses the Internet to transmit maps and land surveys to remote locations for oil and gas exploration; the Internet is able to reach nearly 130 countries. Users can connect to the Internet in several ways: dialing in to a personal account on an Internet-connected computer; connecting through a commercial gateway; or subscribing to a commercial service. Personal Accounts With this first alternative, service is limited to certain levels of access for example, access to USENET (an Internet-based news service), services, or file transfer protocol (FTP) services. In addition to obtaining an account on one of these systems, the user must implement a modem and communications package. A monthly connect-time fee is charged; the telephone carrier also charges the user for any long-distance calls. With this approach, the computer is not actually on the Internet it is just acting as a terminal for another computer with a direct Internet connection. The user does not need to run any Internet-protocol software with this approach. But any files the user transfers to server accounts using the Internet FTP must be downloaded using the selected communications software, which can be very expensive. To simplify the downloading process and reduce connection costs, a software access package (e.g., IBM's TalkLink or cute FTP for Windows) can be used to obtain an interface to Internet file transfer services. Commercial Gateways With this approach, users must obtain an official Internet membership for their systems; in effect, they become official Internet nodes. This can be accomplished in several ways. Server Security Server security involves limiting access to data stored on the server. Although this field is primarily the responsibility of the network administrator, the process of publishing data to the Web often requires information systems specialists to take an active hand in installing and implementing the security policy. The two primary methods in which information from databases is published to the Web are the use of static web pages and active dynamic Web page creation. These two methods require almost completely different security mechanisms. Static Web Pages Static Web pages are simply HTML files stored on the server. Many database specialists consider static page creation the simplest and most flexible method of publishing data to the Web. In a nutshell, a client program is written to query data from a database and generate HTML pages that display this information. When published as static Web pages, Web files can be uploaded to any server; for dynamic creation, however, the Web server usually must be modified (or new scripts or application software installed). Static pages have the secondary advantage of being generated by traditional client/server tools such as Visual Basic or PowerBuilder. Because almost any development system can output text files, only the necessary HTML codes must be added to make them Web pages. The creation of the pages, therefore, uses standard methods of database access control such as database security and login controls. Once created, the files must be uploaded to the Web server. Protecting the documents stored there occurs in the same manner that any other Web documents would be secured.
8 One of the most straightforward ways to protect sensitive HTML documents is to limit directory browsing. Most FTP and Web servers allow directories to be configured so that files stored within them may be read but the files may not be listed in the directory. This technique prevents any user who does not know the exact filename from accessing it. Access may be permitted by simply distributing the exact filenames to authorized personnel. Directories may also be protected using the integrated operating system security. Some Web servers allow security limitations to be placed on particular folders or directories using standard operating system techniques (i.e., file attributes) and then use this security to restrict access. This implementation will vary among Web servers. These security implementations to gain access to particular files or folders fall under the userauthentication category of security. Dynamic Page Generation Favored by large organizations, this method is gaining popularity as the technology to generate Web pages instantly from a database query becomes more robust. A dynamic Web page is stored on the Web server with no actual data but instead a template for the HTML code and a query. When a client accesses the page, the query is executed, and an HTML page containing the data is generated on the fly. The necessary data is filled into the slots defined in the template file in much the same way that a mail merge occurs in a wordprocessing program. A program may be active on the Web server to generate the necessary Web page, or a CGI script might dynamically create it. One of the first security issues that a WAN security administrator must confront is setting up access to the database from the Web server. Whether using a CGI script, serverbased middleware, or a query tool, the server itself must have access to the database. Database Connections With most of the dynamic connectors to databases, a connection with full access must be granted to the Web server because various queries will need to access different tables or views to construct the HTML from the query. The danger is obvious: A single data source on the server must be given broad access capabilities. This makes server security crucial. For example, an ODBC data source given full administrator access could potentially be accessed by any other program on the server. A program could be designed to retrieve private information from a data source regardless of whether the program's author is permitted access. This security problem is most dangerous on a system where users are allowed to upload CGI scripts or programs to run on the server. To prevent unauthorized access to your data, make sure that the server that owns the database connector is physically secure and does not permit unrestricted program execution. Table Access Control Standard table access control, if featured in the user authentication system, is more important on Web applications than on traditional client/server systems. DBAs are often lax in restricting access to particular tables because few users would know how to create a custom SQL query to retrieve data from the database. Most access to a database on a client/serve system occurs through a specifically built client that limits access from there. Not so with Web-based applications: Client/server development requires substantial experience, but even some novices can program or modify HTML code, and most user productivity applications such as word processors or spreadsheets that can access databases also save documents as HTML pages. Therefore, more solutions will be created by
9 intermediate users and so valid security is a must. Remember, a little knowledge can be a dangerous thing. User-Authentication Security Authentication security governs the barrier that must be passed before the user can access particular information. The user must have some valid form of identification before access is granted. Logins are accomplished in two standard ways: using an HTML form or using an HTTP security request. If a pass-through is provided to normal database access, traditional security controls can be brought into play. Exhibit 1 shows an example of a standard security login through Netscape Communications Corp.'s Netscape Navigator browser. A Schematic Diagram of Different Types of Layers Involving TCP/IP The HTML login is simply an HTML page that contains the username and password form fields. The actual Ids and passwords are stored in a table on the server. This information is brought to the server through a CGI script or some piece of database middleware for lookup in a user identification database. This method has the advantage of letting the DBA define a particular user's privilege. By using a table created by the DBA, numerous security privileges specific to a particular project can be defined. Once a login has occurred, a piece of data called a cookie can be written onto the client machine to track the user session. A cookie is data (similar to a key and a value in an.ini file) sent from the Web server and stored by the client's browser. The Web server can then send a message to the browser, and the data is returned to the server. Because an HTTP connection is not persistent, a user ID could be written as a cookie so that the user might be identified during the duration of the session. HTML form login security, however, must be implemented by hand. Often this means reinventing the wheel. Not only must a database table or other file be kept to track users and passwords, but authentication routines must be performed, whether through CGI script or via another method. Additionally, unless a secured connection (Please refer to subsection Secure Socket Layer (SSL), both the username and password are broadcast across the network, where they might be intercepted. HTML form login is excellent when security of the data is not paramount yet specialized access controls are required. Browser login is most useful when it is integrated with existing database security through some type of middleware. Even with users properly authenticated, additional security concerns arise. Session Security After the user has supplied proper identification and access is granted to data, session security ensures that private data is not intercepted or interfered with during the session. The basic protocols of the network do not set up a point-to-point connection, as a telephone system does. Instead, information is broadcast across a network for reception by a particular machine. TCP/IP is the basic protocol for transmission on the Internet. The protocol was never designed for security, and as such is very insecure. Because data sent from one machine to another is actually broadcast across the entire network, a program called a packet sniffer can be used to intercept information packets bound for a particular user. Therefore, even though a user has properly logged onto a system, any information that is accessed can be intercepted and captured by another user on the network. There is no easy way to prevent
10 this interception except by encrypting all of the information that flows both ways (see Exhibit 2). Need For Web Protection Levels (Encrypted) Threats Service Type 1. Destru ction2. Interfer ence 3. Modifi cation or replace ment4. Misreprese ntation 5. Adverti sing Basic Basic Strong Basic No Level Secure Internet/Intranet 1. Basic Basic Strong Basic No Inform Level ational 2. Transa ctional Elecro nical Comm erce Reputa tion 6. No Level Inadver tent misuse 7. basic Unauth orizeda ltering/ downlo ading8. No Level Unauth orized transac tion9. No Level Basic Strong Basic Basic Basic Strong Strong Basic Basic Basic Strong Basic Basic Strong Strong Strong Strong Strong Basic Strong Strong Strong
11 Threats Service Type Destruction Interference Modification Misor representation replacement Advertising Basic Basic Strong Basic Secure Internet/ Intranet 1. Informational Basic Basic Strong Basic 2. Transactional Basic Strong Strong Basic Elecronical Strong Strong Strong Strong Commerce (table continued) Reputation Inadvertent Unauthorized Unauthorized Unauthorized misuse altering/ transaction disclosures downloading Advertising No Level No Level basic No Level No Level Secure Internet/ Intranet 1.Informational No Level Basic Strong Basic Basic 2.Transactional Basic Basic Strong Basic Basic Elecronical Strong Basic Strong Strong Strong Commerce Conclusion Vendors that used to compete with each other in marketing their products are now working together to provide a common routing protocol. A common routing protocol will give customers the ability to implement an open computing environment using components from multiple vendors. Customers will no longer have to rely on a single vendor to meet their networking requirements, which will provide them greater flexibility and efficiency and help reduce network operating costs. Author Biographies Steven Powell Steven Powell, PhD, is an associate professor of computer information systems, College of Business Administration, California State Polytechnic University, Pomona CA. He has taught and written articles on communications management and controls. Frederick Gallegos
12 Frederick Gallegos, CISA, CDE, CGFM, is the EDP audit advisor for the College of Business Administration, California State Polytechnic University, Pomona CA. He has taught EDP audit and security classes at the university and has authored articles on computer security management and control.