
Information Systems Audit and Control Association InfoBytes

Intranet Security
By Lisa Lin

Many organizations have already found that Intranets can help empower personnel through more timely and less costly information flow. The empowerment bolsters the company's competitive advantage, improves employee morale and assists in getting more timely information to customers and providers.

Why Intranet Security?

Let's first define what an Intranet is. "An Intranet is an internal information system based on Internet technology, web services, TCP/IP and HTTP communication protocols and HTML publishing" (Hinrichs, 1997). The Intranet is a technology that allows an organization to define itself as a whole entity, a group, where everyone knows their roles, and everyone is working on the improvement and health of the organization.

Intranet Security Policy:

Security is a means to protect information no matter where it resides or travels on the Intranet. Some of the elements that go into security are the following:

- Integrity: Is the data received exactly what was sent?
- Reliability: No matter when it was sent or received, can you rely upon the integrity of the data?
- Availability: Can you access the data reliably whenever you need it?
- Security: Can you be certain that the data is protected from unauthorized access?

Security is critical within a private corporate network. According to a majority of computer security statistics, over 80 percent of all computer related fraud is committed by internal users. Insiders could have a motive to strike against a company and often have direct physical access to the computer as well as familiarity with the resource access controls. In order to protect its information from threats, the organization must strengthen the network security policy.

Planning:

The first objective for an organization is to develop a network policy. The policy is a document that describes an organization's network security concerns. This document becomes the first step in building effective firewalls. Some of the issues that an organization should explore in designing a policy include overall network security planning, site security policy, approach to security policy and risk analysis.

Network security planning:

Network security is worth implementing if the resources and information that an organization has on its networks are worth protecting. The next step is to properly identify network security problems prior to implementing firewall solutions and to define what types of Internetwork services and resources the organization will allow the users to access and which ones have to be restricted because of security risks. The network policy should not impair the functioning of the organization. A network security policy that prevents network users from effectively performing their tasks can have unwanted consequences: network users may find means of bypassing the network policy, rendering it ineffective. An effective network security policy is one that all network users and network administrators can accept and are able to enforce.

Site Security Policy:

An organization with multiple sites, each having its own networks and different goals and objectives, may have a separate network security policy for each site. However, the network policy should encompass the goals of all the interconnected sites. This is an important point because it is possible to come up with a network security policy that safeguards one site's interests but is harmful to others. The site security policy should take into account the protection of the site's resources, such as the following:

- "Workstations
- Host computers and servers
- Interconnection devices: gateways, routers, bridges, repeater
- Terminal servers
- Networking and applications software
- Network cables
- Information in files and databases" (Siyan, pp )

Approach to Security Policy:

Defining the network security policy means developing procedures and plans that safeguard the organization's network resources against loss and damage. A possible approach to developing this policy is to examine the following:

- "What resources are the organization trying to protect?
- Which people does the organization need to protect the resources from?
- How likely are the threats?
- How important is the resource?
- What measures can the organization implement to protect the assets in a cost-effective and timely manner?
- Periodically examine the network security policy to see if the organization objectives and network circumstances have changed" (Siyan, pp )

The cost of protecting the organization's network against threats should be less than the cost of recovery should the organization be affected by the security threats. It's important to involve the right people in the design of the network security policy.
The group could include those that are involved with auditing/control, campus information systems groups, and the individuals who deal with physical security. In order to have universal support of the network security policy, the organization must have the group's cooperation and acceptance of the network security policy.

Risk Analysis:

Risk assessment is one of the most important, critical and overlooked tasks in security. The organization needs to know what it has and what it is worth to really understand how to protect it. Risk assessment needs to be conducted before right-sizing a computing environment or moving systems to a new platform. Management needs to identify the risk and take steps to ensure the privacy of the organization's data. Some of the steps to ensure the privacy of the data are better access control, auditing, intrusion detection and encryption of the systems.

Intranet Security Techniques

Encryption:

One technique used in protecting sensitive information such as passwords, user IDs, and human resource files is encryption. "Encryption is a technique of creating unintelligible information from intelligible information" (Gallegos, pg. 12). The same technique is used to convert cleartext to ciphertext. The algorithm uses a "key" to create the mathematical equation to start producing the ciphertext. This key also must be given to the program that will decipher the text. In order for encryption to work, "the passage of the key and the algorithm must be kept secret. Programs must not be hard-coded with the key, nor should the key be written down. The key and the algorithm are often encrypted or written in machine language to prevent the casual user from intercepting code messages" (Gallegos, pg. 12). If encryption is used widely within an organization, the public key system should be used. The public key system requires that the sender create the ciphertext on the basis of the receiver's public key. The receiver will decipher the information using their private key. This system will eliminate the passing of the key, which can threaten its secrecy (Gallegos, pp ).

Authentication:

Authentication means establishing proof of identity between two or more entities. This statement raises some obvious questions: The identity of whom or what requires proving? To whom or what is the evidence made known? How is authentication accomplished, and for what purpose? There are three categories of authentication used when computing and communicating on the Intranet: User-to-Host, Host-to-Host and User-to-User.

User-to-Host Authentication:

User-to-host authentication schemes identify users to computer systems. The purpose of this type of authentication is to provide users with services for which they are authorized and to deny access to services for which they are not. There are a variety of user-to-host authentication schemes. The following are three example authentication schemes: static passwords, one-time passwords and trusted third parties.

In the static password scheme, a user chooses or is assigned an account name and an associated password. After the user enters the password, the host confirms that the password entered by the user is correct.

The one-time password scheme uses passwords that are used only one time to establish authentication, and are therefore not subject to snooping and replay attacks. The three popular one-time password mechanisms are Bellcore's S/KEY, handheld authenticators and smart cards.

Bellcore's S/KEY provides secure password-based authentication over unsecure networks. S/KEY achieves this by utilizing a user's secret password to algorithmically produce a sequence of passwords, each of which may be used exactly one time.
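
The password sequence described for S/KEY can be modelled as a one-way hash chain. The following is an added example, not code from the original article or from Bellcore: the names `one_way`, `chain_value` and `OtpServer` are hypothetical, and SHA-256 truncated to 64 bits is an assumed stand-in for the MD4/MD5-based function of real S/KEY. It shows the server keeping only the last accepted value, rejecting a replayed password, and refusing to continue once the chain is used up.

```python
import hashlib
import hmac


def one_way(value: bytes) -> bytes:
    """Stand-in one-way function (assumption): SHA-256 truncated to 64 bits."""
    return hashlib.sha256(value).digest()[:8]


def chain_value(secret: str, seed: str, n: int) -> bytes:
    """Client side: apply the one-way function n times to seed + secret."""
    value = (seed + secret).encode("utf-8")
    for _ in range(n):
        value = one_way(value)
    return value


class OtpServer:
    """Server side: stores the last accepted chain value, never the secret."""

    def __init__(self):
        self._db = {}  # user -> {"seed", "count", "last"}

    def enroll(self, user, seed, count, top_of_chain):
        # top_of_chain is chain_value(secret, seed, count), computed by the user.
        self._db[user] = {"seed": seed, "count": count, "last": top_of_chain}

    def challenge(self, user):
        """Tell the client which seed and iteration number to use next."""
        rec = self._db[user]
        if rec["count"] <= 1:
            # Iteration 0 would be the raw secret, so the chain stops at 1.
            raise RuntimeError("chain exhausted: user must re-enroll")
        return rec["seed"], rec["count"] - 1

    def verify(self, user, candidate: bytes) -> bool:
        rec = self._db[user]
        if rec["count"] <= 1:
            return False
        # Hashing a genuine password once more must give the stored value.
        if not hmac.compare_digest(one_way(candidate), rec["last"]):
            return False
        rec["last"] = candidate   # the accepted password becomes the new check value
        rec["count"] -= 1
        return True


def demo():
    """Three logins, then a replay of the first password seen on the wire."""
    secret, seed = "constructed pass phrase", "ke1234"  # constructed sample values
    server = OtpServer()
    server.enroll("alice", seed, 5, chain_value(secret, seed, 5))
    results, captured = [], None
    for _ in range(3):
        s, n = server.challenge("alice")
        password = chain_value(secret, s, n)
        if captured is None:
            captured = password  # what a network listener would have recorded
        results.append(server.verify("alice", password))
    replay_accepted = server.verify("alice", captured)
    return results, replay_accepted


if __name__ == "__main__":
    print(demo())
```

Because each accepted password replaces the stored value, a recorded password hashes to a value the server no longer holds, and a copy of the server's database yields only a value whose preimage is the next password.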

As with standard Unix passwords, no one-time S/KEY passwords are stored in cleartext on the server system. Secret passwords always remain a secret to their owners, and unlike standard Unix passwords, are never transmitted over the network except through personal carelessness.

Handheld authenticators, also known as handheld password generators or tokens, are small hardware devices that generate one-time passwords. There are primarily four overall types of handheld authenticators, which are asynchronous, PIN/asynchronous, synchronous and PIN/synchronous:

- Asynchronous is a challenge-response scheme, whereby the host issues a challenge string that the user keys into the authenticator. The response appears on the authenticator's display, which the user then enters to the host.
- PIN/asynchronous is the same as asynchronous, but with an added requirement that the user first keys in a personal identification number (PIN). The PIN acts as a password to the authenticator, not to the host.
- Synchronous: unlike asynchronous, the authenticator produces a password as a function of its internal clock at the time the user demands it. This authenticator does not involve host challenges.
- PIN/synchronous is identical to synchronous, but first requires the user to enter a PIN.

All the schemes mentioned above require that both the authenticator and the host know a common algorithm for computing the one-time passwords. The algorithm is either industry standard or proprietary, depending on the vendor's implementation.

Smart cards are similar in purpose to handheld authenticators, but are more intelligent devices: they contain a CPU, miniature operating system, clock, some program ROM, scratchpad RAM for cryptographic calculations and nonvolatile RAM or EEPROM (electrically erasable programmable read-only memory) for key storage. One aspect of their operation is analogous to handheld authenticators in that they calculate one-time passwords in response to a host challenge.
Smart cards communicate directly with the challenging entity through a smart card reader. After the PIN is entered, the reader processes the challenge, enabling authentication to occur without further human involvement. This automatic function coupled with onboard key storage makes the use of lengthy keys possible with no added inconvenience to the user.

In the trusted third party technique, the host does not have to rely solely on credentials supplied by the user or a device in his possession. Nor does the user have to entrust the host with secret information such as a password. Instead, both parties rely on a third entity, called a Key Distribution Center (KDC), to vouch for each other's identity. The KDC alone bears the burden of trust: all participants trust it and not each other. A KDC does not distinguish between users and hosts, or more correctly, server programs on hosts. It treats both as principals, distinct entities that share a secret (a cryptographic key) with the KDC.

Host-to-Host Authentication:

Host-to-host authentication is concerned with the identity of computer systems on the network. The concept is important for several reasons. For example:

- "A firewall guarding the entrance to a corporate network in San Francisco receives packets that appear to originate from a sister network in New York. Should it accept the packets?
- A diskless workstation downloads its operating system kernel from a boot server. Should it trust that the kernel it receives really came from the intended server?
- A host in Philadelphia receives a "network-unreachable" message from a router allegedly located in London. Should the host trust the message?
- A file server receives a mount request from what appears to be an authorized client. Should it honor the request and export its file system to the client?
- Two hosts, circle and square, have a common user base. If a user has authenticated to circle, and now wants to log in to square from circle, should square ask her to authenticate again?" (Hughes, pg. 87)

There are several ways to achieve host-to-host authentication, such as no authentication, disclosing passwords and digital signatures and encryption.

Authentication based on host names can be classified as no authentication. Host names exist mainly for human convenience; in fact, a system on the Internet need not even have a name assigned by an authority. Use of name-based authentication also presumes that DNS (Domain Name System) is secure.
A host is easily convinced that an address used by an attacker's machine maps to the name of a different machine.

Some host-to-host protocols disclose authentication information (passwords) in cleartext within the protocol messages. Such a technique is marginally better than no authentication, in that a would-be attacker must at least unearth the passwords by eavesdropping on protocol messages.

A digital signature is an unforgeable electronic signature that authenticates a message sender and simultaneously guarantees the integrity of the message. Authenticated messages can almost unequivocally identify their senders if the algorithms used are cryptographically strong and if keys are not compromised. Such techniques can be used by communicating hosts as well as by communicating users. Private-key or public-key encryption also can be employed when host-to-host confidentiality is required.

User-to-User Authentication:

User-to-user authentication establishes proof of one user's identity to another. One technique is digital signatures, which was discussed in the previous section. Another technique is the Kerberos version 5 KDC (Key Distribution Center). Kerberos uses the trusted third-party authentication scheme. Participating users, client programs and server programs, all termed principals, authenticate to one another through the aid of a KDC.

Developing Intranet Security

Types of Firewalls:

Packet Filtering Gateways:

Packet filtering firewalls use routers with packet filtering rules to grant or deny access based on source address, destination address and port. They offer minimum security but at a very low cost and can be an appropriate choice for a low risk environment. They are fast, flexible and transparent. Filtering rules are often not easily maintained on a router, but there are tools available to simplify the tasks of creating and maintaining the rules. Filtering gateways do have inherent risks including:

- The source and destination addresses and ports contained in the IP packet header are the only information that is available to the router in making the decision whether or not to permit traffic access to an internal network.
- They do not protect against IP or DNS address spoofing.
- An attacker will have direct access to any host on the internal network once access has been granted by the firewall.
- Strong user authentication is not supported with some packet filtering gateways.
- They provide little or no useful logging.

Circuit-level Gateways:

A circuit-level gateway is a firewall that validates TCP and, in some products, User Datagram Protocol (UDP) sessions before opening a connection or circuit through the firewall. The state of the session is monitored, and traffic is only allowed while the session is still open. This is more secure than packet filtering but allows any kind of data through the firewall while the session is open, creating a security hole. This is better than packet filtering but still falls short of total security. If this gateway does not support UDP, it cannot support native UDP traffic such as domain name service (DNS) and SNMP.

Application Gateways:

An application gateway uses server programs (called proxies) that run on the firewall. These proxies take external requests, examine them and forward legitimate requests to the internal host that provides the appropriate service. Application gateways can support functions such as user authentication and logging. Because an application gateway is considered the most secure type of firewall, this configuration provides a number of advantages to the medium-high risk site:

- The firewall can be configured as the only host address that is visible to the outside network, requiring all connections to and from the internal network to go through the firewall.
- The use of proxies for different services prevents direct access to services on the internal network, protecting the enterprise against insecure or misconfigured internal hosts.
- Strong user authentication can be enforced with application gateways.
- Proxies can provide detailed logging at the application level.

Application level firewalls shall be configured such that out-bound network traffic appears as if the traffic had originated from the firewall.
In this manner, direct access to network services on the internal network is not allowed. All incoming requests for different network services such as Telnet, FTP, HTTP, RLOGIN, etc., regardless of which host on the internal network will be the final destination, must go through the appropriate proxy on the firewall. Application gateways require a proxy for each service, such as FTP, HTTP, etc., to be supported through the firewall. When a service is required that is not supported by a proxy, an organization has three options:

- Deny the service until the firewall vendor has developed a secure proxy - this is the preferred approach, as many newly introduced Internet services have unacceptable vulnerabilities.
- Develop a custom proxy - this is a fairly difficult task and should be undertaken only by very sophisticated technical organizations.
- Pass the service through the firewall - using what are typically called plugs, most application gateway firewalls allow services to be passed directly through the firewall with only a minimum of packet filtering. This can limit some of the vulnerability but can result in compromising the security of systems behind the firewall.

Hybrid or Complex Gateways:

Hybrid gateways combine two or more of the above firewall types and implement them in series rather than in parallel. If they are connected in series, then the overall security is enhanced; on the other hand, if they are connected in parallel, then the network security perimeter will be only as secure as the least secure of all methods used. In medium to high-risk environments, a hybrid gateway may be the ideal firewall implementation.

Firewall Architectures:

Firewalls can be configured in a number of different architectures and can provide various levels of security at different costs of installation and operation. An organization should match their risk profile to the type of firewall architecture selected. The following sections describe typical firewall architectures.
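
Returning to the packet filtering gateways described under Types of Firewalls, the sketch below shows what a decision based only on source address, destination address and port can and cannot see. It is an added example, not code from the original article: the rule set, the `Packet` and `Rule` types and the function names are hypothetical, and the addresses are constructed values from the documentation ranges. The interface-based ingress check in the second function goes beyond what the article describes and is included as one common mitigation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = "192.0.2.0/24"     # constructed: the protected network
SISTER = "198.51.100.0/24"    # constructed: a trusted sister network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str = "external"  # where the packet arrived; not a header field


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR block
    dst: str               # CIDR block
    dport: Optional[int]   # None matches any port


RULES = [
    Rule("permit", SISTER, INTERNAL, 80),        # sister site may reach web servers
    Rule("permit", INTERNAL, "0.0.0.0/0", None), # internal hosts may go anywhere
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only match: source address, destination address, port."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def filter_with_ingress_check(rules, pkt: Packet, internal_net: str) -> str:
    """Same filter, but first drop packets that arrive on the external
    interface while claiming a source address inside the protected network."""
    claims_internal = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(internal_net)
    if pkt.in_iface == "external" and claims_internal:
        return "deny"
    return filter_packet(rules, pkt)


def decisions():
    """Return (header-only decision, decision with ingress check) per sample."""
    samples = {
        "sister_web": Packet("198.51.100.7", "192.0.2.10", 80),
        "outside_telnet": Packet("203.0.113.9", "192.0.2.10", 23),
        # Arrives from outside but the source field claims an internal host.
        "claims_internal": Packet("192.0.2.50", "192.0.2.10", 23),
        "outbound_web": Packet("192.0.2.50", "203.0.113.9", 80, "internal"),
    }
    return {name: (filter_packet(RULES, p),
                   filter_with_ingress_check(RULES, p, INTERNAL))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in decisions().items():
        print(name, result)
```

Neither function can tell whether a packet claiming a sister-network source is genuine, which is the question the host-to-host authentication section raises.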

Multi-homed host:

A multi-homed host is a host (a firewall) that has more than one network interface, with each interface connected to logically and physically separate network segments. A dual-homed host (host with two interfaces) is the most common instance of a multi-homed host. A dual-homed firewall is a firewall with two network interface cards (NICs), with each interface connected to a different network. For instance, one network interface is typically connected to the external or untrusted network, while the other interface is connected to the internal or trusted network. In this configuration, a key security tenet does not allow traffic coming in from the untrusted network to be directly routed to the trusted network - the firewall always acts as an intermediary. In a dual-homed firewall, routing by the firewall shall be disabled so that IP packets from one network are not directly routed to the other.

Screened host:

A screened host firewall architecture uses a host (bastion host) to which all outside hosts connect, rather than allowing direct connection to other, less secure internal hosts. To achieve this, a filtering router is configured so that all connections to the internal network from the outside network are directed towards the bastion host.

Screened subnet:

The screened subnet architecture is essentially the same as the screened host architecture, but adds an extra layer of security by creating a network where the bastion host resides (often called a perimeter network) which is separated from the internal network. A screened subnet is deployed by adding a perimeter network that separates the internal network from the external one. This assures that if there is a successful attack on the bastion host, the attacker is restricted to the perimeter network by the screening router that is connected between the internal and perimeter network.

Figure 1: An example of firewall configuration (Internet-Ireland, pg.1)

Implementing Intranet Security

Security strategies should not be based on current or future products or technology but on the existing functional needs and risks of the organization. The toughest part of developing a security strategy is determining what needs to be secured and from whom. When implementing Intranet security, the security plans should encompass four major aspects of information security:

- Physical (physical and procedural controls to corporate resources, for example)
- Network (network isolation and packet encryption)
- Platform (intrusion protection and compliance monitoring tools)
- Application security (strong authentication and electronic commerce)

The steps of implementing a security plan are listed below. These steps should be followed and answered pertaining to the needs of the company.

1. Develop a security policy
   - Decide value of resources
   - Determine who must use those resources
   - Determine what ratio of security/accessibility is feasible

   Two basic attitudes:
   - List of permitted actions
   - List of forbidden actions
2. Configure system around security policy
3. Inform system users
   - Inform of their part in security maintenance
   - Define proper use of resources
4. Maintain system and user information level
5. Respond to breaches

Intranet Security after Implementation

Once the security is developed, the policy needs regular review and update. The environment and technologies are constantly changing, and so is the protection that is needed for the information. In any Intranet implementation where information needs protection, there are three regular activities that should take place in order to keep the company current. These include:

Threat Identification
- The information is evaluated for its value to the business, the potential security risks, and the consequences of a security breach. External consultants are used in this process because of the knowledge needed to identify threats.

Active Penetration Testing
- This involves sanctioned attempts to actually penetrate the security at known vulnerability points. A package known as SATAN can be used to duplicate known hacking techniques and apply them against the target system.

External Audits
- External auditors are used because they see a broader range of experiences and results in the course of their business than any one company would encounter. Internal auditing is valuable, but external auditing is a must.

Conclusion

There is a potential benefit in using an Intranet in that many of the complicated security schemes can be bypassed for the basic reason that the network is private and there is a known set of users. This will certainly not increase the security of the system, but it may reduce its cost and complexity, and if properly designed, should not prevent the future addition of stricter security schemes and a migration to the Internet. This should be balanced against the cost of implementing the Intranet, and the more restricted access on the Intranet. Overall, security concerns for Intranets and the Internet are much like concerns for any networked environment: provide proper configurations, make information available only to authorized users, remember security when developing applications, think about privacy needs of your users and keep system and application software maintained to current service levels.

Bibliography

- Cooper, Frederic J.; Goggans, Chris; Halvey, John K.; Hughes, Larry; Morgan, Lisa; Siyan, Karanjit; Stallings, William; Stephenson, Peter, "Implementing Internet Security", Indianapolis: New Riders Publishing.
- Hinrichs, Randy J., "Intranets: What's The Bottom Line?", SunSoft/Prentice Hall.
- Hughes, Larry J., "Actually Useful Internet Security Techniques", Indianapolis: New Riders Publishing.
- McCarthy, Linda, "Intranet Security: Stories from the Trenches", Sun Microsystems Press.
- Siyan, Karanjit and Hare, Chris, "Internet Firewalls and Network Security", Indianapolis: New Riders Publishing.
- Intranet Organization: Strategies for Management Change, by Steven L. Telleen, Ph.D., Iorg.com.
- Internet Security Policy: A Technical Guide, Gaithersburg: National Institute of Standards and Technology.
- Internet/Intranet Firewall Security for TCP/IP and IPX Networks: A Manageable, Integrated Solution, Ukiah Software, Inc.
- Microcomputer Network Controls and the Intranet, by Frederick Gallegos and Steven R. Powell, Auerbach.

This paper by Lisa Lin was one of three that won the ISACA Los Angeles Chapter's Best Paper Contest.

Copyright 2004 Information Systems Audit and Control Association (ISACA). All rights reserved.


More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

12. Firewalls Content

12. Firewalls Content Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

IMPLEMENTING INTERNET FIREWALL SECURITY POLICY

IMPLEMENTING INTERNET FIREWALL SECURITY POLICY NIST Special Publication 800-XX IMPLEMENTING INTERNET FIREWALL SECURITY POLICY Barbara Guttman Robert Bagwill IMPLEMENTING INTERNET FIREWALL SECURITY POLICY Information Technology Laboratory Computer Security

More information

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security

More information

Internet Firewalls Policy Development and Technology Choices

Internet Firewalls Policy Development and Technology Choices Internet Firewalls Policy Development and Technology Choices Leonard J. D Alotto GTE Laboratories, Incorporated Abstract Since the development of the World Wide Web (WWW), more and more organizations are

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff

83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff 83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff Firewalls are an effective method of reducing the possibility of network intrusion by attackers. The key to successful

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Lecture 23: Firewalls

Lecture 23: Firewalls Lecture 23: Firewalls Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP581 -- L23 What is a Digital

More information

Firewalls and Virtual Private Networks

Firewalls and Virtual Private Networks CHAPTER 9 Firewalls and Virtual Private Networks Introduction In Chapter 8, we discussed the issue of security in remote access networks. In this chapter we will consider how security is applied in remote

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

FIREWALL ARCHITECTURES

FIREWALL ARCHITECTURES FIREWALL ARCHITECTURES The configuration that works best for a particular organization depends on three factors: The objectives of the network, the organization s ability to develop and implement the architectures,

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed

More information

Network Security. Raj Jain. The Ohio State University. Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ Raj Jain 31-1

Network Security. Raj Jain. The Ohio State University. Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ Raj Jain 31-1 Network Security Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ 31-1 Overview Security Aspects Secret Key and Public Key Encryption Firewalls: Packet Filter, Bastion Host,

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Network Security: From Firewalls to Internet Critters Some Issues for Discussion

Network Security: From Firewalls to Internet Critters Some Issues for Discussion Network Security: From Firewalls to Internet Critters Some Issues for Discussion Slide 1 Presentation Contents!Firewalls!Viruses!Worms and Trojan Horses!Securing Information Servers Slide 2 Section 1:

More information

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX APPENDIX A Introduction Understanding TCP/IP To fully understand the architecture of Cisco Centri Firewall, you need to understand the TCP/IP architecture on which the Internet is based. This appendix

More information

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall SOFTWARE ENGINEERING 4C03 Computer Networks & Computer Security Network Firewall HAO WANG #0159386 Instructor: Dr. Kartik Krishnan Mar.29, 2004 Software Engineering Department of Computing and Software

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

ECE 578 Term Paper Network Security through IP packet Filtering

ECE 578 Term Paper Network Security through IP packet Filtering ECE 578 Term Paper Network Security through IP packet Filtering Cheedu Venugopal Reddy Dept of Electrical Eng and Comp science Oregon State University Bin Cao Dept of electrical Eng and Comp science Oregon

More information

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 6 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

Firewalls CSCI 454/554

Firewalls CSCI 454/554 Firewalls CSCI 454/554 Why Firewall? 1 Why Firewall (cont d) w now everyone want to be on the Internet w and to interconnect networks w has persistent security concerns n can t easily secure every system

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 9 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations

More information

Firewall: Getting started

Firewall: Getting started Firewall: Getting started Version 4 SC41-5424-02 Firewall: Getting started Version 4 SC41-5424-02 ii Firewall: Getting started Contents Part 1. Firewall: Getting started... 1 Chapter 1. Print this topic.......

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Internet Security Specialist Compaq Computer

Internet Security Specialist Compaq Computer Internet Security Specialist Compaq Computer Proof of Concept Partners Projects Workshop Seminars Customer Briefings Compaq White Paper Performance White Papers ASE Symposium $40-80 billion potential

More information

Security threats and network. Software firewall. Hardware firewall. Firewalls

Security threats and network. Software firewall. Hardware firewall. Firewalls Security threats and network As we have already discussed, many serious security threats come from the networks; Firewalls The firewalls implement hardware or software solutions based on the control of

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY) E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

SECURITY via FIREWALLS

SECURITY via FIREWALLS SECURITY via FIREWALLS 1. Introduction Firewall technology has matured to the extent that today s firewalls can coordinate security with other firewalls and intrusion detection systems. They can scan for

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Firewall 1 Basic firewall concept Roadmap Filtering firewall Proxy firewall Network Address Translation

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre

More information

Chapter 20. Firewalls

Chapter 20. Firewalls Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems

More information

A Model Design of Network Security for Private and Public Data Transmission

A Model Design of Network Security for Private and Public Data Transmission 2011, TextRoad Publication ISSN 2090-424X Journal of Basic and Applied Scientific Research www.textroad.com A Model Design of Network Security for Private and Public Data Transmission Farhan Pervez, Ali

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

The Advantages of a Firewall Over an Interafer

The Advantages of a Firewall Over an Interafer FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information