Thursday, December 13, 2007

Introduction and Background

The steadily growing international community of computer network users needs an expanding staff of well-educated network security professionals to guarantee the reliability of the global IT infrastructure of computer nodes in wired and wireless networks. Network security tools are usually software tools. Network security professionals should know these tools, how to use and develop them, and what kind of network security they can provide.

In accordance with Oppliger (1999, preface) we define network security as "a set of procedures, practices and technologies for protecting network servers, network users and their surrounding organizations." Network security software (computer programs) covers the area defined above. In order to give a more structured picture of network security software, the material has been organized into the following topics:

  • Protection against malicious programs

  • Firewall software

  • Cryptographic software

  • Security administration software

  • Security software development

  • Network security software skill levels

  • Network security software skills in higher education

The text gives a topical overview of network security software: the topics are not covered in detail, and most topics are briefly introduced and left for further study. The main objective is to present "State-of-the-Art" of network security software and to discuss related skills and education needed by network users, IT professionals, and network security specialists.

Protection Against Malicious Programs

Malicious software exploits vulnerabilities in computing systems. Bowles and Pelaez (1992) present a taxonomy in which malicious programs are divided into two categories:

  1. Host program needed

    • Trap door

      A trap door is a secret entry point bypassing normal authentication procedures to a program. Trap doors have for many years been used legitimately in program development for debugging and testing purposes. Malicious use of trap doors is a serious security threat.

    • Logic bomb

      A logic bomb is one of the oldest malicious program types. A logic bomb embedded in some legitimate program can be triggered by some condition — for example a particular time on a particular date — to "explode," causing damage to the host computer such as an unexpectedly formatted hard disk or deleted files.

    • Trojan horse

      A Trojan horse is a program fragment, hidden in some useful program, that performs unwanted or harmful operations.

    • Virus

      A virus is a program that can infect other programs by modifying them. The modification includes a copy of the virus program that can go on to infect other programs.

  2. Self-contained malicious program

    • Bacteria

      A "bacteria" program is a self-replicating but otherwise harmless program that may eventually consume all the capacity of the target computer.

    • Worm

      A worm is a program that spreads from computer to computer through network connections. An activated worm may behave like a virus or bacteria, or it could implant Trojan horses.

Antivirus Protection Software

A virus is the most common malicious program. Virus types are defined in Stallings (2000, Chap. 9) and Stephenson (1993). As can be seen from Table 1, viruses use different ways to hide their presence or otherwise complicate antivirus operations. Some viruses even use self-encryption to hide themselves or are embedded in encrypted data communication, like file attachments in secure email or script viruses on protected web pages or in secure HTTP mail messages. Retroviruses attack antivirus programs trying to destroy or neutralize these programs. Multi-partition viruses use multiple infection techniques in order to survive disinfection operations.

Table 1: Different types of viruses

Type of virus: Description

Parasitic: Attaches itself to executable files and replicates when the infected program is executed.

Memory-resident: Lodges in main memory as part of a resident program and infects every program executed.

Boot sector: Infects a (master) boot record and spreads when a system boots up from the infected disk (the original DOS viruses).

Macro: Takes advantage of the macro script features of some types of documents (e.g., MS Word and MS Excel documents).

Script: Similar to macro viruses, but uses the scripting languages of the operating system or of applications such as the web browser. It is application and platform independent.

Stealth: Explicitly designed to hide itself from detection by antivirus software (e.g., using compression).

Polymorphic: Mutates with every infection, making detection by "signature" impossible.

The ideal antivirus approach is prevention, which means that a virus is not allowed to enter a computer system. In practice, 100% virus prevention is difficult to achieve, so prevention must be combined with detection, identification and removal of the viruses for which prevention fails (Stallings, 2000).

Four generations of antivirus software are described in Stephenson (1993):

  1. First Generation: Simple scanners that search files for any known virus "signatures" and check executable files for length changes.

  2. Second Generation: Scanners that use heuristic rules and integrity checking to search for probable virus infection. They look for more general signs than specific signatures (code fragments common to many viruses) and check files for checksum or hash changes.

  3. Third Generation: Programs called "activity traps" that are memory resident and identify virus actions (e.g., opening executable files in write mode, scanning many files).

  4. Fourth Generation: Antivirus software packages that use a variety of the best of antivirus techniques in conjunction.
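As an added illustration of the first two generations above (not code from the page or from any product it names), the following Python combines a first-generation signature search and length check with second-generation hash integrity checking over two constructed files; the signature bytes and file contents are made up for the demo.

```python
import hashlib
import os
import tempfile

# Constructed marker standing in for a known virus signature (hypothetical).
KNOWN_SIGNATURES = {"demo-marker": b"\x90DEMO-SIG\x90"}


def baseline(paths):
    """Record (length, SHA-256) per file: the second-generation integrity data."""
    records = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        records[p] = (len(data), hashlib.sha256(data).hexdigest())
    return records


def scan(paths, records):
    """Return {path: [findings]} from signature search plus integrity checks."""
    findings = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        hits = [f"signature:{n}" for n, sig in KNOWN_SIGNATURES.items() if sig in data]
        old_len, old_hash = records.get(p, (None, None))
        if old_len is not None and len(data) != old_len:
            hits.append("length-changed")          # first-generation length check
        if old_hash is not None and hashlib.sha256(data).hexdigest() != old_hash:
            hits.append("hash-changed")            # second-generation integrity check
        if hits:
            findings[p] = hits
    return findings


def demo():
    """Baseline two constructed files, modify one of them, and scan both."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "clean.bin")
    changed = os.path.join(d, "changed.bin")
    for p in (clean, changed):
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)      # constructed stand-in for an executable
    records = baseline([clean, changed])
    with open(changed, "ab") as f:            # simulate a modified, marked file
        f.write(KNOWN_SIGNATURES["demo-marker"])
    return {os.path.basename(p): h for p, h in scan([clean, changed], records).items()}
```

A polymorphic virus (Table 1) defeats the signature list but not the length and hash checks, which is why the second generation added integrity checking.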

Examples of recent advanced antivirus techniques are Generic Decryption (GD) and Digital Immune System (DIS) technology. GD is used for efficient detection of complex polymorphic viruses (Nachenberg, 1997). GD works by running executable files through a GD scanner, which consists of three components: the CPU emulator, the virus signature scanner and the emulation control module. The comprehensive DIS approach, proposed by IBM in 1997, was developed in response to the weaknesses in integrated mail systems and mobile program technology. DIS consists of three components: a monitoring program, the administrative machine and the virus analyst machine. Both the Generic Decryption and the Digital Immune System antivirus approaches are described in Stallings (2000, Chap. 9).

Modern antivirus programs can also be divided into classes based on the level of antivirus protection they provide:

  • Gateway level protection

  • File server level protection

  • End user level protection

Gateway level antivirus protection consists of mail server and firewall protection. Mail server protection is implemented by monitoring incoming and outgoing SMTP traffic. Malicious code in scripts in HTTP email messages and in file attachments is automatically detected, identified and removed. Firewall protection is implemented by detection, identification and removal of viruses passing through firewalls. HTTP, FTP and SMTP traffic is automatically scanned for malicious code as data comes through the firewall from the Internet. Examples of gateway level antivirus software are F-Secure Anti-Virus for Firewalls, F-Secure Anti-Virus for Internet Mail, McAfee WebShield and Symantec Anti Virus Gateway Solution.

File server level antivirus protection consists of software that resides on the server. User profiles of the file system are updated periodically and whenever data is downloaded and uploaded.

End user level antivirus protection is achieved by programs and modules attached to communication applications. The basic antivirus software consists of scanners that scan local files and monitor memory for viruses. As an addition to these, antivirus modules are needed. These modules are add-ons that implement antivirus protection to other programs. Examples of such programs are web browsers, email software and other cryptographic applications. For example, web browsers need antivirus protection integrated into decryption of HTTPS communication, and email clients need antivirus protection to scan encrypted HTTP email messages and encrypted file attachments during decryption. Embedded end user level antivirus modules are needed whenever data communication is encrypted, because encryption disables gateway level antivirus security.

There are commercial end user level antivirus programs for detection of, and protection from viruses (McAfee, 2002; Symantec, 2002; F-Secure Download Center, 2002):

  • VirusScan Online

  • Norton AntiVirus

  • F-Secure Anti-Virus

Many of these commercial end user level antivirus programs can be downloaded from the Internet as free TRIAL versions that only work for a specific period of time.

There are also freeware or shareware antivirus programs such as:

Different levels of antivirus protection should be combined to achieve depth in antivirus defense. The first defense line is gateway level antivirus protection, where viruses are detected and removed before files and scripts reach a local network. The next defense line is file server antivirus protection, where viruses are detected and removed from network users' files and scripts, even before the users try to use these files and scripts from network-connected workstations. The ultimate defense line is end user antivirus protection, where viruses that went undetected in the outer defense lines are detected and removed.

The defense lines in antivirus protection are illustrated in Figure 1. Viruses can enter a system through a network connection and through infected files and scripts on external media (CD, floppy) inserted into the system. In both cases viruses can be hidden in encrypted information.

Figure 1: Defense lines in antivirus protection

When using a network connection, viruses may try to enter the network through a gateway, where the gateway level antivirus protection software is installed. But when viruses are hidden in encrypted information the gateway level antivirus protection is always penetrated and the server level antivirus protection is usually penetrated.

Viruses hidden in encrypted information may also try to enter the server level from infected installation files which have been encrypted.

When antivirus protection is installed, virus definition databases should be kept updated. New viruses and modifications of earlier viruses are constantly introduced. Providers of commercial antivirus protection software usually develop protection against newly detected viruses and virus modifications within hours, and include this new protection in their virus definition databases, which are available to their customers. Commercial antivirus protection software can usually be configured to update virus definition databases automatically or on request from:

  • a management server updated by the antivirus protection provider,

  • a network server directory updated by the local network administrator, or

  • the web page of the antivirus protection software provider.

Virus definition databases can, of course, also be updated manually.

Trojan Horse Defense Software

One defense option against Trojan horse attacks is the use of a secure, trusted operating system, in which attempts to implant Trojan horses are disallowed by a reference monitor using a security kernel access database (Stallings, 2000, p. 334). The concept of a trusted system is also explained there. Example illustrations of Trojan horse defense in a secure, trusted operating system are published in Boebert, Kain, and Young (1985).

Firewall Software

Firewalls are used to protect a local computer or network of computers from external network-based security threats. There are three common types of firewalls:

  1. Packet-filtering router: The router applies a set of rules to each incoming IP packet and then forwards or discards the packet. IP packet filtering occurs in both directions.

  2. Application-level gateway: The gateway is also called a proxy server. It acts as a relay of application level traffic.

  3. Circuit-level gateway: The gateway is a stand-alone system or performs specialized functions through an application level gateway. Typically it relays TCP segments from one connection to another without examining the contents.

The platform for a packet-filtering router is, of course, the router itself, in which the filtering rules are implemented in hardware and/or software. Most TCP/IP routers support basic user-defined IP packet filtering rules.

A packet-filtering firewall can also be a stand-alone device on a network link. For example, a PC/Linux computer with two network connections can be used as a platform for an IP packet filtering router for the IP traffic between the two network connections (Conry-Murray, 2001, Chap. 9). Such Linux firewall platforms usually use IPTables screening firewall software (Web Portal of the Netfilter/IPTables Project, 2002), which is integrated into the Linux kernel. For example, the following lines in the firewall initialization script, which is executed at boot time in the Linux firewall platform, allow data communication to and from the SSH port (port number 22) of the same Linux computer:

    # SSH TCP 22 OUT (this Linux host acting as an SSH client)
    iptables -A INPUT  -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    # SSH TCP 22 IN (this Linux host acting as an SSH server)
    iptables -A INPUT  -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
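To show how a packet-filtering router evaluates stateful rules like the four above, here is an added Python simulation of INPUT/OUTPUT chains with a connection table; it is not the page's code and not Netfilter itself. The state logic is simplified (a SYN starts a NEW connection, any other unmatched TCP segment is INVALID), the -i/-o interface match is omitted, and the addresses and ports are constructed.

```python
from collections import namedtuple

# chain is "INPUT" or "OUTPUT"; syn is True only for the first segment of a TCP connection
Packet = namedtuple("Packet", "chain proto src sport dst dport syn")

class StatefulFilter:
    """First-match rule list plus a connection table; unmatched packets hit the default policy."""
    def __init__(self, rules, policy="DROP"):
        self.rules, self.policy, self.conns = rules, policy, set()

    def _state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return "ESTABLISHED"       # belongs to a connection seen in either direction
        return "NEW" if p.syn else "INVALID"   # simplified stand-in for conntrack

    def decide(self, p):
        state = self._state(p)
        for r in self.rules:
            if r["chain"] != p.chain or r["proto"] != p.proto:
                continue
            if r.get("sport", p.sport) != p.sport or r.get("dport", p.dport) != p.dport:
                continue
            if state not in r["state"]:
                continue
            if state == "NEW" and r["target"] == "ACCEPT":
                self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))  # record the connection
            return r["target"]
        return self.policy

# The four SSH rules from the text, in the same order (interface match omitted).
SSH_RULES = [
    {"chain": "INPUT",  "proto": "tcp", "sport": 22, "state": {"ESTABLISHED"}, "target": "ACCEPT"},
    {"chain": "OUTPUT", "proto": "tcp", "dport": 22, "state": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
    {"chain": "INPUT",  "proto": "tcp", "dport": 22, "state": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
    {"chain": "OUTPUT", "proto": "tcp", "sport": 22, "state": {"ESTABLISHED"}, "target": "ACCEPT"},
]

def demo():
    """Constructed traffic: firewall host 10.0.0.1, remote peer 198.51.100.7."""
    fw = StatefulFilter(SSH_RULES)
    first = Packet("INPUT", "tcp", "198.51.100.7", 40000, "10.0.0.1", 22, True)    # inbound SSH SYN
    reply = Packet("OUTPUT", "tcp", "10.0.0.1", 22, "198.51.100.7", 40000, False)  # our SYN-ACK
    stray = Packet("INPUT", "tcp", "198.51.100.7", 40001, "10.0.0.1", 22, False)   # no handshake
    http = Packet("INPUT", "tcp", "198.51.100.7", 40002, "10.0.0.1", 80, True)     # port not allowed
    return [fw.decide(x) for x in (first, reply, stray, http)]
```

The stray segment and the HTTP SYN fall through to the DROP policy, which is the behaviour a default-deny rule set on the Linux firewall platform relies on.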

Another example of a stand-alone firewall device is the Cisco Secure PIX 500 Firewall, in which IP packet traffic is controlled by a stateful, connection-oriented algorithm (Adaptive Security Algorithm, ASA) and user authentication/authorization is based on an efficient Cut-Through Proxy functionality (Cisco Firewalls, 2002).

For some routers advanced firewall functionality is available as add-on software. An example is the Cisco IOS Firewall add-on module to the Cisco Internetwork Operating System, which is the control software of many Cisco routers and routing switches (Cisco IOS Firewall Feature Set, 2002). Cisco IOS Firewall can be configured to filter network layer, transport layer, and application layer traffic. It can be configured to permit specific TCP and UDP traffic when the connection is initiated from the protected network. The Cisco IOS Firewall add-on software thus implements packet filtering features and application level gateway features, as well as circuit level gateway features, on routed TCP/IP connections.

A typical application level gateway is a protocol-oriented proxy server — for example a PC/Linux computer with two network connections executing proxy software — on a network link: an HTTP proxy, an SMTP proxy, an FTP proxy, etc. An HTTP proxy can also be used as a web page cache for web users in the proxy-protected network.

The platform for an application-level gateway firewall or for a circuit-level gateway firewall is called a bastion host. A single-homed bastion host forwards incoming data traffic and filters outgoing data traffic. A dual-homed bastion host filters data traffic in both directions. Usual configurations for firewall-protected networks consist of one or two packet filtering routers and a bastion host (Stallings, 2000, p. 329).

Firewall software can also protect individual computers connected to a public TCP/IP network. Examples of firewall software for individual workstations in a TCP/IP network are ZoneAlarm® (Zone Labs, 2002), Sygate Personal Firewall (Sygate Technologies, 2002) and Norton PersonalFirewall (Symantec Corporation, 2002).
