Security Administration Software
Security administration software includes intrusion detection, management software for security software and vulnerability checking.
An Intrusion Detection System (IDS) monitors traffic in a network and/or user behavior in a host computer to identify possible intruders and/or anomalous behavior and/or misuse (Stallings, 2000, Chap. 9).
Network security software in host computers and in other network nodes, like routers, configurable switches, is often controlled by management software. An example is the distributed IDS described in Heberlein, Mukherjee, and Levitt (1992). Management software is also available for multiple installations of Cisco Secure PIX Firewalls (Cisco PIX 500 Firewalls, 2002). The Digital Immune System described in Stallings (2000, Chap. 9) as well as security software developed and delivered by F-Secure (F-Secure Enterprise Solutions, 2002) are also centrally managed and updated.
A major vulnerability of password protection is insufficient password quality. Passwords can be too short or easily guessed or cracked. A potential intruder could run a password cracker on the encrypted passwords stored in a computer. A system administrator should often do the same, disable user accounts with bad passwords, and urge users to use only good passwords. A freeware password cracker, L0phtCrack, can be downloaded from @stake Research Labs (2002)
Intrusion into a computer in a TCP/IP network occurs through open ports. Intrusion prevention thus requires administration based on regular vulnerability scans for open ports. The vulnerability scan procedure is described in Conry-Murray (2001). How the three-step "handshake" to establish a TCP connection can be manipulated in intrusion attempts is described in Scambray, McClure and Kurtz (2001). A freeware port scanner, Nmap, can be downloaded from Insecure.Org (2002). Information on available commercial port scanners is available at Atomic Tangerine (2002).
Security Software Development
Antivirus protection programming skills require studies of self-modifying code programmed in assembler, in high level programming languages, and in scripting languages, as well as of virus sensitive vulnerabilities in common operating system environments.
Firewall software programming skills are based on knowledge of software implementations of the TCP/IP protocol stack. Programming exercises and projects to design software of the IP, TCP, UDP and application level protocols should therefore be included in advanced network security education.
For development of network applications with built-in application level security the open source toolkit OpenSSL is available (The OpenSSL Project, 2001). OpenSSL can be installed on UNIX, Windows, and Macintosh computers as a library of C functions available to a C compiler. Also, commercial development tools for SSL-protected network applications are available. RSA Security and Certicom offer software developer kits based on C and Java (see RSA BSAFE, 2001; Certicom, 2001).
There are a number of IPSec implementations and patches available for Linux, such as portable, open source, tunnel and reference implementation. (References can be found in R4knet, 2002; Ringström, 2002; Linux FreeS/WAN, 2002; and NIST/ ITL, 2002). The KAME project aims to provide free reference implementations of IPv6 and IPSec (see KAME Project, 2002).
There are also available commercial IPSec developer products such as SSH QuickSec™ Toolkit. This toolkit includes full IPSec based VPN functionality, an integrated stateful inspection firewall with support for multiple Application Level Gateways, dynamic addressing and configuration, and integration to existing infrastructures (authorization, authentication and accounting). It provides the industry's latest Internet standards, including IPv6, NAT Traversal, and robust PKI support (press release, 2002).
VPN software is implemented as add-on or integrated software controlled by operating systems of workstations, servers, and routers (F-Secure Security Solutions, 2002; Cisco Systems, 2002; Linux FreeS/WAN, 2002). Development skills for VPN software and other IPSec applications require a deep knowledge, especially in IKE - the encryption key management protocol in IPSec. Education of IPSec specialists should include installation, configuration, and test use of VPN software, as well as source code studies of VPN implementations combined with programming exercises in which new features and/or modifications are introduced into the examined VPN software.
There are a number of S/MIME toolkits and packages available from different commercial companies or non-commercial organizations. With these toolkits S/ MIME features can be implemented to existing software that do not support S/ MIME and to applications under development that need S/MIME support.
A freeware S/MIME v3 toolkit is available in the S/MIME Freeware Library (SFL). SFL works under the MS Windows NT/98/2000/XP, Linux and Solaris 2.8 operating systems (see Getronics, 2002).
There is an S/MIME Toolkit for cross-platform development of S/MIME applications available from The Mozilla Organisation. The Mozilla S/MIME Toolkit provides S/MIME functionality via an API that can be integrated with a variety of MIME parsers and generators (see Mozilla Organization, 2002).
Phaos S/MIME is a package in pure Java. With the Phaos S/MIME Toolkit secure S/MIME messaging applications and applets can quickly be built. The Phaos S/MIME Toolkit is platform-independent, and executes on newer versions of the Java platform. With the Phaos S/MIME Toolkit you can incorporate the S/MIME secure messaging protocol into Java applications (Phaos, 2000).
RSAEuro is an open source cryptographic toolkit providing various preprogrammed functions in C. RSAEuro can be downloaded; for example, from ftp.funet.fi (FUNET ftp server, 2001).
In smartcard application development usually some development kit for smartcard programming is used. Microsoft offers a Smart Card Toolkit based on the use of visual programming tools (Windows for Smart Cards Toolkit for Visual Basic 6.0, 2001).
Network Security Software Skill Levels
Every computer and computer network user needs skills:
-
to understand the significance of antivirus protection and to perform virus scans with installed antivirus protection software;
-
to understand the basic principles of firewalls; to install and use firewall software for protection of a workstation connected to a public TCP/IP network;
-
to manage settings of network security software embedded for example in web browsers and remote access software like SSH; and
-
to understand the basic principles of PKI and digital signatures.
This skill level could be called user level, including basic understanding of PKI and digital signatures. User level skill examples are management of security settings of a web browser and inspection of the signature of a signed email message .
User level skills in network security software should be acquired in all medium- and higher-level education
The next level of network security software skills is the network administrator level, which should include skills to install, configure and update network security software . Education of IT engineers and other IT professionals should provide network administrator skills in network security software.
The highest level of network security software skills is the software development level, in which a profound and detailed knowledge of:
-
behavior of viruses and other malicious programs
-
TCP/IP and other network protocols
-
cryptographic algorithms, protocols and standards
is combined with advanced programming skills. Figures 12-14 illustrates the knowledge and skills needed for development of PKI client software based on the PKCS#11 standard. Education of software and programming professionals should provide software development skills in network security software.
An even higher skill level could be introduced, the network security scientist level, which covers knowledge and skills:
-
to propose new protection methods against viruses and other malicious programs,
-
to propose new firewall types and configurations,
-
to further develop the mathematics of cryptography, and
-
to propose new cryptographic algorithms, protocols and standards.
| PKCS #11 V2.11: CRYPTOGRAPHIC TOKEN INTERFACE STANDARD | ||
|---|---|---|
| 11.1.7 | More on relative priorities of Cryptoki errors | 133 |
| 11.1.8 | Error code "gotchas" | 133 |
| 11.2 | Conventions for functions returning output in a variable-length buffer | 133 |
| 11.3 | DISCLAIMER CONCERNING SAMPLE CODE | 134 |
| 11.4 | GENERAL-PURPOSE FUNCTIONS | 135 |
| ? | C_Initializ | 135 |
| ? | C_Finalize | 136 |
| ? | C_GetInfo | 137 |
| ? | C_GetFunctionList | 138 |
| 11.5 | SLOT AND TOKEN MANAGEMENT FUNCTIONS | 139 |
| ? | C_GetSlotList | 139 |
| ? | C_GetSlotInfo | 141 |
| ? | C_GetTokenInfo | 141 |
| ? | C_WaitForSlotEven | 142 |
| ? | C_GetMechanismList | 144 |
| ? | C_GetMechanismInfo | 145 |
| ? | C_InitToken | 146 |
| ? | C_InitPIN | 147 |
| ? | C_SetPIN | 149 |
| 11.6 | SESSION MANAGEMENT FUNCTIONS | 150 |
| ? | C_OpenSession | 151 |
| ? | C_CloseSession | 152 |
Figure 13: PKCS #11 function declarations published by RSA Laboratories
It should be possible to acquire this skill level in postgraduate IT education in universities.
Network Security Software Skills in Higher Education
Education of computer scientists and IT professionals in universities and polytechnics includes, as a rule, courses in computer and network security (Rubin, 2002). Several universities also offer MSc programs in information security (see Eastern Michigan University, 2002; James Madison University, 2002; Queensland University of Technology, 2002; University of Glamorgan, 2002; University of London, 2002; University of Westminster, 2002). Usually these courses and programs cover information security administration, antivirus protection, firewall techniques, intrusion prevention and detection, theory and applications of cryptography, and information security standards. Computer scientists and IT professionals educated by these courses and programs should have knowledge as well as skills about installation, configuration, use, and user support of present network security software. However, university and polytechnic level network security education seldom covers network security software development skills like programming TLS/ SSL applications, IPSec applications, SET applications, PKI applications, authentication solutions, applications with digital signatures, antivirus protection software, firewall software, and smartcard programming.
 |
/* pkcs11f.h include file for PKCS #11. 2001 June 25 */
/* This function contains pretty much everything about all the */
/* Cryptoki function prototypes. Because this information is */
.............................
/* Signing and MACing */
/* C_SignInit initializes a signature (private key encryption)
* operation, where the signature is (will be) an appendix to
* the data, and plaintext cannot be recovered from the
* signature. */
CK_PKCS11_FUNCTION_INFO(C_SignInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
CK_OBJECT_HANDLE hKey /* handle of signature key */
);
Conclusions
The rapidly spreading use of computers and computer networks and the many advantages of open global network interconnections also have created increasing needs of improved information security. Software solutions and tools are irreplaceable cornerstones in network security. As can be seen from this chapter, network security software is today a large and complex topic area in a rapidly expanding state. Network security software skills are a necessity, not only for IT and security specialists, but for every computer and computer network user. All this has profound implications on IT education, but also on all education in which use of computers and computer networks is inevitable.
The highest level of IT education, the university and polytechnic level, education for network security software skills should include:
-
installation, configuration, and test use of all categories of available network security software solutions and products,
-
source code inspection exercises of open source network security software solutions, and
-
programming exercises and projects with TLS/SSL application development environments, cryptographic toolkits like RSAEuro, IPSec applications, SSH applications, PKI applications, and smartcard applications.
More emphasis should be put on network security software development skills in present upper level network security education, especially in postgraduate educational programs focusing on information security. Also, student participation in related research should be supported.
#endif
|
Figure 14: PKCS #11 function declaration in include file pkcs11f.h published by RSA Laboratories
Education of IT professionals in Arcada Polytechnic includes an undergraduate course on Computer and Network Security and specialization courses on IPSec Applications and TLS/SSL Programming. Arcada Polytechnic has, in cooperation with the LM Ericsson IPSec Competence Center, implemented a multimedia IPSec tutorial, in which the characteristics of IPSec and especially IKE are illustrated with audio-supported text presentations, pictures and animations.
No comments:
Post a Comment