Gemeinsame Systemgruppe IfI/b-it

Translations of this page:

You are here: aktuelles » en » networksecurity

En:networksecurity

This is an old revision of the document!


FIXME This page is not fully translated, yet. Please help completing the translation.
(remove this paragraph once the translation is finished)

Please note, this translation is for your convenience only.

Network security

Decided by the institute of computer science's directorate on January the 3th 2001

Overview

Levels of detail

The institute of computer science's security concept is defined on three layers of abstraction:

  1. security policy
  2. security program
  3. specific implementation of the program

The top layer of the security policy defines basic goals, responsibilities and frame conditions in which the policies are realized. This encompasses basic principles, like meeting privacy protection regulations and, explicitly, which resources are to be used to enforce the security policies.

The security program implements the security policy’s generic requirements as concrete regulations. For example, services which have to be adjusted in compliance with the security concept are specified here. The general outline of the technical implementation of these regulations is defined, and finally, the organizational measures connected to them are specified.

The programs specific implementation is done by the appropriate support-groups. When defining the security program, technical and staff-related conditions related to the specific conditions of the institute's IT-infrastructure are to be taken into account.

Security concept at an University

Academia's scope of work requires a security concept that is harder to implement than in the private sector. Additionally, the institute's financial circumstances all but forbid the use of commercial tools, thus mostly home-made tools will be useable. Finally, since the institute's network is part of the university network, further limitations arise, as control over the internet access is beyond the institute's competency.
Some of those aspects will be highlighted further on.

Why is security necessary?

Traditionally, academic networks are open. This is partly due to historic reasons, since the networks were designed for research and thus had a more or less closed community. Every computer inside the academic network has direct access to the internet via its official IP address.

While this opens up all the possibilities of internet usage to the user, it also makes him vulnerable to a plethora of possible attacks. Furthermore, the computers are often used as development platforms, users often have administrative rights and the requirements for using the net are highly individual. This creates a very heterogeneous computer-scape, which prevents a uniform, per-computer based security system. Individual computers become susceptible to systematic attacks. Examples of the resulting cases of misuse include:

a) Using the computer as a basis to attack third parties So called Distributed-Denial-of-Service (DDoS) attacks, in which a target computer, often times an exposed commercial server, is flooded with so many packages from multiple computers that it can no longer provide services. The attacker will attempt to control as many computers as possible in preparation for an attack like this. Dangers to the institute include claims for compensation as well as a public loss of reputation, possibly resulting in further negative consequences when working with third parties.

Another common attack method is the use of IRC robots which attempt to block IRC Servers. Unlike DDoS attacks, such attacks have been initiated by users inside the university's network.

b) The computer itself being the target of an attack

This includes attacks that aim to cause as much damage as possible to a computer, for example by deleting all user data. Oftentimes, users have local files which are not backed up on their computers, in such a case the loss can hit the person concerned very harshly.

Instead of destroying data, the goal could also be to store data that is illegal to possess or to spread on a computer. The attacker then uses the computer to store such material in a manner that is safe for him. It can be very difficult for the person concerned to prove that they are not responsible for those files being on their computer.

Besides those risks, there is another problem applicable in all cases:

Detecting an attack and reversing the damage results in considerate additional work for the system groups, which in turn interferes with the regular operating schedule.

Technical, financial and staff boundaries

Commercial solutions for secure networks are very expensive, for example firewalls and tools to detect anomalies in network usage, so called Intrusion-Detection-Systems. In addition to high acquisition costs there is the staff requirement for the oftentimes complex systems. This is not possible with the funds available to us. The technical solutions have to be realizable with the existing funds. The institute's network core consists of Cisco switches. Some of these devices have basic functions integrated with which to define network address access lists. Additionally, virtual subnets (VLANs) can be created, to logically isolate networks from one another. Membership in a VLAN is defined via the switch's ports. Ideally, every socket in the institute rooms should belong to exactly one VLAN. Despite this not being the case yet, it is still possible to separate the work groups into VLANs to define different security zones.

The network's size requires automated supervision. Due to monetary reasons, this goal will not be fully realizable. The second part of this concept, detailing the security program, will explain, in detail, the possible options and the resulting consequences.

Even with further automated network supervision, a lot of experience is required in order to detect and assess possible anomalies. With the current staff, the support groups cannot sufficiently perform this duty.

Cost/Value estimate

Complete network security is not possible. However, the difficulty for an attack could be raised so high, that most of the attacks that succeeded in the past would have been prevented. This is especially true for systematic attacks on multiple computers to find possible vulnerabilities. Likewise, it is possible to prevent the theft of passwords with simple measures. The suggested measures are designed in such a way that they can be realized with minimal additional financial and staff resources.

I. Security policy

Strategic goals

The security policy defines the basic security architecture as well as the goals which shall be accomplished by the security program. The scope is the entire institute's network. All of the following security measures apply exclusively to the network protocol layer.

The network traffic's content is neither checked nor analyzed.

Layered security concept with diverse security zones

To serve the various needs of different users, we define separate security zones with different rules in regard to enforced security restrictions.

1) Global
Minimal security requirements, which have to be obeyed by further zones.

2) Experimental areas
Experimental areas are characterized by users requiring immediate access to network resources and are therefore able to listen in on network traffic or undermine security regulations. This areas have to be completely secluded from the rest of the network.

3) Public zone
The public zone contains computers with immediate access to the internet, which therefore may be immediate subject to attacks. This category especially includes login- web- and mail-servers. Since these computers are highly endangered, this zone is to be monitored extensively. Furthermore, these computers have to be maintained especially well.

4) Differentiated area
This area contains computers that have their network access secured via access-lists. Access to the network is only permitted after an explicit permission via an ACL.

5) Core
The core area includes only the computers of staff and student as well as central servers. There is usually no immediate access to the internet from this area.

6) Closed areas
Work groups with additional security requirements will have additional security zones separated from the core network established. Access to this areas will be protected via firewall.

Protection from internal and external attacks

The security program is required to prevent both attacks from the outside as well as attacks originating from inside the institute's network.

The basic principle is to only allow usage which is explicitly intended by the security program, though the usage is to be defined in technical respect only. Other uses are invalid and are to be prevented via technical and organizational means. The security program is to be adapted when new developments make this necessary.

Protection against misuse

It is to be ensured that third parties cannot abuse user accounts on institute computers. As a minimum requirement, the unencrypted transfer of passwords is forbidden globally. Passwords are to be constructed in a way so they cannot be guessed or decrypted with common methods.

Connecting experimental sub-networks to the global network is to be fashioned in a way that prevents computers inside the experimental area from accessing personal data outside this area. Computers used in the public zone only receive access to user data as required, for example, the mail-server requires access to the user's mail directories.

Enforcing the security policies

Obeying the security regulations is paramount, even if doing so is inconvenient or prevents the user from doing things they were previously allowed to do. Situating a computer in the public zone is only allowed under specific, justified circumstances.

In general, only preemptively registered computers are to be used inside the network. If unknown computers are detected and there are anomalies in the network traffic which could lead to a disruption of operations or which may be indication for an attack, these computers are to be removed from the network immediately.

To prevent misuse and attacks, the protection of network infrastructure is a necessary requirement for secure operation. This applies to the entire network. Since access to network resources is usually required in experimental zones, policies to effectively separate the experimental areas from the rest of the network are to be implemented.

Data protection

Besides compliance with security measures, compliance with data protection via technical and organizational means is to be secured. Data gathered from network traffic surveillance may not be used to analyze personal network usage. However, this doesn't mean that statistical anomalies which imply misuse will not be investigated. Access to this data is to be limited to the proper staff.

Responsibilities

The head of the institute is responsible for the operation of the IT, including the institute's network. The implementation of the security concepts, in administrative, organizational and technical ways is done by permanent employees of the institute, especially:

1) Administrative coordinators
Administrative coordinators are responsible for regulating measures required to enforce and implement the security program. Due to the network topology, a distinction is made between the sub-networks of the Altbau and the Neubau buildings. The coordinator responsible will make use of the proper support groups and department staff.

The coordinators decide among themselves how to access shared resources and how to ensure trusted import and export of data between various zones. If required, the head of the IT commission will be called in.

2) Technical contact
The rules defined by the security program are implemented by the proper support groups, which also enforce compliance with said rules. Each department names a technical contact, together with the aforementioned administrative coordinators they coordinate specific security measures. The technical contact is responsible for the implementation of these measures in his department.

II. Security program

The security program defines in detail, which organizational and technical measures should be taken, to accomplish the goals defined by the institute's security policies. Technical details will be compiled by the aforementioned administrative coordinators and technical contacts, and will be constantly updated in accordance with new technical developments.

Firstly, the scopes of duty to be addressed by the security program will be identified. The definition of services provided in the network, which may vary depending on the security zone, marks the beginning. Regulations for detecting and dealing with prohibited network access are tightly interwoven with this. Detecting such accesses requires constant monitoring of network activity. Proper mechanisms are to be defined here. Furthermore, compliance with data privacy and effectiveness of the measures have to be ensured. Defining priorities for implementation, estimation of financial and staff requirements as well as planing for the event of damage concludes this part.

Services

All services used inside the network, with the exception of experimental areas, are to be registered preemptively. Following are the definitions, which services are provided in each of the six security areas and which communication interfaces to other areas exist. General rule is, that no direct access from lower security zones to data in higher security zones is possible. Other than that, exporting data from servers in secure zones is permitted, as long as the data in question is suitable for the lower security standards.

Closed Security Zones
Core area

In the core area, only services that are necessary for the operation of the computers in this area are permitted. The detailed definition is worked out by the administrative network coordinator in coordination with the local technical contacts. There is no immediate access to the internet. Exporting data out of this area is only permitted, if the data is suitable for the lower security standards of the area it is imported into. For user folders this means, that data that is to be distinguished between data that is publicly available and those that is only available in the core area. Both user directories are available in the core area then, but only a subset will be available in the public area.

Public security area

Here are all computers which require immediate access to the internet. This includes the following services:

a) Mail Server using SMTP protocol as well as encrypted POP3 and IMAP4 protocol to the inside and outside. The mail-server exports no data. Thus, mail can be read from the experimental zones as well. User's mail folders are only stored locally.

b) Web- and proxy-server using HTTP protocol to the inside and outside. Web-server only export data to the core area.

c) FTP-server using FTP protocol. The server offers anonymous access only, or access via specific, local user accounts. CS accounts can not be used for FTP access.

d) Login-server offer users with cs accounts to use telnet and FTP services with encrypted password transmission. The login-server offers a special home folder, which allows transfer of data to the core area (see above).

e) Special systems for specific tasks. This includes for example database systems which access network resources.

Differentiated area

In this area, only services registered with the proper coordinators are permitted. The is no unlimited access to the network. Computers with special tasks are discerned from regular work computers via extended ACL vectors. Mirroring of userdata inside this area is not intended. The level of security in this area is defined via ACL entries and the indirect access to the internet. Differentiating the unique ACL entries is done via subnets, VLAN or on a per computer basis. Data imports exports in other areas are to be done after consultation with the coordinators.

Experimental zone

In the experimental zones, users have immediate access to network resources. Every computer, whose privileged accounts are to be used by persons not employed by the institute are to be placed in an experimental zone. Importing data into this zone is only permitted for data which has no special privacy demands. If the experimental work also requires access to active network components, these components are to be separated from the rest of the network either via proper security measures or by physically unplugging them form the rest of the network.

Global

The global area only allows services which transfer user passwords in encrypted form. All computers in the entire institute network are considered belonging to this zone.

Access regulations

To protect the network infrastructure, all parts of the network are to be secured against unauthorized access. Beginning with power outlets, over cables up to the active network components like switches and routers. The interface to the user is the power outlet. Only specified computers are to be connected to a power outlet.

Regulations for network usage and surveillance

This section describes methods and practices by which the network surveillance is conducted. Furthermore, reactions to threats will be explained. There will be no surveillance of content or connection data, with an exception for investigating anomalies, though only if there is reasonable suspicion suggesting an attack or misuse.

Registration

Every system that is to be connected to the institute's network has to be preemptively registered. The following information will be collected on registration:

  • Network addresses on OSI layers 2 and 3
  • DNS information
  • Description of the system, e.g. manufacturer, hardware, operating system
  • Membership in a work group, location, contact person
  • List of ports the system may be used on, alternatively a VLAN
  • Distinct features, e.g. usage of experimental network protocols
Blocking unwanted traffic

Some network components allow to block traffic based on network addresses and protocols via ACLs. When switching from the institute's network to the rest of the university network, especially when accessing the internet, ACLs are used to enforce the access restrictions defined by the security program. Since the ACLs define access rights based on IP addresses, aspects of IP address ranges are to be considered when creating security zones.

This mechanism is also used to control traffic between the VLANs inside the institute's network. Thus, when defining VLANs, restrictions in regards to IP address ranges are to be considered.

All services which are prohibited on a computer are blocked on every computer by blocking the proper level-4 ports.

Monitoring, detection of anomalies

Every port of active network components will be monitored regularly via its management information. These provide information about workload, possible damages as well as connected systems based on network addresses. This data is analysed automatically and is used to detect anomalous traffic. Additionally, RMON-based tools or similar are used to analyse end-to-end traffic data. Furthermore, especially sensitive systems, e.g. servers in the public security area, are monitored with further tools to monitor access to non-permitted ports. In order to detect anomalies it is necessary to preemptively detect uncommon traffic patterns, which may also occur during regular operations, e.g. during backups.

Measures after detecting anomalies

To react quickly to possible attacks and to prevent damages which might be caused by erroneous behaviour of single computers, computers in the core and differentiated security zones exhibiting signs of anomalous traffic get the offending ports blocked automatically. Outside the core network as well as on server-ports, an alarm is sent and the technical staff will decide whether or not to block the port.

Since fluctuations in network traffic also occur during regular operation, automatic detection of anomalies is very error prone. The threshold that needs to be passed before a port is automatically blocked thus has to be set rather high.

Risk management

The above measures reduce risks, but cannot completely eliminate them. Thus it is necessary to take precautions in order to reduce potential damages.

Function control

Defining thresholds for alarms, or rather, defining what is considered to be regular network traffic, is rather difficult in practice. Before such decisions are made, a learning phase is to be had, during which the thresholds are adjusted as to prevent accidental blocking of ports.

Furthermore, the effectiveness of the ACLs have to be tested in practice. Regrettably, there are no tools that to automate this process.

Due to the security program's decentralized implementation proposed here, the communication between the various security officers must be efficient and the areas of responsibilities clear. This is the responsibility of the administrative coordinators.

Creating a plan of action

It is inevitable to create a plan of action on how to react to an attack. Therefor it is necessary to classify potential risks and their results preemptively. Actions to be taken in case of an attack have to be defined. Finally, it has to be agreed on when to inform users about a possible attack.

Data protection

Network surveillance creates a plethora of data, which can not be directly associated with any user, but which may indirectly identify workplaces and therefore potentially employees via network addresses. These information do not basically differ from those that can be gathered and queried via the operating system. Therefore, the same rules defined in the terms of service apply to them.

What data is gathered?

The measures for network surveillance have to be auditioned to check if gathered data is subject to the data protection regulations. Procedures which create a personalized profile of network traffic are especially problematic. These profiles have to be anonymized, so they are cannot be traced to a single workplace.

Who may access this data?

Access to this data is to be granted only in so far as is necessary for operation. The network operation's decentralization is helpful here, as the gathered information encompass a smaller scope. Thus, a rule can be in place to restrict operations staff to traffic data of subnetworks (VLANs) they're immediately responsible for. Only the specifically named network officers are granted access to the data of other parts of the network.