
Network security fundamentals and best practices

Last reviewed: January 15, 2011

Network Security: Past, Present and Future

The work of Curtin (2007) states that a network is defined as "any set of interlinking lines resembling a net, a network of roads -- an interconnected system, a network of alliances." Quite simply, a computer network is a system of computers that are interconnected. Seven layers of communication, and the interfaces among them, are identified by the International Standards Organization (ISO) Open Systems Interconnect (OSI) Reference Model. Each layer is stated to be dependent on the services that the layer above it provides, including the physical network hardware.

Technology: Description and Area of Research

The most popular networks used over the past twenty-five years, both private and public, include the following network services: (1) UUCP -- Unix-to-Unix CoPy: This was developed originally for connecting Unix hosts together; however, since that time UUCP is reported to have "been ported to many different architectures, including PCs, Macs, Amigas, Apple IIs, VMS hosts, everything else you can name, and even some things you can't. Additionally, a number of systems have been developed around the same principles as UUCP." (Curtin, 1997) (2) Batch-Oriented Processing: UUCP and similar systems are batch-oriented systems; everything they have to do is added to a queue, and then at some specified time everything in the queue is processed. (Curtin, 1997) (3) Implementation Environment -- UUCP networks were most commonly built for use with dial-up or modem connections. However, UUCP can be used over any type of connection between two computers, including an Internet connection. The construction of a UUCP network is simply a matter of "configuring two hosts to recognize each other, and know how to get in touch with each other. Adding on to the network is simple; if hosts called A and B have a UUCP network between them, and C would like to join the network, then it must be configured to talk to A and/or B. Naturally, anything that C talks to must be made aware of C's existence before any connections will work. Now, to connect D to the network, a connection must be established with at least one of the hosts on the network…" (Curtin, 1997)

There are security tradeoffs with any networking application, and this is true of the UUCP network as well. UUCP is limited in its applications, which makes it harder to break the security of these networks, and since it has been in use for quite a while, most of its weak points have been identified and corrected. UUCP networks work through a system-wide UUCP user account and password; therefore any system connected over a UUCP connection that then connects to another is required to know the password for the uucp or nuucp account. More recently an additional layer of authentication has been added, requiring that the hosts have the same sequence number, which is stated to be "incremented each time a connection is made." (Curtin, 1997)

Another type of network is the Internet, stated to be the largest of all networks in the world. An Internet connection is actually a connection first to a network, which is in turn connected to the 'Internet backbone', described as a network of "extremely fast (and incredibly overloaded!) Network components." (Curtin, 1997) The Internet uses a language known as TCP/IP, or 'Transport Control Protocol/Internet Protocol'. Any type of machine that can speak TCP/IP can interact on the Internet. One of the primary features of TCP/IP is non-technological: the protocol is what is known as an open protocol, and therefore anyone who wishes to implement it is free to do so. The Internet Engineering Task Force is a group in which engineers and scientists worldwide participate in designing the protocols that run the Internet. IP, the Internet Protocol, is a 'network layer' protocol which enables hosts to communicate with one another. IP is stated to have two features which are very important and which make it a strong protocol with plenty of flexibility.

There are reported to be several potential attacks against IP, which effectively "exploit the fact that IP does not perform a robust mechanism for authentication which proves that a packet arrives from its identified point of departure." What this really means is that a higher layer of the ISO/OSI Reference Model must provide host authentication, and those requiring strong host authentication do so at the application layer. One type of attack is known as "IP Spoofing", in which one host claims to have another host's IP address. "IP Session Hijacking" is described as an attack of relative sophistication (Curtin, 1997) and in fact is "very dangerous…because now there are toolkits available in the underground community that allow otherwise unskilled bad-guy-wannabes to perpetrate this attack." (Curtin, 1997)

'TCP', or 'Transport Layer Protocol', must be seated atop a network layer protocol and was designed to be seated atop IP. 'UDP', or 'User Datagram Protocol', is a simple transport-layer protocol which does not have the same features as TCP and is not considered reliable; it is ill-suited for some applications but more applicable than TCP in others.

The types and sources of threats that network security applications deal with are various and include the 'Denial-of-Service' threat, which is reported to be "…probably the nastiest, and most difficult to address." (Curtin, 1997) These attacks are reported to be easy to launch and difficult to track. In addition, refusing the attacking requests proves difficult without also refusing legitimate service requests. This type of attack is what is known as a DoS attack, which is quite simply the sending of more requests than the machine has the capacity to handle; since underground toolkits are available, the individual perpetrating the attack simply has to purchase a running program and instruct it which host to send the requests to. These were common attacks in the late 1990s.

Defenses against these types of attacks include: (1) not running your visible-to-the-world servers at a level too close to capacity; (2) using packet filtering to prevent obviously forged packets from entering your network address space, where obviously forged packets include those that claim to come from your own hosts, from addresses reserved for private networks as defined in RFC 1918, and from the loopback network (127.0.0.0); and (3) keeping up-to-date on security-related patches for your hosts' operating systems. (Curtin, 1997)

A second type of DoS attack is 'unauthorized access', which includes several different types of attacks. These attacks are stated to target a machine's resources that should be off limits to the attacker. Other types of attacks include 'confidentiality breaches' and 'destructive behavior' attacks, which result in the destruction of data. To adequately address security, Curtin (1997) states, "all possible avenues of entry must be identified and evaluated. The security of that entry point must be consistent with your stated policy on acceptable risk levels." Curtin reports that there are necessary steps to take in case an attack is successfully executed, and these are the following: (1) have backups; (2) do not store data where it does not need to be; (3) avoid systems with single points of failure; (4) stay current with relevant operating system patches; (5) watch for relevant security advisories; and (6) have a staff member who is familiar with security practices. (Curtin, 1997)

There are three types of firewalls: (1) application gateways; (2) packet filtering; and (3) hybrid systems. (Curtin, 1997) Application gateways are also known as proxy gateways. This type of software is stated to run "at the Application Layer of the ISO/OSI Reference Model," and clients behind the firewall are required to be "prioritized", in other words to know how to make use of the proxy and be configured to use it, if they are to use Internet services. These are stated traditionally to be the most secure of all firewalls, since nothing passes by default, but they require the programs to be written and turned on before they begin passing traffic. Packet filtering is another firewall technique, in which routers have ACLs, or 'Access Control Lists', turned on; by default a router passes all the traffic it is sent, without any type of restriction. The hybrid system was created in an attempt to combine the security of application layer gateways with the flexibility and speed of packet filtering. Some systems use both principles: some require that new connections be authenticated and approved at the application layer, while others combine packet filtering with application layer proxies. Benefits include protection for machines that provide services to the Internet and the security of an application layer gateway for the internal network.
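The packet-filtering defense described above, dropping inbound packets whose source claims to be one of your own hosts, an RFC 1918 private address, or the loopback network, can be written as a small ingress check. This is an added example, not code from the essay or from Curtin; the organization's own address space (203.0.113.0/24) and the sample packets are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed: the organization's own public address space (constructed placeholder).
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Ranges that should never be the source of a packet arriving from the Internet:
# RFC 1918 private space and the loopback network (the list given by Curtin, 1997).
BOGON_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def forged_reason(src: str) -> Optional[str]:
    """Return why an inbound packet with source `src` is obviously forged, or None."""
    addr = ipaddress.ip_address(src)
    for net in OWN_NETWORKS:
        if addr in net:
            return "claims to come from our own address space"
    for net in BOGON_NETWORKS:
        if addr in net:
            return f"source in reserved/unroutable range {net}"
    return None


def filter_ingress(packets: Iterable[Dict]) -> Tuple[List[Dict], List[Tuple[Dict, str]]]:
    """Split packets into (accepted, dropped-with-reason) as an ingress ACL would."""
    accepted: List[Dict] = []
    dropped: List[Tuple[Dict, str]] = []
    for pkt in packets:
        reason = forged_reason(pkt["src"])
        if reason:
            dropped.append((pkt, reason))
        else:
            accepted.append(pkt)
    return accepted, dropped


# Constructed sample packets (not real traffic) seen on the Internet-facing interface.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80},
    {"src": "203.0.113.5", "dst": "203.0.113.10", "dport": 80},   # spoofs our own host
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 53},      # RFC 1918 source
    {"src": "127.0.0.1", "dst": "203.0.113.10", "dport": 22},     # loopback source
    {"src": "192.0.2.44", "dst": "203.0.113.10", "dport": 443},
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    for pkt, why in bad:
        print(f"DROP {pkt['src']} -> {pkt['dst']}:{pkt['dport']}  ({why})")
    print(f"accepted {len(ok)} of {len(SAMPLE_PACKETS)} packets")
```

The check only covers the three source classes the essay names; a production filter would also enforce the mirror rule on egress (nothing leaves with a source outside your own space).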

According to the work of Graff (2002) entitled "The Future of Internet Security", the following practices are among the mix used by today's sites as protective measures: (1) detection and correction of software bugs and vulnerabilities; (2) installation of software upgrades and patches; (3) configuration and change control; (4) assessing for file contamination and Trojans; (5) conducting penetration tests and security audits; (6) honey pots and other measures of pest control; and (7) general administrative policies and procedures, such as account handling and authorization policies. (Graff, 2002)

The specific elements of internet security include: (1) authorization; (2) access control; (3) minimum useful access; (4) compartmentalization; and (5) invisibility and obfuscation. (Graff, 2002) Elements of network security include: (1) architectural network security; (2) technological network security; (3) procedural network security; (4) psychosociological network security; and (5) existential element network security against attacks and attackers. (Graff, 2002)

Future Trends in Network Security

The work of Bouchard (2009) entitled "Wanted: The Future of Network Security for Service Providers -- Now!" reports that today's network security solution must address essential criteria, including security in terms of meeting the need "for greater stopping power", which requires that the solution "incorporate multiple countermeasures" combining negative and positive model techniques to provide protection at the network layer, at the application layer, and for individual elements of data. (Paraphrased) Scalability must also be considered, in terms of the capacity of the system to scale easily from "relatively modest traffic rates of a few Gbps to an aggregate throughput of greater than 100 Gbps. This is not enough however. Session handling capabilities must also scale to match these throughput levels. For NGN applications, this translates to being able to support several million simultaneous sessions." (Bouchard, 2009) Also considered in network security applications is 'latency'; it is stated that, considering the performance characteristics of the applications in use as well as the "…far-flung nature of their users (due to overlapping globalization and mobility trends), this criterion can no longer afford to be treated as secondary to having generous amounts of throughput. The two are definitely inter-twined, but latency should also be considered in its own right. Solutions must be architected to minimize the amount they introduce and should also incorporate capabilities to prioritize the processing of designated, time-sensitive traffic streams." (Bouchard, 2009) Unified management must also be considered, as well as reliability, adaptability, networking compatibility, and cost effectiveness. (Bouchard, 2009)

It is reported by Bouchard that conventional approaches currently in use "come up short" due to significant limitations. Bouchard describes a "next-generation architecture that delivers" and states that today's service providers need "another alternative: a network security solution that is designed to maximize attainment of the previously identified requirements and that is capable, therefore, of fully enabling the various initiatives service providers must pursue to remain competitive." (2009) Bouchard states that, based on the strengths and weaknesses of existing security solutions, the optimal design would be a combination of "…the traditional chassis and multi-service gateway approaches," which "would certainly be a logical foundation from which to build." (2009) Specifically, it is stated that a good design would be "…a chassis-based design" with the following features: (1) interface flexibility, ideally in the form of modular cards or blades; (2) dedicated, distributed hardware- and software-based intelligence for ingress processing, internal distribution and balancing of session traffic, and egress processing; (3) a high-speed, non-blocking switching fabric that provides any-to-any connectivity between all slots or blades; (4) scalable processing capacity, ideally in the form of blades that are dynamically programmable and that automatically inherit the configuration of all other processing cards (thereby avoiding the management overhead and inevitable utilization inefficiencies associated with having each blade configured to perform a specific subset of tasks); (5) a dedicated control plane to enable full-time accessibility to management functions; (6) redundant hardware components and support for high availability configurations; (7) a modular operating system capable of being incrementally upgraded (for adaptability purposes) and serving as the "central store" for a robust set of security services that are tightly integrated (to avoid redundant packet processing); (8) fully unified policy and configuration management; and (9) a robust networking feature set, including routing, switching, and virtualization capabilities. (Bouchard, 2009)

Figure 1: Comparison of various network security product architectures (table not reproduced here). Source: Bouchard (2009)

Bouchard states that future network security includes "substantially greater scalability and security coverage with considerably less latency and infrastructure complexity." (2009) The next-generation network security solution for providers is stated by Bouchard to be one that enhances competitiveness, improves responsiveness, reduces total cost of ownership, and facilitates future growth. (2009) Specifically, Bouchard states: "The bottom line is that a next-generation network security solution enables service providers to accelerate the transformation, innovation, and differentiation required to drive continued growth while still containing costs. Service offerings and the infrastructure that supports them can easily be scaled without the usual delays and capital expenditures required for new hardware installation." (2009)

Example companies involved in the area

One of the primary companies involved in the design, development, and provision of network security solutions is Cisco. Cisco Borderless Networks are stated to bring "routing, security, and wireless technologies together to enable employees, customers, and partners to securely access mission-critical services and applications and take advantage of new business models. Supporting new business models that foster broader collaboration and greater productivity, requires an organization to balance business transformation with the protection of network access and assets, while also ensuring availability, and supporting regulatory compliance." (Cisco Services, 2010) It is reported that the Cisco Security Planning and Design Service assists in the implementation of "an effective yet flexible solution through four capabilities that Cisco security experts have identified as essential for successful security deployments." (Cisco Services, 2010) Those four capabilities are stated to be: (1) a security technology readiness assessment, which involves reviewing security policies, assessing the network, and identifying business requirements, all geared toward alignment with the company's business objectives; (2) security design development, involving the design of the security architecture and its documentation, with detailed designs and a test plan for the system; (3) security implementation engineering, focused on the needs of a successful deployment; and (4) security knowledge transfer, which provides staff with the knowledge and skills needed to operate, maintain, and manage the security solution and support new business models. (Cisco Services, 2010)

PaperDue. (2011). Network security fundamentals and best practices. PaperDue. https://www.paperdue.com/essay/network-security-121776