Security Issues in High-Assurance Environments

SECURITY ISSUES
in High-Assurance Environments
by Colin Robbins, NEXOR
(Originally published in Messaging Magazine, September/October 1999)

Computer security is an increasing problem for today’s businesses. Although it can be difficult to measure the intangible damage caused by an unknown intruder falsifying a company’s e-mail, for example, such security breaches can have disastrous financial, strategic, and operational consequences. The key, then, is to define an organization’s security requirements based on an analysis of the assets to be protected and the consequences that would result if a security breach compromised those assets.

Implementing effective computer security measures can be likened to securing an office building. Windows are a security risk, but also a desirable feature in an office building. Businesses can take precautions to secure the windows, but the level of security used should be proportionate to the damage that the business would sustain as a result of a break-in.

In the past, organizations could achieve adequate computer security by advising users not to write down their passwords and put them in their desks, for fear that someone will find them and use them to access the system without proper authorization. Today, organizations must extend computer security well beyond this.

With worldwide Internet connections, a person can scan for vulnerabilities in hundreds of machines in a few hours. As a result, an organization can carefully secure its building, but an unauthorized user could still break into the organization’s systems from the other side of the world and steal one or more passwords. Viruses and worms can be passed from machine to machine, as the electronic equivalent of the thief who looks for open windows and doors.

Given the increasing magnitude of the problem, system administrators and decision-makers must understand the security threats that exist, the potential consequences and costs of a security breach, and the actions they need to take (if any) to prevent and respond to security threats. This article outlines a number of security threats to mission-critical systems, and examines a variety of possible solutions.

Methodology
Setting security policies and procedures means developing a methodology for analyzing computer security requirements, and implementing effective, measured solutions. The solutions identified in this article are based on the methodology outlined in RFC 2196, the Internet standards document known as the "Site Security Handbook." Specifically, that methodology includes the following iterative steps:

Look at the assets you are trying to protect.
Look at the risks and vulnerabilities you need to protect the assets from.
Determine how likely the threats are.
Implement measures that will cost-effectively protect your assets.
Continuously review the process, and improve the existing security policies and procedures every time you find a weakness.

In discussing today’s computer security solutions, the conversation often turns to Public Key Infrastructures (PKIs). This article also touches on the role of PKIs, but recognizes that cryptographic security is only a small part of an overall security system. Consequently, this article looks at security in a broader context.

As is now common practice in the security arena, this article discusses security in the context of two users, Alice and Bob, who legitimately want to communicate, and Eve, the bad character who is trying to infiltrate the system.

General Security Threats
Before looking in detail at specific problems, it is worth reviewing the security threats that apply to messaging and directory systems in general, including:

data interception,
data modification,
denial of service,
viruses, and
junk e-mail (SPAM).

These threats in no way represent an exhaustive list, but are generally believed to be the problems most commonly encountered in today’s business computing arena.

Data Interception
Perhaps the biggest fear about using the Internet is that unauthorized individuals may access confidential data either for their own use or for publication, as shown in Figure 1.

In high-assurance messaging environments, this can occur in several ways, including:

interception of e-mail in transit,
unauthorized access to a message store,
unauthorized access to a directory,
accidental or malicious passage of confidential information to a third-party by a trusted individual.

Data Modification
In a paper-based world, modification of published or stored information is generally detectable, unless a highly sophisticated approach has been used to produce a forgery. In a computer-based world, such modifications are much more difficult to trace. The risks are also higher, since electronic data is often used in related documents or databases by dynamic linking or cut-and-paste functions. Thus, the effects of any false modification can spread very quickly.

Within high-assurance messaging environments, there are three primary areas where data modification is an issue:

data stored in a directory,
e-mail in transit, and
e-mail stored in a message store.

Denial of Service
When an organization becomes reliant upon an e-mail service for business communications, there is always the risk that the technology will fail or be maliciously cut off. Thus, organizations must assess the cost of downtime for a mission-critical system. In other words, would the business fail to function correctly or efficiently if access to the network is lost for an extended period? If so, the organization may need to implement protection against attacks that prevent service. This is a real security challenge, but steps can be taken to reduce the level of risk.

Viruses
Viruses are perhaps the most familiar form of security attack, and can be the cause of any of the security failures discussed above. One of the most well-known attacks was the recent Melissa virus that propagated itself via e-mail. Several existing software products offer effective protection against network virus attacks. Installation of these products on all hosts connected to the Internet is vital.

Junk E-Mail (SPAM)
Virtually every e-mail user can relate a story about receiving unsolicited e-mail messages, or SPAM. Some are innocent, offering a new product or service, while others are potentially very offensive. On an individual basis, the level of junk e-mail is relatively low, perhaps 1 in 50 messages, but when this is applied to an organization handling 100,000 e-mail messages a week, it represents 2,000 unwanted messages each week. If these can be effectively eliminated, such organizations will realize significant cost savings and increased productivity.

Junk e-mail attacks can also be used as part of a "denial of service" attack to flood an organization with e-mail at a susceptible time, hereby tying up business resources. Therefore, effective control against junk e-mail is required as part of a solution to protect the organization against denial of service attacks.

Finally, while junk e-mail is generally thought of as unwanted e-mail coming into an organization, many companies have begun to worry about the reverse. For example, how can an organization prevent unauthorized e-mail from leaving an organization, as in the accidental or malicious e-mailing of a secret internal document to an external recipient? Interestingly, components of many junk e-mail solutions can also provide some protection for outgoing e-mail transmission.

Technology Review
Having reviewed the general security issues, it is important to consider the technologies that are available to facilitate secure solutions. For ease of discussion, this article groups the available technologies by whether they operate at the network layer, or as part of the operating system (OS) connected to the network, or the applications running on the operating system.

Network Layer Security
While it is possible—and often very cost-effective—to build security into the network layer, security at this level is typically broad brush, offering all-or-nothing scenarios. With today’s technology, organizations have two primary security solutions for the network layer:

First, the network can be physically isolated by ensuring that the network cables are not connected to a hostile network. This basic approach prevents online hacking attempts from the hostile network; however, it also severely restricts the users’ capabilities. Nonetheless, there are undoubtedly environments where this level of protection is advisable, such as networks carrying top secret military information.
Second, a virtual private network (VPN) can be created. This solution allows access to a public (and potentially hostile) network, but uses network layer encryption technologies to prevent unauthorized access. An example of this solution is the "Ptarmigan" encryption system used within the Ministry of Defense (MoD) in the United Kingdom.

OS Level Security
In general, operating systems only provide a minimal level of security. It is usually the responsibility of the applications or the network itself to provide the requisite level of security. This is acceptable in the majority of environments, although many high-assurance systems require a greater level of security at the OS level.

In particular, the operating system needs to be able to protect elements of the computer systems against infection from other elements (isolating elements of the computer file store from the network, for example). This level of security prevents network attacks from modifying critical elements of the operating system itself, or the configuration of a specific application.

The operating system is also responsible for ensuring that applications present the correct information to the users. Some security attacks have been known to attack the computer fonts, thereby subtly altering the meaning of the document (for example, by substituting a dollar ($) sign for a pound (Ł) sign in the graphical and printed representation of a contractual document).

Unless the operating system provides a secure environment, it is not possible to be certain that an application is behaving correctly. To quote a paper from the U.S. National Security Agency (NSA)¹, "Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems. In reality the need for secure operating systems is growing."

Generic Application Level Security
At the application level, security must be applied between each of the components of the system, for both server-to-server communications and client-to-server communications (for example, directory server-to-directory server; mail user agents-to-message store; message store-to-mail transfer agent). There are typically four mechanisms available at this level:

Secure Socket Layer (SSL) or its more recent derivative, Transport Layer Security (TLS),
X.509 two-way authentication,
Simple Authentication Security Layer (SASL), and
application firewalls.

SSL and TLS are TCP/IP-level services. Using these services, there is an exchange of digital signatures before a TCP/IP connection is made between two applications, so that each application can authenticate the other. This authentication is based upon the TCP/IP network address of the applications, and can be used across all TCP/IP applications (e.g., X.400 and SMTP). TLS also has the advantage that a full-fledged PKI is not required. This provides integrity and (optional) confidentiality by ensuring that an application is talking to the remote computer application it expected to contact.

X.509 has two principle functions. It describes a generic public key model, as used by many systems, and it defines a specific two-way authentication mechanism. This two-way mechanism provides a full security service, at the application layer of the communication stack, rather than the transport layer, as in TLS and SASL. This has the added advantage that you know exactly which application you are talking to, not only which computer. The disadvantage is that it only works with Open Systems Interconnect (OSI) applications (such as X.400, but not SMTP; or DAP, but not LDAP).

SASL is an Internet equivalent of X.509 used to provide two-way authentication of a client-server application. SASL can also be used with TLS to add integrity and confidentiality services. In effect, it is a simplified X.509 model.

Application firewalls are an alternative and complementary approach to using cryptographic techniques. With application firewalls, all accesses to a specific application are controlled and managed by a third party process known as a proxy. These proxies are controlled by a network firewall, which only accepts connections from authorized hosts. Typically, these proxies understand and control the protocol they are managing (for example, allowing data passage, but blocking data modification attempts).

User Level Secure E-Mail
One of the most popular services offered by an Internet connection is the ability to use e-mail. Typically, e-mail does not have the same number of safeguards offered by land-based physical mail. For example, a recipient can generally detect if a physical letter has been opened. If a letter contains confidential material, more secure registered delivery services can be used. Similar mechanisms are required with e-mail.

The following first-level security functions are required in an electronic messaging system, and can be based upon digital signature technology:

sign message attachments (whether encrypted or not),
verify who is the sender of a message and when the message was sent, and
verify that the message and any attachments have not been modified.

In addition to the digital signature, organizations can use encryption to enable users to:

encrypt a message attachment and send it to any other user, and
decrypt attachments that have been received from any other user.

A final requirement is the ability to prove or disprove that messages have been sent, delivered, and received. This specific issue is more difficult to address and requires a legal trusted third-party framework.

The major commercial standard implementing these security controls is the Internet Secure MIME (S/MIME) standard e-mail format. Within the military world, similar functionality is provided by the X.400 security services or by the Message Security Policy (MSP), which is built upon the X.400 messaging standard.

In its simplest form, the S/MIME standard takes a cryptographically secure message, and adds a MIME wrapper to enable the message to be carried and identified by e-mail systems. The embedded secure message is formatted using the Internet Cryptographic Message Syntax (CMS) standard, derived from PKCS#7.

The security concepts within S/MIME version 3 and MSP are starting to merge, and recent discussions in military environments have begun to focus on a new standard known as Protected Content Type (PCT). This new standard is essentially a profile of S/MIME that uses the CMS syntax to carry and identify military messages.

Specific Security Problems
The final section of this paper reviews some specific security problems that arise as side effects of not having a universally agreed upon security system.

Too Many Computers
Many organizations in high-assurance environments have access to two or more different e-mail systems. Typically, these systems reside on networks at different security classifications, and the networks are often physically separated by an "air gap." As a result, the operators typically have two or more computer systems on their desks, as shown in Figure 2. This is both costly and confusing for the operators. The requirement is to have one computer capable of supplying access to all e-mail systems used throughout the organization.

Isolated Security Environments
One of the major issues organizations face in implementing computer security is that different products have implemented different technologies. These technologies need to interconnect to facilitate electronic business. In the UK, recent initiatives have coined the phrase "joined up government," promoting the need for different government and military networks and applications, at different security levels to be interconnected, as shown in Figure 3.

To achieve joined up government, total replacement of all existing systems is not an option. The costs and logistics of such a replacement are simply prohibitive. Instead, the problem must be resolved at the boundary between the existing systems. Firewall technology is one part of the solution, but it cannot be the entire answer. If application level security, such as S/MIME, is being used, the existing solution will need to be represented in a way that can be understood by the legacy applications. To represent the data in a legacy format requires altering the message, but this will trigger the security alert mechanisms designed to detect modifications. Consequently, the solutions are not simple.

One solution, known as "domain-based security," uses system-to-system security instead of providing user-to-user security. With this solution, the user sends a message to the domain boundary using the legacy technology. The domain boundary system then verifies the legacy security, and applies the appropriate security for the target end system. In principle, this sounds simple, but the pragmatic application relies on very careful management of the security systems, tokens, and keys. Although this is complex, the solution can be more cost-effective than wide-scale re-deployment. MM

Foot note:

1. "The Inevitability of Failure: The Flawed Assumptions of Security in Modern Computing Environments." Losocco, Smalley, Muckelbauer, Taylor, Turner, and Farrell, NSA.

For information on article reprints, contact Jay Devine, Communications Manager at jay.devine@ema.org.

Back to Table of Contents