Current Network Security Technology (information science)


Introduction

Network security is defined as "a set of procedures, practices and technologies for protecting network servers, network users and their surrounding organizations" (Oppliger, 2000, Preface). The need for network security is caused by the introduction of distributed systems, networks, and facilities for data communication. Improved network security is required because of the rapid development of communication networks. Network security is achieved by using software- and hardware-based solutions and tools.

Background

This article gives a topical overview of network security technologies, that is, the topics are not covered in detail, and most topics are briefly introduced and left for further study. The main objective is to present "state-of-the-art" network security technologies and to stimulate discussion about related skills and education needed by network users, IT professionals, and network security specialists.

Protection Against Malicious Programs

Malicious software exploits vulnerabilities in computing systems. Malicious program categories are (Bowles & Pelaez, 1992):

• Host Program Needed: Trap door, logic bomb, Trojan horse, and virus.

• Self-Contained Malicious Program: Bacteria and worm.

• Malicious Software Used by an Intruder after Gaining Access to a Computer System: Rootkit.

Threats commonly known as adware and spyware have proliferated over the last few years. Such programs utilize advanced virus technologies for the purpose of gathering marketing information or displaying advertisements in order to generate revenue (Chien, 2005).

Modern malicious programs (including adware and spyware) employ anti-removal and stealth techniques as well as rootkits to hide and to prevent detection. Rootkits conceal running processes, files, or system data. This helps an intruder to maintain system access in a way that can be extremely difficult to detect with known security administration methods and tools. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer (Hoglund & Butler, 2005; Levine, Grizzard, & Owen, 2006).

The ideal protection is prevention, which still must be combined with detection, identification, and removal of such malicious programs for which prevention fails. Protection software is usually called antivirus software, which is characterized by generations (Stephenson, 1993):

• First Generation: Simple scanners searching files for known virus "signatures" and checking executable files for length changes.

• Second Generation: Scanners using heuristic rules and integrity checking to find virus infection.

• Third Generation: Memory resident "activity traps" identifying virus actions like opening executable files in write mode, file system scanning, and so forth.

• Fourth Generation: Software packages using many different antivirus techniques in conjunction.

Anti-adware/spyware modules are usually integrated in these software packages.
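As an added illustration (not from the original article), the following Python script contrasts a first-generation signature scan with a second-generation integrity check over two constructed files in a temporary directory; the signature database, file contents, and appended payloads are made up for the demonstration.

```python
"""Added example: first-generation signature scanning and second-generation
integrity checking, run over constructed sample files."""
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed signature database (made-up byte patterns, not real malware signatures).
SIGNATURES: Dict[str, bytes] = {
    "demo-pattern-A": b"\x90\x90\xeb\xfe",
    "demo-pattern-B": b"DEMO-INFECTOR-MARKER",
}

def scan_for_signatures(data: bytes) -> List[str]:
    """First generation: search the file body for every known signature."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def snapshot(path: str) -> Dict[str, object]:
    """Record length and SHA-256 of a file; this is the integrity baseline."""
    with open(path, "rb") as f:
        data = f.read()
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def integrity_check(path: str, baseline: Dict[str, object]) -> List[str]:
    """Second generation: report length and content changes against the baseline,
    which catches modifications even when no signature is known for them."""
    current = snapshot(path)
    findings = []
    if current["length"] != baseline["length"]:
        findings.append(f"length changed {baseline['length']} -> {current['length']}")
    if current["sha256"] != baseline["sha256"]:
        findings.append("content hash changed")
    return findings

def demo() -> Dict[str, Dict[str, List[str]]]:
    """Baseline two constructed 'executables', append a payload to each, and run
    both checks. One payload is in the signature database, the other is not."""
    payloads = {"known.exe": b"DEMO-INFECTOR-MARKER", "unknown.exe": b"A" * 20}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in payloads.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(b"MZ" + b"\x00" * 64)   # constructed stand-in for a clean binary
            baseline = snapshot(path)
            with open(path, "ab") as f:
                f.write(payload)                # simulate an appended infection
            with open(path, "rb") as f:
                data = f.read()
            results[name] = {
                "signatures": scan_for_signatures(data),
                "integrity": integrity_check(path, baseline),
            }
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The unknown payload is missed by the signature scan but still reported by the integrity check, which is why the two generations are combined.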

Protection levels of modern antivirus software are:

• Gateway Level Protection: Consists of mail server and firewall protection. Viruses are detected and removed before files and scripts reach a local network.

• File-Server-Level Protection: Consists of server software. Viruses are detected and removed even before network users access their files/scripts.

• End-User-Level Protection: Consists of workstation software. Viruses undetected in the outer defense lines are detected and removed. This is also the only antivirus protection level available for data communication that is encrypted end to end by the user, since the gateway and file server levels cannot inspect such traffic.

All levels should be combined to achieve depth in antivirus defense. Virus definition databases should be automatically and/or manually updated.

Examples of antivirus and anti-spyware software are Ad-Aware, F-Secure Internet Security, and Norton Antivirus.

Firewall Technology

Firewalls protect computers and computer networks from external security threats. Firewalls fall into four broad categories (Stallings, 2006):

• Packet-Filtering Router: Applies a software and/or hardware implemented filtering rule set to each incoming/outgoing IP packet and then forwards or discards the packet. Most TCP/IP routers support basic user defined filtering rules. A packet-filtering firewall can also be a stand-alone network link device, for example, a computer with two network cards.

• Application-Level Gateway (Proxy Server): Acts as an application level traffic relay, that is, traffic is filtered based on specified application rules. A typical application level gateway is a protocol oriented proxy server on a network link, for example, an HTTP proxy, an SMTP proxy, an FTP proxy, and so forth.

• Circuit-Level Gateway: Typically relays TCP packets from one connection to another without examining the contents. Traffic is filtered based on specified session rules such as when a session is initiated by a recognized computer.

• Stateful Multilayer Inspection Firewall: Traffic is filtered at three levels, based on a wide range of specified application, session, and packet filtering rules.
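The following Python model, added here and not part of the original article, applies a first-match packet-filtering rule set to constructed packets and then layers stateful session tracking on top of it; the addresses (IETF documentation ranges), the rule set, and the packet contents are assumptions made for the demonstration.

```python
"""Added example: a first-match packet-filtering rule set, and stateful
inspection layered on top of it, applied to constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the LAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str
    proto: str
    src_net: str     # CIDR; "0.0.0.0/0" matches any address
    dst_net: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))

LAN = "192.0.2.0/24"   # constructed internal network (documentation address range)

# Stateless rule set: the first matching rule decides, anything unmatched is dropped.
RULES: List[Rule] = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),  # public HTTPS server
    Rule("allow", "out", "tcp", LAN, "0.0.0.0/0"),                   # LAN may open TCP sessions
    Rule("allow", "out", "udp", LAN, "0.0.0.0/0", 53),              # DNS queries
]

def packet_filter(p: Packet, rules: List[Rule] = RULES) -> str:
    """Packet-filtering router behaviour: forward or discard on the rule set alone."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# (proto, inside address, inside port, outside address, outside port)
Session = Tuple[str, str, int, str, int]

class StatefulFirewall:
    """Stateful inspection: remember sessions the LAN initiated and admit their
    return traffic, which a purely stateless rule set cannot distinguish from
    an unsolicited inbound connection attempt."""
    def __init__(self) -> None:
        self.sessions: Set[Session] = set()

    def filter(self, p: Packet) -> str:
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow"                  # reply belonging to a known session
        verdict = packet_filter(p)
        if verdict == "allow" and p.direction == "out":
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict

def demo() -> Dict[str, str]:
    fw = StatefulFirewall()
    outbound = Packet("out", "tcp", "192.0.2.5", 51000, "198.51.100.7", 443)
    reply = Packet("in", "tcp", "198.51.100.7", 443, "192.0.2.5", 51000)
    unsolicited = Packet("in", "tcp", "198.51.100.7", 443, "192.0.2.5", 51001)
    to_server = Packet("in", "tcp", "203.0.113.9", 40000, "192.0.2.10", 443)
    return {
        "stateless_reply": packet_filter(reply),   # stateless filter drops the legitimate reply
        "outbound": fw.filter(outbound),
        "stateful_reply": fw.filter(reply),
        "unsolicited": fw.filter(unsolicited),
        "to_server": fw.filter(to_server),
    }

if __name__ == "__main__":
    print(demo())
```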

Cryptographic Technology

Cryptographic network security technology consists of network security applications, network security system software, and cryptographic hardware.

Secure Network-Level Data Communication

Secure-network-level data communication is based on the Internet protocol security (IPSec) protocol. Two computers in the same TCP/IP network implement end-to-end security through the network, when IPSec software is installed and properly configured in both computers. IPSec provides two operation modes:

• Transport Mode: Original IP headers are used.

• Tunnel Mode: New IP headers are created and used to represent the IP tunnel endpoint addresses.

IPSec is usually embedded in virtual private network (VPN) software. VPN provides secure LAN functionality in geographically distributed network segments and for Internet connected computers. Fundamental VPN types are:

• Access VPN: Secure connection to a LAN through a public TCP/IP Network.

• Connection VPN: Secure remote connection between two logical LAN segments through a public TCP/IP network.

IPSec and VPN functionality is included in Windows 2000/XP. Commercial VPN software products are F-Secure VPN+™, Nokia VPN, Cisco Security VPN Software, and so forth. Open source IPSec and VPN software is also available (Openswan Portal, 2006).

Middleware

Middleware is a software layer between the network and the applications for providing services like identification, authentication, authorization, directories, and security (Internet2 Middleware Initiative [I2-MI] Portal, 2006). Shibboleth is an example of open source authentication and authorization middleware (Shibboleth Project Portal, 2006). Commercial security middleware based on the SSH protocol is SSH Tectia Solution (2006).

Secure Transport-Level Data Communication

Many network applications are based on the IETF transport layer security (TLS) standard (Dierks & Rescorla, 2006). The TLS/SSL protocol is based on an established client-server TCP connection. Both computers then execute the SSL handshake protocol to agree on the cryptographic algorithms and keys for use in the actual data communication. TLS/SSL versions of common application level TCP/IP protocols are available (see Table 1).

VPN solutions can also be implemented using the TLS/SSL protocol and executed on the transport level. This technology, called SSL-VPN, provides VPN functionality to geographically distributed network segments and for Internet connected computers using a standard Web browser.

Table 1. Secure application level protocols based on TLS/SSL

Secure protocol   Port   Description
HTTPS             443    TLS/SSL protected HTTP
POP3S             995    TLS/SSL protected POP3
IMAPS             993    TLS/SSL protected IMAP4
SMTPS             465    TLS/SSL protected SMTP
NNTPS             563    TLS/SSL protected NNTP
LDAPS             636    TLS/SSL protected LDAP

Open source SSL-VPN software can be downloaded from OpenVPN Portal (2005).

Web Security

Basic Web security features are access level security and transaction level security. Access level security is provided with firewalls, which guard against intrusion and unauthorized use. Transaction level security requires protocols for protecting the communication between a Web browser and a Web server. Proposed protocols are HTTPS, S-HTTP, and PCT (Pulkkis, Grahn, & Astrom, 2003). HTTPS was originally introduced by Netscape for the Navigator browser. Presently HTTPS is an accepted standard supported by practically all Web browsers, while S-HTTP and PCT are seldom used.

E-Mail Security

E-mail traffic between e-mail servers is protected using the SMTPS protocol. Sessions between e-mail client programs and e-mail servers can be protected

• By using the mailbox access protocols POP3S and IMAPS.

• By embedding an e-mail client program in a HTTPS Web page.

E-mail content security requires solutions for signing and/or encrypting outgoing messages as well as for decryption and/or signature verification of incoming messages. These solutions can be applied at

• Client level, by e-mail client program security extensions.

• Server level, by gateway security extension solutions.

The most widely used e-mail security extensions are PGP and S/MIME (see Stallings, 2006, Chap. 15). A commercial e-mail security extension solution is Utimaco Safeware's SecuE-Mail Gateway, supporting OpenPGP (OpenPGP Alliance Portal, 2006) and S/MIME.

A current problem with e-mail is spam e-mail sent by some unknown party to a large number of recipients. Usually this spam e-mail has some commercial content. Spam e-mail is also used to spread spyware and viruses. Server level solutions detect spam e-mail before it reaches the e-mail server, and client solutions, embedded in modern client level security suites, detect spam e-mail when it reaches the e-mail client.

E-Commerce Security

There are three main e-commerce transaction categories:

• Consumer-to-Business (C2B) Transactions: Occur between a consumer and an electronic marketplace or a bank over public networks, usually over the Internet.

• Business-to-Business (B2B) Transactions: Called market link transactions. Here, businesses, governments, and other organizations conduct business using different electronic communication technologies.

• Intraorganizational Transactions: Also called market driven transactions for internal strategies by collecting outside information and by customer monitoring (Kalakota & Whinston, 1999).

Secure Electronic Transaction (SET), introduced by MasterCard and Visa, is a standard protocol for securing credit card transactions over insecure networks such as the Internet (Stallings, 2000). SET provides secure communication, trust based on X.509v3 digital certificates, and privacy based on strictly controlled access to sensitive information. The SET protocol was published in the late 1990s but still has only a small market share in existing implementations of C2B transactions.

HTTPS is presently a standard protocol for securing C2B transactions on the Internet. When a customer browses to an e-commerce Web page, authentication of this Web page with a trusted X.509v3 certificate is required before any transactions occur. A typical transaction is then an SSL/TLS protected authorization by the customer that lets the e-commerce Web site charge the cost of a purchase to the customer's credit card account. For online transactions with bank accounts, customers have private HTTPS protected Web pages. When a customer browses to his/her private Web page, mutual authentication of the customer and the customer's bank is required before any transactions occur. In this authentication the bank uses a trusted X.509v3 certificate, and the customer uses either a trusted X.509v3 certificate or a one-time password, according to the requirements of the bank. A typical transaction in this case is an SSL/TLS protected authorization, signed by the customer, to transfer a specified amount of money from the customer's account to some other account. The signature is created with a trusted X.509v3 certificate or with a randomly chosen signature code, according to the requirements of the bank.

For B2B transactions, the main technologies are RosettaNet XML, Electronic Data Interchange (EDI), and EDI over the Internet (EDIoI).

RosettaNet is a consortium of major information technology (IT), electronic components (EC), and semiconductor manufacturing (SM) vendors dedicated to the development and deployment of open e-commerce standards for B2B transactions in high tech supply chains. The RosettaNet Implementation Framework (RosettaNet Implementation Framework: Core Specification, 2001) is an open common networked application framework defining an XML format for the exchange of B2B documents. This framework includes S/MIME v2 for secure authentication, authorization, and confidentiality of B2B transacting.

The latest version of the international EDI standard can be downloaded from UN/EDIFACT Portal (2006). For B2B transacting via EDI, the trading partners must agree on

• what information is to be exchanged,

• which message standards are used, and

• the means of transportation (EDI network).

An EDI network consists of direct modem-to-modem data links between the involved companies or is implemented by a third-party value-added network (VAN) service. The security of VANs is high, since they are private networks physically out of reach of outsiders. Examples of present EDI VAN service providers are AT&T, British Telecom, IBM network, and General Electric Information Services (Kalakota & Whinston, 1999; Whiteley, 2000).

B2B transacting via EDIoI means EDI network implementation by the Internet. EDI transactions are implemented by Web browsing operations, which can be mutually authenticated and protected by the HTTPS protocol. To support the use of EDIoI, IETF has standardized the Electronic Data Interchange Applicability Statement 2 protocol (AS2), which uses S/MIME messaging for authentication and data confidentiality (Moberg & Drummond, 2005).

Secure Shell (SSH)

The secure shell (SSH), a secure remote connectivity protocol in TCP/IP networks, is a de-facto standard being further developed by one of the IETF Security Area Working Groups. Two SSH versions have hitherto been developed: SSH1 and SSH2. Commercial as well as open source SSH implementations are available (OpenSSH Portal, 2006; SSH Tectia Solution, 2006).

Wireless Security Software

A radio interface is by nature easy to access. Security threats are either passive or active attacks. Active attacks involve altering data streams. Passive attacks, on the other hand, include snooping on transmissions. The most important security features are authentication, authorization, confidentiality, integrity, and availability. The software implementing these features is included in the network equipment.

WLAN security is built up around the security protocol 802.11i/WPA2 (Wi-Fi Protected Access). WPA2 was created to address problems with the security protocols WEP (wired equivalent privacy) and WPA. For authentication, IEEE 802.1X is used in current systems (Wi-Fi Protected Access, 2003).

WiMAX (WiMAX Forum, 2006) has adopted the DOCSIS BPI+ (Data Over Cable Service Interface Specification - Baseline Privacy Interface Plus) protocol. Authentication relies on PKM-EAP (privacy key management-extensible authentication protocol) and TLS (transport layer security). The CCMP (counter mode with cipher block chaining message authentication code protocol) protocol and the AES (Advanced Encryption Standard) algorithm are used for encryption.

In Bluetooth, there are three security modes handled by the security manager (Grahn, Pulkkis, & Guillard, 2002). A bonding process including pairing and authentication, and encryption based on the SAFER+ algorithm, are implemented. Also a concept of trusted devices is applied.

ZigBee (ZigBee Alliance, 2006) uses the basic security elements in IEEE 802.15.4. AES is used to protect data. Any two devices must share a key for encryption and decryption. The public key encryption algorithm is based on ECC (elliptic curve cryptography).

The security features in a GSM network can be divided into three subparts: subscriber identity authentication, user and signaling data confidentiality, and subscriber identity confidentiality. In 3G systems security is based on what was implemented in GSM. The encryption algorithm is stronger; the application of authentication algorithms is stricter, and subscriber confidentiality is tighter. The security principles are all incorporated into the authentication and key agreement (AKA) procedure (Grahn et al., 2002).

Secure Network Management

A protocol for secure network management, SNMPv3, was introduced in 1998 by IETF to address the lack of security in earlier SNMP versions. SNMPv3 adds authentication and encryption features to SNMP managers and access control features to SNMP agents (Stallings, 2000).

Secure DNS (DNSSEC)

The absence of trust in DNS host name resolution is a security hazard in all TCP/IP applications. To address this problem IETF formed a Working Group to develop the DNSSEC standard. The objective is to provide both authentication and integrity to DNS information. DNSSEC uses public key cryptography to sign DNS information (DNSSEC, 2006).

Secure Routing Software

Routing protocols and their hardware/software implementations in computer networks are usually open and functionally unprotected. A manifestation of an emerging recognition of routing security in the Internet community is the recently formed IETF Routing Area Working Group "Routing Protocol Security Requirements (rpsec)," which in October 2004 published an Internet Draft "Generic Threats to Routing Protocols" (Barbir, Murphy, & Yang, 2004).

Cryptographic Hardware

Cryptographic hardware is needed for data protection and also for computational acceleration purposes. A piece of cryptographic hardware is usually used for both purposes, and it is called:

• a hardware security module (HSM Module), when the goal is to achieve data security

• a crypto co-processor or cryptographic accelerator chip, when the goal is improved computational efficiency

HSM Modules are used for:

• protection of sensitive cryptographic data structures like symmetric and private cryptographic keys

• secure generation and use of sensitive cryptographic data structures, such as:

  • one-time passwords with short validity time

  • cryptographic keys

  • irreproducible random numbers needed in key generation and for nonce generation in authentication protocols to prevent replay

• execution of key agreement protocols

• execution of encryption and decryption operations using symmetric and private keys

The cryptographic keys in HSM Modules are protected by PIN codes or biometrically by digital fingerprint comparison and/or by digital voice recognition.

Examples of cryptographic hardware are:

• Smartcard chips. Smartcard types are:

  • Electronic Identity Cards (PKI Cards)

  • SIM, PKI SIM, USIM, and SWIM cards in mobile phones

• USB HSM tokens

• PC Card HSM Modules with PCMCIA or PCMCIA Express interface

• PCI card HSM Modules

• SecurID (Nystrom, 2000) and Digipass (Vasco Product Range, 2006) HSM Modules for generation and use of one-time passwords with short validity time

• TRNG (True Random Number Generator) devices for extraction of natural physical randomness for generation of irreproducible random numbers. TRNG devices are implemented by:

  • radiation counters

  • radio noise monitors

  • audio noise monitors

  • monitors of thermal noise in diodes, leaky capacitors, mercury discharge tubes, and so forth

• cryptographic processors/acceleration chips for execution of

  • symmetric encryption/decryption operations with DES, 3DES, AES, and so forth

  • RSA encryption/decryption operations in public key cryptography

  • arithmetic with discrete points on elliptic curves in elliptic curve cryptography

  • SHA-1 hashing

With smartcards, the most widely used cryptographic hardware, a smartcard reader is needed. With other cryptographic hardware no separate reader is needed. For true pin code security a smartcard reader with a dedicated keypad is necessary. Software required for accessing cryptographic tokens on smartcards is

• Device driver for communication with the smartcard through the used smartcard reader.

• PC/SC, a specification set released by an international consortium (PC/SC Workgroup, 2006) for integration with the operating system. In PC/SC a device manager keeps track of the cards and card readers connected to a computer.

• An Application Programming Interface (API) like PKCS#11, also called Cryptoki, or Microsoft Crypto API.

Public Key Infrastructure (PKI)

Network server authentication is usually based on the use of certified public key cryptographic key pairs. In network access software, such as SSH and VPN, a network user authentication option is based on the use of certified key pairs. The server or the network is authenticated by proving the ownership of the private key in a certified key pair. The Internet standard for key pair certification is presently X.509v3 (Public-Key Infrastructure [X.509] Working Group [pkix], 2006). An X.509v3 certificate is a public digitally signed data structure consisting of:

• the public key of a key pair

• the subject (owner) of the key pair

• validity time of the certificate

• usage of the key pair

• issuer of the certificate

Digital signatures are also created and verified with certified key pairs in the X.509v3 standard. An X.509v3 certificate is signed by the private key in the key pair of the issuer. The public key in an X.509v3 certificate is trusted if the issuer is a trusted Certification Authority (CA). A PKI is the hardware, software, people, policies, and procedures needed to issue, manage, store, distribute, use, and revoke X.509v3 certificates.

Security Administration

Security administration uses intrusion detection software, vulnerability checking software, and software for security software management.

An intrusion detection system (IDS) monitors traffic in a network and/or user behavior in a host computer to identify possible intruders and/or anomalous behavior and/or misuse (Stallings, 2006). A distributed intrusion detection system coordinates several intrusion detection systems across a whole network and makes them cooperate. Standards to support such distributed intrusion detection systems are defined by the IETF Intrusion Detection Working Group (Stallings, 2000).

Passwords that are too short, easily guessed, or already cracked are major vulnerabilities. A potential intruder could run a password cracker on the encrypted passwords stored in a network. System administrators can use the same cracking tools to find and disable the usage of bad passwords.

Intrusion prevention requires regular scans for unnecessary open ports and other vulnerabilities like missing security patches.

Data encryption software protects data stored in networks using encryption. Encryption per user or per group of data stored in files and databases protects data contents from unauthorized access. Data encryption software examples are:

• Microsoft's Encrypting File System (EFS) technology for file and folder encryption at the user level.

• Utimaco Safeware's SafeGuard LAN Crypt software for file and folder encryption at both the user and the group level. SafeGuard LAN Crypt supports encrypted network traffic for the encrypted data.

Network security software in host computers and in other network nodes like routers is often software managed. A management software example is F-Secure® Policy Manager™ for management of "not only antivirus solutions, but all critical network security solutions on all tiers of the network" (F-Secure Policy Manager, 2006).

Development of Security Solutions

Antivirus protection programming skills require knowledge about self-modifying programs/scripts and about virus sensitive operating system features.

Firewall software programming skills are based on detailed knowledge of TCP/IP protocol stack implementation software.

The open source toolkit OpenSSL is available for TLS/SSL application design (The OpenSSL Project, 2005). OpenSSL is installed as a C function library. Commercial development tools are also available, for example Certicom Security Builder SSL (2006).

S/MIME e-mail extensions can, with special toolkits, be added to existing network software and be embedded in network software being developed. Freeware S/MIME v3 toolkits are the S/MIME Freeware Library (2006) and the Mozilla S/MIME Toolkit. Phaos S/MIME Toolkit is a Java package (Phaos S/MIME, 2004) for secure messaging in Java applications.

IPSec software development is usually VPN software development. IPSec can be integrated in the networking software and/or hardware of a router/a computer node. Commercial IPSec developer toolkits are available, for example Certicom Security Builder IPSec (2006).

Program libraries for SSH protocol integration during network software design are also available; see, for example, Ganymed SSH-2 for Java (2005).

In smartcard application development usually some development kit is used. Microsoft offers a Smartcard Toolkit to be used together with visual programming tools.

Design of Secure Network Software

Network security software implements security features. Other network software implements functionality and other features like usability, efficiency, simplicity, safety, dependability, reliability, and so forth. Security requirements for any network software include:

• absence of vulnerabilities and security holes

• secure interfaces

Security should be integrated in the network software life cycle starting from the specifications. The need to assess vulnerabilities and to react to security incidents should be proactively minimized before the network software is used. A recent handbook for secure software design is available (Viega & McGraw, 2002).

Future Trends

IPSec is integrated in the new version of the IP protocol, IPv6 (IP version 6, 2006). Thus IPSec is automatically included in the IP software in all nodes in future TCP/IP networks. Also DNSSEC and secure routing protocols will be included in the system software of future TCP/IP networks.

New wireless network protocols emerging are among others Wireless USB (WUSB) (Kolic, 2004) and ZigBee (ZigBee Alliance, 2006). WUSB will offer the same functionality as standard wired USB devices. ZigBee is a low-power, short-range, wireless technology. Both technologies will be used in networking solutions for home/industrial automation.

Wi-Fi Protected Access version 2 (WPA2) includes full 802.11i support in a WLAN (Wi-Fi Protected Access, 2003). WPA2 will replace RC4 with AES. It will also include the CCM protocol. The new standard implementation is hardware accelerated and will require replacement of most access points and some NICs (Network Interface Cards).

Session key agreement in future wired networks will be based on absolutely secure quantum cryptography protocols (Bennett, 1984), which are physically implemented by transmission of randomly polarized laser pulses in optical fibers (Stucki, Gisin, Guinnard, Ribordy, & Zbinden, 2002). Absolutely secure means that verified reception of a session key is also a proof that the same key has not been eavesdropped. Commercial quantum key distribution technology is already available (id Quantique Portal, 2006).

Conclusion

Software and hardware solutions and tools are network security cornerstones. Today, network security technology is a large and complex rapidly expanding area. Network security software skills are needed by every computer and computer network user. This has profound implications on all education, since use of computer networks is inevitable.

Education for professional network security software skills should include:

• installation, configuration, and test use of all categories of available network security software/hardware solutions and products,

• source code inspection exercises of open source network security software solutions, and

• programming exercises and projects with TLS/SSL application development environments and cryptographic toolkits.

Network security software development skills are important in upper level network security education.

Key Terms

E-Mail Protocols: Simple Mail Transfer Protocol (SMTP) is a set of commands for transport of ASCII encoded e-mail messages. Post Office Protocol (POP3) retrieves new messages from a mailbox to a remote e-mail client. A remote e-mail client can simultaneously access several mailboxes on different mail servers with the Internet Message Access Protocol (IMAP).

Internet Engineering Task Force (IETF): An open international community engaged in Internet architecture evolution (IETF, 2006). Working Groups in several topical areas develop technical drafts and Internet standards.

Internet Protocol Security (IPSec): The IPSec protocol suite is developed by an IETF Security Area Working Group. IPSec introduces a new TCP/IP protocol stack layer below IP. IPSec adds authentication and optionally encryption to transmitted data packets. Authentication ensures that packets are from the right sender and have not been altered. Encryption prevents unauthorized reading of packet contents.

Pretty Good Privacy (PGP): An e-mail extension used to encrypt/decrypt and cryptographically sign e-mail, as well as to verify e-mail signatures. Verification of a signature is a proof of sender identity and message authenticity.

Secure Multipurpose Internet Mail Extensions (S/MIME): A secure e-mail standard based on MIME. S/MIME, being further developed by an IETF Security Area Working Group, accomplishes privacy and authentication by using encryption/decryption, digital signatures, and X.509 certificates.

Simple Network Management Protocol (SNMP): An application layer TCP/IP protocol for management information exchange between network devices. SNMP includes two main software entity types: managers and agents.

Virus: Malicious code added to an executable file loaded to a computer and executed without the user's knowledge and consent. Computer viruses often copy and spread themselves to other computers in the same network.