

The public should not be granted read and write access to the same resource. For example, if the public can read a web page, they should not be able to write to it. The ability to write to it would permit them to alter or contaminate the data in a manner that could prove embarrassing. If a directory is provided to which the public can send files, they should not be able to read from that directory. If they can both read and write to the directory, they may use it simply as storage in lieu of their own. They may also use it to store contraband data that they would not want on their own systems and which might also prove embarrassing.
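The rule above can be checked mechanically on a host that uses POSIX permission bits. The following is an added example, not part of the original text: it reports every file or directory that "others" can both read and write, and sets up a drop directory that accepts files without allowing them to be listed. The function names, the sample paths, and the choice of mode 1733 are assumptions made for illustration.

```python
import os
import stat
import tempfile


def make_drop_directory(path):
    """Create an upload directory the public can write into but not list."""
    os.makedirs(path, exist_ok=True)
    # 1733: owner rwx; group/other write+search only; sticky bit so one
    # depositor cannot remove another's file. No 'r' for others means no
    # listing; uploads should also be stored unreadable to others.
    os.chmod(path, 0o1733)


def audit_public_access(root):
    """Return paths under root that others can both read and write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            if mode & stat.S_IROTH and mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: a published page, a guestbook, two upload dirs."""
    layout = {"www/index.html": 0o644, "www/guestbook.txt": 0o666}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "www"), 0o755)
    make_drop_directory(os.path.join(root, "incoming"))
    os.mkdir(os.path.join(root, "scratch"))
    os.chmod(os.path.join(root, "scratch"), 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in audit_public_access(tmp):
            print("public read+write:", rel)
```

On the constructed tree, the guestbook file and the `scratch` directory are reported, while the write-only `incoming` directory and the read-only page are not.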

ENCRYPTION

Encryption is the application and use of secret, as opposed to public, codes. It is a powerful defense that can deal with many of the problems related to vulnerable links and even some of those related to insecure nodes. It is inexpensive and effective. In addition, multiple implementations are available. However, it is limited in the open node problems that it can deal with and may require some management infrastructure. Exhibit 1 displays some of the encryption choices available for selected applications on the Internet.

Encryption is used for two fundamental purposes on the net. The first is to preserve necessary confidentiality on the net, which is the traditional use of cryptography. The second is to enable some confidence about with whom one is talking. In other words, if conversation is in a language that can only be spoken by one other, the correct parties are speaking to one another.

Encryption can also be used to resist password grabbers and other eavesdropping attacks.

USING THE INTERNET IN A RELATIVELY SAFE ENVIRONMENT

The following are recommendations for using the Internet in a relatively safe way. Although few will follow all of these recommendations, there is risk involved in any deviation from them. Moreover, although complete adherence to these recommendations will not eliminate all vulnerabilities, it will address many of them. Finally, although complete adherence will not eliminate all risks, following these recommendations provides a reasonable balance between risk and other values.

  Do not rely on the secrecy or authenticity of any information traversing the internet in public codes. Names and addresses, credit card numbers, passwords, and other data received from the public net may be replays rather than originals. Amounts and account numbers may have been tampered with.
  Choose a single point of connection to the Internet. Although the Internet is inherently mesh connected, and more than one connection may be necessary to avoid single points of failure, the more connections, the more points of attack and the more difficult it is to maintain consistent controls. The fewer the number of points of connection, the fewer the potential points of attack and the easier to maintain control.
  Connect to the Internet only with equipment dedicated to that purpose. When computers were expensive, it was economic to put as many applications as possible on the costly hardware. Communication software was added to connect existing multi-use, multi-user systems to the net. Attacks exploited this gratuitous generality. Because of less expensive hardware, hardware connected to the net should be dedicated to that use. All other applications should be run on other systems.
  Choose application-only connections. Many of the compromises of the Internet have resulted from the fact that the components were connected at the system layer and that attacks have succeeded in escaping the application to the more general and flexible system layer. If an attack encounters the E-mail service, it should see nothing else. If it escapes the E-mail application, it should see nothing. Under no circumstances should it see the prompt of an operating system that knows about any other system. In other words, the operating system should be hidden from the public net.
  Limit the use of Telnet. Telnet, particularly to the operating system, is a very general and flexible capability. It can be used for attack and is itself vulnerable to attack. Most of its functions and capabilities can be accomplished with safer alternatives.
  Use end-to-end encryption for commercial applications on the net. Although most of the applications and traffic on the public net are public, commercial and other private applications on the public net must be conducted in secret codes.
  Require strong authentication. Users of private applications on the public net or of the public net for commercial applications must use strong authentication. Two independent kinds of evidence should be employed to determine the identity of a user, and the authentication data must be protected from capture and replay.
  Log, monitor, and meter events and traffic. Given enough time, almost any attack can succeed. It is important to be able to recognize attack traffic and correct for it early. Attacks can usually be recognized by a change, often a sudden increase, from normal traffic patterns. It is useful to know what normal traffic looks like to be able to recognize variances on a timely basis, and to communicate the condition of those variances to managers who can take timely corrective action.
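The last recommendation, knowing what normal traffic looks like and flagging a sudden increase, can be sketched as a rolling baseline. This is an added example, not part of the original text; the function name, the window and threshold values, and the per-minute connection counts are constructed for illustration.

```python
from collections import deque
from statistics import fmean, pstdev

# Constructed sample: connections per minute seen at the single point of
# connection. Minutes 12 and 13 carry the surge.
SAMPLE_COUNTS = [40, 42, 38, 41, 39, 43, 40, 37, 42, 41,
                 40, 39, 180, 220, 45, 41]


def flag_variances(counts, window=10, threshold=3.0, min_sigma=1.0):
    """Return (minute, count, baseline_mean) for counts far above normal.

    'Normal' is the mean of the last `window` unflagged minutes. A minute is
    flagged when it exceeds that mean by `threshold` standard deviations.
    """
    baseline = deque(maxlen=window)
    alerts = []
    for minute, count in enumerate(counts):
        if len(baseline) == window:
            mu = fmean(baseline)
            # Floor sigma so perfectly flat traffic does not make every
            # one-connection wobble look like an attack.
            sigma = max(pstdev(baseline), min_sigma)
            if count > mu + threshold * sigma:
                alerts.append((minute, count, round(mu, 1)))
                # Do not learn from flagged minutes: a sustained surge
                # must not become the new definition of normal.
                continue
        baseline.append(count)
    return alerts


def report(alerts):
    """Format alerts as one line each for whoever takes corrective action."""
    return ["minute %d: %d connections (normal ~%s)" % a for a in alerts]


if __name__ == "__main__":
    for line in report(flag_variances(SAMPLE_COUNTS)):
        print(line)
```

No minute is flagged until the window has filled, so the first `window` samples should come from a period known to be normal.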

CONCLUSION

The Internet is as ubiquitous as the telephone and for similar reasons. It gives users such an economic advantage over nonusers that the nonusers are forced to become users. Pundits are fond of saying that no one is making money on the Internet. This position is fatuous and suggests that tens of thousands of enterprises are behaving irrationally. What is meant is that no one is conducting commerce on the Internet, at least not in the sense that they are selling, distributing, billing, and being paid over the Internet. Of course, many firms are doing one or more of these. Many others are making money, mostly by reducing costs. Many companies are using the Internet because it is the most efficient way to support customers.

The Internet holds out the promise to empower, enrich, and perhaps even ennoble. A minimum level of public trust and confidence must be maintained if that promise is to become a reality. That trust is both fragile and irreparable.

Because fundamental vulnerabilities on the network exist and because all possible attacks cannot be anticipated, a conservative policy and a responsive posture are required.



Copyright © CRC Press LLC