

Chapter 46
An Introduction to Internet Security and Firewall Policies

William Hugh Murray

This chapter is an introduction to security on the Internet. It describes the characteristics, applications, and protocols of the network. It also describes and explains the peculiar vulnerabilities that arise from these characteristics and the attacks that exploit them. This chapter offers strategies, tactics, and mechanisms for protecting the traffic on the network. It places special emphasis on firewalls and encryption and strategies for using them.

INTRODUCTION

Any attempt to describe anything as dynamic, not to say unstable, as the Internet is likely to make one look foolish. Describing the Internet can be likened to five blind men trying to describe an elephant. The elephant, however, remains an elephant; it does not change during the examination and discussion. Descriptions of the Internet that are only three years old, on the other hand, are already so out of date as to be inaccurate, if not dangerously misleading.

The Internet is already the most complex artifact in history. It may turn out to be important, or it may not. On the chance that it is or will be important, it makes sense to try to understand it, no matter how difficult and uncertain an explanation is likely to be.

THE CHARACTERISTICS OF THE INTERNET

The Internet can be defined and described, in part, in terms of its characteristics. Although it is possible for a network to have some of these characteristics without having them all, they are related in subtle ways.

Public and Open

Perhaps the most important characteristic of the Internet, at least from a security point of view, is that it is essentially public and open. It is public in the sense that, like the phone system, anyone can use it. One may have to go to a pay phone, a kiosk, or the public library, but anyone can use it; libraries have been known to hand out user IDs as freely as library cards. In addition, as with broadcast TV, radio, or magazine advertising, most of the traffic is public, and its value increases with the number of people who see it. Although it has not always been so, most of the servers and services available on the Internet do not know or care who their users are. No user identification or authentication is required. The servers may count the accesses and their operators might like to know the demographics of those who visit, but otherwise, the greater the number of visits, the more successful the site is considered.

Besides being public, the Internet is open. Like the postal system, for the price of a postage stamp anyone can send a message, and for the price of an accommodation address anyone can receive one. Although there may be an agreement to pay, no other permission is required and, as a rule, payment in advance is not required. The Internet is also open in the sense that a connection can be made with a minimum of notice to, or cooperation from, others. A node at the edge of a network can be added easily and unilaterally, creating a new connection between networks. Therefore, it is difficult, nearly impossible, to know what the network looks like.

Although only a small percentage of the traffic on the Internet is sensitive to disclosure, and most applications and services are free, almost all traffic is sensitive to contamination and most services are sensitive to interference. Moreover, although many who offer public information on the Internet want many people to see it, they want it to get through intact: they do not want it modified, they do not want it broken, and they do not want to be responsible for what they did not say. The public and open nature of the Internet makes this integrity harder to achieve. It also makes confidentiality and accountability harder to achieve for the traffic and applications that require them.

Inclusive Network of Networks

By definition, an internetwork is a network that connects networks. Therefore, the Internet is a network of networks. It is the one collection of all networks, and the economic advantage of a connection is so great as to be irresistible. Although isolated networks may exist in the short term, in the long term the internetwork will be one. Isolated networks that persist will be so sparse, small, and temporary as not to be significant.

Mesh Topology

The Internet has a mesh topology, which means that, except at the edges, most nodes are connected to two or more other nodes. There are therefore multiple paths between any two points on the network. The topology maximizes the probability that a message will get through and maximizes the total message-carrying capacity (i.e., bandwidth) of the network. On the other hand, at least by default, users do not know what path their traffic will follow or what nodes and links their messages will traverse. Any node on that path can read or alter the traffic, which is why the confidentiality and integrity of traffic cannot be derived from the path it takes.

Flat

Ideally, the Internet is flat, as opposed to hierarchical. Information flows directly from the origin toward the destination rather than in to a central switching point and back out to the destination. Therefore, the cost to send a message between any two points on the network is the same as between any other two points. The time required for a message to move between any two points is roughly the same as for any other two points chosen at random. Finally, the bandwidth between any two points is roughly the same as for any other two points.

As expected, messages flow more quickly between nodes that are close together. However, it is possible for a part of a message to circle the globe, even when addressed to a nearby node. So, at least on average, across all randomly chosen pairs of nodes, the Internet is flat.

Broadcast

A node that wants to send a message to another node hands that message to the network rather than to a pre-established path. Depending on the routing algorithm used, the originating node prefers neighbors that it believes lie in the direction of the destination. However, it is possible for a message to traverse the globe even when addressed to a nearby node. Each node that receives the message looks at the destination address in the message and forwards it in the general direction of that destination; no node knows the whole path. This is in contrast to a point-to-point network, in which the path between two points is determined in advance and dedicated, at least for the instant, to carrying that message. Although not every packet passes every node, and it is possible for users to influence the path that their traffic follows, few users have the special knowledge needed to take advantage of this capability. They do not know how to exercise the control or how to distinguish one path from another. Such control, if used, would limit the paths and bandwidth available to the traffic and would reduce the chances that the traffic would get through quickly.
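The mesh topology and hop-by-hop forwarding described in the two preceding sections can be made concrete with a small simulation. The following is an added example, not code from the chapter or its author. It builds a constructed eight-node topology (the TOPOLOGY dictionary and all node names are invented for illustration) and lets each router compute its own next-hop table by shortest path, as a routing protocol would install it. A packet then crosses the mesh one hop at a time, with no node knowing the end-to-end path. The example shows that several distinct routes exist between the two edge hosts, that a packet still gets through when one link is cut (but via a different set of intermediate nodes, which the sender never chose and cannot see), and that a packet is dropped when no route remains.

```python
"""Hop-by-hop, destination-based forwarding over a small mesh.

Added example (not from the chapter). The TOPOLOGY below is a constructed
network invented for illustration; node names carry no real meaning.
"""
from collections import deque

# Constructed mesh: interior routers R1..R6 each have two or more neighbors;
# edge hosts A and B hang off a single router.
TOPOLOGY = {
    "A":  ["R1"],
    "R1": ["A", "R2", "R3"],
    "R2": ["R1", "R4", "R5"],
    "R3": ["R1", "R5"],
    "R4": ["R2", "R6"],
    "R5": ["R2", "R3", "R6"],
    "R6": ["R4", "R5", "B"],
    "B":  ["R6"],
}


def without_link(topology, u, v):
    """Copy of the topology with the link u<->v removed (a cut cable)."""
    return {n: [m for m in nbrs if {n, m} != {u, v}]
            for n, nbrs in topology.items()}


def forwarding_table(topology, router):
    """Next hop toward every reachable destination, by shortest path.

    Stand-in for the table a routing protocol (e.g., OSPF) would install.
    Breadth-first search with unit link cost; the neighbor order in the
    topology breaks ties deterministically.
    """
    parent = {router: None}
    queue = deque([router])
    while queue:
        node = queue.popleft()
        for nbr in topology[node]:
            if nbr not in parent:
                parent[nbr] = node
                queue.append(nbr)
    table = {}
    for dest in parent:
        if dest == router:
            continue
        hop = dest
        while parent[hop] != router:   # walk back to the router's own neighbor
            hop = parent[hop]
        table[dest] = hop
    return table


def forward_packet(topology, src, dst, ttl=16):
    """Simulate one packet. Each node consults only its own table.

    Returns the list of nodes the packet visited, or None if it was dropped
    (no route, or hop limit exhausted, as with IP's time-to-live field).
    """
    path = [src]
    node = src
    while node != dst and ttl > 0:
        next_hop = forwarding_table(topology, node).get(dst)
        if next_hop is None:
            return None
        path.append(next_hop)
        node = next_hop
        ttl -= 1
    return path if node == dst else None


def simple_paths(topology, src, dst, _seen=None):
    """All loop-free paths src->dst: how many distinct routes the mesh offers."""
    seen = (_seen or set()) | {src}
    if src == dst:
        return [[dst]]
    paths = []
    for nbr in topology[src]:
        if nbr not in seen:
            for rest in simple_paths(topology, nbr, dst, seen):
                paths.append([src] + rest)
    return paths


if __name__ == "__main__":
    print("normal route:  ", forward_packet(TOPOLOGY, "A", "B"))
    print("R2-R4 cut:     ", forward_packet(without_link(TOPOLOGY, "R2", "R4"), "A", "B"))
    print("routes A->B:   ", len(simple_paths(TOPOLOGY, "A", "B")))
    print("B isolated:    ", forward_packet(without_link(TOPOLOGY, "R6", "B"), "A", "B"))
```

Host A's own table only tells it to hand the packet to R1; which of R2, R3, R4 or R5 then sees the packet is decided by those routers, one hop at a time. That is the property the chapter is pointing at: the sender gets robustness from the mesh but gives up knowledge of, and control over, who handles its traffic.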



Copyright © CRC Press LLC