NETWORK SECURITY ESSENTIALS
By Manuel Cereijo
With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident. The generic name for the collection of tools designed to protect data and to thwart hackers is computer security. The introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer has affected security also. The generic name is network security and Internet security.
Perhaps the most sophisticated types of threats to computer systems are presented by programs that exploit vulnerabilities in computing systems. We are concerned with application programs as well as utility programs, such as editors and compilers.
The figure below provides an overall taxonomy of software threats, or malicious programs. These threats can be divided into two categories: those that need a host program, and those that are independent. The former are essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program. The latter are self-contained programs that can be scheduled and run by the operating system.
We can also differentiate between those software threats that do not replicate and those that do. Viruses, bacteria, and worms replicate.
A trap door is a secret entry point into a program that allows someone that is aware of the trap door to gain access without going through the usual security access procedures. Trap doors have been used legitimately for many years by programmers to debug and test programs. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access. It is difficult to implement operating system controls for trap doors. Security measures must focus on the program development and software update activities.
One of the oldest types of program threat, predating viruses and worms, is the logic bomb. The logic bomb is code embedded in some legitimate program that is set to "explode" when certain conditions are met. Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running an application. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.
A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function. Trojan horse programs can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user's file permissions so that the files are readable by any user.
A virus is a program that can "infect" other programs by modifying them. The modification includes a copy of the virus program, which can then go on to infect other programs. A computer virus carries in its instructional code the recipe for making perfect copies of itself. The infection can be spread from computer to computer by unsuspecting users, who either swap disks or send programs to one another over a network. In a network environment, the ability to access applications and system services on other computers provides a perfect environment for the spread of a virus.
Network worm programs use network connections to spread from system to system. A network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
Bacteria are programs that do not explicitly damage any files. Their sole purpose is to replicate themselves. Bacteria reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space.
The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following:
· Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
· Identification: Once detection has been achieved, identify the specific virus that has infected a program.
· Removal: Once the specific virus has been identified, remove all traces of the virus from all infected systems so that it cannot spread further.
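The three steps above, worked through as an added example (this is not code from the original article). The signature database, the infected sample bytes and the "appending infector" model (virus code, beginning with its signature, appended to the end of the host program) are all constructed for the illustration; the SHA-256 baseline shows the checksum-style check that catches a modification even when no signature is known for it.

```python
import hashlib
from pathlib import Path

# Constructed signature database for the example: virus name -> identifying
# byte pattern. The patterns are made up and match no real malware.
SIGNATURES = {
    "DemoVirus.A": b"DEMO-VIRUS-A-MARKER",
    "DemoVirus.B": b"DEMO-VIRUS-B-MARKER",
}


def detect(data: bytes) -> bool:
    """Detection: is any known signature present in the program image?"""
    return any(sig in data for sig in SIGNATURES.values())


def identify(data: bytes):
    """Identification: name the specific virus, or None if nothing matches."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def remove(data: bytes) -> bytes:
    """Removal under the toy model assumed here: the infector appended its
    code (starting with its signature) to the host program, so the clean
    host is everything before the signature."""
    name = identify(data)
    if name is None:
        return data
    return data[: data.index(SIGNATURES[name])]


def build_baseline(files):
    """Integrity checksums of known-clean files; a later mismatch flags a
    modification even if no signature exists for the cause."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in files}


def changed_since_baseline(baseline):
    """Files whose current digest differs from the recorded one."""
    return [p for p, digest in baseline.items()
            if hashlib.sha256(Path(p).read_bytes()).hexdigest() != digest]


def scan_file(path) -> dict:
    """Run the three steps on one file and disinfect it in place if needed."""
    p = Path(path)
    data = p.read_bytes()
    if not detect(data):
        return {"file": str(p), "infected": False, "virus": None}
    name = identify(data)
    p.write_bytes(remove(data))
    return {"file": str(p), "infected": True, "virus": name}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        clean = b"\x7fELF constructed host program bytes"
        host = Path(d) / "tool.bin"
        host.write_bytes(clean)
        baseline = build_baseline([host])
        # Simulate an appending infection with constructed bytes (no real infector).
        host.write_bytes(clean + SIGNATURES["DemoVirus.B"] + b"constructed payload")
        print("modified files:", changed_since_baseline(baseline))
        print(scan_file(host))
        print("after cleaning:", changed_since_baseline(baseline))
```

The signature match is what a first-generation scanner does; the baseline digest is what lets a checksum-based check notice a change to a program that no signature describes. Real infectors do not all append, so the removal step here is only valid for the model stated in the comment.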
ADVANCES IN VIRUS AND ANTIVIRUS TECHNOLOGY GO HAND IN HAND.
Early viruses were relatively simple code fragments and could be identified and purged with relatively simple antivirus software packages. As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated.
There are four generations of antivirus software.
· First generation: simple scanners
· Second generation: heuristic scanners
· Third generation: activity traps
· Fourth generation: full-featured protection
Fourth generation products are packages consisting of a variety of antivirus techniques used in conjunction. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
The arms race continues. More sophisticated antivirus approaches and products continue to appear. Two of them are Generic Decryption (GD) technology and the Digital Immune System.
There are four general categories of attack:
· Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability, as for example, destruction of a piece of hardware.
· Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. Examples include wiretapping to capture data in a network.
· Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity. Examples include changing values in a data file or altering a program so that it performs differently.
· Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity.
These attacks can also be classified as passive or active. Active attacks are more damaging. It is also quite difficult to prevent active attacks absolutely, because to do so would require complete protection of all communications facilities and paths at all times.
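An added example (not from the original article) of how a receiver detects two of the four categories, modification and fabrication, on a message in transit: a keyed MAC (HMAC-SHA256 from Python's standard library) over a sequence number and the payload. The key, the payload text and the `demo_outcomes` helper are constructed for the illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length in bytes
SEQ_LEN = 8   # sequence number field, big-endian


def make_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC(key, seq || payload)."""
    body = seq.to_bytes(SEQ_LEN, "big") + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify(key: bytes, wire: bytes, expected_seq: int):
    """Receiver side. Returns (True, payload) or (False, reason)."""
    if len(wire) < SEQ_LEN + TAG_LEN:
        return (False, "truncated")
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks timing information about the tag.
    if not hmac.compare_digest(tag, expected_tag):
        return (False, "bad tag: message modified or fabricated")
    seq = int.from_bytes(body[:SEQ_LEN], "big")
    if seq != expected_seq:
        return (False, f"unexpected sequence {seq}: replay or reordering")
    return (True, body[SEQ_LEN:])


def demo_outcomes(key: bytes) -> dict:
    """Constructed scenarios, one per attack category the MAC addresses."""
    genuine = make_message(key, 1, b"transfer 100 to account 42")
    # Modification: an intermediary flips one byte of the payload ("100" -> "101").
    modified = bytearray(genuine)
    modified[SEQ_LEN + 11] ^= 0x01
    # Fabrication: a party without the key builds a message with its own tag.
    fabricated = make_message(b"guessed-key", 2, b"transfer 999 to account 66")
    return {
        "genuine": verify(key, genuine, 1),
        "modified": verify(key, bytes(modified), 1),
        "fabricated": verify(key, fabricated, 2),
        # The genuine message presented again when seq 2 is expected.
        "replayed": verify(key, genuine, 2),
    }


if __name__ == "__main__":
    for name, result in demo_outcomes(bytes(range(32))).items():
        print(f"{name:10s} -> {result}")
```

The tag covers integrity and authenticity only. It does nothing for the other two categories: an interceptor still reads the payload (confidentiality needs encryption), and nothing here keeps the channel available (interruption). The sequence check is what turns a valid old message into a detectable replay.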
The intruder is also referred to as a hacker or cracker. There are three classes of intruders:
· Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
· Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized.
· Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
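An added example (not part of the original article) of audit-record checks that correspond to the three intruder classes: a burst of failed logins on an account followed by a success from the same source (masquerader), a logged-in user reaching a resource the authorization policy does not grant (misfeasor), and gaps in the audit sequence numbers (audit collection suppressed, the clandestine user's aim). The log format, the records, the policy table and the thresholds are all constructed for the illustration; the heuristics are assumptions, not rules from the text.

```python
import re
from collections import defaultdict

# Constructed audit records. Each carries a sequence number assigned by the
# collector, so that suppressed or deleted records leave a visible gap.
AUDIT_LOG = """\
seq=1 ts=09:00:01 user=alice event=login result=fail src=10.0.0.5
seq=2 ts=09:00:03 user=alice event=login result=fail src=10.0.0.5
seq=3 ts=09:00:05 user=alice event=login result=fail src=10.0.0.5
seq=4 ts=09:00:06 user=alice event=login result=success src=10.0.0.5
seq=5 ts=09:01:10 user=bob event=login result=success src=10.0.0.7
seq=6 ts=09:01:20 user=bob event=access resource=/payroll/salaries.db result=success src=10.0.0.7
seq=7 ts=09:02:00 user=carol event=login result=success src=10.0.0.9
seq=11 ts=09:05:00 user=carol event=logout result=success src=10.0.0.9
"""

# Constructed authorization policy: resources each account is allowed to touch.
POLICY = {
    "alice": {"/home/alice"},
    "bob": {"/home/bob"},
    "carol": {"/home/carol", "/payroll/salaries.db"},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(log_text: str):
    """One dict of key=value fields per non-empty line."""
    return [dict(FIELD_RE.findall(line)) for line in log_text.splitlines() if line.strip()]


def masquerader_candidates(records, threshold=3):
    """Assumed heuristic: at least `threshold` failed logins on one account
    from one source, immediately followed by a success from that source."""
    fails = defaultdict(int)
    hits = []
    for r in records:
        if r.get("event") != "login":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "fail":
            fails[key] += 1
            continue
        if fails[key] >= threshold:
            hits.append({"user": r["user"], "src": r["src"], "failures_before_success": fails[key]})
        fails[key] = 0
    return hits


def misfeasor_candidates(records, policy=POLICY):
    """Successful access by a legitimate account to a resource outside its policy."""
    return [
        {"user": r["user"], "resource": r["resource"]}
        for r in records
        if r.get("event") == "access" and r.get("result") == "success"
        and r["resource"] not in policy.get(r["user"], set())
    ]


def audit_gaps(records):
    """(previous, next) pairs where sequence numbers are not consecutive."""
    seqs = [int(r["seq"]) for r in records]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


if __name__ == "__main__":
    recs = parse(AUDIT_LOG)
    print("masquerader:", masquerader_candidates(recs))
    print("misfeasor:  ", misfeasor_candidates(recs))
    print("audit gaps: ", audit_gaps(recs))
```

The gap check only works because sequence numbers are assigned by the collector rather than by the monitored host; a clandestine user who controls the host can stop records being generated, but cannot make the collector's numbering look continuous. The misfeasor check compares successful accesses against policy, which is how an audit catches access the enforcement point should have denied.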