SAN FRANCISCO, Calif — Distributed computing environments of the future require a "defense in depth" security architecture which cannot be implemented with single-point firewalls, an AT&T Labs researcher said at a Communications Design Conference NetSeminar on Aug. 9. Steve Bellovin, a Research Fellow at AT&T, said that inadequate funding is being provided in government and corporate worlds for operational security, such as system administration.
"Systems need to be designed from the assumption that things will fail, even those critical points designed not to fail," Bellovin said. "This requires designing whole systems for security from the very beginning. Secure networks also have to scaleable and extendable, which we do not see very often nowadays."
Bellovin said that both system designers and network managers make assumptions about nodes in their networks that allow weak links for hostile users to exploit. For example, developers should never assume that a software application or hardware node will never be connected to the Internet, because standalone applications invariably end up becoming Internet-connected, if only indirectly so. He said it was also "demonstrably untrue" to say that proprietary closed-source systems could not be penetrated.
"Never, never underestimate the bad guy," Bellovin said. Most truly hostile attackers do not use obvious routes to a system and leave marks of their arrival, such as defacing a Web site, he said. The professional will use indirect access to critical systems, and will not stick around by leaving an open access port into a system. The professional will penetrate a system quickly, leave a Trojan Horse or logic bomb, and get out.
"The smart adversary will utilize special connections from third-party vendors or joint-venture partners," he said. "You don't go through a strong security mechanism, you go around it."
Bellovin saw a few positive signs in hardware development, such as IPsec support on network interface cards (NICs), or improved system partitioning proposed by the Trusted Computer Platform Alliance. He said there are also advantages in newer computer languages, provided they are used with discipline — such as the avoidance of buffer overflows that comes with good use of Java or C++.
Ultimately, though, nothing can replace good system administration, and functions such as authentication are more important than encryption. Bellovin listed advantages and pitfalls of authentication on several levels. For user authentication, some developers are turning to wider use of biometrics. This could be useful, Bellovin said, but methods such as iris scans and fingerprint verification systems are subject to scamming by both false-negative and false-positive tests.
In system authentication, Bellovin said a particular problem lies in the stateless nature of router algorithms themselves, and how routing across domains and through several Internet Service Providers could fall victim to many different packet-authentication problems. The federal government has looked at many schemes, he said, but most router authentication architectures are controlled from the center.
"Historically, the successful things on the Internet are those deployed incrementally, on the edges," he said. "Router authentication solutions to date have tended to be centralized."
Bellovin said that consumer networks, such as wireless LANs (WLANs) serving as part of a home network, have provided useful insights for improving corporate security. Traffic can be diverted very easily in a WLAN, Bellovin said, and even the most advanced home gateways would have difficulty authenticating the owner of a networked VCR or DVD player. The security problems encountered as local groups build out wireless LAN hot spots could provide useful insight at moving the corporate world to a more distributed view of security.
One dinosaur that must go is the single corporate firewall. Not only does it fall victim to the Port 80 access problem, but it can be overridden with requests for special applications that tunnel through the firewall, or access points that go around the firewall, until "it is no longer clear what traffic the firewall might still be blocking."
"The answer is not fewer firewalls, but more firewalls," Bellovin said. "Distributed architectures require distributed security strategies."
Loring Wirbel is the editorial director of CommsDesign.com. He can be reached at lwirbel@cmp.com.
