1997 Congressional Hearings
Intelligence and Security

Security through Containment

A White Paper

by Geoff Mulligan


About the Author

Geoff Mulligan has been designing and building Network security products, including Sun Microsystem's premiere firewall product SunScreen and the DEC SEAL, for the past seven years and has been instrumental in development of the Internet for the past 17 years. Geoff spent 11 years in the Air Force working at the Pentagon on computer and network security and taught computer science at the Air Force Academy. He is a Senior Staff Engineer in the Security Products Group at Sun Microsystems and a founding member of the Internet Commerce Group. He is researching emerging network technologies and network/system security products such as JAVA, telecommuting tools, firewalls and encryption. Geoff received his M.S. in 1988 from the University of Denver and B.S. in 1979 from the United States Air Force Academy.


1. Security Through Containment


1.1 Introduction

Is Network Security an oxymoron? Networks are designed and built to facilitate the sharing and distribution of data and information, while the goal of security is to limit and control the distribution of information. Ideally, networks are built to increase the ease of use while security reduces this convenience-- passwords are difficult to remember, and certain systems are not allowed to exchange information. We end up trading some ease of use for the sake of added security and we give up some security to increase the sharing of data and information. One method for providing both connectivity and security is through the use of containment.


1.2 What is Containment?

Containment is a methodology whereby access to information, files, systems or networks is controlled via access points. Much as a bank vault has only a single well-controlled entry and exit with various security procedures and protections, the security container also has controlled entries and exits known as connectivity points, though when using security containment, there may be more than a single connectivity point. Each of these may handle a specific type of service, such as electronic mail or file transfers. They may also control connections to other systems or networks, such as from the internal network to the global Internet or from an application to the files on the local system. The container has well defined security policies that it enforces and has security protection mechanisms to guard against attack.


1.2.1 Security Policies

Without well defined security policies, even the best container will leak like a sieve. These policies outline the procedures used to pass or move information into and out of the container. Examples of some connectivity security policies might be:

* No users or systems outside the company will have access to the financial network.

* Employees can only have access to the Internet during work hours.

* No files downloaded from the Internet are to be run on corporate systems.

* Any attempts to access the executive network will be logged.

* Alerts will be generated whenever sensitive files are being accessed.

Once the policies have been defined they are implemented and enforced using security containment.


1.2.2 Taxonomy of Security Attacks

There are three main groups of security attacks: intrusion, information interception, and denial of service. Intrusion

Intrusion is when unauthorized persons gain access to internal networks, systems or files. They may only be able to read the data or they may gain complete access to read and modify the information. In the second case their entry may go undetected if they can modify security log files to hide the intrusion. They may also be able to cause actions to be taken by the user without his knowledge, such as initiating funds transfers or equipment purchases by modifying the appropriate files. Intrusions are usually accomplished by guessing or cracking passwords, using IP spoofing, or exploiting operating system bugs. Information Interception

Information interception doesn't require the intruder to actually penetrate the internal networks or systems, but instead merely eavesdrop on data being passed into and out of the systems. He may capture electronic mail messages, conversations, paging messages or even the key strokes while you type. Interception is most commonly used to collect credit card or other sensitive information such as passwords. Using a simple packet sniffer, the intruder watches each packet looking for usernames and passwords and stores them for later use. They then use this information to gain access to internal systems in an intrusion attack. Denial of Service

The final type of attack is the denial of service attack. While the attacker cannot read the data or listen to the conversation, they can keep you from doing it. Jamming, as used by the military, is a denial of service attack and when properly initiated can be devastating to the target group. Overloading a system with invalid requests so that valid users are not able to access the system or causing the system or network to crash are both examples of denial of service attacks. It may not be necessary to access its systems to hurt a company. Interfering or jamming the phone lines of a bank causing financial transactions to be delayed or lost can result in irreparable financial damage.


There are tools and mechanisms that can be used to diffuse most of these attacks, though the most difficult to defend against is the denial of service attack. The attacker can remain focused on the single point of failure or weakest link in the connection and either crash it or overload it. Quite often these attacks are used against the security system to try to circumvent the procedures or to stop all connectivity.


1.3 Network/Connectivity Containment

One level of security containment is at the network or connectivity layer of the system. In the United States, we control our security with guards and border patrols while allowing unrestricted movement between the states. Companies control the access to their buildings with receptionists or guards stationed at the entrances and again allow free access to the offices within the building. Using network containment we put our "guards" and "patrols" at the edge of our network, where it connects to the global Internet, phone system, or customers. In fact, wherever there is a connection to a network or system that is not controlled under the same security policy, a "fence" should be installed. This type of security containment is called perimeter defense.


The benefits derived from a perimeter defense are ease of use and ease of implementation. Putting the controls at the edge or perimeter of the network allows a free flow of information within the network. This has been termed the "Cadbury Egg" security model, where there is a hard shell with a soft middle. Should an attacker break through the hard shell, they have unrestrained access to all the systems within the interior. It is, therefore, necessary to ensure that the perimeter is well maintained and guarded.


The other benefit of perimeter defense is ease of implementation. Quite often there are legacy systems that cannot be secured, such as MS-DOS and Windows systems. These machines, if connected to a network, can be quite easily compromised. In addition, it may be impossible due the sheer number of machines and networks to completely protect each and every system. In these cases a connectivity container provides the best mechanism to defend against attacks.


1.3.1 Firewalls/Proxies

The current and most popular implementation of connectivity containers is the Firewall. These systems reside between your internal network and the external Internet. They check each and every piece of information (packet) that attempts to pass through the Firewall, but do not interfere with data passing inside the network, much like a receptionist only checks visitors coming in or leaving.


Firewalls are very effective at protecting and limiting the flow of information into and out of the network. They work well at stopping or blocking various types of intrusion attacks, such as IP spoofing, password guessing/cracking and other operating system service level attacks or operating system security deficiencies. In addition, they can provide some measure of protection against denial of service attacks, but the Firewall themselves may be vulnerable to these same attacks and shutting down the information flow through the Firewall can be equally destructive.


Firewalls cannot protect against "inside jobs". If the attacker gains access to the inside or "soft middle" of the network, the firewall provides very little protection. It may be able to track and log the attackers' activities which can be used in the future to learn what was done and how to better protect the network.


Firewalls also cannot protect against content level attacks. This means that they cannot completely filter or control what is being carried via electronic mail messages or inside downloaded programs. There are some tools that can provide the most rudimentary filtering to try to catch viruses, worms and e-mail bombs, but it is impossible to completely protect against these attacks with just a connectivity container. This is best accomplished with the use of the software/application container discussed later.


1.3.2 Encryption and Authentication

By combining encryption and authentication technologies with connectivity containment (Firewalls), it is possible to eliminate information interception. The eavesdropper will only see the encrypted data and therefore cannot capture usernames and passwords, thereby also preventing that type of intrusion attack. It is also possible to stop password eavesdropping by using authentication via digital tokens or one-time passwords. This method uses a challenge/response scenario, where the user is asked to prove who they are by answering with a "secret" that only they know. This is usually done by sending the user some data and asking them to encrypt or "sign" it using their digital signature. The strongest level of protection is created by encrypting all data sent from the user's system and decrypting it at the destination. This is know as "end-to-end" encryption and makes it virtually impossible to intercept the data at any place between the two systems.


Encryption also protects the user from the intruder making changes to information being sent. For example, if the user is sending payment information to a mail order house an intruder could modify the data to transfer the funds to their account rather than the account originally specified. Carried out on a large scale, it would be possible to divert huge sums to the attackers account.


1.3.3 Virtual Private/Secure Networks

Many companies are now implementing telecommuting and are becoming geographically dispersed. In order to have secure communications, these companies currently must use costly leased-lines. Firewalls facilitate the creation of Virtual Private Networks (VPN) and combining these with encryption will create Virtual Secure Networks (VSN). This technology allows users who are at different locations to communicate as though they are directly connected to each other while using the much less expensive public Internet to carry the data. Encryption is required so that attackers cannot intercept and/or change the data and the users' communications are still afforded the same level of security as with leased lines.


1.4 Software/Application Containment

Software or Application containment is similar to connectivity containment except that the perimeter surrounds only the single program or application rather than an entire network or system. This container is colloquially call the sandbox. The program is allowed to do whatever it wants within the sandbox, but in order for it to access or use anything outside the sandbox, the "parent" must be asked. Access is only granted if the request follows and meets the security policies. In this case, a security policy might be "programs loaded over the Internet are not allowed to read or write to local files or systems, but a program loaded from the local disk drive can access files on that disk." Any attempt to violate the security policies causes an alert to be signaled and applications determined to be inappropriate may be shut down.


The sandbox approach can provide security against content level attacks. Should a virus try to infect a system, alerts would be generated when the virus attempts to modify operating system files and the virus' attempted infection would be blocked.


1.4.1 Component

Components are re-usable software modules and systems that can range from an on-screen button to a complete application, such as a word processor. Each component is a software module that includes a specific programming interface and program logic that defines how that module will process data and user events sent to it. The key technologies that components provide are re-use and dynamic interconnection. These two technologies allow programmers to build very large and complex systems by combining simpler, already developed and well tested modules. A Programmer building a banking application can use a pre-written, tested and validated balance sheet module, rather than having to write a new program which very likely could contain bugs. This can save significant development, testing and maintenance time and dollars.


1.4.2 The "Sandbox"

The sandbox, just like the Firewall, implements a predefined security policy. This security policy, if well designed, will allow for the safe execution of downloaded programs and modules and will not compromise the security of the company. For example, some standard security policies might be:

* Only programs or modules loaded from the local system can read or write to files on the local system.

* No modules can write or change any operating system files.

* Execution of modules that do not bear the digital signature of the user's company will be disallowed

* Communication with any systems other than where this module was retrieved is prohibited.


The program is free to do whatever is needs to do with the data provided in the module and is only constrained when it tries to access data, systems or networks that are outside the security perimeter.


1.4.3 Digital Signatures

Digital signatures allow a receiver of a message to verify who sent the original message with non-repudiation, meaning that the sender cannot deny sending the message and that the message was received unchanged. Digital signatures use the properties of complex mathematical functions combining exponentiation and factoring very large numbers to create two "keys". The public key is available to everyone, while the private key is kept strictly to the user. When the user signs a message, program or module, he uses his private key. Anyone receiving that module can verify where it originated and that it wasn't changed before receipt.


By combining digital signatures with application containment it becomes possible to finely control the execution of programs and modules. Based upon the digital signature carried by the module the user can either allow or disallow the execution of that code. Only programs written by authors or companies that are trusted by the user will be loaded, thereby stopping viruses and intruders.


1.5 Conclusions

Deployment of security through containment, Firewalls and "the sandbox", and encryption can greatly improve the usability and functionality of current and future systems. By installing Firewalls with encryption and authentication most methods of attack can be eliminated and communications can be protected from eavesdropping. In addition, protection can be afforded to those systems that systems that are inherently insecure, such as MS-DOS and Windows. The use of application containment, as in Sun Microsystems JAVA security model, enables the sharing of pre-written applications without the security issues of rogue programs stealing corporate secrets or requesting funds transfers without the user's knowledge.