
5. NETWORK SECURITY AT THE COMMUNICATIONS NET LEVEL

In our introduction, we stressed that "the security problem of computer networking is not a communications problem, but another more sophisticated instance of multi-level computer operating system security" (quoted from Anderson AND-72).

This was not intended to imply that there are no communications-related concerns at all, but rather that the major emphasis and concern should be placed at the higher levels of the network design. Having covered these higher level issues in earlier sections of the report, we will conclude with a "bottom-up" view as seen by the communications net, and will discuss the security-related aspects of this lowest level.

Our analysis was intended to cover a wide range of network architectures, although we have emphasized message-switching because of the increasing acceptance that it provides the best balance of availability, data rate, response time, error recovery and cost. The benefits (and limitations) of message-switching relative to other network communications technologies can be seen by considering their architectural differences. These differences manifest themselves along a number of dimensions, so that the variations observed depend on the point of view, or dimension, being examined. For our purposes in evaluating communications net security, we will consider the two major axes of the architecture shown in Table 5-1. One axis lists the basic generic technologies: dedicated (point-to-point), circuit-switched, message-switched, and broadcast nets. This axis emphasizes the structural aspects of the net, while the second axis covers the operational aspects of resource allocation, control, addressing, and fault recovery.

Since any selected communications net would be carrying data already enciphered by the end-to-end protection scheme, the confidentiality of the traffic does not rest on the net itself, and the security vulnerabilities of concern tend to be primarily in the area of denial of service. Such threats might arise via any of the operational aspects listed in Table 5-1, e.g., by modifying message addresses, by introducing line faults, or by exploiting flaws in the control structure; they will be considered in more detail in Section 5.7.

In the following sections, we will consider the issues related to authentication, authorization, etc. following the same structure as in earlier volumes, even though some of these categories do not apply to the communications net to any significant extent.

A common practice of authentication in the commercial environment is to utilize the "call back" scheme, in which the caller identifies himself, hangs up, and waits for the called party to call him back. This authentication rests entirely on the correspondence between telephone numbers and physical locations, and provides little additional authentication beyond that of the ICD's, etc. The use of "call back" also requires that the telecommunications equipment have the necessary hardware to place (as well as receive) calls. This additional unit tends to be expensive (about $25/month rental for the Bell System model 801 unit for each such modem). Multiplexing this equipment is possible, as performed on the MERIT net (AUR-73), but may not be available in all localities. Automatic call placement equipment may be required for other operational reasons, but should not be considered an authentication mechanism per se, since it would provide minimal security (and might give the operation a false sense of security).

One of the concerns related to denial of service is that malicious users might try to "tie up" all of the incoming ports of a network resource. For a direct-dial network, this would involve making N calls, where N is the number of modems at the resource, and then trying to keep each such dialog open for as long as possible, e.g., by apparently slow typing of an identifier. The ICD-level test, which uses an echoed message to establish that the two ends can communicate in enciphered form, can provide a rapid, user-independent mechanism that ensures such input-port hogging is minimized: a caller that cannot complete the echo test within a short, fixed interval is disconnected without any operator involvement.
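To make the port-hogging threat and the echo-test countermeasure concrete, the following Python simulation is added here as an illustration; it is not code from the report. The pool size, the call timings, and the HMAC challenge/response that stands in for "echoing a message in enciphered form" are all assumptions; the traffic it runs over is constructed. It serves the same callers twice, once with a pool that waits indefinitely for an identifier and once with a five-second echo-test deadline, and returns how many legitimate ICDs were served or refused in each case.

```python
"""Port hogging against a dial-up pool, with and without an ICD-level echo test.

Added illustration, not code from the report: the pool size, the call
timings and the HMAC challenge/response standing in for "echoing a message
in enciphered form" are all assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed working key shared by the pool and its legitimate ICDs.
POOL_KEY = bytes(range(32))


def echo_challenge() -> bytes:
    """Nonce the pool sends the moment a line is answered."""
    return secrets.token_bytes(16)


def echo_response(working_key: bytes, nonce: bytes) -> bytes:
    """Caller's proof that it holds the working key (the 'enciphered echo')."""
    return hmac.new(working_key, nonce, hashlib.sha256).digest()


def echo_verify(working_key: bytes, nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(echo_response(working_key, nonce), response)


@dataclass
class Caller:
    arrival_s: float           # when the call reaches the pool
    hold_s: float              # how long the caller keeps the line once admitted
    key: Optional[bytes]       # working key, or None for a caller without one
    response_delay_s: float    # time until the caller answers the echo challenge


def run_pool(callers: List[Caller], n_ports: int, pool_key: bytes,
             deadline_s: Optional[float] = None) -> Tuple[int, int]:
    """Serve callers in arrival order on n_ports identical dial-in lines.

    deadline_s=None models a pool that waits indefinitely for an identifier,
    so a line is held until the caller hangs up.  With a deadline, a line is
    released unless a valid echo response arrives within deadline_s.
    Returns (served, refused), counted over callers holding the pool key.
    """
    busy_until = [0.0] * n_ports
    served = refused = 0
    for c in sorted(callers, key=lambda c: c.arrival_s):
        genuine = c.key == pool_key
        free = [i for i, t in enumerate(busy_until) if t <= c.arrival_s]
        if not free:
            refused += genuine          # every line busy: the call is not answered
            continue
        port = free[0]
        if deadline_s is None:
            busy_until[port] = c.arrival_s + c.hold_s
            served += genuine
            continue
        nonce = echo_challenge()
        answered = (
            c.key is not None
            and c.response_delay_s <= deadline_s
            and echo_verify(pool_key, nonce, echo_response(c.key, nonce))
        )
        if answered:
            busy_until[port] = c.arrival_s + c.hold_s
            served += genuine
        else:
            busy_until[port] = c.arrival_s + deadline_s   # line dropped at the deadline
            refused += genuine
    return served, refused


def scenario() -> List[Caller]:
    """Constructed traffic: four hostile callers try to tie up all four lines
    by never completing the dialogue, then six legitimate ICDs call in."""
    hostile = [Caller(arrival_s=t, hold_s=600.0, key=None, response_delay_s=600.0)
               for t in (0.0, 1.0, 2.0, 3.0)]
    genuine = [Caller(arrival_s=10.0 * k, hold_s=30.0, key=POOL_KEY,
                      response_delay_s=0.2) for k in range(1, 7)]
    return hostile + genuine


if __name__ == "__main__":
    print("no echo test  :", run_pool(scenario(), 4, POOL_KEY))
    print("5 s echo test :", run_pool(scenario(), 4, POOL_KEY, deadline_s=5.0))
```

Without the deadline the four hostile calls hold all four lines for ten minutes and every legitimate caller is refused; with the deadline each hostile line is released after five seconds and all six legitimate callers are served. A caller holding the wrong key is dropped just as a silent one is, so the check does not depend on how fast anyone types.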

Little, if any, authorization checking can be performed at the communications net level, except to implement certain least-privilege limitations. For example, if automatic dialing equipment were to be utilized, only the telephone numbers of authorized connections should be loaded into it. Such measures should be considered rather weak firewalls, and would provide value only against accident-induced security flaws, not against a deliberate attacker.

5.3 ACCESS CONTROL; ESTABLISHMENT OF A CONNECTION

A requesting device (terminal, HOST, etc.) initially connects to the SC by addressing a "HELLO/id" message to it as discussed in Section 4. This initial connection is via the communications net, e.g., by dialing the phone number of the SC or by addressing a store-and-forward message to it, depending on the communications net technology.* The considerations involved in this process are primarily operational, e.g., the time required for dialing, the cost and physical limitations of multiple input ports as opposed to multiplexing a single port, and the bandwidth required for the requestor-to-SC dialog. Considerations such as these will be discussed in the following paragraphs.

Addressing the initial connection message to the SC would be via either a direct dial or an explicitly addressed message. The dialing time would be of the order of 20 seconds, which is small compared to the estimated total dialog between a requesting person and the SC (about one minute), but would be long compared to that of an automated (e.g., HOST computer) dialog.

The SC could receive incoming requests via a set of physical ports or one multiplexed port, depending on the communications net. Earlier estimates indicated the need to service of the order of 50 simultaneous requestors, which would result in considerable expense for telephone modems at the SC (e.g., $1000 per month based on 50 modems at $20/month each). A lesser number of automatic call modems would be required for SC-initiated connections (e.g., to another SC).

Only the direct dial net requires that physically separate input ports be provided for each active user, since all other schemes perform message multiplexing, at some additional complexity within the SC.

*The dedicated (point-to-point) net is not considered further since it is not viable for the dynamic nature of requestor-to-SC and requestor-to-resource connections.

The requestor-to-SC dialog tends to involve relatively little information flow, and therefore is not affected appreciably by utilizing data rates above those provided by standard voice-grade communications. Only certain authentication methods (such as sending fingerprint scan data) would change this observation to any significant extent. Therefore, the available bandwidth will be only a minor factor in selecting the requestor-to-SC communications.

The manner in which the SC (master ICD) would distribute the working keys to the ICD's is highly dependent on the network technology used. For a direct dial net, either the relay or priming methods could be utilized with the following considerations affecting the decision.

Use of the relay scheme: If the SC (master ICD) is to relay a connection message via a direct dial ICD, it must first send the message to the requesting ICD, at which time the connection to the SC would be broken and a new direct dial connection would be made to the resource. This requires that the requesting device be able to accept a telephone number sent from the SC and to then call this number (preferably automatically). The same requirements apply for relay messages via the resource.

For a message-switching net, the key distribution is simplified to that of addressing a control message to the two ICD's, via either the relay or priming scheme.
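The two distribution flows described above, the relay scheme over a direct dial net and the priming scheme over a message-switching net, are shown side by side in the following Python example. It is added here as an illustration and is not the report's protocol: the control-message layout, the HMAC-based wrapping of the working key under each ICD's long-term key, and the ICD names and telephone numbers are all assumptions. In the relay case a single message goes to the requesting ICD carrying its own wrapped copy, the resource's telephone number, and a second wrapped copy that only the resource can open, so the requester can forward it over the new line without learning anything it does not already hold; in the priming case the SC addresses one control message to each ICD directly.

```python
"""Working-key distribution from the SC (master ICD) by the relay and the
priming schemes.

Added illustration, not the report's protocol: the message layout, the
HMAC-based key wrapping, and the ICD names and telephone numbers are assumed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

KEY_LEN = 32


def wrap_key(long_term: bytes, working: bytes) -> bytes:
    """Encrypt-then-MAC the working key under an ICD's long-term key.

    Illustrative construction (HMAC-derived keystream plus an HMAC tag);
    a production system would use a standard AEAD or key-wrap algorithm.
    """
    assert len(working) == KEY_LEN
    nonce = secrets.token_bytes(16)
    pad = hmac.new(long_term, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(working, pad))
    tag = hmac.new(long_term, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(long_term: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then recover the working key."""
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expect = hmac.new(long_term, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrapped key failed authentication")
    pad = hmac.new(long_term, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


def can_read(long_term: bytes, blob: bytes) -> bool:
    """True if the blob authenticates under this long-term key."""
    try:
        unwrap_key(long_term, blob)
        return True
    except ValueError:
        return False


class ICD:
    def __init__(self, name: str, long_term: bytes):
        self.name, self.long_term = name, long_term
        self.working: Optional[bytes] = None

    def install(self, control: Dict) -> None:
        """Accept a control message; only a copy wrapped for this ICD verifies."""
        if control["to"] != self.name:
            raise ValueError(f"{self.name}: message addressed to {control['to']}")
        self.working = unwrap_key(self.long_term, control["key"])


class MasterICD:
    """The SC in its key-distribution role: holds every ICD's long-term key."""

    def __init__(self, long_term_keys: Dict[str, bytes], phone_book: Dict[str, str]):
        self.lt, self.phone_book = long_term_keys, phone_book

    def relay_message(self, requester: str, resource: str) -> Dict:
        """Relay scheme: one message to the requester carrying both wrapped copies."""
        wk = secrets.token_bytes(KEY_LEN)
        return {
            "to": requester,
            "key": wrap_key(self.lt[requester], wk),
            "dial": self.phone_book[resource],                        # number to call next
            "forward": {"to": resource, "key": wrap_key(self.lt[resource], wk)},
        }

    def priming_messages(self, requester: str, resource: str) -> List[Dict]:
        """Priming scheme: one control message addressed to each ICD."""
        wk = secrets.token_bytes(KEY_LEN)
        return [{"to": n, "key": wrap_key(self.lt[n], wk)} for n in (requester, resource)]


def run_relay(sc: MasterICD, requester: ICD, resource: ICD) -> str:
    """Direct dial relay: the SC line is dropped, the requester dials the
    resource and hands over the resource's wrapped copy.  Returns the number dialled."""
    msg = sc.relay_message(requester.name, resource.name)
    requester.install(msg)
    resource.install(msg["forward"])      # delivered over the newly dialled connection
    return msg["dial"]


def run_priming(sc: MasterICD, requester: ICD, resource: ICD) -> int:
    """Message-switched priming: the SC addresses each ICD directly."""
    by_name = {requester.name: requester, resource.name: resource}
    msgs = sc.priming_messages(requester.name, resource.name)
    for m in msgs:
        by_name[m["to"]].install(m)
    return len(msgs)


def demo():
    # Constructed long-term keys and a one-entry phone book.
    lt = {"term-A": bytes([1]) * KEY_LEN, "host-B": bytes([2]) * KEY_LEN}
    sc = MasterICD(lt, {"host-B": "555-0102"})
    a, b = ICD("term-A", lt["term-A"]), ICD("host-B", lt["host-B"])
    dialled = run_relay(sc, a, b)
    a2, b2 = ICD("term-A", lt["term-A"]), ICD("host-B", lt["host-B"])
    run_priming(sc, a2, b2)
    return dialled, a.working == b.working, a2.working == b2.working


if __name__ == "__main__":
    print(demo())
```

In both schemes the two ICDs finish holding the same working key, and the relaying ICD cannot open the copy it forwards, which is what allows the relay to go through an untrusted intermediate line at all. The same holds when the message is relayed via the resource instead, since the roles in `relay_message` are symmetric.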
