this point we first encounter a question in defining the boundaries for "network security," which also reflects on our definition of a network--are the HOST computers considered part of the "network"? In theory, one should answer this question with an unequivocal "yes" (e.g., the supracomputer notion of the quoted ESD report); but in practice, one must often segment the problem into data processing and data communication aspects due to the autonomous nature of the local computer centers, and/or the administrative separation of data processing and communication areas.

This investigation of computer network security is based on the following:

1. Both the data processing and communications functions will be considered as generally as possible,
2. The investigation will focus on the interface between the intermediate layer of equipment required when separately
3. The investigation will also consider the resulting impact
4. Globally-defined network security mechanisms should augment rather than replace local (individual HOST) mechanisms.

Aside from the "political" reasons (due to the autonomous HOSTs), augmentation rather than replacement also provides an evolutionary approach to network integration and to the development of centralized security mechanisms which can gradually assume more of the total security functions.

We are then faced with two questions: (1) what global security-related policies must be developed to ensure network security; and (2) by what global and/or local mechanisms can those policies be implemented?

The basic policy issues can be derived directly from our three-part definition of security:

1. Provide controlled access to resources. All requesters of network services must be identified
2. Provide controlled usage of these resources. Although this is primarily the responsibility of the HOST
3. Provide assurance that the desired level of protection is

Two related areas of networking policy relate to maintaining

These three basic policy issues will be discussed in detail in later sections of the report, as will various issues and tradeoffs related to the mechanisms which can be used to implement the policies. These considerations can be viewed in a top-down manner by first exploring the policy, administrative, and requirements issues, which then reflect downward into HOST-level mechanism issues. These, in turn, help to define the cryptographic-device-level issues, which then further define the issues related to the communications network. Each of the major levels forms a separate chapter of the report, so as to clearly separate the functions and tradeoffs within the separate mechanisms. For each of these levels, one must consider all of the categories from the definition of security: These general topics become the sub-chapter headings within each of the top-down layers.

This report will (1) define the critical issues and problems that relate to network security, (2) describe the various mechanisms which might implement the policies/solutions, and (3) discuss the tradeoffs which relate to these mechanisms at each of the various levels. The organization of the report is such that it can be separated into reasonably independent discussions of the policy and requirements, the global security control mechanisms, the distributed cryptographic mechanisms, and the communications network. Alternatively, the issues related to the individual topics of authentication, authorization, etc. can be separated by selecting the appropriate sub-chapters, e.g., sections 2.1, 3.1, 4.1, and 5.1 for authentication issues. However, it is recommended that the document be considered in its entirety, since even the individual, separable aspects should be viewed within the scope of the overall networking problems.

2. NETWORK SECURITY POLICY AND REQUIREMENTS ISSUES

The network security problem, like all security problems, exists because hostile elements would "misuse" certain valuable resources if given an opportunity. The nature of these hostile elements and of the resources to be protected leads to the development of appropriate policy issues and system requirements which, when implemented by security mechanisms, lead to some prescribed level of protection. This protection can never be absolute, and does not necessarily apply beyond some predefined set of threats. We assume for this investigation that the nature of the hostile elements

Many network security issues are straightforward extensions of those of any multi-user, resource-sharing computer, while others are unique to the multi-system environment of a network. These unique problems are the primary concern of this investigation, but in the interest of completeness we shall also briefly describe the general problems. Similarly, other issues must be addressed if a secure network (or any network) is to be viable; for example, the concern for the user-to-network interface. These non-security issues will be discussed for areas which have been problems for other networks. Certain matters under discussion must remain as generally open issues*, since adequate solutions have not yet been defined (particularly in the areas related to heterogeneous systems). Where possible, we will recommend some action to close these issues, at least within a particular network environment.

* As a prime example of the open-endedness of many critical issues, consider the attributes of "security" itself, e.g., how can one quantitatively express the adequacy of a given approach to security.

If a network is to provide controlled access of requestors to resources,

• Authentication of persons and devices
• Process and HOST level authentication
• Distributed versus centralized authentication checking
• N-th party authentication

2.1.1 Authentication Of Persons And Devices

All entities which can affect security must be uniquely identified and authenticated. In the most straightforward case, an entity would have a globally unique name and an appropriate authenticator. More complex situations arise for "composite entities" and environment-dependent entities. An example of the former is the attachment of an authentication device to a terminal. If such a device is non-forgeable, non-removable, and is otherwise adequately protected with physical and procedural controls,
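The composite-entity case described above (a person at a terminal with an attached authentication device), together with the earlier principle that a global check augments rather than replaces the HOST's local mechanism, modelled as an added example; this is illustrative code, not from the report, and the entity names, secrets, terminal-to-device binding and the HMAC challenge/response scheme are all assumptions:

```python
import hashlib
import hmac

# Constructed registry: every entity that can affect security has a globally
# unique name and a secret that serves as its authenticator (assumed scheme:
# one shared symmetric key per entity, proven by an HMAC over a challenge).
REGISTRY = {
    "person:jsmith": b"constructed-person-secret",
    "device:auth-unit-7": b"constructed-device-secret",
    "host:HOST-A": b"constructed-host-secret",
}

# Constructed binding: which authentication device is attached to which terminal.
TERMINAL_DEVICE = {"terminal:T-12": "device:auth-unit-7"}

# Constructed local (per-HOST) access list that the global check augments.
HOST_LOCAL_ACCESS = {"host:HOST-A": {"person:jsmith"}}


def respond(name, challenge):
    """Response an entity holding the secret for `name` computes for a challenge."""
    return hmac.new(REGISTRY[name], challenge, hashlib.sha256).digest()


def authenticate(name, challenge, response):
    """Single entity: the name must be registered and the response must match."""
    secret = REGISTRY.get(name)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate_composite(person, terminal, challenge, person_resp, device_resp):
    """Composite entity: a person at a terminal with an attached device.
    Both components must authenticate, and the device must be the one bound
    to that terminal, so a valid device response at the wrong terminal fails."""
    device = TERMINAL_DEVICE.get(terminal)
    if device is None:
        return False
    return (authenticate(person, challenge, person_resp)
            and authenticate(device, challenge, device_resp))


def grant_access(person, terminal, host, challenge, person_resp, device_resp):
    """Global network check first, then the HOST's own local check (augmentation)."""
    if not authenticate_composite(person, terminal, challenge, person_resp, device_resp):
        return False
    return person in HOST_LOCAL_ACCESS.get(host, set())
```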