The current, widespread use of computer networks has led to increased concerns about security. This paper deals with network security in general, and concentrates on corporate networks in particular. A method to develop security concepts for corporate networks is introduced, and stepwise refined.
It is assumed that the reader of this paper is familiar with the fundamentals of computer networks, open systems, and OSI networks. A computer network consists of interconnected computer systems that are either closed or open. Closed systems are proprietary and are usually able to communicate only with systems of the same manufacturer. Open systems use standardized protocols to provide standardized services and are therefore free to communicate with other open systems, forming an OSI network (Open Systems Interconnection). OSI standards are developed by the Joint Technical Committee 1 (JTC1) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Corporate networks use public services to interconnect geographically distributed local area networks and private branch exchanges. Public services are offered in wide area networks; examples are leased lines, circuit switched lines, and services that are provided in packet switched data networks.
A security concept is needed to make a corporate network reasonably secure. A method to develop security concepts for corporate networks is introduced in this paper. The paper is organized as follows: possible attacks are outlined in section two. The method is briefly described in section three and stepwise refined in sections four and five. Conclusions are drawn in section six.
Attacks threaten the security (confidentiality, integrity, and availability) of corporate networks and of the data stored or transmitted within them. Passive attacks, which only observe transmitted data, and active attacks, which modify, insert, replay or delete data, are to be distinguished:
A corporate network is said to be secure if it is able to withstand passive and active attacks. This goal is hard to reach, not only because of the large size of a corporate network, but also because of its heterogeneity: computer systems from different manufacturers, possibly running different operating systems, communication software and application software, may all be interconnected in one corporate network. Gateways may exist to public networks and to other corporate networks.
A corporate network provider has to develop several alternative security concepts for the network. The choice of an appropriate concept is left to top management, which has to take the responsibility for it. A method is needed to develop such security concepts; one possibility is introduced in the next section.
A method to develop different security concepts for a corporate network can be based on a layered approach.
At the top level, a security policy has to be defined for every security concept. Based on this security policy, on knowledge of the actual situation, and on the possible forms of attack, a set of security services has to be derived. This step is indicated with (1) in the figure above. Possible security services are authentication, confidentiality, integrity, non-repudiation, and access control services. Security mechanisms have to be studied or developed for every security service that a policy requires. This step is indicated with (2) in the figure above. Security mechanisms need to be simple, cost-efficient, and secure. Moreover, they have to be exchangeable: whenever better mechanisms are found or developed, the existing ones must be replaced.
Security services and mechanisms are discussed in the following sections. The terminology of the OSI security architecture (ISO 7498-2) is used for this discussion. The use of this terminology does not imply that the method can only be applied to corporate networks that follow OSI standards; other security services and mechanisms can be used in addition or instead.
The OSI security architecture enumerates five classes of security services:
Authentication services verify the identities of entities, either of peer entities or of data origins. Data confidentiality and data integrity services protect the confidentiality and integrity of data in transmission; they counter passive and active attacks, respectively. There are connection and connectionless variants of the data confidentiality and data integrity services, and protection can also be restricted to selected fields within the data units. A traffic flow confidentiality service counters traffic analysis attacks. Connection integrity services can be provided with or without recovery. In some cases it may be vital for the receiver (sender) to prove that data were sent (received) by the stated originator (intended recipient); non-repudiation services serve this purpose. Finally, access control services prevent entities from accessing and using OSI resources in an unauthorized way.
Authentication, data confidentiality, and data integrity services represent orthogonal security functions, whereas non-repudiation is a stronger form of authentication: the proof of origin or of delivery can be presented to a third party. Access control services are only loosely related to the other security services. Authentication services are fundamental. Although confidentiality, integrity, and non-repudiation services build on authentication services, they can be offered independently of one another in order to raise the overall level of security. Access control services can be left to application processes; they need not be offered by the corporate network itself.
Security mechanisms are used to provide security services. The OSI security architecture enumerates eight classes of specific security mechanisms: encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control, and notarization.
The OSI security architecture has been extended by a multi-part standard known as the Open Systems Security Frameworks. Each security framework addresses, at a general level, one specific topic. A working group of JTC1 is also dealing with the management aspects of OSI security.
A method to develop security concepts for corporate networks has been outlined in this paper. The method follows a layered approach: at the top level, a security policy has to be defined for every security concept. Based on this policy, different security services and the corresponding mechanisms can be evaluated.
Authentication services are fundamental for any network; without authentication, any discussion of further security services is pointless. A lot of research is currently being done on authentication and key distribution systems. Examples are Kerberos from MIT, NetSP (formerly KryptoKnight) from IBM, SPX from DEC, and TESS from the European Institute for System Security (E.I.S.S.). A Kerberos-like authentication system has been chosen by the Open Software Foundation (OSF) for its Distributed Computing Environment (DCE). Based on the key distribution functionality of an authentication system, data confidentiality, integrity, and non-repudiation services can be added in a straightforward way.
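The following Python program is an added illustration of the point made in this section and in the discussion of the OSI services above (authentication as the foundation, with confidentiality and integrity services layered on top of the session key a key distribution system hands out). It is not code from Kerberos, NetSP, SPX, TESS or DCE, and it is not part of the original paper. A trusted key distribution centre (KDC) sharing a long-term key with each principal issues a session key and a ticket, the client proves possession of the session key with an authenticator, the server proves it back (mutual authentication), and application data are then sealed with keys derived from the session key. The principal names, the 300-second ticket lifetime, the 60-second clock skew and the message are constructed for the example; the stream cipher is a toy PRF-in-counter-mode construction chosen only so the program runs with the standard library, and a real deployment would use a standard authenticated cipher instead.

```python
"""Kerberos-style key distribution with derived confidentiality and integrity keys.
Illustrative example only (standard library, no real cipher)."""
import hashlib
import hmac
import json
import os
import struct
import time


def prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a pseudo-random function, used for key derivation and keystream."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF (toy stream cipher, not a standard algorithm)."""
    blocks = [prf(key, nonce + struct.pack(">I", i)) for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity: encrypt-then-MAC under two keys derived from `key`."""
    enc_key, mac_key = prf(key, b"confidentiality"), prf(key, b"integrity")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so any modification (active attack) is rejected."""
    enc_key, mac_key = prf(key, b"confidentiality"), prf(key, b"integrity")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class KDC:
    """Trusted third party that shares a long-term key with every principal."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def issue(self, client: str, server: str, now: float) -> bytes:
        session = os.urandom(32)
        # Ticket: readable only by the server, names the client, carries the session key.
        ticket = seal(self.keys[server], json.dumps(
            {"client": client, "key": session.hex(), "exp": now + 300}).encode())
        # Reply: readable only by the client; carries session key and opaque ticket.
        return seal(self.keys[client], json.dumps(
            {"server": server, "key": session.hex(), "ticket": ticket.hex()}).encode())


class Server:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.seen = set()  # authenticators already accepted (replay defence)

    def accept(self, ticket: bytes, authenticator: bytes, now: float):
        t = json.loads(unseal(self.key, ticket))
        if t["exp"] < now:
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["key"])
        a = json.loads(unseal(session, authenticator))  # proves client holds the session key
        if a["client"] != t["client"] or abs(a["ts"] - now) > 60:
            raise ValueError("authenticator rejected")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        # Mutual authentication: answer ts+1 under the session key, proving the server holds it too.
        return session, seal(session, json.dumps({"ts": a["ts"] + 1}).encode())


def run_exchange(now: float = None):
    """Full exchange; returns (plaintext received, tampering detected, replay refused)."""
    now = time.time() if now is None else now
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}  # constructed principals
    kdc, server = KDC(keys), Server("fileserver", keys["fileserver"])
    # 1. Client obtains session key and ticket, decrypting the reply with its own key.
    reply = json.loads(unseal(keys["alice"], kdc.issue("alice", "fileserver", now)))
    session, ticket = bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])
    # 2. Client presents ticket + authenticator; server answers with ts+1.
    auth = seal(session, json.dumps({"client": "alice", "ts": now}).encode())
    srv_session, srv_reply = server.accept(ticket, auth, now)
    if json.loads(unseal(session, srv_reply))["ts"] != now + 1:
        raise ValueError("server failed mutual authentication")
    # 3. Application data protected with the session key (confidentiality + integrity).
    msg = seal(session, b"transfer 100 CHF to account 42")  # constructed message
    received = unseal(srv_session, msg)
    # Flipping one ciphertext bit (active attack) must be detected, not silently accepted.
    tampered = msg[:20] + bytes([msg[20] ^ 0x01]) + msg[21:]
    try:
        unseal(srv_session, tampered)
        detected = False
    except ValueError:
        detected = True
    # Replaying the captured authenticator must be refused.
    try:
        server.accept(ticket, auth, now)
        replay_refused = False
    except ValueError:
        replay_refused = True
    return received, detected, replay_refused


if __name__ == "__main__":
    print(run_exchange())
```

Note what the example does not show: non-repudiation. With only a symmetric session key, both parties can compute the same tag, so neither can prove to a third party who produced a message; that service needs a digital signature or a notary, both of which appear among the OSI security mechanisms. Traffic flow confidentiality is also absent, since message lengths and timing are visible to an eavesdropper.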
With regard to a corporate network that is currently being built for the Swiss federal administration, the authentication and key distribution systems available today are being considered and evaluated by the Institute for Computer Science and Applied Mathematics (IAM) of the University of Berne and the information security section of the Swiss Federal Office of Information Technology and Systems (BFI).
The authors would like to express their thanks to Mr. P. Trachsel and Mr. M. Frauenknecht from the Swiss Federal Office of Information Technology and Systems (BFI) for their support and encouragement.