
NTPG: Chapter 9

Network Technology Planning Guide (NTPG) - Security and Authentication.
Introduction

One of the most important aspects of creating a network is securing the applications and the data they contain. Securing networked resources means preventing unauthorized access to the networked systems and resources, whether the threat comes from users sitting in front of systems on your own network or from remote systems and the users seated at them. This chapter of the Planning Guide addresses techniques and technologies that help secure your networked applications and data. The solutions discussed begin with a review of the simplest and most straightforward protection methods and end with an overview of the more state-of-the-art techniques available today.

The task of securing your networked resources from unauthorized access may seem daunting to the prospective network developer. However, we want to emphasize that network security issues are dealt with effectively every second of every day. As with the other aspects of network planning discussed in this Guide, network security can be planned for, prepared for, and integrated into your overall network plan so that you avoid the vast majority of problems before they occur.

There are three primary elements to consider when securing computer networks that manage school records and financial data and allow Internet access to and from the classroom. The first is to prevent unauthorized access to the systems on your network; this is accomplished primarily through user education and effective use of passwords. Second, it is important to go a step further and take measures to protect the information on your systems, both as it resides on them and as it traverses the network; this is done primarily through system and network configuration methods and encryption products. Finally, authentication schemes are a critical element of the ongoing protection of your applications and data.

Preventing Unauthorized Access to Networked Systems

Most unauthorized access to network resources stems simply from users' lack of awareness of the issues involved in keeping networked resources secure. To eliminate these avoidable breaches, users must be made aware of what security is and how their actions may deliberately or inadvertently contribute to problems. We cannot emphasize strongly enough that education regarding security issues should begin as soon as access to the network is granted, not after a problem has occurred.

User Education

Network security education should begin with a general discussion of the interdependence of all users on the system and the ethical/moral obligation each user has to protect the system. Second, clear definitions should be provided to users explaining the differences between those resources that are publicly available and those that are proprietary. Third, user education should strongly emphasize the legal aspects of security. The penalties for illegal or unauthorized access to resources available through the Internet or any other network should be clearly defined, and users should be made aware (regardless of their ages) that these penalties will be enforced. Examples of acceptable use agreements between users (teachers, students, and parents) and the network administrator are provided in Appendix E -- Acceptable Use Policies.

Passwords

Another important aspect of security education is explaining to users the role played by passwords (both for their accounts and for other restricted resources on the network). A surprising number of security breaches result from poor password selection and control. Adequate password security includes consideration of the following:

  • Users should be instructed never to give their passwords to others (no matter how tempting it may be in order to demonstrate how wonderful access to the network is).
  • Users should be asked to select passwords that are random in nature rather than easy-to-remember ones such as a partner's or spouse's name, a child's name, anniversary dates, and others that are easy to guess. Selecting nonsense passwords containing capitalization, punctuation, and digits (e.g., 2guD-4u) can help prevent "guesswork" break-ins and dictionary attacks, in which the hacker tries all the words in a special dictionary.
  • New user accounts are often established with a default password. Each new user should be required to change this password upon first logging in; if this is not required, many users will keep the default password indefinitely, giving easy access to anyone who has already seen it. (Assigning initial cryptic passwords may be a solution, but it is often considered bad security for even the system administrator to know user passwords.) Network servers should be configured so that users are required to change their passwords on a regular basis (e.g., every three or six months).

Protection of Networked Information

Protecting access to sensitive information on a network takes on a more critical nature as many districts and counties integrate their administrative and instructional networks. Many districts and counties have networks in place that transfer school administrative and financial data among geographically separated offices. By connecting the Internet server to these existing networks, the bandwidth on the administrative network can be shared and used to transport instructional materials to the classroom. Because approximately 80% of the costs associated with owning a network are the recurring monthly circuit costs, sharing bandwidth is highly desirable. Nonetheless, it does introduce greater security risks to the data on the networks and requires judicious attention to preventing unauthorized access to the educational community's highly sensitive administrative data.

The primary issue when protecting networked information is preventing unauthorized access to data and user accounts. Whether the potential threat originates from a user at a system physically located on your network or from a user sitting at a remote system, there are measures that can be taken to minimize the likelihood of a "break-in":

  • Establishing user access privileges;
  • Creating a "Firewall"; and
  • Utilizing encryption software.

Establishing User Access Privileges

One step toward protecting systems is to compartmentalize user access to applications and data stored on networked computer systems (e.g., protecting users from one another so that one user cannot damage the applications or data of another). Most multi-user systems allow restrictions to be placed on individual files and applications, and these restrictions can allow various levels of access. For example, one restriction might specify that a select number of users have the right to modify a file, other users can only read it, and others are prevented from even reading its text. A system administrator who ensures that access privileges are properly set has taken a major step toward preventing unauthorized access to files and data.

Creating a "Firewall"

Physically configuring the network in a manner that restricts access is a popular way to protect sensitive data on a network. This is typically accomplished with a dedicated router that functions as what is referred to as a packet filtering "firewall." The firewall router acts as a trap door, permitting only desired traffic (e.g., requests from known systems) to cross while discarding undesired traffic (e.g., packets from a hacker trying to gain access). A firewall can make it appear that your internal users have virtually unlimited access to the Internet and its resources while making your network appear to be a "black hole" to undesired or unauthorized hosts on the Internet.

A packet filtering firewall first examines the source and destination addresses and the program information in each packet. It then applies a set of rules created by the network administrator; these rules determine which packets may be passed on to the network and which should be discarded. It is possible to create a set of filter rules that permit general access only to specific systems while allowing other, predetermined sites greater or lesser access. It is also possible to create filter rules that allow users within an organization's network essentially full access to the greater Internet while preventing hosts out on the Internet from having any access back into the organization's network.

Normally the firewall will allow mail and news to flow in a controlled fashion into the systems on the protected network. It will also allow general requests for service (e.g., requests for a file transfer or a terminal session) to flow from the systems on the protected network, but not in the other direction. In this manner the firewall is almost analogous to a one-way mirror: the internal users can see out, but the external users (and hackers) cannot see in.
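
As an added illustration (not part of the Guide), the "one-way mirror" rule set described above modelled as a small first-match packet filter in Python. The rule layout, port numbers, the known administrative host, and the sample packets and addresses are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (Internet -> protected network) or "out"
    proto: str         # "tcp" or "udp"
    src: str           # source address
    dst: str           # destination address
    dport: int         # destination port identifies the service ("program")
    ack: bool = False  # TCP ACK flag set: packet belongs to an existing session

# Rule fields: direction, proto, src, dport, require_ack, action.
# None matches anything; first match wins; unmatched packets are discarded.
RULES = [
    ("in",  "tcp", None,           25,   False, "permit"),  # inbound mail (SMTP)
    ("in",  "tcp", None,           119,  False, "permit"),  # inbound news (NNTP)
    ("in",  "tcp", "198.51.100.5", 23,   False, "permit"),  # terminal session from one known host
    ("in",  "tcp", None,           None, True,  "permit"),  # replies to sessions opened from inside (stateful firewalls track sessions instead of trusting ACK)
    ("in",  None,  None,           None, False, "deny"),    # every other request from the Internet
    ("out", None,  None,           None, False, "permit"),  # internal users may see out freely
]

def decide(pkt: Packet, rules=RULES) -> str:
    """First-match evaluation; returns 'permit' or 'deny' (default deny)."""
    for direction, proto, src, dport, require_ack, action in rules:
        if direction != pkt.direction or (proto and proto != pkt.proto):
            continue
        if (src and src != pkt.src) or (dport and dport != pkt.dport):
            continue
        if require_ack and not pkt.ack:
            continue
        return action
    return "deny"  # nothing matched: fail closed

# Constructed sample traffic (documentation-range addresses).
SAMPLE = {
    "inbound mail":      Packet("in",  "tcp", "203.0.113.7",  "192.0.2.10", 25),
    "inbound telnet":    Packet("in",  "tcp", "203.0.113.7",  "192.0.2.10", 23),
    "known-host telnet": Packet("in",  "tcp", "198.51.100.5", "192.0.2.10", 23),
    "outbound ftp":      Packet("out", "tcp", "192.0.2.10",   "203.0.113.7", 21),
    "ftp reply":         Packet("in",  "tcp", "203.0.113.7",  "192.0.2.10", 1040, ack=True),
}

def decisions() -> dict:
    return {name: decide(p) for name, p in SAMPLE.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:18} -> {verdict}")
```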

In addition to controlling access, the firewall can provide extra security for sensitive data. Because the firewall can identify the hosts and applications to which a packet belongs, it can provide additional security through encryption. The firewall can in essence say, "If the packet is from application X on machine A and is going to machine B, the information is sensitive and should be encrypted." The encrypted packet is decrypted by the firewall once it reaches its destination. Using this feature, sensitive information, such as student records, financial data, or personnel data, can travel over the network and remain secure even if intercepted.

Utilizing Encryption Software

The solution most often offered to ensure the privacy of information is encryption. Encryption scrambles data using an algorithm embedded in hardware or software. The information passes through the network in this encrypted form and is decrypted by a similar mechanism once it arrives at its designated destination.

Encryption standards have existed since the mid 1970s and are widely available and used throughout the data communications industry. While encryption products do offer a high level of protection against data being monitored as it is transported through the network, their implementation raises financial, maintenance, and performance issues. Some encryption schemes can prove quite costly, especially in light of the opportunity costs involved in implementing networks in schools. For example, a school might find itself choosing between allocating budget to a sophisticated encryption product or to higher bandwidth connectivity or systems in the classroom. The trade-offs must be weighed seriously, as both investments are extremely worthwhile.

Authentication Software

Authentication offers a unique solution to securing network resources in that it provides a highly dynamic, and therefore harder to breach, mechanism for authorizing access to networked resources. When an authentication system is employed, every attempt to access a networked resource is verified as authentic. Every system and/or application must verify that the user or remote application is indeed who he/she/it claims to be upon each request for a service or data. This is done as the system/application generates and transmits a random challenge that the requesting system/application must properly answer.

Authentication schemes may be implemented in many different ways. This section discusses two examples: one that may be embedded in client-server applications and another that is integrated into network protocol software. The first example is Kerberos, developed by the Massachusetts Institute of Technology's Athena Project. Kerberos allows applications to share information across a networked environment while ensuring that the integrity of the information is not compromised through unauthorized access. The second example, Challenge Handshake Authentication Protocol (CHAP), is embedded in network software and ensures that only certain machines on the network are allowed to access certain other machines. When looking to purchase or otherwise obtain new applications and protocols for your network, it is advisable to inquire whether an authentication scheme has been integrated into the application and, if not, what effort would be required to integrate one into the environment.

Kerberos

Kerberos works as systems and/or applications contact a Kerberos authentication server and exchange security information. The application/system must successfully authenticate itself to the authentication server: a client that wishes to request service from a server must first request a ticket, and the authentication server then challenges the request. If the application system can provide valid authentication information, it is issued the ticket, which the client then uses to request information and services across the network. As can be seen, this system is highly dynamic in that the application server does not need to know anything about the client in advance. However, the requesting application/server cannot proceed unless it can, upon request, validate its identity by responding to the Kerberos authentication server's challenge.

There are several advantages to the Kerberos system:

  • Any application may be adapted to use Kerberos authentication.
  • All the authentication information is maintained on one server, so administration is simple and straightforward.
  • Kerberos is available in source code form for free from MIT. Any application may be "Kerberized" without having to pay royalties to anyone.

Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) operates when a request for service is made. The authenticating system generates a large challenge that must be operated on by the requesting system and returned to the authenticating system. The challenge in this instance is a 128-bit sequence that the requesting system must combine mathematically with a "secret" and then send, in that treated form, back to the authenticating system.

The authenticating system then performs the same operation on the sequence and checks whether the returned value is the same as the one it just produced. If the two sequences match, the requesting system is granted access.

There are several advantages to this system:

  • The challenge/response combinations are never repeated, so capturing a challenge/response pair is useless;
  • The secret itself is never transmitted over the line, so it cannot be intercepted; and
  • Both sides may challenge the other, so both sides can be sure of the identity of the remote system. (This is especially important when the server system wishes to transmit sensitive data and wants to be sure that it is being received by the proper system.)
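
An added example (not from the Guide) of the challenge/response exchange described above, showing the advantages just listed: the secret never crosses the wire, a captured pair does not answer a later challenge, and both sides can challenge each other. Using HMAC-SHA256 as the "mathematical combination" of challenge and secret is my choice for this illustration (RFC 1994 CHAP itself specifies MD5), and the sample secret is constructed.

```python
import hashlib, hmac, os

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Combine the challenge with the shared secret through a one-way function."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Authenticator:
    """One end of the link: knows the shared secret and the challenges it has issued."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()      # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = os.urandom(16)             # fresh 128-bit random challenge, never reused
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Only a challenge this side issued may be answered, and only once; then
        # recompute the expected value and compare it in constant time.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        return hmac.compare_digest(respond(self._secret, challenge), response)

def mutual_auth(secret: bytes, wire: list) -> bool:
    """Both sides challenge each other; every transmitted message is appended to `wire`."""
    server, client = Authenticator(secret), Authenticator(secret)
    def send(msg: bytes) -> bytes:     # everything sent is observable on the line
        wire.append(msg)
        return msg
    c1 = send(server.challenge())      # server -> client
    r1 = send(respond(secret, c1))     # client -> server
    c2 = send(client.challenge())      # client -> server
    r2 = send(respond(secret, c2))     # server -> client
    return server.verify(c1, r1) and client.verify(c2, r2)

def replay_attempt(secret: bytes) -> bool:
    """A captured challenge/response pair presented against a later challenge."""
    first = Authenticator(secret)
    c = first.challenge()
    r = respond(secret, c)             # legitimate answer, observable on the wire
    assert first.verify(c, r)
    later = Authenticator(secret)
    c_new = later.challenge()          # a different random challenge this time
    return later.verify(c_new, r)      # the old response does not answer c_new
```

`mutual_auth(b"constructed-demo-secret", [])` returns True while the secret never appears in the recorded messages, and `replay_attempt` returns False.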

Conclusions

Security is a major concern to all professionals installing, managing, and using networks. However, only in the rarest of instances do networking dangers outweigh the benefits networking brings to business, research, and school communities. The best approach to network security is to begin with a thorough discussion of the potential risks in your specific environment, follow it with an exploration of the products and strategies available to help you avoid those risks, and conclude with decisions that result in a network design addressing the critical security needs of your network. As the network and its uses evolve, security issues will have to be revisited. However, network planners and support personnel who have developed a solid security infrastructure will be rewarded with a system that evolves with the network and serves its purposes effectively.
Questions: Education Technology Office | edtech@cde.ca.gov | 916-323-5715 