
Choosing Where to Apply Security

In document Network Security Know It All pdf (Page 115-118)

Concepts in IP Security

5.2 Choosing Where to Apply Security

CHAPTER 5 Concepts in IP Security

to keep their network topology secret), the protocols themselves are vulnerable to malicious attacks that can cause a break-down in the services provided to end users—a denial of service attack. For example, if someone injected OSPF messages into a network that appeared to advertise a low-cost link from one side of the network to the other, this might find its way into the paths computed by all or most of the nodes in the network, causing traffic to be misrouted and possibly lost entirely.

Similarly, signaling and other IP-based protocols are used to manage network resources and to direct traffic along specific paths. These protocols are also vulnerable to attack, particularly from message replay or spoofing.

Routing and signaling protocols typically offer some security protection through authentication schemes (discussed in Section 5.3.2). These processes allow nodes to verify that a message really was sent by the partner from which it appears to come and, combined with sequence numbering schemes within the protocols themselves, also protect against replay attacks.

In practice, however, authentication is rarely used by deployed routing and signaling implementations. This has something to do with the configuration and management overheads (each node must know a security key for use when authenticating a message from each other node with which it might communicate), and also derives from the fact that network providers are able to apply other security schemes (physical, access control, and network level) to achieve the same ends.
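The authentication-plus-sequence-number check described above, sketched as an added example that is not from the book or from any routing implementation. It assumes HMAC-SHA256 as the keyed digest and one shared key per neighbor; the packet layout, names, key and payloads are constructed for illustration and are not a real OSPF or signaling format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key, seq, payload):
    """Sender side: prepend a 32-bit sequence number, append a keyed digest."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Holds one shared key and the last accepted sequence number per neighbor."""

    def __init__(self, neighbor_keys):
        self.keys = neighbor_keys   # neighbor name -> shared key (the per-node overhead)
        self.last_seq = {}          # neighbor name -> highest sequence number accepted

    def accept(self, neighbor, packet):
        key = self.keys.get(neighbor)
        if key is None or len(packet) < 4 + TAG_LEN:
            return "reject: unknown neighbor or short packet"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison; a sender without the key cannot produce the tag.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad digest"
        (seq,) = struct.unpack("!I", body[:4])
        # An authentic but old message is a replay: valid digest, stale number.
        if seq <= self.last_seq.get(neighbor, -1):
            return "reject: replay"
        self.last_seq[neighbor] = seq
        return "accept"


def demo():
    key = b"constructed-shared-key-r1-r2"       # constructed sample key
    rx = Receiver({"r1": key})
    advert = b"link 10.0.0.0/24 cost 10"        # constructed sample payload
    genuine = seal(key, 1, advert)
    forged = seal(b"wrong-key", 2, b"link 10.0.0.0/24 cost 1")   # sender lacks the key
    tampered = genuine[:4] + b"link 10.0.0.0/24 cost 01" + genuine[-TAG_LEN:]
    packets = (genuine, forged, tampered, genuine, seal(key, 2, advert))
    return [rx.accept("r1", p) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The sequence number sits inside the authenticated body, so it cannot be rewritten to make a captured message look fresh without invalidating the digest.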

5.2.3 Application-Level Security

For a majority of users the most important aspect of IP security is the protection of their user data as it is transferred across the network. It has been argued that the greatest facilitator of the recent exponential growth of the Internet has been the development of reliable and truly secure techniques for encrypting data. Without these mechanisms it is unlikely that Internet commerce would have become so popular because the sensitive nature of financial details (such as credit card numbers) limits the likelihood of people participating in online transactions across a public network.

Similarly, commercial information is widely regarded as being sufficiently sensitive that it should be protected from prying eyes. The fact that the overwhelming percentage of corporate data is so banal as to be tedious, and that this information outweighs valuable data to such an extent as to hide it quite efficiently, is rightly not considered as an effective security measure. The enthusiastic and determined criminal will be willing to wade through thousands of unimportant emails that set out lunch arrangements or discuss the latest ballgame, in the hope of discovering something of value. Companies, therefore, do not send information “in the clear” across the Internet. Data in file transfers and email exchanges is routinely encrypted as it is transferred between company sites over public networks.

Application security normally takes one of two forms. First, the user can encrypt or password protect the data to be transferred. Many applications such as word processors or file compression tools allow the user to require the use of a password before the file can be opened. This password is usually encrypted and stored within the file so that the receiving application requires the user to enter the same password before the data can be viewed. All nontrivial applications assume that the use of a password also implies that the data should be encrypted—this is wise since the application in question is not the only tool that could be used to examine the file.

The second application security mechanism is embedded in the applications that are used to transfer files or data as distinct from those that the user uses to operate on the data. For example, email programs often allow the user to encrypt individual emails so that the recipient must specify a password before being allowed to read what was sent. An equally important concept is secure exchange of data on web-based transactions—using security extensions to the Hypertext Transfer Protocol (HTTP), it is possible for a user to send and receive sensitive data such as credit card numbers using encryption techniques.

A final concept that is popular, especially in email exchanges, is the digital signature. This technique allows the receiver to verify that the message being read was really sent by the apparent author, and that the message has not been modified by a third party.

Application security has strengths and weaknesses. It allows the user full control of the level of security applied to different transactions, but at the same time it allows the user to make a mistake or simply forget to take appropriate measures. Security modules must be implemented for each application since the rules and methods for applying security within each application protocol differ. Although these modules should be able to share common libraries for encryption and decryption, the applications are developed by different software companies and cannot necessarily rely on the presence of a third-party security library that the consumer would have to purchase and install. So each application may need to include its own security implementation. The alternative to this is offered by applying security across the board to all traffic at a lower layer, as described in the next two sections, but this may mean that more security is used than is actually required, slowing data transfer.

5.2.4 Protection at the Transport Layer

Transport protocols are responsible for delivering data on behalf of applications over an IP network. Different transport-layer protocols provide different levels of service, ranging from simple datagram dispatch to guaranteed in-order delivery of data.

The more sophisticated transport protocols include some elements of security that may be used by applications that do not, themselves, include modules that offer secure data transfer. This has the advantage of collecting together all security code in a single place (the transport stack module) and relieving applications from having to include such features. On the other hand, the security enhancements are not available in all transport protocols (for example, the popular User Datagram Protocol), which limits the popularity of transport-layer security.

Perhaps the biggest issue with transport-layer security is that it does not hide or protect important fields in the transport protocol headers. These fields indicate the source and destination of the data and give clues to the purpose of the message exchanges. Additionally, these unprotected fields are fundamental to the successful delivery of the data: if they are modified, the service may be interrupted.

5.2.5 Network-Level Security

The best alternative to application-level security is provided at the network layer where the whole content of IP packets, and even the IP headers themselves, are secured. This solution has many advantages. It is available for all IP traffic between any pair of end points, so it is useful to protect application data and also can be used to secure routing and signaling exchanges.

IP security (IPsec) is the mainstay of network-level security. It is used to authenticate the sender of messages, to verify that message data has not been tampered with, and to hide information from prying eyes. IPsec is used for a wide range of applications, from protecting signaling and routing flows to providing Virtual Private Networks (VPNs) across the public Internet.
