Joan A. Smith


Professor Ravi Mukkamala

CS 555: Computer Networks & Communications

18 April 2003



Selective Security:

Using Current Security Technology To Protect Critical Assets

            Two network security experts, Greg Shipley and Mike Fratto, have proposed a layered approach to achieving reasonable security within the business LAN/WAN environment. Shipley’s 3-tiered approach (firewalls, host-based intrusion prevention, and database encryption) is discussed in a series of articles in the January 23, 2003 issue of Network Computing. Fratto took a slightly different approach in the May 13, 2003 issue. His “three pillars of network security: authentication, access control and auditing” (Fratto) complement Shipley’s tiered approach. Together, they provide sensible guidelines for critical asset protection from network security risks.

            According to Shipley, it is not possible to protect 100% of an enterprise’s network resources from attack; there are too many ways in which a company’s data and equipment can be compromised. Countering all of these methods for a business’s entire digital infrastructure is prohibitively expensive in terms of both time and money. Instead, he argues that a business must create “an asset classification system” (36), preferably with two or more levels. The most important assets would get the hardware and manpower needed to provide a ‘state of the art’ security fence, while less critical elements would act as ‘rings of defense.’ By integrating business policy, process and technology into a comprehensive security program, a business can succeed in protecting the assets that are vital to its existence.

            If it is true that “there is no silver security bullet” (Fratto), then how can vital assets be protected? In class we discussed TCP/IP, which is the ‘lingua franca’ of the Internet. It is also often the vehicle through which attackers enter a company’s digital domain – for example, through a direct attack such as a remote login, or by attaching a virus to an email message sent to an employee. But it is an innocent participant. As Tanenbaum notes, “the TCP software has no idea of what the bytes mean and no interest in finding out. A byte is just a byte.” (534) Obviously, then, a mechanism must be put in place at the receiving end to sift through the bytes and accept them (or not). Both Fratto and Shipley are correct in saying that firewalls are an excellent first layer of defense, because they make it harder for an external intruder to directly access an internal system. Mail gateways, for instance, can block all attachments from entering the LAN or allow only those from specified senders. By configuring the rules tables of firewalls, access into the company’s LAN can be limited to connections that meet specific criteria. Of course, if access permission has been granted to a specific (external) computer, and that computer has been ‘hacked,’ the company’s internal LAN is now also potentially vulnerable.

            Another kind of access control, the host-based intrusion prevention system (‘HIPS’), can be installed on the key asset itself (i.e., the host) to prevent “critical systems from modification and exploitation.” (Fratto) In reality, this is not yet a practical solution for most companies because it requires fine-tuning of the HIPS product and considerable monitoring (i.e., manpower) for effective implementation. Many companies focus more on the other side of the HIPS coin, intrusion detection systems (‘IDS’). However, these also require considerable manpower, which is something few companies are willing to invest in. Logs must be audited frequently so that intrusion attempts can be spotted in time; recovering from a successful intrusion can be more costly than preventing it. Another weakness is the analysis itself: HIPS, IDS, and firewalls can produce prodigious amounts of log data that must be properly aggregated and correlated to be truly useful.
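The aggregation and correlation problem just described is easier to see with a worked example. The Python below is added here and is not part of the essay or of any product the articles review. It takes a handful of constructed log lines in three different formats (a syslog-style firewall drop, an IDS alert, and a HIPS file-modification record), normalizes them into one event shape, and flags a source address only when two or more independent sensors report it within a short window. The line formats, host names and addresses are all constructed; the year is assumed because syslog-style timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2003  # assumed: the firewall's syslog lines carry no year

# Constructed sample logs from three sensors on the same LAN.
FIREWALL_LOG = [
    "Apr 18 09:12:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Apr 18 09:12:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Apr 18 09:30:10 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.25 PROTO=TCP DPT=445",
]
IDS_LOG = [
    '2003-04-18 09:13:45 ids alert sid=1001 msg="SSH brute force attempt" src=198.51.100.7 dst=10.0.0.5 dport=22',
]
HIPS_LOG = [
    "2003-04-18T09:14:02 host=buildsrv event=file_modified path=/etc/ssh/sshd_config user=root src=198.51.100.7",
    "2003-04-18T11:02:40 host=buildsrv event=file_modified path=/var/log/wtmp user=root src=10.0.0.9",
]

FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")
IDS_RE = re.compile(r'^(\S+ \S+) ids alert sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)')
HIPS_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) path=(\S+) user=(\S+) src=(\S+)")

def parse_firewall(line: str):
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sensor": "firewall", "src": m.group(3),
            "detail": f"{m.group(2)} to {m.group(4)}:{m.group(5)}"}

def parse_ids(line: str):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "sensor": "ids", "src": m.group(4), "detail": m.group(3)}

def parse_hips(line: str):
    m = HIPS_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return {"ts": ts, "sensor": "hips", "src": m.group(6),
            "detail": f"{m.group(3)} {m.group(4)} on {m.group(2)}"}

def aggregate(firewall=FIREWALL_LOG, ids=IDS_LOG, hips=HIPS_LOG) -> list:
    """Normalize every sensor's lines into one event shape, ordered by time."""
    events = []
    for parser, lines in ((parse_firewall, firewall), (parse_ids, ids), (parse_hips, hips)):
        for line in lines:
            event = parser(line)
            if event:
                events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events: list, window=timedelta(minutes=15), min_sensors=2) -> list:
    """Flag a source address once at least `min_sensors` distinct sensors have
    reported it within `window`; a single noisy sensor on its own is not enough."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, trigger in enumerate(evs):
            earlier = [e for e in evs[:i + 1] if trigger["ts"] - e["ts"] <= window]
            if len({e["sensor"] for e in earlier}) < min_sensors:
                continue
            # Threshold met: summarize every event from this source near the trigger.
            related = [e for e in evs if abs((e["ts"] - trigger["ts"]).total_seconds()) <= window.total_seconds()]
            alerts.append({"src": src,
                           "sensors": sorted({e["sensor"] for e in related}),
                           "count": len(related),
                           "first": related[0]["ts"], "last": related[-1]["ts"],
                           "details": [e["detail"] for e in related]})
            break  # one alert per source is what an analyst wants to read
    return alerts

if __name__ == "__main__":
    for alert in correlate(aggregate()):
        print(alert["src"], alert["sensors"], alert["count"], alert["first"], alert["last"])
        for detail in alert["details"]:
            print("   ", detail)
```

With the constructed input, the two lone events (a single firewall drop from 192.0.2.44 and a HIPS record attributed to an internal address) produce no alert, while 198.51.100.7 is flagged because the firewall, the IDS and the HIPS all saw it inside two minutes; the HIPS line is the one that matters most, since it shows the attempts were not all blocked at the edge.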

            Database encryption and user authentication are the third layer of protection. Encryption and password-based protection are, superficially at least, understood by both technical and non-technical employees and managers. In fact, they are in widespread use. Still, users have a hard time remembering passwords and tend either to write them down or to “pick easy-to-guess passwords – even when they are forced to use symbols and numbers.” (Fratto) Decryption keys are also often duplicated and stored in some relatively insecure location (like hiding your house key under the mat). So while the basic theory is sound and encrypted information can be practically unbreakable without the key, finding the key is often too easy.

            This is why the ranking of business assets in terms of protection urgency is important. So much effort has to go into a well-rounded security scheme that it is not practical to apply it to every single corporate digital component. A business uses a similar strategy in its day-to-day physical operations: all employees have access to the building, some employees have access to the central filing cabinet, a few employees have a key to the President’s office, and perhaps only one or two can sign checks. Within that framework, there are many security details, including card readers (for employees at doors), keys to file cabinets, two-signature checks, etc. The attention given and the cost incurred are proportional to the perceived need to secure the asset. The same goes for achieving reasonable network security for the business. Layers of firewalls, intrusion detection/prevention, digital certificates, data encryption and system auditing need to be applied to the enterprise’s mission-critical assets, while basic prevention (firewalls and spam filters, for example) is applied at the ‘outer edge’ of the digital enterprise.

            Interestingly, this layered approach reflects in some ways the OSI model, particularly the network and transport layers. Firewalls and rules-based restrictive routers play a role at the network layer. Just as “its main job is routing packets from the source to the destination” (Tanenbaum, 473), Control Tier 1 (Shipley) and the Access Pillar (Fratto) see to it that an incoming packet is from a proper source and going to an allowed destination. At the next level, the transport layer depends on a three-way handshake to establish and manage a reliable connection. Authentication (Fratto) and Encryption (Shipley) reflect this aspect of the communications model, whose job is to provide “an end-to-end, reliable [connection] from sender to receiver.” (Tanenbaum, 573) Digital certificates and other secure sign-on services echo this role. At the application layer, which is the user-interface level, the analogy breaks down somewhat, since there is no parallel single element proposed by Shipley or Fratto. However, just as the application layer is more directly associated with the individual user, the concept of selective security – picking the data to protect the most – focuses on a business’s individual requirements. Business X may need to keep shopping carts and credit card records as secure as possible, whereas Business Z may need to ensure the security of its research computers. Of course, just as TCP/IP blurs the lines between the OSI layers, each of the elements of Fratto’s three “pillars of network security” and of Shipley’s three-tiered approach touches on more than one OSI layer.

            Ultimately, there are as many points of potential failure as there are employees (and ex-employees) in a company. By implementing the same kinds of layered control over digital assets that a business typically exerts over its physical assets, security can be greatly improved. That means Shipley’s three tiers and Fratto’s three pillars can provide an acceptable level of security to the enterprise, but only if the business’s employees actively support the security policies, and only if the company knows which assets it most needs to protect.

Works Cited

Fratto, Mike. “New Security Threats – Stronger Defenses.” Network Computing (May 13, 2002). HTML file: <http://www.nwc.com/1310/1310f2.html>.

Shipley, Greg. “Secure To The Core.” Network Computing 14.1 (January 23, 2003): 34-43. HTML file: <http://www.networkcomputing.com/1401/1401f1.html>.

Shipley, Greg. “Tactical Security 101.” Network Computing 14.1 (January 23, 2003): 44-57. HTML file: <http://www.networkcomputing.com/1401/1401f2.html>.

Shipley, Greg. “How We Got Here.” Network Computing 14.1 (January 23, 2003): 50. HTML file: <http://www.networkcomputing.com/1401/1401f28.html>.

Tanenbaum, Andrew S. Computer Networks. 4th ed. Upper Saddle River, NJ: Prentice Hall PTR, 2003.
