For the following discussion, we assume that the function of a system that is the target of an attack is to provide information. In general, there is a flow of data from a source (e.g. host, file, memory) to a destination (e.g. remote host, other files, user) over a communication channel (e.g. wire, data bus). The task of the security system is to restrict access to this information to only those parties (persons or processes) that are authorized to have access according to the security policy in use. In the case of an automation system that is remotely connected to the Internet, the information flow is from/to a control application that manages sensors and actuators via communication lines of the public Internet and the network of the automation system (e.g. a field bus). The normal information flow and several categories of attacks that target it are.
Interruption: An asset of the system gets destroyed or becomes unavailable. This attack targets the source or the communication channel and prevents the information from reaching its intended target (e.g. cut the wire, overload the link so that the information gets dropped because of congestion). Attacks in this category attempt to perform a kind of denial-of-service (DOS).
Interception: An unauthorized party gets access to the information by eavesdropping into the communication channel (e.g. wiretapping).
Modification: The information is not only intercepted but modified by an unauthorized party while in transit from the source to the destination. By tampering with the information, it is actively altered (e.g. modifying message content).
Fabrication: An attacker inserts counterfeit objects into the system without having the sender do anything. When a previously intercepted object is inserted, this process is called replaying. When the attacker pretends to be the legitimate source and inserts his desired information, the attack is called masquerading (e.g. replay an authentication message, add records to a file).
The four classes of attacks listed above violate different security properties of the computer system. A security property describes a desired feature of a system with regards to a certain type of attack. A common classification following is listed below.
Confidentiality: This property covers the protection of transmitted data against its release to non-authorized parties. In addition to the protection of the content itself, the information flow should also be resistant to traffic analysis. Traffic analysis is used to gather other information than the transmitted values themselves from the data flow (e.g. timing data, frequency of messages).
Authentication: Authentication is concerned with making sure that the information is authentic. A system implementing the authentication property assures the recipient that the data is from the source that it claims to be. The system must make sure that no third party can masquerade successfully as another source.
Non-repudiation: This property describes the feature that prevents either sender or receiver from denying a transmitted message. When a message has been transferred, the sender can prove that it has been received. Similarly, the receiver can prove that the message has actually been sent.
Availability: Availability characterizes a system whose resources are always ready to be used. Whenever information needs to be transmitted, the communication channel is available and the receiver can cope with the incoming data. This property makes sure that attacks cannot prevent resources from being used for their intended purpose.
Integrity: Integrity protects transmitted information against modifications. This property assures that a single message reaches the receiver as it has left the sender, but integrity also extends to a stream of messages. It means that no messages are lost, duplicated, or reordered and it makes sure that messages cannot be replayed. As destruction is also covered under this property, all data must arrive at the receiver. Integrity is not only important as a security property, but also as a property for network protocols. Message integrity must also be ensured in case of random faults, not only in case of malicious modifications.
Different security mechanisms can be used to enforce the security properties defined in a given security policy. Depending on the anticipated attacks, different means have to be applied to satisfy the desired properties. We divide these measures against attacks into three different classes, namely attack prevention, attack avoidance, and attack detection.
Attack prevention is a class of security mechanisms that contain ways of preventing or defending against certain attacks before they can actually reach and affect the target. An important element in this category is access control, a mechanism that can be applied at different levels such as the operating system, the network, or the application layer. Access control limits and regulates the access to critical resources. This is done by identifying or authenticating the party that requests a resource and checking its permissions against the rights specified for the demanded object. It is assumed that an attacker is not legitimately permitted to use the target object and is therefore denied access to the resource. As access is a prerequisite for an attack, any possible interference is prevented.
The most common form of access control used in multi-user computer systems is access control lists for resources that are based on the user identity of the process that attempts to use them. The identity of a user is determined by an initial authentication process that usually requires a name and a password. The login process retrieves the stored copy of the password corresponding to the user name and compares it with the presented one. When both match, the system grants the user the appropriate user credentials. When a resource should be accessed, the system looks up the user and group in the access control list and grants or denies access as appropriate. An example of this kind of access control is a secure web server. A secure web server delivers certain resources only to clients that have authenticated themselves and that possess sufficient credentials for the desired resource.
The authentication process is usually handled by a web client such as Microsoft Internet Explorer or Mozilla by prompting the user for his name and password. The most important access control system at the network layer is a firewall. The idea of a firewall is based on the separation of a trusted inside the network of computers under single administrative control from a potentially hostile outside network. The firewall is a central choke point that allows enforcement of access control for services that may run inside or outside. The firewall prevents attacks from the outside against the machines in the inside network by denying connection attempts from unauthorized parties located outside. In addition, a firewall may also be utilized to prevent users behind the firewall from using certain services that are outside (e.g. surfing websites containing adult or misguided material).
For certain installations, a single firewall is not suitable. Networks that consist of several server machines which need to be publicly accessible and workstations that should be completely protected against connections from the outside would benefit from a separation between these two groups. When an attacker compromises a server machine behind a single firewall, all other machines can be attacked from this new base without restrictions. In this setup, one firewall separates the outside network from a segment (DMZ) with the server machines while a second one separates this area from the rest of the network. The second firewall can be configured in a way that denies all incoming connection attempts. Whenever an intruder compromises a server, he is now unable to immediately attack a workstation located in the inside network.
The following design goals for firewalls are identified.
- All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the internal network except via the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.
- The firewall itself should be immune to penetration. This implies the use of a trusted system with a secure operating system. A trusted, secure operating system is often purpose-built, has heightened security features, and only provides the minimal functionality necessary to run the desired applications.
These goals can be reached by using a number of general techniques for controlling access. The most common is called service control and determines Internet services that can be accessed. Traffic on the Internet is currently filtered on basis of IP addresses and TCP/UDP port numbers. In addition, there may be proxy software that receives and interprets each service request before passing it on. Direction control is a simple mechanism to control the direction in which particular service requests may be initiated and permitted to flow through. User control grants access to a service based on user credentials similar to the technique used in a multi-user operating system. Controlling external users requires secure authentication over the network (e.g. such as provided in IPSec). A more declarative approach in contrast to the operational variants mentioned above is behavior control. This technique determines how particular services are used. It may be utilized to filter e-mail to eliminate spam or to allow external access to only part of the local web pages. The following benefits can be expected.
- A firewall defines a single choke point that keeps unauthorized users out of the protected network. The use of such a point also simplifies security management. It provides a location for monitoring security-related events. Audits, logs, and alarms can be implemented on the firewall directly. In addition, it forms a convenient platform for some non-security-related functions such as address translation and network management.
- A firewall may serve as a platform to implement a virtual private network (e.g. by using IPSec).
The list below enumerates the limits of the firewall access control mechanism.
- A firewall cannot protect against attacks that bypass it, for example, via a direct dial-up link from the protected network to an ISP (Internet Service Provider). It also does not protect against internal threats from an inside hacker or an insider cooperating with an outside attacker.
- A firewall does not help when attacks are against targets whose access has to be permitted. It cannot protect against the transfer of virus-infected programs or files. It would be impossible, in practice, for the firewall to scan all incoming files and e-mails for viruses.
Firewalls can be divided into two main categories. A Packet-Filtering Router, or short packet filter, is an extended router that applies certain rules to the packets which are forwarded. Usually, traffic in each direction (in- and outgoing) is checked against a rule set that determines whether a packet is permitted to continue or should be dropped. The packet filter rules operate on the header fields used by the underlying communication protocols, for the Internet is almost always IP, TCP, and UDP. Packet filters have the advantage that they are cheap as they can often be built on existing hardware. In addition, they offer good performance for high traffic loads. An example of a packet filter is the IP tables package which is implemented as part of the Linux 2.4 routing software.
A different approach is followed by an Application-Level Gateway, also called a proxy server. This type of firewall does not forward packets on the network layer but acts as a relay on the application level. The user contacts the gateway which in turn opens a connection to the intended target (on behalf of the user). A gateway completely separates the inside and outside networks at the network level and only provides a certain set of application services. This allows authentication of the user who requests a connection and session-oriented scanning of the exchanged traffic up to the application level data. This feature makes application gateways more secure than packet filters and offers a broader range of log facilities. On the downside, the overhead of such a setup may cause performance problems under heavy load.
Another important element in the set of attack prevention mechanisms is system hardening. System hardening is used to describe all steps that are taken to make a computer system more secure. It usually refers to changing the default configuration to a more secure one, possibly at the expense of ease of use. Vendors usually pre-install a large set of development tools and utilities, which, although beneficial to the new user, might also contain vulnerabilities. The initial configuration changes that are part of system hardening include the removal of services, applications, and accounts that are not needed and the enabling of operating system auditing mechanisms (e.g., Event Log in Windows). Hardening also involves a vulnerability assessment of the system. Numerous open-source tools such as network (e.g., Nmap) and vulnerability scanners (e.g., Nessus) can help to check a system for open ports and known vulnerabilities. This knowledge then helps to remedy these vulnerabilities and close unnecessary ports. An important and ongoing effort in system hardening is patching. Patching describes a method of updating a file that replaces only the parts being changed, rather than the entire file. It is used to replace parts of a (source or binary) file that contains a vulnerability that is exploitable by an attacker. To be able to patch, it is necessary that the system administrators keep up to date with security advisories that are issued by vendors to inform about security-related problems in their products.