The following text is copyright 1995 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.

Is Network Security an Oxymoron?

By: Scott Bradner

Well, Internet security (or the lack of it) made the news again. There was a front page story in the New York Times (below the fold, though) and articles in the Wall Street Journal and Washington Post. All this at a time when, as I mentioned previously in this space, more organizations are deciding that, rather than building their own private universes, the Internet is the place to build their future.

The particular problem to which all these articles were responding is, as they say, a neat hack. For those of you who did not get the details, it involves three facts of life on the Internet and in the TCP/IP implementations on some systems.

First: in the IP part of TCP/IP, as in almost all other network protocols, data is sent between two network-connected hosts in a stream of packets. Each packet carries the destination and source network addresses of the communicating hosts. The packets are guided through the network by having each router look at the destination address in the packet. The source address is not used in this process, so nothing along the path checks that it is genuine.

Second: when a packet reaches its destination, the source address in the packet is, on many systems, the only thing used to decide who sent it. A packet with a forged source address is therefore taken by the receiving host to have come from the forged address rather than from the host that actually sent it.

Third: in order to ensure reliable transmission of data, the TCP part of TCP/IP must have some way of checking that the destination has received all of the packets sent its way. Reliability is maintained by each end of a network conversation sending acknowledgment packets after it receives some data from the other end. To keep track of where you are in the process, the data packets carry sequence numbers and the acknowledgments refer to the sequence numbers of the data received. Each side picks an initial sequence number when the connection is set up, and the other side must acknowledge that number before any data is exchanged.

If somehow I can predict which sequence numbers will be used in a conversation between two hosts on your corporate network that trust each other, I can send packets to one of those hosts forging the source address of the other, including correctly calculated acknowledgment numbers. If I do this, the target host thinks it is having a conversation with its trusted partner even though it is not. Now, I don't see the target host's half of the conversation, because that is going to the host whose address I forged. But that does not matter if I'm trying to do something very predictable, such as modifying some access control files. It turns out that the initial sequence numbers some UNIX computers choose are quite easy to guess, since they are chosen predictably rather than at random, and thus it is easy to do this spoofing.
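What that looks like in practice, as an added illustration for this column (this is example code written for the article, not part of the original piece, and it sends no real packets): a toy model of the TCP three-way handshake in which the server trusts connections by source address alone. The addresses, the fixed 64000 increment, and the `Server` class are assumptions made for the example. The attacker first makes two honest connections from its own address to learn how the server picks initial sequence numbers, then forges a SYN from the trusted address and acknowledges, blind, the SYN/ACK it never sees.

```python
import os
from dataclasses import dataclass

# Constructed toy model, added to this article as an illustration; it is not
# code from the original column and makes no network calls. Addresses, the
# 64000 increment and the Server class are assumptions made for the example.

TARGET = "10.0.0.5"       # host running an address-trusting service (e.g. rsh/rlogin)
TRUSTED = "10.0.0.7"      # host that TARGET trusts by source address alone
ATTACKER = "203.0.113.9"  # outside host; never sees traffic the server sends to TRUSTED


@dataclass
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class Server:
    """Minimal TCP listener: a connection is accepted if the three-way
    handshake completes and the source address is on the trust list."""

    def __init__(self, addr, trusted, isn_gen):
        self.addr = addr
        self.trusted = set(trusted)
        self.isn_gen = isn_gen
        self.half_open = {}    # src address -> ISN we put in the SYN/ACK
        self.established = []  # source addresses with a completed handshake
        self.outbound = []     # segments we sent; they go to seg.dst, not to the real sender

    def receive(self, seg):
        if seg.dst != self.addr:
            return
        if seg.flags == "SYN":
            isn = self.isn_gen()
            self.half_open[seg.src] = isn
            self.outbound.append(Segment(self.addr, seg.src, "SYN/ACK", isn, seg.seq + 1))
        elif seg.flags == "ACK" and seg.src in self.half_open:
            expected = self.half_open.pop(seg.src) + 1
            if seg.ack == expected and seg.src in self.trusted:
                self.established.append(seg.src)


def predictable_isn(start=1_000_000, step=64000):
    """ISN generator in the style of early BSD stacks: a fixed bump per connection."""
    state = {"isn": start}

    def gen():
        state["isn"] = (state["isn"] + step) % 2**32
        return state["isn"]

    return gen


def random_isn():
    """ISN drawn from the OS random number generator (the fix later written up in RFC 1948)."""
    return lambda: int.from_bytes(os.urandom(4), "big")


def blind_spoof(server, attacker, trusted):
    """Try to complete a handshake with 'server' while claiming to be 'trusted',
    without ever seeing the SYN/ACK that the server sends to the trusted host."""
    # 1. Two honest probes from the attacker's own address reveal two
    #    consecutive ISNs, and therefore the increment the server is using.
    observed = []
    for probe_seq in (1, 2):
        server.receive(Segment(attacker, server.addr, "SYN", probe_seq))
        observed.append(server.outbound[-1].seq)
    delta = (observed[1] - observed[0]) % 2**32

    # 2. Forge a SYN from the trusted address. The SYN/ACK is routed to the
    #    real trusted host; the attacker never sees the ISN it carries.
    server.receive(Segment(trusted, server.addr, "SYN", 100))
    assert server.outbound[-1].dst == trusted  # it really did not come to us

    # 3. ACK blind with the predicted ISN. If the guess is right the server
    #    now believes it is talking to the trusted host.
    predicted = (observed[1] + delta) % 2**32
    server.receive(Segment(trusted, server.addr, "ACK", 101, predicted + 1))
    return trusted in server.established


def demo():
    weak = blind_spoof(Server(TARGET, [TRUSTED], predictable_isn()), ATTACKER, TRUSTED)
    strong = blind_spoof(Server(TARGET, [TRUSTED], random_isn()), ATTACKER, TRUSTED)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("spoof succeeds with predictable ISNs:", weak)  # True
    print("spoof succeeds with random ISNs:", strong)     # False
```

With the fixed-increment generator the forged connection is accepted; with a random ISN the attacker's guess is wrong and the handshake never completes. The model leaves out one thing a real attack has to deal with: the genuine trusted host receives the unexpected SYN/ACK and would normally reset the connection, so the attacker also has to keep it from answering. The lesson for the defender is the same either way: an address is not a credential, and the sequence number is only a defence if it cannot be guessed.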

It is also easy to keep your organization from being hurt by someone out in Internet-land doing this to you, because many routers can be configured to discard packets arriving from the outside world that carry a source address from within your organization. To be complete, you also have to block source-routed packets, since source routing would otherwise let an outsider dictate the path replies take. In this way you can keep the forged packets from entering your network from the rest of the Internet. As long as your internal hosts do not form a trusted relationship (e.g., use NFS) with someone outside your organization, you will be fine.
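The border rule just described, as an added example for this column (written for the article, not code from the original piece or from any router vendor): a filter applied to packets on the outside interface that drops anything claiming an inside source address and anything carrying a source-route option. The internal prefix 10.0.0.0/8, the packet layout and the sample packets are constructed for the illustration; on a real router this is an inbound access list rather than Python. It also goes one step beyond the column by adding the matching outbound rule, which keeps your own network from being used to forge packets at someone else.

```python
import ipaddress

# Example added to this article; not code from the original column. It models
# the border-router rule the text describes and adds the complementary
# outbound rule. INSIDE, the packet dictionaries and the sample packets are
# assumptions constructed for the illustration.

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed: our organization's address space
LSRR, SSRR = 131, 137                        # IPv4 option numbers: loose / strict source route


def inbound_filter(pkt):
    """Verdict for a packet arriving from the Internet on the outside interface."""
    src = ipaddress.ip_address(pkt["src"])
    if src in INSIDE:
        return "drop (inside source address arriving from outside)"
    if any(opt in (LSRR, SSRR) for opt in pkt.get("options", ())):
        return "drop (source-routed)"
    return "accept"


def outbound_filter(pkt):
    """Verdict for a packet leaving on the outside interface: only our own
    addresses may go out, so we cannot be the spoofer in someone else's story."""
    src = ipaddress.ip_address(pkt["src"])
    if src not in INSIDE:
        return "drop (leaving with a source address that is not ours)"
    return "accept"


# Constructed sample traffic (not captured from any real network).
INBOUND_SAMPLES = [
    {"src": "192.0.2.44", "dst": "10.1.2.3"},                    # ordinary outside host
    {"src": "10.0.0.7", "dst": "10.0.0.5"},                      # forged: claims to be our trusted host
    {"src": "192.0.2.44", "dst": "10.0.0.5", "options": [LSRR]},  # loose source route
]
OUTBOUND_SAMPLES = [
    {"src": "10.1.2.3", "dst": "192.0.2.44"},    # normal outbound traffic
    {"src": "172.16.9.9", "dst": "192.0.2.44"},  # an inside host forging a source address
]


def run():
    """Apply both filters to the sample traffic; returns (inbound, outbound) verdict lists."""
    return ([inbound_filter(p) for p in INBOUND_SAMPLES],
            [outbound_filter(p) for p in OUTBOUND_SAMPLES])


if __name__ == "__main__":
    inbound, outbound = run()
    for p, v in zip(INBOUND_SAMPLES, inbound):
        print("in ", p["src"], "->", p["dst"], ":", v)
    for p, v in zip(OUTBOUND_SAMPLES, outbound):
        print("out", p["src"], "->", p["dst"], ":", v)
```

Two caveats a practitioner would add. The inbound rule is only as good as the list of prefixes you call "inside": every internal block has to be in it, and the rule has to sit on every path in from the outside. And it is a border rule only; it says nothing about a host already on your network that forges the address of a neighbour, which is exactly the case the rest of this column is about.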

So, in light of things like this, will the problems of security on the Internet put a damper on its growth curve? It might, but to quote, "it would be wrong." The main thing that is often lost in the Internet security laments is that the great majority of network and host security violations involve local people with authorized access to the local network, not people from halfway around the world.

IPv6 will make some of the current security issues easier to deal with in the future, but neither staying off the Internet nor erecting a big firewall is the whole answer now. Look in the mirror before looking out the window.

Disclaimer: Harvard is currently trying to deal with the security of its own network but the above only reflects my own views.