Articles

Local Area Network Security

It is extremely important to understand that security is not a product that you can buy in a store and be confident in your own protection.

«Security» is a special combination of both technical and administrative measures.

Administrative measures also include not only papers, recommendations, instructions, but also people.

It is impossible to consider your network «safe» if you do not trust the people working with this network.

Perfect security is an unattainable myth that can be realized, at best, only by a few professionals.

There is one factor that cannot be overcome on the way to perfect security — a person.

Part 1. Main Objectives of Network Security

Network security objectives may vary depending on the situation, but there are usually three main objectives:

  • Data integrity.
  • Data confidentiality.
  • Data availability.
  • Let's look at each of them in more detail.

Data integrity

One of the main goals of network security is to ensure that data is not altered, tampered with, or destroyed. Data integrity should ensure that it is not damaged by malicious or accidental means. Ensuring data integrity is usually one of the most difficult tasks in network security.

Data Confidentiality

The second main goal of network security is to ensure data confidentiality. Not all data can be considered confidential.

There is a large amount of information that should be available to everyone.

But even in this case, ensuring the integrity of data, especially open data, is a major task.

The following data can be classified as confidential:

  • Personal information of users.
  • Accounts (names and passwords).
  • Credit card data.
  • Data on developments and various internal documents.
  • Accounting information.

Availability of data

The third goal of data security is its availability. It is useless to talk about data security if the user cannot work with it because it is unavailable.

Here is a rough list of resources that typically need to be «available» on a local network:

  • Printers.
  • Servers.
  • Workstations.
  • User data.
  • Any critical data required for work.
  • Let's consider the threats and obstacles that stand in the way of network security. All of them can be divided into two large groups: technical threats and the human factor.

Technical threats:

  • Software errors.
  • Various DoS and DDoS attacks.
  • Computer viruses, worms, Trojan horses.
  • Protocol analyzers and listening programs («sniffers»).
  • Technical means of information retrieval.

Software errors

The bottleneck of any network.

The software of servers, workstations, routers, etc. is written by people, therefore it almost always contains errors.

The more complex such software is, the more likely it is to find errors and vulnerabilities.

Most of them do not pose any danger, but some can lead to tragic consequences, such as an attacker gaining control over the server, server inoperability, unauthorized use of resources (storing unnecessary data on the server, using it as a springboard for an attack, etc.).

Most of these vulnerabilities are fixed with the help of service packs regularly released by the software manufacturer. Timely installation of such updates is a prerequisite for network security.

DoS and DDoS attacks

Denial Of Service is a special type of attack aimed at rendering a network or server unusable.

DoS attacks can use software bugs or legitimate operations, but on a large scale (for example, sending a huge amount of email).

The new type of DDoS (Distributed Denial Of Service) attacks differs from the previous one by the presence of a huge number of computers located in a large geographic area.

Such attacks simply overload the channel with traffic and interfere with the passage, and often completely block the transmission of useful information through it.

This is especially relevant for companies engaged in any online business, such as trading via the Internet.

 

Computer viruses, Trojan horses

Viruses are an old category of dangers that are almost never encountered in their pure form these days.

Due to the active use of network technologies for data transmission, viruses are increasingly integrated with Trojan components and network worms.

Nowadays, a computer virus uses either email or software vulnerabilities to spread. And often both.

Now, instead of destructive functions, remote control functions, stealing information, and using an infected system as a springboard for further spread have come to the forefront.

More and more often, an infected machine becomes an active participant in DDoS attacks. There are many methods of combating this, one of which is the same timely installation of updates.

Protocol analyzers and «sniffers»

This group includes tools for intercepting data transmitted over the network. Such tools can be either hardware or software.

Usually, data is transmitted over the network in clear text, which allows an intruder to intercept it within the local network. Some network protocols (POPS, FTP) do not use password encryption, which allows an intruder to intercept them and use them himself.

When transmitting data over global networks, this problem becomes especially acute. If possible, access to the network should be restricted for unauthorized users and random people.

Technical means of data collection

This includes such means as keyboard bugs, various mini-cameras, sound recording devices, etc.

This group is used in everyday life much less often than the above, since, in addition to the availability of special equipment, it requires access to the network and its components.

Human factor:

  • Dismissed or dissatisfied employees.
  • Industrial espionage.
  • Negligence.
  • Low qualifications.

Dismissed and dissatisfied employees.

This group of people is the most dangerous, since many of the working employees may have authorized access to confidential information. A special group is made up of system administrators, who are often dissatisfied with their financial situation or do not agree with dismissal, they leave «back doors» for the subsequent possibility of malicious use of resources, theft of confidential information, etc.

Industrial espionage

This is the most difficult category. If someone is interested in your data, then this someone will find ways to get it. Hacking a well-protected network is not the easiest option. It may well be that the cleaning lady «Aunt Glasha», washing under the table and cursing at an incomprehensible box with wires, may be a very high-class hacker.

Negligence

The most extensive category of abuse: from updates not installed on time, unchanged «default» settings and ending with unauthorized modems for Internet access — as a result of which intruders gain open access to a well-protected network.

Low qualification

Often, low qualification does not allow the user to understand what he is dealing with; because of this, even good security programs become a real hassle for the system administrator, and he is forced to rely only on perimeter protection.

Most users do not understand the real threat from running executable files and scripts and believe that executable files are only files with the «exe» extension.

Low qualification also does not allow determining what information is truly confidential and what can be disclosed.

In large companies, you can often call the user and, posing as an administrator, ask him for his login information. There is only one way out — user training, creating relevant documents and improving skills.

Part 2. Protection methods

According to statistics on losses that organizations suffer from various computer crimes, the lion's share is made up of losses from crimes committed by their own dishonest employees.

However, recently there has been a clear trend towards increasing losses from external intruders. In any case, it is necessary to ensure protection from both disloyal personnel and hackers capable of penetrating your network. Only a comprehensive approach to information protection can instill confidence in its security.

However, due to the limited volume of this article, we will consider only the main technical methods of protecting networks and the information circulating on them, namely, cryptographic algorithms and their application in this area.

Protecting data from internal threats

The following cryptographic methods can be used to protect information circulating in a local network:

  • information encryption;
  • electronic digital signature (EDS).

Encryption

Encryption of information helps protect its confidentiality, i.e. ensures that unauthorized access to it is impossible.

Encryption is the process of converting open information into closed, encrypted information (called «encryption») and vice versa («decryption»).

This conversion is performed using strict mathematical algorithms; in addition to the data itself, an additional element, the «key», also participates in the conversion.

GOST 28147-89 provides the following definition of a key: «A specific secret state of some parameters of a cryptographic conversion algorithm that ensures the selection of one conversion from a set of all possible conversions for a given algorithm.»

In other words, a key is a unique element that allows information to be encrypted in such a way that only a specific user or group of users can obtain open information from encrypted information.

Encryption can be expressed by the following formulas:

C=Ek1 (M) — encryption,

M’=Dk2(C) — decryption.

Function E encrypts information, function D decrypts it. If the key k2 corresponds to the key k1 used for encryption, it is possible to obtain open information, i.e. obtain the correspondence M’ = M.

In the absence of the correct key k2, it is almost impossible to obtain the original message.

According to the type of correspondence between the keys k1 and k2, encryption algorithms are divided into two categories:

1)Symmetric encryption: k1 = k2. The same key is used to encrypt and decrypt information. This means that users exchanging encrypted information must have the same key. A more secure option is to have a unique encryption key for each pair of users, which is unknown to the others. The symmetric encryption key must be kept secret: its compromise (loss or theft) will lead to the disclosure of all information encrypted with this key.

2)Asymmetric encryption. The key k1- in this case is called «public», and the key k2 — «secret». The public key is calculated from the secret key in various ways (depending on the specific encryption algorithm).

The reverse calculation of k2 from k1 is practically impossible.

The point of asymmetric encryption is that the key k2 is kept secret by its owner and should not be known to anyone; key k1, on the contrary, is distributed to all users who want to send encrypted messages to the owner of key k2; any of them can encrypt information on key k1, but only the owner of the secret key k2 can decrypt it.

Both keys: the symmetric key and the secret key of asymmetric encryption must be absolutely random — otherwise, an attacker theoretically has the opportunity to predict the value of a certain key.

Therefore, random number generators (RNG) are usually used to generate keys, preferably hardware ones.

It is worth mentioning that all Russian government organizations and a number of commercial ones are required to use the domestic symmetric encryption algorithm GOST 28147-89 to protect data.

This is a strong cryptographic algorithm, in which no shortcomings have been found for more than 12 years of use.

EDS

EDS allows you to guarantee the integrity and authorship of information (diagram 2).

As can be seen from the diagram, EDS also uses cryptographic keys: secret and public.

The public key is calculated from the secret key using a fairly simple formula, for example: y = ax mod p (where x is the secret key, y is the public key, and a and p are the parameters of the digital signature algorithm), while the reverse calculation is very labor-intensive and is considered impossible to implement in an acceptable time with modern computing power.

 

Scheme 2. Scheme for using digital signature

The scheme for distributing digital signature keys is similar to the scheme for asymmetric encryption: the secret key must remain with its owner, while the public key is distributed to all users who wish to verify the digital signature of the owner of the secret key.

It is necessary to ensure the inaccessibility of your secret key, because an attacker can easily forge the digital signature of any user by gaining access to their secret key.

Any information can be signed with an electronic signature.

The information is first processed by the hashing function, the purpose of which is to generate a sequence of a certain length that unambiguously reflects the content of the information being signed.

This sequence is called a «hash», the main property of a hash is that it is extremely difficult to modify the information so that its hash remains unchanged. The domestic standard of hash functions GOST R 34.11-94 provides for a hash of 256 bits.

The digital signature is calculated based on the hash of the information and the user's secret key. As a rule, the digital signature is sent together with the signed information (the digital signature of a file is most often simply placed at the end of the file before it is sent somewhere over the network).

The digital signature itself, like the hash, is a binary sequence of a fixed size. However, in addition to the digital signature, a number of service fields are usually added to the information, primarily identification information about the user who has put the digital signature; moreover, these fields are involved in calculating the hash. When checking the digital signature of a file in interactive mode, the result may look like this:

«The signature of the file «Document.doc» is correct: Ivanov A.A. 25.02.2003″.

Naturally, in case of an invalid digital signature, the corresponding information is displayed, containing the reason for recognizing the digital signature as invalid. When checking the digital signature, the hash of the information is also calculated; if it does not match the one obtained when calculating the digital signature (which may indicate an attempt to modify the information by an intruder), the digital signature will be invalid.

Along with GOST 28147-89, there is a domestic digital signature algorithm: GOST R 34.10-94 and its newer version GOST R 34.10-2001. Government organizations of the Russian Federation and a number of commercial ones are required to use one of these digital signature algorithms in combination with the hashing algorithm GOST R 34.11 -94.

There is also a simpler way to ensure the integrity of information — calculating the imitator prefix. The imitator prefix is ​​a cryptographic checksum of information calculated using the encryption key.

In particular, one of the modes of operation of the GOST 28147-89 algorithm is used to calculate the imitator prefix, which allows you to obtain a 32-bit sequence from information of any size as an imitator prefix. Similar to the hash of information, the imitator prefix is ​​extremely difficult to forge.

The use of imitation prefixes is more convenient than the use of digital signatures: firstly, it is much easier to add 4 bytes of information, for example, to an IP packet sent over the network, than a large digital signature structure; secondly, the calculation of the imitation prefix is ​​a significantly less resource-intensive operation than the formation of a digital signature, since in the latter case such complex operations are used as raising a 512-bit number to a power whose exponent is a 256-bit number, which requires quite a lot of calculations.

The imitation prefix cannot be used to control the authorship of a message, but in many cases this is not required.

Comprehensive use of cryptographic algorithms

To securely transfer any files over the network, it is enough to sign and encrypt them. Diagram 3 shows a specialized archiving technology that provides comprehensive protection of files before sending them over the network.

 

Scheme 3. Specialized archiving technology

First of all, the files are signed with the sender's secret key, then compressed for faster transmission. The signed and compressed files are encrypted with a random session key, which is only needed to encrypt this portion of the files — the key is taken from a random number generator, which must be present in any encryptor. After that, a header containing service information is added to the special archive formed in this way.

The header allows you to decrypt the data upon receipt.

For this purpose, it contains the session key in encrypted form.

After the data is encrypted and written to the archive, the session key, in turn, is encrypted using the pairwise communication key (DH key), which is calculated dynamically from the secret key of the file sender and the public key of the recipient using the Diffie-Hellman algorithm. The pairwise communication keys are different for each «sender-recipient» pair.

The same pairwise key can only be calculated by the recipient whose public key was used to calculate the pairwise key on the sender's side.

The recipient uses its own secret key and the sender's public key to calculate the pairwise key. The Diffie-Hellman algorithm allows one to obtain the same key that the sender generated from its own secret key and the recipient's public key.

Thus, the header contains copies of the session key (according to the number of recipients), each of which is encrypted using the sender's pairwise key for a specific recipient.

After receiving the archive, the recipient calculates the pairwise key, then decrypts the session key, and finally decrypts the archive itself. After decryption, the information is automatically decompressed. Lastly, the digital signature of each file is checked.

Protection from external threats

There are many methods of protection against external threats — countermeasures have been found against almost all the dangers listed in the first part of this article. The only problem that has not yet been adequately solved is DDoS attacks. Let's consider the technology of virtual private networks (VPN — Virtual Private Network), which allows using cryptographic methods to both protect information transmitted over the Internet and prevent unauthorized access to the local network from the outside.

Virtual private networks

In our opinion, VPN technology is a very effective protection, its widespread implementation is only a matter of time. Proof of this is at least the implementation of VPN support in the latest operating systems of Microsoft — starting with Windows 2000.

The essence of VPN is as follows (see diagram 4):

  1. All computers with Internet access (the Internet can be any other public network) are equipped with a VPN implementation tool. Such a tool is usually called a VPN agent. VPN agents must be installed on all global network outputs.
  2. VPN agents automatically encrypt all information transmitted through them to the Internet, and also monitor the integrity of the information using impersonation devices.

 

Diagram 4. VPN technology

As is known, information transmitted on the Internet is a set of IP protocol packets, into which it is divided before sending and can be repeatedly divided along the way.

VPN agents process IP packets, the technology of their work is described below.

1. Before sending an IP packet, the VPN agent does the following:

  • The IP address of the packet recipient is analyzed. Depending on the address and other information (see below), the protection algorithms for this packet are selected (VPN agents can simultaneously support several encryption and integrity control algorithms) and cryptographic keys. The packet may be completely discarded if such a recipient is not specified in the VPN agent settings.
  • The packet's impersonator is calculated and added to the packet.
  • The packet is encrypted (entirely, including the IP packet header containing service information). A new packet header is formed, where the recipient's address is replaced by the address of its VPN agent. This is called packet encapsulation. When encapsulation is used, data exchange between two local networks is externally presented as exchange between two computers on which VPN agents are installed. Any information useful for an external attack, such as internal IP addresses of the network, is inaccessible in this case.

2. When an IP packet is received, the reverse actions are performed:

  • Information about the VPN agent of the packet sender is obtained from the packet header. If such a sender is not among those allowed in the settings, the packet is discarded. The same thing happens when receiving a packet with an intentionally or accidentally damaged header.
  • According to the settings, cryptographic algorithms and keys are selected.
  • The packet is decrypted, then its integrity is checked. Packets with compromised integrity are also discarded.
  • At the end of processing, the packet in its original form is sent to the real recipient via the local network.

All of the above operations are performed automatically, and the work of VPN agents is invisible to users. The only difficult part is configuring VPN agents, which can only be done by a very experienced user. The VPN agent can be located directly on the protected computer (which is especially useful for mobile users). In this case, it protects the data exchange of only one computer — the one on which it is installed.

VPN agents create virtual channels between protected local networks or computers (the term «tunnel» is usually applied to such channels, and the technology of their creation is called «tunneling»). All information goes through the tunnel only in encrypted form. By the way, VPN users, when accessing computers from remote local networks, may not even know that these computers are actually located, perhaps, in another city — the difference between remote and local computers in this case is only in the data transfer speed.

As can be seen from the description of the VPN agent actions, some IP packets are discarded by them. Indeed, VPN agents filter packets according to their settings (the set of VPN agent settings is called the «Security Policy»). That is, the VPN agent performs two main actions: creating tunnels and filtering packets (see diagram 5).

 

Diagram 5. Tunneling and filtering

An IP packet is dropped or directed to a specific tunnel depending on the values ​​of the following characteristics:

  • Source IP address (for an outgoing packet, the address of a specific computer on the protected network).
  • Destination IP address.
  • The higher-level protocol to which the packet belongs (for example, TCP or UDP for the transport layer).
  • The port number from which or to which the packet was sent (for example, 1080).

The VPN technology is described in more detail in specialized literature.

E. S. Gryaznov, systems analyst at ANKAD
S. P. Panasenko, head of the software development department at ANKAD

    Мы используем cookie-файлы для наилучшего представления нашего сайта. Продолжая использовать этот сайт, вы соглашаетесь с использованием cookie-файлов.
    Принять