

Authorization

Authorization provides a means of controlling which legitimate users have access to which resources. Authorization involves complex software which resides on every secured computer on the network. Ideally, it provides single sign-on capability. Authorization systems commonly used in support of Net security include Kerberos, Sesame, and Access Manager.

Kerberos
draws its name from Kerberos (also known as Cerberus), the three-headed monster which guarded the entryway to the infernal regions in Greek mythology. Perhaps the best known authorization software, it was developed by the Massachusetts Institute of Technology (MIT) and is available without charge, although more powerful commercial versions exist as well. As Kerberos uses DES, it is not easily exportable. IBM's Kryptoknight is a Kerberos variant, weaker but exportable. By way of example, EIN uses Kerberos in its Secure Server product. Although Hercules defeated Kerberos, according to Greek legend, a hacker of Herculean proportions has yet to emerge victorious over this powerful software.
Sesame (Secure European System for Applications in a Multivendor Environment)
was developed by the ECMA (European Computer Manufacturers Association). It is flexible, open and intended for large, heterogeneous network computing environments. It also is highly complex and not effective for smaller applications.
Access Manager
recently approved by the IETF, uses an API for application development, employing scripting. Scripting involves a process of mimicking the log-on procedures of a program, providing basic levels of security for small networks.

Firewalls

Firewalls are application software that reside in a communication router, server, or some other device. That device physically and/or logically is a first point of access into a networked system (see Figure 13.5). On an active basis, the device can block access to unauthorized entities, effectively acting as a security firewall. Firewalls provide logging, auditing, and sucker traps to identify access attempts and to separate legitimate users from intruders. Firewalls can be in the form of a programmable router (≥$3,000) or a full set of software, hardware, and consulting services such as offered by DEC in the form of SEAL (Screening External Access Link) (≥$25,000). While detailed discussion of firewalls is beyond the scope of this book, the intensity of interest is indicated by references [13-61] through [13-66].


Figure 13.5  Firewall implementation in a router.

SATAN

SATAN (Security Administrator Tool for Analyzing Networks) is software designed to identify and report security weaknesses, including unauthorized access and virus contamination. Through mimicking an intruder, the software was designed to identify security holes and to alert the system administrator of their presence. Very easy to use as a result of its Mosaic interface, SATAN unfortunately also can be employed to crack the very security it is intended to ensure. SATAN was developed by Dan Farmer of Silicon Graphics and Wietse Venema of the Netherlands University of Eindhoven. When Farmer made SATAN available, free-of-charge, on the Internet on April 5, 1995, he separated from Silicon Graphics, officially by mutual consent.

CERT issued a SATAN advisory warning on April 10, 1995. That warning suggested that SATAN posed significant risk of intrusion when run with certain Web browsers, including Netscape and Lynx, but not Mosaic. The danger is presented if a user moves immediately from a session running SATAN to browsing the Web, without first quitting the browser. The very next day, Dan Farmer posted SATAN v.1.0 on the Web. That version offers tighter security and warns users of the potential for system vulnerability.

Misuse and Content

There have been a large number of highly publicized cases of the Internet and the Web having been misused for illicit and immoral purposes including transmitting stolen credit card numbers and cellular telephone ID numbers. While any communications medium can be used for such purposes, the Net creates another set of difficulties for law enforcement, as communications are virtually instantaneous and multiple parties can gain access to the illegal data through a bulletin board. Further, it is difficult if not impossible in many cases to track down the offenders.

The U.S. Federal Communications Commission (FCC), however, is seriously considering regulating the content of the Internet. While censorship can go too far, there are numerous and clearly documented cases of beasts who prowl the Net. (Author’s humble opinion: At the risk of lapsing into a discussion of morals, there should be a method for constraining those who would use the Net and the Web for immoral purposes as defined by law. At the very least, there should be a means of blocking access of minors to such material. There also should be stiff penalties imposed on violators.)

The Electronic Frontier Foundation, Electronic Privacy Foundation, and Voters Telecommunications Watch are battling the FCC and U.S. Congress in this regard, citing freedom of speech; petitions were passed (you guessed it) over the Internet. Although a Communications Decency Act was passed in 1996, it was overturned in Federal District court, citing violation of free speech as guaranteed by the First Amendment to the Constitution. The federal government is expected to appeal to the U.S. Supreme Court. Should the Act be upheld, remaining to be addressed would be the issues of who would assume the role of cybercop, and the extent to which the service providers would be held liable for the transgressions of their subscribers. While we may never see Net content censored, there do exist a number of commercially available software filters that allow parents to deny access to Internet sites which might contain unsavory content, as defined by the filter developers. Those filters run against Web servers, which are updated on a regular basis in order to keep pace with the dynamics of the Web sites and their content. Outside the United States, very tight content controls have been exercised in some countries; as one might expect, those nations include Singapore and the People's Republic of China (PRC).

