Presented at ISSS EXPO93, November, 1993, Washington D.C.
The Development of a Proactive Network Security System
Mr. Jeff Humphrey and Dr. Bruce Gabrielson
Kaman Sciences Corp.
Alexandria, VA
in Association with
Naval Research Laboratory
ADP Security Groups are quickly becoming a major force in most technical organizations with networked computer systems. The number of connections to on-site LANs (and the number of LANs) is expanding, as is the number of sites with gateways to the Internet. Closely following the growth in network connections is the incidence of cracking/hacking and the often expensive cost of cleanup.
Two issues drive the need for protecting an organization's network. Sensitive and proprietary information is often contained in the local area networked computing base on-site. The National Computer Security Act requires personal information be protected from unauthorized access. Government organizations should be in full compliance with this privacy requirement. In addition, these organizations have issued instructions regarding the protection of their sensitive, but unclassified information.
Commercial organizations have similar requirements, especially if they wish to stay in business very long. Trade secrets and market edge information are essential if a business is to remain competitive.
The other problem relates to regular data protection. Down time to get your organization's network back on-line, or simply to recover data after a virus attack, can run to millions of dollars. Costs can also be high if certain types of data are manipulated to show something other than their actual information.
With information resources so important, any organization with a networked computer should require that something be done about ADP security protection.
Cost Control in an Expanding Environment
As more ADP computing resources are added, the job of maintaining control grows. However, budgets to perform security functions are shrinking, and there are limited personnel available to address the multitude of problems. Businesses and Government organizations consider ADP security an overhead cost center, the subject of most primary budget cuts. Although staff are needed, it is increasingly difficult to hire them despite a growing workload.
The job of just identifying intrusions and network weaknesses gets more difficult as sophisticated problems become much less conspicuous. To address this issue, the necessary training and technical background of security personnel have become increasingly complex.
In an environment with many networks and network types, our own organization has found that we can no longer simply follow guidelines provided by others: they cannot tell the ADP security manager of a particular LAN all the problems or fixes that apply to his or her machine, or even which known generic network problems are not directly applicable or related. In most cases there are specific problems for specific applications, each requiring a unique fix.
Simple network administration doesn't work anymore, since now we must know when a sophisticated attack occurs, what was tampered with, and how to fix the problem in the future. Facing increasingly complex threats and the possibility of decreased resources, Kaman Sciences, in association with the Naval Research Laboratory, embarked on an ambitious program of creating a system that would allow both better control over computing resources and increased efficiency in correcting security problems in multi-networked environments.
Identification of Possible Approaches
Since many security restrictions were already imposed, any approaches or changes to the existing networks had to meet some pre-specified criteria. What we needed was a multi-faceted approach that was both technical network management oriented and also based on our existing formal individual machine security compliance.
Of the approaches considered, item 5 was determined to be the best for our particular needs. If a successful method was developed, our efficiency would initially increase, we could control our costs, and we could also continue to maintain control over our network security needs by allowing our basic system to evolve as our needs also evolved.
Proactive Testing to the Rescue
The question we faced was what methodology could work in an automated or semi-automated network environment to test our networks. When we considered both active and passive security techniques that could be applied to networks, one method appeared most likely to meet our needs. We decided on Proactive Testing because:
Specifics of Proactive/Reactive Approaches
Security software generally falls into one of two categories, reactive[1] or proactive[2]. The most common and easiest method to use is reactive testing, while proactive software is just beginning to emerge as actual applications products.
Reactive computer security is often software set up to monitor traffic and connections, keep audit trails, and generally help 'react' to cracking attempts. The goal of reactive security is to give the system administrator enough recorded or real-time information to clean up after a system attack or avoid it altogether. Examples of reactive security services include network sniffers, C2 audit trails, and network daemon[3] connection loggers.
Proactive security actively deals with the conditions and environment the computer system is operating in. A proactive approach to local system security would check default setup of system files, possibly try to crack encrypted user passwords, check the setup of user accounts, etc. A second proactive approach checks remote system security. To check remote systems, the proactive software attacks the computer system from the outside (as a system cracker would) in order to guarantee that the system is free of known security holes. This also has the effect of checking the network's intrusion detection capabilities.
Remote proactive security testing is a process whereby computer security personnel attempt to gain access to remote systems under their control. The process is much more involved than simply a sweep for information. The purpose is to uncover known system problems that were left uncorrected or identify new problems that were previously unknown. In using a proactive approach, the security office runs a series of tests against remote machines with the purpose of discovering known holes that have not been corrected.
Proactive testing benefits the system administrator in that it gives him information he may not have discovered by looking at system files. Computer systems look very different from the outside, and a new perspective goes a long way toward clearing up problems, especially when that perspective is the same as the enemy's. An effective proactive testing program also gives the remote system administrator a feeling of security when testing is no longer effective against his or her machines.
The proactive security methodology is in reality an overall program which encompasses many aspects of security in addition to network testing. The intent is to develop and apply a total network security program which will in turn lead to a well protected network. A typical proactive program would include the areas identified in Figure 1.
Figure 1 - Some Major Aspects of a Good Proactive Computer Security Program
Below are listed two typical examples of a proactive test scenario.
Characteristics of the Ice-Pick Program
The proactive package developed by Mr. Jeff Humphrey of Kaman Sciences to meet NRL's demanding requirements is called Ice-Pick. The Ice-Pick package is a window driven program that provides a multi-layered approach to network testing. As previously mentioned, the project was initiated to increase staff efficiency in isolating and correcting network vulnerabilities. The original goal of Ice-Pick was to develop an interactive cracker tool that could be used to identify frequently exploited security problems present on well known UNIX based operating systems.
Both passive and active testing are used to collect very specific information about each of the computer systems connected to the network under test. This information is used to determine the vulnerability of a network to a directed attack.
The Ice-Pick interface is written in "X" on a UNIX-based workstation. This interface can be used to map entire networks, machines, gateways, and the links between them. This format allows a quick point-and-shoot method of testing for over 13 different major test categories. Target identification and verification are done through architecturally specific signatures present in information returned from Ice-Pick queries. A typical Ice-Pick type attack scenario is shown in Figure 2.
Figure 2 - Typical Ice-Pick Attack Scenario
There is one more way in which hosts are added to the network mapping interface, by way of the mapping software itself. By default, when a new system or address is added to the mapping interface, its location on the network is automatically verified by a tracing routine embedded in the code itself. This tracing algorithm often finds new hosts (gateways) which lie between the tester and the target system. These systems are added to the available pool of testable systems automatically and need not be known by the user of the Ice-Pick program.
Test selection is the most important part of any remote proactive tool. This is the phase of program operation in which the user decides what security holes are going to be tested on the remote system or network, and in which order they will be used. Inside the Ice-Pick interface, tests are selected by using the mouse to move test blocks into a row in the order they are to be executed. The priority is up to the program's user.
Among the many tests currently available in the Ice-Pick user's arsenal are:
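The map-building step described above, as an added illustration that is not Ice-Pick's own code: given the hop list a tracing routine returns for each target, intermediate hops are recorded as gateways and added to the testable pool, and each target's location is verified by checking that its trace actually ends at it. The addresses and traces are constructed sample data.

```python
# Added example, not from the Ice-Pick program. Builds a host/gateway/link
# map from per-target traces and adds discovered gateways to the test pool.

# Constructed sample traces: target -> ordered hops seen by a tracing
# routine (the tester itself would be hop 0 and is omitted).
SAMPLE_TRACES = {
    "10.1.5.20": ["10.1.0.1", "10.1.5.1", "10.1.5.20"],
    "10.1.5.21": ["10.1.0.1", "10.1.5.1", "10.1.5.21"],
    "10.2.7.9":  ["10.1.0.1", "10.2.0.1", "10.2.7.9"],
}


def build_map(traces, known_hosts):
    """Return (hosts, links). hosts maps address -> 'target' or 'gateway';
    links is the set of (from_hop, to_hop) pairs the traces traversed.
    Hops the user never named are added to hosts automatically."""
    hosts = {h: "target" for h in known_hosts}
    links = set()
    for target, path in traces.items():
        prev = None
        for hop in path:
            # Any hop that is not the target itself is an intermediate
            # gateway; a hop already known as a target keeps that role.
            hosts.setdefault(hop, "target" if hop == target else "gateway")
            if prev is not None:
                links.add((prev, hop))
            prev = hop
    return hosts, links


def verify_location(traces, target):
    """A target's position is confirmed only if its trace ends at it."""
    path = traces.get(target)
    return bool(path) and path[-1] == target


def new_gateways(hosts, known_hosts):
    """Gateways the tracing step discovered that the user did not supply."""
    known = set(known_hosts)
    return sorted(h for h, role in hosts.items()
                  if role == "gateway" and h not in known)


if __name__ == "__main__":
    targets = list(SAMPLE_TRACES)
    hosts, links = build_map(SAMPLE_TRACES, targets)
    print("discovered gateways:", new_gateways(hosts, targets))
    print("links:", sorted(links))
```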
There are also a number of tests which require user participation in their execution. One such test is the 'guess' test, in which the user can add possible 'username/password' combinations to the suite of couples to be guessed at.
Remote system testing is the phase in which the user watches the program as it fires tests off at remote systems and networks. Not much participation is required by the user at this point, but a number of visual cues are sent to the interface to facilitate a 'video game' atmosphere in which the Ice-Pick user can simply watch machines get pounded on. Testing can, of course, be stopped at any time.
Report generation is one of the most important phases. During this phase of program execution, after testing has completed, the user has options as to how he/she wishes to view the testing results. The following options are allowed ...
Simple viewing: The user looks at results with the interface but does not actually create a document describing those results.
Network report generation: The user allows the program to generate a report with statistical data for the network as well as summaries of testing results against all hosts on that network.
System report generation: The user allows the tool to create a separate report for each system on the network (normally e-mailed to system administrators from the person in charge of testing in a real facility).
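The two report forms above, as an added example that is not Ice-Pick's own code: a network-wide statistical summary and a per-system report suitable for mailing to each administrator. The hosts, the test names other than 'guess', and the outcomes are constructed sample data; True means the test succeeded against the host, i.e. a hole is present.

```python
# Added example, not from the Ice-Pick program. Turns per-host test
# outcomes into a network report and one report per system.
from collections import Counter

# Constructed sample results: host -> {test name: hole found?}. 'guess'
# is the page's username/password guessing test; the other names are
# invented category labels for this example.
SAMPLE_RESULTS = {
    "10.1.5.20": {"guess": True, "default-setup": True, "account-setup": False},
    "10.1.5.21": {"guess": False, "default-setup": False, "account-setup": False},
    "10.2.7.9":  {"guess": False, "default-setup": False, "account-setup": True},
}


def network_report(results):
    """Statistics for the whole network: hosts tested, hosts with at least
    one successful test, and how many hosts each test succeeded against."""
    per_test = Counter()
    hosts_with_findings = 0
    for outcome in results.values():
        hits = [t for t, found in outcome.items() if found]
        if hits:
            hosts_with_findings += 1
        per_test.update(hits)
    tested = len(results)
    pct = round(100.0 * hosts_with_findings / tested, 1) if tested else 0.0
    return {
        "hosts_tested": tested,
        "hosts_with_findings": hosts_with_findings,
        "percent_with_findings": pct,
        "findings_by_test": dict(per_test),
    }


def system_report(host, outcome):
    """One plain-text report for a single system, listing every test run
    against it and a closing tally of how many succeeded."""
    lines = [f"Proactive test report for {host}"]
    for test, found in sorted(outcome.items()):
        lines.append(f"  {test:<14} {'HOLE FOUND' if found else 'ok'}")
    hits = sum(1 for found in outcome.values() if found)
    lines.append(f"  {hits} of {len(outcome)} tests succeeded against this host")
    return "\n".join(lines)


def all_system_reports(results):
    """Separate report per system, keyed by host, ready to be mailed out."""
    return {host: system_report(host, outcome) for host, outcome in results.items()}


if __name__ == "__main__":
    print(network_report(SAMPLE_RESULTS))
    for report in all_system_reports(SAMPLE_RESULTS).values():
        print(report, "\n")
```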
Is the Program Successful?
With Ice-Pick in hand, the system manager knows how vulnerable his system is. In effect, he can launch an offensive attack against one or more of the computer systems on the network, just as any outside hacker could. The difference is that once the network is penetrated, the result is a report on vulnerabilities rather than the loss of data or the insertion of a virus or other malicious code.
Ice-Pick has quickly evolved from its original form and continues to increase its capabilities as a network based security tool. The addition of new tests to the program is unavoidable as ever more complex problems are identified within existing and emerging operating systems on a regular basis.
Ice-Pick has now become more than just a successful test tool at NRL. The overall test program has allowed site security personnel to gain control over their organization's network security issues by centralizing system security testing, greatly increasing our staff efficiency, and reducing the costs of both oversight and recovery.
[1] Reactive Security: Reactive computer security deals with who-did-what-when issues as related to local and remote system activity.
[2] Proactive Security: Proactive computer security addresses the need to check the current setup of a system in order to verify that the system is secure. A proactive package would look at default conditions as they currently exist on the system and identify problem areas.
[3] Daemon: A program running in the background (or activated by interrupt) which provides a network based service to remote users.