Security Problems in Wide Area Networks
Copyright (C) 05/1996 by Howard FuhsContent:
The Physical Infrastructure is vulnerable
Introduction
The increasing globalisation of resources and markets forces corporations and companies to expand their networks to equip even the most remote divisions with state-of-the-art computer installations and allow them access to central internal information, enabling them to make rapid decisions.
This leads to the establishment of a WAN - Wide Area Network. This technology enables companies to exchange and correlate data and information throughout this Wide Area Network. It is up to the enterprise to specify the scope and design of the WAN. Thus, it is not unusual that large companies have at their disposal an extended network with connections to all their divisions world wide.
Irrespective how the WAN is designed, it has one property that makes it vulnerable to attacks. The network leaves the controlled area belonging to the enterprise and is uncontrolled and publicly accessible over long distances.
The vulnerability of a WAN is, however, not caused only by the possibility of the corresponding infrastructure being directly sabotaged or destroyed. It is not only the cables that leave the area under company protection. No, the data transmitted on the net leave as well. It is fairly easy to intercept or listen in on data transmitted through a cable without causing too much attention.
lt should be stated clearly that when you consider radical or Terrorist circles, targeted attacks on WANs seem more and more likely to happen in the future. The risk involved in this type of attack is comparatively low and the effect can be very high, indeed. It is easier for an attacker to attack an infrastructure that is outside the direct protection of the owner of the information than to carry out an attack on a well protected data centre inside the perimeter of the target.
Also with regard to industrial espionage WANs constitute ideal points of attack. The risk of getting caught is as low as in case of a Terrorist attack. Thus it is extremely likely that it is possible to carry out data espionage in this manner for extended periods of time with almost no risk of detection.
lt is evident that Wide Area Networks have two fundamental problems:
- The physical infrastructure is vulnerable
- Information traveling over a Wide Area Network are vulnerable to attack (capture, evesdropping, falsification, etc.)
The Physical Infrastructure is vulnerable
This vulnerability is caused by cables being routed remotely, away from the information owner. In this connection it is immaterial whether a cable is torn by a builder's digger or by a saboteur with the intention of harming the enterprise. In both cases the result is a broken network connection, data is no longer available and this situation may continue for several hours, even days. The potential costs caused by this are difficult to calculate but can become very significant.Several factors need to be taken into account when suitable countermeasures are considered to reduce the vulnerability of the infrastructure.
Irrespective of whether we are talking about an individual building or about a company plot or area, two mutually independent main conduits for data and Telephone connections should always be installed. Furthermore, these two main connections should be sufficiently separated from one another to avoid them falling prey to one single attack. Their routes should not be in proximity to each other, e.g. in the same cable bay or the same vertical cable conduit between floors.
This principle will make it necessary for an attacker to disperse his efforts on several targets at the same time, thus reducing his force to attack each individual point. In case one connection gets knocked out it is possible to continue using the second connection without huge disruptions or problems.
lt must be emphasized that the two cables must be kept apart in space throughout their route. Separate cable connections make little sense in case they are both routed through the same physical conduits. lf that particular conduit fails that would lead to the simultaneous failure of both connections, still a single point of failure.
The situation of the connection points, the routing of the cables, the exact wire markings (colours, numbers) as well as the situation of the most important cable ducts is to be classified as confidential. lt is important to make it close to impossible to carry out a targeted attack, be it sabotage or espionage, without insider knowledge, and difficult even in possession of insider knowledge, requiring in fact high-level knowledge.
Potential points of attack should be identified. These should be inspected with irregular, not too large, intervals. These inspections should be carried out by suitable craftsmen and all irregularities should be noted and corrected if necessary, e.g. unlocked inspection hatches, covers that have been removed, etc. This is particularly true for cable conduits. These often falls under the area of responsibility of telecom suppliers, and it may be possible to involve the security organisation of the supplier in positive co-operation.
In case of mission-critical stretches of the cabling it is a good idea to consider installing redundancy in the form of non-terrestrial connections, e.g. laser connections, satellite connections or radio connections.
This advice is also appropriate to counter other types of incidents, e.g. fires.
The Information is Vulnerable
When it comes to protecting the information, itself, from attacks there are really only a few solutions that can be considered secure. The primary tool is a strong and efficient encryption mechanism.If modern state-of-the-art encryption techniques are introduced intercepted data packets are useless to a data-spy because it is impossible to crack the encryption and retrieve the information with the means currently available.
The only attack methods remaining under those circumstances is to remove or falsify data packets. Both these types of attacks will immediately be discovered because it would no longer be possible to decrypt a data stream containing falsified packets or missing packets.
Nevertheless it always makes sense to use suitable authentication mechanisms at several levels of the network protocol. Several standards and methods exist to accomplish this.
Without these types of protection important information should not be let out of the organisation to be sent across insecure cables.
It is, however, not sufficient to protect particularly important information in this manner.
The reason for this is that it is possible to use advanced and modern statistical methods to extract important information from large amounts of seemingly unimportant, and thus perhaps un-encrypted, information. "Unimportant" information can leak important information if there is enough of it e.g. about methods and procedures used by the enterprise, business connections, legal problems, etc. Memory is cheap, so is computing power, making it feasible for parties outside government intelligente to perform types of information analysis that have only recently become possible.
In this case it is not a question of information quality, only of information quantity.
In other words, all data traffic should be routinely encrypted to leave an attacker as little as possible in terms of defined points of attack. It is obviously an important method to conceal which data are considered to be important and which not.
It also makes it impossible for an attacker to attack specific qualitative levels of information (sabotage/alter specific data packets) in the organisation and forces him to make (more) random attacks or base his attack pattern on other types of information. He will not know which damage he actually causes.
Conclusion
These WAN vulnerabilities have been known to security experts for a long time. It is also understandable that it is economically impossible to properly secure a cable network like e.g. the ordinary Telephone system.
It is also necessary to take into account that even security installed by specialists can be by-passed and fail to provide protection against specifically targeted attacks. However, by following good security practices you will make a less attraktive and harder target than if you don't!
Copyright (C) 05/1996 by Howard Fuhs