Placement of Encryption Function
If encryption is to be used to counter attacks on
confidentiality, we need to decide what to encrypt and where the encryption
function should be located. To begin, this section examines the potential
locations of security attacks and then looks at the two major approaches to
encryption placement: link and end to end.
Potential Locations for Confidentiality Attacks
As an example, consider a user workstation in a typical
business organization. Figure 7.1
suggests the types of communications facilities that might be employed by such a
workstation and therefore gives an indication of the points of
vulnerability.
In most organizations, workstations are attached to local area networks (LANs).
Typically, the user can reach other workstations, hosts, and servers directly on
the LAN or on other LANs in the same building that are interconnected with
bridges and routers. Here, then, is the first point of vulnerability. In this
case, the main concern is eavesdropping by another employee. Typically, a LAN is
a broadcast network: Transmission from any station to any other station is
visible on the LAN medium to all stations. Data are transmitted in the form of
frames, with each frame containing the source and destination address. An
eavesdropper can monitor the traffic on the LAN and capture any traffic desired
on the basis of source and destination addresses. If part or all of the LAN is
wireless, then the potential for eavesdropping is greater.
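The following Python sketch is an added illustration, not part of the original text. It parses constructed Ethernet II frames to show which fields every station on a broadcast LAN can read. The addresses, payloads, EtherType choice and function names are assumptions made for the example.

```python
import struct
from collections import Counter

def mac(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into its header fields and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac(dst), "src": mac(src),
            "ethertype": ethertype, "payload": frame[14:]}

def visible_flows(frames) -> Counter:
    """Count frames per (src, dst) pair using only the cleartext header."""
    flows = Counter()
    for frame in frames:
        try:
            hdr = parse_frame(frame)
        except ValueError:
            continue  # runt or damaged frame: nothing to attribute
        flows[(hdr["src"], hdr["dst"])] += 1
    return flows

def build(dst: str, src: str, payload: bytes) -> bytes:
    """Assemble a constructed frame; 0x88B5 is a local experimental EtherType."""
    to_raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_raw(dst) + to_raw(src) + struct.pack("!H", 0x88B5) + payload

# Constructed sample data: locally administered addresses, invented payloads.
SERVER = "02:00:00:00:00:01"
STATION_A = "02:00:00:00:00:0a"
STATION_B = "02:00:00:00:00:0b"
FRAMES = [
    build(SERVER, STATION_A, b"payroll query"),   # readable payload
    build(SERVER, STATION_A, bytes(range(16))),   # stands in for ciphertext
    build(SERVER, STATION_B, b"print job"),
    b"\x02\x00\x00",                              # truncated frame, skipped
]

if __name__ == "__main__":
    for (src, dst), count in visible_flows(FRAMES).items():
        print(f"{src} -> {dst}: {count} frame(s)")
```

The frame with the opaque payload is attributed to its flow exactly like the readable ones: encryption applied above the link layer protects the payload but leaves the frame addresses in the clear.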
Furthermore, the eavesdropper need not necessarily be an
employee in the building. If the LAN, through a communications server or one of
the hosts on the LAN, offers a dial-in capability, then it is possible for an
intruder to gain access to the LAN and monitor traffic.
Access to the outside world from the LAN is almost always
available in the form of a router that connects to the Internet, a bank of
dial-out modems, or some other type of communications server. From the
communications server, there is a line leading to a wiring closet. The wiring closet serves as a patch
panel for interconnecting internal data and phone lines and for providing a
staging point for external communications.
The wiring closet itself is vulnerable. If an intruder can
penetrate to the closet, he or she can tap into each wire to determine which are
used for data transmission. After isolating one or more lines, the intruder can
attach a low-power radio transmitter. The resulting signals can be picked up
from a nearby location (e.g., a parked van or a nearby building).
Several routes out of the wiring closet are possible. A
standard configuration provides access to the nearest central office of the
local telephone company. Wires in the closet are gathered into a cable, which is
usually consolidated with other cables in the basement of the building. From
there, a larger cable runs underground to the central office.
In addition, the wiring closet may provide a link to a
microwave antenna, either an earth station for a satellite link or a
point-to-point terrestrial microwave link. The antenna link can be part of a
private network, or it can be a local bypass to hook in to a long-distance
carrier.
The wiring closet may also provide a link to a node of a
packet-switching network. This link can be a leased line, a direct private line,
or a switched connection through a public telecommunications network. Inside the
network, data pass through a number of nodes and links between nodes until the
data arrive at the node to which the destination end system is connected.
An attack can take place on any of the communications links.
For active attacks, the attacker needs to gain physical control of a portion of
the link and be able to insert and capture transmissions. For a passive attack,
the attacker merely needs to be able to observe transmissions. The
communications links involved can be cable (telephone twisted pair, coaxial
cable, or optical fiber), microwave links, or satellite channels. Twisted pair
and coaxial cable can be attacked using either invasive taps or inductive
devices that monitor electromagnetic emanations. Invasive taps allow both active
and passive attacks, whereas inductive taps are useful for passive attacks.
Neither type of tap is as effective with optical fiber, which is one of the
advantages of this medium. The fiber does
not generate electromagnetic emanations and hence is not vulnerable to inductive
taps. Physically breaking the cable seriously degrades signal quality and is
therefore detectable. Microwave and satellite transmissions can be intercepted
with little risk to the attacker. This is especially true of satellite
transmissions, which cover a broad geographic area. Active attacks on microwave
and satellite are also possible, although they are more difficult technically
and can be quite expensive.
In addition to the potential vulnerability of the various
communications links, the various processors along the path are themselves
subject to attack. An attack can take the form of attempts to modify the
hardware or software, to gain access to the memory of the processor, or to
monitor the electromagnetic emanations. These attacks are less likely than those
involving communications links but are nevertheless a source of risk.
Thus, there are a large number of locations at which an attack
can occur. Furthermore, for wide area communications, many of these locations
are not under the physical control of the end user. Even in the case of local
area networks, in which physical security measures are possible, there is always
the threat of the disgruntled employee.