The Internet, by design, is an open network that allows anyone to contact anyone else. While this openness makes communication between individuals and devices a breeze, it also creates pressing security concerns. As CIOs and IT managers around the world work to lock down their companies’ networks and data, the design of the Internet is proving to be a tricky stumbling block.
The root of the problem is that when the inventors of the Internet created the technology, they never envisioned that it would become so ubiquitous — or that it would serve as a way for malicious hackers to spread worms, trojans and other malware. The inventors aimed for openness and functionality, which they achieved, but with that success came a downside. The structure of the Transmission Control Protocol/Internet Protocol, commonly known as TCP/IP, turned out to be less secure than it could have been, to put it mildly.
“A lot of people, even some of my colleagues in the security business, have said that the protocol suite was designed poorly from a security perspective,” Steve Bellovin, a Fellow at AT&T Labs Research, told the E-Commerce Times.
In terms of the Internet’s future, is it possible to build a solid house on such a weak foundation?
House Without Locks
Angelos Keromytis, assistant professor in the computer science department at Columbia University, told the E-Commerce Times that data on the Internet is bundled into packets, which then are sent across the network.
Unlike caller ID on a phone line, however, there is no way to discern the source of a packet. This fact makes it difficult for IT security personnel to trace the source of attacks — and easy for malicious hackers to hide their tracks. “It allows a bad guy to easily probe a remote network and see what’s running there,” Keromytis said.
Gartner research vice president Richard Stiennon confirmed that packet anonymity is a serious issue for Internet security. He noted that most applications trust the source address of IP packets. “Firewalls and routers all think the return address is correct,” he told the E-Commerce Times. “That leads to the easy launch of denial-of-service attacks and worms.”
The Internet’s unlocked doors have become a concern because they are such a fundamental part of the network technology.
“Because of the way TCP/IP works, it’s an open network,” Keromytis said. “Other network technologies don’t have that problem. They have other issues, but only IP is subject to this difficulty with abuse.”
What’s the Problem?
Although Bellovin said many of his colleagues believe the TCP/IP protocol suite was poorly designed, the AT&T Fellow is not so sure. As he explained, “While there have been flaws and errors, from both a theoretical and practical perspective, there’s very little wrong with TCP/IP.”
He noted that most of the frequently discussed network security problems are not about networks at all. Rather, they are host security problems, and the network is just a transport mechanism.
Bellovin compared the situation to bank robberies. “[S]treets, highways and getaway cars don’t cause bank robberies, nor will redesigning them solve the problem. The flaws are in the banks,” he said. Similarly, most security problems are due to buggy code, and changing the network will not affect that.
“Seen from this perspective,” he added, “network security devices, such as firewalls, are the network’s response to host security problems.”
Repair Service
Some strategies already exist that can effectively defend the network, Bellovin said. He noted that cryptography properly guards against some attacks, and network intrusion detection systems also help.
He added that, despite its problems, networking is the best vehicle available for scalable administration. For example, when providing a fix for buggy code, efficient application of that fix requires a network.
“As for future changes, the immediate challenge is dealing with more varied, more chaotic nets, like ubiquitous wireless and so-called ad hoc networks,” Bellovin said. “Cryptography will play a more important role there.”
Fixing the Foundation
In terms of changing the way TCP/IP is structured or creating workarounds for it, there is little hope that any major changes will appear soon. Keromytis noted that universities, research labs and companies involved in network security are working on the problem, but he said he does not foresee a single solution that can be easily implemented.
“There are many proposals,” he said. “But since the Internet is composed of many smaller networks put together, you’d have to convince everybody involved with those networks to deploy one piece of software or do a fix.”
In short, the amount of effort it would take to change the porous nature of the Internet is simply beyond the reach of any research lab or industry body.
“In some sense, it deals with economics,” Keromytis said. “There’s so much invested in this that there’s no incentive to do something fundamentally different. It’s a very difficult, large problem. We’re very far from actually having a good solution.”
This has to be countered, by people like us, at every opportunity. The Internet (in the ARPA sense) was explicitly designed for availability and that is absolutely a security-centric design point. Without availability guarantees, the rest is irrelevant.
Joan Feigenbaum and I got in a rather public argument with Tony Rutkowski two Fridays ago at Yale on this very issue — the critical feature, the one that we should all pay homage to every day, is that Clark, Kent and Saltzer concluded that the end-to-end design point was the right one to take for matters of security for individual protocols and entities. No other decision was as critical or as wise. This "was not designed for security" cant is myopic, antihistorical, and misleads lesser minds. Carried to its obvious conclusion is a nanny state for electrons.
— Dan Geer
Bellovin is right that the problem is insecure hosts and can’t be solved using firewalls and/or new protocols. The internet is a global community. If you consider communities around the world, there are some where it is safe to go out at night and others where people who can afford it never mingle with ordinary people and live in guarded compounds. Because governments have a duty to be accessible, "best security practices" for government sites should not be copied from a business model. Governments should assume responsibility for shaping the internet community.
Bellovin’s suggestions are a step in the right direction.