Evolution of Operating Systems Designs/Networking: Security
When networking first started, connections between computers were simple one directional links. Then Two directional links were developed. Then banks of connections became possible, and so on. Today literally millions of computers are connected to every computer in the internet. At each expansion of networking to a large audience, the problems caused by connectivity increased.
At first it was enough to have access control to the computer room. then as computers began to connect, it was found that service companies were building illicit links into the computer rooms in order to deal with service requirements without visiting the site. These Back door links were at first thought to be a good idea, but later found to be a security problem. The development of War Dialing made an extra phone line into the computer a security breach.
At first networks were in-house, you could, it was thought trust the computers in your own computer room, because you had access control. But about this time time-sharing began to happen, and terminals spread outside the computer room in large banks. Some of these terminals had system user capabilities and thus could be used to attack data integrity from outside the confines of the computer room. Later, computers became even more prevalent, and everyone seemed to have one. The idea of Local area Networks was created, in order to allow people to hook up their own systems within an office or home.
Then internetworking began to happen, one network hooked up to another network, and so on. It became possible for disgruntled employees to reach beyond their local network, and play havoc with networks on the other side of the building. Then internetworking took off, and the Internet was created and it became possible for people half the world away to affect your private computer. Obviously you needed some control over who was allowed into your computer.
Hubs and Packet Sniffers
Along with networking came the idea of a hub, where multiple computers were hooked up to the same network segment. It was found that if a network card was put in promiscuous mode it could listen in to all the data flowing through its own network segment. All that was needed was a packet sniffer, and you could literally read the data right off the network.
Switches and Routers
Eventually data speeds became high enough that more control over network segments was required, and a switch was substituted for the hub. this passively separated the data so that only data aimed at a particular network card passed through the switch into that network segment. However for larger networks, something similar was needed to link the larger segments together, and Internetworking Routers were designed. Essentially a Router is an active device that routes data to the network segment that connects it to the particular network card. Gradually more and more advanced routers became possible and now some routers routinely switch data between different network segments so as to balance loads across the network. One of the interesting aspects of the Iraqi war was that they had Internet routers for their command and control and as long as there was even partial connections between the soldiers and command, the commands could keep passing to the soldiers.
As routing became possible special programs were run, often on the router, to limit the access of unqualified users. These programs called firewalls, were supposed to limit security breaches. However as more and more became known about how firewalls worked, security became more and more difficult and new firewall designs needed to be created.
One of the problems was that internet relied on programs called Daemons which offered services automatically without operator intervention. These Daemons listened to transport channels called Sockets in order to serve up their data. Vulnerabilities in the programming of the Daemons made it possible for crackers to break into a system without the owners awareness. A simple program could scan all the sockets, and report which versions of which Daemons answered the connection request, and from that it could be determined which socket was most vulnerable to cracking.
In order to counter this firewalls had to become more sophisticated and shut down any attempts to scan the sockets of a computer. As well scanners were made publically available so that people could evaluate their firewalls and determine if they shut down the more vulnerable sockets or not.
One way of limiting access was the idea of a packet filter, which could limit which types of packets were allowed to access the network segment. The problem with this type of firewall was that it was so secure that Users often complained that nothing was getting through.
The idea of a Demilitarized Zone, developed as a result. Obviously the Users wanted access to some Internetworking services, but the Data in the most secure computers needed to be protected as well, so a compromise was reached. Two different types of firewalls would be installed, one between the users and the internet to protect them from hacking attacks, and one between the users and the secure filesystem, that only accepted valid packets. The user area was called the demilitarized zone because while it was protected the whole firepower of the most secure firewall was not offered to it. As well a firewall program could be implemented on the individual computer that would limit the access to the sockets by prompting the user whenever programs went to access the internet.
The idea of Intrusion Detection, is that when someone successfully manages to penetrate your security, you want to be able to quickly notice their penetration and be able to deal with it. In one of the first documented cases of Intrusion Detection, an American student was hired by his university to determine why an operating system accounting program that was formerly stable had suddenly broken and had lost a few cents. Over a period of months, he developed first the idea that the problem was related to a specific Users account, then the idea that the user account had been hacked, then developed a methodology to track and trick the hacker into revealing his location, and finally managed to shut down a German Spy Ring based on Hackers. The student wrote a book about it, popularizing the concept of Intrusion Detection.
The seminal work on Intrusion Detection started in the 1970's and was first published in 1980 by James P. Andersion. He set out some standards for audit trails that made them comprehensive enough to detect anomalies in operation, but not so comprehensive as to allow intruders to detect the presence of Intrusion Detection, or unduly confuse an auditor.
In 1984 to 1985 Dorthy Denning and Peter Neumann did more seminal work on how to use anomaly detection and an expert system, to detect the likelihood of abuse. Called IDES the system was able to reliably detect abuse because the Anomaly detector could adapt to changes in use, while the Expert System could detect abuse, and link it back to particular behaviors.
By 1990 Intrusion Detection began to move beyond merely auditing the computer system, and began to monitor network connections as well. It quickly became obvious that only about 1 percent of intrusions were being detected by earlier means. A system called DIDS was developed that was capable of tracking intrusions that hopped from computer to computer so that proper attribution of damage could be done. From this first work in the 1980's considerable work has been done on development of the capability of tracking anomalous use of the computer, and security threats so that they can be managed.