Technology Stocks : Newbridge Networks


To: zbyslaw owczarczyk who wrote (17138) 2/17/2000 2:19:00 PM
From: Tunica Albuginea
 
WSJ: 2/14/2000: INTERNET SECURITY.

February 14, 2000

Redesigning the Internet:
Can It Be Less Vulnerable?

By DAVID P. HAMILTON
Staff Reporter of THE WALL STREET JOURNAL

(See Corrections and Amplifications item below.)

This week's rash of mysterious attacks against Web sites
such as Yahoo! Inc. and E*Trade Group Inc. has
hammered home one message: The Internet's architecture
needs to be redesigned to prevent malicious tampering.

But how do you upgrade a far-flung network with no boss,
no central authority -- just a loose confederation of
self-governing standard-setters and rule makers?

Tightening up security will be the toughest challenge yet for
the free-form community of panels and volunteers that keep
the Web running. They have already done an extraordinary
job of allocating addresses, upgrading services and directing
traffic as Web use has grown exponentially in recent years.
But determining how to improve security, who should do it
and who, if anyone, should oversee such an effort may be
much trickier.

The technical solutions to the recent attacks aren't that difficult, many
experts argue. For starters, the federal government urged universities
and corporations this week to make sure their systems aren't being used
as unwitting platforms for the new wave of attacks, in which hackers
send commands to hundreds or thousands of servers that, in turn,
flood target computers with packets of meaningless data.

Other fixes would make it difficult or impossible to forge
the "return address" on those packets, making it easier to
trace their origin. More draconian measures would
strengthen "authentication" services to ensure that both
users and servers on the Internet are who they say they are.
But that's a step that would reduce or even eliminate the
anonymity of Internet users.

The bigger catch is that while individual Web sites can take
some steps to protect themselves, improving security
across the network as a whole requires a much broader
effort -- one that may well be beyond the capabilities of the
Internet organizations now in place.

One such group is the Internet Engineering Task Force,
essentially a collection of technical volunteers who agree on
new approaches to traffic congestion, security and other
issues. Despite its importance to the Internet's operations,
the IETF has no power to enforce its recommendations,
and instead must lead by example and moral suasion.

"We can issue statements all we like, but unless we get
buy-in from service providers and application providers --
all the people with irons in the fire -- nothing happens," says
Marcus Leech, a co-director of the IETF's security section.

The result: a network with persistent vulnerabilities to a wide
range of accidents or deliberate attacks. "People talk about
defense in depth, but what we have is weakness in depth,"
says Peter Neumann, a respected computer-security expert
at SRI International. "Usually you build a system with as
few weak links as possible, but the Internet is nothing but
weak links."

Why is that? Start with the fact that the Internet, born more
than 30 years ago, has been both blessed and cursed with
an organization that mirrors its basic, nonhierarchical
technological design. Where most communications
networks are governed by a single authority or company,
the Internet is owned by no one, and instead is maintained
as a cooperative effort by representatives of government,
industry and academia.

Similarly, no one directs communications traffic across the
Internet the way the phone company holds open a phone
circuit. Instead, messages route themselves across a chain
of servers, after being divided into equally sized packets,
containing both a destination and return address.


Up to now, the decentralized nature of the Internet has
struck many people as an almost unqualified good, since it
makes it impossible for any one company or government to
seize control of the infrastructure. It also allows just about
anyone to communicate with anyone else so long as they
follow the same set of Internet protocols, essentially a set of
rules for configuring Internet messages.

But it has also created a network in which security runs a
distant second to efficiency -- and which must rely on the
individual actions of its far-flung and disparate members to
improve matters.

Mr. Leech points out that the IETF has already approved
some techniques to help prevent service-denial attacks. One
example: a new fundamental communications protocol
known as IPv6, short for Internet Protocol Version 6.


The protocol in use today, called IPv4, lets hackers create
fake return addresses on data packets, thus making it harder
to trace attacks. IPv6, by contrast, could mark each packet
with an encryption "key" that can't be faked by hackers, and
which would securely identify the packet's origin. That
wouldn't make service-denial attacks impossible, Mr. Leech
says, but "it does make it harder for the people perpetrating
them to be anonymous."

Unfortunately, there's little urgency for the industry to move
to IPv6, and doing so would be an expensive task:
Widespread adoption would require software vendors and
makers of operating systems to rewrite their code to take
advantage of several advanced IPv6 features.

What's more, another key feature of IPv6 -- longer
numerical Internet addresses that would greatly expand the
number of sites the Web can accommodate -- is no longer
in great demand, since the industry has found other ways
around the possible address shortage.

Some experts think that computers themselves must work
differently. For example, operating systems could be
rewritten to prevent machines from performing some tasks
involved in denial-of-service attacks, such as disguising the
source of Internet traffic sent from a machine, says Bill
Hancock, an author of 25 books on information security
and vice president of security for Exodus Communications
Inc.

"Not one operating system on the market has
network-access controls built in as part of the design," says
Mr. Hancock. "Doing that would kill off a lot of these
denial-of-service attacks."


Short of changing operating systems, software makers and
computer companies could simply switch on existing
security precautions at the factory, says Matt Blaze, a
research engineer at AT&T Labs Research. If computer
systems were set at a more secure level of operation when
users buy them, there would be fewer of the loopholes that
allow hackers to unwittingly transfer improper traffic or
instructions, he says.

Mr. Neumann argues that the biggest problem is that the
Internet's fundamental communication protocols, including
IPv6, are still designed for "best case" assumptions -- not
for the possibility that someone will try to abuse them. That
approach has sacrificed security for efficiency, he says.


Down the road, security problems may only grow. One
concern: the growing number of high-speed Internet
connections on home computers, where security is lax and
high-speed connections increasingly provide "always on"
access to the Internet -- a natural reservoir for future hacker
attacks.

"There's no malaria in Washington, D.C., not because we
licked the bug, but because we drained the swamps," said
Daniel Schneier, chief technology officer of Counterpane
Internet Security Inc. "On the Internet, swampland is
being built at an alarming rate."


-------------

Message #17138 from zbyslaw owczarczyk at Feb 17 2000 12:16PM

And some were saying that NN has only ATM, what about leading VPN
GTE Internetworking preferred supplier, Two US Army contracts which include application for combat mission!!!

What about multimedia (TV, Video) 3DSL with several 200+ million contracts (350 access switch)

What about leading core LMDS over ATM

Zbyslaw