<head><title>An Architectural Overview of UNIX Network Security</title></head><body>
<H1>An Architectural Overview of UNIX Network Security</H1>
February 18, 1993<P>
Robert B. Reinhardt<BR>
breinhar@access.digex.com<P>
ARINC Research Corporation<BR>
2551 Riva Road<BR>
Annapolis, MD 21401<P>
<H2>1. Introduction</H2><P>
The goal of this paper is to present my concept of a UNIX network security architecture based on the Internet connectivity model and the Firewall approach to implementing security. This paper defines several layers of a firewall, which depict the layers of vulnerability.
This paper also provides some subjective comments on some of the most widely known tools and methods available to protect UNIX networks today, plus a brief discussion of the threat and the risk.<P>
The list of tools and methods that I present in this paper was chosen loosely on the basis of the following: (a) my attempt to find at least one, maybe several, examples of a tool or method designed to address a part of the architectural model (some duplication or overlap is accepted); (b) my preference to discuss tools that are well-known and/or part of the public domain (this is not a strict rule, although I did not purposely seek out commercial products); and (c) I hoped to find tools that had a recent paper written by the tool's author, for the reader to use as a detailed reference beyond the scope of this document.<P>
Nothing in this paper should be construed as a product endorsement. I apologize in advance to the authors of these tools and methods; since I am only presenting a brief overview, I cannot do justice to a comprehensive description of them. I also apologize to any authors whom I may have left out of this discussion; it was not intentional. The reader should check the availability information that accompanies each tool and obtain additional information prior to proceeding with any plans or implementation. Of course, there is no warranty expressed or implied in this paper.<P>
<H2>2. Risk, Threat, and Vulnerability</H2><P>
This section presents a general overview of the risk and the threat to the security of your network. These are general statements that apply to almost every network. A complete analysis of your network's risk, threat, and vulnerability should be done in order to assess in detail the requirements of your own network.<P>
<H3>2.1 Risk</H3><P>
The risk is the possibility that an intruder may be successful in attempting to access your local-area network via your wide-area network connectivity. There are many possible effects of such an occurrence.
In general, the possibility exists for someone to:<P>
<PRE>
   READ ACCESS.        Read or copy information from your network.
   WRITE ACCESS.       Write to or destroy data on your network
                       (including planting trojan horses, viruses,
                       and back-doors).
   DENIAL OF SERVICE.  Deny normal use of your network resources by
                       consuming all of your bandwidth, CPU, or memory.
</PRE><P>
<H3>2.2 Threat</H3><P>
The threat is anyone with the motivation to attempt to gain unauthorized access to your network, or anyone with authorized access to your network. Therefore it is possible that the threat can be anyone. Your vulnerability to the threat depends on several factors such as:<P>
<PRE>
   MOTIVATION.  How useful access to or destruction of your network
                might be to someone.
   TRUST.       How well you can trust your authorized users and/or
                how well trained your users are to understand what is
                acceptable use of the network and what is not
                acceptable use, including the consequences of
                unacceptable use.
</PRE><P>
<H3>2.3 Vulnerability</H3><P>
Vulnerability essentially is a definition of how well protected your network is from someone outside of your network that attempts to gain access to it, and how well protected your network is from someone within your network intentionally or accidentally giving away access or otherwise damaging the network.<P>
Motivation and Trust (see Threat, section 2.2) are two parts of this concern that you will need to assess in your own internal audit of security requirements and policy; later I will describe some references that are available to help you start this process.<P>
The rest of this paper is a presentation of my concept of the architectural model of UNIX network security (the focus of this paper). This is geared toward connectivity to the Internet (or Internet Protocol connectivity in general), employing the FIREWALL method of reducing vulnerability to the risks and the threat.<P>
<H2>3. UNIX Network Security Architecture</H2><P>
For each of the layers in the UNIX Network Security Architecture (UNIX/NSA) model below, there is a subsection that follows that gives a brief description of that layer and some of the most widely used tools and methods for implementing security controls. I am using the ISO/OSI style of model since most people in the UNIX community are familiar with it. This architecture is specifically based on UNIX Internet connectivity, but it is probably general enough to apply to the overall security of any network methodology. One could argue that this model applies to network connectivity in general, with or without the specific focus of UNIX network security.<P>
<PRE>
Layer     Name             Functional Description
-------   --------------   ----------------------------------
LAYER 7   POLICY           POLICY DEFINITION AND DIRECTIVES
LAYER 6   PERSONNEL        PEOPLE WHO USE EQUIPMENT AND DATA
LAYER 5   LAN              COMPUTER EQUIPMENT AND DATA ASSETS
LAYER 4   INTERNAL-DEMARK  CONCENTRATOR - INTERNAL CONNECT
LAYER 3   GATEWAY          FUNCTIONS FOR OSI 7, 6, 5, 4
LAYER 2   PACKET-FILTER    FUNCTIONS FOR OSI 3, 2, 1
LAYER 1   EXTERNAL-DEMARK  PUBLIC ACCESS - EXTERNAL CONNECT
</PRE><P>
The specific aim of this model is to illustrate the relationship between the various high and low level functions that collectively comprise a complete security program for wide-area network connectivity. They are layered in this way to depict (a) the FIREWALL method of implementing access controls, and (b) the overall transitive effect of the various layers upon the adjacent layers, lower layers, and the collective model. The following is a general description of the layers and the nature of the relationship between them. After this brief discussion of what each layer is, the next section of this paper will discuss examples of common methods and tools used to implement some of your options at each level, or at least try to tell you where to find out how to get started.
Note that there may be some overlap between the definitions of the various levels; this is most likely between the different layers of the FIREWALL itself (layers 2 and 3).<P>
The highest layer [ 7 - POLICY ] is the umbrella that the entirety of your security program is defined in. It is this function that defines the policies of the organization, including the high level definition of acceptable risk down to the low level directive of what and how to implement equipment and procedures at the lower layers. Without a complete, effective, and implemented policy, your security program cannot be complete.<P>
The next layer [ 6 - PERSONNEL ] defines yet another veil within the bigger umbrella covered by layer 7. The people that install, operate, maintain, use, and can have or do otherwise have access to your network (one way or another) are all part of this layer. This can include people that are not in your organization, that you may not have any administrative control over. Your policy regarding personnel should reflect what your expectations are from your overall security program. Once everything is defined, it is imperative that personnel are trained and are otherwise informed of your policy, including what is and is not considered acceptable use of the system.<P>
The local-area network layer [ 5 - LAN ] defines the equipment and data assets that your security program is there to protect. It also includes some of the monitor and control procedures used to implement part of your security policy. This is the layer at which your security program starts to become automated electronically, within the LAN assets themselves.<P>
The internal demarcation layer [ 4 - INTERNAL DEMARK ] defines the equipment and the point at which you physically connect the LAN to the FIREWALL that provides the buffer zone between your local-area network (LAN) and your wide-area network (WAN) connectivity.
This can take many forms, such as a network concentrator that homes both a network interface for the FIREWALL and a network interface for the LAN segment. In this case, the concentrator is the internal demarcation point. The minimum requirement for this layer is that you have a single point of disconnect if the need should arise for you to spontaneously separate your LAN from your WAN for any reason.<P>
The embedded UNIX gateway layer [ 3 - GATEWAY ] defines the entire platform that homes the network interface coming from your internal demark at layer 4 and the network interface going to your packet filtering router (or other connection equipment) at layer 3. The point of the embedded UNIX gateway is to provide FIREWALL services (as transparent to the user or application as possible) for all WAN services. What this really is must be defined in your policy (refer to layer 1) and illustrates how the upper layers overshadow or are transitive to the layers below. It is intended that the UNIX gateway (or server) at this layer will be dedicated to this role and not otherwise used to provide general network resources (other than the FIREWALL services such as proxy FTP, etc.). It is also used to implement monitor and control functions that provide FIREWALL support for the functions that are defined by the four upper ISO/OSI layers (1-Application, 2-Presentation, 3-Session, 4-Transport). Depending on how this and the device in layer 2 are implemented, some of this might be merely pass-thru to the next level. The configuration of layers 3 and 2 should collectively provide sufficient coverage of all 7 of the functions defined by the ISO/OSI model. This does not mean that your FIREWALL has to be capable of supporting everything possible that fits the OSI model.
What this does mean is that your FIREWALL should be capable of supporting all of the functions of the OSI model that you have implemented on your LAN/WAN connectivity.<P>
The packet filtering layer [ 2 - FILTER ] defines the platform that homes the network interface coming from your gateway in layer 3 and the network interface or other device, such as synchronous or asynchronous serial communication, between your FIREWALL and the WAN connectivity at layer 1. This layer should provide both your physical connectivity to layer 1 and the capability to filter inbound and outbound network datagrams (packets) based upon some sort of criteria (what these criteria need to be is defined in your policy). This is typically done today by a commercial off-the-shelf intelligent router that has these capabilities, but there are other ways to implement this. Obviously there is OSI link-level activity going on at several layers in this model, not exclusively this layer. But the point is that, functionally, your security policy is implemented at this level to protect the overall link-level access to your LAN (or, stated more generally, to separate your LAN from your WAN connectivity).<P>
The external demarcation layer [ LAYER 1 ] defines the point at which you connect to a device, telephone circuit, or other media that you do not have direct control over within your organization. Your policy should address this for many reasons, such as the nature and quality of the line or service itself and vulnerability to unauthorized access. At this point (or as part of layer 2) you may even deploy yet another device to perform point-to-point data link encryption. This is not likely to improve the quality of the line, but it certainly can reduce your vulnerability to unauthorized access. You also need to be concerned about the dissemination of things at this level that are often considered miscellaneous, such as phone numbers or circuit IDs.<P>
Illustration of the UNIX/NSA Model
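<P>The following Python sketch is an added example, not part of this paper or of any tool it names. It models how the packet filter at layer 2 and the dedicated gateway at layer 3 work together: the filter admits datagrams only to and from the gateway, so every LAN/WAN exchange has to go through the gateway's proxy services, and a LAN host can never be reached from the WAN directly. The addresses, the proxied ports, and the three filtering criteria (reject forged internal sources, accept inbound only for the gateway, accept new connections only on proxied ports) are assumptions standing in for the site policy the paper leaves to layer 7; the traffic sample is constructed.

```python
"""Toy model of the FIREWALL layers described above: the packet filter
(layer 2) admits traffic only to and from the embedded UNIX gateway
(layer 3), so every exchange between the LAN (layer 5) and the WAN
(layer 1) must pass through the gateway's proxy services.  Every
address, port and packet below is constructed for this illustration;
the filtering criteria are assumptions standing in for site policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")              # constructed: protected LAN segment
GATEWAY_INSIDE = ip_address("192.0.2.1")      # constructed: gateway interface toward the internal demark
GATEWAY_OUTSIDE = ip_address("198.51.100.1")  # constructed: gateway interface toward the packet filter
PROXY_PORTS = {21, 25, 80}                    # constructed: ports where the gateway runs proxy services


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str          # "in" = arriving from the WAN, "out" = leaving toward the WAN
    syn_only: bool = False  # True for a TCP connection-open attempt (SYN without ACK)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Apply the filter criteria to one datagram; return (verdict, reason)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    if pkt.direction == "in":
        # Inbound datagrams claiming an internal source are forged: no
        # legitimate path puts a LAN or gateway address on the WAN side.
        if src in LAN or src == GATEWAY_OUTSIDE:
            return "deny", "spoofed internal source on external interface"
        # The gateway is the only host the WAN may talk to.
        if dst != GATEWAY_OUTSIDE:
            return "deny", "inbound traffic not addressed to the gateway"
        # New connections are accepted only for services the gateway proxies.
        if pkt.syn_only and pkt.dport not in PROXY_PORTS:
            return "deny", f"no proxy service on port {pkt.dport}"
        return "permit", "inbound to gateway proxy"

    if pkt.direction == "out":
        # Everything leaving must come from the gateway's WAN-side interface;
        # a LAN source here means the gateway was forwarding IP directly.
        if src == GATEWAY_OUTSIDE:
            return "permit", "gateway-originated outbound"
        return "deny", "LAN host attempted to bypass the gateway"

    return "deny", f"unknown direction {pkt.direction!r}"


def audit(packets):
    """Run the filter over a batch and keep the log a monitor function would review."""
    return [(pkt, *filter_packet(pkt)) for pkt in packets]


def denied(packets):
    """Denied datagrams only: the lines worth alerting on."""
    return [(pkt, reason) for pkt, verdict, reason in audit(packets) if verdict == "deny"]


# Constructed traffic sample as seen at layer 2 (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "198.51.100.1", 25, "in", syn_only=True),    # mail to the gateway proxy
    Packet("203.0.113.7", "192.0.2.40", 23, "in", syn_only=True),      # aimed straight at a LAN host
    Packet("192.0.2.40", "203.0.113.7", 80, "out"),                    # LAN host bypassing the gateway
    Packet("198.51.100.1", "203.0.113.7", 80, "out"),                  # gateway proxy fetching for a user
    Packet("192.0.2.9", "198.51.100.1", 25, "in", syn_only=True),      # forged LAN source from outside
    Packet("203.0.113.7", "198.51.100.1", 6000, "in", syn_only=True),  # unproxied service on the gateway
]

if __name__ == "__main__":
    for pkt, verdict, reason in audit(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt.direction:3} {pkt.src}->{pkt.dst}:{pkt.dport}  {reason}")
```

<P>Run as a script it prints one verdict line per datagram; of the six constructed packets, only the mail connection to the gateway's proxy and the gateway's own outbound request are permitted. The <CODE>denied</CODE> list is the material the monitor and control functions at the gateway and LAN layers would review, since a denied packet with a LAN source on the outbound side indicates the gateway is forwarding IP rather than proxying, and a forged internal source on the inbound side indicates someone probing the filter.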