@@ -10,15 +10,18 @@ as long as we have had time-shared computers. If two users can share a
1010computer, then it is necessary to have protections in place to limit
1111the impact one user can have on another. For example, one user should
1212not generally be able to read the data of another user just because
13- they run code on the same system. A multi-user system should ensure
13+ they run code on the same system. At the same time, when one user
14+ *wants * to share data with another, the operating system needs to
15+ support that in a controlled way. Similarly, multi-user systems ensure
1416that malicious or poorly written code from one user cannot interfere
15- with the operation of another user's programs.
17+ with the operation of another user's programs.
1618
1719Computer networks are, like multi-user computers, shared
1820resources, and similar requirements apply. One network user should not
19- be able to interfere with another user's traffic. And in general,
21+ be able to interfere with another user's traffic. Networks are often
22+ used so that specific resources can be shared among users. And in general,
2023a user sending data across a network wants that data to be protected
21- from unauthorised modification or eavesdropping.
24+ from unauthorized modification or eavesdropping.
2225
2326As we will see, the security of computer systems and the security of
2427computer networks are closely related topics. And just as a
@@ -31,7 +34,7 @@ the end systems that connect to it.
3134The Internet was created to allow users in one location to
3235access computing resources in another. Those systems had their own
3336security measures in place. For example, if you wanted to use the Internet
34- to log in to a remote computer, you would need to authenticate
37+ to log in to a remote computer, you would (usually) need to authenticate
3538yourself to that remote system (e.g., with a user name and password) before
3639gaining access to any resources on that system.
3740
@@ -93,7 +96,7 @@ A Short History of Internet Security
9396------------------------------------
9497
9598The Internet architecture was initially created with essentially no
96- security features. This was not because the inventors, implementers and
99+ security features. This was not because the inventors, implementors and
97100architects were unaware of security issues, but rather because there
98101were other, more pressing goals. As Vint Cerf, the co-inventor of
99102TCP/IP said: "getting this thing to work at all was
@@ -107,17 +110,20 @@ networks below and a wide range of upper layer protocols and
107110applications above. The narrowness of the waist refers to its limited
108111functionality: global addressing and a best-effort packet delivery
109112model. Conspicuously missing from that waist is any sort of security
110- capability.
113+ capability. The best-effort packet delivery model included a "default
114+ open" setting: if you knew the destination address of a host, you
115+ could send it a packet.
116+
117+ .. could include something about decentralization
111118
112119
113120developers of the Internet by highlighting just how vulnerable it
114121was. By the early 1990s the first firewalls had appeared, allowing the
115122default "accept any packet from anywhere" behavior of the Internet to
116- be changed. These
117- devices filtered packets based on information in the TCP and IP
118- headers, and were sometimes implemented as part of the functionality
119- of a router. By 1994 they were common enough that applications such as FTP (the
120- file transfer protocol) adapted to work with them.
123+ be changed. These devices filtered packets based on information in the
124+ TCP and IP headers, and could be implemented in both hosts and
125+ routers. By 1994 they were common enough that applications such as FTP
126+ (the file transfer protocol) adapted to work with them.
121127
122128Also in the early 1990s, the Internet was growing quickly enough to make it clear
123129that IP version 4 (IPv4), with 32-bit addresses, would eventually run
@@ -133,7 +139,7 @@ The security features that were proposed for IPv6 included headers to
133139support encryption, message integrity and authentication. However it
134140became clear that such features did not require a new version of IP,
135141only a way to add optional information to the packet
136- header, and so these capabilties also made their way into IPv4. These
142+ header, and so these capabilities also made their way into IPv4. These
137143extensions became known collectively as IPSEC (IP security) and are
138144described in several dozen RFCs.
139145
@@ -149,13 +155,13 @@ weaknesses exploited by the Morris worm.
149155The rise in popularity of the World Wide Web in the 1990s created the
150156demand for security features at the transport layer to support
151157applications such as e-commerce. This lead to the creation of SSL
152- (secure sockets layer) which was superceded by TLS (transport layer
158+ (secure sockets layer) which was superseded by TLS (transport layer
153159security), both of which provided confidentiality and authentication
154160at the transport layer.
155161
156162Another aspect of securing the Internet that started to receive
157163attention in this period was the security of its infrastructure. One
158- such pieve of infranstructure is the domain name system (DNS). DNS
164+ such piece of infrastructure is the domain name system (DNS). DNS
159165replaced static host-to-address mapping files in the 1980s and subsequently
160166become critical to the operation of the Internet. Clearly the
161167information served up by DNS needs to be robust against manipulation
@@ -172,7 +178,11 @@ incorrect routing updates in BGP, e.g., advertising a good route to
172178some prefix from an autonomous system that has no such route. Thus,
173179securing BGP has likewise proven to be a multi-decade, incremental task.
174180
175-
181+ This is by no means a complete history of Internet security but it
182+ gives some sense of the scope of the problems faced. Some further
183+ perspective on this history, and the factors that contributed to
184+ Internet's lack of security, can be found in the following series
185+ of articles from the Washington Post.
176186
177187
178188.. admonition :: Further Reading
@@ -184,6 +194,53 @@ securing BGP has likewise proven to be a multi-decade, incremental task.
184194Trust and Threats
185195-----------------
186196
197+ A discussion of security often begins with an analysis of the *threat
198+ landscape *. That is, what are the threats that our system is likely to
199+ be exposed to and which we hope to mitigate. This is one of the great
200+ challenges in developing a security strategy: how do we know when we
201+ have identified all the likely threats? Some may be obvious, such as
202+ eavesdropping on unencrypted traffic sent over a shared medium, but
203+ less obvious threats are constantly being identified.
204+
205+ It is common to talk about security as a "negative goal". That is, we
206+ are trying to ensure that a set of undesirable things cannot
207+ happen. That set of undesirable things is large, making security
208+ particularly challenging. Over the years, a number of principles have
209+ been developed to try to manage this challenging landscape; we will
210+ consider many of them in subsequent chapters.
211+
212+ Noted security expert Bruce Schneier points out in his book
213+ "Beyond Fear" that security is also a matter of making trade-offs. You not
214+ only have to identify the threats that you wish to defend against, but
215+ also to decide what costs you are willing to incur in mounting
216+ that defense. For example, encrypting every packet sent by a computer
217+ in 1970 imposed such a high computational cost as to be barely
218+ practical or required special hardware; today it is routine that every
219+ packet sent between a web browser and server is encrypted. Thus, the
220+ trade-offs around encryption are different than they were when the
221+ Internet was originally designed. And just as we consider the costs
222+ that security techniques impose on our system, we can also consider
223+ the costs they impose on adversaries. Much of security consists of
224+ finding ways to make those costs highly asymmetric, so that they are
225+ much higher for the adversary than for those seeking to protect their
226+ systems and information.
227+
228+
229+ Schneier describes a set of questions to be addressed in developing a
230+ security strategy:
231+
232+ * Step 1: What assets are you trying to protect?
233+ * Step 2: What are the risks to these assets?
234+ * Step 3: How well does the security solution mitigate those risks?
235+ * Step 4: What other risks does the security solution cause?
236+ * Step 5: What costs and trade-offs does the security solution impose?
237+
238+ Schneier's book is targeted at a general audience, addressing
239+ security in a broad context (e.g., airports), not just systems and
240+ networks. Nevertheless it provides some useful guidelines that are
241+ applicable to system security.
242+
243+
187244.. admonition :: Further Reading
188245
189246 B. Schneier. Beyond Fear: Thinking Sensibly About Security in an
0 commit comments