Designing an Internet (Information Policy) by David D. Clark

Author: David D. Clark
Language: eng
Format: azw3
Tags: Internet architecture, Internet security, Internet history, Internet design requirements, Alternative Internet designs
ISBN: 9780262038607
Publisher: The MIT Press
Published: 2018-10-04T16:00:00+00:00


Attacks on the Attached Hosts

Today, we see a wide range of attacks in this category, ranging from attacks that involve a malicious sequence of packets sent to a machine that was not a willing participant in the communication (an attack that exploits an unintentionally open port, a flaw in the network software, and the like) to attacks that use an intentional act of communication (receiving email or going to a Web site) to download malicious code.

Again, it may be helpful to return to a historical perspective to understand the current situation with respect to these classes of attacks. As I said earlier, the security experts that we consulted in the early days of the Internet were mostly from the intelligence community, and their primary concern was confidentiality—preventing disclosure of classified information. This framing of security tends to ignore the issue of communication among parties that do not necessarily trust each other. This framing also tends to divide the world cleanly into trusted and untrusted regions of the network. In the context of classified work, it made sense to accept that there were trusted regions of the network, typically inside facilities where users had clearances and computers could be trusted. These regions might be connected together over a public, untrusted Internet, but in this case the packets across the public Internet would be encrypted and wrapped in outer IP headers that only delivered the packet to the distant trusted region. This concept, called encrypted tunnels, made sense from a technical perspective, since only one encryption device would be needed at the interconnection point between the trusted region and the public Internet. At the time, encryption boxes were expensive, and even a point-to-multipoint device was pushing the state of the art. Having such a device for each host was not practical. The concept also made sense in the security calculus of the day. There was no way an untrusted computer on the public Internet could make a connection to a trusted computer in a trusted region, because the encryption device would not accept a packet that had not been encrypted by the device at another trusted region. End nodes did not need to worry about being attacked, because within the trusted region the prospect of attack was discounted, and from outside the region packets were totally blocked.

The security analysis of this sort of architecture became quite sophisticated. There were concerns about the possibility that corrupt insiders could leak information by hiding it in covert channels, that is, low-bandwidth communication channels exploiting features such as the timing of packets in the channel. The confinement problem was understood early on (Lampson, 1973). These concerns did not end up being the real threats, and a focus on this framing may have distracted the early thinkers from a broader consideration of the security landscape, such as the need for users with clearances to talk to people without such clearances.

This simple division of responsibility between network and host has proved flawed, for several reasons. First, of course, the operating systems of today are flawed.
