Segments with Mutually Trusting Machines

Some research at academic and industrial departments requires that the end user have complete
access to the machine on the desktop. In these cases, a secure segment is probably out of the
question unless the end users are impeccably ethical and technically competent to maintain
system security on the machines they control (a machine administered by someone without security training is likely to be broken into by an attacker and used as a base of operations to
attack other machines, including sniffing attacks). If you assume the end users are indeed
competent to ensure the security of their own desktop system, all machines on the segment can
be considered mutually trusting with respect to sniffing. That is, while any of the machines on
the segment could be used as a sniffer, the users trust that they will not be, based on the following:
• The physical security of the machines
• The technical competence of the other users to prevent outsiders from gaining control of
one of the machines remotely
• The personal integrity of the other users
It is possible to build a secure subnet or local area network out of a set of segments that each
have mutually trusting machines. You must locate machines that are not mutually trusting on
separate segments. Machines that need to communicate across segment boundaries should only
do so with data that is not private. You can join mutually trusting segments by secure
segments. Such an arrangement presumes that the end users trust the staff operating these central
facilities. However, from a practical standpoint all but the most paranoid end users find this
acceptable.

Connecting Segments of One-Way Trust
Consider, for example, the simple situation of two segments of mutual trust. Mutual trust
exists between the machines on the first segment and mutual trust exists between the machines
on the second segment. However, the machines in the first segment are communicating less
sensitive information than those in the second segment. The machines in the first segment may
trust those in the second segment but not vice versa. In this case, it is allowable for the data
from the first segment to flow through the second segment. However, you must use a barrier
such as a bridge to prevent the flow of data in the opposite direction.
One-way trust is fairly common between secure segments and other types of segments. The less
secure machines must trust the more secure machines, but not vice versa. Similarly, one way
trust may exist between a segment of mutual trust and an insecure segment. Connecting
segments with one-way trust via bridges and routers leads to a hierarchy of segments. Tree
diagrams represent hierarchies graphically. In this case, the parent-child relationship in the tree
associates the parent with a more secure segment and the child with a less secure segment.
Thus, the more secure segments are closer to the root of the tree and less secure segments are
closer to the leaves—insecure segments are leaves in the tree representing the one-way trust
hierarchy.

Insecure Segments
In many cases, it is not practical to construct the segment boundaries between machines that
are not mutually trusting. The reason for this is that such a setup isn’t safe from sniffing.

Insecure segments might be acceptable in areas where security requirements are also low.
However, most users expect a higher level of security than any such setup could provide.
If you must use an insecure segment and still expect a higher degree of security, your only
solution is a software-based technique such as encryption, rather than a hardware barrier.

Case Study: A Small Department Subnet
A good case study of a network system at risk is in the building at the university where I work.
Computer Science shares two floors of the building with Mathematics and English. On the
lower floor are several rooms with computers that are accessible by clients of Computer
Science, offices for professional staff members in each of the three departments, and the
Computer Science machine room. On the upper floor are offices for professional staff members
of Computer Science and Mathematics and the office suites for the managers and secretarial
staff of each.
The rooms in which clients access the network are not secure. Professional staff members in
each department are mutually trusting of each other. They are not mutually trusting of all
members of other departments. The two management suites cannot trust each other. They
cannot trust the professional staff they supervise, because they work with sensitive employee
records dealing with performance reviews and salary recommendations, and they compete for
resources provided by higher levels of management.
In fact, the management suites are equipped with a higher level of physical security than the
professional staff offices. These suites may be considered secure relative to the offices of the
staff they supervise. The machines in each suite can be considered mutually trusting of other
machines, because the personnel share sensitive information with each other anyway (see fig.
6.7). Finally, the Computer Science machine room is secure.

To satisfy the constraints of these trust relationships, the staff members of Computer Science,
Mathematics, and English must each be placed on a separate segment. The Mathematics
management suite must be placed on a separate segment. However, data to and from the
Mathematics staff may flow through the Mathematics management suite without violating the
trust constraints. In an exact parallel, the Computer Science management suite can have a
segment with data flowing through it to and from the Computer Science staff segment. The
machines used by Computer Science clients may transmit through staff and management
segments. Notice that a hierarchy of trust is in effect here. At the top end
of the hierarchy is the Computer Science machine room, which must be on its own segment as
well.
Now consider the wiring system available to service these two floors. The lower floor has a
single communication closet that contains the connection to the central computing facility.
The upper floor has a primary communication closet immediately above it connected by a
conduit through the flooring. This primary communication closet on the upper floor is close
to the Mathematics management suite. The primary closet connects, via a wiring conduit, to a
secondary communication closet on the opposite side of the upper floor close to the Computer
Science management suite.
If you do not consider security, you will design the network by looking purely at cost and
performance. The minimum cost solution is simply to locate a set of hubs in each
communications closet and connect all the hubs together to form a single segment. From a performance
standpoint the management personnel do not want to have their network activity slowed by
the activity of the staff they supervise or by people from a different department, so one can
argue to segment the network on the basis of performance in a way that is close to what is
needed for security purposes. If cost is not an issue, each of the proposed segments can simply
be connected by a switch.
A realistic solution needs to do the following:
• Balance the issues of cost and performance
• Take into consideration the physical layout of the building
• Maintain security by not violating the trust constraints
Figure 6.8 shows such a solution. Mathematics places all of its staff on a single segment by
connecting hubs in the upper and lower floor communication closets. The Mathematics
management suite has a segment that bears the burden of traffic from the staff segment. While
Mathematics has a lower cost solution, Computer Science has a higher performance solution.
Computer Science has five separate segments joined by a switch. Computer Science staff are
placed on two separate segments, one for the upper floor and one for the lower floor, not to
satisfy any security concern, but because separate hubs on each floor simplified the wiring and
provide a low-cost opportunity to enhance performance. Computer Science, Mathematics, and
English each have a separate subnet. These three subnets are joined into a single network by a
router located in the communication closet on the lower floor.
The solution shown in figure 6.8 provides for reasonable security against sniffing. Absolute
security is not provided since it is still possible for anyone to hook up a sniffer on any of the
segments. However, data from areas where more security is needed do not flow through areas
where less security is needed. The areas where more security is needed have higher levels of
physical security as well. Hence, it is increasingly difficult to physically get to a location where
sensitive data is flowing on the wires. Also, except on the insecure Computer Science client
segment, there is trust between the authorized users of the machines sharing a segment. Hence,
an authorized user of a machine cannot use it to sniff data going to or from someone who does
not trust the user.
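The following is an added example, not code from the book: it models the one-way trust hierarchy of the previous section as a tree and checks physical paths through the case-study segments of figure 6.8 against it. The segment names and the parent relation are assumptions drawn from the prose, not a published configuration.

```python
# One-way trust tree for the case-study segments (assumed names, following
# the prose of the case study, not a published configuration). Each segment
# trusts its parent, the more secure segment nearer the root; roots have no
# parent and insecure segments such as the client room are leaves.
PARENT = {
    "cs_machine_room": None,
    "cs_management": "cs_machine_room",
    "cs_staff_upper": "cs_management",
    "cs_staff_lower": "cs_management",
    "cs_clients": "cs_staff_lower",
    "math_management": None,
    "math_staff": "math_management",
    "english_staff": None,
}

def trusted_by(seg):
    """Return seg followed by every segment it trusts (its chain of parents)."""
    chain = []
    while seg is not None:
        chain.append(seg)
        seg = PARENT[seg]
    return chain

def trusts(seg, other):
    """seg trusts other if other is seg itself or a more secure ancestor."""
    return other in trusted_by(seg)

def transit_violations(path):
    """Interior segments of a physical path that neither endpoint trusts.

    An empty list means the path honours the one-way trust constraints:
    data never flows through a segment less secure than the endpoint it
    belongs to, while transit through an endpoint's own ancestors is fine.
    """
    src, dst = path[0], path[-1]
    return [seg for seg in path[1:-1]
            if not (trusts(src, seg) or trusts(dst, seg))]

def crosses_trust_domains(src, dst):
    """True when the endpoints share no root, i.e. they sit in different
    departmental subnets joined only by the router; the text allows only
    non-private data to be exchanged across that boundary."""
    return trusted_by(src)[-1] != trusted_by(dst)[-1]

if __name__ == "__main__":
    # Machine-room traffic routed over a staff segment violates the hierarchy
    print(transit_violations(["cs_machine_room", "cs_staff_lower", "cs_management"]))
    # Client traffic may climb through staff and management toward the root
    print(transit_violations(["cs_clients", "cs_staff_lower", "cs_management", "cs_machine_room"]))
```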

You can learn several things from looking at the case study and its solution:
• A minimum cost solution is not likely to provide for security.
• A totally secure system is prohibitively expensive, but a reasonably secure system is not.
• Different approaches to cost and performance trade-offs may be combined in a secure
system. Mathematics and Computer Science have different budgets for equipment and
needs for network performance.
• A single solution may provide both security and enhanced performance, as in the solution
shown for Computer Science.
• A solution that provides for security need not add significantly to cost. There is almost no cost
difference between having a single segment for Mathematics and the solution shown. An
extra wire run from the lower floor staff hub to the upper floor staff hub is one extra cost
item, as is the bridge separating the two segments.

Tip A simple hardware barrier that is inexpensive and has the potential for increasing
network performance is the installation of a bridge between your machine room and
the rest of your facility. In many cases, a great deal of traffic occurs between the
computers in the machine room. A bridge placed between the machine room and
the rest of the facility prevents this traffic from escaping to less secure areas and
reduces the collision rate outside the machine room. Bridges are much less expensive
than a router or a switch. In fact, a low-cost personal computer may be
configured for this purpose with free software such as Drawbridge.
Drawbridge is a free software package that turns an ordinary PC with a pair of standard
Ethernet interfaces into a bridge. Drawbridge is also capable of filtering operations and can act
as a cheap alternative to a firewall in small networks. In some cases, you may be able to recycle
a used PC considered obsolete for this purpose as the memory and disk requirements of
Drawbridge are quite modest.
So far, this section has covered how to avoid sniffing of data from the local part of the Internet.
Such an action seems directed toward protection against internal personnel rather than external
threats. However, many security breaches are aided either knowingly or unknowingly by
internal personnel. In such cases, the hardware barriers described in this section will limit what
an intruder, physically present or remote, can do with a sniffer. Not only is physical security
greater for the more trusted segments, but so is the technical competence of those in charge of
the computer systems. The least technically competent to protect a system from remote
intruders must be given systems that cannot be given commands from a remote location (such
as a simple personal computer). Systems that can accept commands from remote locations
must be administered by those technically competent enough to prevent remote intruders by
not making mistakes that will allow remote intruders to gain access to the systems.