Internet Engineering Task Force P. Savola Internet-Draft CSC/FUNET Expires: April 27, 2006 October 24, 2005 Distributed Security Threat Model draft-savola-distsec-threat-model-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 27, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract The distributed security framework document describes an approach where hosts take greater responsibility for protecting against attacks on security vulnerabilities targeted at themselves. This memo analyzes the threat model of the distributed security approach, in particular pointing out areas which the mechanism cannot protect against. XXX: generic comment from JariA: "The main issue that I could see is that its still rather simple presentation of the issues, e.g. does Savola Expires April 27, 2006 [Page 1] Internet-Draft Distributed Security Threat Model October 2005 not necessarily go as deep as some other ongoing work goes." XXX: generic comment from EKR: "I found the organization rather confusing. It seems to me like a lot of the material in the framework document would make more sense in the threat model. Without that context, it's fairly hard to understand what you're trying to accomplish." (Similar comment from others: addressing this would require significant(?) text duplication from the framework doc..) Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Main Goal: Prevention and Damage Control . . . . . . . . . . . 3 3. Generic Threats . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Mitigating the Consequences of a Security Breach . . . . . 4 4. Assumptions About the Threat Model . . . . . . . . . . . . . . 5 4.1. Applicability . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Users and Privilege levels . . . . . . . . . . . . . . . . 5 4.3. Users Have Physical Access to the Hosts . . . . . . . . . . 6 4.4. L2/L3 Network Access Authorization . . . . . . . . . . . . 6 4.5. Host Identification and Blocking . . . . . . . . . . . . . 6 4.6. Policy Implementation and Correctness . . . . . . . . . . . 7 4.7. Protocol mechanism security . . . . . . . . . . . . . . . . 8 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . . 8 8.2. Informative References . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . . . . 9 Savola Expires April 27, 2006 [Page 2] Internet-Draft Distributed Security Threat Model October 2005 1. Introduction Distributed security framework [1] described an approach where hosts take larger responsibility in protecting against security vulnerabilities targeted to themselves. This approach is aimed to lower the chance of breaches and to reduce the extent of spreading the vulnerabilities (by increasing the resistance of neighboring hosts) in the event that (inevitably) an individual host is breached. This memo analyzes the threat model of the distributed security approach, in particular pointing out areas which the mechanism cannot protect against. 2. Main Goal: Prevention and Damage Control Like any other security mechanism, distributed security is not bullet-proof. The goal is to significantly reduce the likelihood of a security breach and significantly reduce the damage inflicted by a breach. The failings of standard firewalls are described in Section 2.1 of [1]. As a specific example, viruses/worms ("malware") and other misbehavior by laptops which move in and out of the "protected" network has come up as a problem: when infected, such hosts may also easily infect the network's "soft underbelly" behind the firewalls. The key concepts of distributed security framework are to reduce the chance of a security breach, minimize damage in the local network environment should one occur, and to isolate the misbehaving or vulnerable nodes from the network. The main factor in reducing vulnerability is reduction of the size of the smallest security perimeter so that it only encloses a single node. By eliminating components which are externally (network) accessible from the interior of the security perimeter, the scope for attacks is reduced. This contrasts with today's most common paradigm where the security perimeter encloses network connections as well as nodes which allow attacks to be mounted from compromised or introduced nodes within the security perimeter: these attacks represent a significant fraction of the threats to today's networks. Each node in this model will have intrusion detection capabilities and the ability to block those malware, but a key feature of distributed security is minimized security risk in the local network environment from listed threats. Savola Expires April 27, 2006 [Page 3] Internet-Draft Distributed Security Threat Model October 2005 3. Generic Threats Below we describe the main threats which the security mechanism aims to mitigate. XXX: "I think you need to explain how these threats work in more detail, and why they're a big problem in current architectures (or not)" XXX: Sam Hartman: "I would recommend working on the following issues: 1) Better articulate your threats, and 2) Better show how the technology can actually address these threats." o Viruses (including those carried over email or in application payloads, for example word processor or spreadsheet files which contain active content). o Worms, especially ones exploiting already known security vulnerabilities in the local networks and elsewhere. o An "inside host" under unauthorized remote control (e.g., in a "botnet"), for DDoS, sending of unsolicited mail, etc. o Port scanning and other forms of aggressive probing which could be a sign of an infected or otherwise questionably behaving host. o Other defined security breaches originating inside the host, e.g., trying to access services the user is not authorized to access. 3.1. Mitigating the Consequences of a Security Breach XXX: seems a bit like material for the framework or other places in the spec? Since it is probably impossible to prevent a security breach ever happening, the distributed security framework aims to prevent a possible breach propagating from one host to another, and to reduce the value of the information that might become accessible in the event of a breach. This requires that the framework should include intrusion detection mechanisms and security level checking. The intrusion detection and security level checking should be connected to secure ways of blocking access by the host to the rest of the netwoek and means to render the data contained within a security perimeter of no value to an attacker if an intrusion is detected or the security level of the host drops below an acceptable threshold. This might be achieved by rendering the security keys needed inaccessible, provided that the Savola Expires April 27, 2006 [Page 4] Internet-Draft Distributed Security Threat Model October 2005 data is encrypted (and adequate backups are held elsewhere!). 4. Assumptions About the Threat Model 4.1. Applicability Laptop hosts, especially those connected through wireless infrastructure, have the greatest need of the distributed security mechanism. It is also very useful on servers which are designed to be access through specific pinholes in the normal perimeter firewalls, as exploiting the server is as easy as finding an exploit in the protocol or the implementation. XXX: "I'm not sure why this mechanism would be better in these cases." Routers, switches and other similar equipment may need to participate in the distributed security framework (e.g., in enforcement). However, we consider protecting such equipment itself with distributed security out of scope because securing the equipment with existing tools is much easier than hosts. 4.2. Users and Privilege levels Users are often keen (and even instructed by helpdesks) to turn off firewalls, virus scanners, etc. when debugging a problem or when such behavior is deemed undesirable (e.g., hampering playing a network- based game or running a peer-to-peer software). In enterprise scenarios, or where this is recognized as a problem, a solution typically is to withhold administrator privileges from ordinary users preventing them from performing these actions. If the user has administrator access to the system, it is not possible to prevent these actions, short of more extensive security framework (e.g., "trusted computing"). Therefore we assume that the users are either knowledgeable enough or must not have the privileges to turn off the required security services. XXX: "How well do these policies get enforced now with stuff like HIDS or AV?" Savola Expires April 27, 2006 [Page 5] Internet-Draft Distributed Security Threat Model October 2005 4.3. Users Have Physical Access to the Hosts In case of laptops and workstations, the users are expected to have physical access to the systems. In some environments, the IT support will have password-protected BIOS setups or implemented other countermeasures to prevent users from, e.g., booting a system and performining administrative password recovery. While these countermeasures and policies might mitigate the threat of misbehaving users, we cannot assume the hosts would be physically safe from the user. If a host falls into the wrong hands (e.g., a stolen laptop), we assume that the system would be sufficiently encrypted. Alternatively, configurations must not include secrets which would be of significant information value in assisting a security breach. 4.4. L2/L3 Network Access Authorization It is assumed that the security of network access has been chosen according to the requirements of a site. For example, one could use 802.1x and EAP to control network access, using certificates and/or usernames and passwords. Some sites might view this as an overkill in their environment (e.g., where there is deemed to be sufficient physical security) and have no protections, or just perform MAC-address locking in the switch equipment. Other sites might require no or only minimal L2 authorizationm but require encrypted VPNs from all the hosts to VPN gateways to eliminate eavesdropping and hijacking. Sites may also have different requirements for layer 3 network access controls, i.e., which IP address the user gets and whether the address can be changed/spoofed by the user if need be. In some rare cases, DHCP authentication may be in use, though it does not prevent manual configuration of another address. In IPv6, SEND [2] may be applicable. Other solutions may exist. Distributed security should be able to work within any of these scenarios according to the security requirements. 4.5. Host Identification and Blocking XXX: "This is, of course, a standard technique in modern 802 networks." When security policy is communicated and applied, the hosts need to be reliably identified. Savola Expires April 27, 2006 [Page 6] Internet-Draft Distributed Security Threat Model October 2005 The mechanisms by which this is done depend on the security requirements of the site. IP address, hostname, MAC-address, etc. or some combination thereof may or may not be sufficient; sometimes certificates may need to be used; if 802.1x and EAP was used for L2 network access or VPNs for L3 access, the user identification credentials used there could be used here as well. We also need to consider how access to the host can be blocked reliably (e.g., because its security is not at a sufficiently high level, because it has been compromised or or because it hasn't been checked yet). o The most reliable way would be using strong identification (XXX: need spelling out?), but that cannot be expected to be readily available (and inspecting it on the wire would probably require that each host would use VPNs). o The easiest way is to use IP addresses. However, the user could just change an IP address and try again; presumably, all IP addresses (until verified) would need to be blocked by default. Then the user could try to hijack another, already-authorized user's IP address. However, this can often be noticed and even prevented, depending on the security requirements of the site. 4.6. Policy Implementation and Correctness Distributed security uses policies and checks to verify that the host should be secure enough. There are a couple of assumptions associated with this requirement: o The host (even if infected) will not lie about the checks. This is a bit of stretch, and in the absence of "trusted computing", there may be security problems which could be exploited in conjunction with kernel vulnerabilities, allowing an attacker to hide their presence or activities. We assume that such hosts would be detected by unnatural external behaviour or by other means. o The policy language and mechanisms are expressive enough. For example, it may not always be possible to identify "good" and "bad" versions just by looking at a version string (especially as may be the case for "backported" updates). The implementations would need to include more extensive mechanisms for noticing and reporting problems. There are potential managerial problems in ensuring that, for example, the correct checksums of software are known. There are also potential combinatorial problems: it may not just be a matter of having specific versions of software but ensuring that the correct combination of versions are present. Savola Expires April 27, 2006 [Page 7] Internet-Draft Distributed Security Threat Model October 2005 4.7. Protocol mechanism security Distributed security mechanisms need to be able to block the hosts at policy enforcement points. If there is communication between the IDSs or other mechanisms detecting anomalous behaviour, the communication should be at least authenticated and integrity- protected. The communication of a host and policy controllers should be sufficiently secure that the information cannot be altered by man-in- the-middle or other attackers. Typically this calls for encryption, integrity protection and sufficient authentication. 5. Acknowledgements Satoshi Kondo provided useful feedback for the initial version of this memo. Elwyn Davies, Jari Arkko, Eric Rescorla, and Sam Hartman provided a number of very helpful comments. 6. Security Considerations This memo is all about the distributed security threat models. The most important thing to note is that distributed security is not a perfect solution; as it needs to rely on (to some degree) the users' and the host OS's correct behavior. In cases where this assumption does not hold stricter measures will be necessary. 7. IANA Considerations This memo does not require any IANA action. 8. References 8.1. Normative References [1] Vives, A., "Distributed Security Framework", draft-vives-distsec-framework-00 (work in progress), August 2005. 8.2. Informative References [2] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005. Savola Expires April 27, 2006 [Page 8] Internet-Draft Distributed Security Threat Model October 2005 Author's Address Pekka Savola CSC/FUNET Espoo Finland Email: psavola@funet.fi Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement Savola Expires April 27, 2006 [Page 9] Internet-Draft Distributed Security Threat Model October 2005 this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Savola Expires April 27, 2006 [Page 10]