Scalable Security in an Unimaginably Large Internet

William R. Soley
Sun Microsystems, Inc., Palo Alto, California
william.soley@sun.com
IEEE Future Trends in Distributed Computing Systems
Tunis, Tunisia, October 1997

The slides for the panel discussion are also available.


Abstract

The Internet is predicted to become unimaginably large in the coming decades. Not only will it grow in the number, but also in the diversity, of the connected devices. This position paper briefly looks at how the security challenges presented by such growth differ from those of today, and some possible directions to meet those challenges.

Introduction

We face the prospect in the coming decades of an unimaginably large global public network made up not only of general purpose computer systems, but also billions of special purpose controllers and sensors. In an attempt to imagine the unimaginable I recently read a collection of essays, Beyond Calculation: The Next Fifty Years of Computing,[4] in which several noted experts share their visions of the future. Cerf foresees everything being connected to the Internet.[3] Bell and Gray imagine "the ultimate personal assistant consisting of 'on body' computers" connected to a "body network."[1] Weiser and Brown talk about the "ubiquitous computing" era that will find computers "embedded in walls, chairs, clothing, light switches, cars and everything."[10] The designers of IPv6 seem to agree since the 128-bit long address fields[8] are more than enough to uniquely address every atom on the surface of the Earth.[2]
As much as I find this well-connected future to be exciting, I am also terrified to consider the harm that could come to individuals and society if such a powerful network were to be abused. The possibility of information warfare is substantial.[5] Not only are privacy and financial assets at stake from unauthorized manipulation of databases or on-line transactions, but people's very lives could be in jeopardy when controllers and sensors used for health care are connected to the public network.
When the network grows in size, the opportunity for abuse increases. As the network becomes more intimately connected to our daily lives, the consequences of abuse increase. Good security will be far more important in the network of the future than it is today. Yet the sheer scale of the network will make many security techniques employed today impractical or inappropriate.

What is the future of firewalls?

Firewalls work on the principle that a network administrator examines the traffic patterns and security policies of the organization to be protected by the firewall and then defines a set of access rules to be installed in the firewall system for it to enforce on the traffic passing through it. There are a number of limitations that will make this approach increasingly impractical as the network evolves toward the future.
The firewall assumes the inside part of the network is trusted and attempts to protect it from the outside part. This model breaks down when there is no longer a well-defined inside and outside. Devices on what might be considered the inside may not be equally trusted, and some of the inside devices will need to be protected from each other. Consider, for example, an electric company that wants to connect its meter to your home network so it can read the meter remotely: you may not trust the meter, and the meter may not trust you. There is also the transitive trust problem, which thwarts drawing simple boundaries.
Growth in the diversity of the devices, protocols and services available on the network will make prediction of traffic patterns difficult. A single application will make use of a wider range of protocols and connect to a wider range of destinations than is common today. Configuring the firewall requires a priori knowledge of the expected applications, protocols and endpoints, which will quickly become impractical.
Proper firewall configuration requires a moderate level of network and security expertise. It is inappropriate to require these skills of end users. End users would be forced to contract for these services.
Firewalls will continue to be important to protect legacy systems as long as they exist, but will be used less and less as the primary defense for a network. The primary defense will move to the end systems.

How will access control evolve?

The common state of access control today is pitiful. Almost everything is based on password authentication with some kind of manually administered list of authorized users. If you are lucky, the access control lists are centralized to make them easier to administer. These techniques don't scale and they aren't secure. They are heavily oriented toward interactive access and do not effectively address unattended interprocess communication.
There are lots of companies trying to solve this problem today with proprietary solutions. Proprietary won't work. The growth that is being predicted includes huge numbers of tiny "nearly free" devices. These are not the general purpose computing systems that we are used to. I don't want to have to upgrade the software in my dining room light to keep the neighbor's kids from turning it off in the middle of my dinner. It has to be built in -- "nearly free." A suite of public-key/certificate-based open standards is needed that will support a wide range of devices, from a dining room light to a supercomputer. Kerberos[9] is the closest thing today, but it is symmetric-key based, which makes it awkward to scale.

How will all those keys be managed?

Key management is the biggest challenge. What makes it so hard is that it goes way beyond the software industry. Of course widely accepted open standards are needed to solve the key management problem on a large scale, but the real problem is a matter of infrastructure, law and international treaty. I am not a lawyer so I will focus on the technical issues.
Public-key cryptography is the answer to the scalability problem. Certificates are needed to assure that the communicating parties have the correct keys for each other (and not a key belonging to an imposter). The most common certificate format today is X.509. I dislike it for several reasons, but I think it will do what we need, so we should stop arguing and get on with it.
Another issue of debate is who signs the certificates. The choice is generally between hierarchical certificate authorities and a web-of-trust. There are situations where each is appropriate. If it is allowed for a single key to be certified by more than one authority, and if it is allowed for any key to sign a certificate, then this is effectively a web-of-trust. I believe the minor complication is justified to get the flexibility of supporting both trust models.
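To make the point above concrete, here is an added example (not part of the paper) that models certificates as an issuer-to-subject graph and evaluates trust from a set of anchor keys. The key names and certificates are constructed; a hierarchical CA falls out as the special case in which only CA keys ever issue, and allowing any key to issue, with more than one issuer per subject, gives the web-of-trust.

```python
from collections import deque

# Added example: a tiny certificate-graph evaluator. A certificate is the
# pair (issuer_key, subject_key), meaning "issuer vouches for subject's key".
# In a web-of-trust any key may issue and a subject may have several issuers;
# a hierarchical CA is the special case in which only designated CA keys
# appear as issuers. All key names below are constructed placeholders.

def certifiers_of(certs, key):
    """Every issuer that has certified `key` (more than one => web-of-trust)."""
    return {issuer for issuer, subject in certs if subject == key}

def trusted_keys(certs, anchors, revoked=frozenset(), max_depth=4):
    """Keys reachable from the trust anchors through a chain of at most
    max_depth certificates, ignoring any certificate that touches a revoked
    key. Breadth-first search over the issuer -> subject graph."""
    issued_by = {}
    for issuer, subject in certs:
        if issuer in revoked or subject in revoked:
            continue                      # compromised key: drop its certs
        issued_by.setdefault(issuer, set()).add(subject)
    trusted = set(anchors) - set(revoked)
    frontier = deque((key, 0) for key in trusted)
    while frontier:
        key, depth = frontier.popleft()
        if depth >= max_depth:
            continue                      # chain too long to accept
        for subject in issued_by.get(key, ()):
            if subject not in trusted:
                trusted.add(subject)
                frontier.append((subject, depth + 1))
    return trusted

# Constructed hierarchy: root CA -> intermediate CA -> two end-entity keys.
HIERARCHY = [("root", "sub_ca"), ("sub_ca", "alice"), ("sub_ca", "bob")]
# The same keys as a web-of-trust: end-entity keys also issue, and alice is
# certified both by the intermediate CA and by bob.
WEB = HIERARCHY + [("bob", "alice"), ("alice", "carol"), ("carol", "dave")]

if __name__ == "__main__":
    # A verifier that anchors on the root CA and on bob (verified in person).
    anchors = {"root", "bob"}
    print(trusted_keys(HIERARCHY, anchors))
    # Once the intermediate CA is revoked, alice stays trusted only in the
    # web-of-trust, through her second certifier.
    print(trusted_keys(HIERARCHY, anchors, revoked={"sub_ca"}))
    print(trusted_keys(WEB, anchors, revoked={"sub_ca"}))
```

The revocation case is the practical payoff of allowing multiple certifiers: a single compromised intermediate cuts off every subject beneath it in the pure hierarchy, while in the web a subject with an independent certifier remains reachable.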

What about security of the host?

Secure network protocols do not help very much if software bugs or misconfiguration leave the hosts vulnerable to break-in. As operating systems and applications grow in complexity, the chance of vulnerability increases. In order to achieve the needed reliability, the security critical functions must be isolated in a small, well-defined, verifiable security kernel.
Programming languages and systems contribute directly to the reliability of the software. The lack of strong type checking on pointer references, the lack of memory bounds enforcement, and the crude memory allocation in C and C++ are problematic. Languages such as Java improve on this while also providing the option of an active security manager[7] or even capability-based security features.[6] But of course, there is never a substitute for talent and good software engineering practice.

Conclusion

Scalable security capable of supporting the expected growth in the Internet will require substantial investments and new technology. Firewall technology will not scale to future network size and diversity. Public-key technology is most promising. We must establish a standardized, widely available and trusted public-key infrastructure. Next is government acceptance of the need to protect the assets of the new channel for commerce. Software vendors must improve their security architecture and recognize security as a major factor in product quality.

References

[1] Bell, Gordon, and James N. Gray. "The Revolution Yet to Happen." Essay in [4].
[2] Bolt, Sean. "IPv6 Density." On-line. http://www2.wvitcoe.wvnet.edu/~sbolt/ip-density.html
[3] Cerf, Vinton G. "When They're Everywhere." Essay in [4].
[4] Denning, Peter J., and Robert M. Metcalfe. Beyond Calculation: The Next Fifty Years of Computing. New York: Springer-Verlag, 1997.
[5] Druffel, Larry. "Information Warfare." Essay in [4].
[6] Electric Communities. "Using the EC Trust Manager to Secure Java." On-line. http://www.communities.com/company/papers/trust/index.html
[7] Fritzinger, J. Steven, and Marianne Mueller. "Java Security." On-line, Sun Microsystems, 1996. http://java.sun.com/docs/white/index.html
[8] Hinden, R., and S. Deering, eds. "IP Version 6 Addressing Architecture." IETF Network Working Group, Dec 1995. http://ds.internic.net/rfc/rfc1884.txt
[9] Neuman, B. Clifford, and Theodore Ts'o. "Kerberos: An Authentication Service for Computer Networks." IEEE Communications, 32(9):33-38, September 1994. http://nii.isi.edu/publications/kerberos-neuman-tso.html
[10] Weiser, Mark, and John Seely Brown. "The Coming Age of Calm Technology." Essay in [4].


Copyright 1997 IEEE. Published in the Proceedings of FTDCS'97, October 29-31, 1997.
Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works, must be obtained from the IEEE. Contact: Manager, Copyrights and Permissions / IEEE Service Center / 445 Hoes Lane / P.O. Box 1331 / Piscataway, NJ 08855-1331, USA. Telephone: +1 908-562-3966.