Internet Security Professional Reference: IP Spoofing and Sniffing


Segments with Mutually Trusting Machines

Some research at academic and industrial departments requires that the end user have complete access to the machine on the desktop. In these cases, a secure segment is probably out of the question unless the end users are impeccably ethical and technically competent to maintain system security on the machines they control (a machine administered by someone without security training is likely to be broken into by an attacker and used as a base of operations to attack other machines, including sniffing attacks). If you assume the end users are indeed competent to ensure the security of their own desktop system, all machines on the segment can be considered mutually trusting with respect to sniffing. That is, while any of the machines on the segment could be used as a sniffer, the users trust that none of them will be, based on the following:

  The physical security of the machines
  The technical competence of the other users to prevent outsiders from gaining control of one of the machines remotely
  The personal integrity of the other users

It is possible to build a secure subnet or local area network out of a set of segments that each have mutually trusting machines. You must locate machines that are not mutually trusting on separate segments. Machines that need to communicate across segment boundaries should only do so with data that is not sensitive. You can join mutually trusting segments by secure segments. Such an arrangement presumes that the end users trust the staff operating these central facilities. However, from a practical standpoint all but the most paranoid end users find this acceptable.

Connecting Segments of One-Way Trust

Consider, for example, the simple situation of two segments of mutual trust. Mutual trust exists between the machines on the first segment and mutual trust exists between the machines on the second segment. However, the machines in the first segment are communicating less sensitive information than those in the second segment. The machines in the first segment may trust those in the second segment but not vice versa. In this case, it is allowable for the data from the first segment to flow through the second segment. However, you must use a barrier such as a bridge to prevent the flow of data in the opposite direction.

One-way trust is fairly common between secure segments and other types of segments. The less secure machines must trust the more secure machines, but not vice versa. Similarly, one-way trust may exist between a segment of mutual trust and an insecure segment. Connecting segments with one-way trust via bridges and routers leads to a hierarchy of segments. Tree diagrams represent hierarchies graphically. In this case, the parent-child relationship in the tree associates the parent with a more secure segment and the child with a less secure segment. Thus, the more secure segments are closer to the root of the tree and less secure segments are closer to the leaves—insecure segments are leaves in the tree representing the one-way trust hierarchy.

Insecure Segments

In many cases, it is not practical to construct segment boundaries between machines that are not mutually trusting. Machines left sharing a segment in this way form an insecure segment, one that isn’t safe from sniffing. Insecure segments might be acceptable in areas where security requirements are also low. However, most users expect a higher level of security than any such setup could provide.

If you must use an insecure segment and still expect a higher degree of security, then your only hope is to deploy systems and encryption technology that are designed, implemented, and evaluated according to sound security principles.

Case Study: A Small Department Subnet

A good case study of a network system at risk is in the building at the university where I work. Computer Science shares two floors of the building with Mathematics and English. On the lower floor are several rooms with computers that are accessible by clients of Computer Science, offices for professional staff members in each of the three departments, and the Computer Science machine room. On the upper floor are offices for professional staff members of Computer Science and Mathematics and the office suites for the managers and secretarial staff of each.

The rooms in which clients access the network are not secure. Professional staff members in each department are mutually trusting of each other. They are not mutually trusting of all members of other departments. The two management suites cannot trust each other. They cannot trust the professional staff they supervise, because they work with sensitive employee records dealing with performance reviews and salary recommendations, and because they compete for resources provided by higher levels of management.

In fact, the management suites are equipped with a higher level of physical security than the professional staff offices. These suites may be considered secure relative to the offices of the staff they supervise. The machines in each suite can be considered mutually trusting of other machines, because the personnel share sensitive information with each other anyway (see fig. 5.7). Finally, the Computer Science machine room is secure.


Figure 5.7  Trust relationships between groups of machines in case study.

To satisfy the constraints of these trust relationships, the staff members of Computer Science, Mathematics, and English must each be placed on a separate segment. The Mathematics management suite must be placed on a separate segment. However, data to and from the Mathematics staff may flow through the Mathematics management suite without violating the trust constraints. In an exact parallel, the Computer Science management suite can have a segment with data flowing through it to and from the Computer Science staff segment. The machines used by Computer Science clients may transmit through staff and management segments. Notice that a hierarchy of trust is in effect here. At the top end of the hierarchy is the Computer Science machine room, which must be on its own segment as well.
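The one-way trust tree and the placement constraints above can be checked mechanically against a proposed wiring plan. The following Python code is an added example, not code from the book: the segment names, the `wiring` map, and the placement of the Mathematics management and English staff segments directly under the machine room are assumptions made for illustration.

```python
# Added example: checks a wiring plan against the case study's one-way trust tree.
# PARENT maps each segment to the more secure segment directly above it.
# Assumption: the page does not say what sits above math_mgmt and english_staff;
# they are hung under cs_machine_room here so the tree has a single root.
PARENT = {
    "cs_machine_room": None,
    "cs_mgmt": "cs_machine_room",
    "cs_staff": "cs_mgmt",
    "cs_clients": "cs_staff",
    "math_mgmt": "cs_machine_room",
    "math_staff": "math_mgmt",
    "english_staff": "cs_machine_room",
}

def trusted_by(segment):
    """A segment trusts itself and every ancestor in the trust tree."""
    trusted = set()
    while segment is not None:
        trusted.add(segment)
        segment = PARENT[segment]
    return trusted

def transit_path(wiring, segment):
    """Segments a frame crosses between `segment` and the uplink.
    `wiring` maps segment -> next segment upstream (None at the uplink)."""
    path, seen, hop = [], {segment}, wiring[segment]
    while hop is not None:
        if hop in seen:
            raise ValueError(f"wiring loop at {hop}")
        seen.add(hop)
        path.append(hop)
        hop = wiring[hop]
    return path

def violations(wiring):
    """(source, transit) pairs where traffic is exposed on an untrusted segment."""
    return sorted((src, hop) for src in wiring
                  for hop in transit_path(wiring, src)
                  if hop not in trusted_by(src))

# Wiring that mirrors the trust tree: every transit segment is an ancestor.
GOOD_WIRING = dict(PARENT)
# Constructed counter-example: CS management bridged behind Math management,
# English staff bridged behind Math staff.
BAD_WIRING = dict(PARENT, cs_mgmt="math_mgmt", english_staff="math_staff")

if __name__ == "__main__":
    for src, hop in violations(BAD_WIRING):
        print(f"{src} traffic can be sniffed on {hop}, which it does not trust")
```

Moving one bridge in the counter-example exposes every segment downstream of it, which is why the check walks the whole upstream path rather than only the adjacent segment.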

Now consider the wiring system available to service these two floors. The lower floor has a single communication closet that contains the connection to the central computing facility. The upper floor has a primary communication closet immediately above it connected by a conduit through the flooring. This primary communication closet on the upper floor is close to the Mathematics management suite. The primary closet connects, via a wiring conduit, to a secondary communication closet on the opposite side of the upper floor close to the Computer Science management suite.

