Typically, one thinks of trust at the application layer, between file servers and clients: the file server trusts its clients to authenticate users. However, this notion of trust extends to lower-level network devices as well.
For example, at the network layer, routers are trusted to deliver datagrams and to hand correct routing tables to the hosts on their networks. Hosts trust routers, so routers must themselves be trustworthy machines. Extending the concept of trust down to the data link layer brings you to sniffing. On a shared segment every attached interface can read every frame, so a machine sending data considered private on a particular network segment must trust all machines on that segment. To be worthy of that trust, the machines on the segment and the wiring between them must have sufficient physical security (locks on doors, guards, and such) to ensure that an attacker cannot install a sniffer on that segment.
The threat of sniffing comes from someone installing sniffing software on a machine that is normally on the network, from someone bringing a sniffer into a room and plugging it into a network jack available there, or from someone installing an unauthorized network connection in order to sniff.
To counter these three avenues you must rely on three things: the security of the operating system itself, to prevent unauthorized sniffing software from running (on most systems, putting an interface into promiscuous mode requires administrative privilege); the personal trustworthiness of the people who have access to the rooms in which network components are located; and physical security, to prevent untrustworthy people from gaining access to those rooms.
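The first of those three controls can be checked from the machine itself: a sniffer normally has to put the interface into promiscuous mode, and on Linux the kernel exposes each interface's flags through sysfs. The following script is an added example written for this page, not code from the original text. It assumes a Linux host where /sys/class/net/<iface>/flags holds the interface flags as a hex string and IFF_PROMISC is the 0x100 bit; the sample flags dictionary is constructed so the script also runs where sysfs is absent.

```python
"""Report Linux network interfaces that are in promiscuous mode.

Added example (not from the original page). Assumes Linux sysfs layout:
/sys/class/net/<iface>/flags contains the net_device flags as hex text,
and IFF_PROMISC is bit 0x100 of that value.
"""
import os

IFF_UP = 0x1        # interface is administratively up
IFF_PROMISC = 0x100  # interface accepts frames not addressed to it

# Constructed sample standing in for the contents of the sysfs flags files.
SAMPLE_FLAGS = {
    "lo": "0x9\n",       # loopback, up, not promiscuous
    "eth0": "0x1003\n",  # up, broadcast, multicast; not promiscuous
    "eth1": "0x1103\n",  # same as eth0 plus IFF_PROMISC: a sniffer candidate
}


def is_promiscuous(flags_text):
    """Parse one sysfs flags value (e.g. '0x1103\\n') and test IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Return the sorted names of interfaces whose flags include IFF_PROMISC."""
    return sorted(name for name, text in flags_by_iface.items()
                  if is_promiscuous(text))


def read_sysfs_flags(root="/sys/class/net"):
    """Read the flags file of every interface under root (Linux only)."""
    flags = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as f:
                flags[name] = f.read()
        except OSError:
            continue  # interface vanished or flags not readable; skip it
    return flags


if __name__ == "__main__":
    if os.path.isdir("/sys/class/net"):
        flags = read_sysfs_flags()
    else:
        flags = SAMPLE_FLAGS  # constructed data when not on Linux
    promisc = promiscuous_interfaces(flags)
    for name in sorted(flags):
        print(f"{name:8} flags={flags[name].strip():8} "
              f"promiscuous={'yes' if name in promisc else 'no'}")
```

The flag is a useful indicator, not proof either way: legitimate bridging or virtualization software also sets IFF_PROMISC, a sniffer that only captures the machine's own traffic does not need it, and a rootkit that has already compromised the operating system can hide it. That is exactly why the text puts the operating system's own security first among the controls.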
To create trustworthy segments, you must set up barriers between secure segments and insecure segments. All of the machines on a segment must mutually trust each other with the data traveling on that segment.
It is less clear where to draw the line in a business setting. The only basis for trust between machines is trust between the people who control the machines. Even a person who is trustworthy in an ethical sense may not be technically trustworthy to administer a machine in such a way that an attacker cannot abuse the machine under his or her control.
Suppose a set of machines has the trust relationships shown in figure 1 (an arrow points from the trusting machine to the trusted machine). One needs to connect them to the network in such a way that two machines that do not trust each other are never on the same segment, and to provide appropriate physical security to prevent tampering with a trusted machine.
One such
partitioning is shown in figure 2 (the lines between segments indicate that the
segments are connected by a device that limits data flow, such as a bridge).
Figure 1 (not reproduced): trust relationships between the machines; an arrow points from the trusting machine to the trusted machine.
Figure 2 (not reproduced): one partitioning of the machines into segments; a line between two segments is a device that limits data flow, such as a bridge.
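Because figure 1 is not reproduced here, the following added example (written for this page, not taken from the original text) works the partitioning through on a small constructed trust graph. It treats the text's rule literally: two machines may share a segment only if each trusts the other, so every segment must be a set of mutually trusting machines. The greedy placement below is one simple way to produce such a partition, and the separate check function verifies the rule independently of how the partition was built; the trust graph TRUST and the machine names are assumptions.

```python
"""Partition hosts into segments of mutually trusting machines.

Added example (not from the original page). TRUST[x] is the set of machines
that x trusts, i.e. an arrow from x to each member as in figure 1. The graph
itself is constructed for illustration; it is not the page's figure.
"""
from itertools import combinations

# Constructed trust graph standing in for figure 1.
TRUST = {
    "A": {"B", "C"},
    "B": {"A", "C"},
    "C": {"A", "B"},
    "D": {"A", "E"},  # D trusts A, but A does not trust D: one-way trust
    "E": {"D"},
}


def machines(trust):
    """Every machine named anywhere in the graph, as trusting or trusted party."""
    nodes = set(trust)
    for targets in trust.values():
        nodes |= targets
    return nodes


def mutual(trust, x, y):
    """True when x trusts y and y trusts x."""
    return y in trust.get(x, set()) and x in trust.get(y, set())


def partition_segments(trust):
    """Greedy placement: a machine joins the first existing segment whose
    members all mutually trust it, otherwise it starts a new segment.
    Machines are visited in name order so the result is deterministic."""
    segments = []
    for m in sorted(machines(trust)):
        for seg in segments:
            if all(mutual(trust, m, other) for other in seg):
                seg.append(m)
                break
        else:
            segments.append([m])
    return segments


def check_segments(trust, segments):
    """The text's rule: no segment holds two machines that do not trust
    each other. Checked pairwise, independent of partition_segments."""
    return all(mutual(trust, x, y)
               for seg in segments
               for x, y in combinations(seg, 2))


def cross_segment_trust(trust, segments):
    """Trust arrows that cross a segment boundary: the flows the bridge or
    filtering device between segments has to carry, while everything else
    between the segments can be blocked."""
    where = {m: i for i, seg in enumerate(segments) for m in seg}
    return sorted((x, y) for x in trust for y in trust[x]
                  if where[x] != where[y])


if __name__ == "__main__":
    segs = partition_segments(TRUST)
    print("segments:", segs)
    print("every segment mutually trusting:", check_segments(TRUST, segs))
    print("trust arrows crossing segments:", cross_segment_trust(TRUST, segs))
```

With the constructed graph the machines fall into two segments, {A, B, C} and {D, E}, and the only trust that crosses the boundary is D trusting A; that one-way relationship is why D and A must be on different wires joined by a device that limits data flow, rather than on the same segment. Greedy placement is not guaranteed to produce the fewest segments for every graph, but any partition it produces passes check_segments, which is the property the text requires.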