WEB AND JAVA RISK ISSUES

1-06-50

INFORMATION MANAGEMENT: STRATEGY, SYSTEMS, AND TECHNOLOGIES

Louise Soe and Frederick Gallegos

INSIDE

The Perceived Risks, Internet Security, Security Tools and Technologies, Encryption Technologies, Security Policies and Procedures, Firewalls, Practical Web Security Solutions, Java Risk Issues, Java Security Improvements

INTRODUCTION

The Internet has been around for years, but private industry only became interested in its commercial possibilities after the graphical World Wide Web emerged during the early 1990s. The Web version of the Internet offered a potentially inexpensive and platform-independent network over which to conduct business and disseminate information. In addition, companies grew excited about the possibility of developing intranets (internal Internets) that would give them access to all of their legacy data via one simple Internet browser interface. All of this was to be enabled by a programming language, Java, that would work on any operating system or computing platform. In addition, this language could be used to deliver to client machines the program and data elements (in the form of a Java applet) that the client needed to use at any given time. Companies envisioned desktops equipped with Internet appliances that would not need to contain expensive copies of application programs such as word processors and spreadsheets. It is little wonder that corporations were ready to embrace both the Internet and Java, and to build such high expectations about these technologies. These expectations have not died. Many corporate executives and managers expect these technologies to drive economic growth well into the next century.

THE PERCEIVED RISKS

PAYOFF IDEA

With the explosive growth of the Internet and the drive toward electronic commerce, many companies have given their customers access to their business resources without considering all of the security risks. This article provides a blueprint for identifying and reducing those risks.

Auerbach Publications © 1999 CRC Press LLC

However, the Internet and its most promising language, Java, present an interesting mix of opportunities and risks to organizations. On the one hand, organizations want to stay competitive and embrace technologies that provide so much promise. Yet, both corporations and individuals still perceive the Internet as insecure and the use of Java applets as unsafe. Corporations are wary of the very serious security threats from outside hackers to which a connection to the Internet might expose them. Individual users of the Internet are wary of the possible destructive use of Java applets that they download to their computers over the Internet. Thus, while the promise of the Internet and Java pushes companies toward expectations of free and open communication over the Internet, fear pushes companies toward isolation because they want to protect their information assets from theft, corruption, or destruction. The remainder of this chapter discusses ways in which corporations can use the Internet in a secure fashion by implementing security measures that are currently available. It also discusses the Java programming language, which is still somewhat immature, and the measures that are being taken to strengthen its security so that it will become the powerhouse language of the Internet.

INTERNET SECURITY

Security tools and procedures exist right now to reduce risk when a company gives its customers access to business resources over the Internet. Security measures are available to provide access security to protect the company’s own computers, disks, memory, and other computing equipment from outside interference, and transaction security to ensure that two individuals or organizations on the Internet can privately and safely execute a transaction. Properly implemented, these security mechanisms will:

• Protect the company from intruders who attempt to enter the internal network from the Internet;
• Provide authorized users with access to Internet services such as HTTP, FTP, Telnet, and Gopher;
• Deliver required Internet applications from the internal network to the Internet;
• Deliver SMTP and Netnews services to the internal network from the Internet;
• Prevent unauthorized use of resources on the internal network;
• Give users an easy way to understand network security status without being Internet security experts;
• Assure expert round-the-clock, seven-day-a-week monitoring and response to security events; and
• Maximize protection from the Internet and minimize the cost of operating and monitoring protective devices, such as the application proxy firewall.

SECURITY TOOLS AND TECHNOLOGIES

Effective security solutions rely on several tools and technologies designed to protect information and computers from intrusion, compromise, or misuse: encryption technologies, security policies and procedures, and various types of firewalls.

Encryption Technologies

Encryption technologies electronically store information in an encoded form that can only be decoded by an authorized individual who has the appropriate decryption technology and authorization to decrypt. Encryption provides a number of important security components to protect electronic information:

• Identity: Who are you?
• Authentication: Can you prove who you are?
• Authorization: What can you do?
• Auditing: What did you do?
• Integrity: Is it tamper proof?
• Privacy: Who can see it?
• Nonrepudiation: Can I prove that you said what you said?

When information is encoded, it is first translated into a numerical form, and then encrypted using a mathematical algorithm. The algorithm requires a number or message, called a key, in order to encode or decode the information. The algorithm cannot decode the encrypted information without a decode key.

Security Policies and Procedures

In the rush to establish an Internet presence, many companies have overlooked perhaps the most important foundation piece in an effective security solution: a sound security policy that identifies who has access to a company’s electronic resources, and under what circumstances they have access. As a result, security policies are almost nonexistent in some companies and clearly defined in others. For example, the use of stateless filters means that the organization is relying on defaults set by the vendor of the security package, whereas the use of state-maintaining filters means the organization is actively ensuring that certain types of activity or patterns are reviewed to prevent possible intrusion or loss. Security policies fall along a continuum that ranges from promiscuous at one end to paranoid at the other. The promiscuous policy allows unchecked access between the Internet and the organization’s internal network to everyone. The paranoid policy refuses access between these two networks to everyone. In between are two more palatable alternatives, the permissive policy and the prudent policy.

The permissive policy allows all traffic to flow between the internal network and the Internet except that which is explicitly disallowed. Permissive policies are implemented through packet-filtering gateways, where stateless filters prevent individual packets of data from crossing the network boundary if the packet is coming from or going to a specific computer, network, or network port. There are two major drawbacks to a permissive policy, however. First, it requires an exhaustive set of filters to cover all possible addresses and ports that should be denied access. Second, it is virtually impossible to block certain undesirable packets without also blocking other desirable and necessary packets, because network protocols are dynamic and often change network port numbers, depending on the protocol state. A prudent policy, on the other hand, selectively allows traffic that is explicitly allowed by the protocol and excludes any other. Prudent policies are implemented by a set of application proxies that understand the underlying application protocol and can implement a set of state-maintaining filters that allow specific application data to pass from one network to the next. Because the filters can follow the state of the protocol, they can change dynamically when the protocol changes state. This way, rules allow only properly authorized data to flow across the network boundary. Prudent policies are implemented through application proxy firewalls. Because prudent and permissive policies are enforced at the network boundary, they are referred to as perimeter security solutions. Once a company selects the appropriate security policy, the policy can be implemented according to a strict set of procedures with the support of software systems.
These security procedures, which include a documented set of rules governing the management and administration of the security system and its generated events, record a trail of all modifications to the security system (auditing) and set off alarms when someone attempts to violate the policies. Properly followed, they protect an organization from all types of security violations, including accidental administrative mistakes, human factor attacks (i.e., attacks that exploit people’s characteristics), and unauthorized modifications to the security policy. To reduce the risk of “inside” break-ins, many companies also require a background check of security systems personnel, and separate security management from auditing to prevent an administrator from altering the audit of management actions.

Internet Firewalls

Internet application proxy firewalls are a prudent perimeter security solution. These systems sit between the Internet and the organization’s internal network, and control the traffic flow between the Internet and a company’s internal resources. A firewall provides application proxies for most popular Internet applications, as well as support for a more restrictive prudent policy. This policy might restrict the establishment of network connections from within the company outward to the Internet. In addition, rather than forwarding packets between networks, the firewall can require the application client to establish an application service connection to the firewall. The firewall then maintains the connection with the outside server. The firewall will only pass data for applications that it currently supports, which eliminates most security holes. Security holes created by incorrectly configured computers on the internal network are not visible to the Internet and therefore cannot be exploited by external Internet users. The organization’s own Internet application servers then sit outside the firewall in what is called the demilitarized zone. This eliminates the need for outside traffic to travel through the firewall into the organization’s internal network when it is using Web, FTP, or Telnet services. To maintain the integrity of the perimeter, the firewall must be constantly monitored for potential security breaches. Should a breach occur, an Internet security expert must be available to survey the damage and recommend a solution.

Internet Firewall Configurations

Bastion Host. This is the only host on the customer’s internal network that is visible to the Internet. It has no customer-accessible accounts for logging into the bastion host. Customer communications travel through the bastion host via proxy applications. This is the most secure method of performing perimeter security today. In the popular dual-homed bastion host configuration, the toolkit software is installed on a host with two network interfaces. The toolkit software provides proxy services for common applications like FTP and TELNET, and security for SMTP mail. Since the bastion host is a security-critical network strong point, it is important that the configuration of the software on that system be as secure as possible. Dual-homed gateways provide an appealing firewall, since they are simple to implement, require a minimum of hardware, and can be verified easily. Most Berkeley-based UNIX implementations have a kernel variable, ipforwarding, which can be set to indicate to the operating system that it should not route traffic between networks, even if it is connected to them (which would normally cause the system to act as a gateway router). By completely disabling routing, the administrator can have a high degree of confidence that any traffic between the protected network and any untrusted network has to occur through an application that is running on the firewall. Since there is no traffic transferred directly between the internal network and the untrusted network, it is not necessary to show any routes to the protected network over the untrusted network. This effectively renders the protected network invisible to any systems except the bastion host. The only disadvantage of this type of firewall is that it implicitly provides a firewall of the type in which that which is not expressly permitted is prohibited. This means that it is impossible to weaken the firewall’s security to let a service through should one later decide to do so. Instead, all services must be supported via proxies on the firewall.

Choke Router/Screened Host. The choke router reinforces the bastion host, enforces security policy, and isolates the internal network from the Internet. A screened host gateway relies on a router with some form of packet screening capacity to block off access between the protected network and the untrusted network. A single host is identified as a bastion host, and traffic is permitted only to that host. The software suite that is run on the bastion host is similar to a dual-homed gateway; the system must be as secure as possible, as it is the focal point for attack on the network. Screened host gateways are a very flexible solution, since they offer the opportunity to selectively permit traffic through the screening router for applications that are considered trustworthy, or between mutually trusted networks. The disadvantage of this configuration is that there are now two critical security systems in effect: the bastion host and the router. If the router has access control lists that permit certain services through, the firewall administrator has to manage an additional point of complexity. Verifying the correctness of a screened host firewall is a bit more difficult, and it becomes increasingly difficult as the number of services permitted through the router grows.
Screened host firewalls also introduce management risks; because it is possible to open holes in the firewall for special applications or influential users, the firewall administrator must be careful to resist pressure to modify the screening rules in the router. In a screened subnet firewall, a small isolated network is placed between the trusted network and the untrusted network. Screening rules in routers protect access to this network by restricting traffic so that both networks can only reach hosts on the screened subnet. Conceptually, this is the dual-homed gateway approach applied to an entire network. The main utility of this approach is that it permits multiple hosts to exist on the outside network (again referred to as the demilitarized zone). An additional advantage of the screened subnet is that the firewall administrator can configure network routing in a way that does not advertise routes to the private network from the Internet, or internal routes to the Internet. This is a powerful means to protect a large private network, since it becomes very difficult for an outsider to direct traffic toward the hidden private network. If the routing is blocked, then all traffic must pass through an application on the bastion host, just as it must in the dual-homed gateway.

Firewalls in a Partitioned Network. Not every network is a single, isolated network attached to an untrusted network. As the use of large-scale networks continues to increase, businesses increasingly form business partnerships and transmit sensitive corporate information over public networks. In addition, single corporations seek to establish a common security perimeter among multiple facilities connected over a public backbone. In this type of situation, a business can effectively combine a firewall with network-level encryption hardware (or software) to produce a virtual network with a common security perimeter. A company can establish a common security perimeter between two facilities over a public Wide Area Network (WAN). The encryption is separate from the router, but need not be if integrated encrypting routers are available. Currently, there are several products that act as encrypting bridges at a frame level. These products work by examining the source and destination address of all packets arriving via one interface and retransmitting the packet out via another interface. If the encrypting bridge/router is configured to encrypt traffic to a specific network, the packet data is encrypted, and a new checksum is inserted into the packet header. Once the packet is received at the other end, the peer encrypting bridge/router determines that it is from a network with which the router is encrypting traffic, and decrypts the packet, patches the checksum, and retransmits it. Anyone intercepting traffic between the two encrypting networks would see only useless cipher text. An additional benefit of this approach is that it protects against attempts to inject traffic by spoofing the source network address.
Unless attackers know the cipher key that is in use, their packets will be turned into junk when they go through the encrypting bridge/router. If the encrypting bridge/router gets traffic for a network with which it does not have an encryption arrangement, the traffic is transmitted normally. In this manner, a firewall can be configured with encrypted tunnels to other networks. For example, a company could safely share files via NFS or safely use weakly authenticated network login programs, such as rlogin, over its encrypted link, and still have a strong firewall protecting access between the corporate perimeter and the rest of the world. Two companies that wanted to establish a business connection for proprietary information could apply a similar approach, in which traffic between the firewall bastion host on one corporate network and the firewall bastion host on the other corporate network is automatically encrypted.
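The encrypting bridge behaviour described above, as an added illustration that is not code from the original article: each bridge keeps a table of peer networks it has an encryption arrangement with, encrypts the payload and recomputes the checksum for packets bound to those networks, passes other traffic unchanged, and the peer bridge decrypts and patches the checksum. The cipher is a stand-in assembled from HMAC-SHA256 (a keystream plus an authentication tag, so a spoofed or tampered packet is detected and dropped rather than delivered as junk); addresses, the key and the payloads are constructed sample values, and a real link would use a vetted protocol such as IPsec.

```python
"""Encrypting bridge between two facilities over a public WAN (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

NONCE_LEN, TAG_LEN = 12, 16


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    checksum: int
    payload: bytes
    encrypted: bool = False


def checksum(payload: bytes) -> int:
    """Toy 16-bit checksum standing in for the transport checksum the bridge patches."""
    return sum(payload) & 0xFFFF


def network_of(addr: str) -> str:
    """Constructed /24 prefix match: '10.1.0.7' -> '10.1.0'."""
    return addr.rsplit(".", 1)[0]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks, XORed over data."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptingBridge:
    def __init__(self, peers: dict):
        self.peers = peers  # peer network prefix -> shared key (constructed)

    def forward_out(self, pkt: Packet) -> Packet:
        """Local side -> WAN: encrypt only toward networks in the peer table."""
        key = self.peers.get(network_of(pkt.dst))
        if key is None:
            return pkt  # no arrangement: transmit normally
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _xor_stream(key, nonce, pkt.payload)
        body += hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        return replace(pkt, payload=body, checksum=checksum(body), encrypted=True)

    def forward_in(self, pkt: Packet):
        """WAN -> local side: verify and decrypt anything claiming a peer source.

        Returns None when the tag does not check out, i.e. the packet was not
        produced by the peer bridge (spoofed source address, tampering, no key).
        """
        key = self.peers.get(network_of(pkt.src))
        if key is None:
            return pkt
        if len(pkt.payload) < NONCE_LEN + TAG_LEN:
            return None
        body, tag = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        plain = _xor_stream(key, body[:NONCE_LEN], body[NONCE_LEN:])
        return replace(pkt, payload=plain, checksum=checksum(plain), encrypted=False)


def demo():
    """Two facilities sharing one key, plus a spoofed injection from outside."""
    key_ab = b"constructed-shared-key-A-B"
    bridge_a = EncryptingBridge({"10.2.0": key_ab})
    bridge_b = EncryptingBridge({"10.1.0": key_ab})
    msg = b"NFS READ /export/payroll"
    wire = bridge_a.forward_out(Packet("10.1.0.7", "10.2.0.9", checksum(msg), msg))
    delivered = bridge_b.forward_in(wire)
    # An outsider injects a plaintext packet with a forged 10.1.0.x source address.
    forged = b"forged payroll update"
    rejected = bridge_b.forward_in(Packet("10.1.0.7", "10.2.0.9", checksum(forged), forged))
    # Traffic to a network with no arrangement is transmitted unchanged.
    plain = b"GET / HTTP/1.0"
    untouched = bridge_a.forward_out(Packet("10.1.0.7", "192.0.2.4", checksum(plain), plain))
    return wire, delivered, rejected, untouched


if __name__ == "__main__":
    wire, delivered, rejected, untouched = demo()
    print("on the wire:", wire.payload.hex())
    print("delivered:  ", delivered.payload, "rejected forged:", rejected is None)
```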

PRACTICAL WEB SECURITY SOLUTIONS

Thus, it is easy to see that businesses need not be intimidated into bypassing the opportunities available to them on the Internet. Several security solutions exist immediately to reduce or remove the risk involved in connecting to the Internet. We list and summarize a few of them:

A Back Door Connection

This method connects the Internet server (Web server, List server, etc.) to other company computer systems through a dial-up link, which is not made available anywhere on the Internet. A back door data transfer method might include setting up a program like ProComm Plus (by Datastorm) on a computer connected to the Web Server. The company’s other computer systems then periodically dial into that back door computer via ProComm to upload files that are then imported to the Web server’s database via a custom import program. This same method works well for sending order or questionnaire data in batches from a Web server to other computers within the company. In using this approach, the communications lines between the company’s computers and its Internet presence are severed most of the time. Even when the link is established between computers, it does not use an insecure network protocol like TCP/IP, which is easy for hackers to penetrate. This prevents Internet hackers from drilling through to vital company systems and information.

A Network Firewall

A network firewall connects the Internet server into the company’s existing computer network system via a permanent firewall router. Firewall routers are sold by a growing number of network hardware and software companies. They serve as a security barrier between network systems. By placing such a barrier between the company’s Web server and the rest of the company’s network, a network administrator can restrict the flow of network data packets between these segments. The firewall could restrict all inbound packets to those generated by the Web server itself; thus only the Web server can access internal information. A good hacker can get through a firewall, although attempting to gain access beyond the firewall would require the use of sophisticated IP source-address spoofing techniques. These techniques fool the firewall into believing that the hacker’s connection has the same network address as the Web server or some other privileged user. At this point, the hacker would need sufficient motivation to expend the effort and time to get through. Any time a company plans to connect its in-house computer network directly to an Internet server, a firewall should be used to deter casual hacking and other less malicious security risks.
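The difference between the permissive and prudent policies described under Security Policies and Procedures, and the packet-restricting firewall router described here, as an added illustration that is not code from the original article: it replays an active-mode FTP session, in which the client announces a data port with PORT and the server then opens an inbound connection to it, through a stateless filter and through a state-maintaining one. Addresses, ports and the intruder's probe are constructed sample values.

```python
"""Permissive (stateless) versus prudent (state-maintaining) perimeter filters (added example)."""
import re
from dataclasses import dataclass

FTP_CONTROL, FTP_DATA = 21, 20
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


def is_internal(addr: str) -> bool:
    """Constructed: the protected network is 10.0.0.0/8."""
    return addr.startswith("10.")


class PermissiveFilter:
    """Stateless: pass everything except explicitly denied inbound ports.

    Each packet is judged on its own, so two packets to the same port are
    always treated alike, whatever went before them.
    """

    def __init__(self, denied_inbound_ports):
        self.denied_inbound = set(denied_inbound_ports)

    def decide(self, pkt: Packet) -> bool:
        inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
        return not (inbound and pkt.dport in self.denied_inbound)


class PrudentFilter:
    """State-maintaining: deny everything the protocol state has not opened."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_outbound = set(allowed_outbound_ports)
        self.flows = set()     # (client, server, sport, dport) seen outbound
        self.pinholes = set()  # (server, client, data_port) learned from PORT

    def decide(self, pkt: Packet) -> bool:
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        if outbound:
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
            if pkt.dport in self.allowed_outbound or key in self.flows:
                self.flows.add(key)
                self._follow_ftp(pkt)
                return True
            return False
        # Inbound: only a reply to a tracked flow, or the one data connection
        # the control channel announced, and only from that server.
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return True
        return pkt.sport == FTP_DATA and (pkt.src, pkt.dst, pkt.dport) in self.pinholes

    def _follow_ftp(self, pkt: Packet) -> None:
        """A PORT command on the control channel opens exactly one pinhole."""
        if pkt.dport != FTP_CONTROL:
            return
        m = PORT_RE.search(pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            self.pinholes.add((pkt.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def run_scenario(flt) -> dict:
    """Constructed packets: one FTP session plus an intruder's probe and NFS attempt."""
    client, server, intruder = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    packets = {
        # The client announces that it listens on 156*256+67 = 40003 for the data connection.
        "control": Packet(client, server, 40000, FTP_CONTROL, b"PORT 10,0,0,5,156,67\r\n"),
        "control_reply": Packet(server, client, FTP_CONTROL, 40000, b"200 PORT command ok\r\n"),
        "data": Packet(server, client, FTP_DATA, 40003),
        # The intruder imitates the server's source port but not its address.
        "probe": Packet(intruder, client, FTP_DATA, 40003),
        "nfs": Packet(intruder, client, 5555, 2049),
    }
    return {name: flt.decide(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("permissive:", run_scenario(PermissiveFilter({23, 2049})))
    print("prudent:   ", run_scenario(PrudentFilter({21, 80})))
```

The stateless filter admits the intruder's probe along with the legitimate data connection, and denying port 40003 to stop the probe also breaks FTP; the state-maintaining filter admits the data connection only from the server named on the control channel.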

A Pseudo-Firewall

A pseudo-firewall connects the Internet server into the company’s existing computer network system via standard router equipment, but segregates network traffic with different network protocols (e.g., TCP/IP and IPX/SPX). The main security problem on the Internet exists due to certain flaws in the Internet network protocol (TCP/IP). Thus, using a different protocol to connect the company’s internal computers to its Internet server solves this problem. For example, if a company’s Internet server used a Pentium PC running Microsoft Windows NT as its Web server over a leased line connected to an Internet Service Provider, this method would entail running two network protocols on the Web server. The Web server must use TCP/IP to connect to the Internet. Yet, to access information on internal computer networks, that same Web server could be configured to use something else, such as IPX/SPX, which is native to Novell’s Netware. The hacker could spoof the TCP/IP address, but would find no other network connections beyond the Web server. This method is not proven to work more effectively than a firewall. However, its appeal is that it can provide a similar level of security to a firewall router, at lower cost. Our discussion now moves to the application language, Java, and the risks and opportunities it provides to organizational computing.

JAVA RISK ISSUES

Another area for management review in corporate use of the World Wide Web is the use of Java. Java is an object-oriented programming language in which small programs (called applets) can be compiled and run on any computing platform. Within an internal intranet, applets could deliver software and data to client workstations only as needed. The applet would only need to include the functions of a software application and the data that the client needed to accomplish a specific task. Thus, corporations could save on software licenses and workstation computing power across the enterprise. On the Internet, Java applets are downloaded by the client from a server on the Internet. However, many individuals fear the destructive potential of Java applets from unknown sources. Current browsers allow users to refuse Java applets or accept them only from trusted sources. Although Java provides benefits and cost-effective measures to a corporation, the current versions of Java are not mature enough to satisfy the needs of corporate security. Java may be fine for building Windows applets, but it is not yet a real tool for mission-critical programs that draw on legacy data. The earlier Java tools provided weak data validation and relied too heavily on object linking and embedding (OLE). These older Java tools were geared too much towards Windows and often lacked some of the key features, such as debuggers and compilers, that are essential in a workbench. Recent studies by universities and private industry groups have identified three areas that pose the most significant risks to Java applications: (1) the lack of audit trails, (2) the variances between Java language and bytecode semantics, and (3) deficiencies in the design of the language and bytecode format and the input/output object classes. Presently, the Java environment does not provide a standard or default mechanism to produce audit trails. The developer must customize all verification into the application. Java needs built-in accountability functions to maintain protected and selective auditing information, much like an audit log, which identifies the parties responsible for various actions performed on the computer. Users also need to understand that they do not control a Java applet once it is downloaded into the local environment. For example, users may not necessarily know that an applet has been downloaded or may not have information on how many applets are in operation, unless they set up adequate security on their Internet browsers. A common form of malicious applet can continue running on the client and force the user to restart the system. There are other security problems as well. Today, compiled languages such as C or Ada can produce bytecode that looks like Java bytecode to the verifier. If the verifier erroneously accepts the non-Java bytecode, it is unlikely to follow Java’s language restrictions and it may allow illegal operations to be performed. For example, a hostile applet could be used to create a classloader containing unacceptable statements. The classloader, which is responsible for defining the namespace seen by other classes, could then allow the attacking applet to customize the user’s computer environment.
Finally, from an IS audit standpoint, Java input/output object classes are public. Even though this feature improves the usefulness of Java, it provides hackers with a way to deliver damage. This major weakness of Java makes the use of audit tools critical to safe use of Java programs. For the average corporate IS developer, accustomed to Visual Basic and similar drag-and-drop development tools, the early Java environments seemed to take two steps backwards. Therefore, Java’s competitors took advantage of this weakness and prepared a second generation of Java toolsets to resolve some of the weaknesses of the Java programming language. These tools were intended to give corporate IS developers the same warm, fuzzy feeling of confidence they get from other visual development environments. Corporate IS developers want to build Web applications for the long term. Many corporate and government IS departments are caught up in testing new Web-based development technologies, primarily centered on Java-based development. These include tools such as Visix’s-eleven, and emerging technologies such as remote method invocation (RMI) and object serialization. One of the documented weaknesses that most toolsets do not redress is Sun’s implementation of the Abstract Window Toolkit for building user interface features. Developers are still working to resolve this problem.

JAVA SECURITY IMPROVEMENTS

Java has additional shortcomings in the area of security. Most companies that use Java will not yet use it for security-sensitive data because it lacks the necessary security functions. Development experts describe the programming language as “a few cups short of a full pot.” Unresolved issues revolve around database access, security, bi-directional communication, and the way in which Java handles compound documents. Sun Microsystems has several initiatives to make Java more suitable for utilizing security-sensitive data. These include creation of several API programs for encryption, digital signatures, authentication, and support for a key management system. The latest version of the Java tools addresses many concerns by offering:

• Strong memory protection. Java applications and applets cannot gain unauthorized memory access to read or change accounts because Java removes the possibility of either maliciously or inadvertently reading and/or corrupting memory locations outside the boundaries of the programs.
• Encryption and signatures. Java uses powerful encryption technology to verify that an applet came from an authorized source and has not been modified.
• Rules enforcement. Java objects and classes make it simple to represent corporate information entities, and the rules governing their use are embedded within the objects themselves. The result is that the introduction of ad hoc access and manipulation methods can be controlled.
• Runtime code verification. The Java run-time verification system inspects all code for viruses and tampering before running it, ensuring that all applications and applets downloaded to the client do not violate the integrity of the environment.

Even with these improvements, there is no singular approach to solve the major concerns with Java. Recently, Microsoft Corporation and Netscape announced a security plan, which includes a series of security techniques for forthcoming products.
These include ways to verify authorship, improvements to proxy servers and firewalls, and an information database on the security status of Java applets. However, the continued competition between Microsoft and other companies over definition of Java language standards may not be doing much to contribute to the development of a mature, stable Java programming language.

CONCLUSIONS

For CIOs and CEOs, the new millennium promises many exciting opportunities and risks in information technology. As unsettling and unnerving as many of these changes are, managers must employ common sense and informed business judgment to understand both risks and benefits. We have attempted to provide an overview of Web and Java security issues facing business today. We understand the technical complexities and encourage decision-makers to carefully weigh the investment in security against the potential risks. We also reiterate that there are answers and solutions for many of the security issues we discuss. Effective measures exist to protect both access security and transaction security over the Internet. As improvements are made to Java and as the programming language matures, we can also expect that it will incorporate more and better security measures, because Java language developers realize that security is critical to the acceptance and success of the language. Java provides an entirely new kind of cross-platform computing environment that can be used to integrate and work with an organization’s existing systems and networks. As Java matures, it may well replace costlier, less efficient elements in existing computing systems and make feasible the continued use of existing legacy systems. This is especially important today, when multiple incompatible platforms and legacy systems are typical in global corporate and private information systems infrastructures. The Web and Java hold great promise for organizations that want to integrate their existing, incompatible applications and make them available through one common user interface, an Internet browser. Web platforms and application platforms are incredibly complex and resource-intensive, expensive to buy and maintain, and costly to update or expand.
But, as troublesome as these existing systems may be, the CEO and CIO have to consider whether they can afford to scrap huge corporate investments in existing information systems. It is very costly to replace systems, convert databases that contain invaluable information, and retrain workers in new computing environments and techniques. Throughout the business and personal computing world, industry leaders, software vendors, and software developers are showing utmost support for Java, the programming language that they believe will transcend all barriers. Most business organizations will benefit by using adaptable application architecture. This new technology can save a company millions of corporate dollars per fiscal year on hardware, software, and systems development by converting a “custom fat client” into a “thin client.”

While Web technology and Java are still somewhat immature, there is no doubt that they are here to stay. Major software developers continue to give credence to Java’s future, and have addressed user concerns by announcing plans to embed Java in future versions of their operating systems. As other higher-order tools are built up around it, Java should become one of the best enablers on the market. Those higher order tools are on their way to the marketplace now, so sit tight, and be prepared to embrace the Web and the Java revolution.

Louise L. Soe, Ph.D., is an Associate Professor of Computer Information Systems at California State Polytechnic University, Pomona. She received her Ph.D. from UCLA and has worked in and studied the IS field for more than 15 years. She has spoken and written extensively on Internet and Web development topics, and presently is the advisor for the Interactive Web Development career track. Frederick Gallegos, CISA, CDE, CGFM, is the MSBA-IS Audit Advisor and a faculty member of the Computer Information Systems Department of California State Polytechnic University, Pomona. He has more than 25 years of industry experience in the Information Systems Audit, Security and Control field. He has more than 20 years of teaching in this field at the academic and professional level and has published two books and more than 120 articles in the IS field.