Path: utzoo!attcan!uunet!dino!ux1.cso.uiuc.edu!brutus.cs.uiuc.edu!zaphod.mps.ohio-state.edu!usc!pollux.usc.edu
From: tsudik@pollux.usc.edu (Gene Tsudik)
Newsgroups: comp.protocols.tcp-ip
Subject: Security services in border GWs (was: Suspicious Secure GW)
Message-ID: <25040@usc.edu>
Date: 1 Jun 90 22:26:43 GMT
Sender: news@usc.edu
Organization: University of Southern California, Los Angeles, CA
Lines: 47

The inadequacies of the gateway-based filtering have been discussed in
a number of recent messages. To sum things up, it was pointed out (by
Phil Karn) that "..there is no substitute for each individual taking the
responsibility for his own local domain...".

It is hard to disagree with this point of view. However, the argument was
in the context of end-system protection. It is both inadequate and
inappropriate for a gateway to protect hosts that are subject to the
outside exposure. Instead, these hosts should be able to protect themselves.

However, another important issue is the protection of network resources
other than the end-systems. This includes internal gateways, bridges and
links. It is obviously undesirable to have unauthorized external traffic
interfere with local traffic. This is why internal network resources should
be protected from unauthorized use. Note that simply detecting bad packets
at the end-systems is inadequate since by the time unauthorized traffic
reaches an end-system, it has already consumed internal network resources.
So, if protection of network resources is desired, border GWs need to check
incoming packets for i) authenticity, ii) data integrity, and iii) replay.

Furthermore, when an organization connects to an internet, more often than
not, only a small number of select end-systems are exposed. Should all other
strictly-internal end-systems be expected to implement adequate security
measures? The answer is dependent on one's "religion". If one subscribes to
Phil Karn's point of view, there should be no such things as "unprotected"
end-systems in the first place. Alternatively, if there is a need to preclude
any kind of external access to strictly-internal end-systems, border
gateway-based mechanisms can be employed to restrict incoming traffic to only
exposed end-systems. This can be done with complete transparency to the
internal (unprotected) end-systems.

Note that an intruder can still use the exposed end-systems as a conduit
for accessing the internal systems. However, using Phil Karn's argument
above, the exposed end-systems should ensure that this doesn't happen.

In summary, end-system controls are inadequate for protecting internal
network resources. To control access to such resources, border gateways
need to implement appropriate security mechanisms.

Gene Tsudik and Deborah Estrin
Computer Networks and Distributed Systems Laboratory
Computer Science Department
University of Southern California
Los Angeles, Ca
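
The checks named in the post (authenticity, data integrity, replay, and restricting inbound traffic to exposed end-systems), sketched as an added example that is not part of the original post. The mechanisms are assumptions chosen for illustration: an HMAC-SHA256 tag per packet, a sliding sequence-number window, and hypothetical names (`BorderGateway`, `seal`, `EXPOSED_HOSTS`, `PEER_KEYS`) with constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only (assumptions, not from the post).
EXPOSED_HOSTS = {"10.0.0.5"}                     # the few externally reachable end-systems
PEER_KEYS = {"peer-a": b"constructed-demo-key"}  # per-peer shared secrets
WINDOW = 64                                      # anti-replay window, in sequence numbers


def seal(peer, seq, dst, payload):
    """Sender side: bind peer, sequence number, destination and payload under one MAC."""
    body = struct.pack("!Q", seq) + dst.encode() + b"\0" + payload
    tag = hmac.new(PEER_KEYS[peer], peer.encode() + b"\0" + body, hashlib.sha256).digest()
    return body + tag


class BorderGateway:
    def __init__(self):
        self.highest = {}  # peer -> highest sequence number forwarded
        self.seen = {}     # peer -> forwarded sequence numbers still inside the window

    def admit(self, peer, packet):
        """Return (forward?, reason); rejected packets never reach internal links."""
        key = PEER_KEYS.get(peer)
        if key is None or len(packet) < 8 + 32:
            return False, "unauthenticated"
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(key, peer.encode() + b"\0" + body, hashlib.sha256).digest()
        # i) authenticity and ii) integrity: constant-time MAC comparison.
        if not hmac.compare_digest(tag, expected):
            return False, "bad-mac"
        seq = struct.unpack("!Q", body[:8])[0]
        dst = body[8:].split(b"\0", 1)[0].decode("ascii", "replace")
        top = self.highest.get(peer, -1)
        seen = self.seen.setdefault(peer, set())
        # iii) replay: reject duplicates and anything older than the window.
        if seq in seen or seq <= top - WINDOW:
            return False, "replay"
        # Only exposed end-systems are reachable from outside.
        if dst not in EXPOSED_HOSTS:
            return False, "internal-only-destination"
        seen.add(seq)
        self.highest[peer] = max(top, seq)
        seen.difference_update({s for s in seen if s <= self.highest[peer] - WINDOW})
        return True, "forward"
```
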