Servers awaiting connections may be eligible to run at multiple levels; when the connection is instantiated, however, the process must be forced to the level of the connection request packet. IP also makes use of the security option [50]. A packet may not be sent over a link with a lower clearance level. If a link is rated for Secret traffic, it may carry Unclassified or Confidential traffic, but it may not carry Top Secret data. Thus, the security option constrains routing decisions. The security level of a link depends on its inherent characteristics, the strength of any encryption algorithms used, the security levels of the hosts on that network, and even the location of the facility. For example, an Ethernet cable located in a submarine is much more secure than if the same cable were running through a dormitory room in a university.
Several points follow from these constraints. First, TCP-level attacks can only achieve penetration at the level of the attacker. That is, an attacker at the Unclassified level could only achieve Unclassified privileges on the target system, regardless of which network attack was used.¹¹ Incoming packets with an invalid security marking would be rejected by the gateways.
Attacks based on any form of source-address authentication should be rejected as well. The Orange Book requires that systems provide secure means of identification and authentication; as we have shown, simple reliance on the IP address is not adequate. As of the B1 level, authentication information must be protected by cryptographic checksums when transmitted from machine to machine.¹²
The authentication server is still problematic; it can be spoofed by a sequence number attack, especially if netstat is available. This sort of attack could easily be combined with source routing for full interactive access. Again, cryptographic checksums would add significant strength.
B1-level systems are not automatically immune from routing attacks; RIP-spoofing could corrupt their routing tables just as easily. As seen, that would allow an intruder to capture passwords, perhaps even some used on other trusted systems. To be sure, the initial penetration is still restricted by the security labelling, but that may not block future logins captured by these means.
Routing attacks can also be used for denial of service. Specifically, if the route to a secure destination is changed to require use of an insecure link, the two hosts will not be able to communicate. This change would probably be detected rather quickly, though, since the gateway that noticed the misrouted packet would flag it as a security problem.
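The routing constraint imposed by the security option (a link may carry only traffic that its clearance dominates) and the misrouting denial of service just described, as an added Python model that is not from the paper: the four level names are the text's, while the Link class, the topology and the choose_route/forward functions are constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security levels from lowest to highest; a link's clearance "dominates" a
# packet's label when it is the same level or higher.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Link:
    name: str
    clearance: str  # highest level of traffic this link is rated to carry
    metric: int     # ordinary routing cost; lower is preferred


def may_carry(link: Link, packet_level: str) -> bool:
    """A packet may only traverse a link whose clearance dominates its label."""
    return RANK[link.clearance] >= RANK[packet_level]


def choose_route(candidates: List[Link], packet_level: str) -> Optional[Link]:
    """Cheapest candidate link cleared for the packet, or None if none is."""
    eligible = [link for link in candidates if may_carry(link, packet_level)]
    return min(eligible, key=lambda link: link.metric) if eligible else None


def forward(routes: Dict[str, List[Link]], dest: str, packet_level: str) -> str:
    """Gateway decision for one packet: outgoing link name, or a flagged reason.

    A marking outside the lattice is rejected outright; a packet whose only
    routes run over under-cleared links is dropped and flagged, which is how
    the misrouting denial of service surfaces at the gateway.
    """
    if packet_level not in RANK:
        return f"REJECT: invalid security marking {packet_level!r}"
    link = choose_route(routes.get(dest, []), packet_level)
    if link is None:
        return f"DROP+FLAG: no link cleared for {packet_level} traffic to {dest}"
    return link.name


if __name__ == "__main__":
    # Constructed topology: a link in a physically protected site and a cheap
    # link through an unprotected one (the paper's submarine vs. dormitory).
    secure = Link("protected-ether", "Top Secret", metric=10)
    cheap = Link("dorm-ether", "Unclassified", metric=1)
    routes = {"hostA": [secure, cheap]}
    print(forward(routes, "hostA", "Unclassified"))  # dorm-ether
    print(forward(routes, "hostA", "Secret"))        # protected-ether
    # A spoofed routing update removes the cleared path: the hosts cannot
    # talk, but the gateway flags it instead of leaking Secret traffic.
    print(forward({"hostA": [cheap]}, "hostA", "Secret"))  # DROP+FLAG: ...
```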
At the B2 level, secure transmission of routing control information is required. Similar requirements apply to other network control information, such as ICMP packets.
Several attacks we have described rely on data derived from "information servers", such as netstat and finger. While these, if carefully done, may not represent a direct penetration threat in the civilian sense, they are often seen to represent a covert channel that may be used to leak information. Thus, many B-division systems do not implement such servers.
In a practical sense, some of the technical features we have described may not apply in the military world. Administrative rules [51] tend to prohibit risky sorts of interconnections; uncleared personnel are not likely to have even indirect access to systems containing Top Secret data. Such rules are, most likely, an accurate commentary on anyone's ability to validate any computer system of non-trivial size.
8. CONCLUSIONS
Several points are immediately obvious from this analysis. The first, surely, is that in general, relying on the IP source address for authentication is extremely dangerous.¹³ Fortunately, the Internet
__________________
11. We are assuming, of course, that the penetrated system does not have bugs of its own that would allow further access.
12. More precisely, user identification information must be protected to an equal extent with data sensitivity labels. Under certain
circumstances, described in the Red Book, cryptographic checks may be omitted. In general, though, they are required.
13. There are some exceptions to this rule. If the entire network, and all of its components (hosts, gateways, cables, etc.) are
physically protected, and if all of the operating systems are sufficiently secure, there would seem to be little risk.