Video Screencast Help

Designing Secure Networks Based on the Software ProcessModel

Created: 08 Apr 2001 • Updated: 03 Nov 2010
Language Translations
Anonymous's picture
0 0 Votes
Login to vote

by Paul Innella

Designing Secure Networks Based on the Software Process Model
by Paul Innella CISSP, Tetrad Digital Integrity LLC
last updated April 9, 2001


My graduate professor at Johns Hopkins once told me that software engineering - when compared with civil engineering as a discipline- had progressed no further than the discovery of the right angle. He explained further that there is no silver bullet or panacea available to perfect the "art" of software engineering; rather, it requires a methodology and a process to be successful. Various authorities, including Carnegie Mellon's Software Engineering Institute, agree that the software process model dramatically improves productivity, effectiveness and overall return on investment. Advancements in software engineering development have come about mainly as a result of the introduction of the software process model, or software lifecycle.

Network security engineers, following in the wake of software engineers, are scrambling to find their own silver bullet to provide solutions in the network security world. Much like software engineers of old, who mistakenly felt that reusable software and object-oriented design were universal solutions, security engineers are now using firewalls, PKI, smart cards, Kerberos, and intrusion detection tools as universal remedies. They too will learn that network security engineering ultimately requires a process to be effective and complete. Without this process, these perceived solutions are simply patches on the armor of a secure network and not a true defense.

The Principles of Secure Network Design

Prior to developing, executing, and implementing a network security process in your environment, several fundamental ideas must be kept in mind. These notions are the foundation for the process of network security and are thus crucial to the creation of a secure network. The three principles of integrity, confidentiality, and availability must be a part of the development of any secure network. Sound principles, like those of Adequate Protection, Effectiveness, and Easiest Penetration must be incorporated into the design of the network. In the context of secure network process, these terms can be understood as follows:

  • The principle of adequate protection means that computers, and the information stored upon or transmitted by them, must be protected to a degree commensurate with their value and the value of that information. Computer items must be protected only until they lose their value and they must be protected to a degree consistent with their value. [PFL97]
  • The principle of effectiveness stipulates that controls that are implemented must be effective in securing the network and its component parts. However, they must be also be efficient, easy to use and appropriate to the size and type of organization in which they operate. [PFL97]
  • The principle of easiest penetration means that it must be assumed that an intruder will attempt to use any available means of penetration. This does not necessarily entail the most obvious means, nor is it necessarily the one against which the most solid defense has been installed. [PFL97]

Ensuring network security is an ongoing task. Due to the increasing number of new threats, network security must be an evolutionary process, the progression and subsequent protection of which will occur in stages. The network must be perpetually monitored and managed to ensure optimal security.

Adapting the Software Process Model to Network Security

In order to completely design and deploy a secure network, the software process model described below must be adapted as a framework for network security. "Network security should be initiated at the beginning of a network design and development process and be managed throughout the life cycle." [SHA94] There are eight generic phases of the software process model beginning with the Systems Requirement Phase and progressing through to the end of the life cycle. Each of these phases will be described further, as will the role of network security within each stage.

Phase 1: Systems Requirements

The systems requirements phase, consists of recognizing the security needs of your network and defining the goals of addressing those needs. When predicting the effect of addressing the identified needs, be sure to use the preliminary network security measures, which include:

  1. assessing the need for and overall level of network security in your environment;
  2. evaluating the dependency on information within your network and determining the level of security necessary to protect that information. This measure, along with step one, will satisfy the principle of adequate protection; and,
  3. measuring any foreseeable weaknesses in the current network, thereby partially fulfilling the principle of easiest penetration.

Also, while focusing on the principle of adequate protection, network designers must decide whether the need for an increased level of network security exists and is practical. "The application of network security policies, procedures, and countermeasures should be driven by defined and quantifiable needs." [SHA94]

Phase 2: Concept Formulation

This phase entails considering the different methods of attaining the goals that were identified in the systems requirements phase. Positive and negative aspects of each possible plan of attack must be determined. While deciding, network developers must analyze different methods for integration into the network security solution such as the ISO's OSI standard. Finally, the chosen course of action should be transformed into a detailed plan for providing security across your network. The strategy produced at this time will detail how the remaining phases will unfold.

Risk Analysis

Risk analysis is a critical task that occurs during the initial two phases of the process model, revealing important information that will be assimilated into the design of the secure network. As with the software process model, network security design and development requires proper risk analysis before it is complete. "Performing a comprehensive risk analysis with technically qualified security engineers is the most important network security activity." [SHA94]

Risk analysis is divided into three different stages: sensitivity assessment, risk assessment, and economic assessment.

  • Sensitivity assessment defines the various needs determined in the systems requirement phase as they relate to the value of your network's assets.
  • Risk assessment is the "most significant activity of the overall risk analysis. It is used to define threats against [the] network, vulnerability of the network, and the risk levels that result from the postulated exploitation of network vulnerabilities by the defined threats against the network." [SHA94] Certain simple inquiries facilitate the assessment of a network's susceptibility to a risk becoming a reality. For example, risks to your network include the lack of a daily backup and disaster recovery plan, anti-virus software, intrusion detection methods, access control software, firewalls, password practices, encryption and strong authentication.
  • Economic assessment approximates the expected value of a loss, in the case that any of the defined risks become a reality and the network's security is compromised.

Phase 3: Systems Definition

During this stage, actual system specifications are created that detail the exact operation of the system. Tailored to meet the needs of developing a secure network, this phase explains the behavior of the network under any foreseeable circumstances. Using the information gathered from risk analysis, network designers must further predict its actions in an unforeseeable scenario. Based upon the information collected in the previous stages and the system specifications designed here, designers must decide to proceed or discontinue the network security development.

Phase 4: Engineering Design

During this phase, the specifications produced in the previous phase will be used to create a design that explains in detail the means by which each specification will be realized. For example, the engineering design should detail how the network would repel a hacker attempting an IP spoof by utilizing circuit-level gateways, a threat whose effect would have been described in the systems definition phase. Actual prototypes and simulations may be developed during this phase to help determine whether or not the design is comprehensive enough to transform into an operational system.

Phase 5: Design Verification

The design must be substantiated in the design verification phase. This phase constitutes a testing period, which will scrutinize the system's usability, security, and sustainability. Using the previous example of the hacker attempting an IP spoof, this stage would test the feasibility or the likelihood of that hacker circumventing the circuit-level gateway. Network designers may elect to discontinue the process if the system is incomplete or vulnerable, or proceed and fully develop the designed secure network.

Phase 6: Production and Installation

During this phase, the secure network is installed and prepared to go operational. Prior to flipping the switch, designers will examine the network to see that it still meets all of the objectives laid out in the systems requirements phase. Provided that the previous phases have been completed thoroughly, this phase will be the rewarding stage in which the design and development becomes a reality - the result being a network that can be considered secure. Nevertheless, as stated earlier, the process of securing a network is evolutionary and ongoing and, as such, compels the need for the following phase.

Phase 7: Operations

In the operations phase, network designers and managers will manage the deployed system and focus on identifying any points that need improvement, so that the network remains secure and effective. Using penetration tests and various hacking and intrusion tools, they must continuously challenge the security of the network to find its weak points. Once any of these vulnerabilities are discovered, they must perform the necessary updates to the network. Due to the increasing number of new threats to network security, this process must be continual.

Phase 8: Retirement

Eventually, systems that can no longer benefit from modifying or enhancing their design must be retired. The network, for example, that cannot be improved to prevent against external threats must be resigned. It is here where the cyclical nature of the process returns to the systems requirements phase to refortify the network and keep it effective.

Conclusion

The process model for software engineering is sound and effective. As an engineering discipline, network security must also institutionalize rigid methodologies and processes in the hope of attaining equally concrete results.

This article has presented the basic tenets of a network security engineering process; it does not identify the vast assortment of alternative tools and methods that must be used to facilitate its success. The purpose has been simply to show that the network security process, as opposed to a point tool, coincides with the creation of new threats. Therefore, network security is an evolutionary process constantly shifting to meet new requirements.

Network security cannot be equated to a simple tool - such as a firewall - any more than software development can be boiled down to just Java. Consequently, security engineers must adhere to the concept that has elevated software engineers to a level at which their art has become a discipline: the process model. Only when network security engineers invoke a process built upon the sound engineering principles from the software process model, and in turn evolve network security into a process, will our networks truly become secure.


References

[ALE96] Alexander, Michael, The Underground Guide to Computer Security, Addison-Wesley Publishing Company, 1996.
[BAR96] Barrett, Daniel J., Bandits on the Information Superhighway, O'Reilly & Associates, Inc., 1996.
[COH95] Cohen, Frederick B., Protection and Security on the Information Superhighway, Johen Wiley & Sons, Inc., 1995.
[KRO92] Krol, Ed, The Whole Internet, O'Reilly & Associates, Inc., 1992.
[PFA97] Pfaffenberger, Bryan, Protect Your Privacy on the Internet, Johen Wiley & Sons, Inc., 1997.
[PFL97] Pfleeger, Charles P., Security in Computing, Prentice Hall PTR, 1997.
[SHA94] Shaffer, Steven L., and Alan R. Simon, Network Security, Academic Press, 1994.
[STA95] Stallings, William, Internet Security Handbook, IDG Books Worldwide, Inc., 1995.
[UDE98] Udell, J., "In Search of SSL Spidering," BYTE, February 1998, pp. 97-100.

Paul Innella CISSP is the President and CEO of Tetrad Digital Integrity (TDI) LLC, an information security services company in the Washington DC area. Mr. Innella has nearly ten years of experience in the computer industry working at several commercial and government companies serving the role of engineer, developer, integrator, systems administrator, and security architect. He also has a keen understanding of many varying security concepts including PKI, Kerberos, SSO, Strong Authentication, Intrusion Detection, VPNs, and Firewalls.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.