by Paul Innella
Designing Secure Networks Based on the Software Process Model
last updated April 9, 2001
My graduate professor at Johns Hopkins once told me that software engineering, when compared with civil engineering as a discipline, had progressed no further than the discovery of the right angle. He explained further that there is no silver bullet or panacea available to perfect the "art" of software engineering; rather, it requires a methodology and a process to be successful. Various authorities, including Carnegie Mellon's Software Engineering Institute, agree that the software process model dramatically improves productivity, effectiveness, and overall return on investment. Advancements in software engineering have come about mainly as a result of the introduction of the software process model, or software life cycle.
Network security engineers, following in the wake of software engineers, are scrambling to find their own silver bullet to provide solutions in the network security world. Much like software engineers of old, who mistakenly felt that reusable software and object-oriented design were universal solutions, security engineers are now using firewalls, PKI, smart cards, Kerberos, and intrusion detection tools as universal remedies. They too will learn that network security engineering ultimately requires a process to be effective and complete. Without this process, these perceived solutions are simply patches on the armor of a secure network and not a true defense.
The Principles of Secure Network Design
Prior to developing and implementing a network security process in your environment, several fundamental ideas must be kept in mind. These notions are the foundation of the network security process and are thus crucial to the creation of a secure network. The three principles of confidentiality, integrity, and availability must be part of the development of any secure network. Sound principles, like those of Adequate Protection, Effectiveness, and Easiest Penetration, must be incorporated into the design of the network. In the context of a secure network process, these terms can be understood as follows:
Ensuring network security is an ongoing task. Due to the increasing number of new threats, network security must be an evolutionary process, the progression and subsequent protection of which will occur in stages. The network must be perpetually monitored and managed to ensure optimal security.
Adapting the Software Process Model to Network Security
In order to completely design and deploy a secure network, the software process model described below must be adapted as a framework for network security. "Network security should be initiated at the beginning of a network design and development process and be managed throughout the life cycle." [SHA94] There are eight generic phases in the software process model, beginning with the Systems Requirements Phase and progressing to the end of the life cycle. Each of these phases is described below, along with the role of network security within each stage.
Phase 1: Systems Requirements
The systems requirements phase consists of recognizing the security needs of your network and defining the goals for addressing those needs. When predicting the effect of addressing the identified needs, be sure to use the preliminary network security measures, which include:
Also, while focusing on the principle of adequate protection, network designers must decide whether the need for an increased level of network security exists and is practical. "The application of network security policies, procedures, and countermeasures should be driven by defined and quantifiable needs." [SHA94]
Phase 2: Concept Formulation
This phase entails considering the different methods of attaining the goals that were identified in the systems requirements phase. Positive and negative aspects of each possible plan of attack must be determined. While deciding, network developers must analyze different methods for integration into the network security solution such as the ISO's OSI standard. Finally, the chosen course of action should be transformed into a detailed plan for providing security across your network. The strategy produced at this time will detail how the remaining phases will unfold.
Risk analysis is a critical task that occurs during the initial two phases of the process model, revealing important information that will be assimilated into the design of the secure network. As with the software process model, network security design and development requires proper risk analysis before it is complete. "Performing a comprehensive risk analysis with technically qualified security engineers is the most important network security activity." [SHA94]
Risk analysis is divided into three different stages: sensitivity assessment, risk assessment, and economic assessment.
Phase 3: Systems Definition
During this stage, actual system specifications are created that detail the exact operation of the system. Tailored to the needs of developing a secure network, this phase describes the behavior of the network under any foreseeable circumstances. Using the information gathered from risk analysis, network designers must also predict the network's behavior in scenarios that were not anticipated. Based upon the information collected in the previous stages and the system specifications produced here, designers must decide whether to proceed with or discontinue the network security development.
Phase 4: Engineering Design
During this phase, the specifications produced in the previous phase will be used to create a design that explains in detail the means by which each specification will be realized. For example, the engineering design should detail how the network would repel a hacker attempting an IP spoof by utilizing circuit-level gateways, a threat whose effect would have been described in the systems definition phase. Actual prototypes and simulations may be developed during this phase to help determine whether or not the design is comprehensive enough to transform into an operational system.
Phase 5: Design Verification
The design must be substantiated in the design verification phase. This phase constitutes a testing period, which will scrutinize the system's usability, security, and sustainability. Using the previous example of the hacker attempting an IP spoof, this stage would test the feasibility or the likelihood of that hacker circumventing the circuit-level gateway. Network designers may elect to discontinue the process if the system is incomplete or vulnerable, or proceed and fully develop the designed secure network.
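To make the engineering design and design verification phases concrete, the following is an added example (it is not code from the original article and it substitutes a different control than the one the author names: the article speaks of circuit-level gateways, while this sketch realizes the anti-spoofing requirement with source-address ingress and egress filtering in the style of RFC 2827). The perimeter rule is written as a function, and the Phase 5 verification step is a table of constructed packets with the verdict the specification demands of each. The site address range, the bogon list, and the `Packet` record are all assumptions made for the example.

```python
"""Hypothetical anti-spoofing perimeter filter plus its design-verification cases.

Phase 4 (engineering design): filter_packet() realizes the specification
"no packet with a forged source address crosses the perimeter".
Phase 5 (design verification): verify_design() runs the spoof cases the
specification anticipated and reports any that the design lets through.
All addresses below are constructed from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: the protected site owns 192.0.2.0/24 (assumption).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that must never arrive from the Internet, whatever the site owns.
BOGON_SOURCES = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    )
]


@dataclass(frozen=True)
class Packet:
    iface: str   # perimeter interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for a packet arriving on a perimeter interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        # Ingress rule: a packet from the Internet may not claim one of our addresses.
        if _in_any(src, INTERNAL_NETS):
            return ("DROP", "ingress spoof: internal source on outside interface")
        if _in_any(src, BOGON_SOURCES):
            return ("DROP", "ingress spoof: private or reserved source")
        return ("ACCEPT", "ingress ok")
    if pkt.iface == "inside":
        # Egress rule: our hosts may not send with addresses we do not own.
        if not _in_any(src, INTERNAL_NETS):
            return ("DROP", "egress spoof: non-local source leaving the site")
        return ("ACCEPT", "egress ok")
    # Fail closed on anything the design did not anticipate.
    return ("DROP", f"unknown interface {pkt.iface!r}")


# Design-verification cases: (constructed packet, verdict the specification requires).
VERIFICATION_CASES = [
    (Packet("outside", "203.0.113.7", "192.0.2.10"), "ACCEPT"),  # legitimate inbound
    (Packet("outside", "192.0.2.55", "192.0.2.10"), "DROP"),     # forged internal source
    (Packet("outside", "10.1.2.3", "192.0.2.10"), "DROP"),       # private source from Internet
    (Packet("inside", "192.0.2.10", "203.0.113.7"), "ACCEPT"),   # legitimate outbound
    (Packet("inside", "198.51.100.9", "203.0.113.7"), "DROP"),   # host impersonating another site
]


def verify_design() -> list[str]:
    """Run every verification case; return the failures (an empty list means the design passed)."""
    failures = []
    for pkt, expected in VERIFICATION_CASES:
        verdict, reason = filter_packet(pkt)
        if verdict != expected:
            failures.append(f"{pkt}: expected {expected}, got {verdict} ({reason})")
    return failures


if __name__ == "__main__":
    problems = verify_design()
    print("design verified" if not problems else "\n".join(problems))
```

The point of keeping the verification table next to the rule is that it becomes the regression suite for Phase 7: when the perimeter is later changed, the same cases are re-run and a regression shows up as a non-empty failure list rather than as a spoofed packet found in production.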
Phase 6: Production and Installation
During this phase, the secure network is installed and prepared to go operational. Prior to flipping the switch, designers will examine the network to see that it still meets all of the objectives laid out in the systems requirements phase. Provided that the previous phases have been completed thoroughly, this phase will be the rewarding stage in which the design and development becomes a reality - the result being a network that can be considered secure. Nevertheless, as stated earlier, the process of securing a network is evolutionary and ongoing and, as such, compels the need for the following phase.
Phase 7: Operations
In the operations phase, network designers and managers will manage the deployed system and focus on identifying any points that need improvement, so that the network remains secure and effective. Using penetration tests and various hacking and intrusion tools, they must continuously challenge the security of the network to find its weak points. Once any of these vulnerabilities are discovered, they must perform the necessary updates to the network. Due to the increasing number of new threats to network security, this process must be continual.
Phase 8: Retirement
Eventually, systems that can no longer benefit from modification or enhancement of their design must be retired. A network that cannot be improved to protect against external threats, for example, must be decommissioned. It is here that the cyclical nature of the process returns to the systems requirements phase to refortify the network and keep it effective.
The process model for software engineering is sound and effective. As an engineering discipline, network security must also institutionalize rigid methodologies and processes in the hope of attaining equally concrete results.
This article has presented the basic tenets of a network security engineering process; it does not identify the vast assortment of alternative tools and methods that must be used to facilitate its success. The purpose has been simply to show that a network security process, as opposed to a point tool, keeps pace with the emergence of new threats. Network security is therefore an evolutionary process, constantly shifting to meet new requirements.
Network security cannot be equated to a simple tool - such as a firewall - any more than software development can be boiled down to just Java. Consequently, security engineers must adhere to the concept that has elevated software engineers to a level at which their art has become a discipline: the process model. Only when network security engineers invoke a process built upon the sound engineering principles from the software process model, and in turn evolve network security into a process, will our networks truly become secure.
[ALE96] Alexander, Michael, The Underground Guide to Computer Security, Addison-Wesley Publishing Company, 1996.
Paul Innella CISSP is the President and CEO of Tetrad Digital Integrity (TDI) LLC, an information security services company in the Washington DC area. Mr. Innella has nearly ten years of experience in the computer industry working at several commercial and government companies serving the role of engineer, developer, integrator, systems administrator, and security architect. He also has a keen understanding of many varying security concepts including PKI, Kerberos, SSO, Strong Authentication, Intrusion Detection, VPNs, and Firewalls.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.