Inverting the Desktop Computer Network Paradigm -- Draft

This document provides a brief explanation of some computer networking terms and then considers the strengths and weaknesses of CAS' current desktop computer methodology. It presents, hopefully in practical terms, why we should consider inverting our current desktop network paradigm, and the respective strengths and weaknesses of that path.

Technical Background

Understanding the basic terms that follow, in the order presented, should aid you in understanding this document.
Server
Similar to library staff, servers provide you with various services. For example, a library provides services such as reference desks, circulation, etc. On a computer, servers use software to provide services, typically (but not necessarily) on a network. A network contains servers, but servers are not the network.
Services
Similar to library services, services enable you to access data in various ways. In a library, you may get and manipulate information using the microfiche, copiers, books, etc. Similarly, a server runs various services to enable you to manipulate information (data). For example, most CAS desktop computers use data storage services (the H:, R:, and/or S: drives where you put files), network print services (to print to a shared department printer), and web services (to access EIS). Depending on the task, a service may or may not open a network port to communicate with other computers.
(Network) Ports
The Latin stem "port" represents a way into something (e.g., gate, entrance, ship harbor, etc.). On desktop computers, we use the stem "port" in a similar fashion. Some services open network ports (similar to opening a gate) to send and receive information. Like your home's "front" and "back" door, we conventionally reserve some names for "well known" ports (the IANA oversees assigning port numbers, http://www.iana.org/assignments/port-numbers).
Applications (aka Programs, Clients, Client Software)
Applications use the server services. In the library analogy above, you could consider the customer using the service an "application" (or client) of the card catalog service provided by the library (which you could consider a server).
Network
Similar to a network of roads and bridges, a computer network consists of many communication pathways connecting one network device to another network device. We use the word "device" in this case because networks contain more than just computers. However, for this document's focus, you may consider all these devices as computers.

NB: Frequently, people confuse the terms "network" and "server." For example, some people say "I can't login to the network," when they really mean they cannot login to a server (or service) on the network.

Protocol
Similar to etiquette protocols (such as shaking hands or bowing when you meet others), computers communicate with each other using protocols with names such as "TCP" and "UDP." For the purposes of this document, do not concern yourself with what the acronyms "TCP" and "UDP" represent. Spend your time better by understanding that each Internet communication uses "TCP" or "UDP" and that those protocols represent different language types that share the same language root. This idea is similar to understanding that, while different in many respects, languages like Spanish and Romanian share common "Romance" language roots.
Firewall
A firewall provides a very special service. Think of a firewall as a border checkpoint where each person going past must be authorized before going to/from another location. Firewalls work by monitoring the protocols flowing to/from network ports.

NB: Contrary to popular belief, UNT does not currently have a firewall. The way UNT currently responds to security threats is to modify our campus communication system to prevent the flow of that specific threat. While conceptually acting like a firewall, this solution lacks the sophistication of a true firewall solution, and also poses its own hazards, since a mistake could cause substantially more problems.

Desktop Computer (aka workstation)
Most customers typically use desktop computers to perform their day-to-day work. Although desktop computers provide some of their own services (file and printing, for example), they only use those services for the benefit of the user, and not other network clients.
Understanding the above terms should help you understand our current desktop computer network paradigm.

Current Desktop Computer Network Paradigm

In the past, for a variety of reasons, most campuses did not need to concern themselves with many security issues. I suspect this stems from the long-established culture of openness and information sharing we enjoy in academia. Because of this, CAS deploys desktop computers enabling people to do as much as they possibly can with as little interference from CAS as possible. That also includes leaving 131,070 network ports, across two Internet protocols (65,535 TCP and 65,535 UDP ports), open for use on every desktop computer. Another analogy may help you realize this idea.

For the purposes of this document, I ask you to consider a gated neighborhood community. Consider the main gate into the community as the community's firewall (in our network's case, the campus "firewall"). The main gate allows everybody through unless they identify the person (or persons) as known troublemakers. Consider that each home (including yours) in the community may have a maximum of 131,070 doors (in our case, "ports"), which may or may not be in use at any given time (depending on what "services" your home ("server") provides) by anyone inside the home. That fairly accurately depicts our campus network.

Unfortunately, there are some bad people in the world and we can't keep track of them all. Fairly frequently in your gated community, some heretofore unknown bad person gets past the main gate and into your community. Once inside, the bad person may then pick any and/or every house and set up their own service. They may start a video service and distribute illegal copies of recently released movies. Maybe they just want to provide a safe haven for other bad people to come and stay. Maybe they want to recruit a bunch of homes for their army in hopes of launching a concurrent, scheduled attack on some other home in some other neighborhood (what network administrators call a "distributed denial of service" attack, or DDoS).

Because you only enter your home through the front door, you never know that these people have set up those services, or are even staying in your house, until something unusual happens.

Whenever intruders (viruses, worms, hackers) compromise our systems, computing support staff attempt to identify how the exploit happened. As hackers modify the virus/worm software, computing support staff must identify additional things to turn off to limit the problem's scope. This approach squarely places computing support staff in a reactive mode, and establishes our current desktop network paradigm (in priority order):

  1. By default, leave all ports open.
  2. Block traffic to/from only specific ports we don't want.

Inverting the Desktop Computer Network Paradigm

There is no way to prevent security compromises. Like terrorism or natural disasters, they are a part of computing culture. However, we can take reasonable steps to limit the destruction's scope. Let's consider inverting our desktop network paradigm so it looks like the following (in priority order):

  1. By default, block all network ports.
  2. Allow traffic to/from only the specific protocols/ports we do want.

The strength of this model comes mostly from a general computing concept called the "principle of least privilege," which is typically attributed to work done by Saltzer and Schroeder:
"Every program and every user of the system should operate using the least set of privileges necessary to complete the job."
— Saltzer and Schroeder, The protection of information in computer systems
With this model, it doesn't matter if someone gets by the main gate ("firewall") because every home only has specific doors ("ports") available for ingress and egress. Can someone break into the open doors? Yes. Do we expect customers to be more likely to notice that a home invasion (compromise) happened? Yes, because the known-good doors are known-good precisely because someone in the college is significantly more likely to use them on a regular basis. Additionally, as mobile computing becomes more ubiquitous (IBM sales claim notebook computer sales surpassed desktop computer sales this year), we expect more computers to run outside of the campus firewall. Finally, the primary difference is that this model actively blocks unused ports, making the hacker's job more difficult and subsequent success less likely.

The problem with this model is that it will break things (even if only temporarily). The diversity in our college demands many different types of network access, and computing support staff do not pretend to know all the different ways people currently use the network. Even if we "sniffed" the network to see what applications people typically use, it would not help us determine whether or not an application was legitimate.

Frequently Asked Questions

Why not just have a campus firewall?
Firewalls are good at keeping things out. Once something gets behind the firewall, though, the firewall does you no good. For example, different weaknesses found in both Internet Explorer and Netscape last year enabled hackers to compromise computers when people visited innocuous-looking web sites. Visiting web sites is a necessary job function for most customers, so we can't block that action. If each computer behind the campus firewall also blocks its own unused ports, though, that limits the damage's scope.

Additional Unanswered Questions/Considerations

What ports should we open by default?
See the tentative list, which is highly technical, though you may be able to discern a general idea of the things we could make available by default. It was initially built from the UNT wireless network open-port list. Since the UNT wireless network (Eaglenet) was initially built with the "principle of least privilege" in mind, it has already established some feasibility for this approach.
How do customers report issues and at what priority are they resolved?
How fast and how far do we go, and what are the consequences?
  • Status quo
    Leaves us exposed to future attacks similar to the recent worms/hackers. This is mitigated by the recent deployment of a McAfee VirusScan update, which contains some network protocol validation tools.
  • Block ports only on new operating system builds
    May cause some software to fail (even if temporarily). Enable a gradual build-up of the approved port list.
  • Block most ports now
    May cause some software to fail (even if temporarily). Windows 2000 isn't particularly clever in how it blocks ports: a port is primarily "on" or "off," with no concept of which service on which end is initiating the communication.
  • Should we follow suit by specifying which applications may use each protocol/port? Should that be by default or in the future?
    Windows XP software can specify which programs can use various protocols/ports. This makes a hacker's job much more difficult because they must find out the valid programs and then replace them, usually making their presence obvious.
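As an added example (not code from the original draft), the following Python script applies the three desktop policies this document discusses, the current deny-list model, the inverted allow-list model, and the Windows XP-style per-program refinement, to a few constructed inbound connections, including the intruder's rogue service from the gated-community analogy; the port numbers, program names and sample connections are assumptions.

```python
# Added illustration, not code from the original UNT CAS draft: apply the three
# desktop port policies the document discusses to constructed inbound flows.
# Port numbers, program names and flows are assumptions mirroring its scenarios.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str    # "TCP" or "UDP"
    port: int     # destination port on the desktop
    program: str  # executable listening on that port

# Current paradigm: all ports open; block only ports we already know we don't
# want (assumed examples of ports turned off reactively after past worms).
DENY_LIST = {("TCP", 135), ("UDP", 1434)}

# Inverted paradigm: all ports blocked; allow only ports we do want
# (assumed examples: Windows file sharing and remote desktop).
ALLOW_LIST = {("TCP", 139), ("TCP", 445), ("TCP", 3389)}

# Windows XP-style refinement: a port is allowed only for the program expected
# to own it (assumed program names).
ALLOW_BY_PROGRAM = {("TCP", 139): "system", ("TCP", 445): "system",
                    ("TCP", 3389): "svchost.exe"}

def deny_list_policy(f: Flow) -> bool:
    """Allow unless the port is explicitly blocked."""
    return (f.proto, f.port) not in DENY_LIST

def allow_list_policy(f: Flow) -> bool:
    """Block unless the port is explicitly allowed."""
    return (f.proto, f.port) in ALLOW_LIST

def per_program_policy(f: Flow) -> bool:
    """Block unless the port is allowed AND the expected program owns it."""
    return ALLOW_BY_PROGRAM.get((f.proto, f.port)) == f.program

def evaluate(policy, flows):
    """Map each flow's port to True (permitted) or False (blocked)."""
    return {f.port: policy(f) for f in flows}

# Constructed sample flows: one legitimate, two from an intruder.
SAMPLE_FLOWS = [
    Flow("TCP", 445, "system"),            # legitimate file sharing
    Flow("TCP", 31337, "rogue_ftpd.exe"),  # intruder's new service, unused port
    Flow("TCP", 3389, "backdoor.exe"),     # allowed port, but program replaced
]

if __name__ == "__main__":
    for p in (deny_list_policy, allow_list_policy, per_program_policy):
        print(p.__name__, evaluate(p, SAMPLE_FLOWS))
```

Under the deny list the rogue high-port service is permitted; the allow list blocks it, and only the per-program rule catches a replaced program squatting on an approved port.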

Last updated on Mon Sep 05 16:41:35 Central Standard Time 2005 by Tim Christian(tim@unt.edu)