An educational and military effort is currently working on a chaos encryption system. This system would operate on the premise that background noise can be used to filter the underlying data stream and that such a technique could thwart hackers even if they knew the data was present. This concept carries over to existing encryption challenges as well.

To Encrypt or Not to Encrypt

One prevalent debate in encryption is whether to encrypt all data or only the important datagrams. In the days of slower encryption engines and processors, this issue was of more importance than it is today.

Also at issue is the concept of marking important data for the hacker—it is much easier for the attacker to locate important data when it is labeled (encrypted). The same argument could be made in a file-cabinet-based system—is it prudent to label the drawer “Top Secret”? The alternative is to encrypt everything from lunch plans to financial statements. Hackers can still try to decrypt the data, but they have an equal chance of getting an order for a pastrami sandwich as they do the blueprint for a new product. Thus, designers and corporations alike have to decide if the performance hit is worth this level of subterfuge.

Another debate in encryption is the security of private media cables. Clearly, a private fiber-optic link is more secure that a copper connection to the Internet, but would a company benefit significantly from encrypting the private fiber? Note Table 11.1, which describes the security risks of private and public fiber-optic and copper cables in descending order.

	Table 11.1 is based on the electrical characteristics of the media. Electrical signals carried on copper cables can be monitored from an external detector, whereas fiber prevents such eavesdropping. Fiber connections can be tapped with an optical splitter, though this requires disrupting the circuit.

Host Security

The majority of host-based security solutions employ the basic tenet of physical isolation. Typically, this places the server in a locked room with limited access.

Unfortunately, many companies augment this security model only with simple passwords and don’t use the network devices—primarily routers—to enhance the security model. This leads to two interesting schools of thought regarding whether the network is a security device. (Ignore firewalls and other applications on the network that provide security; we’re focusing only on the infrastructure in the network, including switches, routers, and hubs.)

One school claims that the network is not a security device. Proponents of this view argue that the network is for the transport of packets and that security is the responsibility of the end station. Conversely, the other school contends that the network is a security device and that routers are to be used as instruments of that policy.

In practice, the real answer to this question generally requires a hybrid of these two schools. This is where most host security models fail—the ideal is to have the host and network work together to provide the most secure solution, but many companies enter into security focused solely on the network and firewalls. From a security perspective, using simple access lists and strong passwords along with giving much consideration to performance will likely yield the best solution.

Of course, one of the risks in data security is developing a solution that impedes productivity. A perfect example of this in the workstation world is the analog modem. Many companies approve the installation of a measured business phone line, not realizing that the employee can use it with remote-control software. The user unintentionally thwarts the security policy by installing a program that can provide a connection via the phone line. Once the attacker controls the machine connected to both the modem and the LAN, they can access corporate resources on the network. This circumvents any protections installed by the network designer or administrator.

Authentication and Authorization

The security triad is composed of three distinct functions: authentication, authorization, and accounting. (The accounting function will be described in the following section.) Authentication and authorization work hand-in-hand to provide the proper parties with the access permitted. Authentication typically includes a user identification and password, though some systems use tokens (something you have and something you know). Token systems are similar to bank ATM cards—I have the card, and I know my PIN. Authorization operates once an individual has been authenticated, and this process defines what may or may not be allowed. For example, you may know the enable password, but your user account will not authorize the use of the enable command.

Together, these methods provide better protection than either one on its own. Newer systems are using voice-print technology and fingerprinting, in addition to optical scanners that image the face or retina. Programs that record the cadence of keystrokes have been around for years—they operate on the premise that everyone types a bit differently than others. So you may know my password is “secret,” but unless you pause between the c and r, the system will not let you in.

It is possible to maintain databases on these devices in order to provide authentication and authorization, but it should be clear that this solution is very limited and will not scale. Two of the more popular centralization systems/protocols used are TACACS+ (Enhanced Terminal Access Controller Access Control System) and RADIUS (Remote Access Dial-In User Service).