Richard Kuhn
The public switched network (PSN) provides services that are essential to U.S. citizens and government agencies alike. Disruption of telecommunications services would clearly represent a serious threat to public safety and security. A 1989 report of the National Research Council (NRC), ``The Growing Vulnerability of the Public Switched Network'' [Cou89], outlined the concerns of the government for maintaining the integrity of the PSN against intruders. A report the following year by the President's National Security Telecommunications Advisory Committee (NSTAC) concluded that ``until there is confidence that strong, comprehensive security programs are in place, the industry should assume that a motivated and resourceful adversary, in one concerted manipulation of the network software, could degrade at least portions of the PSN and monitor or disrupt the telecommunications serving [government] users'' [Cou90]. In addition, outages experienced by telecommunications providers in the recent past have focused the federal government's attention on the need to ensure dependable communications.
In the past, there were relatively few telecommunications providers, and their products were built on proprietary platforms. The Federal Communications Commission's Open Network Architecture (ONA) requirements specify unbundled and equal access to the PSN for Bell Operating Companies and their enhanced services competitors [Com86]. The National Research Council notes that ONA can increase network vulnerability in two ways:
First, ONA increases greatly the number of users who have access to network software. In any given universe of users, some will be hostile. By giving more users access to network software, ONA will open the network to additional hostile users. Second, as more levels of network software are made visible to users for purposes of affording parity of network access, users will learn more about the inner workings of the network software, and those with hostile intent will learn more about how to misuse the network [Cou89, p. 36].
Greater network access is changing the telecommunications industry to one where many third party service providers are building products that must work with products from other companies [Dol88], [Sim88], [SH88]. This new telecommunications environment has been characterized as one with: a large number of features; multi-media, multi-party services; partial knowledge of the feature set by service designers; lower skill and knowledge levels of some service creators; multiple execution environments from different vendors; and distributed intelligence [Dwo91]. As noted in the NRC report, some fraction of those with access to the network must be assumed to be hostile. Those with hostile intent may include employees of telecommunications service providers.
Like most of the computer industry, both the Bell Operating Companies and third party service providers are moving toward use of standards-based, open system products to reduce costs and improve interoperability and portability of their products. For example, one Bell Operating Company is revising its operations center computing support to ``transition the existing networks to use the ISO Open System Interconnection (OSI) based network and the common network services that are independent of specific computing and application environments [bel90].'' Computing systems based on standard interfaces such as OSI are referred to as ``open systems.''
Starting with the ISO OSI and the IEEE POSIX operating system interface standard, a great many open systems standards are appearing, and open systems products are being provided by every major computer vendor. In short, an open system standard is an interface specification to which any vendor can build products [Kuh91]. There are two important points. First, the specification simply defines an interface. For example, although POSIX is derived from UNIX, non-UNIX operating systems such as Digital's VMS can also provide a POSIX interface. Second, the specification is available to any vendor and evolves through a consensus process that is open to the entire industry.
Until now, users were often ``locked in'' to products from a particular vendor because their applications would run only on that vendor's operating system. The move to open systems will reduce this dependence. Application systems will increasingly be built on products from a variety of vendors. But many needed standards are not complete, and some non-standard functions will always be needed because standards must necessarily lag innovations in technology. Organizations must build applications from both standard and non-standard components. In addition, the inherent limitations of software testing make it likely that many ``standard'' components will have subtle incompatibilities.
The term ``open'' thus applies to two different aspects of the telecommunications environment: the FCC's ONA requirements that allow multiple vendors to have equal access to the network; and the open system platforms based on standards, such as POSIX and OSI, that are used in building computer based applications for the new open telecommunications environment. It may be easier for intruders to attack a system whose behavior is standardized and well known, or which shares common flaws with other systems built on the same standards. A Bellcore report found that ``intruders were assisted in their endeavors by the openness and standardization that the telecommunications industry has undergone in the last decade [Klu92].'' Security is thus a vital concern with open systems.
This report was prepared to help service designers use standard, open systems platforms in building security into their software applications. Security in an open system environment may be affected by the need to use both standard and non-standard components, and by the possibility for incompatibilities among products that claim to meet the same standard. The large number of third party service providers whose products must work together may severely complicate efforts to ensure dependability and security of the PSN. Software developers who are challenged with building applications on open system platforms will be faced with questions such as the following:
This report is intended to aid software developers who are building telecommunications applications on open systems platforms. It is designed to help programmers understand the open system environment and to use open system services in building secure applications. The next chapter introduces the IEEE POSIX Open System Environment, which is centered on POSIX and OSI standards. Following this introduction to open systems, four parts of the document explain security features for four main categories of open system services: operating system services, human/computer interface services, data management services, and network services. It is not possible to describe all of them in this document. Furthermore, not all have security features (e.g., most programming languages). The approach taken in this document is to describe the most important standards in each category. In addition to de jure standards from IEEE and ISO, some de facto standards such as the Kerberos authentication protocol and the X Window System are also discussed. These are included because they are almost universally available on POSIX based systems, and because they provide critical functions that may not have counterparts in formal standards.
Although this document is intended to provide technical information for programmers, introductory material is included that should be of value to product planners, administrators, users, and management personnel who are interested in understanding the capabilities and limitations of open systems.