
Is Your Network Secure?

January 1996 / Core Technologies / Is Your Network Secure?

Securing your corporate network while connecting to the Internet doesn't have to be difficult. Just start with a good foundation.

Dan Thomsen and Winn Schwartau

When building new systems, there are always design trade-offs to be made between functionality and security. Do we include the cool widget or that boring, constraining security feature? Historically, the widget usually won. But as Internet connectivity grows, a new class of criminals is causing electronic mayhem and committing crimes.

Despite the fact that strong, easy-to-manage information security is on the top of corporate wish lists, it is often pushed to the bottom of the heap when it comes to implementation. Security is never free, but you can reduce the cost of secure systems by creating flexible security mechanisms as a solid base to build on. Type enforcement is a straightforward security mechanism that provides the flexibility to balance security and functionality.

The Dawn of Computer Security

In 1985, the federal government published the first set of computer security criteria that computer professionals could understand and build into systems. Officially called the Trusted Computer Security Evaluation Criteria, it is more popularly known as the Orange Book. It offers a range of ratings for secure systems. The ratings start with D, for systems with no security, and go to A1, which requires formal methods to verify security.

One of the key elements of the Orange Book was mandatory access control, where all the resources in the computer (i.e., users, files, services, and programs) are labeled with a security level, or sensitivity. The label identifies the degree of sensitivity of each resource, such as Unclassified, Confidential, Secret, and Top Secret. Labels effectively assign the data on the system to separate "buckets." The goal, or security policy, is to keep sensitive data from getting into the least-sensitive bucket.

Many initial Orange Book implementations were too restrictive. The federal government funded seven years of R&D to create a flexible implementation. At the heart of this solution is the type-enforcement security model.

Type Enforcement

Type enforcement is a security mechanism that gives every program on the system permission to do only those things it requires to do its job. This is called least privilege and applies to applications, files, and OSes.

Type enforcement works by grouping all the processes of the system into classes based on least privilege. Each process group is called a domain. In a similar manner, the files on the system are grouped into classes called types. The Domain Definition Table on page 156 describes each domain's access rights for each type. The table cannot be changed while the system is running.

The DBMS can interact only with database files, and the text editor can interact only with user files. The World Wide Web server can read user files but not modify them and is the only domain with access to the network. A similar table is constructed for controlling how domains can interact with each other.

One of the most important file types is the executable file. Tight controls are placed on which programs can be executed in a domain and who can modify them. Destructive software, such as viruses and Trojan horses, can be stopped cold because they cannot modify the executable files.
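The reference monitor below is an added example, not code from the article or from Secure Computing's products. It encodes the article's Domain Definition Table as a frozen access matrix, adds an assumed "executable" type that no domain may write, and an assumed Domain Interaction Table in which only an admin domain may create or kill application domains. Domain and type names are this example's own.

```python
from types import MappingProxyType

READ, WRITE, EXEC = "read", "write", "execute"


class TypeEnforcementMonitor:
    """Reference monitor driven by a Domain Definition Table (domain x type)
    and a Domain Interaction Table (domain x domain).  Both tables are frozen
    at construction, modelling the rule that they cannot change at run time."""

    def __init__(self, ddt, dit):
        self._ddt = MappingProxyType({k: frozenset(v) for k, v in ddt.items()})
        self._dit = MappingProxyType({k: frozenset(v) for k, v in dit.items()})
        self.denials = []  # every refused request is recorded for auditing

    def check(self, domain, file_type, access):
        """True if 'domain' may perform 'access' on files of 'file_type'."""
        ok = access in self._ddt.get((domain, file_type), frozenset())
        if not ok:
            self.denials.append((domain, file_type, access))
        return ok

    def check_domain(self, src, dst, action):
        """True if domain 'src' may perform 'action' (e.g. create) on 'dst'."""
        return action in self._dit.get((src, dst), frozenset())

    def try_tamper(self):
        """Attempt to grant the editor write access to executables at run
        time; returns True if the monitor refused the change."""
        try:
            self._ddt[("editor", "executable")] = frozenset({READ, WRITE, EXEC})
        except TypeError:
            return True
        return False


# Domain Definition Table from the article, plus an assumed 'executable'
# type: every domain may execute its own program, none may write it.
DDT = {
    ("dbms", "database"):         {READ, WRITE},
    ("editor", "user_file"):      {READ, WRITE},
    ("web_server", "user_file"):  {READ},
    ("web_server", "network"):    {READ, WRITE},
    ("dbms", "executable"):       {EXEC},
    ("editor", "executable"):     {EXEC},
    ("web_server", "executable"): {EXEC},
}

# Domain Interaction Table (assumed): only the admin domain may create or
# kill application domains; applications cannot start one another.
DIT = {
    ("admin", "dbms"):       {"create", "kill"},
    ("admin", "editor"):     {"create", "kill"},
    ("admin", "web_server"): {"create", "kill"},
}

monitor = TypeEnforcementMonitor(DDT, DIT)


def virus_blocked(mon=monitor):
    """A virus running inside any application domain tries to patch the
    executables; True if every such write is refused."""
    domains = {d for d, _ in DDT}
    return not any(mon.check(d, "executable", WRITE) for d in domains)


def web_server_isolated(mon=monitor):
    """The web server may read user files but never modify them, and it is
    the only domain that touches the network."""
    return (mon.check("web_server", "user_file", READ)
            and not mon.check("web_server", "user_file", WRITE)
            and not mon.check("dbms", "network", READ)
            and not mon.check("editor", "network", WRITE))


if __name__ == "__main__":
    print("virus blocked:", virus_blocked())
    print("web server isolated:", web_server_isolated())
    print("editor may spawn dbms:", monitor.check_domain("editor", "dbms", "create"))
    print("run-time table change refused:", monitor.try_tamper())
    print("audit trail:", monitor.denials)
```

Because every request is decided by the table rather than by the application, the same monitor confines a correct program and a subverted one alike; the denial list is the raw material for the auditing the article recommends later.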

Assured Pipelines

Providing separation of applications is not enough to ensure security; you must also control how the information flows through the system. Type enforcement creates a kind of pipeline to organize data flow between programs (see the figure "Assured Pipeline").

Many applications are part of larger systems. To assure that information moves securely, type enforcement controls the data each program can read and write. Each program can only read from the stage in front of it and write to the next stage of the pipeline. No stage of the pipeline can be skipped, and how the data flows through the system is tightly controlled.

A divide-and-conquer approach to building secure applications is another advantage of assured pipelines. By splitting a large program into smaller pieces, it is easier to analyze and be sure the pieces are operating correctly.

For example, suppose you wanted all the outgoing mail messages to be digitally signed before leaving your network, to prove who sent the message. You could modify the word processor to include the digital signature, but it would be difficult to make sure you modified it in all the correct places. If instead you created a program whose job was to check for the digital signature, you could feel confident the program was working correctly. By using an assured pipeline, you can make sure no data reaches the network software unless it has passed through the new data filter.
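The outgoing-mail pipeline described above, as an added example rather than code from the article: the Domain Definition Table is derived mechanically from the stage order (stage i reads only type i and writes only type i+1), so the filter cannot be skipped. Stage and type names are assumed, and an HMAC tag stands in for the digital signature, since the point is the data flow, not the signature scheme.

```python
import hashlib
import hmac

READ, WRITE = "read", "write"
SIGNING_KEY = b"constructed-demo-key"   # stand-in for a real signing key


def pipeline_policy(stages, types):
    """Derive the Domain Definition Table for an assured pipeline: stage i
    may read only types[i] and write only types[i+1], so no stage can be
    skipped and nothing reaches the last type except via the last stage."""
    if len(types) != len(stages) + 1:
        raise ValueError("need one type per stage boundary")
    ddt = {}
    for i, stage in enumerate(stages):
        ddt[(stage, types[i])] = frozenset({READ})
        ddt[(stage, types[i + 1])] = frozenset({WRITE})
    return ddt


def allowed(ddt, domain, ftype, access):
    return access in ddt.get((domain, ftype), frozenset())


def tag(body):
    """HMAC stand-in for the digital signature the article describes."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


STAGES = ["word_processor", "signature_filter", "network_software"]
TYPES = ["draft", "outgoing_mail", "signed_mail", "wire"]
DDT = pipeline_policy(STAGES, TYPES)


def signature_filter(msg):
    """Middle stage: pass the message only if its signature verifies."""
    body, sig = msg.get("body", b""), msg.get("sig", "")
    return msg if hmac.compare_digest(sig, tag(body)) else None


def send(msg):
    """Drive the message through every stage, checking each read and write
    against the table.  Returns the list of types the data reached."""
    reached = [TYPES[0]]
    store = {TYPES[0]: msg}
    handlers = {"signature_filter": signature_filter}
    for i, stage in enumerate(STAGES):
        src, dst = TYPES[i], TYPES[i + 1]
        if not (allowed(DDT, stage, src, READ) and allowed(DDT, stage, dst, WRITE)):
            break
        data = handlers.get(stage, lambda m: m)(store[src])
        if data is None:          # the filter refused the message
            break
        store[dst] = data
        reached.append(dst)
    return reached


def bypass_attempt():
    """The word processor tries to write straight into the network stage's
    input, skipping the filter.  True if the table refuses the write."""
    return not allowed(DDT, "word_processor", "signed_mail", WRITE)


if __name__ == "__main__":
    body = b"quarterly figures attached"
    print("signed:", send({"body": body, "sig": tag(body)}))
    print("unsigned:", send({"body": body}))
    print("bypass refused:", bypass_attempt())
```

The filter is a few lines that are easy to review, which is the divide-and-conquer payoff the article describes: the word processor never needs to know about signatures, and the table guarantees the network software only ever sees data the filter has already passed.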

Type Enforcement in a Firewall

Today, type enforcement has been incorporated in a firewall to provide flexible isolation between networks. Isolation between the Internet and an organization's internal network is extremely important to protect against malicious attack. Type enforcement offers an ideal mechanism to isolate internal corporate and organizational networks from the Internet.

If a firewall is to secure internetwork access, placing it on an insecure platform makes little sense. Incorporating type enforcement allows for a flexible policy to be enforced. Equally important is to make the policy mandatory -- do not let key security information be changed while the system is connected to the hostile network. This eliminates the possibility of "helpful reconfigurations" by Internet hackers.

Separate the two networks on the inside of the machine. An Internet firewall's prime goal is to keep the information separate until a security check has been performed to verify that the information is permitted to cross the policy-driven barrier. The solution is network stack separation, using two distinct network cards.

A type-enforcement firewall with two network cards can also always tell where information originated, no matter how clever the intruder. The two network feeds are connected to two domain-separated network drivers, thus preventing network protocol spoofing (i.e., an advanced hacking technique where attackers handcraft network packets to mask their true origin). The two stacks maintain control over the information coming from either side. Only software defined and controlled by type enforcement can determine which information may move between networks (see the figure "Using Type Enforcement in a Firewall" below).

Always be on the lookout for malicious acts. If any software on the system tries to access information outside its bucket, either the software is flawed or a potentially harmful entity is controlling it. Take control of the situation. Watch the software more closely through auditing, or shut the software down immediately.

Finally, apply the concept of least privilege. By limiting the privilege a system has, the amount of damage that can be caused if that system is compromised can be limited. Consider, for example, the sendmail program. It is the network server that receives and forwards mail on most Internet hosts. Unfortunately, sendmail has been littered with vulnerabilities that have let attackers take control of an entire system. The latest vulnerability revolved around the syslog system call letting attackers overwrite sendmail's stack and take control of sendmail. Once in control, the attackers started an interactive shell program and launched their attack on the rest of the system.

Using type enforcement and least privilege prevents the syslog vulnerability from being exploited without changing the sendmail code. Sendmail is placed in a separate domain that can only read data from the external network and write data into the queues to be forwarded to the internal network. Sendmail cannot cause other programs to be created or executed.

Even if the attacker got control of sendmail, all he or she could do is interrupt the mail service, which could have been done anyway using a network flooding attack. Because type enforcement controls execution, the hacker could not even execute an interactive shell and would have no hope of penetrating other domains.
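The sendmail confinement just described, together with the earlier advice to audit out-of-bucket requests and shut the offending software down, as an added example (not Sidewinder's policy; domain, type names and the kill threshold are assumed):

```python
from collections import Counter

READ, WRITE, EXEC = "read", "write", "execute"

# Sendmail confined as the article describes: it may read the external
# network, write the queue feeding the internal network, and execute only
# its own image.  Type names are assumed for this example.
SENDMAIL_DDT = {
    ("sendmail", "external_net"): frozenset({READ}),
    ("sendmail", "mail_queue"):   frozenset({WRITE}),
    ("sendmail", "sendmail_exe"): frozenset({EXEC}),
}


class ConfinedDomainMonitor:
    """Checks requests against a DDT, audits every denial and, following
    the article's advice, shuts a domain down once it keeps reaching
    outside its bucket (the threshold is an assumed tunable)."""

    def __init__(self, ddt, kill_after=3):
        self._ddt = ddt
        self.kill_after = kill_after
        self.audit = []
        self.denials = Counter()
        self.killed = set()

    def request(self, domain, file_type, access):
        if domain in self.killed:
            return "killed"
        if access in self._ddt.get((domain, file_type), frozenset()):
            return "allowed"
        self.denials[domain] += 1
        self.audit.append(f"DENY {domain} {access} {file_type}")
        if self.denials[domain] >= self.kill_after:
            self.killed.add(domain)
            self.audit.append(f"KILL {domain} after {self.denials[domain]} denials")
        return "denied"


def normal_delivery(mon):
    """Healthy sendmail: accept from outside, queue for inside."""
    return [mon.request("sendmail", "external_net", READ),
            mon.request("sendmail", "mail_queue", WRITE)]


def hijacked_sendmail(mon):
    """Sendmail after its stack has been overwritten (the article's syslog
    case): the injected code tries to start a shell and reach other
    domains' data.  Each step is refused by the table, not by sendmail,
    and the domain is shut down once the denials pile up."""
    return [mon.request("sendmail", "shell_exe", EXEC),
            mon.request("sendmail", "user_file", READ),
            mon.request("sendmail", "sendmail_exe", WRITE),
            mon.request("sendmail", "external_net", READ)]


if __name__ == "__main__":
    mon = ConfinedDomainMonitor(SENDMAIL_DDT)
    print("normal:", normal_delivery(mon))
    print("hijacked:", hijacked_sendmail(mon))
    print("\n".join(mon.audit))
```

Note what the hijacked run can still do: nothing beyond the reads and writes sendmail legitimately needs, so the worst outcome is the interrupted mail service the article mentions, and the audit trail records the attempt.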

Not Just for Firewalls

Many other applications can be secured cost-effectively using type enforcement. Nowhere is security as critical as it is in cryptographic systems. Key management controls, encryption algorithms, key distribution, public-key repositories, and other critical subsystems can all be tightly controlled in their own protected domains.

Applying type enforcement and its data separation is a natural extension to databases containing sensitive information. And in environments where strict controls are placed on communications resources, type enforcement can control access to the communications resources and make sure that the software allocating the resources cannot be tampered with or bypassed.

By their nature, secure systems are more expensive to build. As a result, secure products often lag behind in current functionality. If you are going to get the features into secure systems in a timely and cost-effective manner, good tools are needed. Nowhere is that more important than in putting the right building blocks in the OS.

The type-enforcement security mechanism gives the OS a solid foundation for securing applications. Type enforcement can be used to protect applications from malicious modification by outsiders, other errant applications, and the application itself.

Domain Definition Table

A file's type specifies what domain, or application, can access the

Application             Database        User file       Network
DBMS                    Read, write     No access       No access
Text editor             No access       Read, write     No access
World Wide Web server   No access       Read            Read, write

Assured Pipeline (illustration)

Using Type Enforcement in a Firewall (illustration)

A type-enforcement firewall secures data by separating information from the Internet and the internal network.

Dan Thomsen is a senior research scientist at Secure Computing Corp. He is working on the Sidewinder Internet firewall. Winn Schwartau is a security consultant and author of Information Warfare: Chaos on the Electronic Superhighway. They can be reached on the Internet at and or on BIX c/o "editors."
