Internaut: HSD should fix a big weakness -- spoofing
- By Shawn McCarthy
- Apr 30, 2003
Shawn P. McCarthy
As the Homeland Security Department starts collecting data about infrastructure vulnerabilities, I hope it will focus on one of the most obvious: hackers' ability to cover their tracks by spoofing IP addresses.
In the interest of protecting national infrastructures, HSD recently asked high-tech and telecommunications companies to keep the government in the loop about glitches in their Internet, telecom and other services. The department has proposed regulations for sharing and protecting such information, at edocket.access.gpo.gov/2003/03-9126.htm
. Comments will be accepted until June 16.
The proposal is controversial because most companies won't discuss their vulnerabilities. They fear such info might find its way to competitors, the media or thieves. Also, they're uncertain whether government-collected data could be shielded from Freedom of Information Act requests.
Beyond the political issues, there's plenty of reason to get cracking on some already well-known infrastructure problems.
The Internet was designed so that a packet dropped anywhere can still be routed to its destination as long as the packet holds the correct destination data. The Net trustingly assumes that the 'from' data is correct. As we now know, that's a bad assumption.
But fixing it means overhauling the Internet Protocol, which isn't going to happen overnight. In fact, that's been under way for a decade.
Most Net traffic still uses IP Version 4, which is more than 20 years old. Besides its security issues, it's running short of IP address space.
IP Version 6 solves the address problem and fixes some but not all spoofing problems via encryption and authentication. More information appears at www.ipv6.org
If the Homeland Security folks want to make the Internet infrastructure more secure, focusing on the future of IP is a good place to start.
In the meantime, egress filtering can help. That simply means not passing along a packet that cannot be verified as authentic. Setting up subnetworks of trusted Internet providers that do egress filtering is one way to reduce spoofing, though we'd never be able to trust the whole Net.
Managers looking for other solutions can study antihacker Steve Gibson's RSVP Agent. It's in a new version of his Shields Up site, which upon request will probe a visitor's PC for vulnerabilities. See grc.com/x/ne.dll?bh0bkyd2
To ensure that the site connects to the PC from which the request supposedly originated, Gibson establishes a secure temporary connection before trading information or services.
It would be interesting to apply this idea to government servers as yet another defense against spoofing. Learn more about RSVP Agent at grc.com/np/rsvptech.htm
. Shawn P. McCarthy designed products for a Web search engine provider. E-mail him at [email protected].
Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.