THE PRESIDENT’S

NATIONAL SECURITY TELECOMMUNICATIONS

ADVISORY COMMITTEE


Network Security/Vulnerability Assessments TASK FORCE REPORT

March 2002


TABLE OF CONTENTS

Executive Summary

    Recommendations to the President

Introduction

Factors Impacting Network Security

    Physical Vulnerabilities

    Cyber Vulnerabilities

        DDoS Attacks

    Control Space Vulnerabilities

    Wireless Network Vulnerabilities

        Wireless Application Protocol

        Wireless Local Area Networks

        Personal Area Networks

    NS/EP Implications

Countermeasures/Mitigation Strategies

    Standards Support

    Government Contractual Specifications

    Stakeholder Awareness

    Legislation and Regulation

Conclusions

Recommendations to the President

APPENDIX A:  TASK FORCE MEMBERS AND OTHER PARTICIPANTS

APPENDIX B:  UNDERSTANDING NETWORK CONVERGENCE AND THE NEXT GENERATION NETWORK

APPENDIX C:  THE EMERGENCY TELECOMMUNICATIONS SERVICE (ETS) IN EVOLVING NETWORKS

APPENDIX D:  ISSUES FOR STANDARDS DEVELOPMENT BEING PURSUED FOR THE EMERGENCY TELECOMMUNICATIONS SERVICE

APPENDIX E:  LEGISLATIVE AND REGULATORY TASK FORCE REPORT

Executive Summary

At the National Security Telecommunications Advisory Committee (NSTAC) XXIV meeting, Mr. Richard Clarke, then National Coordinator for Security, Infrastructure Protection, and Counterterrorism,[1] requested the NSTAC’s continued assistance in assessing and responding to cyber attacks, particularly distributed denial of service (DDoS) attacks, which could impact national security and emergency preparedness (NS/EP) communications in the converged network environment.  Responding to Mr. Clarke’s request, the NSTAC subsequently tasked the Network Security and Vulnerability Assessments Task Force (NS/VATF) to assess the policy and technical issues related to the evolving public network (PN) supporting NS/EP communications for—

 

1.      Network disruptions, particularly DDoS attacks

2.      Security and vulnerability of the converged network control space, including wireless, network simulation and testing, standards and consequence management issues

3.      Needed countermeasures (e.g., functional requirements) to address 1 and 2 above.

 

The September 11, 2001, terrorist attacks on the World Trade Center and the Pentagon renewed concerns regarding physical threats to the PN.  While to date the telecommunications infrastructure has not been a direct target of terrorism, it could be in the future.  Therefore, it is important that Federal, State, and local government assistance related to preventing, mitigating, and responding to such an occurrence be coordinated through the Telecommunications Information Sharing and Analysis Center (Telecom-ISAC).  In addition to the enduring physical threat to the Nation’s networks, cyber attacks present a growing threat to the security of U.S. information systems and consequently to the critical communications of the NS/EP community.  As attack techniques grow more sophisticated and intruders continue to pair the exploitation of known vulnerabilities with DDoS techniques, cyber attacks will likely cause greater collateral impacts to NS/EP communications.  Because of this environment, industry and Government are focusing their efforts through participation in ISACs to further develop and implement unified and centralized capabilities to identify and mitigate the effects of an attack as it is occurring.

 

In 2001, the NSTAC Convergence Task Force noted many control space vulnerability issues related to convergence and the Next Generation Network (NGN) that could impact NS/EP communications.  The NS/VATF remains concerned about the security of the control space of the evolving PN and believes additional steps are needed to enhance its security.  As network convergence continues, malicious attacks focusing on the network control space are increasingly likely.  Because of this volatile environment, the NS/VATF believes industry and Government cooperation is necessary to address control space vulnerabilities and implement remedial tools, including the Internet Protocol Security set of solutions.  Furthermore, industry and Government should support the Network Security and Information Exchanges’ efforts to develop a cross-industry security posture that could help provide a foundation for protecting the control space of the emerging PN. 

 

The NS/VATF is also concerned about security issues involving wireless protocols and systems, including the wireless application protocol (WAP), wireless local area networks (WLAN), and personal area networks (PAN), when related to NS/EP communications transiting wireless networks and technologies.  Accordingly, the NS/VATF recommends that the Government work with standards bodies to ensure consideration of NS/EP communications functional requirements during work addressing the security of the interoperation of wireless and wireline networks and, more specifically, activities addressing WAP.  The task force also recommends that the Government deploy WLANs with higher levels of security and consider policies that would allow for PAN devices and yet reduce their risk of compromise.

 

On the basis of our analysis, the NS/VATF believes some of the best strategies for countering vulnerabilities of the critical telecommunications infrastructure involve—

 

         Increasing emphasis on, and providing adequate support of, Government participation in standards bodies as well as instituting a coordinated Government approach to standards development 

         Specifying security standards elements in contracts and purchase orders to help establish the market.  This process would result in more commercial off-the-shelf products and services, which the Government can then procure at reduced cost

         Increasing stakeholder awareness of cyber vulnerabilities and mitigation strategies, including strong cyber security and response plans. 

 

In addition, based on the NSTAC Legislative and Regulatory Task Force report, the NS/VATF concludes that the legal issues underlying the provision of NS/EP priority services to the Federal Government in an NGN environment are extremely complex and may require further study in response to any proposed legislation or regulation.  However, until the standards for packet-based services are established, including provisions for the Emergency Telecommunications Service, and the Government’s requirements in the evolving environment are certain, new legislation or regulation is premature.

 

The NS/VATF concludes that the PN and its services supporting NS/EP users will continue to be at risk from those seeking to exploit known vulnerabilities in an increasingly sophisticated, well-coordinated manner.  Given these factors, industry and Government must continue to work together to devise countermeasures and strategies that would mitigate the impacts of physical and cyber attacks on the PN and other critical infrastructures.  Automated rather than manual responses to such attacks would shorten the time needed to respond.


Recommendations to the President

Recommend that the President, in accordance with responsibilities and existing mechanisms established by Executive Order 12472, Assignment of National Security and Emergency Preparedness Telecommunications Functions, and Executive Order 13231, Critical Infrastructure Protection in the Information Age, direct the appropriate departments and agencies, in coordination with industry to—

 

         Coordinate and prioritize through the Telecommunications Information Sharing and Analysis Center, Government assistance to industry to protect the Nation’s critical communications assets and to mitigate the effects of an attack as it is occurring  

         Encourage and adequately support the development and adoption of baseline standards and technologies including Internet Protocol version 6, Internet Protocol Security, and the Emergency Telecommunications Service scheme, to help bolster core security and reliability of the Next Generation Network

         Support the Network Security and Information Exchanges’ efforts to develop a cross-industry security posture that could help provide a foundation for protecting the control space of the emerging public network

         Work with standards bodies to ensure consideration of NS/EP communications functional requirements while addressing the security of the interoperation of wireless and wireline networks, and more specifically, activities addressing wireless application protocol

         Ensure that all wireless local area networks used by the Government meet the highest level of security standards available, with priority given to those supporting NS/EP missions

         Develop policies and procedures to support the use of personal area network devices while reducing their risk of compromise.

 


Text Box: Definitions
The PN is any switching system or voice, data, or video transmission system that is used to provide communications services to the public (e.g., public switched networks, public data networks, private line services, wireless systems, and signaling networks).  (The Network Security Information Exchanges, An Assessment of the Risk to the Security of Public Networks, National Communications System, Washington, DC, December 12, 1995).  

A widespread outage is a sustained interruption of telecommunications service that will have strategic significance to Government, industry, and the general public.  Such an outage would likely affect the telecommunications service in at least one region of the country, including at least one major metropolitan area.  It would involve multiple carriers, affecting both long distance and local service, and significantly degrade the ability of other essential infrastructures to function.  Such an outage would have an impact on the availability and integrity of telecommunications service for at least a significant portion of a business day.  (Report on the Likelihood of a Widespread Telecommunications Outage, The President’s National Security Telecommunications Advisory Committee, December 1997).

Introduction

President George W. Bush’s Executive Order 13231, Critical Infrastructure Protection in the Information Age, states that the policy of the United States is:

 

…to protect against disruption of the operation of information systems for critical infrastructure and thereby help to protect the people, economy, essential human and government services, and national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible.[2] 

 

Such protection for the telecommunications sector is essential as more critical communications and data services are now carried over the evolving public network (PN).  In fact, national security and emergency preparedness (NS/EP) operations and communications are heavily reliant on, and often inseparable from, the evolving PN, which today increasingly consists of converged information systems networks of traditional circuit switched networks interoperating with broadband packet-based Internet Protocol (IP) networks, including the Internet.  In addition, because of the interconnectivity of critical infrastructures, the impact of a widespread outage in the telecommunications sector could ripple through other critical infrastructure operations, such as banking and finance activities.  Therefore, an attack on the PN, whether physical or cyber, could have dramatic and detrimental effects on national security (including national economic security).  To understand how this might be possible, it is necessary to examine recent network “events” and their consequences; studying these events could also help predict future attack methods and suggest possible policy actions that could help mitigate vulnerabilities.  Recent network events have made it clear that four critical factors are affecting the security and reliability of networks and network services today:

 

         Difficulty experienced by network managers in tracking their network topology

         Software product features inadequate for the effective control of user access and authentication 

         Inadequate administrative practices and procedures for using the available features

         Lack of complete and effective project management processes for tracking and applying available software patches for known vulnerabilities.

Text Box: Definition
The NGN is a public, broadband, diverse, and scalable packet-based network evolving from the public switched telephone network (PSTN), Advanced Intelligent Network (AIN), and Internet.  The NGN is characterized by a core fabric enabling network connectivity and transport with periphery-based service intelligence. (NSTAC Convergence Task Force Report, June 2001)

 

Because of these factors, the PN and its services supporting NS/EP users will continue to be at risk from those seeking to exploit known vulnerabilities by operating in an increasingly technologically sophisticated, well-coordinated manner. 

 

Although alternative network architectures and approaches have been developed to address network security issues, with designs ranging from commercial and Government systems that are connected in varying levels to the Internet to dedicated minimum essential networks not connected to the Internet, few networks are truly private or dedicated.  Alternative network architectures and approaches seek to enhance reliability and availability of NS/EP communications by condensing security and management into smaller, more controllable components.  Despite the benefits of using such dedicated networks, many NS/EP activities today are supported by the PN because of the network’s ability to reliably offer “just in time” affordable connections with suppliers, customers, and the general public.  Because the PN has become vital for the continuity of business, this study focuses primarily on—

 

         Vulnerabilities of the evolving PN and their potential for affecting NS/EP communications

         Possible solutions to help protect the service assurance reliability of the evolving public next generation network (NGN). 

 

(For detailed information on network convergence and the NGN, see Appendix B.)  Future analysis by Government could focus on alternative network configurations as they evolve (e.g., GovNet).

 

 

 


Factors Impacting Network Security

The September 11, 2001, terrorist attacks on the World Trade Center (WTC) and the Pentagon renewed concerns regarding physical threats to the PN.  The operations of a major Verizon switching center were heavily impacted by the WTC attack, and many service providers suffered either full or partial loss of service in lower Manhattan.[3]  Additionally, within days of the terrorist attacks, the “Nimda” worm was released; the traffic generated by its scanning and e-mail propagation produced distributed denial of service (DDoS) effects that disrupted Internet services within many organizations.  The outbreak, however, did not cause prolonged Internet damage.  While the Internet’s ability to rapidly recover from such events is evidence of the resilience of its overall design, the Nimda worm illustrated the potential for economic harm and disruption to communications stemming from such malicious code attacks.  In essence, these recent events remind us how important it is, in this time of network evolution and convergence, to consider the wide realm of physical and cyber threats to the evolving PN and its control space, and to make effective policy recommendations to mitigate them.

Text Box: Definitions
The Telecommunications Electric Service Priority (TESP) program promotes, on a voluntary basis, the inclusion of telecommunications facilities considered critical to NS/EP in existing electric utility emergency priority restoration systems.

The TSP System is the regulatory, administrative, and operational framework for priority restoration and provisioning of any qualified NS/EP telecommunications service.

Physical Vulnerabilities

To date, the telecommunications infrastructure has not been a direct target of terrorism.  However, the infrastructure was an incidental victim of the events of September 11, 2001.

 

In the future, the telecommunications infrastructure might be the target.  Given that eventuality, it may be necessary for the Federal Government to assist industry in protecting the Nation’s critical communications assets.  The Telecommunications Information Sharing and Analysis Center (Telecom-ISAC) is the best place to coordinate and prioritize Federal assistance to the telecommunications industry. 

 

In addition, the Network Security/ Vulnerability Assessments Task Force (NS/VATF) discussed the responsibility of State and local governments to provide physical protection for the Nation’s telecommunications assets.  The task force concluded that such efforts could best be facilitated through existing Federal mechanisms and also the Telecom-ISAC. 

 

Because of the changeable threat environment, another important goal is to increase efforts to mitigate impacts to NS/EP services.  Reenergizing the Telecommunications Electric Service Priority (TESP) program and supporting the Telecommunications Service Priority (TSP) system could aid this goal. 

 

Although physical security of critical communications facilities is essential,[4] the effects of a physical attack are mitigated by the presence of multiple, diverse facilities-based networks.  This alleviates the impact of communications disruption at an affected site and makes it unlikely that any single point of failure would cause regional or national disruption.  The NSTAC’s “Last Mile” Bandwidth Availability Task Force (LMBATF) Report describes essential requirements to maintain multiple access and various methods of backup for critical facilities.  The LMBATF noted that facilities should not rely on only wireline infrastructure but also on wireless backup systems.  The NS/VATF endorses the LMBATF recommendation that industry and Government cooperate to develop and maintain comprehensive and adequate plans to ensure that multiple paths of communications into critical facilities are in place. 

 

Notwithstanding the discussion above, all of the critical elements of the Nation’s infrastructures cannot be protected against all possible physical attacks. 

 

Cyber Vulnerabilities

In addition to the enduring physical threat to the Nation’s networks, cyber attacks present a growing threat to the security of U.S. information systems and consequently critical communications of the NS/EP community.  Also, as the U.S. economy becomes ever more tightly connected through telecommunications, electronic signaling systems, power generation, information lines, financial connections, transportation nodes, and other connections involving critical infrastructures, possible disruptions have a far greater potential than ever before to ripple through the economy.[5]  The tools and techniques used to attack the PN and information systems supporting NS/EP users have grown considerably in sophistication, while the availability of user-friendly tools has enabled less knowledgeable hackers to conduct attacks with relative ease.  These tools are often developed to specifically target known vulnerabilities that are not yet patched, allowing systems to be exploited easily.    

 

In addition, variants of an attack tool are often developed within hours of forensic analysis and distribution of the attack tool source code within the cyber security community.  In particular, the PN has witnessed a profound increase in DDoS attacks. 

 

DDoS Attacks

The “Code Red” worms marked the beginning of a new era in sophisticated attack tools and techniques by combining worm propagation with a DDoS attack capability.  A DDoS attack floods a target from many compromised computers, or “zombies,” at once.  Code Red exploited a buffer overflow vulnerability in the Indexing Service extension (idq.dll) of Microsoft Internet Information Server (IIS) Web server software (Microsoft Security Bulletin MS01-033) and ran entirely in memory on vulnerable systems.  The worm spread during the first part of the month; on July 20, 2001, all infected hosts began a DDoS attack against the White House Web site (www.whitehouse.gov).  Because the worm flooded the site’s IP address rather than its name, the attack was blunted once the site was moved to a different address.  Code Red then became dormant and reappeared on the first day of the next month to restart its cycle.  Code Red II, the second worm to appear, used the same Microsoft vulnerability to spread but carried a different payload.  Unlike Code Red, which was memory resident only, Code Red II left a back door on the infected server: it copied the command interpreter into Web-accessible directories as root.exe, allowing attackers to run commands on the system through the Web server.

 

The Code Red worms illustrated how widespread automated propagation of malicious code has developed into a means for establishing the foundation for DDoS attacks.  Furthermore, network topology is evolving to one in which high-powered user devices are connected to the backbone via high-speed connections.  This capability, if not protected, can be subverted by improved methods of launching DDoS and other types of malicious Internet attacks. 

 

As attack techniques increase in sophistication and intruders continue to pair the exploitation of known vulnerabilities with DDoS techniques, cyber attacks will likely cause greater collateral damage.[6]  This is of particular significance to NS/EP communications because even if such communications capabilities are not the primary target of a specific attack, they can still be collaterally impacted by attacks on other entities or capabilities.

 

Collateral damage was witnessed during the Nimda worm incident.  In September 2001, the Nimda worm spread through e-mail and unprotected network shares, as “Sircam” had in July 2001, and went further by merging virus, worm, and Trojan horse behavior into one malicious code.  Nimda also spread from clients to Web servers: infected clients actively scanned for and exploited various Microsoft IIS vulnerabilities on Web servers and probed for the back doors left behind by the Code Red II worm.[7]  The Nimda worm reused some of the significant attack profile aspects of Code Red II, allowing it to spread widely and rapidly.  It also generated a denial of service (DoS) through the traffic load of its network scanning and e-mail propagation.[8]  The Nimda worm appeared on the heels of the terrorist attacks of September 11, 2001, contributing to communication congestion and delays experienced by emergency responders.

 

Attackers’ use of source IP address spoofing and the emergence of distributed attack techniques and tools persistently challenge those who respond to and attempt to mitigate the impacts of DoS attacks.[9]  This challenge is compounded by the lack of complete and accurate analytical information related to such attacks and by the lack of unified response mechanisms to counter them.  Infection rates of the Code Red worms were tracked worldwide, but reports of the number of infections diverged widely.  For example, one Web page displayed two figures, 53,000 and 250,000 infections, at the same time.  Such divergence arises in part because observers count different things (scan events, distinct source addresses, or confirmed infected hosts) over different periods, and because dynamically assigned addresses distort host counts.  This example of data divergence demonstrates the need for a reliable, coordinated way to count and report infection rates in a public forum.  The telecommunications infrastructure operators have taken steps to address this need through the creation of, and participation in, the Telecom-ISAC.
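The following is an added illustration and is not part of the task force report.  It shows how the Code Red and Nimda activity described above appears in a Web server’s access log, and why raw counts of that activity diverge.  The script scans constructed sample log lines (made up for this example, not drawn from any real incident) for the request patterns documented in the CERT advisories on those worms: Code Red exploit requests for /default.ida, Nimda probes for the root.exe back door and the /c and /d virtual directories that Code Red II left behind, and Nimda directory-traversal requests for cmd.exe.  It then reports both the number of probe events and the number of distinct source hosts, which is one reason two observers can publish very different “infection” figures for the same worm, and it flags probes that this server answered with HTTP 200, which indicates the server itself has the back door or the traversal flaw.  The addresses, timestamps, and category names are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log sample in Common Log Format. The request paths follow the
# probe patterns documented for Code Red and Nimda; addresses, dates and ordering
# are made up for this illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2001:14:02:11 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -
203.0.113.5 - - [19/Jul/2001:14:02:12 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -
198.51.100.7 - - [18/Sep/2001:09:15:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:09:15:03 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:09:15:04 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:09:15:04 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.9 - - [18/Sep/2001:09:16:40 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
192.0.2.44 - - [18/Sep/2001:09:17:00 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Split one CLF line into its fields; return None for lines that do not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    src, when, method, path, status, _size = m.groups()
    return {"src": src, "when": when, "method": method, "path": path, "status": int(status)}


def classify(path):
    """Map a request path to the worm activity it indicates, or None if benign."""
    p = path.lower()
    if p.startswith("/default.ida?"):
        return "code_red"          # Code Red / Code Red II exploit request (idq.dll overflow)
    if "/root.exe" in p or p.startswith(("/c/winnt/", "/d/winnt/")):
        return "nimda_backdoor"    # probe for the back door Code Red II left behind
    if "cmd.exe" in p and ".." in p:
        return "nimda_traversal"   # IIS directory-traversal request used by Nimda
    return None


def summarize(log_text):
    """Count probe events and distinct sources per category; flag probes answered with 200."""
    events = Counter()
    sources = defaultdict(set)
    answered = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label is None:
            continue
        events[label] += 1
        sources[label].add(rec["src"])
        # IIS answers a /default.ida request with 200 whether or not the overflow worked,
        # so only a 200 to a back-door or traversal probe proves the request executed:
        # this server is then itself compromised or vulnerable, not merely scanned.
        if label != "code_red" and rec["status"] == 200:
            answered.append((rec["src"], label))
    return {
        "events": dict(events),
        "unique_sources": {k: len(v) for k, v in sources.items()},
        "total_events": sum(events.values()),
        "total_hosts": len(set().union(*sources.values())) if sources else 0,
        "answered_probes": answered,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("probe events by category:", s["events"])
    print("distinct sources by category:", s["unique_sources"])
    print("%d events from %d hosts" % (s["total_events"], s["total_hosts"]))
    for src, label in s["answered_probes"]:
        print("WARNING: this server returned 200 to a %s probe from %s" % (label, src))
```

On the sample, seven probe events come from three hosts; a site reporting events and a site reporting hosts would publish numbers that differ by more than a factor of two for the same traffic, which is the kind of divergence the paragraph above describes.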

 

Also needed is a better coordination mechanism for the expeditious disclosure of new vulnerabilities, as well as for the availability of patches and their application.  These shortfalls are of particular concern because of the speed at which vulnerabilities are being exploited.  A vulnerability may remain open to exploit even after a patch is available, because hours or days typically elapse between the announcement of a vulnerability and the successful installation of its patch across an organization’s systems, and exploit code often appears within that window.  This brief window requires quicker detection of vulnerabilities and faster deployment and application of countermeasures.  Because of this threat environment, industry and Government are participating in Information Sharing and Analysis Centers (ISAC) to further develop and implement unified and centralized capabilities to identify and respond to attacks as they are occurring.  In addition, each Government organization and private sector enterprise must maintain stringent version control of hardware, software, and current patch releases so that exposed systems can be identified and remediated promptly.

 

Control Space Vulnerabilities

As network convergence continues, malicious attacks that focus on the network control space are increasingly likely.  The NSTAC, and more specifically the Convergence Task Force (CTF), previously addressed key issues regarding the security of the control space of converged networks (see Convergence Task Force Report, June 2001).  The NS/VATF remains concerned that additional steps are needed to enhance the security of the control space of evolving networks.  Therefore, the NS/VATF believes it necessary to reiterate the issues raised by the CTF.  The CTF noted that the interoperation of the intelligent network of the public switched telephone network (PSTN) with IP networks via signaling gateways is of particular concern.  Specifically, the CTF said, “As this occurs, IP networks could present those with malicious intent a ‘back door’ into the control space of the PSTN, which could enable malicious activities such as insertion of false Signaling System 7 (SS7) messages.  If unauthorized parties gain access to a signaling gateway, they could disrupt or suspend its operations, alter its routing tables, or use it to forward false communications to other signaling gateways.  Such activities could precipitate network disruptions and impact overall network reliability and availability.  Also, if the operations of a media gateway controller (with SS7 capabilities) were maliciously targeted, all customers whose service depends on that controller would likely experience service disruptions to include Enhanced 911 and NS/EP services.  Because the media gateway controller will likely play a critical role in the NGN, and because of its coordinating function among other network elements, security mechanisms are vital to sustain its reliability.”

 

“Another matter of concern involves the coupling of call control with bearer channels in packet networks.  In the traditional PSTN, the SS7 network is an out-of-band signaling system that provides call setup and call services separate from the actual transport of the voice data.  However, in IP networks, the network intelligence data is transmitted over the same infrastructure as the data itself.  Therefore, in IP-based networks, signaling messages are not accorded any higher priority than any other data or voice traffic in the network.  During periods of congestion, signaling messages are as likely to be blocked or dropped as any other messages.  In a converged network, such events could impact availability and reliability of the Government Emergency Telecommunications Service (ETS), which relies on the signaling network for functionality.”[10]  

The NS/VATF believes that industry and Government must continue to work together to secure the control space of emerging networks for NS/EP communications.  Foremost, it is essential to secure the command and control mechanisms of the telecommunications infrastructure through interdevice communications.  Given that the current command and control mechanisms are evolving toward Transmission Control Protocol/IP-based applications, implementation of secure data transmissions can be facilitated using IP Security (IPSec).  IPSec should be implemented in operational systems used in the deployment, management, and provisioning of telecommunications infrastructure.

 

Ensuring authenticated, secure communications wherever shared infrastructures (e.g., SS7) interconnect is also critically important.  In addition, industry must ensure network perimeter security wherever control data transits nonprivate networks, through use of state-of-the-art intrusion detection systems and signaling gateway firewalls.  Essentially, the detection and deterrence capabilities of network edge equipment must be enhanced to minimize the negative impacts of distributed attacks.
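As an added illustration, not part of the task force report, the following shows the kind of check a signaling gateway firewall can apply to stop the “insertion of false SS7 messages” that the CTF warned about.  It assumes that the IP leg carries MTP3 user traffic in M3UA (the SIGTRAN adaptation layer, RFC 4666), which the report does not specify, and enforces a constructed policy: only known originating point codes, the expected network indicator, and the permitted MTP3 user parts (SCCP and ISUP) are forwarded, and any message whose framing is internally inconsistent is dropped rather than passed to the SS7 side.  The point codes, policy values, and sample messages are all made up for the example.

```python
import struct

# Field layouts from RFC 4666 (M3UA).
M3UA_VERSION = 1
MSG_CLASS_TRANSFER = 1        # Transfer messages
MSG_TYPE_DATA = 1             # Payload Data (DATA)
PARAM_PROTOCOL_DATA = 0x0210  # Protocol Data parameter tag

# Constructed gateway policy (assumption, not from the report): which originating
# point codes may send user traffic across this association, which network
# indicator they must carry, and which MTP3 user parts are forwarded.
ALLOWED_OPC = {1001, 1002}
EXPECTED_NI = 2               # national network
ALLOWED_SI = {3, 5}           # 3 = SCCP, 5 = ISUP


def build_data_message(opc, dpc, si, ni, mp, sls, user_data):
    """Encode an M3UA DATA message carrying one Protocol Data parameter."""
    pd = struct.pack("!IIBBBB", opc, dpc, si, ni, mp, sls) + user_data
    param_len = 4 + len(pd)                    # covers tag+length+value, not padding
    param = struct.pack("!HH", PARAM_PROTOCOL_DATA, param_len) + pd
    param += b"\x00" * ((-param_len) % 4)      # pad to a 32-bit boundary
    msg_len = 8 + len(param)
    header = struct.pack("!BBBBI", M3UA_VERSION, 0, MSG_CLASS_TRANSFER, MSG_TYPE_DATA, msg_len)
    return header + param


def parse_m3ua(msg):
    """Parse the common header and parameter TLVs; raise ValueError on any inconsistency."""
    if len(msg) < 8:
        raise ValueError("short header")
    version, _reserved, mclass, mtype, msg_len = struct.unpack("!BBBBI", msg[:8])
    if version != M3UA_VERSION:
        raise ValueError("unsupported version %d" % version)
    if msg_len != len(msg):
        raise ValueError("length field %d != %d bytes received" % (msg_len, len(msg)))
    params = {}
    off = 8
    while off < msg_len:
        if off + 4 > msg_len:
            raise ValueError("truncated parameter header")
        tag, plen = struct.unpack("!HH", msg[off:off + 4])
        if plen < 4 or off + plen > msg_len:
            raise ValueError("bad parameter length %d" % plen)
        params[tag] = msg[off + 4:off + plen]
        off += plen + ((-plen) % 4)            # skip the value and its padding
    return mclass, mtype, params


def inspect(msg):
    """Decide whether a signaling message may cross the gateway. Returns (verdict, reason)."""
    try:
        mclass, mtype, params = parse_m3ua(msg)
    except ValueError as exc:
        return "DROP", "malformed: %s" % exc
    if (mclass, mtype) != (MSG_CLASS_TRANSFER, MSG_TYPE_DATA):
        return "DROP", "only DATA is forwarded by this filter (class=%d type=%d)" % (mclass, mtype)
    pd = params.get(PARAM_PROTOCOL_DATA)
    if pd is None or len(pd) < 12:
        return "DROP", "missing or short Protocol Data parameter"
    opc, dpc, si, ni, _mp, _sls = struct.unpack("!IIBBBB", pd[:12])
    if opc not in ALLOWED_OPC:
        return "DROP", "OPC %d not authorized on this association" % opc
    if ni != EXPECTED_NI:
        return "DROP", "network indicator %d not expected" % ni
    if si not in ALLOWED_SI:
        return "DROP", "service indicator %d not permitted" % si
    return "FORWARD", "OPC %d -> DPC %d SI %d, %d bytes user data" % (opc, dpc, si, len(pd) - 12)


# Constructed test traffic; the ISUP bytes are a placeholder, not a real message.
ISUP_STUB = b"\x00\x01\x00\x01"
GOOD = build_data_message(1001, 2001, 5, 2, 0, 7, ISUP_STUB)
FORGED_OPC = build_data_message(4242, 2001, 5, 2, 0, 7, ISUP_STUB)   # OPC not on the allowlist
WRONG_NI = build_data_message(1002, 2001, 5, 3, 0, 7, ISUP_STUB)     # unexpected network indicator
TRUNCATED = GOOD[:-3]                                                 # length field no longer matches

if __name__ == "__main__":
    for name, m in [("good", GOOD), ("forged_opc", FORGED_OPC),
                    ("wrong_ni", WRONG_NI), ("truncated", TRUNCATED)]:
        verdict, reason = inspect(m)
        print("%-10s %-7s %s" % (name, verdict, reason))
```

The filter covers only DATA messages; ASP state and traffic management messages belong to the association-level state machine, not to a per-message content check.  The point-code allowlist complements rather than replaces IPSec between the media gateway controller and the signaling gateway: IPSec authenticates the peer and protects the bytes in transit, while the allowlist ensures that even an authenticated peer can originate signaling only for the point codes it is entitled to.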

Text Box: Definitions
IP version 6 (IPv6) is a new version of the Internet Protocol, designed as a successor to IP version 4 (IPv4), the predominant protocol in use today.  The changes from IPv4 to IPv6 are primarily in the following areas: expanded addressing capabilities; header format simplification; improved support for extensions and options; flow labeling capability; and consolidated authentication and privacy capabilities. (Source: The Internet Society, URL: http://www.isoc.org/briefings/001/).

IP Security (IPSec) is a suite of protocols designed to provide high-quality security for Internet traffic.  Some of the advantages of IPSec are—
·	It is below the transport level so it is transparent to applications and end users.
·	When implemented in a firewall or router, it provides strong perimeter security.
·	It can provide security to individual users if needed.

The NS/VATF con