Federal Information Processing Standards Publication 191

November 9, 1994

Specifications for

Guideline for the Analysis of Local Area Network Security

Contents

1 INTRODUCTION . . . . 5
1.1 Why LAN Security is Important . . . . 5
1.2 Purpose . . . . 5
1.3 Overview of Document . . . . 6
1.4 LAN Definition . . . . 6
1.4.1 Distributed File Storing . . . . 6
1.4.2 Remote Computing . . . . 7
1.4.3 Messaging . . . . 7
1.5 The LAN Security Problem . . . . 7
1.5.1 Distributed File Storing - Concerns . . . . 7
1.5.2 Remote Computing - Concerns . . . . 8
1.5.3 Topologies and Protocols - Concerns . . . . 8
1.5.4 Messaging Services - Concerns . . . . 8
1.5.5 Other LAN Security Concerns . . . . 8
1.6 Goals of LAN Security . . . . 9

2 THREATS, VULNERABILITIES, SERVICES & MECHANISMS . . . . 10
2.1 Threats and Vulnerabilities . . . . 10
2.1.1 Unauthorized LAN Access . . . . 11
2.1.2 Inappropriate Access to LAN Resources . . . . 12
2.1.3 Disclosure of Data . . . . 13
2.1.4 Unauthorized Modification of Data and Software . . . . 13
2.1.5 Disclosure of LAN Traffic . . . . 14
2.1.6 Spoofing of LAN Traffic . . . . 14
2.1.7 Disruption of LAN Functions . . . . 15
2.2 Security Services and Mechanisms . . . . 16
2.2.1 Identification and Authentication . . . . 17
2.2.2 Access Control . . . . 19
2.2.3 Data and Message Confidentiality . . . . 21

EX 1019
IPR of Pat. No. 6,892,304

FIPS PUB 191

2.2.4 Data and Message Integrity . . . . 22
2.2.5 Non-repudiation . . . . 24
2.2.6 Logging and Monitoring . . . . 24

3 RISK MANAGEMENT . . . . 26
3.1 Current Approaches . . . . 26
3.2 Participants . . . . 28
3.3 Elements of Risk Management . . . . 29
3.4 Risk Assessment . . . . 30
3.4.1 Process 1 - Define the Scope and Boundary, and Methodology . . . . 30
3.4.2 Process 2 - Identify and Value Assets . . . . 31
3.4.3 Process 3 - Identify Threats and Determine Likelihood . . . . 32
3.4.4 Process 4 - Measure Risk . . . . 34
3.5 Risk Mitigation . . . . 35
3.5.1 Process 5 - Select Appropriate Safeguards . . . . 35
3.5.2 Process 6 - Implement And Test Safeguards . . . . 37
3.5.3 Process 7 - Accept Residual Risk . . . . 38

Appendix A - LAN Security Policy . . . . 39
Appendix B - Personal Computer Considerations . . . . 48
Appendix C - Contingency Planning for LANs . . . . 49
Appendix D - Training and Awareness . . . . 50
References . . . . 52
Further Reading . . . . 53

1 INTRODUCTION

1.1 Why LAN Security is Important

Local area networks (LANs) have become a major tool to many organizations in meeting data
processing and data communication needs. Prior to the use of LANs, most processing and
communications were centralized; the information and control of that information were
centralized as well. Now LANs logically and physically extend data, processing and
communication facilities across the organization.

Security services that protect the data, processing and communication facilities must also be
distributed throughout the LAN. For example, sending sensitive files that are protected with
stringent access controls on one system, over a LAN to another system that has no access control
protection, defeats the efforts made on the first system. Users must ensure that their data and
the LAN itself are adequately protected. LAN security should be an integral part of the whole
LAN, and should be important to all users.

Electronic mail (email), a major application provided by most LANs, replaces much of the
interoffice and even interorganizational mail that is written on paper and placed in an envelope.
This envelope provides some confidentiality between the sender and receiver, and it can even be
argued that the integrity of the paper envelope provides the receiver with some degree of
assurance that the message was not altered. Using electronic mail does not provide these
assurances. Inadequately protected electronic mail messages transferred over unprotected LANs
can be captured and read, or perhaps even altered. For some LANs, there can be no
assurance that the message actually was sent from the named sender. Fortunately, tools such as
encryption, digital signatures, and message authentication codes help solve these problems and
can help provide some assurance.

Understanding the necessity to provide security on a LAN and how to decide the appropriate
security measures needed are major goals of this document.

1.2 Purpose

The intended readers of this document include organizational management, LAN administrators,
system administrators, security officers, LAN users and others who have a responsibility for
protecting information processed, stored or associated with a LAN. The purpose of this
document is to help the reader understand the need for LAN security and to provide guidance
in determining effective LAN security controls.

1.3 Overview of Document

Section 1 - Introduction - This section discusses the properties of a LAN, and the security
concerns that result from those properties.

Section 2 - Threats, Vulnerabilities, Security Services & Mechanisms - This section describes
threats, related vulnerabilities and the possible security services and mechanisms that could be
used to protect the LAN from these threats.

Section 3 - Risk Management - This section describes the risk management process and how it
can be used to plan and implement appropriate LAN security.

1.4 LAN Definition

The Institute of Electrical and Electronics Engineers (IEEE) has defined a LAN as "a datacomm
system allowing a number of independent devices to communicate directly with each other,
within a moderately sized geographic area over a physical communications channel of moderate
rates" [MART89]. Typically, a LAN is owned, operated, and managed locally rather than by a
common carrier. A LAN usually, through a common network operating system, connects servers,
workstations, printers, and mass storage devices, enabling users to share the resources and
functionality provided by a LAN.

According to [BARK89] the types of applications provided by a LAN include distributed file
storing, remote computing, and messaging.

1.4.1 Distributed File Storing

Distributed file storing provides users transparent access to part of the mass storage of a remote
server. Distributed file storing provides capabilities such as remote filing and remote printing.
Remote filing allows users to access, retrieve, and store files. Generally remote filing is provided
by allowing a user to attach to part of a remote mass storage device (a file server) as though it
were connected directly. This virtual disk is then used as though it were a disk drive local to
the workstation. Remote printing allows users to print to any printer attached to any component
on the LAN. Remote printing addresses two user needs: ongoing processing while printing, and
shared use of expensive printers. LAN print servers can accept files immediately, allowing users
to continue work on their local workstations, instead of waiting for the print job to be completed.
Many users utilizing the same printer can justify the cost of high quality, fast printers.

1.4.2 Remote Computing

Remote computing refers to the concept of running an application or applications on remote
components. Remote computing allows users to (1) remotely login to another component on the
LAN, (2) remotely execute an application that resides on another component, or (3) remotely run
an application on one or more components, while having the appearance, to the user, of running
locally. Remote login allows users to login to a remote system (such as a multi-user system)
as though the user were directly connected to the remote system. The ability to run an
application on one or more components allows the user to utilize the processing power of the
LAN as a whole.

1.4.3 Messaging

Messaging applications are associated with mail and conferencing capabilities. Electronic mail
has been one of the most used capabilities available on computer systems and across networks.
Mail servers act as local post offices, providing users the ability to send and receive messages
across a LAN. A conferencing capability allows users to actively communicate with each other,
analogous to the telephone.

1.5 The LAN Security Problem

The advantages of utilizing a LAN were briefly discussed in the previous section. With these
advantages, however, come additional risks that contribute to the LAN security problem.

1.5.1 Distributed File Storing - Concerns

File servers can control users’ access to various parts of the file system. This is usually done
by allowing a user to attach a certain file system (or directory) to the user’s workstation, to be
used as a local disk. This presents two potential problems. First, the server may only provide
access protection to the directory level, so that a user granted access to a directory has access to
all files contained in that directory. To minimize risk in this situation, proper structuring and
management of the LAN file system is important. The second problem is caused by inadequate
protection mechanisms on the local workstation. For example, a personal computer (PC) may
provide minimal or no protection of the information stored on it. A user that copies a file from
the server to the local drive on the PC loses the protection afforded the file when it was stored
on the server. For some types of information this may be acceptable. However, other types of
information may require more stringent protections. This requirement focuses on the need for
controls in the PC environment.

1.5.2 Remote Computing - Concerns

Remote computing must be controlled so that only authorized users may access remote
components and remote applications. Servers must be able to authenticate remote users who
request services or applications. These requests may also call for the local and remote servers
to authenticate to each other. The inability to authenticate can lead to unauthorized users being
granted access to remote servers and applications. There must be some level of assurance
regarding the integrity of applications utilized by many users over a LAN.

1.5.3 Topologies and Protocols - Concerns

The topologies and protocols used today demand that messages be made available to many nodes
in reaching the desired destination. This is much cheaper and easier to maintain than providing
a direct physical path from every machine to every machine. (In large LANs direct paths are
infeasible.) The possible threats inherent include both active and passive wiretapping. Passive
wiretapping includes not only information release but also traffic analysis (using addresses, other
header data, message length, and message frequency). Active wiretapping includes message
stream modifications (including modification, delay, duplication, deletion or counterfeiting).

1.5.4 Messaging Services - Concerns

Messaging services add additional risk to information that is stored on a server or in transit.
Inadequately protected email can easily be captured, and perhaps altered and retransmitted,
affecting both the confidentiality and integrity of the message.

1.5.5 Other LAN Security Concerns

Other LAN security problems include (1) inadequate LAN management and security policies, (2)
lack of training for proper LAN usage and security, (3) inadequate protection mechanisms in the
workstation environment, and (4) inadequate protection during transmission.

A weak security policy also contributes to the risk associated with a LAN. A formal security
policy governing the use of LANs should be in place to demonstrate management’s position on
the importance of protecting valued assets. A security policy is a concise statement of top
management’s position on information values, protection responsibilities, and organizational
commitment. A strong LAN security policy should be in place to provide direction and support
from the highest levels of management. The policy should identify the role that each employee
has in assuring that the LAN and the information it carries are adequately protected.

The LAN security policy should stress the importance of, and provide support for, LAN
management. LAN management should be given the necessary funding, time, and resources.
Poor LAN management may result in security lapses. The resulting problems could include
security settings becoming too lax, security procedures not being performed correctly, or even
the necessary security mechanisms not being implemented.

The use of PCs in the LAN environment can also contribute to the risk of the LAN. In general,
PCs have a relative lack of control with regard to authenticating users, controlling access to files,
auditing, etc. In most cases the protection afforded information that is stored and processed on
a LAN server does not follow the information when it is sent locally to a PC.

Lack of user awareness regarding the security of the LAN can also add risk. Users who are not
familiar with the security mechanisms, procedures, etc. may use them improperly and perhaps
less securely. Responsibilities for implementing security mechanisms and procedures and
following the policies regarding the use of the PC in a LAN environment usually fall to the user
of the PC. Users must be given the proper guidance and training necessary to maintain an
acceptable level of protection in the LAN environment.

1.6 Goals of LAN Security

The following goals should be considered to implement effective LAN security.

• Maintain the confidentiality of data as it is stored, processed or transmitted on a LAN;

• Maintain the integrity of data as it is stored, processed or transmitted on a LAN;

• Maintain the availability of data stored on a LAN, as well as the ability to process and transmit
the data in a timely fashion;

• Ensure the identity of the sender and receiver of a message.

Adequate LAN security requires the proper combination of security policies and procedures,
technical controls, user training and awareness, and contingency planning. While all of these
areas are critical to provide adequate protection, the focus of this document is on the technical
controls that can be utilized. The other areas of control mentioned above are discussed in the
appendices.

2 THREATS, VULNERABILITIES, SERVICES & MECHANISMS

A threat can be any person, object, or event that, if realized, could potentially cause damage to
the LAN. Threats can be malicious, such as the intentional modification of sensitive information,
or can be accidental, such as an error in a calculation, or the accidental deletion of a file. Threats
can also be acts of nature, e.g., flooding, wind, lightning, etc. The immediate damage caused by
a threat is referred to as an impact.

Vulnerabilities are weaknesses in a LAN that can be exploited by a threat. For example,
unauthorized access (the threat) to the LAN could occur by an outsider guessing an obvious
password. The vulnerability exploited is the poor password choice made by a user. Reducing
or eliminating the vulnerabilities of the LAN can reduce or eliminate the risk of threats to the
LAN. For example, a tool that can help users choose robust passwords may reduce the chance
that users will utilize poor passwords, and thus reduce the threat of unauthorized LAN access.

A security service is the collection of security mechanisms, supporting data files, and procedures
that help protect the LAN from specific threats. For example, the identification and
authentication service helps protect the LAN from unauthorized LAN access by requiring that
a user identify himself, as well as verifying that identity. The security service is only as robust
as the mechanisms, procedures, etc. that make up the service.

Security mechanisms are the controls implemented to provide the security services needed to
protect the LAN. For example, a token based authentication system (which requires that the user
be in possession of a required token) may be the mechanism implemented to provide the
identification and authentication service. Other mechanisms that help maintain the confidentiality
of the authentication information can also be considered as part of the identification and
authentication service.

This section is composed of two parts. The first part discusses threats, impacts and related
vulnerabilities. The threats are generally categorized based on the impact caused if the threat is
realized. For each impact category there is a discussion regarding the threats that may cause the
impact, potential losses from the threat, and the vulnerabilities that may be exploited by the
threat. The second part of this section discusses LAN security services and the possible
mechanisms that can be implemented to provide these services.

2.1 Threats and Vulnerabilities

Identifying threats requires one to look at the impact and consequence of the threat if it is
realized. The impact of the threat, which usually points to the immediate near-term problems,
results in disclosure, modification, destruction, or denial of service. The more significant long-term
consequences of the threat being realized are the result of lost business, violation of privacy,
civil law suits, fines, loss of human life or other long term effects. Consequences of threats will
be discussed in Section 3, Risk Management. The approach taken here is to categorize the types
of impacts that can occur on a LAN so that specific technical threats can be grouped by the
impacts and examined in a meaningful manner. For example, the technical threats that can lead
to the impact 'LAN traffic compromise' in general can be distinguished from those threats that
can lead to the impact 'disruption of LAN functionalities'. It should be recognized that many
threats may result in more than one impact; however, for this discussion a particular threat will
be discussed only in conjunction with one impact. The impacts that will be used to categorize
and discuss the threats to a LAN environment are:

• Unauthorized LAN access - results from an unauthorized individual gaining access to the
LAN.
• Inappropriate access to LAN resources - results from an individual, authorized or
unauthorized, gaining access to LAN resources in an unauthorized manner.
• Disclosure of data - results from an individual accessing or reading information and possibly
revealing the information in an accidental or unauthorized intentional manner.
• Unauthorized modification to data and software - results from an individual modifying,
deleting or destroying LAN data and software in an unauthorized or accidental manner.
• Disclosure of LAN traffic - results from an individual accessing or reading information and
possibly revealing the information in an accidental or unauthorized intentional manner as it
moves through the LAN.
• Spoofing of LAN traffic - results when a message appears to have been sent from a
legitimate, named sender, when actually the message had not been.
• Disruption of LAN functions - results from threats that block LAN resources from being
available in a timely manner.

2.1.1 Unauthorized LAN Access

LANs provide file sharing, printer sharing, file storage sharing, etc. Because resources are shared
and not used solely by one individual there is need for control of the resources and accountability
for use of the resources. Unauthorized LAN access occurs when someone, who is not authorized
to use the LAN, gains access to the LAN (usually by acting as a legitimate user of the LAN). Three
common methods used to gain unauthorized access are password sharing, general password
guessing and password capturing. Password sharing allows an unauthorized user to have the LAN
access and privileges of a legitimate user, with the legitimate user’s knowledge and acceptance.
General password guessing is not a new means of unauthorized access. Password capturing is
a process in which a legitimate user unknowingly reveals the user’s login id and password. This
may be done through the use of a trojan horse program that appears to the user as a legitimate
login program; however, the trojan horse program is designed to capture passwords. Capturing
a login id and password as it is transmitted across the LAN unencrypted is another method used
to ultimately gain access. The methods to capture cleartext LAN traffic, including passwords, are
readily available today. Unauthorized LAN access can occur by exploiting the following types
of vulnerabilities:

• lack of, or insufficient, identification and authentication scheme,
• password sharing,
• poor password management or easy to guess passwords,
• using known system holes and vulnerabilities that have not been patched,
• single-user PCs that are not password protected at boot time,
• underuse of PC locking mechanisms,
• LAN access passwords that are stored in batch files on PCs,
• poor physical control of network devices,
• unprotected modems,
• lack of a time-out for the login period and a log of attempts,
• lack of disconnect for multiple login failures and a log of attempts,
• lack of 'last successful login date/time' and 'unsuccessful login attempt' notification and log,
• lack of real-time user verification (to detect masquerading).

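Several of the vulnerabilities in the list above (no disconnect after repeated failures, no time-out, no "last successful login" or "unsuccessful login attempt" notice, no log of attempts) are closed by the same small piece of login logic. The following Python is an added illustration written for this page, not code or text from FIPS PUB 191: the class and function names, the threshold of three consecutive failures and the 300-second lockout are assumptions chosen for the example, and the account store is constructed in memory rather than read from a LAN server.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Thresholds are assumptions for this example, not values taken from FIPS PUB 191.
MAX_FAILURES = 3        # disconnect and lock the account after this many consecutive failures
LOCKOUT_SECONDS = 300   # how long the account stays locked


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a captured password file does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    consecutive_failures: int = 0
    locked_until: float = 0.0               # epoch seconds; 0.0 means not locked
    last_success: Optional[float] = None    # reported to the user at the next successful login
    failures_since_last_success: int = 0    # likewise, so the user can spot guessing attempts


class LoginGate:
    """Authentication front end with lockout, attempt logging and last-login notification."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the lockout can be tested without sleeping
        self.accounts = {}
        self.log = []           # every attempt, successful or not, is recorded here

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, password_hash=_hash_password(password, salt))

    def _record(self, when: float, user: str, outcome: str) -> None:
        self.log.append({"time": when, "user": user, "outcome": outcome})

    def attempt(self, user: str, password: str) -> dict:
        """Return {"ok": bool, ...}; the caller shows the user "ok" plus the notice, never the log."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Same user-visible answer as a bad password: the log, not the prompt,
            # is what tells the administrator which user names are being tried.
            self._record(now, user, "unknown user")
            return {"ok": False, "reason": "invalid credentials"}
        if now < acct.locked_until:
            self._record(now, user, "attempt while locked")
            return {"ok": False, "reason": "locked"}
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            notice = {"last_success": acct.last_success,
                      "failures_since_last_success": acct.failures_since_last_success}
            acct.last_success = now
            acct.failures_since_last_success = 0
            acct.consecutive_failures = 0
            self._record(now, user, "success")
            return {"ok": True, "notice": notice}
        acct.consecutive_failures += 1
        acct.failures_since_last_success += 1
        if acct.consecutive_failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.consecutive_failures = 0
            self._record(now, user, "locked after repeated failures")
            return {"ok": False, "reason": "locked"}
        self._record(now, user, "bad password")
        return {"ok": False, "reason": "invalid credentials"}


if __name__ == "__main__":
    gate = LoginGate()
    gate.add_user("alice", "correct horse battery")   # constructed test account
    for guess in ("password", "alice123", "letmein"):
        print(gate.attempt("alice", guess))
    print(gate.attempt("alice", "correct horse battery"))  # refused: the account is locked
    for entry in gate.log:
        print(entry)
```

The notice returned on a successful login is what gives the legitimate user the "last successful login" and "unsuccessful login attempt" information the list calls for; the log gives the administrator the record of attempts, including attempts made while the account was locked, which is the signal that guessing is continuing.
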
2.1.2 Inappropriate Access to LAN Resources

One of the benefits of using a LAN is that many resources are readily available to many users,
rather than each user having limited dedicated resources. These resources may include file stores,
applications, printers, data, etc. However, not all resources need to be made available to each
user. To prevent compromising the security of the resource (i.e., corrupting the resource, or
lessening the availability of the resource), only those who require the use of the resource should
be permitted to utilize that resource. Unauthorized access occurs when a user, legitimate or
unauthorized, accesses a resource that the user is not permitted to use. Unauthorized access may
occur simply because the access rights assigned to the resource are not assigned properly.
However, unauthorized access may also occur because the access control mechanism or the
privilege mechanism is not granular enough. In these cases, the only way to grant the user the
needed access rights or privileges to perform a specific function is to grant the user more access
than is needed, or more privileges than are needed. Unauthorized access to LAN resources can
occur by exploiting the following types of vulnerabilities:

• use of system default permission settings that are too permissive to users,
• improper use of administrator or LAN manager privileges,
• data that is stored with an inadequate level of protection, or none, assigned,
• lack of or the improper use of the privilege mechanism for users,
• PCs that utilize no access control on a file level basis.

2.1.3 Disclosure of Data

As LANs are utilized throughout an agency or department, some of the data stored or processed
on a LAN may require some level of confidentiality. The disclosure of LAN data or software
occurs when the data or software is accessed, read and possibly released to an individual who
is not authorized for the data. This can occur by someone gaining access to information that is
not encrypted, or by viewing monitors or printouts of the information. The compromise of LAN
data can occur by exploiting the following types of vulnerabilities:

• improper access control settings,
• data that has been deemed sensitive enough to warrant encryption, but is stored in unencrypted form,
• application source code stored in unencrypted form,
• monitors viewable in high traffic areas,
• printer stations placed in high traffic areas,
• data and software backup copies stored in open areas.

2.1.4 Unauthorized Modification of Data and Software

Because LAN users share data and applications, changes to those resources must be controlled.
Unauthorized modification of data or software occurs when unauthorized changes (additions,
deletions or modifications) are made to a file or program.

When undetected modifications to data are present for long periods of time, the modified data
may be spread through the LAN, possibly corrupting databases, spreadsheet calculations, and
other various application data. This can damage the integrity of most application information.

When undetected software changes are made, all system software can become suspect, warranting
a thorough review (and perhaps reinstallation) of all related software and applications. These
unauthorized changes can be made in simple command programs (for example in PC batch files),
in utility programs used on multi-user systems, in major application programs, or any other type
of software. They can be made by unauthorized outsiders, as well as those who are authorized
to make software changes (although the changes they make are not authorized). These changes
can divert information (or copies of the information) to other destinations, corrupt the data as it
is processed, or harm the availability of system or LAN services.

PC viruses can be a nuisance to any organization that does not choose to provide LAN users the
tools to effectively detect and prevent virus introduction to the LAN. Currently viruses have
been limited to corrupting PCs, and generally do not corrupt LAN servers (although viruses can
use the LAN to infect PCs). [WACK89] provides guidance on detecting and preventing viruses.

The unauthorized modification of data and software can occur by exploiting the following types
of vulnerabilities:

• write permission granted to users who only require read permission to access,
• undetected changes made to software, including the addition of code to create a trojan horse
program,
• lack of a cryptographic checksum on sensitive data,
• privilege mechanisms that allow unnecessary write permission,
• lack of virus protection and detection tools.

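The "cryptographic checksum" item above is the detective control for the undetected modifications this section describes: a keyed checksum recorded over a known-good copy of the files lets an administrator find out which files were changed, deleted or added since the baseline. The Python below is an added example for this page, not code from FIPS PUB 191; the function names, the use of HMAC-SHA256 as the checksum, and the small directory tree it builds in a temporary folder are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Added example: keyed checksums over a file tree. Because the checksum is keyed,
# an intruder who can rewrite a file cannot also produce a matching checksum
# unless they also hold the verifier's key, which is kept off the checked system.


def keyed_digest(key: bytes, path: Path) -> str:
    """HMAC-SHA256 over the file contents, read in chunks so large files are handled."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root, key: bytes) -> dict:
    """Baseline: relative POSIX path -> keyed digest, for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): keyed_digest(key, p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, key: bytes, manifest: dict) -> dict:
    """Compare the tree against the baseline; report changed, deleted and new files."""
    current = build_manifest(root, key)
    return {
        "modified": sorted(k for k in manifest if k in current
                           and not hmac.compare_digest(current[k], manifest[k])),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then re-check."""
    key = b"verifier-key-kept-off-the-server"       # constructed value for the example
    root = Path(tempfile.mkdtemp())
    (root / "sub").mkdir()
    (root / "LOGIN.BAT").write_text("@echo off\nnet use F: \\\\SERVER\\DATA\n")   # constructed
    (root / "sub" / "rates.csv").write_text("item,rate\nA,0.05\n")                # constructed
    baseline = build_manifest(root, key)
    clean = verify_manifest(root, key, baseline)

    # A different key must give a different checksum for the same file.
    rekeyed_differs = keyed_digest(b"other-key", root / "LOGIN.BAT") != baseline["LOGIN.BAT"]

    # Simulated unauthorized changes: edit the batch file, delete the data, add a program.
    with open(root / "LOGIN.BAT", "a") as f:
        f.write("rem unexpected change\n")
    (root / "sub" / "rates.csv").unlink()
    (root / "EXTRA.EXE").write_bytes(b"MZ" + os.urandom(16))
    tampered = verify_manifest(root, key, baseline)
    return {"clean": clean, "tampered": tampered, "rekeyed_differs": rekeyed_differs}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The baseline manifest and the key have to be stored where the users who can write the checked files cannot write them (for example on removable media or a separately controlled host); a manifest kept beside the files can be rewritten along with them, and then the check proves nothing.
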
2.1.5 Disclosure of LAN Traffic

The disclosure of LAN traffic occurs when someone who is unauthorized reads, or otherwise
obtains, information as it is moved through the LAN. LAN traffic can be compromised by
listening and capturing traffic transmitted over the LAN transport media (tapping into a network
cable, listening to traffic transmitted over the air, misusing a provided network connection by
attaching an analysis device, etc.). Many users realize the importance of confidential information
when it is stored on their workstations or servers; however, it is also important to maintain that
confidentiality as the information travels through the LAN. Information that can be compromised
in this way includes system and user names, passwords, electronic mail messages, application
data, etc. For example, even though passwords may be in an encrypted form when stored on a
system, they can be captured in plaintext as they are sent from a workstation or PC to a file
server. Electronic mail message files, which usually have very strict access rights when stored
on a system, are often sent in plaintext across a wire, making them an easy target for capturing.
The compromise of LAN traffic can occur by exploiting the following types of vulnerabilities:

• inadequate physical protection of LAN devices and medium,
• transmitting plaintext data using broadcast protocols,
• transmitting plaintext data (unencrypted) over the LAN medium.

2.1.6 Spoofing of LAN Traffic

Data that is transmitted over a LAN should not be altered in an unauthorized manner as a result
of that transmission, either by the LAN itself, or by an intruder. LAN users should be able to
have a reasonable expectation that the message sent is received unmodified. A modification
occurs when an intentional or unintentional change is made to any part of the message including
the contents and addressing information.

Messages transmitted over the LAN need to contain some sort of addressing information that
reports the sending address of the message and the receiving address of the message (along with
other pieces of information). Spoofing of LAN traffic involves (1) the ability to receive a message
by masquerading as the legitimate receiving destination, or (2) masquerading as the sending
machine and sending a message to a destination. To masquerade as a receiving machine, the
LAN must be persuaded into believing that the destination address is the legitimate address of
the machine. (Receiving LAN traffic can also be done by listening to messages as they are
broadcast to all nodes.) Masquerading as the sending machine to deceive a receiver into
believing the message was legitimately sent can be done by forging the sending address, or by
means of a playback. A playback involves capturing a session between a sender and receiver,
and then retransmitting that message (either with the header only, and new message contents, or
the whole message). The spoofing of LAN traffic or the modification of LAN traffic can occur
by exploiting the following types of vulnerabilities:

• transmitting LAN traffic in plaintext,
• lack of a date/time stamp (showing sending time and receiving time),
• lack of message authentication code mechanism or digital signature,
• lack of real-time verification mechanism (to use against playback).

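The last three items in the list above are one mechanism seen from three sides: a message authentication code computed over the addressing information, a time stamp and a fresh nonce together with the body lets the receiver reject a message whose header or contents were altered, a message that is too old, and a playback of a message it has already accepted. The Python below is an added example for this page, not code from FIPS PUB 191; the packet layout, the field names, the 30-second freshness window and the shared key are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Added example: authenticated, time-stamped messages with a playback check.
# The key is assumed to be shared between sender and receiver out of band.
MAX_SKEW_SECONDS = 30   # how far a message's time stamp may differ from the receiver's clock


def _canonical(fields: dict) -> bytes:
    """Deterministic byte form of header and body, so both sides MAC exactly the same data."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(key: bytes, sender: str, receiver: str, body: str, now=None) -> dict:
    """Sender side: stamp the message, add a fresh nonce, and MAC header and body together."""
    fields = {
        "from": sender,
        "to": receiver,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(12).hex(),
        "body": body,
    }
    fields["mac"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


class Receiver:
    """Receiver side: verify the MAC, then the addressing, the freshness and the nonce."""

    def __init__(self, key: bytes, address: str, clock=time.time):
        self.key = key
        self.address = address
        self.clock = clock      # injectable so the time checks can be tested deterministically
        self.seen = {}          # nonce -> time stamp, kept only for the freshness window

    def accept(self, packet: dict):
        fields = dict(packet)
        mac = fields.pop("mac", None)
        if mac is None:
            return (False, "no mac")
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        # MAC first: any change to from/to/ts/nonce/body invalidates it, so the later
        # checks only ever run on data the key holder actually sent.
        if not hmac.compare_digest(expected, mac):
            return (False, "mac mismatch")
        if fields["to"] != self.address:
            return (False, "not addressed to this receiver")
        now = self.clock()
        if abs(now - fields["ts"]) > MAX_SKEW_SECONDS:
            return (False, "stale time stamp")
        if fields["nonce"] in self.seen:
            return (False, "replay")
        self.seen[fields["nonce"]] = fields["ts"]
        self._forget_expired(now)
        return (True, fields["body"])

    def _forget_expired(self, now: float) -> None:
        # A nonce older than the window cannot pass the time stamp check anyway, so drop it.
        for nonce, ts in list(self.seen.items()):
            if now - ts > MAX_SKEW_SECONDS:
                del self.seen[nonce]


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"     # constructed; real keys are distributed out of band
    rx = Receiver(key, "fileserver")
    pkt = protect(key, "alice", "fileserver", "attach volume DATA")
    print(rx.accept(pkt))                                   # (True, 'attach volume DATA')
    print(rx.accept(pkt))                                   # (False, 'replay'): a playback
    print(rx.accept(dict(pkt, body="attach volume PAYROLL")))   # (False, 'mac mismatch')
```

The time stamp bounds how long a captured message stays usable, and the nonce table covers the remaining window, which is why the table can be pruned to the same window without weakening the check. A MAC needs the shared key on both ends; where the receiver must also be able to prove to a third party who sent the message, the list's alternative, a digital signature, is the tool.
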
2.1.7 Disruption of LAN Functions

A LAN is a tool, used by an organization, to share information and tran