Guidance on data protection questions concerning the access of public administration networks to the Internet

Prepared by the Working Group on Technology for the German Conference of Federal and State Data Protection Commissioners

1st December 1995

I. Introduction

There has been a growing demand for some time in public bodies for access to global data networks, and in particular the Internet. The networking is to be used both for gaining information and for supplying their own information to others. However, access to the Internet involves considerable threats to data protection and data security. The risks result largely from the fact that the Internet was not developed with security in mind. There are weaknesses in the protocols for data transmission, in the implementations and installations of the programs for the Internet services, and in the connected computer systems. For example, there are no secure mechanisms for identification and authentication in the network. Without special protective measures a hacker can often exploit these security gaps with little effort to gain unauthorised access to other people's computers and to spy on, manipulate or even destroy their data. This is especially serious in view of the more than 40 million current Internet users: the number of potential hackers who could use these security gaps, and thereby threaten public administration computers connected to the Internet, is consequently also very large.

For those responsible for the operation of public administration networks, this guide is intended to highlight the security risks which can be expected for the internal networks when connecting to the Internet, and to indicate how these risks can be limited. The question of whether, and if so under which conditions, administrations may exchange personal data over the Internet is not the subject of this guide, and must be investigated specifically in each case.

The risk limitation strategies developed here require further specification in individual cases: as well as the firewall architectures described, further measures have to be taken to avoid a threat to personal data (for example the use of encryption procedures). In view of a continually changing threat level, as new and unexpected security problems are discovered, considerable residual risks remain even when firewall systems are used. Given this threat level, a connection to the Internet is only justifiable from a data protection point of view if a thorough analysis and assessment of the risks involved has taken place beforehand and the dangers can be reliably controlled by technical and organisational measures. The recommendations below summarise the more detailed considerations which follow.
II. Recommendations

- Public administration networks may only be connected to the Internet if, and in so far as, this is necessary. The communication facilities have to follow the communication need. It should also be checked how far the authority network must be segmented into connectable, non-connectable and conditionally connectable parts, and whether the task can be carried out by a computer which is not linked to the administration network.

- A precondition for linking an authority network to the Internet is the presence of a cogent security plan and its consistent implementation. The Internet connection may only take place if the risks can effectively be controlled by technical and organisational measures.

- The security of the administration network, and the protection of personal data processed on networked systems, should be ensured with suitable firewall systems which support differentiated communications control and the assignment of rights. The requirements to be met by these firewall components should be defined in advance; the authority should also make use of external expertise if necessary.

- To counter the danger of masquerading and of reconnaissance of the protected network's structures, a separate internal address structure should be used. The internal addresses should be converted by the central firewall to external Internet addresses.

- The exclusive use of a central firewall solution is only justifiable if it is oriented towards the highest protection requirement, even if this means disadvantages for less sensitive areas. The question of monitoring internal connections remains open with such a solution. Furthermore, an exclusively central solution is hard to reconcile with the maxim of local maintenance and management of security-related data (user profile maintenance): if such data are not managed by those who can directly assess the area concerned, there is a risk of significant differences between reality and the security image.

- The concept of successive firewalls fits in with the data protection requirements of administration networks which consist of many different sub-networks, in which data of varying sensitivity are processed in different places for various tasks, and in which there are consequently different security requirements in each case. The sub-networks safeguarded with separate firewalls should each be given a defined transition to the overall network. The access of the entire network to the Internet should always be through a central gateway which is protected by a firewall.

- The personnel and functional cost of firewall solutions is generally high. It is nevertheless essential to use highly specialised personnel, in order to be protected against hackers who are at least as specialised. This cost is always justified if administration networks in which sensitive personal data are processed are to be connected to the Internet.

- The operation of firewall systems must follow clear guidelines. As well as rules on responsibilities, these guidelines must also include standards for logging and tracing, for the handling of security-relevant events, and sanctions for breaches of security.

- Even if firewalls are used there are still residual risks, which must be dealt with according to the application. Thus even when using firewalls it is still necessary to transfer sensitive data in encrypted form only; as well as particularly sensitive personal data, this includes passwords and other authentication data.

- If the residual risk is unjustifiable, the network concerned will have to do without a connection to the Internet. Access to Internet services must in this case be restricted to systems which are not linked to the administration network and on which no other sensitive data is processed.

- Firewall concepts do not relieve the decentralised administrators of networked systems of their responsibility to ensure data protection; rather, the demands on local system administration increase with networking, as errors can have far more serious consequences than on computers operated in isolation.

III. Security risks in the Internet

The risks presented below reflect only a small section of the possible attacks on computer systems with Internet access. Even if counter-measures are taken against the known threats, complete protection is not feasible without giving up the networking. As soon as a computer has access to a data network, it can be reached from other connected computers. The local system is thus exposed to the danger of unauthorised use. However, there is a range of protective measures to minimise the security risk.

1. Protocol-inherent security risks

In the current services, both the user identification code and the password are mostly transferred in plain text over the local network (e.g. Ethernet) and over the Internet. Programs known as packet sniffers can be used to eavesdrop on data traffic in the network or on the nodes and search it for interesting information. These sniffer programs can thus spy out numerous user codes with their associated passwords, which a hacker can use to obtain unauthorised access to a computer.

Packets can not only be listened to: they can also be manipulated. Since in many Internet services the computer is authenticated simply by the user's IP address, a hacker can exploit this by sending IP packets with falsified sender addresses to the target computer system (IP spoofing). If the system considers the IP address to be trustworthy, the intruder is granted access, in some circumstances even with administrator rights. Furthermore, the transmission path can be changed by dynamic routing.
Packets can be intercepted so that they do not arrive at their destination; a hacker can replace them with his own packets. In addition, an authorised user's communication can be recorded and later replayed, by which means the hacker obtains the user's rights in many services (e.g. for disk access over NFS (Network File System)).

2. Service-specific security risks

E-mail and Usenet News:
Private messages can be monitored if they are not encrypted. E-mail and news items without a digital signature can easily be changed or falsified. Programs and text documents containing viruses can get into the system by electronic mail. Even an automatic search of messages for viruses does not offer complete protection. The information on the creation date and time of a message can be analysed to build a personality profile of the sender. Address collectors also search for e-mail and postal addresses for sending unsolicited advertising. Sendmail, the program most commonly used on UNIX computers for sending electronic mail, furthermore has a whole series of security-related bugs which can lead to access with administrator rights. In addition, it cannot be guaranteed that an e-mail message reaches the recipient at all, or that the sender receives proof of delivery.

Telnet:
If the Telnet service is not restricted, but is possible from any address to any port on the local computer, access control is put at risk. A hacker who cannot manage to gain access with administrator rights often still has a chance to use a non-privileged account on the computer. This account can then be used as a starting point for attacking further computers.

FTP:
Badly maintained FTP servers represent a risk, as older versions of the FTP server program (ftpd) contain security loopholes which could allow administrator rights to be obtained. Particular care is advisable, as many descriptions of the installation and configuration of anonymous FTP servers include errors which present security threats. Incorrect configurations can allow a hacker to load the file with the encrypted passwords of all users onto his own computer, for decryption at leisure. If users of an FTP server are permitted to store their own files in directories from which others can fetch them, the FTP server can rapidly become a trading centre for pirate copies.

WWW:
Threats exist with WWW servers from faulty software or configurations. If SSL (Secure Socket Layer) is not used, the communication can be monitored. Furthermore, CGI (Common Gateway Interface) scripts often have security loopholes. WWW browsers which allow files to be stored on the server are currently under development; this could lead to further security problems. When the World Wide Web is used, extensive data about the user and his behaviour (who read what, when, for how long?) can be logged, so that a comprehensive personality profile can be created.

Finger:
The data output by the Finger service can provide a hacker with information about the user identification codes on the system, which can be used selectively for an attack. This service was made famous in 1988 by the so-called "Internet worm". It involved an attack program which exploited the fact that the parameters passed when Finger was called were written to a fixed-length buffer. The data which did not fit into the buffer overwrote the stack in working memory, where it was treated and executed as program code. Thus arbitrary code can be brought to execution by a suitable choice of the transferred character string. Similar program errors can still be found today in many other server programs. At the end of 1995, for example, a further error in the program Sendmail became public knowledge. The logging facility Syslog and some WWW browsers (including MS-Windows products) also contain errors of this kind.

IV. Communications analysis

Before a public body seeks access to the Internet, it must perform an analysis of the communication need. A strict standard should be applied in assessing the necessity of an Internet connection. Even if the necessity is conceded, it should be investigated whether the purpose cannot be achieved by connecting an isolated computer.

The type of access to be implemented depends essentially on which Internet services are to be used. A distinction should be made between services in the Internet which are called by local users, and services provided by local computers for users in the Internet. Because of the differing tasks, these communications requirements must be analysed both for the central access to the Internet and for each individual computer. Only the IP packets which are necessary for the service to be used, in relation to the computer authorised to use it, may be forwarded.

If the communication requirement analysis establishes that Internet access is needed at IP level, i.e. that the full functional range of the TCP/IP protocols will be used, further security examinations must be performed as preconditions for the design and implementation of security plans. The starting points of such a risk analysis are the need to safeguard the data to be processed and the security aims of the public body. Following the recommendations of the Basic Protection Manual issued by the Federal Office for Information Security, the following questions should be answered in establishing the need for protection:

- Which data packets may be forwarded to the network, on the basis of which protocols, to which computer?
- Which information should be kept secret? How can e.g. the internal network structure and user names be made invisible to the outside world?
- What authentication procedures should be used; are user-specific authentication procedures necessary?
- What accesses are needed (e.g. only over an Internet service provider)?
- Which data volumes are likely to be transferred?
- Which computers with which data are in the network, requiring special protection?
- Which users are there in the network, and what services should be made available to the individual users?
- Which activities in the network should be logged? (This may affect questions of employee data protection.)
- Which services should never be used?
- Is it guaranteed that only the services which have been expressly released can be used (what is not allowed is forbidden)?
- What damage can be caused in the network to be protected if unauthorised access is gained?
- What are the residual risks once the envisaged protection measures have been implemented?
- What restrictions would users accept because of the application of protective measures?

To be able to assess in the recommended communications analysis which services are actually needed by which user at which computer, the individual units should first attempt to obtain precise knowledge of the advantages and threats of the communications options on offer (perhaps by appropriate tests with a single system connected to the Internet).

V. Firewalls

If an administration network is to be connected to the Internet, this can be done either through one central access or through several decentralised ones. A central access is preferable on security grounds. Once the administration network is connected to the Internet, the security risks caused by the link can be reduced by use of a firewall. A firewall is understood as a threshold between two networks; it must be passed to reach systems in the other network. The main task of a firewall is to ensure that only permitted inter-network activities are allowed, and that attempted misuse is detected early. It is usually assumed that the users of the internal network (here the administration network) are more trustworthy than those of the external network (here the Internet).
Firewall solutions are nevertheless also suitable for limiting the cross-border activities of internal users, i.e. the transitions between the various sub-networks (e.g. the department networks) within an administration network. Firewalls have the following characteristics:

- The firewall is the defined and monitored interface between the network to be protected and the untrustworthy one;
- There is a uniform security standard in each internal (sub)network; there is no further differentiation by security level, at least at the network level;
- The firewall requires a defined security policy for the network to be protected; the requirements of all networked systems must be included in this;
- There is a need for a firewall-related user administration of those internal users who may communicate with computers in the external network.

The strength of the firewall depends essentially on the technology applied and its correct administration; however, the staggering of firewalls and their organisational integration into the IT infrastructure are also crucial to security. It is especially important that the necessary protection level is defined for an area protected by a firewall. This requirement can be met by three solution variants:

1. Uniformly high protection level in the whole internal network, i.e. oriented towards the highest protection requirement present;
2. Uniformly low protection level, i.e. oriented towards the lowest protection requirement present, or an overall low or medium protection requirement;
3. Uniformly low protection level and realisation of additional services to protect network components with a higher protection requirement.

Variants 1 and 2 correspond most closely to central firewall solutions; in view of the sensitive nature of the data processed in public administration, only variant 1 can be compatible with the requirements of data protection law. Variant 3 leads to the successive firewalls solution, i.e. to a situation in which, as well as a central firewall covering the medium protection requirement (which among other things secures the internal network structure against attacks from outside), area-related and demand-oriented firewall connections can be implemented with differing security levels. Staggered firewalls can in fact make sense even with a uniformly high protection level in the overall network, so that the possible damage from security violations can be limited to one network segment. This applies in particular to preventing internal misuse.

1. Central firewalls

Purely central firewall solutions are characterised by the following aspects:

- The central firewall forms the only interface between the complete administrative authority network to be protected and the rest of the Internet;
- Within the administration network there is a uniform security standard, and no further differentiation by security levels;
- Monitoring of the internal connections by the firewall is not possible;
- The central firewall requires a defined security policy for the overall administration network; differing security policies cannot be imposed at network level for areas meriting higher protection;
- There is a need for a central user administration. The permitted communication must be specified for each user, both at service level and in terms of the permitted addresses.

As a central firewall does not support differentiation by sub-networks, and accordingly presupposes a uniform security level for the overall administration network, the level of protection achieved must be aligned with the most sensitive data and is correspondingly high. For administrative areas with less sensitive data, however, this has the disadvantage of creating unnecessarily high barriers. This leads to the danger that additional Internet accesses with lower restrictions will be created from these units, making a mockery of the entire purpose of the firewall.

A further disadvantage of central firewalls is the problem (familiar from mainframes) that user administration which is distant from the department concerned often leads to deviations between the reality of user rights and their mapping in the form of accounts.

As firewall solutions are primarily suitable for protection against external attacks, secondarily for protection against attacks outward from within, but not for control of purely internal accesses, there is a danger with purely central solutions that the entire administration network is seen as one unit, and consequently only the accesses from or to the outside are restricted. Although this aspect is only indirectly part of the Internet access theme, it is essential to include it in any overall examination of network security.

The use of a solely central firewall is at best justifiable if all connected sub-networks have a similar security need or level, and there is furthermore no danger of internal misuse. This cannot be assumed, however, in inter-authority administration networks with a variety of interconnected computers.

2. Successive firewalls (preconditions, application options, demands)

Successive firewall solutions are characterised by the following aspects:

- They are a combination of central and decentralised components: a minimum protection towards the Internet is implemented for the overall network with a central firewall, and decentralised firewalls secure appropriate protection levels in sub-networks with special protection needs;
- Within each protected sub-network there is a uniform security level;
- It is possible to monitor access within the administration if the communication goes beyond an area protected by decentralised firewalls;
- A successive firewall also presupposes a defined security policy for the overall network; in particular, this must include the requirements for a guaranteed basic protection; in addition, separate security requirements should be defined for the sub-networks;
- User administration can largely be decentralised. However, uniform rules should be specified governing which users have the right to establish contact with the Internet over the central firewall.

Decentralised firewalls use in principle the same mechanisms as a central firewall. The combination of central and decentralised protection mechanisms allows the principle of autonomous protection to be implemented: with careful configuration, specially protected sub-networks remain secure even if an intruder gets past the central firewall. Successive firewalls, unlike central solutions, can map the important data protection principle of separation of powers, with which it would be incompatible for the administrative authority to be seen as a single informational whole. The sub-networks can be sealed off against attacks from outside (from the Internet) and also from one another.

Since successive solutions can map the users' requirements better than exclusively central firewalls, there is also less danger that protected interfaces will be bypassed by the creation of unauthorised Internet accesses. The consequences of such infringements of the stipulated security policy can also be better isolated. Successive firewalls also involve a high total administration and maintenance cost, though this is distributed over the central firewall and the respective areas. The specification of individual user rights can essentially be assigned to the decentralised firewalls, which are closer to the applications.
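As an added example (not part of the original guidance), the following Python simulation applies the allow-list principle from the communications analysis ("what is not allowed is forbidden") to the successive-firewall arrangement described above: a central firewall at the Internet gateway, a decentralised firewall around a sensitive sub-network, and internal addresses hidden behind the gateway's external address. All networks, hosts, services and rules are constructed assumptions, not a configuration from any real administration.

```python
"""Added example, not part of the original guidance: simulates the allow-list
policy ("what is not allowed is forbidden") of a central firewall at the Internet
gateway plus a decentralised firewall in front of a sensitive sub-network.
Addresses, services and rules are constructed for illustration only."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Internet services named in the communications analysis, by well-known port.
SERVICES = {"smtp": ("tcp", 25), "http": ("tcp", 80), "ftp": ("tcp", 21),
            "telnet": ("tcp", 23), "finger": ("tcp", 79), "nfs": ("udp", 2049)}
INTERNAL = ip_network("10.0.0.0/8")     # separate internal address structure (assumed)
SENSITIVE = ip_network("10.5.0.0/16")   # sub-network with special protection needs (assumed)
EXTERNAL_ADDR = "192.0.2.1"             # address the central firewall shows outside (assumed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

class Firewall:
    """Allow-list filter: a packet matching no (src net, dst net, service) rule
    is dropped and logged for security-event handling."""
    def __init__(self, name, rules):
        self.name = name
        self.rules = [(ip_network(s), ip_network(d), SERVICES[svc]) for s, d, svc in rules]
        self.log = []

    def passes(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for net_s, net_d, (proto, port) in self.rules:
            if src in net_s and dst in net_d and (proto, port) == (pkt.proto, pkt.dport):
                return True
        self.log.append(f"{self.name}: DROP {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
        return False

CENTRAL = Firewall("central", [
    ("0.0.0.0/0", "10.1.0.25/32", "smtp"),    # inbound mail only to the mail relay
    ("10.1.0.25/32", "0.0.0.0/0", "smtp"),    # the relay may send mail out
    ("10.0.0.0/8", "0.0.0.0/0", "http"),      # outbound WWW from the whole network
])
DECENTRAL = Firewall("personnel", [
    ("10.5.0.0/16", "10.1.0.25/32", "smtp"),  # sensitive area only sends mail via the relay
])

def firewalls_on_path(pkt):
    """Firewalls the packet must cross, in the order it meets them."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    hops = [((src in INTERNAL) != (dst in INTERNAL), CENTRAL),
            ((src in SENSITIVE) != (dst in SENSITIVE), DECENTRAL)]
    if src in SENSITIVE:        # leaving the sensitive area: its own firewall comes first
        hops.reverse()
    return [fw for crosses, fw in hops if crosses]

def forwarded(pkt, central_bypassed=False):
    """True if every firewall on the path permits the packet (default deny).
    Traffic that crosses no firewall (within one area) is not controlled at all;
    central_bypassed models an intruder who has already got past the gateway."""
    path = [fw for fw in firewalls_on_path(pkt) if not (central_bypassed and fw is CENTRAL)]
    return all(fw.passes(pkt) for fw in path)

def as_seen_outside(pkt):
    """Outbound packets leave with the gateway's external address so the internal
    address structure stays invisible; None if the packet is not forwarded."""
    if not forwarded(pkt):
        return None
    return replace(pkt, src=EXTERNAL_ADDR) if ip_address(pkt.src) in INTERNAL else pkt
```

Note that a sensitive-area host is refused outbound WWW by its own firewall before the central one is even consulted, and a Telnet attempt against it is still dropped when the central firewall is treated as already bypassed.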
Last modified: 13.02.97