N-1-2-040.33.1

Towards an Internet Security Architecture: Part I

by Stephen Kent*, kent@bbn.com

In this issue I begin a multi-part series addressing architectural security issues in the Internet. Policy statements about user, vendor, system administrator, and network provider responsibilities have been published (RFC 1281), as have more detailed statements about good security procedures (RFC 1244). However, these very high level and very low level approaches to security should be complemented by an architectural view of security for the Internet. This and succeeding columns will explore various aspects of Internet security architecture as the topic begins to be explored in the Internet community. Some of the text in this column is extracted from background material I prepared for the second workshop on the future of the Internet architecture, an event which took place in January, 1992.

As the Internet grows in size, in geographic extent, and in cultural diversity, security becomes increasingly important and increasingly difficult to achieve. Growth in the size and cultural diversity of the user population increases the likelihood that not all users will share the same concepts of security and privacy. Increases in the size and geographic extent of the Internet make efforts to identify and trace incidents of unauthorized access more difficult, especially when international borders are crossed. As the Internet grows to include organizations beyond educational, research, and computer and network vendor organizations, new demands are being made for security.

Security in the Internet can be characterized in various ways. For example, one can distinguish security requirements for different types of Internet participants: network service providers, application service providers, end users, and vendors.

In general, network service providers may emphasize security requirements that allow them to provide robust ("hardened") network services to their subscribers.
Secure management of network components (authentication, integrity, access control, and confidentiality) is an important aspect of a hardened network offering. Other service provider requirements may best be met by security mechanisms addressing quality of service guarantees. Some network service providers, e.g., regional and other backbone providers, also may be interested in mechanisms to support accounting/billing and policy routing, and may wish to provide subscribers with mechanisms to create virtual private networks using common transmission and switching facilities. The latter requirements might focus on confidentiality and access control mechanisms.

In a campus network environment, provision of standard (user and process) authentication facilities may be of major concern, e.g., as input to access control for network resources, policy routing, etc. Here too, security for management of network components (authentication, integrity, access control, and confidentiality) is important. Most local network administrations do not bill for transmission and switching, but they still have a need for secure network management in support of availability. Moreover, an administrator may have a need to control access between his facilities and the Internet in general, to protect his local user population against external threats. Many of these administrators also function as local providers of application services, e.g., print and file servers, and they may need to perform accounting for cost recovery purposes.

Network application service providers are concerned with controlling access to resources, i.e., the network application services they provide. They would seem to be ideal candidates for authentication, access control and non-repudiation mechanisms, e.g., in support of accounting and billing and to ensure access to application services for authorized users.
To the extent that end users require other features, e.g., confidentiality, in using applications, these, too, become requirements for these service providers.

End users may have a variety of security requirements, depending on individual perceptions of security threats and how they value their data. Access control facilities may rank high for users who wish to protect their computers and data against unauthorized disclosure or modification. When communicating with other users, the end user may wish to employ security technology to ensure the privacy, authenticity, and integrity of his communications. A user may be required to employ a combination of security techniques to establish his authorization before being allowed to access various network applications, both locally and on an Internet-wide basis.

Finally, vendors bring to the table concerns about the costs of implementing various security technologies, including performance and export control limitations. The specific security services offered in products should be driven by customer demands from end users, service providers, system administrators, etc. In addition to the client-derived requirements, software license management issues also may call for authentication, access control, non-repudiation, and confidentiality mechanisms.

This characterization illustrates that security in the Internet can take on different meanings for different participants in the Internet. Subsequent columns will continue this theme, examining how to characterize security requirements for the various elements of the Internet community, exploring security mechanisms being developed into Internet standards, and discussing principles which might form the basis of a security architecture for the Internet.

* Chief Scientist, BBN Communications, Cambridge, MA