A Short History of the Internet

Most historical reviews of the Internet imply that networking began with ARPAnet. In a sense, digital transmission of data began when Samuel B. Morse publicly demonstrated the telegraph in 1844. In 1874 Thomas Edison invented the quadruplex telegraph, which multiplexed two signals in each direction over a single wire. With higher speeds and multiplexing, the teletype replaced Morse’s manual system, and a few teletype installations still exist today.

NOTE
In 1837 both Sir Charles Wheatstone in Great Britain and Samuel B. Morse in the United States announced their telegraphic inventions.

The early telegraph systems were, in modern terms, point-to-point links. As the industry grew, switching centers acted as relay stations and paper tape was the medium that the human routers used to relay information from one link to another. Figure 1.1 illustrates a simple single-layer telegraphic network configuration. Figure 1.2 shows a more complex multilayered network.

Figure 1.1: A simple asynchronous network.
Figure 1.2: A multilayered asynchronous network.

The links of these networks were point-to-point asynchronous serial connections. For a paper tape network, the incoming information was punched on paper tape by high-speed paper tape punches and was then manually loaded on an outgoing paper tape reader.

Although this activity might seem like ancient history to younger readers, let us put this story into a more understandable framework. In early 1962, Paul Baran and his colleagues at the RAND Corporation were tackling the problem of how to build a computer network that would survive a nuclear war.

The year 1969 was a year of milestones. Not only did NASA place the first astronauts on the moon but also, with much less fanfare, the Department of Defense’s Advanced Research Projects Agency (ARPA) contracted with Bolt Beranek and Newman (BBN) to develop a packet-switched network based on Paul Baran’s ideas. The initial project linked computers at the University of California at Los Angeles (UCLA), Stanford Research Institute (SRI) in Menlo Park, California, the University of California at Santa Barbara, and the University of Utah in Salt Lake City, Utah. On the other side of the continent from the ARPAnet action, Ken Thompson and Dennis M. Ritchie brought UNIX to life at Bell Labs (now Lucent Technologies) in Murray Hill, New Jersey.

Even though message switching was well known, the original ARPAnet provided only three services: remote login (telnet), file transfer, and remote printing. In 1972, when ARPAnet consisted of 37 sites, e-mail joined the ranks of ARPAnet services. In October 1972 ARPAnet was demonstrated to the public at the International Conference on Computer Communications in Washington, D.C. In the following year, TCP/IP was proposed as a standard for ARPAnet.

The amount of military-related traffic on ARPAnet continued to increase. ARPA had been renamed DARPA (Defense Advanced Research Projects Agency) in 1972, and in 1975 operational control of ARPAnet passed to the Defense Communications Agency (DCA). Many non-government organizations wanted to connect to ARPAnet, but private sector connections were limited to defense-related organizations. This policy led to the formation of other networks, such as BBN’s commercial network Telenet.

The year 1975 marked the beginning of the personal computer industry’s rapid growth. In those days, when you bought a microcomputer you received bags of parts that you then assembled. Assembling a computer was a lot of work; a simple 8KB memory card required over 1,000 solder connections. Only serious electronics hobbyists, such as those who attended the Homebrew Computer Club meetings at the Stanford Linear Accelerator Center on Wednesday nights, built computers.

In 1976, four years after the initial public announcement that ARPAnet would use packet-switching technology, telephone companies from around the world through the auspices of CCITT (Consultative Committee for International Telegraphy and Telephony) announced the X.25 standard. Although both ARPAnet and X.25 used packet switching, there was a crucial difference in the implementations. As the precursor of TCP/IP, the ARPAnet protocol was based on the end-to-end principle; that is, only the ends are trusted and the carrier is considered unreliable.

On the other hand, the telephone companies preferred a more controllable protocol. They wanted to build packet-switched networks that used a trusted carrier, and they wanted to control the input of network traffic. Therefore, CCITT based the X.25 protocol on the hop-to-hop principle, in which each hop verifies that it received the packet correctly before passing it on. CCITT also reduced per-packet overhead by creating virtual circuits: once a circuit is set up, each packet carries only a short circuit identifier instead of full addressing information.

In contrast to ARPAnet, in which every packet contained enough information to take its own path, with the X.25 protocol the first packet contains the path information and establishes a virtual circuit. After the initial packet, every other packet follows the same virtual circuit. Although this optimizes the flow of traffic over slow links, it means that the connection depends on the continued existence of the virtual circuit.

The end-to-end principle of TCP/IP and the hop-to-hop principle of X.25 represent opposing views of the data transfer process between source and destination. TCP/IP assumes that the carrier is unreliable, allows every packet to take a different route to the destination, and does not regulate the amount of traffic flowing through the various paths; error detection and recovery are the responsibility of the endpoints. X.25, on the other hand, corrects errors at every hop, creates a single virtual path for all packets, and regulates the amount of traffic a device sends into the X.25 network.
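The security consequence of that difference is worth seeing concretely. The following Python model is an added example, not code from the original chapter: it relays a message across a chain of constructed switches, where every hop recomputes a per-link check (CRC-32 standing in for a link-layer frame check sequence) and only the two endpoints share a key for an end-to-end tag (HMAC-SHA-256, chosen because it is what a practitioner would use today, not what 1976 equipment did). The host names, message, key and the tampering switch are all assumptions made for the demonstration.

```python
"""Toy model of hop-to-hop versus end-to-end integrity (added example).

Per-link checks only prove that each relay received what its neighbour sent.
A relay that alters the payload and then forwards a freshly checked frame is
invisible to every later hop.  An end-to-end check held by the endpoints
catches the change, because the carrier is never trusted.
"""
import hashlib
import hmac
import zlib


def link_check(payload: bytes) -> int:
    """Per-link integrity value, recomputed by every hop (CRC-32 as a stand-in for an FCS)."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def end_to_end_tag(key: bytes, payload: bytes) -> bytes:
    """End-to-end check that only the two endpoints can compute (HMAC-SHA-256)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def forward_hop_by_hop(path, payload, tamper_at=None):
    """Relay payload along `path`; each hop verifies the link check from its
    predecessor, optionally tampers, and forwards a re-checked frame.
    Returns (payload_as_delivered, hops_that_detected_a_link_error)."""
    detected = []
    frame = (payload, link_check(payload))
    for hop in path[1:]:
        data, crc = frame
        if link_check(data) != crc:
            detected.append(hop)
        if hop == tamper_at:
            # A faulty or hostile switch changes the amount, then re-checks the frame.
            data = data.replace(b"1000.00", b"9000.00")
        frame = (data, link_check(data))
    return frame[0], detected


def deliver(path, payload, key, tamper_at=None):
    """Send with an end-to-end tag, relay hop by hop, verify at the destination."""
    tag = end_to_end_tag(key, payload)
    out, link_errors = forward_hop_by_hop(path, payload, tamper_at)
    ok = hmac.compare_digest(tag, end_to_end_tag(key, out))
    return {"payload": out, "link_errors": link_errors, "end_to_end_ok": ok}


# Constructed sample: a payment message relayed across three carrier switches.
PATH = ["ucla", "switch-a", "switch-b", "switch-c", "sri"]
MESSAGE = b"PAY 1000.00 TO ACCT 4242"
KEY = b"endpoint-shared-secret"  # assumed to be pre-shared by the two endpoints only

if __name__ == "__main__":
    print("clean    :", deliver(PATH, MESSAGE, KEY))
    print("tampered :", deliver(PATH, MESSAGE, KEY, tamper_at="switch-b"))
```

In the tampered run no hop reports a link error, because switch-b recomputed a valid check for the altered frame; only the end-to-end tag at the destination fails. That is the practical content of "only the ends are trusted."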

The year 1979 was another milestone year for the future of the Internet. Graduate students at Duke University and the University of North Carolina set up a research computer network called Usenet. Usenet was a dial-up network using UUCP (UNIX-to-UNIX copy). It offered Usenet News and mail servers. The mail service required a user to enter the entire path to the destination machine using UUCP bang addressing, in which the names of the successive machines are separated by exclamation marks (bangs), for example host1!host2!host3!user. Even though I sent mail on a regular basis, I always had problems getting the address right. Only a few UUCP networks are left today, but Usenet News continues as NetNews. Also in 1979, Onyx Systems released the first commercial version of UNIX on a microcomputer.

The most crucial event for TCP/IP occurred on January 1, 1983, when TCP/IP became the standard protocol for ARPAnet, which by then connected roughly 500 sites. On that day the Internet was born. Since the late 1970s many government, research, and academic networks had been using TCP/IP, but with the final conversion of ARPAnet the various TCP/IP networks shared a protocol that facilitated internetworking. In the same year the military part of ARPAnet split off to form MILNET. With funding from DARPA, the University of California at Berkeley released 4.2BSD UNIX with a TCP/IP stack. In addition, Novell released NetWare based on the XNS protocol developed at Xerox PARC, Proteon shipped a software-based router running on the PDP-11, and C++ was transformed from an idea into a viable language.

That was the year in which the idea of building local-area networks (LANs) was new and hot. With the introduction of LANs, the topology of networks changed from the representation shown in Figure 1.2, which ties legacy systems together, to that shown in Figure 1.3, which ties LANs together.

Figure 1.3: A LAN-based model for internetworks.

With the growth in number of organizations connecting to ARPAnet and the increasing number of LANs connected to ARPAnet, another problem surfaced. TCP/IP routes traffic according to the destination’s IP address.

The IP address is a 32-bit number, written as four octets for the sake of human readability. Computers work with numbers, but humans remember names better than numbers. When ARPAnet was small, systems used a host file (in UNIX the file is /etc/hosts) to resolve names to Internet Protocol (IP) addresses. The Network Information Center (NIC) maintained the master file, and individual sites periodically downloaded it. As ARPAnet grew, this arrangement became unmanageable in a fast-growing and dynamic network.

In 1984 the domain name system (DNS) replaced downloading the host file from NIC (the section “IP Addresses and Domain Names” discusses the relationship between the two in more detail). With the implementation of DNS, the management of mapping names to addresses moved out to the sites themselves.
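As an added example that is not part of the original chapter, the Python below does the three things the preceding paragraphs describe in words: it packs a dotted-quad address into the 32-bit number a router actually compares, it resolves names from a hosts file in the /etc/hosts layout, and it splits a network into subnets (the "subnetting" that makes an address count understate the number of networks). The hosts-file contents, names and addresses are constructed for the example and do not refer to real systems; the resolver behaviour modelled is first match wins, as in traditional resolvers.

```python
"""Dotted-quad packing, hosts-file resolution and subnetting (added example)."""
import ipaddress

# Constructed /etc/hosts sample: <address> <canonical name> [aliases...]
HOSTS_FILE = """\
127.0.0.1     localhost
10.1.2.3      ucla-gw.example   gw
10.1.2.17     sri-host.example  sri  vanity-name.example
10.1.2.17     other-vanity.example      # second name for the same address
"""


def ip_to_int(dotted: str) -> int:
    """Pack 'a.b.c.d' into the 32-bit integer the routing code works with."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: split a 32-bit number back into four octets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_hosts(text: str) -> dict:
    """Parse hosts-file text into {name: address}; comments and blank lines are
    skipped, names are case-insensitive, and the first mapping for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        ip_to_int(address)  # reject malformed addresses early
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(table: dict, name: str):
    """Name-to-address lookup; None when the name is not in the file."""
    return table.get(name.lower())


def names_per_address(table: dict) -> dict:
    """Invert the table: shows why counting names overstates the address count."""
    inverted = {}
    for name, address in table.items():
        inverted.setdefault(address, []).append(name)
    return inverted


def subnets(network: str, new_prefix: int) -> list:
    """Split one network into equal subnets, e.g. a /24 into four /26s."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    print(resolve(table, "SRI"), hex(ip_to_int("10.1.2.17")))
    print(names_per_address(table)["10.1.2.17"])
    print(subnets("10.1.2.0/24", 26))
```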

For the next seven years the Internet entered a growth phase. In 1986 the National Science Foundation created NSFNET to link supercomputing centers via a high-speed backbone (56Kbps). Although NSFNET was strictly noncommercial, it enabled organizations to obtain an Internet connection without having to meet ARPAnet’s defense-oriented policy. By 1990 organizations connected to ARPAnet had completed their move to NSFNET, and ARPAnet ceased to exist. NSFNET closed its doors five years later, and commercial providers took over the Internet world.

Until 1990 the primary Internet applications were e-mail, listserv, telnet, and FTP. In 1990, McGill University introduced Archie, an FTP search tool for the Internet. In 1991, the University of Minnesota released Gopher.

Gopher

Gopher’s hierarchical menu structure helped users organize documents for presentation over the Internet. Gopher servers became so popular that by 1993 thousands of Gopher servers contained over a million documents. To find these documents, a person used the Gopher search tool Veronica (very easy rodent-oriented netwide index to computerized archives). These search tools are important, but they are not the ones that sparked the Internet explosion.

Between 1989 and 1991 Tim Berners-Lee, a physicist at CERN in Geneva, Switzerland, developed the protocols for the World Wide Web (WWW). Seeking a way to link scientific documents together, he created the Hypertext Markup Language (HTML), defined as an application of the Standard Generalized Markup Language (SGML). In developing the WWW, he drew on the 1965 work of Ted Nelson, who coined the word hypertext. However, the event that really fueled the Internet explosion was the release of Mosaic by the National Center for Supercomputing Applications (NCSA) in 1993.

From a standard for textual documents, HTML now includes images, sound, video, and interactive screens via the common gateway interface (CGI), Microsoft’s ActiveX (previously called OLE controls), and Sun Microsystems’ Java. The changes occur so fast that the standards lag behind the market.

How large is the Internet today?

That is a good question. We could measure the size of the Internet by the number of network addresses granted by InterNIC, but these addresses can be “subnetted,” so the number of networks is much larger than the InterNIC figures suggest. We could measure the size of the Internet by the number of domain names, yet some of these names are vanity names (a domain name assigned to an organization but served by machines that support multiple domain names) and others are aliases. Vanity names and aliases produce a name count higher than the number of IP addresses, because multiple names point to the same IP address.

Starting in the fall of 1995, companies and organizations began to include their uniform resource locator (URL), along with their street address, telephone number, and fax number, in television ads, newspaper ads, and consumer newsletters. A company’s presence on the Internet, as represented by its Web address (the URL), thus reached a new level of general acceptance. The Internet emerged from academia to become a household word.

The question arises as to where all this technology is going. Because my crystal ball is broken, please don’t hold me to what I say.


Glossary Of Computer Security Terms

Access
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (Source: GCST)
Access Control
The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). Synonymous with controlled access and limited access. (Source: GCST)
Accreditation
A formal declaration by the designated approving authority (DAA) that the automated information system (AIS) is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. (Source: GCST)
Assurance
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. Compare with trusted computer system. (Source: GCST)
Audit Trail
A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. (Source: GCST)
Authenticate
1.To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
2.To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
(Source: GCST)
Authorization
The granting of access rights to a user, program, or process. (Source: GCST)
Automated Information System
An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. (Source: GCST)
Availability
The state when data is in the place needed by [or accessible to] the user, at the time the user needs them, and in the form needed by the user. (Source: GCST)
Certification
The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meet a specified set of security requirements. (Source: GCST)
Compartmented Mode of Operation
An AIS is operating in the compartmented mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for the most restricted information on the system.
Formal access approval for, and has signed nondisclosure agreements for, that information to which the user is to have access.
A valid need-to-know for that information to which the user is to have access.
(Source: GCST)
Covert Channel
A communications channel that allows two cooperating processes to transfer information in a manner that violates the system’s security policy. Synonymous with confinement channel. (Source: GCST)
Covert Storage Channel
A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. (Source: GCST)
Covert Timing Channel
A covert channel in which one process signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process. (Source: GCST)
Dedicated Mode of Operation
An AIS is operating in the dedicated mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for all information contained within the system.
(Source: GCST)
Denial of Service
Any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. Synonymous with interdiction. (Source: GCST)
Designated Approving Authority (DAA)
The official who has the authority to decide on accepting the security safeguards prescribed for an AIS, or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards. (Source: GCST)
Discretionary Access Control (DAC)
A means of restricting access to objects based on the identity and need-to-know of the user, process, and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. Compare mandatory access control. (Source: GCST)
Evaluation
An assessment of a product against the Trusted Computer System Evaluation Criteria (the Orange Book).
Information Warfare
Information warfare is the activity by a hacker, terrorist, or other adversary to disrupt an information system. Traditional security addresses the protection of information; defense against information warfare is aimed at protecting the systems that collect, store, manipulate, and transport information, so that they are not accessed by unauthorized persons and are available as needed. (Source: Defense Information Infrastructure Master Plan)
Mandatory Access Control (MAC)
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. Compare discretionary access control. (Source: GCST)
Multilevel Mode of Operation
An AIS is operating in the multilevel mode when all of the following statements are satisfied concerning the users with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts:
Some do not have a valid personnel clearance for all of the information processed in the system.
All have the proper clearance and have the appropriate formal access approval for that information to which they are to have access.
All have a valid need-to-know for that information to which they are to have access.
(Source: GCST)
Multilevel Security (MLS)
An MLS system is a system containing information with different security classifications that simultaneously permits access by users with different security clearances and needs to know. This system prevents users from obtaining access to information for which they lack authorization. (Source: DOD Directive 5200.28)
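The Discretionary Access Control, Mandatory Access Control, Audit Trail and Covert Storage Channel entries above are easier to hold together with a working model. The Python below is an added example, not drawn from NCSC-TG-004 or the other sources the glossary cites: a toy reference monitor that applies an owner-managed permission list (DAC, including the right to pass a permission on), label dominance with the Bell-LaPadula "no read up" and "no write down" rules (MAC), and a decision log (the audit trail), and then shows two cooperating processes at different levels moving bits through a shared finite resource even though every direct write-down is refused. The label hierarchy, subjects, objects and pool size are assumptions constructed for the demonstration.

```python
"""DAC, MAC, audit trail and a covert storage channel in one toy monitor (added example)."""

# Assumed linear ordering of sensitivity labels; no compartments in this model.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Obj:
    """An object with a MAC label and a DAC permission list kept by its owner."""
    def __init__(self, name, owner, label):
        self.name, self.owner, self.label = name, owner, label
        self.acl = {owner: {"read", "write", "grant"}}


class Monitor:
    """Reference monitor: access is allowed only if DAC and MAC both allow it,
    and every decision is recorded (the glossary's audit trail)."""
    def __init__(self, clearances):
        self.clearances = clearances            # subject -> clearance label
        self.log = []

    @staticmethod
    def dominates(a, b):
        return LEVELS[a] >= LEVELS[b]

    def dac_allows(self, subject, obj, right):
        return right in obj.acl.get(subject, set())

    def mac_allows(self, subject, obj, right):
        clr = self.clearances[subject]
        if right == "read":                     # simple security property: no read up
            return self.dominates(clr, obj.label)
        if right == "write":                    # *-property: no write down
            return self.dominates(obj.label, clr)
        return True

    def check(self, subject, obj, right):
        ok = self.dac_allows(subject, obj, right) and self.mac_allows(subject, obj, right)
        self.log.append((subject, obj.name, right, "ALLOW" if ok else "DENY"))
        return ok

    def grant(self, granter, obj, grantee, right):
        """DAC delegation: any holder of 'grant' may pass a right on.  MAC is not
        consulted here, which is exactly why MAC must be enforced again on use."""
        if not self.dac_allows(granter, obj, "grant"):
            return False
        obj.acl.setdefault(grantee, set()).add(right)
        return True


class SharedPool:
    """A finite resource (think disk sectors) shared by all levels.  Whether an
    allocation succeeds is observable by every subject; that is the channel."""
    def __init__(self, size):
        self.size, self.used = size, 0

    def allocate(self):
        if self.used >= self.size:
            return False
        self.used += 1
        return True

    def release_all(self):
        self.used = 0


def covert_send(pool, bits):
    """Covert storage channel: the high-level sender fills the pool to encode a 1
    and leaves it empty for a 0; the low-level receiver reads the bit from whether
    its own allocation fails.  Returns the bits as the receiver decoded them."""
    received = []
    for bit in bits:
        pool.release_all()                      # sender resets the shared state
        if bit:
            while pool.allocate():              # fill to capacity
                pass
        got_slot = pool.allocate()              # receiver probes
        received.append(0 if got_slot else 1)
    pool.release_all()
    return received


def demo():
    mon = Monitor({"alice": "SECRET", "bob": "UNCLASSIFIED"})
    plan = Obj("plan.txt", owner="alice", label="SECRET")
    notes = Obj("notes.txt", owner="bob", label="UNCLASSIFIED")
    mon.grant("alice", plan, "bob", "read")     # DAC lets alice hand bob a right...
    mon.grant("bob", notes, "alice", "read")
    mon.grant("bob", notes, "alice", "write")
    return {
        "bob_reads_secret": mon.check("bob", plan, "read"),          # ...but MAC: no read up
        "alice_reads_unclass": mon.check("alice", notes, "read"),    # read down is allowed
        "alice_writes_unclass": mon.check("alice", notes, "write"),  # no write down
        "leaked_bits": covert_send(SharedPool(size=4), [1, 0, 1, 1, 0]),  # flows anyway
        "audit": list(mon.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The monitor denies both the read up and the write down, and the audit trail records each decision, yet the five bits cross the boundary through the pool's "full" state. That is why the glossary treats covert channels as a separate concern from access control: the channel uses no object the monitor mediates.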
Risk
The probability that a particular threat will exploit a particular vulnerability of the system. (Source: GCST)
Risk Analysis
The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management. Synonymous with risk assessment. (Source: GCST)
Risk Management
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost/benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. (Source: GCST)
Sensitive Compartmented Information
Information restricted to people who have been given formal access to the security program, called a compartment.
Security Policy
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. (Source: GCST)
System-High Mode of Operation
An AIS is operating in the system-high mode when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for some of the information contained within the system.
(Source: GCST)
Trusted Computer System
A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information. (Source: GCST)
————————————————————————

Note: “GCST” means the Glossary of Computer Security Terms, NCSC-TG-004, 21 Oct 88 (the “Olive” Book).