Cryptography and Network Security
UNIT V - SYSTEM LEVEL SECURITY

SYSTEM LEVEL SECURITY
- Intrusion Detection
- Password Management
- Viruses and related threats
- Virus Countermeasures
- Firewall design principles
- Trusted Systems
Intruders
- a significant issue for networked systems is hostile or unwanted access, either via the network or locally
- can identify three classes of intruder:
  - masquerader: an outsider who uses a legitimate user's account
  - misfeasor: a legitimate user who misuses their own privileges
  - clandestine user: one who seizes supervisory control to evade auditing and access controls
- intruders have varying levels of competence
Intruders
- clearly a growing, publicised problem, from the "Wily Hacker" in 1986/87 to steadily escalating CERT statistics
- may seem benign, but still cost resources
- a compromised system may be used to launch other attacks
- awareness of intruders has led to the development of CERTs
Intrusion Techniques
- the aim is to gain access to and/or increase privileges on a system
- basic attack methodology:
  - target acquisition and information gathering
  - initial access
  - privilege escalation
  - covering tracks
- a key goal is often to acquire passwords, then exercise the access rights of the owner
Password Capture
- another attack involves password capture:
  - watching over the shoulder as the password is entered
  - using a trojan horse program to collect passwords
  - monitoring an insecure (cleartext) network login, e.g. telnet, FTP, web, email
  - extracting recorded info after a successful login (web history/cache, last number dialled, etc.)
- with a valid login/password the attacker can impersonate the user
- users need to be educated to use suitable precautions/countermeasures
Intrusion Detection
- inevitably there will be security failures, so we also need to detect intrusions, so that we can:
  - block the intruder if detected quickly
  - act as a deterrent
  - collect information to improve security
- assumes an intruder will behave differently from a legitimate user, but the distinction will be imperfect
Password Guessing
- one of the most common attacks
- attacker knows a login (from email/web page etc), then attempts to guess the password for it:
  - defaults, short passwords, common word searches
  - user info (variations on names, birthday, phone, common words/interests)
  - exhaustively searching all possible passwords
- guesses are checked online by attempting to log in, or offline against a stolen password file (far faster, and invisible to the target)
- success depends on the password chosen by the user; surveys show many users choose poorly
Approaches to Intrusion Detection
- statistical anomaly detection
  - threshold
  - profile based
- rule-based detection
  - anomaly
  - penetration identification
Audit Records
- fundamental tool for intrusion detection
- native audit records
  - part of all common multi-user O/S, so already present for use
  - may not have the information wanted, in the desired form
- detection-specific audit records
  - created specifically to collect the wanted information
  - at the cost of additional overhead on the system
Statistical Anomaly Detection
- threshold detection
  - count occurrences of a specific event over time
  - if the count exceeds a reasonable value, assume an intrusion
  - alone it is a crude and ineffective detector
- profile based
  - characterise the past behaviour of users (or groups of users)
  - detect significant deviations from this
  - a profile is usually multi-parameter
Audit Record Analysis
- the foundation of statistical approaches
- analyse records to obtain metrics over time: counter, gauge, interval timer, resource use
- apply various tests to these to determine whether current behaviour is acceptable: mean & standard deviation, multivariate, Markov process, time series, operational
- key advantage is that no prior knowledge of security flaws is needed; the weakness is that an attacker who stays within the learned profile is not seen
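The two statistical techniques above, threshold detection on a counter metric and profile-based detection on a resource-use metric, as an added example that is not part of the original slides. The audit records are constructed, and the window size, limit and the 3-sigma cut-off are assumptions chosen for illustration.

```python
"""Threshold and profile-based anomaly detection over audit records.

Added example (not from the original slides). The audit records below are
constructed for illustration; field names and thresholds are assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, user, event, value).
# 'login_fail' is a counter-type event; 'bytes_out' is a resource-use metric.
HISTORY = [
    ("2024-03-01T09:00:00", "alice", "bytes_out", 1200),
    ("2024-03-02T09:05:00", "alice", "bytes_out", 1500),
    ("2024-03-03T09:10:00", "alice", "bytes_out", 1100),
    ("2024-03-04T09:00:00", "alice", "bytes_out", 1400),
    ("2024-03-05T09:02:00", "alice", "bytes_out", 1300),
]
CURRENT = [
    ("2024-03-06T02:00:00", "alice", "bytes_out", 9800),
    ("2024-03-06T02:00:01", "bob", "login_fail", 1),
    ("2024-03-06T02:00:02", "bob", "login_fail", 1),
    ("2024-03-06T02:00:03", "bob", "login_fail", 1),
    ("2024-03-06T02:00:04", "bob", "login_fail", 1),
    ("2024-03-06T02:00:05", "bob", "login_fail", 1),
    ("2024-03-06T02:00:06", "bob", "login_fail", 1),
    ("2024-03-06T02:09:00", "carol", "login_fail", 1),
]


def threshold_detect(records, event="login_fail", limit=5, window=timedelta(minutes=1)):
    """Counter-based threshold detection: flag any user with more than `limit`
    occurrences of `event` inside a sliding window of length `window`."""
    alarms = set()
    times = defaultdict(list)
    for ts, user, ev, _ in records:
        if ev == event:
            times[user].append(datetime.fromisoformat(ts))
    for user, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            if end - start + 1 > limit:
                alarms.add(user)
                break
    return alarms


def build_profiles(history):
    """Profile-based: per (user, metric) mean and standard deviation of past values."""
    samples = defaultdict(list)
    for _, user, ev, val in history:
        samples[(user, ev)].append(val)
    profiles = {}
    for key, vals in samples.items():
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        profiles[key] = (mean, math.sqrt(var))
    return profiles


def profile_detect(profiles, records, k=3.0):
    """Flag observations more than k standard deviations from the user's mean.
    Metrics with no profile yet (first sighting) are not judged."""
    alarms = []
    for _, user, ev, val in records:
        if (user, ev) not in profiles:
            continue
        mean, sd = profiles[(user, ev)]
        if sd == 0:
            sd = 1e-9  # degenerate profile: any change at all is a deviation
        z = (val - mean) / sd
        if abs(z) > k:
            alarms.append((user, ev, val, round(z, 1)))
    return alarms


if __name__ == "__main__":
    print("threshold alarms:", threshold_detect(CURRENT))
    print("profile alarms:", profile_detect(build_profiles(HISTORY), CURRENT))
```

Note that neither detector knows anything about how the attack was carried out: bob's burst of failed logins and alice's 7x jump in outbound bytes are flagged purely because they differ from the norm, which is the "no prior knowledge" advantage the slide refers to.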
Rule-Based Intrusion Detection
- observe events on the system and apply rules to decide whether activity is suspicious or not
- rule-based anomaly detection
  - analyse historical audit records to identify usage patterns and auto-generate rules for them
  - then observe current behaviour and match it against the rules to see if it conforms
  - like statistical anomaly detection, does not require prior knowledge of security flaws
Rule-Based Intrusion Detection
- rule-based penetration identification
  - uses expert-system technology, with rules identifying known penetrations, weakness patterns, or suspicious behaviour
  - compares audit records or system states against the rules
  - rules are usually machine and O/S specific
  - rules are generated by experts who interview security admins and codify their knowledge
  - quality depends on how well this is done
Base-Rate Fallacy
- practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  - if too few intrusions are detected -> false sense of security
  - if too many false alarms -> alarms are ignored / time is wasted
- this is very hard to do: intrusions are rare compared with legitimate activity, so even a small false-alarm rate produces far more false alarms than true ones
- existing systems seem not to have a good record
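The base-rate point worked through with Bayes' rule, added here and not part of the original slides; the probabilities are assumed for illustration.

Let $I$ be "an intrusion is occurring" and $A$ "the IDS raises an alarm". Assume intrusions are rare, $P(I)=10^{-4}$, the detector catches 99% of them, $P(A\mid I)=0.99$, and it false-alarms on 1% of benign activity, $P(A\mid \neg I)=0.01$. Then

$$
P(I\mid A)=\frac{P(A\mid I)\,P(I)}{P(A\mid I)\,P(I)+P(A\mid\neg I)\,P(\neg I)}
=\frac{0.99\times 10^{-4}}{0.99\times 10^{-4}+0.01\times 0.9999}
=\frac{9.9\times10^{-5}}{1.0098\times10^{-2}}\approx 0.0098 .
$$

So about 99 of every 100 alarms are false even with a detector that is "99% accurate" in both directions. For half of the alarms to be real, $P(I\mid A)=0.5$, the false-alarm term must equal the true-alarm term, $P(A\mid\neg I)\,P(\neg I)=P(A\mid I)\,P(I)$, giving $P(A\mid\neg I)\approx 9.9\times10^{-5}$, roughly one false alarm per ten thousand benign events. That is the level of precision the slide says is very hard to achieve.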
Distributed Intrusion Detection
- traditional focus is on single systems, but we typically have networked systems
- a more effective defence has these working together to detect intrusions
- issues:
  - dealing with varying audit record formats
  - integrity and confidentiality of the audit data sent over the network
  - centralised or decentralised architecture

Distributed Intrusion Detection - Architecture (figure)

Distributed Intrusion Detection - Agent Implementation (figure)
Honeypots
- decoy systems to lure attackers
  - away from accessing critical systems
  - to collect information about their activities
  - to encourage the attacker to stay on the system so the administrator can respond
- filled with fabricated information
- instrumented to collect detailed information on the attacker's activities
- single or multiple networked systems
- cf IETF Intrusion Detection WG standards
Password Management
- front-line defence against intruders
- users supply both:
  - login - identifies the user and determines their privileges
  - password - authenticates that they are who the login claims
- passwords are not stored in the clear but as a one-way transformation (they cannot be recovered, only re-checked)
  - Unix crypt(3) uses repeated DES (a variant keyed by the password, with a 12-bit salt)
  - more recent systems use a cryptographic hash function, salted and iterated
- should protect the password file on the system (e.g. a shadow file readable only by root), since an offline guessing attack on a stolen file is far faster than online guessing
Password Studies
- Purdue 1992 - many short passwords
- Klein 1990 - many guessable passwords
- conclusion is that users choose poor passwords too often
- need some approach to counter this
Managing Passwords - Education
- can use policies and good user education
- educate on the importance of good passwords
- give guidelines for good passwords:
  - minimum length (more than 6 characters in these slides; longer is now expected)
  - require a mix of upper & lower case letters, numbers, punctuation
  - not dictionary words
- but likely to be ignored by many users
Managing Passwords - Computer Generated
- let the computer create passwords
- if random, likely not memorisable, so will be written down (sticky label syndrome)
- even pronounceable ones are not well remembered
- have a history of poor user acceptance
- FIPS PUB 181 is one of the best generators
  - has both a description and sample code
  - generates words by concatenating random pronounceable syllables
Managing Passwords - Reactive Checking
- reactively run password guessing (cracking) tools against the system's own password file
- note that good dictionaries exist for almost any language/interest group
- cracked passwords are disabled
- but it is resource intensive
- and bad passwords remain vulnerable until found
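An added example, not from the original slides, covering the password storage and guessing points above: a salted, iterated hash in place of Unix crypt(3) (PBKDF2-HMAC-SHA256 is used here, which is an assumption, not the slides' own scheme), and the offline dictionary attack a reactive checker or an intruder with a stolen password file would run against it. Account names, passwords, the wordlist and the mangling rules are all constructed for illustration.

```python
"""Salted, iterated password hashing and an offline dictionary attack on it.

Added example, not from the original slides. PBKDF2-HMAC-SHA256 stands in for
Unix crypt(3); user names, passwords, salts and the wordlist are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # deliberately low so the demonstration runs in seconds


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex' for storage in the password file.
    A fresh random salt per account means equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_password_file(accounts):
    """Simulate the system's password file: login -> stored hash string."""
    return {login: hash_password(pw) for login, pw in accounts.items()}


def expand_wordlist(words):
    """Mangling rules of the kind guessing tools apply: case and common suffixes."""
    out = []
    for w in words:
        out += [w, w.capitalize(), w + "1", w + "123", w.capitalize() + "!"]
    return out


def dictionary_attack(password_file, wordlist):
    """Offline guessing / reactive check: try every candidate against every entry.
    Because each account has its own salt, every (account, guess) pair costs a
    separate PBKDF2 run; no precomputed table can be shared across accounts.
    Returns {login: cracked_password}."""
    cracked = {}
    for login, stored in password_file.items():
        for candidate in wordlist:
            if verify_password(candidate, stored):
                cracked[login] = candidate
                break
    return cracked


# Constructed accounts and a constructed (tiny) dictionary.
ACCOUNTS = {
    "alice": "Tr0ub4dor&3-xq9",  # not derivable from the dictionary
    "bob": "password123",        # dictionary word + common suffix
    "carol": "Dragon!",          # capitalised dictionary word + punctuation
}
WORDLIST = ["password", "dragon", "letmein", "qwerty", "welcome"]

if __name__ == "__main__":
    pwfile = build_password_file(ACCOUNTS)
    print("same password, different salt, different hash:",
          hash_password("password123") != hash_password("password123"))
    print("cracked:", dictionary_attack(pwfile, expand_wordlist(WORDLIST)))
```

Running it cracks bob and carol but not alice; the cost of the attack scales with iterations x accounts x candidates, which is exactly why the slide calls reactive checking resource intensive, and why the iteration count is set high in production rather than the low value used here.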
Managing Passwords - Proactive Checking
- most promising approach to improving password security
- allow users to select their own password, but have the system verify that it is acceptable:
  - simple rule enforcement (see earlier slide)
  - compare against a dictionary of bad passwords
  - use an algorithmic method (Markov model or Bloom filter) to detect poor choices compactly, without storing the whole dictionary
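A proactive checker combining the three techniques just listed, as an added example that is not part of the original slides: rule enforcement, a dictionary of bad passwords, and a Bloom filter holding that dictionary compactly (Spafford's OPUS approach). The rules, the filter size and hash count, and the dictionary words are assumptions chosen for illustration.

```python
"""Proactive password checker: rule enforcement plus a Bloom-filter dictionary.

Added example, not from the original slides. Rules, dictionary words, filter
size and hash count are assumptions chosen for illustration.
"""
import hashlib
import string


class BloomFilter:
    """Compact set-membership test with no false negatives: a password that is
    in the bad-word dictionary is always rejected, while a small fraction of
    acceptable passwords may be rejected as false positives. The filter is a
    few KB regardless of how large the dictionary behind it is."""

    def __init__(self, n_bits=4096, n_hashes=4):
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, word):
        # k positions derived from independent SHA-256 evaluations over i||word.
        for i in range(self.n_hashes):
            h = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.n_bits

    def add(self, word):
        for p in self._positions(word):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, word):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(word))


def build_bad_password_filter(words):
    bf = BloomFilter()
    for w in words:
        bf.add(w.lower())  # canonical form, so case changes alone do not evade it
    return bf


def check_password(pw, login, bad_filter, min_len=8):
    """Return the list of reasons the password is unacceptable (empty == accepted)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        reasons.append("needs at least three of: lower, upper, digit, punctuation")
    if login.lower() in pw.lower():
        reasons.append("contains the login name")
    # strip common trailing digits/punctuation before the dictionary lookup,
    # so 'Dragon123!' is still recognised as the dictionary word 'dragon'
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in bad_filter or core in bad_filter:
        reasons.append("based on a dictionary word")
    return reasons


# Constructed bad-password dictionary; a real one has hundreds of thousands of entries.
BAD_WORDS = ["password", "qwerty", "letmein", "dragon", "welcome", "monkey", "football"]

if __name__ == "__main__":
    bf = build_bad_password_filter(BAD_WORDS)
    for login, pw in [("alice", "Dragon123!"), ("bob", "bobSecret9!"), ("carol", "kX7#pqL2wz")]:
        print(login, pw, check_password(pw, login, bf) or "accepted")
```

Because the check runs at the moment the password is chosen, a bad choice never reaches the password file, which is the advantage over reactive checking; the price is that the checker, like the cracker, has to anticipate the mangling rules attackers use.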
Summary
- have considered:
  - the problem of intrusion
  - intrusion detection (statistical & rule-based)
  - password management
Malicious Software

Viruses and Other Malicious Content
- computer viruses have had a lot of publicity
- one of a family of malicious software
- effects are usually obvious
- have figured in news reports, fiction, movies (often exaggerated)
- get more attention than they deserve
- are a concern though
Malicious Software

Trapdoors
- a secret entry point into a program
- allows those who know of it to gain access, bypassing the usual security procedures
- have commonly been used by developers (e.g. for debugging and testing)
- a threat when left in production programs, where they can be exploited by attackers
- very hard to block at the O/S level
- requires good s/w development and update practices (code review, not shipping debug entry points)
Logic Bomb
- one of the oldest types of malicious software
- code embedded in a legitimate program
- activated when specified conditions are met, e.g.:
  - presence/absence of some file
  - a particular date/time
  - a particular user
- when triggered, typically damages the system: modifies/deletes files/disks
Trojan Horse
- a program with hidden side-effects, which is usually superficially attractive, e.g. a game, s/w upgrade, etc.
- when run, performs some additional tasks
- allows the attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data
Zombie
- a program which secretly takes over another networked computer
- then uses it to indirectly launch attacks
- often used to launch distributed denial of service (DDoS) attacks
- exploits known flaws in network systems
Viruses
- a piece of self-replicating code attached to some other code (cf a biological virus)
- both propagates itself and carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task
Virus Operation
- virus phases:
  - dormant - waiting on a trigger event
  - propagation - replicating to programs/disks
  - triggering - by an event, to execute the payload
  - execution - of the payload
- details are usually machine/OS specific, exploiting features/weaknesses
Virus Structure
(Cohen's classic pseudocode. The constant 1234567 is the marker the virus places as the first line of an infected file so it can recognise files already infected; the initial goto main skips over the virus's own subroutines, and goto next hands control back to the original program so the host appears to run normally.)

  program V :=
  {goto main;
   1234567;
   subroutine infect-executable :=
     {loop:
      file := get-random-executable-file;
      if (first-line-of-file = 1234567) then goto loop
      else prepend V to file; }
   subroutine do-damage :=
     {whatever damage is to be done}
   subroutine trigger-pulled :=
     {return true if some condition holds}
   main: main-program :=
     {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}
   next:
  }
Types of Viruses
- can classify on the basis of how they attack:
  - parasitic virus
  - memory-resident virus
  - boot sector virus
  - stealth virus
  - polymorphic virus
  - macro virus
Macro Virus
- macro code attached to some data file, interpreted by the program that uses the file
  - e.g. Word/Excel macros, esp. using auto-execute and command macros
- code is now platform independent
- a major source of new viral infections
- blurs the distinction between data and program files, making the task of detection much harder
- classic trade-off: "ease of use" vs "security"
Email Virus
- spread using email with an attachment containing a macro virus (cf Melissa)
- triggered when the user opens the attachment, or worse, even when the mail is merely viewed, by using scripting features in the mail agent
- usually targeted at the Microsoft Outlook mail agent and Word/Excel documents
Worms
- a replicating program that does not infect other programs (it runs as a program in its own right)
- typically spreads over a network (cf the Morris Internet Worm in 1988, which led to the creation of CERTs)
- using the user's distributed privileges (e.g. trusted-host logins) or by exploiting system vulnerabilities
- widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
- the major issue is the lack of security of permanently connected systems, esp. PCs
Worm Operation
- worm phases are like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish a connection to the target remote system
    - replicate self onto the remote system
  - triggering
  - execution
Morris Worm
- best known classic worm
- released by Robert Morris in 1988
- targeted Unix systems, using several propagation techniques:
  - simple password cracking of the local password file
  - exploiting a bug in the finger daemon
  - exploiting the debug trapdoor in the sendmail daemon
- if any attack succeeded, it replicated itself onto the new host
Recent Worm Attacks
- a new spate of attacks from mid-2001
- Code Red
  - exploited a bug in MS IIS to penetrate and spread
  - probes random IPs for systems running IIS
  - had a trigger time for a denial-of-service attack
  - 2nd wave infected 360,000 servers in 14 hours
- Code Red 2
  - had a backdoor installed to allow remote control
- Nimda
  - used multiple infection mechanisms: email, shares, web client, IIS, the Code Red 2 backdoor
Virus Countermeasures
- viral attacks exploit the lack of integrity control on systems
- to defend, need to add such controls, typically by one or more of:
  - prevention - block the virus infection mechanism
  - detection - of viruses in an infected system
  - reaction - restoring the system to a clean state
Anti-Virus Software
- first-generation
  - scanner uses a virus signature to identify the virus
  - or a change in the length of programs
- second-generation
  - uses heuristic rules to spot viral infection
  - or uses program checksums to spot changes
- third-generation
  - memory-resident programs identify a virus by its actions
- fourth-generation
  - packages with a variety of antivirus techniques, e.g. scanning & activity traps, access controls
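The first two generations side by side, as an added example that is not from the original slides: a signature scanner, and a checksum-based integrity check of the kind the "lack of integrity control" slide calls for. The signature database, the in-memory "programs" and the infection marker are all constructed; no real malware is involved, and the simulated infection just prepends a marker the way the parasitic virus structure earlier on the page does.

```python
"""First-generation signature scanning and second-generation checksum
(integrity) checking over an in-memory set of 'executables'.

Added example, not from the original slides. The signatures, file contents and
the 'infected' byte pattern are all constructed; no real malware is involved.
"""
import hashlib

# Constructed signature database: name -> byte pattern a scanner looks for.
SIGNATURES = {
    "DemoInfector": b"\x90\x90INFECT_MARK",
}

# Constructed 'programs' as they were when the baseline was taken.
CLEAN_FILES = {
    "/usr/bin/ls": b"\x7fELF" + b"A" * 60,
    "/usr/bin/cat": b"\x7fELF" + b"B" * 40,
    "/usr/bin/vi": b"\x7fELF" + b"C" * 80,
}


def signature_scan(files, signatures):
    """Generation 1: report (path, name) for every file containing a known signature.
    Misses anything not in the database, including trivially mutated variants."""
    hits = []
    for path, data in files.items():
        for name, pattern in signatures.items():
            if pattern in data:
                hits.append((path, name))
    return hits


def take_baseline(files):
    """Generation 2 integrity control: record a hash and length per program.
    The baseline must live where a virus cannot rewrite it (read-only media,
    or signed), otherwise an infector simply updates it after infecting."""
    return {path: (hashlib.sha256(data).hexdigest(), len(data)) for path, data in files.items()}


def integrity_check(files, baseline):
    """Report (path, length change) for files whose hash differs from the baseline,
    plus files that have appeared since. Catches unknown viruses, but only after
    they have infected something; it cannot prevent the infection."""
    changed, new = [], []
    for path, data in files.items():
        if path not in baseline:
            new.append(path)
            continue
        digest, length = baseline[path]
        if hashlib.sha256(data).hexdigest() != digest:
            changed.append((path, len(data) - length))
    return changed, new


def simulate_infection(files, victim):
    """Constructed 'infection': prepend a marker to one program, as a parasitic virus would."""
    infected = dict(files)
    infected[victim] = b"\x90\x90INFECT_MARK" + infected[victim]
    return infected


def simulate_unknown_variant(files, victim):
    """A mutated variant whose bytes are not in the signature database."""
    infected = dict(files)
    infected[victim] = b"\x90\x91INFECT_M4RK" + infected[victim]
    return infected


if __name__ == "__main__":
    baseline = take_baseline(CLEAN_FILES)
    known = simulate_infection(CLEAN_FILES, "/usr/bin/ls")
    unknown = simulate_unknown_variant(CLEAN_FILES, "/usr/bin/cat")
    print("signature scan, known virus:", signature_scan(known, SIGNATURES))
    print("signature scan, variant:    ", signature_scan(unknown, SIGNATURES))
    print("integrity check, variant:   ", integrity_check(unknown, baseline))
```

The scanner finds the known infector and misses the variant; the checksum finds both but cannot say what changed, only that something did, which is why later generations combine the techniques.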
Advanced Anti-Virus Techniques
- generic decryption
  - uses a CPU simulator to check a program's signature and behaviour before actually running it
- digital immune system (IBM)
  - general purpose emulation and virus detection
  - any virus entering the organisation is captured, analysed, detection/shielding created for it, and it is removed
Behavior-Blocking Software
- integrated with the host O/S
- monitors program behaviour in real time, e.g. file access, disk format, executable modifications, system settings changes, network access, for possibly malicious actions
- if detected, can block, terminate, or ask the user for approval
- has an advantage over scanners: it needs no signature, so it can stop previously unseen code
- but the malicious code runs before detection, so some damage may already be done
Summary
- have considered:
  - various malicious programs: trapdoor, logic bomb, trojan horse, zombie
  - viruses
  - worms
  - countermeasures
Firewalls

Introduction
- have seen the evolution of information systems
- now everyone wants to be on the Internet and to interconnect networks
- this brings persistent security concerns
- can't easily secure every system in the organisation
- need "harm minimisation"
- a Firewall is usually part of this
What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services: only authorised traffic is allowed
- auditing and controlling access
- can implement alarms for abnormal behaviour
- should itself be immune to penetration (it runs a hardened, minimal system)
- provides perimeter defence
Firewall Limitations
- cannot protect from attacks bypassing it, e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH, whose encrypted contents it cannot inspect)
- cannot protect against internal threats, e.g. a disgruntled employee
- cannot protect against the transfer of all virus-infected programs or files, because of the huge range of O/S & file types
Firewalls - Packet Filters (figure)

Firewalls - Packet Filters
- simplest of components
- foundation of any firewall system
- examine each IP packet in isolation (no context) and permit or deny according to rules on source/destination address, protocol and port
- hence restrict access to services (ports)
- possible default policies:
  - that which is not expressly permitted is prohibited (default deny: safer, the usual choice)
  - that which is not expressly prohibited is permitted (default allow: convenient, but every new service is exposed until a rule blocks it)

Firewalls - Packet Filters (example rule sets, figure)
Attacks on Packet Filters
- IP address spoofing
  - attacker fakes a source address that the rules trust (e.g. an internal address)
  - countermeasure: add filters on the router to discard packets arriving on the external interface with an internal source address
- source routing attacks
  - attacker specifies a route other than the default, trying to bypass the filter
  - countermeasure: block all source-routed packets
- tiny fragment attacks
  - split the TCP header over several tiny IP fragments so the filter never sees the port fields in the first fragment
  - countermeasure: either discard tiny fragments or reassemble before checking
Firewalls - Stateful Packet Filters
- examine each IP packet in context
- keep track of client-server sessions
- check that each packet validly belongs to one
- better able to detect bogus packets that are out of context
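An added example, not from the original slides, that covers the packet-filter slides above together: a stateless filter with a default-deny rule set and the anti-spoofing rule from the attacks slide, and a stateful layer that admits return traffic only for sessions it saw start, so the out-of-context packets the slide mentions are dropped. Addresses, the rule format and the packets are constructed; the rule tuple layout is an assumption, not any vendor's syntax.

```python
"""Stateless packet filter with default-deny and anti-spoofing rules, plus a
stateful extension that only admits inbound packets belonging to a session
it has seen start.

Added example, not from the original slides. Addresses, rule set and packets
are constructed; the rule format is an assumption, not any vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str         # "ext" (arrives from the Internet) or "int" (arrives from the LAN)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK => connection initiation
    ack: bool = False


# Rules are evaluated top to bottom; first match wins.
# Fields: (iface, proto, src_net, dst_net, dport, action).
RULES = [
    # anti-spoofing: internal source addresses never legitimately arrive from outside
    ("ext", "any", INTERNAL, ANY, None, "deny"),
    # inbound SMTP to the mail gateway only
    ("ext", "tcp", ANY, ipaddress.ip_network("10.0.0.25/32"), 25, "permit"),
    # any outbound TCP from the LAN
    ("int", "tcp", INTERNAL, ANY, None, "permit"),
    # default policy: that which is not expressly permitted is prohibited
    ("any", "any", ANY, ANY, None, "deny"),
]


def stateless_filter(pkt, rules=RULES):
    """Judge one packet on its own fields; no memory of earlier packets."""
    for iface, proto, src_net, dst_net, dport, action in rules:
        if iface not in ("any", pkt.iface):
            continue
        if proto not in ("any", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src_net:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst_net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


class StatefulFilter:
    """Remembers sessions opened by permitted packets and admits the reverse
    direction only for those sessions, so no rule has to open all high ports
    to let replies back in."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()  # (proto, client, cport, server, sport)

    def handle(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"  # reply packet of a session we saw start
        if pkt.proto == "tcp" and pkt.ack and not pkt.syn:
            return "deny"    # mid-stream packet with no session: out of context
        action = stateless_filter(pkt, self.rules)
        if action == "permit":
            self.sessions.add(key)
        return action


if __name__ == "__main__":
    sf = StatefulFilter()
    out = Packet("int", "tcp", "10.0.0.9", 51000, "198.51.100.3", 443, syn=True)
    reply = Packet("ext", "tcp", "198.51.100.3", 443, "10.0.0.9", 51000, ack=True)
    print("outbound:", sf.handle(out))
    print("reply, stateless:", stateless_filter(reply), " stateful:", sf.handle(reply))
```

The reply to the LAN client's HTTPS connection is denied by the stateless rules (nothing expressly permits inbound traffic to port 51000) but permitted by the stateful filter because it matches a session the filter recorded; a forged ACK to a different client port, with no matching session, is still denied.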
Firewalls - Application Level Gateway (or Proxy) (figure)

Firewalls - Application Level Gateway (or Proxy)
- use an application-specific gateway / proxy
- has full access to the protocol
  - the user requests the service from the proxy
  - the proxy validates the request as legal
  - then actions the request and returns the result to the user
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic
  - custom services are generally not supported
Firewalls - Circuit Level Gateway (figure)

Firewalls - Circuit Level Gateway
- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created, usually relays traffic without examining the contents
- typically used when internal users are trusted, by allowing general outbound connections
- SOCKS is commonly used for this
Bastion Host
- a highly secure host system
- potentially exposed to "hostile" elements, hence is hardened to withstand this
- may support 2 or more network connections
- may be trusted to enforce separation between those network connections
- runs circuit / application level gateways
- or provides externally accessible services
Firewall Configurations (three figure slides)
ACCESS CONTROL

Access Control
- given that the system has identified a user, determine what resources they can access
- the general model is that of an access matrix with:
  - subject - active entity (user, process)
  - object - passive entity (file or resource)
  - access right - a way the object can be accessed (read, write, execute, ...)
- the matrix is sparse, so in practice it is decomposed by:
  - columns, as access control lists (stored with each object: which subjects may do what to it)
  - rows, as capability tickets (held by each subject: which objects it may access and how)
Access Control Matrix (figure)
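The decomposition just described, as an added example that is not from the original slides: one constructed access matrix viewed as per-object ACLs and as per-subject capability lists, with the access check written against each, and the per-object revocation that the ACL view makes trivial. Subjects, objects and rights are constructed.

```python
"""Access control matrix decomposed into ACLs (columns) and capability lists (rows).

Added example, not from the original slides. Subjects, objects and rights are constructed.
"""
from collections import defaultdict

# Constructed access matrix: rows are subjects, columns are objects,
# cells are the set of access rights. Absent cells mean no access.
MATRIX = {
    "alice":  {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":    {"report.txt": {"read", "write"}, "printer": {"use"}},
    "backup": {"payroll.db": {"read"}, "report.txt": {"read"}},
}


def to_acls(matrix):
    """Column view: for each object, which subjects hold which rights.
    This is what a file system consults on open(); revoking everyone's
    access to one object is a single local change."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Row view: for each subject, the tickets (object -> rights) it holds.
    Answers 'what can this subject do?' directly, but revoking access to
    one object means finding every subject that holds a ticket for it."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def check_acl(acls, subject, obj, right):
    """Reference-monitor style check against the object's ACL; anything unknown is denied."""
    return right in acls.get(obj, {}).get(subject, set())


def check_capability(caps, subject, obj, right):
    """The same decision made from the subject's capability list."""
    return right in caps.get(subject, {}).get(obj, set())


def revoke_all_access_to(acls, obj):
    """In the ACL view, cutting off an object is one operation on one list."""
    acls[obj] = {}


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("ACLs:", acls)
    print("capabilities:", caps)
    print("bob read payroll.db:", check_acl(acls, "bob", "payroll.db", "read"))
```

Both views are the same matrix, so every (subject, object, right) decision agrees between them; the difference is which operations (lookup by object, lookup by subject, revocation) are cheap.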
TRUSTED SYSTEMS

Trusted Computer Systems
- information security is increasingly important
- have varying degrees of sensitivity of information (cf military information classifications: confidential, secret, etc.)
- subjects (people or programs) have varying rights of access to objects (information)
- want to consider ways of increasing confidence in systems to enforce these rights
- known as multilevel security
  - subjects have a maximum (clearance) and a current security level
  - objects have a fixed security level (classification)
Bell LaPadula (BLP) Model
- one of the most famous security models
- implemented as mandatory policies on the system (the user cannot override them)
- has two key policies:
  - no read up (simple security property): a subject can only read an object if the current security level of the subject dominates (>=) the classification of the object
  - no write down (*-property): a subject can only append to or write an object if the current security level of the subject is dominated by (<=) the classification of the object
- together these ensure information can only flow upwards in classification, so a process that has read secret data cannot leak it into an unclassified object
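The two BLP properties as an access check over a linear ordering of levels, as an added example that is not part of the original slides. The level names, the subject and the object classifications are constructed; a real system would also carry categories (compartments) in the dominance relation, which this example omits.

```python
"""Bell-LaPadula simple security property and *-property over a linear lattice.

Added example, not from the original slides. Levels, subjects and objects are
constructed; a real system also includes categories in the dominance relation.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a, b):
    """a dominates b when a's level is at least b's (linear order here)."""
    return LEVELS[a] >= LEVELS[b]


class Subject:
    """A subject has a fixed maximum level (clearance) and a current level it is
    operating at, which may be lowered but never raised above the clearance."""

    def __init__(self, name, max_level, current_level=None):
        self.name = name
        self.max_level = max_level
        self.current_level = current_level or max_level
        if not dominates(max_level, self.current_level):
            raise ValueError("current level cannot exceed clearance")

    def lower_to(self, level):
        """Operate below clearance, e.g. to be allowed to write a lower-level document."""
        if not dominates(self.max_level, level):
            raise ValueError("cannot raise current level above clearance")
        self.current_level = level


def can_read(subject, obj_level):
    """Simple security property (no read up): subject's current level >= object's."""
    return dominates(subject.current_level, obj_level)


def can_write(subject, obj_level):
    """*-property (no write down): object's classification >= subject's current level."""
    return dominates(obj_level, subject.current_level)


def mac_decision(subject, obj_level, op):
    """The mandatory check a reference monitor applies before any discretionary (ACL) check."""
    return {"read": can_read, "write": can_write}[op](subject, obj_level)


if __name__ == "__main__":
    analyst = Subject("analyst", "secret")
    for level in LEVELS:
        print(f"{level:13s} read={can_read(analyst, level)!s:5} write={can_write(analyst, level)}")
```

With clearance secret the analyst can read confidential and secret objects but not top secret, and can write secret and top secret objects but not confidential ones; to write a confidential memo the analyst lowers the current level to confidential, after which secret objects can no longer be read. That trade is exactly what prevents a subject from copying secret data downwards.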
Reference Monitor (figure)
Evaluated Computer Systems
- governments can evaluate IT systems against a range of standards: TCSEC (the US "Orange Book"), ITSEC (its European counterpart) and now the Common Criteria
- these define a number of "levels" of evaluation, with increasingly stringent checking
- have published lists of evaluated products
- though aimed at government/defence use, can be useful in industry also
Summary
- have considered:
  - firewalls
  - types of firewalls
  - configurations
  - access control
  - trusted systems