
CS695OL Live Classroom 3 Slides


Page 1: CS695OL Live Classroom 3 Slides

8/13/2019 CS695OL Live Classroom 3 Slides

http://slidepdf.com/reader/full/cs695ol-live-classroom-3-slides 1/20

CS 695, Copyright © 2010 Stuart Jacobs

MET CS 695

Enterprise Information Security

Live Classroom 3 slides


Page 3: CS695OL Live Classroom 3 Slides


Access Control Approaches

Access Control List

  Object        ACL
  LectureNotes  (Professor, {r,w}), (Instructor, {r}),     (Student, {r})
  Assignments   (Professor, {r,g}), (Instructor, {r,g}),   (Student, {r,w})
  Discussions   (Professor, {r,w}), (Instructor, {r,w,g}), (Student, {r,w})
  Exams         (Professor, {r,g}), (Instructor, {r,g}),   (Student, {r,w})
  GradeBook     (Professor, {r,w}), (Instructor, {r,w}),   (Student, {r})

Access Control Matrix (rows: Subjects, columns: Objects)

  Subject     LectureNotes  Assignments  Discussions  Exams   GradeBook
  Professor   {r,w}         {r,g}        {r,w}        {r,g}   {r,w}
  Instructor  {r}           {r,g}        {r,w,g}      {r,g}   {r,w}
  Student     {r}           {r,w}        {r,w}        {r,w}   {r}

Role Based Access Control (RBAC)
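The ACL and the matrix on this slide carry the same information: an ACL is one column of the matrix and a capability list is one row. The following is an added example (not part of the slides) that loads the slide's ACLs, derives the matrix and the per-subject capability lists from them, and performs a default-deny access check; the function names are my own.

```python
# Added example: the three views of the slide's access-control data.
# Data below is copied from the slide; everything else is assumed.
ACLS = {
    "LectureNotes": {"Professor": {"r", "w"}, "Instructor": {"r"}, "Student": {"r"}},
    "Assignments":  {"Professor": {"r", "g"}, "Instructor": {"r", "g"}, "Student": {"r", "w"}},
    "Discussions":  {"Professor": {"r", "w"}, "Instructor": {"r", "w", "g"}, "Student": {"r", "w"}},
    "Exams":        {"Professor": {"r", "g"}, "Instructor": {"r", "g"}, "Student": {"r", "w"}},
    "GradeBook":    {"Professor": {"r", "w"}, "Instructor": {"r", "w"}, "Student": {"r"}},
}


def matrix_from_acls(acls):
    """Build the access control matrix: matrix[subject][object] -> set of rights."""
    matrix = {}
    for obj, entries in acls.items():
        for subject, rights in entries.items():
            matrix.setdefault(subject, {})[obj] = set(rights)
    return matrix


def capabilities(matrix, subject):
    """A capability list is the matrix row for one subject (objects it may touch)."""
    return {obj: rights for obj, rights in matrix.get(subject, {}).items() if rights}


def acl_from_matrix(matrix, obj):
    """An ACL is the matrix column for one object (subjects that may touch it)."""
    return {subject: row[obj] for subject, row in matrix.items() if row.get(obj)}


def permitted(matrix, subject, obj, right):
    """Reference-monitor style check: anything not explicitly granted is denied."""
    return right in matrix.get(subject, {}).get(obj, set())


MATRIX = matrix_from_acls(ACLS)
```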

Page 4: CS695OL Live Classroom 3 Slides


Security Models

• A security model will
  – Describe the entities governed by the policy
  – Define the rules that instantiate the policy
• Security models
  – Capture policies for confidentiality and for integrity
  – Some are formal and others are informal
• Example Security Models
  – Bell-LaPadula (BLP) (mandatory)
    • Not really useful: only static relationships
  – HRU (Harrison-Ruzzo-Ullman) (mandatory)
    • Basis of Multi Level Secure system information access concepts
  – Chinese Wall Model (multilateral)
    • Requires major effort to implement within applications
  – Biba (mandatory)
    • Basis of OS integrity ring structuring
  – Clark-Wilson (mandatory)
    • Very applicable to:
      - Commerce (Accounting AP, AR) activities
      - Internet business (Merchant vs. Payment Service)
      - General Transaction Processing and DBMS applications


Page 6: CS695OL Live Classroom 3 Slides


Protocol Layering & End-Points

Page 7: CS695OL Live Classroom 3 Slides


Main Internet Protocols

• Internet Protocol version 4 (IPv4)
  – Internet Control Message Protocol (ICMP)
• Internet Protocol version 6 (IPv6)
• Transmission Control Protocol (TCP)
• Stream Control Transmission Protocol (SCTP)
  – Transaction-oriented, transports data in 1 or more messages
• User Datagram Protocol (UDP)
• Address Resolution Protocol (ARP)
• Dynamic Host Configuration Protocol (DHCP)
• Mobile IP

Page 8: CS695OL Live Classroom 3 Slides


Layer 1 (L1) - Physical

• Broadcast Free Air Radio Frequency Media
  – Many frequencies and signal encoding schemes (WiFi, Bluetooth, Military, Commercial)
• Point-to-Point Free Air Radio Frequency Media
  – Microwave, Waveguide, Fixed Wireless (802.16)
• Broadcast Constrained Radio Frequency Media
  – Coax (e.g., 10base5, 10base2, QAM)
• Point-to-Point Constrained Radio Frequency Media
  – T1/T3, Coax
• Broadcast Free Air Optical Media
  – IR
• Point-to-Point Free Air Optical Media
  – Laser with many forms of signal encoding schemes
• Broadcast Constrained Optical Media
  – none
• Point-to-Point Constrained Optical Media
  – Single Mode Fiber with or without DWDM

Page 9: CS695OL Live Classroom 3 Slides


Current Typical DLL Arrangements

[Figure: protocol stacks drawn by layer. Layer 3: IP. Layer 2: PPP, PPPoE, 802.3, 802.11, 10/100baseT, FR, ATM, MPLS, G-MPLS, 1(10)gigEthernet, SONET, GFP. Layer 1: Serial, xDSL, TP, RF, PON, Optical Fiber, C/D WDM.]

• Typical DLL protocols layered upon each other in today's infrastructures
  – IP over Point-to-Point Protocol (PPP) over Serial (dial-up access)
  – IP over PPP over ATM over TP (xDSL access)
  – IP over 10/100baseT over GigE/ATM over Fiber (PON access)
  – IP over 802.11 over RF (WiFi LANs and HotSpots)
  – IP over 1(10)-GigE over Fiber (LANs & business access)
  – IP over (MPLS) over 10/100baseT (TP) (LANs)
  – IP over MPLS over 1(10)-GigE over (WDM) Fiber (business access)
  – SONET over GFP over (WDM) Fiber (business access & Metro-core)
  – IP over 10/100/1,000/10,000 Ethernet over G-MPLS over GFP over (WDM) Fiber (business access, Metro-core, Inter-metro)

Page 10: CS695OL Live Classroom 3 Slides


Typical Subnet Arrangements

Simple 10base2 Subnet

Simple switched 10/100baseT Subnet

Residential - SOHO Subnet

Page 11: CS695OL Live Classroom 3 Slides


Wireless LANs & Personal LANs

• Did not exist until the FCC opened the ISM bands
  – 902–928 MHz (center frequency 915 MHz)
  – 2.400–2.500 GHz (center frequency 2.450 GHz)
  – 5.725–5.875 GHz (center frequency 5.800 GHz)
  in the mid 1990s for data communications purposes.
• Initial products were proprietary (e.g., AT&T's WaveLAN).
• IEEE 802.11 link layer protocol published in 1997 with two versions, 802.11a (54 Mbps) and 802.11b (11 Mbps); 802.11g (54 Mbps) added.
• Wireless signals are broadcast everywhere within the range of an access point (up to 100 m), with attenuation from walls, windows, etc.
• Wireless eavesdropping/sniffing equipment is available; eavesdropping is done without service disruption and without detection.
• Strong encryption is necessary for:
  – confidentiality
  – controlling LAN access (authorization).
• Security issues and mechanisms are discussed later in the course.

Page 12: CS695OL Live Classroom 3 Slides


Metropolitan Campus Networks (MCAN)

• A Metropolitan Campus Area Network (MCAN) usually consists of local networks that span several buildings on a campus and multiple campuses.
• This type of network is exposed to the outside world, which poses additional security risks.
• Can result in major threats, since the best security provisions are usually provided within a building.
• Due to its size, network management is more complex; a Network Operation Center (NOC) is usually required.
• Can interconnect many locations and facilities.

Page 13: CS695OL Live Classroom 3 Slides


The Internet

[Figure: The Internet drawn as Tier 1 networks (ATT, Verizon, Quest or Sprint, L3 or GBLX, and NTT international) and ISP core networks (ISP Alpha, Bravo, Zulu, Delta, Echo, Tango) joined by gateway (peering) routers. Each ISP hosts web and e-commerce servers and feeds access networks (wireless via cell tower/MTSO and AP, fiber, xDSL, cable) through access routers, reaching smart phones, laptops, PCs or workstations, VoIP telephones and cable or IP TV.]

Page 14: CS695OL Live Classroom 3 Slides


General Computer Security

• Protection in Operating Systems
  – OS Memory Security Mechanisms
    • Segmentation
    • Paging
    • Combining Paging & Segmentation
  – User Authentication & Protection of Passwords
  – Why File System Security
    • Basic forms of file protection
    • Group Protection
    • Single Permissions

Page 15: CS695OL Live Classroom 3 Slides


OS Memory Security Mechanisms

[Figure: User Process #1 laid out in Memory Segments 1–3, with memory management registers (MMR #a–#h) bounding each segment and a Heap Fence (MMR #d) and Stack Fence (MMR #e) inside Memory Segment 1. Each segment is broken into pages (User Process #1 Page 1–16) that map to non-contiguous Physical Memory Pages (p…p+3, r, r+1, s…s+2, t, t+1, u…u+3, v).]

• Paging offers implementation efficiency while segmentation offers logical protection characteristics
• In paged segmentation, a program is divided into logical segments and each segment is broken into fixed-size pages
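The slide describes paged segmentation but not the checks a reference costs. The following is an added example (not from the slides): a small Python model in which each segment carries a limit (the fence), a page table and allowed accesses, and a logical (segment, offset) reference is refused before translation when it crosses the fence, asks for a right the segment lacks, or touches a page that is not resident. The layout in PROCESS, the page size and the names are assumptions.

```python
# Added example of address translation with protection checks in a
# paged-segmentation scheme. Layout, names and page size are assumed.
PAGE_SIZE = 4096


class ProtectionFault(Exception):
    """Raised by the memory management checks on an illegal reference."""


class Segment:
    """One logical segment, described by its management-register contents."""

    def __init__(self, limit, page_table, rights):
        self.limit = limit            # bytes in the segment: the fence
        self.page_table = page_table  # page number -> physical frame number
        self.rights = rights          # allowed accesses, e.g. {"r", "x"}


def translate(segments, seg_no, offset, access):
    """Map a logical (segment, offset) reference to a physical address."""
    seg = segments.get(seg_no)
    if seg is None:
        raise ProtectionFault(f"segment {seg_no} is not part of this process")
    if not 0 <= offset < seg.limit:
        raise ProtectionFault(f"offset {offset} crosses the fence of segment {seg_no}")
    if access not in seg.rights:
        raise ProtectionFault(f"'{access}' is not allowed on segment {seg_no}")
    page, page_offset = divmod(offset, PAGE_SIZE)   # segment is paged
    frame = seg.page_table.get(page)
    if frame is None:
        raise ProtectionFault(f"page {page} of segment {seg_no} is not resident")
    return frame * PAGE_SIZE + page_offset          # pages may sit anywhere


# Constructed process layout: code, heap and stack segments whose pages
# land on scattered physical frames, as in the slide's figure.
PROCESS = {
    0: Segment(2 * PAGE_SIZE, {0: 7, 1: 3}, {"r", "x"}),  # code: two pages
    1: Segment(1024, {0: 12}, {"r", "w"}),                # heap: part of a page
    2: Segment(PAGE_SIZE, {0: 5}, {"r", "w"}),             # stack: one page
}


def safe_translate(segments, seg_no, offset, access):
    """Return the physical address, or the fault message when a check fails."""
    try:
        return translate(segments, seg_no, offset, access)
    except ProtectionFault as fault:
        return str(fault)
```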

Page 16: CS695OL Live Classroom 3 Slides


User Authentication

• OS protection is based on knowing who a user of the system is
• Authentication mechanisms fall into the following categories, called factors:
  – What the user possesses: card with a magnetic strip, a door key, etc. (Weakest)
  – What the user knows: passwords, PINs, etc. (Stronger)
  – What the user is:
    • Biometrics, based on a physical characteristic of the user (Strongest)
      – Fingerprint, voice, vein pattern within an eye
• Factors can be combined to increase reliability of authentication
  – E.g., PIN/password and card, card and fingerprint, etc.
• Use of Passwords
  – The most common authentication mechanism
  – Assumed to be known only to the user and the system
  – How systems should behave during login authentication:
    • Someone enters a (guessed) username
      – Do not respond with the message UNKNOWN user
    • Ask for both username and password and only then respond with LOGIN FAILURE if the user ID or password is incorrect
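The login behaviour the slide prescribes, as an added example (not code from the slides): the leaky variant answers UNKNOWN user as soon as the name is not found, while the recommended variant takes both fields, does the same password work whether or not the account exists, and returns one LOGIN FAILURE message for either mistake. The PBKDF2 storage format, the user database and the dummy record are assumptions.

```python
# Added example: the two login behaviours contrasted on the slide.
import hashlib
import hmac
import os


def make_record(password, iterations=50_000):
    """Store a salted PBKDF2 hash, never the password itself (assumed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


# Constructed user database.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record verified when the username is unknown, so the same work is
# done and the same answer is given whether or not the account exists.
_DUMMY = make_record(os.urandom(16).hex())


def _verify(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def login_leaky(username, password):
    """The behaviour the slide warns against: reveals which usernames exist."""
    if username not in USERS:
        return "UNKNOWN user"
    return "OK" if _verify(USERS[username], password) else "LOGIN FAILURE"


def login(username, password):
    """Recommended behaviour: both fields first, one outcome for any failure."""
    record = USERS.get(username, _DUMMY)
    ok = _verify(record, password) and username in USERS
    return "OK" if ok else "LOGIN FAILURE"
```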

Page 17: CS695OL Live Classroom 3 Slides


Protection of Passwords

• Attacks on Passwords
  – Exhaustive attack
    • An attacker tries all possible passwords in an automated fashion
  – Probable passwords (check for words in dictionary, names, birthdates, etc.)
    • Easier to try than the brute-force method
  – Access the password file
  – 'Shoulder surfing' = watching someone enter/type a password
  – 'Post-it searching' = searching for written-down passwords
• One-Time passwords
  – Change about every 60 seconds
  – Based on synchronized random numbers in a token and server
  – Random number is appended to the user-chosen password, e.g. "password146010"
  – Typically the random number changes every 60 seconds
  – Tokens good for about 2 to 4 years; one product is RSA's SecurID
• Challenge-response for remote server access
  – Changes every time it is used
  – Remote system sends a random number which the requester has to return encrypted to the sending system
  – Relies on use of pre-distributed shared secret keys
  – Issues include key distribution and ensuring the requester proves identity first
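The challenge-response exchange above, as an added example (not from the slides) with both sides' messages: the server issues a fresh random number, the requester returns it transformed under the pre-distributed shared key, and the server checks the reply. One swap is made and labelled: the slide says the number is returned "encrypted"; here the reply is an HMAC over it, which gives the server the same proof of key possession without a decryption step. Names and the shared key are assumptions.

```python
# Added example of the slide's challenge-response scheme (HMAC stands in for
# the slide's "encrypted" reply). Keys and names are constructed.
import hashlib
import hmac
import os

# Pre-distributed shared secrets; the slide notes distributing them is itself
# one of the scheme's issues. Constructed value.
SHARED_KEYS = {"laptop-42": os.urandom(32)}


class Server:
    """Remote system: issues a fresh random challenge and checks the reply."""

    def __init__(self, keys):
        self.keys = keys
        self.pending = {}  # requester -> nonce awaiting a reply

    def challenge(self, requester):
        nonce = os.urandom(16)  # new every time, so each exchange differs
        self.pending[requester] = nonce
        return nonce

    def verify(self, requester, reply):
        nonce = self.pending.pop(requester, None)  # a nonce is answered once
        key = self.keys.get(requester)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, reply)


class Client:
    """Requester: proves possession of the shared key by keying the nonce."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def respond(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def run_exchange(server, client):
    """One full exchange: challenge -> response -> verdict."""
    nonce = server.challenge(client.name)
    return server.verify(client.name, client.respond(nonce))


def stale_reply_rejected(server, client):
    """A reply to an earlier challenge does not satisfy a new one."""
    old_reply = client.respond(server.challenge(client.name))
    server.challenge(client.name)  # replaces the pending nonce
    return not server.verify(client.name, old_reply)
```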

Page 18: CS695OL Live Classroom 3 Slides


User Groups vs. Roles

• Identify groups of users who have some common relationship
  – Administrator, Security Admin., Development, Finance, Guest, HR, Research, etc.
• Frequently three classes of subjects are recognized:
  – Individual users, working group, all other users
• Historically no user could belong to more than one group
  – This is still true with some operating systems (unix, linux)
  – But not other operating systems (Solaris, Windows)
• Grouping users focuses on users and what they can access
• Group issues
  – When a user cannot belong to two groups
    • To overcome the above restriction, some users can have multiple accounts
    • Which leads to proliferation of accounts and inconvenience to users
  – Limited sharing
    • Instead of sharing only within groups or with the world, what if you wish to share one file with ten people and another file with twenty others?
• Alternative is to use Roles
  – Focus on user types and what these types of users can access
  – Access rights assigned to a role
  – Users are assigned (allowed to assume) roles as their responsibilities change
  – As users come and go, much easier to manage than groups or individuals
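The two models contrasted on this slide, as an added example (not from the slides): in the one-group-per-account model, sharing a file with an arbitrary set of people forces extra accounts on anyone already in another group, whereas with roles the rights stay attached to the role and a person is simply assigned or relieved of roles. Class and method names, and the file and user names, are assumptions.

```python
# Added example: the account proliferation the slide describes versus RBAC.
class SingleGroupOS:
    """Historical model from the slide: every account belongs to one group."""

    def __init__(self):
        self.accounts = {}  # account name -> (person, group)

    def groups_of(self, person):
        return {g for p, g in self.accounts.values() if p == person}

    def share(self, filename, people):
        """Share a file through a group; each person needs an account in it."""
        group = f"grp_{filename}"
        for person in people:
            if group not in self.groups_of(person):  # needs yet another account
                self.accounts[f"{person}@{group}"] = (person, group)
        return group

    def accounts_of(self, person):
        return sorted(a for a, (p, _) in self.accounts.items() if p == person)


class RBAC:
    """Rights belong to roles; people are assigned roles as duties change."""

    def __init__(self):
        self.role_rights = {}  # role -> {(object, right)}
        self.user_roles = {}   # user -> {role}

    def grant(self, role, obj, right):
        self.role_rights.setdefault(role, set()).add((obj, right))

    def assign(self, user, *roles):
        self.user_roles.setdefault(user, set()).update(roles)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, obj, right):
        # Union of the rights of every role the user currently holds.
        return any((obj, right) in self.role_rights.get(role, set())
                   for role in self.user_roles.get(user, set()))
```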

Page 19: CS695OL Live Classroom 3 Slides


Why file system security

• Secrecy of data
  – Confidentiality (both from outsiders and insiders with improper authority)
  – Can optionally encrypt data files and even whole disk file systems
• Integrity of data
  – Unauthorized users should not make changes
  – Detection of changes: utilities are available that use cryptographic hashes, e.g.:
    • For linux and unix only:
      http://sourceforge.net/projects/tripwire/
      http://sourceforge.net/projects/integrit/
    • For linux, unix and windows:
      www.tripwire.com
      http://sourceforge.net/projects/afick/
• Availability of data
  – Replicate data via:
    • Redundant Array of Inexpensive Disks (RAID)
    • Dual ported disks
  – Disk backup & restore
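What the change-detection utilities listed above do at their core, as an added example (not the code of Tripwire, integrit or AFICK): take a baseline of cryptographic hashes over a file tree, rescan later, and report files that were modified, added or removed. The scenario in demo() is constructed in a temporary directory; file names and contents are assumptions.

```python
# Added example: baseline-and-compare file integrity check using SHA-256.
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Digest every regular file under root: the trusted snapshot."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = file_digest(path)
    return snap


def compare(old, new):
    """Report what changed between two snapshots."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo():
    """Constructed scenario: snapshot a tree, alter it, rescan and compare."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/hosts": b"127.0.0.1 localhost\n", "bin/tool": b"constructed binary"}
        for name, data in files.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        snap = baseline(root)
        with open(os.path.join(root, "bin/tool"), "ab") as f:
            f.write(b"\x00")                          # tamper with a binary
        with open(os.path.join(root, "bin/extra"), "wb") as f:
            f.write(b"new file")                      # something appeared
        os.remove(os.path.join(root, "etc/hosts"))    # something vanished
        return compare(snap, baseline(root))
```

The snapshot is only as trustworthy as its storage: keep it read-only or off the monitored host, since a change to the baseline hides a change to the files.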

Page 20: CS695OL Live Classroom 3 Slides


General Purpose (GP) Computing context

Applications (Apps)
  – Ftpd, httpd, VoIP, Email, 'Office suites', editors, graphics, …
Application Services
  – Corba, DCE, Java (JVM), Active-X, …
  – Databases, …
  – Networking ('Sockets', DNS, LDAP, Active Directory, …)
Operating System (OS)
  – Graphics (Xwindows, 'desktops', …)
  – File Subsystems
  – Networking (L2, L3, L4)
  – Peripherals (printers, terminals, etc.)
  – User & Process management
OS Kernel (kernel)
  – Memory Management, Device Drivers
  – Scheduler (processes & threads)
  – Interrupt Handling, Reference Monitor
Hardware
  – CPU, memory, Storage, Peripherals

[Figure: the same layers (Hardware, OS Kernel, Operating System, Services, Applications) drawn as protection rings <Ring 0> to <Ring 3>.]