Issues Relevant To Distributed Security xuhong Zhang.

Presentation transcript:

Issues Relevant To Distributed Security xuhong Zhang

OUTLINE
- Security in Distributed Systems
- Popular Security Mechanism in Distributed Systems
- Protection Methods Against Security Threats
- Complex Security Policies
- Concept of Proxy
- Covert channels
- Traffic analysis prevention
- Auditing
- Current research
- Future work

Security in Distributed Systems [1]
- Different from operating system security:
  - No central trusted authority that mediates interaction between users and processes.
  - A distributed system runs on top of a large number of loosely coupled autonomous hosts that may be running different OSs with possibly different security policies.
- So the issue of security becomes even more complex in distributed systems.
- Two key terms:
  - Objects, for example a file
  - Subjects, for example a user

Protection Methods Against Security Threats [2]
- Authentication
  - Allows only authentic subjects to have access to the system.
- Authorization
  - Allows access to an object only to authorized subjects.
- Auditing
  - The process of maintaining an audit log which records all activity. This helps in tracing security attacks.

Complex Security Policies
- The Access Control List (ACL) and Capability List (CL) security models are stateless. Properties remain fixed unless explicitly changed by the server.
- Complex access control policies are state dependent. Authorization of access depends on the subject's past history and its interaction with other objects. [1998 Chow and Johnson]

Complex Security Policies (continued) [2]
- Complex access control policies have state-dependent security requirements.
- Example: a security policy which decides its course by reading the subject's past access history:
  - A subject S is not allowed to access object O1 if it has read object O2.
- "If" is the keyword here which makes the security policies in distributed systems state dependent.

Multilevel Information Flow Exceptions [2]
- Information flow model:
  - A lattice structure in which information can flow in the directions permitted by the properties used to construct the lattice.
- But in distributed systems:
  - Some applications need information flows which violate some properties of the lattice.
  - These are called information flow exceptions.

Multilevel Information Flow Exceptions (continued) [2]
- There are 3 types of information flow exceptions:
  - Transitivity: A -> B and B -> C implies A -> C
    - Transitivity exception: A -> B and B -> C, but A -/-> C
  - Aggregation: A -> C and B -> C implies A U B -> C
    - Aggregation exception: A -> C and B -> C, but A U B -/-> C
  - Separation: A U B -> C implies A -> C and B -> C
    - Separation exception: A U B -> C, but A -/-> C and B -/-> C

Redefining flow exceptions in terms of Access Control [2]
- The main operations between entities in access control are:
  - Read (confidentiality) and Write (integrity).
- So A -> B means A writes information to object B.

Redefining flow exceptions in terms of Access Control (continued) [2]
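One way to enforce the three flow exceptions with "A -> B means A writes information to object B" is to track which original sources each object's content derives from. This is an added example, not part of the original slides; the `FlowMonitor` class, its parameters and the policies in `demo()` are hypothetical, and treating everything ever written into an object as still present in it is a conservative assumption.

```python
class FlowMonitor:
    """Tracks which original sources each object's content derives from."""

    def __init__(self, forbidden=None, joint_only=None):
        self.forbidden = forbidden or {}    # dst -> source sets that must never meet in dst
        self.joint_only = joint_only or {}  # dst -> source sets that may arrive only together
        self.origin = {}                    # object -> sources already written into it

    def _sources(self, obj):
        # An object carries its own content plus everything written into it.
        return self.origin.get(obj, set()) | {obj}

    def flow(self, srcs, dst):
        """One write of the combined content of `srcs` into `dst`; True if permitted."""
        incoming = set().union(*(self._sources(s) for s in srcs))
        result = self.origin.get(dst, set()) | incoming
        # Transitivity / aggregation exceptions: a forbidden set would end up in dst.
        if any(bad <= result for bad in self.forbidden.get(dst, [])):
            return False
        # Separation exception: members of a group may not arrive without the rest.
        if any(incoming & grp and not grp <= incoming
               for grp in self.joint_only.get(dst, [])):
            return False
        self.origin[dst] = result
        return True


def demo():
    # Constructed policies and write sequences, one per exception type.
    t = FlowMonitor(forbidden={"C": [{"A"}]})           # A -/-> C
    transitivity = [t.flow(["A"], "B"), t.flow(["B"], "C")]
    a = FlowMonitor(forbidden={"C": [{"A", "B"}]})      # A U B -/-> C
    aggregation = [a.flow(["A"], "C"), a.flow(["B"], "C")]
    s = FlowMonitor(joint_only={"C": [{"A", "B"}]})     # only A U B -> C
    separation = [s.flow(["A"], "C"), s.flow(["A", "B"], "C")]
    return transitivity, aggregation, separation


if __name__ == "__main__":
    print(demo())
```

In each case the second decision depends on what was written earlier, which is the state dependence that a static ACL or capability list cannot express.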

Example of a Complex Access Control Policy
Computer Automated Bank Loan Application
- Only the clerk (S1) can prepare the loan application (write permission for object O).
- One of two bank officers, the manager (S2) or the accountant (S3) (but not both), must approve the application (append permission).
- The approved loan is then appended with an electronic check signed by both the bank manager (S2) and the cashier (S4).
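The loan policy above written as a reference monitor whose decisions depend on the history of object O. This is an added example, not part of the original slides; the `LoanApplication` class and its method names are hypothetical, and the ordering (approval only after preparation, check only after approval) is an assumption read from the sequence of the three rules.

```python
class LoanApplication:
    """Object O together with the access history the policy depends on."""

    CLERK, MANAGER, ACCOUNTANT, CASHIER = "S1", "S2", "S3", "S4"

    def __init__(self):
        self.prepared_by = None      # who wrote the application
        self.approved_by = None      # the single officer who approved it
        self.check_signers = set()   # subjects who signed the electronic check

    def write(self, subject):
        # Only the clerk holds write permission on O.
        if subject != self.CLERK:
            return False
        self.prepared_by = subject
        return True

    def approve(self, subject):
        # Append permission for manager or accountant, but not both:
        # the request is denied once any approval is already recorded.
        if subject not in (self.MANAGER, self.ACCOUNTANT):
            return False
        if self.prepared_by is None or self.approved_by is not None:
            return False
        self.approved_by = subject
        return True

    def sign_check(self, subject):
        # The check is appended only to an approved loan, and only the
        # manager and the cashier may sign it.
        if subject not in (self.MANAGER, self.CASHIER) or self.approved_by is None:
            return False
        self.check_signers.add(subject)
        return True

    def check_issued(self):
        # Both signatures are required before the check is valid.
        return self.check_signers == {self.MANAGER, self.CASHIER}


if __name__ == "__main__":
    loan = LoanApplication()
    steps = [loan.write("S1"), loan.approve("S3"), loan.approve("S2"),
             loan.sign_check("S2"), loan.sign_check("S4")]
    print(steps, loan.check_issued())
```

The same request, `approve("S2")`, is granted or denied depending on whether S3 has already approved.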

Graphical Representation

Proxy and its use [2][3]
- Definition:
  - A "proxy" is a certificate which verifies that a subject has truly given a subset of its rights to another subject for performing some tasks on its behalf.
- Usage example:
  - A client process makes a request to a print server to print a file.
  - The client can make the print server its proxy.

Advantages of Proxy [2][3]
- The amount of file transfer in the network is reduced.
- The client does not have to wait for the print server even if it does not have sufficient buffer space for the file at the time of the request.
- So the delegation of responsibilities to proxies improves the efficiency of processing.

Covert Channels [2][4]
- Definition:
  - A communication path that conveys information illegitimately by seemingly legitimate use of computer resources.
  - May be intentional or unintentional.
- Traditional categories of covert channels:
  - Storage channels
  - Timing channels
  - Network covert channels

Traffic Analysis Prevention [2]
- The key is to regulate information flow in the network such that the spatial and temporal imparity of the network traffic pattern is reduced.
- Common approaches:
  - Encryption
  - Padding
  - Routing
  - Scheduling

Auditing
- Passive protection – acts as a last resort when other mechanisms such as authentication and authorization are not sufficient to protect the security of the system.
- Can be performed online in the firewalls for early detection of threats, or offline when an attack or problem has already occurred.
- Maintains log files that record all activity in the system and the network.

Current Research: Distributed Security Policy Conformance
- Security policy conformance is a crucial issue in large-scale critical cyber-infrastructure.
- Previous methods did not adequately address the issue of scaling to networks of thousands of nodes or of resilience to attacks.
- This new approach addresses the scaling problem by decomposing policies and distributing the validation process.

Current Research (continued)
- Each of the complex rules that define the compliant and non-compliant states of the system is decomposed into local components and an aggregate component.
- Securely delegate the validation of local components to secure agents installed on hosts.
- These agents are able to reliably monitor the state of the system using virtual machine introspection.
- Using this information, we partition the validation of aggregate components across several distributed servers.

Future Work
- One approach in auditing: artificially intelligent systems that enforce security policies and detect/prevent attacks based on past occurrences and heuristics.

REFERENCES
[1] Feng, Fujun; Lin, Chuang; Peng, Dongsheng; Li, Junshan. "A Trust and Context Based Access Control Model for Distributed Systems". High Performance Computing and Communications, HPCC '08. 10th IEEE International Conference on, Sept, Page(s): 629 – 634.
[2] Distributed Operating Systems & Algorithms, Randy Chow and Theodore Johnson, Addison Wesley,
[3] Dave, A.; Sefika, M.; Campbell, R.H. "Proxies, application interfaces, and distributed system". Object Orientation in Operating Systems, 1992, Proceedings of the Second International Workshop on, Sept, Page(s):
[4] 1 Nov., 2008
[5] Montanari, Mirko, Chan Ellick, Larson Kevin, Yoo Wucherl, and Campbell Roy H. "Distributed Security Policy Conformance", 2011.