Presentation is loading. Please wait.

Presentation is loading. Please wait.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-1 Naming and Certificates Certificates issued to a principal –Principal uniquely.

Published byTobias Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-1 Naming and Certificates Certificates issued to a principal –Principal uniquely."— Presentation transcript:

1 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-1 Naming and Certificates Certificates issued to a principal –Principal uniquely identified to avoid confusion Problem: names may be ambiguous –Does the name “Matt Bishop” refer to: The author of this book? A programmer in Australia? A stock car driver in Muncie, Indiana? Someone else who was named “Matt Bishop”

2 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-2 CAs and Policies Matt Bishop wants a certificate from Certs-from- Us –How does Certs-from-Us know this is “Matt Bishop”? CA’s authentication policy says what type and strength of authentication is needed to identify Matt Bishop to satisfy the CA that this is, in fact, Matt Bishop –Will Certs-from-Us issue this “Matt Bishop” a certificate once he is suitably authenticated? CA’s issuance policy says to which principals the CA will issue certificates

3 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-3 Example: Verisign CAs Class 1 CA issued certificates to individuals –Authenticated principal by email address Idea: certificate used for sending, receiving email with various security services at that address Class 2 CA issued certificates to individuals –Authenticated by verifying user-supplied real name and address through an online database Idea: certificate used for online purchasing

4 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-4 Example: Verisign CAs Class 3 CA issued certificates to individuals –Authenticated by background check from investigative service Idea: higher level of assurance of identity than Class 1 and Class 2 CAs Fourth CA issued certificates to web servers –Same authentication policy as Class 3 CA Idea: consumers using these sites had high degree of assurance the web site was not spoofed

5 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-5 Internet Certification Hierarchy Tree structured arrangement of CAs –Root is Internet Policy Registration Authority, or IPRA Sets policies all subordinate CAs must follow Certifies subordinate CAs (called policy certification authorities, or PCAs), each of which has own authentication, issuance policies Does not issue certificates to individuals or organizations other than subordinate CAs –PCAs issue certificates to ordinary CAs Does not issue certificates to individuals or organizations other than subordinate CAs –CAs issue certificates to organizations or individuals

6 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-6 Example University of Valmont issues certificates to students, staff –Students must present valid reg cards (considered low assurance) –Staff must present proof of employment and fingerprints, which are compared to those taken when staff member hired (considered high assurance)

7 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-7 Certificate Differences Student, staff certificates signed using different private keys (for different CAs) –Student’s signed by key corresponding to low assurance certificate signed by first PCA –Staff’s signed by key corresponding to high assurance certificate signed by second PCA To see what policy used to authenticate: –Determine CA signing certificate, check its policy –Also go to PCA that signed CA’s certificate CAs are restricted by PCA’s policy, but CA can restrict itself further

8 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-8 Types of Certificates Organizational certificate –Issued based on principal’s affiliation with organization –Example Distinguished Name /O=University of Valmont/OU=Computer Science Department/CN=Marsha Merteuille/ Residential certificate –Issued based on where principal lives –No affiliation with organization implied –Example Distinguished Name /C=US/SP=Louisiana/L=Valmont/PA=1 Express Way/CN=Marsha Merteuille/

9 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-9 Meaning of Identity Authentication validates identity –CA specifies type of authentication –If incorrect, CA may misidentify entity unintentionally Certificate binds external identity to crypto key and Distinguished Name –Need confidentiality, integrity, anonymity Recipient knows same entity sent all messages, but not who that entity is

10 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-10 Persona Certificate Certificate with meaningless Distinguished Name –If DN is /C=US/O=Microsoft Corp./CN=Bill Gates/ the real subject may not (or may) be Mr. Gates –Issued by CAs with persona policies under a PCA with policy that supports this PGP certificates can use any name, so provide this implicitly

11 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-11 PGP Certificates Level of trust in signature field Four levels –Generic (no trust assertions made) –Persona (no verification) –Casual (some verification) –Positive (substantial verification) What do these mean? –Meaning not given by OpenPGP standard –Signer determines what level to use –Casual to one signer may be positive to another

12 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-12 Identity on the Web Host identity –Static identifiers: do not change over time –Dynamic identifiers: changes as a result of an event or the passing of time State and Cookies Anonymity –Anonymous email –Anonymity: good or bad?

13 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-13 Host Identity Bound up to networking –Not connected: pick any name –Connected: one or more names depending on interfaces, network structure, context Name identifies principal Address identifies location of principal –May be virtual location (network segment) as opposed to physical location (room 222)

14 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-14 Example Layered network –MAC layer Ethernet address: 00:05:02:6B:A8:21 AppleTalk address: network 51, node 235 –Network layer IP address: 192.168.35.89 –Transport layer Host name: cherry.orchard.chekhov.ru

15 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-15 Danger! Attacker spoofs identity of another host –Protocols at, above the identity being spoofed will fail –They rely on spoofed, and hence faulty, information Example: spoof IP address, mapping between host names and IP addresses

16 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-16 Domain Name Server Maps transport identifiers (host names) to network identifiers (host addresses) –Forward records: host names  IP addresses –Reverse records: IP addresses  host names Weak authentication –Not cryptographically based –Various techniques used, such as reverse domain name lookup

17 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-17 Reverse Domain Name Lookup Validate identity of peer (host) name –Get IP address of peer –Get associated host name via DNS –Get IP addresses associated with host name from DNS –If first IP address in this set, accept name as correct; otherwise, reject as spoofed If DNS corrupted, this won’t work

18 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-18 Dynamic Identifiers Assigned to principals for a limited time –Server maintains pool of identifiers –Client contacts server using local identifier Only client, server need to know this identifier –Server sends client global identifier Client uses global identifier in other contexts, for example to talk to other hosts Server notifies intermediate hosts of new client, global identifier association

19 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-19 Example: DHCP DHCP server has pool of IP addresses Laptop sends DHCP server its MAC address, requests IP address –MAC address is local identifier –IP address is global identifier DHCP server sends unused IP address –Also notifies infrastructure systems of the association between laptop and IP address Laptop accepts IP address, uses that to communicate with hosts other than server

20 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-20 Example: Gateways Laptop wants to access host on another network –Laptop’s address is 10.1.3.241 Gateway assigns legitimate address to internal address –Say IP address is 101.43.21.241 –Gateway rewrites all outgoing, incoming packets appropriately –Invisible to both laptop, remote peer Internet protocol NAT works this way

21 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-21 Weak Authentication Static: host/name binding fixed over time Dynamic: host/name binding varies over time –Must update reverse records in DNS Otherwise, the reverse lookup technique fails –Cannot rely on binding remaining fixed unless you know the period of time over which the binding persists

22 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-22 DNS Security Issues Trust is that name/IP address binding is correct Goal of attacker: associate incorrectly an IP address with a host name –Assume attacker controls name server, or can intercept queries and send responses

23 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-23 Attacks Change records on server Add extra record to response, giving incorrect name/IP address association –Called “cache poisoning” Attacker sends victim request that must be resolved by asking attacker –Attacker responds with answer plus two records for address spoofing (1 forward, 1 reverse) –Called “ask me”

24 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-24 Cookies Token containing information about state of transaction on network –Usual use: refers to state of interaction between web browser, client –Idea is to minimize storage requirements of servers, and put information on clients Client sends cookies to server

25 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-25 Some Fields in Cookies name, value: name has given value expires: how long cookie valid –Expired cookies discarded, not sent to server –If omitted, cookie deleted at end of session domain: domain for which cookie intended –Consists of last n fields of domain name of server –Must have at least one “.” in it secure: send only over secured (SSL, HTTPS) connection

26 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-26 Example Caroline puts 2 books in shopping cartcart at books.com –Cookie: name bought, value BK=234&BK=8753, domain.books.com Caroline looks at other books, but decides to buy only those –She goes to the purchase page to order them Server requests cookie, gets above –From cookie, determines books in shopping cart

27 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-27 Who Can Get the Cookies? Web browser can send any cookie to a web server –Even if the cookie’s domain does not match that of the web server –Usually controlled by browser settings Web server can only request cookies for its domain –Cookies need not have been sent by that browser

28 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-28 Where Did the Visitor Go? Server books.com sends Caroline 2 cookies –First described earlier –Second has name “id”, value “books.com”, domain “adv.com” Advertisements at books.com include some from site adv.com –When drawing page, Caroline’s browser requests content for ads from server “adv.com” –Server requests cookies from Caroline’s browser –By looking at value, server can tell Caroline visited “books.com”

29 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-29 Chapter 23: Network Security Introduction to the Drib Policy Development Network Organization Availability Anticipating Attacks

30 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-30 Network Organization Partition network into several subnets –Guards between them prevent leaks

31 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-31 DMZ Portion of network separating purely internal network from external network –Allows control of accesses to some trusted systems inside the corporate perimeter –If DMZ systems breached, internal systems still safe –Can perform different types of checks at boundary of internal,DMZ networks and DMZ,Internet network

32 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-32 Firewalls Host that mediates access to a network –Allows, disallows accesses based on configuration and type of access Example: block Back Orifice –BO allows external users to control systems Requires commands to be sent to a particular port (say, 25345) –Firewall can block all traffic to or from that port So even if BO installed, outsiders can’t use it

33 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-33 Filtering Firewalls Access control based on attributes of packets and packet headers –Such as destination address, port numbers, options, etc. –Also called a packet filtering firewall –Does not control access based on content –Examples: routers, other infrastructure systems

34 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-34 Proxy Intermediate agent or server acting on behalf of endpoint without allowing a direct connection between the two endpoints –So each endpoint talks to proxy, thinking it is talking to other endpoint –Proxy decides whether to forward messages, and whether to alter them

35 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-35 Proxy Firewall Access control done with proxies –Usually bases access control on content as well as source, destination addresses, etc. –Also called an applications level or application level firewall –Example: virus checking in electronic mail Incoming mail goes to proxy firewall Proxy firewall receives mail, scans it If no virus, mail forwarded to destination If virus, mail rejected or disinfected before forwarding

36 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-36 Views of a Firewall Access control mechanism –Determines which traffic goes into, out of network Audit mechanism –Analyzes packets that enter –Takes action based upon the analysis Leads to traffic shaping, intrusion response, etc.

37 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-37 Analysis of Drib Network Security policy: “public” entities on outside but may need to access corporate resources –Those resources provided in DMZ No internal system communicates directly with systems on Internet –Restricts flow of data to “public” –For data to flow out, must pass through DMZ Firewalls, DMZ are “pump”

38 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-38 Implementation Conceal all internal addresses –Make them all on 10., 172., or 192.168. subnets Inner firewall uses NAT to map addresses to firewall’s address –Give each host a non-private IP address Inner firewall never allows those addresses to leave internal network Easy as all services are proxied by outer firewall –Email is a bit tricky …

39 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-39 Email Problem: DMZ mail server must know address in order to send mail to internal destination –Could simply be distinguished address that causes inner firewall to forward mail to internal mail server Internal mail server needs to know DMZ mail server address –Same comment

40 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-40 DMZ Web Server In DMZ so external customers can access it without going onto internal network –If data needs to be sent to internal network (such as for an order), transmission is made separately and not as part of transaction

41 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-41 Application of Principles Least privilege –Containment of internal addresses Complete mediation –Inner firewall mediates every access to DMZ Separation of privilege –Going to Internet must pass through inner, outer firewalls and DMZ servers

42 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-42 Application of Principles Least common mechanism –Inner, outer firewalls distinct; DMZ servers separate from inner servers –DMZ DNS violates this principle If it fails, multiple systems affected Inner, outer firewall addresses fixed, so they do not depend on DMZ DNS

43 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-43 Outer Firewall Configuration Goals: restrict public access to corporate network; restrict corporate access to Internet Required: public needs to send, receive email; access web services –So outer firewall allows SMTP, HTTP, HTTPS –Outer firewall uses its address for those of mail, web servers

44 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-44 Details Proxy firewall SMTP: mail assembled on firewall –Scanned for malicious logic; dropped if found –Otherwise forwarded to DMZ mail server HTTP, HTTPS: messages checked –Checked for suspicious components like very long lines; dropped if found –Otherwise, forwarded to DMZ web server Note: web, mail servers different systems –Neither same as firewall

45 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-45 Attack Analysis Three points of entry for attackers: –Web server ports: proxy checks for invalid, illegal HTTP, HTTPS requests, rejects them –Mail server port: proxy checks email for invalid, illegal SMTP requests, rejects them –Bypass low-level firewall checks by exploiting vulnerabilities in software, hardware Firewall designed to be as simple as possible Defense in depth

46 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-46 Defense in Depth Form of separation of privilege To attack system in DMZ by bypassing firewall checks, attacker must know internal addresses –Then can try to piggyback unauthorized messages onto authorized packets But the rewriting of DMZ addresses prevents this

47 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-47 Inner Firewall Configuration Goals: restrict access to corporate internal network Rule: block all traffic except for that specifically authorized to enter –Principle of fail-safe defaults Example: Drib uses NFS on some internal systems –Outer firewall disallows NFS packets crossing –Inner firewall disallows NFS packets crossing, too DMZ does not need access to this information (least privilege) If inner firewall fails, outer one will stop leaks, and vice versa (separation of privilege)

48 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-48 More Configuration Internal folks require email –SMTP proxy required Administrators for DMZ need login access –So, allow SSH through provided: Destination is a DMZ server Originates at specific internal host (administrative host) –Violates least privilege, but ameliorated by above DMZ DNS needs to know address of administrative host –More on this later

49 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-49 DMZ Look at servers separately: –Web server: handles web requests with Internet May have to send information to internal network –Email server: handles email with Internet Must forward email to internal mail server –DNS Used to provide addresses for systems DMZ servers talk to –Log server DMZ systems log info here

50 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-50 DMZ Mail Server Performs address, content checking on all email Goal is to hide internal information from outside, but be transparent to inside Receives email from Internet, forwards it to internal network Receives email from internal network, forwards it to Internet

51 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-51 Mail from Internet Reassemble messages into header, letter, attachments as files Scan header, letter, attachments looking for “bad” content –“Bad” = known malicious logic –If none, scan original letter (including attachments and header) for violation of SMTP spec Scan recipient address lines –Address rewritten to direct mail to internal mail server –Forward letter there

52 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-52 Mail to Internet Like mail from Internet with 2 changes: –Step 2: also scan for sensitive data (like proprietary markings or content, etc.) –Step 3: changed to rewrite all header lines containing host names, email addresses, and IP addresses of internal network All are replaced by “drib.org” or IP address of external firewall

53 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-53 Administrative Support Runs SSH server –Configured to accept connections only from trusted administrative host in internal network –All public keys for that host fixed; no negotiation to obtain those keys allowed –Allows administrators to configure, maintain DMZ mail host remotely while minimizing exposure of host to compromise

54 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-54 DMZ Web Server Accepts, services requests from Internet Never contacts servers, information sources in internal network CGI scripts checked for potential attacks –Hardened to prevent attacks from succeeding –Server itself contains no confidential data Server is www.drib.org and uses IP address of outer firewall when it must supply one

55 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-55 Updating DMZ Web Server Clone of web server kept on internal network –Called “WWW-clone” All updates done to WWW-clone –Periodically admins copy contents of WWW-clone to DMZ web server DMZ web server runs SSH server –Used to do updates as well as maintenance, configuration –Secured like that of DMZ mail server

56 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-56 Internet Ordering Orders for Drib merchandise from Internet –Customer enters data, which is saved to file –After user confirms order, web server checks format, content of file and then uses public key of system on internal customer subnet to encipher it This file is placed in a spool area not accessible to web server program –Original file deleted –Periodically, internal trusted administrative host uploads these files, and forwards them to internal customer subnet system

57 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-57 Analysis If attacker breaks into web server, cannot get order information –There is a slight window where the information of customers still on system can be obtained Attacker can get enciphered files, public key used to encipher them –Use of public key cryptography means it is computationally infeasible for attacker to determine private key from public key

58 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-58 DMZ DNS Server Supplies DNS information for some hosts to DMZ: –DMZ mail, web, log hosts –Internal trusted administrative host Not fixed for various reasons; could be … –Inner firewall –Outer firewall Note: Internal server addresses not present –Inner firewall can get them, so DMZ hosts do not need them

59 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-59 DMZ Log Server DMZ systems all log information –Useful in case of problems, attempted compromise Problem: attacker will delete or alter them if successful –So log them off-line to this server Log server saves logs to file, also to write-once media –Latter just in case log server compromised Runs SSH server –Constrained in same way server on DMZ mail server is

60 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-60 Summary Each server knows only what is needed to do its task –Compromise will restrict flow of information but not reveal info on internal network Operating systems and software: –All unnecessary features, servers disabled –Better: create custom systems Proxies prevent direct connection to systems –For all services except SSH from internal network to DMZ, which is itself constrained by source, destination

61 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-61 Internal Network Goal: guard against unauthorized access to information –“read” means fetching file, “write” means depositing file For now, ignore email, updating of DMZ web server, internal trusted administrative host Internal network organized into 3 subnets, each corresponding to Drib group –Firewalls control access to subnets

62 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-62 Internal Mail Server Can communicate with hosts on subnets Subnet may have mail server –Internal DNS need only know subnet mail server’s address Subnet may allow mail to go directly to destination host –Internal DNS needs to know addresses of all destination hosts Either satisfies policy

63 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-63 Analysis DMZ servers never communicate with internal servers –All communications done via inner firewall Only client to DMZ that can come from internal network is SSH client from trusted administrative host –Authenticity established by public key authentication Only data non-administrative folks can alter are web pages –Even there, they do not access DMZ

64 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-64 Analysis Only data from DMZ is customer orders and email –Customer orders already checked for potential errors, enciphered, and transferred in such a way that it cannot be executed –Email thoroughly checked before it is sent to internal mail server

65 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-65 Assumptions Software, hardware does what it is supposed to –If software compromised, or hardware does not work right, defensive mechanisms fail –Reason separation of privilege is critical If component A fails, other components provide additional defenses Assurance is vital!

66 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-66 Availability Access over Internet must be unimpeded –Context: flooding attacks, in which attackers try to overwhelm system resources Example: SYN flood –Problem: server cannot distinguish legitimate handshake from one that is part of this attack Only difference is whether third part of TCP handshake is sent –Flood can overwhelm communication medium Can’t do anything about this (except buy a bigger pipe) –Flood can overwhelm resources on our system We start here

67 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-67 Intermediate Hosts Use routers to divert, eliminate illegitimate traffic –Goal: only legitimate traffic reaches firewall –Example: Cisco routers try to establish connection with source (TCP intercept mode) On success, router does same with intended destination, merges the two On failure, short time-out protects router resources and target never sees flood

68 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-68 Intermediate Hosts Use network monitor to track status of handshake –Example: synkill monitors traffic on network Classifies IP addresses as not flooding (good), flooding (bad), unknown (new) Checks IP address of SYN –If good, packet ignored –If bad, send RST to destination; ends handshake, releasing resources –If new, look for ACK or RST from same source; if seen, change to good; if not seen, change to bad Periodically discard stale good addresses

69 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-69 Intermediate Hosts Problem: don’t solve problem! –They move the locus of the problem to the intermediate system –In Drib’s case, Drib does not control these systems So, consider endpoints

70 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-70 Against Outer Firewall Unsuccessful attacks –Logged, then ignored –Security folks use these to justify budget, train new personnel Successful attack against SMTP proxy –Proxy will start non-standard programs –Anomaly detection component of IDS on log server will report unusual behavior Security officers monitor this around the clock

71 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-71 In the DMZ Very interested in attacks, successful or not Means someone who has obtained access to DMZ launched attack –Some trusted administrator shouldn’t be trusted –Some server on outer firewall is compromised –Software on DMZ system not restrictive enough IDS system on DMZ log server looks for misuse (known attacks) to detect this

72 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-72 Checking the IDS IDS allows Drib to add attack signatures and tune parameters to control reporting of events –Experimented to find good settings –Verify this every month by doing manual checks for two 1-hour periods (chosen at random) and comparing with reported events

73 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-73 Key Points Begin with policy Craft network architecture and security measures from it Assume failure will occur –Try to minimize it –Defend in depth –Have plan to handle failures

74 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-74 Chapter 24: System Security Introduction Policy Networks Users Authentication Processes Files Retrospective

75 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-75 Introduction How does administering security affect a system? Focus on two systems –DMZ web server –User system in development subnet Assumptions –DMZ system: assume any user of trusted administrative host has authenticated to that system correctly and is a “trusted” user –Development system: standard UNIX or UNIX-like system which a set of developers can use

76 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-76 Policy Web server policy discussed in Chapter 23 –Focus on consequences Development system policy components, effects Comparison

77 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-77 DMZ Web Server: Consequences of Policy 1.Incoming web connections come from outer firewall 2.Users log in from trusted administrative host; web pages also downloaded through it 3.Log messages go to DMZ log host only 4.Web server may query DMZ DNS system for IP addresses 5.Other than these, no network services provided 6.Runs CGI scripts – One writes enciphered data to spool area 7.Implements services correctly, restricts access as much as possible 8.Public keys reside on web server

78 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-78 Constraints on DMZ Web Server WC1No unrequested network connections except HTTP, HTTPS from outer firewall and SSH from trusted administrative host – Replies to DNS queries from DMZ DNS okay WC2User access only to those with user access to trusted administrative host – Number of these users as small as possible – All actions attributed to individual account, not group or group account

79 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-79 Constraints on DMZ Web Server WC3Configured to provide minimal access to system –Transfer of enciphered file to spool area should not be under web server control WC4Software is high assurance –Needs extensive logging WC5Contains as few programs, as little software, configuration information, and other data as possible –Minimizes effects of successful attack

80 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-80 Development System Development network (devnet) background –Firewall separating it from other subnets –DNS server –Logging server for all logs –File servers –User database information servers –Isolated system used to build “base system configuration” for deployment to user systems –User systems What follows applies only to user systems

81 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-81 Devnet User System: Policy Components 1.Only authorized users can use devnet systems; can work on any workstation 2.Sysadmins must be able to access workstations at any time 3.Authorized users trusted not to attack systems 4.All network communications except email confidential, integrity checked 5.Base standard configuration cannot be changed 6.Backups allow any system to be restored 7.Periodic, ongoing audits of devnet systems

82 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-82 Consequences for Infrastructure Firewall at boundary enforces network security policy –Changes to network policy made only at firewall –Devnet systems need not be as tightly secured No direct access between Internet, devnet systems –Developers who need to do so have separate workstations connected to commercial ISP –These are physically disconnected from devnet and cannot be easily reconnected

83 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-83 Consequences for User Systems DC1Communications authenticated, enciphered, integrity checked –Consistent naming scheme across systems DC2Each workstation has privileged accounts for administrators –Multiple administrative accounts to limit access to particular privileged functions DC3Notion of “audit” or “login” identity associated with each action –So actions can be tied to individuals

84 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-84 Consequences for User Systems DC4Need approval to install program, and must install it in special area –Separates it from base system software DC5Each workstation protects base system software from being altered –Best way: keep it on read-only media DC6Employee’s files be available continuously –Even if workstation goes down –Same permissions wherever employee accesses them

85 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-85 Consequences for User Systems DC7Workstations store only transient files, so need not be backed up –Permanent files stores on file server, mounted remotely –Software, kernel on read-only media DC8Logging system to hold logs needed –Security officers need access to systems, network

86 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-86 Procedural Mechanisms Some restrictions cannot be enforced by technology –Moving files between ISP workstation, devnet workstation using a floppy –No technological way to prevent this except by removing floppy drive Infeasible due to nature of ISP workstations –Drib has made procedures, consequences for violating procedures, very clear

87 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-87 DMZ Web Server Accepts web requests only from inner firewall –May allow internal users to access web site for testing purposes in near future Configuration file for web server software: order allow, deny evaluate allow, then deny lines allow from outer_firewall anything outer firewall sends is okay allow from inner_firewall anything inner firewall sends is okay deny from all don’t accept anything else Note inner firewall prevents internal hosts from accessing DMZ web server (for now) –If changed, web server configuration will stay same

88 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-88 DMZ Web Server: Web Server Accepts SSH connections only from trusted administrative host Configuration file for web software: order allow, deny evaluate allow, then deny lines allow from outer_firewall anything outer firewall sends is okay allow from inner_firewall anything inner firewall sends is okay deny from all don’t accept anything else Note inner firewall prevents internal hosts from accessing DMZ web server (for now) –If changed, web server configuration will stay same

89 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-89 DMZ Web Server: SSH Server Accepts SSH connections only from authorized users coming in from trusted administrative server –SSH provides per host and per user authentication –Public keys pre-loaded on web server Configuration file for ssh server: allow trusted_admin_server connections from admin server okay deny all refuse all others Note inner firewall prevents other internal hosts from accessing SSH server on this system –Not expected to change

90 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-90 DMZ Web Server: Clients DNS client to get IP addresses, host names from DMZ DNS –Client ignores extraneous data –If different responses to query, discard both Logging client to send log messages to DMZ log server –Log any attempted connections to any port

91 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-91 Checking Security Security officers scan network ports on systems –Compare to expected list of authorized systems and open ports Discrepencies lead to questions Security officers attack devnet systems –Goal: see how well they withstand attacks –Results used to change software, procedures to improve security

92 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-92 DMZ Web Server At most 2 users and 1 sysadmin –First user reads (serves) web pages, writes to web transaction areas –Second user moves files from web transaction area to commerce transaction spooling area –Sysadmin manages system

93 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-93 DMZ Web Server SSH: cryptographic authentication for hosts –Does not use IP addresses –Reject connection if authentication fails SSH: crypto for user; password on failure –Experimenting with smart card systems, so uses PAM Passwords: use MD-5 hash to protect passwords –Can be as long as desired –Proactive password checking to ensure they are hard to guess –No password aging

94 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-94 DMZ Web Server Necessary processes: –Web server Enough privileges to read pages, execute CGI scripts –Commerce server Enough privileges to copy files from web server’s area to spool area; not enough to alter web pages –SSH server (privileged) –Login server (privileged) If a physical terminal or console –Any essential OS services (privileged) Page daemon, etc.

95 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-95 DMZ Web Server System programs, configuration files, etc. are on CD-ROM –If attacker succeeds in breaking in, modifying in-core processes, then sysadmins simply reboot to recover –Public key for internal commerce server here, too Only web pages change –Too often to make putting them on CD-ROM –Small hard drive holds pages, spool areas, temp directories, sysadmin home directory

96 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-96 DMZ Web Server Everything statically linked –No compilers, dynamic loaders, etc. Command interpreter for sysadmin –Programs to start, stop servers –Programs to edit, create, delete, view files –Programs to monitor systems No other programs –None to read mail or news, no batching, no web browsers, etc.

97 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-97 DMZ Web Server Checking integrity of DMZ web server –Not done If question: –Stop web server –Transfer all remaining transaction files –Reboot system from CD-ROM –Reformat hard drive –Reload contents of user directories, web pages from WWW-clone –Restart servers

98 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-98 Summary: DMZ Web Server Runs as few services as possible Keeps everything on unalterable media Checks source of all connections –Web: from outer firewall only –SSH: from trusted administrative host only Web, commerce servers transfer files via shared directory –They do not directly communicate

99 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-99 Summary: Devnet Workstation Runs as few programs, servers as possible –Many more than DMZ web server, though Security prominent but not dominant –Must not interfere with ability of developer to do job –Security mechanisms hinder attackers, help find attackers, and enable rapid recovery from successful attack Access from network allowed –Firewall(s) assumed to keep out unwanted users, so security mechanisms are second line of defense

Download ppt "November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #10-1 Naming and Certificates Certificates issued to a principal –Principal uniquely."

Similar presentations

DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #23-1 Chapter 23: Network Security Introduction to the Drib Policy Development.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #23-1 Chapter 23: Network Security Introduction to the Drib Policy Development.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #24-1 Chapter 24: System Security Introduction Policy Networks Users Authentication.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #24-1 Chapter 24: System Security Introduction Policy Networks Users Authentication.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.

Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google