Protection of Components based on a Smart Card Enhanced Security Module


1 Protection of Components based on a Smart Card Enhanced Security Module
J. García-Alfaro 1,2, S. Castillo 1, J. Castellà-Roca 3, G. Navarro 1, and J. Borrell 1
1 Autonomous University of Barcelona, Department of Information and Communications Engineering, Bellaterra - Spain
2 Ecole Nationale Supérieure des Télécommunications de Bretagne, Multimedia Networks and Services Department, Cesson Sévigné - France
3 Rovira i Virgili University, Department of Computer Engineering and Maths, Tarragona - Spain
García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

2 Introduction: Starting Point
Protection of Network Security Components:
- J. García, S. Castillo, G. Navarro, and J. Borrell. Mechanisms for Attack Protection on a Prevention Framework. 39th Annual IEEE International Carnahan Conference on Security Technology.
- Protection based on an access control (AC) integrated in the operating system's kernel
- Implemented as a Linux Security Module through the LSM framework
- Open architecture for the inclusion of security enhancements at the operating system's kernel level

3-4 Introduction: Protection strategy [figure]

5 Intra-kernel Access Control
- Coexistence of the protection AC (more restrictive) with the native operating system AC (less restrictive)
- The protected system calls are intercepted and, according to a set of security rules, will be accepted or denied:
  [PID] [UID] [Device] [inode] [Syscall] [Parameters] -> {accept, deny}

6-8 Example: protection of processes [diagram, three animation steps]
- KERNEL space: KERNEL AC, PROTECTION AC
- USER space: Administrator, PROCESS, PROCESS SENSOR (1000)
- Other labels: Configuration Files, Binary File, ...
- Call shown: kill_process(1000)
- Slide 7 annotates the call: PID = 1234, UID = admin, Syscall = kill_process, Parameter =

9 Native operating system's AC [figure]

10 Intra-kernel Access Control [figure]

11 Constraints of our approach
- It introduces some administration constraints
- Officers are no longer allowed to issue system calls that may pose a threat to the protected component
- To solve these constraints, we propose the use of a two-factor authentication mechanism
- Based on a cryptographic protocol and a smart card token
- Grants the officer the privileges indispensable to carry out management activities, after verifying the administrator's identity
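The rule format of slide 5, the kill_process(1000) case of slides 6-8 and the exemption for an authenticated officer from slide 11, as an added example: a user-space C model written for this transcription, not the authors' LSM code. Assumed and not taken from the slides: the ANY wildcard, first-match evaluation with default accept, UID 0 standing for "admin", the device/inode values, and modelling the smart-card result as a single exempted console PID.

```c
#include <stdio.h>
#include <string.h>

#define ANY (-1L)   /* assumed wildcard for numeric rule fields */

enum verdict { DENY = 0, ACCEPT = 1 };

/* One intercepted system call, described by the fields of the rule format. */
struct request {
    long pid, uid, dev, inode;
    const char *syscall;
    long param;        /* e.g. the target PID of kill_process */
    long target_uid;   /* owner of the target; used only by the native check */
};

/* [PID] [UID] [Device] [inode] [Syscall] [Parameters] -> {accept, deny} */
struct rule {
    long pid, uid, dev, inode;
    const char *syscall;   /* NULL matches any system call */
    long param;
    enum verdict action;
};

/* Constructed sample policy: the sensor is PID 1000 as on the slides;
 * device 8 / inode 4242 are made-up values standing for its binary file. */
static const struct rule sample_policy[] = {
    { ANY, ANY, ANY, ANY,  "kill_process", 1000, DENY },
    { ANY, ANY, 8,   4242, "unlink",       ANY,  DENY },
};
#define SAMPLE_POLICY_LEN (sizeof sample_policy / sizeof sample_policy[0])

static int field_matches(long rule_value, long req_value)
{
    return rule_value == ANY || rule_value == req_value;
}

static int rule_matches(const struct rule *r, const struct request *q)
{
    return field_matches(r->pid, q->pid) && field_matches(r->uid, q->uid) &&
           field_matches(r->dev, q->dev) && field_matches(r->inode, q->inode) &&
           field_matches(r->param, q->param) &&
           (r->syscall == NULL || strcmp(r->syscall, q->syscall) == 0);
}

/* Stand-in for the native (less restrictive) AC: UID 0 may act on
 * anything, other users only on targets they own. */
enum verdict native_ac(const struct request *q)
{
    return (q->uid == 0 || q->uid == q->target_uid) ? ACCEPT : DENY;
}

/* Protection AC: the first matching rule decides. A call that no rule
 * mentions is not a protected call and is accepted (assumed default).
 * auth_console_pid is the PID of a console process that has passed the
 * smart-card authentication, or ANY when nobody is authenticated. */
enum verdict protection_ac(const struct rule *rules, size_t n,
                           const struct request *q, long auth_console_pid)
{
    if (auth_console_pid != ANY && q->pid == auth_console_pid)
        return ACCEPT;
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], q))
            return rules[i].action;
    return ACCEPT;
}

/* Coexistence of both controls: a call goes through only if both accept. */
enum verdict check_syscall(const struct rule *rules, size_t n,
                           const struct request *q, long auth_console_pid)
{
    if (native_ac(q) == DENY)
        return DENY;
    return protection_ac(rules, n, q, auth_console_pid);
}

int main(void)
{
    /* Slide 7: PID = 1234, UID = admin, Syscall = kill_process, target 1000. */
    struct request kill_sensor = { 1234, 0, ANY, ANY, "kill_process", 1000, 0 };

    printf("native AC alone:       %s\n",
           native_ac(&kill_sensor) == ACCEPT ? "accept" : "deny");
    printf("with protection AC:    %s\n",
           check_syscall(sample_policy, SAMPLE_POLICY_LEN, &kill_sensor, ANY)
               == ACCEPT ? "accept" : "deny");
    printf("after smart-card auth: %s\n",
           check_syscall(sample_policy, SAMPLE_POLICY_LEN, &kill_sensor, 1234)
               == ACCEPT ? "accept" : "deny");
    return 0;
}
```

The first two results show the point of the protection AC: the native check lets the administrator's call through, and the added rule set still refuses it until the console process has been authenticated.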

12-21 Authentication Mechanism [animated diagram between SMARTCOP NODE and SMARTCOP CARD; slide 17 additionally shows the value 1234]

22 Public key protocol [diagram: SMARTCOP SERVER, SMARTCOP NODE, SMARTCOP NODE, SMARTCOP CARD]

23 Authentication Mechanism: security considerations
- The console's executable is compiled in a static manner
- The LSM module, moreover, protects:
  - the AC itself
  - the binary file of the console
  - the normal execution flow of the console's process
  - the communication channel between the LSM module, the smart card, and the console process

24 Related Works
- SELINUX: P. Loscocco and S. Smalley. Integrating Flexible Support for Security Policies into the Linux Operating System. 11th FREENIX Track: 2001 USENIX Annual Technical Conference, USA.
- RSBAC: A. Ott. The Role Compatibility Security Model. 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), Karlstad University, Sweden.
- Reinforce traditional operating system security features
- Control of the outgoing system calls

25 Benefits of our intra-kernel AC approach
- Unified methodology
- Integrated in the system as an LSM module, without having to modify and recompile the kernel
- Two-factor authentication mechanism
- Solves the administration and configuration constraints of such an enhanced reinforcement

26 Deployment and Evaluation (1)
- Written in C as a set of modules through the LSM (Linux Security Modules) framework
- Smart card authentication: LSM and smart card communication and cryptographic operations based on eToken PRO (Aladdin) cards
- Deployed over the components of our platform, implemented for GNU/Linux 2.6 systems

27 Deployment and Evaluation (2) [architecture diagram]
Diagram labels: Access control subsystem; Authentication subsystem; Application; Admin. console; Enhanced Access Control (LSM); USB eToken driver; Auth. core; RSA sign. verif. module; Security component; OS Access Control; Syscall Interface

28 Evaluation: processes tests [plot: Overhead (%) against Number of rules; series: stop process, resume process, finish process, fork process, fork + execve, fork + /bin/sh]

29 Evaluation: filesystem and communications [plot: Overhead (%) against Number of rules; series labels as transcribed: chmod i-node rename i-node unlink i-node mmap read 10K file create 10K file delete]

30-31 Conclusions and Future Work
Conclusions:
- Protection of critical processes and resources based on an AC integrated into the operating system's kernel
- Smart card based authentication protocol for management and configuration activities
- Good degree of transparency and reasonable performance penalty
Future Work:
- Improving the customization of policies
- Possibility of reloading policies at runtime
- Improving the matching algorithm of security rules

32 Thank you for your attention! Questions?


More information

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET Giuseppe Gippa Paternò gpaterno@gpaterno.com June 2008 WHO AM I Experienced architect Linux, Networking and Security Focused on Telcos

More information

ERserver. iseries. Secure Sockets Layer (SSL)

ERserver. iseries. Secure Sockets Layer (SSL) ERserver iseries Secure Sockets Layer (SSL) ERserver iseries Secure Sockets Layer (SSL) Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted

More information

ITG Software Engineering

ITG Software Engineering IBM WebSphere Administration 8.5 Course ID: Page 1 Last Updated 12/15/2014 WebSphere Administration 8.5 Course Overview: This 5 Day course will cover the administration and configuration of WebSphere 8.5.

More information

RSA SecurID Ready Implementation Guide

RSA SecurID Ready Implementation Guide RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 18, 2006 Product Information Partner Name Microsoft Web Site http://www.microsoft.com/isaserver Product Name Internet

More information

Stonesoft Corp. Stonegate Firewall and VPN

Stonesoft Corp. Stonegate Firewall and VPN Stonesoft Corp. Stonegate Firewall and VPN RSA SecurID Ready Implementation Guide Last Modified: February 2, 2011 Partner Information Product Information Partner Name Stonesoft Corp. Web Site www.stonesoft.com

More information

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Microsoft DirectAccess

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Microsoft DirectAccess SafeNet Authentication Service Integration Guide SAS Using RADIUS Protocol with Microsoft DirectAccess Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet,

More information

CipherShare Features and Benefits

CipherShare Features and Benefits CipherShare s and CipherShare s and Security End-to-end Encryption Need-to-Know: Challenge / Response Authentication Transitive Trust Consistent Security Password and Key Recovery Temporary Application

More information

LSM RELEASE NOTES LOCKING SYSTEM MANAGEMENT SOFTWARE

LSM RELEASE NOTES LOCKING SYSTEM MANAGEMENT SOFTWARE Page 1 LOCKING SYSTEM MANAGEMENT SOFTWARE 1.0 PRELIMINARY NOTES Release Notes version 3.1 SP1 (3.1.11020) October 2011 The main purpose of this version is to provide additional new hardware products. Several

More information

INTEGRATED SECURITY SERVICE FOR ON DEMAND SERVICES IN IAAS CLOUD AUTHOR

INTEGRATED SECURITY SERVICE FOR ON DEMAND SERVICES IN IAAS CLOUD AUTHOR INTEGRATED SECURITY SERVICE FOR ON DEMAND SERVICES IN IAAS CLOUD AUTHOR MANISHANKAR.S Assistant Professor Amrita Vishwa Vidhyapeetham Mysore Email: manishankar1988@gmail.com Abstract: Security has remained

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

The OpenEapSmartcard platform. Pr Pascal Urien ENST Paris

The OpenEapSmartcard platform. Pr Pascal Urien ENST Paris The OpenEapSmartcard platform Pr Pascal Urien ENST Paris /20 Pascal URIEN, CARTES 2005, November 16 th 2005 Introduction 1/4: Network ages Analog networks (Tree age) 1876, Alexander Graham Bell invents

More information

How to integrate RSA ACE Server SecurID Authentication with Juniper Networks Secure Access SSL VPN (SA) with Single Node or Cluster (A/A or A/P)

How to integrate RSA ACE Server SecurID Authentication with Juniper Networks Secure Access SSL VPN (SA) with Single Node or Cluster (A/A or A/P) How to integrate RSA ACE Server SecurID Authentication with Juniper Networks Secure Access SSL VPN (SA) with Single Node or Cluster (A/A or A/P) Scenario # 1: Single Node or Standalone SA... 2 Scenario

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Kaspersky Endpoint Security 8 for Linux INSTALLATION GUIDE

Kaspersky Endpoint Security 8 for Linux INSTALLATION GUIDE Kaspersky Endpoint Security 8 for Linux INSTALLATION GUIDE A P P L I C A T I O N V E R S I O N : 8. 0 Dear User! Thank you for choosing our product. We hope that this documentation will help you in your

More information

SwiftStack Filesystem Gateway Architecture

SwiftStack Filesystem Gateway Architecture WHITEPAPER SwiftStack Filesystem Gateway Architecture March 2015 by Amanda Plimpton Executive Summary SwiftStack s Filesystem Gateway expands the functionality of an organization s SwiftStack deployment

More information

Virtualization Technologies (ENCS 691K Chapter 3)

Virtualization Technologies (ENCS 691K Chapter 3) Virtualization Technologies (ENCS 691K Chapter 3) Roch Glitho, PhD Associate Professor and Canada Research Chair My URL - http://users.encs.concordia.ca/~glitho/ The Key Technologies on Which Cloud Computing

More information

Lync SHIELD Product Suite

Lync SHIELD Product Suite Lync SHIELD Product Suite The Natural Solution For Securing Lync Connectivity For today s mobile enterprise, the need to connect smartphones to the corporate network has become a vital business requirement.

More information

Designing and Coding Secure Systems

Designing and Coding Secure Systems Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

CRYPTOCard. Strong Two Factor Authentication

CRYPTOCard. Strong Two Factor Authentication CRYPTOCard Strong Two Factor Authentication CRYPTOCard Solutions Overview Cybercrime is a serious, real, and all-to-prevalent threat to networked assests. With the abundance of deployed workers requiring

More information

Virtual Private Systems for FreeBSD

Virtual Private Systems for FreeBSD Virtual Private Systems for FreeBSD Klaus P. Ohrhallinger 06. June 2010 Abstract Virtual Private Systems for FreeBSD (VPS) is a novel virtualization implementation which is based on the operating system

More information

Print Manager Plus 2010 How to Migrate your Database to a New SQL or Print Server

Print Manager Plus 2010 How to Migrate your Database to a New SQL or Print Server 1) Make a Copy of the Existing PMP SQL Database Files. 2) Upgrade PMP by running the installer on the old server 3) Install SQL 2005 or 2008 SQL server on the New Server (you may also use the PMP 2010

More information

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself How do Users and Processes interact with the Operating System? Users interact indirectly through a collection of system programs that make up the operating system interface. The interface could be: A GUI,

More information

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity CSC 474 -- Network Security Topic 6.2 User Authentication CSC 474 Dr. Peng Ning 1 User Authentication Basics CSC 474 Dr. Peng Ning 2 Authentication and Identity What is identity? which characteristics

More information

Encrypt-FS: A Versatile Cryptographic File System for Linux

Encrypt-FS: A Versatile Cryptographic File System for Linux Encrypt-FS: A Versatile Cryptographic File System for Linux Abstract Recently, personal sensitive information faces the possibility of unauthorized access or loss of storage devices. Cryptographic technique

More information

Cloud Web-Based Operating System (Cloud Web Os)

Cloud Web-Based Operating System (Cloud Web Os) Cloud Web-Based Operating System (Cloud Web Os) Hesham Abusaimeh Department of Computer Science, Faculty of Information Technology, Applied Science University, Amman, 11931 Jordan. ABSTRACT The cloud computing

More information

ITRAINONLINE MMTK WIRELESS CLIENT INSTALLATION HANDOUT

ITRAINONLINE MMTK WIRELESS CLIENT INSTALLATION HANDOUT ITRAINONLINE MMTK WIRELESS CLIENT INSTALLATION HANDOUT Developed by: Tomas B. Krag (Linux) Bruno Roger, ESMT (Windows) Edited by: Alberto Escudero Pascual, IT +46 Table of Contents 1.

More information

Mandatory Access Control for Linux Clustered Servers

Mandatory Access Control for Linux Clustered Servers Mandatory Access Control for Linux Clustered Servers Miroslaw Zakrzewski Open Systems Lab Ericsson Research 8400 Decarie Blvd Town of Mont Royal, Quebec Canada H4P 2N2 Miroslaw.Zakrzewski@ericsson.ca Abstract

More information