COMP3441 Lecture 9: Security Architecture
Ron van der Meyden (University of New South Wales, Sydney, Australia)
May 6, 2014

Overview
- Security Design Principles
- Security Architecture
- Security Design in the Large
Saltzer and Schroeder's Security Design Principles
- Economy of Mechanism (simpler = easier to assure)
- Fail-safe defaults (e.g. deny by default / allow by exception)
- Complete Mediation (every access request checked)
- Open design (= Kerckhoffs's Principle)
- Separation of Privilege (e.g. employ dual control)
- Least Privilege
- Least Common Mechanism (minimise sharing)
- Psychological Acceptability

Security Perimeters
One of the key defensive mechanisms is the placement of difficult-to-cross boundaries between assets and adversaries:
- physical separation
- firewalls
- sandboxing
Once crossed, these leave the assets vulnerable.
(Image: Maginot Line, from Wikimedia Commons)

Defence in Depth
A general approach to defence:
- multiple layers of defence, rather than a single layer
- complementary defensive mechanisms
- the higher the value of an asset, the greater the number of protective layers around it.
(Image: Himeji Castle, from Wikimedia Commons)
Example: use anti-virus products at more than one layer (on user machines as well as elsewhere), and use different products at each layer (which are likely to detect different attacks).
Security Architecture
A security architecture is a high-level design of the structure of the system, identifying the main system components, the defensive measures, and their interconnections.
The lack of connectedness of certain components is a key aspect of the security design: it forces causal effects in the system to flow through the defensive measures.

Example: Access Control Policy Architecture
The enterprise has a general security policy. Multiple applications (e.g. accounts system, HR system, corporate planning system) need to be consistent with this policy.
Design 1: Enforcement within application code
(Diagram: Application 1, Application 2 and Application 3 each consist of Application Code plus their own Policy enforcing code, and each accesses the Database directly.)

Design 2: Policy Server
(Diagram: Application 1, Application 2 and Application 3 contain Application Code only; every request passes through an Access Control Monitor, which holds the Policy, before reaching the Database.)

Advantages:
- No complex interleaving of application and security code.
- Application programmer errors cannot cause security breaches.
- Policy changes take immediate effect.
- Policy enforced consistently across all applications.
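The two designs above, as an added example that is not part of the lecture: a Design 2 monitor that is the only object holding a database reference (complete mediation, deny by default), beside a Design 1 application whose programmer forgot one check. The roles, tables and users are constructed for the demonstration.

```python
"""Added example (not from the lecture): Design 1 vs Design 2 for access control.

Design 1 puts policy checks inside each application; Design 2 routes every
database access through one Access Control Monitor that holds the policy.
All names (users, roles, tables) are constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Constructed enterprise policy: role -> {table -> allowed operations}.
# Anything not listed is denied (fail-safe default).
POLICY = {
    "clerk":   {"accounts": {"read"}},
    "hr":      {"hr": {"read", "write"}},
    "planner": {"planning": {"read", "write"}, "accounts": {"read"}},
}
ROLES = {"alice": "clerk", "bob": "hr", "carol": "planner"}


class Denied(PermissionError):
    pass


@dataclass
class Database:
    tables: dict = field(default_factory=lambda: {"accounts": {}, "hr": {}, "planning": {}})

    def read(self, table, key):
        return self.tables[table].get(key)

    def write(self, table, key, value):
        self.tables[table][key] = value


# ---- Design 2: the monitor is the only object that holds a Database reference.
class AccessControlMonitor:
    """Complete mediation: every read/write is checked against the policy here."""
    def __init__(self, db, policy, roles):
        self._db, self.policy, self.roles = db, policy, roles

    def _check(self, user, table, op):
        role = self.roles.get(user)
        allowed = self.policy.get(role, {}).get(table, set())
        if op not in allowed:
            raise Denied(f"{user} ({role}) may not {op} {table}")

    def read(self, user, table, key):
        self._check(user, table, "read")
        return self._db.read(table, key)

    def write(self, user, table, key, value):
        self._check(user, table, "write")
        self._db.write(table, key, value)


class HRApplication:
    """Application code only: it cannot reach the database except via the monitor."""
    def __init__(self, monitor):
        self.monitor = monitor

    def set_salary(self, user, employee, salary):
        self.monitor.write(user, "hr", employee, salary)

    def get_salary(self, user, employee):
        return self.monitor.read(user, "hr", employee)


# ---- Design 1 (for contrast): checks are interleaved with application code,
# so one forgotten check silently becomes a security hole.
class HRApplicationDesign1:
    def __init__(self, db):
        self.db = db  # direct database access

    def set_salary(self, user, employee, salary):
        if ROLES.get(user) == "hr":  # correct check
            self.db.write("hr", employee, salary)

    def get_salary(self, user, employee):
        return self.db.read("hr", employee)  # bug: no check on the read path


def outcome(action):
    try:
        action()
        return "allowed"
    except Denied:
        return "denied"


def demo():
    # Work on a copy of the policy so the change below is local to this run.
    policy = {r: {t: set(ops) for t, ops in tabs.items()} for r, tabs in POLICY.items()}
    db = Database()
    app = HRApplication(AccessControlMonitor(db, policy, ROLES))
    app.set_salary("bob", "dave", 90000)
    results = {"bob_reads": app.get_salary("bob", "dave")}
    results["alice_reads"] = outcome(lambda: app.get_salary("alice", "dave"))
    policy["hr"]["hr"].discard("write")  # policy change: takes effect immediately
    results["bob_writes_after_change"] = outcome(lambda: app.set_salary("bob", "dave", 1))
    results["alice_reads_design1"] = HRApplicationDesign1(db).get_salary("alice", "dave")
    return results


if __name__ == "__main__":
    print(demo())
```

The same forgotten check that is harmless in Design 2 (the monitor still refuses alice) hands out salary data in Design 1, and revoking bob's write permission in the policy is honoured on the very next request without touching application code.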
Isolated Users
(Diagram: User 1, User 2 and User 3 each have their own machine and their own Data 1, Data 2, Data 3.)

CPU/Storage Sharing
(Diagram: User 1, User 2 and User 3 share one Machine; Data 1, Data 2 and Data 3 share one Disk.)
Separation
(Diagram: User 1, User 2 and User 3 run on one Machine above a Separation kernel; Data 1, Data 2 and Data 3 share one Disk.)
Following the principle of economy of mechanism, a separation kernel is a small layer of the operating system with the function of isolating user processes (and nothing more).

Storage Sharing 2
(Diagram: User 1, User 2 and User 3 each apply Encryption; Encrypted Data 1, Encrypted Data 2 and Encrypted Data 3 are stored on a shared Disk/Cloud.)
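The "Storage Sharing 2" arrangement above, as an added example that is not part of the lecture: each user holds their own keys, the shared disk sees only ciphertext plus an authentication tag, and another user with full access to the disk can neither read the data nor alter it undetectably. The cipher here is a demonstration construction (HMAC-SHA256 as a counter-mode keystream generator, encrypt-then-MAC) chosen because the Python standard library has no AES; a vetted AEAD would take its place in a real system. User names, passphrases, salt and data are all constructed.

```python
"""Added example (not from the lecture): per-user encryption on one shared disk."""
import hashlib
import hmac
import os


def derive_keys(user_secret: bytes, salt: bytes):
    """Separate encryption and MAC keys per user, derived with PBKDF2."""
    k = hashlib.pbkdf2_hmac("sha256", user_secret, salt, 100_000, dklen=64)
    return k[:32], k[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks (demo PRF)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, mac_key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag  # this blob is all the shared disk ever holds


def decrypt(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class SharedDisk:
    """The shared medium: any user can read or overwrite any slot."""
    def __init__(self):
        self.slots = {}


class User:
    def __init__(self, name, secret, salt):
        self.name = name
        self.enc_key, self.mac_key = derive_keys(secret, salt)

    def store(self, disk, label, data):
        disk.slots[label] = encrypt(self.enc_key, self.mac_key, data)

    def load(self, disk, label):
        return decrypt(self.enc_key, self.mac_key, disk.slots[label])


def demo():
    salt = b"constructed-salt"
    disk = SharedDisk()
    u1 = User("User 1", b"user1-passphrase", salt)
    u2 = User("User 2", b"user2-passphrase", salt)
    u1.store(disk, "Data 1", b"payroll for Q2")
    results = {"owner_reads": u1.load(disk, "Data 1")}
    try:
        u2.load(disk, "Data 1")  # other user: wrong keys, tag check fails
        results["other_reads"] = "readable"
    except ValueError:
        results["other_reads"] = "rejected"
    # User 2 can overwrite the slot on the shared disk, but not undetectably:
    # flip one ciphertext bit and the owner's tag check fails.
    tampered = bytearray(disk.slots["Data 1"])
    tampered[20] ^= 0x01
    disk.slots["Data 1"] = bytes(tampered)
    try:
        u1.load(disk, "Data 1")
        results["tamper"] = "undetected"
    except ValueError:
        results["tamper"] = "detected"
    return results


if __name__ == "__main__":
    print(demo())
```

The isolation comes from key separation rather than from the disk: the separation kernel in the previous slide keeps users apart on a shared machine, while here the shared disk or cloud is untrusted and a user's data is protected even when every other user can read the raw blocks.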
Military Security Architectures
(Diagram: Low Level -> Data Diode -> High Level.)

Hinke-Schaefer Architecture
An architecture for multi-level secure databases.
(Diagram: H user -> H DBMS, L user -> L DBMS; the H DBMS accesses the High Level Database files H F and the Low level files L F; the L DBMS accesses L F.)
The H DBMS can read but not write Low level files (L F).
Military Security Architectures: Downgrading
In practice, High Level data needs to be released to the Low level domain from time to time.
(Diagram: Low Level -> Data Diode -> High Level, alongside High Level -> Downgrader -> Low Level.)

Starlight Switch
An architecture for allowing an intelligence analyst to securely access low level information (e.g. web browsing) while operating in the High level domain.
(Diagram: Low Level -> Data Diode -> High Level; the Starlight Switch sits between the user's Keyboard and the User Machine(s) at the two levels.)
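The access rules behind the data diode, the Hinke-Schaefer two-DBMS arrangement and the downgrader, as one added example that is not part of the lecture: a High DBMS may read Low files but not write them, a Low DBMS may not read High files, the diode carries data in one direction only, and the only High-to-Low path is a downgrader that requires an explicit approval decision. The levels, file names, contents and the approval rule are constructed.

```python
"""Added example (not from the lecture): multi-level access checks for the
data diode, the Hinke-Schaefer H/L DBMS split and an explicit downgrader."""
from enum import IntEnum


class Level(IntEnum):
    L = 0   # Low
    H = 1   # High


class Denied(PermissionError):
    pass


class DataDiode:
    """One-way channel: information may flow only from Low to High."""
    def transfer(self, src: Level, dst: Level, payload):
        if not (src == Level.L and dst == Level.H):
            raise Denied(f"data diode: no flow from {src.name} to {dst.name}")
        return payload


class FileStore:
    """Files labelled L F (low) or H F (high): name -> (level, content)."""
    def __init__(self):
        self.files = {}

    def create(self, name, level, content):
        self.files[name] = (level, content)


class DBMS:
    """A DBMS running at a fixed level: it may read files at or below its level
    (so the H DBMS can read L F) but may write only files at its own level."""
    def __init__(self, level: Level, store: FileStore):
        self.level, self.store = level, store

    def read(self, name):
        level, content = self.store.files[name]
        if level > self.level:
            raise Denied(f"{self.level.name} DBMS may not read {level.name} file {name}")
        return content

    def write(self, name, content):
        level, _ = self.store.files.get(name, (self.level, None))
        if level != self.level:
            raise Denied(f"{self.level.name} DBMS may not write {level.name} file {name}")
        self.store.files[name] = (self.level, content)


class Downgrader:
    """The only sanctioned High-to-Low path: each release needs an approval decision."""
    def __init__(self, store, approve):
        self.store, self.approve = store, approve

    def release(self, name, new_name):
        level, content = self.store.files[name]
        if level != Level.H or not self.approve(content):
            raise Denied(f"release of {name} not approved")
        self.store.files[new_name] = (Level.L, content)


def attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except Denied:
        return "denied"


def demo():
    store = FileStore()
    store.create("weather", Level.L, "rain tomorrow")
    store.create("ops-plan", Level.H, "convoy at dawn")
    h_dbms, l_dbms = DBMS(Level.H, store), DBMS(Level.L, store)
    out = {"h_reads_low": h_dbms.read("weather")}
    out["h_writes_low"] = attempt(h_dbms.write, "weather", "sunny")  # read but not write
    out["l_reads_high"] = attempt(l_dbms.read, "ops-plan")
    out["diode_h_to_l"] = attempt(DataDiode().transfer, Level.H, Level.L, "x")
    out["diode_l_to_h"] = attempt(DataDiode().transfer, Level.L, Level.H, "x")
    # Constructed approval rule standing in for a human reviewer's decision.
    dg = Downgrader(store, approve=lambda text: "convoy" not in text)
    out["downgrade_secret"] = attempt(dg.release, "ops-plan", "ops-plan-public")
    store.create("press", Level.H, "exercise complete")
    out["downgrade_cleared"] = attempt(dg.release, "press", "press-public")
    out["l_reads_released"] = l_dbms.read("press-public")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Refusing the H DBMS a write to L F is what keeps the read-down channel from becoming a write-down channel; everything that must cross downwards is funnelled through the one component (the downgrader) whose decisions can be reviewed and logged.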
Security Architecture
In a network security architecture, we describe the structure of the network topology and the placement of defensive measures such as
- firewalls
- virtual private networks
- anti-virus servers
- honeypots
- application servers, etc.

Web Servers
The public needs to be able to read content served by these, but they need to be protected from defacement and data theft. Compromise of the server should not impact company internal data.
(Diagram: Internet -> De-militarized zone, containing the Web server -> Internal network.)
Virtual Private Networks
A cryptographic tunnel is a cryptographically secured channel, with encrypted messages carried in some insecure protocol (e.g. IP).
Virtual Private Networks employ cryptographic tunnels as an isolation mechanism to connect two or more protected networks/machines through the internet as if they were directly connected.

Remote Branch Offices
(Diagram: Office 1 <- encrypted channel across the Internet -> Office 2.)
Joint Ventures
(Diagram: Company 1 <- encrypted channel across the Internet -> Company 2; each company has a Joint data area.)

Telecommuting/Travelling Staff
(Diagram: Company <- encrypted channel across the Internet -> employee laptop/home machine.)
Telecommuting/Travelling Staff
(Diagram: Company <- encrypted channel/ssh across the Internet -> employee laptop/home machine.)

Telecommuting/Travelling Staff
With software VPNs, the previous two have the risk that a direct channel between the internet and the remote machine may exist, making the previous two equivalent to:
(Diagram: Company - Internet - employee laptop/home machine, with no protected channel between them.)
Telecommuting/Travelling Staff
(Diagram: Company <- encrypted channel across the Internet -> Hardware VPN -> employee laptop/home machine.)
A hardware VPN (plus disabling wireless connection capability) can disallow all unencrypted/unauthenticated internet connections, forcing all remote internet connections through the company's firewall.

Telecommuting/Travelling Staff
And when the kids want to play...
(Diagram: Company <- encrypted channel across the Internet -> Router; the Router serves a family subnet directly, and a Hardware VPN behind the Router fronts the employee work subnet.)
Intrusion Detection Technology
IDS Objective: detect attacks in progress, to enable a timely response.
Basic Infrastructure:
- Logging of events
- Sensors: collect information
- Analyzers: process sensor data
- Management Modules: interface to operators

IDS: Types of Information that can be collected
At the host:
- Login (attempts)
- File accesses
- Operating system calls
On the network:
- packet traffic flow
- protocol type
- packet payload
Sensor Placement
Sensor placement determines which attacks can be detected, but needs to be traded off against cost.
(Diagram: Internet -> De-militarized zone, containing the Web server -> Internal network, with a Sensor added.)

Sensor Data Aggregation
Where is the aggregated sensor data analyzed?
- Host based intrusion detection
- Gossip: hosts share data with each other
- Centralized analysis server
Analysis Approaches
Anomaly Detection: patterns of activity that differ from the usual behaviour, e.g.:
- login to a machine/account not usually used
- login outside of usual hours, or from an unknown machine
- higher frequency than usual of some event types
Signature Detection: patterns of activity that an attacker is likely to engage in (e.g. access to system files)
Attacker response to this: slow down the rate of attack.

The Statistics of Detection
1 in 100 people suffer from disease D.
Test T has 87% accuracy, i.e.:
- if person P has D, the test is positive with probability 87%
- if person P does not have D, the test is negative with probability 87%
Your doctor administers the test T and the result is positive. What is the probability that you do not have the disease D?
- low: 0-15%
- medium: 16-50%
- high: 51-90%
- very high: 91-100%
A Fundamental Problem with Intrusion Detection
Answer: very high! (I.e. you probably don't have it!)
By Bayes' theorem:
$$\Pr(D=\text{no} \mid T=\text{yes}) = \frac{\Pr(T=\text{yes} \mid D=\text{no})\,\Pr(D=\text{no})}{\Pr(T=\text{yes} \mid D=\text{yes})\,\Pr(D=\text{yes}) + \Pr(T=\text{yes} \mid D=\text{no})\,\Pr(D=\text{no})} = \frac{0.13 \times 0.99}{0.87 \times 0.01 + 0.13 \times 0.99} \approx 0.94$$
Note that we get a large contribution of false alarms compared to the small number of correct alarms!
This problem affects IDS: if intrusions are rare, a high percentage of alarms will be false alarms!

Security in the Large
Real world security design requires:
- meeting multiple requirements from multiple sources
- balancing conflicting requirements
- trust relationships between independent organisations
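The two IDS slides above (analysis approaches, and the statistics of detection), as one added example that is not part of the lecture: the anomaly rules (unusual machine, unusual hours, unusual frequency) and a signature rule (access to system files) run over a handful of constructed host log lines, followed by the Bayes calculation for the lecture's 1-in-100 / 87% figures and for a rarer intrusion rate. The log format, the user profile, the hosts and the signature are all constructed.

```python
"""Added example (not from the lecture): anomaly and signature detection over
constructed log lines, plus the base-rate calculation from the statistics slide."""
import re
from collections import Counter

# Constructed baseline of normal behaviour, as an anomaly detector would learn it.
PROFILE = {
    "alice": {"hosts": {"ws01"}, "hours": range(8, 19), "max_logins_per_day": 3},
}
# Constructed signature: access to sensitive system files.
SIGNATURES = [re.compile(r"open (/etc/shadow|/etc/passwd)\b")]

# Constructed sample log lines: "<hour> <user> <host> <event>"
LOG = """\
09 alice ws01 login
10 alice ws01 open /home/alice/report.txt
23 alice ws01 login
11 alice srv-db login
11 alice srv-db open /etc/shadow
12 alice ws01 login
13 alice ws01 login
"""


def analyze(log: str, profile=PROFILE, signatures=SIGNATURES):
    """Return (line_no, reason) alarms raised by the anomaly and signature rules."""
    alarms = []
    logins = Counter()
    for n, line in enumerate(log.splitlines(), 1):
        hour, user, host, event = line.split(" ", 3)
        hour = int(hour)
        p = profile.get(user)
        if p:
            if host not in p["hosts"]:
                alarms.append((n, f"anomaly: {user} active from unknown machine {host}"))
            if event == "login":
                if hour not in p["hours"]:
                    alarms.append((n, f"anomaly: {user} login outside usual hours ({hour}:00)"))
                logins[user] += 1
                if logins[user] == p["max_logins_per_day"] + 1:  # report once per day
                    alarms.append((n, f"anomaly: {user} logins exceed usual frequency"))
        for sig in signatures:
            if sig.search(event):
                alarms.append((n, f"signature: {user} access to system file ({event})"))
    return alarms


def false_alarm_rate(prevalence, sensitivity, specificity):
    """Pr(no intrusion | alarm) by Bayes' theorem: the slide's Pr(D=no | T=yes)."""
    p_alarm_given_bad = sensitivity
    p_alarm_given_good = 1 - specificity
    p_alarm = p_alarm_given_bad * prevalence + p_alarm_given_good * (1 - prevalence)
    return p_alarm_given_good * (1 - prevalence) / p_alarm


if __name__ == "__main__":
    for n, reason in analyze(LOG):
        print(f"line {n}: {reason}")
    # The lecture's numbers: 1-in-100 base rate, 87% accurate test.
    print(f"Pr(no D | T=yes) = {false_alarm_rate(0.01, 0.87, 0.87):.3f}")
    # Same detector quality, intrusion in 1 of 10,000 sessions: nearly every alarm is false.
    print(f"IDS: Pr(benign | alarm) = {false_alarm_rate(1e-4, 0.87, 0.87):.4f}")
```

The detector finds the attacker's slow, spread-out activity only because several weak rules fire on the same session; the second calculation shows why tuning any one of them to fire more readily is self-defeating when intrusions are rare, since the operators' alarm queue fills with benign events.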
Example: Airport Security
Travel from Toronto to Los Angeles requires:
- Airline must ensure that passengers have paid to travel
- Clearance by US Immigration (before boarding, so it does not need to be done on arrival)
- US Customs Clearance
- Flight Security Check (no bombs/weapons on plane)
Problem: Conduct a risk analysis and design the architecture of a security system for these requirements.

Actual Design at Toronto
(Diagram, showing two flows, people and bags, through the stages: Airline Check-in (issue boarding pass, bag weigh), US Immigration, Security Check, US Customs, Checked Luggage Drop, Boarding pass check, Bag X-ray.)