Verifying Security Policies using Host Attributes

Size: px
Start display at page:

Download "Verifying Security Policies using Host Attributes"

Transcription

1 Verifying Security Policies using Host Attributes 34 th IFIP International Conference on Formal Techniques for Distributed Objects, Components and Systems Cornelius Diekmann 1 Stephan-A. Posselt 1 Heiko Niedermayer 1 Holger Kinkelin 1 Oliver Hanka 2 Georg Carle Airbus Group Innovations FORTE, 2014, Verifying Security Policies Using Host Attributes 1/21

2 Fakulta t fu r Informatik Technische Universita t Mu nchen Example: Aircraft Cabin Data Network google image search FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 2/21

3 Example: Aircraft Cabin Data Network Policy CC IFEsrv SAT C1 C2 IFE1 IFE2 WiFi P1 P2 Policy Access Control Matrix Network Connectivity Structure FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 3/21

4 Example: Security Invariants as Host Attributes Crew Entertain CC! IFEsrv INET SAT POD INET C1 C2 IFE1 IFE2 WiFi! crew entertain P1 POD P2 FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 4/21

5 Example: Security Invariants as Host Attributes Crew Entertain CC! IFEsrv master INET SAT POD INET C1 C2 IFE1 slave IFE2 slave WiFi! crew entertain P1 POD P2 FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 4/21

6 Example: Security Invariants as Host Attributes Crew Entertain CC secret! IFEsrv declassify master INET SAT POD INET C1 secret C2 secret IFE1 confid. slave IFE2 confid. slave WiFi! crew entertain P1 POD P2 FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 4/21

7 Big Picture: Verification Demo Formal verification Executable, no need for hand-crafted proofs FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 5/21

8 Big Picture: Debugging Demo add coffee machine, connect it to IFE1 [invalid] inv1 :... [invalid] inv2 :... [valid] inv3 :... IFE1 Aircraft-Entertain 1 DomainMember POD2 Aircraft-Entertain-POD SatGW POD1 Aircraft-Entertain-INET Aircraft-Entertain-POD IFE2 WifiAccess Crew2 Aircraft-Entertain Aircraft-Entertain-POD trust: 1 Aircraft-Crew 1 2 DomainMember coffee IFEsrv Aircraft-Entertain 0!trusted! SecurityGatewayIN Crew1 Aircraft-Crew 2 CabinCoreSrv Aircraft-Crew trust: 1 2 FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 6/21

9 Big Picture: Invariant Feedback Demo CC secret! IFEsrv declassify master INET SAT C1 secret C2 secret IFE1 confid. slave IFE2 confid. slave WiFi! crew.aircraft entertain.aircraft P1 POD P2 FORTE, 2014, Verifying Security Policies Using Host Attributes: Example & Demo 7/21

10 This Talk policy = security invariants security invariants = policy It s all about the security invariants! Scenario-Specific Knowledge Security Invariant Host Attribute Mapping + Generic Invariant Formal HOL Semantics Security Policy Directed Graph G =(hosts, allowed flows) Firewalls, ACL, etc FORTE, 2014, Verifying Security Policies Using Host Attributes: This Talk 8/21

11 Definitions Policy G = (V, E) directed graph G = (V set) ((V V) set) Host mapping P: V Ψ total function maps a host to an attribute FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 9/21

12 Definitions Policy G = (V, E) directed graph G = (V set) ((V V) set) Host mapping P: V Ψ total function maps a host to an attribute Security invariant template m: m(g, (V Ψ)) Predicate (total, Boolean-valued function) first argument: security policy second argument: host attribute mapping m(g, P) G fulfills the invariant specified by m and P FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 9/21

13 Example Label-based information flow security: Bell LaPadula model Security clearances, i. e. host attributes Ψ = {unclassified, confidential, secret, topsecret} Invariant template, i. e. no read-up and no write-down: m ( (V, E), P ) (s, r) E. P(s) P(r) FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 10/21

14 Example Label-based information flow security: Bell LaPadula model Security clearances, i. e. host attributes Ψ = {unclassified, confidential, secret, topsecret} Invariant template, i. e. no read-up and no write-down: m ( (V, E), P ) (s, r) E. P(s) P(r) Scenario-specific knowledge P(db1 ) = confidential all other hosts are unclassified P = (λh. if h = db 1 then confidential else unclassified) m(g, P) db 1 does not leak confidential information there is no non-reflexive outgoing edge from db1 FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 10/21

15 Security Invariants cont. Security strategy Information Flow Strategy (IFS) confidentiality Access Control Strategy (ACS) integrity, controlled access m must be either IFS or ACS Monotonicity Prohibiting more does not harm security m((v, E), P) and E E then m((v, E ), P) Composition Composability and modularity enabled by design m1 (G, P 1 ) m k (G, P k ) FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 11/21

16 Offending Flows If a security invariant is violated m(g, P) Flows F E responsible for the violation set offending flows ( G, P ) is the set of all such minimal F FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 12/21

17 Offending Flows If a security invariant is violated m(g, P) Flows F E responsible for the violation set offending flows ( G, P ) is the set of all such minimal F i.e. the set of all minimal sets which violate m set offending flows ( G, P ) = { F E m ( G, P ) m ( (V, E \ F), P ) (s, r) F. m ( (V, (E \ F ) {(s, r)}), P )} FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 12/21

18 Offending Flows If a security invariant is violated m(g, P) Flows F E responsible for the violation set offending flows ( G, P ) is the set of all such minimal F Example: m is that v 1 must not access v 3 transitively v 2 v 2 v 2 v 1 v 3 v 1 v 3 v 1 v 3 G {(v 1, v 2 )} {(v 2, v 3 )} set offending flows ( G, P ) = { {(v 1, v 2 )}, {(v 2, v 3 )} } FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 12/21

19 Example: Offending Flows for the Bell LaPadula Model Recall: m ( (V, E), P ) (s, r) E. P(s) P(r) set offending flows ( G, P ) = {{ {(s, r) E P(s) > P(r)} } if m(g, P) if m(g, P) Uniquely defined Can be computed in linear time This holds for all similar-structured security invariants FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 13/21

20 Analysis: Offending Flows Do the offending flows always exist? Theorem 1. For m monotonic, let G deny-all = (V, ). If m(g, P) then m ( G deny-all, P ) set offending flows(g, P) A security violation can be fixed by tightening the policy iff the invariant holds for the deny-all policy FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 14/21

21 Example: Policy Construction G all = (V, V V ) G max = (V, V V \ set offending flows ( G all, P ) ) Iterate this over all m i Sound for arbitrary m Complete for m similar to Bell LaPadula Gmax is the uniquely defined maximum policy FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 15/21

22 Who is responsible for a violation? A violation either happens at the sender or the receiver ACS initiator provokes an access control restriction IFS leak only occurs when the information reaches the unintended receiver Definition. For F set offending flows(g, P) { { s (s, r) F} if ACS offenders(f ) = { r (s, r) F} if IFS FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 16/21

23 Auto Completion of Host Mappings P is a total function V Ψ User-specified incomplete host mapping: P C V Ψ Default value: Ψ { ψ if (v, ψ) P C P(v) = else FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 17/21

24 Auto Completion of Host Mappings P is a total function V Ψ User-specified incomplete host mapping: P C V Ψ Default value: Ψ { ψ if (v, ψ) P C P(v) = else What is a secure? Everything forbidden? Barely usable! can never solve an existing security violation must never mask potential security risks! FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 17/21

25 Secure Auto Completion of Host Mappings Replacing the host attribute of any offenders by must guarantee that no security-relevant information is masked. Definition. is a secure default attribute if G P. F set offending flows ( G, P ). v offenders(f). m ( G, P v ) Secure and permissive = everything forbidden, security proof easy can be more permissive, e.g., Bell LaPadula = unclassified hosts can freely interact P C = (db 1, confidential) Security invariant for complete network restrictions only for interactions with db 1 FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 18/21

26 Example m(g, P) New host x P(x) = (P is not updated) Magic oracle P oracle (x) = ψ x is an attacker m(g, P oracle ) Is the security violation exposed without the oracle? If m(g, P oracle ) then m(g, P x ) Hence m(g, P) The security violation is never masked! FORTE, 2014, Verifying Security Policies Using Host Attributes: Formalization 19/21

27 Conclusion Monotonic Security Invariants Verify policy Fix security violations Construct policy Construct easily and end-user-friendly Fully machine-verified with Isabelle/HOL https://github.com/diekmann/topos = λ β Isabelle α FORTE, 2014, Verifying Security Policies Using Host Attributes: Conclusion 20/21

28 Thanks for your attention! Questions? FORTE, 2014, Verifying Security Policies Using Host Attributes: Thank You! 21/21

29 Backup Slides FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

30 Example: Aircraft Cabin Data Network CC The Cabin Core Server (essential aircraft features). air conditioning, crew telecommunication... C1, C2 Two crew mobile devices. identify passenger calls, make announcements... IFEsrv The In-Flight Entertainment server. movies, Internet... IFE1, IFE2 Two In-Flight entertainment displays (thin client). Mounted at the back of seats Movies and Internet... Wifi A wifi hotspot. Internet access for passengers owned devices Sat A satellite uplink to the Internet. P1, P2 Two passenger owned devices. laptops, smartphones... FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

31 Example: Security Invariants Invariant 1: Domain Hierarchy Different protection domains Devices may send to their own (sub-)domains entertain aircraft crew Trust level are available INET POD Invariant 2: Security Gateway Slave devices are bound to a master Master controls all communication to/between them. IFE displays (thin clients) are strictly bound to IFEsrv Invariant 3: Bell LaPadula Information flow restrictions secret crew communication confidential (< secret) passenger communication (privacy) FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

32 Stateful Implementation C2 P2 C1 P1 IFE2 IFE1 CC Wifi IFEsrv SAT Cornelius Diekmann, Lars Hupel, and Georg Carle. Directed Security Policies: A Stateful Network Implementation. In ESSS, Singapore, May FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

33 Bell LaPadula with Trust Prevent information leakage P(v).sc is v s security clearance P(v).trust m ( (V, E), P ) (s, r) E. { True P(s).sc P(r).sc if P(r).trust otherwise FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

34 Domain Hierarchy Hierarchical structures Ψ = fully qualified domain names {a.b.c, b.c, c,...} is below or at the same hierarchy level a.b.c a.b.c a.b.c b.c a.b.c c Trust: Act as if were in higher hierarchy position Trust 1 = one position higher chop(a.b.c, 1) = a.c m ( (V, E), P ) (s, r) E. P(r).level chop ( P(s).level, P(s).trust ) FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

35 Security Gateway Approve intra-domain communication between domain members by a central instance (security gateway) m ( (V, E), P ) (s, r) E, s r. table ( P(s), P(r) ) snd rcv rslt explanation sgw * Can send to the world. sgwa * memb sgw Can contact its security gateway. memb sgwa memb memb Must not communicate directly. May communicate via sgw(a). memb default No restrictions for direct access to outside world. Outgoing accesses are not within the invariant s scope. default sgw Not accessible from outside. default sgwa Accessible from outside. default memb Protected from outside world. default default No restrictions. FORTE, 2014, Verifying Security Policies Using Host Attributes: Appendix 21/21

About this talk: Keywords. Network Security Policy Stateful Firewalls Isabelle/HOL

About this talk: Keywords. Network Security Policy Stateful Firewalls Isabelle/HOL About this talk: Keywords Network Security Policy Stateful Firewalls Isabelle/HOL Directed Security Policies: A Stateful Network Implementation 3rd International Workshop on Engineering Safety and Security

More information

Deterministic Discrete Modeling

Deterministic Discrete Modeling Deterministic Discrete Modeling Formal Semantics of Firewalls in Isabelle/HOL Cornelius Diekmann, M.Sc. Dr. Heiko Niedermayer Prof. Dr.-Ing. Georg Carle Lehrstuhl für Netzarchitekturen und Netzdienste

More information

Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations

Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations mansdn/nfv 2015 Cornelius Diekmann Andreas Korsten Georg Carle Chair for Network Architectures and Services Munich,

More information

Semantics-Preserving Simplification of Real-World Firewall Rule Sets

Semantics-Preserving Simplification of Real-World Firewall Rule Sets Semantics-Preserving Simplification of Real-World Firewall Rule Sets Formal Methods 2015 Cornelius Diekmann * Lars Hupel Georg Carle * * Chair for Network Architectures and Services Chair for Logic and

More information

Information Flows and Covert Channels

Information Flows and Covert Channels Information Flows and Covert Channels Attila Özgit METU, Dept. of Computer Engineering ozgit@metu.edu.tr Based on: Mike McNett s presentation slides CENG-599 Data Security and Protection Objectives Understand

More information

Network Security. Chapter 1. Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer Cornelius Diekmann, M.Sc. Technische Universität München

Network Security. Chapter 1. Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer Cornelius Diekmann, M.Sc. Technische Universität München Network Security Chapter 1 Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer Cornelius Diekmann, M.Sc. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: June 13, 2015 IN2101,

More information

Bell & LaPadula Model Security Policy Bell & LaPadula Model Types of Access Permission Matrix

Bell & LaPadula Model Security Policy Bell & LaPadula Model Types of Access Permission Matrix 1 Security Policy A document that expresses clearly and concisely what the protection mechanisms are to achieve A statement of the security we expect the system to enforce Bell & LaPadula Model Formalization

More information

20% more formulas. Verified Firewall Ruleset Verification. Now with. with Isabelle/HOL. Cornelius Diekmann

20% more formulas. Verified Firewall Ruleset Verification. Now with. with Isabelle/HOL. Cornelius Diekmann Verified Firewall Ruleset Verification with Isabelle/HOL Cornelius Diekmann Now with 20% more formulas 1 Introduction to Firewalls Chain INPUT (policy CCEPT) target prot source destination DOS_PROTECT

More information

Chapter 6: Episode discovery process

Chapter 6: Episode discovery process Chapter 6: Episode discovery process Algorithmic Methods of Data Mining, Fall 2005, Chapter 6: Episode discovery process 1 6. Episode discovery process The knowledge discovery process KDD process of analyzing

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 10 Trusted Computing and Multilevel Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Trusted Computing and

More information

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Access Control Models Part I. Murat Kantarcioglu UT Dallas UT DALLAS Erik Jonsson School of Engineering & Computer Science Access Control Models Part I Murat Kantarcioglu UT Dallas Introduction Two main categories: Discretionary Access Control Models (DAC) Definition:

More information

Firewalls CSCI 454/554

Firewalls CSCI 454/554 Firewalls CSCI 454/554 Why Firewall? 1 Why Firewall (cont d) w now everyone want to be on the Internet w and to interconnect networks w has persistent security concerns n can t easily secure every system

More information

Certifying the Security of Android Applications with Cassandra

Certifying the Security of Android Applications with Cassandra 1 15 th International School on Foundations of Software Security and Design August 31 st, 2015, Bertinoro Certifying the Security of Android Applications with Cassandra Steffen Lortz, Heiko Mantel, David

More information

Computer security Lecture 3. Access control

Computer security Lecture 3. Access control Computer security Lecture 3 Access control Access control, the basic problem: Efficient representation of access rights Simply listing, per subject and object, what access is allowed and/or denied is very

More information

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module CS 665: Computer System Security Designing Trusted Operating Systems Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Trusted? An operating system is

More information

Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations

Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations Cornelius Diekmann, Andreas Korsten, Georg Carle Technische Universität München Abstract In network management, when

More information

Part III. Access Control Fundamentals

Part III. Access Control Fundamentals Part III Access Control Fundamentals Sadeghi, Cubaleska @RUB, 2008-2009 Course Operating System Security Access Control Fundamentals 105 / 148 10 3.1 Authentication and Access Control 11 Examples for DAC

More information

How to set up the HotSpot module with SmartConnect. Panda GateDefender 5.0

How to set up the HotSpot module with SmartConnect. Panda GateDefender 5.0 How to set up the HotSpot module with SmartConnect Panda GateDefender 5.0 Content Introduction... 3 Minimum requirements to enable the hotspot module... 4 Hotspot settings... 6 General settings....6 Configuring

More information

MaaS360 Mobile Enterprise Gateway

MaaS360 Mobile Enterprise Gateway MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software

More information

How users bypass your security!

How users bypass your security! How users bypass your security! IT Days Security issues 20 th November 2014 Tom Leclerc, Security Consultant SAGS - Security Audits and Governance Services, a Telindus Security department Classification:

More information

MaaS360 Mobile Enterprise Gateway

MaaS360 Mobile Enterprise Gateway MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2014 Fiberlink, an IBM Company. All rights reserved. Information in this document is subject to change without notice. The software described

More information

Instructions Android Smartphone & Tablet Page 1

Instructions Android Smartphone & Tablet Page 1 Instructions Android Smartphone & Tablet Page 1 Instructions Android Smartphone & Tablet This manual is written for users who already have an e-mail account configured in their Android phone or tablet

More information

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University CS377: Database Systems Data Security and Privacy Li Xiong Department of Mathematics and Computer Science Emory University 1 Principles of Data Security CIA Confidentiality Triad Prevent the disclosure

More information

Understanding Android s Security Framework

Understanding Android s Security Framework Understanding Android s Security Framework William Enck and Patrick McDaniel Tutorial October 2008 Systems and Internet Infrastructure Security Laboratory (SIIS) 1 2 Telecommunications Nets. The telecommunications

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

Configuring Security for SMTP Traffic

Configuring Security for SMTP Traffic 4 Configuring Security for SMTP Traffic Securing SMTP traffic Creating a security profile for SMTP traffic Configuring a local traffic SMTP profile Assigning an SMTP security profile to a local traffic

More information

HP ProtectTools Email Release Manager

HP ProtectTools Email Release Manager HP ProtectTools Email Release Manager White Paper Introduction... 2 User Interface... 3 Configuration... 3 Message Properties... 3 Message Classification Prompt... 3 Labels... 5 Destinations... 5 Users...

More information

Identity Management and Access Control

Identity Management and Access Control and Access Control Marek Rychly mrychly@strathmore.edu Strathmore University, @ilabafrica & Brno University of Technology, Faculty of Information Technology Enterprise Security 7 December 2015 Marek Rychly

More information

Configuring CQ Security

Configuring CQ Security Configuring CQ Security About Me CQ Architect for Inside Solutions http://inside-solutions.ch CQ Blog: http://cqblog.inside-solutions.ch Customer Projects with Adobe CQ Training Material on Adobe CQ Agenda

More information

Guardian Digital Secure Mail Suite Quick Start Guide

Guardian Digital Secure Mail Suite Quick Start Guide Guardian Digital Secure Mail Suite Quick Start Guide Copyright c 2004 Guardian Digital, Inc. Contents 1 Introduction 1 2 Contacting Guardian Digital 2 3 Purpose of This Document 3 3.1 Terminology...............................

More information

Getting Started Manual: Authors

Getting Started Manual: Authors PaperPlaza and PaperCept Conference Manuscript Management and Registration Systems Getting Started Manual: Authors PaperCept, Inc. (Revised October 5, 2011) Getting Started Manual: Authors Contents 1.

More information

E-mail rules in brief

E-mail rules in brief Tampere University of Technology E-Mail rules 1 (6) E-mail rules in brief Every e-mail user has one or more roles There are slightly different rules, for example, for staff members and students. All rules

More information

Research Paper Available online at: www.ijarcsse.com A COMPARATIVE STUDY OF CLOUD COMPUTING SERVICE PROVIDERS

Research Paper Available online at: www.ijarcsse.com A COMPARATIVE STUDY OF CLOUD COMPUTING SERVICE PROVIDERS Volume 2, Issue 2, February 2012 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: A COMPARATIVE STUDY OF CLOUD

More information

Access Control Fundamentals

Access Control Fundamentals C H A P T E R 2 Access Control Fundamentals An access enforcement mechanism authorizes requests (e.g., system calls) from multiple subjects (e.g., users, processes, etc.) to perform operations (e.g., read,,

More information

HP PROTECTTOOLS EMAIL RELEASE MANAGER

HP PROTECTTOOLS EMAIL RELEASE MANAGER HP PROTECTTOOLS EMAIL RELEASE MANAGER Business white paper HP ProtectTools Email Release Manager provides enhancements to the Microsoft Exchange and Outlook clients. HP has developed HP ProtectTools Email

More information

Email Rules in Brief. Every email user has one or more roles 28.11.2013. the rules are partly different for e.g. the staff and the students

Email Rules in Brief. Every email user has one or more roles 28.11.2013. the rules are partly different for e.g. the staff and the students Email Rules in Brief Every email user has one or more roles the rules are partly different for e.g. the staff and the students All rules shall be obeyed use different passwords at the university of applied

More information

Access Control Intro, DAC and MAC. System Security

Access Control Intro, DAC and MAC. System Security Access Control Intro, DAC and MAC System Security System Security It is concerned with regulating how entities use resources in a system It consists of two main phases: Authentication: uniquely identifying

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Acceptable Use Policy (AUP) ionfish Group, LLC s network and services have been designed to serve its clients, partners, and employees (each individually a User ), and to enhance

More information

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Microsoft Forefront TMG How to use SQL Server 2008 Express Reporting Services Abstract In this

More information

CS346: Advanced Databases

CS346: Advanced Databases CS346: Advanced Databases Alexandra I. Cristea A.I.Cristea@warwick.ac.uk Data Security and Privacy Outline Chapter: Database Security in Elmasri and Navathe (chapter 24, 6 th Edition) Brief overview of

More information

1 P a g e. Lim Jun Yan, Undergraduate School of Information Systems Singapore Management University

1 P a g e. Lim Jun Yan, Undergraduate School of Information Systems Singapore Management University 1 P a g e Lim Jun Yan, Undergraduate School of Information Systems Singapore Management University Trust is to rely upon or place confidence in someone or something. However, this is not a definition that

More information

ON HOLD ANNOUNCER. Once you receive your audio announcer, check the packaging to ensure that all of the following items are enclosed:

ON HOLD ANNOUNCER. Once you receive your audio announcer, check the packaging to ensure that all of the following items are enclosed: ON HOLD ANNOUNCER The is a high quality digital on-hold announcer. It is designed to be attached to a 100BASE-T Ethernet network to receive audio production updates via the Internet. These instructions

More information

Introduction to Dropbox. Jim Miller, LCITO Office 785.296.5566 Mobile 913.484.8013 Email jim.miller@las.ks.gov

Introduction to Dropbox. Jim Miller, LCITO Office 785.296.5566 Mobile 913.484.8013 Email jim.miller@las.ks.gov Introduction to Dropbox Jim Miller, LCITO Office 785.296.5566 Mobile 913.484.8013 Email jim.miller@las.ks.gov Introduction to Dropbox What is it? Why use it? Mitigating the risks of using Dropbox? Dropbox

More information

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

DAC vs. MAC. Most people familiar with discretionary access control (DAC) DAC vs. MAC Most people familiar with discretionary access control (DAC) - Example: Unix user-group-other permission bits - Might set a fileprivate so only groupfriends can read it Discretionary means

More information

A Security Model for Military Message Systems: Retrospective

A Security Model for Military Message Systems: Retrospective A Security Model for Military Message Systems: Retrospective Carl E. Landwehr Constance L. Heitmeyer John D. McLean Mitretek Systems, Inc. Naval Research Laboratory Naval Research Laboratory Carl.Landwehr@mitretek.org

More information

Certifying Spoofing-Protection of Firewalls

Certifying Spoofing-Protection of Firewalls Certifying Spoofing-Protection of Firewalls Cornelius Diekmann, Lukas Schwaighofer, and Georg Carle Technische Universität München Email: {diekmann schwaighofer carle}@net.in.tum.de Abstract We present

More information

Implementing Failover Capabilities in Red Hat Network Satellite

Implementing Failover Capabilities in Red Hat Network Satellite Implementing Failover Capabilities in Red Hat Network Satellite By Vladimir Zlatkin Abstract This document will help you create two identical Red Hat Network (RHN) Satellites functioning in failover mode.

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

Automated Program Behavior Analysis

Automated Program Behavior Analysis Automated Program Behavior Analysis Stacy Prowell sprowell@cs.utk.edu March 2005 SQRL / SEI Motivation: Semantics Development: Most engineering designs are subjected to extensive analysis; software is

More information

Instructions Microsoft Outlook Express Page 1

Instructions Microsoft Outlook Express Page 1 Instructions Microsoft Outlook Express Page 1 Instructions Microsoft Outlook Express This manual is written for users who already have an e-mail account configured in Outlook Express and will therefore

More information

OMICS Group. Contact us at: contact.omics@omicsonline.org

OMICS Group. Contact us at: contact.omics@omicsonline.org OMICS Group OMICS Group International through its Open Access Initiative is committed to make genuine and reliable contributions to the scientific community. OMICS Group hosts over 400 leading-edge peer

More information

Translation Service Provider according to ISO 17100

Translation Service Provider according to ISO 17100 www.lics-certification.org Certification Scheme S06 Translation Service Provider according to ISO 17100 Date of issue: V2.0, 2015-11-15 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 1020

More information

Reconciling multiple IPsec and firewall policies

Reconciling multiple IPsec and firewall policies Reconciling multiple IPsec and firewall policies Tuomas Aura, Moritz Becker, Michael Roe, Piotr Zieliński Submission to SPW 2007 Abstract Manually configuring large firewall policies can be a hard and

More information

Secure Web Access Solution

Secure Web Access Solution Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...

More information

Firewall Design: Consistency, Completeness, Compactness

Firewall Design: Consistency, Completeness, Compactness Firewall Design: Consistency, Completeness, Compactness Alex X. Liu alex@cs.utexas.edu Department of Computer Sciences The University of Texas at Austin Austin, Texas 78712-1188, U.S.A. March, 2004 Co-author:

More information

Avion. apex AWARD 2012. BoardConnect: Run the future, not cables. Revolutionizing in-flight entertainment

Avion. apex AWARD 2012. BoardConnect: Run the future, not cables. Revolutionizing in-flight entertainment apex Avion AWARD 2012 BoardConnect: Run the future, not cables. Revolutionizing in-flight entertainment Discover the potential of wireless IFE Imagine creating a new, unique experience for your passengers.

More information

CSC 373: Algorithm Design and Analysis Lecture 16

CSC 373: Algorithm Design and Analysis Lecture 16 CSC 373: Algorithm Design and Analysis Lecture 16 Allan Borodin February 25, 2013 Some materials are from Stephen Cook s IIT talk and Keven Wayne s slides. 1 / 17 Announcements and Outline Announcements

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

VIA CONNECT PRO Deployment Guide

VIA CONNECT PRO Deployment Guide VIA CONNECT PRO Deployment Guide www.true-collaboration.com Infinite Ways to Collaborate CONTENTS Introduction... 3 User Experience... 3 Pre-Deployment Planning... 3 Connectivity... 3 Network Addressing...

More information

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL Paper By: Chow, R; Golle, P; Jakobsson, M; Shai, E; Staddon, J From PARC & Masuoka, R And Mollina From Fujitsu Laboratories

More information

IT TECHNOLOGY ACCESS POLICY

IT TECHNOLOGY ACCESS POLICY IT TECHNOLOGY ACCESS POLICY Effective Date May 19, 2016 Cross- Reference 1. IT Access Control and User Access Management Policy Responsibility Director, Information 2. IT Acceptable Use Policy Technology

More information

ANS Monitoring as a Service. Customer requirements

ANS Monitoring as a Service. Customer requirements ANS Monitoring as a Service Customer requirements Version History Version: 1.0 Date: 29/03/2015 Version Date Summary Of Changes Pages Changed Author 0.1 17/07/15 Initial document created ALL Dale Marshall

More information

Model-Based Quality Assurance of The SMB2 Protocol Documentation

Model-Based Quality Assurance of The SMB2 Protocol Documentation Model-Based Quality Assurance of The SMB2 Protocol Documentation Wolfgang Grieskamp Architect, Protocol Engineering Team, Microsoft Corporation Microsoft Part of the company s interoperability initiative

More information

Application Security Policy

Application Security Policy Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy

More information

Comfort without compromise

Comfort without compromise Zuzana Hrnkova Head of Aircraft Interiors Marketing Comfort without compromise Every inch counts How can an airframe manufacturer influence cabin comfort and efficiency? Does an inch really matter? Efficient

More information

This guide is intended to help you troubleshoot problems connecting a wireless device to the Gogo Biz network.

This guide is intended to help you troubleshoot problems connecting a wireless device to the Gogo Biz network. This guide is intended to help you troubleshoot problems connecting a wireless device to the Gogo Biz network. TABLE OF CONTENTS Windows Operating System... 3 Blackberry... 5 Android... 6 Apple Macbook...

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure

More information

Globalstar 9600. User Guide for Mac

Globalstar 9600. User Guide for Mac Globalstar 9600 User Guide for Mac This guide is based on the production version of the Globalstar 9600 and Sat-Fi Apps. Software changes may have occurred after this printing. Globalstar reserves the

More information

Privacy-Preserving Distributed Encrypted Data Storage and Retrieval

Privacy-Preserving Distributed Encrypted Data Storage and Retrieval Privacy-Preserving Distributed Encrypted Data Storage and Retrieval Sibi Antony Master Thesis Starting Talk WS12/13 1 Overview Motivation Thesis Goals Methodology Initial Analysis Time Table 2 Motivation

More information

World Wide Web Publishing Standard

World Wide Web Publishing Standard Issue Date: January 1, 2011 World Wide Web Publishing Standard Office of the Vice President for Operations / CIO Information Security Office Effective Date: November 21, 2014 KSU World Wide Web Publishing

More information

The Designer estimates reaching satisfactory completion of the Services within six weeks of the Effective Date.

The Designer estimates reaching satisfactory completion of the Services within six weeks of the Effective Date. Website Design Agreement 1. Description of the Services The Designer will design a website (the "Website") for the Owner by providing the design and programming services listed on Schedule A (the "Services")

More information

Secure Email Frequently Asked Questions

Secure Email Frequently Asked Questions Secure Email Frequently Asked Questions Frequently Asked Questions Contents General Secure Email Questions and Answers Forced TLS Questions and Answers SecureMail Questions and Answers Glossary Support

More information

Securing the Interconnect Signaling Network Security

Securing the Interconnect Signaling Network Security Securing the Interconnect Signaling Network Security Travis Russell Director, Cyber Security, Service Provider Networks Oracle Communications August, 2015 Current security landscape Much attention has

More information

The Road from Software Testing to Theorem Proving

The Road from Software Testing to Theorem Proving The Road from Software Testing to Theorem Proving A Short Compendium of my Favorite Software Verification Techniques Frédéric Painchaud DRDC Valcartier / Robustness and Software Analysis Group December

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

ABET General Outcomes. Student Learning Outcomes for BS in Computing

ABET General Outcomes. Student Learning Outcomes for BS in Computing ABET General a. An ability to apply knowledge of computing and mathematics appropriate to the program s student outcomes and to the discipline b. An ability to analyze a problem, and identify and define

More information

CEIA NetID Network Management System

CEIA NetID Network Management System CEIA NetID Network Management System www.ceia.net CEIA NetID Network Management System NetID System Goals Data collection from each CEIA Security Device detailing the information on every single screening

More information

Bridging Formal Methods and Data Science

Bridging Formal Methods and Data Science Bridging Formal Methods and Data Science Vijay Murali Rice University IEEE 2015 Slides courtesy of Swarat Chaudhuri Data Science / Data mining Algorithms and tools to extract knowledge or insights from

More information

Global Network Mobility RIPE 48

Global Network Mobility RIPE 48 John Bender Don Bowman cbbrouting@boeing.com Global Network Mobility RIPE 48 Implementing Network Mobility Summary What is Connexion by Boeing? Network and Service Challenges BGP as a mobility solution

More information

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks

More information

(67902) Topics in Theory and Complexity Nov 2, 2006. Lecture 7

(67902) Topics in Theory and Complexity Nov 2, 2006. Lecture 7 (67902) Topics in Theory and Complexity Nov 2, 2006 Lecturer: Irit Dinur Lecture 7 Scribe: Rani Lekach 1 Lecture overview This Lecture consists of two parts In the first part we will refresh the definition

More information

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) The World Internet Security Company Solutions for Security Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) Wherever Security relies on Identity, WISeKey has

More information

ReadySpace Limited Unit J, 16/F Reason Group Tower, 403-413 Castle PeakRoad, Kwai Chung, N.T.

ReadySpace Limited Unit J, 16/F Reason Group Tower, 403-413 Castle PeakRoad, Kwai Chung, N.T. Reputation and Blacklist Monitoring Basic Professional Business Enterprise Reputation Monitoring Blacklist Monitoring Standard Malware Detection Scan for known Malware Scan for known viruses All pages

More information

VNC User Guide. Version 5.3. December 2015

VNC User Guide. Version 5.3. December 2015 VNC User Guide Version 5.3 December 2015 Trademarks RealVNC, VNC and RFB are trademarks of RealVNC Limited and are protected by trademark registrations and/or pending trademark applications in the European

More information

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION United States Department of Agriculture Marketing and Regulatory Programs Grain Inspection, Packers and Stockyards Administration Directive GIPSA 3140.5 11/30/06 WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

More information

ACPT: Access Control Policy Tool

ACPT: Access Control Policy Tool 12/10/08 1 Access Control Policy Tool (ACPT) ACPT: Access Control Policy Tool 12/10/08 2 Access Control Policy Presently Policy authoring are hand crafted by administrators, and difficult to check for

More information

CA arcserve Unified Data Protection Agent for Linux

CA arcserve Unified Data Protection Agent for Linux CA arcserve Unified Data Protection Agent for Linux User Guide Version 5.0 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as

More information

Automating Compliance Reporting for PCI Data Security Standard version 1.1

Automating Compliance Reporting for PCI Data Security Standard version 1.1 PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

ST0-141 Q&A. DEMO Version

ST0-141 Q&A. DEMO Version Symantec Backup Exec 2012 Technical Assessment Q&A DEMO Version Copyright (c) 2012 Chinatag LLC. All rights reserved. Important Note Please Read Carefully For demonstration purpose only, this free version

More information

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation PLDI 03 A Static Analyzer for Large Safety-Critical Software B. Blanchet, P. Cousot, R. Cousot, J. Feret L. Mauborgne, A. Miné, D. Monniaux,. Rival CNRS École normale supérieure École polytechnique Paris

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

Outline. EE 122: Interdomain Routing Protocol (BGP) BGP Routing. Internet is more complicated... Ion Stoica TAs: Junda Liu, DK Moon, David Zats

Outline. EE 122: Interdomain Routing Protocol (BGP) BGP Routing. Internet is more complicated... Ion Stoica TAs: Junda Liu, DK Moon, David Zats Outline EE 22: Interdomain Routing Protocol (BGP) Ion Stoica TAs: Junda Liu, DK Moon, David Zats http://inst.eecs.berkeley.edu/~ee22/fa9 (Materials with thanks to Vern Paxson, Jennifer Rexford, and colleagues

More information

Summary of Last Lecture. Automated Reasoning. Outline of the Lecture. Definition. Example. Lemma non-redundant superposition inferences are liftable

Summary of Last Lecture. Automated Reasoning. Outline of the Lecture. Definition. Example. Lemma non-redundant superposition inferences are liftable Summary Automated Reasoning Georg Moser Institute of Computer Science @ UIBK Summary of Last Lecture C A D B (C D)σ C s = t D A[s ] (C D A[t])σ ORe OPm(L) C s = t D u[s ] v SpL (C D u[t] v)σ C s t Cσ ERR

More information

enicq 5 System Administrator s Guide

enicq 5 System Administrator s Guide Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide

More information

ARGUS SUPPORT: INSTALLATION AND CONFIGURATION GUIDE FOR BEST PRACTICE

ARGUS SUPPORT: INSTALLATION AND CONFIGURATION GUIDE FOR BEST PRACTICE ARGUS SUPPORT: (03) 5335 2221 or support@argusconnect.com.au INSTALLATION AND CONFIGURATION GUIDE FOR BEST PRACTICE VERSION 1.6.1.x ArgusConnect Pty Ltd: Phone: (03) 5335 2220 Support: (03) 5335 2221 Email:

More information

Network Security - ISA 656 Intro to Firewalls

Network Security - ISA 656 Intro to Firewalls Network Security - ISA 656 Intro to s Angelos Stavrou August 28, 2007 What s a Intro to s What s a Why Use s? Traditional s Advantages Philosophies Devices examining traffic making access control decisions

More information