L16: Ring-based Access Control



Similar documents
Chapter 14: Access Control Mechanisms

ACL Compliance Director FAQ

Table of Contents. Configuring IP Access Lists

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

CIS433/533 - Computer and Network Security Operating System Security

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Firewall Technologies. Access Lists Firewalls

Terminal Server Configuration and Reference Errata

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

FIREWALLS & CBAC. philip.heimer@hh.se

CISCO IOS NETWORK SECURITY (IINS)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Security and Access Control Lists (ACLs)

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Introduction to Firewalls

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

SNMP/HTTP Access Control User Manual

Configuring a Backup Path Test Using Network Monitoring

Configuring Network Security with ACLs

Firewall Authentication Proxy for FTP and Telnet Sessions

Troubleshooting the Firewall Services Module

Access Control Lists: Overview and Guidelines

Lab Developing ACLs to Implement Firewall Rule Sets

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

Proxy Server, Network Address Translator, Firewall. Proxy Server

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Lab Configure Basic AP Security through IOS CLI

A Model Design of Network Security for Private and Public Data Transmission

8 steps to protect your Cisco router

TIBCO LogLogic. SOX and COBIT Compliance Suite Quick Start Guide. Software Release: December Two-Second Advantage

Building Energy Security Framework

Firewall Support for SIP

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Implementing Secure Converged Wide Area Networks (ISCW)

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Network Security in Practice

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Introduction to Cisco router configuration

Configuring NetFlow Secure Event Logging (NSEL)

Lab Configure IOS Firewall IDS

Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Virtual Fragmentation Reassembly

Traffic Mirroring Commands on the Cisco IOS XR Software

MANAGING NETWORK COMPONENTS USING SNMP

Internet Infrastructure Security Technology Details. Merike Kaeo

Firewalls, IDS and IPS

Cisco Configuring Commonly Used IP ACLs

Introduction of Intrusion Detection Systems

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Enterprise Security Interests Require SSL with telnet server from outside the LAN

Secure Software Programming and Vulnerability Analysis

Advanced Systems Security

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

How To Protect Your Network From Attack From Outside From Inside And Outside

Configuring NetFlow Secure Event Logging (NSEL)

What is Auditing? Auditing. Problems. Uses. Audit System Structure. Logger. Reading: Chapter 24. Logging. Slides by M. Bishop are used.

Security Technology: Firewalls and VPNs

Traffic Mirroring Commands on the Cisco ASR 9000 Series Router

Firewalls. Chapter 3

Lecture 18: More Assurance

Troubleshooting the Firewall Services Module

How To Secure Network Threads, Network Security, And The Universal Security Model

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Firewalls. Network Security. Firewalls Defined. Firewalls

Compter Networks Chapter 9: Network Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

z/os Firewall Technology Overview

Cisco Secure PIX Firewall with Two Routers Configuration Example

- Basic Router Security -

CS555: Distributed Systems [Fall 2015] Dept. Of Computer Science, Colorado State University

Network Security Knowledge is Everything! Network Operations

Design. Syntactic Issues

PRINTER SECURITY AUDIT: THE UNIVERSITY OF VIRGINIA. Kevin Savoy, CPA, CISA, CISSP Brian Daniels, CISA, GCFA

Securing Networks with PIX and ASA

Configuration of Cisco Routers. Mario Baldi

What is Auditing? IT 4823 Information Security Administration. Problems. Uses. Logger. Audit System Structure. Logging. Auditing. Auditing November 7

MPLS VPN Security Best Practice Guidelines

Lab Exercise Configure the PIX Firewall and a Cisco Router

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Cisco IOS NetFlow Version 9 Flow-Record Format

Controlling Access to a Virtual Terminal Line

Networking Security IP packet security

Transcription:

L16: Ring-based Access Control Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 10/26/2015 CSCI 451 - Fall 2015 1

Acknowledgement Many slides are from or are revised from the slides of the author of the textbook Matt Bishop, Introduction to Computer Security, Addison- Wesley Professional, October, 2004, ISBN-13: 978-0-321-24774-5. Introduction to Computer Security @ VSU's Safari Book Online subscription http://nob.cs.ucdavis.edu/book/book-intro/slides/ 10/26/2015 CSCI 451 - Fall 2015 2

Outline Locks and keys Rings-based access control Propagated access control lists 10/26/2015 CSCI 451 - Fall 2015 3

Locks and Keys Associate information (lock) with object, information (key) with subject Latter controls what the subject can access and how Subject presents key; if it corresponds to any of the locks on the object, access granted Can be dynamic ACLs, Capability-Lists are static and must be manually changed Locks and keys can change based on system constraints, other factors (not necessarily manual) 10/26/2015 CSCI 451 - Fall 2015 4

Cryptographic Implementation Enciphering key is lock; deciphering key is key Encipher object o; store E k (o) Use subject s key k to compute D k (E k (o)) Any of n can access o: store o = (E 1 (o),, E n (o)) Requires consent of all n to access o: store o = (E 1 (E 2 ( (E n (o)) )) 10/26/2015 CSCI 451 - Fall 2015 5

Example: IBM 370 IBM 370: process gets access key; pages get storage key and fetch bit Fetch bit clear: read access only Fetch bit set, access key 0: process can write to (any) page Fetch bit set, access key matches storage key: process can write to page Fetch bit set, access key non-zero and does not match storage key: no access allowed 10/26/2015 CSCI 451 - Fall 2015 6

Example: Cisco Router Dynamic access control lists access-list 100 permit tcp any host 10.1.1.1 eq telnet access-list 100 dynamic test timeout 180 permit ip any host \ 10.1.2.3 time-range my-time time-range my-time periodic weekdays 9:00 to 17:00 line vty 0 2 login local autocommand access-enable host timeout 10 Limits external access to 10.1.2.3 to 9AM 5PM Adds temporary entry for connecting host once user supplies name, password to router Connections good for 180 minutes Drops access control entry after that 10/26/2015 CSCI 451 - Fall 2015 7

Type Checking Lock is type, key is operation Example: UNIX system call write can t work on directory object but does work on file Example: split I&D space of PDP-11 Example: countering buffer overflow attacks on the stack by putting stack on non-executable pages/segments Then code uploaded to buffer won t execute Does not stop other forms of this attack, though 10/26/2015 CSCI 451 - Fall 2015 8

More Examples LOCK system: Compiler produces data Trusted process must change this type to executable becore program can be executed Sidewinder firewall Subjects assigned domain, objects assigned type Example: ingress packets get one type, egress packets another All actions controlled by type, so ingress packets cannot masquerade as egress packets (and vice versa) 10/26/2015 CSCI 451 - Fall 2015 9

Ring-Based Access Control Privileges increase 0 1 n Process (segment) accesses another segment Read Execute Gate is an entry point for calling segment Rights: r read; w write; a append; e execute 10/26/2015 CSCI 451 - Fall 2015 10

Reading/Writing/Appending Procedure executing in ring r Data segment with access bracket (a 1, a 2 ) Mandatory access rule r a 1 allow access a 1 < r a 2 allow r access; not w, a access a 2 < r deny all access 10/26/2015 CSCI 451 - Fall 2015 11

Executing Procedure executing in ring r Call procedure in segment with access bracket (a 1, a 2 ) and call bracket (a 2, a 3 ) Often written (a 1, a 2, a 3 ) Mandatory access rule r < a 1 a 1 r a 2 a 2 < r a 3 a 3 < r allow access; ring-crossing fault allow access; no ring-crossing fault allow access if through valid gate deny all access 10/26/2015 CSCI 451 - Fall 2015 12

Versions Multics 8 rings (from 0 to 7) Digital Equipment s VAX 4 levels of privilege: user, monitor, executive, kernel Older systems 2 levels of privilege: user, supervisor 10/26/2015 CSCI 451 - Fall 2015 13

Propagated Access Control List PACLs Implements ORGON Creator kept with PACL, copies Only owner can change PACL Subject reads object: object s PACL associated with subject Subject writes object: subject s PACL associated with object Notation: PACL s means s created object; PACL(e) is PACL associated with entity e 10/26/2015 CSCI 451 - Fall 2015 14

Multiple Creators Betty reads Ann s file dates PACL(Betty) = PACL Betty PACL(dates) = PACL Betty PACL Ann Betty creates file dc PACL(dc) = PACL Betty PACL Ann PACL Betty allows Char to access objects, but PACL Ann does not; both allow June to access objects June can read dc Char cannot read dc 10/26/2015 CSCI 451 - Fall 2015 15

Exercise L16-1 Question 7 of Exercise 14.8 in the textbook (page 259) 10/26/2015 CSCI 451 - Fall 2015 16

Summary Access control mechanisms provide controls for users accessing files Many different forms ACLs, capabilities, locks and keys Type checking too Ring-based mechanisms (Mandatory) PACLs (ORCON) 10/26/2015 CSCI 451 - Fall 2015 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information