COMP3441 Lecture 9: Security Architecture
Ron van der Meyden (University of New South Wales Sydney, Australia)
May 6, 2014

Overview
- Security Design Principles
- Security Architecture
- Security Design in the Large
Saltzer and Schroeder's Security Design Principles
- Economy of Mechanism (simpler = easier to assure)
- Fail-safe defaults (e.g. deny by default / allow by exception)
- Complete Mediation (every access request is checked)
- Open design (= Kerckhoffs's Principle)
- Separation of Privilege (e.g. employ dual control)
- Least Privilege
- Least Common Mechanism (minimise sharing)
- Psychological Acceptability

Security Perimeters
One of the key defensive mechanisms is the placement of difficult-to-cross boundaries between assets and adversaries: physical separation, firewalls, sandboxing. Once crossed, these leave the assets vulnerable, which is why a perimeter on its own is not enough.
(Image: Maginot Line, from Wikimedia Commons)

Defence in Depth
A general approach to defence:
- multiple layers of defence, rather than a single layer
- complementary defensive mechanisms, so that what one layer misses another is likely to catch
- the higher the value of an asset, the greater the number of protective layers around it.
(Image: Himeji Castle, from Wikimedia Commons)

Example: run anti-virus products both at the network perimeter and on user machines, and use different products in the two places (they are likely to detect different attacks, so one product's blind spot is not the whole system's).
Security Architecture
A security architecture is a high-level design of the structure of the system, identifying the main system components, the defensive measures, and their interconnections. The lack of connectedness of certain components is a key aspect of the security design: it forces causal effects in the system to flow through the defensive measures.

Example: Access Control Policy Architecture
The enterprise has a general security policy. Multiple applications (e.g. email, accounts system, HR system, corporate planning system) need to be consistent with this policy.
Design 1: Enforcement within application code
(Diagram: Application 1, Application 2 and Application 3 each consist of application code plus their own policy-enforcing code, and each talks directly to the database.)

Design 2: Policy Server
(Diagram: Application 1, Application 2 and Application 3 contain application code only; every database request passes through a single access control monitor that consults the policy before the request reaches the database.)

Advantages of Design 2:
- No complex interleaving of application and security code
- Application programmer errors cannot cause security breaches, because the application has no path to the database that bypasses the monitor (the monitor is now the one component that must be correct)
- Policy changes take immediate effect, for every application at once
- Policy enforced consistently across all applications
Caveat: the monitor is a single point of trust and of failure, and complete mediation holds only if the applications have no other route to the data (for example, no database credentials of their own).
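Design 2 in code, as an added example for these notes (it is not code from the lecture): the applications contain no policy checks and reach the database only through a monitor object that decides every read and write against the enterprise policy and logs the decision. The policy format, the role and table names and the in-memory database are assumptions made for illustration.

```python
"""Design 2 (policy server) as a reference monitor: applications hold no
security code and no database credentials; every read or write goes through
one PolicyMonitor that checks the enterprise policy and logs the decision.

Added example for these notes, not code from the lecture. The policy format,
the role and table names and the in-memory database are assumptions."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class PolicyMonitor:
    """Single point of policy decision: (role, action, table) -> allowed.
    Anything not listed is denied (fail-safe default)."""
    policy: dict
    audit: list = field(default_factory=list)

    def authorize(self, user, roles, action, table):
        allowed = any(self.policy.get((r, action, table), False) for r in roles)
        self.audit.append((user, action, table, allowed))  # every decision is logged
        return allowed


class Database:
    """Raw store. In the real architecture only the monitor can reach it."""
    def __init__(self):
        self.tables = {
            "employees": {"e1": {"name": "Ann", "salary": 90000}},
            "accounts": {"a1": {"balance": 1200}},
        }


class MediatedDatabase:
    """The only database handle given to applications: complete mediation."""
    def __init__(self, monitor, db):
        self.monitor, self.db = monitor, db

    def read(self, user, roles, table):
        if not self.monitor.authorize(user, roles, "read", table):
            raise AccessDenied(f"{user} may not read {table}")
        return {k: dict(v) for k, v in self.db.tables[table].items()}  # copy out

    def write(self, user, roles, table, key, fields):
        if not self.monitor.authorize(user, roles, "write", table):
            raise AccessDenied(f"{user} may not write {table}")
        self.db.tables[table].setdefault(key, {}).update(fields)


# Enterprise policy, held in one place. Assumed roles and tables.
ENTERPRISE_POLICY = {
    ("hr_staff", "read", "employees"): True,
    ("hr_staff", "write", "employees"): True,
    ("finance", "read", "accounts"): True,
    ("finance", "write", "accounts"): True,
    ("finance", "read", "employees"): True,
}


# Application code contains no policy checks at all (Design 2).
def hr_app_set_salary(db, user, roles, emp_id, salary):
    db.write(user, roles, "employees", emp_id, {"salary": salary})
    return db.read(user, roles, "employees")[emp_id]["salary"]


def finance_app_payroll_total(db, user, roles):
    return sum(e["salary"] for e in db.read(user, roles, "employees").values())


def demo():
    """Returns (hr_result, finance_total, denied_write, after_policy_change, audit)."""
    monitor = PolicyMonitor(dict(ENTERPRISE_POLICY))
    db = MediatedDatabase(monitor, Database())

    hr_result = hr_app_set_salary(db, "alice", ["hr_staff"], "e1", 95000)
    finance_total = finance_app_payroll_total(db, "bob", ["finance"])

    # A buggy or malicious finance app tries to write salaries: the monitor,
    # not the application, is what stops it.
    try:
        hr_app_set_salary(db, "bob", ["finance"], "e1", 1)
        denied_write = False
    except AccessDenied:
        denied_write = True

    # A policy change in the one place it lives takes immediate effect everywhere.
    monitor.policy[("finance", "write", "employees")] = True
    after_policy_change = hr_app_set_salary(db, "bob", ["finance"], "e1", 96000)
    return hr_result, finance_total, denied_write, after_policy_change, monitor.audit


if __name__ == "__main__":
    print(demo()[:4])
```

The point of the structure is that `hr_app_set_salary` and `finance_app_payroll_total` would behave identically under Design 1 if their authors remembered every check; under Design 2 they are safe even when the authors forget, and the audit list gives the operator one consistent record of every decision.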
Isolated Users
(Diagram: User 1, User 2 and User 3 each have their own machine and their own data, Data 1, Data 2 and Data 3, with nothing shared.)

CPU/Storage Sharing
(Diagram: User 1, User 2 and User 3 share one machine; Data 1, Data 2 and Data 3 sit together on one disk.)
Separation
(Diagram: User 1, User 2 and User 3 share one machine, but a separation kernel sits between the users and the disk holding Data 1, Data 2 and Data 3.)
Following the principle of economy of mechanism, a separation kernel is a small layer of the operating system whose only function is to isolate user processes from each other (and nothing more); keeping it small is what makes it feasible to assure.

Storage Sharing 2
(Diagram: User 1, User 2 and User 3 each encrypt their own data before it reaches the shared disk or cloud, which holds Encrypted Data 1, Encrypted Data 2 and Encrypted Data 3.)
Here the isolation mechanism is cryptographic rather than a trusted kernel: the storage provider sees only ciphertext, and the separation holds only as long as each user's key stays with that user.
Military Security Architectures
(Diagram: Low Level --> Data Diode --> High Level. A data diode lets information flow in one direction only, from Low to High.)

Hinke-Schaefer Architecture
An architecture for multi-level secure databases. There is a separate DBMS instance per level: the H user is served by the H DBMS and the L user by the L DBMS. The H DBMS can read both the High-level files (H F) and the Low-level files (L F) but can write only H F; the L DBMS accesses L F only. No High data can therefore ever be written into a Low file, and the Low side needs no trusted code.
(Diagram: High Level Database; H user --> H DBMS --> H F (read/write) and L F (read only); L user --> L DBMS --> L F.)
Military Security Architectures: Downgrading
In practice, High-level data needs to be released to the Low-level domain from time to time.
(Diagram: Low Level --> Data Diode --> High Level, with a Downgrader providing the only path back from High to Low.)
The downgrader is a trusted component: it is the single place where the one-way rule is deliberately broken, so it must be small, reviewed and audited.

Starlight Switch
An architecture for allowing an intelligence analyst to securely access Low-level information (e.g. web browsing) while operating in the High-level domain.
(Diagram: Low Level --> Data Diode --> High Level; the Starlight Switch sits between the keyboard and the user machine, routing keyboard input to one domain at a time, while information from Low reaches High only through the data diode.)
Security Architecture
In a network security architecture, we describe the structure of the network topology and the placement of defensive measures such as:
- firewalls
- virtual private networks
- anti-virus servers
- honeypots
- application servers, etc.

Web Servers
The public needs to be able to read content served by these, but they need to be protected from defacement and data theft. Compromise of the server should not impact company internal data.
(Diagram: Internet --> De-militarized zone (web server) --> Internal network; the web server lives in the DMZ, separated from both the Internet and the internal network.)
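The DMZ design above expressed as a zone policy, as an added example for these notes (not code from the lecture): the Internet may reach the web server only on its web ports, the internal network may administer the DMZ, and no connection initiated in the DMZ may reach the internal network, so a compromised web server has no path to internal data; everything not listed is denied. Zone address ranges, ports and the sample flows are assumptions made for illustration.

```python
"""Zone policy for the DMZ design: the Internet may reach the web server
only on 80/443, the internal network may administer the DMZ, and no
connection initiated in the DMZ may reach the internal network, so a
compromised web server has no path to internal data. Everything not listed
is denied (fail-safe default).

Added example for these notes, not code from the lecture. Zone address
ranges, ports and the sample flows are assumptions."""
from ipaddress import ip_address, ip_network

# Assumed addressing: the DMZ uses an RFC 5737 documentation range standing
# in for public addresses; the internal network is private space.
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],
    "internal": [ip_network("10.0.0.0/8")],
}

# (source zone, destination zone, protocol, allowed destination ports)
RULES = [
    ("internet", "dmz", "tcp", {80, 443}),        # public web access
    ("internal", "dmz", "tcp", {22, 443}),        # administration from inside
    ("internal", "internet", "tcp", {80, 443}),   # staff browsing
    # deliberately no ("dmz", "internal", ...) and no ("dmz", "internet", ...) rule
]


def zone_of(addr):
    """Anything not in a named zone is treated as the Internet."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def decide(src, dst, proto, dport):
    """First matching rule allows; otherwise deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_proto, ports in RULES:
        if (rule_src, rule_dst, rule_proto) == (src_zone, dst_zone, proto) and dport in ports:
            return "allow"
    return "deny"


# Constructed flows, including what an attacker who owns the web server would try next.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 443),   # visitor -> web server
    ("198.51.100.7", "192.0.2.10", "tcp", 22),    # visitor -> web server ssh
    ("10.1.2.3", "192.0.2.10", "tcp", 22),        # admin -> web server
    ("192.0.2.10", "10.5.0.20", "tcp", 445),      # web server -> internal file share
    ("192.0.2.10", "10.5.0.21", "tcp", 5432),     # web server -> internal database
    ("192.0.2.10", "203.0.113.9", "tcp", 4444),   # web server -> attacker (reverse shell)
]


def evaluate(flows=SAMPLE_FLOWS):
    return {flow: decide(*flow) for flow in flows}


if __name__ == "__main__":
    for flow, verdict in evaluate().items():
        print(f"{flow[0]:>15} -> {flow[1]:<15} {flow[2]}/{flow[3]:<5} {verdict}")
```

If the web server genuinely needs a database, the design that keeps the slide's property is a second DMZ segment holding a dedicated database with one narrow rule from the web server to it, not a rule from the DMZ into the internal network; and any DMZ egress the server needs (updates, DNS) should be a specific rule to a specific host, so that the default-deny on everything else still catches the reverse-shell flow in the sample.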
Virtual Private Networks
A cryptographic tunnel is a cryptographically secured channel, with encrypted (and authenticated) messages carried in some insecure protocol (e.g. IP). Virtual Private Networks employ cryptographic tunnels as an isolation mechanism to connect two or more protected networks/machines through the Internet as if they were directly connected.

Remote Branch Offices
(Diagram: Office 1 <-- encrypted channel over the Internet --> Office 2.)
Joint Ventures
(Diagram: Company 1 <-- encrypted channel over the Internet --> Company 2; each company has a joint data area, and it is these, not the whole company networks, that the tunnel connects.)

Telecommuting/Travelling Staff
(Diagram: Company <-- encrypted channel over the Internet --> employee laptop / home machine.)
Telecommuting/Travelling Staff
(Diagram: Company <-- encrypted channel / ssh over the Internet --> employee laptop / home machine.)

With software VPNs the previous two designs carry the risk that a direct, unprotected channel between the Internet and the remote machine may also exist: the laptop is on the Internet as well as in the tunnel. An attacker who compromises the remote machine over that direct channel can then ride the tunnel into the company network, making the previous two equivalent to:
(Diagram: Company <-- Internet --> employee laptop / home machine, with no encrypted channel at all.)
Telecommuting/Travelling Staff
(Diagram: Company <-- encrypted channel over the Internet --> Hardware VPN --> employee laptop / home machine.)
A hardware VPN (plus disabling the laptop's wireless connection capability) can disallow all unencrypted/unauthenticated Internet connections, forcing all of the remote machine's Internet traffic through the encrypted channel to the company, where the company's own defences apply to it.

Telecommuting/Travelling Staff
And when the kids want to play...
(Diagram: Company <-- encrypted channel over the Internet --> Router; the router serves the family subnet directly, and the employee work subnet sits behind the Hardware VPN, so the family machines are never on the work subnet.)
Intrusion Detection Technology
IDS Objective: detect attacks in progress, to enable a timely response.
Basic infrastructure:
- Logging of events
- Sensors: collect information
- Analyzers: process sensor data
- Management modules: interface to operators

IDS: Types of Information that can be collected
At the host:
- Login (attempts)
- File accesses
- Operating system calls
On the network:
- packet traffic flow
- protocol type
- packet payload
Sensor Placement
Sensor placement determines which attacks can be detected (a sensor outside the perimeter sees every probe, one inside sees only what got through), but needs to be traded off against cost.
(Diagram: Internet --> De-militarized zone (web server) --> Internal network, with a Sensor placed on the path.)

Sensor Data Aggregation
Where is the aggregated sensor data analyzed?
- Host-based intrusion detection: each host analyses its own data
- Gossip: hosts share data with each other
- Centralized analysis server
Analysis Approaches
Anomaly Detection: patterns of activity that differ from the usual behaviour, e.g.:
- login to a machine/account not usually used
- login outside of usual hours, or from an unknown machine
- higher frequency than usual of some event types
Signature Detection: patterns of activity that an attacker is likely to engage in (e.g. access to system files).
Attacker response to this: slow down the rate of attack, staying under the thresholds that define "unusual".

The Statistics of Detection
1 in 100 people suffer from disease D.
Test T has 87% accuracy, i.e.:
- if person P has D, the test is positive with probability 87%
- if person P does not have D, the test is negative with probability 87%
Your doctor administers the test T and the result is positive. What is the probability that you do not have the disease D?
- low: 0-15%
- medium: 16-50%
- high: 51-90%
- very high: 91-100%
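The anomaly-detection heuristics above (unusual account, unusual hour, unknown source machine, unusual event frequency) as a host-based detector run over login records, as an added example for these notes (not code from the lecture): a baseline period builds a profile per account, and later logins that fall outside the profile are flagged with the reason. The log format (timestamp, user, source host, outcome), the thresholds and all log lines are constructed for illustration.

```python
"""Host-based anomaly detection over login records: learn each account's
usual hours, source hosts and per-hour login rate from a baseline period,
then flag later logins that fall outside that profile.

Added example for these notes, not code from the lecture. The log format
(timestamp user source_host outcome), the thresholds and all log lines are
constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple


class Event(NamedTuple):
    time: datetime
    user: str
    host: str
    outcome: str
    line: str


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, host, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, outcome, line))
    return events


def build_profiles(events):
    """Per user: set of login hours, set of source hosts, busiest baseline hour."""
    hours, hosts, per_hour = defaultdict(set), defaultdict(set), Counter()
    for e in events:
        hours[e.user].add(e.time.hour)
        hosts[e.user].add(e.host)
        per_hour[(e.user, e.time.date(), e.time.hour)] += 1
    return {u: {"hours": hours[u], "hosts": hosts[u],
                "max_per_hour": max(n for (user, _, _), n in per_hour.items() if user == u)}
            for u in hours}


def detect(profiles, events, burst_min=3, burst_factor=2):
    """Returns {log line: [reasons]} for events that deviate from the profile."""
    running = Counter()
    alerts = {}
    for e in events:
        reasons = []
        profile = profiles.get(e.user)
        key = (e.user, e.time.date(), e.time.hour)
        running[key] += 1
        if profile is None:
            reasons.append("unknown account")
        else:
            if e.time.hour not in profile["hours"]:
                reasons.append("unusual hour")
            if e.host not in profile["hosts"]:
                reasons.append("unknown source host")
            limit = max(burst_min, burst_factor * profile["max_per_hour"])
            if running[key] == limit + 1:  # flag once, when the limit is crossed
                reasons.append("login burst")
        if reasons:
            alerts[e.line] = reasons
    return alerts


# Constructed baseline: alice logs in mornings from two hosts, bob from one host.
BASELINE = """
2014-04-01T09:02:11 alice host-a success
2014-04-01T10:45:03 alice host-b success
2014-04-02T09:15:40 alice host-a success
2014-04-03T09:58:12 alice host-a success
2014-04-01T08:30:00 bob host-c success
2014-04-01T14:05:22 bob host-c success
2014-04-02T08:41:09 bob host-c success
2014-04-02T14:10:00 bob host-c success
2014-04-03T17:02:00 bob host-c success
"""

# Constructed window under analysis.
WINDOW = """
2014-04-08T09:15:00 alice host-a success
2014-04-08T03:10:00 alice host-a success
2014-04-08T14:00:00 bob host-z success
2014-04-08T14:01:00 bob host-c success
2014-04-08T14:02:00 bob host-c success
2014-04-08T14:03:00 bob host-c success
2014-04-08T14:04:00 bob host-c success
2014-04-08T11:00:00 mallory host-q failure
"""


def run_demo():
    return detect(build_profiles(parse(BASELINE)), parse(WINDOW))


if __name__ == "__main__":
    for line, reasons in run_demo().items():
        print(line, "->", ", ".join(reasons))
```

The burst rule is the one an attacker defeats by slowing down: four logins in the same hour trip it, four spread over a day from a known host at a usual hour trip nothing, which is exactly the "attacker response" noted above. The hour and host rules are also only as good as the baseline: a baseline that already contains the attacker's activity teaches the detector that it is normal.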
A Fundamental Problem with Intrusion Detection
Answer: very high! (I.e. you probably don't have it!)
By Bayes' theorem:
$$\Pr(D=\text{no} \mid T=\text{yes}) = \frac{\Pr(T=\text{yes} \mid D=\text{no})\,\Pr(D=\text{no})}{\Pr(T=\text{yes} \mid D=\text{yes})\,\Pr(D=\text{yes}) + \Pr(T=\text{yes} \mid D=\text{no})\,\Pr(D=\text{no})} = \frac{0.13 \times 0.99}{0.87 \times 0.01 + 0.13 \times 0.99} \approx 0.937$$
Note that we get a large contribution 0.13 × 0.99 ≈ 0.13 of false alarms compared to the small number 0.87 × 0.01 ≈ 0.0087 of correct alarms!
This problem affects IDS: if intrusions are rare, a high percentage of alarms will be false alarms, however good the per-event accuracy looks; what matters is the false-positive rate relative to the base rate of intrusions.

Security in the Large
Real-world security design requires:
- meeting multiple requirements from multiple sources
- balancing conflicting requirements
- trust relationships between independent organisations
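The Bayes calculation above carried through in code and generalised to an IDS, as an added example for these notes (not code from the lecture): the same formula gives the share of alarms that are false for any detector once its true-positive rate, false-positive rate and the base rate of intrusions are known, and can be solved the other way to give the false-positive rate a detector must reach for alarms to be worth chasing. The IDS figures used (a 99%/99% detector, base rates from 1 in 100 to 1 in a million events) are assumptions chosen to show the effect.

```python
"""The base-rate calculation behind the quiz, generalised to an IDS: the
fraction of alarms that are false depends on the detector's true-positive
rate, its false-positive rate and, above all, on how rare intrusions are.

Added example for these notes, not code from the lecture. The IDS figures
used below (99%/99% detector, base rates from 1 in 100 to 1 in a million)
are assumptions chosen to show the effect."""


def p_no_event_given_alarm(base_rate, sensitivity, specificity):
    """Pr(D = no | T = yes) by Bayes' theorem.
    base_rate   = Pr(D = yes)
    sensitivity = Pr(T = yes | D = yes)
    specificity = Pr(T = no  | D = no)"""
    true_alarms = sensitivity * base_rate
    false_alarms = (1 - specificity) * (1 - base_rate)
    return false_alarms / (true_alarms + false_alarms)


def quiz_answer():
    """The lecture's numbers: 1 in 100 has D, test is 87% accurate both ways."""
    return p_no_event_given_alarm(base_rate=0.01, sensitivity=0.87, specificity=0.87)


def ids_false_alarm_table(sensitivity=0.99, specificity=0.99,
                          base_rates=(1e-2, 1e-4, 1e-6)):
    """Share of alarms that are false for an (assumed) 99%/99% IDS as the
    per-event intrusion rate drops."""
    return {b: p_no_event_given_alarm(b, sensitivity, specificity) for b in base_rates}


def required_false_positive_rate(base_rate, sensitivity, target_precision):
    """Largest Pr(T = yes | D = no) for which Pr(D = yes | T = yes) >= target.
    Solve sensitivity*b / (sensitivity*b + fpr*(1-b)) = target for fpr."""
    return (sensitivity * base_rate * (1 - target_precision)
            / (target_precision * (1 - base_rate)))


if __name__ == "__main__":
    print(f"quiz: Pr(no D | positive) = {quiz_answer():.3f}")
    for b, p in ids_false_alarm_table().items():
        print(f"intrusion rate {b:g}: {p:.4%} of alarms are false")
    fpr = required_false_positive_rate(1e-4, 0.99, 0.5)
    print(f"for half of all alarms to be real at rate 1e-4: fpr <= {fpr:.2e}")
```

The table is the practical lesson: a detector that is 99% accurate in both directions produces one real alarm per false one when intrusions are 1 in 100 events, and one real alarm per hundred false ones when they are 1 in 10,000. Improving sensitivity barely moves this; driving the false-positive rate down to the order of the base rate is what makes an IDS usable.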
Example: Airport Security
Travel from Toronto to Los Angeles requires:
- Airline must ensure that passengers have paid to travel
- Clearance by US Immigration (before boarding, so it does not need to be done on arrival)
- US Customs clearance
- Flight security check (no bombs/weapons on the plane)
Problem: conduct a risk analysis and design the architecture of a security system for these requirements.

Actual Design at Toronto
(Diagram: stations as drawn: Airline check-in (issue boarding pass, weigh bags); US Immigration; Security Check; US Customs; Checked Luggage Drop. Two flows through the security check: people pass a boarding pass check, bags go through X-ray.)