DISTRIBUTED SYSTEMS SECURITY




DISTRIBUTED SYSTEMS SECURITY
Issues, Processes and Solutions

Abhijit Belapurkar, Yahoo! Software Development India Pvt. Ltd., India
Anirban Chakrabarti, Infosys Technologies Ltd., India
Harigopal Ponnapalli, Infosys Technologies Ltd., India
Niranjan Varadarajan, Infosys Technologies Ltd., India
Srinivas Padmanabhuni, Infosys Technologies Ltd., India
Srikanth Sundarrajan, Infosys Technologies Ltd., India

WILEY
A John Wiley and Sons, Ltd., Publication

Contents

List of Figures
List of Tables
Foreword
Preface

Chapter 1 Introduction
  1.1 Background
  1.2 Distributed Systems
    1.2.1 Characteristics of Distributed Systems
    1.2.2 Types of Distributed System
    1.2.3 Different Distributed Architectures
    1.2.4 Challenges in Designing Distributed Systems
  1.3 Distributed Systems Security
    1.3.1 Enterprise IT - A Layered View
    1.3.2 Trends in IT Security
  1.4 About the Book
    1.4.1 Target Audience
  References

Chapter 2 Security Engineering
  2.1 Introduction
  2.2 Secure Development Lifecycle Processes - An Overview
    2.2.1 Systems Security Engineering Capability Maturity Model (SSE-CMM)
    2.2.2 Microsoft's Security Development Lifecycle (SDL)
    2.2.3 Comprehensive Lightweight Application Security Process (CLASP)
    2.2.4 Build Security In
  2.3 A Typical Security Engineering Process
    2.3.1 Requirements Phase
    2.3.2 Architecture and Design Phase
    2.3.3 Development (Coding) Phase
    2.3.4 Testing Phase
  2.4 Important Security Engineering Guidelines and Resources
    2.4.1 Security Requirements
    2.4.2 Architecture and Design
    2.4.3 Secure Coding
    2.4.4 Security Testing
  2.5 Conclusion
  References

Chapter 3 Common Security Issues and Technologies
  3.1 Security Issues
    3.1.1 Authentication
    3.1.2 Authorization
    3.1.3 Data Integrity
    3.1.4 Confidentiality
    3.1.5 Availability
    3.1.6 Trust
    3.1.7 Privacy
    3.1.8 Identity Management
  3.2 Common Security Techniques
    3.2.1 Encryption
    3.2.2 Digital Signatures and Message Authentication Codes
    3.2.3 Authentication Mechanisms
    3.2.4 Public Key Infrastructure (PKI)
    3.2.5 Models of Trust
    3.2.6 Firewalls
  3.3 Conclusion
  References

Chapter 4 Host-Level Threats and Vulnerabilities
  4.1 Background
    4.1.1 Transient Code Vulnerabilities
    4.1.2 Resident Code Vulnerabilities
  4.2 Malware
    4.2.1 Trojan Horse
    4.2.2 Spyware
    4.2.3 Worms/Viruses
  4.3 Eavesdropping
    4.3.1 Unauthorized Access to Confidential Data - by Users
    4.3.2 Unauthorized Access to Protected or Privileged Binaries - by Users
    4.3.3 Unauthorized Tampering with Computational Results
    4.3.4 Unauthorized Access to Private Data - by Jobs
  4.4 Job Faults
  4.5 Resource Starvation
  4.6 Overflow
    4.6.1 Stack-Based Buffer Overflow
    4.6.2 Heap-Based Buffer Overflow
  4.7 Privilege Escalation
  4.8 Injection Attacks
    4.8.1 Shell/PHP Injection
    4.8.2 SQL Injection
  4.9 Conclusion
  References

Chapter 5 Infrastructure-Level Threats and Vulnerabilities
  5.1 Introduction
  5.2 Network-Level Threats and Vulnerabilities
    5.2.1 Denial-of-Service Attacks
    5.2.2 DNS Attacks
    5.2.3 Routing Attacks
    5.2.4 Wireless Security Vulnerabilities
  5.3 Grid Computing Threats and Vulnerabilities
    5.3.1 Architecture-Related Issues
    5.3.2 Infrastructure-Related Issues
    5.3.3 Management-Related Issues
  5.4 Storage Threats and Vulnerabilities
    5.4.1 Security in Storage Area Networks
    5.4.2 Security in Distributed File Systems
  5.5 Overview of Infrastructure Threats and Vulnerabilities
  References

Chapter 6 Application-Level Threats and Vulnerabilities
  6.1 Introduction
  6.2 Application-Layer Vulnerabilities
    6.2.1 Injection Vulnerabilities
    6.2.2 Cross-Site Scripting (XSS)
    6.2.3 Improper Session Management
    6.2.4 Improper Error Handling
    6.2.5 Improper Use of Cryptography
    6.2.6 Insecure Configuration Issues
    6.2.7 Denial of Service
    6.2.8 Canonical Representation Flaws
    6.2.9 Overflow Issues
  6.3 Conclusion
  References
  Further Reading

Chapter 7 Service-Level Threats and Vulnerabilities
  7.1 Introduction
  7.2 SOA and Role of Standards
    7.2.1 Standards Stack for SOA
  7.3 Service-Level Security Requirements
    7.3.1 Authentication
    7.3.2 Authorization and Access Control
    7.3.3 Auditing and Nonrepudiation
    7.3.4 Availability
    7.3.5 Confidentiality
    7.3.6 Data Integrity
    7.3.7 Privacy
    7.3.8 Trust
    7.3.9 Federation and Delegation
  7.4 Service-Level Threats and Vulnerabilities
    7.4.1 Anatomy of a Web Service
  7.5 Service-Level Attacks
    7.5.1 Known Bug Attacks
    7.5.2 SQL Injection Attacks
    7.5.3 XPath and XQuery Injection Attacks
    7.5.4 Blind XPath Injection
    7.5.5 Cross-Site Scripting Attacks
    7.5.6 WSDL Probing
    7.5.7 Enumerating Service from WSDL
    7.5.8 Parameter-Based Attacks
    7.5.9 Authentication Attacks
    7.5.10 Man-in-the-Middle Attacks
    7.5.11 SOAP Routing Attacks
    7.5.12 SOAP Attachments Virus
    7.5.13 XML Signature Redirection Attacks
    7.5.14 XML Attacks
    7.5.15 Schema-Based Attacks
    7.5.16 UDDI Registry Attacks
  7.6 Services Threat Profile
  7.7 Conclusion
  References
  Further Reading

Chapter 8 Host-Level Solutions
  8.1 Background
  8.2 Sandboxing
    8.2.1 Kernel-Level Sandboxing
    8.2.2 User-Level Sandboxing
    8.2.3 Delegation-Based Sandboxing
    8.2.4 File-System Isolation
  8.3 Virtualization
    8.3.1 Full-System Virtualization
    8.3.2 Para Virtualization
    8.3.3 Shared-Kernel Virtualization
    8.3.4 Hosted Virtualization
    8.3.5 Hardware Assists
    8.3.6 Security Using Virtualization
    8.3.7 Future Security Trends Based on Virtualization
    8.3.8 Application Streaming
  8.4 Resource Management
    8.4.1 Advance Reservation
    8.4.2 Priority Reduction
    8.4.3 Solaris Resource Manager
    8.4.4 Windows System Resource Manager
    8.4.5 Citrix ARMTech
    8.4.6 Entitlement-Based Scheduling
  8.5 Proof-Carrying Code
  8.6 Memory Firewall
  8.7 Antimalware
    8.7.1 Signature-Based Protection
    8.7.2 Real-Time Protection
    8.7.3 Heuristics-Based Worm Containment
    8.7.4 Agent Defense
  8.8 Conclusion
  References

Chapter 9 Infrastructure-Level Solutions
  9.1 Introduction
  9.2 Network-Level Solutions
    9.2.1 Network Information Security Solutions
    9.2.2 Denial-of-Service Solutions
    9.2.3 DNS Solution - DNSSEC
    9.2.4 Routing Attack Solutions
    9.2.5 Comments on Network Solutions
  9.3 Grid-Level Solutions
    9.3.1 Architecture Security Solutions
    9.3.2 Grid Infrastructure Solutions
    9.3.3 Grid Management Solutions
    9.3.4 Comments on Grid Solutions
  9.4 Storage-Level Solutions
    9.4.1 Fiber-Channel Security Protocol (FC-SP) - Solution for SAN Security
    9.4.2 Distributed File System (DFS) Security
    9.4.3 Comments on Storage Solutions
  9.5 Conclusion
  References

Chapter 10 Application-Level Solutions
  10.1 Introduction
  10.2 Application-Level Security Solutions
    10.2.1 Input Validation Techniques
    10.2.2 Secure Session Management
    10.2.3 Cryptography Use
    10.2.4 Preventing Cross-Site Scripting
    10.2.5 Error-Handling Best Practices
  10.3 Conclusion
  References

Chapter 11 Service-Level Solutions
  11.1 Introduction
  11.2 Services Security Policy
    11.2.1 Threat Classification
  11.3 SOA Security Standards Stack
    11.3.1 Inadequacy of SSL for Web Services
  11.4 Standards in Depth
    11.4.1 XML Signature
    11.4.2 XML Encryption
    11.4.3 Web-Services Security (WS Security)
    11.4.4 Security Assertions Mark-Up Language (SAML)
    11.4.5 WS Policy
    11.4.6 WS Trust
    11.4.7 WS Security Policy
    11.4.8 WS Secure Conversation
    11.4.9 XKMS (XML Key Management Specification)
    11.4.10 WS Privacy and P3P
    11.4.11 Federated Identity Standards - Liberty Alliance Project and WS Federation
    11.4.12 WS-I Basic Security Profile
    11.4.13 Status of Standards
  11.5 Deployment Architectures for SOA Security
    11.5.1 Message-Level Security and Policy Infrastructure
    11.5.2 XML Firewalls
  11.6 Managing Service-Level Threats
    11.6.1 Combating SQL and XPath Injection Attacks
    11.6.2 Combating Cross-Site Scripting Attacks
    11.6.3 Combating Phishing and Routing Attacks
    11.6.4 Handling Authentication Attacks
    11.6.5 Handling Man-in-the-Middle Attacks
    11.6.6 Handling SOAP Attachment Virus Attacks
    11.6.7 Handling Parameter-Tampering Attacks
    11.6.8 XML Attacks
    11.6.9 Known-Bug Attacks
  11.7 Service Threat Solution Mapping
  11.8 XML Firewall Configuration-Threat Mapping
  11.9 Conclusion
  References
  Further Reading

Chapter 12 Case Study: Compliance in Financial Services
  12.1 Introduction
  12.2 SOX Compliance
    12.2.1 Identity Management
    12.2.2 Policy-Based Access Control
    12.2.3 Strong Authentication
    12.2.4 Data Protection and Integrity
  12.3 SOX Security Solutions
    12.3.1 People
    12.3.2 Process
    12.3.3 Technology
  12.4 Multilevel Policy-Driven Solution Architecture
    12.4.1 Logical Architecture and Middleware
  12.5 Conclusion
  References
  Further Reading

Chapter 13 Case Study: Grid
  13.1 Background
  13.2 The Financial Application
  13.3 Security Requirements Analysis
    13.3.1 Confidentiality Requirement Analysis
    13.3.2 Authentication Requirement Analysis
    13.3.3 Single Sign-On and Delegation Requirement Analysis
    13.3.4 Authorization Requirement Analysis
    13.3.5 Identity Management Requirement Analysis
    13.3.6 Secure Repository Requirement Analysis
    13.3.7 Trust Management Requirement Analysis
    13.3.8 Monitoring and Logging Requirement Analysis
    13.3.9 Intrusion Detection Requirement Analysis
    13.3.10 Data Protection and Isolation Requirement Analysis
    13.3.11 Denial of Service Requirement Analysis
  13.4 Final Security Architecture

Chapter 14 Future Directions and Conclusions
  14.1 Future Directions
    14.1.1 Cloud Computing Security
    14.1.2 Security Appliances
    14.1.3 Usercentric Identity Management
    14.1.4 Identity-Based Encryption (IBE)
    14.1.5 Virtualization in Host Security
  14.2 Conclusions
  References
  Further Reading

Index