Chapter 1: Introduction

Download Report

Transcript Chapter 1: Introduction

Naming and Certificates
• Certificates issued to a principal
– Principal uniquely identified to avoid confusion
• Problem: names may be ambiguous
– Does the name “Matt Bishop” refer to:
•
•
•
•
The author of this book?
A programmer in Australia?
A stock car driver in Muncie, Indiana?
Someone else who was named “Matt Bishop”
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-1
CAs and Policies
• Matt Bishop wants a certificate from Certs-fromUs
– How does Certs-from-Us know this is “Matt Bishop”?
• CA’s authentication policy says what type and strength of
authentication is needed to identify Matt Bishop to satisfy the
CA that this is, in fact, Matt Bishop
– Will Certs-from-Us issue this “Matt Bishop” a
certificate once he is suitably authenticated?
• CA’s issuance policy says to which principals the CA will issue
certificates
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-2
Example: Verisign CAs
• Class 1 CA issued certificates to individuals
– Authenticated principal by email address
• Idea: certificate used for sending, receiving email
with various security services at that address
• Class 2 CA issued certificates to individuals
– Authenticated by verifying user-supplied real
name and address through an online database
• Idea: certificate used for online purchasing
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-3
Example: Verisign CAs
• Class 3 CA issued certificates to individuals
– Authenticated by background check from
investigative service
• Idea: higher level of assurance of identity than Class
1 and Class 2 CAs
• Fourth CA issued certificates to web servers
– Same authentication policy as Class 3 CA
• Idea: consumers using these sites had high degree of
assurance the web site was not spoofed
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-4
Internet Certification Hierarchy
• Tree structured arrangement of CAs
– Root is Internet Policy Registration Authority, or IPRA
• Sets policies all subordinate CAs must follow
• Certifies subordinate CAs (called policy certification
authorities, or PCAs), each of which has own authentication,
issuance policies
• Does not issue certificates to individuals or organizations other
than subordinate CAs
– PCAs issue certificates to ordinary CAs
• Does not issue certificates to individuals or organizations other
than subordinate CAs
– CAs issue certificates to organizations or individuals
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-5
Example
• University of Valmont issues certificates to
students, staff
– Students must present valid reg cards
(considered low assurance)
– Staff must present proof of employment and
fingerprints, which are compared to those taken
when staff member hired (considered high
assurance)
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-6
Certificate Differences
• Student, staff certificates signed using different
private keys (for different CAs)
– Student’s signed by key corresponding to low assurance
certificate signed by first PCA
– Staff’s signed by key corresponding to high assurance
certificate signed by second PCA
• To see what policy used to authenticate:
– Determine CA signing certificate, check its policy
– Also go to PCA that signed CA’s certificate
• CAs are restricted by PCA’s policy, but CA can restrict itself
further
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-7
Types of Certificates
• Organizational certificate
– Issued based on principal’s affiliation with organization
– Example Distinguished Name
/O=University of Valmont/OU=Computer Science
Department/CN=Marsha Merteuille/
• Residential certificate
– Issued based on where principal lives
– No affiliation with organization implied
– Example Distinguished Name
/C=US/SP=Louisiana/L=Valmont/PA=1 Express
Way/CN=Marsha Merteuille/
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-8
Meaning of Identity
• Authentication validates identity
– CA specifies type of authentication
– If incorrect, CA may misidentify entity
unintentionally
• Certificate binds external identity to crypto
key and Distinguished Name
– Need confidentiality, integrity, anonymity
• Recipient knows same entity sent all messages, but
not who that entity is
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-9
Persona Certificate
• Certificate with meaningless Distinguished Name
– If DN is
/C=US/O=Microsoft Corp./CN=Bill Gates/
the real subject may not (or may) be Mr. Gates
– Issued by CAs with persona policies under a PCA with
policy that supports this
• PGP certificates can use any name, so provide this
implicitly
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-10
PGP Certificates
• Level of trust in signature field
• Four levels
–
–
–
–
Generic (no trust assertions made)
Persona (no verification)
Casual (some verification)
Positive (substantial verification)
• What do these mean?
– Meaning not given by OpenPGP standard
– Signer determines what level to use
– Casual to one signer may be positive to another
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-11
Identity on the Web
• Host identity
– Static identifiers: do not change over time
– Dynamic identifiers: changes as a result of an
event or the passing of time
• State and Cookies
• Anonymity
– Anonymous email
– Anonymity: good or bad?
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-12
Host Identity
• Bound up to networking
– Not connected: pick any name
– Connected: one or more names depending on
interfaces, network structure, context
• Name identifies principal
• Address identifies location of principal
– May be virtual location (network segment) as
opposed to physical location (room 222)
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-13
Example
• Layered network
– MAC layer
• Ethernet address: 00:05:02:6B:A8:21
• AppleTalk address: network 51, node 235
– Network layer
• IP address: 192.168.35.89
– Transport layer
• Host name: cherry.orchard.chekhov.ru
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-14
Danger!
• Attacker spoofs identity of another host
– Protocols at, above the identity being spoofed
will fail
– They rely on spoofed, and hence faulty,
information
• Example: spoof IP address, mapping
between host names and IP addresses
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-15
Domain Name Server
• Maps transport identifiers (host names) to
network identifiers (host addresses)
– Forward records: host names  IP addresses
– Reverse records: IP addresses  host names
• Weak authentication
– Not cryptographically based
– Various techniques used, such as reverse
domain name lookup
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-16
Reverse Domain Name Lookup
• Validate identity of peer (host) name
– Get IP address of peer
– Get associated host name via DNS
– Get IP addresses associated with host name
from DNS
– If first IP address in this set, accept name as
correct; otherwise, reject as spoofed
• If DNS corrupted, this won’t work
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-17
Dynamic Identifiers
• Assigned to principals for a limited time
– Server maintains pool of identifiers
– Client contacts server using local identifier
• Only client, server need to know this identifier
– Server sends client global identifier
• Client uses global identifier in other contexts, for
example to talk to other hosts
• Server notifies intermediate hosts of new client,
global identifier association
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-18
Example: DHCP
• DHCP server has pool of IP addresses
• Laptop sends DHCP server its MAC address,
requests IP address
– MAC address is local identifier
– IP address is global identifier
• DHCP server sends unused IP address
– Also notifies infrastructure systems of the association
between laptop and IP address
• Laptop accepts IP address, uses that to
communicate with hosts other than server
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-19
Example: Gateways
• Laptop wants to access host on another network
– Laptop’s address is 10.1.3.241
• Gateway assigns legitimate address to internal
address
– Say IP address is 101.43.21.241
– Gateway rewrites all outgoing, incoming packets
appropriately
– Invisible to both laptop, remote peer
• Internet protocol NAT works this way
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-20
Weak Authentication
• Static: host/name binding fixed over time
• Dynamic: host/name binding varies over
time
– Must update reverse records in DNS
• Otherwise, the reverse lookup technique fails
– Cannot rely on binding remaining fixed unless
you know the period of time over which the
binding persists
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-21
DNS Security Issues
• Trust is that name/IP address binding is
correct
• Goal of attacker: associate incorrectly an IP
address with a host name
– Assume attacker controls name server, or can
intercept queries and send responses
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-22
Attacks
• Change records on server
• Add extra record to response, giving incorrect
name/IP address association
– Called “cache poisoning”
• Attacker sends victim request that must be
resolved by asking attacker
– Attacker responds with answer plus two records for
address spoofing (1 forward, 1 reverse)
– Called “ask me”
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-23
Cookies
• Token containing information about state of
transaction on network
– Usual use: refers to state of interaction between
web browser, client
– Idea is to minimize storage requirements of
servers, and put information on clients
• Client sends cookies to server
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-24
Some Fields in Cookies
• name, value: name has given value
• expires: how long cookie valid
– Expired cookies discarded, not sent to server
– If omitted, cookie deleted at end of session
• domain: domain for which cookie intended
– Consists of last n fields of domain name of server
– Must have at least one “.” in it
• secure: send only over secured (SSL, HTTPS)
connection
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-25
Example
• Caroline puts 2 books in shopping cartcart at
books.com
– Cookie: name bought, value BK=234&BK=8753,
domain .books.com
• Caroline looks at other books, but decides to buy
only those
– She goes to the purchase page to order them
• Server requests cookie, gets above
– From cookie, determines books in shopping cart
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-26
Who Can Get the Cookies?
• Web browser can send any cookie to a web server
– Even if the cookie’s domain does not match that of the
web server
– Usually controlled by browser settings
• Web server can only request cookies for its
domain
– Cookies need not have been sent by that browser
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-27
Where Did the Visitor Go?
• Server books.com sends Caroline 2 cookies
– First described earlier
– Second has name “id”, value “books.com”, domain
“adv.com”
• Advertisements at books.com include some from
site adv.com
– When drawing page, Caroline’s browser requests
content for ads from server “adv.com”
– Server requests cookies from Caroline’s browser
– By looking at value, server can tell Caroline visited
“books.com”
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-28
Chapter 23: Network Security
•
•
•
•
•
Introduction to the Drib
Policy Development
Network Organization
Availability
Anticipating Attacks
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-29
Network Organization
• Partition network into several subnets
– Guards between them prevent leaks
Internet
DMZ
Outer firewall
Web server
Mail serv er
INTERNAL
Corporate data subnet
DNS server
Customer data subnet
Inner firewall
Internal
DNS server
November 1, 2004
Development subnet
Internal
mail server
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-30
DMZ
• Portion of network separating purely
internal network from external network
– Allows control of accesses to some trusted
systems inside the corporate perimeter
– If DMZ systems breached, internal systems still
safe
– Can perform different types of checks at
boundary of internal,DMZ networks and
DMZ,Internet network
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-31
Firewalls
• Host that mediates access to a network
– Allows, disallows accesses based on configuration and
type of access
• Example: block Back Orifice
– BO allows external users to control systems
• Requires commands to be sent to a particular port (say, 25345)
– Firewall can block all traffic to or from that port
• So even if BO installed, outsiders can’t use it
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-32
Filtering Firewalls
• Access control based on attributes of
packets and packet headers
– Such as destination address, port numbers,
options, etc.
– Also called a packet filtering firewall
– Does not control access based on content
– Examples: routers, other infrastructure systems
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-33
Proxy
• Intermediate agent or server acting on
behalf of endpoint without allowing a direct
connection between the two endpoints
– So each endpoint talks to proxy, thinking it is
talking to other endpoint
– Proxy decides whether to forward messages,
and whether to alter them
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-34
Proxy Firewall
• Access control done with proxies
– Usually bases access control on content as well as
source, destination addresses, etc.
– Also called an applications level or application level
firewall
– Example: virus checking in electronic mail
•
•
•
•
Incoming mail goes to proxy firewall
Proxy firewall receives mail, scans it
If no virus, mail forwarded to destination
If virus, mail rejected or disinfected before forwarding
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-35
Views of a Firewall
• Access control mechanism
– Determines which traffic goes into, out of
network
• Audit mechanism
– Analyzes packets that enter
– Takes action based upon the analysis
• Leads to traffic shaping, intrusion response, etc.
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-36
Analysis of Drib Network
• Security policy: “public” entities on outside
but may need to access corporate resources
– Those resources provided in DMZ
• No internal system communicates directly
with systems on Internet
– Restricts flow of data to “public”
– For data to flow out, must pass through DMZ
• Firewalls, DMZ are “pump”
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-37
Implementation
• Conceal all internal addresses
– Make them all on 10., 172., or 192.168. subnets
• Inner firewall uses NAT to map addresses to firewall’s address
– Give each host a non-private IP address
• Inner firewall never allows those addresses to leave internal
network
• Easy as all services are proxied by outer firewall
– Email is a bit tricky …
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-38
Email
• Problem: DMZ mail server must know
address in order to send mail to internal
destination
– Could simply be distinguished address that
causes inner firewall to forward mail to internal
mail server
• Internal mail server needs to know DMZ
mail server address
– Same comment
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-39
DMZ Web Server
• In DMZ so external customers can access it
without going onto internal network
– If data needs to be sent to internal network
(such as for an order), transmission is made
separately and not as part of transaction
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-40
Application of Principles
• Least privilege
– Containment of internal addresses
• Complete mediation
– Inner firewall mediates every access to DMZ
• Separation of privilege
– Going to Internet must pass through inner, outer
firewalls and DMZ servers
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-41
Application of Principles
• Least common mechanism
– Inner, outer firewalls distinct; DMZ servers
separate from inner servers
– DMZ DNS violates this principle
• If it fails, multiple systems affected
• Inner, outer firewall addresses fixed, so they do not
depend on DMZ DNS
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-42
Outer Firewall Configuration
• Goals: restrict public access to corporate
network; restrict corporate access to Internet
• Required: public needs to send, receive
email; access web services
– So outer firewall allows SMTP, HTTP, HTTPS
– Outer firewall uses its address for those of mail,
web servers
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-43
Details
• Proxy firewall
• SMTP: mail assembled on firewall
– Scanned for malicious logic; dropped if found
– Otherwise forwarded to DMZ mail server
• HTTP, HTTPS: messages checked
– Checked for suspicious components like very long
lines; dropped if found
– Otherwise, forwarded to DMZ web server
• Note: web, mail servers different systems
– Neither same as firewall
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-44
Attack Analysis
• Three points of entry for attackers:
– Web server ports: proxy checks for invalid,
illegal HTTP, HTTPS requests, rejects them
– Mail server port: proxy checks email for
invalid, illegal SMTP requests, rejects them
– Bypass low-level firewall checks by exploiting
vulnerabilities in software, hardware
• Firewall designed to be as simple as possible
• Defense in depth
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-45
Defense in Depth
• Form of separation of privilege
• To attack system in DMZ by bypassing
firewall checks, attacker must know internal
addresses
– Then can try to piggyback unauthorized
messages onto authorized packets
• But the rewriting of DMZ addresses
prevents this
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-46
Inner Firewall Configuration
• Goals: restrict access to corporate internal network
• Rule: block all traffic except for that specifically
authorized to enter
– Principle of fail-safe defaults
• Example: Drib uses NFS on some internal systems
– Outer firewall disallows NFS packets crossing
– Inner firewall disallows NFS packets crossing, too
• DMZ does not need access to this information (least privilege)
• If inner firewall fails, outer one will stop leaks, and vice versa
(separation of privilege)
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-47
More Configuration
• Internal folks require email
– SMTP proxy required
• Administrators for DMZ need login access
– So, allow SSH through provided:
• Destination is a DMZ server
• Originates at specific internal host (administrative host)
– Violates least privilege, but ameliorated by above
• DMZ DNS needs to know address of
administrative host
– More on this later
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-48
DMZ
• Look at servers separately:
– Web server: handles web requests with Internet
• May have to send information to internal network
– Email server: handles email with Internet
• Must forward email to internal mail server
– DNS
• Used to provide addresses for systems DMZ servers talk to
– Log server
• DMZ systems log info here
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-49
DMZ Mail Server
• Performs address, content checking on all
email
• Goal is to hide internal information from
outside, but be transparent to inside
• Receives email from Internet, forwards it to
internal network
• Receives email from internal network,
forwards it to Internet
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-50
Mail from Internet
• Reassemble messages into header, letter,
attachments as files
• Scan header, letter, attachments looking for “bad”
content
– “Bad” = known malicious logic
– If none, scan original letter (including attachments and
header) for violation of SMTP spec
• Scan recipient address lines
– Address rewritten to direct mail to internal mail server
– Forward letter there
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-51
Mail to Internet
• Like mail from Internet with 2 changes:
– Step 2: also scan for sensitive data (like
proprietary markings or content, etc.)
– Step 3: changed to rewrite all header lines
containing host names, email addresses, and IP
addresses of internal network
• All are replaced by “drib.org” or IP address of
external firewall
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-52
Administrative Support
• Runs SSH server
– Configured to accept connections only from
trusted administrative host in internal network
– All public keys for that host fixed; no
negotiation to obtain those keys allowed
– Allows administrators to configure, maintain
DMZ mail host remotely while minimizing
exposure of host to compromise
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-53
DMZ Web Server
• Accepts, services requests from Internet
• Never contacts servers, information sources
in internal network
• CGI scripts checked for potential attacks
– Hardened to prevent attacks from succeeding
– Server itself contains no confidential data
• Server is www.drib.org and uses IP address
of outer firewall when it must supply one
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-54
Updating DMZ Web Server
• Clone of web server kept on internal network
– Called “WWW-clone”
• All updates done to WWW-clone
– Periodically admins copy contents of WWW-clone to
DMZ web server
• DMZ web server runs SSH server
– Used to do updates as well as maintenance,
configuration
– Secured like that of DMZ mail server
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-55
Internet Ordering
• Orders for Drib merchandise from Internet
– Customer enters data, which is saved to file
– After user confirms order, web server checks format,
content of file and then uses public key of system on
internal customer subnet to encipher it
• This file is placed in a spool area not accessible to web server
program
– Original file deleted
– Periodically, internal trusted administrative host
uploads these files, and forwards them to internal
customer subnet system
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-56
Analysis
• If attacker breaks into web server, cannot get order
information
– There is a slight window where the information of
customers still on system can be obtained
• Attacker can get enciphered files, public key used
to encipher them
– Use of public key cryptography means it is
computationally infeasible for attacker to determine
private key from public key
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-57
DMZ DNS Server
• Supplies DNS information for some hosts to
DMZ:
– DMZ mail, web, log hosts
– Internal trusted administrative host
• Not fixed for various reasons; could be …
– Inner firewall
– Outer firewall
• Note: Internal server addresses not present
– Inner firewall can get them, so DMZ hosts do not need
them
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-58
DMZ Log Server
• DMZ systems all log information
– Useful in case of problems, attempted compromise
• Problem: attacker will delete or alter them if
successful
– So log them off-line to this server
• Log server saves logs to file, also to write-once
media
– Latter just in case log server compromised
• Runs SSH server
– Constrained in same way server on DMZ mail server is
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-59
Summary
• Each server knows only what is needed to do its
task
– Compromise will restrict flow of information but not
reveal info on internal network
• Operating systems and software:
– All unnecessary features, servers disabled
– Better: create custom systems
• Proxies prevent direct connection to systems
– For all services except SSH from internal network to
DMZ, which is itself constrained by source, destination
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-60
Internal Network
• Goal: guard against unauthorized access to
information
– “read” means fetching file, “write” means depositing
file
• For now, ignore email, updating of DMZ web
server, internal trusted administrative host
• Internal network organized into 3 subnets, each
corresponding to Drib group
– Firewalls control access to subnets
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-61
Internal Mail Server
• Can communicate with hosts on subnets
• Subnet may have mail server
– Internal DNS need only know subnet mail server’s
address
• Subnet may allow mail to go directly to
destination host
– Internal DNS needs to know addresses of all destination
hosts
• Either satisfies policy
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-62
Analysis
• DMZ servers never communicate with internal
servers
– All communications done via inner firewall
• Only client to DMZ that can come from internal
network is SSH client from trusted administrative
host
– Authenticity established by public key authentication
• Only data non-administrative folks can alter are
web pages
– Even there, they do not access DMZ
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-63
Analysis
• Only data from DMZ is customer orders
and email
– Customer orders already checked for potential
errors, enciphered, and transferred in such a
way that it cannot be executed
– Email thoroughly checked before it is sent to
internal mail server
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-64
Assumptions
• Software, hardware does what it is supposed
to
– If software compromised, or hardware does not
work right, defensive mechanisms fail
– Reason separation of privilege is critical
• If component A fails, other components provide
additional defenses
• Assurance is vital!
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-65
Availability
• Access over Internet must be unimpeded
– Context: flooding attacks, in which attackers try to
overwhelm system resources
• Example: SYN flood
– Problem: server cannot distinguish legitimate
handshake from one that is part of this attack
• Only difference is whether third part of TCP handshake is sent
– Flood can overwhelm communication medium
• Can’t do anything about this (except buy a bigger pipe)
– Flood can overwhelm resources on our system
• We start here
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-66
Intermediate Hosts
• Use routers to divert, eliminate illegitimate
traffic
– Goal: only legitimate traffic reaches firewall
– Example: Cisco routers try to establish
connection with source (TCP intercept mode)
• On success, router does same with intended
destination, merges the two
• On failure, short time-out protects router resources
and target never sees flood
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-67
Intermediate Hosts
• Use network monitor to track status of handshake
– Example: synkill monitors traffic on network
• Classifies IP addresses as not flooding (good), flooding (bad),
unknown (new)
• Checks IP address of SYN
– If good, packet ignored
– If bad, send RST to destination; ends handshake, releasing
resources
– If new, look for ACK or RST from same source; if seen, change
to good; if not seen, change to bad
• Periodically discard stale good addresses
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-68
Intermediate Hosts
• Problem: don’t solve problem!
– They move the locus of the problem to the
intermediate system
– In Drib’s case, Drib does not control these
systems
• So, consider endpoints
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-69
Against Outer Firewall
• Unsuccessful attacks
– Logged, then ignored
– Security folks use these to justify budget, train
new personnel
• Successful attack against SMTP proxy
– Proxy will start non-standard programs
– Anomaly detection component of IDS on log
server will report unusual behavior
• Security officers monitor this around the clock
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-70
In the DMZ
• Very interested in attacks, successful or not
• Means someone who has obtained access to DMZ
launched attack
– Some trusted administrator shouldn’t be trusted
– Some server on outer firewall is compromised
– Software on DMZ system not restrictive enough
• IDS system on DMZ log server looks for misuse
(known attacks) to detect this
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-71
Checking the IDS
• IDS allows Drib to add attack signatures
and tune parameters to control reporting of
events
– Experimented to find good settings
– Verify this every month by doing manual
checks for two 1-hour periods (chosen at
random) and comparing with reported events
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-72
Key Points
• Begin with policy
• Craft network architecture and security
measures from it
• Assume failure will occur
– Try to minimize it
– Defend in depth
– Have plan to handle failures
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-73
Chapter 24: System Security
•
•
•
•
•
•
•
•
Introduction
Policy
Networks
Users
Authentication
Processes
Files
Retrospective
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-74
Introduction
• How does administering security affect a system?
• Focus on two systems
– DMZ web server
– User system in development subnet
• Assumptions
– DMZ system: assume any user of trusted administrative
host has authenticated to that system correctly and is a
“trusted” user
– Development system: standard UNIX or UNIX-like
system which a set of developers can use
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-75
Policy
• Web server policy discussed in Chapter 23
– Focus on consequences
• Development system policy components,
effects
• Comparison
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-76
DMZ Web Server:
Consequences of Policy
1. Incoming web connections come from outer firewall
2. Users log in from trusted administrative host; web pages
also downloaded through it
3. Log messages go to DMZ log host only
4. Web server may query DMZ DNS system for IP addresses
5. Other than these, no network services provided
6. Runs CGI scripts
– One writes enciphered data to spool area
7. Implements services correctly, restricts access as much as
possible
8. Public keys reside on web server
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-77
Constraints on DMZ Web Server
WC1
No unrequested network connections except
HTTP, HTTPS from outer firewall and SSH
from trusted administrative host
– Replies to DNS queries from DMZ DNS okay
WC2
User access only to those with user access to
trusted administrative host
– Number of these users as small as possible
– All actions attributed to individual account, not
group or group account
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-78
Constraints on DMZ Web Server
WC3
Configured to provide minimal access to
system
– Transfer of enciphered file to spool area should
not be under web server control
WC4
Software is high assurance
– Needs extensive logging
WC5
Contains as few programs, as little software,
configuration information, and other data as
possible
– Minimizes effects of successful attack
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-79
Development System
• Development network (devnet) background
–
–
–
–
–
–
Firewall separating it from other subnets
DNS server
Logging server for all logs
File servers
User database information servers
Isolated system used to build “base system
configuration” for deployment to user systems
– User systems
• What follows applies only to user systems
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-80
Devnet User System:
Policy Components
1.
2.
3.
4.
5.
6.
7.
Only authorized users can use devnet systems; can work
on any workstation
Sysadmins must be able to access workstations at any
time
Authorized users trusted not to attack systems
All network communications except email confidential,
integrity checked
Base standard configuration cannot be changed
Backups allow any system to be restored
Periodic, ongoing audits of devnet systems
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-81
Consequences for Infrastructure
• Firewall at boundary enforces network security
policy
– Changes to network policy made only at firewall
– Devnet systems need not be as tightly secured
• No direct access between Internet, devnet systems
– Developers who need to do so have separate
workstations connected to commercial ISP
– These are physically disconnected from devnet and
cannot be easily reconnected
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-82
Consequences for User Systems
DC1
Communications authenticated, enciphered,
integrity checked
– Consistent naming scheme across systems
DC2
Each workstation has privileged accounts for
administrators
– Multiple administrative accounts to limit access
to particular privileged functions
DC3
Notion of “audit” or “login” identity
associated with each action
– So actions can be tied to individuals
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-83
Consequences for User Systems
DC4
Need approval to install program, and must
install it in special area
– Separates it from base system software
DC5
Each workstation protects base system
software from being altered
– Best way: keep it on read-only media
DC6
Employee’s files be available continuously
– Even if workstation goes down
– Same permissions wherever employee accesses
them
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-84
Consequences for User Systems
DC7 Workstations store only transient files,
so need not be backed up
– Permanent files stores on file server,
mounted remotely
– Software, kernel on read-only media
DC8 Logging system to hold logs needed
– Security officers need access to systems,
network
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-85
Procedural Mechanisms
• Some restrictions cannot be enforced by
technology
– Moving files between ISP workstation, devnet
workstation using a floppy
– No technological way to prevent this except by
removing floppy drive
• Infeasible due to nature of ISP workstations
– Drib has made procedures, consequences for
violating procedures, very clear
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-86
DMZ Web Server
• Accepts web requests only from inner firewall
– May allow internal users to access web site for testing
purposes in near future
• Configuration file for web server software:
order allow, deny
allow from outer_firewall
allow from inner_firewall
deny from all
evaluate allow, then deny lines
anything outer firewall sends is okay
anything inner firewall sends is okay
don’t accept anything else
• Note inner firewall prevents internal hosts from
accessing DMZ web server (for now)
– If changed, web server configuration will stay same
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-87
DMZ Web Server: Web Server
• Accepts SSH connections only from trusted
administrative host
• Configuration file for web software:
order allow, deny
allow from outer_firewall
allow from inner_firewall
deny from all
evaluate allow, then deny lines
anything outer firewall sends is okay
anything inner firewall sends is okay
don’t accept anything else
• Note inner firewall prevents internal hosts from
accessing DMZ web server (for now)
– If changed, web server configuration will stay same
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-88
DMZ Web Server: SSH Server
• Accepts SSH connections only from authorized
users coming in from trusted administrative server
– SSH provides per host and per user authentication
– Public keys pre-loaded on web server
• Configuration file for ssh server:
allow trusted_admin_server
deny all
connections from admin server okay
refuse all others
• Note inner firewall prevents other internal hosts
from accessing SSH server on this system
– Not expected to change
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-89
DMZ Web Server: Clients
• DNS client to get IP addresses, host names
from DMZ DNS
– Client ignores extraneous data
– If different responses to query, discard both
• Logging client to send log messages to
DMZ log server
– Log any attempted connections to any port
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-90
Checking Security
• Security officers scan network ports on
systems
– Compare to expected list of authorized systems
and open ports
• Discrepencies lead to questions
• Security officers attack devnet systems
– Goal: see how well they withstand attacks
– Results used to change software, procedures to
improve security
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-91
DMZ Web Server
• At most 2 users and 1 sysadmin
– First user reads (serves) web pages, writes to
web transaction areas
– Second user moves files from web transaction
area to commerce transaction spooling area
– Sysadmin manages system
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-92
DMZ Web Server
• SSH: cryptographic authentication for hosts
– Does not use IP addresses
– Reject connection if authentication fails
• SSH: crypto for user; password on failure
– Experimenting with smart card systems, so uses PAM
• Passwords: use MD-5 hash to protect passwords
– Can be as long as desired
– Proactive password checking to ensure they are hard to
guess
– No password aging
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-93
DMZ Web Server
• Necessary processes:
– Web server
• Enough privileges to read pages, execute CGI scripts
– Commerce server
• Enough privileges to copy files from web server’s area to spool
area; not enough to alter web pages
– SSH server (privileged)
– Login server (privileged)
• If a physical terminal or console
– Any essential OS services (privileged)
• Page daemon, etc.
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-94
DMZ Web Server
• System programs, configuration files, etc. are on
CD-ROM
– If attacker succeeds in breaking in, modifying in-core
processes, then sysadmins simply reboot to recover
– Public key for internal commerce server here, too
• Only web pages change
– Too often to make putting them on CD-ROM
– Small hard drive holds pages, spool areas, temp
directories, sysadmin home directory
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-95
DMZ Web Server
• Everything statically linked
– No compilers, dynamic loaders, etc.
• Command interpreter for sysadmin
– Programs to start, stop servers
– Programs to edit, create, delete, view files
– Programs to monitor systems
• No other programs
– None to read mail or news, no batching, no web
browsers, etc.
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-96
DMZ Web Server
• Checking integrity of DMZ web server
– Not done
• If question:
–
–
–
–
–
Stop web server
Transfer all remaining transaction files
Reboot system from CD-ROM
Reformat hard drive
Reload contents of user directories, web pages from
WWW-clone
– Restart servers
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-97
Summary: DMZ Web Server
• Runs as few services as possible
• Keeps everything on unalterable media
• Checks source of all connections
– Web: from outer firewall only
– SSH: from trusted administrative host only
• Web, commerce servers transfer files via
shared directory
– They do not directly communicate
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-98
Summary: Devnet Workstation
• Runs as few programs, servers as possible
– Many more than DMZ web server, though
• Security prominent but not dominant
– Must not interfere with ability of developer to do job
– Security mechanisms hinder attackers, help find
attackers, and enable rapid recovery from successful
attack
• Access from network allowed
– Firewall(s) assumed to keep out unwanted users, so
security mechanisms are second line of defense
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #10-99