Com puter Security Part Four Last tim e Cryptography - - PDF document

Com puter Security – Part Four

Last tim e

• Cryptography
• Authentication
• Key Management

– KDC – Symmetric keys – Asymmetric keys – PKI

• Security Protocols

– Kerberos – (SSL/ TLS) Threats Policy Specification Design Implementation Operation and Maintenance

Today’s lecture

• More mechanisms

– Firewalls – Intrusion Detection Systems

• Design principles
• What goes wrong?
• What to do, how to do it, and when are you done?
• The future
• Also: Confused Deputy Problem (right after the break)

Firew alls - I ntroduction

• A “gatekeeper”
• Mechanism that removes unwanted traffic
• … but usually also limits wanted traffic

Access channel

Information system

Computing resources (processor, memory, I/O) Data Processes Software Internal security controls

Opponent

Human Software

Gatekeeper function

Firew alls – Design purposes

• 1. The firewall should always be up when the network is up
• 2. The firewall should always be small and simplistic to be

easily verified

• 3. All external traffic must pass through the firewall
• 4. Only permitted traffic (according to the policy) should pass

through the firewall

• 5. The firewall itself must not be vulnerable
• 6. It should provide a minimal amount of services, only the

required ones

Firew alls - Default behavior

• Two versions:

– Everything not explicitly forbidden is allowed – Everything not explicitly allowed is forbidden

Firew alls

Strengths

• 1. Single point of defense

– Simplifies

• 2. A good place for

surveillance

• 1. Logs and alarms
• 3. VPN - Virtual Private

Network (4. Platform for other mechanisms, e.g., network surveillance and address translation) Limitations

• 1. Only protecting against

attacks that pass through the firewall

• 2. Only useful against

external threats

• 3. Can not protect against

“malicious programs” and viruses

Firew alls - Configuration

• The proxy is either in the firewall or in a DMZ

(DeMilitarized Zone)

Firewall WAN LAN DMZ

I ntrusion Detection System s - I DS

• Firewalls are not enough

– All traffic does not go through the firewall – Does not protect against threats from the inside – Might be vulnerable themselves – Cannot protect against tunneled attacks

• IDS analyzes the behavior and patterns within the

system

I DS – W hat do they do?

• Looking for signs of

– Trespassing – Misuse of resources

• Analyzes information collected from many

different places

• Assisted by vulnerability assessment systems

– Look for errors in the system and configuration that can pose a threat to security

I DS – Possible Services

• Surveillance and analysis of users and system
• Control of the system configuration and its weaknesses
• Integrity control of critical files and (sub)system
• Pattern detection matching known attacks
• Statistical analysis to find abnormalities in usage
• Log auditing to detect policy violations
• Automatic patch installation
• Traps for attackers (honey pots)

I DS - Methods

• Offline:

– Passive

• Configuration control (passwords etc.)

– Active

• Simulate known attacks and evaluate the

response of the system – Periodic controls

• Online:

– Passive – Reactive

I DS - Lim itations

• Hard to tune

– What is abnormal and what is normal – False positives vs. false negatives

• Alarm at the right moments
• Is anyone listening to the alarms?
• Diagnosis – what to do?
• Static (rule based) or AI?

Design principles

• Specific design principles underlie the design and

implementation of security mechanisms

• Build on simplicity

– Makes it easier to understand – Less can go wrong – Reduces the potential for inconsistencies

• and restriction

– Minimizes the interaction of system component – Minimizes the power of an entity

Design principles ( 2 )

• The function (not identity) of the subject should control the

assignment of rights

• Rights should be removed when not needed any more
• Example:

– Mail server and file access

• Def. The principle of least privilege states that a subject

should be given only those privileges it needs in order to complete its task.

Design principles ( 3 )

• No ”security through obscurity”
• (”Dumpster-diving”)
• Especially true of cryptographic software and systems
• Issues of proprietary software and trade secrets complicate
• Example:

– DVD and the Content Scrambling System

• Def. The principle of open design states that the

security of a mechanism should not depend on the secrecy of its design or implementation.

Netw ork based threats

• Interaction means exposure
• Best possible network security is to stay offline
• Browsers

– Many users use the Internet only through browsers, and cannot tell the difference between them – A lot of software has moved inside the browser – There are several “major” browsers, and they all have different vulnerabilities and different bugs. – Compared to “real” systems, web sites are often managed and developed by inexperienced staff.

Netw ork based threats ( 2 )

• OS

– Many services, and many are activated by default

• Examples of LAN based attacks

– Password sniffing – NFS

• Examples of WAN based attacks

– SYN Flooding – Smurfing – DDOS – Spam and address spoofing – Routing-attacks – Combined attacks

Defense against netw ork based attacks

• Keeping the system / staff up to date

– Most attacks and problems are not new

• Configuration Management

– Very important that it is carried out correctly

• Cryptography

– IPsec – VPN

• Firewalls

Other

• Sandbox

– Limited area with restricted rights (e.g. Java, Browsers to some extent)

• Proof-carrying code

– Code must contain evidence that it is correct

• Object Request Brokers

– Component responsible for the communication between object – Controls access between different security domains

Assurance

• Assurance is the basis of trust

– Development methodologies – Formal methods for design analysis – Testing

• Higher level:

– What are you allowed to do?

• Rules and politics

– How do you organize the work?

• Methodology

– When do you know that you are done?

• Evaluation and assurance

W hat? – Cryptography

• SigInt – Signal Intelligence

– Echelon

• USA, GB, Canada, Australia and New Zeeland

– Important

• The development of cryptography has always been
• pposed
• Key escrow

– Escrowed Encryption Standard (EES)

W hat? – Personal I ntegrity

• Protect personal information from unsuitable use
• Difference between Europe and the US

– Europe: rights concerning contents and spread – US: self regulating

• Value of the data
• We will always be under surveillance

W hat? - Evidence

• Hard to design systems that produce evidence
• I court:

– Competency and experts

• Digital Signatures
• Risk dumping

– Worse for clients – Incentive to build secure system decreases

How ? – Lead Security Projects

• Core

– What should be protected and how?

• Revenue, risk, and reward
• Risk management

– The responsibility of the company management – Make sure everyone does their part and understand each other's functions

• The value of staff

How ? – Methodology

• Lots to learn from Software Development
• Top-down

– Waterfall model

• Iterative design

– Spiral model – Evolutionary development (Extreme programming)

• To consider:

– Reduce TCB – Keep track of the competency of employees – Error masking is not good for the security margin – Include security documents among the other development documents – Security must be built in from the start

How ? – Deal w ith Changes

• Reasons

– Fix a bug

• Have a plan (find, patch, distribute, PR)

– Develop / enhance the system – Changed environment – Changed organization

• Enforced technologies

How ? - Econom y

• Network economy

– “They did not want a secure system, only what security they could get for $10,000” – “We will release it on Wednesday and fix everything to version 3” – No use of standards – Vendor lock-in – No altruistic motives – “money talks”

W hen? - Assurance

• Assurance is a process
• Test with regard to security
• Formal methods

– Useful, but hard and the proof can have flaws

• Who controls the testers?

– Error injection, history of tester

• Difference between implementor / team
• Standards
• Thorough testing secures complex systems
• Easier to find some bug than a specific bug (ref.

Birthday attack)

W hen? - Evaluation

• Prove to others that the system works
• Often a lesser product is bought instead
• The usability is often secondary
• There are standardized testing methodologies

W hen? – W ays forw ard

• Open source

– Pro: Many watchers – a lot is found – Con: Large and complex software is rarely examined, functionality bloat – Open questions

• Does everyone reveal what they find?
• How much time has actually been spent on

testing?

• What should you do when you find a bug?

W hat goes w rong?

• Large operating systems -> many bugs and many

users -> many bugs are found

• Target for attack

– Acquire a regular account -> become system admin – Many bugs allows user -> root

• Smashing the Stack

– Verify input data!

W hat goes w rong? ( 2 )

• Race conditions

– An operation is done in two or more steps, and something gets to run in between

• Service denial

– E.g. syn flooding

• Fault in the user interface

– Trojan horses – Own version of known program, e.g. ls

W hy so m any errors?

• Testers exploit instead of report
• Kernel bloat – there is a lot to trust
• Programs are run as root when they do not have to

– But, restrictive privileges might cause programmers to ignore securing sensitive parts

Counter m easures

• Tools against stack-overflow
• Program should only have the rights that they need

– The principle of least privilege

• Default should be secure (restrictive)

– The principle of fail safe defaults

The future

• Increased complexity means increased risks
• Learn from the mistakes?

– Buffer-overflow (60- ) – Cryptology algorithms – Patches – New versions

• Laws – Crime and punishment
• Security Engineering
• Outsourcing

Security – Bottom line

• It will always be unsafe!
• You cannot make it completely secure
• Important to chose the right kind of protection
• Important to monitor and update
• Risk management

Sum m ary

• Design principles
• Access control

– Access control lists – Capabilities – Firewalls – IDS

• Assurance

– What are you allowed to do? – How do you organize the work? – When do you know that you are done?

• What goes wrong
• The future

Rest of the course

• Tuesday 26: th, last lecture

– Repetition: Old exam – Assignment due