UNIT 5 SYSTEM SECURITY

Apr 04, 2023

Page 1: UNIT 5 SYSTEM SECURITY

UNIT 5   SYSTEM SECURITY

•Intruder – Intrusion detection system 

• Virus and related threats – Countermeasures

• Firewalls design principles ‐Trusted systems 

•Practical implementation of cryptography and security  

Slides Courtesy of William Stallings, “Cryptography & Network Security”, Pearson Education, 4th Edition

Page 2: UNIT 5 SYSTEM SECURITY

Chapter‐1 Intruders

• Intrusion detection system

Page 3: UNIT 5 SYSTEM SECURITY

Intruders

• significant issue for networked systems is hostile or unwanted access

• either via network or local

• can identify classes of intruders:

– masquerader

– misfeasor

– clandestine user

• varying levels of competence

Presenter
Presentation Notes
A significant security problem for networked systems is hostile, or at least unwanted, trespass: unauthorized login or use of a system by local or remote users, or by software such as a virus, worm, or Trojan horse. One of the two most publicized threats to security is the intruder (or hacker or cracker), of which Anderson identified three classes:

• Masquerader: An individual who is not authorized to use the computer (outsider)

• Misfeasor: A legitimate user who accesses unauthorized data, programs, or resources (insider)

• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection (either)

Intruder attacks range from the benign (simply exploring the net to see what is there) to the serious (attempts to read privileged data, perform unauthorized modifications, or disrupt the system).
Page 4: UNIT 5 SYSTEM SECURITY

Intruders

• clearly a growing publicized problem

– from “Wily Hacker” in 1986/87

– to clearly escalating CERT stats

• may seem benign, but still cost resources

• may use compromised system to launch other attacks

• awareness of intruders has led to the development of CERTs

Presenter
Presentation Notes
The intruder threat has been well publicized, particularly because of the famous “Wily Hacker” incident of 1986–1987, documented by Cliff Stoll. Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users. However, there is no way in advance to know whether an intruder will be benign or malign. Intruders may use compromised systems to launch attacks on other systems, further degrading performance. One of the results of the growing awareness of the intruder problem has been the establishment of a number of computer emergency response teams (CERTs). These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers.
Page 5: UNIT 5 SYSTEM SECURITY

Intrusion Techniques

• aim to gain access and/or increase privileges on a system

• basic attack methodology

– target acquisition and information gathering

– initial access

– privilege escalation

– covering tracks

• key goal often is to acquire passwords

• so then exercise access rights of owner

Presenter
Presentation Notes
Knowing the standard attack methods is a key element in limiting your vulnerability. The basic aim is to gain access and/or increase privileges on some system. The basic attack methodology list is taken from McClure et al "Hacking Exposed". A basic technique for gaining access is to acquire a user (preferably administrator) password, so the attacker can login and exercise all the access rights of the account owner.
Page 6: UNIT 5 SYSTEM SECURITY

Password Guessing

• one of the most common attacks

• attacker knows a login (from email/web page etc) 

• then attempts to guess password for it – defaults, short passwords, common word searches

– user info (variations on names, birthday, phone, common words/interests) 

– exhaustively searching all possible passwords

• check by login or against stolen password file 

• success depends on password chosen by user

• surveys show many users choose poorly 

Presenter
Presentation Notes
Password guessing is a common attack. If an attacker has obtained a poorly protected password file, the attack can be mounted off-line, so the target is unaware of its progress. Some O/Ss take less care than others with their password files. If the attacker has to actually attempt to login to check guesses, then the system should detect an abnormal number of failed logins, and hence trigger appropriate countermeasures by admins/security. Likelihood of success depends very much on how well the passwords are chosen. Unfortunately, users often don’t choose well (see later).
Page 7: UNIT 5 SYSTEM SECURITY

Password Capture

• another attack involves password capture

– watching over shoulder as password is entered

– using a trojan horse program to collect

– monitoring an insecure network login

• eg. telnet, FTP, web, email

– extracting recorded info after successful login (web history/cache, last number dialed etc)

• using valid login/password can impersonate user

• users need to be educated to use suitable precautions/countermeasures 

Presenter
Presentation Notes
There is also a range of ways of "capturing" a login/password pair, from the low-tech looking over the shoulder, to the use of Trojan Horse programs (eg. a game program or nifty utility with a covert function as well as the overt behaviour), to sophisticated network monitoring tools, or extracting recorded info after a successful login - say from web history or cache, or last number dialed memory on phones etc. Need to educate users to be aware of who's around, to check they really are interacting with the computer system (trusted path), to beware of software from unknown sources, to use secure network connections (HTTPS, SSH, SSL), to flush browser/phone histories after use etc.
Page 8: UNIT 5 SYSTEM SECURITY

Intrusion Detection

• inevitably will have security failures

• so need also to detect intrusions so can

– block if detected quickly

– act as deterrent

– collect info to improve security

• assume intruder will behave differently to a legitimate user

– but will have imperfect distinction between

Presenter
Presentation Notes
Inevitably, the best intrusion prevention system will fail. A system’s second line of defense is intrusion detection, which aims to detect intrusions so can: block access & minimize damage if detected quickly; act as deterrent given chance of being caught; or can collect info on intruders to improve future security. Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. This is imperfect at best.
Page 9: UNIT 5 SYSTEM SECURITY

Approaches to Intrusion Detection

• statistical anomaly detection

– threshold

– profile based

• rule-based detection

– anomaly

– penetration identification

Presenter
Presentation Notes
Can identify the following approaches to intrusion detection:

1. Statistical anomaly detection: collect data relating to the behavior of legitimate users, then use statistical tests to determine with a high level of confidence whether new behavior is legitimate user behavior or not.

a. Threshold detection: define thresholds, independent of user, for the frequency of occurrence of events.

b. Profile based: develop a profile of the activity of each user and use it to detect changes in the behavior.

2. Rule-based detection: attempt to define a set of rules used to decide if given behavior is an intruder.

a. Anomaly detection: rules detect deviation from previous usage patterns.

b. Penetration identification: expert system approach that searches for suspicious behavior.
Page 10: UNIT 5 SYSTEM SECURITY

Audit Records

• fundamental tool for intrusion detection

• native audit records

– part of all common multi-user O/S

– already present for use

– may not have info wanted in desired form

• detection-specific audit records

– created specifically to collect wanted info

– at cost of additional overhead on system

Presenter
Presentation Notes
A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an intrusion detection system. Basically, two plans are used:

• Native audit records: Virtually all main O/Ss include accounting software that collects information on user activity. The advantage is that it is already there; the disadvantage is that it may not contain the needed information.

• Detection-specific audit records: implement a collection facility that generates custom audit records with the desired info. The advantage is that it can be vendor independent and portable; the disadvantage is the extra overhead involved.
Page 11: UNIT 5 SYSTEM SECURITY

Statistical Anomaly Detection

• threshold detection

– count occurrences of specific event over time

– if exceed reasonable value assume intrusion

– alone is a crude & ineffective detector

• profile based

– characterize past behavior of users

– detect significant deviations from this

– profile usually multi-parameter

Presenter
Presentation Notes
Statistical anomaly detection techniques cover threshold detection and profile-based systems. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time; if the count surpasses a reasonable number, then intrusion is assumed. By itself, this is a crude and ineffective detector of even moderately sophisticated attacks. Profile-based anomaly detection focuses on characterizing past behavior of users or groups, and then detecting significant deviations. A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert. The foundation of this approach is analysis of audit records.
Page 12: UNIT 5 SYSTEM SECURITY

Audit Record Analysis

• foundation of statistical approaches

• analyze records to get metrics over time

– counter, gauge, interval timer, resource use

• use various tests on these to determine if current behavior is acceptable

– mean & standard deviation, multivariate, markov process, time series, operational

• key advantage is no prior knowledge used

Presenter
Presentation Notes
An analysis of audit records over a period of time can be used to determine the activity profile of the average user. Then current audit records are used as input to detect intrusion, by analyzing incoming audit records to determine deviation from average behavior. Examples of metrics that are useful for profile-based intrusion detection are: counter, gauge, interval timer, resource use. Given these general metrics, various tests can be performed to determine whether current activity fits within acceptable limits, such as: mean and standard deviation, multivariate, Markov process, time series, operational; as discussed in the text. Stallings Table 18.1 shows various measures considered or tested for the Stanford Research Institute (SRI) intrusion detection system. The main advantage of the use of statistical profiles is that prior knowledge of security flaws is not required. Thus it should be readily portable among a variety of systems.
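As an added worked example (not part of Stallings' slides or notes), the following Python implements the two statistical techniques of slides 11 and 12 over constructed audit records: threshold detection counts failed logins per user in a sliding window (the "abnormal number of failed logins" check the password-guessing notes call for), and profile-based detection builds a mean/standard-deviation profile per user from historical counts and flags a current value more than k standard deviations away. The record format, the user names, the counts, the 60-second window and the k = 3 cut-off are all assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records (not from the slides): one dict per login attempt.
# "time" is seconds since midnight; "event" is "login_ok" or "login_fail".
AUDIT_RECORDS = [
    {"time": 100, "user": "mallory", "event": "login_fail"},
    {"time": 103, "user": "mallory", "event": "login_fail"},
    {"time": 107, "user": "mallory", "event": "login_fail"},
    {"time": 110, "user": "mallory", "event": "login_fail"},
    {"time": 115, "user": "mallory", "event": "login_fail"},
    {"time": 120, "user": "mallory", "event": "login_fail"},
    {"time": 125, "user": "mallory", "event": "login_fail"},
    {"time": 200, "user": "alice", "event": "login_fail"},
    {"time": 300, "user": "bob", "event": "login_ok"},
    {"time": 900, "user": "alice", "event": "login_fail"},
    {"time": 905, "user": "alice", "event": "login_ok"},
]

# Constructed history for profile building: files opened per session, per user.
HISTORY = {
    "alice": [10, 12, 11, 13, 9, 11, 12, 10],
    "bob": [5, 5, 5, 5],
}
# Constructed current-session counts to test against the profiles.
OBSERVED = {"alice": 40, "bob": 6, "carol": 7}


def threshold_detect(records, event="login_fail", window=60, limit=5):
    """Threshold detection: the number of `event` occurrences for one user inside
    any `window`-second interval must not exceed `limit`. Returns {user: peak count}
    for users that crossed it. The threshold is the same for every user."""
    times = defaultdict(list)
    for r in records:
        if r["event"] == event:
            times[r["user"]].append(r["time"])
    alerts = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def build_profiles(history):
    """Profile-based detection, step 1: summarize each user's past behaviour as
    (mean, population standard deviation) of the metric."""
    return {user: (mean(values), pstdev(values)) for user, values in history.items()}


def profile_deviation(profiles, observed, k=3.0, min_sigma=1.0):
    """Step 2: flag a user whose current value lies more than k standard deviations
    from their mean. `min_sigma` stops a zero-variance profile (bob above) from
    turning every one-unit change into an alert. A user with no profile is reported
    separately rather than silently accepted."""
    flagged = {}
    for user, value in observed.items():
        if user not in profiles:
            flagged[user] = "no profile"
            continue
        mu, sigma = profiles[user]
        z = (value - mu) / max(sigma, min_sigma)
        if abs(z) > k:
            flagged[user] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("threshold alerts:", threshold_detect(AUDIT_RECORDS))
    print("profile alerts:", profile_deviation(build_profiles(HISTORY), OBSERVED))
```

Running it reports mallory for seven failures inside 25 seconds and alice for a session far outside her profile, while bob's one-unit change against a flat history is not raised; that last case is exactly why a per-user profile needs a variance floor, otherwise a stable user becomes the noisiest one.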
Page 13: UNIT 5 SYSTEM SECURITY

Rule‐Based Intrusion Detection

• observe events on system & apply rules to decide if activity is suspicious or not

• rule-based anomaly detection

– analyze historical audit records to identify usage patterns & auto-generate rules for them

– then observe current behavior & match against rules to see if conforms

– like statistical anomaly detection does not require prior knowledge of security flaws

Presenter
Presentation Notes
Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious. Can characterize approaches as either anomaly detection or penetration identification, although there is overlap. Rule-based anomaly detection is similar in terms of its approach and strengths to statistical anomaly detection. Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. Current behavior is then observed and matched against the set of rules to see if it conforms to any historically observed pattern of behavior. As with statistical anomaly detection, rule-based anomaly detection does not require knowledge of security vulnerabilities within the system.
Page 14: UNIT 5 SYSTEM SECURITY

Rule‐Based Intrusion Detection

• rule-based penetration identification

– uses expert systems technology

– with rules identifying known penetration, weakness patterns, or suspicious behavior

– compare audit records or states against rules

– rules usually machine & O/S specific

– rules are generated by experts who interview & codify knowledge of security admins

– quality depends on how well this is done

Presenter
Presentation Notes
Rule-based penetration identification takes a very different approach based on expert system technology. It uses rules for identifying known penetrations or penetrations that would exploit known weaknesses, or identify suspicious behavior. The rules used are specific to machine and operating system. The rules are generated by “experts”, from interviews of system administrators and security analysts. Thus the strength of the approach depends on the skill of those involved in setting up the rules.
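An added example (not from the slides or from Stallings) showing what rule-based penetration identification (slides 13 and 14) looks like in code: a small rule set, each rule encoding a pattern an administrator would describe in an interview, evaluated against constructed audit records. The record fields, the file paths, the user names, the protected-file list and the su-failure limit are assumptions for illustration, and the rules are deliberately O/S-specific, as the notes say such rules usually are.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

Record = Dict[str, str]

# Constructed audit records (not from the slides). Each is one O/S-level event.
AUDIT: List[Record] = [
    {"user": "alice", "role": "user", "action": "read", "object": "/home/alice/notes.txt", "result": "ok"},
    {"user": "alice", "role": "user", "action": "read", "object": "/etc/shadow", "result": "denied"},
    {"user": "bob", "role": "user", "action": "exec", "object": "/bin/su", "result": "fail"},
    {"user": "bob", "role": "user", "action": "exec", "object": "/bin/su", "result": "fail"},
    {"user": "bob", "role": "user", "action": "exec", "object": "/bin/su", "result": "fail"},
    {"user": "carol", "role": "user", "action": "read", "object": "/home/dave/payroll.xls", "result": "ok"},
    {"user": "root", "role": "admin", "action": "read", "object": "/etc/shadow", "result": "ok"},
]

# Assumed list of files that only administrators have business touching.
PROTECTED = {"/etc/shadow", "/etc/sudoers"}


@dataclass
class Rule:
    """One codified piece of expert knowledge: a name, a severity, and a matcher
    that returns the users whose records satisfy the pattern."""
    name: str
    severity: str
    match: Callable[[List[Record]], List[str]]


def protected_file_by_non_admin(records: List[Record]) -> List[str]:
    # An attempt counts even if the O/S denied it: the attempt itself is the signal.
    return sorted({r["user"] for r in records
                   if r["object"] in PROTECTED and r["role"] != "admin"})


def repeated_su_failure(records: List[Record], limit: int = 3) -> List[str]:
    fails = Counter(r["user"] for r in records
                    if r["object"] == "/bin/su" and r["result"] == "fail")
    return sorted(u for u, n in fails.items() if n >= limit)


def other_users_home(records: List[Record]) -> List[str]:
    # Misfeasor pattern: a legitimate user reading inside someone else's home.
    hits = set()
    for r in records:
        parts = r["object"].split("/")
        if len(parts) > 2 and parts[1] == "home" and parts[2] != r["user"] and r["role"] != "admin":
            hits.add(r["user"])
    return sorted(hits)


RULES = [
    Rule("non-admin touched protected file", "high", protected_file_by_non_admin),
    Rule("repeated su failures", "medium", repeated_su_failure),
    Rule("read inside another user's home", "medium", other_users_home),
]


def evaluate(records: List[Record], rules=RULES):
    """Apply every rule to the audit trail; return (severity, rule name, user) triples."""
    findings = []
    for rule in rules:
        for user in rule.match(records):
            findings.append((rule.severity, rule.name, user))
    return findings


if __name__ == "__main__":
    for finding in evaluate(AUDIT):
        print(*finding, sep=" | ")
```

The quality of the output is bounded by the rules, as the notes warn: the third rule knows nothing about shared project directories, so on a real system it would need the exceptions an administrator would list, and a new attack pattern is invisible until someone writes a rule for it.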
Page 15: UNIT 5 SYSTEM SECURITY

Base‐Rate Fallacy

• practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms

– if too few intrusions detected -> false security

– if too many false alarms ‐> ignore / waste time

• this is very hard to do

• existing systems seem not to have a good record

Presenter
Presentation Notes
To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. If only a modest percentage of actual intrusions are detected, the system provides a false sense of security. On the other hand, if the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms, or much time will be wasted analyzing the false alarms. Unfortunately, because of the nature of the probabilities involved, it is very difficult to meet the standard of high rate of detections with a low rate of false alarms. A study of existing intrusion detection systems indicated that current systems have not overcome the problem of the base-rate fallacy.
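The base-rate fallacy as a worked derivation (added here; the probabilities are assumed for illustration, not figures from the slides). Let $I$ be the event that a given audit record reflects an intrusion and $A$ the event that the detector raises an alarm. Bayes' rule gives the probability that an alarm is genuine:

$$
P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}
$$

Assume one record in a thousand is an intrusion, $P(I) = 0.001$, a detection rate of $P(A \mid I) = 0.99$ and a false alarm rate of $P(A \mid \neg I) = 0.01$:

$$
P(I \mid A) = \frac{0.99 \times 0.001}{0.99 \times 0.001 + 0.01 \times 0.999} = \frac{0.00099}{0.01098} \approx 0.09
$$

So even with 99% detection and a 1% false-alarm rate, roughly 91% of alarms are false, because legitimate records vastly outnumber intrusions. Meeting the standard the notes describe means driving $P(A \mid \neg I)$ well below the base rate $P(I)$, not merely raising $P(A \mid I)$.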
Page 16: UNIT 5 SYSTEM SECURITY

Distributed Intrusion Detection

• traditional focus is on single systems

• but typically have networked systems

• more effective defense has these working together to detect intrusions

• issues

– dealing with varying audit record formats

– integrity & confidentiality of networked data

– centralized or decentralized architecture

Presenter
Presentation Notes
Until recently, work on intrusion detection systems focused on single-system standalone facilities. The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork, where a more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network. Porras points out the following major issues in the design of a distributed IDS:

• A distributed intrusion detection system may need to deal with different audit record formats

• One or more nodes in the network will serve as collection and analysis points for the data, which must be securely transmitted to them

• Either a centralized (single point, easier but a bottleneck) or decentralized (multiple centers that must coordinate) architecture can be used.
Page 17: UNIT 5 SYSTEM SECURITY

Distributed Intrusion Detection ‐ Architecture

Presenter
Presentation Notes
Stallings Figure 18.2 shows the overall architecture, consisting of three main components, of the system-independent distributed IDS developed at the University of California at Davis. The components are:

• Host agent module: audit collection module operating as a background process on a monitored system

• LAN monitor agent module: like a host agent module except it analyzes LAN traffic

• Central manager module: receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion
Page 18: UNIT 5 SYSTEM SECURITY

Distributed Intrusion Detection – Agent Implementation

Presenter
Presentation Notes
Stallings Figure 18.3 shows the general approach that is taken. The agent captures each native O/S audit record, & applies a filter that retains only records of security interest. These records are then reformatted into a standardized format (HAR). Then a template-driven logic module analyzes the records for suspicious activity. When suspicious activity is detected, an alert is sent to the central manager. The central manager includes an expert system that can draw inferences from received data. The manager may also query individual systems for copies of HARs to correlate with those from other agents.
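An added example (not the UC Davis system's code, and not from the slides) of the agent pipeline the notes describe for Figure 18.3: native audit lines from two hosts in two different formats are filtered to the security-relevant ones, reformatted into one standardized host audit record (HAR) schema, run through a simple template-driven check, and the resulting alerts serialized for the central manager. The two line formats, the host names, the users, the addresses and the HAR field names are constructed for illustration; the event IDs 4624/4625 are used only as the success/failure codes of the second constructed format.

```python
import json
import re

# Constructed native audit lines from two hosts (not from the slides). Two formats:
# a syslog-like line and a comma-separated line as a different O/S might emit.
NATIVE_LINES = [
    "2023-04-04T10:00:01Z hostA sshd: Accepted password for alice from 10.0.0.5",
    "2023-04-04T10:00:05Z hostA cron: job backup started",
    "2023-04-04T10:00:09Z hostA sshd: Failed password for root from 10.0.0.9",
    "2023-04-04T10:01:00Z,hostB,4625,root,10.0.0.9,logon_failure",
    "2023-04-04T10:01:30Z,hostB,4624,bob,10.0.0.7,logon_success",
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) \w+ for (\S+) from (\S+)$")


def to_har(line):
    """Filter + reformat step. Returns one HAR dict with a fixed schema
    (host, time, subject, action, object, outcome) for records of security
    interest, or None for everything the agent discards."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, verdict, user, src = m.groups()
        return {"host": host, "time": ts, "subject": user, "action": "login",
                "object": src, "outcome": "success" if verdict == "Accepted" else "failure"}
    parts = line.split(",")
    if len(parts) == 6 and parts[2] in ("4624", "4625"):
        ts, host, event_id, user, src, _ = parts
        return {"host": host, "time": ts, "subject": user, "action": "login",
                "object": src, "outcome": "success" if event_id == "4624" else "failure"}
    return None  # filtered out: not an event type the agent keeps


def analyze(hars):
    """Template-driven logic: a failed remote login for a privileged account is
    reported on its own, and one source failing on more than one host is a
    cross-host pattern only visible once records share a format."""
    alerts = []
    hosts_by_src = {}
    for h in hars:
        if h["outcome"] == "failure":
            hosts_by_src.setdefault(h["object"], set()).add(h["host"])
            if h["subject"] == "root":
                alerts.append({"type": "privileged_login_failure", **h})
    for src, hosts in hosts_by_src.items():
        if len(hosts) > 1:
            alerts.append({"type": "multi_host_login_failure", "source": src, "hosts": sorted(hosts)})
    return alerts


def agent_run(lines):
    """Whole agent pass: native lines -> HARs -> alerts."""
    hars = [h for h in (to_har(line) for line in lines) if h]
    return hars, analyze(hars)


def serialize(alerts):
    """Alerts as sent to the central manager. The notes require that this link be
    protected for integrity and confidentiality; that transport is out of scope here."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    hars, alerts = agent_run(NATIVE_LINES)
    print(f"{len(hars)} HARs kept of {len(NATIVE_LINES)} native lines")
    for msg in serialize(alerts):
        print(msg)
```

The cron line never becomes a HAR, which is the filter doing its job, and the multi-host alert is the payoff of the reformatting step: the manager can only correlate hostA's syslog failure with hostB's event-log failure because both arrive in the same schema.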
Page 19: UNIT 5 SYSTEM SECURITY

Honeypots

• decoy systems to lure attackers

– away from accessing critical systems

– to collect information of their activities

– to encourage attacker to stay on system so administrator can respond

• are filled with fabricated information

• instrumented to collect detailed information on attackers' activities

• single or multiple networked systems

• cf IETF Intrusion Detection WG standards

Presenter
Presentation Notes
Honeypots are decoy systems, designed to lure a potential attacker away from critical systems, and:

• divert an attacker from accessing critical systems

• collect information about the attacker’s activity

• encourage the attacker to stay on the system long enough for administrators to respond

These systems are filled with fabricated information designed to appear valuable but which any legitimate user of the system wouldn’t access; thus, any access is suspect. They are instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities. Have seen evolution from single host honeypots to honeynets of multiple dispersed systems. The IETF Intrusion Detection Working Group is currently drafting standards to support interoperability of IDS info (both honeypot and normal IDS) over a wide range of systems & O/Ss.
Page 20: UNIT 5 SYSTEM SECURITY

Summary

• have considered:

– problem of intrusion

– intrusion detection (statistical & rule‐based)

– password management

Presenter
Presentation Notes
Chapter 18 summary.
Page 21: UNIT 5 SYSTEM SECURITY

Chapter‐2 Viruses and Other Malicious Content

• Virus and related threats – Countermeasures

Page 22: UNIT 5 SYSTEM SECURITY

Viruses and Other Malicious Content

• computer viruses have got a lot of publicity 

• one of a family of malicious software

• effects usually obvious 

• have figured in news reports, fiction, movies (often exaggerated) 

• getting more attention than deserve 

• are a concern though 

Presenter
Presentation Notes
This chapter examines malicious software (malware), especially viruses and worms, which exploit vulnerabilities in computing systems. These have been given a lot of (often uninformed) comment in the general media. They are however, of serious concern.
Page 23: UNIT 5 SYSTEM SECURITY

Malicious Software

Presenter
Presentation Notes
The terminology used for malicious software presents problems because of a lack of universal agreement on all terms and because of overlap. Stallings Table 19.1, and this diagram from 3/e, provide a useful taxonomy. It can be divided into two categories: those that need a host program (being a program fragment eg virus), and those that are independent programs (eg worm); alternatively you can also differentiate between those software threats that do not replicate (are activated by a trigger) and those that do (producing copies of themselves). Will now survey this range of malware.
Page 24: UNIT 5 SYSTEM SECURITY

Backdoor or Trapdoor

• secret entry point into a program

• allows those who know of it to gain access, bypassing usual security procedures

• have been commonly used by developers

• a threat when left in production programs, allowing exploitation by attackers

• very hard to block in O/S

• requires good s/w development & update

Presenter
Presentation Notes
A backdoor, or trapdoor, is a secret entry point into a program that allows someone that is aware of it to gain access without going through the usual security access procedures. Have been used legitimately for many years to debug and test programs, but become a threat when left in production programs. It is difficult to implement operating system controls for backdoors. Security measures must focus on the program development and software update activities.
Page 25: UNIT 5 SYSTEM SECURITY

Logic Bomb

• one of oldest types of malicious software

• code embedded in legitimate program

• activated when specified conditions met

– eg presence/absence of some file

– particular date/time

– particular user

• when triggered typically damage system

– modify/delete files/disks, halt machine, etc

Presenter
Presentation Notes
A logic bomb is one of the oldest types of program threat, being code embedded in some legitimate program that is set to “explode” when certain conditions, such as the examples shown, are met. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.
Page 26: UNIT 5 SYSTEM SECURITY

Trojan Horse

• program with hidden side-effects

• which is usually superficially attractive

– eg game, s/w upgrade etc

• when run performs some additional tasks

– allows attacker to indirectly gain access they do not have directly

• often used to propagate a virus/worm or install a backdoor

• or simply to destroy data

Presenter
Presentation Notes
A Trojan horse is a useful, or apparently useful, program or command procedure (eg game, utility, s/w upgrade etc) containing hidden code that performs some unwanted or harmful function that an unauthorized user could not accomplish directly. Commonly used to make files readable, propagate a virus or worm, or simply to destroy data.
Page 27: UNIT 5 SYSTEM SECURITY

Zombie

• program which secretly takes over another networked computer

• then uses it to indirectly launch attacks

• often used to launch distributed denial of service (DDoS) attacks

• exploits known flaws in network systems

Presenter
Presentation Notes
A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie’s creator. Zombies are used in denial-of-service attacks, being planted on hundreds of computers belonging to unsuspecting third parties, and then used to overwhelm the target Web site by launching an overwhelming onslaught of Internet traffic. Typically zombies exploit known flaws in networked computer systems.
Page 28: UNIT 5 SYSTEM SECURITY

Viruses

• a piece of self-replicating code attached to some other code

– cf biological virus

• both propagates itself & carries a payload

– carries code to make copies of itself

– as well as code to perform some covert task

Presenter
Presentation Notes
A virus is a piece of software that can “infect” other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. It can be compared to biological viruses, and like them, a computer virus carries in its instructional code the recipe for making perfect copies of itself. Once a virus is executing, it can perform any function, such as erasing files and programs.
Page 29: UNIT 5 SYSTEM SECURITY

Virus Operation

• virus phases:

– dormant – waiting on trigger event

– propagation – replicating to programs/disks

– triggering – by event to execute payload

– execution – of payload

• details usually machine/OS specific

– exploiting features/weaknesses

Presenter
Presentation Notes
During its lifetime, a typical virus goes through the following four phases:

• Dormant phase: virus is idle, waiting for a trigger event (eg date, program or file, disk capacity). Not all viruses have this stage

• Propagation phase: virus places a copy of itself into other programs / system areas

• Triggering phase: virus is activated by some trigger event to perform its intended function

• Execution phase: desired function (which may be harmless or destructive) is performed

Most viruses work in a manner specific to a particular operating system or even hardware platform, and are designed to take advantage of the details and weaknesses of particular systems.
Page 30: UNIT 5 SYSTEM SECURITY

Virus Structure

program V :=
{goto main;
 1234567;

 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = 1234567)
       then goto loop
       else prepend V to file; }

 subroutine do-damage :=
   {whatever damage is to be done}

 subroutine trigger-pulled :=
   {return true if condition holds}

 main: main-program :=
   {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}

 next:
}

Presenter
Presentation Notes
Stallings Figure 19.1 shows a general depiction of virus structure. The virus code (V) is prepended to infected programs (assuming the entry point is the first line of the program). The first line of code jumps to the main virus program. The second line is a special marker for infected programs. The main virus program first seeks out uninfected executable files and infects them. Then it may perform some action, usually detrimental to the system, depending on some trigger. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program. This type of virus can be detected because the length of the program changes. More sophisticated variants attempt to hide their presence better, by for example, compressing the original program.
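The notes observe that a prepending virus of this shape is detectable because the host program's length changes. An added example (not from the slides or from Stallings) of the countermeasure that observation suggests: a file-integrity baseline that records each executable's size and SHA-256 digest, then reports files that changed, and separately those that grew, on a later scan. The directory, file names and contents are constructed inside a temporary directory so the example runs offline; the "prepended block" written in the demo is an inert constructed byte string standing in for any growth of the host, nothing more.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size in bytes, SHA-256 hex digest) for one file, streamed in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def baseline(directory):
    """Fingerprint every regular file directly under `directory` (flat scan)."""
    return {name: fingerprint(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def compare(old, new):
    """Classify differences between two baselines. Growth is reported in its own
    list because an infector that prepends itself always makes its host larger;
    a digest mismatch with no growth points at some other kind of change."""
    report = {"changed": [], "grown": [], "added": [], "removed": []}
    for name, (size, digest) in new.items():
        if name not in old:
            report["added"].append(name)
        elif old[name] != (size, digest):
            report["changed"].append(name)
            if size > old[name][0]:
                report["grown"].append(name)
    report["removed"] = [n for n in old if n not in new]
    return report


def demo():
    """Build a baseline over constructed files, alter one, delete one, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("prog_a", "prog_b", "prog_c"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"ORIGINAL-PROGRAM-BYTES:" + name.encode())
        before = baseline(d)

        # Simulate the growth a prepending infector causes (constructed, inert bytes).
        target = os.path.join(d, "prog_b")
        with open(target, "rb") as f:
            body = f.read()
        with open(target, "wb") as f:
            f.write(b"PREPENDED-BLOCK;" + body)
        os.remove(os.path.join(d, "prog_c"))

        after = baseline(d)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline must itself be stored where the monitored system cannot rewrite it (read-only media or a separate host), otherwise the same code that modifies a program can refresh the fingerprints; and, as the notes go on to say, a variant that compresses the original to keep the length constant defeats the size check but not the digest, which is why both are recorded.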
Page 31: UNIT 5 SYSTEM SECURITY

Types of Viruses

• can classify on basis of how they attack 

• parasitic virus

• memory‐resident virus

• boot sector virus 

• stealth

• polymorphic virus 

• metamorphic virus 

Presenter
Presentation Notes
There has been a continuous arms race between virus writers and writers of antivirus software, with the following categories being among the most significant types of viruses:

• Parasitic virus: traditional and still most common form of virus, it attaches itself to executable files and replicates when the infected program is executed

• Memory-resident virus: lodges in main memory as part of a resident system program, and infects every program that executes

• Boot sector virus: infects a master boot record and spreads when a system is booted from the disk containing the virus

• Stealth virus: a virus explicitly designed to hide itself from detection by antivirus software

• Polymorphic virus: mutates with every infection, making detection by the “signature” of the virus impossible

• Metamorphic virus: mutates with every infection, rewriting itself completely at each iteration, changing behavior and/or appearance, increasing the difficulty of detection
Page 32: UNIT 5 SYSTEM SECURITY

Macro Virus

• macro code attached to some data file

• interpreted by program using file

– eg Word/Excel macros

– esp. using auto command & command macros

• code is now platform independent

• is a major source of new viral infections

• blur distinction between data and program files

• classic trade-off: "ease of use" vs "security"

• have improving security in Word etc

• are no longer dominant virus threat

Presenter
Presentation Notes
In the mid-1990s, macro viruses became by far the most prevalent type of virus, and were particularly threatening because they’re platform independent, infect documents not executable code, and are easily spread. Macro viruses take advantage of the macro feature found in Word and other office applications. A macro is an executable program embedded in a word processing document or other type of file, blurring distinction between document & program. There is a continuing arms race in the field of macro viruses. Successive releases of Word provide increased protection against macro viruses, and they no longer are the predominant virus threat.
Page 33: UNIT 5 SYSTEM SECURITY

Email Virus

• spread using email with attachment containing a macro virus

– cf Melissa

• triggered when user opens attachment

• or worse even when mail viewed by using scripting features in mail agent

• hence propagate very quickly

• usually targeted at Microsoft Outlook mail agent & Word/Excel documents

• need better O/S & application security

Presenter
Presentation Notes
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment, triggered when the attachment was opened. At the end of 1999, a more powerful version of the e-mail virus appeared, activated merely by opening an e-mail that contains the virus rather than opening an attachment. As a result, instead of taking months or years to propagate, e-mail viruses now take only hours. This makes it very difficult for antivirus software to respond before much damage is done. Ultimately, a greater degree of security must be built into Internet utility and application software on PCs to counter this growing threat.
Page 34: UNIT 5 SYSTEM SECURITY

Worms

• replicating but not infecting program

• typically spreads over a network

– cf Morris Internet Worm in 1988

– led to creation of CERTs

• using users distributed privileges or by exploiting system vulnerabilities 

• widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS 

• major issue is lack of security of permanently connected systems, esp PC's 

Presenter
Presentation Notes
A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again, and usually to also perform some unwanted function. A worm actively seeks out more machines to infect and each machine that is infected serves as an automated launching pad for attacks on other machines. To replicate itself, a network worm uses some sort of network vehicle such as email, remote execution, or remote login. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
Page 35: UNIT 5 SYSTEM SECURITY

Worm Operation

• worm phases like those of viruses:

– dormant

– propagation

• search for other systems to infect

• establish connection to target remote system

• replicate self onto remote system

– triggering

– execution

Presenter
Presentation Notes
A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase, and an execution phase. The propagation phase generally:

1. Searches for other systems to infect by examining host tables etc

2. Establishes a connection with a remote system

3. Copies itself to the remote system and causes the copy to be run.
Page 36: UNIT 5 SYSTEM SECURITY

Morris Worm

• best known classic worm

• released by Robert Morris in 1988

• targeted Unix systems

• using several propagation techniques

– simple password cracking of local pw file

– exploit bug in finger daemon

– exploit debug trapdoor in sendmail daemon

• if any attack succeeds then replicated self

Presenter
Presentation Notes
Until recently, the best known was the Morris worm released onto the Internet by Robert Morris in 1988. It was designed to spread on UNIX systems and used a number of different techniques for propagation, including cracking the local password file to get logins/passwords, exploiting a bug in the finger protocol, or exploiting a trapdoor in the debug option of the sendmail mail daemon. If any attack succeeded then the worm had a means of running on another system and replicating itself.
Page 37: UNIT 5 SYSTEM SECURITY

Recent Worm Attacks

• new spate of attacks from mid‐2001

• Code Red ‐ used MS IIS bug

– probes random IPs for systems running IIS

– had trigger time for denial‐of‐service attack

– 2nd wave infected 360000 servers in 14 hours

• Code Red 2 ‐ installed backdoor

• Nimda ‐ multiple infection mechanisms

• SQL Slammer ‐ attacked MS SQL server

• Sobig.f ‐ attacked open proxy servers

• Mydoom ‐ mass email worm + backdoor

Presenter
Presentation Notes
The contemporary era of worm threats began with the release of the Code Red worm in July of 2001. Code Red exploited a security hole in Microsoft Internet Information Server (IIS) to penetrate and spread, & also disabled the system file checker in Windows. It probed random IP addresses to spread to other hosts, & had a trigger time for a DDoS attack. It infected nearly 360,000 servers in 14 hours, & consumed enormous amounts of Internet capacity, disrupting service. Code Red II is a variant that installed a backdoor allowing a hacker to direct activities of victim computers. Nimda appeared in late 2001 & spreads by multiple mechanisms: email, shares, web client, IIS, Code Red 2 backdoor. It modifies Web documents & certain executable files and creates numerous copies of itself under various filenames. SQL Slammer worm appeared in early 2003, exploiting a buffer overflow vulnerability in Microsoft SQL server. It was extremely compact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes. Sobig.f worm appeared in late 2003, exploiting open proxy servers to turn infected machines into spam engines. At its peak, it accounted for one in every 17 messages and produced more than one million copies of itself within the first 24 hours. Mydoom appeared in 2004 & is a mass-mailing e-mail worm that installed a backdoor in infected computers. It replicated up to 1000 times per minute and reportedly flooded the Internet with 100 million infected messages in 36 hours.
Page 38: UNIT 5 SYSTEM SECURITY

Worm Technology

• multiplatform

• multiexploit

• ultrafast spreading

• polymorphic

• metamorphic

• transport vehicles

• zero‐day exploit

Presenter
Presentation Notes
The state of the art in worm technology includes the following: • Multiplatform: not limited to Windows, can attack a variety of O/S’s, esp UNIX. • Multiexploit: penetrate systems in a variety of ways • Ultrafast spreading: using prior scan to get addresses of vulnerable machines • Polymorphic: adopt virus polymorphic technique to evade detection • Metamorphic: change both appearance & behavior patterns • Transport vehicles: to spread other distributed attack tools, eg zombies • Zero-day exploit: exploit unknown vulnerability
Page 39: UNIT 5 SYSTEM SECURITY

Virus Countermeasures

• best countermeasure is prevention

• but in general not possible 

• hence need to do one or more of:

– detection ‐ of viruses in infected system

– identification ‐ of specific infecting virus

– removal ‐ restoring system to clean state

Presenter
Presentation Notes
The ideal solution to the threat of viruses is prevention, but in general this is impossible to achieve. The next best approach is to be able to do the following: • Detection: determine that infection has occurred and locate the virus • Identification: of the specific virus that has infected a program • Removal: of all traces of the virus from the infected program and restore it to its original state; or discard infected program and reload a clean backup version
Page 40: UNIT 5 SYSTEM SECURITY

Anti‐Virus Software

• first‐generation

– scanner uses virus signature to identify virus

– or change in length of programs

• second‐generation

– uses heuristic rules to spot viral infection

– or uses crypto hash of program to spot changes

• third‐generation

– memory‐resident programs identify virus by actions

• fourth‐generation

– packages with a variety of antivirus techniques

– eg scanning & activity traps, access‐controls

• arms race continues

Presenter
Presentation Notes
As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated. See four generations of antivirus software: • First generation: simple scanners use a virus signature to identify a virus, limited to known viruses; or use length of program to detect changes to it • Second generation: heuristic scanners use rules to search for probable virus infection, eg for code fragments; or use crypto hash of programs to detect changes • Third generation: activity traps which identify a virus by its actions rather than its structure • Fourth generation: full-featured protection using packages consisting of a variety of antivirus techniques used in conjunction, including scanning and activity trap components The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general purpose computer security measures.
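The first two generations in a single added example (not from the Stallings slides): a signature scanner and a length check, then a cryptographic hash baseline that also catches an infection that preserves file length. The signature bytes and the three files are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed signature database: byte patterns standing in for the "virus
# signatures" a first-generation scanner matches. Invented values, not real malware.
SIGNATURES = {
    "DEMO-A": b"\x90\x90\xeb\x1f",
    "DEMO-B": b"INFECT_MARKER",
}


def signature_scan(data: bytes) -> list[str]:
    """First generation: report every known signature found in the program."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def baseline(paths) -> dict[str, tuple[int, str]]:
    """Record length (first generation) and SHA-256 (second generation) of each program."""
    table = {}
    for p in paths:
        data = Path(p).read_bytes()
        table[str(p)] = (len(data), hashlib.sha256(data).hexdigest())
    return table


def integrity_check(table: dict[str, tuple[int, str]]) -> dict[str, str]:
    """Compare each program against its baseline; return path -> finding for changed files.

    A length change is the weak first-generation signal; the hash mismatch
    catches a modification that keeps the length unchanged.
    """
    findings = {}
    for path, (length, digest) in table.items():
        data = Path(path).read_bytes()
        if len(data) != length:
            findings[path] = "length changed"
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[path] = "hash mismatch (same length)"
    return findings


def demo() -> tuple[dict, dict]:
    """Run both checks over constructed files; returns (scan results, integrity findings)."""
    with TemporaryDirectory() as d:
        clean = Path(d) / "clean.bin"
        padded = Path(d) / "same_len.bin"
        appended = Path(d) / "appended.bin"
        clean.write_bytes(b"A" * 64)
        padded.write_bytes(b"B" * 64)
        appended.write_bytes(b"C" * 64)
        table = baseline([clean, padded, appended])

        # Two constructed "infections" after the baseline was taken.
        padded.write_bytes(b"B" * 51 + b"INFECT_MARKER")       # same length, new content
        appended.write_bytes(b"C" * 64 + b"\x90\x90\xeb\x1f")   # code appended, length grows

        scan = {p.name: signature_scan(p.read_bytes()) for p in (clean, padded, appended)}
        findings = {Path(k).name: v for k, v in integrity_check(table).items()}
    return scan, findings
```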
Page 41: UNIT 5 SYSTEM SECURITY

Advanced Anti‐Virus Techniques

• generic decryption

– use CPU simulator to check program signature & behavior before actually running it

• digital immune system (IBM)

– general purpose emulation & virus detection

– any virus entering org is captured, analyzed, detection/shielding created for it, removed

Presenter
Presentation Notes
More sophisticated antivirus approaches and products continue to appear, such as: Generic Decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses, while maintaining fast scanning speeds, using a CPU simulator to scan program for virus signatures & to monitor its behavior before actually running it. Have issue of how long to do this for. The Digital Immune System from IBM is a comprehensive approach to virus protection, and provides a general purpose emulation and virus-detection system. When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running IBM AntiVirus so it can be detected before it is run elsewhere.
Page 42: UNIT 5 SYSTEM SECURITY

Digital Immune System

Presenter
Presentation Notes
Stallings Figure 19.4 illustrates the typical steps in digital immune system operation: 1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, & forwards infected programs to an administrative machine 2. The administrative machine encrypts the sample and sends it to a central virus analysis machine 3. This machine creates an environment in which the infected program can be safely run for analysis to produce a prescription for identifying and removing the virus 4. The resulting prescription is sent back to the administrative machine 5. The administrative machine forwards the prescription to the infected client 6. The prescription is also forwarded to other clients in the organization 7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.
Page 43: UNIT 5 SYSTEM SECURITY

Behavior‐Blocking Software

• integrated with host O/S

• monitors program behavior in real‐time

– eg file access, disk format, executable mods, system settings changes, network access

• for possibly malicious actions

– if detected can block, terminate, or seek ok

• has advantage over scanners

• but malicious code runs before detection

Presenter
Presentation Notes
Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real-time for malicious actions, & blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include the following: • Attempts to open, view, delete, and/or modify files • Attempts to format disk drives and other unrecoverable disk operations • Modifications to the logic of executable files or macros • Modification of critical system settings, such as start-up settings • Scripting of e-mail and instant messaging clients to send executable content • Initiation of network communications. If the behavior blocker detects that a program is initiating would-be malicious behaviors as it runs, it can block these behaviors in real-time and/or terminate the offending software. The behavior blocker has a fundamental advantage over such established antivirus detection techniques since it can intercept all suspicious requests, & can identify and block malicious actions regardless of how obfuscated the program logic appears to be. But this does mean the malicious code must actually run on the target machine before all its behaviors can be identified.
Page 44: UNIT 5 SYSTEM SECURITY

Distributed Denial of Service Attacks (DDoS)

• Distributed Denial of Service (DDoS) attacks form a significant security threat

• making networked systems unavailable

• by flooding with useless traffic

• using large numbers of “zombies” 

• growing sophistication of attacks

• defense technologies struggling to cope

Presenter
Presentation Notes
Distributed denial of service (DDoS) attacks present a significant security threat to corporations, and the threat appears to be growing. DDoS attacks make computer systems inaccessible by flooding servers, networks, or even end user systems with useless traffic so that legitimate users can no longer gain access to those resources. In a typical DDoS attack, a large number of compromised (zombie) hosts are amassed to send useless packets. In recent years, the attack methods and tools have become more sophisticated, effective, and more difficult to trace to the real attackers, while defense technologies have been unable to withstand large-scale attacks.
Page 45: UNIT 5 SYSTEM SECURITY

Distributed Denial of Service Attacks (DDoS)

Presenter
Presentation Notes
A DDoS attack attempts to consume the target’s resources so that it cannot provide service. One way to classify DDoS attacks is in terms of the type of resource that is consumed, either an internal host resource on the target system, or data transmission capacity in the target local network. Stallings Figure19.5a shows an example of an internal resource attack - the SYN flood attack. 1. The attacker takes control of multiple hosts over the Internet 2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target 3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each SYN request waiting for a response back and becomes bogged down as more traffic floods in. Stallings Figure 19.5b illustrates an example of an attack that consumes data transmission resources. 1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target’s spoofed IP address to a group of hosts that act as reflectors 2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site. 3. The target’s router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.
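The SYN flood of Figure 19.5a from the defender's side, as an added example (not part of the slides): replay a packet capture, track the per-SYN state the server keeps until the handshake completes or times out, and alarm when one target's half-open backlog exceeds a threshold. Because the flood's source addresses are spoofed, counting is done per target rather than per source. The packet records, addresses and threshold are constructed.

```python
from collections import defaultdict

# Constructed packet records (timestamp, source, destination, TCP flags), as a
# capture in front of the web server would show them. Documentation-range addresses.
SERVER = "203.0.113.10"

NORMAL_HANDSHAKE = [
    (0.0, "198.51.100.7", SERVER, "SYN"),
    (0.1, SERVER, "198.51.100.7", "SYN/ACK"),
    (0.2, "198.51.100.7", SERVER, "ACK"),
]


def flood_sample(n: int, start: float = 1.0) -> list:
    """Constructed flood: n SYNs with distinct bogus source addresses. The server
    answers each with SYN/ACK, but the ACK that would complete the handshake never comes."""
    pkts = []
    for i in range(n):
        src = f"10.0.{i // 256}.{i % 256}"
        pkts.append((start + i * 0.001, src, SERVER, "SYN"))
        pkts.append((start + i * 0.001 + 0.0005, SERVER, src, "SYN/ACK"))
    return pkts


def half_open_per_target(packets, now: float, timeout: float = 30.0) -> dict:
    """Replay the capture and count, per destination, connections that received a
    SYN but no completing ACK and have not yet timed out. This mirrors the data
    structure the server keeps for each pending SYN, the resource a flood exhausts."""
    pending = {}   # (client, server) -> time the SYN was seen
    for ts, src, dst, flags in sorted(packets):
        if flags == "SYN":
            pending[(src, dst)] = ts
        elif flags == "ACK" and (src, dst) in pending:
            del pending[(src, dst)]       # three-way handshake completed
    counts = defaultdict(int)
    for (client, server), ts in pending.items():
        if now - ts < timeout:            # still occupying backlog state
            counts[server] += 1
    return dict(counts)


def detect_syn_flood(packets, now: float, threshold: int = 100, timeout: float = 30.0) -> dict:
    """Return {target: half-open count} for each target whose backlog exceeds the threshold."""
    backlog = half_open_per_target(packets, now, timeout)
    return {srv: n for srv, n in backlog.items() if n > threshold}
```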
Page 46: UNIT 5 SYSTEM SECURITY

Constructing the DDoS Attack Network

• must infect large number of zombies

• needs:

1. software to implement the DDoS attack

2. an unpatched vulnerability on many systems

3. scanning strategy to find vulnerable systems

– random, hit‐list, topological, local subnet

Presenter
Presentation Notes
The first step in a DDoS attack is for the attacker to infect a number of machines with zombie software that will ultimately be used to carry out the attack. The essential ingredients are: 1. Software that can carry out the DDoS attack, runnable on a large number of machines, concealed, communicating with attacker or time-triggered, and can launch intended attack toward the target 2. A vulnerability in a large number of systems, that many system admins/users have failed to patch 3. A strategy for locating vulnerable machines, known as scanning, such as: • Random: probe random IP addresses in the IP address space • Hit-list: use a long list of potential vulnerable machines • Topological: use info on infected victim machine to find more hosts • Local subnet: look for targets in own local network
Page 47: UNIT 5 SYSTEM SECURITY

DDoS Countermeasures

• three broad lines of defense:

1. attack prevention & preemption (before)

2. attack detection & filtering (during)

3. attack source traceback & ident (after)

• huge range of attack possibilities

• hence evolving countermeasures

Presenter
Presentation Notes
Have three lines of defense against DDoS attacks: • Attack prevention and preemption (before the attack): to enable victim to endure attack attempts without denying service to legitimate clients • Attack detection and filtering (during the attack): to attempt to detect attack as it begins and respond immediately, minimizing impact of attack on the target • Attack source traceback and identification (during and after the attack): to identify source of attack to prevent future attacks. The challenge in coping with DDoS attacks is the sheer number of ways in which they can operate, hence countermeasures must evolve with the threat.
Page 48: UNIT 5 SYSTEM SECURITY

Summary

• have considered:– various malicious programs

– trapdoor, logic bomb, trojan horse, zombie

– viruses

– worms

– countermeasures

– distributed denial of service attacks

Presenter
Presentation Notes
Chapter 19 summary.
Page 49: UNIT 5 SYSTEM SECURITY

Chapter‐3 Firewalls 

Page 50: UNIT 5 SYSTEM SECURITY

Introduction

• seen evolution of information systems

• now everyone wants to be on the Internet

• and to interconnect networks

• has persistent security concerns

– can’t easily secure every system in org

• typically use a Firewall

• to provide perimeter defence

• as part of comprehensive security strategy

Presenter
Presentation Notes
Information systems in corporations, government agencies, and other organizations have undergone a steady evolution from mainframes to LANs. Internet connectivity is no longer optional, with information and services essential to the organization. Moreover, individual users want and need Internet access. However, while Internet access provides benefits, it enables the outside world to reach and interact with local network assets, creating a threat to the organization. While it is possible to equip each workstation and server on the premises network with strong security features, this is not a practical approach in general. Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet. However they need to be part of a wider security strategy including host security.
Page 51: UNIT 5 SYSTEM SECURITY

What is a Firewall?

• a choke point of control and monitoring

• interconnects networks with differing trust

• imposes restrictions on network services

– only authorized traffic is allowed

• auditing and controlling access

– can implement alarms for abnormal behavior

• provide NAT & usage monitoring

• implement VPNs using IPSec

• must be immune to penetration

Presenter
Presentation Notes
A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter, forming a single choke point where security and audit can be imposed. A firewall: 1. defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks 2. provides a location for monitoring security-related events 3. is a convenient platform for several Internet functions that are not security related, such as NAT and Internet usage audits or logs 4. can serve as the platform for IPSec to implement virtual private networks. The firewall itself must be immune to penetration, since it will be a target of attack.
Page 52: UNIT 5 SYSTEM SECURITY

Firewall Limitations

• cannot protect from attacks bypassing it

– eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)

• cannot protect against internal threats

– eg disgruntled or colluding employees

• cannot protect against transfer of all virus infected programs or files

– because of huge range of O/S & file types

Presenter
Presentation Notes
Firewalls have their limitations, including that they: 1. cannot protect against attacks that bypass the firewall, eg PCs with dial-out capability to an ISP, or dial-in modem pool use 2. do not protect against internal threats, eg disgruntled employee or one who cooperates with an attacker 3. cannot protect against the transfer of virus-infected programs or files, given wide variety of O/S & applications supported
Page 53: UNIT 5 SYSTEM SECURITY

Firewalls – Packet Filters

• simplest, fastest firewall component 

• foundation of any firewall system 

• examine each IP packet (no context) and permit or deny according to rules 

• hence restrict access to services (ports)

• possible default policies

– that not expressly permitted is prohibited

– that not expressly prohibited is permitted

Presenter
Presentation Notes
Have three common types of firewalls: packet filters, application-level gateways, & circuit-level gateways. A packet-filtering router applies a set of rules to each incoming and outgoing IP packet to forward or discard the packet. Filtering rules are based on information contained in a network packet such as src & dest IP addresses, ports, transport protocol & interface. Some advantages are simplicity, transparency & speed. If there is no match to any rule, then one of two default policies is applied: • that which is not expressly permitted is prohibited (default action is discard packet), conservative policy • that which is not expressly prohibited is permitted (default action is forward packet), permissive policy
Page 54: UNIT 5 SYSTEM SECURITY

Firewalls – Packet Filters

Presenter
Presentation Notes
Stallings Figure 20.1a illustrates the packet filter firewall placement in the border router, on the security perimeter, between the external less-trusted Internet, and the internal more trusted private network.
Page 55: UNIT 5 SYSTEM SECURITY

Firewalls – Packet Filters

Presenter
Presentation Notes
Stallings Table 20.1 gives some examples of packet-filtering rule sets. In each set, the rules are applied top to bottom. A. Inbound mail is allowed to a gateway host only (port 25 is for SMTP incoming) B. explicit statement of the default policy C. tries to specify that any inside host can send mail to the outside, but has the problem that an outside machine could be configured to have some other application linked to port 25 D. properly implements the mail sending rule, by checking that the ACK flag of a TCP segment is set E. this rule set is one approach to handling FTP connections
Page 56: UNIT 5 SYSTEM SECURITY

Attacks on Packet Filters

• IP address spoofing

– fake source address to be trusted

– add filters on router to block

• source routing attacks

– attacker sets a route other than default

– block source routed packets

• tiny fragment attacks

– split header info over several tiny packets

– either discard or reassemble before check

Presenter
Presentation Notes
Some of the attacks that can be made on packet-filtering routers & countermeasures are: • IP address spoofing: where intruder transmits packets from the outside with internal host source IP addr, need to filter & discard such packets • Source routing attacks: where source specifies the route that a packet should take to bypass security measures, should discard all source routed packets • Tiny fragment attacks: intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate fragment to circumvent filtering rules needing full header info; can enforce a minimum fragment size to include the full header.
Page 57: UNIT 5 SYSTEM SECURITY

Firewalls – Stateful Packet Filters

• traditional packet filters do not examine higher layer context

– ie matching return packets with outgoing flow

• stateful packet filters address this need

• they examine each IP packet in context

– keep track of client‐server sessions

– check each packet validly belongs to one

• hence are better able to detect bogus packets out of context 

Presenter
Presentation Notes
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context.
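An added example (not from the Stallings slides or Table 20.1) that serves both the rule-set discussion on the "Packet Filters" slide and the stateful inspection here: a stateless filter applying rules top to bottom with a default policy, rule sets in the spirit of Table 20.1 C and D showing what the ACK-flag check buys, and a stateful filter whose directory of outbound connections catches what even the ACK check lets through. The address block, ports and rule sets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (from the Internet) or "out" (from our hosts)
    src: str
    src_port: int
    dst: str
    dst_port: int
    ack: bool = False  # TCP ACK flag; clear only on the first segment of a connection


def _addr_match(pattern: str, addr: str) -> bool:
    """'*' matches anything; '192.0.2.*' matches the prefix 192.0.2."""
    return pattern == "*" or addr.startswith(pattern.rstrip("*"))


def _port_match(pattern: str, port: int) -> bool:
    """'*', an exact port such as '25', or a range such as '>1023'."""
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    direction: str = "*"
    src: str = "*"
    src_port: str = "*"
    dst: str = "*"
    dst_port: str = "*"
    ack: Optional[bool] = None  # None: the rule does not look at the ACK flag

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and _addr_match(self.src, p.src)
                and _addr_match(self.dst, p.dst)
                and _port_match(self.src_port, p.src_port)
                and _port_match(self.dst_port, p.dst_port)
                and (self.ack is None or self.ack == p.ack))


def filter_packet(rules: list[Rule], p: Packet, default: str = "deny") -> str:
    """Stateless filter: rules applied top to bottom, first match wins, otherwise
    the default policy ('deny' = that which is not expressly permitted is prohibited)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


OUR_HOSTS = "192.0.2.*"  # constructed address block for the protected network

# In the spirit of rule set C: our hosts may send mail out and replies may come
# back in, but the inbound rule keys only on the remote port being 25.
RULES_C = [
    Rule("permit", direction="out", src=OUR_HOSTS, dst_port="25"),
    Rule("permit", direction="in", src_port="25", dst=OUR_HOSTS, dst_port=">1023"),
]

# In the spirit of rule set D: the inbound rule also requires the ACK flag, so a
# segment opening a new connection (ACK clear) from a remote port 25 is rejected.
RULES_D = [
    Rule("permit", direction="out", src=OUR_HOSTS, dst_port="25"),
    Rule("permit", direction="in", src_port="25", dst=OUR_HOSTS, dst_port=">1023", ack=True),
]


class StatefulFilter:
    """Stateful inspection: a directory of outbound TCP connections; inbound segments
    to high-numbered ports are admitted only if they answer an entry in it."""

    def __init__(self, rules: list[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default
        self.directory = set()  # (our host, our port, remote host, remote port)

    def process(self, p: Packet) -> str:
        if p.direction == "out":
            verdict = filter_packet(self.rules, p, self.default)
            if verdict == "permit":
                self.directory.add((p.src, p.src_port, p.dst, p.dst_port))
            return verdict
        if p.dst_port > 1023:
            # Return traffic must match a connection one of our hosts actually opened.
            key = (p.dst, p.dst_port, p.src, p.src_port)
            return "permit" if key in self.directory else "deny"
        return filter_packet(self.rules, p, self.default)
```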
Page 58: UNIT 5 SYSTEM SECURITY

Firewalls ‐ Application Level Gateway (or Proxy)

• have application specific gateway / proxy 

• has full access to protocol

– user requests service from proxy

– proxy validates request as legal 

– then actions request and returns result to user

– can log / audit traffic at application level 

• need separate proxies for each service

– some services naturally support proxying

– others are more problematic 

Presenter
Presentation Notes
An application-level gateway (or proxy server) acts as a relay of application-level traffic. A user contacts the gateway to access some service and provides details of the service, the remote host & authentication details; the gateway then contacts the application on the remote host and relays all data between the two endpoints. If the gateway does not implement the proxy code for a specific application, then it is not supported and cannot be used. Note that some services naturally support proxying, whilst others are more problematic. Application-level gateways tend to be more secure than packet filters, & can log and audit traffic at application level.
Page 59: UNIT 5 SYSTEM SECURITY

Firewalls ‐ Application Level Gateway (or Proxy)

Presenter
Presentation Notes
Stallings Figure 20.1b illustrates an application-level gateway (or proxy server), emphasizing that it only supports a specific list of application services.
Page 60: UNIT 5 SYSTEM SECURITY

Firewalls ‐ Circuit Level Gateway

• relays two TCP connections

• imposes security by limiting which such connections are allowed

• once created usually relays traffic without examining contents

• typically used when internal users are trusted, by allowing general outbound connections

• SOCKS is commonly used

Presenter
Presentation Notes
A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access. One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients.
Page 61: UNIT 5 SYSTEM SECURITY

Firewalls ‐ Circuit Level Gateway

Presenter
Presentation Notes
Stallings Figure 20.1c illustrates a circuit-level gateway, showing how it relays between 2 TCP connections. Note that it can be implemented in a stand-alone system or can be a specialized function in an application-level gateway for certain applications. Note also that relaying UDP packets is more problematical, because of the lack of connection context, and requires a parallel TCP connection to provide these details.
Page 62: UNIT 5 SYSTEM SECURITY

Bastion Host

• highly secure host system

• runs circuit / application level gateways

• or provides externally accessible services

• potentially exposed to "hostile" elements

• hence is secured to withstand this

– hardened O/S, essential services, extra auth

– proxies small, secure, independent, non‐privileged

• may support 2 or more net connections

• may be trusted to enforce policy of trusted separation between these net connections

Presenter
Presentation Notes
A bastion host is a critical strong point in the network’s security, serving as a platform for an application-level or circuit-level gateway, or for external services. It is thus potentially exposed to "hostile" elements and must be secured to withstand this. Common characteristics of a bastion host include that it: • executes a secure version of its O/S, making it a trusted system • has only essential services installed on the bastion host • may require additional authentication before a user is allowed access to the proxy services • is configured to support only a subset of the standard application’s command set, with access only to specific hosts • maintains detailed audit information by logging all traffic • has each proxy module a very small software package specifically designed for network security • has each proxy independent of other proxies on the bastion host • has each proxy perform no disk access other than to read its initial configuration file • has each proxy run as a nonprivileged user in a private and secured directory A bastion host may have two or more network interfaces (or ports), and must be trusted to enforce trusted separation between these network connections, relaying traffic only according to policy.
Page 63: UNIT 5 SYSTEM SECURITY

Firewall Configurations

Presenter
Presentation Notes
In addition to the use of a simple configuration consisting of a single system, more complex configurations are possible and indeed more common. Stallings Figure 20.2 illustrates three common firewall configurations. Figure 20.2a shows the “screened host firewall, single-homed bastion configuration”, where the firewall consists of two systems: a packet-filtering router, which allows Internet packets to/from the bastion only, and a bastion host, which performs authentication and proxy functions. This configuration has greater security, as it implements both packet-level & application-level filtering, forces an intruder to generally penetrate two separate systems to compromise internal security, & also affords flexibility in providing direct Internet access to specific internal servers (eg web) if desired.
Page 64: UNIT 5 SYSTEM SECURITY

Firewall Configurations

Presenter
Presentation Notes
Stallings Figure 20.2b illustrates the “screened host firewall, dual-homed bastion configuration” which physically separates the external and internal networks, ensuring two systems must be compromised to breach security. The advantages of dual layers of security are also present here. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but are now separated from the internal network.
Page 65: UNIT 5 SYSTEM SECURITY

Firewall Configurations

Presenter
Presentation Notes
Stallings Figure 20.2c shows the “screened subnet firewall configuration”, being the most secure shown. It has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork. This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked. This configuration offers several advantages: • There are now three levels of defense to thwart intruders • The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet • Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet
Page 66: UNIT 5 SYSTEM SECURITY

Access Control

• given system has identified a user 

• determine what resources they can access

• general model is that of access matrix with

– subject ‐ active entity (user, process)

– object ‐ passive entity (file or resource) 

– access right – way object can be accessed

• can decompose by

– columns as access control lists

– rows as capability tickets

Presenter
Presentation Notes
Following successful logon, a user has been granted access to one or a set of hosts and applications. Associated with each user there can be a profile that specifies permissible operations and file accesses, which the operating system can then enforce. A general model of access control is that of an access matrix, the basic elements of which are: • Subject: An entity (typically a process) capable of accessing objects • Object: Anything to which access is controlled, eg files, portions of files, programs, memory segments • Access right: The way in which an object is accessed by a subject, eg read, write, and execute One axis of an access matrix consists of identified subjects that may attempt data access, the other lists objects that may be accessed, & each entry in the matrix indicates the access rights of that subject for that object. In practice, an access matrix is usually sparse and is implemented by decomposition in one of two ways. If decomposed by columns, you have access control lists, which list users & their permitted access rights for each object. If decomposed by rows it yields capability tickets, which specify authorized objects & operations for a user.
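The two decompositions in code, as an added example (not from the slides): a sparse access matrix stored row-wise, split by columns into per-object ACLs and by rows into per-subject capability tickets, with an object-side and a subject-side check and a function confirming both indexes give the same answers. Subjects, objects and rights are constructed.

```python
# Constructed access matrix: one row per subject, one column per object, each
# entry the set of access rights that subject holds on that object. Objects a
# subject has no rights on are simply absent (the matrix is sparse).
ACCESS_MATRIX = {
    "alice": {"file1": {"read", "write"}, "file3": {"read"}},
    "bob":   {"file1": {"read"}, "file2": {"read", "write", "execute"}},
    "proc7": {"file3": {"execute"}},
}


def access_control_lists(matrix: dict) -> dict:
    """Decompose by columns: one ACL per object, listing each subject and its rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_tickets(matrix: dict) -> dict:
    """Decompose by rows: one ticket list per subject, naming the objects and
    operations it is authorised for."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def acl_allows(acls: dict, subject: str, obj: str, right: str) -> bool:
    """Object-side check: the object's ACL is consulted (what a file server does)."""
    return right in acls.get(obj, {}).get(subject, set())


def ticket_allows(tickets: dict, subject: str, obj: str, right: str) -> bool:
    """Subject-side check: the subject presents its tickets (what a capability system does)."""
    return right in tickets.get(subject, {}).get(obj, set())


def decompositions_agree(matrix: dict, objects, rights=("read", "write", "execute")) -> bool:
    """Both decompositions answer every (subject, object, right) query identically,
    since each is only a different index over the same sparse matrix."""
    acls, tickets = access_control_lists(matrix), capability_tickets(matrix)
    return all(acl_allows(acls, s, o, r) == ticket_allows(tickets, s, o, r)
               for s in matrix for o in objects for r in rights)
```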
Page 67: UNIT 5 SYSTEM SECURITY

Access Control Matrix

Presenter
Presentation Notes
Stallings Figure 20.3a illustrates an access control matrix.
Page 68: UNIT 5 SYSTEM SECURITY

Trusted Computer Systems

• information security is increasingly important 

• have varying degrees of sensitivity of information

– cf military info classifications: confidential, secret etc

• subjects (people or programs) have varying rights of access to objects (information)

• known as multilevel security

– subjects have maximum & current security level

– objects have a fixed security level classification

• want to consider ways of increasing confidence in systems to enforce these rights

Presenter
Presentation Notes
Another widely applicable requirement is to protect data or resources on the basis of levels of security, as is commonly found in the military where information is categorized as unclassified (U), confidential (C), secret (S), top secret (TS), or higher. Here subjects (people or programs) have varying rights of access to objects (information) based on their classifications. This is known as multilevel security. A system that can be proved to enforce this is referred to as a trusted system.
Page 69: UNIT 5 SYSTEM SECURITY

Bell LaPadula (BLP) Model

• one of the most famous security models
• implemented as mandatory policies on system
• has two key policies:
• no read up (simple security property)

– a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object

• no write down (*‐property)
– a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object

Presenter
Presentation Notes
The general statement of the requirement for multilevel security is that a subject at a high level may not convey information to a subject at a lower or incompatible level unless that flow accurately reflects the will of an authorized user. This can be implemented using the Bell LaPadula Model, in which a multilevel secure system must enforce:
• No read up: A subject can only read an object of less or equal security level - Simple Security Property
• No write down: A subject can only write into an object of greater or equal security level - * (star) Property
These two rules, if properly enforced, provide multilevel security.
Page 70: UNIT 5 SYSTEM SECURITY

Reference Monitor

Presenter
Presentation Notes
Stallings Figure 20.4 illustrates the reference monitor as a controlling element in the h/w & O/S of a computer. It regulates access of subjects to objects on the basis of their security parameters. It has access to the security kernel database, which lists the access privileges (security clearance) of each subject & the protection attributes (classification level) of each object. The reference monitor enforces the security rules (no read up, no write down). It must have properties of:
• Complete mediation: security rules are enforced on every access
• Isolation: reference monitor & database are protected from unauthorized modification
• Verifiability: reference monitor’s correctness must be provable
These are stiff requirements, usually met only by a trusted system.
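An added example, serving both the Bell LaPadula slide and this reference monitor slide (it is not code from the slides or from Stallings): a minimal reference monitor that consults a security kernel database of subject clearances (maximum & current level) and fixed object classifications, enforces no read up and no write down on every request, and records each decision in an audit list. The levels, subjects and objects are constructed sample data.

```python
# Added example: a toy reference monitor enforcing the BLP rules.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # unclassified < ... < top secret

def dominates(a, b):
    """True if security level a is greater than or equal to level b."""
    return LEVELS[a] >= LEVELS[b]

class ReferenceMonitor:
    def __init__(self, clearances, classifications):
        # Security kernel database: subject -> [maximum, current] level,
        # object -> fixed classification. Current level starts at maximum.
        self.subjects = {s: [mx, mx] for s, mx in clearances.items()}
        self.objects = dict(classifications)
        self.audit = []   # complete mediation: every decision is recorded

    def set_current_level(self, subject, level):
        """A subject may lower its current level but never exceed its maximum."""
        maximum, _ = self.subjects[subject]
        if not dominates(maximum, level):
            raise PermissionError(f"{subject} may not operate above {maximum}")
        self.subjects[subject][1] = level

    def check(self, subject, obj, op):
        """Decide one access request; anything not explicitly allowed is denied."""
        current = self.subjects[subject][1]
        classification = self.objects[obj]
        if op == "read":      # simple security property: no read up
            allowed = dominates(current, classification)
        elif op == "write":   # *-property: no write down
            allowed = dominates(classification, current)
        else:                 # unknown operation: deny
            allowed = False
        self.audit.append((subject, current, op, obj, classification,
                           "allow" if allowed else "deny"))
        return allowed
```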
Page 71: UNIT 5 SYSTEM SECURITY

Evaluated Computer Systems

• governments can evaluate IT systems

• against a range of standards:
– TCSEC, ITSEC and now Common Criteria

• define a number of “levels” of evaluation with increasingly stringent checking

• have published lists of evaluated products
– though aimed at government/defense use
– can be useful in industry also

Presenter
Presentation Notes
Trusted systems need to be evaluated against a suitable set of criteria by an approved government agency. The original standard developed by the US DoD & NSA was TCSEC in the early 80’s. Later standards were developed by other countries, harmonized in the EU with ITSEC (which was also used in Australia), and now internationally with the Common Criteria. These standards define a number of “levels” of evaluation with increasingly stringent checking, to which an evaluation center evaluates commercially available products as meeting the security requirements specified, within a given functionality area. These evaluations are needed for Defense procurements but are published and freely available, & can serve as guidance to commercial customers for the purchase of commercially available, off-the-shelf equipment.
Page 72: UNIT 5 SYSTEM SECURITY

Common Criteria

• international initiative specifying security requirements & defining evaluation criteria

• incorporates earlier standards
– e.g. TCSEC, ITSEC, CTCPEC (Canadian), Federal (US)

• specifies standards for
– evaluation criteria
– methodology for application of criteria
– administrative procedures for evaluation, certification and accreditation schemes

Presenter
Presentation Notes
The Common Criteria (CC) for Information Technology and Security Evaluation is an international initiative by standards bodies in a number of countries to develop international standards for specifying security requirements and defining evaluation criteria. It provides standards for the evaluation criteria, the methodology for the application of these criteria, & the administrative procedures used for evaluation, certification and accreditation schemes.
Page 73: UNIT 5 SYSTEM SECURITY

Common Criteria

• defines set of security requirements
• have a Target Of Evaluation (TOE)
• requirements fall in two categories
– functional
– assurance

• both organised in classes of families & components

Presenter
Presentation Notes
The CC defines a common set of potential security requirements for use in evaluation. The term target of evaluation (TOE) refers to that part of the product or system that is subject to evaluation. The requirements fall in two categories:
• Functional requirements: define desired security behavior, have a set of security functional components that provide a standard way of expressing the security functional requirements for a TOE
• Assurance requirements: basis for gaining confidence that the claimed security measures are effective and implemented correctly
Both functional requirements and assurance requirements are organized into classes, being a collection of requirements that share a common focus or intent. Each of these classes contains a number of families which share security objectives, & in turn contain one or more components.
Page 74: UNIT 5 SYSTEM SECURITY

Common Criteria Requirements

• Functional Requirements
– security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path

• Assurance Requirements
– configuration management, delivery & operation, development, guidance documents, life cycle support, tests, vulnerability assessment, assurance maintenance

Presenter
Presentation Notes
The CC defines the broad functionality requirements to be addressed as shown, taken from Stallings Table 20.3. It also defines the assurance requirements, taken from Stallings Table 20.4.
Page 75: UNIT 5 SYSTEM SECURITY

Common Criteria

Presenter
Presentation Notes
The CC also defines two kinds of documents that can be generated using the CC-defined requirements:
• Protection profiles (PPs): define an implementation-independent reusable set of security requirements and objectives for a category of products or systems that meet similar consumer needs for IT security, reflecting user security requirements
• Security targets (STs): contain the IT security objectives and requirements of a specific identified TOE, define the functional and assurance measures offered by that TOE to meet stated requirements, and form the basis for an evaluation
Stallings Figure 20.6 illustrates the relationship between requirements and profiles and targets.
Page 76: UNIT 5 SYSTEM SECURITY

Common Criteria

Presenter
Presentation Notes
Stallings Figure 20.7 shows the security functional requirements paradigm. It is based on the reference monitor concept but makes use of the terminology and design philosophy of the CC.
Page 77: UNIT 5 SYSTEM SECURITY

Summary

• have considered:
– firewalls
– types of firewalls
– configurations
– access control
– trusted systems
– common criteria

Presenter
Presentation Notes
Chapter 20 summary.