
1. INTRUDERS

One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker. Hostile or unwanted access, whether over the network or locally, is a significant issue for networked systems.

Three classes of intruders can be identified:

Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
Intrusion Techniques

The intruder's aim is to increase the privileges available on the system. The basic attack methodology is:
- Target acquisition and information gathering
- Initial access
- Privilege escalation
- Covering tracks

A key goal is often to acquire passwords, so that the intruder can then exercise the access rights of the account owner.

Intrusion Detection

Security failures are inevitable, so intrusions must also be detected. Detection matters because:
- an intrusion that is detected quickly can be blocked before damage is done, and effective detection acts as a deterrent;
- information collected about intrusions can be used to improve security.
Intrusion detection assumes that an intruder behaves differently from a legitimate user, but the distinction between the two is imperfect.
Approaches to Intrusion Detection

a. Statistical Anomaly Detection
   Threshold detection: count the occurrences of a specific event over time; if the count exceeds a reasonable value, assume an intrusion. On its own this is a crude and ineffective detector.
   Profile based: characterize the past behaviour of users and detect significant deviations from this profile. A profile is usually multi-parameter.

b. Rule-Based Intrusion Detection
   Observe events on the system and apply rules to decide whether the activity is suspicious or not.
   Rule-based anomaly detection: analyze historical audit records to identify usage patterns and auto-generate rules for them, then observe current behaviour and match it against the rules to see whether it conforms. Like statistical anomaly detection, it does not require prior knowledge of security flaws.
Audit Records

Audit records are the fundamental tool for intrusion detection. Two kinds are used:
- Native audit records: part of all common multi-user operating systems and already present for use, but they may not hold the wanted information in the desired form.
- Detection-specific audit records: created specifically to collect the wanted information, at the cost of additional overhead on the system.

Audit Record Analysis

Audit record analysis is the foundation of the statistical approaches. Records are analyzed to obtain metrics over time (counter, gauge, interval timer, resource use), and various tests are applied to these metrics to determine whether current behaviour is acceptable: mean and standard deviation, multivariate, Markov process, time series, and operational tests. The key advantage is that no prior knowledge of security flaws is used.
Statistical Anomaly Detection

Threshold detection: counting the number of occurrences of a specific event type over an interval of time. Threshold analysis is a crude and ineffective detector of even moderately sophisticated attacks.

Profile based: characterize the past behaviour of users and detect significant deviations from this profile. A profile is usually multi-parameter.

The metrics useful for profile-based intrusion detection are the following:
- Counter: a non-negative integer that may be incremented. A count of certain event types is kept over a particular period of time.
- Gauge: used to measure the current value of some entity.
- Interval timer: the length of time between two related events.
- Resource utilization: the quantity of resources consumed during a specified period.

Various tests can be performed to determine whether current activity fits within acceptable limits:
- Mean and standard deviation: measure the mean and standard deviation of a parameter over some historical period. This test is applicable to a wide variety of counters, timers, and resource measures.
- Multivariate: the model is based on correlations between two or more variables.
- Markov process: used to establish transition probabilities among various states.
- Time series: the model focuses on time intervals, looking for sequences of events that happen too rapidly or too slowly.
- Operational: based on a judgment of what is considered abnormal rather than an automated analysis of past audit records.

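The counter metric and the mean-and-standard-deviation test above, worked through on a constructed audit log (added example, not from the page). The historical period is days 1 to 5, day 6 is tested against each user's profile, and the `sd_floor` guard is an assumption of this example, added because a perfectly regular history has a standard deviation of zero.

```python
import math
from collections import Counter

# Constructed audit records (not from the page), one per line: "<day> <user> <event>".
# Days 1-5 are the historical period; day 6 is the period under examination.
HISTORICAL = """\
1 alice login_fail
1 alice login_ok
1 bob login_ok
2 alice login_fail
2 alice login_fail
2 alice login_ok
2 bob login_ok
3 alice login_ok
3 bob login_ok
4 alice login_fail
4 alice login_ok
4 bob login_ok
5 alice login_fail
5 alice login_ok
5 bob login_ok
"""
CURRENT_DAY = "6 alice login_fail\n" * 7 + "6 alice login_ok\n6 bob login_fail\n6 bob login_ok\n"
AUDIT_RECORDS = HISTORICAL + CURRENT_DAY


def parse_records(text):
    """Turn the audit log text into (day, user, event) tuples."""
    return [(int(d), u, e) for d, u, e in (line.split() for line in text.strip().splitlines())]


def counter_metric(records, user, event_type, days):
    """Counter metric: occurrences of event_type per day for one user.
    Days on which nothing happened count as 0, which matters for the profile."""
    hits = Counter(d for d, u, e in records if u == user and e == event_type)
    return [hits.get(d, 0) for d in days]


def profile(samples):
    """Mean and (population) standard deviation of the historical samples."""
    mean = sum(samples) / len(samples)
    sd = math.sqrt(sum((x - mean) ** 2 for x in samples) / len(samples))
    return mean, sd


def is_anomalous(value, mean, sd, k=3.0, sd_floor=0.5):
    """Mean & SD test: flag when the value lies more than k standard deviations
    from the mean. sd_floor is an assumed guard: a perfectly regular history has
    sd == 0, and without the floor any single deviation would raise an alarm."""
    return abs(value - mean) > k * max(sd, sd_floor)


def analyze(text, user, event_type, hist_days, current_day):
    """Build the user's profile from hist_days and test current_day against it."""
    records = parse_records(text)
    mean, sd = profile(counter_metric(records, user, event_type, hist_days))
    value = counter_metric(records, user, event_type, [current_day])[0]
    return {"user": user, "value": value, "mean": mean, "sd": sd,
            "anomalous": is_anomalous(value, mean, sd)}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(analyze(AUDIT_RECORDS, user, "login_fail", range(1, 6), 6))
```

alice's seven failures on day 6 are flagged against a profile of about one per day; bob's single failure is not, because the floor keeps a zero-variance profile from alarming on one event.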
Rule-Based Intrusion Detection

Observe events on the system and apply rules to decide whether the activity is suspicious or not.

a. Rule-based anomaly detection
   Analyze historical audit records to identify usage patterns and auto-generate rules for them, then observe current behaviour and match it against the rules to see whether it conforms. Like statistical anomaly detection, it does not require prior knowledge of security flaws.

b. Rule-based penetration identification
   Uses expert-system technology, with rules identifying known penetrations, weakness patterns, or suspicious behaviour. The rules are usually machine- and OS-specific, and are generated by experts who interview security administrators and codify their knowledge; the quality of the rules depends on how well this is done. Audit records or system states are compared against the rules.
Base-Rate Fallacy

In practice an intrusion detection system needs to detect a substantial percentage of intrusions while keeping the false alarm rate low:
- if too few intrusions are detected, the system gives a false sense of security;
- if there are too many false alarms, they are ignored or waste administrators' time.
This is very hard to do, and existing systems do not seem to have a good record.

Distributed Intrusion Detection

The traditional focus is on single systems, but organizations typically have networked systems, and a more effective defense has these systems working together to detect intrusions. The issues are:
- dealing with varying audit record formats;
- integrity and confidentiality of the networked data;
- centralized or decentralized architecture.
Distributed Intrusion Detection - Architecture

The overall architecture consists of three main components:
- Host agent module: an audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
- LAN monitor agent module: operates in the same fashion as a host agent module, except that it analyses LAN traffic and reports the results to the central manager.
- Central manager module: receives reports from the LAN monitor and host agents and processes and correlates these reports to detect intrusion.

Distributed Intrusion Detection Agent Implementation

Honey pots

Honey pots are decoy systems designed to lure attackers:
- away from accessing critical systems;
- to collect information about their activities;
- to encourage the attacker to stay on the system long enough for administrators to respond.
These systems are filled with fabricated information and instrumented to collect detailed information on the attacker's activities. A honey pot may be a single system or multiple networked systems.

2. PASSWORD MANAGEMENT

Password Protection

The front-line defense against intruders is the password system. Virtually all multi-user systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. The ID provides security in the following ways:
- The ID determines whether the user is authorized to gain access to the system.
- The ID determines the privileges accorded to the user.
- The ID is used in what is referred to as discretionary access control.

Managing Passwords

Password management needs policies and good user education:
- Ensure every account has a default password.
- Ensure users change the default passwords to something they can remember.
- Protect the password file from general access.
- Set technical policies to enforce good passwords:
  - minimum length (> 6 characters);
  - require a mix of upper and lower case letters, numbers, and punctuation;
  - block known dictionary words.
- May reactively run password guessing tools; note that good dictionaries exist for almost any language or interest group.
- May enforce periodic changing of passwords.
- Have the system monitor failed login attempts, and lock out the account if it sees too many in a short period.
- Do need to educate users and get their support.
- Balance requirements with user acceptance.
- Be aware of social engineering attacks.

Password Selection Strategies

Many users choose a password that is too short or too easy to guess. At the other extreme, if the user is assigned a password consisting of eight randomly selected printable characters, password cracking is effectively impossible. Four basic techniques are in use:
- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking

a. User Education
   Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords. This strategy is unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover.

b. Computer-Generated Passwords
   Computer-generated passwords also create problems. If the password is quite random in nature, users will not be able to remember it. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down.

c. Reactive Password Checking
   A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any password that is guessed and notifies the user.

d. Proactive Password Checking
   The most promising approach to providing password security is the proactive password checker. In this scheme a user is allowed to select his or her own password, but at the time of selection the system checks whether the password is allowable. Possible rules for proactive checking are:
   - All passwords must be at least eight characters long.
   - In the first eight characters, the password must include at least one each of uppercase letters, lowercase letters, numeric digits, and punctuation marks.

Usually a user password or the password file is essential to an intruder.

Protection of the Password File
- One-way encryption: the system stores an encrypted form of the user's password and compares it with the encrypted output of the presented password.
- Access control: access to the password file is limited to one or a very few accounts.

UNIX PASSWORD SCHEME

Techniques for learning passwords
- Try default passwords used with standard accounts that are shipped with the system.
- Exhaustively try all short passwords (1 to 3 characters).
- Try words in the system's on-line dictionary or a list of likely passwords.
- Collect information about users (names, books, hobbies, etc.).
- Try users' phone numbers, Social Security numbers, and room numbers.
- Try all legitimate license plate numbers.
- Use a Trojan horse.
- Tap the line between a remote user and the host system.

crypt(3)
- The password is passed through 25 iterations of DES encryption; the repetition is deliberate, so that each guess costs time.

Salt
- Prevents duplicate passwords from being visible in the password file.
- Effectively increases the length of the password (by 2 characters).
- Prevents the use of a hardware implementation of DES, which would ease the difficulty of a brute-force guessing attack.

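The one-way, salted scheme just described, as an added example that is not the page's or crypt(3)'s own code: the stored entry format is an assumption of this example, PBKDF2-HMAC-SHA256 stands in for the 25-round DES, and the users and passwords are constructed. It shows why the salt matters: without it, two users who chose the same password are visible to anyone who can read the file.

```python
import hashlib
import hmac
import os

# Entry format is an assumption for this example (not crypt(3)'s own format):
# "<iterations>$<salt hex>$<hash hex>". PBKDF2-HMAC-SHA256 stands in for the
# 25-round DES of crypt(3); the salted, iterated, one-way structure is the same.
ITERATIONS = 100_000
FIXED_SALT = b"\x00" * 8   # used to imitate an unsalted file: the same salt for everyone


def make_entry(password, salt=None):
    """Store only a one-way transform of the password, never the password itself."""
    if salt is None:
        salt = os.urandom(16)           # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(entry, presented):
    """Re-run the transform with the stored salt and compare the outputs
    (constant-time compare so the check itself does not leak information)."""
    iterations, salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicates_visible(entries):
    """True if any two entries share a stored hash, i.e. someone reading the
    password file can tell that those users chose the same password."""
    hashes = [e.rsplit("$", 1)[1] for e in entries]
    return len(hashes) != len(set(hashes))


# Constructed users; alice and bob happen to pick the same password.
PASSWORDS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
UNSALTED = [make_entry(pw, salt=FIXED_SALT) for pw in PASSWORDS.values()]
SALTED = [make_entry(pw) for pw in PASSWORDS.values()]

if __name__ == "__main__":
    print("duplicates visible without salt:", duplicates_visible(UNSALTED))
    print("duplicates visible with salt:   ", duplicates_visible(SALTED))
    print("alice logs in:", verify(SALTED[0], "hunter2"))
```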
The Vulnerability of Passwords

There are two threats to the UNIX password scheme:
- Gaining access to a machine and then running a password guessing program on that machine, with little resource consumption.
- Obtaining a copy of the password file, so that a cracker program can be run on another machine.
It is not yet feasible to use a brute-force technique of trying all possible combinations of characters, so passwords must NOT be too short and NOT be too easy to guess.

Access Control
Access control denies the opponent access to the password file, but has several flaws:
- Many systems are susceptible to unanticipated break-ins.
- An accident of protection might render the password file readable.
- Some users use the same password on other machines.

The goal is to eliminate guessable passwords while allowing users to select memorable passwords. Four basic techniques:
- User education: users may ignore the guidelines or misunderstand what a strong password is.
- Computer-generated passwords: hard to remember even if they are pronounceable.
- Reactive password checking: the system periodically runs its password cracker to find guessable passwords. This is resource intensive, and unchecked passwords remain vulnerable.
- Proactive password checking: when a user selects his or her own password, the system checks to see whether the password is allowable.

Proactive Password Checking

Rule enforcement
- All passwords must be at least eight characters long.
- In the first eight characters, the password must include at least one each of uppercase letters, lowercase letters, numeric digits, and punctuation marks.

Compiling a large dictionary of bad passwords
- When a user selects a password, the system checks it against the dictionary.
- Drawback: large space (storage) and time consumption.

Two techniques for developing an effective and efficient password checker, both based on rejecting words on a list, show promise:
- Markov model
- Bloom filter

Markov Model

A Markov model is described by [m, A, T, k], where
- m : number of states
- A : state space
- T : matrix of transition probabilities
- k : order of the model (the probability of a character depends on the previous k characters)

Second-order Markov model

Calculating the transition matrix:
- A dictionary of guessable passwords is constructed.
- Determine the frequency matrix f(i,j,k), which is the number of occurrences of the trigram consisting of the ith, jth, and kth characters.
- For each bigram ij, calculate f(i,j,.) as the total number of trigrams beginning with ij.
- Compute the entries of T:
  T(i,j,k) = f(i,j,k) / f(i,j,.)
T reflects the structure of the words in the dictionary.

Is this a bad password? The question becomes: was this password generated by this model?
Passwords likely to be generated by the model are rejected.

3. VIRUSES AND RELATED THREATS

Malicious Programs

An overview of software threats, or malicious programs. These threats can be divided into two categories:
a. those that need a host program, and
b. those that are independent.

Taxonomy of Malicious Programs

a. Backdoor or Trapdoor
- A secret entry point into a program that allows those who know of it to gain access, bypassing the usual security procedures.
- Backdoors have been commonly used by developers.
- They are a threat when left in production programs, allowing exploitation by attackers; they are very hard to block at the OS level.

b. Logic Bomb
- One of the oldest types of malicious software.
- Code embedded in a legitimate program, activated when specified conditions are met, e.g. the presence or absence of some file, a particular date or time, or a particular user.
- When triggered it typically damages the system: modifies or deletes files or disks, halts the machine, etc.

c. Trojan Horse
- A program with hidden side effects: when invoked it performs some unwanted or harmful function.
- It is usually superficially attractive, e.g. a game, a software upgrade, etc.
- When run it performs some additional task that allows the attacker to indirectly gain access they do not have directly.
- Often used to propagate a virus or worm, to install a backdoor, or simply to destroy data. Example: mail the password file.

d. Zombie
- A program which secretly takes over another networked computer and then uses it to indirectly launch attacks, making it difficult to trace the zombie's creator.
- Often used to launch distributed denial of service (DDoS) attacks.
- Exploits known flaws in network systems.

e. Viruses
- A piece of self-replicating code attached to some other code.
- Attaches itself to another program and executes secretly when the host program is executed.
- Propagates itself and carries a payload: code to make copies of itself, as well as code to perform some covert task.
Virus Operation

Virus phases:
- Dormant phase: the virus is idle, waiting on a trigger event. It will eventually be activated by some event such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
- Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
- Triggering phase: the virus is activated to perform the function for which it was intended. It can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
- Execution phase: the function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Virus Structure (pseudocode)

program V :=
{
    goto main;
    1234567;
    subroutine infect-executable :=
    {
        loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop
        else prepend V to file;
    }
    subroutine do-damage :=
    {
        whatever damage is to be done
    }
    subroutine trigger-pulled :=
    {
        return true if condition holds
    }
    main: main-program :=
    {
        infect-executable;
        if trigger-pulled then do-damage;
        goto next;
    }
    next:
}

The line 1234567 is the virus's marker: infect-executable skips any file whose first line already carries it, so each file is infected only once.
Types of Viruses

Viruses can be classified on the basis of how they attack:
- Parasitic virus: attaches itself to executable files and replicates.
- Memory-resident virus: lodges in main memory and infects every program that executes.
- Boot sector virus: infects a boot record and spreads when the system is booted from the disk.
- Stealth virus: designed to hide itself from antivirus software.
- Polymorphic virus: a virus that mutates with every infection, making detection very difficult.
- Metamorphic virus: mutates with every infection, making detection by the signature of the virus impossible.

f. Email Virus
- Spreads using email with an attachment containing a macro virus.
- Triggered when the user opens the attachment, or worse, even when the mail is merely viewed, by using scripting features in the mail agent.
- Hence propagates very quickly.
- Usually targeted at the Microsoft Outlook mail agent and Word/Excel documents.

g. Worms
- A replicating but not infecting program (it does not attach itself to a program).
- Typically spreads over a network; the Morris Internet Worm of 1988 is the classic example.
- Spreads using the users' distributed privileges or by exploiting system vulnerabilities.
- Worms perform unwanted functions.
- Widely used by hackers to create zombie PCs, subsequently used for further attacks, especially DoS.
- A major issue is the lack of security of permanently connected systems, especially PCs.

To replicate itself, a network worm uses some sort of network vehicle:
- Electronic mail facility: a worm mails a copy of itself to other systems.
- Remote execution capability: a worm executes a copy of itself on another system.
- Remote login capability: a worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.
Worm Operation

A worm has phases like those of a virus:
- Dormant
- Propagation:
  - search for other systems to infect;
  - establish a connection to the target remote system;
  - replicate itself onto the remote system.
- Triggering
- Execution

h. Morris Worm
- The best-known classic worm.
- Released by Robert Morris in 1988.
- Targeted Unix systems.
- Used several propagation techniques:
  - simple password cracking of the local password file;
  - exploiting a bug in the finger daemon;
  - exploiting the debug trapdoor in the sendmail daemon.
- If any attack succeeded, it replicated itself on the new system.
4. VIRUS COUNTERMEASURES

The best countermeasure is prevention: do not allow a virus to get into the system in the first place. In general this is not possible, hence the need to do one or more of:
- Detection: of viruses in an infected system.
- Identification: of the specific infecting virus.
- Removal: restoring the system to a clean state.

Anti-Virus Software

First generation: simple scanners
- The scanner requires a virus signature to identify a virus. The signature may contain wildcards, but it matches essentially the same structure and bit pattern in all copies of the virus. Such signature-specific scanners are limited to the detection of known viruses.
- Another type of scanner maintains a record of the length of programs and looks for changes in length.

Second generation: heuristic scanners
- The scanner does not rely on a specific signature; it uses heuristic rules to search for probable virus infection. For example, the scanner looks for fragments of code that are often associated with viruses.

Third generation: activity traps
- Memory-resident programs that identify a virus by its actions rather than by its structure in an infected program.

Fourth generation: full-featured protection
- Packages with a variety of antivirus techniques, including scanning and activity-trap components.
- In addition they include access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
Advanced Anti-Virus Techniques

Generic Decryption (GD) Technology
GD enables the antivirus program to detect easily even the most complex polymorphic viruses while maintaining fast scanning speeds. When a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. To detect such a structure, executable files are run through a GD scanner, which contains the following elements:
- CPU emulator: a software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.
- Virus signature scanner: a module that scans the target code looking for known virus signatures.
- Emulation control module: controls the execution of the target code.
Digital Immune System (IBM)

The digital immune system is a comprehensive approach to virus protection developed by IBM. The motivation for this development has been the rising threat of Internet-based virus propagation. Two major trends in Internet technology have had an increasing impact on the rate of virus propagation in recent years:
- Integrated mail systems: systems such as Lotus Notes and Microsoft Outlook make it very simple to send anything to anyone and to work with objects that are received.
- Mobile-program systems: capabilities such as Java and ActiveX allow programs to move on their own from one system to another.

The system operates as follows:
1. A monitoring program on each PC uses a variety of heuristics based on system behaviour, suspicious changes to programs, or family signatures to infer that a virus may be present.
2. The monitoring program forwards a copy of any program thought to be infected to an administrative machine within the organization.
3. The administrative machine encrypts the sample and sends it to a central virus analysis machine.
4. This machine creates an environment in which the infected program can be safely run for analysis. Techniques used for this purpose include emulation, or the creation of a protected environment within which the suspect program can be executed and monitored.
5. The virus analysis machine then produces a prescription for identifying and removing the virus.
6. The resulting prescription is sent back to the administrative machine.
7. The administrative machine forwards the prescription to the infected client.
8. The prescription is also forwarded to other clients in the organization.
9. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

Behavior-Blocking Software
- Integrated with the host OS.
- Monitors program behaviour in real time for possibly malicious actions:
  - attempts to open, view, delete and/or modify files;
  - attempts to format disk drives and other unrecoverable disk operations;
  - modifications to the logic of executable files, scripts, or macros;
  - modifications of critical system settings, such as start-up settings;
  - scripting of e-mail and instant messaging clients to send executable content;
  - initiation of network communications.
- If such an action is detected, the blocker can block it, terminate the program, or ask the user for permission.
- Has an advantage over scanners, but the malicious code runs before it is detected.

5. FIREWALLS

5.1 FIREWALLS

A firewall can be an effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs and the Internet.

5.2 FIREWALL DESIGN PRINCIPLES

Evolution of information systems
- Centralized data processing system: a central mainframe plus directly connected terminals.
- LAN (local area network): interconnecting PCs, servers, terminals, and a mainframe.
- Premises network: consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two.
- Enterprise-wide network: consisting of distributed premises networks interconnected by a private WAN.
- Internet connectivity: the various premises networks all hook into the Internet.

Internet and firewalls
- Internet connectivity is no longer an option for most organizations.
- Establishing strong security features on all workstations and servers is not practical.
- The firewall is inserted between the premises network and the Internet to establish a controlled link.

Aims of a firewall
- Protecting the premises network from Internet-based attacks.
- Providing a single choke point where security and audit can be imposed.
5.3 FIREWALL CHARACTERISTICS

Design goals
- All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall).
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.
- The firewall itself is immune to penetration (use of a trusted system with a secure operating system).

General techniques
- Service control: determines the types of Internet services that can be accessed, inbound or outbound (filtering on IP address and service port number, e.g. Web or email service).
- Direction control: determines the direction in which particular service requests are allowed to flow through the firewall.
- User control: controls access to a service according to which user is attempting to access it (both local users and external users).
- Behavior control: controls how particular services are used (e.g. filtering e-mail to eliminate spam).

Firewall capabilities
- Defines a single choke point (security capabilities are consolidated on a single system).
- Provides a location for monitoring security-related events (auditing and alarming).
- Provides a convenient platform for some Internet functions (e.g. address translation, logging Internet usage).
- Can serve as the platform for IPSec (used to implement a VPN).

Firewall limitations
- Cannot protect against attacks that bypass it (e.g. dial-up access).
- Does not protect against internal threats (e.g. a disgruntled employee).
- Cannot protect against the transfer of virus-infected programs or files (because various OSs and applications are supported inside, it is impractical to scan all incoming files, emails, etc.).

5.4 TYPES OF FIREWALLS

Common types of firewalls:
a. Packet-filtering routers
b. Application-level gateways
c. Circuit-level gateways
d. Bastion host

a. Packet-Filtering Router

Filtering by rules
- Applies a set of rules to each IP packet and then forwards or discards the packet (in both directions).
- The packet filter is typically set up as a list of rules based on matches to fields in the IP or transport (TCP or UDP) header:
  - Source IP address: the IP address of the system that originated the IP packet.
  - Destination IP address: the IP address of the system the IP packet is trying to reach.
  - Source and destination transport-level address: the transport-level (e.g. TCP or UDP) port numbers, which define applications such as SNMP or TELNET.
  - IP protocol field: defines the transport protocol.
  - Interfaces: for a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for.
- If a match to a rule is found, the rule is invoked. If no match is found, a default policy is taken.

Default policies
- Discard: discard if not expressly permitted (tradeoff: ease of use versus security).
- Forward: forward if not expressly prohibited (tradeoff: ease of use versus security).

Example rule sets
- Example A: inbound mail is allowed, but only to a gateway host. However, mail from host SPIGOT is blocked.
- Example B: explicit statement of the default policy.
- Example C: any inside host can send mail to the outside. The problem with this rule is that the use of port 25 for SMTP receipt is only a default.
- Example D: this rule set achieves the intended result that was not achieved in C, by taking advantage of a feature of TCP connections (the ACK flag of a TCP segment).
- Example E: this rule set is one approach to handling FTP-like services with two connections (a control connection port and a data connection port). The third rule allows packets destined for a high-numbered port (non-servers) on an internal machine.

Advantages
- Simplicity
- Transparency to users
- High speed

Disadvantages
- Difficulty of dealing with applications at the packet-filtering level
- Difficulty of setting up packet filter rules correctly
- Lack of authentication

Possible attacks on packet-filtering routers and the appropriate countermeasures
- IP address spoofing: the attacker replaces the source address of packets with the address of a trusted internal host. Countermeasure: discard packets with an inside source address if the packet arrives on an external interface.
- Source routing attacks: the source station specifies the route that a packet should take as it crosses the Internet (in the hope that this will bypass security measures). Countermeasure: discard all packets that use the source route option.
- Tiny fragment attacks: the intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment (in the hope that only the first fragment is examined and the remaining ones are passed through). Countermeasure: discard all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1.

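A packet filter in the spirit of examples A and D, with the three countermeasures applied before the rule list (added example, not from the page). The addresses, the rule set, and the mapping of SPIGOT to a test address are all constructed for this example; the point to watch is that an unsolicited inbound segment to a high port is discarded while a reply (ACK set) to a connection opened from inside is permitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (not from the page): the private network, its mail
# gateway, and the address used here to stand for the blocked host SPIGOT.
INTERNAL_NET = ip_network("192.168.1.0/24")
MAIL_GATEWAY = "192.168.1.25"
SPIGOT = "203.0.113.5"


@dataclass
class Packet:
    iface: str            # "external" or "internal": interface the packet arrived on
    src: str
    dst: str
    proto: str            # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    frag_offset: int = 0  # IP fragment offset
    source_routed: bool = False


@dataclass
class Rule:
    action: str                 # "permit" or "discard"
    direction: str              # "in" (arriving from outside) or "out"
    src: str = "any"            # address, network, or "any"
    dst: str = "any"
    proto: str = "any"
    sport: str = "any"          # "any", a port number, or ">1023"
    dport: str = "any"
    ack: Optional[bool] = None  # None = don't care, True = ACK must be set


def addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def port_match(spec, port):
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def sanity_discard(pkt):
    """The three countermeasures from the page, applied before the rule list."""
    if pkt.iface == "external" and ip_address(pkt.src) in INTERNAL_NET:
        return "inside source address on external interface (spoofing)"
    if pkt.source_routed:
        return "source route option set"
    if pkt.proto == "tcp" and pkt.frag_offset == 1:
        return "TCP fragment with offset 1 (tiny fragment)"
    return None


def filter_packet(rules, pkt):
    """First matching rule wins; with no match the default policy is discard."""
    reason = sanity_discard(pkt)
    if reason:
        return "discard", reason
    direction = "in" if pkt.iface == "external" else "out"
    for n, r in enumerate(rules, 1):
        if (r.direction == direction
                and addr_match(r.src, pkt.src) and addr_match(r.dst, pkt.dst)
                and (r.proto == "any" or r.proto == pkt.proto)
                and port_match(r.sport, pkt.sport) and port_match(r.dport, pkt.dport)
                and (r.ack is None or r.ack == pkt.ack)):
            return r.action, f"rule {n}"
    return "discard", "default policy"


# Constructed rule set: inbound mail only to the gateway, nothing from SPIGOT,
# outbound mail from any inside host, and inbound packets to high ports only
# when they are replies (ACK set) to connections opened from inside.
RULES = [
    Rule("discard", "in", src=SPIGOT, proto="tcp", dport="25"),
    Rule("permit", "in", dst=MAIL_GATEWAY, proto="tcp", dport="25"),
    Rule("permit", "out", src=str(INTERNAL_NET), proto="tcp", dport="25"),
    Rule("permit", "in", dst=str(INTERNAL_NET), proto="tcp", dport=">1023", ack=True),
]

if __name__ == "__main__":
    probe = Packet("external", "198.51.100.9", "192.168.1.10", "tcp", 25, 8080, ack=False)
    reply = Packet("external", "198.51.100.9", "192.168.1.10", "tcp", 25, 40000, ack=True)
    print(filter_packet(RULES, probe), filter_packet(RULES, reply))
```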
b. Application-Level Gateway

Also called a proxy server.
- Acts as a relay of application-level traffic.
- If the gateway does not implement the proxy code for a specific application, the service is not supported.
- The gateway can be configured to support only specific features of an application.
- Authentication: the user is asked for the name of the remote host, a valid user ID, and authentication information.

Advantages
- More secure than packet filters.
- Only needs to scrutinize a few allowable applications (rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level).
- Easy to log and audit all incoming traffic at the application level.

Disadvantages
- Additional processing overhead on each connection (as the splice point, the gateway must examine and forward all traffic in both directions).

c. Circuit-Level Gateway

Types of circuit-level gateway
- A stand-alone system.
- A specialized function performed by an application-level gateway.

Security function
- The gateway relays TCP segments without examining the contents.
- The gateway determines which connections will be allowed.

Use of a circuit-level gateway
- Typical in a situation in which the system administrator trusts the internal users.
- The gateway can be configured to support:
  - application-level or proxy service on inbound connections, which incurs the overhead of examining incoming application data for forbidden functions;
  - circuit-level functions for outbound connections, which does not incur overhead on outgoing data.

Example implementation: the SOCKS package, defined in RFC 1928 (SOCKS version 5).

SOCKS components
- The SOCKS server (runs on a UNIX-based firewall).
- The SOCKS client library (runs on internal hosts).
- SOCKS-ified versions of several client programs (such as FTP and TELNET).

SOCKS procedure
1. The client opens a TCP connection to the SOCKS port (TCP 1080) on the SOCKS server.
2. The client performs authentication with the negotiated method.
3. The client sends a relay request.
4. After evaluating the request, the SOCKS server either establishes the connection or denies it.

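Steps 2 to 4 of the SOCKS procedure at the byte level, following the message layouts of RFC 1928 (added example, not the SOCKS package's own code). The gateway's policy (CONNECT to a set of allowed destination ports, nothing else) and the bind address in the success reply are assumptions of this example; the TCP connection itself is not opened, only the circuit-level decision is modelled.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Message layouts and codes from RFC 1928 (SOCKS version 5).
VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08


def select_method(greeting, server_methods):
    """Step 2: the client offers VER NMETHODS METHODS; the server answers VER METHOD,
    choosing the first of its own acceptable methods the client offered, or 0xFF."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed method-selection message")
    offered = set(greeting[2:])
    chosen = next((m for m in server_methods if m in offered), METHOD_NONE_ACCEPTABLE)
    return chosen, bytes([VER, chosen])


def parse_request(data):
    """Step 3: VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port)."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]                       # one length octet, then the name
        host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return cmd, host, struct.unpack("!H", rest)[0]


def build_reply(rep, bind_addr="0.0.0.0", bind_port=0):
    """VER REP RSV ATYP BND.ADDR BND.PORT (IPv4 bind address only, for brevity)."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + IPv4Address(bind_addr).packed
            + struct.pack("!H", bind_port))


def evaluate_request(data, allowed_ports):
    """Step 4: the gateway decides whether to relay the circuit without looking at
    the application data. Policy here (an assumption): CONNECT to the listed
    destination ports only. Actually opening the outbound TCP connection is not
    modelled; on success a constructed bind address is reported."""
    try:
        cmd, host, port = parse_request(data)
    except ValueError as exc:
        rep = REP_ATYP_NOT_SUPPORTED if "address type" in str(exc) else REP_GENERAL_FAILURE
        return None, build_reply(rep)
    if cmd != CMD_CONNECT:
        return (cmd, host, port), build_reply(REP_CMD_NOT_SUPPORTED)
    if port not in allowed_ports:
        return (cmd, host, port), build_reply(REP_NOT_ALLOWED)
    return (cmd, host, port), build_reply(REP_SUCCEEDED, "192.0.2.1", 40000)


if __name__ == "__main__":
    # Constructed exchange: client offers no-auth and username/password, then asks
    # to CONNECT to 203.0.113.10:80 (allowed) and to port 25 (denied by ruleset).
    print(select_method(b"\x05\x02\x00\x02", [METHOD_USERPASS, METHOD_NO_AUTH]))
    web = b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x00\x50"
    smtp = b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x00\x19"
    print(evaluate_request(web, {80, 443}), evaluate_request(smtp, {80, 443}))
```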
d. Bastion Host

A system identified by the firewall administrator as a critical strong point in the network's security. It serves as a platform for an application-level or circuit-level gateway.

Common characteristics
- A trusted system with a secure OS.
- Only the services considered essential are installed.
- Additional authentication is required to access the proxy services.
- Each proxy is configured to support only a subset of the standard application's command set.
- Each proxy is configured to allow access only to specific hosts.
- Each proxy maintains detailed audit information.
- Each proxy module is a very small software package specifically designed for network security.
- Each proxy is independent of other proxies.
- A proxy generally performs no disk access other than to read its initial configuration file.
- Each proxy runs as a non-privileged user in a private and secured directory.

5.5 FIREWALL CONFIGURATIONS

In addition to the simple configuration of a single system (single packet-filtering
router or single gateway), more complex configurations are possible.

Three common configurations


a. Screened host firewall with single-homed bastion
b. Screened host firewall with dual-homed bastion
c. Screened subnet firewall

a. Screened Host Firewall, Single-Homed Bastion

Consists of two systems


A packet-filtering router

Configured so that only packets from and to the bastion host are allowed to
pass through

A bastion host

Performs authentication and proxy functions.

Advantages
Greater security than single configurations

This configuration implements both packet-level and application-level
filtering (allowing for flexibility in defining security policy).

An intruder must generally penetrate two separate systems

Flexibility in providing direct Internet access

For public information server (such as a Web server), the router can be
configured to allow direct traffic from the Internet.

Disadvantages
If the router is completely compromised, traffic could flow directly through the
router between the Internet and the private network.

b. Screened Host Firewall, Dual-Homed Bastion

Physically prevents security breach of the previous configuration


Traffic between the Internet and other hosts on the private network has to flow
through the bastion host.
The advantages of the previous configuration are present here as well.

c. Screened Subnet Firewall

The most secure of the three configurations

Two packet-filtering routers are used (creating an isolated subnet)
Advantages
Three levels of defense to thwart intruders.
The outside router advertises only the existence of the screened subnet to the Internet
(internal network is invisible to the Internet).
The inside router advertises only the existence of the screened subnet to the internal
network (the systems on the inside network cannot construct direct routes to the
Internet).
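The packet-filtering router's policy in the screened host, single-homed bastion configuration, written out as a first-match rule set. This is an added example for these notes, not a configuration from any vendor's router: the addresses are constructed from the RFC 5737 documentation ranges, 192.0.2.2 stands for the bastion host and 192.0.2.80 for the public Web server that is allowed direct Internet traffic. Every other internal host is denied a direct path, which is exactly what a compromised router would undo.

```python
"""First-match packet-filter rules for the screened host (single-homed bastion)
configuration. Added example with constructed addresses; not vendor configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")    # private network (constructed)
BASTION = ipaddress.ip_network("192.0.2.2/32")         # bastion host (constructed)
WEB_SERVER = ipaddress.ip_network("192.0.2.80/32")     # public information server (constructed)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port


# First match wins; the last rule is the default deny.
SCREENED_HOST_RULES = [
    Rule("allow", ANY, BASTION),                  # inbound traffic only to the bastion
    Rule("allow", BASTION, ANY),                  # outbound traffic only from the bastion
    Rule("allow", ANY, WEB_SERVER, "tcp", 80),    # direct Internet access to the Web server
    Rule("deny", INTERNAL_NET, ANY),              # no other internal host reaches the Internet directly
    Rule("deny", ANY, ANY),                       # default deny
]


def filter_packet(src, dst, proto, dport, rules=SCREENED_HOST_RULES):
    """Return the action of the first rule matching (src, dst, proto, dport)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src_ip in rule.src and dst_ip in rule.dst
                and rule.proto in (None, proto)
                and rule.dport in (None, dport)):
            return rule.action
    raise RuntimeError("rule set has no default rule")


def compromised_router_rules():
    """What the notes' disadvantage looks like: an attacker who controls the router
    replaces the policy, and internal hosts and the Internet talk directly."""
    return [Rule("allow", ANY, ANY)]
```

Usage: filter_packet("192.0.2.50", "198.51.100.7", "tcp", 443) returns "deny" under the screened-host rules, because the internal host must go through the bastion, while the same call with rules=compromised_router_rules() returns "allow". The dual-homed bastion of configuration b removes this dependence on the router's rules by giving the internal network no other physical path.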

5.6 TRUSTED SYSTEMS

One way to enhance the ability of a system to defend against intruders and malicious
programs is to implement trusted system technology.
Data Access Control
Access control by OS
Through the user access control procedure (log on), a user can be
identified to the system
Associated with each user, there can be a profile that specifies
permissible operations and file accesses
The operating system can enforce rules based on the user profile (and
may grant a user permission to access a file or use an application with
no further security checks)
Access control by DBMS
Previous scheme is not sufficient for a system including sensitive data
in its database
The DBMS must control access to specific records or even portions of
records in the database
Access control models
a. Access matrix
b. Access control list
c. Capability list (Capability tickets).

a. Access Matrix

A general model of access control

Basic elements
Subject : An entity capable of accessing objects (generally a process
representing any user or application that gains access to an object).
Object : Anything to which access is controlled (e.g. files, portions of
files, programs and segments of memory)
Access right : The way in which an object is accessed by a subject
(e.g. read, write and execute)

b. Access Control List
Decomposition of the access matrix by columns
An access control list lists users (processes) and their permitted access
rights
The list may contain a default or public entry (defines the default set of
rights for users not explicitly listed)

c. Capability List

Decomposition of the access matrix by rows


A capability list (ticket) specifies authorized objects and operations
for a user (process)
Each user has a number of tickets and may be authorized to loan or
give them to others

Management of tickets
Tickets may be dispersed around the system, which presents a great security
problem
The ticket must be unforgeable
A solution : the OS holds all tickets in a region of memory
inaccessible to users
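The three models above in working form: a small access matrix, its column decomposition into access control lists (with the default entry), its row decomposition into capability lists, and a kernel-held ticket table that models the solution given for unforgeable tickets. This is an added example for these notes, not code from any operating system; the subjects, objects and rights are constructed, and "*" is the name chosen here for the ACL's default/public entry.

```python
"""Access matrix, ACLs (by column), capability lists (by row) and kernel-held
tickets. Added example with constructed subjects, objects and rights."""
from collections import defaultdict

# Constructed access matrix: (subject, object) -> set of access rights.
# The "*" subject is the default/public entry of an object's ACL.
ACCESS_MATRIX = {
    ("alice", "payroll.db"):   {"read", "write"},
    ("alice", "report.txt"):   {"read"},
    ("bob",   "report.txt"):   {"read", "write"},
    ("bob",   "backup.sh"):    {"execute"},
    ("*",     "bulletin.txt"): {"read"},
}


def access_control_lists(matrix):
    """Column decomposition: object -> {subject: rights}."""
    acl = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acl[obj][subject] = set(rights)
    return dict(acl)


def capability_lists(matrix):
    """Row decomposition: subject -> {object: rights}, i.e. the subject's tickets."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        if subject != "*":      # the public entry belongs to the object, not to a subject
            caps[subject][obj] = set(rights)
    return dict(caps)


def acl_permits(acl, subject, obj, right):
    """ACL check: the object's list, falling back to its default entry if present."""
    entries = acl.get(obj, {})
    rights = entries.get(subject, entries.get("*", set()))
    return right in rights


class TicketTable:
    """Capability tickets held by the OS in memory inaccessible to users.
    User code only ever sees an integer handle; the (object, rights) pair stays
    in this table, so a user can neither alter a ticket nor invent one."""

    def __init__(self):
        self._tickets = {}      # (owner, handle) -> (object, rights)
        self._next_handle = 0   # handles are unique across all subjects

    def issue(self, subject, obj, rights):
        handle = self._next_handle
        self._next_handle += 1
        self._tickets[(subject, handle)] = (obj, frozenset(rights))
        return handle

    def permits(self, subject, handle, right):
        """Mediated use of a ticket: the handle must belong to the presenting subject."""
        entry = self._tickets.get((subject, handle))
        return entry is not None and right in entry[1]

    def transfer(self, giver, handle, receiver):
        """Give a ticket to another subject (the notes allow loaning or giving tickets);
        the giver's handle is revoked and the receiver gets a fresh one."""
        obj, rights = self._tickets.pop((giver, handle))
        return self.issue(receiver, obj, rights)


def load_tickets(matrix):
    """Populate a TicketTable from the capability-list view; returns the handles issued."""
    table, handles = TicketTable(), {}
    for subject, objects in capability_lists(matrix).items():
        for obj, rights in objects.items():
            handles[(subject, obj)] = table.issue(subject, obj, rights)
    return table, handles
```

The ACL and capability checks answer the same question from the two decompositions; the ticket table shows why the kernel must hold capabilities: a handle presented by a subject that does not own it fails, and a transferred ticket stops working for the giver.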

The Concept of Trusted Systems

Multilevel security
Definition of multiple categories or levels of data
Commonly found in the military (information category : unclassified, confidential,
secret, top secret)
A subject at a high level may not convey information to a subject at a lower level
or noncomparable level unless that flow accurately reflects the will of an
authorized user.
Two rules of multilevel security

No read up : a subject can only read an object of less or equal security level
(simple security property)
No write down : a subject can only write into an object of greater or equal
security level (*-Property)
Reference monitor concept
Multilevel security for a data processing system

Reference monitor
Controlling element in the HW and OS of a computer that regulates the access of
subjects to objects on the basis of security parameters.
Accesses security kernel database
Enforces the security rules (no read up & no write down)

Security kernel database


A file that lists

Security clearance : the access privileges of each subject


Classification level : the protection attributes of each object.

Audit file
Stores important security events such as
Detected security violations
Authorized changes to the security kernel database.

Reference monitor properties


Complete mediation : the security rules are enforced on every access

Every access to data in memory, disk and tape must be mediated


Pure SW implementation : too high a performance penalty

Isolation : The reference monitor and database are protected from unauthorized
modification

It must not be possible for an attacker to change the logic of the reference
monitor or the contents of the security kernel database.

Verifiability : the reference monitor's correctness must be provable

It must be possible to demonstrate mathematically that the reference monitor
enforces the security rules and provides complete mediation and isolation

Trusted system
A system that can provide such verification

The Commercial Product Evaluation Program


The Computer Security Center (within the NSA) evaluates commercially available
products as meeting the security requirements.
The center classifies evaluated products according to the range of security features.
The evaluations are needed for DoD procurements but are published and freely
available.
The evaluations can serve as guidance to customers for the purchase of commercial
equipment

Trojan Horse Defense


Trojan horse attack

Secure, trusted operating systems are one way to secure against Trojan horse attacks

Security level assignment


Bob and Bob's data file : Sensitive (higher)
Alice and Alice's data file : Public (lower)
When the Trojan horse program attempts to store the string in the back-pocket file,
the *-Property (no write down rule) is violated
The attempt is disallowed by the reference monitor
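A reference monitor that enforces the two multilevel-security rules from the section above (no read up, no write down), keeps its security kernel database private and writes an audit file, followed by the Trojan horse scenario just described. This is an added example for these notes, not code from any trusted operating system: the levels, clearances, classifications and file contents are constructed, and the "back-pocket" file is modelled as an object classified Public and owned by Alice.

```python
"""Reference monitor enforcing no read up / no write down, with a security
kernel database and an audit file; then the notes' Trojan horse scenario.
Added example; all subjects, objects and levels are constructed."""


class ReferenceMonitor:
    """Every read and write goes through this object (complete mediation).
    The kernel database and the object store are private attributes, standing
    in for the isolation property; the audit list stands in for the audit file."""

    def __init__(self, levels, clearance, classification):
        self._rank = {name: i for i, name in enumerate(levels)}      # lowest level first
        self._clearance = dict(clearance)              # kernel database: subjects
        self._classification = dict(classification)   # kernel database: objects
        self._store = {obj: b"" for obj in classification}
        self.audit = []                                # audit file entries

    def _level(self, subject):
        return self._rank[self._clearance[subject]]

    def _class(self, obj):
        return self._rank[self._classification[obj]]

    def _log(self, subject, op, obj, allowed):
        self.audit.append((subject, op, obj, "allowed" if allowed else "VIOLATION"))
        return allowed

    def read(self, subject, obj):
        """Simple security property (no read up): object level <= subject level."""
        ok = self._class(obj) <= self._level(subject)
        self._log(subject, "read", obj, ok)
        return self._store[obj] if ok else None

    def write(self, subject, obj, data):
        """*-property (no write down): object level >= subject level."""
        ok = self._class(obj) >= self._level(subject)
        if ok:
            self._store[obj] = data
        return self._log(subject, "write", obj, ok)

    def reclassify(self, obj, level):
        """Authorized change to the kernel database; recorded in the audit file too."""
        self._classification[obj] = level
        self.audit.append(("security officer", "reclassify", obj, level))


def trojan_horse_scenario():
    """Bob (Sensitive) runs a Trojan horse that tries to copy his data into the
    back-pocket file owned by Alice (Public). Returns what happened."""
    monitor = ReferenceMonitor(
        levels=["public", "sensitive"],
        clearance={"alice": "public", "bob": "sensitive"},
        classification={"bob_data": "sensitive", "back_pocket": "public"},
    )
    monitor.write("bob", "bob_data", b"constructed-secret-string")
    # The Trojan horse runs with Bob's clearance, so reading his own file is allowed...
    stolen = monitor.read("bob", "bob_data")
    # ...but storing it in the lower-level back-pocket file is a write down.
    leaked = monitor.write("bob", "back_pocket", stolen)
    # Alice may read her own file, but it never received the data.
    alice_sees = monitor.read("alice", "back_pocket")
    return {"leaked": leaked, "alice_sees": alice_sees, "audit": monitor.audit}
```

Note that the *-property says nothing about writing up: a Public subject may append to a Sensitive file without being able to read it back, and a Sensitive subject may read Public data. The denied write is what ends up in the audit file as a detected security violation.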
