Bishop: Chapter 27 System Security
csci5233 Computer Security
Outline
• Various systems require different configurations and administration.
  • web server system, development system, corporate data system, …
• Policy
• System Administration
• Networks
• Users
• Authentication
• Processes
• Files
Sample Network Organization (from Chapter 26, network security)
[Diagram; labels recovered from the slide:]
• Internet
• Outer firewall
• Demilitarized Zone (DMZ): DNS server (DMZ), mail server, web server, log server
• Inner firewall
• Intranet: DNS server (internal), mail server, corporate data subnet, customer data subnet, development subnet
Policy
• Limited services
  • Traffic filtering: All incoming web connections and all replies must pass through the outer firewall.
  • Authentication: All users (administrators, developers) log in from an internal trusted server running SSH. Only connections made through the firewall over the HTTP and HTTPS ports, and those from the internal trusted server, are accepted.
Policy
• Limited services (cont.)
  • No local updates: Web pages are never updated locally. New pages are downloaded through the SSH tunnel.
  • Log transmission: Log messages are transmitted to the DMZ log server only.
  • DNS query: The web server may query the DMZ DNS system for IP addresses.
Policy (cont.)
• Other than the services expressly mentioned above, no network services are provided by the web server.
  • Rationale: this prevents a compromised web server from being used by attackers as a jumping-off point for attacks on the network or the other servers.
Policy (cont.)
• Data generated by the web server (e.g., by a CGI script or a Java servlet) are enciphered and then written into a spooling area, which can only be retrieved by a trusted internal host using the SSH tunnel. The public key of the principal who will decipher the data must reside on the web server.
• Web server services must be implemented correctly (high assurance).
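One way to realize the enciphered spool described above, written here as an added example (not from Bishop's text or these slides): the web server holds only the public key of the principal who will decipher the spool, wraps a fresh per-record AES-256-GCM key with RSA-OAEP, and writes the envelope; the private key stays on the trusted internal host. The envelope layout, the 12-byte nonce size and the function names SpoolRecord, RetrieveRecord and newGCM are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope (constructed for this example): OAEP-wrapped AES-256 key (pub.Size() bytes) | 12-byte nonce | GCM ciphertext+tag.
const nonceSize = 12
// SpoolRecord runs on the web server, which holds only the public key of the principal who will
// decipher the spool, so a compromised server cannot read back what it has already spooled.
func SpoolRecord(pub *rsa.PublicKey, record []byte) ([]byte, error) {
	buf := make([]byte, 32+nonceSize) // fresh AES-256 key in buf[:32], GCM nonce in buf[32:]
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, buf[32:]...), buf[32:], record, nil), nil
}
// RetrieveRecord runs on the trusted internal host after the envelope has been
// pulled over the SSH tunnel; the private key never leaves that host.
func RetrieveRecord(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	n := priv.PublicKey.Size()
	if len(env) < n+nonceSize {
		return nil, rsa.ErrDecryption // truncated or malformed envelope
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env[:n], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env[n:n+nonceSize], env[n+nonceSize:], nil) // tag check catches tampering
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```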
Networks
• The principle of separation of privilege:
  • Access to the web server should be limited even when the firewalls fail.
  • The firewall and the SSH tunnel together ensure that only connections made through the firewall over the HTTP and HTTPS ports, and those from the internal trusted server, are accepted.
  • All connections from other sources should be blocked.
  • All attempts to connect should be monitored.
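The "limited services" policy and the Networks rules above, written as a small allow-list that also logs every attempt; this is an added example, not code from the slides or from Bishop. The host addresses, the syslog port and the names Attempt, Evaluate and Audit are constructed for this example.

```go
package main
import "fmt"
// Hosts from the chapter's sample network; the addresses and the syslog port
// are constructed placeholders for this example.
const (
	WebServer    = "10.0.1.10" // in the DMZ
	DMZLogServer = "10.0.1.20"
	DMZDNSServer = "10.0.1.30"
	AdminHost    = "10.0.2.5" // internal trusted host running SSH
	SyslogPort   = 514
)
// Attempt is one connection attempt seen by the web server (Port is the destination port).
type Attempt struct {
	Src, Dst string
	Port     int
}
// Evaluate applies the "limited services" policy: anything not expressly permitted is denied.
func Evaluate(a Attempt) (allowed bool, reason string) {
	switch {
	case a.Dst == WebServer && (a.Port == 80 || a.Port == 443):
		return true, "public HTTP/HTTPS via the outer firewall"
	case a.Dst == WebServer && a.Port == 22 && a.Src == AdminHost:
		return true, "SSH from the trusted internal host"
	case a.Src == WebServer && a.Dst == DMZLogServer && a.Port == SyslogPort:
		return true, "log transmission to the DMZ log server"
	case a.Src == WebServer && a.Dst == DMZDNSServer && a.Port == 53:
		return true, "DNS query to the DMZ DNS server"
	}
	return false, "not an expressly permitted service"
}

// Audit returns one log line per attempt, so denied probes are recorded rather than silently dropped.
func Audit(attempts []Attempt) []string {
	var lines []string
	for _, a := range attempts {
		ok, reason := Evaluate(a)
		lines = append(lines, fmt.Sprintf("allowed=%t %s->%s:%d (%s)", ok, a.Src, a.Dst, a.Port, reason))
	}
	return lines
}

func main() {
	// Constructed sample traffic matching the questions on the Networks slide:
	// FTP from the Internet, SSH "from home" without the tunnel, SSH via the trusted host.
	sample := []Attempt{{"203.0.113.7", WebServer, 21}, {"198.51.100.9", WebServer, 22}, {AdminHost, WebServer, 22}}
	for _, l := range Audit(sample) {
		fmt.Println(l)
	}
}
```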
Networks
• Questions:
  • Should FTP connections from the Internet be accepted by the web server?
  • What about TELNET connections?
  • What if the web server administrator wants to work from home?
  • Should connections from an internal host be accepted?
Users
• A valid assumption: the web server may be compromised.
• The number of user accounts on the web server should be minimal (the least privilege principle).
• Users:
  • Sysadmin
  • User 1: A user with enough privileges to read (and serve) web pages and to write to the web server transaction area
  • User 2: A user who can move files from the web transaction area to the commerce transaction spooling area
Users
• Questions:
  • Should multiple system administrator accounts be created (one for each administrator)?
  • If yes, how can the actions of each administrator be logged (for the sake of accountability)?
  • What are the advantages and disadvantages?
Authentication
• The SSH server uses cryptographic authentication to ensure that the source of the connection to the web server is the trusted internal administrative host.
• Other authentication methods may also be used: smart cards, biometrics, one-time passwords, etc.
• Should authenticated external access be allowed?
Processes
• Each process running on the system is a potential vulnerability. Why?
• The web server system should run a minimal set of processes:
  • Web server process: to serve web pages
  • Commerce server: to support commerce operations
  • SSH server
  • Login server
  • Any essential OS services
• Unnecessary processes/services should be disabled.
Processes
• Issues:
  • Level of privilege assigned to each process:
    • SSH server: sysadmin privileges
    • Login server: sysadmin privileges
    • Web server: minimal privileges to read the web pages, plus the privilege to invoke scripts
    • The scripts: read web pages, write transaction data, communicate with the DBMS
    • Commerce server: privileges to copy transaction files from the web server area to the transaction spooling area
Processes
• Issues (cont.):
  • File access
    • File system access control lists (ACLs) should function effectively.
    • Be aware that the chroot system call in UNIX may be a vulnerability, allowing a malicious process to gain illegal access to the file system.
  • Inter-process communication
    • Processes should be able to communicate only through known, well-defined communication channels.
Files
• Types of files:
  • The web pages
  • Log files
  • Spooling area for the e-commerce transactions
  • Program and configuration files
• The system programs and configuration files will not change. They can be stored on a CD-ROM to prevent alteration.
Files
• Questions:
  • Should the CGI scripts be stored on the CD-ROM?
  • What about the web pages?
  • What files must be on a hard drive?
  • How often should the transaction data be transferred off the web server?
Summary
• The web server in the DMZ runs a minimal set of services.
• Unalterable media (e.g., CD-ROM) for the system programs and configuration files.
• The web server process must accept connections from any host on the Internet (public connections).
• The outer firewall can be configured to prevent DoS attacks from the Internet.
• Except for the web server process, the system accepts only enciphered, authenticated connections from a known, trusted host by known, trusted users (SSH connections).
Summary (cont.)
• The web server and other servers in the DMZ run with minimal privileges.
• Unnecessary services and programs are removed from the system so they cannot be run accidentally.
• Direct communication between the web server and the backend servers is not allowed; a spooling area or proxy server is used to transfer data between the two sides.
• Data collected by the web server (such as transaction files) are protected by encryption.
• Administrative access to the web server is allowed only via a trusted host plus authentication.
Next
• Potential research areas:
  • Network security
  • Web security
  • Wireless security
  • Web services security
  • . . .