1 / 18

Chapter 7

Chapter 7. Multilevel Security What can everyone learn from military and government application security. Military. Huge amount of money spent on research for Computer Science Products developed will find themselves in commercial applications Commercial systems use multilevel security

curt
Télécharger la présentation

Chapter 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7 Multilevel Security What can everyone learn from military and government application security

  2. Military • Huge amount of money spent on research for Computer Science • Products developed will find themselves in commercial applications • Commercial systems use multilevel security • Multilevel systems also applied where not necessary or required

  3. Security Policy • What it a Security Policy • Who determines need-to-know and how • How is it enforced what are the consequences • How do we detect breaches

  4. Bell-LaPadula Security Policy Model (BLP) • Classifications and Clearances • Rules and controls built around these clearances including software • Known as MultiLevel Security (MLS) • Basic property is information can not flow downward. • No Read Up (NRU) • No Write Down (NWD) • High Water Mark • Role based access Control (RBAC)

  5. Biba Model • Confidentiality integrity are dual concepts • Confidentiality who can read • Integrity who can write • Often need to protect integrity with no concern for confidentiality • Read up • Write down • Used to build many systems • Often called using low-water mark • LOMAC Linux extension uses it

  6. MultiLevel security systems • Secure communications Processor SCOMP 1983 DOD sponsored • MLS Unix • NRL Pump • Logistics information • Purple Penelope • Future

  7. What goes wrong • Composability • Cascade problem • Covert channels • Threat from virus • Polyinstantiation • MLS systems very costly • Application software needs to re-written to run on MLS system • Others issues pointed out pages 156-157

  8. Broader implications of MLS • MLS and it’s development and funding has spun off a lot of useful ideas • The biggest hole in secure systems remain people • Government and it’s levels of bureaucracy and secrecy will remain an issue for any system

  9. Discussion • What are some current security models and how are they being used • LOMAC and Linux • MLS based firewalls

  10. Discussion articles • http://www.cisilion.com/netforensics.htm • http://www.sans.org/rr/whitepapers/tools/408.php - Firewalls, by "area" •             - ecommerce •             - inside out •             - partners • - Intrusion detection •             - 40,000 day one • - Forensic server product • - All outside web content cached •             - check for malware before caching • - Level 7 switches for load balancing web traffic

  11. Discussion articles • Google Chinese site: • Interesting way to rebel against censorship… • http://www.eweek.com/article2/0,1895,1917739,00.asp • Current situation and stance: http://www.progressiveu.org/161618-google-china-vs-google-usa • IPv6 • http://www.ipv6.ru/docs/ebsco/fulltext14.htm   Privacy issues of IPv6 • http://www.internetnews.com/infra/article.php/3570211  -- Cost of IPv6 • http://www.larta.org/lavox/articlelinks/2004/041129_ipv6.asp -- Older article but great reasons to adopt IPv6. • http://www.tcpipguide.com/free/t_IPv6InterfaceIdentifiersandPhysicalAddressMapping.htm IPv6 addressing scheme • Threat modeling • http://www.theserverside.net/news/thread.tss?thread_id=33973 • http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx

  12. List of Resources • Bell-LaPadula • http://en.wikipedia.org/wiki/Bell-LaPadula_model • http://www.cs.unc.edu/~dewan/242/f96/notes/prot/node13.html • http://courses.cs.vt.edu/~cs5204/fall99/protection/harsh/

  13. List of Resources • Multi Level Security • http://en.wikipedia.org/wiki/Multi-level_security • http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html • http://nsi.org/Library/Compsec/sec0.html • http://www.smat.us/crypto/mls/index.html

  14. List of Resources • Role Based Access Control • http://csrc.nist.gov/rbac/NIST-ITL-RBAC-bulletin.html • http://csrc.nist.gov/rbac/ • http://en.wikipedia.org/wiki/RBAC

  15. List of Resources • Biba model • http://en.wikipedia.org/wiki/Biba_model • http://en.wikipedia.org/wiki/Biba_Integrity_Model • http://www.answers.com/topic/biba-integrity-model

  16. List of Resources • LOMAC • http://linas.org/mirrors/opensource.nailabs.com/2002.02.28/lomac/ • http://alum.wpi.edu/~tfraser/Software/LOMAC/index.html • http://freshmeat.net/projects/lomac

  17. List of Resources • SCOMP • http://users.tkk.fi/~lhuovine/study/secbas98/skernel.html • http://www.stsc.hill.af.mil/crosstalk/2005/08/0508Vanfleet_etal.html • http://www.windowsecurity.com/whitepaper/NCSCTG007_Burgundy_book_.html

  18. List of Resources • MLS Unix • http://www.cs.dartmouth.edu/~doug/IX/ • http://citeseer.ist.psu.edu/mcilroy92multilevel.html • NRL pump/Purple Penelope • http://www.networkpenetration.com/adv_steg_posix_flock.html • http://www.security-protocols.com/modules.php?name=News&file=print&sid=1360

More Related