Bishop: Chapter 27 System Security - PowerPoint PPT Presentation

Slides: 21
Provided by: sceUhclE
Transcript and Presenter's Notes

1
Bishop Chapter 27: System Security
2
Outline
  • Various systems require different configurations
    and administration: a web server system, a
    development system, a corporate data system, ...
  • Policy
  • System Administration
  • Networks
  • Users
  • Authentication
  • Processes
  • Files

3
Sample Network Organization (from chapter 26,
net security)
  [Figure: network diagram]
  • Internet → Outer Firewall → Demilitarized Zone
    (DMZ): DNS server (DMZ), mail server, web server,
    log server
  • Inner Firewall → Intranet: internal DNS server,
    internal mail server, corporate data subnet,
    customer data subnet, development subnet
4
Policy
  • Limited services
  • Traffic filtering: All incoming web connections
    and all replies must pass the outer firewall.
  • Authentication: All users (administrator,
    developers) log in from an internal trusted
    server running SSH.
  • → Only connections made through the firewall over
    the HTTP and HTTPS ports, and those from the
    internal trusted server, are accepted.

5
Policy
  • Limited services (cont.)
  • No local updates: Web pages are never updated
    locally. New pages are downloaded through the SSH
    tunnel.
  • Log transmission: Log messages are transmitted to
    the DMZ log server only.
  • DNS query: The web server may query the DMZ DNS
    system for IP addresses.

6
Policy (cont.)
  • Other than those services expressly mentioned
    above, no other network services are provided by
    the web server.
  • → Rationale: to prevent a compromised web server
    from being used by attackers as a stepping stone
    for attacks on the network or the other servers.

7
Policy (cont.)
  • Data generated by the web server (e.g., by a CGI
    script or a Java servlet) are enciphered and then
    written into a spooling area, which can only be
    retrieved by a trusted internal host using the
    SSH tunnel. The public key of the principal who
    will decipher the data must reside on the web
    server; the corresponding private key never does,
    so a compromise of the web server does not expose
    data already spooled.
  • Web server services must be implemented
    correctly. → high assurance
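The spooling scheme above, as an added example (not code from the chapter or from the slides' author): the web server holds only the RSA public key and seals each transaction record with a fresh AES-256-GCM key that is wrapped with RSA-OAEP; the private key, and therefore the ability to read the spool, exists only on the trusted internal host. The record format, the OAEP label and the sample record are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this record format (an assumption of
// this example, not a format from the chapter).
var oaepLabel = []byte("spool-record-v1")

// NewInternalHostKey generates the key pair on the trusted internal host.
// Only the public half is ever copied to the web server.
func NewInternalHostKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the web server, which holds only the public key. Blob layout:
// [2-byte wrapped-key length][wrapped key][12-byte nonce][ciphertext||tag].
// The wrapped key is also authenticated as GCM associated data, so it cannot
// be swapped between records without detection.
func Seal(pub *rsa.PublicKey, record []byte) ([]byte, error) {
	key := make([]byte, 32) // fresh AES-256 key per record
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, record, wrapped)
	blob := make([]byte, 2, 2+len(wrapped)+len(nonce)+len(ct))
	binary.BigEndian.PutUint16(blob, uint16(len(wrapped)))
	blob = append(blob, wrapped...)
	blob = append(blob, nonce...)
	blob = append(blob, ct...)
	return blob, nil
}

// Open runs on the trusted internal host, the only place the private key
// exists. Truncated or tampered blobs are rejected, never partially decoded.
func Open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	wrapped := blob[2 : 2+n]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	rest := blob[2+n:]
	if len(rest) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("truncated ciphertext")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	record, err := gcm.Open(nil, nonce, ct, wrapped)
	if err != nil {
		return nil, fmt.Errorf("record rejected: %w", err)
	}
	return record, nil
}

func main() {
	priv, err := NewInternalHostKey()
	if err != nil {
		panic(err)
	}
	record := []byte("order=1001;card=****1234;amount=49.90") // constructed sample
	blob, err := Seal(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("spooled %d bytes; nothing on the web server can read them back\n", len(blob))
	out, err := Open(priv, blob)
	fmt.Printf("internal host recovered %q (err=%v)\n", out, err)
	blob[len(blob)-1] ^= 0x01 // simulate tampering in the spool
	_, err = Open(priv, blob)
	fmt.Println("tampered blob:", err)
}
```

What encryption does and does not buy here: a record is protected from the moment it is sealed, so an intruder who later takes the web server cannot read the backlog in the spool; records generated after the compromise are still exposed inside the CGI script before sealing, which is why the transfer interval asked about under Files matters.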

8
Networks
  • The principle of separation of privilege:
    access to the web server should be limited even
    when the firewalls fail (so the web server host
    must enforce the restriction itself, not rely on
    the firewalls alone).
  • The firewall and the SSH tunnel ensure that only
    connections made through the firewall over the
    HTTP and HTTPS ports, and those from the internal
    trusted server, are accepted.
  • All connections from other sources should be
    blocked.
  • All attempts to connect should be monitored.
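The web server's own connection policy, written out as an added example (not code from the chapter): a host-based decision function for new connections that accepts 80/443 from anywhere, SSH only from the trusted internal server, syslog only to the DMZ log server and DNS only to the DMZ DNS server, and logs every attempt whether accepted or not. The addresses, the use of UDP/514 for syslog, and the sample attempts are assumptions of this example; the batch of attempts includes the four cases the next slide asks about.

```go
package main

import (
	"fmt"
	"net"
)

// Direction of a connection attempt relative to the web server.
type Direction int

const (
	Inbound  Direction = iota // a remote host connecting to the web server
	Outbound                  // the web server connecting out
)

// Conn is one new connection attempt. Replies on established connections
// are handled by connection tracking and never reach the policy.
type Conn struct {
	Dir   Direction
	Peer  net.IP // source address for inbound, destination for outbound
	Port  int    // local port for inbound, remote port for outbound
	Proto string // "tcp" or "udp"
}

// Policy names the hosts the chapter's rules refer to. The addresses are
// assumptions for this example (RFC 5737 documentation ranges).
type Policy struct {
	TrustedAdminHost net.IP // internal server from which admins and developers SSH in
	DMZLogServer     net.IP // the only destination for log messages
	DMZDNSServer     net.IP // the only resolver the web server may query
}

// Decide applies the policy to one attempt and returns whether it is
// accepted plus a reason suitable for the log line.
func (p Policy) Decide(c Conn) (bool, string) {
	switch c.Dir {
	case Inbound:
		switch {
		case c.Proto == "tcp" && (c.Port == 80 || c.Port == 443):
			return true, "public web connection"
		case c.Proto == "tcp" && c.Port == 22 && c.Peer.Equal(p.TrustedAdminHost):
			return true, "SSH from the trusted internal server"
		}
		return false, fmt.Sprintf("no inbound service on %s/%d", c.Proto, c.Port)
	case Outbound:
		switch {
		case c.Proto == "udp" && c.Port == 514 && c.Peer.Equal(p.DMZLogServer):
			return true, "syslog to the DMZ log server"
		case c.Port == 53 && c.Peer.Equal(p.DMZDNSServer):
			return true, "DNS query to the DMZ DNS server"
		}
		return false, fmt.Sprintf("outbound %s/%d not permitted", c.Proto, c.Port)
	}
	return false, "unknown direction"
}

// Audit evaluates a batch of attempts and returns one log line per attempt.
// Every attempt is recorded, accepted or not, as the policy requires.
func Audit(p Policy, attempts []Conn) []string {
	lines := make([]string, 0, len(attempts))
	for _, c := range attempts {
		ok, why := p.Decide(c)
		verdict, dir := "DENY", "in from"
		if ok {
			verdict = "ACCEPT"
		}
		if c.Dir == Outbound {
			dir = "out to"
		}
		lines = append(lines, fmt.Sprintf("%s %s %s %s/%d: %s", verdict, dir, c.Peer, c.Proto, c.Port, why))
	}
	return lines
}

func main() {
	p := Policy{
		TrustedAdminHost: net.ParseIP("192.0.2.10"),
		DMZLogServer:     net.ParseIP("198.51.100.20"),
		DMZDNSServer:     net.ParseIP("198.51.100.53"),
	}
	// Constructed attempts: a customer, FTP and TELNET from the Internet,
	// the administrator from home, another internal host, the trusted
	// server, a log message, and the web server trying to send mail.
	attempts := []Conn{
		{Inbound, net.ParseIP("203.0.113.7"), 443, "tcp"},
		{Inbound, net.ParseIP("203.0.113.7"), 21, "tcp"},
		{Inbound, net.ParseIP("203.0.113.7"), 23, "tcp"},
		{Inbound, net.ParseIP("203.0.113.99"), 22, "tcp"},
		{Inbound, net.ParseIP("192.0.2.33"), 22, "tcp"},
		{Inbound, net.ParseIP("192.0.2.10"), 22, "tcp"},
		{Outbound, net.ParseIP("198.51.100.20"), 514, "udp"},
		{Outbound, net.ParseIP("203.0.113.7"), 25, "tcp"},
	}
	for _, line := range Audit(p, attempts) {
		fmt.Println(line)
	}
}
```

The same decisions would be expressed in production as the host's packet filter rules; keeping the deny-by-default shape and the log on every denied attempt is what makes the host a second line of defence when a firewall rule is wrong.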

9
Networks
  • Questions
  • Should FTP connections from the Internet be
    accepted by the web server?
  • How about TELNET connections?
  • What if the web server administrator wants to
    work from home?
  • Should connections from an internal host be
    accepted?

10
Users
  • A valid assumption: the web server may be
    compromised.
  • The number of user accounts on the web server
    should be minimal (the least privilege
    principle).
  • Users:
  • Sysadmin
  • User 1: a user with enough privileges to read
    (and serve) web pages and to write to the web
    server transaction area
  • User 2: a user who can move files from the web
    transaction area to the commerce transaction
    spooling area

11
Users
  • Questions
  • Should multiple system administrator accounts be
    created (one for each administrator)?
  • If yes, how can the actions of each
    administrator be logged (for the sake of
    accountability)?
  • What are the advantages / disadvantages?

12
Authentication
  • The SSH server uses cryptographic authentication
    to ensure the source of the connection to the web
    server is the trusted internal administrative
    host.
  • Other authentication methods may be used as well:
    smart cards, biometrics, one-time passwords, etc.
  • Authenticated external access?
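One way to configure the SSH server on the web server to match the slide, as an added example (not a configuration from the chapter): key-based authentication only, accounts accepted only when they arrive from the trusted internal host, and verbose logging so that each login is tied to a specific key. The address 192.0.2.10 and the account names are assumptions; the `user@host` form of `AllowUsers`, `LogLevel VERBOSE` and the other directives are standard OpenSSH sshd_config keywords.

```text
# Fragment of /etc/ssh/sshd_config on the DMZ web server (added example).
# Assumed address: 192.0.2.10 is the trusted internal administrative host.
# sshd_config does not take trailing comments, so each note is on its own line.

# Keys only: nothing to guess, phish or replay.
PubkeyAuthentication yes
PasswordAuthentication no
# On OpenSSH older than 8.7 this keyword is spelled ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
PermitRootLogin no

# Named accounts, and only when the connection comes from the trusted host.
# One account per administrator lets the log name the person (the
# accountability question under Users).
AllowUsers webadmin@192.0.2.10 pagepusher@192.0.2.10

# The session exists for page updates and spool pickup, nothing else.
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
MaxAuthTries 3

# VERBOSE records the fingerprint of the key that authenticated, which
# ties each login to one key even if an account is shared.
LogLevel VERBOSE
```

If the "SSH tunnel" of the policy is implemented with forwarded ports rather than scp/sftp, `AllowTcpForwarding` has to stay enabled for the account that does the transfer; everything else above still applies.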

13
Processes
  • Each process running in the system is a potential
    vulnerability. Why?
  • The web server system should run a minimum set of
    processes.
  • Web server process to serve web pages,
  • Commerce server to support commerce operations
  • SSH server
  • Login server
  • Any essential OS services
  • Unnecessary processes/services should be disabled.

14
Processes
  • Issues
  • Level of privileges assigned to each of the
    processes:
  • SSH server: sysadmin privileges
  • Login server: sysadmin privileges
  • Web server: minimal privileges to read the web
    pages, plus the privilege to invoke scripts
  • The scripts read web pages, write transaction
    data, and communicate with the DBMS
  • Commerce server: privileges to copy transaction
    files from the web server area to the transaction
    spooling area

15
Processes
  • Issues (cont.)
  • File access
  • File system access control lists (ACLs) should
    function effectively.
  • Be aware of the chroot system call in UNIX → a
    chroot jail by itself is not a security boundary:
    a process that keeps root privileges inside the
    jail, or that is not chdir'd into the new root,
    can break out and gain illegal access to the
    file system.
  • Inter-process communications
  • Processes should be able to communicate only
    through known, well-defined communication
    channels.

16
Files
  • Types of files
  • the web pages
  • Log files
  • Spooling area for the e-commerce transactions
  • Program and configuration files
  • The system programs and configuration files will
    not change. They can be stored on a CD-ROM (or
    other read-only media) to prevent alterations.
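Where the programs and configuration cannot all live on read-only media, the practical substitute is a baseline manifest of hashes checked from the trusted internal host. This is an added example (not code from the chapter): it snapshots a tree into a SHA-256 manifest and later reports modified, missing and unexpected files. The sample "system image" is constructed in a temporary directory; the file names and contents are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated relative path to the hex SHA-256 of the
// file's contents. It is generated before the system is exposed and kept
// off the web server, on the trusted internal host or read-only media.
type Manifest map[string]string

// Snapshot hashes every regular file under root.
func Snapshot(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil // directories, symlinks and devices are not hashed
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Verify compares the tree under root with a baseline and returns sorted
// findings: "modified: path", "missing: path" or "unexpected: path".
// An empty result means the tree matches the baseline exactly.
func Verify(baseline Manifest, root string) ([]string, error) {
	current, err := Snapshot(root)
	if err != nil {
		return nil, err
	}
	var findings []string
	for path, want := range baseline {
		got, ok := current[path]
		switch {
		case !ok:
			findings = append(findings, "missing: "+path)
		case got != want:
			findings = append(findings, "modified: "+path)
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			findings = append(findings, "unexpected: "+path)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// WriteTree creates files under root from a path->contents map; used here
// only to build the constructed sample image.
func WriteTree(root string, files map[string]string) error {
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "webimage")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	image := map[string]string{ // constructed stand-in for the system image
		"bin/httpd":           "ELF...httpd",
		"etc/httpd.conf":      "Listen 443\n",
		"etc/ssh/sshd_config": "PasswordAuthentication no\n",
	}
	if err := WriteTree(root, image); err != nil {
		panic(err)
	}
	baseline, err := Snapshot(root) // taken before the system goes into the DMZ
	if err != nil {
		panic(err)
	}
	// Later: an intruder edits the config and drops a binary.
	tampered := map[string]string{"etc/httpd.conf": "Listen 443\nLoadModule backdoor\n", "bin/sh2": "ELF..."}
	if err := WriteTree(root, tampered); err != nil {
		panic(err)
	}
	findings, err := Verify(baseline, root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

The checker is only as trustworthy as the host it runs on: run it, and keep the manifest, on the trusted internal side or on the same read-only media as the image, since a compromised web server can lie to a checker executed locally.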

17
Files
  • Questions
  • Should the CGI scripts be stored on the CD-ROM?
  • How about the web pages?
  • What files must be on a hard drive?
  • How often should the transaction data be
    transferred out of the web server?

18
Summary
  • The web server in the DMZ runs a minimal set of
    services.
  • Unalterable (read-only) media
  • The web server process must accept connections
    from any host on the Internet → public
    connections
  • The outer firewall can be configured to mitigate
    DoS attacks from the Internet.
  • Except for the web server process, the system
    accepts only enciphered, authenticated
    connections from a known, trusted host by known,
    trusted users → SSH connections

19
Summary (cont.)
  • The web server and other servers in the DMZ run
    with minimal privileges.
  • Unnecessary services and programs are removed
    from the system to prevent accidental running.
  • Direct communication between the web server and
    the backend servers is not allowed; a spooling
    area or proxy server is used for the two sides to
    transfer data.
  • Data collected by the web server (such as
    transaction files) are protected by encryption.
  • Administrative access to the web server is only
    allowed via the trusted host, with cryptographic
    authentication.

20
Next
  • Potential Research Areas
  • Network security
  • Web security
  • Wireless security
  • Web services security
  • . . .