Distributed computer security

Distributed Computer Security. 8320 Advanced Operating Systems - Section 8.1 Qiong Cheng Fall 2007. Outline. Characteristics in Robust Systems Security Threats Examples: Denial-of-Service Layered Approach for Defense Security Policy, Mechanism and Model


Distributed Computer Security

8320 Advanced Operating Systems - Section 8.1

Qiong Cheng

Fall 2007


Outline

  • Characteristics in Robust Systems

  • Security Threats

    • Examples: Denial-of-Service

  • Layered Approach for Defense

  • Security Policy, Mechanism and Model

    • Example: Enterprise Access Security Architecture

  • Security Issues in Distributed Systems


Distributed Computer Security

  • Security and Fault Tolerance

  • Robust System

    • Secrecy

      Protection from unauthorized disclosure of system objects

    • Integrity

      Only authorized users modify system objects

    • Availability

      Authorized users are not prevented from accessing respective objects

    • Reliability and Safety are fault-tolerant features


Security Threats

  • Interruption (availability)

    • Loss of data and denial of service

  • Interception

    • Related to secrecy

  • Modification and Fabrication are violations of system integrity


Threats from Web/Network

  • Client Side

    • What can the server do to the client?

      • Fool it

      • Install or run unauthorized software, inspect/alter files

  • Server Side

    • What can the client do to the server?

      • Bring it down (denial of service)

      • Gain access (break-in)

  • Network

    • Is anyone listening? (Sniffing)

    • Is the information genuine? Are the parties genuine?

Source : www.cse.sc.edu/~farkas/csce522-2003/lectures/csce522-lect22.ppt


Packet Sniffing (Network threat)

  • Every network interface card has a unique 48-bit media access control (MAC) address, e.g. 00:0D:84:F6:3A:10

    • 24 bits assigned by IEEE; 24 by card vendor

  • The network interface card allows only packets for this MAC address

  • The packet sniffer sets his card to promiscuous mode to allow all packets through

[Diagram labels: Packet Sniffer, Server, Client]
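The filter behaviour on this slide, together with a defender's check for interfaces left in promiscuous mode, as an added example that is not part of the original presentation. It assumes a Linux host where the interface flags are read as a hex string from /sys/class/net/<iface>/flags; the function names and the sample flag values are constructed for illustration.

```python
import re

IFF_PROMISC = 0x100                 # Linux interface flag bit for promiscuous mode
BROADCAST = "ff:ff:ff:ff:ff:ff"
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_mac(text):
    """Normalize a MAC and split it into (IEEE-assigned 24 bits, vendor 24 bits)."""
    mac = text.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return mac[:8], mac[9:]


def nic_accepts(frame_dst, nic_mac, promiscuous=False):
    """Model of the NIC filter: own address or broadcast, unless promiscuous."""
    dst = ":".join(parse_mac(frame_dst))
    own = ":".join(parse_mac(nic_mac))
    return promiscuous or dst == own or dst == BROADCAST


def is_promiscuous(flags_text):
    """True if a flags value such as '0x1103' has IFF_PROMISC set.

    Assumption: the value was read from /sys/class/net/<iface>/flags.
    """
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Return the interfaces an auditor should look at, sorted by name."""
    return sorted(i for i, f in flags_by_iface.items() if is_promiscuous(f))


# Constructed sample: eth0 is promiscuous, eth1 and lo are not.
SAMPLE_FLAGS = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}
```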


Network Security Problem

[Figure labels: removable media; remote location; user; modem + telephone; "backdoor" Internet connection; radio emissions; local area network; wireless user; Internet connection; ISP; remote user; vendors and subcontractors]

SOURCE: CERT


Sophistication v. Intruder Knowledge

SOURCE: CERT


Denial-of-Service

  • Attack to disable a machine (server) by making it unable to respond to requests

  • Use up resources

    • Bandwidth, swap space, RAM, hard disk

  • Some attacks yield millions of service requests per second


Ping Flooding

[Diagram labels: Attacking System(s), Internet, Victim System]

SOURCE: PETER SHIPLEY


Three-Way Handshake

  • 1: Send SYN seq=x

  • 2: Send SYN seq=y, ACK x+1

  • 3: Send ACK y+1

[Diagram: Client and Server exchanging SYN, SYN | ACK, ACK]

SOURCE: PETER SHIPLEY
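The three steps above replayed over packet records, as an added example that is not part of the original presentation. It checks the x+1 and y+1 acknowledgements, including 32-bit wraparound, and reports connections left half-open, which hold server resources until they time out. The addresses, record layout and function name are constructed for illustration.

```python
MOD = 2 ** 32                       # TCP sequence numbers are 32-bit and wrap
SERVER = "192.0.2.10:80"

# Constructed records: (src, dst, flags, seq, ack)
SAMPLE = [
    ("198.51.100.7:40001", SERVER, "SYN", 1000, 0),
    (SERVER, "198.51.100.7:40001", "SYN|ACK", 5000, 1001),
    ("198.51.100.7:40001", SERVER, "ACK", 1001, 5001),
    ("198.51.100.8:40002", SERVER, "SYN", 0xFFFFFFFF, 0),   # x wraps to 0
    (SERVER, "198.51.100.8:40002", "SYN|ACK", 7000, 0),     # never answered
    ("198.51.100.9:40003", SERVER, "ACK", 1, 1),            # no SYN seen
]


def track_handshakes(packets, server):
    """Return (established, half_open, invalid) for the given records.

    established: clients that completed step 3; half_open: clients stuck
    after step 1 or 2; invalid: records that do not fit the exchange.
    """
    pending = {}                    # client -> [x, y]; y is None until step 2
    established, invalid = set(), []
    for rec in packets:
        src, dst, flags, seq, ack = rec
        flags = frozenset(flags.split("|"))
        if flags == {"SYN"} and dst == server:              # step 1
            pending[src] = [seq, None]
        elif flags == {"SYN", "ACK"} and src == server:     # step 2
            state = pending.get(dst)
            if state and ack == (state[0] + 1) % MOD:
                state[1] = seq
            else:
                invalid.append(rec)
        elif flags == {"ACK"} and dst == server:            # step 3
            state = pending.get(src)
            if state and state[1] is not None and ack == (state[1] + 1) % MOD:
                established.add(src)
                del pending[src]
            else:
                invalid.append(rec)
        else:
            invalid.append(rec)
    return established, set(pending), invalid
```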


Smurf Attack

  • ICMP echo (spoofed source address of victim) sent to IP broadcast address

  • ICMP echo reply

  • 1 SYN, 10,000 SYN/ACKs -- victim is dead

  • Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack

  • ICMP = Internet Control Message Protocol

[Diagram labels: Perpetrator, Internet, Innocent Reflector Sites, Victim]

SOURCE: CISCO


Distributed Denial of Service Attack

  • Intruder sends commands to handlers

[Diagram labels: Intruder, Victim]

SOURCE: CERT


DDOS Attack

SOURCE: CERT




A Layered Approach for Defense

  • Data

    • Strong passwords, ACLs, backup and restore strategy

  • Application

    • Application hardening

  • Host

    • OS hardening, authentication, security update management, antivirus updates, auditing

  • Internal network

    • Network segments, NIDS

  • Perimeter

    • Firewalls, border routers, VPNs with quarantine procedures

  • Physical security

    • Guards, locks, tracking devices

  • Policies, procedures, and awareness

    • Security policies, procedures, and education

  • Increases an attacker’s risk of detection

  • Reduces an attacker’s chance of success


Security Policy

  • Access Control Policy

    • Describes how objects are accessed by subjects

  • Flow Control Policy

    • Regulates the information flow between objects and subjects

  • Subjects

    • Active entities that access objects

  • Objects

    • Passive entities that must be protected

    • Examples: data, hardware, software and communication links


Security Mechanism

  • Authentication

    • Verification

  • Authorization

    • Extending permission

  • Fault Tolerance

    • Sustaining faults

  • Encryption

    • Prevents exposure of information and maintains privacy

  • Auditing

    • Passive form of protection


Security Model

  • Discretionary

    • Provides separation of users and data

    • E.g. access control matrix

  • Mandatory

    • Requires access control of all subjects and objects under its control on a system-wide basis

    • E.g. multilevel security, all subjects and objects in the system are assigned a sensitivity label. The labels are used as the basis for mandatory access control decisions.
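The two models side by side, as an added example that is not part of the original presentation: an access control matrix for the discretionary case and sensitivity labels for the mandatory case. The subjects, objects and levels are constructed, and the label rule used (read at or below clearance, write at or above it, in the Bell-LaPadula style) is an assumption, since the slide names multilevel security without giving a rule set.

```python
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


# Discretionary: matrix[subject][object] -> rights; holders can extend them.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
    "bob": {"memo.txt": {"read", "write"}},
}

# Mandatory: system-wide sensitivity labels that subjects cannot change.
CLEARANCE = {"alice": Level.SECRET, "bob": Level.CONFIDENTIAL}
CLASSIFICATION = {"payroll.db": Level.SECRET, "memo.txt": Level.UNCLASSIFIED}


def dac_allows(subject, obj, right):
    """Access control matrix lookup; a missing cell means no rights."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def mac_allows(subject, obj, right):
    """Label comparison (assumed rule): no read up, no write down."""
    s, o = CLEARANCE[subject], CLASSIFICATION[obj]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def access(subject, obj, right):
    """Both checks must pass; the labels apply whatever the matrix says."""
    return dac_allows(subject, obj, right) and mac_allows(subject, obj, right)


def grant(owner, subject, obj, right):
    """DAC delegation: a holder passes a right on; labels stay untouched."""
    if not dac_allows(owner, obj, right):
        return False
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True
```

Granting bob read on payroll.db succeeds in the matrix, yet access is still denied because his label is below the object's.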


Firewall

  • A device placed between two networks or machines

    • All traffic in and out must pass through the firewall

    • Only authorized traffic is allowed to pass

    • The firewall itself is immune to penetration

[Diagram labels: Company Network, Firewall, Internet]

SOURCE: ADAM COLDWELL


Enterprise Access Security

[Figure labels: Internet Access; Remote Access; Enterprise Access; Authentication Server; Internet; Firewall; Enterprise Intranet; RAS; RSA Agents on the Mainframe, Web Server and UNIX hosts]

SOURCE: RSA


Security Issues in Distributed Systems

  • Interoperability and Transparency

    • Gives rise to security issues

  • Approaches to Implementing New Services

    • Add an additional layer of software that runs on top of the existing system to provide the new services

    • Redesign the system so that the new services can be executed more efficiently in the kernel mode


Comprehensive Consideration

  • Data

    • Strong passwords, ACLs, backup and restore strategy

  • Application

    • Application hardening

  • Host

    • OS hardening, authentication, security update management, antivirus updates, auditing

  • Internal network

    • Network segments, NIDS

  • Perimeter

    • Firewalls, border routers, VPNs with quarantine procedures

  • Physical security

    • Guards, locks, tracking devices

  • Policies, procedures, and awareness

    • Security policies, procedures, and education


References

1. http://www.owasp.org/index.php/Top_10_2007

2. www.cert.org

3. www.cse.sc.edu/~farkas/csce522-2003/lectures/csce522-lect22.ppt

4. Randy Chow, Theodore Johnson. Distributed Operating Systems and Algorithms, Addison-Wesley 1997

