Security for Large Computer Systems, Lecture 11
Outline
• Challenges in security
• Information value and risks
• Complexity of security
• Security and intrusion detection
• Security and prevention
Information and Network Security
Challenge
• Many new initiatives.
• Increasing variety and complexity of technology.
• Increasing integration of networks and applications.
• Poor visibility: “If you can’t foresee it, you will not be able to manage it.”
Risk and Security
• Risks arise from valuable assets residing in vulnerable systems being exposed to capable, motivated threats.
• Assets are getting more valuable.
• New vulnerabilities are constantly being discovered.
• Threat agents are becoming more capable.
• New software and hardware technology is added to the system.
• So … risks are increasing!
Complexity of Security (diagram): new service requirements (Wireless, Internet/Web, E-Commerce, VPNs) set against IT Design and IT Operations (Network Operations, Server Operations, Application Operations, Security Operations).
Security Lifecycle (diagram): a security policy drives a cycle of Prevention, Detection, Recovery and Response.
Good Practice
Security balance:
• People, Processes, Tools.
Continuous risk management:
• Risk assessments.
• Configuration management.
• Periodic security assessments.
Security – Layer Architecture
Three levels, from organizational security down to technical security:
• Organizational level
• Security architecture
• Low-level technical security architecture
Security Complexity and Defence Systems (diagram). Defence systems:
• Communications equipment (routers, wireless devices, etc.)
• Application security
• Segmented network
• Operating system security
• Firewalls and content scanning
• Malicious program (MP) protection
• Intrusion detection system
Security Complexity and Defence Systems
• In general, security can be enforced at the hardware and software levels; however, we should consider security at different sub-levels.
• Network communications equipment can play a role in securing the network.
• Segmenting the network can make its security more manageable.
• Firewalls may not do everything, and content scanning can reduce the risk.
• Intrusion detection systems should be considered a high priority.
• Malicious program protection can play an important role in the many systems that are vulnerable to attacks by malicious programs.
• Operating system security can prevent some serious internal attacks.
• Application security needs considerable attention due to the nature of its services.
Security Prevention – some guidelines
• Build a state-of-the-art malicious program detection system.
• Use host access control to limit who can access services.
• Limit trusted hosts.
• Use internal audit tools like COPS.
• Request a network security scan of new and reconfigured systems.
• Keep your system hardware, software and security up to date.
• Etc.
Security Prevention (e.g.)
Some examples of security prevention:
• Take special care when configuring:
  • NFS servers
  • FTP servers
  • Web servers
  • Mail servers
  • Etc.
• Don’t run them unless you must.
• Do not add unnecessary software that provides no, or only marginal, additional functionality.
• Think about security ahead of time when designing and implementing applications.
Security Prevention
• Using immutable and append-only mechanisms
  • Immutable files are files that cannot be modified while the computer is running
  • Append-only files are files to which data can be appended but whose existing data can’t be changed
• Using read-only storage for system files
  • A set of standard binary files can be put on servers and used by the rest of the system
Security Prevention (e.g.)
• Using immutable and append-only mechanisms
  • FreeBSD Unix (4.4) and NetBSD use this mechanism
  • System configuration files such as /etc/inetd.conf and the /etc/rc files can be made immutable
  • System log files should be made append-only
• Using read-only storage for system files
  • For medium and large organisations, such as banking computer systems, standard software should be stored on a few main servers and used by the rest of the system (e.g. client machines booting from the main servers).
Security Prevention
• Preventing modified files from executing (can be used for both prevention and detection):
  • Compare copies of the files to be monitored (1)
  • Monitor metadata about the items to be protected (2)
    • Monitor the modification times of entries as kept by the OS, and monitor logs or audit trails
  • Use some form of signature of the data to be monitored (3)
    • Periodically compute the signatures and compare them against stored values
Security Prevention
• (1) can be used not only to indicate that a change occurred but also to show what the change involved; however, it is expensive.
• (1) can be done using tools like bdiff.
• (2) uses a summary of the important characteristics of each file and directory.
• (2) can detect changes in the ownership and protection modes of files, which (1) can’t.
Security Prevention
• (1) and (2) are not strong enough to protect files from modification in some cases.
• (3) uses a message digest or digital signature.
  • Used for selected important files
  • Different algorithms can be used
  • Hard to defeat
  • However, it can be expensive
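Added example (not from the lecture): a minimal integrity checker that combines approach (2), metadata monitoring, with approach (3), a SHA-256 digest per file, and then shows why (2) is still needed next to (3). It runs on a constructed temporary directory; the file names, the tampering scenario and the attribute set are assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Attributes tracked per file: a SHA-256 digest (approach 3) plus the
# metadata approach 2 watches: permission bits, owner uid, modification time.
def snapshot(paths):
    baseline = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        baseline[p] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                       "uid": st.st_uid, "mtime_ns": st.st_mtime_ns}
    return baseline

def check(baseline):
    """Recompute the snapshot and report {path: [changed attributes]}.
    A file that disappeared is reported as ['missing']."""
    findings = {}
    for p, old in baseline.items():
        if not os.path.exists(p):
            findings[p] = ["missing"]
            continue
        new = snapshot([p])[p]
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings[p] = changed
    return findings

def demo():
    # Constructed scenario in a temporary directory (names only echo the
    # slide's /etc/inetd.conf and /etc/rc examples): one file gets a line
    # appended, one only has the setuid bit turned on, one is untouched.
    d = tempfile.mkdtemp()
    files = {n: os.path.join(d, n) for n in ("inetd.conf", "rc", "motd")}
    for p in files.values():
        with open(p, "w") as f:
            f.write("original\n")
    base = snapshot(files.values())
    with open(files["inetd.conf"], "a") as f:
        f.write("tampered\n")
    os.chmod(files["rc"], 0o4755)   # digest unchanged: only the metadata check sees this
    findings = check(base)
    return {n: findings.get(p, []) for n, p in files.items()}

if __name__ == "__main__":
    print(demo())
```

The mode-only change on `rc` is reported solely through the metadata attribute, which is the point made on the slide: a digest alone would have missed it.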
Intrusion Detection
• Intrusion detection analyses the “manifestation” of an attack (not the attack itself).
• It analyses actions performed by users and programs.
• It looks for evidence of malicious activities.
• It works with computer systems to generate data for analysis of normal and anomalous usage.
Challenges to Intrusion Detection
• Recognise malicious activities in the huge stream of events provided by network monitors and host auditing facilities.
  • There are so many activities and events!
• Detect intrusions in real time.
  • How can the system detect anomalies in time?
• Perform detection at different abstraction levels.
  • Computer systems are built from many abstract layers; should we perform detection at each layer?
• Correlate detection results within and across security domains.
  • Security is enforced differently in each domain; how can we correlate detection results?
• Integrate different systems so that different analysis techniques and data sources are covered.
• Deploy intrusion detection systems in different environments, taking into account the characteristics of the protected networks.
Intrusion Detection System (IDS) (diagram): components are the Event Provider (with input from other machines), Knowledge Base, Analysis Engine, Alert Database and Response Module.
Intrusion Detection System (IDS)
• Intrusion detection is the process of identifying and responding to malicious activity targeted at resources.
• An IDS is a system designed to test/analyse network traffic and system events against a given set of parameters and to alert or capture data when those thresholds are met.
• An IDS uses the collected information and a predefined knowledge base to reason about the possibility of an intrusion.
• An IDS also provides services to cope with an intrusion, such as raising alarms, activating programs that try to deal with the intrusion, etc.
Intrusion Detection Methods
• Knowledge-based: uses information about known attacks and looks for evidence that they are being exploited.
• Behaviour-based: uses information about the normal behaviour of the system it monitors and looks for deviations from the observed usage.
Knowledge-based Intrusion Detection
Knowledge-based IDS can be based on:
• Expert systems
• Signature analysis
• Petri nets
• State-transition analysis
Behaviour-based Intrusion Detection
Behaviour-based IDS can be based on:
• Statistics
• Expert systems
• Neural networks
Efficiency of an IDS
• Accuracy: the proper detection of attacks and the absence of false alarms
• Performance: the rate at which audit events are processed
• Completeness: the ability to detect all attacks
• Fault tolerance: resistance of the IDS itself to attacks
• Timeliness: the time elapsed between intrusion and detection
Some Simple Intrusion Detection Techniques
• Most intruders use some kind of attack tool, such as a rootkit, to break into a system.
• Rootkits modify system configuration files and binaries, which can be detected.
• Look for unusual actions by users:
  • Trying to rename files
  • Copying privileged files
  • Trying to delete system files
  • Trying to log in as superuser
  • Etc.
Some Simple Intrusion Detection Techniques
• Look for inconsistent behaviour of privileged programs:
  • ftpd trying to read system configuration files
  • passwd trying to write to a file in a user’s home directory
  • Etc.
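Added example (not from the lecture): a small rule-based checker that applies the heuristics of the two slides above to a constructed audit trail. The one-event-per-line format, the SYSTEM_DIRS and PRIVILEGED_FILES lists, and the alert labels are all assumptions made for the example.

```python
# Constructed audit trail (an assumption for this example, not a real
# auditd/BSM format): "<user> <program> <action> <path>", one event per line.
SAMPLE_AUDIT = """\
alice vi open /home/alice/notes.txt
alice cp open /etc/shadow
bob rm unlink /etc/inetd.conf
bob su login root
carol ftpd open /etc/passwd
carol passwd write /home/carol/.rhosts
dave mv rename /home/dave/draft.txt
dave mv rename /etc/hosts
"""

SYSTEM_DIRS = ("/etc/", "/bin/", "/sbin/", "/usr/")
PRIVILEGED_FILES = {"/etc/shadow", "/etc/passwd", "/etc/inetd.conf"}

def classify(line):
    """Return the alert labels one audit event triggers (empty list = benign)."""
    user, prog, action, path = line.split()
    alerts = []
    home = f"/home/{user}/"
    # Unusual actions by users (first slide); a rename inside the user's
    # own home directory is treated as normal.
    if action == "rename" and not path.startswith(home):
        alerts.append("rename-outside-home")
    if prog == "cp" and path in PRIVILEGED_FILES:
        alerts.append("copy-privileged-file")
    if action == "unlink" and path.startswith(SYSTEM_DIRS):
        alerts.append("delete-system-file")
    if action == "login" and path == "root":
        alerts.append("superuser-login")
    # Inconsistent behaviour of privileged programs (second slide)
    if prog == "ftpd" and path.startswith("/etc/"):
        alerts.append("ftpd-reads-config")
    if prog == "passwd" and action == "write" and path.startswith("/home/"):
        alerts.append("passwd-writes-home")
    return alerts

def scan(log_text):
    """Map each non-empty audit line to the alerts it raised."""
    return {ln: classify(ln) for ln in log_text.splitlines() if ln.strip()}

def alerts_by_user(log_text):
    """Count alerts per user so a noisy account stands out for review."""
    counts = {}
    for ln, alerts in scan(log_text).items():
        user = ln.split()[0]
        counts[user] = counts.get(user, 0) + len(alerts)
    return counts
```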
IDS (e.g.)
• Snort (http://www.snort.org)
• Cisco IDS (http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml)
Common Security Practice
• Define a security policy
• Implement what you define
• Make the policy known and enforce it
• Never put default installations into production
• Never allow a new service through your perimeter without analysing it
Common Security Practice (cont.)
• Review code and scripts before you use them
• Log important events, and routinely review what you’ve logged
• Learn how to gather evidence from audit/log data
• Learn how to obtain information from system and user events
Summary
• Risks are increasing, but can be managed (to a certain degree)
• Periodic assessments are a primary ingredient of risk management
• Security is a process that needs to be reviewed regularly
• Security spans several logical and technical levels and is best implemented in layers
• Security involves IT management, IT design, IT operations and new IT services
• Keeping knowledge up to date is critical in security
• Prevention and detection systems are critical in modern network security, since networked computer systems are becoming more and more complex.