Ch12: Electronic Mail Security - PowerPoint PPT Presentation

1 / 45
About This Presentation
Title:

Ch12: Electronic Mail Security

Description:

Internet connectivity. Consisting of various premises networks all hook into the Internet ... Internet connectivity is no longer an option for most organizations ... – PowerPoint PPT presentation

Number of Views:92
Avg rating:3.0/5.0
Slides: 46
Provided by: hyo5
Category:

less

Transcript and Presenter's Notes

Title: Ch12: Electronic Mail Security


1
Firewalls
2
Outline
  • Firewall design principles
  • Firewall characteristics
  • Types of firewalls
  • Firewall configurations
  • Trusted systems
  • Data access control
  • The concept of trusted systems
  • Trojan horse defense

3
Firewalls
  • Effective means of protecting a local system or
    network of systems from network-based security
    threats while affording access to the outside
    world via WANs or the Internet

4
Firewall Design Principles
  • Evolution of information systems
  • Centralized system
  • A central mainframe directly connected
    terminals
  • LAN
  • Interconnecting PCs, servers, terminals
    mainframe
  • Premises network
  • Consisting of LANs
  • Enterprise-wide network
  • Consisting of distributed premises networks
    interconnected by a private WAN
  • Internet connectivity
  • Consisting of various premises networks all hook
    into the Internet

5
Firewall Design Principles
  • Internet firewalls
  • Internet connectivity is no longer an option for
    most organizations
  • Strong security features for all workstations and
    servers not established (not practical)
  • The firewall is inserted between the premises
    network and the Internet to establish a
    controlled link
  • Aims of firewall
  • Protecting the premises network from
    Internet-based attacks
  • Providing a single choke point (where security
    audit can be imposed)

6
Firewall Characteristics
  • Design goals
  • All traffic from inside to outside, and vice
    versa, must pass through the firewall (physically
    blocking all access to the local network except
    via the firewall)
  • Only authorized traffic (defined by the local
    security police) will be allowed to pass
  • The firewall itself is immune to penetration (use
    of trusted system with a secure operating system)

7
Firewall Characteristics
  • General techniques
  • Service control
  • Determines the types of Internet services that
    can be accessed, inbound or outbound (filtering
    with IP address service port , e.g. Web or
    email service)
  • Direction control
  • Determines the direction in which particular
    service requests are allowed to flow thru the
    firewall
  • User control
  • Controls access to a service according to which
    user is attempting to access it (both local users
    and external users)
  • Behavior control
  • Controls how particular services are used (e.g.
    filtering e-mail to eliminate spam)

8
Firewall Characteristics
  • Firewall capabilities
  • Defines a single choke point (security
    capabilities are consolidated on a single system)
  • Provides a location for monitoring
    security-related events (auditing alarming)
  • Provides convenient platform for some Internet
    functions (e.g. address translation, logging
    Internet usage)
  • Can serves as the platform for IPSec (used to
    implement VPN)
  • Firewall limitations
  • Cannot protect against attacks that bypass it
    (e.g. dial-up access)
  • Does not protect against internal threats (e.g. a
    disgruntled employee)
  • Cannot protect against the transfer of
    virus-infected programs or files (because various
    OS applications are supported inside, it is
    impractical to scan all incoming files, emails,
    etc)

9
Types of Firewalls
  • Three common types of firewalls
  • Packet-filtering routers
  • Application-level gateways
  • Circuit-level gateways
  • Bastion host

10
Packet-Filtering Router
  • Filtering by rules
  • Applies a set of rules to each IP packet and then
    forwards or discards the packet (in both
    directions)
  • The packet filter is typically set up as a list
    of rules based on matches to fields in the IP or
    transport (TCP or UDP) header
  • If a match to a rule is found, the rule is
    invoked
  • If no match is found, a default policy is taken
  • Default policies
  • Discard Discard, if not expressly permitted
    (tradeoff ease of use?, security?)
  • Forward Forward, if not expressly prohibited
    (tradeoff ease of use?, security?)

11
Packet-Filtering Router
  • Example A Inbound mail is allowed, but only to
    a gateway host. However, mail from host SPIGOT is
    blocked.
  • Example B Explicit statement of the default
    policy.
  • Example C Any inside host can send mail to the
    outside. The problem with this rule is that the
    use of port 25 for SMTP receipt is only a
    default.

12
Packet-Filtering Router
  • Example D This rule set achieves the intended
    result that was not achieved in C taking
    advantage of a feature of TCP connections (ACK
    flag of a TCP segment).
  • Example E This rule set is one approach to
    handling FTP-like services with two connections
    (using control connection port and data
    connection port). The 3rd rule allows packets
    destined for a high-numbered port (nonservers) on
    an internal machine.

13
Packet-Filtering Router
  • Advantages
  • Simplicity
  • Transparency to users
  • High speed
  • Disadvantages
  • Difficulty of dealing with applications at the
    packet-filtering level
  • Difficulty of setting up packet filter rules
    correctly
  • Lack of Authentication

14
Packet-Filtering Router
  • Possible attacks vs. countermeasures
  • IP address spoofing
  • The attacker replaces source address of packets
    with an address of trusted internal host
  • ? Discards packets with an inside source address
    if the packet arrives on an external interface
  • Source routing attacks
  • The source station specifies the route that a
    packet should take as it crosses the Internet (in
    the hope that this will bypass security measures)
  • ? Discards all packets that use the source route
    option
  • Tiny fragment attacks
  • The intruder uses IP fragmentation option to
    create extremely small fragments and force the
    TCP header information into a separate packet
    fragment (in the hope that only the first
    fragment is examined and the remaining are passed
    thru).
  • ? Discards all packets where the protocol type
    is TCP and the IP Fragment Offset is equal to 1

15
Application-Level Gateway
  • Also called a proxy server
  • Acts as a relay of application-level traffic
  • If the gateway does not implement the proxy code
    for a specific application, the service is not
    supported
  • The gateway can be configured to support only
    application-specific features
  • Authentication the user is asked for the name
    of the remote host, valid user ID and
    authentication information

16
Application-Level Gateway
  • Advantages
  • More secure than packet filters
  • Only need to scrutinize a few allowable
    applications (rather than trying to deal with the
    numerous possible combinations that are to be
    allowed and forbidden at the TCP and IP level)
  • Easy to log and audit all incoming traffic at the
    application level
  • Disadvantages
  • Additional processing overhead on each connection
    (as the splice point, the gateway must examine
    and forward all traffic in both directions)

17
Circuit-Level Gateway
  • Types of circuit-level gateway
  • A stand-alone system
  • A specialized function performed by an
    application-level gateway
  • Security function
  • The gateway relays TCP segments without examining
    the contents
  • The gateway determines which connections will be
    allowed

18
Circuit-Level Gateway
  • Use of circuit-level gateway
  • A situation in which the system admin trusts the
    internal users
  • The gateway can be configured to support
  • Application-level or proxy service on inbound
    connections
  • ? incurs examining overhead for incoming
    application data for forbidden functions
  • Circuit-level functions for outbound connections
  • ? does not incur overhead on outgoing data

19
Circuit-Level Gateway
  • Example implementation SOCKS package
  • Defined in RFC 1928 (SOCKS version 5)
  • SOCKS components
  • The SOCKS server (runs on UNIX-based firewall)
  • The SOCKS client library (runs on internal hosts)
  • SOSKS-ified versions of several client (such as
    FTP and TELNET)
  • SOCKS procedures
  • The client opens a TCP connection to the SOCKS
    port (TCP 1080) on the SOCKS server
  • The client performs authentication with
    negotiated method
  • The client sends a relay request
  • After evaluating the request, the SOCKS server
    either establishes the connection or denies it

20
Bastion Host
  • A system identified by the firewall administrator
    as a critical strong point in the networks
    security
  • It serves as a platform for an application-level
    or circuit-level gateway

21
Bastion Host
  • Common characteristics
  • A trusted system with secure OS
  • Only the services considered essential are
    installed
  • Additional authentication required to access the
    proxy service
  • Each proxy is configured to support only a subset
    of the standard applications command set
  • Each proxy is configured to allow access only to
    specific hosts
  • Each proxy maintains detailed audit information
  • Each proxy module is a very small SW package
    specifically designed for network security
  • Each proxy is independent of other proxies
  • A proxy generally performs no disk access other
    than to read its initial configuration file
  • Each proxy runs as a nonprivileged user in a
    private and secured directory

22
Firewall Configurations
  • In addition to the use of simple configuration of
    a single system (single packet filtering router
    or single gateway), more complex configurations
    are possible
  • Three common configurations
  • Screened host firewall with single-homed bastion
  • Screened host firewall with dual-homed bastion
  • Screened subnet firewall

23
Screened Host Firewall, Single-Homed Bastion
  • Consists of two systems
  • A packet-filtering router
  • Configured so that only packets from and to the
    bastion host are allowed to pass thru
  • A bastion host
  • Performs authentication and proxy functions

24
Screened Host Firewall, Single-Homed Bastion
  • Advantages
  • Greater security than single configurations
  • This configuration implements both packet-level
    and application-level filtering (allowing for
    flexibility in defining security policy)
  • An intruder must generally penetrate two separate
    systems
  • Flexibility in providing direct Internet access
  • For public information server (such as a Web
    server), the router can be configured to allow
    direct traffic from the Internet
  • Disadvantages
  • If the router is completely compromised, traffic
    could flow directly thru the router between the
    Internet and the private network

25
Screened Host Firewall, Dual-Homed Bastion
  • Physically prevents security breach of the
    previous configuration
  • Traffic between the Internet and other hosts on
    the private network has to flow through the
    bastion host
  • The advantages of the previous configuration are
    present here as well

26
Screened Subnet Firewall
  • The most secure configuration of the three
  • Two packet-filtering routers are used (creation
    of an isolated subnet)
  • Advantages
  • Three levels of defense to thwart intruders
  • The outside router advertises only the existence
    of the screened subnet to the Internet (internal
    network is invisible to the Internet)
  • The inside router advertises only the existence
    of the screened subnet to the internal network
    (the systems on the inside network cannot
    construct direct routes to the Internet)

27
Trusted Systems
  • One way to enhance the ability of a system to
    defend against intruders and malicious programs
    is to implement trusted system technology

28
Data Access Control
  • Access control by OS
  • Through the user access control procedure (log
    on), a user can be identified to the system
  • Associated with each user, there can be a profile
    that specifies permissible operations and file
    accesses
  • The operating system can enforce rules based on
    the user profile (and may grant a user permission
    to access a file or use an application, no
    further security checks)
  • Access control by DBMS
  • Previous scheme is not sufficient for a system
    including sensitive data in its database
  • The DBMS must control access to specific records
    or even portions of records in the database

29
Data Access Control
  • Access control models
  • Access matrix
  • Access control list
  • Capability list (Capability tickets)

30
Access Matrix
  • A general model of access control
  • Basic elements
  • Subject An entity capable of accessing objects
    (generally a process representing any user or
    application that gains access to an object)
  • Object Anything to which access is controlled
    (e.g. files, portions of files, programs and
    segments of memory)
  • Access right The way in which an object is
    accessed by a subject (e.g. read, write and
    execute)

31
Access Control List
  • Decomposition of the access matrix by columns
  • An access control list lists users (processes)
    and their permitted access rights
  • The list may contain a default or public entry
    defines default set of rights)

32
Capability List
  • Decomposition of the access matrix by rows
  • A capability list (ticket) specifies authorized
    objects and operations for a user (process)
  • Each user has a number of tickets and may be
    authorized to loan or give them to others
  • Management of tickets
  • Tickets may be dispersed around the system ?
    great security problem
  • The ticket must be unforgeable
  • A solution the OS holds all tickets in a region
    of memory inaccessible to users

33
The Concept of Trusted Systems
  • Multilevel security
  • Definition of multiple categories or levels of
    data
  • Commonly found in the military (information
    category unclassified, confidential, secret,
    top secret)
  • A subject at a high level may not convey
    information to a subject at a lower level or
    noncomparable level unless that flow accurately
    reflects the will of an authorized user
  • Two rules of multilevel security
  • No read up a subject can only read an object of
    less or equal security level (simple security
    property)
  • No write down a subject can only write into an
    object of greater or equal security level
    (-Property)

34
The Concept of Trusted Systems
  • Reference monitor concept
  • Multilevel security for a data processing system

35
The Concept of Trusted Systems
  • Reference monitor
  • Controlling element in the HW and OS of a
    computer that regulates the access of subjects to
    objects on basis of security parameters
  • Accesses security kernel database
  • Enforces the security rules (no read up no
    write down)
  • Security kernel database
  • A file that lists
  • Security clearance the access privileges of
    each subject
  • Classification level the protection attributes
    of each object
  • Audit file
  • Stores important security events such as
  • Detected security violations
  • Authorized changes to the security kernel database

36
The Concept of Trusted Systems
  • Reference monitor properties
  • Complete mediation the security rules are
    enforced on every access
  • Every access to data in memory, disk and tape
    must be mediated
  • Pure SW implementation too high performance
    penalty
  • Isolation the reference monitor and database
    are protected from unauthorized modification
  • It must not be possible for an attacker to change
    the logic of the reference monitor or the
    contents of the security kernel database
  • Verifiability the reference monitors
    correctness must be provable
  • It must be possible to demonstrate mathematically
    that the reference monitor enforces the security
    rules and provides complete mediation and
    isolation

37
The Concept of Trusted Systems
  • Trusted system
  • A system that can provide such verification
  • The Commercial Product Evaluation Program
  • The Computer Security Center (within the NSA)
    evaluates commercially available products as
    meeting the security requirement
  • The center classifies evaluated products
    according to the range of security features
  • The evaluations are needed for DoD procurements
    but are published and freely available
  • The evaluations can serve as guidance to
    customers for the purchase of commercial
    equipment

38
Trojan Horse Defense
  • Trojan horse attack

RW
RW
39
Trojan Horse Defense
  • Secure, trusted operating systems
  • One way to secure against Trojan Horse attacks

RW
RW
  • Security level assignment
  • Bob and Bobs data file Sensitive (higher)
  • Alice and Alices data file Public (lower)
  • When the Trojan horse program attempts to store
    the string in the Back-pocket file
  • -Property (no write down rule) is violated
  • The attempt is disallowed by the reference
    monitor

40
Appendix A1 Firewall Products
PS (Proxy Service) / FW (Firewall)
41
Appendix A2 LINUX Firewall
  • Original IP firewall (2.0 kernels) configuration

Categories -I Input rule -O Output rule
-F Forwarding rule Commands -a
policy Append a new rule -i
policy Insert a new rule -d
policy Delete an existing rule -p
policy Set the default policy -l List all
existing rules -f Flush all existing
rules Policies accept Allows matching
datagrams to be received, forwarded, or
transmitted deny Blocks matching datagrams
from being received, forwarded, or transmitted
reject Blocks matching datagrams from being
received, forwarded, or transmitted, and sends
ICMP error message Parameters -P
protocol Can be TCP, UDP, ICMP, or all (-P
tcp) -S address/mask port Source IP
address that this rule will match (-S
172.29.16.1/24 ftpftp-data) -D address/mask
port Specify the destination IP address that
this rule will match (-D 172.29.16.1/24 smtp)
-V address Specify the address of the network
interface on which the packet is received (-I) or
is being sent (-O) (-V 172.29.16.1) -W
name Specify the name of the network interface
(-W ppp0) Options -b This is used for
bidirectional mode -o This enables logging of
matching datagrams to the kernel log -y This
is used to match TCP connect datagrams
-k This is used to match TCP acknowledgement
datagrams
42
Appendix A2 LINUX Firewall
  • Example command
  • We want our internal network users to be able to
    log into FTP servers on the Internet to read and
    write files. But we don't want people on the
    Internet to be able to log into our FTP servers.
  • We know that FTP uses two TCP ports
  • Port 20 ftp-data
  • Port 21 ftp

43
Appendix A2 LINUX Firewall
  • Firewall configuration script

The TCP services we wish to allow to pass - ""
empty means all ports note space
separated TCPIN"smtp www" TCPOUT"smtp www ftp
ftp-data irc" The UDP services we wish to
allow to pass - "" empty means all ports note
space separated UDPIN"domain" UDPOUT"domain"
The ICMP services we wish to allow to pass - ""
empty means all types ref /usr/include/netinet/
ip_icmp.h for type numbers note space
separated ICMPIN"0 3 11" ICMPOUT"8 3 11"
Logging uncomment the following line to enable
logging of datagrams that are blocked by the
firewall. LOGGING1
!/bin/bash
IPFWADM
VERSION This sample configuration is for a
single host firewall configuration with no
services supported by the firewall machine
itself.
USER CONFIGURABLE
SECTION The name and location of the ipfwadm
utility. Use ipfwadm-wrapper for 2.2.
kernels. IPFWADMipfwadm The path to the
ipfwadm executable. PATH"/sbin" Our internal
network address space and its supporting network
device. OURNET"172.29.16.0/24" OURBCAST"172.29.1
6.255" OURDEV"eth0" The outside address and
the network device that supports
it. ANYADDR"0/0" ANYDEV"eth1"
44
Appendix A2 LINUX Firewall
  • Firewall configuration script (contd)

UDP - INCOMING We will allow UDP datagrams in
on the allowed ports. IPFWADM -I -a accept -P
udp -W ANYDEV -D OURNET UDPIN UDP -
OUTGOING We will allow UDP datagrams out on the
allowed ports. IPFWADM -I -a accept -P udp -W
OURDEV -D ANYADDR UDPOUT ICMP - INCOMING
We will allow ICMP datagrams in of the allowed
types. IPFWADM -I -a accept -P icmp -W ANYDEV
-D OURNET UDPIN ICMP - OUTGOING We will
allow ICMP datagrams out of the allowed
types. IPFWADM -I -a accept -P icmp -W OURDEV
-D ANYADDR UDPOUT DEFAULT and LOGGING All
remaining datagrams fall through to the default
rule and are dropped. They will be logged if
you've configured the LOGGING variable
above. if "LOGGING" then Log barred
TCP IPFWADM -I -a reject -P tcp -o Log
barred UDP IPFWADM -I -a reject -P udp -o
Log barred ICMP IPFWADM -I -a reject -P icmp
-o fi end.
END USER CONFIGURABLE SECTION

Flush the Incoming table rules IPFWADM -I -f
We want to deny incoming access by
default. IPFWADM -I -p deny SPOOFING We
should not accept any datagrams with a source
address matching ours from the outside, so we
deny them. IPFWADM -I -a deny -S OURNET -W
ANYDEV SMURF Disallow ICMP to our broadcast
address to prevent "Smurf" style attack. IPFWADM
-I -a deny -P icmp -W ANYDEV -D OURBCAST
TCP We will accept all TCP datagrams belonging
to an existing connection (i.e. having the ACK
bit set) for the TCP ports we're allowing
through. This should catch more than 95 of
all valid TCP packets. IPFWADM -I -a accept -P
tcp -D OURNET TCPIN -k -b TCP - INCOMING
CONNECTIONS We will accept connection requests
from the outside only on the allowed TCP
ports. IPFWADM -I -a accept -P tcp -W ANYDEV -D
OURNET TCPIN -y TCP - OUTGOING CONNECTIONS
We accept all outgoing tcp connection requests on
allowed TCP ports. IPFWADM -I -a accept -P tcp
-W OURDEV -D ANYADDR TCPOUT -y
45
Appendix B TCSEC
  • TCSEC (Trusted Computer System Evaluation
    Criteria)
  • Published 1985 by DoD
  • Orange Book (DoD 5200.28-STD)
  • Defines 7 levels of security
  • D, C1, C2, B1, B2, B3, A1
  • Basis of
  • ITSEC (Information Technology Security Evaluation
    Criteria), EU
  • CTCPEC (Canadian Trusted Computer Product
    Evaluation Criteria), Canada
  • CC (Common Criteria)
  • ISO standard (ISO 15408)
  • Based on TCSEC, ITSEC and CTCPEC
  • TNI (Trusted Network Interpretation of TCSEC)
  • Published 1987
  • Red Book (part 1 2)
Write a Comment
User Comments (0)
About PowerShow.com