System Structure. Steven M. Bellovin December 14,

Similar documents
Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Architecture. Steven M. Bellovin October 31,

Analyzing Systems. Steven M. Bellovin November 26,

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Web Servers and Security

Web Servers and Security

The Internet of Things. Steven M. Bellovin November 24,

Architecture. Steven M. Bellovin October 27,

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

10 Hidden IT Risks That Might Threaten Your Business

Teradata and Protegrity High-Value Protection for High-Value Data

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

What every attorney should know about E-security Also, ESI

Moving Application Security into the Network

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

How to Build a Culture of Security

Get started with ReVirt

The poor state of SIP endpoint security

The Problem with Privileged Users

Keys and Passwords. Steven M. Bellovin October 17,

Securing Access to Network Devices

LEARN READ ON TO MORE ABOUT:

RouterCheck Installation and Usage

P2_L12 Web Security Page 1

Cyber security tips and self-assessment for business

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras

CtrlS Datacenters Placement Questions And Answers

50+ Incident Response Preparedness Checklist Items.

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

CSci530 Final Exam. Fall 2011

Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

A Technical Overview of the Lucent Managed Firewall

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

CE Advanced Network Security

Figure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues

Rethinking Authentication. Steven M. Bellovin

Are You Avoiding These Top 10 File Transfer Risks?

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Network Security - ISA 656 Routing Security

SECURITY. The changing Face and Focus. UPDATED - May Sr. Advisor/Partner at PostMark 21 years in corporate IT P&G and RJ Reynolds

Web Security. Outline

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Oracle Database Security - Top Things You Could & Should Be Doing Differently

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

The Eight Rules of Security

5 IT security hot topics How safe are you?

IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN PICHMAN EVOLVE PROJECT

Cyber Crime Seminar. No Victim Too Small Why Small Businesses Are Low Hanging Fruit

Security Edge Filter For Lync Server 2013, 2010 and Office Communications Server 2007 R2

Exam: : VPN/Security. Ver :

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Hosted Testing and Grading

NETWORK THREATS DEMAN

Top 10 Considerations for Securing Private Clouds

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Network Security - ISA 656 Routing Security

QuickBooks Online Security White Paper July 2017

On the Internet, nobody knows you re a dog.

Disk Encryption Buyers Guide

The security challenge in a mobile world

Securing trust in electronic supply chains

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Registry Vulnerabilities An Overview

Exposing The Misuse of The Foundation of Online Security

Secure Remote Access And Password Management

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

A General Review of Key Security Strategies

Secure Access & SWIFT Customer Security Controls Framework

Security. 1 Introduction. Alex S. 1.1 Authentication

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Security Solutions. Overview. Business Needs

EVERYTHING YOU NEED TO KNOW ABOUT NETWORK FAILOVER

2 Me. 3 The Problem. Speaker. Company. Ed Breay Sr. Sales Engineer, Hitachi ID Systems.

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

ON-LINE EXPERT SUPPORT THROUGH VPN ACCESS

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Case Study: Access Control. Steven M. Bellovin October 4,

Solutions Business Manager Web Application Security Assessment

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

How to Choose a CDN. Improve Website Performance and User Experience. Imperva, Inc All Rights Reserved

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

ON SCHEDULE TERMS AND CONDITIONS (September 23rd 2018)

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

Duration: 5 Days Course Code: M20764 Version: B Delivery Method: Elearning (Self-paced)

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Top considerations for implementing secure backup and recovery. A best practice whitepaper by Zmanda

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

6 Tips to Help You Improve Configuration Management. by Stuart Rance

Modern IP Communication bears risks

Network Security - ISA 656 Intro to Firewalls

Cybersecurity and Communications Based Train Control

Transcription:

System Structure Steven M. Bellovin December 14, 2015 1

Designing a System We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin December 14, 2015 2

Some of Our Tools Encryption Authentication mechanisms Access control mechanisms Confinement mechanisms Lots of computers hardware is relatively cheap Steven M. Bellovin December 14, 2015 3

What Should We Build? Let s build a large e-commerce site Lots of machines Lots of processes Steven M. Bellovin December 14, 2015 4

What Are the Pieces? Web server itself A replicated web server, for load-sharing and reliability Databases Firewalls (well, we haven t covered those) Steven M. Bellovin December 14, 2015 5

More Pieces Customer care Mail servers Links to suppliers, banks, shipping companies, etc. NOC System adminstrators Webmasters Development machines Steven M. Bellovin December 14, 2015 6

Developer access Even More Pieces Tier N customer care often your top developers Backup servers Geographically diverse machines? Environmental control systems air conditioning, power, backup generators Console servers Personnel machines (stay tuned) DNS servers KDC and/or CA Probably a lot more Steven M. Bellovin December 14, 2015 7

How Do We Connect These? First which pieces go on separate machines? Does that even matter? Yes... Steven M. Bellovin December 14, 2015 8

A Real-World Example I looked at the internal documentation for a billing system Four different databases 18 other processing elements Transaction and web inputs; external link to credit card processor Steven M. Bellovin December 14, 2015 9

The Web Server Complex ISP ISP Router Router Inverse Proxy/ Load Balancer Inverse Proxy/ Load Balancer Router Router Web Server Web Server Web Server Database Database Database Database Routers To Back Ends Steven M. Bellovin December 14, 2015 10

Why So Complex? Availability primarily against ordinary failures Everything is replicated: routers, links, Ethernets, servers, etc. The only security feature of the redundancy is some protection against DDoS attacks if your two routers connect to different ISPs Steven M. Bellovin December 14, 2015 11

Other Security Functionality The inverse proxies are effectively firewalls they only pass ports 80 and 443 The database servers are not accessible from the outside you have to hack through a web server to get any access at all Steven M. Bellovin December 14, 2015 12

What are the Danger Points? How are these devices managed? How does the NOC talk to the routers? How is software upgraded on the Web servers? Something is missing The link to the back-end systems how is that protected? Steven M. Bellovin December 14, 2015 13

Managing the Network Elements Some NOC machine has to be able to talk to the network elements The top ( north ) routers and the inverse proxies are exposed to the public Internet Must use strong cryptographic authentication Add network access control to limit sites that can talk to them What about the middle routers? Does the inverse proxy permit access to them? That s a slight weakening of the firewall functionality Are they reached from the north LANs? Does that weaken the protection of the database servers? Steven M. Bellovin December 14, 2015 14

How Many NOCs? The NOC really needs to see all network elements To talk to the south and middle routers, it has to be on the inside To talk to the north routers, it has to be able to reach the outside Some problems are most easily diagnosed if you have the ability to connect to all of the elements Conclusion: we need a special firewall for the NOC machines Steven M. Bellovin December 14, 2015 15

What are Our Goals? The usual trilogy: confidentiality, integrity, availability Ah but what resources need what type of security? What are the consequences of failures? Steven M. Bellovin December 14, 2015 16

If the Web Server is Hacked... Embarrassment see, for example, http://www.zone-h.org/archive Passwords from active users Access to the database machines? Passwords for your userbase are stored in a database Steven M. Bellovin December 14, 2015 17

How to Protect Web Servers? Use strategies already discussed Major advantage these are dedicated machines, with no ordinary users Can we use separate UIDs? Steven M. Bellovin December 14, 2015 18

Separate UIDs on the Web Server In general, it s a good idea Principle of least privilege protect different functions from each other Example: login CGI script runs as a different user than the browsing CGIs, to protect the user password database Often harder than it seems functions interact a lot Steven M. Bellovin December 14, 2015 19

Should We Chroot the Web Server? What do we protect if we do that? The rest of the system? Maybe but there s nothing else on the system It doesn t hurt, but it isn t that big a help This machine is a web server appliance Steven M. Bellovin December 14, 2015 20

The Database Machines These are the crown jewels of the company If the database is tampered with, very bad things can happen, including loss of lots of money How are the database machines attacked? Hacking attack first the web server falls, then the database machine Database queries and changes the web servers have access to the database; therefore, the hackers on that machine do, too SQL injection attacks through the web server Steven M. Bellovin December 14, 2015 21

Databases for a Simple Configuration User information: login, password, credit card numbers, shipping and billing addresses, etc. Orders: active orders, past orders, etc. Inventory: stock on hand, prices, etc. Steven M. Bellovin December 14, 2015 22

Hacking Attacks This is nothing special it s just another machine to lock down The database machine runs very different software than the web server does; probably no common mode failures Not a major threat but don t forget to lock it down Steven M. Bellovin December 14, 2015 23

Database Query Attacks The web server can perform lots of database operations How do we stop the hacker from doing them? Answer: have the customer log in to the database! That is, all customer-type operations must be accompanied by a customer-specific authenticator A compromised web server machine can only modify database records for active users Steven M. Bellovin December 14, 2015 24

More Generally Let s adjust the control and information flow Only let the web server write what it has to Thus: the user database creates the order, not the web server Why? Because the web server is much more exposed and hence vulnerable Steven M. Bellovin December 14, 2015 25

What About the Inventory Database? When a customer buys something, the inventory needs to be adjusted That isn t customer-specific how do we secure that database? Use a separate database and database machine for orders; the order database can adjust the inventory Put sanity-checking and customer limit enforcement into that machine, too (This is an oversimplification; the shipping database also needs to adjust the inventory in may situations) Steven M. Bellovin December 14, 2015 26

Information Flow Among the Databases Web Server Encryption User Information Orders Inventory Bank Arrows show direction of information flow Steven M. Bellovin December 14, 2015 27

Protecting Information The databases will only reveal certain information to certain other machines Example: credit card numbers are not readable by the web server or even the order server. The web server can tell the user information machine to send a debit message to the bank Steven M. Bellovin December 14, 2015 28

What About a Small Site? Divide the functions up the same way Use chroot() and equivalent to isolate the different components We are using chroot() here as a weaker version of separate machines Steven M. Bellovin December 14, 2015 29

The Biggest Weakness? ISP ISP Router Router Inverse Proxy/ Load Balancer Inverse Proxy/ Load Balancer Router Router Web Server Web Server Web Server Database Database Database Database Routers To Back Ends Steven M. Bellovin December 14, 2015 30

That Link to the Back End The link in the southeast to back-end systems is the most dangerous part of the diagram What is the protection from the rest of the company? What essential functions are there? Steven M. Bellovin December 14, 2015 31

Two Major Classes Normal operations Unusual circumstances Steven M. Bellovin December 14, 2015 32

Normal Operations Customer care Outside links Mail servers These go on a LAN with reasonable access to the server complex customer care, for example, has to be able to read and write several databases Steven M. Bellovin December 14, 2015 33

Protecting Us from Customer Care What do we do about a rogue customer care agent? Prevent access to some kinds of information (i.e., credit card numbers) Log everything; audit periodically Route all requests through a logging proxy This call may be monitored for quality assurance purposes Steven M. Bellovin December 14, 2015 34

Isolating Customer Care Customer care is often outsourced or done from home How do you protect home computers? Supply agents with locked-down laptops Use a VPN and firewall that go only to the customer care proxy/logging machine Be ready to ship replacement machines in case of trouble Steven M. Bellovin December 14, 2015 35

Outsourced Functions Many other functions might be outsourced If there are interconnections, you can be attacked that way According to press reports, Target was hacked via their HVAC contractor Isolate the networks Use enclaves with proxies and logging Steven M. Bellovin December 14, 2015 36

Enclaves VPN to Partner Master Database Proxy Log File Steven M. Bellovin December 14, 2015 37

Unusual Circumstances Maintenance Problem recovery Out-of-hours emergencies Put a gateway between these functions and the server complex Steven M. Bellovin December 14, 2015 38

Maintenance On a production system, maintenance is a scheduled activity This means that access controls can be relaxed during that window only Be careful about relaxing the controls only to the extent necessary Steven M. Bellovin December 14, 2015 39

Problem Recovery Problem don t occur on a nice, neat schedule Often, development staff has to do the repairs How do we mediate access? Steven M. Bellovin December 14, 2015 40

Remote Access Often, development staff has to do the repairs at night, from home Sometimes, the development staff is in another country We can t institute a physical access only rule; it s not realistic Steven M. Bellovin December 14, 2015 41

Two Types of Access VPN access to the site (This may be normal anyway.) (Does your answer change if you use an off-site hosting company?) Authenticated access to the server complex Steven M. Bellovin December 14, 2015 42

Forms of Authentication What types of authentication should be used? Differs by function The NOC can t use anything that requires access to external servers; they have to talk when the network isn t working well Customer care agents can use more or less anything to log in to their machines but their machines would have credentials to permit database access Scheduled maintenance can use anything, but something secure should be used to relax access controls Emergency maintenance personnel need cryptographic keys for the VPN, and something secure a token? to get to the server complex. Note, of course, that the server complex may be experiencing connectivity problems... Steven M. Bellovin December 14, 2015 43

Revoking Access What do you do when an employee leaves? This is especially serious for employees with special access rights Solution: link the HR database to authentication servers Have some other way, driven by the HR database, to revoke access to other resources Caution: this means giving the HR machine a lot of access Steven M. Bellovin December 14, 2015 44

General Principles There s no one solution; a lot depends on context and budget Strive for separation of function Reserve your strongest controls for the most valuable pieces Log everything (but we talked about that already... ) Steven M. Bellovin December 14, 2015 45

The Final Steven M. Bellovin December 14, 2015 46

The Final Wednesday, December 23, 1:10-4:00 Open book Open notes No computers Same style as the midterm Cumulative, but a stress on the second half; some questions may span both halves Nominally 170 minutes, but I m going to aim for significantly less Steven M. Bellovin December 14, 2015 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback