Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Similar documents
System Structure. Steven M. Bellovin December 14,

Architecture. Steven M. Bellovin October 31,

Analyzing Systems. Steven M. Bellovin November 26,

Web Servers and Security

Web Servers and Security

The Internet of Things. Steven M. Bellovin November 24,

Architecture. Steven M. Bellovin October 27,

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Keys and Passwords. Steven M. Bellovin October 17,

How to Build a Culture of Security

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

10 Hidden IT Risks That Might Threaten Your Business

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

Securing Access to Network Devices

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

What every attorney should know about E-security Also, ESI

The Problem with Privileged Users

CE Advanced Network Security

A Technical Overview of the Lucent Managed Firewall

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

The security challenge in a mobile world

Get started with ReVirt

Moving Application Security into the Network

LEARN READ ON TO MORE ABOUT:

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

CtrlS Datacenters Placement Questions And Answers

The poor state of SIP endpoint security

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

RouterCheck Installation and Usage

Page 2 Skype Connect Requirements Guide

Cyber security tips and self-assessment for business

Information Security at Veritext Protecting Your Data

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

The Eight Rules of Security

P2_L12 Web Security Page 1

Morningstar ByAllAccounts Service Security & Privacy Overview

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

ISP and IXP Design. Point of Presence Topologies. ISP Network Design. PoP Topologies. Modular PoP Design. PoP Design INET 2000 NTW

Rethinking Authentication. Steven M. Bellovin

Compliance and Privileged Password Management

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Advanced iscsi Management April, 2008

Are You Avoiding These Top 10 File Transfer Risks?

Disk Encryption Buyers Guide

IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN PICHMAN EVOLVE PROJECT

Oracle Database Security - Top Things You Could & Should Be Doing Differently

Exposing The Misuse of The Foundation of Online Security

Network Security - ISA 656 Routing Security

Internet Security in my Crystal Ball

Registry Vulnerabilities An Overview

Integrated Access Management Solutions. Access Televentures

Security. 1 Introduction. Alex S. 1.1 Authentication

Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

QuickBooks Online Security White Paper July 2017

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

SECURITY AND DATA REDUNDANCY. A White Paper

CSci530 Final Exam. Fall 2011

Industrial Control System Security white paper

Cyber Crime Seminar. No Victim Too Small Why Small Businesses Are Low Hanging Fruit

Sucuri Webinar Q&A HOW TO IDENTIFY AND FIX A HACKED WORDPRESS WEBSITE. Ben Martin - Remediation Team Lead

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Top-Down Network Design

50+ Incident Response Preparedness Checklist Items.

Network Security - ISA 656 Intro to Firewalls

Integrating Password Management with Enterprise Single Sign-On

NETWORK THREATS DEMAN

CSN38: Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

Case Study: Access Control. Steven M. Bellovin October 4,

Access Control. Steven M. Bellovin September 13,

How to Choose a CDN. Improve Website Performance and User Experience. Imperva, Inc All Rights Reserved

A General Review of Key Security Strategies

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Network Security - ISA 656 Routing Security

Authentication. Steven M. Bellovin January 31,

Teradata and Protegrity High-Value Protection for High-Value Data

O365 Solutions. Three Phase Approach. Page 1 34

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

Who We Are! Natalie Timpone

CSE 3482 Introduction to Computer Security. Introduction to Information/Computer Security

Security Architecture

DIRECTORY INTEGRATION: USING ACTIVE DIRECTORY FOR AUTHENTICATION. Gabriella Davis The Turtle Partnership

Evolution Of Cyber Threats & Defense Approaches

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

On the Internet, nobody knows you re a dog.

PCI DSS Compliance. White Paper Parallels Remote Application Server

Chapter 11: Networks

CS551 End to End Argument [Saltzer81a]

EVERYTHING YOU NEED TO KNOW ABOUT NETWORK FAILOVER

Transcription:

Designing a System We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10, 2007 1

Some of Our Tools Encryption Authentication mechanisms Access control mechanisms Confinement mechanisms Lots of computers hardware is relatively cheap Steven M. Bellovin April 10, 2007 2

What Should We Build? Let s build an e-commerce site Lots of machines Lots of processes Steven M. Bellovin April 10, 2007 3

What Are the Pieces? Web server itself A replicated web server, for load-sharing and reliability Databases Firewalls (well, we haven t covered those) Steven M. Bellovin April 10, 2007 4

More Pieces Customer care Mail servers Links to suppliers, banks, shipping companies NOC System adminstrators Webmasters Development machines Steven M. Bellovin April 10, 2007 5

Developer access Even More Pieces Tier n customer care often your top developers Backup servers Geographically diverse machines? Environmental control systems air conditioning, power, backup generators Console servers Personnel machines (stay tuned) DNS servers KDC and/or CA Probably a lot more Steven M. Bellovin April 10, 2007 6

How Do We Connect These? First which pieces go on separate machines? Does that even matter? Yes... Steven M. Bellovin April 10, 2007 7

A Real-World Example I looked at the internal documentation for a billing system Four different databases 18 other processing elements Transaction and web inputs; external link to credit card processor Steven M. Bellovin April 10, 2007 8

The Web Server Complex Router Router Inverse Proxy/ Load Balancer Inverse Proxy/ Load Balancer Router Router Web Server Web Server Web Server Database Database Database Database Routers To Back Ends Steven M. Bellovin April 10, 2007 9

Why So Complex? Availability primarily against ordinary failures Everything is replicated: routers, links, Ethernets, servers, etc. The only security feature of the redundancy is some protection against DDoS attacks if your two routers connect to different ISPs Steven M. Bellovin April 10, 2007 10

Other Security Functionality The inverse proxies are effectively firewalls they only pass ports 80 and 443 The database servers are not accessible from the outside you have to hack through a web server to get any access at all Steven M. Bellovin April 10, 2007 11

What are the Danger Points? How are these devices managed? How does the NOC talk to the routers? How is software upgraded on the Web servers? Something is missing The link to the back-end systems how is that protected? Steven M. Bellovin April 10, 2007 12

Managing the Network Elements Some NOC machine has to be able to talk to the network elements The top ( north ) routers and the inverse proxies are exposed to the public Internet Must use strong cryptographic authentication and/or login mechanisms Add network access control to limit sites that can talk to them What about the middle routers? Does the inverse proxy permit access to them? That s a slight weakening of the firewall functionality Are they reached from the north LANs? Does that weaken the protection of the database servers? Steven M. Bellovin April 10, 2007 13

How Many NOCs? The NOC really needs to see all network elements To talk to the south and middle routers, it has to be on the inside To talk to the north routers, it has to be able to reach the outside Conclusion: we need a special firewall for the NOC machines Steven M. Bellovin April 10, 2007 14

What are Our Goals? The usual trilogy: confidentiality, integrity, availability Ah but what resources need what type of security? What are the consequences of failures? Steven M. Bellovin April 10, 2007 15

If the Web Server is Hacked... Embarrassment see, for example, http://www.zone-h.org/en/defacements/special Passwords from active users Access to the database machines? Steven M. Bellovin April 10, 2007 16

How to Protect Web Servers? Use strategies already discussed Major advantage these are dedicated machines, with no ordinary user Can we use separate UIDs? Steven M. Bellovin April 10, 2007 17

Separate UIDs on the Web Server In general, it s a good idea Principle of least privilege protect different functions from each other Example: login CGI script runs as a different user than the browsing CGIs, to protect the user password database Often harder than it seems functions interact a lot Steven M. Bellovin April 10, 2007 18

Should We Chroot the Web Server? What do we protect if we do that? The rest of the system? Maybe but there s nothing else on the system It doesn t hurt, but it isn t that big a help This machine is a web server appliance Steven M. Bellovin April 10, 2007 19

The Database Machines These are the crown jewels of the company If the database is tampered with, very bad things can happen, including loss of lots of money How are the database machines attacked? Hacking attack first the web server falls, then the database machine Database queries the web servers have access to the database; therefore, the hackers on that machine do, too Steven M. Bellovin April 10, 2007 20

Hacking Attacks This is nothing special it s just another machine to lock down The database machine runs very different software than the web server does; probably no common mode failures Not a major threat but don t forget to lock it down Steven M. Bellovin April 10, 2007 21

Database Query Attacks The web server can perform lots of database operations How do we stop the hacker from doing them? Answer: have the customer log in to the database! That is, all customer-type operations must be accompanied by a customer-specific authenticator A compromised web server machine can only modify database records for active users Steven M. Bellovin April 10, 2007 22

What About the Inventory Database? When a customer buys something, the inventory needs to be adjusted That isn t customer-specific how do we secure that database? Use a separate database and database machine for orders; the order database can adjust the inventory Put sanity-checking and customer limit enforcement into that machine, too (This is an oversimplification; the shipping database also needs to adjust the inventory in may situations) Steven M. Bellovin April 10, 2007 23

Information Flow Among the Databases Web Server User Information Orders Inventory Arrows show direction of information flow Steven M. Bellovin April 10, 2007 24

Protecting Information The databases will only reveal certain information to certain other machines Example: credit card numbers are not readable by the web server or even the order server. The web server can tell the user information machine to send a debit message to the bank Steven M. Bellovin April 10, 2007 25

What About a Small Site? Divide the functions up the same way Use chroot() and equivalent to isolate the different components We are using chroot() here as a weaker version of separate machines Steven M. Bellovin April 10, 2007 26

The Biggest Weakness? Router Router Inverse Proxy/ Load Balancer Inverse Proxy/ Load Balancer Router Router Web Server Web Server Web Server Database Database Database Database Routers To Back Ends Steven M. Bellovin April 10, 2007 27

That Link to the Back End The link in the southeast to back-end systems is the most dangerous part of the diagram What is the protection from the rest of the company? What essential functions are there? Steven M. Bellovin April 10, 2007 28

Two Major Classes Normal operations Unusual circumstances Steven M. Bellovin April 10, 2007 29

Normal Operations Customer care Outside links Mail servers These go on a LAN with reasonable access to the server complex customer care, for example, has to be able to read and write several databases Steven M. Bellovin April 10, 2007 30

Protecting Us from Customer Care What do we do about a rogue customer care agent? Prevent access to some kinds of information (i.e., credit card numbers) Log everything; audit periodically This call may be monitored for quality assurance purposes Steven M. Bellovin April 10, 2007 31

Unusual Circumstances Maintenance Problem recovery Out-of-hours emergencies Put a gateway between these functions and the server complex Steven M. Bellovin April 10, 2007 32

Maintenance On a production system, maintenance is a scheduled activity This means that access controls can be relaxed during that window only Be careful about relaxing the controls only to the extent necessary Steven M. Bellovin April 10, 2007 33

Problem Recovery Problem don t occur on a nice, neat schedule Often, development staff has to do the repairs How do we mediate access? Steven M. Bellovin April 10, 2007 34

Remote Access Often, development staff has to do the repairs at night, from home Sometimes, the development staff is in another country We can t institute a physical access only rule; it s not realistic Steven M. Bellovin April 10, 2007 35

Two Types of Access VPN access to the site (This may be normal anyway, if your server farm is on-premises, rather than being in an Internet hosting center) Authenticated access to the server complex Steven M. Bellovin April 10, 2007 36

Forms of Authentication What types of authentication should be used? Differs by function The NOC can t use anything that requires access to external servers; they have to talk when the network isn t working well Customer care agents can use more or less anything to log in to their machines but their machines would have credentials to permit database access Scheduled maintenance can use anything, but something secure should be used to relax access controls Emergency maintenance personnel need cryptographic keys for the VPN, and something secure a token? to get to the server complex Steven M. Bellovin April 10, 2007 37

Revoking Access What do you do when an employee leaves? This is especially serious for employees with special access rights Solution: link the HR database to authentication servers Have some other way, driven by the HR database, to revoke access to other resources Caution: this means giving the HR machine a lot of access Steven M. Bellovin April 10, 2007 38

General Principles There s no one solution; a lot depends on context and budget Strive for separation of function Reserve your strongest controls for the most valuable pieces Log everything (but we talked about that already... ) Steven M. Bellovin April 10, 2007 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback