April 2011
Table of Contents
1.0 Abstract (p. 1)
2.0 Introduction (p. 1)
3.0 Design of Security Architecture (p. 2)
  3.1 Defense in Depth (p. 2)
  3.2 Perimeter Security (p. 3)
  3.3 Key Technology Components (p. 4)
    3.3.1 Firewall (p. 4)
    3.3.2 DMZ (p. 10)
    3.3.3 Servers (p. 11)
    3.3.4 IDS (p. 15)
      3.3.4.1 Host-based IDS (p. 15)
      3.3.4.2 Network-based IDS (p. 16)
4.0 Policies (p. 17)
  4.1 SETA (p. 17)
    4.1.1 Security Education (p. 18)
    4.1.2 Security Training (p. 19)
    4.1.3 Security Awareness (p. 19)
5.0 Laws (p. 20)
  5.1 Federal-level Authorities (p. 20)
  5.2 State-level Investigative Services (p. 20)
  5.3 Local-level (p. 20)
6.0 Conclusion (p. 21)
APPENDIX A: ACRONYMS (p. ii)
APPENDIX B: REFERENCES (p. iii)
1.0 Abstract
IT security architecture can be said to be a new concept to many computer users. Users are usually aware of computer security threats such as viruses, worms, spyware, and other malware. In addition, they may have heard of most antivirus programs and firewalls, or even used them, and some may also use an IDS. In fact, antivirus programs, firewalls, and IDSs are only the surface of computer security. They are all categorized as reactive measures, which respond to active threats, rather than proactive measures, which anticipate threats. These applications play a major role in the security field, but they are not enough in themselves. Architectural security remains a mystery to most computer users.
2.0 Introduction
Architectural computer security is a subject that fills dozens of books describing how security controls are placed and how they function. These controls serve to maintain the system's quality attributes: confidentiality, integrity, availability, accountability and assurance. [4]
Security qualities are often not essential for designing a system to meet its functional goals. Instead, they are needed to give a defined level of assurance that the system will perform as its functional requirements specify. [5]

Nine principles of security architecture [6]:
1) Set a security policy for the user's system and know what is on it
2) Actions should be verifiable
3) Always give the least privilege practical
4) Practice defense in depth
5) Audit the system: keep and review system logs
6) Build to contain intrusions
7) A system is only as strong as its weakest link
8) Locking the barn door after the horse is gone is ineffective
9) Practice full disclosure
3.0 Design of Security Architecture
3.1 Defense in Depth
Defense in depth is a layering strategy, conceived by the NSA as a comprehensive approach to IT security. It was originally a military tactic. [2]
As professionals call it a layered approach, more than one layer makes up this defense in depth. The layers are as follows:
a) Physical security, such as deadbolt locks
b) Perimeter security, such as firewalls and VPNs
c) Data security
d) Server hardening, such as authentication and auditing
e) Host-based firewalls
f) Virus protection, such as antivirus software
g) Intrusion prevention, such as IDS
h) Patch management, such as security update management
These layers of security control can be organized into policy, training and education, and technology.
3.2 Perimeter Security
Perimeter security is enforced in a few areas, such as physical access control, CAB signing, device management and Microsoft ActiveSync. [1][7][8]
Perimeter security includes components such as border routers, firewalls, IDSs, IPSs, VPN devices, software architecture, DMZs and screened subnets. [9]
The figure below shows a perimeter design with web servers, a firewall gateway, a mail gateway and an HTTP proxy server. Note that there is no direct traffic between the internal network and the Internet in either direction. [10]
Figure 3.2 Network Perimeter Security [11] and Rules of Thumb for Perimeter Networks [10]
3.3 Key Technology Components
3.3.1 Firewall
A firewall is a device that makes a simple decision, accept or deny, about information moving between an untrusted network such as the Internet and a trusted network, known as the inside. It is usually a specially configured separate computer system; it may also be software running on a router or server, or a separate network containing a number of supporting devices that control the flow of information between the defined areas based on a set of predefined rules. It can be either a single device or a firewall subnet, which consists of multiple firewalls creating a buffer between the outer and inner networks. [1][12][13]
Packet Filtering Firewall
Details:
- Also known simply as a filtering firewall
- Installed on TCP/IP-based networks
- Functions at the IP level (network layer)
- Checks the header information of data packets entering a network
- Scans network data packets for compliance with, or violation of, the rules in the firewall's database
- Contains restriction combinations:
  - IP source and destination address
  - Direction (inbound/outbound)
  - TCP/UDP source and destination port requests
- Three subsets:
  - Static filtering firewall
  - Dynamic filtering firewall
  - Stateful filtering firewall
Benefits:
- Cheap and fast
- Easy to maintain
- Widely available in many routers
- User knowledge or cooperation is not essential
Drawbacks:
- Some protocols do not suit this type of firewall well
- Some policies are not readily enforced
Application Firewall (Proxy Server)
Details:
- Also known as an application-level firewall, application firewall, or proxy server
- Divided into two primary categories:
  - Network-based application firewalls
  - Host-based application firewalls
- Frequently installed on a dedicated computer, but commonly used in conjunction with a filtering router
- Functions at the application layer
- The proxy server evaluates user requests based on its filtering rules
- Example: firewalls that block responses to requests for web pages and services
Drawbacks:
- Designed for certain protocols only
- Slower than packet filtering firewalls
- More expensive than packet filtering firewalls
- Difficult to configure or maintain
- Restricted to a single application (since this type of firewall blocks at the application layer)

Benefit:
- Able to hide information about the private network it is protecting
Drawback:
- Does not filter single or individual packets
MAC Layer Firewall
- Functions at the MAC layer (data link layer)
- Not well known or widely referenced
- Filters flows based on the identity of specific host computers
- Links MAC addresses of host computers to ACL entries
- ACL entries identify the types of packets that can be sent

Hybrid Firewalls [12][22]
- Possess a combination of elements of the other categories of firewalls
- Might consist of two separate but connected firewall devices
- The first commercial firewall, DEC SEAL, was a hybrid firewall:
  - Proxies on a bastion host + packet filtering on a gateway machine
Benefit:
- Enables the addition of new services without replacing the existing firewalls in whole
Kernel Proxy [12]
- A specialized form that operates under the Windows NT Executive (the kernel of Windows NT)
- Evaluates data packets at multiple layers of the protocol stack
- Checks security in the kernel as data is transported along the protocol stack
- Implemented by Cisco in the security kernel of the Centri Firewall
- SVEN enforces the security policy that is configured into the Kernel Proxy

Commercial-Grade Firewall [12][23]
- Considered mandatory on networks that connect to the Internet
- Consists of commercial-grade firewall appliances and systems
Commercial-Grade Firewall Appliances
- Stand-alone, self-contained systems
- Possess the features of a general-purpose computer plus firmware-based instructions
- Firmware-based instructions increase the appliance's reliability and performance and minimize the likelihood of its being compromised
Benefits:
- Periodically upgraded
- Sets of firewall rules are stored in non-volatile memory
- Rules can be changed conveniently by technical staff
Drawbacks:
- Must be modified using a direct physical connection
- Can be modified only after using extensive authorization and authentication protocols
Commercial-Grade Firewall Systems
- Installed on a computer, or purchased as hardware that has already been configured
- Consist of application software running on a general-purpose computer
- Use common network connections to pass data from one network to another

SOHO Firewall Appliances [12]
- Also known as broadband gateways or DSL/cable modem routers
- Residential-grade firewall
- Installed directly on the user's computer system
- Serve as a stateful firewall
- Recently, this appliance can also work as a packet filtering firewall
  - Combines the features of WAPs and small stackable LAN switches in a single device
- This combination device provides stronger protection to SOHO users
- Might include other functions such as:
  - Port filtering
  - Simple IDS
  - Restricting access to certain MAC addresses
3.3.2 DMZ
There are several ways to design a network with a DMZ. Two of the most basic methods are with a single firewall and with dual firewalls. [24]
A DMZ configuration typically gives protection from external attacks. Unfortunately, it has no bearing on internal attacks such as sniffing communications or spoofing. Services offered by a DMZ to users on the external network include web servers, mail servers, proxy servers, reverse proxy servers, FTP servers, VoIP servers, and DNS servers.
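As an added example (not code from the paper or from any product it cites), the following Python model shows how a packet filtering rule base of the kind described in 3.3.1 (source and destination address, protocol, destination port, first match wins, default deny) is evaluated, and then goes one step further than the text: it places two such rule bases in a dual-firewall DMZ and checks that no packet can travel directly between the internal network and the Internet, while the DMZ web server may still reach the internal database it needs. The address plan, host roles, rule sets and sample packets are all constructed for the example and use documentation IP ranges.

```python
"""Added example: static packet filtering evaluated across a dual-firewall DMZ."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (documentation ranges, not a real deployment).
INTERNAL = ip_network("10.0.0.0/8")     # trusted inner network
DMZ = ip_network("192.0.2.0/24")        # screened subnet holding public services
WEB = "192.0.2.10/32"                   # DMZ web server
MAIL = "192.0.2.25/32"                  # DMZ mail gateway
PROXY = "192.0.2.80/32"                 # DMZ HTTP proxy used by internal clients
DB = "10.0.1.5/32"                      # internal database the web server needs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One line of a packet-filtering rule base; only header fields are inspected."""
    action: str                   # "accept" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; an unmatched packet is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Outer firewall: between the Internet and the DMZ. The explicit denies for inner
# addresses come first so that no accept rule below can ever apply to them.
OUTER: List[Rule] = [
    Rule("deny", src=str(INTERNAL)),
    Rule("deny", dst=str(INTERNAL)),
    Rule("accept", dst=WEB, proto="tcp", dport=80),
    Rule("accept", dst=WEB, proto="tcp", dport=443),
    Rule("accept", dst=MAIL, proto="tcp", dport=25),
    Rule("accept", src=MAIL, proto="tcp", dport=25),     # outbound mail relay
    Rule("accept", src=PROXY, proto="tcp", dport=80),    # proxy fetches on behalf of users
    Rule("accept", src=PROXY, proto="tcp", dport=443),
]

# Inner firewall: between the DMZ and the internal network. Internal clients may
# only reach the proxy; only the web server may reach the database.
INNER: List[Rule] = [
    Rule("accept", src=str(INTERNAL), dst=PROXY, proto="tcp", dport=8080),
    Rule("accept", src=WEB, dst=DB, proto="tcp", dport=5432),
]


def zone(addr: str) -> str:
    ip = ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"


# Firewalls crossed, in order, for each (source zone, destination zone) pair.
# Traffic that stays inside one zone never reaches a firewall.
PATHS = {
    ("internet", "dmz"): [OUTER],
    ("dmz", "internet"): [OUTER],
    ("dmz", "internal"): [INNER],
    ("internal", "dmz"): [INNER],
    ("internet", "internal"): [OUTER, INNER],
    ("internal", "internet"): [INNER, OUTER],
}


def permitted(p: Packet) -> bool:
    """A packet passes only if every firewall on its path accepts it."""
    path = PATHS.get((zone(p.src), zone(p.dst)), [])
    return all(evaluate(fw, p) == "accept" for fw in path)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 80),    # Internet -> DMZ web
        Packet("203.0.113.7", "10.0.1.5", "tcp", 80),      # Internet -> internal host
        Packet("10.0.5.5", "198.51.100.9", "tcp", 443),    # internal -> Internet directly
        Packet("10.0.5.5", "192.0.2.80", "tcp", 8080),     # internal -> proxy
        Packet("192.0.2.10", "10.0.1.5", "tcp", 5432),     # DMZ web -> database
        Packet("192.0.2.10", "10.0.1.5", "tcp", 22),       # DMZ web -> database, SSH
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: "
              f"{'accept' if permitted(p) else 'deny'}")
```

Two design points worth noticing: the outer firewall's deny rules for internal addresses are placed before every accept so that rule order cannot be used to reach the inner network, and an internal client asking for an Internet site directly is refused by the inner firewall, which forces it through the DMZ proxy exactly as the perimeter figure in 3.2 describes.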
3.3.3 Servers
In computing, a server is: [19]
- A computer program that runs as a service, serving the requests of other programs on the same computer
- A physical computer that runs one or more services to serve the needs of other programs on the same network
- A system such as a database server, file server, mail server or print server [39]
- A program that functions as a socket listener
- A host that executes one or more programs

Web Server
Details:
- Can be hardware or software that helps deliver packets
- Able to communicate with database servers
  - Either direct communication or communication through an application firewall
- Requires access to the database server whenever the web server communicates with an internal database
Features:
- Virtual hosting to serve websites
- Large file support, able to serve files larger than 2 GB
- Bandwidth throttling to limit speed

Proxy Server
- Also known as cache servers
- A proxy server is a secure gateway used to enable Internet connectivity for IP- and IPX-based networks
- Plays the role of a gateway for internal users
- Operations of the proxy server are transparent to client computers
Services offered:
- Packet filtering router
- Web proxy
- Winsock proxy
- Socks proxy
- Reverse web proxy
Features:
- Tracks users' Internet usage
- Limits accessible websites
- Offers a proxy array
- Provides NAT between private and public networks
- Caches frequently requested websites
- Provides dynamic packet filtering
- Provides a secure gateway to the Internet and operates as the control point between private and public networks

Reverse Proxy Server
- This server is an extra layer of security
- It is provided by using an application-level firewall
- Offers the same services as proxy servers, but the other way round
- Enables internally hosted web servers to be accessible from public networks such as the Internet
- Provides indirect access to internal resources from an external network such as the Internet

Mail Server
- A mail server is a computer that operates as an electronic post office for e-mail
- The term also refers to a computer performing the MTA function
- Functions to pass incoming mail to the secured mail servers

FTP Server
- Software running on a computer and executing FTP
- Can be connected to using FTP clients and browsers
- Allows web users to upload or download files to the server
- Blocks access by setting passwords
- HTTP hosting software is needed to develop an FTP server
- Has low hardware requirements, except for a large hard drive, since the server hosts large amounts of data
- Fast processing power is not essential

DNS Server
Functions:
- Resolution of humanly memorable domain names and hostnames into the respective numeric IP addresses

Figure 3.15 DNS Servers [40]
Table 3.2 Types of Servers
3.3.4 IDS
An IDS is a software application that monitors system activities for policy violations or malicious activity. It is implemented to detect unauthorized activity within the inner network. There are two main types of IDS: host-based IDS and network-based IDS. Both types require a database of their previous activity. [1][41]
3.3.4.1 Host-based IDS
Some application-based IDSs are also categorized as host-based IDS. An example of a host-based IDS is OSSEC. [41]
3.3.4.2 Network-based IDS
Sensors are always located in the DMZ or at network borders to capture network traffic and analyze the content of the packets for malicious activity. This type of IDS creates a database of normal activity based on a list of common attack signatures; the newly built database is then compared against future activity. [1][41]
A network-based IDS also works with other systems. It can update a firewall's blacklist with the IP addresses of computers used by intruders or attackers. [45]
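The following Python block is an added example, not code from the paper, from OSSEC or from any other product it names. It serves both IDS subsections above: a host-based part that keeps the "database of previous activity" as SHA-256 digests of monitored files and reports what changed on the next scan, and a network-based part that matches captured payloads against a small signature database and turns the offending source addresses into the firewall blacklist update the text describes. The monitored files, the signatures and the captured requests are all constructed for the example; the IP addresses are documentation ranges.

```python
"""Added example: toy host-based (file integrity) and network-based (signature) IDS."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# ---- Host-based IDS: baseline database of file digests ----
# Files are an in-memory dict {path: content}, a constructed stand-in for a
# real filesystem so the example runs anywhere.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/usr/bin/ls": b"\x7fELF...constructed binary...",
}
# Later snapshot: one file modified, one deleted, one unexpected file added.
TAMPERED_FILES: Dict[str, bytes] = {
    "/etc/passwd": BASELINE_FILES["/etc/passwd"] + b"guest:x:1001:1001::/home/guest:/bin/sh\n",
    "/etc/hosts": BASELINE_FILES["/etc/hosts"],
    "/tmp/.cache": b"unknown content",
}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """The IDS's database of previous state: SHA-256 of every monitored file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare a live snapshot against the baseline and report every deviation."""
    alerts: List[str] = []
    for path, digest in sorted(baseline.items()):
        if path not in current:
            alerts.append(f"deleted: {path}")
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            alerts.append(f"modified: {path}")
    for path in sorted(current):
        if path not in baseline:
            alerts.append(f"added: {path}")
    return alerts


# ---- Network-based IDS: signature database applied to captured payloads ----
# Constructed signature database (name, pattern); real sensors ship thousands.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("sql-injection", re.compile(rb"(?i)union\s+select")),
    ("cgi-shell-probe", re.compile(rb"/cgi-bin/[^ ]*\.sh")),
]

# Constructed capture: (source IP, HTTP request bytes seen by the sensor).
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("203.0.113.7", b"GET /index.html HTTP/1.1\r\n"),
    ("203.0.113.9", b"GET /download?file=../../../../etc/passwd HTTP/1.1\r\n"),
    ("198.51.100.4", b"GET /item?id=1 UNION SELECT name FROM users HTTP/1.1\r\n"),
    ("203.0.113.9", b"GET /cgi-bin/test.sh HTTP/1.1\r\n"),
]


def inspect_traffic(packets: List[Tuple[str, bytes]]) -> Tuple[List[str], Set[str]]:
    """Match each payload against the signature database.
    Returns alert strings and the set of source IPs that triggered one."""
    alerts: List[str] = []
    offenders: Set[str] = set()
    for src, payload in packets:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append(f"{src}: {name}")
                offenders.add(src)
    return alerts, offenders


def firewall_deny_rules(offenders: Set[str]) -> List[str]:
    """The blacklist update the text describes, rendered as generic deny rules."""
    return [f"deny from {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    for line in check_integrity(baseline, TAMPERED_FILES):
        print("HIDS", line)
    alerts, offenders = inspect_traffic(SAMPLE_PACKETS)
    for line in alerts:
        print("NIDS", line)
    for rule in firewall_deny_rules(offenders):
        print("FW  ", rule)
```

The host-based half only knows something changed, not whether the change was authorized, which is why a real deployment re-baselines after every planned change; the network-based half only sees what its signatures describe, which is the limitation the text hints at when it notes that the database is built from a list of common attack signatures.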
4.0 Policies
4.1 SETA
Among the threats to information assets, employee errors are one of the top threats. SETA is a control measure created to reduce the incidence of accidental security breaches caused by an organization's employees. SETA stands for Security Education, Training and Awareness. This approach is designed to supplement the general education and training programs that educate an organization's staff on information security. As good practice, SETA should be included as one of the programs in the implementation phase of the SDLC. The purposes of SETA include:
a) Enhancing security by improving awareness of the importance of protecting system resources
b) Enhancing security by developing skills and knowledge among computer users
c) Enhancing security by building in-depth knowledge
As its name indicates, SETA consists of three components: security education, security training, and security awareness. [1]
|                  | Awareness                                        | Training                                                              | Education                                                  |
|------------------|--------------------------------------------------|-----------------------------------------------------------------------|------------------------------------------------------------|
| Attribute        | "What"                                           | "How"                                                                 | "Why"                                                      |
| Level            | Information                                      | Knowledge                                                             | Insight                                                    |
| Objective        | Recognition                                      | Skill                                                                 | Understanding                                              |
| Teaching Method  | Media (videos, newsletters, posters)             | Practical instruction (lecture, case study workshop, hands-on practice) | Theoretical instruction (discussion seminar, background reading) |
| Test Measure     | True/false, multiple choice (identify learning)  | Problem solving (apply learning)                                      | Essay (interpret learning)                                 |
| Impact Timeframe | Short-term                                       | Intermediate                                                          | Long-term                                                  |

Table 4.1 Comparative Framework of SETA (from NIST SP800-12) [1]
4.1.1 Security Education
Courses are available at local institutes of higher learning or continuing education. Formal coursework in information security is available at a few hundred universities. For research on information security, resources are available such as the NSA-identified Centers of Excellence in Information Assurance Education (http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml). Other resources that provide security education information include Kennesaw State's Center for Information Security Education (http://infosee.kennesaw.edu/). [1]
4.1.2 Security Training
ISSA (https://www.issa.org/), and CSI
4.1.3 Security Awareness
existence of the issue of information security. Consequently, the risk of employee accidents and failures would likely increase. [1]
5.0 Laws
The level of law enforcement to involve depends on the type of crime suspected. These levels can be classified as federal-level, state-level, and local-level.
5.1 Federal-level Authorities
Federal agencies: [1]
- Federal Bureau of Investigation: computer crimes that are categorized as felonies.
- FBI Computer Intrusion Squad: investigates cyber-based attacks such as intrusions and DoS.
- U.S. Secret Service: crimes involving U.S. currency, counterfeiting, credit cards, and identity theft.
- U.S. Treasury Department: has a Bank Fraud Investigation Unit.
- Securities and Exchange Commission: has an Investigation and Fraud Control Unit.
5.2 State-level Investigative Services
Many states have their own equivalent of the FBI, which arrests individuals, serves warrants, and enforces laws that regulate property owned by the state agency. In addition, these bureaus assist local law enforcement officials in enforcing state laws. For example, the FBI's counterpart in Georgia is known as the Georgia Bureau of Investigation (GBI).
5.3 Local-level
Each county and city may have its own law enforcement agency. These agencies enforce local and state laws. Usually, local law enforcement agencies are responsible for investigating and processing crime scenes rather than building a computer crimes task force. Local law enforcement agencies would only handle some common criminal activities, for example physical theft or trespassing, damage to property, and the apprehension and processing of suspects of cyber crimes. [1]
6.0 Conclusion
In reality, many people are still unaware of the importance of IT security and of the impact of the consequences of an IT security violation. Most computer users know that viruses and worms exist and can operate the antivirus software installed on their computers. However, this knowledge is not sufficient for computer users to protect their system data or their personal and private information. In order to protect our computer systems, we should learn more about security architecture. By understanding this architecture, we can learn more about computer defenses and how they really work to protect our computer systems. To conclude, SETA should be applied to every computer user to reduce the risk of being attacked by cyber attackers. Even though SETA cannot guarantee that computer users will be totally free from cyber risks, at least the computer users can reduce their risk of facing attacks.
APPENDIX A: ACRONYMS
1) IT: Information Technology
2) IDS: Intrusion Detection System
3) IA: Information Assurance
4) NSA: National Security Agency
5) VPN: Virtual Private Networks
6) IPS: Intrusion Prevention Systems
7) DMZ: Demilitarized Zones
8) HTTP: Hypertext Transfer Protocol
9) MAC: Media Access Control
10) TCP/IP: Transmission Control Protocol/Internet Protocol
11) IP: Internet Protocol
12) TCP: Transmission Control Protocol
13) UDP: User Datagram Protocol
14) NNTP: Network News Transfer Protocol
15) ACL: Access Control List
16) SVEN: Security Verification Engine
17) SOHO: Small Office/Home Office
18) DSL: Digital Subscriber Line
19) WAP: Wireless Access Point
20) LAN: Local Area Network
21) FTP: File Transfer Protocol
22) VoIP: Voice over Internet Protocol (Voice over IP)
23) DNS: Domain Name System
24) GB: Gigabytes
25) E-mail: Electronic Mail
26) MTA: Mail Transfer Agent
27) IPX: Internetwork Packet Exchange
28) NAT: Network Address Exchange
29) DoS: Denial of Service
30) SDLC: Software Development Life Cycle
31) NSA: National Security Agency
32) SANS: System Administration, Networking and Security Institute
33) ISC2: International Information Systems Security Certification Consortium
34) ISSA: International Social Security Awareness
35) CSI: Computer Security Institute
36) FBI: Federal Bureau of Investigation
37) U.S.: United States
APPENDIX B: REFERENCES
[1] Michael E. Whitman and Herbert J. Mattord, Planning for Security, Principles of Information Security, Second Edition, 2005, Course Technology, Boston, MA, pp. 199-234
[2] Defense in Depth (Computing), http://en.wikipedia.org/wiki/Defense_in_depth_(computing) (Retrieved 8th April 2012)
[3] Defense in Depth Diagram, http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/ipcc_enterprise/srnd/7x/c7scurty.html (Retrieved 8th April 2012)
[4] IT Security Architecture, http://www.opensecurityarchitecture.org/cms/definitions/it-security-architecture (Retrieved 8th April 2012)
[5] Security Architecture, 2011, http://en.wikipedia.org/wiki/Security_architecture (Retrieved 8th April 2012)
[6] Bruce Byfield, Nine Principles of Security Architecture, 2005, http://www.linux.com/archieve/feed/49803 (Retrieved 8th April 2012)
[7] MSDN Microsoft, Perimeter Security, 2010, http://msdn.microsoft.com/en-us/library/bb416253.aspx (Retrieved 8th April 2012)
[8] McGraw-Hill Companies, Inc, Security Perimeter, McGraw-Hill Dictionary of Scientific and Technical Terms, McGraw-Hill Science & Technology Dictionary, http://www.answers.com/security-perimeter (Retrieved 8th April 2012)
[9] informIT, Perimeter Security Fundamentals, 2005, http://www.informit.com/articles/article.aspx?p=376256 (Retrieved 8th April 2012)
[10] Stefan Norberg, Windows NT/2000 Security, Securing Windows NT/2000 Servers for the Internet, http://oreilly.com/catalog/securwinserv/chapter/ch01.html (Retrieved 8th April 2012)
[11] Figure of Network Perimeter Security, http://oreilly.com/catalog/securwinserv/chapter/ch01.html (Retrieved 8th April 2012)
[12] Michael E. Whitman and Herbert J. Mattord, Security Technology: Firewalls and VPNs, Principles of Information Security, Second Edition, 2005, Course Technology, Boston, MA, pp. 241-277
[13] Packet Filtering Firewall, http://www.bglug.ca/articles/packet_filtering_firewall.pdf
[14] Firewall (computing), 2011, http://en.wikipedia.org/wiki/Firewall_(computing) (Retrieved 9th April 2012)
[15] Figure of Packet Filtering Firewall, http://www.diablotin.com/librairie/networking/firewall/figs/fire0601.gif (Retrieved 9th April 2012)
[16] Packet Filtering, Building Internet Firewalls, http://www.diablotin.com/libairie/networking/firewall/ch06_01.htm (Retrieved 9th April 2012)
[17] Proxy Server, 2011, http://en.wikipedia.org/wiki/Proxy_server (Retrieved 9th April 2012)
[18] Application Firewall, 2011, http://en.wikiepdia.org/wiki/Application_layer_firewall (Retrieved 9th April 2012)
[19] Figure of Proxy Server, http://www.google.com.my/imgres?start=21&num=10&hl=en&safe=off&gbv=2&biw=1366&bih=610&tbm=isch&tbnid=XVJZ3Ks66KlGHM:&imgrefurl=http://basichackingskills.wordpress.com/category/proxy-server2/&docid=7O6dRAzGORJFfM&imgurl=http://basichackingskills.files.wordpress.com/2012/02/secure-