Intrusion Detection: Network Security Beyond the Firewall: Intrusion Detection and the Classic Security Model











































Intrusion Detection: Network Security beyond the Firewall


(Publisher: John Wiley & Sons, Inc.)

Author(s): Terry Escamilla

ISBN: 0471290009

Publication Date: 11/01/98







What Makes a Good Reference Monitor
A reference monitor should meet three requirements (Anderson, 1972). First, you must be able to isolate the reference monitor; it should be resistant to tampering. Next, the reference monitor must be complete in that it is invoked for every reference to an object by a subject. If a subject is allowed to access an object without going through the reference monitor, say good-bye to CIA. Finally, you must have some way to verify the reference monitor. In practice, this verification is done in many ways. You might trust the vendor’s reputation; you might have access to the source code; or the product may have been used for years without problems. Look for compact and simple implementations. If the reference monitor is a few hundred lines of code, you might feel more comfortable that the vendor was able to adequately test the implementation.

The reference monitor is an abstraction that must be programmed into a product to help enforce security. You can think of the reference monitor as a high-level design. The actual implementation of the reference monitor is called the security kernel.

The Security Kernel
The security kernel is the real-world implementation of the abstract reference monitor defined in the preceding section. In most systems, the security kernel includes hardware, firmware, and software that work together to control access in the system. The main design goal of a security kernel is simplicity. Ideally, the security kernel design can be written in such precise terms that you can perform mathematical proofs which conclusively show it works as designed. This naturally represents a very high level of assurance. In practice, few vendors go through this much trouble, and, for only a few, such formal mathematical undertakings have been successful (Schell and Brinkley, 1995).

You probably will not find mathematical proofs in the documentation accompanying commercial products. There is a continuum with poor software quality on the low end and provably secure systems on the high end. Decide what you can live with when looking for a product. Ask the vendor whether it is possible to discuss the security kernel design with you. Make inquiries about the degree of testing that the security kernel undergoes. If the security kernel includes software only, you need to verify fewer components. When the security kernel consists of hardware, firmware, and software, the resulting implementation naturally will be more complex. Workstations or servers running UNIX or NT naturally contain all three components in the security kernel.

Security kernels are found in a variety of products. Clearly, operating systems provide security kernels. Each commercial product you deploy also contains a security kernel. For example, did you know that firewalls also implement their own security kernels? When a firewall makes decisions about whether to permit or deny network traffic, it is consulting an authorization database commonly referred to as the firewall rule base. Like the reference monitor described, the firewall security kernel is also responsible for restricting who can change the rule base itself.

If you ask the vendor to explain the underlying security kernel, you are showing that you are an educated buyer. Seek clarification on the following three aspects of the product:

1.  Is the reference monitor complete? In other words, is the reference monitor activated each time a subject accesses an object? Is every reference by a subject to an object passing through the reference monitor?
2.  How is the reference monitor itself protected from unauthorized tampering? How is the authorization database protected?
3.  Is the implementation of the reference monitor simple enough to verify with test cases? If the answer to this question is “No,” decide what information you will accept as proof that the reference monitor works.

Enhancing the Security Model Further
At this point, you must surely be asking how the reference monitor alone can adequately provide confidentiality and integrity. In fact, the reference monitor or security kernel trusts other components to help with security. Beyond the security kernel, you also need some way to verify the identity of subjects and objects. As mentioned previously, you also need an authorization database that is used to control access to objects. To know whether the reference monitor is behaving correctly, audit data must be produced to track its activities.

Taking a quick look back, you can see that the security model begins with subjects and objects and then incorporates an abstract reference monitor. The security model is now enhanced with the addition of three more components. The identification and authentication (I&A) component of a computer system interacts with the security kernel to positively identify subjects and objects. The authorization database component discussed earlier also is added to the security model. Finally, an audit mechanism is added for accountability and monitoring. With these three additions, the security model is complete enough to be useful for specifying a complete security policy. The trusted computing base (TCB) includes any hardware, software, or firmware used in the security kernel, the I&A subsystem, the authorization database, or the auditing subsystem to enforce the security policy.
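The model described so far can be sketched in a few lines. The following is an added example, not code from the book: a default-deny reference monitor that consults an authorization database, writes an audit record for every decision, and treats changes to the rule base as just another mediated access. All names (`ReferenceMonitor`, `GuardedStore`, `RULE_BASE`, the subjects and the object) are hypothetical, and subjects are assumed to have already been identified by an I&A step.

```python
from dataclasses import dataclass, field

RULE_BASE = "rule_base"  # the authorization database is itself a protected object

@dataclass
class ReferenceMonitor:
    # Authorization database: (subject, object) -> set of permitted access modes.
    _acl: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def check(self, subject, obj, mode):
        """Single decision point: default deny, and every decision is audited."""
        allowed = mode in self._acl.get((subject, obj), set())
        self.audit_log.append((subject, obj, mode, "PERMIT" if allowed else "DENY"))
        return allowed

    def grant(self, admin, subject, obj, mode):
        """Changing the rule base is an access to RULE_BASE and is mediated too."""
        if not self.check(admin, RULE_BASE, "write"):
            raise PermissionError(f"{admin} may not modify the rule base")
        self._acl.setdefault((subject, obj), set()).add(mode)

class GuardedStore:
    """Objects are reachable only through methods that call the monitor first."""
    def __init__(self, monitor, objects):
        self._monitor = monitor
        self._objects = dict(objects)

    def read(self, subject, name):
        if not self._monitor.check(subject, name, "read"):
            raise PermissionError(f"{subject} denied read on {name}")
        return self._objects[name]

def demo():
    # Constructed sample policy: "root" is the only subject allowed to edit rules.
    rm = ReferenceMonitor(_acl={("root", RULE_BASE): {"write"}})
    store = GuardedStore(rm, {"payroll.db": "salary records"})
    rm.grant("root", "alice", "payroll.db", "read")
    results = [store.read("alice", "payroll.db")]
    for attempt in (lambda: store.read("mallory", "payroll.db"),
                    lambda: rm.grant("mallory", "mallory", "payroll.db", "read")):
        try:
            attempt()
        except PermissionError as exc:
            results.append(str(exc))
    return results, rm.audit_log
```

The sketch shows completeness and auditing only. Isolation cannot be demonstrated inside a single Python process, where any caller can reach `_acl` directly; in a real security kernel that property comes from hardware and operating system protection.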
Identification and Authentication (I&A)
A secure computer system must provide a trustworthy component for identifying subjects and objects. Like the reference monitor and security kernel introduced earlier, the I&A component should be tamper resistant and simple. If the I&A programs or hardware can be compromised, the confidentiality and integrity of the system will no longer be guaranteed. After penetrating your system, one of the first things a hacker will do is plant Trojan Horse routines for the real I&A programs. One of the oldest tricks is to leave a password grabber running on a computer terminal. The grabber pretends to be the real operating system login program, but its sole purpose is to trick an unsuspecting user. Because I&A is the first step in getting into a computer, it is obviously where a hacker will probe for weaknesses.

A confounding aspect of computing systems is their “on behalf of” semantics. When a person wants to access a computer, the first step is typically I&A. What really happens after this initial phase will be described in detail in the next chapter for both UNIX and NT. However, unless you are starring in the motion picture Tron, you can be sure that you don’t physically enter the system yourself. Instead, things happen inside the computer on your behalf.





Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.












