Is3230 Unit 7 Assignment 1 Vector


1 Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

2 Database and Cloud Security
Chapter 5

This chapter looks at the unique security issues that relate to databases. The focus of this chapter is on relational database management systems (RDBMS). The relational approach dominates industry, government, and research sectors and is likely to do so for the foreseeable future. We begin with an overview of the need for database-specific security techniques. Then we provide a brief introduction to database management systems, followed by an overview of relational databases. Next, we look at the issue of database access control, followed by a discussion of the inference threat. Then we examine security issues for statistical databases. Next, we examine database encryption. Finally, we examine the issues raised by the use of cloud technology.

3 Database management system (DBMS)
Databases
• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data that needs to be secured
Query language
• Provides a uniform interface to the database
Database management system (DBMS)
• Suite of programs for constructing and maintaining the database
• Offers ad hoc query facilities to multiple users and applications

Organizational databases tend to concentrate sensitive information in a single logical system. Examples include:
• Corporate financial data
• Confidential phone records
• Customer and employee information, such as name, Social Security number, bank account information, credit card information
• Proprietary product information
• Health care information and medical records

For many businesses and other organizations, it is important to be able to provide customers, partners, and employees with access to this information. But such information can be targeted by internal and external threats of misuse or unauthorized change. Accordingly, security specifically tailored to databases is an increasingly important component of an overall organizational security strategy.

In some cases, an organization can function with a relatively simple collection of files of data. Each file may contain text (e.g., copies of memos and reports) or numerical data (e.g., spreadsheets). A more elaborate file consists of a set of records. However, for an organization of any appreciable size, a more complex structure known as a database is required. A database is a structured collection of data stored for use by one or more applications. In addition to data, a database contains the relationships between data items and groups of data items. As an example of the distinction between data files and a database, consider the following. A simple personnel file might consist of a set of records, one for each employee. Each record gives the employee’s name, address, date of birth, position, salary, and other details needed by the personnel department. A personnel database includes a personnel file, as just described. It may also include a time and attendance file, showing for each week the hours worked by each employee. With a database organization, these two files are tied together so that a payroll program can extract the information about time worked and salary for each employee to generate paychecks.

Accompanying the database is a database management system (DBMS), which is a suite of programs for constructing and maintaining the database and for offering ad hoc query facilities to multiple users and applications. A query language provides a uniform interface to the database for users and applications.

4 Figure 5.1 provides a simplified block diagram of a DBMS architecture
Figure 5.1 provides a simplified block diagram of a DBMS architecture. Database designers and administrators make use of a data definition language (DDL) to define the database logical structure and procedural properties, which are represented by a set of database description tables. A data manipulation language (DML) provides a powerful set of tools for application developers. Query languages are declarative languages designed to support end users. The database management system makes use of the database description tables to manage the physical database. The interface to the database is through a file manager module and a transaction manager module. In addition to the database description table, two other tables support the DBMS. The DBMS uses authorization tables to ensure the user has permission to execute the query language statement on the database. The concurrent access table prevents conflicts when simultaneous, conflicting commands are executed.

Database systems provide efficient access to large volumes of data and are vital to the operation of many organizations. Because of their complexity and criticality, database systems generate security requirements that are beyond the capability of typical OS-based security mechanisms or stand-alone security packages.

Operating system security mechanisms typically control read and write access to entire files. So they could be used to allow a user to read or to write any information in, for example, a personnel file. But they could not be used to limit access to specific records or fields in that file. A DBMS typically does allow this type of more detailed access control to be specified. It also usually enables access controls to be specified over a wider range of commands, such as to select, insert, update, or delete specified items in the database. Thus, security services and mechanisms are needed that are designed specifically for, and integrated with, database systems.

5 Structured Query Language (SQL)
• Standardized language to define schema, manipulate, and query data in a relational database
• Several similar versions of ANSI/ISO standard
• All follow the same basic syntax and semantics
• SQL statements can be used to:
  - Create tables
  - Insert and delete data in tables
  - Create views
  - Retrieve data with query statements

Structured Query Language (SQL) is a standardized language that can be used to define schema, manipulate, and query data in a relational database. There are several versions of the ANSI/ISO standard and a variety of different implementations, but all follow the same basic syntax and semantics. SQL statements can be used to create tables, insert and delete data in tables, create views, and retrieve data with query statements.

6 SQL Injection Attacks (SQLi)
• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment SQL injection can also be exploited to:
  - Modify or delete data
  - Execute arbitrary operating system commands
  - Launch denial-of-service (DoS) attacks

The SQL injection (SQLi) attack is one of the most prevalent and dangerous network-based security threats. Consider the following reports:
1. The July 2013 Imperva Web Application Attack Report [IMPE13] surveyed a cross-section of Web application servers in industry and monitored eight different types of common attacks. The report found that SQLi attacks ranked first or second in total number of attack incidents, the number of attack requests per attack incident, and average number of days per month that an application experienced at least one attack incident. Imperva observed a single Web site that received 94,057 SQL injection attack requests in one day.
2. The Open Web Application Security Project’s 2013 report [OWAS13] on the ten most critical Web application security risks listed injection attacks, especially SQLi attacks, as the top risk. This ranking is unchanged from its 2010 report.
3. The Veracode 2013 State of Software Security Report [VERA13] found that the percentage of applications affected by SQLi attacks is around 32% and that SQLi attacks account for 26% of all reported breaches. Veracode also considers this among the most dangerous threats, reporting that three of the biggest SQL injection attacks in 2012 resulted in millions of addresses, usernames, and passwords being exposed and damaged the respective brands.
4. The Trustwave 2013 Global Security Report [TRUS13] lists SQLi attacks as one of the top two intrusion techniques. The report notes that poor coding practices have allowed the SQL injection attack vector to remain on the threat landscape for more than 15 years, but that proper programming and security measures can prevent these attacks.

In general terms, an SQLi attack is designed to exploit the nature of Web application pages. In contrast to the static Web pages of years gone by, most current Web sites have dynamic components and content. Many such pages ask for information, such as location, personal identity information, and credit card information. This dynamic content is usually transferred to and from back-end databases that contain volumes of information—anything from cardholder data to which type of running shoes is most purchased. An application server Web page will make SQL queries to databases to send and receive information critical to making a positive user experience.

In such an environment, an SQLi attack is designed to send malicious SQL commands to the database server. The most common attack goal is bulk extraction of data. Attackers can dump database tables with hundreds of thousands of customer records. Depending on the environment, SQL injection can also be exploited to modify or delete data, execute arbitrary operating system commands, or launch denial-of-service (DoS) attacks.

7 SQLi is an attack that exploits a security vulnerability occurring in the database layer of an application (such as queries). Using SQL injection, the attacker can extract or manipulate the web application’s data. The attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed, and thereby unexpectedly executed.

Figure 5.5, from [ACUN13], is a typical example of an SQLi attack. The steps involved are as follows:
1. Hacker finds a vulnerability in a custom Web application and injects an SQL command to a database by sending the command to the Web server. The command is injected into traffic that will be accepted by the firewall.
2. The Web server receives the malicious code and sends it to the Web application server.
3. The Web application server receives the malicious code from the Web server and sends it to the database server.
4. The database server executes the malicious code on the database. The database returns data from the credit cards table.
5. The Web application server dynamically generates a page with data including credit card details from the database.
6. The Web server sends the credit card details to the hacker.

8 Injection Technique
• The SQLi attack typically works by prematurely terminating a text string and appending a new command
• Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark “--”
• Subsequent text is ignored at execution time

The SQLi attack typically works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark “--”. Subsequent text is ignored at execution time.

9 SQLi Attack Avenues
• User input: Attackers inject SQL commands by providing suitably crafted user input
• Server variables: Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers
• Second-order injection: A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself
• Cookies: An attacker could alter cookies such that when the application server builds an SQL query based on the cookie’s content, the structure and function of the query is modified
• Physical user input: Applying user input that constructs an attack outside the realm of web requests

We can characterize SQLi attacks in terms of the avenue of attack and the type of attack [CHAN11, HALF06]. The main avenues of attack are as follows:
• User input: In this case, attackers inject SQL commands by providing suitably crafted user input. A Web application can read user input in several ways based on the environment in which the application is deployed. In most SQLi attacks that target Web applications, user input typically comes from form submissions that are sent to the Web application via HTTP GET or POST requests. Web applications are generally able to access the user input contained in these requests as they would access any other variable in the environment.
• Server variables: Server variables are a collection of variables that contain HTTP headers, network protocol headers, and environmental variables. Web applications use these server variables in a variety of ways, such as logging usage statistics and identifying browsing trends. If these variables are logged to a database without sanitization, this could create an SQL injection vulnerability. Because attackers can forge the values that are placed in HTTP and network headers, they can exploit this vulnerability by placing data directly into the headers. When the query to log the server variable is issued to the database, the attack in the forged header is then triggered.
• Second-order injection: Second-order injection occurs when incomplete prevention mechanisms against SQL injection attacks are in place. In second-order injection, a malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself.
• Cookies: When a client returns to a Web application, cookies can be used to restore the client’s state information. Because the client has control over cookies, an attacker could alter cookies such that when the application server builds an SQL query based on the cookie’s content, the structure and function of the query is modified.
• Physical user input: SQL injection is possible by supplying user input that constructs an attack outside the realm of web requests. This user input could take the form of conventional barcodes, RFID tags, or even paper forms which are scanned using optical character recognition and passed to a database management system.

10 Inferential Attack
• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server
• Include:
  - Illegal/logically incorrect queries: This attack lets an attacker gather important information about the type and structure of the backend database of a Web application; the attack is considered a preliminary, information-gathering step for other attacks
  - Blind SQL injection: Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

With an inferential attack, there is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server. Inferential attack types include the following:
• Illegal/logically incorrect queries: This attack lets an attacker gather important information about the type and structure of the backend database of a Web application. The attack is considered a preliminary, information-gathering step for other attacks. The vulnerability leveraged by this attack is that the default error page returned by application servers is often overly descriptive. In fact, the simple fact that an error message is generated can often reveal vulnerable/injectable parameters to an attacker.
• Blind SQL injection: Blind SQL injection allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker. The attacker asks the server true/false questions. If the injected statement evaluates to true, the site continues to function normally. If the statement evaluates to false, although there is no descriptive error message, the page differs significantly from the normally functioning page.

11 SQLi Countermeasures
Three types:
• Defensive coding
  - Manual defensive coding practices
  - Parameterized query insertion
  - SQL DOM
• Detection
  - Signature based
  - Anomaly based
  - Code analysis
• Run-time prevention
  - Check queries at runtime to see if they conform to a model of expected queries

Because SQLi attacks are so prevalent, damaging, and varied both by attack avenue and type, a single countermeasure is insufficient. Rather, an integrated set of techniques is necessary. In this section, we provide a brief overview of the types of countermeasures that are in use or being researched, using the classification in [SHAR13]. These countermeasures can be classified into three types: defensive coding, detection, and run-time prevention.

Many SQLi attacks succeed because developers have used insecure coding practices. Thus, defensive coding is an effective way to dramatically reduce the threat from SQLi. Examples of defensive coding include the following:
• Manual defensive coding practices: A common vulnerability exploited by SQLi attacks is insufficient input validation. The straightforward solution for eliminating these vulnerabilities is to apply suitable defensive coding practices. An example is input type checking, to check that inputs that are supposed to be numeric contain no characters other than digits. This type of technique can avoid attacks based on forcing errors in the database management system. Another type of coding practice is one that performs pattern matching to try to distinguish normal input from abnormal input.
• Parameterized query insertion: This approach attempts to prevent SQLi by allowing the application developer to more accurately specify the structure of an SQL query, and pass the value parameters to it separately such that any unsanitary user input is not allowed to modify the query structure.
• SQL DOM: SQL DOM is a set of classes that enables automated data type validation and escaping [MCCL05]. This approach uses encapsulation of database queries to provide a safe and reliable way to access databases. This changes the query-building process from an unregulated one that uses string concatenation to a systematic one that uses a type-checked API. Within the API, developers are able to systematically apply coding best practices such as input filtering and rigorous type checking of user input.

A variety of detection methods have been developed, including the following:
• Signature based: This technique attempts to match specific attack patterns. Such an approach must be constantly updated and may not work against self-modifying attacks.
• Anomaly based: This approach attempts to define normal behavior and then detect behavior patterns outside the normal range. A number of approaches have been used. In general terms, there is a training phase, in which the system learns the range of normal behavior, followed by the actual detection phase.
• Code analysis: Code analysis techniques involve the use of a test suite to detect SQLi vulnerabilities. The test suite is designed to generate a wide range of SQLi attacks and assess the response of the system.

Finally, a number of run-time prevention techniques have been developed as SQLi countermeasures. These techniques check queries at runtime to see if they conform to a model of expected queries. Various automated tools are available for this purpose [CHAN12, SHAR13].
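The injection technique from slide 8 and the parameterized-query and input-type-checking countermeasures above, as an added example written for this page (not the textbook's code). It uses Python's standard sqlite3 module and a constructed users table, and shows that the same input which rewrites a concatenated query is treated as an ordinary value by a parameterized one:

```python
import re
import sqlite3

# Constructed sample rows standing in for the customer records the text describes.
SAMPLE_ROWS = [("alice", "card-0001"), ("bob", "card-0002"), ("carol", "card-0003")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users (name, card) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Insecure query built by string concatenation (the vulnerable pattern).

    A quote inside `name` terminates the string literal early, the text after it is
    parsed as SQL, and a trailing comment mark makes the engine ignore the closing
    quote the application appends, exactly as the injection technique slide describes.
    """
    sql = f"SELECT name, card FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the statement structure is fixed before the value is bound,
    so embedded quotes or comment marks are compared as characters, never parsed."""
    return conn.execute(
        "SELECT name, card FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_numeric_id(raw: str) -> bool:
    """Input type checking: a field that is supposed to be numeric holds digits only."""
    return re.fullmatch(r"[0-9]{1,9}", raw) is not None


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    """Type-checked and parameterized lookup; rejects anything that is not a plain integer."""
    if not is_numeric_id(raw_id):
        raise ValueError("user id must be numeric")
    return conn.execute(
        "SELECT name FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Input that closes the literal, appends a tautology and comments out the rest.
    crafted = "x' OR '1'='1' --"
    print("concatenated:", lookup_concat(db, crafted))  # every row leaks
    print("parameterized:", lookup_param(db, crafted))  # no row named that
    print("numeric check:", is_numeric_id("42"), is_numeric_id("42 OR 1=1"))
```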

12 Database Access Control
Database access control system determines:
• If the user has access to the entire database or just portions of it
• What access rights the user has (create, insert, delete, update, read, write)
Can support a range of administrative policies:
• Centralized administration: Small number of privileged users may grant and revoke access rights
• Ownership-based administration: The creator of a table may grant and revoke access rights to the table
• Decentralized administration: The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

Commercial and open-source DBMSs typically provide an access control capability for the database. The DBMS operates on the assumption that the computer system has authenticated each user. As an additional line of defense, the computer system may use the overall access control system described in Chapter 4 to determine whether a user may have access to the database as a whole. For users who are authenticated and granted access to the database, a database access control system provides a specific capability that controls access to portions of the database.

Commercial and open-source DBMSs provide discretionary or role-based access control. We defer a discussion of mandatory access control considerations to Chapter 13. Typically, a DBMS can support a range of administrative policies, including the following:
• Centralized administration: A small number of privileged users may grant and revoke access rights.
• Ownership-based administration: The owner (creator) of a table may grant and revoke access rights to the table.
• Decentralized administration: In addition to granting and revoking access rights to a table, the owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table.

As with any access control system, a database access control system distinguishes different access rights, including create, insert, delete, update, read, and write. Some DBMSs provide considerable control over the granularity of access rights. Access rights can be to the entire database, to individual tables, or to selected rows or columns within a table. Access rights can be determined based on the contents of a table entry. For example, in a personnel database, some users may be limited to seeing salary information only up to a certain maximum value. And a department manager may only be allowed to view salary information for employees in his or her department.

13 SQL Access Controls
Two commands for managing access rights:
• Grant: Used to grant one or more access rights or can be used to assign a user to a role
• Revoke: Revokes the access rights
Typical access rights are:
• Select
• Insert
• Update
• Delete
• References

SQL provides two commands for managing access rights, GRANT and REVOKE. For different versions of SQL, the syntax is slightly different. In general terms, the GRANT command has the following syntax:

    GRANT { privileges | role }
    [ON table]
    TO { user | role | PUBLIC }
    [IDENTIFIED BY password]
    [WITH GRANT OPTION]

This command can be used to grant one or more access rights or can be used to assign a user to a role. For access rights, the command can optionally specify that it applies only to a specified table. The TO clause specifies the user or role to which the rights are granted. A PUBLIC value indicates that any user has the specified access rights. The optional IDENTIFIED BY clause specifies a password that must be used to revoke the access rights of this GRANT command. The GRANT OPTION indicates that the grantee can grant this access right to other users, with or without the grant option.

As a simple example, consider the following statement.

    GRANT SELECT ON ANY TABLE TO ricflair

This statement enables user ricflair to query any table in the database.

Different implementations of SQL provide different ranges of access rights. The following is a typical list:
• Select: Grantee may read entire database; individual tables; or specific columns in a table.
• Insert: Grantee may insert rows in a table; or insert rows with values for specific
• Update: Semantics is similar to INSERT.
• Delete: Grantee may delete rows from a table.
• References: Grantee is allowed to define foreign keys in another table that refer to the specified columns.

The REVOKE command has the following syntax:

    REVOKE { privileges | role }
    FROM { user | role | PUBLIC }

Thus, the following statement revokes the access rights of the preceding example:

    REVOKE SELECT ON ANY TABLE FROM ricflair

14 The grant option enables an access right to cascade through a number of users.
We consider a specific access right and illustrate the cascade phenomenon in Figure 5.4. The figure indicates that Ann grants the access right to Bob at time t = 10 and to Chris at time t = 20. Assume that the grant option is always used. Thus, Bob is able to grant the access right to David at t = 30. Chris redundantly grants the access right to David at t = 50. Meanwhile, David grants the right to Ellen, who in turn grants it to Jim; and subsequently David grants the right to Frank.

Just as the granting of privileges cascades from one user to another using the grant option, the revocation of privileges also cascades. Thus, if Ann revokes the access right to Bob and Chris, then the access right is also revoked to David, Ellen, Jim, and Frank. A complication arises when a user receives the same access right multiple times, as happens in the case of David. Suppose that Bob revokes the privilege from David. David still has the access right because it was granted by Chris at t = 50. However, David granted the access right to Ellen after receiving the right, with grant option, from Bob but prior to receiving it from Chris. Most implementations dictate that in this circumstance, the access right to Ellen and therefore Jim is revoked when Bob revokes the access right to David. This is because at t = 40, when David granted the access right to Ellen, David only had the grant option to do this from Bob. When Bob revokes the right, this causes all subsequent cascaded grants that are traceable solely to Bob via David to be revoked. Because David granted the access right to Frank after David was granted the access right with grant option from Chris, the access right to Frank remains. These effects are shown in the lower portion of Figure 5.6.

To generalize, the convention followed by most implementations is as follows. When user A revokes an access right, any cascaded access right is also revoked, unless that access right would exist even if the original grant from A had never occurred. This convention was first proposed in [GRIF76].
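A worked version of the revocation convention just described, written for this page (not the textbook's code): it replays the grant timeline from the figure and recomputes which grants remain effective after a REVOKE by keeping only grants whose grantor held the right with grant option, from an effective grant, at an earlier time. The times of the Ellen-to-Jim and David-to-Frank grants are not given on the slide and are assumed here:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One GRANT of a single access right, issued at logical time `time`."""
    grantor: str
    grantee: str
    time: int
    grant_option: bool = True  # the slide assumes WITH GRANT OPTION throughout


# Timeline from the figure discussed above; Ann owns the right. The text fixes
# t = 10, 20, 30, 40 and 50; the two marked times are assumptions, chosen so that
# Frank's grant comes after David received the right from Chris (t = 50).
GRANTS = [
    Grant("Ann", "Bob", 10),
    Grant("Ann", "Chris", 20),
    Grant("Bob", "David", 30),
    Grant("David", "Ellen", 40),
    Grant("Ellen", "Jim", 45),    # assumed time
    Grant("Chris", "David", 50),
    Grant("David", "Frank", 60),  # assumed time
]


def effective_grants(owner: str, grants: list) -> list:
    """Return the grants that currently confer the right, ordered by time.

    A grant is effective if its grantor is the owner, or if the grantor already
    held the right WITH GRANT OPTION through an effective grant made strictly
    earlier. Growing the set outward from the owner until nothing changes is what
    makes revocation cascade: a grant whose only support ran through a removed
    grant is never reached, while one with independent support survives.
    """
    effective: set = set()
    changed = True
    while changed:
        changed = False
        for g in grants:
            if g in effective:
                continue
            supported = g.grantor == owner or any(
                e.grantee == g.grantor and e.grant_option and e.time < g.time
                for e in effective
            )
            if supported:
                effective.add(g)
                changed = True
    return sorted(effective, key=lambda g: g.time)


def holders(owner: str, grants: list) -> set:
    """Users who hold the right under the given grant table."""
    return {g.grantee for g in effective_grants(owner, grants)}


def revoke(owner: str, grants: list, grantor: str, grantee: str) -> list:
    """REVOKE the grant(s) grantor -> grantee and return what remains effective."""
    remaining = [
        g for g in grants if not (g.grantor == grantor and g.grantee == grantee)
    ]
    return effective_grants(owner, remaining)


if __name__ == "__main__":
    print("initially:", sorted(holders("Ann", GRANTS)))
    after_bob = revoke("Ann", GRANTS, "Bob", "David")
    # Ellen and Jim lose the right (their chain ran only through Bob at t = 40);
    # David and Frank keep it through Chris's grant at t = 50.
    print("after Bob revokes David:", sorted(g.grantee for g in after_bob))
    after_ann = revoke("Ann", revoke("Ann", GRANTS, "Ann", "Bob"), "Ann", "Chris")
    print("after Ann revokes Bob and Chris:", [g.grantee for g in after_ann])
```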

15 Role-Based Access Control (RBAC)
• Role-based access control eases administrative burden and improves security
• A database RBAC needs to provide the following capabilities:
  - Create and delete roles
  - Define permissions for a role
  - Assign and cancel assignment of users to roles
• Categories of database users:
  - Application owner: An end user who owns database objects as part of an application
  - End user: An end user who operates on database objects via a particular application but does not own any of the database objects
  - Administrator: User who has administrative responsibility for part or all of the database

A role-based access control (RBAC) scheme is a natural fit for database access control. Unlike a file system associated with a single or a few applications, a database system often supports dozens of applications. In such an environment, an individual user may use a variety of applications to perform a variety of tasks, each of which requires its own set of privileges. It would be poor administrative practice to simply grant users all of the access rights they require for all the tasks they perform. RBAC provides a means of easing the administrative burden and improving security.

In a discretionary access control environment, we can classify database users in three broad categories:
• Application owner: An end user who owns database objects (tables, columns, rows) as part of an application. That is, the database objects are generated by the application or are prepared for use by the application.
• End user other than application owner: An end user who operates on database objects via a particular application but does not own any of the database objects.
• Administrator: User who has administrative responsibility for part or all of the database.

We can make some general statements about RBAC concerning these three types of users. An application has associated with it a number of tasks, with each task requiring specific access rights to portions of the database. For each task, one or more roles can be defined that specify the needed access rights. The application owner may assign roles to end users. Administrators are responsible for more sensitive or general roles, including those having to do with managing physical and logical database components, such as data files, users, and security mechanisms. The system needs to be set up to give certain administrators certain privileges. Administrators in turn can assign users to administrative-related roles.

A database RBAC facility needs to provide the following capabilities:
• Create and delete roles.
• Define permissions for a role.
• Assign and cancel assignment of users to roles.


1 Storage Security and Management
Copyright © 2009 EMC Corporation. Do not Copy - All Rights Reserved.
Storage Security and Management
Section 4 (Chapter 10)
ISMDR:BEIT:VIII:chap 10:Madhu N PIIT

2 Section Objective
Upon completion of this section, you will be able to:
• Define information security
• List the critical security attributes for information systems
• Define storage security domains
• List and analyze the common threats in each domain
• Identify key parameters and components to monitor in a storage infrastructure
• List key management activities and examples
• Define storage management standards and initiatives

3 Securing the Storage Infrastructure
Chapter 15

4 Chapter Objective
Upon completion of this chapter, you will be able to:
• Define storage security
• Discuss storage security framework
• Describe storage security domains: Application, Management, Backup Recovery and Archive (BURA)
• List the security threats in each domain and describe the controls that can be applied
• Discuss the security implementations in SAN, NAS, and IP-SAN environments

5 Lesson: Building Storage Security Framework
Upon completion of this lesson, you will be able to:
• Define storage security
• Discuss the elements to build storage security framework
• Security services
• Define Risk triad

6 What is Storage Security?
• Application of security principles and practices to storage networking (data storage + networking) technologies
• Focus of storage security: secured access to information
• Storage security begins with building a framework
[Diagram: intersection of Security, Storage, and Networking]

7 Storage Security Framework
A systematic way of defining security requirements
Framework should incorporate:
• Anticipated security attacks: actions that compromise the security of information
• Security measures: controls designed to protect from these security attacks
Security framework must ensure:
• Confidentiality
• Integrity
• Availability
• Accountability

8 Storage Security Framework: Attribute
• Confidentiality
  • Provides the required secrecy of information
  • Ensures only authorized users have access to data
• Integrity
  • Ensures that the information is unaltered
• Availability
  • Ensures that authorized users have reliable and timely access to data
• Accountability
  • Accounting for all events and operations that take place in the data center infrastructure, so that they can be audited or traced later
  • Helps to uniquely identify the actor that performed an action

9 Understanding Security Elements
The Risk Triad
(Figure: the risk triad. Threat agents give rise to threats; threats exploit vulnerabilities, leading to risk; the risk is to assets, which threat agents wish to abuse and/or may damage. Owners value their assets and impose countermeasures to reduce risk.)

10 Security Elements: Assets
• “Information” is the most important asset
• Other assets: hardware, software, and network infrastructure
• Protecting assets is the primary concern
• Security mechanism considerations:
  • Must provide easy access to information assets for authorized users
  • Must make it very difficult for potential attackers to access and compromise the system
  • Should cost only a small fraction of the value of the protected asset
  • Should cost a potential attacker more, in terms of money and time

11 Security Elements: Threats
Potential attacks that can be carried out on an IT infrastructure:
• Passive attacks
  • Attempts to gain unauthorized access into the system
  • Threats to the confidentiality of information
• Active attacks
  • Data modification, Denial of Service (DoS), and repudiation attacks
  • Threats to data integrity and availability

Attack              Confidentiality   Integrity   Availability   Accountability
Access                    √
Modification                              √
Denial of Service                                     √
Repudiation                                                          √

12 Security Elements: Vulnerabilities
• Vulnerabilities can occur anywhere in the system
• An attacker can bypass controls implemented at a single point in the system
  • This requires “defense in depth”
• Failure anywhere in the system can jeopardize the security of information assets
  • Loss of authentication may jeopardize confidentiality
  • Loss of a device jeopardizes availability

13 Security Elements: Vulnerabilities (cont.)
Understanding Vulnerabilities
• Attack surface: the various access points/interfaces that an attacker can use to launch an attack
• Attack vector: the series of steps necessary to launch an attack
• Work factor: the amount of time and effort required to exploit an attack vector
Solution to protect critical assets:
• Minimize the attack surface
• Maximize the work factor
• Manage vulnerabilities
  • Detect and remove the vulnerabilities, or
  • Install countermeasures to lessen the impact

14 Countermeasures to Vulnerability
• Implement countermeasures (safeguards, or controls) in order to lessen the impact of vulnerabilities
• Controls are technical or non-technical
  • Technical: implemented in computer hardware, software, or firmware
  • Non-technical: administrative (policies, standards) and physical (guards, gates)
• Controls provide different functions:
  • Preventive
  • Corrective
  • Detective

15 Lesson Summary
Key topics covered in this lesson:
• Storage security
• Storage security framework
• Security attributes
• Security elements
• Security controls

16 Lesson: Storage Security Domains
Upon completion of this lesson, you will be able to:
• Describe the three security domains
  • Application
  • Management
  • Backup & Data Storage
• List the security threats in each domain
• Describe the controls that can be applied

17 Storage Security Domains
(Figure: the three storage security domains around the storage network and data storage: Application Access, Management Access, and Secondary Storage, i.e. Backup, Recovery & Archive)

18 Application Access Domain: Threats
(Figure: Host A and Host B connected over a LAN and an FC SAN to arrays holding their volumes V1 and V2. Threats shown: spoofing host/user identity, elevation of privilege, an unauthorized host, and media theft.)

19 Securing the Application Access Domain
Controlling User Access to Data
• Threats: spoofing user identity (Integrity, Confidentiality); elevation of user privilege (Integrity, Confidentiality)
• Available controls: user authentication (Technical); user authorization (Technical, Administrative)
• Examples: strong authentication; NAS: access control lists
Controlling Host Access to Data
• Threats: spoofing host identity (Integrity, Confidentiality); elevation of host privilege (Integrity, Confidentiality)
• Available controls: host and storage authentication (Technical); access control to storage objects (Technical, Administrative); storage access monitoring (Technical)
• Examples: iSCSI storage: authentication with DH-CHAP; SAN switches: zoning; array: LUN masking
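The host-authentication control listed above (DH-CHAP for iSCSI) rests on the CHAP challenge/response exchange. The following is an added example, not code from the slides or from any storage vendor: it implements the one-way MD5 CHAP of RFC 1994, where the response is MD5(Identifier || Secret || Challenge), and walks both sides of the exchange. DH-CHAP adds a Diffie-Hellman step on top of this, which is not modelled. The initiator name, shared secrets and challenge bytes are constructed for the example.

```python
"""CHAP challenge/response as used to authenticate an iSCSI initiator.

Added example; not code from the slides or from any storage vendor. It
implements the one-way MD5 CHAP exchange of RFC 1994, in which
response = MD5(Identifier || Secret || Challenge). DH-CHAP, the variant
named on the slide, builds on this exchange and adds a Diffie-Hellman step
that is not modelled here. The initiator name, shared secrets and
challenge bytes are constructed for the example.
"""
import hashlib
import hmac
import os
import secrets

HOST_A = "iqn.2009-01.example.com:host-a"  # constructed initiator name

# Constructed table of shared secrets held by the target, keyed by CHAP name.
TARGET_SECRETS = {
    HOST_A: b"constructed-secret-for-host-a",
}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: hash over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Target:
    """Storage target: issues challenges and verifies the responses."""

    def __init__(self, secrets_db):
        self.secrets_db = secrets_db
        self.outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        identifier = secrets.randbelow(256)
        chal = os.urandom(16)  # fresh random challenge; a replayed response will not match
        self.outstanding[identifier] = chal
        return identifier, chal

    def verify(self, name, identifier, response):
        chal = self.outstanding.pop(identifier, None)  # each challenge is usable once
        secret = self.secrets_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Initiator:
    """Host HBA or software initiator: answers a challenge with its shared secret."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, chal):
        return chap_response(identifier, self.secret, chal)


def authenticate(target, initiator):
    """One full exchange: Challenge -> Response -> Success/Failure."""
    identifier, chal = target.challenge()
    return target.verify(initiator.name, identifier, initiator.respond(identifier, chal))


def demo():
    target = Target(TARGET_SECRETS)
    legit = Initiator(HOST_A, TARGET_SECRETS[HOST_A])
    # Unauthorized host that presents host A's name but does not know the secret.
    spoofer = Initiator(HOST_A, b"guessed-secret")
    # Replay: a valid response captured from the wire and presented a second time.
    identifier, chal = target.challenge()
    captured = legit.respond(identifier, chal)
    first_use = target.verify(HOST_A, identifier, captured)
    replay = target.verify(HOST_A, identifier, captured)
    return {
        "legitimate": authenticate(target, legit),
        "spoofed_identity": authenticate(target, spoofer),
        "first_use": first_use,
        "replay": replay,
    }
```

The target never sends the secret and discards each challenge after one use, which is what makes a captured response useless to an unauthorized host on the same network; the comparison is done in constant time so that response verification does not leak timing information.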

20 Securing the Application Access Domain
Protecting Data at Rest (Encryption)
• Threats: tampering with data at rest (Integrity); media theft (Availability, Confidentiality)
• Available controls: encryption of data at rest (Technical); data integrity (Technical); data erasure (Technical)
• Examples: storage encryption service; NAS: antivirus and file extension control; CAS: content address; data erasure services
Protecting Storage Infrastructure
• Threats: tampering with data in flight (Integrity); denial of service (Availability); network snooping (Confidentiality)
• Available controls: infrastructure integrity (Technical); storage network encryption (Technical)
• Examples: IP storage: IPSec; Fibre Channel: FC-SP (FC Security Protocol); controlling physical access to the data center

21 Management Access Domain: Threats
(Figure: a storage management platform, reached from a console or CLI over the LAN and from a remote location, manages the storage infrastructure: an FC switch and storage arrays A and B serving a production host. Threats shown: spoofing user identity, elevation of user privilege, spoofing host identity, and an unauthorized host.)

22 Securing the Management Access Domain
Controlling Administrative Access
• Threats: spoofing user/administrator identity (Integrity); elevation of user/administrator privilege (Integrity)
• Available controls: user authentication; user authorization; audit (Administrative, Technical)
• Examples: authentication: two-factor authentication, certificate management; authorization: role-based access control (RBAC); security information and event management
Protecting Management Infrastructure
• Threats: tampering with data (Integrity); denial of service (Availability); network snooping (Confidentiality)
• Available controls: management network encryption (Technical); management access control (Administrative, Technical)
• Examples: SSH, or HTTP over SSL; encrypted links between arrays and hosts; private management network; disable unnecessary network services

23 BURA Domain: Threats
(Figure: a storage array at the local site replicates to a storage array at the DR site over the DR network. Threats shown: an unauthorized host spoofing the DR site identity, and media theft.)

24 Protecting Secondary Storage and Replication Infrastructure
• Threats: spoofing DR site identity (Integrity, Confidentiality); tampering with data (Integrity); network snooping (Integrity, Confidentiality); denial of service (Availability)
• Available controls: primary-to-secondary storage access control (Technical); backup encryption (Technical); replication network encryption (Technical)
• Examples: external storage encryption services; built-in encryption at the software level; secure replication channels (SSL, IPSec)

25 Lesson Summary
Key topics covered in this lesson:
• The three security domains
  • Application
  • Management
  • Backup & Data Storage
• Security threats in each domain
• Security controls

26 Lesson: Security Implementations in Storage Networking
Upon completion of this lesson, you will be able to describe:
• SAN security implementations
  • SAN security architecture
  • Zoning, LUN masking, port binding, ACLs, RBAC, VSAN
• NAS security implementations
  • ACLs and permissions
  • Kerberos
  • Network layer firewalls
• IP-SAN security implementations
  • CHAP, iSNS discovery domains

27 Security Implementation in SAN
• Traditional FC SANs, being isolated, were more secure
• However, the scenario has changed with storage consolidation and larger SAN designs that span multiple sites across the enterprise
• FC-SP (Fibre Channel Security Protocol)
  • Aligns security mechanisms and algorithms between IP and FC interconnects
  • This standard describes guidelines for:
    • Authenticating FC entities
    • Setting up session keys
    • Negotiating parameters required to ensure frame-by-frame integrity and confidentiality

28 SAN Security Architecture – “defense-in-depth”
(Figure: security zones A to G along the path from administrator to storage: A Administrator; Firewall; B LAN; C Access Control - Switch; D Host - Switch; E Switch - Switch/Router; F Distance Extension over the WAN; G Switch - Storage)
Security Zone A: authentication at the management console
(a) Restrict management LAN access to authorized users (lock down MAC addresses)
(b) Implement VPN tunneling for secure remote access to the management LAN
(c) Use two-factor authentication for network access
Security Zone B: block inappropriate or dangerous traffic by
(a) Filtering out addresses that should not be allowed on your LAN
(b) Screening for allowable protocols; block well-known ports that are not in use
Security Zone C: access control at the switch
Authenticate users/administrators of FC switches using RADIUS (Remote Authentication Dial-In User Service), DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol), etc.
Security Zone D: ACLs and zoning; restrict FC access to legitimate hosts by
(a) Implementing ACLs: known HBAs can connect on specific switch ports only
(b) Implementing a secure zoning method such as port zoning (also known as hard zoning)
Security Zone E: protect traffic on your fabric by
(a) Using E_Port authentication
(b) Encrypting the traffic in transit
(c) Implementing FC switch controls and port controls
Security Zone F: implement encryption for in-flight data
(a) FCsec for long-distance FC extension
(b) IPSec for SAN extension via FCIP
Security Zone G: protect the storage arrays on your SAN via
(a) WWPN-based LUN masking
(b) S_ID locking: masking based on source FCID (Fibre Channel ID/Address)

29 Basic SAN Security Mechanism
Security mechanisms in a SAN are implemented in various ways:
• Array-based volume access control
• Security on FC switch ports
• Switch-wide and fabric-wide access control
• Logical partitioning of a fabric: VSAN

30 Array-based Volume Access Control
• LUN masking
  • Filters the list of LUNs that an HBA can access
• S_ID lockdown (EMC Symmetrix arrays)
  • Stronger variant of masking
  • LUN access is restricted to the HBA with the specified 24-bit FC address (Source ID)
• Port zoning
  • A zone member is of the form {Switch_Domain_ID, Port_Number}
  • Mitigates WWPN spoofing attacks and route-based attacks
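To see why the slide ranks port zoning and S_ID lockdown above plain LUN masking, the following added example (not code from the slides or from any array or switch vendor) models the three controls as checks over a fabric login request and evaluates a legitimate host against an unauthorized host that presents the legitimate host's WWPN from a different switch port. Every WWPN, FCID, domain ID, port number and LUN number is constructed, and the FCID layout is simplified.

```python
"""Array-based volume access control: LUN masking, S_ID lockdown and port zoning.

Added example; not code from the slides or from any array or switch vendor.
It models the three controls on the slide as checks over a fabric login
request, to show why WWPN-based LUN masking alone is weaker than port
zoning or S_ID lockdown against a spoofed WWPN. Every WWPN, FCID, domain
ID, port number and LUN number below is constructed, and the FCID layout
is simplified (domain in the top byte, port in the bottom byte, area 0).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    wwpn: str       # identity the HBA claims; software can present any value
    domain_id: int  # switch the HBA is physically attached to
    port: int       # switch port the HBA is physically attached to

    @property
    def fcid(self):
        """24-bit FC address assigned by the switch from the physical port (simplified)."""
        return (self.domain_id << 16) | self.port


HOST_A_WWPN = "10:00:00:00:c9:aa:aa:01"  # constructed
ARRAY_PORT = (1, 12)                      # constructed: switch domain 1, port 12

# Port zoning: members are {Switch_Domain_ID, Port_Number}, not WWPNs.
PORT_ZONES = {"hosta_array": {(1, 3), ARRAY_PORT}}  # host A sits on domain 1, port 3

# LUN masking: WWPNs permitted to see each LUN behind the array port.
LUN_MASK = {5: {HOST_A_WWPN}}

# S_ID lockdown: the single FCID each LUN is locked to (no lock for other LUNs).
SID_LOCKDOWN = {5: Request(HOST_A_WWPN, 1, 3).fcid}


def zoned_with_array(req):
    """True if some port zone contains both the requester's port and the array port."""
    member = (req.domain_id, req.port)
    return any(member in zone and ARRAY_PORT in zone for zone in PORT_ZONES.values())


def lun_masking_allows(req, lun):
    return req.wwpn in LUN_MASK.get(lun, set())


def sid_lockdown_allows(req, lun):
    locked = SID_LOCKDOWN.get(lun)
    return locked is None or locked == req.fcid


def access_decision(req, lun):
    """Evaluate each control separately; access is granted only if all of them pass."""
    checks = {
        "port_zoning": zoned_with_array(req),
        "lun_masking": lun_masking_allows(req, lun),
        "sid_lockdown": sid_lockdown_allows(req, lun),
    }
    checks["allowed"] = all(checks.values())
    return checks


def demo():
    host_a = Request(HOST_A_WWPN, 1, 3)
    # Unauthorized host on another port of the same switch, presenting host A's WWPN.
    spoofer = Request(HOST_A_WWPN, 1, 7)
    return {"host_a": access_decision(host_a, 5), "spoofer": access_decision(spoofer, 5)}
```

In the result, the spoofing host passes the WWPN-based masking check but fails both port zoning and S_ID lockdown, because those two controls key on the physical port and the switch-assigned address rather than on an identity the host chooses for itself.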

31 Security on FC Switch Ports
• Port binding
  • Limits the devices that can attach to a particular switch port
  • A node must be connected to its corresponding switch port for fabric access
  • Mitigates, but does not eliminate, WWPN spoofing
• Port lockdown, port lockout
  • Restricts the type of initialization of a switch port
  • Typical variants include:
    • The port cannot function as an E-Port, so it cannot be used for an ISL, e.g. to a rogue switch
    • The port role is restricted to just FL-Port, F-Port, E-Port, or some combination
• Persistent port disable
  • Prevents a switch port from being enabled, even after a switch reboot

32 Switch-wide and Fabric-wide Access Control
• Access control lists (ACLs); typically implemented policies may include:
  • Device connection control: prevents unauthorized devices (identified by WWPN) from accessing the fabric
  • Switch connection control: prevents unauthorized switches (identified by WWN) from joining the fabric
  • Fabric binding: prevents an unauthorized switch from joining any existing switch in the fabric
• RBAC
  • Specifies which user can have access to which device in a fabric

33 Logical Partitioning of a Fabric: VSAN
(Figure: one physical fabric divided into VSAN 1 - IT, VSAN 2 - Engineering, and VSAN 3 - HR)
• Divides a physical topology into separate logical fabrics
• The administrator allocates switch ports to different VSANs
• A switch port (and the HBA or storage port connected to it) can be in only one VSAN at a time
• Each VSAN has its own distinct active zone set and zones
• Fabric events (e.g. RSCNs) in one VSAN are not propagated to the others
• Role-based management can be on a per-VSAN basis

34 Security Implementation in NAS
• Permissions and ACLs
  • First level of protection
  • Authentication and authorization mechanisms
• Kerberos and directory services
  • Identity verification
• Firewalls
  • Protection from unauthorized access and malicious attacks

35 NAS File Sharing: Windows ACLs
• Types of ACLs
  • Discretionary access control lists (DACL): commonly referred to as the ACL; used to determine access control
  • System access control lists (SACL): determine which accesses need to be audited if auditing is enabled
• Object ownership
  • The object owner has hard-coded rights to that object; these rights do not have to be explicitly granted in the SACL
  • Child objects within a parent object automatically inherit the ACLs
• SIDs
  • ACLs are applied to directory objects
  • The user ID/login ID is a textual representation of the true SID
  • Automatically created when a user or group is created

36 NAS File Sharing: UNIX Permissions
• User
  • A logical entity for the assignment of ownership and operation privileges
  • Can be either a person or a system operation
  • Can be organized into one or more groups
• Permissions tell UNIX what can be done with a file and by whom
• Common permissions: read/write/execute
• Every file and directory (folder) has three sets of access permissions:
  • rights for the file owner
  • rights for the group you belong to
  • rights for all others in the facility
• A file or directory permission string looks like:
  # rwx rwx rwx (Owner, Group, Others)
  where # is d for a directory and - for a file
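The permission string above is the one `ls -l` prints, and reading it is a routine part of reviewing a NAS export. The following added example (not code from the slides) parses that string into its numeric form, including the setuid, setgid and sticky bits that appear as s/S/t/T in the execute positions, and runs the parser over a constructed listing to flag world-writable files and setuid/setgid programs. The listing lines, user names and file names are constructed.

```python
"""Parsing the symbolic permission string shown by ls -l.

Added example; not from the slides. mode_to_octal() converts a mode such as
"drwxr-xr-x" to its numeric form (0o755), including the setuid, setgid and
sticky bits that show up as s/S/t/T in the execute positions, and
audit_listing() applies it to a directory listing to flag entries an
administrator of a NAS export would review: world-writable files and
setuid/setgid programs. The ls -l lines below are constructed.
"""

# Constructed ls -l output: mode, links, owner, group, size, month, day, time, name.
SAMPLE_LISTING = """\
drwxr-xr-x  2 alice  eng    4096 Mar  3 10:12 reports
-rw-r--r--  1 alice  eng    2048 Mar  3 10:13 memo.txt
-rw-rw-rw-  1 bob    eng     512 Mar  4 09:01 shared.csv
-rwsr-xr-x  1 root   root  16384 Jan 10 08:00 backup-tool
drwxrwxrwt  5 root   root   4096 Mar  4 09:30 scratch
"""

# Index in the nine-character string -> special bit: owner x (setuid),
# group x (setgid), others x (sticky).
SPECIAL_BITS = {2: 0o4000, 5: 0o2000, 8: 0o1000}


def mode_to_octal(mode):
    """Convert 'drwxr-xr-x' (or the 9-character 'rwxr-xr-x') to an int such as 0o755."""
    perms = mode[1:] if len(mode) == 10 else mode
    if len(perms) != 9:
        raise ValueError(f"bad mode string: {mode!r}")
    value = 0
    for i, ch in enumerate(perms):
        shift = 6 - 3 * (i // 3)  # owner bits at 6, group at 3, others at 0
        position = i % 3          # 0 = read, 1 = write, 2 = execute
        if ch == "-":
            continue
        if position == 0 and ch == "r":
            value |= 4 << shift
        elif position == 1 and ch == "w":
            value |= 2 << shift
        elif position == 2 and (ch == "x" or ch in ("sS" if i < 8 else "tT")):
            if ch in "xst":       # lowercase: the execute bit itself is set
                value |= 1 << shift
            if ch != "x":         # s/S/t/T: setuid, setgid or sticky as well
                value |= SPECIAL_BITS[i]
        else:
            raise ValueError(f"unexpected {ch!r} at position {i} in {mode!r}")
    return value


def audit_listing(listing):
    """Return (name, finding) pairs for entries worth reviewing."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, _links, owner, _group, _size, _mon, _day, _time, name = line.split(None, 8)
        value = mode_to_octal(mode)
        is_dir = mode[0] == "d"
        # A world-writable directory with the sticky bit (like /tmp) is normal;
        # any other world-writable entry is a finding.
        if value & 0o002 and not (is_dir and value & 0o1000):
            findings.append((name, "world-writable"))
        if value & 0o4000:
            findings.append((name, f"setuid, runs as {owner}"))
        if value & 0o2000:
            findings.append((name, "setgid"))
    return findings
```

On the constructed listing the audit reports `shared.csv` as world-writable and `backup-tool` as a setuid program running as root, while `scratch`, a sticky world-writable directory, is left alone.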

37 Authentication and Authorization
(Figure: a Windows client authenticates to a Windows domain controller running Active Directory (LDAP) and accesses a Windows object on the NAS device whose ACL contains “SID abc deny write” and “SID xyz allow write”; the Windows client's user has SID abc. A UNIX client authenticates as user root through an NIS server and accesses a UNIX object with permissions rwxrwxrwx. Authentication mechanisms shown: Kerberos, CHAP.)
• Authorization
• Windows and UNIX considerations
• Multi-protocol considerations
• Validate DC/NIS connectivity and bandwidth
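The figure's ACL (SID abc denied write, SID xyz allowed write) is only meaningful together with the order in which the DACL is evaluated. The following added example, which is not the slides' or Microsoft's code, reproduces the Windows access-check walk over a DACL in canonical order (explicit deny ACEs before allow ACEs) and shows what happens when that order is not kept. The SIDs are constructed placeholders, except S-1-1-0, the well-known Everyone SID; the access-mask bits are a simplified stand-in for the real mask.

```python
"""Evaluating a Windows-style DACL against the SIDs in a user's token.

Added example; not the slides' or Microsoft's code. It reproduces the order
in which Windows walks a DACL in canonical order (explicit deny ACEs first,
then allow ACEs): an ACE whose SID is not in the token is skipped, a deny ACE
that overlaps any still-unsatisfied requested right fails the check, and
allow ACEs accumulate rights until every requested right is granted. The
ACEs mirror the slide's figure (SID abc denied write, SID xyz allowed write)
with constructed placeholder SIDs; S-1-1-0 is the well-known Everyone SID.
The access-mask bits are a simplified stand-in for the real mask.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4  # simplified access-mask bits (constructed)


@dataclass(frozen=True)
class Ace:
    kind: str  # "deny" or "allow"
    sid: str
    mask: int


# Constructed DACL in canonical order: denies before allows.
DACL = [
    Ace("deny", "S-1-5-21-<placeholder>-abc", WRITE),
    Ace("allow", "S-1-5-21-<placeholder>-xyz", READ | WRITE),
    Ace("allow", "S-1-1-0", READ),  # Everyone may read
]


def is_canonical(dacl):
    """True if no allow ACE precedes a deny ACE."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(dacl, token_sids, requested):
    """Return True if the token is granted every bit in `requested`."""
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0  # an empty DACL, or one with no matching allow, grants nothing


def demo():
    abc = "S-1-5-21-<placeholder>-abc"
    xyz = "S-1-5-21-<placeholder>-xyz"
    everyone = "S-1-1-0"
    return {
        # Member of xyz only: the allow ACE grants write.
        "xyz_write": access_check(DACL, {xyz, everyone}, WRITE),
        # Member of both groups: the deny ACE for abc is reached first and wins.
        "abc_and_xyz_write": access_check(DACL, {abc, xyz, everyone}, WRITE),
        # Member of abc asking only for read: the deny does not overlap, Everyone grants read.
        "abc_read": access_check(DACL, {abc, everyone}, READ),
        # Same ACEs with allows listed before the deny: write is granted before the deny is seen.
        "non_canonical_write": access_check(list(reversed(DACL)), {abc, xyz, everyone}, WRITE),
        "canonical": is_canonical(DACL),
    }
```

The last case is the reason tools that edit ACLs keep deny ACEs ahead of allow ACEs: with the same three entries in the reverse order, a user who is a member of both abc and xyz is granted write before the deny entry is ever examined.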

38 Kerberos
• A network authentication protocol
• Uses secret-key cryptography
• A client can prove its identity to a server (and vice versa) across an insecure network connection
• Kerberos client
  • An entity that gets a service ticket for a Kerberos service
  • A client can be a user or a host
• Kerberos server
  • Refers to the Key Distribution Center
