SAM-2 1
Fortress Model and Defense in Depth
Some revision on
Computer Architecture
SAM-2 2
Revision on Computer Architecture
• Central Processing Unit
– Arithmetic Logic Unit
– Control Unit
• Primary Storage
• Secondary Storage
• Cache Memory
• Paging
SAM-2 3
Revision on Computer Architecture
• Process: a program run in its own address space
• Thread: a piece of a program inside a process for a certain task, often called a lightweight process
• A thread has less overhead than a process: it is faster to create, to switch to, and to destroy
SAM-2 4
Revision on Computer Architecture
• Multi-tasking
– A number of programs can be loaded into a computer’s memory and they would be executed by time-slicing of the CPU
• Multi-processing
– The computer has more than one CPU and can execute more than one program at the same time
SAM-2 5
Revision on Computer Architecture
• Multi-threading
– A style of programming that allows many separate threads of control inside one process. The execution of tasks is easily switched within the process to give more efficient use of the CPU
– Must be supported by the OS
– Improper use can lead to deadlock
SAM-2 6
Revision on Computer Architecture
Virtual Machine
• An environment created by the OS, in which an application can run and behave as if it had an entire machine all to itself. Windows can have multiple applications running in their own separate virtual machines at the same time.
• A problem in one virtual machine would not bring down the whole computer
SAM-2 7
Revision on Computer Architecture
• Operating state of a processor
– Ready state
– Supervisory state
– Problem state
– Wait state
SAM-2 8
Fortress Model
• Watch towers to detect threat
• Protection by:
– Moat
– Outer Wall
– Inner Wall of Keep
• Draw bridge and Gate – controlled access
• Weapons to fight back?
SAM-2 9
Fortress Model for IS
• Give only authorized access
• Set up zones of security
– Defense in depth
– Layer system
• Anyone outside the gate is suspected
• Anyone inside is trusted???
SAM-2 10
Design of Computer to give more security
• Protection rings of CPU or/and OS
• Segmented memory
• File permission
SAM-2 11
Protection Ring
• Protection and access mechanism of CPU
• First developed in Multics
• A ring field in the register is used
• Ring 0 is the most privileged; lower-numbered rings have more privileges than higher-numbered rings
• Multics has 8 rings
SAM-2 12
Protection Rings of Multics
0 1 2 3 4 5 6 7
|_______________| Write Bracket
|______________________________________________| Read Bracket
SAM-2 13
Protection Rings
• They provide strict boundaries and definitions on what the processes that work within each ring can access and what commands they can successfully execute
• A process can access objects within its own ring and other objects in the outer rings
SAM-2 14
Protection Rings
• If a process has to use an object in an inner ring, it has to make a request through the operating system by making a system call
• Inner rings are said to work in the supervisor mode, and outer rings in the user mode
SAM-2 15
Protection Rings
• An x86 CPU can have 4 rings
• Ring 0 – Operating system kernel
• Ring 1 – Remaining part of the operating system
• Ring 2 – I/O drivers and utilities
• Ring 3 – Applications and programs
SAM-2 16
Protection Rings
• Most processors use only two rings:
– Supervisor
– User
• Processes run by the supervisor/kernel are trusted; they can access the device I/O
• Processes run by the users are not trusted; they can only access the device I/O through a system call to the kernel
SAM-2 17
Segmented Memory
• Most current CPUs are multi-tasking
• A number of programs can be loaded into memory first
• The CPU is shared by executing one program at one instant and then switching to another program at another instant
• How to protect the memory space of the processes?
SAM-2 18
Segmented Memory
• Memory is partitioned into segments
• Each segment is created in virtual memory and associated with a process
• Each memory location in a segment is defined by a segment address and an offset address
• Access to a segment is controlled with flags (read, write, execute etc.), according to the access right of the process
SAM-2 19
Segmented Memory
• It provides isolation of memory space of processes
• It protects memory from unauthorized access
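An added example (not from the original slides) of the checks the Protection Rings and Segmented Memory slides describe: translating a segment and offset to an address while enforcing the segment's bounds, its flags, and the rule that a process reaches only its own ring and outer rings. The segment table, field names and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* All names and values here are constructed for this example. */
enum { SEG_R = 1, SEG_W = 2, SEG_X = 4 };          /* access flags */
enum seg_result { SEG_OK, SEG_BAD_SEGMENT, SEG_OUT_OF_BOUNDS,
                  SEG_RING_VIOLATION, SEG_FLAG_VIOLATION };

struct segment {
    uint32_t base;   /* segment address: where the segment starts */
    uint32_t limit;  /* size in bytes; valid offsets are 0..limit-1 */
    unsigned flags;  /* SEG_R | SEG_W | SEG_X */
    unsigned ring;   /* ring of the segment, 0 = most privileged */
};

static const struct segment seg_table[] = {
    { 0x00100000, 0x4000, SEG_R | SEG_X, 0 },  /* 0: kernel code */
    { 0x00400000, 0x2000, SEG_R | SEG_X, 3 },  /* 1: application code */
    { 0x00500000, 0x1000, SEG_R | SEG_W, 3 },  /* 2: application data */
};

/* Translate (seg, offset) for a process running in `ring` that asks for
 * `want` access. On success *phys receives base + offset. */
enum seg_result seg_translate(unsigned ring, size_t seg, uint32_t offset,
                              unsigned want, uint32_t *phys)
{
    if (seg >= sizeof seg_table / sizeof seg_table[0])
        return SEG_BAD_SEGMENT;
    const struct segment *s = &seg_table[seg];
    if (offset >= s->limit)             /* offset must stay inside the segment */
        return SEG_OUT_OF_BOUNDS;
    /* Own ring and outer rings only; an inner-ring segment has to be
     * reached through a system call instead of a direct access. */
    if (s->ring < ring)
        return SEG_RING_VIOLATION;
    if ((s->flags & want) != want)      /* every requested flag must be set */
        return SEG_FLAG_VIOLATION;
    *phys = s->base + offset;
    return SEG_OK;
}

int main(void)
{
    uint32_t phys = 0;
    enum seg_result r = seg_translate(3, 2, 0x10, SEG_W, &phys);
    printf("result=%d phys=0x%08x\n", (int)r, (unsigned)phys);
    return 0;
}
```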
SAM-2 20
File Permission (UNIX)
• Users divided into 3 classes to access files and directories
• User (u)
– The user is the owner of the file, usually the person who created it initially.
• Group (g)
– All users are assigned one or more user groups. Therefore, there is also a group ownership associated with each file.
• Other (o)
– All users other than the owner of the file or a member of the file's group
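An added example (not from the original slides) of how the three classes are applied when a file is opened: exactly one class is selected for the caller, and only that class's read/write/execute bits are consulted. The struct, function names and IDs are constructed for illustration, and the superuser bypass is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Requested access, using the bit values of one rwx triplet. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/* Constructed stand-in for the ownership and mode stored with a file. */
struct file_meta { uid_t owner; gid_t group; mode_t mode; };

/* Select the single class (u, g or o) that applies to the caller. */
char perm_class(const struct file_meta *f, uid_t uid,
                const gid_t *groups, size_t ngroups)
{
    if (uid == f->owner)
        return 'u';
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == f->group)
            return 'g';
    return 'o';
}

/* Classes are not combined: an owner whose own bits deny access is
 * refused even if the group or other bits would allow it. */
bool may_access(const struct file_meta *f, uid_t uid,
                const gid_t *groups, size_t ngroups, unsigned want)
{
    unsigned shift;
    switch (perm_class(f, uid, groups, ngroups)) {
    case 'u': shift = 6; break;   /* bits 8..6 */
    case 'g': shift = 3; break;   /* bits 5..3 */
    default:  shift = 0; break;   /* bits 2..0 */
    }
    return (((unsigned)f->mode >> shift) & want) == want;
}

int main(void)
{
    struct file_meta f = { 1000, 50, 0640 };   /* rw-r----- */
    gid_t groups[] = { 50 };
    printf("group member read:  %d\n", may_access(&f, 1001, groups, 1, WANT_R));
    printf("group member write: %d\n", may_access(&f, 1001, groups, 1, WANT_W));
    return 0;
}
```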
SAM-2 21
Security Controls
Physical
Technical
Administrative
SAM-2 22
Security Controls
SAM-2 23
Protection Rings for Physical Security
• Ring 1 – Areas on the perimeter of the building
• Ring 2 – Immediate area around the building
• Ring 3 – Internal location of the building
• Ring 4 – Human factor
SAM-2 24
Defense in Depth: IT Infrastructure
• Perimeter defense
– Firewall, IDS etc
• Network Infrastructure protection
– Sub-netting, packet filtering
• Host defense
– Authentication, system hardening
• Data Security
– File permission, data encryption
SAM-2 25
Defense in Depth for the Home User
SAM-2 26
Examples of Defense in Depth
• firewalls (more than one between important data and the Internet)
• tripwire for host integrity
• host hardening to shut down unneeded services
• anti-virus protection for email and vulnerable hosts
• preventative scanning for vulnerabilities
SAM-2 27
Administrative Controls
• Clearance and Access Rights
• Segregation of duties
• Mutual checking
• Audit trail
• Username and Password
• Training
• Awareness
SAM-2 28
Security is always an attitude