Date Submitted: 06/18/05
Security Architecture and Models
Added by Papergrl
by: Mitchell Rowton
This article parallels CISSP Domain 6.
Two concepts one needs to know are the security model and the security policy. The security policy outlines several high-level points: how the data is accessed, the amount of security required, and what the steps are when these requirements are not met. The security model is more in depth and supports the security policy. If the security policy says "all public web servers must reside in a DMZ", the security model would specify "TCP ports 80 and 443 should only be allowed through the firewall if their destination is a DMZ off this firewall."

Central Processing Unit (CPU): a processor that contains primary storage, a control unit, and an Arithmetic Logic Unit (ALU).

Control Unit: divides up the CPU's time; it directs who gets which time slices and for how long.

Arithmetic Logic Unit (ALU): the calculator of the computer, performing mathematical functions on the data.

Primary Storage: a temporary storage area for data entering and leaving the CPU.

Random Access Memory (RAM): a temporary holding place for data used by the operating system. It is volatile, meaning that if the power is turned off the data is lost. Two types of RAM are dynamic and static. Dynamic RAM needs to be refreshed from time to time or the data will be lost; static RAM does not need to be refreshed.

Read-Only Memory (ROM): nonvolatile, which means the data is not lost when the computer is turned off; for the most part ROM cannot be altered. ROM is sometimes referred to as firmware.

Erasable Programmable Read-Only Memory (EPROM): nonvolatile like ROM, but EPROM can be altered.

Cache Memory
Memory Mapping
Secondary Storage
Virtual Storage
Paging
Protection Rings
Operating states
A process is a program in its own address space; it communicates with other programs through the operating system. A thread is a piece of a program inside a process.

The Bell-LaPadula Model was developed by the United States military in the 1970s; it provides a framework for handling data of different classifications. This enables users with different access rights or clearances to access data of different classifications on a system. This type of model, which contains different classifications of data, is also known as a multilevel security system. In this system the classification level of the data and the access rights of the users determine how the data is processed, and therefore what data the user is authorized to access. These layers of classification are called a lattice, or the levels of authorized data. Different security classifications of data, or a lattice of data, are also used in mandatory access control (MAC) systems. To regroup, the Bell-LaPadula Model is a multilevel security system using mandatory access controls to grant access to a lattice of data classifications. In the Bell-LaPadula Model, if a user with a top secret clearance requested data which is unclassified, the system would compare the subject's clearance to the security classification of the data and grant this user access. However, if a user with only a secret security clearance requested access to data with a top secret classification, this model would deny the request. In this manner the Bell-LaPadula system guarantees that data from a higher security level can never flow to a lower security level, which is why it is also known as an information flow security model: information or data with a higher classification can never flow to a user with a lower classification level.
While the Bell-LaPadula system does protect data at a higher classification from being accessed by a subject at a lower classification, it also has to be careful not to let a higher classification write to a lower classification. For example, a subject with a top secret clearance receives a top secret e-mail concerning terrorist threats. While no subject with a lesser security level has authority to access this e-mail, we also have to protect against the subject with the top secret clearance moving the highly classified e-mail to a lattice level of lower classification. In essence, we can't let this subject with a top secret clearance e-mail this top secret data to another subject with a secret clearance. Basically, the Bell-LaPadula system, while not allowing subjects in a lower lattice level to read data in a higher level, also cannot allow data in a higher level to be written to a lower level. While this system does address the confidentiality of the data, it does not account for the integrity of this data, which leads us to the Biba model.

The Biba model was developed after the Bell-LaPadula model with a different interest in mind. While the Bell-LaPadula model does a wonderful job of guaranteeing the confidentiality of data for organizations that care most about confidentiality, as stated before, it does not address the integrity of this data. To compare these two systems, remember that Bell-LaPadula follows two simple rules. Rule number one: a subject with a lower classification cannot read data at a higher classification. Rule number two: a subject with a higher classification cannot write data to a lower classification, thus ensuring the confidentiality, or secrecy, of the data. The Biba system, in contrast, takes a different approach with two different rules designed to ensure the integrity of the data. Rule number one: a subject with a lower classification cannot write data to a higher classification.
Rule number two: a subject with a higher classification cannot read data from a lower classification. These different sets of rules seem confusing at first glance, but imagine this example. Terrorists have bombed a US embassy in another country, and you are a reporter covering this news for CNN™, trying to find out how much it will cost to repair the damage. You would not want to get this information from just any source. You wouldn't want to ask the terrorists who did the bombing, because they may say that they destroyed the entire embassy and it will cost millions of dollars to rebuild. Instead you may ask the building architect of the embassy how much damage was done and how much it would cost to repair. In this example the reporter for CNN™ has a higher integrity classification than the terrorist. Thus the reporter should not read information from this terrorist with a lower clearance, and the terrorist with a lower clearance should not write data to a higher classification, that is, give this data to the reporter. The Biba model is also an information flow security model because, like the Bell-LaPadula model, it deals with the flow of information through different classifications.

The Clark-Wilson Model was developed after the Biba model and also ensures integrity. The Clark-Wilson Model utilizes separation of duties to ensure that authorized users do not make unauthorized changes to data. In this way tasks are divided into different parts, and different subjects each do different parts. Oftentimes subjects under the Clark-Wilson Model cannot access data directly but must instead go through a program or other third party, which helps to ensure the subject has the proper classification. We will use the same example as above with the CNN™ reporter. In this example the task of covering the terrorist bombing is separated into two areas and assigned to two reporters.
One reporter is assigned the task of deciding where to get the information (from the terrorist or the building architect), and the other reporter is tasked with interviewing and questioning that person. If the first reporter mistakenly decides to use the terrorist, who has a lower integrity level, for the interview, then the second reporter, assigned to interview this person, can see this error and decide not to interview the terrorist because the terrorist has a lower integrity level. In this example, separating the task into two different duties and then assigning the duties to two different reporters helps ensure that the integrity classifications are not violated. Another example of the Clark-Wilson Model, using software as a way of authenticating the user's access, involves a database with all trusted CNN™ contacts in it. In this case the reporter assigned to investigate the bombing must check the database to make sure that his contact is trustworthy. The terrorist of course would not be in this database, but the building architect would be, thus ensuring that the overall duty is separated and not the sole responsibility of one reporter. To recap, the Clark-Wilson Model ensures integrity by utilizing separation of duties, oftentimes using software so that subjects cannot make decisions or access data directly. The Clark-Wilson Model is also an information flow security model because it deals with the flow of information through different classifications, like Bell-LaPadula and Biba.
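The Bell-LaPadula and Biba rules above, as an added worked example (not code from the original article): a linear lattice with the two read/write checks of each model, run over the article's own cases. The level names and the reporter/architect/terrorist integrity values are constructed for illustration.

```python
"""Lattice access checks for the Bell-LaPadula and Biba rules described
above.  Added example, not from the original article; the level names and
the reporter/architect/terrorist integrity values are constructed."""
from enum import IntEnum


class Classification(IntEnum):
    """Linear confidentiality lattice: higher value = more sensitive."""
    UNCLASSIFIED = 0
    SECRET = 2
    TOP_SECRET = 3


# Constructed integrity lattice for the article's CNN example (higher = more trusted).
INTEGRITY = {"terrorist": 0, "reporter": 2, "architect": 3}


def blp_allows(subject: int, obj: int, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj      # simple security property
    if op == "write":
        return subject <= obj      # *-property: data only flows upward
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: int, obj: int, op: str) -> bool:
    """Biba (integrity): no read down, no write up, the mirror image of BLP."""
    if op == "read":
        return subject <= obj      # simple integrity property
    if op == "write":
        return subject >= obj      # integrity *-property
    raise ValueError(f"unknown operation: {op}")


def verdict(model, subject: int, obj: int, op: str) -> str:
    return "GRANT" if model(subject, obj, op) else "DENY"


if __name__ == "__main__":
    C, I = Classification, INTEGRITY
    # The article's BLP cases: TS reads UNCLASSIFIED, SECRET reads TS,
    # and a TS subject e-mailing (writing) TS data to a SECRET reader.
    print("BLP read down :", verdict(blp_allows, C.TOP_SECRET, C.UNCLASSIFIED, "read"))
    print("BLP read up   :", verdict(blp_allows, C.SECRET, C.TOP_SECRET, "read"))
    print("BLP write down:", verdict(blp_allows, C.TOP_SECRET, C.SECRET, "write"))
    # Biba: the reporter may read from the architect but not from the terrorist.
    print("Biba read down:", verdict(biba_allows, I["reporter"], I["terrorist"], "read"))
    print("Biba read up  :", verdict(biba_allows, I["reporter"], I["architect"], "read"))
    print("Biba write up :", verdict(biba_allows, I["terrorist"], I["reporter"], "write"))
```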
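The Clark-Wilson two-reporter example above, as an added illustration (not code from the original article): subjects reach the story only through two transformation procedures, access triples say who may run which one, a separation-of-duties check stops the reporter who chose the source from also interviewing, and the trusted-contact database rejects the untrusted source. The TP names, access triples and database contents are constructed.

```python
"""Clark-Wilson style mediation for the article's two-reporter example.
Added example, not from the original article; the TP names, the access
triples and the trusted-contact database contents are constructed."""

# Constrained data item standing in for the trusted-contact database.
TRUSTED_CONTACTS = {"building architect"}

# Access triples (user, transformation procedure, CDI): a user may touch a
# CDI only through a certified TP that one of these triples permits.
ACCESS_TRIPLES = {
    ("reporter_a", "choose_source", "story"),
    ("reporter_b", "choose_source", "story"),
    ("reporter_b", "interview", "story"),
}


def tp_allowed(user: str, tp: str, cdi: str) -> bool:
    return (user, tp, cdi) in ACCESS_TRIPLES


def choose_source(user: str, source: str, story: dict) -> dict:
    """TP 1: pick the source; records who chose it for the SoD check."""
    if not tp_allowed(user, "choose_source", "story"):
        raise PermissionError(f"{user} may not run choose_source")
    story.update(source=source, chosen_by=user)
    return story


def interview(user: str, story: dict) -> dict:
    """TP 2: a different user must run it, and the source must be in the
    trusted-contact database before the interview goes ahead."""
    if not tp_allowed(user, "interview", "story"):
        raise PermissionError(f"{user} may not run interview")
    if story.get("chosen_by") == user:
        raise PermissionError("separation of duties: chooser may not interview")
    if story.get("source") not in TRUSTED_CONTACTS:
        story["status"] = "rejected: untrusted source"
    else:
        story["status"] = "interview scheduled"
    return story


def cover_story(chooser: str, interviewer: str, source: str) -> dict:
    """Run both TPs in order on a fresh story CDI."""
    return interview(interviewer, choose_source(chooser, source, {}))


if __name__ == "__main__":
    print(cover_story("reporter_a", "reporter_b", "terrorist"))
    print(cover_story("reporter_a", "reporter_b", "building architect"))
```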
Security Modes of Operation describe the security state of a system as it is actually operating; there are four modes of security operation.