Advanced Operating Systems, CSci555

advertisement
Security Systems
Lecture notes
Drs. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
1
CSci530: Security Systems
Lecture 1 – August 27, 2004
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
2
Administration
 Class
home page
http://ccss.isi.edu/CSci530.html
(or http://530.cliffordneuman.com)
– Preliminary Syllabus
– Assigned Readings
– Lecture notes
– Assignments
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
3
Who gets in
 Class
size is 120 students
– Main room holds 70
 50
will view from overflow room or through
webcast.
– Currently waiting list of about 30
 Most
will likely get in
 You must have given your name to the CS
department for addition to the waiting list, or
send mail to csci530@usc.edu.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
4
Structure of lecture
 Classes
from 9:00 AM – 11:50 AM
– 10-15 minute break halfway through
– Final 15 minutes for discussion of current
events in security.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
5
Administration
 Class
e-mail: csci530@usc.edu
 Instructors
– Dr. Clifford Neuman
– Office hours Friday 1:30-2:30
 TAs
– Ho Chung
– Office hours Tuesday 9:00 - Noon
– Second TA to be determined
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
6
Administration
 A separate
1 unit lab class is available
as a CS590 Advanced Security
Systems
http://www-scf.usc.edu/~csci590
– Provides hands on experience with
systems discussed in class.
– Developed jointly with this class.
– May take concurrently, or in subsequent
semester.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
7
Administration
 Grading
– Reading reports: 5,5,5
– Exams: 25,25
– Research paper, 35
– Class participation (up to 15% bonus)
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
8
Blackboard

Using the DEN Blackboard system
– Go to http://den.usc.edu
– Click “for on campus students”
– Follow the instructions to obtain your Blackboard
password for the DEN site.
– Contact webclass@usc.edu if you have difficulty
gaining access to the system.

Experimental interactive features for
discussion will be added within a couple
weeks.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
9
Class Participation

This is a large class, but I will promote discussion
as if it were smaller.
– Class participation is important.
Either by asking or answering questions in class.
 Or by asking, answering, and participating in discussion online.

– Bonus for class participation

If I don’t remember who you are from lecture or office hours,
then I go back and look at participation in the web forums, and
what kinds of participation.
– Did you ask good questions.
– Did you provide good answers to others that did not duplicate
earlier answers.
– Did you make good points in discussions.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
10
What is security

System, Network, Data
– What do we want to protect
– From what perspective

How to evaluate
– Balance costs to protect with costs of compromise
– Balance costs to compromise with benefit to attacker.

Security vs. Risk Management
– Prevent successful attacks vs. mitigate the consequences.

It’s not all technical
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
11
Why we aren’t secure
 Buggy
code
 Protocols design failures
 Weak crypto
 Social engineering
 Insider threats
 Poor configuration
 Incorrect policy specification
 Stolen keys or identities
 Denial of service
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
12
What do we want from security

Confidentiality
– Prevent unauthorized disclosure

Integrity
– Authenticity of document
– That it hasn’t changes

Availability
– That the system continues to operate
– That the system and data is reachable and readable.

Enforcement of policies
– Privacy
– Accountability and audit
– Payment
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
13
The role of policy in security architecture
Policy – Defines what is allowed and how the system
and security mechanisms should act.
Enforced By
Mechanism – Provides protection
interprets/evaluates
(firewalls, ID, access control, confidentiality, integrity)
Implemented as:
Software: which must be implemented correctly and
according to sound software engineering principles.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
14
Security Mechanisms
 Encryption
 Virtual
Private Nets
 Checksums
 Intrusion detection
 Key management  Intrusion response
 Authentication
 Development tools
 Authorization
 Virus Scanners
 Accounting
 Policy managers
 Firewalls
 Trusted hardware
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
15
Today’s security deployment
 Most
of the deployment of security services today
handles the easy stuff, implementing security at a
single point in the network, or at a single layer in the
protocol stack:
– Firewalls, VPN’s
– IPSec
– SSL
 Unfortunately,
security isn’t that easy. It must be
better integrated with the application.
– At the level at which it must ultimately be specified, security
policies pertain to application level objects, and identify
application level entities (users).
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
16
Security Systems vs Systems Security
INTRUSION
DETECTION
UNDER
ATTACK
Firewalls
Integration of dynamic security services
creates feedback path enabling effective
response to attacks
POLICY
Web Servers
Databases
IPSec
EACL
GAA API
Authentication
…
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
SECURITY
AUDIT
RECORDS
Fall 2003
17
Current event – What is security relevant here
From: Copyright_Compliance@usc.edu
Date: August 26, 2004
Subject: Copyright Compliance Notice
Dear Student:
This e-mail is being sent to all students at USC to make sure that they have
the same information about copyright compliance.
…
Furthermore, infringing conduct exposes the infringer to serious legal
penalties. In response to the growth of infringement through P2P networks, the
recording and motion picture industries have increased their efforts to
identify and stop those who download unauthorized music and video files.
Organizations such as the Recording Industry Association of America (RIAA) and
the Motion Picture Association of America (MPAA) can and do monitor P2P users,
obtaining "snapshots" of the users' Internet protocol addresses, the files they
are downloading or uploading from their P2P directories, the time that
downloading occurs, and the Internet service provider (ISP) through
which the files travel. (Gathering this information is not a violation of the
users' privacy rights, because the user has voluntarily made his or her P2P
directory available for public file sharing.)
…
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Fall 2003
18
Download