Cissp Security Architecture

The document summarizes key concepts in security architecture and design for CISSP certification. It covers system components like CPU, storage, and peripherals. It also discusses operating system architecture, security models, evaluation methods, and certification/accreditation processes. The presentation aims to ensure attendees understand how to securely design and implement IT infrastructure.


IT Networks and Security & CERIAS
CISSP Luncheon Series

Security Architecture and Design

Presented by Rob Stanfield


Domain Overview

▪ Identify key principles and concepts critical to securing the infrastructure
• Design
• Implementation
• Operation
▪ Ensure security from a hardware/software level
• Operating Systems
• Applications
• Equipment
• Networks
CISSP Expectations

▪ Identify physical components of IT architecture
▪ Understand software relationships
▪ Understand design principles for the architecture
▪ Describe how to secure an enterprise
▪ Identify trusted and untrusted components
▪ Discuss security models and architecture theory
▪ Identify appropriate protection mechanisms
▪ Discuss evaluation methods and criteria
▪ Understand the role of assurance evaluations
▪ Explain certification and accreditation
▪ Identify techniques used to provide system security
System Architecture

Three basic components

CPU – Central Processing Unit
Storage Devices – includes both long- and short-term storage, such as memory and disk
Peripherals – includes both input and output devices, such as keyboards and printers
CPU – Computer Brain

▪ ALU – Arithmetic Logic Unit
▪ Control Unit
▪ Registers
• General and special registers
▪ Bus
• Address and data
▪ Privileged mode or user mode
▪ Multiprocessor – symmetric or asymmetric

CPU Example (diagram)
Storage Devices

Primary Storage
• Cache or registers
• Memory (RAM, ROM, Cache, Flash)
Secondary Storage
• Disk
• CD or Tape
Virtual Memory

Memory (diagram)
Peripherals or I/O Devices

Some examples are
• Monitor
• Keyboard
• Printers

Basic Components Diagram
Operating System Architecture

▪ An Operating System provides an environment to run applications
▪ Process Management for all processes
• Process – a program in execution: its instructions plus the information and resources needed to run it
▪ Multitasking – cooperative (a process yields the CPU voluntarily) or preemptive (the OS scheduler takes the CPU away)
▪ Process State – running, ready, blocked
Application Programs

▪ Applications interact with the operating system to perform a task
▪ Each application is a process
▪ Applications run in user mode
▪ Threads
▪ Other applications
• Firmware and Middleware

Protection Rings (diagram)
Security Models

▪ Security Policy – documents the security requirements for an organization
▪ Security Model – formally outlines the requirements needed to support the security policy, and how authorization is enforced
▪ Reference Monitor – abstract machine that mediates every access by a subject to an object and provides auditable access control; it must be tamperproof, always invoked and small enough to be verified
▪ Trusted Computing Base (TCB) – the hardware, firmware and software that together enforce the security policy; the reference monitor concept is implemented by the TCB's security kernel
Security Model Examples

▪ Biba Integrity Model
▪ Bell-LaPadula Confidentiality Model
▪ Clark-Wilson Integrity Model
▪ Brewer and Nash Model
▪ Others
• State Machine Model
• Non-Interference Model
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model
Bell-LaPadula Confidentiality Model

▪ Subject-to-object model
• Defines which objects a subject is able to access
▪ Used to provide confidentiality
▪ 3 main rules used and enforced
• Simple security rule (no read up)
» Subject cannot read data at a higher level
• The *-property rule (no write down)
» Subject cannot write data to a lower level
• Strong star property rule
» Subject with read/write – only at the same level
Biba Integrity Model

▪ Similar in structure to the Bell-LaPadula Model
▪ First model to address integrity
• This is the key difference between Biba and Bell-LaPadula: Biba protects integrity, Bell-LaPadula protects confidentiality
▪ Two main rules used and enforced
• *-integrity axiom (no write up)
» Subject cannot write data to objects at a higher integrity level
• Simple integrity axiom (no read down)
» Subject cannot read data from a lower integrity level
▪ Biba and BLP are information flow models
• Concerned with data flowing up or down levels
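The reference monitor, Bell-LaPadula and Biba slides above describe the rules in words; the following is an added example (not part of the original slides) that applies both models to every access through a single mediation point and records an auditable trail. The level names, the subject and the objects are constructed for illustration, and the levels are totally ordered; a real lattice would also carry compartments.

```python
# Added example (not from the slides): a toy reference monitor that applies the
# Bell-LaPadula confidentiality rules and the Biba integrity rules to every
# access. Levels, subjects and objects are constructed for illustration.
from dataclasses import dataclass

# Confidentiality levels, lowest to highest sensitivity (Bell-LaPadula).
SENSITIVITY = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
# Integrity levels, lowest to highest trustworthiness (Biba).
INTEGRITY = ("UNTRUSTED", "USER", "SYSTEM")
S_RANK = {name: i for i, name in enumerate(SENSITIVITY)}
I_RANK = {name: i for i, name in enumerate(INTEGRITY)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # Bell-LaPadula level
    integrity: str   # Biba level


@dataclass(frozen=True)
class Object:
    name: str
    classification: str
    integrity: str


def blp_allows(subject: Subject, obj: Object, mode: str, strong: bool = False) -> bool:
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down). With strong=True the strong *-property applies and a
    subject may write only at its own level."""
    s, o = S_RANK[subject.clearance], S_RANK[obj.classification]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s == o if strong else s <= o
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(subject: Subject, obj: Object, mode: str) -> bool:
    """Biba: simple integrity axiom (no read down) and *-integrity axiom
    (no write up): information may only flow from higher to lower integrity."""
    s, o = I_RANK[subject.integrity], I_RANK[obj.integrity]
    if mode == "read":
        return s <= o
    if mode == "write":
        return s >= o
    raise ValueError(f"unknown access mode {mode!r}")


class ReferenceMonitor:
    """Single mediation point: every access goes through access(), both models
    must agree, and every decision is recorded so the trail can be audited."""

    def __init__(self) -> None:
        self.audit: list[tuple[str, str, str, str]] = []

    def access(self, subject: Subject, obj: Object, mode: str) -> bool:
        allowed = blp_allows(subject, obj, mode) and biba_allows(subject, obj, mode)
        self.audit.append((subject.name, obj.name, mode, "ALLOW" if allowed else "DENY"))
        return allowed


def demo() -> list[tuple[str, str, str, str]]:
    """Run a handful of constructed requests and return the audit trail."""
    rm = ReferenceMonitor()
    analyst = Subject("analyst", clearance="SECRET", integrity="USER")
    war_plan = Object("war-plan", classification="TOP_SECRET", integrity="SYSTEM")
    report = Object("report", classification="SECRET", integrity="USER")
    press = Object("press-release", classification="UNCLASSIFIED", integrity="USER")
    rm.access(analyst, war_plan, "read")    # DENY: read up (BLP)
    rm.access(analyst, war_plan, "write")   # DENY: BLP permits write up, Biba forbids it
    rm.access(analyst, report, "write")     # ALLOW: same level under both models
    rm.access(analyst, press, "read")       # ALLOW: read down is fine for confidentiality
    rm.access(analyst, press, "write")      # DENY: write down (BLP)
    return rm.audit


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

The second request in demo() is the one worth studying: Bell-LaPadula on its own would let a SECRET subject write into a TOP_SECRET object (write up never leaks), but that same write is a low-integrity subject modifying high-integrity data, so Biba refuses it. Layering the two models is how a system gets both confidentiality and integrity, and the audit list is what makes the monitor's decisions reviewable.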
Clark-Wilson Model

▪ Addresses all 3 integrity goals
• Prevent unauthorized users from making modifications
• Prevent authorized users from making improper modifications (separation of duties)
• Maintain internal/external consistency (well-formed transaction)
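The three Clark-Wilson goals map onto concrete mechanisms: certification of which users may run which transformation procedures, separation of duties, and an integrity verification procedure run around every well-formed transaction. The following added example (not part of the original slides) shows all three on a toy ledger; the users, accounts, amounts and the certified (user, TP) pairs are constructed for illustration.

```python
# Added example (not from the slides): Clark-Wilson enforcement over a toy
# ledger. Users, accounts, the certified (user, TP) pairs and the amounts are
# all constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Ledger:
    """Constrained Data Items (CDIs): account balances that must stay
    non-negative and sum to the certified total."""
    balances: dict[str, int]
    certified_total: int
    log: list[tuple] = field(default_factory=list)


def ivp(ledger: Ledger) -> bool:
    """Integrity Verification Procedure: internal consistency (no negative
    balance) and external consistency (books match the certified total)."""
    return (all(b >= 0 for b in ledger.balances.values())
            and sum(ledger.balances.values()) == ledger.certified_total)


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """Transformation Procedure: the only way to change balances. It validates
    its inputs and moves the CDIs from one valid state to another."""
    if amount <= 0 or src == dst or src not in ledger.balances or dst not in ledger.balances:
        raise ValueError("malformed transfer")
    if ledger.balances[src] < amount:
        raise ValueError("insufficient funds")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


# Certification rules: which (user, TP) pairs an independent certifier has
# approved. The CDIs a TP may touch are fixed by the TP itself.
CERTIFIED = {("clerk", "transfer"), ("manager", "transfer")}
TPS: dict[str, Callable[..., None]] = {"transfer": tp_transfer}


def run_tp(ledger: Ledger, user: str, tp_name: str, *args) -> bool:
    """Enforcement rules: only certified (user, TP) pairs may run; the TP is
    atomic (rolled back if it raises or leaves the IVP failing); every attempt
    is logged. Returns True when the CDIs were changed."""
    if (user, tp_name) not in CERTIFIED:
        ledger.log.append((user, tp_name, args, "DENY: not certified"))
        return False
    snapshot = dict(ledger.balances)
    try:
        TPS[tp_name](ledger, *args)
        if not ivp(ledger):
            raise ValueError("IVP failed after TP")
    except ValueError as exc:
        ledger.balances = snapshot          # all-or-nothing
        ledger.log.append((user, tp_name, args, f"ROLLBACK: {exc}"))
        return False
    ledger.log.append((user, tp_name, args, "OK"))
    return True


def post_with_approval(ledger: Ledger, submitter: str, approver: str,
                       src: str, dst: str, amount: int) -> bool:
    """Separation of duties: the person who submits a transfer may not be the
    person who approves it, and the approver must be certified for the TP."""
    if submitter == approver or (approver, "transfer") not in CERTIFIED:
        ledger.log.append((submitter, "approve", (approver, src, dst, amount),
                           "DENY: separation of duties"))
        return False
    return run_tp(ledger, submitter, "transfer", src, dst, amount)


if __name__ == "__main__":
    books = Ledger({"ops": 100, "payroll": 50}, certified_total=150)
    run_tp(books, "intern", "transfer", "ops", "payroll", 1)      # unauthorized user
    run_tp(books, "clerk", "transfer", "ops", "payroll", 500)     # authorized, improper
    post_with_approval(books, "clerk", "manager", "ops", "payroll", 30)
    for entry in books.log:
        print(*entry)
```

Note that the subject never touches the balances directly: the only path to a CDI is through a certified TP, which is what keeps an authorized clerk from making an improper change (the overdraft is rolled back and logged) and an uncertified intern from making any change at all.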
Other Models

▪ Non-interference model – Actions at a higher level (domain) cannot interfere with, or be observed from, actions at a lower level.
▪ State machine model – Abstract mathematical model that uses state variables to represent the system state. A state machine that fails should fail into a secure state.
▪ Graham-Denning Model – Uses eight basic protection rules (creating and deleting subjects and objects; reading, granting, deleting and transferring access rights).
▪ Brewer and Nash Model (Chinese Wall Model) – Allows for dynamically changing access controls to protect against conflicts of interest
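"Dynamically changing access controls" is the distinctive feature of Brewer and Nash: a subject's rights depend on what that subject has already read. The following added example (not part of the original slides) shows the wall going up on first access; the company names and conflict-of-interest classes are constructed, and the write rule is the simplified form that treats all company data as unsanitized.

```python
# Added example (not from the slides): Brewer and Nash (Chinese Wall) access
# control. Companies and conflict-of-interest classes are constructed.
from collections import defaultdict

# Each company dataset belongs to exactly one conflict-of-interest (COI) class.
COI_CLASS = {
    "BankA": "banking", "BankB": "banking",
    "OilX": "oil", "OilY": "oil",
}


class ChineseWall:
    """Access rights are not fixed up front: the wall for a subject goes up
    the moment that subject reads a company's data, and it then blocks every
    competitor in the same COI class."""

    def __init__(self) -> None:
        self.history: dict[str, set[str]] = defaultdict(set)

    def can_read(self, subject: str, company: str) -> bool:
        """Simple security rule: a read is allowed only if every company the
        subject has already read is either this company or in a different
        COI class."""
        coi = COI_CLASS[company]
        return all(seen == company or COI_CLASS[seen] != coi
                   for seen in self.history[subject])

    def read(self, subject: str, company: str) -> bool:
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)   # the wall moves with this read
        return True

    def can_write(self, subject: str, company: str) -> bool:
        """*-property: writing to a company's data is allowed only if the
        subject has read nothing but that company's data; otherwise the
        subject could carry data across the wall (A's secrets into B's files).
        Simplified: no notion of sanitized, public data."""
        return all(seen == company for seen in self.history[subject])


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("alice", "BankA"))          # True: no history yet
    print(wall.read("alice", "BankB"))          # False: competitor of BankA
    print(wall.read("alice", "OilX"))           # True: different COI class
    print(wall.can_write("alice", "BankA"))     # False: she has also read OilX
```

Two consultants with identical job roles can end up with different permissions under this model purely because of the order in which they opened files, which is why the slide calls the controls dynamic. The write rule is stricter than it first looks: once a subject has read from two different companies, it can write to neither.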
Evaluation Methods and Criteria

▪ Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") – addresses confidentiality only
• A Verified Protection
» A1 Verified Design
• B Mandatory Protection
» B3 Security Domains
» B2 Structured Protection
» B1 Labeled Security Protection
• C Discretionary Protection
» C2 Controlled Access Protection
» C1 Discretionary Security Protection
• D Minimal Protection
▪ Others are ITSEC, SEI
▪ Common Criteria (ISO/IEC 15408) based on TCSEC & ITSEC
• Evaluation Assurance Levels (EAL 1 – 7)
Certification and Accreditation

▪ These are distinct steps
• Certification relates to technical validation of the system
» Security modes of operation
» Data sensitivity handling procedures
» System and facility configuration
» Intercommunication with other systems
• Accreditation relates to management evaluation once the certification process is complete. Does the system meet the needs of the business while satisfying the security needs?