Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Commercial products have been developed supporting MAC. These products are used in some of the most security-sensitive sites that can be found. There also are some interesting formal properties that can be derived from MAC. For example, you can show that MAC is resistant to Trojan Horse attacks. Only a few of the products discussed in this book offer MAC capabilities, though. One reason is that developing software that runs on top of MAC-enabled operating systems is difficult, as is implementing the product so that it truly follows the MAC model. Still, you can find firewalls and Web servers designed to run on operating systems supporting MAC.

Access control is one of the most important components of the security policy. However, how do you know whether your access control rules have been entered correctly? Did you consider all of the possibilities? Is the reference monitor implementation working as designed, or did the vendor make some mistakes? To verify that the system is behaving correctly, you need to monitor or audit all of the security-relevant decisions being made by the TCB.

Auditing

The security model needs one other addition to complete the picture. Auditing is a trusted mechanism, a part of the TCB, that the reference monitor invokes to keep a log of its activities. Information logged by the reference monitor should include the subject and object identifiers, the access right requested, the date and time, and the result of the reference request (success or failure). Audit records should be stored in a manner that ensures trustworthiness.

Most operating systems provide an audit subsystem that is at least capable of logging every file accessed by a user. Because many other subjects and objects exist in an operating system, the auditing mechanism is also responsible for recording events such as starting a program, ending a program, rebooting a system, adding a user, changing a password, and attaching a new disk drive. A number of different logs are maintained by an operating system, but not all of them contain sufficient information to accurately identify the subjects, objects, and access requests. If you expect to be able to assign accountability for system activities, a complete record describing each access control decision is needed.


TIP:  Only by actively auditing a system will you know that the intended security policy is correctly entered and enforced. Intrusion detection is based on this simple requirement. If you do not monitor systems and networks, you cannot detect intruders or misuse by insiders.


TIP:  Auditing has always been recognized as an important part of the classic security model. Intrusion detection improves upon the traditional notion of auditing by helping you look for known attack scenarios, combinations of suspicious activities, and patterns of events that attempt to identify malicious behavior.

Auditing is important for another reason. Remember that the security policy at your site is implemented using a security model. A number of different products, with different reference monitors, participate to accomplish this task. Stating your security policy completely is extremely difficult, as is being sure that you have entered the policy into the computer products correctly.

A typical operating system is composed of several thousand files. Designing the access control rules for an operating system is exceedingly complex. History has shown that vendors have not always been successful at doing this. You are certain to encounter similar problems when entering your security policy into different products or parts of the same product. Auditing and monitoring can help you identify where you have made mistakes and can complete the feedback loop for improving your security.

To summarize, the classic security model consists of the following:

  Subjects and objects
  An authorization database describing how subjects can access objects
  A reference monitor that regulates any attempt by subjects to access objects
  A trusted subsystem for identifying and authenticating the subjects and objects
  A trusted subsystem for auditing the activities of the reference monitor

For each of the products you have at your site, you should be able to recognize each of these components in the security models they implement. When you do, you’ll be able to see what a product can do for you and what it cannot.
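The following is an added illustration, not code from the book, of how the five components above fit together: an in-memory authorization database, a reference monitor that mediates each request, and an audit log that records the subject, object, access right, time and result of every decision. The log is hash-chained so that an edited record is detectable, one way to meet the text's requirement that audit records be stored trustworthily. All subject names, object paths and rights are constructed sample data.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Authorization database: (subject, object) -> granted access rights (constructed sample).
AUTHZ_DB: dict[tuple[str, str], set[str]] = {
    ("alice", "/home/alice/notes.txt"): {"read", "write"},
    ("bob", "/home/alice/notes.txt"): {"read"},
    ("alice", "/etc/passwd"): {"read"},
}

@dataclass(frozen=True)
class AuditRecord:
    """Subject, object, access right, time and result, plus a chain hash."""
    subject: str
    obj: str
    access_right: str
    timestamp: str
    result: str     # "success" or "failure"
    prev_hash: str  # digest of the previous record (tamper evidence)
    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

@dataclass
class ReferenceMonitor:
    authz_db: dict[tuple[str, str], set[str]]
    audit_log: list[AuditRecord] = field(default_factory=list)
    def check_access(self, subject: str, obj: str, right: str) -> bool:
        """Mediate one request; the decision is logged before it is returned."""
        granted = right in self.authz_db.get((subject, obj), set())
        prev = self.audit_log[-1].digest() if self.audit_log else "0" * 64
        self.audit_log.append(AuditRecord(
            subject, obj, right, datetime.now(timezone.utc).isoformat(),
            "success" if granted else "failure", prev))
        return granted

def verify_chain(log: list[AuditRecord]) -> bool:
    """True if each record's prev_hash matches its predecessor's digest. An edited
    record breaks every later link; store the newest digest out of band to cover the tail."""
    expected = "0" * 64
    for rec in log:
        if rec.prev_hash != expected:
            return False
        expected = rec.digest()
    return True

def failed_attempts(log: list[AuditRecord]) -> list[AuditRecord]:
    return [r for r in log if r.result == "failure"]  # the feedback loop: denied requests
```

Reviewing `failed_attempts` output is the simplest form of the feedback loop the text describes: a denial for a subject who should have had access points to a policy entry mistake, and a denial for an unknown subject points to probing.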

Classifying Security Products with a Nod to Intrusion Detection

Previous sections have emphasized how complex a secure computing environment can be. This environment may contain many products, each implementing some security model, each with strengths and weaknesses, and all communicating with each other. Information flowing between security components is subject to attack just as the underlying product implementations are.

If you deploy different security products at a site, what kinds of roles do they play? What are the boundaries within which they exercise control? What relative value do different products bring? To answer these questions, products are broadly grouped into the following four complementary categories: I&A, access control, scanners, and intrusion detection.

Identification and Authentication

Identification and authentication products are designed to improve the existing I&A facilities you are currently using. Using the same password for years on end is a bad idea. In general, reusable passwords are threatened by people who watch network traffic or try to guess passwords. Plenty of other threats also exist and will be discussed in the next chapter. I&A can be improved with products that do not rely on reusable passwords—products that require the user to have something such as a smart card or products that require the user to know something that might be supplied by a smart card. Some products also operate based on something you are, such as fingerprint scanners.

Access Control

A number of products are offered to enhance the way information access is controlled. Most of the products improve on limitations of out-of-the-box versions of operating systems. However, firewalls also can be thought of as providing access control functions. Access control products work precisely as described previously in this chapter. Subjects, objects, and access rights are defined. A reference monitor is implemented to control access requests. What feature is an access control product missing? Access control products do not necessarily tell you whether the security policy has been entered correctly. To know whether you have made any mistakes, you can either scan the configuration occasionally or monitor the system for problems.
