Wayne State University School of Medicine

WSU Medical School Information Systems Department Network Security Information

Network Security

Some Security Concepts

Security requirements for a computer system differ depending on the application: electronic funds transfer, reservation systems and control systems all have different demands.

The amount of money the owners of a system are willing to spend on maintaining security also varies. There are no absolutely secure systems and no absolutely reliable systems. Instead, security can be measured on a continuous scale from 0 to 1, from completely insecure to totally secure. Intuitively, a "secure system" is one where an intruder has to spend an unacceptable amount of time or money in order to break in. Moreover, the risk an intruder has to take may be considered too high.

Threats to the SOM environment fall into two categories: Accidental Threats and Attacks. An example of an Accidental Threat is a user sending confidential mail to the wrong person. An Attack is an intentional threat: an action performed by an entity with the intention of violating security.

Attacks can be direct or indirect. A direct attack aims directly at an object. Several components in a system may be attacked before the intended goal is reached; in that case, all of these intermediate objects are targets of direct attacks. In an indirect attack, information is obtained from or about an object without attacking the object itself. For example, it may be possible to derive confidential information without accessing any system at all, simply by gathering statistics and deriving the desired information from them. Indirect attacks are especially troublesome because their signs are hard to see.

There are two kinds of attacks: passive and active. Passive attacks are carried out by monitoring a system as it performs its tasks and collecting information. In general, passive attacks are very hard to detect since they do not interact with or disturb normal system functions. Examples of passive attacks are monitoring network traffic, CPU usage and disk usage. Encryption of network traffic only partly solves the problem, since even the presence of traffic on a network may reveal some information. Traffic analysis, such as measuring the length, time and frequency of transmissions, can be very valuable for detecting unusual activity. (Rumor has it that prior to the US invasion of Panama, Domino's pizza deliveries to the Pentagon jumped 25%, a situation in which an external observer could tell that something unusual was going on.)
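The traffic-analysis idea above, counting and sizing transmissions per host and hour without ever looking at their contents, can be turned into a simple detector. The following is an added example and not code from the WSU School of Medicine page or from MSIS; the hosts `ws-101` and `ws-102`, the hours and the byte counts are all constructed for illustration, and the z-score threshold of 3 is an assumed tuning value.

```python
"""Traffic-analysis detection over constructed flow records.

Only transmission count and volume per host per hour are used; message
contents are never inspected, matching the point that timing and frequency
alone carry signal.  All hosts, hours and byte counts below are constructed
for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (hour of day, source host, bytes sent).
# Hours 0-7 form a quiet baseline; in hour 8, ws-102 suddenly sends
# five large transfers while ws-101 behaves as usual.
FLOWS = (
    [(h, "ws-101", 1200 + (h * 37) % 300) for h in range(8)]
    + [(h, "ws-102", 900 + (h * 53) % 200) for h in range(8)]
    + [(8, "ws-101", 1250)]
    + [(8, "ws-102", n) for n in (48000, 51000, 47000, 50000, 49000)]
)

BASELINE_HOURS = range(8)


def hourly_stats(flows):
    """Aggregate flow count and total bytes per (host, hour)."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0})
    for hour, host, nbytes in flows:
        agg[(host, hour)]["count"] += 1
        agg[(host, hour)]["bytes"] += nbytes
    return agg


def baseline(flows, baseline_hours):
    """Per-host (mean, population std-dev) of hourly count and bytes."""
    agg = hourly_stats(flows)
    hosts = sorted({host for _, host, _ in flows})
    result = {}
    for host in hosts:
        series = {
            "count": [agg[(host, h)]["count"] for h in baseline_hours],
            "bytes": [agg[(host, h)]["bytes"] for h in baseline_hours],
        }
        result[host] = {
            metric: (mean(values), pstdev(values))
            for metric, values in series.items()
        }
    return result


def find_anomalies(flows, baseline_hours, hour, threshold=3.0):
    """Return (host, metric, z) for every host/metric whose value in `hour`
    exceeds the baseline mean by more than `threshold` standard deviations.
    A baseline with zero variance gets a floor of one unit so that growth
    still registers instead of dividing by zero (an assumed design choice)."""
    base = baseline(flows, baseline_hours)
    agg = hourly_stats(flows)
    findings = []
    for host, metrics in base.items():
        current = agg[(host, hour)]
        for metric, (m, sd) in metrics.items():
            z = (current[metric] - m) / (sd if sd > 0 else 1.0)
            if z > threshold:
                findings.append((host, metric, round(z, 2)))
    return findings


if __name__ == "__main__":
    for host, metric, z in find_anomalies(FLOWS, BASELINE_HOURS, hour=8):
        print(f"hour 8: {host} {metric} is {z} standard deviations above baseline")
```

Run as a script it reports only `ws-102` in hour 8, on both flow count and byte volume, while the baseline hours and `ws-101` produce nothing. In practice the baseline would be built from days or weeks of history and kept per host and per hour of day, since a volume that is normal at noon may be unusual at 3 a.m.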

An active attack changes the behavior of the system in some way. Examples are inserting new messages on a network; modifying, delaying, reordering, duplicating or deleting existing messages; deliberately abusing system software to make it fail; and stealing magnetic tapes. A simple operation such as changing a negative acknowledgment (NACK) from a database server into a positive acknowledgment (ACK) could cause great confusion and/or damage. In contrast to passive attacks, active attacks are easier to detect if proper precautions have been taken.

SOM Security Mechanisms

The security that MSIS wants to implement at the School of Medicine consists of three mechanisms: prevention, detection and recovery. A prevention mechanism enforces security during the operation of a system by stopping a security violation from occurring; examples are a mechanism restricting physical access to a system, or access control mechanisms based on encryption that keep unauthorized users from accessing objects. A detection mechanism detects both attempts to violate security and successful security violations, as or after they occur in a system: alarms can detect unauthorized physical access, and audit trails can reveal unusual system activity after the fact. A recovery mechanism is used after a security violation has been detected and restores the system to the state it was in before the violation, for example by keeping backup tapes or adding redundant hardware to a system.

The methods by which MSIS tries to achieve these mechanisms are:

  • Authentication
  • Access control: policies, models and implementations
  • Separation mechanisms
  • Communication mechanisms: routing control, traffic padding, signatures, etc.
  • Detection and recovery mechanisms

An authentication mechanism makes it possible to uniquely identify entities, which is necessary before other mechanisms can make decisions based on the identity of a user. All SOM systems are assumed to contain confidential information whether they do or not, so all systems require account logins, and those logins are granted the necessary access rights to specified information.

Once authenticated, an entity's or user's ability to access information is further controlled by the access control mechanism, which mediates all accesses to objects and controls the way in which entities can use them. Access rights describe the user's privileges and state under what conditions entities can access information and how they are allowed to access it. For example, after authentication a user has full access to their mailbox. If another user has given them read access to a personal calendar, then the user can access that information but is unable to change it. The SOM Firewall is also a means of providing an access control mechanism for all SOM computers, since security threats can come from or be directed against any SOM system.
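The mailbox and calendar example above is the behaviour of a reference monitor: every access is mediated, the owner of an object holds all rights to it, a delegated grant carries only the rights named in it, and anything not explicitly allowed is denied. The following is an added example, not code from the WSU School of Medicine page or from MSIS; the users `alice` and `bob`, the object names, the right names `read`/`write`/`delete` and the audit record layout are all constructed for illustration. It also records an audit trail that names the authenticated user behind every decision, which is what later lets a violation be traced to a specific entity.

```python
"""A minimal reference monitor with default deny and an audit trail.

Constructed for illustration: principals, objects and rights are toy values.
Unauthenticated callers are represented by `None` and can never be granted
anything, mirroring the rule that authentication precedes access control.
"""
from dataclasses import dataclass, field

ALL_RIGHTS = frozenset({"read", "write", "delete"})


@dataclass(frozen=True)
class Principal:
    """An entity after successful authentication."""
    name: str


@dataclass
class Monitor:
    owners: dict = field(default_factory=dict)   # object -> owner name
    grants: dict = field(default_factory=dict)   # (object, user) -> rights
    audit: list = field(default_factory=list)    # constructed audit trail

    def register(self, obj, owner):
        """Record who owns an object; the owner gets ALL_RIGHTS implicitly."""
        self.owners[obj] = owner

    def grant(self, granter, obj, user, rights):
        """Delegate rights on `obj` to `user`. Only the owner may delegate,
        and only rights that exist; the attempt is audited either way."""
        if granter is None or self.owners.get(obj) != granter.name:
            who = granter.name if granter else "<unauthenticated>"
            self.audit.append(("DENY-GRANT", who, obj, user))
            return False
        self.grants[(obj, user)] = frozenset(rights) & ALL_RIGHTS
        self.audit.append(("GRANT", granter.name, obj, user, tuple(sorted(rights))))
        return True

    def rights_of(self, principal, obj):
        """Effective rights: nothing unauthenticated, everything for the
        owner, otherwise exactly the delegated set (default deny)."""
        if principal is None:
            return frozenset()
        if self.owners.get(obj) == principal.name:
            return ALL_RIGHTS
        return self.grants.get((obj, principal.name), frozenset())

    def check(self, principal, obj, right):
        """Mediate one access and log the outcome with the user's identity."""
        allowed = right in self.rights_of(principal, obj)
        who = principal.name if principal else "<unauthenticated>"
        self.audit.append(("ALLOW" if allowed else "DENY", who, obj, right))
        return allowed

    def denials(self):
        """Audit entries a detection mechanism would review."""
        return [e for e in self.audit if e[0].startswith("DENY")]


def demo():
    """The page's scenario: full access to one's own mailbox, read-only
    access to a calendar shared by its owner. Returns the monitor."""
    m = Monitor()
    alice, bob = Principal("alice"), Principal("bob")
    m.register("mailbox:alice", "alice")
    m.register("calendar:alice", "alice")
    m.check(alice, "mailbox:alice", "write")      # owner: allowed
    m.check(bob, "mailbox:alice", "read")         # no grant: denied
    m.grant(alice, "calendar:alice", "bob", {"read"})
    m.check(bob, "calendar:alice", "read")        # delegated: allowed
    m.check(bob, "calendar:alice", "write")       # not delegated: denied
    m.check(None, "calendar:alice", "read")       # unauthenticated: denied
    return m


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Every denial in the trail carries the authenticated name, so a later review can attribute a pattern of refused accesses to one account rather than to "someone". The SOM Firewall plays the same mediating role one level up, at the boundary between systems.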

The SOM systems have different tasks and thus contain different kinds of information, so a mechanism is needed to separate objects of different security classification levels from each other. There must be no information flow between systems and users without permission from the access control system; thus we need a mechanism separating objects and entities. Three of the ways this is accomplished are:

  • Physical separation - Systems are physically contained in a controlled access area.
  • Cryptographic separation - Information that needs protection can be encrypted wherever possible.
  • Logical separation - Systems that don't share the same job task are on different servers.  For example, a web application that accesses a database consists physically of a web server and a separate database server.

When information is being communicated or transported, it is especially cumbersome to preserve integrity and confidentiality and to eliminate covert channels. When public networks, or networks with little or no physical security, are used, objects are very vulnerable to both active and passive attacks: an attacker can insert new messages into the network and can modify, delay, reorder, duplicate or delete messages. The use of end-to-end encryption or fragmentation of objects can, if done correctly, guarantee object integrity and confidentiality. Information that needs protection from passive attacks or threats is encrypted wherever possible. MSIS is still working to improve the communication mechanisms: expanded SSL use, the granting of Digital Certificates for email, and virtual private networking (VPN) solutions are in the works.
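The NACK-to-ACK modification described under active attacks, and the message modification, duplication and reordering listed again here, are exactly what an integrity mechanism on the communication path has to catch. The following is an added example, not code from the WSU School of Medicine page or from MSIS: each message carries a sequence number and an HMAC-SHA256 tag under a shared key, so the receiver rejects anything altered in transit and anything delivered twice or out of order. The key, the transfer messages and the tampering step are all constructed for illustration; confidentiality (the end-to-end encryption the text mentions) is deliberately left out so the integrity check stands on its own.

```python
"""Integrity and ordering protection for messages on an untrusted network.

Wire format (constructed for this example):
    4-byte big-endian sequence number || payload || 32-byte HMAC-SHA256 tag
The tag covers the sequence number and the payload together, so neither can
be changed, and a receiver that tracks the next expected sequence number
refuses duplicates and reordered deliveries.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"   # shared secret, illustrative only
TAG_LEN = 32


def protect(key, seq, payload):
    """Build the wire bytes for one message."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies tag first, then sequence; status is one of
    'ok', 'bad-tag' or 'replay-or-reorder'."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0

    def accept(self, wire):
        if len(wire) < 4 + TAG_LEN:
            return ("bad-tag", None)
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch means modification or wrong key.
        if not hmac.compare_digest(tag, expected):
            return ("bad-tag", None)
        seq = struct.unpack(">I", body[:4])[0]
        if seq != self.expected_seq:
            # Duplicate (seq already consumed) or out-of-order delivery.
            return ("replay-or-reorder", None)
        self.expected_seq += 1
        return ("ok", body[4:])


def tamper_nack_to_ack(wire):
    """Model the modification the text warns about: someone on the path
    rewrites NACK to ACK without knowing the key. Same length, tag untouched."""
    return wire.replace(b"NACK", b"ACK ", 1)


def run_scenario():
    """A rejected transfer reply, the same reply tampered, a replay of the
    genuine reply, then the next legitimate message. Returns the statuses."""
    rx = Receiver(KEY)
    nack = protect(KEY, 0, b"NACK: transfer 17 rejected")
    results = {}
    results["tampered"] = rx.accept(tamper_nack_to_ack(nack))[0]   # bad-tag
    results["genuine"] = rx.accept(nack)[0]                          # ok
    results["replayed"] = rx.accept(nack)[0]                         # replay-or-reorder
    ack = protect(KEY, 1, b"ACK: transfer 18 committed")
    results["next"] = rx.accept(ack)[0]                              # ok
    return results


if __name__ == "__main__":
    for step, status in run_scenario().items():
        print(f"{step:9s} -> {status}")
```

The tag is checked before the sequence number on purpose: the sequence field is inside the tagged body, so an attacker cannot advance or rewind it without invalidating the tag, and the receiver never updates its state on an unverified message. A production protocol would also add encryption for confidentiality and a mechanism for the two sides to agree on the key; SSL/TLS and VPNs, which the text lists as work in progress, bundle all of these.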

Not all mechanisms are used to prevent security violations. An important group of security mechanisms are those used after a security violation has taken place: detection mechanisms detect the violation, and recovery mechanisms restore the system to its state prior to it. Ideally, a detection mechanism should detect a security violation immediately and give enough information to trace the violation to a specific entity or user. MSIS uses various tools to watch for possible threats, such as the Firewall and Intrusion Detection Software. Currently these tools protect the SOM Server environment, but they will be extended to cover all systems when the SOM Firewall is in place. In the event of a security violation, systems are returned to a safe state and further safeguards are implemented.