

Chapter 49
A New Security Model for Networks and the Internet

Dan Thomsen

Computer security is a matter of controlling how data is shared for reading and modifying. Type enforcement is a new security mechanism that can be used as the basic security building block for a large number of systems where security is an important factor. This chapter discusses basic computer security issues and introduces type enforcement as a method for establishing data security. It also presents the Sidewinder firewall system as an implementation of the type enforcement mechanism.

INTRODUCTION

Type enforcement is a new security mechanism that can be used as the basic security building block for a large number of systems in which security is an important factor. One of the most critical areas requiring protection is the system's firewalls. Firewalls are the equivalent of walls around a castle and are under constant attack from external forces. Installing software to protect the network will not be effective if the software runs on a platform that cannot protect itself. It is like building the castle walls on a swamp.

Computer security is a matter of controlling how data is shared for reading and modifying. Only one person using an isolated computer is completely secure. However, people inside and outside of the organization need to share information. Type enforcement allows a computer to be divided into separate compartments, basically having a number of isolated computers inside of a single computer. Because the compartments are in a single computer, the process of sharing information among compartments can be controlled by type enforcement.

Most secure systems are difficult to work with and require extra development time. Type enforcement strikes a balance between security and flexibility. As a result, new security services can be provided more quickly, because they can build on the security of the underlying operating system. Type enforcement permits the incorporation of security more quickly because it allows the applications to be encapsulated. Each application is protected from:

  Hostile manipulation by outsiders.
  Interference from other applications.
  Erroneous behavior by the application itself.

SECURITY BASICS

An examination of the potential problems that can arise on a poorly secured system will help in understanding the need for security. Three basic kinds of malicious behavior are:

  Denial of service.
  Compromising the integrity of the information.
  Disclosure of information.

Denial of Service

Denial of service occurs when a hostile entity uses a critical service of the computer system in such a way that no service, or only severely degraded service, is available to others. Denial of service is a difficult attack to detect and protect against, because it is difficult to distinguish whether a program is being malicious or is simply greedy. An example of denial of service is an Internet attack in which an attacker requests a large number of connections to an Internet server. Through the use of an improper protocol, the attacker can leave a number of the connections half open. Most systems can handle only a small number of half-open connections before they are no longer able to communicate with other systems on the net. The attack completely disables the Internet server.

Compromising the Integrity of the Information

Most people take for granted that the information stored on the computer system is accurate, or, at least, has not been modified with a malicious intent. If the information loses its accuracy, the consequences can be extreme. For example, if competitors hacked into a company’s database and deleted customer records, a significant loss of revenues could result. Users must be able to trust that data is accurate and complete.

Disclosure of Information

Probably the most serious attack is disclosure of information. If the information taken off a system is important to the success of an organization, it has considerable value to a competitor. Corporate espionage is a real threat, especially from foreign companies, where the legal reprisals are much more difficult to enforce. Insiders also pose a significant threat. Limiting user access to the information needed to perform specific jobs increases data security dramatically.

The Information Bucket

Every security mechanism has the concept of limiting who can have access to data. This concept is called the “information bucket.” All related information is placed in the same bucket, and then access to that bucket is controlled. The information bucket is very similar to the access class or the security level in Department of Defense (DoD) systems. For example, most computer systems have the concept of users. Each user gets his or her own bucket in which to work. All user files reside in the appropriate bucket, and the users control who can access their files. In its simplest form, a bucket has a set of programs and a set of files that the programs can access.

A secure system must control at least four factors:

  Who can access a bucket.
  Which programs can run in that bucket.
  What those programs can access.
  Which programs can communicate with other programs.

Communication between programs must be controlled, because programs can send information to other programs, which then write that information into another bucket.

A system is very secure if no overlap exists between buckets, because in this configuration no user is able to read or modify data, or consume system resources, from another bucket. However, this situation is equivalent to giving each user a separate computer and not allowing individual users to talk to each other. People in many computing environments need to share information. If the users are responsible for the information resources in their buckets and are careful about sharing their information with others, the system can remain secure.

Security problems arise when the boundaries between buckets are not well defined. For example, if two different buckets can read and write the same file, information can flow between the two buckets. This type of “leaky” bucket is a potential security problem. When leaky or overlapping buckets are combined with a complex system in which a large number of buckets exist, it becomes difficult to know how secure the system is.
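The following is a small model of the bucket controls described above, added here as an example; it is not code from the chapter or from the Sidewinder system. It mediates a single access against the four factors (who, which program, which file, which program-to-program channel) and then scans the policy for the "leaky" case of a file writable in one bucket and readable in another. The bucket names, users, programs and file paths are constructed.

```python
"""Toy model of the chapter's 'information bucket' controls (added example)."""
from dataclasses import dataclass, field
from itertools import combinations

READ, WRITE = "r", "w"


@dataclass
class Bucket:
    """One compartment: who may enter it, which programs may run in it,
    and which files those programs may touch (factors one to three)."""
    name: str
    users: set
    programs: set
    files: dict = field(default_factory=dict)   # path -> set of modes {"r", "w"}


@dataclass
class Policy:
    buckets: dict                                 # name -> Bucket
    channels: set = field(default_factory=set)    # (src, dst) program links (factor four)

    def allow(self, user, bucket, program, path, mode):
        """Mediate one access: every factor must permit it, otherwise deny."""
        b = self.buckets.get(bucket)
        if b is None or user not in b.users or program not in b.programs:
            return False
        return mode in b.files.get(path, set())

    def leaks(self):
        """List (source, destination, via) flows between buckets: a shared file
        writable on one side and readable on the other, or an explicit channel."""
        found = []
        for a, b in combinations(self.buckets.values(), 2):
            for f in sorted(a.files.keys() & b.files.keys()):
                if WRITE in a.files[f] and READ in b.files[f]:
                    found.append((a.name, b.name, f))
                if WRITE in b.files[f] and READ in a.files[f]:
                    found.append((b.name, a.name, f))
        found.extend((src, dst, "channel") for src, dst in sorted(self.channels))
        return found


def sample_policy():
    """Constructed policy: 'mail' and 'payroll' are isolated from each other,
    but 'web' can read a log file that 'mail' writes, so the pair is leaky."""
    return Policy(buckets={
        "mail": Bucket("mail", {"alice"}, {"smtpd"},
                       {"/spool/mail": {READ, WRITE}, "/var/log/shared": {WRITE}}),
        "payroll": Bucket("payroll", {"bob"}, {"ledger"}, {"/data/ledger.db": {READ, WRITE}}),
        "web": Bucket("web", {"alice"}, {"httpd"}, {"/var/log/shared": {READ}}),
    })
```

Running `sample_policy().leaks()` reports only the mail-to-web flow through `/var/log/shared`; the isolated payroll bucket produces no entry.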



Copyright © CRC Press LLC