BMIS 33243

DISTRIBUTED SYSTEMS MANAGEMENT

esson 8: Security and Distributed System

Contents
This lecture will address:

Special factors for security in DS;

What are the mechanism for security
in DS;
Security policies;
Risk assessment and its management;
Management functions of security;
International and other standards
which affect security

2
Introduction
Foundation of security in DS is
the security policies of the
organizations responsible for
the systems

Data is retained, processed &

transmitted so as to preserve
confidentiality / integrity is
maintained
Special factors of security in
DS
Security risks of DSs

Security strategies for DSs

Security of management

functions
Security risks of DSs
Existing DS offer significant
opportunities for the
introduction of insecure or
malicious software permit
hacking & browsing.
Vigilant management is
required against attacks
leading to denial of service.
Security risks of DSs
Types of risks/attacks leading to
denial of service:
1. Internet worm
2. Mail storms
3. Unprotected systems is used as
an entry point into other
inadequately protected but
sensitive systems
Security risks of DSs
Distribution also adds
complications to dealing with the
risks:
Communication may introduce
significant time-lag into the system in
respect of security-related information
Splitting the system into different
geographical, political, technical or
administrative domains complicates
the setting & management of a
coherent security policy, difficult of
tracing those security breached
initiated from a different domain
Security strategies for
DSs
Management should provide the
means both to maintain a secure
environment & to identify when
attempts are made to breach
security
First, consider what is to be
protected??
Security strategies for
DSs
Level of protection is desirable at 3
point:
1. Access to corporate data
Advantage of distribution in this case is that it
allows sensitive data to be distributed throughout
the system. Thus only by knowing the way in
which it is distributed & accessing it at all
locations is it possible to make a full
reconstruction.
2. Access to the systems processing &
communication capability
Distribution can provide alternative locations from
which to acquire processing resources.
Accidental failure typically occur at one site at a
time.
Deliberate attempts to deny a service require
interference with a large number of processors
simultaneously
Security strategies for
DSs
3. Access to the management system
Advantage of distribution in this case is that it
does not constraint all components of a
system to accept the same security rating
If the environment is partitioned into separate
security domains, each domain can reflect an
aspect of organizations policy concerning
security as well as possibly being related to a
partitioning on functional grounds
Some domain require more stringent security
policies, policies between the managers of
domain or by a hierarchical structuring of
domains with one manger taking
responsibility for coordinating the interactions
of all.
Security of management
functions
Securing data & processing
capability are of limited value if the
management system is not equally
protected
Management functions such as
configuration management have
implications for basic security of
the system & so control of access
to management operation is
needed.
Security of management
functions
Security to corporate data automatically
provides the mechanism which safeguard
the data used to control & monitor the
network.
Likewise, control of access to processing
capacity ensures that only those who
have the authority to manage the
network are in a position to do so.
Support system security policies
throughout necessitates a secure
configuration management system,
which employs techniques for the secure
distribution of software either manual
and/or encryption-based schemes of
tokens, seals and digital signature.
Security framework
Objectives of security within DS can be
defined at a number of different levels, from
a high-level objective to a low-level one,
with a hierarchy of objectives in between
Each level helps to achieve the objectives of
a higher level.
E.g.; the protection of data in transmission.
This can be achieved by link protection, by
end-to-end protection or at intermediate
level.
The combination of security objectives & the
architectural levels at which they may be
supported together form a security
framework
Security objectives
Primary objective of security
correspond to threats (such as
disclosure, corruption, loss, denial
of service, impersonation &
repudiation)
Secondary objectives lead to the
specification of services to support
the primary ones.
Security objectives
3 primary security objectives, apply both to stored data &
message in transit:
1. Data confidentiality
Maintaining confidentiality of information held within
systems or communicated between them
(prevention of unauthorized access to stored data files & the
prevention of eavesdropping on message in transmission
2. Data integrity
Maintaining the integrity of information held within systems
or communicated between them
(prevent loss or modification of the information due, for e.g.,
to unauthorized access, component failures or
communication errors
Integrity can be achieved in 2 ways:
Preventing the occurrences of failures at all
Detecting the occurrences & recovering from it
3. Data availability
Maintaining the availability of information held within
systems or communicated between them
(ensure the services which provide access to data are
available & that the data has not been lost
Security objectives
2 other primary objectives apply specifically
to communication between users and/or
programs:
1. Authentication
Authenticating the identity of
communication partners & authenticating
the origin & integrity of data which is
communicated between them
Important for several purposes:
Authenticating is the identity of the originator
of a message give confidence, in email, that
messages are genuine
Provides a basis for audit & accounting
Authentication of message contents enables
the detection of integrity failures in messages
Security objectives
2. Non-repudiation
Prevent user from wrongly denying
having sent (proof of origin) or
having received a message (proof
of delivery)
Important in which the interests of
the sending & receiving parties
may be conflict
E.g.; in a stock transfer system
where it would be in the financial
interest of the sender to repudiate
a selling order if the value of the
stock subsequently rises.
Secondary objectives
Secondary security objectives
identified by security architecture
are as follows:
1. Access control
Providing access control to services or their
components to ensure that users can only
access services, & perform data access, for
which they authorized.
Is a means used to achieved
confidentiality, integrity and availability
Unauthorized access to PC may be
prevented by a key lock disabling the
keyboard
Access to shared system may be controlled
by a logical access control system using
access rules based on the authenticated
Secondary objectives
2. Audit trail
Provide an audit trail of activities in the
system to enable user accountability
Provides evidence of who did what, and
when
3. Security alarm
The detection of occurrence indicating an
actual or potential security failure should
raise an alarm & cause the system to
operate in a fail-safe mode.
. The security objectives outlined above are
interdependent, & should not taken in
isolation
Architectural level of security
services
A security service, such as
confidentiality, can be applied to
communication at different layers
in the model, but it is not sensible
to apply the service at all of the
layers.
E.g., a user who is obtaining end-
to-end confidentiality through
encryption at layer 6, the
presentation layer, has no need of
data link encryption
Security mechanism
Types of mechanism used to
achieve security objective:
1. Physical & electronic security of
components of the system
2. Authentication mechanism
3. Access control mechanism
4. Communication security
mechanism
Physical security
mechanisms
Physical security requires 3
mechanisms:
1. Preventive security
Strong construction, locks on doors, fire
resistance & waterproofing
2. Detection & deterrence
Movement detectors & door switches linked
to alarms, security lighting & closed circuit
television
3. Recovery
The provision of a back-up site, with
alternatives computing & communication
arrangements
Electronic security
mechanism
Is needed for protection
interference from static electricity
& radio frequency (RF) interference
Also required for radiation security
to avoid the passive eavesdropping
made possible because visual
display units, printers & processors
can emit electromagnetic radiation
modulated by their internal
electronic activity
Authentication
Personal authentication
Is used to verify the claimed identity of a
human user
A number of mechanism of it, all based
on following principles:
a personal characteristic of the user
(fingerprint, hand geometry, signature) which
is unique to individual
A possession of the user, such as a
magnetically or electronically coded card,
which is unique to that person
Information known only to the user, for e.g. a
secret password or encryption key
Authentication
Use of password across open
communication channels in DS is problem
since password can be discovered by
eavesdropping on the channel & then used
to impersonate the user
Solution is to use of one-time password,
smart cards
Magnetically coded cards have some
advantages over password- they cannot be
copied so easily & are less easy to forget,
but suffer from potential exposure of their
content I open communication channels
Authentication
Smart cards offer increased security
because they can be programmed to
provide variable information
Several methods smart card can be
used for persona; authentication:
1. One-time password generates a different
password each time they are used
2. Challenge-response device. The host
sends a challenge number & the smart
card has to calculate the correct
response, including input from user
Logical access control
Has to be used when physical access
control is impossible, as is the case in
multi-user systems
Model for logical access control is
provided by a reference monitor, which
intercepts all access attempts & allows
them only if the access is authorized.
Otherwise the access is blocked, error
message is returned to user &
appropriate logging & alarm actions are
taken
Logical access control
2 main forms of logical
access control:
1. Mandatory access control
Based upon fixed rules
2. Discretionary access control
Permits users to share & control
access
Recommended discretionary
access control approach is
identification/authorization
Logical access control
2 main implementation of access
rules:
1. An access control list (ACL) is
attached to the target entities,
defining the user who are authorized
to access them and the operations
that they can perform
2. Users obtain authenticated
capabilities, which act as tickets
authorizing them to access defined
resources.
Communication Security
mechanism
Main mechanism in ensuring
communication security:
Traffic padding
Use to conceal the existence of message
on a communication line, by inserting
dummy message on the line to ensure that
there is a uniform level of traffic at all
times.
Encryption
To prevent eavesdropping, the detection of
message alteration & detection of message
deletion & replay
Physical protection of the lines &
equipment
Link or end-to-end encryption

Encryption may be used on individual

links or on an end-to-end basis
Refer Fig. 5.1 Link encryption covers only
the communication links, & information is
in clear at each communication processor
End-to-end encryption is carried out
directly between the initiating & target
systems.
An intermediate level is network
encryption, where encryption spans an
entire network, but not the gateways
between network
Encryption algorithms
2 main types of encryption:
1. Secret key encryption
Use a single secret key shared
between sender & receiver
2. Public key encryption
Use a related pair of keys. One key
is public available & may be used to
encrypt message, while the other
key is secret, known only to the
receiver, & may be used to decrypt
messages
Security policies
Policies are plan of an organization
to meet its objectives
Security policy defines the overall
objectives of an organization with
regard to security risks, & the plans
for dealing with the risks in
accordance with these objectives.
All organizations should have a
high-level security policy
Security policies
High-level objectives vary substantially
from organization to organization
Military place a high value on secrecy,
academic institution place a high value
on openness of information, financial
institution are concerned with
maintaining the integrity of data &
messages, which represent money.
The default for simple social organization
is to have no security policy at all
Security policies
Effective computer security policy
requires following questions are
answered:
What are the assets to be protected, &
what is their value?
What are the treats to these assets?
Which threats should be eliminated &
by what means?
Security policies
An effective high-level security
requires a risk analysis to be carried
out so as to understand the
vulnerability of the organization & the
consequences of security breaches
Results of risk analysis may help to
redefine or focus high-level policies,
as well as defining the lower-level
policies for managing the system in a
secure manner
Security interaction
policies
Its possible to create a DS where security
are centrally managed to a common
standard.
However, a DS is evolve from existing
different (& heterogeneous) systems that
have previously operated to a variety of
security policies
So possible these may be incompatible,
either because the policies of the systems
differ in the level of security they
provide/tolerate, or because there is
technical incompatibility, e.g. because
different encryption algorithms selected
Security interaction
policies
ISO recognized this problem &
introduced concept of security
interaction policy as part of
security framework
A security interaction policy in a DS
should lead to the generation of an
agreed schedule of required
security services & their supporting
mechanisms
Choice of security
service
Choice of security service have to
meet following conflicting
objectives:
Security policies are often defined
centrally but applied locally, or in each
application & at many intervening
points in the communication between
each user
Design of existing standard
communication products & many
operating system has avoided
consideration of security. Security
requirements therefore have to be
Risk assessment &
management
Recall security risk is concerned with
future events, in which an occurrence
leads only to loss through fraud, breach
of confidentiality or equipment failure
Business risk may result in either loss or
gain
Risk assessment & management is an
activity which takes a rational view of the
assets of an organization & the risks they
face & then makes decision about the
protection they are to be given
An essential element of the decisions is
that the cost of protection should be
commensurate with the expected costs
arising from security losses
Risk assessment & management

Computer-related security risk

management methodology have
following tasks:
Identification & valuation of assets
Construction of security risk scenario
Assessment of the probability of the
scenario & the losses that would ensue
Identification & costing of possible
security measures for each scenario
Selection of a portfolio of security
measures
Risk assessment &
management
Risk analysis is at its most effective when
carried out during the specification &
design phases of DS development
In these phases the risk implications of
design decision (identify where the
design shows its least robust
characteristics) & the security
requirement can be established & their
consequences identified
However, this ideal policy is seldom
practical for DS
Managing security
Its main functions:
The management of encryption keys &
password
This involve generation of keys as
required & distribution of the keys to the
relevant components in the system,
storing keys & archiving keys
Managing the registration of users & the
information used to check their identity
(encryption key or password)
Managing access control information
relating to users & servers
Providing security audit trails
Security standards
3 main categories of security
standards concerning DS
management
1. Standards related to the security of
individual computers
2. Standards for protection of
communication transmission &
remote authentication
3. Standards that integrate computer &
communication security standard to
provide DS security standards.