DOCSLIB.ORG

HP Security Handbook

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
HP Security Handbook The HP Security Handbook Vice President, HP Security Office Tony Redmond HP Security Handbook Lead Jan De Clercq Layout, Illustrations, Graphics and Production Lead Killian McHugh Primary Content Editors and Strategists Governance and Compliance: Stuart Hotchkiss (Lead) Proactive Security Management: Keith Millar (Lead) Identity Management: Jan De Clercq (Lead), Mark Crosbie Trusted Infrastructure: Boris Balacheff (Lead), Iver Band, Archie Reed, Mark Schiller, Bill Wear Innovation in Security: Simon Shiu (Lead), Joe Pato Additional Content Contributors Governance and Compliance: Lois Boliek, John Carchide, Frederic Gittler, David Graves, Jim Hoover, Cheryl Jackson, Paul Jeffries, Bill Kowaleski, Tari Schreider, Saida Wulteputte, Mike Yearworth Proactive Security Management: Hayden Brown, John Carchide, Tracy DeDore, Paul Jeffries, Montserrat Mane, Jim O'Shea, Christopher Peltz, Sarah Porten, Yann Vermast, Brian Volkoff, Doug Young Identity Management: Sai Allavarpu, Jean-Michel Argenville, Carolyn Bosco, Pete Bramhall, Christian Fischer, Ronald Luman, Marco Casassa Mont, Robert Neal-Joslin, Jason Rouault, Scott Swist, Ibrahim Wael, Manny Novoa Trusted Infrastructure: Enrico Albertin, Shivaun Albright, Sunil Amanna, Mike Balma, Ron Carelli, Lynne Christofanelli, Paul Congdon, Joanne Eames, Janusz Gebusia, Gary Lefkowitz, Shab Madina, Sunil Marolia, John Rhoton, Steve Scott, Rick Supplee, Tom Welsh, Chris Whitener Innovation in Security: Adrian Baldwin, Richard Brown, Chris Dalton, Bill Horne, Ed McDonnell, David Pym, Martin Sadler, Steve Simske, Richard Smith The HP Security Handbook is available online at www.hp.com/go/security/securityhandbook. For feedback, please e-mail [email protected]. For additional printed copies, please see your HP Sales Representative. About HP HP is a technology company that operates in more than 170 countries around the world. We explore how technology and services can help people and companies address their problems and challenges, and realize their possibilities, aspirations, and dreams. We apply new thinking and ideas to create more sim- ple, valuable, and trusted experiences with technology, continuously improving the way our customers live and work. No other company offers as complete a technology product portfolio as HP. We provide infrastructure and business offerings that span from handheld devices to some of the world's most powerful supercomputer installations. We offer consumers a wide range of products and services from digital photography to digi- tal entertainment and from computing to home printing. This comprehensive portfolio helps us match the right products, services, and solutions to our customers’ specific needs. HP focuses on simplifying technology experiences for all of its customers - from individual consumers to the largest businesses. With a portfolio that spans printing, personal computing, software, services and IT infrastructure, HP is among the world's largest IT companies, with revenue totaling $104.3 billion for the four fiscal quarters ended Oct. 31, 2007. More information about HP is available at www.hp.com. Fast facts • HP was incorporated in 1939. • Corporate headquarters are in Palo Alto, California. • Mark Hurd is president and CEO. • HP is a US Fortune 14 and a Global Fortune 41 company, with revenue totaling $104.3 billion for the fiscal year ended Oct. 31, 2007. • HP has 150,000 employees doing business in more than 170 countries around the world. Technology leadership HP's three business groups drive industry leadership in core technology areas: • The Personal Systems Group: Business and consumer PCs, mobile computing devices, and workstations • The Imaging and Printing Group: Inkjet, LaserJet and commercial printing, printing supplies, digital pho- tography, and entertainment • The Technology Solutions Group: Business products including storage and servers, managed services, and software Contribution HP strives to be an economic, intellectual, and social asset to each country and community in which we do business. Key areas of contribution are electronic waste, raising standards in our global supply chain and increasing access to information technology. Growth HP is focused on three technology shifts that have the power to transform our customers' lives and busi- nesses: • Next-generation data center • Always on, always connected mobile computing • Ubiquitous printing and imaging For more information, visit www.hp.com. About HP's Security Practice HP takes a holistic approach to security that includes the people, process and technology to ensure the effectiveness of the security solution. HP Services assists in defining a security strategy specifically tailored to the customer's environment and business processes. As a leader in IT management, and more specifi- cally IT service management, HP Services brings tremendous breadth and depth of management expertise to every consulting engagement. Our expert security staff includes Certified Information Systems Security Professionals (CISSPs) and certified Sysadmin, Audit, Network, Security (SANS) individuals who bring extensive experience in multi-vendor platforms including HP-UX, IBM AIX, Sun Solaris, OpenVMS, Microsoft Windows, and Linux. As a member of the Information Technology Information Sharing and Analysis Center (IT-ISAC), HP's security services team stays abreast of the latest information on cyber security issues and utilizes proven best practices and methodologies such as BS 7799/ISO 17799. Table of contents Introduction Note ........................................i Introduction.............................................ii The Security Landscape ...................................ii HP’s Security Framework .................................iii Business Context . iii Governance and Compliance. iii Proactive Security Management . iv Identity Management. iv Trusted Infrastructure . iv Security Handbook Contents . v Bringing the HP Security Strategy to Market: HP Secure Advantage. vi Chapter One: Governance and Compliance 1. Definition ...........................................1-1 2. Purpose ............................................1-2 3. Why Have Governance? ..............................1-3 4. The Importance of Information Assets ...................1-3 5. Information Security Defined ..........................1-3 5.1. Board of Directors’ Responsibilities . 1-4 5.2. IT Responsibilities. 1-4 6. Regulatory Standards ................................1-4 6.1. International Standards . 1-5 6.2. When to Use the International Standards . 1-6 6.3. Best-Practice Legislation . 1-7 6.4. Privacy Aspects and Issues . 1-7 7. The Governance and Risk Management Lifecycles . 1-8 7.1.ProcessSteps.........................................1-9 7.2. Gap Analysis . 1-9 7.3. Risk Analysis . 1-10 7.4. Security Control Architecture . 1-12 7.5. Security Implementation Architecture . 1-14 7.6. Implementation. 1-15 7.7. Support, Manage, and Operate . 1-15 7.8. Audit and Test . 1-15 7.9. Review and Update . 1-15 8. Managing Governance in Practice Information Security - Service Management (ISSM) ...........................1-16 8.1. ISSM Control Model . 1-17 9. Moving to Continuous Compliance .....................1-20 9.1. Comparison of Standard and Continuous Compliance . 1-20 9.2. Continuous Compliance Example . 1-21 9.3. The Efficiency of Continuous Compliance . 1-21 10. Using Models and Model based Technologies to Support - Security Governance .................................1-22 11. The Economics of Security An Example ................1 23 : - 12. Key Performance Indicators and Metrics ...............1-25 13. New Model based Analysis Approaches to Support Risk - Analysis Trust Economics ............................1 26 - - 14. HP Governance Services ............................1-26 15. Security and HP's Vision ............................1-27 16. Governance Summary ..............................1-28 Chapter Two: Proactive Security Management 1. Definition ...........................................2-2 1.1. Managing Protection Proactively and Reactively . 2-2 1.2. Responding to Changing Business Models . 2-2 1.3. Integrating with IT Management. 2-3 1.4. Maintaining Acceptable Security and Risk Levels . 2-3 2. Purpose ............................................2-3 2.1. Protecting Against Increasing Threats . 2-3 2.2. Enabling Changing Trust Models . 2-4 2.3. Managing Increased Process Complexity . 2-4 2.4. Complying with Changing Regulations. 2-5 2.5. Purpose of Proactive Security Management Depends on More Than Technology............................................2-5 2.6. IT Management Trends and Security Management. 2-5 3. HP Proactive Security Management Framework ..........2-6 3.1. Compliance, Security Monitoring and Reporting. 2-7 3.2. Vulnerability Management . 2-7 3.3. Content Management. 2-7 3.4. Identity Management Integration . 2-8 3.5. Host Management . 2-8 3.6. Intrusion Detection and Prevention . 2-9 3.7. Problem Management. 2-10 3.8. Investigations and IT Forensics . 2-10 3.9. Security Program Administration. 2-10 3.10. Incident Management . 2-11 3.11. Risk Management . 2-11 3.12. IT Administration Integration . 2-11 4. HP Proactive Security Management Offerings ...........2-12 4.1. HP Proactive Security Management Services. 2-12 4.2. HP Proactive Security Management Products . 2-19 5. Proactive Security Management Summary ..............2-28 Chapter Three: Identity Management 1. Definition ...........................................3-1 2. Purpose ............................................3-1
Load more

Recommended publications
  • HP Annual Report
    Meg Whitman President and CEO Dear Stockholders, Fiscal 2012 was the first year in a multi-year journey to turn HP around. We diagnosed the problems facing the company, laid the foundation to fix them, and put in place a plan to restore HP to growth. We know where we need to go, and we are starting to make progress. The Year in Review In the first year of our turnaround effort, we provided a frank assessment of the challenges facing HP, laid out clear strategies at all levels of the corporation, and mapped out our journey to restore HP’s financial performance. Most importantly, we did what we said we would do in fiscal 2012 – we began taking action to bring costs in line with the revenue trajectory of the business and met our full-year non-GAAP earnings per share outlook. We have just completed year one of our journey, and we are already seeing tangible proof that the steps we have taken are working. This includes generating $10.6 billion in cash flow from operations for fiscal $10.6B 2012. HP used that cash to make significant progress in rebuilding our balance sheet – reducing our in cash flow from net debt by $5.6 billion during the year – and returned $2.6 billion to stockholders in the form of share operations for repurchases and dividends. fiscal 2012 Our efforts in fiscal 2012 also included beginning to tackle the structural and execution issues we identified, and building the foundation we need to improve our performance in the face of dynamic market trends and macroeconomic challenges.
    [Show full text]
  • 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
    Case 4:13-md-02420-YGR Document 2321 Filed 05/16/18 Page 1 of 74 1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 NORTHERN DISTRICT OF CALIFORNIA 10 OAKLAND DIVISION 11 IN RE: LITHIUM ION BATTERIES Case No. 13-md-02420-YGR ANTITRUST LITIGATION 12 MDL No. 2420 13 FINAL JUDGMENT OF DISMISSAL This Document Relates To: WITH PREJUDICE AS TO LG CHEM 14 DEFENDANTS ALL DIRECT PURCHASER ACTIONS 15 AS MODIFIED BY THE COURT 16 17 18 19 20 21 22 23 24 25 26 27 28 FINAL JUDGMENT OF DISMISSAL WITH PREJUDICE AS TO LG CHEM DEFENDANTS— Case No. 13-md-02420-YGR Case 4:13-md-02420-YGR Document 2321 Filed 05/16/18 Page 2 of 74 1 This matter has come before the Court to determine whether there is any cause why this 2 Court should not approve the settlement between Direct Purchaser Plaintiffs (“Plaintiffs”) and 3 Defendants LG Chem, Ltd. and LG Chem America, Inc. (together “LG Chem”), set forth in the 4 parties’ settlement agreement dated October 2, 2017, in the above-captioned litigation. The Court, 5 after carefully considering all papers filed and proceedings held herein and otherwise being fully 6 informed, has determined (1) that the settlement agreement should be approved, and (2) that there 7 is no just reason for delay of the entry of this Judgment approving the settlement agreement. 8 Accordingly, the Court directs entry of Judgment which shall constitute a final adjudication of this 9 case on the merits as to the parties to the settlement agreement.
    [Show full text]
  • NSA Security-Enhanced Linux (Selinux)
    Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley [email protected] Information Assurance Research Group National Security Agency ■ Information Assurance Research Group ■ 1 Outline · Motivation and Background · What SELinux Provides · SELinux Status and Adoption · Ongoing and Future Development ■ Information Assurance Research Group ■ 2 Why Secure the Operating System? · Information attacks don't require a corrupt user. · Applications can be circumvented. · Must process in the clear. · Network is too far. · Hardware is too close. · End system security requires a secure OS. · Secure end-to-end transactions requires secure end systems. ■ Information Assurance Research Group ■ 3 Mandatory Access Control · A ªmissing linkº of security in current operating systems. · Defined by three major properties: ± Administratively-defined security policy. ± Control over all subjects (processes) and objects. ± Decisions based on all security-relevant information. ■ Information Assurance Research Group ■ 4 Discretionary Access Control · Existing access control mechanism of current OSes. · Limited to user identity / ownership. · Vulnerable to malicious or flawed software. · Subject to every user©s discretion (or whim). · Only distinguishes admin vs. non-admin for users. · Only supports coarse-grained privileges for programs. · Unbounded privilege escalation. ■ Information Assurance Research Group ■ 5 What can MAC offer? · Strong separation of security domains · System, application, and data integrity · Ability to limit program privileges · Processing pipeline guarantees · Authorization limits for legitimate users ■ Information Assurance Research Group ■ 6 MAC Implementation Issues · Must overcome limitations of traditional MAC ± More than just Multi-Level Security / BLP · Policy flexibility required ± One size does not fit all! · Maximize security transparency ± Compatibility for applications and existing usage.
    [Show full text]
  • Spf Based Selinux Operating System for Multimedia Applications
    International Journal of Reviews in Computing st 31 December 2011. Vol. 8 IJRIC © 2009 - 2011 IJRIC & LLS. All rights reserved. ISSN: 2076-3328 www.ijric.org E-ISSN: 2076-3336 SPF BASED SELINUX OPERATING SYSTEM FOR MULTIMEDIA APPLICATIONS 1NITISH PATHAK, 2NEELAM SHARMA 1BVICAM, GGSIPU, Delhi, India 2Department of Information Technology, Maharaja Agrasen Institute of Technology, Delhi, India E-mail: [email protected], [email protected] ABSTRACT Trusted Operating Systems, offer a number of security mechanisms that can help protect information, make a system difficult to break into, and confine attacks far better than traditional operating systems. However, this security will come at a cost, since it can degrade the performance of an operating system. This performance loss is one of the reasons why Trusted Operating Systems have not become popular. While Trusted Operating Systems offer an incredible amount of security, observations about computing workloads suggest that only some parts of the operating system security are actually necessary. Web servers are the best example. For many web servers, the majority of the information on the server is publicly readable and available on the Internet. Therefore, if a Trusted Operating System is used on a web server, any security used to secure the confidentiality of the server’s information is not necessary. Any security used to protect the confidentiality of web server data can be considered a waste of computational resources. The security needed in web servers is the security to protect the integrity of data, not the confidentiality of data. Other workloads such as multimedia or database workloads may also only need parts of the operating system security.
    [Show full text]
  • Looking Back: Addendum
    Looking Back: Addendum David Elliott Bell Abstract business environment produced by Steve Walker’s Com- puter Security Initiative.3 The picture of computer and network security painted in What we needed then and what we need now are “self- my 2005 ACSAC paper was bleak. I learned at the con- less acts of security” that lead to strong, secure commercial ference that the situation is even bleaker than it seemed. products.4 Market-driven self-interest does not result in al- We connect our most sensitive networks to less-secure net- truistic product decisions. Commercial and government ac- works using low-security products, creating high-value tar- quisitions with tight deadlines are the wrong place to ex- gets that are extremely vulnerable to sophisticated attack or pect broad-reaching initiatives for the common good. Gov- subversion. Only systems of the highest security are suffi- ernment must champion selfless acts of security separately cient to thwart such attacks and subversions. The environ- from acquisitions. ment for commercial security products can be made healthy again. 3 NSA Has the Mission In 1981, the Computer Security Evaluation Center was 1 Introduction established at the National Security Agency (NSA). It was charged with publishing technical standards for evaluating In the preparation of a recent ACSAC paper [1], I con- trusted computer systems, with evaluating commercial and firmed my opinion that computer and network security is in GOTS products, and with maintaining an Evaluated Prod- sad shape. I also made the editorial decision to soft-pedal ucts List (EPL) of products successfully evaluated. NSA criticism of my alma mater, the National Security Agency.
    [Show full text]
  • MHEC-10012015 Exhibit A1 - Network Products and Services December 2015
    MHEC-10012015 Exhibit A1 - Network Products and Services December 2015 MHEC Proposed HP Networking Product Line % off USUDDP Classic Procurve Wired and Wireless Portfolio HP Networking Switching and SBN APs, controllers, MSM APs, 6H, I5 34% Networking RF Manager, MSM415, TMS zl, PCM, IDM,NIM, ProCurve switches HP Networking Enterprise Routing A6600, A8800, A12500, I6, 34 34% and Switching A5820X, A9500, A7500 MSR Routers, IMC, 8800, A3100, A3600, A5100, A5500, A7500, E4200, E4500, E4800, E5500, V14xx, V19xx. HP Networking Routing I7 34% Wireless=A3000, A7700, HP Networking A8700, A9000, Airprotect, A- WA AP, A-WX Controller, E3000, etc. IPS, NAC, Controller, Net- Procurve Security I8 34% Optics, SMS License HPN Network Management, HP Network Management and Wired Accessories, Routers- 1U 34% Software I7 and WAN Accessories, Software, Wireless Devices HP Network Accessories HP Network Accessories 35 34% WLAN WLAN 3P 34% Telephony Server HP Telephony 1U 34% Storage/VCX Hardware Services 7G, I9 20% HP Networking Services Software Services 7G 20% Installation Services 7G 20% MHEC Proposed Enterprise Security Products (ESP) Product Line % off USUDDP ArcSight Term & Perpetual SW licenses 49, 51 34% ArcSight Appliance 59 34% ArcSight Education Online Training F9, 5C 20% Education Classroom-based Training F9, 5C 20% Professional Services F9, 5C 20% Tipping Point Hardware and Software I8 34% Tipping Point Tipping Point Support I9 20% Atalla 5W 30% MHEC Proposed Aruba Networks, Inc, a Hewlett Packard Enterprise Company % off USUDDP Aruba Networking
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • HP Proliant DL380 Gen7 to Arcsight Gen7 Appliances.Pdf
    Hewlett-Packard Company 11445 Compaq Center Drive West Mail Stop 050807 Houston, TX 77070, USA www.hp.com To: Certification Body July 16, 2013 From: Hewlett-Packard Company 11445 Compaq Center Drive West Houston, TX 77070 USA Declaration of Similarity (DoS) for Product Families We, the undersigned manufacturer, confirm hereby that the following appliances are identical in all electrical safety and electromagnetic aspects from the regulatory point of view. REGULATORY MODEL NO. MARKETING NAME (DESCRIPTION) HSTNS-5141 HP Proliant DL380 G7 Server HP StorageWorks X1800 G2 Network Storage System HP StorageWorks X1800 G2 4.8TB SAS Network Storage System HP StorageWorks X1800 G2 4.8TB SAS Network Storage System/S- Buy HP StorageWorks X3800 G2 Network Storage Gateway HP MAS V4.3 Virtualization Server HP MAS V4.2 SAN Storage Node HP MAS V4.2 SAN Ctrl Storage Node HP SMS XL Appliance HP StoreVirtual 4130 600GB SAS Storage HP StoreVirtual 4130 CN 600GB SAS Storage HP StoreVirtual 4330 450GB SAS Storage HP StoreVirtual 4330 CN 450GB SAS Storage HP StoreVirtual 4330 900GB SAS Storage HP StoreVirtual 4330 CN 900GB SAS Storage HP StoreVirtual 4330 1TB MDL SAS Storage HP StoreVirtual 4330 CN 1TB MDL SAS Storage HP StoreVirtual 4330 FC 900GB SAS Storage HP StoreVirtual 4330 FC CN 900GB SAS Storage HP ArcSight AE-7405 Server HP ArcSight AE-7405-HA Server HP ArcSight AE-7405-NP Server HP ArcSight AE-7410 Server HP ArcSight AE-7410-HA Server HP ArcSight AE-7410-NP Server HP ArcSight AE-7425 Server HP ArcSight AE-7425-HA Server Page 1 of 4 Hewlett-Packard
    [Show full text]
  • A Survey of Security Research for Operating Systems∗
    A Survey of Security Research for Operating Systems∗ Masaki HASHIMOTOy Abstract In recent years, information systems have become the social infrastructure, so that their security must be improved urgently. In this paper, the results of the sur- vey of virtualization technologies, operating system verification technologies, and access control technologies are introduced, in association with the design require- ments of the reference monitor introduced in the Anderson report. Furthermore, the prospects and challenges for each of technologies are shown. 1 Introduction In recent years, information systems have become the social infrastructure, so that improving their security has been an important issue to the public. Besides each of security incidents has much more impact on our social life than before, the number of security incident is increasing every year because of the complexity of information systems for their wide application and the explosive growth of the number of nodes connected to the Internet. Since it is necessary for enhancing information security to take drastic measures con- cerning technologies, managements, legislations, and ethics, large numbers of researches are conducted throughout the world. Especially focusing on technologies, a wide variety of researches is carried out for cryptography, intrusion detection, authentication, foren- sics, and so forth, on the assumption that their working basis is safe and sound. The basis is what is called an operating system in brief and various security enhancements running on it are completely useless if it is vulnerable and unsafe. Additionally, if the operating system is safe, it is an urgent issue what type of security enhancements should be provided from it to upper layers.
    [Show full text]
  • Vid6014-Vr-0001 Draft
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report BAE Systems Information Technology, Inc. XTS-400 Version 6.4.U4 Report Number: CCEVS-VR-VID10293-2008 Dated: July 3, 2008 Version: 2.3 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9600 Savage Road Suite 6757 Gaithersburg, Maryland 20878 Fort George G. Meade, MD 20755-6740 i Acknowledgements: The TOE evaluation was sponsored by: BAE Systems Information Technology Inc. Evaluation Personnel: Arca Common Criteria Testing Laboratory Ms. Diann Carpenter Mr. J. David Thompson Dr. Gary Grainger Mr. John Boone Ms. Louise Huang Mr. Ray Rugen Mr. Ken Dill The National Security Agency . Validation Personnel: Dr. Jerome Myers, The Aerospace Corporation Mr. Daniel Faigin, The Aerospace Corporation ii Table of Contents 1 Executive Summary................................................................................................................ 1 2 Identification............................................................................................................................ 3 3 Security Policy ........................................................................................................................ 5 3.1 Identification and Authentication Policy ......................................................................... 5 3.2 Mandatory Access Control Policy .................................................................................
    [Show full text]
  • Freebsd Advanced Security Features
    FreeBSD Advanced Security Features Robert N. M. Watson Security Research Computer Laboratory University of Cambridge 19 May, 2007 Introduction ● Welcome! – Introduction to some of the advanced security features in the FreeBSD operating system ● Background – Introduce a series of access control and audit security features used to manage local security – Features appeared between FreeBSD 4.0 and FreeBSD 6.2, and build on the UNIX security model – To talk about new security features, we must understand the FreeBSD security architecture 19 May 2007 2 Post-UNIX Security Features ● Securelevels ● IPFW, PF, IPFilter ● Pluggable ● KAME IPSEC, authentication FAST_IPSEC modules (OpenPAM) ● Access control lists ● Crypto library and (ACLs) tools (OpenSSL) ● Security event audit ● Resource limits ● Mandatory access ● Jails, jail securelevels control (MAC) ● GBDE, GELI ● 802.11 security 19 May 2007 3 Brief History of the TrustedBSD Project ● TrustedBSD Project founded in April, 2000 – Goal to provide trusted operating system extensions to FreeBSD – DARPA funding began in July, 2001 – Continuing funding from a variety of government and industry sponsors – Work ranges from immediately practical to research – While many of these features are production- quality, some are still under development – Scope now also includes Apple's Mac OS X 19 May 2007 4 FreeBSD Security Architecture 19 May 2007 5 FreeBSD Security Architecture ● FreeBSD's security architecture is the UNIX security architecture – Entirely trusted monolithic kernel – UNIX process model – Kernel UIDs/GIDs driven by user-space user mode – Privileged root user – Various forms of access control (permissions, ...) ● Security features discussed here extend this security model in a number of ways 19 May 2007 6 Kernel and User Processes Kernel s s Inter-process e l c l communication c a a c m m e e t t s s y y s s e l i F User User User ..
    [Show full text]
  • CS526: Information Security
    Cristina Nita-Rotaru CS526: Information security Trusted Computing Base. Orange Book, Common Criteria Related Readings for This Lecture • Wikipedia } Trusted computing base } TCSEC } Common Criteria, } Evaluation Assurance Level 2 TCB Trusted vs. Trustworthy } A component of a system is trusted means that } the security of the system depends on it } if the component is insecure, so is the system } determined by its role in the system } A component is trustworthy means that } the component deserves to be trusted } e.g., it is implemented correctly } determined by intrinsic properties of the component Trusted Operating System is actually a misnomer 3 TCB Trusted Computing Base } A trusted computing base is the set of all hardware, software and procedural components that enforce the security policy. } in order to break security, an attacker must subvert one or more of them. } What consists of the conceptual Trusted Computing Based in a Unix/Linux system? } hardware, kernel, system binaries, system configuration files, etc. 4 TCB Trusted Path } A trusted path is a mechanism that provides confidence that the user is communicating with what the user intended to communicate with (typically TCB) } attackers can't intercept or modify whatever information is being communicated. } defends attacks such as fake login programs } Example: Ctrl+Alt+Del for log in on Windows 5 TCB Trusted Computing and Trusted Platform Module } Trusted Computing means that the computer will consistently behave in specific ways, and those behaviors will be enforced by hardware and software. } Trusted Computing Group } an alliance of Microsoft, Intel, IBM, HP and AMD; } promotes a standard for a `more secure' PC.
    [Show full text]