Computer Security: Art and Science

26.9 Exercises

1:
Suppose a new class of users, the system security officers (SSOs), were to be added to the access control matrix discussed in Section 26.2.2. Augment the matrix with the change right. This right allows the user to alter the classes of other users in that category. For example, if user Amy had change rights over the class "developers," she could change the class of user Tom, who is currently in the "developers" class, to any of the other four classes.

Let Alice be a member of the SSO class, and let her have change rights over the "developers" and "employees" classes. Let Bob be a member of the SSO class, with change rights over "outsiders" and "employees." Redraw the matrix for this situation and write rules describing the allowed transformations of the matrix.
Describe any problems that might occur if Alice and Bob were not careful about the changes of classes they made. Could information leak in undesired ways? If so, give an example. If not, show why not.
Should members of the SSO class be allowed to apply the change right to members of that class? Justify your answer. In particular, state what damage could occur if this were allowed, and if it were not allowed.
2:
Assume that an attacker has found a technique for sending packets through the outer firewall to the DMZ without the packets being checked. (The attacker does not know the internal addresses of hosts in the DMZ.) Using this technique, how can the attacker arrange for a packet to be sent to the WWW server in the DMZ without the firewall checking the packet?
3:
Consider the scheme used to allow customers to submit their credit card and order information. Section 26.3.3.2 states that the enciphered version of the data is stored in a spooling area that the Web server cannot access.

Why is the file kept inaccessible to the Web server?
Because the file is inaccessible to the Web server, and no other services are available to an attacker from the Internet, the encipherment may seem unnecessary. Discuss this issue, but assume that the attacker is on the internal network.
4:
The organization of the network provides a DMZ to which the public has controlled access. This follows the principle of least privilege, as noted in Section 26.3.3.5. For each of Saltzer and Schroeder's other design principles [865] (see Chapter 13), explain how the principle is relevant to the creation of the DMZ. Justify your answer.
5:
A security analyst wishes to deploy intrusion detection monitors to determine if any attackers penetrate the Drib's network.

Where should the intrusion detection monitors be placed in the network's topology, and why?
If the analyst wished to monitor insider attacks (that is, attacks by people with access to the Drib's internal network), how would your answer to part (a) change (if at all)? Justify your changes (or lack of changes).
6:
The Drib has hired the computer security firm of Dewey, Cheatham, and Howe to audit their networks. The analyst from DC&H arrives and produces a floppy disk. She states that the disk is to be loaded onto a system on the internal network. She will then run the program. It will scan the Drib's networks and send the information to DC&H's headquarters in Upper Bottom. There, DC&H analysts will determine whether the Drib's security is acceptable, and will recommend changes.

The analyst informs the Drib that the program works by sending the data to DC&H's headquarters over the Internet using a proprietary protocol. She requests that the firewalls be opened to allow communications to remote hosts with destination port 80. The audit department manager, who was told to hire DC&H by the Drib's CEO, is nervous. Should his security expert recommend that the communication be allowed, or not? Why?
The analyst is asked exactly what the program does. She assures the Drib that it does nothing harmful. Given that she is so vague, the Drib security officers want to find out more information. Suggest four or five questions that they should ask to obtain the information they seek.
The analyst admits that her answers are based on what the DC&H auditors have told her. When asked for the source code of the program on the floppy, she states that it is proprietary and cannot be released. What could the Drib's officers do to assure themselves that the program is not harmful?
Based on the actions of the analyst, and assuming that finances are not a consideration, would you hire DC&H to analyze your network security? Why or why not?
7:
This exercise asks you to compare an SMTP server such as sendmail with an SMTP proxy for an application level firewall. Your answers should assume that the questions refer to the Drib's network.

The SMTP server must be able to parse electronic mail addresses. It may have to change the destination address (so the mail can be delivered correctly) and/or the source address (so the recipient can reply). Would an SMTP proxy on the outer firewall need to rewrite addresses of mail moving from the Internet to the DMZ? From the DMZ's mail server to the Internet? If not, explain why not. If so, explain which addresses would need to be rewritten, and how.
The SMTP server must be able to deliver mail locally. Does the SMTP proxy server need to deliver mail locally (that is, on the outer firewall)? Why or why not?
Considering your answers to the previous two parts, how does the complexity of the SMTP proxy compare with the complexity of the SMTP server? From the point of view of security, is this important? Justify your answer.
8:
Suppose the Drib wished to allow employes to telecommute. In order to protect the network, they require all remote connections (other than those for the Web and mail servers) to use SSH.

Discuss the required changes in the network infrastructure. In particular, should the outer firewall provide an SSH proxy or a packet filter to incoming SSH connections? Why?
The destination of an SSH connection from the Internet might be the address of any host on the internal network. Such addresses, however, are not broadcast to the Internet and in fact may be addresses that routers on the Internet should not pass (such as 10.x.x.x). Devise a method or protocol that will continue to conceal the addresses of the hosts on the internal network but still allow SSH connections from the Internet to arrive at the proper destinations. What supporting infrastructure must the Drib add to its network?
The inner firewall will pass SSH connections, provided that one endpoint is the trusted administration server on the internal network. With the above-mentioned change, the destination of the incoming SSH connection may be any host on the internal network. For this question, assume that the addresses of the hosts on the internal network are kept within the internal network�in other words, that the method or protocol in part (b) is implemented. What are the security implications of allowing SSH connections to any internal host through the inner firewall? Should such connections be restricted (for example, by requiring users to register the hosts from which they will be connecting)?
An alternative to allowing the SSH connections through the firewall is to provide a specific host (the "SSH host") on the internal network that is also connected to the Internet. Telecommuters could use SSH to log into this system, and from it reach systems on the internal network. (The difference between this method and allowing connections through the firewall is that the user must log into the intermediate host, and from there move to the internal system. The firewall approach makes the intermediate system transparent.) Identify the minimum number of services that this system should run in order to fulfill its function. Why must these services be run? As part of your answer, identify any other systems (such as DNS servers, mail servers, and so on) that this SSH host would have to trust.
From the point of view of Saltzer and Schroeder's design principles [865] (see Chapter 13), is the solution suggested in part (d) better than, worse than, or the same as the solutions involving access through the firewall? Justify your answer.
9:
Consider the first example in Section 26.4.1.

Why does the router not save time by opening a connection to the destination host before the pending connection completes its three-way handshake?
The router is protecting a target from being flooded. Is the router itself vulnerable to a flooding attack? If not, why not, and why won't the same property make the target immune? If the router is vulnerable, does the attack on the router differ from the attack on the target? How?
10:
The Linux system uses the SYN cookie approach discussed in the first example in Section 26.4.2, with one modification. The maximum segment size (MSS) is sent as part of the initial SYN. This value must be encoded in the sequence number so that the state can be properly reconstructed when the ACK arrives. The MSS used is three bits. The Linux system simply adds it to the SYN cookie shown in the example. How does the system recover the MSS from the ACK's sequence number?

Top

1:	Suppose a new class of users, the system security officers (SSOs), were to be added to the access control matrix discussed in Section 26.2.2. Augment the matrix with the change right. This right allows the user to alter the classes of other users in that category. For example, if user Amy had change rights over the class "developers," she could change the class of user Tom, who is currently in the "developers" class, to any of the other four classes. Let Alice be a member of the SSO class, and let her have change rights over the "developers" and "employees" classes. Let Bob be a member of the SSO class, with change rights over "outsiders" and "employees." Redraw the matrix for this situation and write rules describing the allowed transformations of the matrix. Describe any problems that might occur if Alice and Bob were not careful about the changes of classes they made. Could information leak in undesired ways? If so, give an example. If not, show why not. Should members of the SSO class be allowed to apply the change right to members of that class? Justify your answer. In particular, state what damage could occur if this were allowed, and if it were not allowed.
2:	Assume that an attacker has found a technique for sending packets through the outer firewall to the DMZ without the packets being checked. (The attacker does not know the internal addresses of hosts in the DMZ.) Using this technique, how can the attacker arrange for a packet to be sent to the WWW server in the DMZ without the firewall checking the packet?
3:	Consider the scheme used to allow customers to submit their credit card and order information. Section 26.3.3.2 states that the enciphered version of the data is stored in a spooling area that the Web server cannot access. Why is the file kept inaccessible to the Web server? Because the file is inaccessible to the Web server, and no other services are available to an attacker from the Internet, the encipherment may seem unnecessary. Discuss this issue, but assume that the attacker is on the internal network.
4:	The organization of the network provides a DMZ to which the public has controlled access. This follows the principle of least privilege, as noted in Section 26.3.3.5. For each of Saltzer and Schroeder's other design principles [865] (see Chapter 13), explain how the principle is relevant to the creation of the DMZ. Justify your answer.
5:	A security analyst wishes to deploy intrusion detection monitors to determine if any attackers penetrate the Drib's network. Where should the intrusion detection monitors be placed in the network's topology, and why? If the analyst wished to monitor insider attacks (that is, attacks by people with access to the Drib's internal network), how would your answer to part (a) change (if at all)? Justify your changes (or lack of changes).
6:	The Drib has hired the computer security firm of Dewey, Cheatham, and Howe to audit their networks. The analyst from DC&H arrives and produces a floppy disk. She states that the disk is to be loaded onto a system on the internal network. She will then run the program. It will scan the Drib's networks and send the information to DC&H's headquarters in Upper Bottom. There, DC&H analysts will determine whether the Drib's security is acceptable, and will recommend changes. The analyst informs the Drib that the program works by sending the data to DC&H's headquarters over the Internet using a proprietary protocol. She requests that the firewalls be opened to allow communications to remote hosts with destination port 80. The audit department manager, who was told to hire DC&H by the Drib's CEO, is nervous. Should his security expert recommend that the communication be allowed, or not? Why? The analyst is asked exactly what the program does. She assures the Drib that it does nothing harmful. Given that she is so vague, the Drib security officers want to find out more information. Suggest four or five questions that they should ask to obtain the information they seek. The analyst admits that her answers are based on what the DC&H auditors have told her. When asked for the source code of the program on the floppy, she states that it is proprietary and cannot be released. What could the Drib's officers do to assure themselves that the program is not harmful? Based on the actions of the analyst, and assuming that finances are not a consideration, would you hire DC&H to analyze your network security? Why or why not?
7:	This exercise asks you to compare an SMTP server such as sendmail with an SMTP proxy for an application level firewall. Your answers should assume that the questions refer to the Drib's network. The SMTP server must be able to parse electronic mail addresses. It may have to change the destination address (so the mail can be delivered correctly) and/or the source address (so the recipient can reply). Would an SMTP proxy on the outer firewall need to rewrite addresses of mail moving from the Internet to the DMZ? From the DMZ's mail server to the Internet? If not, explain why not. If so, explain which addresses would need to be rewritten, and how. The SMTP server must be able to deliver mail locally. Does the SMTP proxy server need to deliver mail locally (that is, on the outer firewall)? Why or why not? Considering your answers to the previous two parts, how does the complexity of the SMTP proxy compare with the complexity of the SMTP server? From the point of view of security, is this important? Justify your answer.
8:	Suppose the Drib wished to allow employes to telecommute. In order to protect the network, they require all remote connections (other than those for the Web and mail servers) to use SSH. Discuss the required changes in the network infrastructure. In particular, should the outer firewall provide an SSH proxy or a packet filter to incoming SSH connections? Why? The destination of an SSH connection from the Internet might be the address of any host on the internal network. Such addresses, however, are not broadcast to the Internet and in fact may be addresses that routers on the Internet should not pass (such as 10.x.x.x). Devise a method or protocol that will continue to conceal the addresses of the hosts on the internal network but still allow SSH connections from the Internet to arrive at the proper destinations. What supporting infrastructure must the Drib add to its network? The inner firewall will pass SSH connections, provided that one endpoint is the trusted administration server on the internal network. With the above-mentioned change, the destination of the incoming SSH connection may be any host on the internal network. For this question, assume that the addresses of the hosts on the internal network are kept within the internal network�in other words, that the method or protocol in part (b) is implemented. What are the security implications of allowing SSH connections to any internal host through the inner firewall? Should such connections be restricted (for example, by requiring users to register the hosts from which they will be connecting)? An alternative to allowing the SSH connections through the firewall is to provide a specific host (the "SSH host") on the internal network that is also connected to the Internet. Telecommuters could use SSH to log into this system, and from it reach systems on the internal network. (The difference between this method and allowing connections through the firewall is that the user must log into the intermediate host, and from there move to the internal system. The firewall approach makes the intermediate system transparent.) Identify the minimum number of services that this system should run in order to fulfill its function. Why must these services be run? As part of your answer, identify any other systems (such as DNS servers, mail servers, and so on) that this SSH host would have to trust. From the point of view of Saltzer and Schroeder's design principles [865] (see Chapter 13), is the solution suggested in part (d) better than, worse than, or the same as the solutions involving access through the firewall? Justify your answer.
9:	Consider the first example in Section 26.4.1. Why does the router not save time by opening a connection to the destination host before the pending connection completes its three-way handshake? The router is protecting a target from being flooded. Is the router itself vulnerable to a flooding attack? If not, why not, and why won't the same property make the target immune? If the router is vulnerable, does the attack on the router differ from the attack on the target? How?
10:	The Linux system uses the SYN cookie approach discussed in the first example in Section 26.4.2, with one modification. The maximum segment size (MSS) is sent as part of the initial SYN. This value must be encoded in the sequence number so that the state can be properly reconstructed when the ACK arrives. The MSS used is three bits. The Linux system simply adds it to the SYN cookie shown in the example. How does the system recover the MSS from the ACK's sequence number?