Designing Security Architecture Solutions, part 1 (PDF)


Document information

Designing Security Architecture Solutions
Jay Ramachandran
John Wiley & Sons, Inc.
Wiley Computer Publishing

Publisher: Robert Ipsen
Editor: Carol Long
Managing Editor: Micheline Frederick
Developmental Editor: Adaobi Obi
Text Design & Composition: D&G Limited, LLC

Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where John Wiley & Sons, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

This book is printed on acid-free paper.

Copyright © 2002 by Jay Ramachandran. All rights reserved.

Published by John Wiley & Sons, Inc. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ@WILEY.COM.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought.

Library of Congress Cataloging-in-Publication Data:
Ramachandran, Jay
Designing security architecture solutions / Jay Ramachandran.
p. cm.
“Wiley Computer Publishing.”
ISBN: 0-471-20602-4 (acid-free paper)
1. Computer security. I. Title.
QA76.9.A25 R35 2002
005.8—dc21 2001006821

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

DEDICATION
For Ronak, Mallika, and Beena

CONTENTS
Preface
Acknowledgments

Part One: Architecture and Security

Chapter 1: Architecture Reviews
  Software Process
  Reviews and the Software Development Cycle
  Software Process and Architecture Models
  Kruchten’s 4+1 View Model
  The Reference Model for Open Distributed Processing
  Rational’s Unified Process
  Software Process and Security
  Architecture Review of a System
  The Architecture Document
  The Introduction Section
  Sections of the Architecture Document
  The Architecture Review Report
  Conclusions

Chapter 2: Security Assessments
  What Is a Security Assessment?
  The Organizational Viewpoint
  The Five-Level Compliance Model
  The System Viewpoint
  Pre-Assessment Preparation
  The Security Assessment Meeting
  Security Assessment Balance Sheet Model
  Describe the Application Security Process
  Identify Assets
  Identify Vulnerabilities and Threats
  Identify Potential Risks
  Examples of Threats and Countermeasures
  Post-Assessment Activities

[...]
... Infrastructure

Security Extensions in Java
Systems Architecture
Microsoft Authenticode
Global Infrastructure
Local Infrastructure
Structure within the Local Machine
Authenticode and Safety
Internet Explorer Zones
Customizing Security...

IPSec Architecture Layers
IPSec Overview
Policy Management
IPSec Transport and Tunnel Modes
IPSec Implementation
Authentication Header Protocol
Encapsulating Security Payload
Internet Key Exchange
Some Examples of Secure IPSec Datagrams
IPSec Host Architecture
IPSec Issues
Conclusion

... Avoidance
Prevention by Using Validators
Sentinel
Layer
Sandbox
Wrapper
Interceptors
Why Are So Many Patterns Applicable?
Stack Growth Redirection
Hardware Support

Security and Perl
Syntax Validation
Sentinel
Sandbox
Bytecode Verification in Java
Good Coding Practices Lead to Secure Code
Conclusion

Chapter 6: Cryptography...

Part Three: Mid-Level Architecture

Chapter 9: Middleware Security
  Middleware and Security
  Service Access
  Service Configuration
  Event Management
  Distributed Data Management
  Concurrency and Synchronization
  Reusable Services
  The Assumption of Infallibility
  The Common Object Request Broker Architecture
  The OMG CORBA Security...
Enterprise Web Server Architectures
The Java 2 Enterprise Edition Standard
Server-Side Java
Java Servlets
Servlets and Declarative Access Control
Enterprise Java Beans
Conclusion

Chapter 11: Application and OS Security
  Structure of an Operating...

Chapter 14: Security and Other Architectural Goals
  Metrics for Non-Functional Goals
  Force Diagrams around Security
  Normal Architectural Design
  Good Architectural Design
  High Availability
  Security Issues
  Robustness
  Binary Patches
  Security Issues
  Reconstruction of Events
  Security Issues
  Ease of Use
  Security Issues

... Enterprise Security and Low Amortized Cost Security Controls
Conclusion

Security Architecture Basics
  Security As an Architectural Goal
  Corporate Security Policy and Architecture
  Vendor Bashing for Fun and Profit
  Security and Software Architecture
  System Security Architecture Definitions
  Security and Software Process
  Security Design Forces against Other Goals
  Security Principles
  Additional Security-Related...

Maintainability, Adaptability, and Evolution
Security Issues
Scalability
Security Issues
Interoperability
Security Issues
Performance
Security Issues
Portability
Security Issues
Conclusion

Chapter 15: Enterprise Security Architecture
  Security as a Process
  Applying Security Policy
  Security Data
  Databases...
... Elements
Wrapper
Filter
Interceptor
Proxy
Platforms
Transport Tunnel
Distributor
Concentrator
Layer
Elevator
Sandbox
Magic
Conclusion

Part Two: Low-Level Architecture

Chapter 5: Code Review
  Why Code Review Is Important
  Buffer Overflow Exploits
  Switching Execution Contexts in UNIX
  Building a Buffer Overflow Exploit
  Components...

... Control Rules
Understanding the Application’s Access Needs
Other Core Security Properties
Analyzing a Generic System
Conclusion

Architecture Patterns in Security
  Pattern Goals
  Common Terminology
  Architecture Principles and Patterns
  The Security Pattern Catalog
  Entity
  Principal

... UNIX
Building a Buffer Overflow Exploit
Components of a Stack Frame
Why Buffer Overflow Exploits Enjoy Most-Favored Status
Countermeasures Against Buffer Overflow Attacks
Avoidance

Date posted: 14/08/2014, 18:20
