ISEC413 Spring 2021

The document outlines the concept of security architecture, emphasizing its role in designing unified security systems that address risks and apply controls based on various factors. It discusses information systems architecture, components, and the importance of integrating security into system development processes. Additionally, it presents a case study of a furnace system architecture, analyzing different options and their security implications, ultimately proposing enhancements to meet security requirements.

Security Architecture

Introduction

Dr. Ahmed Al Faresi


Security Architecture
Security architecture is defined as “a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls.”
Security Architecture
The information system architecture:
• Micro: protocol, application, physical device based on CIAA
• Macro: service-client, service-service, ecosystem of storage, processing, transmission.
The key attributes of security architecture are:
• The study of the relationship of different components and how
they depend on each other.
• The determination of controls based on risk assessment, good
practice, finances, and legal matters.
• The standardization of controls.
Information Systems
• Wise decisions require:
  - Accurate and timely information
  - Information integrity
• Information system: comprised of components working together to produce and generate accurate information
• Categorized based on usage
Information Systems (Cont’d)
Information system components include:
• Data
• Procedures
• Hardware
• Software
• Network
• People
Information Systems (Cont’d)
• Client/server architecture:
  - Based on the business model
  - Can be implemented as one-tier, two-tier or n-tier
  - Composed of three layers
• Tier: physical or logical platform
• Database management system (DBMS): collection of programs that manage a database
Concepts of system architectures (1/5)
• Architecture: the organizational structure of a system of components [IEEE Glossary]
• It is the overall structure of a system [Bass]
  - Structure is the components and connectors [Bass]
• Architectural design: the process of defining a collection of hardware and software components and their interfaces to establish the framework for the development of a computer system [IEEE Glossary]
Concepts of system architectures (2/5)
• Components (computation)
  - Hardware: workstations, servers, mainframes, printers, sensors, actuators, …
  - Software: operating systems, database systems, middleware, browsers, applications, utilities, firewalls, ...
Concepts of system architectures (2/5)
• Connectors (communication)
  - Hardware: communication links such as routers, switches, public telephone network, leased lines, virtual private networks, …
  - Software: communication protocols such as TCP/IP, SNMP, HTTP, FTP, …; linkage conventions such as procedure calls, remote procedure calls, thread initiation, ...
Concepts of system architectures (3/5)
• Modern enterprise system architectures integrate computation and communication:
  - Computation: Moore’s Law; MIPS and processing costs; storage size and costs (main memory, secondary storage)
  - Communication: Metcalfe’s Law; speed and cost; WAN, LAN, SAN
[Figure: Enterprise System Architectures]
Concepts of system architectures (4/5)
Architecture properties:
• Functional properties: must satisfy domain-specific functional requirements and specifications
• Non-functional properties (the “ilities”): must satisfy performance, availability, reliability, safety, security, survivability, maintainability, usability, manageability, … properties

Architecture trade-offs:
• Properties can conflict
• Trade-offs seek optimal combinations of properties based on cost/benefit analysis
Concepts of system architectures (5/5)
The stages of enterprise information system architectures:
• Batch – 60s and 70s
  - SW enabler: programming languages, job control
  - Business motivation: automate clerical tasks
• On-line transaction processing – 80s
  - SW enabler: networking, databases, transaction monitors
  - Business motivation: automate the front office
• Integrated systems – 90s
  - SW enabler: internet standards, middleware, components
  - Business motivation: opening the business to the web
• Web services – 00s
  - A possible fourth in the near future
  - SW enabler: standards for data and services, composability
  - Business motivation: efficiency, reduce IT costs?
An information system architecture
• is a specification for development of a system
• composed of hardware and software components and connectors
• whose external behavior satisfies the enterprise mission and business requirements
[Diagram: enterprise mission and business requirements → (design) system architecture → (design) system development → system operation, with a validate arrow back at each stage]
Architecture and the system development cycle
Requirements: define concept of operations for the enterprise/business mission and the system requirements
Specification: define required system external behavior
Architecture: define components and their connections (software and data; hardware and network)
Design: define component designs or acquire components
Implementation: develop code
Testing: exercise code against specifications
Operations: execute the business mission
(Architecture is the right level for analysis and design of security)
(Effective life cycle processes are incremental and iterative)
Information Security Architecture
• “The security architecture of an information system is fundamental to enforcing an organization’s information security policy.”
• Security architecture describes how system security is integrated to satisfy security requirements.
• Security requirements are not just added steps to the development process; they are specifications or guidelines influencing the life cycle.
Information Security Architecture (Cont’d)
• Guidance
• Aligning business and security objectives
• Using security best practices
• Model for protecting logical and physical assets
• Is the overall design of a company’s implementation of the C.I.A. triangle

Information Security Architecture (Cont’d)
ISA Components include:
• Policies and procedures
• Security personnel and administrators
• Detection equipment
• Security programs
• Monitoring equipment
• Monitoring applications
• Auditing procedures and tools
Process framework for a Security Architecture
The furnace system example
• Remote temperature sensor (RTS) system exists to measure temperatures of a set of 16 furnaces and report them to 16 clients (one furnace per client, client-server architecture)
• Normal scenario
  - A client requests that the RTS server change the schedule for temperature readings for a furnace (each furnace can report on a different periodic schedule)
  - A furnace temperature is read by the RTS server and sent to the client based on the current schedule for readings
The furnace system example
• Three architectures are proposed
  - Client-server
  - Client-server-server
  - Client-intelligent cache-server
• Architecture tradeoffs are analyzed for performance, availability, and security attributes
Furnace system architecture - option 1
[Diagram: furnaces 1-16 feed temperatures to a single RTS server; the server exchanges schedule requests and temperatures over the LAN with furnace clients 1-16]
Exercise
• Give some examples of attack scenarios for option 1.
Attack scenarios -- 1
Man-in-the-Middle attack
• Use TCP intercept tool to modify temperature values during transmission
Man-in-the-Middle Attack
[Diagram: option 1 with an attacker positioned on the LAN between the RTS server and the furnace clients]
Attack scenarios -- 2
Spoof-the-Server attack -- three methods
• Server failure: wait for server to fail, spoof its address, and take over connections
• Kill server: cause the server to fail, spoof its address, and take over connections
• Kill connection: disrupt client-server connection, spoof server address, and take over connections
Spoof-the-Server Attack
[Diagram: option 1 with an attacker on the LAN impersonating the RTS server to the furnace clients]
Furnace system architecture - option 2
[Diagram: two RTS servers on the LAN; furnaces 1-8 attach to RTS Server 1 and furnaces 9-16 to RTS Server 2, serving furnace clients 1-16]
Each server is primary to 8 clients and backup to 8 clients
Furnace system architecture - option 3
[Diagram: furnaces 1-16 feed a single RTS server; each furnace client 1-16 is fronted by an intelligent cache (IC) on the LAN]
IC = Intelligent Cache: saves history of temperatures and extrapolates future values if server or connection to server is lost
Security model example (1/4)
Security requirement: focus on accuracy of temperature reports
 “The temperature readings must not be corrupted before they arrive at the
client”
Security model example (2/4)
• To calculate probability of successful attack within window of opportunity, estimate values for RTS attack parameters:

  Attack component                  Value
  attack exposure window            60 minutes
  attack rate                       0.05 systems/minute
  server failure rate               24 failures/year
  probability of server failure     0.0027
  probability of TCP intercept      0.5
  probability of spoof IP address   0.9
  probability of kill connection    0.75
  probability of kill server        0.25
Security model example (3/4)
Terminology
• W is length of time an intruder can operate undetected
• R is rate of attack within W
• P is probability of success in an attack step
Attack scenarios consist of several steps, each with some probability of success, so the general expression is:
Expectation (E) = W * R * P1 * … * Pn
Security model example (4/4)
Man-in-the-Middle attack: E = W * R * Ptcp-intercept = 60 * 0.05 * 0.5 = 1.5
Spoof-the-Server attack
• Server failure: E = W * R * Pserver-failure * Pspoof-ip = 60 * 0.05 * 0.0027 * 0.9 = 0.00729
• Kill server: E = W * R * Pkill-server * Pspoof-ip = 60 * 0.05 * 0.25 * 0.9 = 0.66
• Kill connection: E = W * R * Pkill-connection * Pspoof-ip = 60 * 0.05 * 0.75 * 0.9 = 2.04
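As an added example (not part of the slides), the E = W * R * P1 * … * Pn model coded up with the parameter estimates from the table, generalized to derive the server-failure probability from the 24 failures/year rate and to accept any window W, so the same code also produces the 5-minute window that the new intelligent cache is later estimated to leave an intruder. The formula gives 0.675 and 2.025 for the kill-server and kill-connection cases, where the slide quotes 0.66 and 2.04.

```python
# Added example: the course's E = W * R * P1 * ... * Pn intrusion model for
# the RTS furnace system, using the slide's estimated attack parameters.
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60

# Estimates from the "Security model example (2/4)" table.
PARAMS = {
    "attack_rate": 0.05,        # R, systems/minute
    "server_failure_rate": 24,  # failures/year
    "tcp_intercept": 0.5,       # P for the man-in-the-middle step
    "spoof_ip": 0.9,            # P for spoofing the server address
    "kill_connection": 0.75,
    "kill_server": 0.25,
}


def p_server_failure(window_minutes, failures_per_year=PARAMS["server_failure_rate"]):
    """Chance the server fails on its own within the attack window W.
    24 failures/year over 60 minutes gives ~0.0027, the value tabulated on the slide."""
    return failures_per_year * window_minutes / MINUTES_PER_YEAR


def expectation(window_minutes, rate, step_probabilities):
    """E = W * R * P1 * ... * Pn: expected successful intrusions within W."""
    return window_minutes * rate * prod(step_probabilities)


def scenarios(window_minutes):
    """Expected intrusions for each attack scenario, given undetected window W."""
    p, r = PARAMS, PARAMS["attack_rate"]
    spoof = p["spoof_ip"]
    return {
        "man_in_the_middle": expectation(window_minutes, r, [p["tcp_intercept"]]),
        "spoof_server_failure": expectation(
            window_minutes, r, [p_server_failure(window_minutes), spoof]),
        "spoof_kill_server": expectation(window_minutes, r, [p["kill_server"], spoof]),
        "spoof_kill_connection": expectation(window_minutes, r, [p["kill_connection"], spoof]),
    }


if __name__ == "__main__":
    # 60 minutes is the slide's exposure window; 5 minutes is the window the
    # revised intelligent cache is estimated to leave an intruder.
    for w in (60, 5):
        print(f"W = {w} minutes")
        for name, e in scenarios(w).items():
            print(f"  {name:22s} {e:.5f}")
```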
Architecture analysis and evolution
Analysis shows the security attribute is not satisfied in any of the three architectures, which have no security features
Propose a revised architecture
• Add encryption/decryption to communication links
• Add “new intelligent cache” to clients to detect out-of-range temperature variations possibly from intruders
Requires additional attack components
• Decryption: decode and modify temperatures
• Replay: intercept temperatures and resend later
• Key distribution: intruder obtains encryption keys
Revised architecture will satisfy the security attribute
Revised furnace system architecture
[Diagram: the RTS server and each furnace client 1-16 communicate over the LAN through encryption/decryption (E/D) units, and each client carries a new IC]
E/D = encryption/decryption
Security analysis: just encryption/decryption
• Adding encryption requires additional estimates:

  Attack component                          Value
  probability of successful decryption      0.0005
  probability of successful replay          0.05
  probability of obtaining encryption keys  0.09

• Expected intrusions with encryption/decryption drop by at least an order of magnitude:

  Attack type        Expected intrusions in 60 minutes
  kill connection    0.182
  kill server        0.338
  server failure     0.0006
Security analysis: just new intelligent cache
• New cache treats out-of-bound temperature change as possible result of intrusion and thus aids operator in detecting intrusions
• Result: attack window drops from estimated 60 to 5 minutes

  Attack type        Expected intrusions in 60 minutes
  kill connection    0.169
  kill server        0.056
  server failure     0.005

• Thus, number of expected intrusions drops 1-2 orders of magnitude (comparable to encryption), but at less cost and performance impact -- this is the best tradeoff choice
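An added illustration (not from the course material) of what the option 3 intelligent cache and the revised “new” cache do on the client side: keep a history of server reports, extrapolate when the server or the connection is lost, and raise an operator alert when a report jumps faster than a furnace plausibly can. The history length, the linear extrapolation and the 50 degrees/minute bound are assumptions of this example.

```python
# Added example: a client-side "intelligent cache" (IC) for one furnace client.
# It keeps the history of server reports, extrapolates when the server or the
# connection is lost (option 3), and flags out-of-range jumps as possible
# intrusions for the operator (the revised "new" IC). History length, linear
# extrapolation and the 50 deg/min bound are assumptions of this example.
from collections import deque


class IntelligentCache:
    def __init__(self, history_size=8, max_rate=50.0):
        self.history = deque(maxlen=history_size)  # (time in minutes, temperature)
        self.max_rate = max_rate                    # largest plausible change, deg/minute
        self.alerts = []                            # (time, temperature, reason) for the operator

    def record(self, t, temperature):
        """Accept a temperature report from the RTS server.
        Returns False (and logs an alert) if the change since the last trusted
        reading is faster than the furnace could physically move."""
        if self.history:
            t_prev, temp_prev = self.history[-1]
            elapsed = max(t - t_prev, 1e-9)
            rate = abs(temperature - temp_prev) / elapsed
            if rate > self.max_rate:
                self.alerts.append((t, temperature, f"{rate:.1f} deg/min exceeds bound"))
                return False  # keep the suspect value out of the trusted history
        self.history.append((t, temperature))
        return True

    def estimate(self, t):
        """Extrapolate the temperature at time t from the trusted history.
        Used when no report arrives because the server or its connection is lost."""
        if not self.history:
            return None
        if len(self.history) == 1:
            return self.history[0][1]
        (t0, y0), (t1, y1) = self.history[0], self.history[-1]
        slope = (y1 - y0) / (t1 - t0)
        return y1 + slope * (t - t1)


if __name__ == "__main__":
    ic = IntelligentCache()
    # Constructed reports: a furnace warming 5 degrees per minute, then a
    # tampered value of 1500 that no furnace reaches within one minute.
    for t, temp in [(0, 800.0), (1, 805.0), (2, 810.0), (3, 815.0), (4, 820.0), (5, 1500.0)]:
        print(t, temp, "accepted" if ic.record(t, temp) else "ALERT")
    print("estimate at t=8 with server lost:", ic.estimate(8))  # 840.0
```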
Overall sensitivity analysis
• Availability and performance attributes were positively correlated to the number of servers
• Security is negatively correlated to number of servers
  - Additional server switching logic in clients is another entry point for spoofing attacks not present when hard-wired to a single server
  - Probability of server failure increases with number of servers
• Number of servers is a significant architecture tradeoff point
Practice: design the following information systems
• University
• Public clinics
• E-commerce website