
  
3.1.1 Interactions within the security engines

The structure of most ICT systems today follows a layered model as in figure 3.2 [GOL97, p.7]. It is a fundamental security design principle that security controls at any layer of an ICT system can be bypassed by gaining access to "the layer below" [GOL97, p.39]. A person with super-user access to a computer system is in a position to subvert every program enforcing security rules at the service or application level, because he has direct access to the memory structures of the operating system. Similarly, security mechanisms can be implemented at various levels of the OSI or TCP/IP model (see appendix B), and these mechanisms can be compromised when an attacker succeeds in obtaining access to the layer below. A good security system should therefore be able to relate incidents at various levels. Consider an IPSEC implementation using authenticated headers (AH). If an intruder manages to break the security mechanisms at the IP layer (e.g. data encryption), he could possibly replace the encapsulated TCP packets with a different payload and obtain authenticated access to higher level services.


  
Figure 3.2: Layers in an IT system
\resizebox*{0.33\textwidth}{!}{\includegraphics{it-layers.eps}}


There are a number of reasons to provide security at all levels:

1. Exhaustive security at the top level, the application level, protects the services offered on computer systems. These services, however, directly support the business and are therefore quite likely to change over time. This makes exhaustive protection at the application layer alone extremely difficult.

2. By subverting security at a lower level, access to services higher up the model can be jeopardized; take for instance a denial of service attack by ping-flooding. Lower level network protocols (e.g. ICMP) can also be used to convey information through covert channels that cannot be detected at higher levels.

3. Different types of authentication may be required at different layers. Higher level services or applications tend to authenticate users, whereas lower level services tend to authenticate computer hosts, based on their IP address for example. Combinations of authentication measures can be applied to control access to various resources depending on their security classification (such as "secret" versus "public").

A security engine for a particular (set of) resources will therefore have to manage multiple levels of protection. Suppose access to a confidential subnet of a partitioned network is granted -- or refused -- based on the IP address and the protocol used by the originator of a service request. A second defense mechanism uses public key authentication to grant access to secret information on a webserver (e.g. using TLS/SSL). A security system monitoring only transport layer requests would not notice an impersonation attack performed by spoofing the IP address to get access to the confidential subnet. A system that protects only against IP spoofing would not detect someone who already has access to the confidential subnet breaking into the secret webserver.
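The following is an added illustration, not code from the thesis, of why a security engine has to relate the decisions of the IP-layer control and the TLS-protected webserver described above. It assumes a constructed network layout (confidential subnet 10.1.0.0/16, secret webserver 10.1.200.5), two constructed event streams, and three hypothetical correlation rules; each rule flags something that neither layer's monitor would notice on its own.

```python
"""Cross-layer event correlation (added example; layout, events and rules are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed network layout: the confidential subnet and the webserver
# holding secret information inside it (constructed values).
CONFIDENTIAL = ip_network("10.1.0.0/16")
SECRET_SERVER = "10.1.200.5"
REFUSAL_THRESHOLD = 3  # arbitrary threshold for rule R2


@dataclass
class NetEvent:
    """Decision of the IP-layer control (address/protocol filter)."""
    src_ip: str
    proto: str
    dst_ip: str
    decision: str  # "permit" or "deny"


@dataclass
class AppEvent:
    """Decision of the TLS-protected webserver (public key authentication)."""
    src_ip: str
    server_ip: str
    client_dn: str  # subject of the presented client certificate
    resource: str   # "public" or "secret"
    result: str     # "granted" or "refused"


def correlate(net: List[NetEvent], app: List[AppEvent]) -> List[str]:
    """Relate both layers' decisions and return human-readable findings."""
    findings = []
    permitted = {(e.src_ip, e.dst_ip) for e in net if e.decision == "permit"}

    # R1: an application-layer session whose (source, server) pair the
    # IP-layer control never permitted reached the server some other way,
    # i.e. the control below was bypassed or does not see that path.
    for a in app:
        if a.result == "granted" and (a.src_ip, a.server_ip) not in permitted:
            findings.append(
                f"R1 no IP-layer permit for {a.src_ip}->{a.server_ip} ({a.client_dn})")

    # R2: a host the IP layer legitimately admits to the confidential subnet
    # keeps failing TLS authentication against the secret server. The
    # IP-layer control cannot see this; only the application layer can.
    refusals = defaultdict(int)
    for a in app:
        if (a.result == "refused" and a.resource == "secret"
                and ip_address(a.src_ip) in CONFIDENTIAL):
            refusals[a.src_ip] += 1
    for src, n in refusals.items():
        if n >= REFUSAL_THRESHOLD:
            findings.append(
                f"R2 {n} refused secret-access attempts from confidential host {src}")

    # R3: one client certificate presented from several source addresses.
    # The application layer trusts the certificate and the IP layer trusts
    # the address; neither alone notices that the two bindings disagree.
    sources = defaultdict(set)
    for a in app:
        sources[a.client_dn].add(a.src_ip)
    for dn, ips in sources.items():
        if len(ips) > 1:
            findings.append(f"R3 certificate {dn} used from {sorted(ips)}")
    return findings


# Constructed sample events: one legitimate user, one confidential-subnet
# host hammering the secret server, one outside address reusing alice's cert.
SAMPLE_NET = [
    NetEvent("10.1.3.7", "tcp", SECRET_SERVER, "permit"),
    NetEvent("10.1.3.8", "tcp", SECRET_SERVER, "permit"),
    NetEvent("192.0.2.44", "tcp", SECRET_SERVER, "deny"),
]
SAMPLE_APP = [
    AppEvent("10.1.3.7", SECRET_SERVER, "CN=alice", "secret", "granted"),
    AppEvent("10.1.3.8", SECRET_SERVER, "CN=bob", "secret", "refused"),
    AppEvent("10.1.3.8", SECRET_SERVER, "CN=bob", "secret", "refused"),
    AppEvent("10.1.3.8", SECRET_SERVER, "CN=bob", "secret", "refused"),
    AppEvent("192.0.2.44", SECRET_SERVER, "CN=alice", "secret", "granted"),
]


def demo() -> List[str]:
    """Run the correlation over the constructed sample; returns three findings."""
    return correlate(SAMPLE_NET, SAMPLE_APP)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run with only the IP-layer events or only the webserver events and none of the three rules can fire: R1 needs the webserver's grants checked against the filter's permits, R2 needs the filter's notion of "inside the confidential subnet" applied to the webserver's refusals, and R3 needs the certificate identity from one layer compared with the host identity from the other.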


(c) 1998, Filip Schepers