Nicholas C. P. Humphrey (2008) Securing Financially Sensitive Environments with OpenBSD.
Full text access: Open
This thesis investigates the use of a free, open source UNIX-based operating system in providing security features to a financially sensitive business function such as a treasury. We start by examining some of the main security features (such as the pf firewall and systrace policies) which are included with the operating system, how they work and how such features can be used within a financial environment. We then examine possible problems with each feature and with the introduction of such a feature into the business environment. We also explore some of the criticism that OpenBSD has received and additional features which could be useful to business. We then look at some examples of statutory and regulatory requirements, and how OpenBSD's features may be mapped to address such requirements. As part of this we examine how open source software in general can be utilised and some of its advantages and disadvantages compared with similar commercial offerings. We then present a case study based on a real-world treasury, and some of the serious security concerns which are faced by security officers responsible for such departments. We explore how OpenBSD can be applied within an infrastructure to provide key security services and address some of the specific concerns raised in the treasury security assessment. Finally, we provide conclusions and suggestions for future work.
This is a Published version. This version's date is: 15/01/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/1cbe16be-b9c7-a419-1f66-909c70921a1e/1/
Deposited on 24-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.