Securing Financially Sensitive Environments with OpenBSD

Nicholas C. P. Humphrey

(2008)

Nicholas C. P. Humphrey (2008) Securing Financially Sensitive Environments with OpenBSD.

Our Full Text Deposits

Full text access: Open

Full Text - 2.23 MB

Links to Copies of this Item Held Elsewhere

Mathematics Departmental Web Page

Abstract

This thesis investigates the use of a free, open source UNIX-based operating system in providing security features to a financially sensitive business function such as a treasury. We start by examining some of the main security features (such as the pf firewall and systrace policies) which are included with the operating system, how they work and how such features can be used within a financial environment. We then examine possible problems with each feature and the introduction of such a feature into the business environment. We also explore some of the criticism that OpenBSD has received and additional features which could be useful to business. We then look at some examples of statutory and regulatory requirements, and how OpenBSD's features may be mapped to address such requirements. As part of this we examine how open source software in general can be utilised and some of the advantages and disadvantages of it against similar commercial offerings. We then see a case study based on a real-world treasury, and some of the serious security concerns which are faced by security officers responsible for such departments. We explore how OpenBSD can be applied within an infrastructure to provide key security services and address some of the specific concerns raised in the treasury security assessment. Finally, we provide conclusions and suggestions for future work.

Information about this Version

This is a Published version
This version's date is: 15/01/2008
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/1cbe16be-b9c7-a419-1f66-909c70921a1e/1/

Item TypeMonograph (Technical Report)
TitleSecuring Financially Sensitive Environments with OpenBSD
AuthorsHumphrey, Nicholas C. P
DepartmentsFaculty of Science\Mathematics

Deposited by () on 24-Jun-2010 in Royal Holloway Research Online.Last modified on 15-Dec-2010

Notes

References

[1] Balmer, M. Supporting Radio Clocks in OpenBSD (ASIABSD07).
http://www.openbsd.org/papers/radio-clocks-asiabsdcon07.
pdf. Accessed 2007-07-28.

[2] Barrett, D. J., and Silverman, R. SSH, The Secure Shell: The
Definitive Guide. O’Reilly, 2001.

[3] Black Viper. Windows 2000 Professional and Server Services Configuration.
http://www.blackviper.com/WIN2K/servicecfg.htm. Accessed
2007-07-27.

[4] BSDcertification.org. 2005 BSD Usage Survey.
http://www.bsdcertification.org/downloads/pr 20051031
usage survey en en.pdf. Accessed 2007-08-02.

[5] Cabinet Office. Open Source Software: Use Within UK Government.
http://www.govtalk.gov.uk/documents/oss policy version2.
pdf. Accessed 2007-07-04.

[6] Core Security. OpenBSD IPv6 mbufs Remote Kernel Buffer Overflow.
http://www.coresecurity.com/?action=item&id=1703. Accessed
2007-08-02.

[7] de Raadt, T. Exploit Mitigation Techniques BSDCAN04.
http://www.openbsd.org/papers/auug04/index.html. Accessed
2007-07-04.

[8] de Raadt, T. Exploit Mitigation Techniques PACSEC03.
http://www.openbsd.org/papers/pacsec03/e/index.html. Accessed
2007-07-04.

[9] de Raadt, T. Re: defaults for openssh.
http://marc.info/?l=openbsd-misc\&m=116223117423784\&w=2.
Accessed 2007-07-12.

[10] de Raadt, T. Re: IPFilter licence update.
http://marc.info/?l=openbsd-misc&m=99159528204785&w=2. Accessed
2007-07-24.

[11] de Raadt, T. Re: Why were all djb’s ports removed? no more
qmail?
http://marc.info/?l=openbsd-ports\&m=99867670800407\&w=2.
Accessed 2007-07-09.

[12] de Raadt, T., and Cranor, C. Opening the Source Repository with
Anonymous CVS.
http://www.openbsd.org/papers/anoncvs-slides.ps. Accessed
2007-07-04.

[13] de Raadt, T., and Miller, T. C. strlcpy and strlcat - Consistent,
Safe, String Copy and Concatenation.
http://www.gratisoft.us/todd/papers/strlcpy.html. Accessed
2007-07-04.

[14] Denning, D. E. Information Warfare and Security. ACM Press, 1999.

[15] Department for Trade & Industry. DTI Information Security
Breaches Survey 2006.
http://www.pwc.com/uk/eng/ins-sol/publ/pwc
dti-fullsurveyresults06.pdf. Accessed 2007-07-04.

[16] DMOZ Open Directory Project. Firewall Product Directory.
http://www.dmoz.org/Computers/Security/Firewalls/Products/.
Accessed 2007-08-29.

[17] Erickson, J. M. Hacking: The Art of Exploitation. No Starch Press,
2003.

[18] Financial Services Authority (FSA) United Kingdom. Handbook.
http://fsahandbook.info/FSA/html/handbook/. Accessed 2007-07-
29.

[19] Fyodor. nmap Network Mapper.
http://insecure.org/nmap/. Accessed 2007-06-25.

[20] Garfinkel, S., Spafford, G., and Schwartz, A. Practical UNIX
and Internet Security, 3rd ed. O’Reilly, 2003.

[21] Gwyne, D. The OpenBSD Culture.
http://www.openbsd.org/papers/opencon06-culture.pdf. Accessed
2007-08-01.

[22] IETF Network Working Group. RFC 1918: Address Allocation
for Private Internets.
http://www.ietf.org/rfc/rfc1918.txt. Accessed 2007-08-02.

[23] IETF Network Working Group. RFC 2131: Dynamic Host Configuration
Protocol.
http://www.ietf.org/rfc/rfc2131.txt. Accessed 2007-08-02.

[24] IETF Network Working Group. RFC 4251: The Secure Shell
(SSH) Protocol Architecture.
http://www.ietf.org/rfc/rfc4251.txt. Accessed 2007-08-02.

[25] IETF Network Working Group. RFC 4256: Generic Message
Exchange Authentication for the Secure Shell Protocol (SSH).
http://www.ietf.org/rfc/rfc4256.txt. Accessed 2007-08-02.

[26] IETF Secure Shell Working Group. Internet Draft: SSH File
Transfer Protocol.
http://tools.ietf.org/html/draft-ietf-secsh-filexfer-13.
Accessed 2007-08-02.

[27] Infosecwriters.com. Sun Solaris 9 Default Configuration Nessus
Scan Report.
http://www.infosecwriters.com/projects/osscan/sun9dr.php.
Accessed 2007-07-27.

[28] International Standards Organisation. ISO/IEC 17799 Information
Technology - Security Techniques - Code of Practice for Information
Security Management (2005). Available from: http://www.
bsi-global.com.

[29] International Standards Organisation. ISO/TR 17944 Banking
- Security and Other Financial Services - Framework for Security in
Financial Systems (2002).

[30] ISACA. Cobit 4.0.
http://www.isaca.org/cobit.htm. Accessed 2007-08-01.

[31] Kelley, D. SOX-in-a-box: One size does not fit all when it comes to
compliance.
http://searchsecurity.techtarget.com/tip/0,289483,
sid14 gci1079123,00.html. Accessed 2007-08-27.

[32] Kong, J. Designing BSD Rootkits: An Introduction to Kernel Hacking.
No Starch Press, 2007.

[33] Lai, R. OpenCVS (BSDCAN07).
http://www.openbsd.org/papers/bsdcan07-cvs/. Accessed 2007-
08-04.

[34] Lucas, M. W. Absolute OpenBSD: UNIX for the Practical Paranoid.
No Starch Press, 2003.

[35] Mason, M. Subversion for CVS Users.
http://osdir.com/Article203.phtml. Accessed 2007-07-09.

[36] McNab, C. Network Security Assessment. O’Reilly, 2004.

[37] Microsoft Corporation. Coporate Home Page.
http://www.microsoft.com/. Accessed 2007-07-20.

[38] Microsoft Corporation. Internal Firewall Design.
http://www.microsoft.com/technet/security/guidance/
networksecurity/secmod155.mspx#E5JAE. Accessed 2007-08-25.

[39] Microsoft Corporation. Licensing.
http://www.microsoft.com/licensing/default.mspx. Accessed
2007-07-20.

[40] OpenBSD. Commercial products.
http://www.openbsd.org/products.html. Accessed 2007-07-02.

[41] OpenBSD. Cryptography.
http://www.openbsd.org/crypto.html. Accessed 2007-08-01.

[42] OpenBSD. Errata Patches.
http://www.openbsd.org/errata.html. Accessed 2007-08-06.

[43] OpenBSD. home page.
http://www.openbsd.org/. Accessed 2007-07-01.

[44] OpenBSD. man page: brconfig(8).
http://www.openbsd.org/cgi-bin/man.cgi?query=
brconfig&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=
i386&format=html. Accessed 2007-07-22.

[45] OpenBSD. man page: carp(4).
http://www.openbsd.org/cgi-bin/man.cgi?query=carp\
&apropos=0\&sektion=0\&manpath=OpenBSD+Current\&arch=i386\
&format=html. Accessed 2007-07-20.

[46] OpenBSD. man page: hoststated(8).
http://www.openbsd.org/cgi-bin/man.cgi?query=
hoststated&apropos=0&sektion=0&manpath=OpenBSD+
Current&arch=i386&format=html. Accessed 2007-07-22.

[47] OpenBSD. man page: pf.conf(5).
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf\
&apropos=0\&sektion=0\&manpath=OpenBSD+Current\&arch=i386\
&format=html. Accessed 2007-07-18.

[48] OpenBSD. man page: pfsync(4).
http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync\
&apropos=0\&sektion=0\&manpath=OpenBSD+Current\&arch=i386\
&format=html. Accessed 2007-07-20.

[49] OpenBSD. man page: release(8).
http://www.openbsd.org/cgi-bin/man.cgi?query=release\
&apropos=0\&sektion=0\&manpath=OpenBSD+Current\&arch=i386\
&format=html. Accessed 2007-07-20.

[50] OpenBSD. man page: securelevel(7).
http://www.openbsd.org/cgi-bin/man.cgi?query=securelevel\
&apropos=0\&sektion=0\&manpath=OpenBSD+Current\&arch=i386\
&format=html. Accessed 2007-07-30.

[51] OpenBSD. man page: sshd config(5).
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd config\
&sektion=5\&arch=i386\&apropos=0\&manpath=OpenBSD+Current.
Accessed 2007-07-30.

[52] OpenBSD. man page: syslogd(8).
http://www.openbsd.org/cgi-bin/man.cgi?query=
syslogd&sektion=8&arch=i386&apropos=0&manpath=OpenBSD+
Current. Accessed 2007-07-23.

[53] OpenBSD. man page: systrace(1).
http://www.openbsd.org/cgi-bin/man.cgi?query=systrace\
&apropos=0\&sektion=1\&manpath=OpenBSD+4.1\&arch=i386\
&format=html. Accessed 2007-07-30.

[54] OpenBSD. man page: systrace(4).
http://www.openbsd.org/cgi-bin/man.cgi?query=systrace\
&apropos=0\&sektion=4\&manpath=OpenBSD+4.1\&arch=i386\
&format=html. Accessed 2007-07-30.

[55] OpenBSD. OpenNTPd Project.
http://www.openntpd.org/. Accessed 2007-07-16.

[56] OpenBSD. pf FAQ.
http://www.openbsd.org/faq/pf/index.html. Accessed 2007-08-09.

[57] OpenBSD. pf FAQ: Logging.
http://www.openbsd.org/faq/pf/logging.html. Accessed 2007-08-
09.

[58] OpenBSD. Security.
http://www.openbsd.org/security.html. Accessed 2007-07-02.

[59] OpenBSD. Supported hardware platforms.
http://www.openbsd.org/plat.html. Accessed 2007-07-02.

[60] OpenSSH. Project homepage.
http://www.openssh.org/. Accessed 2007-07-04.

[61] OpenSSH. Systems using OpenSSH.
http://www.openssh.org/users.html. Accessed 2007-07-04.

[62] Ornaghi, A., and Valleri, M. Man in the Middle Attacks Demos.
http://www.blackhat.com/presentations/bh-usa-03/
bh-us-03-ornaghi-valleri.pdf. Accessed 2007-07-29.

[63] Palmer, B. Secure Architectures with OpenBSD. Pearson Education
Inc., 2004.

[64] PCI Security Standards Council. Payment Card Industry - Data
Security Standard v1.1.
https://www.pcisecuritystandards.org/pdfs/pci dss v1-1.pdf.
Accessed 2007-08-02.

[65] Peikari, C., and Chuvakin, A. Security Warrior. O’Reilly, 2004.

[66] Santana, G. OpenBSD binpatch Project.
http://openbsdbinpatch.sourceforge.net/. Accessed 2007-08-20.

[67] Sauve-Frankel, M. Re: binpatch system.
http://marc.info/?l=openbsd-misc\&m=110607028208153\&w=2.
Accessed 2007-08-20.

[68] Schipper, J. Re: make build — securelevel=2.
http://archives.neohapsis.com/archives/openbsd/2006-01/
1914.html. Accessed 2007-07-06.

[69] Schlyter, J. OpenBSD & BIND 9 cache poisoning.
http://marc.info/?l=openbsd-misc&m=118539211412877&w=2. Accessed
2007-07-28.

[70] SecurityFocus.com. How Not to Respond to a Security Advisory.
http://www.securityfocus.com/columnists/380. Accessed 2007-
07-06.

[71] Silberschatz, A., Galvin, P. B., and Gagne, G. Operating System
Concepts, 7th ed. John Wiley & Sons Inc., 2005.

[72] slashdot.org. Remote Exploit Discovered for OpenBSD.
http://it.slashdot.org/it/07/03/15/0045207.shtml. Accessed
2007-08-02.

[73] slashdot.org. Theo de Raadt Responds (Interview).
http://bsd.slashdot.org/article.pl?sid=00/12/11/
1455210&mode=thread. Accessed 2007-07-21.

[74] Stoll, C. The Cuckoo’s Egg. Pan Books, 1990.

[75] Sun Microsystems. Solaris 10 Security.
http://www.sun.com/software/solaris/security.jsp. Accessed
2007-08-17.

[76] Sysjail Project. Sysjail: A Userland Virtualisation System.
http://sysjail.bsd.lv/. Accessed 2007-08-12.

[77] The Institute of Internal Auditors. Key Strategies for Implementing
ISO 27001.
http://www.theiia.org/itaudit/index.cfm?catid=21&iid=440.
Accessed 2007-07-02.

[78] Thompson, K. Reflections on Trusting Trust. Communication of the
Association for Computing Machinery Volume 27, No. 8 (1984).
http://www.acm.org/classics/sep95/ Accessed 2007-07-05.

[79] Underwood, N. HOWTO: Transparent Packet Filtering with
OpenBSD.
http://ezine.daemonnews.org/200207/transpfobsd.html. Accessed
2007-08-28.

[80] US Government Printing Office. Sarbanes Oxley Act of 2002.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=
107 cong bills\&docid=f:h3763enr.tst.pdf. Accessed 2007-07-15.

[81] Watson, R. N. M. Exploiting Concurrency Vulnerabilities in System
Call Wrappers.
http://www.watson.org/robert/2007woot/
2007usenixwoot-exploitingconcurrency.pdf. Accessed 2007-
08-13.

[82] Wright, P. M. Time Insecurity and the Network Time Problem (Part
1).
http://www.ukcert.org.uk/time security.html. Accessed 2007-05-
30.

Details