Unix Systems security and security evaluation criteria

Agenda

• Overview of UNIX• Flavors and versions of UNIX• Open source vs proprietary software• Security evaluation criteria • Ten general security rule

Flavors and versions of UNIX• Following are the example of The proprietary flavors of unix that

have been designed to run only (or mainly) on proprietary hardware sold by the same company– AIX - developed by IBM for use on its mainframe computers– BSD/OS - a commercial version of BSD developed by Wind River for

Intel processors– HP-UX - developed by Hewlett-Packard for its HP 9000 series of

business servers– IRIX - developed by SGI for applications that use 3-D visualization and

virtual reality– QNX - a real time operating system developed by QNX Software

Systems primarily for use in embedded systems– Solaris - developed by Sun Microsystems for the SPARC platform and

the most widely used proprietary flavor for web servers– Tru64 - developed by Compaq for the Alpha processor

Flavors and versions of UNIX• Others are developed by groups of volunteers who

make them available for free. Among them are:– Linux - the most popular and fastest growing of all the

Unix-like operating systems– FreeBSD - the most popular of the BSD systems (all of

which are direct descendants of BSD UNIX, which was developed at the University of California at Berkeley)

– NetBSD - features the ability to run on more than 50 platforms, ranging from acorn26 to x68k

– OpenBSD - may have already attained its goal of becoming the most secure of all computer operating systems

– Darwin - the new version of BSD that serves as the core for the Mac OS X

Open source vs. Proprietary software

• Open source software– Some example are Linux distribution, PHP,

Apache, gdb, XML, gcc, java, perl etc

• Proprietary software– Example are Microsoft windows, Exchange server,

Adobe Acrobat, Photoshop, Mac os etc

Security evaluation criteria

• Computer security evaluation?– is the detailed examination and testing of the

security features of an IT system or product to ensure that they work correctly and effectively and do not show any logical vulnerabilities.

– It includes a claimed level of Assurance that determines how rigorous the evaluation is.

• Criteria– Criteria are the "standards" against which security

evaluation is carried out.

Security evaluation criteria• TCSEC(Trusted Computer System Evaluation Criteria)– The US Department of Defense published the first criteria

in 1983 as the TCSEC– more popularly known as the "Orange Book". – The current issue is dated 1985. – The US Federal Criteria were drafted in the early 1990s as

a possible replacement but were never formally adopted.• ITSEC (Information Technology Security Evaluation

Criteria)– During the 1980s, the UK, Germany, France and the

Netherlands produced versions of their own national criteria. These were harmonised and published as the ITSEC.

Security evaluation criteria• Common Criteria– The Common Criteria represents the outcome of

international efforts to align and develop the existing European and North American criteria.

– The Common Criteria project harmonizes ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (TCSEC)into the Common Criteria for Information Technology Security Evaluation (CC) for use in evaluating products and systems and for stating security requirements in a standardized way.

Ten general security rule

• Rule 1: Security Through Obscurity Doesn't Work • Rule 2: Full Disclosure of Bugs and Holes Benefits

Security • Rule 3: System Security Degrades in Direct

Proportion to Use • Rule 4: Do It Right Before Someone Does It

Wrong For You • Rule 5: The Fear of Getting Caught is the

Beginning of Wisdom

Ten general security rule

• Rule 6: There's Always Someone Out There Smarter, More Knowledgeable, or Better-Equipped Than You

• Rule 7: There Are No Turnkey Security Solutions

• Rule 8: Good and Evil Blend into Gray • Rule 9: Think Like the Enemy • Rule 10: Trust is a Relative Concept