Fri Apr 8 06:47:17 PDT 2016

Technology: Logical Perimeters: What logical perimeters have what protection mechanisms?


For each type of logical facility, describe what protective mechanisms are associated with each layer.
Deceptions / Perceptions / Reputation / Intelligence information
Mobile Systems
Disk/file encryption / VPN / NAT / VMs / wrappers / Firewalls / Access controls / Authentication / TCB: TCG-TCSEC-CC / Audit / Filters / NIRDS
Patches / Help desk / Vulnerability detection / Penetration Testing / IDS / Up-Down / Intelligence / Filters
ISP / Anti-Bad-Content / SMTP / IdM / Gateways / QoS / Hosting / File sharing / Certificates / Filters
External users
Web and other services
Access limits / Personnel flow controls / Storage / Computing / Network / Telecommunications / Assistance / Firewall / Zoned architecture / Response support / Configuration controls / Filters
Access controls / Disk-file encryption / VPN / NAT / VMs / wrappers / VLAN / Addresses / Location / Audit / Authentication
Authentication / Separation of duties / Code validation / Change management / Access controls / Audit / VPN / VMs / wrappers / VLAN
SysOps and DBAs
Access controls / Audit / Separation of duties / Code validation / Change management / VPN / NAT / VMs / wrappers / VLAN / Authentication
Zones / Network management / Control zone / DMZ / Firewalls / Filters / Transforms / IdM
Audit zone / NIRDS Controls / Alert systems / Incident controls / Surveillance systems / Key management
Data Center
MAC / NAC / NAT / VPN / Perimeters / FW / NIRDS / GW / Proxy / Audit / Query limits / Filters / Separation of duties / Redundancy / Identity Management / Change control / Testing
DMZ Servers and Proxies
Access controls / Disk-file encryption / VPN / NAT / VMs / wrappers / VLAN / Addresses / Location / Audit / Authentication / IDRS / Filters / Change controls / TCB:TCG-TCSEC-CC controls / Software controls
Security servers
Various special controls
Zone separation mechanisms
Zone firewalls / Independent perimeter verification mechanisms / IDS machines / Correlation and analysis / Filters
FW / Perimeter / NIRDS / Proxy / Audit / Filters / Transforms / Redundancy / Risk aggregation controls / Change control / Testing / Terminal services
Control and audit zone machines
Various special controls
Application servers
Query limits / Access controls / Application firewalls / Audit / Redundancy / NAT / VMs / wrappers / Separation of duties / Roles and rules / Idm Interface / Aggregation controls
Database servers
Query limits / Access controls / Audit / Redundancy / Separation of duties / NAT / VMs / wrappers / Replay and rollback / Transaction mechanisms / Aggregation controls
FW / NIRDS / Audit / Filters / Transforms / TCB / NAT / VMs / wrappers
Storage area networks
Redundancy / Separation of duties / Backups
Encryption / Authentication / VPN / VLAN / RF / Wired / Fiber / Dedicated lines

Logical protection placement


The listed controls are identified here and details of their use are covered throughout the rest of the overarching architecture and standard of practice.

Access controls: Controls over who and what can access what.

Addresses: Generally, identifiers used to locate or reach something. Physical and Internet Protocol (IP) addresses are most commonly discussed, but other sorts exist (e.g., MAC (Ethernet) addresses, ...).

Aggregation controls: Controls over the aggregation of risk, content, etc..

Alert systems: Systems that provide alerts to people or other systems to cause actions to be undertaken.

Anti-Bad-Content: Any of the many methods for identifying and dealing with undesired or malicious content.

Application firewalls: Firewalls designed to work with specific applications, typically by detailed discrimination based on state and input.

Assistance: Human or automated assistance.

Audit: Internal and/or external reviews against a standard or defined set of objectives.

Authentication: Methods for verifying the claimed identity of a known mechanism or party.

Backups: Copies made as a protection against loss or damage to originals.

Certificates: Mechanisms intended to allow one party or mechanism to verify something about another. Generally a chain of trust is built in which trust in the certifying entity is relied upon in order to trust the person or thing being certified.

Change control: Controls over changes, typically involving verification, validation, testing, changes during defined windows of time, roll-out processes, separation of duties, reversion, and related matters.

Code validation: Method to determine whether and to what extent executable content meets its specification.

Computing: Mechanisms used to perform computations.

Configuration controls: Methods and practices used to control settings of mechanisms to within defined parameters for the situation.

Control zone: An area defined by the zoning architecture.

Correlation and analysis: Methods that relate information from different sources to each other and external criteria and provide output based on those combinations.

DMZ: An area (demilitarized zone) defined by the zoning architecture.

Deceptions: Methods that induce or suppress signals to cause altered behavior in targets.

Dedicated lines: Communications media dedicated to specific users, uses, and/or purposes and not available to other users, uses, or purposes.

Encryption / Disk encryption / Disk-file encryption / File encryption: Transformation of content so as to render it unusable by parties without the necessary knowledge to reverse or use the result of the transform. In storage this is done by disk or media, directory area, file, or smaller portions of content.

Fiber: A communications media.

Filters: Mechanisms that examine content and make determinations about what can pass, what must be altered to pass, and what cannot pass. Filters may work in any/all directions.
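An added example, not from the original page, of a filter in the sense defined above: each rule carries the directions it applies to and an action (block, or alter with a replacement), and a message is either passed unchanged, altered, or refused. The rule set and the sample messages are constructed for illustration; the card-number pattern is a deliberately simple stand-in for a real data-loss rule.

```python
import re

# Constructed sample traffic (not from the page): (direction, content) pairs.
SAMPLE = [
    ("inbound",  "GET /index.html HTTP/1.1"),
    ("inbound",  "GET /../../etc/passwd HTTP/1.1"),
    ("outbound", "Report attached. Card: 4111 1111 1111 1111"),
    ("outbound", "Meeting at 10am"),
]

# Assumed rule set: each rule names the directions it applies to, a pattern,
# and an action: "block", or "alter" with a replacement text.
RULES = [
    {"directions": {"inbound"}, "pattern": re.compile(r"\.\./"),
     "action": "block", "reason": "path traversal"},
    {"directions": {"outbound"}, "pattern": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     "action": "alter", "replacement": "[redacted card number]",
     "reason": "card number"},
]

def filter_message(direction, content):
    """Return (verdict, content, reason); verdict is 'pass', 'altered' or
    'blocked'. A block rule wins outright; every matching alter rule is
    applied, so content that passes may have been rewritten on the way."""
    altered = False
    reasons = []
    for rule in RULES:
        if direction not in rule["directions"] or not rule["pattern"].search(content):
            continue
        if rule["action"] == "block":
            return ("blocked", None, rule["reason"])
        content = rule["pattern"].sub(rule["replacement"], content)
        altered = True
        reasons.append(rule["reason"])
    return ("altered" if altered else "pass", content, ", ".join(reasons))

def run_filter(messages=SAMPLE):
    """Apply the filter to a list of (direction, content) pairs."""
    return [filter_message(d, c) for d, c in messages]
```

Because each rule lists its own directions, the same traversal string is refused when it arrives inbound but passes when it leaves outbound; in practice a filter of this kind sits in front of the lookup or service it protects and logs every altered or blocked item for audit.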

FW / Firewalls: Mechanisms used to prevent certain traffic from passing from one or more communications media to one or more others.

GW / Gateways: Mechanisms used to support access from one location to another when direct access is not available.

Help desk: Support staff who provide assistance, typically based on a pre-defined set of assistance criteria and processes.

Hosting: Provisioning of services, typically in the form of hardware with configured software, as a service.

NIRDS / IDRS / IDS: (Network) Intrusion Detection (and Response) Systems.

ISP: Internet Service Provider

IdM / Identity Management / Idm Interface: Methods by which identified parties are associated with access and by which this is controlled and provisioned on large scale and with supporting automation.

Incident controls: Controls designed to detect, react, and adapt to incidents in an appropriate and planned manner.

Independent perimeter verification mechanisms: Mechanisms that are independent of perimeters that can verify that the perimeter is operating as specified.

Intelligence: Intelligence information that can inform threats of vulnerabilities and defenders of threats.

Key management: Mechanisms that manage keys for complex cryptographic mechanisms.

Location: Controls that act differently depending on the location of components.

MAC: Media Access Control address, the link-layer address of a network interface. Interfaces normally ignore traffic not destined for their own address, and switches and access controls can use MAC addresses to limit which interfaces may send or receive on a segment. MAC addresses are easily forged, so they limit accidental exposure rather than authenticate a device.

NAC: Network Access Control, mechanisms that admit a device to a network (or to a particular zone or VLAN) only after checking its identity and, typically, its configuration or patch state, and that quarantine or reject devices that fail the check. Not to be confused with NAT, defined below.

Patches: Non-hardware changes to components made during operation or during reboots or other change control periods.

Penetration testing: Testing to identify weaknesses by exploiting those weaknesses.

Perceptions: Interpretation of observed phenomena by cognitive mechanisms. This ranges over things like keeping a low profile, appearing to be a hard target, not giving away intelligence targeting information or intelligence, and so forth.

Perimeters: Separations between areas.

Personnel flow controls: Controls that limit the movement of people during potentially different periods of operation.

Proxy: Mechanisms that act on behalf of other mechanisms or parties, typically by examining information to be passed on and rewriting that information in a different form elsewhere.

QoS: Quality of Service controls typically to provide guaranteed minimum service levels.

Query limits: Limitations on the input sequences allowed to pass to a mechanism that looks up information based on those inputs. To meet this condition, input checking, as a function of state, should be done at each point where input could cause harm, and only known valid inputs should be allowed to pass. At a minimum such checks should include minimum and maximum input length and allowed symbols.
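An added example, not from the original page, of the query limit described above: a lookup whose input is checked for type, length bounds, allowed symbols and a state-dependent rule before it reaches the database, alongside the unlimited lookup it replaces. The table contents, the field rules and the "anonymous" versus "operator" state are constructed assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data, not from the page: a small in-memory table.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, department TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "finance"), ("bob", "ops")])

# Assumed policy per input field: (min length, max length, allowed symbols).
FIELD_RULES = {
    "username": (3, 16, re.compile(r"^[a-z][a-z0-9_]*$")),
}

class RejectedInput(ValueError):
    pass

def check_input(field, value, state="anonymous"):
    """Allow only known-valid inputs: type, length bounds, allowed symbols,
    and a state-dependent rule (here, anonymous callers may not look up
    names reserved for administrators). Anything not allowed is rejected."""
    if not isinstance(value, str):
        raise RejectedInput(f"{field}: not a string")
    lo, hi, pattern = FIELD_RULES[field]
    if not (lo <= len(value) <= hi):
        raise RejectedInput(f"{field}: length {len(value)} outside [{lo}, {hi}]")
    if not pattern.fullmatch(value):
        raise RejectedInput(f"{field}: disallowed symbols")
    if state == "anonymous" and value.startswith("admin"):
        raise RejectedInput(f"{field}: not permitted in state {state}")
    return value

def is_accepted(field, value, state="anonymous"):
    """True if check_input would let the value pass."""
    try:
        check_input(field, value, state)
        return True
    except RejectedInput:
        return False

def lookup_unchecked(username):
    """The unlimited version: input is spliced into the query text, so the
    lookup accepts whatever sequence the caller supplies, and a crafted
    value can change what the query does."""
    sql = f"SELECT department FROM users WHERE username = '{username}'"
    return [row[0] for row in _conn.execute(sql)]

def lookup_limited(username, state="anonymous"):
    """Query-limited version: validate first, then bind the value as a
    parameter so it can never be interpreted as query structure."""
    name = check_input("username", username, state)
    rows = _conn.execute("SELECT department FROM users WHERE username = ?", (name,))
    return [row[0] for row in rows]
```

The two defenses are independent: the parameter binding alone would stop the query from being restructured, but the allow-list check also keeps oversized or oddly composed input away from every later stage (logging, display, downstream services) that the lookup feeds.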

RF: Radio Frequency communications media.

Redundancy: Multiple mechanisms that operate when others of them fail, typically most resilient if separate and different in as many ways as possible, so as to avoid common mode failures.

Replay and rollback: Returning to a known prior state (roll-back) and replaying transactions (replay) to return a (transaction) system to a sound state without unnecessary data or state loss.

Reputation: Perceptions of others regarding suitability for purpose.

Response support: Support services to aid in response processes.

Risk aggregation controls: Controls that compensate for risk above threshold in a single component by forming a composite of components so that the risk of the whole is reduced.

Roles and rules: Roles are used to associate people or things with activities and rules are used to associate those roles with permitted acts.

SMTP: Simple Mail Transfer Protocol (electronic mail) services, here meaning mail handling provided as a service with protective functions built in.

Separation of duties: Methods by which activities are partitioned so as to limit the consequences associated with one or more insiders acting against the best interest of the organization.
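An added example, not from the original page, covering the Roles and rules entry together with Separation of duties: people are associated with roles, roles with permitted acts, and a conflict list prevents one person from performing both halves of a sensitive pair (here, submitting and approving the same change). The people, roles, acts and conflict pairs are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed, constructed policy (not from the page): people -> roles, roles -> acts.
ROLES = {
    "alice": {"developer"},
    "bob": {"release_manager"},
    "carol": {"developer", "release_manager"},
}
RULES = {
    "developer": {"submit_change"},
    "release_manager": {"approve_change", "deploy_change"},
}
# Pairs of acts that the same person must not perform on the same object.
SOD_CONFLICTS = {("submit_change", "approve_change")}

@dataclass
class Change:
    ident: str
    history: list = field(default_factory=list)   # (person, act) records

def permitted_by_role(person, act):
    """Rules: is the act permitted by any role the person holds?"""
    return any(act in RULES.get(role, set()) for role in ROLES.get(person, set()))

def sod_violation(change, person, act):
    """Separation of duties: has this person already done a conflicting act
    on this change?"""
    for who, done in change.history:
        if who == person and ((done, act) in SOD_CONFLICTS or (act, done) in SOD_CONFLICTS):
            return True
    return False

def perform(change, person, act):
    """Returns 'ok', 'denied:role' or 'denied:sod'; records the act only
    when it is allowed, so the history can be audited later."""
    if not permitted_by_role(person, act):
        return "denied:role"
    if sod_violation(change, person, act):
        return "denied:sod"
    change.history.append((person, act))
    return "ok"
```

Note that carol holds both roles, so the role rules alone would let her submit and approve her own change; the separation-of-duties check is what forces a second person into the loop, which is exactly the insider case the definition above is concerned with.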

Software controls: Mechanisms used to control the effects of software.

Surveillance systems: Systems that observe activities that otherwise would not be observable for the purposes of verifying that those activities are appropriate and for potential subsequent investigative support.

TCB: Trusted Computing Base, any of several sorts.

TCG: Trusted Computing Group and its Trusted Platform Module approach to assuring integrity of hardware and software systems.

TCSEC: DoD's Trusted Computer System Evaluation Criteria.

CC: The Common Criteria.

Terminal services: Servers typically providing remote terminal or desktop access to virtual machines that act as an intermediary in accessing internal systems of an area from systems external to that area.

Testing: Processes intended to determine to within defined coverage, whether and to what extent protective (or other) functions operate as they should.

Transaction mechanisms: Mechanisms that take single atomic (non-severable) acts (transactions) and properly handle them with consistency and in an atomic manner.
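An added example, not from the original page, covering the Replay and rollback entry together with Transaction mechanisms: a ledger applies each transaction all-or-nothing, keeps a journal of committed transactions, and can roll back to a checkpoint and replay the journal while skipping transactions later found to be bad. The account balances and transactions are constructed for illustration.

```python
import copy

class TransactionError(Exception):
    pass

class Ledger:
    """Account balances plus a journal of committed transactions. A
    transaction is a list of (account, delta) steps applied all-or-nothing."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.journal = []        # committed (tx_id, steps), in commit order
        self.checkpoint = None   # (balances snapshot, journal length)

    def commit(self, tx_id, steps):
        """Atomic: work on a copy and swap it in only if every step succeeds."""
        working = dict(self.balances)
        for account, delta in steps:
            if account not in working:
                raise TransactionError(f"{tx_id}: unknown account {account}")
            if working[account] + delta < 0:
                raise TransactionError(f"{tx_id}: would overdraw {account}")
            working[account] += delta
        self.balances = working
        self.journal.append((tx_id, list(steps)))

    def try_commit(self, tx_id, steps):
        """Commit and report success instead of raising."""
        try:
            self.commit(tx_id, steps)
            return True
        except TransactionError:
            return False

    def take_checkpoint(self):
        """Record a known sound state to roll back to."""
        self.checkpoint = (copy.deepcopy(self.balances), len(self.journal))

    def rollback(self):
        """Return to the checkpoint and hand back the transactions committed
        since then, so the caller can decide which ones to replay."""
        snapshot, n = self.checkpoint
        self.balances = copy.deepcopy(snapshot)
        pending = self.journal[n:]
        self.journal = self.journal[:n]
        return pending

    def replay(self, transactions, skip=()):
        """Re-apply journaled transactions, omitting those identified as bad."""
        for tx_id, steps in transactions:
            if tx_id in skip:
                continue
            self.commit(tx_id, steps)
```

The journal is what makes rollback cheap: state is rebuilt from the checkpoint plus the good transactions rather than repaired by hand, and the skipped transaction identifiers are the record of what was removed.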

Transforms: Mechanisms that transform from one form or format to another. Typically encryption, cryptographic checksums, encoding, compression, and similar methods.

Up-Down: Mechanisms that detect whether or not a service is apparently operating from a particular vantage point and report on the state of those services.

VLAN: Virtual Local Area Network presenting itself as if it were a private local area network even though portions of the network may not be within the local area or the network may be shared at the physical level with other local area networks. Typically augmented with encryption for higher surety when passing through untrusted locations, and typically controlled with performance mechanisms to guarantee prioritization or other QoS constraints with respect to other VLANs in the same infrastructure.

VMs: Virtual Machines, typically booted for sessions and then shut down when not in use, and usable as temporary separation mechanisms for periods of processing.

NAT: Network Address Translation, which lets multiple internal (protected) addresses share one or more external (unprotected) addresses. Sessions initiated from the internal address space toward the external address space are translated and their replies returned only to the proper internal system, while sessions not initiated from the inside are not passed from the external address(es) to the internal address(es). This is often part of firewalls or similar mechanisms.
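An added example, not from the original page, that simulates the NAT behaviour described above: an outbound packet creates a translation entry, the matching reply is rewritten back to the inside host, and an inbound packet with no matching entry is dropped. The addresses and ports are constructed for illustration (documentation ranges, not real hosts).

```python
from dataclasses import dataclass
import itertools

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Stateful many-to-one NAT: sessions may be initiated only from inside."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        # (internal ip, internal port, remote ip, remote port) -> external port
        self.outbound = {}
        # (external port, remote ip, remote port) -> (internal ip, internal port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """Rewrite an inside-originated packet to the shared external address,
        allocating a translation entry the first time a flow is seen."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.outbound[key] = ext_port
            self.inbound[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Return the packet rewritten for the inside host, or None (dropped)
        when no inside host initiated a matching session."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])
```

The inbound table is keyed on the remote address and port as well as the translated port, so a different outside host guessing an in-use port still gets nothing; a real implementation also expires entries, which is what bounds how long an outside party can reach a given inside host after the session ends.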

VPN: Virtual Private Networks are typically used to form remote VLANs by encrypting traffic from peering point to peering point, making it appear as if there is a private network when the network is physically passing through public (or less private) infrastructure.

Vulnerability detection: Mechanisms designed to detect the presence of vulnerabilities, typically by testing for the presence of the vulnerability or for indicators of those vulnerabilities.

Wired: Physically connected through electrical wiring.

Wrappers: Programs that intervene between other programs to "wrap" them in an independent control mechanism.

Zone firewalls / Zoned architecture / Zones: Areas of an architecture defined by a zoning policy and controls.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved