网络安全-20：防火墙.ppt

* Chapter 19 summary. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Stallings Figure20.3a illustrates an an access control matrix. * * * * * Another widely applicable requirement is to protect data or resources on the basis of levels of security, as is commonly found in the military where information is categorized as unclassified (U), confidential (C), secret (S), top secret (TS), or higher. Here subjects (people or programs) have varying rights of access to objects (information) based on their classifications. This is known as multilevel security. A system that can be proved to enforce this is referred to as a trusted system. * * * * * The general statement of the requirement for multilevel security is that a subject at a high level may not convey information to a subject at a lower or incompatible level unless that flow accurately reflects the will of an authorized user. This can be implemented using the Bell LaPadula Model, in which a multilevel secure system must enforce: ? No read up: A subject can only read an object of less or equal security level - Simple Security Property ? No write down: A subject can only write into an object of greater or equal security level - * (star) Property These two rules, if properly enforced, provide multilevel security. * * * * * Stallings Figure20.4 illustrates the reference monitor as a controlling element in the h/w O/S of a computer. It regulates access of subjects to objects on the basis of their security parameters. It has access to the security kernel database, which lists the access privileges (security clearance) of each subject the protection attributes (classification level) of each object. The reference monitor enforces the security rules (no read up,no write down). It m