Trusted vs Untrusted

Video Activity

This lesson will cover the security principle: separation of trust using the Clark-Wilson Security Model: "keep users out of your stuff, or they'll break it." She will detail examples of various interfaces used to do that. Instructor Kelly Handerhan will also detail the different ways technology is used to keep untrusted networks separate from trus...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

3 hours 54 minutes
Video Description

This lesson will cover the security principle: separation of trust using the Clark-Wilson Security Model: "keep users out of your stuff, or they'll break it." She will detail examples of various interfaces used to do that. Instructor Kelly Handerhan will also detail the different ways technology is used to keep untrusted networks separate from trusted networks.

  • Firewalls: allow/block traffic based on rules called ACLs (access control lists).

  • Static Packet Filters: base decisions on source/destination IP address and port.

  • Stateful Inspection: Knowledge of who initiated the session. It can block unsolicited replies.

  • Protocol Anomaly firewalls: can block traffic based on syntax being different than the RFC would specify.

  • Application Proxies/Kernel Proxies: make decisions on content, active directory integration, certificates, and time.

Video Transcription
Okay, let's talk about one of the foundational principles of security. And the idea behind this or or the idea I'm gonna talk about is separation of trust and the idea. There are different levels of trust in any environment.
So one of the things, uh, some of you may be aware of the fact that I teach several different security course ins and one of the courses that I teach the C I S S P goes into depth about the discussion of principles and models of security.
And there is a model called the Clark Wilson Security model.
That is beyond a doubt. I think one of the most important models that we have to consider when designing almost anything, whether it's technology based or even really world personnel implementations the corporals and security model is absolutely on point.
in a nutshell. What cork Wilson says is
keep users out of your stuff or they'll break it.
Keep users on your stuff or they'll break it.
Now I have to tell you the truth. Clark Wilson security model says it much more eloquently than that.
It says four swell form transactions through the use of an access triple, and that's fine. But really, what it means is keep users of your stuff or they'll break it.
I think about it. If I go to Amazon now, I want to make a purchase. Do I get the password for Amazon's database so that I can go in and remove the quantity of one from their inventory and their stock?
Oh, of course not. You know why?
If they were to allow me to access their stuff,
I would break it. I can assure you I would break it.
So what his name is Ahn do because they want me to purchase their books, which ultimately does wind up making a change into their database. What they do is they provide me with an inter fix a trusted front end application,
right? And that's the principle of Clark Wilson
is protected from untrusted.
And if untrusted needs to access trusted, it must go through an interface. So I used and I'm untrusted.
I use Amazon's interface there front and application, and that forces a well formed transaction. So, for instance, think about
what? I'm entering my address in the Amazon. And maybe they asked me for city state and sent could.
Well, I'm originally from North Carolina, so I could abbreviate that in sea in period C period
in care line on North Carolina. There's so many ways I could inter North Carolina,
and they're all the same in my mind. But they're definitely not all the same to a database.
So the interface restricts line entry because they know they can't count on me to make a well formed transaction. So what did they do that? Give me two characters for this state name. So I'm not gonna try to talk about the name in full or if I do in period C period, it won't take that.
And honestly, if they're even smarter than that, rather than giving me two characters,
they'll give me a drop down list. Right? And that's the interface. Controlling how an untrusted entity access is a trusted resource always goes through an interface
untrusted ghost or an interface to access Trusted right. And so if we look at a network environment frequently their various elements of trust. So if you look at my internal land, my local area network, this is where my company wide re sources are. This is where they're protected
things that my domain controllers,
my file servers, my information that sensitive. They're all on my local area network, and I control access to that land. Therefore, my local area network is considered to be trusted. Now that doesn't mean there's no way of compromise. But
because it's under my control and management,
we consider that to be trusted. Now the greatest untrusted area is the Internet, right? The Internet is a bad, bad neighborhood. We don't trust anything coming from outside anything from the Internet that's untrusted
and frequently will use a device, a firewall to separate out, trusted from untrusting mall periods that are sinning trusted.
And if you're familiar with the d. M. Z is just skip over a little bit. You know, Demilitarized Zone is an area that semi trusted. So basically, we're gonna allow public access to the D M. Z,
but we're still not gonna consider it totally trusted. Even though I apply security because we're allowing untrusted entities into the d m Z, it's senators, or generally, firewalls that provide this isolation in this segmentation there, the interface
that untrusted
processes and subjects must go through.
Okay, Now they're multiple types of firewalls. You have the very basic firewalls, and these are often referred to his packet filters there, static in nature. They don't give you a lot of decision making capabilities. You can block a protocol, but you can't brought block
So, for instance, if I'm worried about Ah Syn Flood,
which exploits a TCP Ah handshake process,
all I can do in a packet filter is blocked. TCP. And that would have disastrous effects on my network because many service's need TCP to operate. So we've got a static packet filter that can block things very generally, like maybe I don't want to allow ping packets. I seem to be package through
static firewalls. Static packet filter can do that for me.
Or if I don't have a Web server, let's block all Web traffic. Absolutely static filter can do that,
but it's when I want to get more specific and more granular than a static filter. Can't really help me. Ah, lot of times when we talk about static packet filters, these air screening brothers, these air the routers that are kind of our first point of defense between our network and the Internet.
I think of them sort of like bouncers at a nightclub. The job of a packet filtering firewall is to keep what's obviously riffraff off the network.
So malformed pack, Get out of here. Traffic on port 80. No, no Web service. Get out and acts sort of like the flippers on a pinball machine, right? Just what's obviously malicious or doesn't belong.
Now we can get more sophisticated when we go to a state ful firewall that understands the state of the connection and who initiated the connection.
So, for instance, will only allow the NS replies if there was a D. N s query initiated inside, that's a state full filter. And then the very
ah, the most complex and sophisticated device would be our proxies application proxies, colonel proxies These air the devices that get very particular, very granule. You know, let's prevent John Smith from accessing any website with violent content,
right? We get very, very specific
inner filtering boots, but the bottom line is the job of a firewall release to separate out areas of trust. Trusted semi trusted untrusted are those three main areas
Up Next