Stepping stone (computer security)

From Wikipedia, the free encyclopedia

This article is an orphan, as few or no other articles link to it. Please introduce links to this page from other articles related to it. (February 2009)

A stepping stone (StSt) is a type of computer security measure ^[1] which consists of placing several logical security systems, used as authentication servers, in a serial disposition to emulate a physical narrow channel, analogous to a physical path formed by stepping stones used to cross a river. Using this system, it is possible to apply a granular control over each system acting as a 'stone', establishing different risk levels as so many systems which have been placed in the series.

For example, to grant a user with access to an OpenSSH server, for executing an application in a high-security environment, we could put a front-end system such as a Sun Solaris with a Citrix Metaframe in the 1st security layer. The 2nd layer could be an MS Terminal Services with an SSH Client. Thirdly, the last layer could be based on a Linux system with an OpenSSH Server, which would grant access to the final application. Every system could to have a common secure system to log on as RSA SecureID, X.509 certificates-based, challenge/response systems, etc. or a mixture of them. It depends on the risk analysis over the environment treated.

This computer security practice tends to decrease the system usability and is hard to maintain, so it should be implemented only in high-security environments. This practice could be considered as part of a well-known security principle: Security In-Depth, in this case, applied to the access control, adding logical barriers and trenches, composed by diverse authentication systems.

[edit] Notes

1. ^ "Detecting Encrypted Interactive Stepping-stone Connections", ieeexplore.ieee.org, 2002, webpage (PDF file): IEEExplore-759.