Post on 14-Apr-2018
7/30/2019 ESP Technical Overview1
1/22
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Sponsored by the U.S. Department of Defense
© 2000 by Carnegie Mellon University
Carnegie Mellon University
Software Engineering Institute
ESP Technical Overview
Marty Lindner
September 2000
Agenda
What is ESP
Goals of the ESP
ESP Technology Overview
What is the ESP
Extranet for Security Professional
What is the ESP
From a user's perspective, the ESP is a web site used by a group of people sharing a common interest or need.
What is the ESP
From an IT professional's perspective, the ESP is a secure web environment created by using:
  Commercial Off The Shelf (COTS) products
  Good programming practices
  Strict network policies enforced by multiple firewalls and intrusion detection systems
  Automated intrusion detection software developed for the ESP environment
What is the ESP
A set of collaboration tools used through a common web interface:
  Mail Tool
  Calendar Tool
  Document Collaboration Tool
  Document Library
Goals of the ESP
Minimal cost to the end users
Provide a mechanism for sharing FOUO/SBU information over the public Internet
Maintain the highest level of security
ESP Technology Overview
End User Workstation
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
End User Workstation
One of the ESP goals is to minimize the cost to the end user.
The only end user requirement is a web browser that supports U.S. domestic encryption (128 bits).
The Internet
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
The Internet
The ESP technology makes one assumption about the Internet:
  You can not trust it!
To overcome this lack of trust, the ESP uses the Secure Socket Layer (SSL) protocol and X.509 certificates to provide authenticity, integrity and confidentiality.
  www.ietf.org/rfc/rfc2246.txt
SSL Security
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
SSL provides a secure path through the Internet.
Firewall Strategy
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
Multiple inline firewalls create a more complex maze for intruders to navigate.
Firewall Strategy
Multiple firewalls randomly inserted into the network topology:
  Sidewinder 5.0 www.securecomputing.com
  Guardian www.netguard.com
  Cisco Secure PIX Firewall www.cisco.com
  Linux IPchains www.linuxdocs.org
Network Monitoring
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
Passive network monitoring tools assist and automate the intrusion detection process.
Network Monitoring
Several passive network monitoring agents are used to detect signs of intrusion:
  Real Secure 3.2 www.iss.net
  Snort 1.6.3 www.snort.org
Web Server Security
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
The middleware enhances security by incorporating additional authentication techniques.
Web Server Security
System is dedicated to web services only
  No additional services offered
Software:
  Hardened Windows NT 4.0 www.microsoft.com
  Tripwire system integrity software 2.2.1 www.tripwire.com
  Netscape Enterprise Server 3.63 home.netscape.com
  Cold Fusion Server 4.5.1 www.allaire.com
Database Security
[Diagram: network layout with components labeled Workstation, Database Servers, Firewall, Firewall, Router, Web Servers and The Internet, and a mail message (To: George, Marty; From: Steve)]
The database only responds to authenticated requests from the Web servers.
Database Security
Database servers only accept communications from an authenticated IPsec session.
  www.ietf.org/rfc/rfc2401.txt
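The layered design described in the slides above (SSL in from the Internet, inline firewalls, IPsec-only access to the database), as an added example that is not part of the original presentation: a default-deny policy model showing which firewall boundary drops each connection attempt. The zone order, port 443, the rule contents and the sample flows are assumptions made for illustration; only connection initiation is modelled.

```python
# Added example: the deck's tiers modelled as ordered zones with a
# default-deny firewall on every boundary. Zone order, port 443 and the
# rule contents are assumptions, not values from the presentation.
from dataclasses import dataclass

ZONES = ["internet", "web", "db"]  # assumed order, outermost first

@dataclass(frozen=True)
class Flow:
    src: str       # zone that initiates the connection
    dst: str       # zone being contacted
    proto: str     # "tcp", "udp" or "esp" (IPsec ESP, IP protocol 50)
    port: int = 0  # destination port; unused for ESP

# One allow-list per boundary; anything not listed is dropped.
FIREWALLS = {
    ("internet", "web"): {Flow("internet", "web", "tcp", 443)},  # SSL only
    ("web", "db"): {Flow("web", "db", "esp")},                   # IPsec only
}

def boundaries(src, dst):
    """Firewall boundaries crossed going from src to dst, in order."""
    i, j = ZONES.index(src), ZONES.index(dst)
    hops = [(ZONES[k], ZONES[k + 1]) for k in range(min(i, j), max(i, j))]
    return hops if i <= j else hops[::-1]

def evaluate(flow):
    """Return (allowed, boundary that dropped the flow or None)."""
    for boundary in boundaries(flow.src, flow.dst):
        if flow not in FIREWALLS[boundary]:
            return False, boundary
    return True, None

# Constructed connection attempts (illustrative only).
SAMPLES = [
    Flow("internet", "web", "tcp", 443),  # browser to web server over SSL
    Flow("internet", "web", "tcp", 80),   # cleartext HTTP
    Flow("internet", "db", "tcp", 1433),  # direct database access
    Flow("web", "db", "tcp", 1433),       # web server outside IPsec
    Flow("web", "db", "esp"),             # web server inside IPsec
    Flow("db", "internet", "tcp", 443),   # database initiating outbound
]

if __name__ == "__main__":
    for f in SAMPLES:
        ok, where = evaluate(f)
        print(f, "ALLOW" if ok else f"DROP at {where}")
```

Because each boundary keeps its own allow-list, a flow from the Internet to the database is dropped at the outer firewall, and a web server that bypasses IPsec is still dropped at the inner one.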