20-771: Computer Security Lecture 14: Web, Firewalls
Transcript of 20-771: Computer Security Lecture 14: Web, Firewalls
Lecture 14, 20-771: Computer Security, Fall 2002
20-771: Computer Security, Lecture 14: Web, Firewalls
Robert Thibadeau
School of Computer Science
Carnegie Mellon University
Institute for eCommerce, Fall 2002
Today’s lecture
• Web Security
• Firewall
• Q&A
This Week
• Read WS 14
Exam Wed 6PM
Windows 2000 IPAAA Model (diagram; recovered labels)
• Win 2000 Security: Files & Other Objects; Web Site (IIS – IE5); Services (some other time...)
• YOU! – username, password, certificate, kerberos
• Active Directory: DACLs for Authorization; SACLs for Audit
• Other Machines: Certs for Authentication
• Secure Network: Privacy – SSL & IPSec
• A User: User/groups; Rights (e.g., delegation)
• Web Visitor
• Internal Privacy: File Encryption
• Certs for Integrity
PKI works with two mechanisms
• Using the CA's public key to verify the signature on your public-key certificate (typically, the CA signs your PK cert).
  – The CA vouches for you in a way that cannot be denied
  – Key compromise
    » Key revocation is a problem
• A file or resource grants access when the requestor demonstrates that it can privately encode something the resource can publicly decode (or that the resource can publicly encode something only the requestor can privately decode).
  – You can have MORE than one PK on a file or resource
  – Example was the revocation list
  – A user (not a group) is the owner of a private/public key pair
  – The private key can be held by Windows Base Crypto Services or on a Smart Card.
Our Class (course map diagram; recovered labels)
• Whole Facility / Internet Security – Protocols/Policy/Publicity
• Path Security – Physical security
• Proxy/Router Security – Kind of Server
• Host Security – Server Security, Client Security
• Server Applications, Client Applications
• Proxy/Router Applications – Put in Hardware! (buy CISCO)
• Security Server Applications – WINDOWS 2000
• Security Assurance Applications
• Web Server Security, Web Client Security
• Technology, The Law
• Cryptography How To
• Integrity/Privacy/Authenticate/Authorize/Record
Exam
• What is a security association?
• What did you have to do to get encrypted email to work with a few of your classmates?
• One or more of the following:
• In 100 Words, Explain how file encryption works in Windows.
• In 100 Words, Explain how Kerberos works and what it protects.
• Analyse Windows in terms of IPAAAA in 100 words.
• What does Interdomain (or across domain, or across realm) Trust Mean?
• Why is a ‘memory only’ smart card a possible security problem?
• Explain the DACL in 100 words.
• Explain the SACL in 100 words.
• How is a file authorized to a user in Windows 2000/XP in 150 words?
• Summarize the chapter on X in Stein (since mid term) in two sentences.
WS 9. Configuring Win NT Web Server
• Know how to set one up (what to expect from IIS)
• Windows 2000 is IIS 5
• Security Scanner http://security1.norton.com
IIS
• Microsoft Internet Information Server
  – Like Apache and all others, has its own layer of authorization and authentication
  – Apache's is completely separate (see .htaccess)
  – IIS is/can be completely integrated into the Domain
    » Including trust among domains
• Front Page
  – Yet another access/authorization layer, permitting authoring but no other access in the domain
  – Careful! FP uses ".htaccess"-type files peppered around the directories, giving FP access (not integrated into the ACLs!)
  – DO NOT APPLY GLOBAL ACCESS CHANGES ON FP DIRECTORIES WITHOUT USING FP! (You may need a special FP administration tool to re-set all the access controls).
IIS
• Standard HTTP Server
  – Can basically behave exactly like one that utilizes all the features of HTTP and related protocols (e.g., SSL, CGI, virtual hosting).
  – Very easy to manage (right click and look).
  – Since users/groups in and between domains are the same as in Active Directory, use "Security" (not "Sharing") permissions to set up Web access.
  – Creating the user "WebServer" for the web server (p. 230 Stein) is probably still good. Note this is the creator-owner of the server and has to have local login rights.
Access Rights

| Group          | Admin Tools | Logs | Scripts | Documents |
|----------------|-------------|------|---------|-----------|
| Web Masters    | R           | R    | RW      | RW        |
| Web Developers | -           | -    | RW      | RW        |
| Web Authors    | -           | -    | R       | RW        |
| Guests         | -           | -    | R       | R         |

Don't make yourself a web author and web master – you'll wind up being a web author!
Web Access Control
• Basic Access
  – Response to a 401
  – Client sends the username and password Base64-encoded, i.e. as plaintext!
  – This is in the clear unless SSL protected!
• Digest Authentication
  – Server sends a "nonce"
  – Client sends an MD5 digest, not the password: the digest covers the hashed username/realm/password, the nonce, the method and the URL, which gives those fields integrity
  – Server checks against the stored hashed password, not the plaintext password
  – Replay attack fails (except for the same page, while that nonce is still accepted).
• Kerberos ('Windows Authentication'), including SSL Smartcard Client
• IE 5.0 and IIS5 incorporate good security together.
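To make the difference between the two schemes concrete, here is an added Python example (not code from the lecture, from IIS or from Stein): it builds the Basic header and shows how trivially it is decoded, then runs the RFC 2617 Digest exchange (the form without qop) with a server that stores only the hashed password, and checks which replays succeed. The user, password and realm are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed test credentials and realm (assumptions for this example, not from the lecture).
USERNAME = "webmaster"
PASSWORD = "correct horse battery staple"
REALM = "iis@example.com"


def basic_authorization_header(username, password):
    """The Authorization header a client sends in reply to a 401 with Basic.

    Base64 is an encoding, not encryption: anyone who can read the request
    (no SSL/TLS) recovers the password with basic_decode() below.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_decode(header):
    """What an eavesdropper does with a captured Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    # Only the first colon separates user from password; passwords may contain colons.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). This is all the server needs to store."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:MD5(method:uri)).

    Binding the method and URI into HA2 is what stops a captured response
    from being replayed against a different page.
    """
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: issues nonces, stores only HA1, checks responses."""

    def __init__(self):
        self._ha1 = {}
        self._live_nonces = set()

    def add_user(self, username, password):
        self._ha1[username] = digest_ha1(username, REALM, password)

    def challenge(self, nonce=None):
        """Return a fresh nonce for the WWW-Authenticate header."""
        nonce = nonce or secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response, single_use=False):
        """True if `response` is valid for this user, nonce, method and URI.

        With single_use=True the nonce is retired after one successful use,
        which closes the remaining replay window for the same page.
        """
        ha1 = self._ha1.get(username)
        if ha1 is None or nonce not in self._live_nonces:
            return False
        expected = digest_response(ha1, nonce, method, uri)
        ok = hmac.compare_digest(expected, response)
        if ok and single_use:
            self._live_nonces.discard(nonce)
        return ok


def demo():
    """Walk through both schemes; returns a dict of the observations."""
    header = basic_authorization_header(USERNAME, PASSWORD)
    sniffed = basic_decode(header)

    server = DigestServer()
    server.add_user(USERNAME, PASSWORD)
    nonce = server.challenge()
    client_ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    captured = digest_response(client_ha1, nonce, "GET", "/logs/")  # what a sniffer sees
    return {
        "basic_header": header,
        "basic_password_recovered": sniffed == (USERNAME, PASSWORD),
        "digest_ok": server.verify(USERNAME, nonce, "GET", "/logs/", captured),
        "replay_same_page": server.verify(USERNAME, nonce, "GET", "/logs/", captured),
        "replay_other_page": server.verify(USERNAME, nonce, "GET", "/admin/", captured),
        "replay_other_method": server.verify(USERNAME, nonce, "POST", "/logs/", captured),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replay of the captured response against the same page succeeds unless the server retires nonces (the `single_use` path) or uses the qop=auth nonce counter; replays against another page or method fail because the URI and method are inside the digest. Digest still rests on MD5 and offers no confidentiality for the page itself, so in practice both schemes belong behind SSL/TLS.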
WS 10. Web Access Control
• Apache has a separate user/group system layered on top of Unix.
• IIS uses the user/group access system built into the MS Windows OS.
• Principles of these systems are largely universal. Always do a security check to "tighten down" access as much as possible
  – Lincoln Stein is right : define special, highly limited groups if you expose parts of your machine to the Internet.
Firewalls : Big Ideas
• Just a modified Gateway or Router or Server that doesn't let every packet or message through.
• Extremely important as a single point of control.
• Dedicated hardware (a Bastion host) is essential when possible
• Major Distinctions
  – Circuit Level (TCP connections relayed without looking at application data)
  – Application Level (http, ftp, etc.)
  – Packet Filters (ip/tcp ports and machines)
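The packet-filter distinction is easiest to see in a rule table. The following Python is an added example, not code from the lecture or from any firewall product: a first-match, default-deny filter over constructed packets, with the rules a perimeter in front of a Windows web server would want (anti-spoofing, no RPC/NetBIOS across the perimeter, only the web server reachable from outside). The topology (inside LAN 10.0.0.0/8, web server 10.0.0.5) is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed topology for this example (assumptions, not from the lecture):
# the inside LAN is 10.0.0.0/8 and 10.0.0.5 is the public web server.
INSIDE = "10.0.0.0/8"
WEB_SERVER = "10.0.0.5/32"


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    iface: Optional[str] = None
    src: Optional[str] = None             # CIDR; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None
    new_conn: Optional[bool] = None       # True: only SYN-only packets; False: only non-SYN
    comment: str = ""

    def matches(self, p):
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.new_conn is not None and p.syn_only != self.new_conn:
            return False
        return True


NETBIOS_RPC = frozenset({135, 137, 138, 139})

# First matching rule wins; anything unmatched is dropped (default deny).
POLICY = [
    Rule("deny", iface="outside", src=INSIDE, comment="anti-spoofing: outside packet claims an inside source"),
    Rule("deny", proto="tcp", dports=NETBIOS_RPC, comment="Windows RPC/NetBIOS never crosses the perimeter"),
    Rule("deny", proto="udp", dports=NETBIOS_RPC, comment="Windows RPC/NetBIOS never crosses the perimeter"),
    Rule("allow", iface="outside", dst=WEB_SERVER, proto="tcp", dports=frozenset({80, 443}),
         comment="public web server"),
    Rule("deny", iface="outside", new_conn=True, comment="unsolicited inbound connection"),
    Rule("allow", iface="outside", proto="tcp", new_conn=False,
         comment="reply traffic for inside-initiated TCP (stateless 'established' check)"),
    Rule("allow", iface="inside", src=INSIDE, proto="tcp", dports=frozenset({80, 443}), comment="web out"),
    Rule("allow", iface="inside", src=INSIDE, proto="udp", dports=frozenset({53}), comment="DNS out"),
]


def filter_packet(p, policy=POLICY):
    """Return ('allow'|'deny', reason) for one packet under a first-match policy."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("outside", "203.0.113.9", "10.0.0.5", "tcp", 51000, 80, True),
        Packet("outside", "203.0.113.9", "10.0.0.5", "tcp", 51000, 139, True),
        Packet("outside", "10.0.0.7", "10.0.0.5", "tcp", 51000, 80, True),
        Packet("outside", "198.51.100.1", "10.0.0.20", "tcp", 443, 50000, False),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(pkt))
```

The "reply traffic" rule is the classic stateless trick: anything from outside that is not a bare SYN is assumed to belong to a connection an inside host opened. It is also the weakness of pure packet filters, since an attacker can send ACK-flagged probes that pass this rule; stateful filters keep a connection table instead of trusting the flags.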
How to think about firewalls: OSI layers
• Data link layer
• Network
• Transport
• Session
• Presentation
• Application
• Application Specific Access Controls
Typical Firewall (diagram: Inside LAN – Firewall Computer, Stein's "Bastion" – Outside LAN/WAN, with physical separation between the two sides)
Sometimes you use a router (hardware) to direct "interesting packets" to the Firewall Computer, to be forwarded if allowed. This is common for application layers, like web proxies.
"Proxy Servers" are application-layer firewall/filter agents. They pretend to be the destination. When and why do they work?
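An application-layer proxy works because it terminates the client's connection and reads the request itself, so it can decide on the method and the destination name, which a packet filter never sees. As an added illustration (not code from the lecture or from any proxy product), here is the decision logic of a minimal HTTP forward proxy in Python: it parses the request line, rejects malformed input, limits CONNECT tunnels to port 443, and forwards only to an allowlist. The allowed hosts and methods are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy for this example (an assumption, not from the lecture):
# the proxy relays only to these hosts, with these methods.
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 8192


def parse_request_line(raw):
    """Return (method, target, version) from the first line of an HTTP request.

    Raises ValueError on anything that is not a well-formed request line.
    """
    head, _, _ = raw.partition(b"\r\n")
    if len(head) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    try:
        parts = head.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request line")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def decide(raw):
    """Application-level decision for one proxied request.

    Returns ('forward', host, port) or ('reject', reason). The proxy opens its
    own connection to the server only when policy says so; the client never
    talks to the destination directly.
    """
    try:
        method, target, _ = parse_request_line(raw)
    except ValueError as e:
        return ("reject", f"unparseable request: {e}")

    if method == "CONNECT":
        # Tunnel request: the proxy sees only host:port, never the payload,
        # so restrict it to the one port where an opaque tunnel is expected.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit() or int(port) != 443:
            return ("reject", "CONNECT only to port 443")
        if host not in ALLOWED_HOSTS:
            return ("reject", f"host {host} not allowed")
        return ("forward", host, 443)

    if method not in ALLOWED_METHODS:
        return ("reject", f"method {method} not allowed")
    try:
        u = urlsplit(target)
        port = u.port or 80          # .port raises ValueError on a bad port
    except ValueError:
        return ("reject", "bad URI")
    if u.scheme != "http" or not u.hostname:
        return ("reject", "proxy requests must use absolute http:// URIs")
    if u.hostname not in ALLOWED_HOSTS:
        return ("reject", f"host {u.hostname} not allowed")
    return ("forward", u.hostname, port)


if __name__ == "__main__":
    # Constructed requests, as a browser configured to use the proxy would send them.
    for req in (b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                b"CONNECT www.example.com:25 HTTP/1.1\r\n\r\n",
                b"GET http://evil.example.net/ HTTP/1.1\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", decide(req))
```

This is where the proxy earns its keep and where its limit lies: it can enforce per-host and per-method policy and log it, but a CONNECT tunnel is opaque to it, which is why the example pins tunnels to the HTTPS port.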
Proxy ARP Firewall (diagram: Inside LAN – eth0 – Proxy ARP Firewall Computer – eth1 – Outside LAN/WAN)
• Proxy ARP responds to ARP (Address Resolution Protocol) requests with its own hardware address, so it gets the packets.
• Needs two (physical) interfaces: on eth0 ARPs are all correct, but on eth1 all protected computer IP addresses get ARPed with the Firewall's hardware address.
• (an 'inside the LAN' Firewall)
• ARP: broadcast "what's the hardware address for IP address n.n.n.n?"
NAT
• Masquerading Firewalls: look like one set of addresses from the outside and another from the inside.
• Address Translation (NATs): many machines, one address, and also to hide the many machines (one address from outside).
• Inside address ranges: 192.168.*.* and 10.*.*.* (RFC 1918 private ranges)
• NATs are an RFC! www.rfc-editor.com RFC 1631
• Class A (1-126) – about 16.7 million hosts each
• Class B (128-191) – about 65,000 hosts
• Class C (192-223) – 256 addresses (254 usable hosts)
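The masquerading idea, many private machines behind one public address, comes down to a translation table. The following Python is an added example (not code from the lecture or from RFC 1631): it rewrites outbound packets to the firewall's public address and a fresh port, maps replies back, and drops anything from outside that no inside host asked for. The addresses are constructed; the inside side is checked against the RFC 1918 private ranges.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private ranges: the addresses used inside a masquerading firewall.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerade:
    """Many inside machines share one public address (constructed example).

    Outbound packets get their source rewritten to (public_ip, fresh port);
    the mapping is remembered so the reply can be rewritten back. A packet
    arriving from outside with no mapping is dropped, which is what hides the
    inside machines: nothing outside can address them directly.
    """

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        if is_private(public_ip):
            raise ValueError("public side of a NAT must not be a private address")
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        self._out = {}  # (inside_ip, inside_port, dst, dport, proto) -> public port
        self._in = {}   # (public port, remote_ip, remote_port, proto) -> (inside_ip, inside_port)

    def _allocate_port(self):
        if self._next_port > self._last_port:
            raise RuntimeError("translation table full")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, p):
        """Rewrite an inside->outside packet; returns the packet as sent outward."""
        if not is_private(p.src):
            raise ValueError(f"{p.src} is not an inside address")
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        port = self._out.get(key)
        if port is None:
            port = self._allocate_port()
            self._out[key] = port
            self._in[(port, p.dst, p.dport, p.proto)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p):
        """Rewrite an outside->inside packet, or return None to drop it."""
        if p.dst != self.public_ip:
            return None
        inside = self._in.get((p.dport, p.src, p.sport, p.proto))
        if inside is None:
            return None  # no inside host asked for this: unsolicited, dropped
        return replace(p, dst=inside[0], dport=inside[1])


if __name__ == "__main__":
    nat = Masquerade("203.0.113.1")
    out = nat.outbound(Packet("192.168.1.10", 1234, "198.51.100.7", 80))
    print("sent as", out)
    print("reply  ", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.sport)))
    print("probe  ", nat.inbound(Packet("203.0.113.99", 4444, "203.0.113.1", out.sport)))
```

Because the reverse mapping is keyed on the remote address and port as well as the public port, a third party who guesses a mapped port still gets nothing; that is the endpoint-dependent filtering that makes a masquerading NAT behave like a stateful firewall for inbound traffic, even though NAT was designed for address conservation, not security.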
What’s a Proxy?
• Needs to be defined in the protocol.
• Layer and Message Structure?
• IP: Source IP, Dest IP, ID, PROTOCOL, Length
Windows 2000 Firewall
• ISA Server (Microsoft's firewall/proxy product)
• http://support.microsoft.com/support/kb/articles/q179/4/42.asp
  – Ports 135, 137, 138, 139: domain trust (RPC endpoint mapper and NetBIOS)
  – Ports 389, 636, 3268, 3269, 88: LDAP, LDAP over SSL, Global Catalog, Global Catalog over SSL, and Kerberos
• IPSec gateway (tunnel) mode is for firewalls that have to do proxy or address translation.
European Union (modern buildings in background).
Information Privacy
• Technology • Law
No matter how much you want to, you can't get technology out of privacy or the law out of privacy
Privacy (for People)
• Privacy means keeping things secret
• PII : Personally Identifiable Information
• PI : Personal Information
• Basic Tension:
  – Keep people safe from intrusion (BBB Online)
  – Market to people (Direct Marketing Assn.), keep statistics important to research and operations such as medicine and hospitals
• Literature : a major branch of security
  – Elaborate systems for anonymity
Out of Common Criteria
• Types of information privacy
  – Anonymity
  – Pseudonymity
  – Unlinkability
  – Unobservability
• User control / info management
  – Notification, consent, accessibility, validation
• Security protection
Technological Organization (Dr. David-Olivier Jaquet-Chiffelle)
(diagram: Anonymity, Unlinkability, Unobservability and Pseudonymity placed on a Theoretical/Practical axis and a Conditional/Unconditional axis)
Legal/Technical Organization: 'The Law defines its own world'
(diagram: the same properties, Anonymity, Unlinkability, Unobservability and Pseudonymity, placed on a Law/Technical axis and a Conditional/Unconditional axis)