INTERNET SECURITY - Advanced
Transcript of INTERNET SECURITY - Advanced

Page 1: Internet Security - Advanced

Page 2: Advanced Security Concepts
• Detailed look at the types of attacks
• Advanced explanation of solutions and technologies

Page 3: Types of Attack (STRIDE)
• Spoofing: attempting to gain access to a system by using a false identity
• Tampering: the unauthorized modification of data
• Repudiation: the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions

Page 4: Types of Attack (STRIDE)
• Information disclosure: the unwanted exposure of private data
• Denial of service: the process of making a system or application unavailable
• Elevation of privilege: occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application

Page 5: Microsoft Guide

Page 6: Microsoft Guide
Category: Guidelines
• Input Validation: Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.
• Authentication: Partition the site by anonymous, identified, and authenticated areas. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.
• Authorization: Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
• Configuration Management: Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.
• Sensitive Data: Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP GET method.
• Session Management: Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.
• Cryptography: Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.
• Parameter Manipulation: Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.
• Exception Management: Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.
• Auditing and Logging: Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.

Page 7: FBI Guide
BEST PRACTICES FOR ENTERPRISE NETWORK SECURITY MANAGEMENT (A.C.T.I.O.N.S)
• Authentication: Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts.
• Configuration management: Plan enterprise architecture and deployment with security in mind. Manage configurations so that you know exactly what hardware, operating systems and software are in use, including specific versions and patches applied; create robust access and software change controls; segregate responsibilities; implement best practices; and do not use default security settings.
• Training: Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security.
• Incident response: Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement.
• Organization network: Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge.
• Network management: Create a regular process to assess, remediate, and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts.
• Smart procurement: Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than "bolting it on" after the fact.
Source: President's Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace

Page 8: The Technological Solutions
• Access controls: software (e.g. challenge/response), hardware (e.g. firewalls, VPNs)
• Cryptography: encryption (e.g. private/public keys), digital certificates (e.g. SSL)

Page 9: The technologies
• SSL (Secure Sockets Layer): the SSL protocol is widely used to protect communications to and from the World Wide Web. Originally developed by Netscape Communications Corporation, SSL is built into most browsers and Web servers to provide data encryption, server authentication, message integrity, and optional client authentication.

Page 10: The technologies
• Firewalls: provide a perimeter defense to guard a network or its nodes against unauthorized users.
• VPNs (Virtual Private Networks): enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users far beyond the reach of private networks. Encrypted VPNs carry the private network traffic on a logical connection: a secure, encrypted "tunnel" over a public network.

Page 11: Point-to-Point Tunnelling
[Diagram: Virtual Private Network via PPTP. Labels: Encrypted TCP/IP packets, Internet, Tunnel, Firewall, Windows NT Server RAS, Corporate LAN, Domain authentication. Each site has a firewall and a Windows NT Server RAS in front of its corporate LAN, joined by the tunnel over the Internet.]

Page 12: The technologies
Windows Challenge/Response:
• does not send a password across the network
• uses the Internet standard MD4 hashing algorithm to produce a 16-byte (128-bit) hash
• impossible (theoretically) to take both the hash and the algorithm and mathematically reverse the process to determine the password
• the password serves as a "private key"

Page 13: Server security
• Windows Server software has strong levels of security - C2
• Web service restricted to specified virtual roots, e.g. WWWROOT
• IP filtering, e.g. port 80 only
• WWW Authentication: Anonymous, Basic Authentication, Challenge & Response
• Access rights (now Active Directory) by user, by file, by directory (now object)

Page 14: Server security
• Configuration of the server is key
• Security tips for server configuration: see resources at the end
• Holes are always being found in server software, so keep an eye on updates

Page 15: Cryptography
• Ancient mathematical science
• Algorithm strength
• Key length
• USA export restrictions
• Key management: how do you keep keys secret? Huge global scale

Page 16: Factoring
• Factoring a number means finding its prime factors
  10 = 2 x 5
  60 = 2 x 2 x 3 x 5
  252601 = 41 x 61 x 101
  2^113 - 1 = 3391 x 23279 x 65993 x 1868569 x 1066818132868207
• "… around 40 quadrillion years to factor a 125-digit number" - Ron Rivest (1977)
• In 1994, a 129-digit number was factored

Page 17: Evolution
• Factoring the 129-digit number in 1994 required 5000 MIPS-years and used the idle time on 1600 computers around the world over an eight-month period
• All predictions are out of date once they are made!

Page 18: Symmetric Cryptography
[Diagram: clear-text input -> Encryption -> cipher-text -> Decryption -> clear-text output. The same key is used for both encryption and decryption.]
Clear-text input: "One man went to mow, went to mow a meadow"
Cipher-text: "jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg"
Clear-text output: "One man went to mow, went to mow a meadow"

Page 19: Asymmetric Cryptography
[Diagram: clear-text input -> Encryption (receiver's public key) -> cipher-text -> Decryption (receiver's private key) -> clear-text output.]
Clear-text input: "One man went to mow, went to mow a meadow"
Cipher-text: "jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg"
Clear-text output: "One man went to mow, went to mow a meadow"

Page 20: Digital Signatures
[Diagram: Document -> message digest (HASH) -> encrypt with private key -> Digital Signature. Signed document = Document + Digital Signature.]

Page 21: Certificate Authorities
• Trusted third parties
• Certificate contents include:
  - Certificate Authority name
  - Certificate serial number
  - Identity of subject: name/organization/address
  - Public key of subject
  - Validity timestamps
• Signed by the Certificate Authority's private key
• X.509 defines the standards
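The certificate fields listed above, built and then checked the way Alice checks Bob's certificate, using Go's standard crypto/x509 package. This is an added example, not code from the slides; the CA name, subject identity, serial numbers and validity periods are constructed, and the CA is a throwaway self-signed root generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for subjectPub with the issuer's private key and
// returns the parsed result. A nil parent makes it self-signed (the CA root).
func issue(tmpl *x509.Certificate, parent *x509.Certificate, subjectPub any, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildChain creates a CA and issues Bob a certificate carrying the fields the
// slide lists: issuer (CA) name, serial number, subject identity, subject public
// key, validity timestamps, and the CA's signature over all of it. All values are constructed.
func buildChain(now time.Time) (ca, bob *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bobKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA", Organization: []string{"Example Trust Services"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, nil, &caKey.PublicKey, caKey)
	bobTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "Bob", Organization: []string{"Bob's Shop"}, Locality: []string{"Example City"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	bob = issue(bobTmpl, ca, &bobKey.PublicKey, caKey)
	return ca, bob
}

// verifyAt is Alice's check: the CA's public key must validate the signature
// and the certificate must be inside its validity window at time t.
func verifyAt(ca, leaf *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err
}
```

A certificate that verifies today fails the same check once its validity timestamps have passed, and a certificate issued by a CA Alice does not trust fails regardless of its dates.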

Page 22: Secure Channels (SSL/SET)
• Certification Authority (e.g. Verisign/Thawte): creates certificate, verifies certificate owner
• Provides: client authentication, server authentication, encryption, non-repudiation, data integrity, message authentication
• Stops: imposters, spies, vandals

Page 23: Secure Channels - authentication
Suppose Alice wants to verify Bob:
A -> B: "hello, I'm Alice" + random
B -> A: "hello, I'm Bob" + [Bob's Certificate]
Alice examines the certificate using the CA public key, checks the user is Bob and retrieves Bob's public key.
A -> B: "prove it"
B -> A: random2 + { digest[random2] } B_private_key   (digital signature)
Alice can verify the user is Bob by using Bob's public key and checking for a match.

Page 24: Secure Channels - authentication
A bad guy Klone could do:
A -> K: "hello, I'm Alice" + random
K -> A: "hello, I'm Bob" + [Bob's Certificate]
A -> K: "prove it"
K -> A: ????
Klone does not have Bob's private key and so cannot construct a message that Alice will believe.

Page 25: Secure Channels - encryption
Alice can now send a message that only Bob can decipher:
A -> B: {Secret_Key} B_public_key
Both sides now know the secret key and can use a symmetric cryptographic algorithm for future transmissions:
A -> B: {message X} Secret_Key
B -> A: {message Y} Secret_Key
There is a lot of debate about how long a secret key should be in order to be effective.

Page 26: Secure Channels - message auth.
A bad guy Sniffer could do:
A -> S -> B: "hello, I'm Alice" + random
B -> S -> A: "hello, I'm Bob" + [Bob's Certificate]
A -> S -> B: "prove it"
B -> S -> A: random2 + { digest[random2] } B_private_key
A -> S -> B: {Secret_Key} B_public_key
S -> B: {message X} Secret_Key
S -> A: garbled message
Sniffer is unlikely to produce a valid message - but he might get lucky! Alice is trusting Bob, so she would act upon the message.

Page 27: Secure Channels - message auth.
MAC := digest[message, secret]
• Message Authentication Code (MAC): calculated using a digest algorithm on the message (or part of it) and the secret
• Sniffer does not know the secret: cannot compute the right value; chance of guessing is remote
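The exchanges on pages 23 to 27 (Bob's signed proof over the random challenge, Klone's failure without Bob's private key, the Secret_Key wrapped under Bob's public key, and the MAC that lets the receiver reject Sniffer's garbled message) played end to end, as an added Go standard-library example that is not code from the slides. RSA PKCS#1 v1.5 signatures, RSA-OAEP key wrapping and HMAC-SHA256 are assumed as the concrete algorithms; certificate checking is left out and Alice is assumed to already hold Bob's public key from his certificate.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// proveIdentity is Bob's reply to "prove it": the slide's { digest[random2] } B_private_key.
func proveIdentity(priv *rsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyIdentity is Alice's check with the public key from Bob's certificate.
func verifyIdentity(pub *rsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// wrapSecret is Alice's {Secret_Key} B_public_key step; unwrapSecret is Bob's side.
func wrapSecret(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}
func unwrapSecret(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// mac realises the slide's MAC := digest[message, secret] as HMAC-SHA256.
func mac(secret, message []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(message)
	return m.Sum(nil)
}

// checkMAC runs before the receiver acts on a message; without the secret a
// Sniffer cannot forge the tag, and an altered message no longer matches it.
func checkMAC(secret, message, tag []byte) bool {
	return hmac.Equal(mac(secret, message), tag) // constant-time compare
}

// runExchange plays the sequence once and reports whether Bob authenticated,
// whether Klone's proof (made with his own key) passed, whether Bob recovered
// the session key, and whether a message altered in transit passed the MAC.
func runExchange() (bobOK, kloneOK, keyOK, tamperOK bool) {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	klone, _ := rsa.GenerateKey(rand.Reader, 2048) // Klone's own key, not Bob's
	challenge := make([]byte, 32)                   // Alice's fresh random
	rand.Read(challenge)
	bobOK = verifyIdentity(&bob.PublicKey, challenge, proveIdentity(bob, challenge))
	kloneOK = verifyIdentity(&bob.PublicKey, challenge, proveIdentity(klone, challenge))
	secret := make([]byte, 32) // constructed session key for this run
	rand.Read(secret)
	wrapped, _ := wrapSecret(&bob.PublicKey, secret)
	recovered, err := unwrapSecret(bob, wrapped)
	keyOK = err == nil && hmac.Equal(recovered, secret)
	tag := mac(secret, []byte("message X"))
	tamperOK = checkMAC(secret, []byte("message Y"), tag) // Sniffer changed the text
	return
}
```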

Page 28: Secure Sockets
• Security protocols, e.g. Secure Sockets Layer (SSL): encryption, authentication of messages, authentication of end-points (i.e. client and server)
[Diagram: protocol layers, top to bottom: HTTP / Telnet / Gopher / FTP; SSL/PCT; TCP; IP.]
• TCP/IP is designed to operate in layers

Page 29: SEC - Secure Electronic Commerce
• Satisfy customer requirements for secure payment: consumers, merchants, banks, brands
• Enable electronic commerce applications
• Provide interoperability
[Diagram: Electronic payment. Parties: Certification authority, Cardholder, Merchant, Acquirer.]

Page 30: Viruses
• Digital code signatures (Authenticode): provide accountability for Java applets and ActiveX controls
• Issued by a Certificate Authority
• Contents include: Certificate Authority name, certificate serial number, identity of subject (name/organization/address), public key of subject, validity timestamps
• Signed by the C.A. private key
• X.509 defines the standards
[Diagram labels: Accountability, TRUST]

Page 31: Summary
• Many facets
• Biggest danger is internal: not implementing or fully understanding the available technologies
• Risk assessment, suitable response
• A process that must evolve

Page 32: Advanced Resources
• 'ASP/MTS/ADSI Web Security', Richard Harrison, 1999, Prentice Hall
• Latest Microsoft Security bulletins: http://www.microsoft.com/technet/security/current.asp
• Microsoft IIS Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp
• Apache Security Tips: http://httpd.apache.org/docs/misc/security_tips.html
• Top Ten Security Issues: http://www.sans.org/topten.htm
• How SSL works: http://developer.netscape.com/tech/security/ssl/howitworks.html
• Secure Applications Using Microsoft Technologies: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Page 33: Alternatives - clients
• Browsers: Microsoft Internet Explorer, Netscape Navigator, Mozilla etc.
• Browser objects: Microsoft ActiveX, Java Applets

Page 34: Alternatives - file systems
[Diagram (repeated on pages 34 to 39): Web Server -> File System -> Files / Programs -> Server -> DATA]
• File systems: Microsoft Windows 2000+
• Unix: HP/UX, IBM AIX, Sun Solaris etc.
• IBM AS/400 etc.

Page 35: Alternatives - web servers
• Web servers: Apache (TomCat), Microsoft Internet Information Server, Oracle WebServer, Sun One etc.

Page 36: Alternatives - server extensions
• Programs: Microsoft: .Net, ASP, ISAPI
• Common Gateway Interface: C, Perl, Java etc.
• PHP, Java Servlets, JSP

Page 37: Alternative - files
• Files contain: HTML, XML, .Net, ASP, JavaScript, JScript, VBScript, REXX, and any other scripting language (you can make up your own)

Page 38: Alternatives - data
• Access data via:
  - Microsoft: ADO.Net, ADO (Active Data Objects), RDS (Remote Data Services)
  - Java: JDBC, Jconnect (Sybase)
  - Database vendors' client tools: Microsoft SQL Server (db lib, ODBC), Microsoft Access (DAO, OLE DB), Oracle (SQL*Net), Sybase (db lib), others

Page 39: Alternatives - data access
• Data:
  - Microsoft: SQL Server, Access, any document via MAPI, OLE-DB, etc.
  - Oracle 6/7, Sybase, MySQL, Interbase, Informix, others