INTERNET SECURITY - Advanced (39 pages)
Posted: 19-Dec-2015
Category: Documents


Transcript of the slides:

Page 1

Internet Security - Advanced

Page 2

Advanced Security Concepts

Detailed look at the types of attacks

Advanced explanation of solutions and technologies

Page 3

Types of Attack (STRIDE)

Spoofing: attempting to gain access to a system by using a false identity.

Tampering: the unauthorized modification of data.

Repudiation: the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions.

Page 4

Types of Attack (STRIDE), continued

Information disclosure: the unwanted exposure of private data.

Denial of service: making a system or application unavailable.

Elevation of privilege: occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application.

Page 5

Microsoft Guide

Page 6

Microsoft Guide: guidelines by category

Input Validation: Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.

Authentication: Partition the site into anonymous, identified, and authenticated areas. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.

Authorization: Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.

Configuration Management: Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.

Sensitive Data: Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP GET method.

Session Management: Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.

Cryptography: Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.

Parameter Manipulation: Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.

Exception Management: Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.

Auditing and Logging: Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.

Page 7

FBI Guide

BEST PRACTICES FOR ENTERPRISE NETWORK SECURITY MANAGEMENT (A.C.T.I.O.N.S.)

Authentication: Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts.

Configuration management: Plan enterprise architecture and deployment with security in mind. Manage configurations so you know exactly what hardware, operating systems and software are in use, including specific versions and patches applied; create robust access and software change controls; segregate responsibilities; implement best practices; and do not use default security settings.

Training: Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security.

Incident response: Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement.

Organization network: Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge.

Network management: Create a regular process to assess, remediate, and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts.

Smart procurement: Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than "bolting it on" after the fact.

Source: President's Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace

Page 8

The Technological Solutions

Access controls: software (e.g. Challenge/Response) and hardware (e.g. firewalls, VPNs).

Cryptography: encryption (e.g. private/public keys) and digital certificates (e.g. SSL).

Page 9

The technologies

SSL (Secure Sockets Layer): the SSL protocol is widely used to protect communications to and from the World Wide Web. Originally developed by Netscape Communications Corporation, SSL is built into most browsers and Web servers to provide data encryption, server authentication, message integrity, and optional client authentication.

Page 10

The technologies

Firewalls: provide a perimeter defense to guard a network or its nodes against unauthorized users.

VPNs (Virtual Private Networks): enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users far beyond the reach of private networks. Encrypted VPNs carry the private network traffic on a logical connection: a secure, encrypted "tunnel" over a public network.

Page 11

Point-to-Point Tunnelling

[Figure: Virtual Private Network via PPTP. Labels: Encrypted TCP/IP packets, Internet, Tunnel, Firewall, Windows NT Server RAS, Corporate LAN, Domain authentication. Two sites are shown, each with a firewall, a Windows NT Server running RAS, and a corporate LAN, joined by the tunnel across the Internet.]

Page 12

The technologies

Windows Challenge/Response: does not send a password across the network; uses the Internet standard MD4 hashing algorithm to produce a 16-byte (128-bit) hash; it is (theoretically) impossible to take both the hash and the algorithm and mathematically reverse the process to determine the password; the password serves as a "private key".

Page 13

Server security

Windows Server software has strong levels of security (C2).

Web service restricted to specified virtual roots, e.g. WWWROOT.

IP filtering, e.g. port 80 only.

WWW Authentication: Anonymous, Basic Authentication, Challenge & Response.

Access rights (now Active Directory) by user, by file, by directory (now object).

Page 14

Server security

Configuration of the server is key. For security tips on server configuration, see the resources at the end.

Holes are always being found in server software, so keep an eye on updates.

Page 15

Cryptography

Ancient mathematical science.

Algorithm strength; key length.

USA export restrictions.

Key management: how do you keep keys secret on a huge global scale?

Page 16

Factoring

Factoring a number means finding its prime factors:

10 = 2 x 5
60 = 2 x 2 x 3 x 5
252601 = 41 x 61 x 101
2^113 - 1 = 3391 x 23279 x 65993 x 1868569 x 1066818132868207

"... around 40 quadrillion years to factor a 125-digit number" (Ron Rivest, 1977)

In 1994, a 129-digit number was factored.

Page 17

Evolution

Factoring the 129-digit number in 1994 required 5000 MIPS-years and used the idle time on 1600 computers around the world over an eight-month period.

All predictions are out of date once they are made!

Page 18

Symmetric Cryptography

[Figure: clear-text input "One man went to mow, went to mow a meadow" -> Encryption -> cipher-text "jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg" -> Decryption -> clear-text output "One man went to mow, went to mow a meadow". The same key is used for both encryption and decryption.]

Page 19

Asymmetric Cryptography

[Figure: clear-text input "One man went to mow, went to mow a meadow" -> Encryption with the receiver's public key -> cipher-text "jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg" -> Decryption with the receiver's private key -> clear-text output "One man went to mow, went to mow a meadow".]

Page 20

Digital Signatures

[Figure: Document -> HASH -> message digest -> encrypt with private key -> digital signature. The signed document is the document together with its digital signature.]

Page 21

Certificate Authorities

Trusted third parties. Certificate contents include: Certificate Authority name; certificate serial number; identity of subject (name/organization/address); public key of subject; validity timestamps. The certificate is signed by the Certificate Authority's private key. X.509 defines the standards.

Page 22

Secure Channels (SSL/SET)

Certification Authority (e.g. Verisign/Thawte): creates the certificate and verifies the certificate owner.

Provides: client authentication, server authentication, encryption, non-repudiation, data integrity, message authentication.

Stops: imposters, spies, vandals.

Page 23

Secure Channels - authentication

Suppose Alice wants to verify Bob:

A -> B: "hello, I'm Alice" + random

B -> A: "hello, I'm Bob" + [Bob's Certificate]

Alice examines the certificate using the CA public key, checks that the user is Bob and retrieves Bob's public key.

A -> B: "prove it"

B -> A: random2 + { digest [random2] } B_private_key    (a digital signature)

Alice can verify that the user is Bob by using Bob's public key and checking for a match.

Page 24

Secure Channels - authentication

A bad guy, Klone, could do:

A -> K: "hello, I'm Alice" + random

K -> A: "hello, I'm Bob" + [Bob's Certificate]

A -> K: "prove it"

K -> A: ????

Klone does not have Bob's private key and so cannot construct a message that Alice will believe.

Page 25

Secure Channels - encryption

Alice can now send a message that only Bob can decipher:

A -> B: {Secret_Key} B_public_key

Both sides now know the secret key and can use a symmetric cryptographic algorithm for future transmissions:

A, B: {message X} Secret_Key

A, B: {message Y} Secret_Key

There is lots of debate about how long a secret key should be in order to be effective.

Page 26

Secure Channels - message authentication

A bad guy, Sniffer, sitting between Alice and Bob could do:

A -> S -> B: "hello, I'm Alice" + random

B -> S -> A: "hello, I'm Bob" + [Bob's Certificate]

A -> S -> B: "prove it"

B -> S -> A: random2 + { digest [random2] } B_private_key

A -> S -> B: {Secret_Key} B_public_key

S, B: {message X} Secret_Key

S -> A: garbled message

Sniffer is unlikely to produce a valid message, but he might get lucky!!! Alice is trusting Bob, so she would act upon the message.

Page 27

Secure Channels - message authentication

MAC := digest[message, secret]

Message Authentication Code (MAC): calculated using a digest algorithm on the message (or part of it) and the secret.

Sniffer does not know the secret: he cannot compute the right value, and the chance of guessing it is remote.
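The exchange on pages 23 to 27 (CA-signed certificate, "prove it" challenge, Klone failing without Bob's private key, the wrapped secret key, and a MAC that rejects Sniffer's garbled message), together with the signature-as-encrypted-digest idea of pages 20 and 21, as an added Python model; this is example code, not from the original slides. It assumes textbook RSA over constructed small primes in place of a real certificate scheme, SHA-256 as the digest and HMAC-SHA256 as the MAC; all names, key values and messages are constructed.

```python
import hashlib
import hmac

# Toy textbook RSA over constructed ~20-bit primes: it stands in for the
# slides' certificate/signature scheme and is NOT secure, only illustrative.
E = 65537

def make_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)                      # (public key, private key)

def digest_int(data: bytes, n: int) -> int:    # digest[data], reduced mod n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:            # {digest[data]} private_key
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def cert_bytes(subject: str, pub) -> bytes:    # what the CA signs
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

# Constructed keys: the CA and Bob each get their own prime pair.
CA_PUB, CA_PRIV = make_keypair(1000003, 1000033)
BOB_PUB, BOB_PRIV = make_keypair(1000037, 1000039)
BOB_CERT = ("Bob", BOB_PUB, sign(CA_PRIV, cert_bytes("Bob", BOB_PUB)))

def alice_authenticates(cert, random2: bytes, proof: int) -> bool:
    """Alice's side: the certificate must be CA-signed for Bob, and the
    'prove it' answer must verify under the certified public key."""
    subject, pub, ca_sig = cert
    if subject != "Bob" or not verify(CA_PUB, cert_bytes(subject, pub), ca_sig):
        return False
    return verify(pub, random2, proof)

def bob_proves(random2: bytes) -> int:         # Bob holds B_private_key
    return sign(BOB_PRIV, random2)

def klone_proves(random2: bytes) -> int:
    # Klone replays Bob's certificate but lacks Bob's private key; the best
    # he can do is sign with a key of his own, which fails verification.
    _, klone_priv = make_keypair(1000003, 1000039)
    return sign(klone_priv, random2)

# Key exchange {Secret_Key} B_public_key, then MAC := digest[message, secret]
def wrap_secret(pub, secret: int) -> int:
    n, e = pub
    return pow(secret, e, n)

def unwrap_secret(priv, wrapped: int) -> int:
    n, d = priv
    return pow(wrapped, d, n)

def mac(secret: int, message: bytes) -> bytes:
    return hmac.new(secret.to_bytes(8, "big"), message, "sha256").digest()

def bob_accepts(secret: int, message: bytes, tag: bytes) -> bool:
    # Sniffer cannot compute the right tag without the secret, so a garbled
    # or substituted message fails this constant-time comparison.
    return hmac.compare_digest(mac(secret, message), tag)
```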

Page 28

Secure Sockets

Security protocols, e.g. Secure Sockets Layer (SSL): encryption, authentication of messages, authentication of end-points (i.e. client and server).

[Figure: TCP/IP is designed to operate in layers: HTTP, Telnet, Gopher and FTP over SSL/PCT, over TCP, over IP.]

Page 29

SEC - Secure Electronic Commerce

Satisfy customer requirements for secure payment: consumers, merchants, banks, brands.

Enable electronic commerce applications.

Provide interoperability.

[Figure: Electronic payment: certification authority, cardholder, merchant, acquirer.]

Page 30

Viruses

Digital Code Signatures (Authenticode) provide accountability for Java applets and ActiveX Controls.

Issued by a Certificate Authority. Contents include: Certificate Authority name; certificate serial number; identity of subject (name/organization/address); public key of subject; validity timestamps. Signed by the C.A. private key. X.509 defines the standards.

Accountability -> TRUST

Page 31

Summary

Many facets; the biggest danger is internal.

Not implementing or fully understanding the available technologies.

Risk assessment; suitable response.

A process that must evolve.

Page 32

Advanced Resources

'ASP/MTS/ADSI Web Security', Richard Harrison, 1999, Prentice Hall

Latest Microsoft Security bulletins: http://www.microsoft.com/technet/security/current.asp

Microsoft IIS Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp

Apache Security Tips: http://httpd.apache.org/docs/misc/security_tips.html

Top Ten Security Issues: http://www.sans.org/topten.htm

How SSL works: http://developer.netscape.com/tech/security/ssl/howitworks.html

Secure Applications Using Microsoft Technologies: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Page 33

Alternatives - clients

Browsers: Microsoft Internet Explorer, Netscape Navigator, Mozilla etc.

Browser objects: Microsoft ActiveX, Java Applets.

Page 34

Alternatives - file systems

[Figure: Web Server, File System (Files, Programs), Server, DATA]

File Systems: Microsoft Windows 2000+; Unix (HP/UX, IBM AIX, Sun Solaris etc.); IBM AS/400 etc.

Page 35

Alternatives - web servers

[Figure: Web Server, File System (Files, Programs), Web Server, DATA]

Web Servers: Apache (Tomcat), Microsoft Internet Information Server, Oracle WebServer, Sun One etc.

Page 36

Alternatives - server extensions

[Figure: Web Server Mgt, File System (Files, Programs), Web Server, DATA]

Programs: Microsoft (.Net, ASP, ISAPI); Common Gateway Interface (C, Perl, Java etc.); PHP; Java Servlets; JSP.

Page 37

Alternative - files

Files contain: HTML, XML, .Net, ASP, JavaScript, JScript, VBScript, REXX, and any other scripting language (you can make up your own).

Page 38

Alternatives - data

Access data via: Microsoft (ADO.Net, ADO (Active Data Objects), RDS (Remote Data Services)); Java (JDBC, jConnect (Sybase)); database vendors' client tools (Microsoft SQL Server (db lib, odbc), Microsoft Access (DAO, OLE DB), Oracle (SQL*Net), Sybase (db lib), others).

Page 39

Alternatives - data access

Data: Microsoft (SQL Server, Access, any document via MAPI, OLE-DB, etc.); Oracle 6/7; Sybase; MySQL; Interbase; Informix; others.