Security System 1 - 14

Transcript of Security System 1 - 14

  • 8/14/2019 Security System 1 - 14

    #14. Securing Internet Connections

    AGENDA

    Understanding Infrastructure Security

    Introduction

    The Internet is perhaps the area of largest growth for networks. The Internet is a worldwide network that offers the capability of instantaneous connections between networks, no matter where they're located.

    The technology started as a research project funded by the Department of Defense and has grown at an enormous rate. Within a few years, virtually every computer in the world is expected to be connected to the Internet. This situation creates a security nightmare and is one of the primary reasons the demand for professionals trained in information and computer security is expected to grow exponentially.

    Working with Ports and Sockets

    As we've already discussed, the primary method of connection between systems using the Internet is the TCP/IP protocol. This protocol establishes connections and circuits using a combination of the IP address and a port. A port is an interface that is used to connect to a device. Sockets are a combination of the IP address and the port. For example, if you attempt to connect to a remote system with the IP address 192.168.0.100, which is running a website, you'll use port 80 by default. The combination of these two elements gives you a socket. The full address and socket description would then be 192.168.0.100:80.

    IP is used to route the information from one host to another through a network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network. Figure 3.15 illustrates the key components of a TCP packet requesting the home page of a website. The data will be returned from the website to port 1024 on the originating host.

    The source port is the port that is addressed on the destination. The destination port is the port to which the data is sent. In the case of a web application, the data for port addresses would both contain 80. A number of the fields in this packet are used by TCP for verification and integrity, and you need not be concerned with them at this time.

    However, the data field contains the value Get /. This value requests the home or starting page from the web server. In essence, this command or process requested the home page of the site 192.168.0.100 port 80. The data is formed into another data packet that is passed down to IP and sent back to the originating system on port 1024.
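    The request to 192.168.0.100:80 and the reply to port 1024 described above, rebuilt as raw TCP segments and parsed back into sockets. This is an added example, not part of the original slides; the client address 192.168.0.50, the sequence numbers and the payloads are constructed for illustration.

```python
import struct

# Fixed 20-byte TCP header (no options), network byte order:
# src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
TCP_HEADER = struct.Struct("!HHIIBBHHH")
PSH_ACK = 0x18  # PSH and ACK flag bits, typical for a segment carrying data

def build_segment(src_port, dst_port, seq, ack, payload=b""):
    """Build a demo TCP segment; the checksum is left at 0 for simplicity."""
    data_offset = 5 << 4  # header length of five 32-bit words, upper nibble
    header = TCP_HEADER.pack(src_port, dst_port, seq, ack,
                             data_offset, PSH_ACK, 65535, 0, 0)
    return header + payload

def parse_segment(segment):
    """Extract ports and payload, rejecting truncated or malformed headers."""
    if len(segment) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset, flags, _win, _sum, _urg = \
        TCP_HEADER.unpack_from(segment)
    header_len = (offset >> 4) * 4
    if header_len < TCP_HEADER.size or header_len > len(segment):
        raise ValueError("invalid data offset")
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[header_len:]}

def socket_pair(src_ip, dst_ip, parsed):
    """Render both endpoints of a segment as IP:port sockets."""
    return f"{src_ip}:{parsed['src_port']}", f"{dst_ip}:{parsed['dst_port']}"

# Constructed sample traffic. 192.168.0.100:80 and client port 1024 come from
# the slides; the client address 192.168.0.50 is an assumption.
CLIENT_IP, SERVER_IP = "192.168.0.50", "192.168.0.100"
GET = b"GET / HTTP/1.0\r\n\r\n"
request = build_segment(1024, 80, seq=1000, ack=5000, payload=GET)
reply = build_segment(80, 1024, seq=5000, ack=1000 + len(GET),
                      payload=b"HTTP/1.0 200 OK\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for src_ip, dst_ip, raw in ((CLIENT_IP, SERVER_IP, request),
                                (SERVER_IP, CLIENT_IP, reply)):
        seg = parse_segment(raw)
        src, dst = socket_pair(src_ip, dst_ip, seg)
        print(f"{src} -> {dst}  {seg['payload'][:15]!r}")
```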

    The connections to most services using TCP/IP are based on this port model. Many of the ports are well documented, and the protocols to communicate with them are well known. If a vendor has a technological weakness or implements security poorly, the vulnerability will become known and exploited in a short time.

    Working with E-Mail

    E-mail is one of the most popular applications in use on the Internet. Several good e-mail servers and clients are available. Figure 3.16 demonstrates the process of transferring an e-mail message.

    Simple Mail Transport Protocol

    Simple Mail Transport Protocol (SMTP) is a mail delivery protocol that is used to send e-mail between an e-mail client and an e-mail server as well as between e-mail servers. Messages are moved from client to server to client via the Internet.

    Each e-mail message can take a different path from the client to the server. In the case of Figure 3.16, the clients are on two different e-mail servers; they could both be on the same server, and the process would appear transparent to the user. SMTP uses port 25 and TCP for connections.

    Post Office Protocol

    Post Office Protocol (POP) is a newer protocol that relies on SMTP for message transfer to receive e-mail. POP provides a message store that can be used to store and forward messages. If a server isn't operating, the originating server can store a message and try to resend it later. POP3 uses port 110. The POP protocol uses TCP for connections.

    Internet Message Access Protocol

    Internet Message Access Protocol (IMAP) is the newest player in the e-mail field, and it's rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. However, it has much more functionality

    IMAP allows messages to be stored on an e-mail server instead of being downloaded to the client. It also allows messages to be downloaded based on search criteria. Many IMAP implementations also allow connections using web browsers. The current version of IMAP (IMAP 4) uses port 143 and TCP for connections.

    Working with the Web

    When two hosts communicate across the Web, data is returned from the host using Hypertext Markup Language (HTML). HTML is nothing more than a coding scheme to allow text and pictures to be presented in a specific way in a web browser. HTML can be created any number of ways, including via manual coding and in graphical design programs.

    HTML files are read, interpreted by your browser, and displayed on your system. If you want to see what HTML looks like, you can set your browser to view source code; you'll see things similar to word-processor coding for virtually every characteristic of the web page you're viewing.

    Websites are collections of these pages, which are called into your browser when you click a link or scroll through the pages. Most developers want more than the ability to display pages and pages of colored text on your computer. To make creative and sophisticated websites possible, web browsers have become more complicated, as have web servers. Current browsers include audio, visuals, animations, live chats, and almost any other feature you can imagine.

    This ability to deliver content over the Web is accomplished in one of several ways. The most common approach involves installing applications that talk through the server to your browser. The applications require additional ports to be opened through your firewall and routers. Unfortunately, doing so inherently creates security vulnerabilities.

    Secure Sockets Layer and Transport Layer Security

    Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two common protocols used to convey information between a web client and a server. The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme.

    TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections.

    HTTP/S

    HTTP Secure (HTTP/S) is a protocol that is used for secure connections between two systems that use the Web. It protects the connection, and all traffic between the two systems is encrypted. HTTP/S uses SSL or TLS for connection security, and it uses port 443 and TCP for connections.

    Vulnerabilities of Web Add-ins

    The growth of the Web and demands from users for more features has spurred the creation of a new set of vulnerabilities that must be evaluated and managed. Increasingly, web browsers and other web-enabled technologies allow servers to send instructions to the client to provide multimedia and other capabilities. This is creating a problem for security professionals because these protocols offer potential weaknesses.

    ActiveX

    ActiveX is a technology that was implemented by Microsoft to customize controls, icons, and other features, which increases the usability of web-enabled systems. ActiveX runs on the client. It uses a method called Authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server.

    ActiveX components are downloaded to the client hard disk, potentially allowing additional security breaches. Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don't understand these confirmation messages when they appear, and they automatically accept the components.

    Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system.

    Buffer Overflows

    Buffer overflows occur when an application receives more data than it's programmed to accept. This situation can cause an application to terminate or to write data beyond the end of the allocated space. Termination may leave the system sending the data with temporary access to privileged levels in the attacked system, while overwriting can cause important data to be lost. This exploitation is usually a result of a programming error in the development of the software.

    Common Gateway Interface

    Common Gateway Interface (CGI) is an older form of scripting that was used extensively in early web systems. CGI scripts were used to capture data from a user using simple forms.

    Cookies

    Cookies are text files that a browser maintains on the user's hard disk in order to provide a persistent, customized web experience for each visit. A cookie typically contains information about the user.

    For example, a cookie can contain a client's history to improve customer service. If a bookstore wants to know your buying habits and what types of books you last viewed at its site, it can load this information into a cookie on your system. The next time you return to that store, the server can read your cookie and customize what it presents to you.

    Cookies can also be used to time-stamp a user to limit access. A financial institution may send your browser a cookie once you've authenticated. The server can read the cookie to determine when a session is expired.
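    One way a server can time-stamp a session cookie and later decide whether it has expired, without trusting a value the client is able to edit. This is an added example, not part of the original slides; the cookie name, the secret, the 15-minute lifetime and the `user|issued|mac` layout are assumptions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: a random server-side secret in practice
MAX_AGE = 900                     # assumption: sessions expire after 15 minutes

def sign(value):
    """Keyed MAC over the cookie body so client-side edits are detectable."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now):
    """Return a Set-Cookie value carrying the user, the issue time and a MAC."""
    # Assumes user names never contain the '|' separator.
    body = f"{user}|{int(now)}"
    cookie = SimpleCookie()
    cookie["session"] = f"{body}|{sign(body)}"
    cookie["session"]["secure"] = True       # only sent over HTTPS
    cookie["session"]["httponly"] = True     # not readable by page scripts
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["max-age"] = MAX_AGE
    return cookie["session"].OutputString()

def check_cookie(cookie_header, now):
    """Return the user if the cookie is authentic and unexpired, else None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    parts = jar["session"].value.split("|")
    if len(parts) != 3:
        return None
    user, issued, mac = parts
    expected = sign(f"{user}|{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # user name or time stamp was altered on the client
    if not issued.isdigit() or now - int(issued) > MAX_AGE:
        return None  # session expired; the browser's own Max-Age is not trusted
    return user

if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed time stamp
    sent = issue_cookie("usera", issued_at).split(";")[0]  # what the browser sends back
    print(check_cookie(sent, issued_at + 60))     # usera
    print(check_cookie(sent, issued_at + 1_000))  # None
```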

    Obviously, cookies are considered a risk because they have the potential to contain your personal information, which could get into the wrong hands. If security is your utmost concern, the best protection is to not allow cookies to be accepted. Almost every browser offers the option of enabling or disabling cookies. If you enable them, you can usually choose whether to accept/reject all or only those from an originating server.

    Cross-site scripting (XSS)

    Using a client-side scripting language, it is possible for a ne'er-do-well to trick a user into visiting their site and having code then execute locally. When this is done, it is known as cross-site scripting. As an example, UserA may get a message telling him that he needs to make changes to his XYZ account, but the link in the message is not really to the XYZ site (a phishing ploy).

    When he clicks on the link, a JavaScript routine begins to run on his machine. Since the script is running on UserA's system, it has his permissions and can begin doing such things as running malevolent routines to send/delete/alter data. The best protection against cross-site scripting is to disable the running of scripts.

    Input Validation

    Anytime a user must supply values in a session, validation of the data entered should be done. Many vendors, however, have fallen prey to input validation vulnerabilities within their code. In some instances, empty values have been accepted, while others have allowed privilege escalation if certain backdoor passwords were used.

    The best protection against input validation vulnerabilities is for developers to follow best practices and always validate all values entered. As an administrator, when you learn of an input validation vulnerability with any application on your system, you should immediately stop using it until a patch has been released and installed.
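    A server-side validator that rejects the empty values mentioned above, along with missing fields, unexpected fields and anything outside an allow-list format. This is an added example, not part of the original slides; the field names and patterns form a hypothetical schema.

```python
import re
import unicodedata

# Hypothetical form schema for this example: field -> (allow-list pattern, max length)
SCHEMA = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,31}"), 32),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"), 254),
    "quantity": (re.compile(r"[1-9][0-9]{0,2}"), 3),
}

def validate_form(form):
    """Return (clean_values, errors); proceed only when errors is empty."""
    clean, errors = {}, {}
    # Fields the form never defined (for example an injected "role") are refused.
    for name in form.keys() - SCHEMA.keys():
        errors[name] = "unexpected field"
    for name, (pattern, max_len) in SCHEMA.items():
        raw = form.get(name)
        if not isinstance(raw, str):
            errors[name] = "missing"
            continue
        # Normalize look-alike Unicode forms before matching, then trim.
        value = unicodedata.normalize("NFKC", raw).strip()
        if not value:
            errors[name] = "empty"  # whitespace-only counts as empty
        elif len(value) > max_len:
            errors[name] = "too long"
        elif not pattern.fullmatch(value):  # the whole value must match
            errors[name] = "not in allowed format"
        else:
            clean[name] = value
    return clean, errors

if __name__ == "__main__":
    # Constructed submissions: one well-formed, one with an empty value,
    # an out-of-range quantity and an extra field.
    good = {"username": "alice_01", "email": "alice@example.com", "quantity": "3"}
    bad = {"username": "   ", "email": "alice@example.com",
           "quantity": "0", "role": "admin"}
    print(validate_form(good))
    print(validate_form(bad))
```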