Post on 19-Dec-2015
Internet Security - Advanced
Advanced Security Concepts
Detailed look at the types of attacks
Advanced Explanation of Solutions and Technologies
Types of Attack (STRIDE)
Spoofing: attempting to gain access to a system by using a false identity
Tampering: the unauthorized modification of data
Repudiation: the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions
Information disclosure: the unwanted exposure of private data
Denial of service: the process of making a system or application unavailable
Elevation of privilege: occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application
Microsoft Guide
Category: Guidelines
Input Validation: Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.
Authentication: Partition site by anonymous, identified, and authenticated area. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.
Authorization: Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
Configuration Management: Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.
Sensitive Data: Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP-GET protocol.
Session Management: Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.
Cryptography: Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.
Parameter Manipulation: Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.
Exception Management: Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.
Auditing and Logging: Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.
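A server-side validator that applies the Input Validation and Parameter Manipulation rows above (constrain, reject, validate type/length/format/range, canonicalize before checking, trust nothing the client can change). This is an added example, not code from the deck or from Microsoft's guide; the order-form fields, the regular expressions, the upload directory /srv/app/uploads and the function names are all assumptions made for the illustration.

```python
import os
import re
from dataclasses import dataclass

# Constructed rules for a hypothetical order form. Allow-lists, not deny-lists.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")   # type + format + length (3-16 chars)
QUANTITY_RE = re.compile(r"[0-9]{1,4}")              # ASCII digits only; int() is looser
QUANTITY_RANGE = (1, 1000)
UPLOAD_ROOT = os.path.realpath("/srv/app/uploads")   # assumed location; need not exist


@dataclass(frozen=True)
class Order:
    username: str
    quantity: int
    attachment: str   # canonical absolute path inside UPLOAD_ROOT


def _canonical_upload_path(raw: str):
    """Canonicalise BEFORE checking: '..', leading '/', symlinks and repeated
    separators are all collapsed by realpath, and only then is containment tested."""
    full = os.path.realpath(os.path.join(UPLOAD_ROOT, raw))
    if full == UPLOAD_ROOT or os.path.commonpath([full, UPLOAD_ROOT]) != UPLOAD_ROOT:
        return None
    return full


def validate_order(form: dict) -> tuple:
    """Return (Order, []) on success or (None, [error, ...]).
    Rejects rather than repairs, and treats every field as untrusted
    whatever the browser-side script already checked."""
    errors = []

    username = form.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors.append("username: must be 3-16 chars of [a-z0-9_], starting with a letter")

    quantity = form.get("quantity")
    qty = None
    if not isinstance(quantity, str) or not QUANTITY_RE.fullmatch(quantity):
        errors.append("quantity: must be 1-4 ASCII digits")
    else:
        qty = int(quantity)
        if not QUANTITY_RANGE[0] <= qty <= QUANTITY_RANGE[1]:
            errors.append("quantity: out of range 1-1000")

    attachment = form.get("attachment")
    path = None
    if not isinstance(attachment, str) or not 0 < len(attachment) <= 255:
        errors.append("attachment: missing or too long")
    else:
        path = _canonical_upload_path(attachment)
        if path is None:
            errors.append("attachment: path is not inside the upload area")

    if errors:
        return None, errors
    return Order(username, qty, path), []
```

The quantity check deliberately uses an ASCII regular expression rather than int(), which also accepts non-ASCII decimal digits and surrounding whitespace; the path check resolves the full path first and only then tests containment, which is the order that canonicalization issues demand.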
FBI Guide
Best practices for enterprise network security management (A.C.T.I.O.N.S.)
Authentication: Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts.
Configuration management: Plan enterprise architecture and deployment with security in mind. Manage configurations to know exactly what hardware, operating systems and software are in use, including specific versions and patches applied; create robust access and software change controls; segregate responsibilities; implement best practices; and do not use default security settings.
Training: Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security.
Incident response: Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement.
Organization network: Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge.
Network management: Create a regular process to assess, remediate, and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts.
Smart procurement: Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than “bolting it on” after the fact.
Source: President's Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace
The Technological Solutions
Access controls: Software (e.g. Challenge/Response); Hardware (e.g. Firewalls, VPNs)
Cryptography: Encryption (e.g. private/public keys); Digital certificates (e.g. SSL)
The technologies
SSL (Secure Socket Layer): the SSL protocol is widely used to protect communications to and from the World Wide Web. Originally developed by Netscape Communications Corporation, SSL is built into most browsers and Web servers to provide data encryption, server authentication, message integrity, and optional client authentication.
The technologies
Firewalls: Firewalls provide a perimeter defense to guard a network or its nodes against unauthorized users.
VPNs (Virtual Private Networks): VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users far beyond the reach of private networks. Encrypted VPNs carry the private network traffic on a logical connection—a secure, encrypted "tunnel" over a public network.
Point-to-Point Tunnelling
[Diagram: Virtual Private Network via PPTP. Encrypted TCP/IP packets travel through a tunnel across the Internet, pass the firewall, and terminate at a Windows NT Server running RAS on the corporate LAN, which performs domain authentication.]
The technologies
Windows Challenge/Response
Does not send a password across the network
Uses the Internet standard MD4 hashing algorithm to produce a 16-byte (128-bit) hash
Impossible (theoretically) to take both the hash and the algorithm and mathematically reverse the process to determine the password
The password serves as a "private key"
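A minimal challenge/response exchange of the kind the slide describes, as an added example (not the deck's or Windows' own code). It assumes a constructed user table, substitutes SHA-256 for MD4 (MD4 is collision-broken and often absent from modern OpenSSL builds; the shape of the protocol is unchanged), and uses HMAC to key the digest with the password hash. The password itself never crosses the wire; the defensive consequence of "the password serves as a private key" is that the stored hash has to be protected exactly as a password would be, because whoever holds it can answer the challenge.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """The stored secret: a hash of the password, never the password.
    SHA-256 stands in for the slide's MD4 (assumption for this example)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed server-side user table.
STORED = {"alice": password_hash("correct horse battery staple")}


def new_challenge() -> bytes:
    """Server step 1: a fresh random nonce, so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client step: the password hash acts as the 'private key'. Only the keyed
    digest of the challenge travels over the network."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def server_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """Server step 2: recompute from the stored hash and compare in constant time."""
    key = STORED.get(user)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def what_the_wire_sees(user: str, password: str) -> dict:
    """One full round trip, returning exactly the bytes an eavesdropper would capture."""
    challenge = new_challenge()
    response = client_response(password, challenge)
    return {"user": user, "challenge": challenge, "response": response,
            "accepted": server_verify(user, challenge, response)}
```

Because every login uses a new challenge, a response captured from the wire is useless against the next one; the detection and mitigation focus therefore shifts to the store of hashes, which is why the Microsoft guide above says to salt them and keep credentials out of plaintext.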
Server security
Windows Server software has strong levels of security - C2
Web service restricted to specified virtual roots, e.g. WWWROOT
IP filtering, e.g. port 80 only
WWW Authentication: Anonymous; Basic Authentication; Challenge & Response
Access rights (now Active Directory) by user, by file, by directory (now object)
Configuration of the server is key; for security tips on server configuration, see the resources at the end
Holes are always being found in server software, so keep an eye on updates
Cryptography
Ancient mathematical science
Algorithm strength
Key length
USA export restrictions
Key management: how do you keep keys secret on a huge global scale?
Factoring
Factoring a number means finding its prime factors
10 = 2 x 5
60 = 2 x 2 x 3 x 5
252601 = 41 x 61 x 101
2^113 - 1 = 3391 x 23279 x 65993 x 1868569 x 1066818132868207
"… around 40 quadrillion years to factor a 125-digit number" - Ron Rivest (1977)
In 1994, a 129-digit number was factored
Evolution
Factoring the 129-digit number in 1994 required 5000 MIPS-years and used the idle time on 1600 computers around the world over an eight-month period
All predictions are out of date once they are made!
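The point of the two factoring slides, that the security of public-key systems rests on factoring being hard, as a runnable added example (not from the deck): a Miller-Rabin primality test plus Pollard's rho factoring method, both standard textbook algorithms, applied to the numbers on the slide. The random seed and the function names are my choices. It reproduces the five prime factors of 2^113 - 1 in a fraction of a second because the smallest factors are tiny; rho's cost grows with the square root of the smallest prime factor, so the same code would never finish on a 129-digit modulus whose two factors each have around 64 digits, which is why the 1994 effort needed a different algorithm and 5000 MIPS-years.

```python
import math
import random

_rng = random.Random(2015)          # fixed seed so runs are repeatable
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve primes as bases: deterministic for
    n < 3.3e24 and with negligible error probability beyond that."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:               # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True


def pollard_rho(n: int) -> int:
    """A non-trivial factor of composite odd n, found by Floyd cycle detection
    on the sequence x -> x^2 + c (mod n)."""
    while True:
        c = _rng.randrange(1, n)
        x = y = _rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n     # y runs twice as fast as x
            d = math.gcd(abs(x - y), n)
        if d != n:                  # d == n means this c failed; pick another
            return d


def factor(n: int) -> list:
    """Prime factors of n in non-decreasing order, with multiplicity."""
    if n < 2:
        return []
    for p in SMALL_PRIMES:          # strip tiny factors; also leaves n odd for rho
        if n % p == 0:
            return [p] + factor(n // p)
    if is_probable_prime(n):
        return [n]
    d = pollard_rho(n)              # d may itself be composite; recurse on both parts
    return sorted(factor(d) + factor(n // d))
```

The slide's "2113 - 1" is 2^113 - 1, and the block recovers exactly the five factors listed there; is_probable_prime on the largest of them returns True, which is what stops the recursion.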
Symmetric Cryptography
[Diagram: clear-text input “One man went to mow, went to mow a meadow” → Encryption → cipher-text “jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg” → Decryption → clear-text output “One man went to mow, went to mow a meadow”.]
The same key is used for both Encryption and Decryption
Asymmetric Cryptography
[Diagram: clear-text input “One man went to mow, went to mow a meadow” → Encryption with the receiver's public key → cipher-text “jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg” → Decryption with the receiver's private key → clear-text output “One man went to mow, went to mow a meadow”.]
Digital Signatures
[Diagram: Document → HASH → message digest → Encrypt with private key → digital signature. The signed document is the document plus the digital signature.]
Certificate Authorities
Trusted third parties
Certificate contents include:
Certificate Authority name
Certificate serial number
Identity of subject: name/organization/address
Public key of subject
Validity timestamps
Signed by Certificate Authority’s private key
X.509 defines the standards
Secure Channels (SSL/SET)
Certification Authority (e.g. Verisign/Thawte): creates the certificate; verifies the certificate owner
Provides: client authentication; server authentication; encryption; non-repudiation; data integrity; message authentication
Stops: imposters; spies; vandals
Secure Channels - authentication
Suppose Alice wants to verify Bob:
A → B: ”hello, I’m Alice” + random
B → A: “hello, I’m Bob” + [Bob's Certificate]
Alice examines the certificate using the CA public key, checks the user is Bob and retrieves Bob’s public key
A → B: “prove it”
B → A: random2 + { digest [random2] } B_private_key   (a digital signature)
Alice can verify the user is Bob by using Bob’s public key and checking for a match.
Secure Channels - authentication
A bad guy Klone could do:
A → K: ”hello, I’m Alice” + random
K → A: “hello, I’m Bob” + [Bob's Certificate]
A → K: “prove it”
K → A: ????
Klone does not have Bob’s private key and so cannot construct a message that Alice will believe
Secure Channels - encryption
Alice can now send a message that only Bob can decipher
A → B: {Secret_Key} B_public_key
Both sides now know the Secret key and can use a symmetric cryptographic algorithm for future transmissions
A → B: {message X} Secret_Key
B → A: {message Y} Secret_Key
Lots of debate about how long a secret key should be in order to be effective.
Secure Channels - message auth.
A bad guy Sniffer could do (S sees every message between Alice and Bob):
A → B (via S): ”hello, I’m Alice” + random
B → A (via S): “hello, I’m Bob” + [Bob's Certificate]
A → B (via S): “prove it”
B → A (via S): random2 + { digest [random2] } B_private_key
A → B (via S): {Secret_Key} B_public_key
S → B: {message X} Secret_Key
S → A: Garbled message
Sniffer is unlikely to produce a valid message - but he might get lucky!!! Alice is trusting Bob so would act upon the message
Secure Channels - message auth.
MAC := digest[message, secret]
Message Authentication Code (MAC): calculated using a digest algorithm on the message (or part of it) and the secret
Sniffer does not know the secret: cannot compute the right value; the chance of guessing is remote
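The three Secure Channels exchanges above (authentication, encryption, message authentication) as one runnable example. This is added code, not from the original deck: it uses textbook RSA with two constructed seven-digit primes and a 32-bit truncated SHA-256 digest so the arithmetic stays small (a real certificate key is thousands of bits and is never used this bare way), a SHA-256 keystream as the stand-in symmetric algorithm, and HMAC-SHA256 for the slide's digest[message, secret]. Bob's certificate check is assumed already done, and the function names, the Klone signing key (N, 3) and the message text are invented for the demonstration. It shows Klone's forged signature failing Alice's check, the secret key reaching only Bob, and the Sniffer's garbled message being rejected by the MAC instead of acted upon.

```python
import hashlib
import hmac
import secrets

# --- Toy RSA (constructed tiny primes; illustration only) --------------------
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
BOB_PUBLIC = (N, E)
BOB_PRIVATE = (N, D)
KLONE_PRIVATE = (N, 3)        # Klone does not have Bob's d; this is his best guess


def digest(data: bytes) -> int:
    """Hash, truncated to 32 bits so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def sign(private, data: bytes) -> int:
    """'Encrypt the digest with the private key' (Digital Signatures slide)."""
    n, d = private
    return pow(digest(data), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


# --- Symmetric part -----------------------------------------------------------
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. The same
    call encrypts and decrypts (Symmetric Cryptography slide)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def mac(key: bytes, message: bytes) -> bytes:
    """MAC := digest[message, secret], realised here as HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).digest()


# --- The handshake --------------------------------------------------------------
def authenticate(prover_private) -> bool:
    """Alice's 'prove it': the prover must sign a fresh random2."""
    random2 = secrets.token_bytes(16)
    sig = sign(prover_private, random2)     # only the real Bob can do this step
    return verify(BOB_PUBLIC, random2, sig)


def run_session(prover_private, tamper: bool) -> tuple:
    """Return (prover_authenticated, mac_ok, plaintext_bob_sees)."""
    if not authenticate(prover_private):
        return False, None, None
    # Alice picks the secret key and sends it under Bob's public key.
    secret_int = secrets.randbelow(N - 1) + 1
    alice_secret = secret_int.to_bytes(8, "big")
    bob_secret = rsa_decrypt(BOB_PRIVATE, rsa_encrypt(BOB_PUBLIC, secret_int)).to_bytes(8, "big")
    # Alice sends message X, encrypted then MACed.
    message = b"transfer 10 pounds to Bob"      # constructed message text
    ct = keystream_xor(alice_secret, message)
    tag = mac(alice_secret, ct)
    if tamper:                                  # Sniffer flips bits in transit
        ct = bytes([ct[0] ^ 0xFF]) + ct[1:]
    mac_ok = hmac.compare_digest(tag, mac(bob_secret, ct))
    return True, mac_ok, keystream_xor(bob_secret, ct)
```

Bob checks the MAC before looking at the plaintext, with a constant-time comparison, so a garbled message is discarded rather than trusted on the strength of the earlier authentication; in a real stack every piece above is replaced by the TLS library, but the ordering of the steps is the slide's.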
Secure Sockets
Security protocols, e.g. Secure Sockets Layer (SSL): encryption; authentication of messages; authentication of end-points, i.e. client and server
[Diagram: protocol stack - HTTP, Telnet, Gopher, FTP over SSL/PCT over TCP over IP.]
TCP/IP - designed to operate in layers
SEC - Secure Electronic Commerce
Satisfy customer requirements for secure payment: consumers; merchants; banks; brands
Enable electronic commerce applications
Provide interoperability
[Diagram: Electronic payment - certification authority, cardholder, merchant, acquirer.]
Viruses
Digital Code Signatures (Authenticode): provides accountability for Java applets and ActiveX Controls
Issued by a Certificate Authority. Contents include:
Certificate Authority name
Certificate serial number
Identity of subject: name/organization/address
Public key of subject
Validity timestamps
Signed by C.A. private key
X.509 defines the standards
Accountability
TRUST
Summary
Many facets; the biggest danger is internal
Not implementing or fully understanding the available technologies
Risk assessment; suitable response
Process that must evolve
Advanced Resources
‘ASP/MTS/ADSI Web Security’, Richard Harrison, 1999, Prentice Hall
Latest Microsoft Security bulletins http://www.microsoft.com/technet/security/current.asp
Microsoft IIS Security Checklist http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp
Apache Security Tips http://httpd.apache.org/docs/misc/security_tips.html
Top Ten Security Issues http://www.sans.org/topten.htm
How SSL works http://developer.netscape.com/tech/security/ssl/howitworks.html
Secure Applications Using Microsoft Technologies http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
Alternatives - clients
Browsers: Microsoft Internet Explorer; Netscape Navigator; Mozilla; etc.
Browser Objects: Microsoft ActiveX; Java Applets
[Diagram, repeated on each of the following "Alternatives" slides: Web Server, File System, Files, Programs, Server, DATA, with the layer under discussion highlighted.]
Alternatives - file systems
File Systems: Microsoft Windows 2000+; Unix (HP/UX, IBM AIX, Sun Solaris, etc.); IBM AS/400; etc.
Alternatives - web servers
Web Servers: Apache (Tomcat); Microsoft Internet Information Server; Oracle WebServer; Sun One; etc.
Alternatives - server extensions
Programs: Microsoft (.Net, ASP, ISAPI); Common Gateway Interface (C, Perl, Java, etc.); PHP; Java Servlets; JSP
Alternative - files
Files contain: HTML, XML, .Net, ASP, Javascript, Jscript, VBScript, REXX, and any other scripting language (you can make up your own)
Alternatives - data
Access data via: Microsoft (ADO.Net; ADO (Active Data Objects); RDS (Remote Data Services)); Java (JDBC; Jconnect (Sybase)); database vendors’ client tools (Microsoft SQL Server (db lib, odbc); Microsoft Access (DAO, OLE DB); Oracle (SQL*Net); Sybase (db lib); others)
Alternatives - data access
Data: Microsoft (SQL Server; Access; any document via MAPI, OLE-DB, etc.); Oracle 6/7; Sybase; MySQL; Interbase; Informix; others