
CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)

Date post: 18-Jan-2016
Upload: clara-ward
Page 1: CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)

CITA 310 Section 9

Securing the Web Environment

(Textbook Chapter 10)

Page 2

Identifying Threats and Vulnerabilities

- Focus is on threats from the Internet
- Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data
  - Data can be credit card numbers, user names and passwords, other personal data
- Information can be gathered while it is being transmitted
- Often, operating system flaws can assist the hacker

Page 3

Examining TCP/IP

- Hackers often take advantage of the intricacy of TCP/IP
- The following are parts of the IP header most relevant to security
  - Source address
  - Destination address
  - Packet identification, flags, fragment offset
  - Total length
  - Protocol – TCP, UDP, ICMP

Page 4

TCP-Delivering Data to Applications

- Important header fields
  - Source and destination ports
  - Sequence number, data offset
  - Flags, such as SYN, ACK, FIN
- Establishing a TCP connection

Page 5

Vulnerabilities of DNS

- Historically DNS has had security problems
- BIND is the most common implementation of DNS and some older versions had serious bugs
- BIND 9, the current version, has been more secure

Page 6

Vulnerabilities in Operating Systems

- Operating systems are large and complex, which means that there are more opportunities for attack
- Although Windows has had its share of problems, inattentive administrators often fail to implement patches when available
- Some attacks, such as buffer overruns, can allow the attacker to take over the computer

Page 7

Vulnerabilities in Web Servers

- Static HTML pages pose virtually no problem
- Programming environments and databases add complexity that a hacker can exploit
- Programmers often do not have time to focus on security

Page 8

Vulnerabilities of E-mail Servers

- By design, e-mail servers are open
- E-mail servers can be harmed by a series of very large e-mail messages
- Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
- Viruses can be sent to e-mail users
- Retrieving e-mail over the Internet often involves sending your user name and password as clear text

Page 9

Securing Data Transmission

- To secure data on a network that is accessible to others, you need to encrypt the data
- SSL is the most common method of encrypting data between a browser and Web server
- Secure Shell (SSH) is a secure replacement for Telnet

Page 10

Secure Sockets Layer (SSL)

- A digital certificate issued by a certification authority (CA) identifies an organization
- The public key infrastructure (PKI) defines the system of CAs and certificates
- Public key cryptography depends on two keys
  - A public key is shared with everyone
  - The public key can be used to encrypt data
  - Only the owner of the public key has the corresponding private key which is needed to decrypt the data
- Upgraded to TLS!

Page 11

Establishing an SSL Connection

Page 12

Using SSH for Tunneling

- Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH
- To set up tunneling
  - Configure the SSH client so the local port is a port between 1024 and 65535
  - Configure the SSH client to connect to POP3 port 110
  - Log in to the SSH client
  - Direct the e-mail client to the local port and log in to the e-mail server

Page 13

Securing the Operating System

- Use the server for only necessary tasks
- Minimize user accounts
- Disable services that are not needed
- Make sure that you have a secure password
  - In addition to using upper case, lower case, numbers and symbols, hold down the ALT key and type a number (on the numeric keypad) from 1 to 255
  - Check a table of ALT values to avoid common characters
  - The use of the ALT key will thwart most hackers

Page 14

Securing Windows

- There are many services that are not needed in Windows for most Internet-based server applications
- Also, the registry can be used to alter the configuration to make it more secure, such as disabling short file names

Page 15

Securing E-mail

- You have already seen the ability to tunnel POP3, which would prevent data from being seen
- To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox

Page 16

Securing the Web Server

- Enable the minimum features
  - If you don't need a programming language, do not enable it
- Make sure programmers understand security issues
- Implement SSL where appropriate

Page 17

Securing the Web Server: Apache Directories

- You can restrict access to directories by using "Allow" and "Deny"
- The following only allows computers with the two IP addresses to access the directory

<Directory htdocs/reports>
    Order Allow,Deny
    Allow from 10.10.10.5 192.168.0.3
</Directory>

Page 18

Order Directive

- The Order directive, along with the Allow and Deny directives, controls a three-pass access control system.
- The first pass processes either all Allow or all Deny directives, as specified by the Order directive.
- The second pass parses the rest of the directives (Deny or Allow).
- The third pass applies to all requests which do not match either of the first two.

Page 19

Allow,Deny

- First, all Allow directives are evaluated; at least one must match, or the request is rejected.
- Next, all Deny directives are evaluated. If any matches, the request is rejected.
- Last, any requests which do not match an Allow or a Deny directive are denied by default.

Page 20

Deny,Allow

- First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive.
- Any requests which do not match any Allow or Deny directives are permitted.
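
The two Order modes described above, as an added Python model (not Apache's code and not part of the original slides): it evaluates a client address against Allow and Deny lists under each mode. The 192.168.0.0/24 and 192.168.0.66 lists are constructed for the comparison, and only `all`, single addresses and CIDR networks are handled.

```python
import ipaddress


def _matches(client, specs):
    """True if the client IP matches any spec: 'all', one address, or a CIDR network."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def evaluate(order, allow, deny, client):
    """Return True if the request is permitted under the given Order mode."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    mode = order.replace(" ", "").lower()
    if mode == "allow,deny":
        # Needs an Allow match; any Deny match rejects; no match is denied.
        return allowed and not denied
    if mode == "deny,allow":
        # A Deny match rejects unless an Allow also matches; no match is permitted.
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order!r}")


def reports_access(client):
    """The slide's htdocs/reports block: Order Allow,Deny with two Allow addresses."""
    return evaluate("Allow,Deny", ["10.10.10.5", "192.168.0.3"], [], client)


# Constructed lists: identical in both runs, only the Order value differs.
ALLOW = ["192.168.0.0/24"]
DENY = ["192.168.0.66"]


def compare(client):
    """(result under Allow,Deny, result under Deny,Allow) for one client."""
    return (evaluate("Allow,Deny", ALLOW, DENY, client),
            evaluate("Deny,Allow", ALLOW, DENY, client))


if __name__ == "__main__":
    for client in ("192.168.0.3", "192.168.0.66", "203.0.113.9"):
        print(client, compare(client))
```

With the same lists, a client matching both directives and a client matching neither are rejected under Allow,Deny but admitted under Deny,Allow, which is why the Order value needs review whenever a block is copied.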

Page 21

Authenticating Web Users

- Both Apache and IIS use HTTP to enable authentication
  - HTTP tries to access a protected directory and fails
  - Then it requests authentication from the user in a dialog box
  - Accesses directory with user information
- Can be used in conjunction with SSL

Page 22

HTTP Authentication Methods

- Basic access authentication
- Digest access authentication

Page 23

Configuring User Authentication in IIS

- Four types of authenticated access
  - Windows integrated authentication
    - Most secure – requires IE
  - Digest authentication for Windows domain servers
    - Works with proxy servers
    - Requires Active Directory and IE
  - Basic authentication
    - User name and password in clear text
    - Works with IE, Netscape, and others
  - Passport authentication
    - Centralized form of authentication
    - Only available on Windows Server 2003+
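
What "user name and password in clear text" means on the wire, as an added Python example that is not part of the original slides: a Basic header is only base64 and can be reversed by anyone who sees it, while a Digest response (RFC 2617, qop=auth) is an MD5 hash tied to the server's nonce. The user and password are the sample values from the htpasswd slide; the realm, URI and nonces are constructed.

```python
import base64
import hashlib


def basic_header(user, password):
    """Authorization header value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def read_basic(header):
    """Recover (user, password) from a Basic header; no key or secret is needed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 Digest response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # secret-dependent part
    ha2 = _md5(f"{method}:{uri}")              # request-dependent part
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


if __name__ == "__main__":
    header = basic_header("lcamoes", "lusiades")
    print(header, "->", read_basic(header))
    # Constructed realm, URI and nonces: the response changes with every nonce.
    for nonce in ("nonce-one", "nonce-two"):
        print(nonce, digest_response("lcamoes", "New Product Information",
                                     "lusiades", "GET", "/newprods/",
                                     nonce, "00000001", "c0ffee"))
```

This is the reason the slides pair Basic authentication with SSL: without an encrypted channel the header is equivalent to sending the password itself.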

Page 24

User Authentication in Apache

- Basic authentication is most common
- User names and passwords are kept in a separate file
- Create password file
    -c creates the users file
    -b adds a password when creating user

# Create the users file and add mnoia (prompts for the password)
htpasswd -c users mnoia
# Add fpessoa to the existing file (prompts for the password)
htpasswd users fpessoa
# Add lcamoes with the password given on the command line
htpasswd -b users lcamoes lusiades

Page 25

Apache User Authentication Directives

Directive: Description

- AuthName: Specifies descriptive text for user authentication that appears on the user's browser when the request is made to log on. Example: AuthName "New Product Information"
- AuthType: Specifies the authentication type. Example: AuthType Basic
- AuthUserFile: Specifies the complete path to the user authentication file. Example: AuthUserFile D:/users
- AuthGroupFile: Specifies the complete path to the text file that associates users with groups.
- Require: Defines which users in the user authentication file are allowed access to the directory. Examples:
    Require user fpessoa lcamoes
    Require group developers designers
    Require valid-user

Page 26

Apache User Authentication

- Assume you want to restrict the htdocs/newprods directory to any user in the users file located on the D drive

<Directory htdocs/newprods>
    AuthName "New Product Information"
    AuthType Basic
    AuthUserFile D:/users
    Require valid-user
</Directory>

Page 27

Using a Firewall

- A firewall implements a security policy between networks
- Our focus is between the Internet and an organization's network
- You need to limit access, especially from the Internet to your internal computers
- Restrict access to Web servers, e-mail servers, and other related servers

Page 28

Types of Filtering

- Packet filtering
  - Looks at each individual packet
  - Based on rules, it determines whether to let it pass through the firewall
- Circuit-level filtering (stateful or dynamic filtering)
  - Controls complete communication session, not just individual packets
  - Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside
- Application-level
  - Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

Page 29

A Packet-filtering Firewall

- Consists of a list of acceptance and denial rules
- A firewall independently filters what comes in and what goes out
- It is best to start with a default policy that denies all traffic, in and out
- We can reject or drop a failed packet
  - Drop – (best) thrown away without response
  - Reject – ICMP message sent in response

Page 30

Firewall on Linux - iptables

- Connections can be logged
- Initializing the firewall
  - Remove any pre-existing rules
      iptables --flush
  - Set default policy to drop packets
      iptables --policy INPUT DROP
      iptables --policy OUTPUT DROP
- At this point nothing comes in and nothing goes out

Page 31

Describing the Packets to Accept

    -A (Append rule) INPUT or OUTPUT
    -i eth0 (input interface) or -o eth0 (output)
    -p tcp or -p udp (protocol type)
    -s, -d (source, destination address)
    --sport, --dport (source, destination port)
    -j ACCEPT (this is a good rule)

Page 32

Allowing Access to Web Server

- Allow packets from any address with an unprivileged port to the address on our server destined to port 80
  - The following should be on a single line

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT

- Allow packets to go out port 80 from our server to any unprivileged port at any address

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT

Page 33

Allowing Access to DNS

- DNS uses port 53
  - UDP for resolving, TCP for zone transfers

iptables -A INPUT -i eth0 -p udp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

Page 34

Allowing Access to FTP

- Port 21 for data, port 20 for control
- Data is transferred through unprivileged ports
- Opening unprivileged ports can be a problem

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
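
Why "opening unprivileged ports can be a problem", as an added Python audit of the INPUT rules from the Web, DNS and FTP slides (a simplified first-match model, not iptables itself and not part of the original slides): it reports which listening ports an outside client can reach and which rule admits them. Ports 22, 3306 and 8080 are constructed stand-ins for other services that might run on the same host.

```python
from dataclasses import dataclass

SERVER = "192.168.1.10"
UNPRIV = (1024, 65535)          # the slides' --sport/--dport 1024:65535 range

@dataclass(frozen=True)
class Rule:
    label: str
    proto: str
    sport: tuple                # inclusive (low, high) source-port range
    dport: tuple                # inclusive (low, high) destination-port range
    dst: str = SERVER

    def matches(self, proto, sport, dst, dport):
        return (proto == self.proto and dst == self.dst
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])

# INPUT rules transcribed from the slides, in the order they are appended.
INPUT_RULES = [
    Rule("web", "tcp", UNPRIV, (80, 80)),
    Rule("dns-udp", "udp", UNPRIV, (53, 53)),
    Rule("dns-tcp", "tcp", UNPRIV, (53, 53)),
    Rule("ftp-21", "tcp", UNPRIV, (21, 21)),
    Rule("ftp-20", "tcp", UNPRIV, (20, 20)),
    Rule("ftp-unprivileged", "tcp", UNPRIV, UNPRIV),
]

def verdict(rules, proto, sport, dport, dst=SERVER):
    """First matching rule accepts; otherwise the default DROP policy applies."""
    for rule in rules:
        if rule.matches(proto, sport, dst, dport):
            return ("ACCEPT", rule.label)
    return ("DROP", "default-policy")

def reachable(rules, ports, proto="tcp", sport=40000):
    """Map each inbound-reachable port in `ports` to the rule that admits it."""
    result = {}
    for port in ports:
        action, label = verdict(rules, proto, sport, port)
        if action == "ACCEPT":
            result[port] = label
    return result

if __name__ == "__main__":
    # Constructed listener list: 22, 3306 and 8080 are hypothetical extra services.
    print(reachable(INPUT_RULES, [22, 80, 3306, 8080]))
    print(reachable(INPUT_RULES[:-1], [22, 80, 3306, 8080]))
```

The last FTP rule is the only one that admits 3306 and 8080; dropping it from the list leaves port 80 as the sole reachable port among the four tested.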

