Date post: | 18-Jan-2016 |
Category: |
Documents |
Upload: | clara-ward |
View: | 212 times |
Download: | 0 times |
CITA 310 Section 9
Securing the Web Environment
(Textbook Chapter 10)
Identifying Threats and Vulnerabilities Focus is on threats from the Internet Hackers sometimes want the challenge
of penetrating a system and vandalizing it – other times they are after data Data can be credit card numbers, user
names and passwords, other personal data Information can be gathered while it is
being transmitted Often, operating system flaws can assist
the hacker
Examining TCP/IP Hackers often take advantage of the
intricacy of TCP/IP The following are parts of the IP header
most relevant to security Source address Destination address Packet identification, flags, fragment offset Total length Protocol – TCP, UDP, ICMP
TCP-Delivering Data to Applications Important header fields
Source and destination ports Sequence number, data offset Flags, such as SYN, ACK, FIN
Establishing a TCP connection
Vulnerabilities of DNS Historically DNS has had security
problems BIND is the most common
implementation of DNS and some older version had serious bugs
BIND 9, the current version, has been more secure
Vulnerabilities in Operating Systems Operating systems are large and complex
which means that there are more opportunities for attack
Although Windows has had its share of problems, often inattentive administrators often fail to implement patches when available
Some attacks, such as buffer overruns, can allow the attacker to take over the computer
Vulnerabilities in Web Servers Static HTML pages pose virtually
no problem Programming environments and
databases add complexity that a hacker can exploit
Programmers often do not have time to focus on security
Vulnerabilities of E-mail Servers By design, e-mail servers are open E-mail servers can be harmed by a
series of very large e-mail messages Sending an overwhelming number of
messages at the same time can prevent valid users from accessing the server
Viruses can be sent to e-mail users Retrieving e-mail over the Internet often
involves sending your user name and password as clear text
Securing Data Transmission To secure data on a network that is
accessible to others, you need to encrypt the data
SSL is the most common method of encrypting data between a browser and Web server
Secure Shell (SSH) is a secure replacement for Telnet
Secure Sockets Layer (SSL) A digital certificate issued by a certification
authority (CA) identifies an organization The public key infrastructure (PKI) defines
the system of CAs and certificates Public key cryptography depends on two
keys A public key is shared with everyone The public key can be used to encrypt data Only the owner of the public key has the
corresponding private key which is needed to decrypt the data
Upgraded to TLS!
Establishing an SSL Connection
Using SSH for Tunneling Tunneling allows you to use an
unsecure protocol, such as POP3, through a secure connection, such as SSH
To set up tunneling Configure the SSH client so the local port is
a port between 1024 and 65535 Configure the SSH client to connect to POP3
port 110 Log in to the SSH client Direct the e-mail client to the local port and
log in to the e-mail server
Securing the Operating System Use the server for only necessary tasks Minimize user accounts Disable services that are not needed Make sure that you have a secure password
In addition to using upper case, lower case numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255
Check a table of ALT values to avoid common characters
The use of the ALT key will thwart most hackers
Securing Windows There are many services that are
not needed in Windows for most Internet-based server applications
Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names
Securing E-mail You have already seen the ability
to tunnel POP3 which would prevent data from being seen
To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox
Securing the Web Server Enable the minimum features
If you don't need a programming language, do not enable it
Make sure programmers understand security issues
Implement SSL where appropriate
Securing the Web ServerApache Directories You can restrict access to
directories by using "Allow" and "Deny"
The following only allows computers with the two IP addresses to access the directory
<Directory htdocs/reports>Order Allow,DenyAllow from 10.10.10.5 192.168.0.3
</Directory>
Order Directive The Order directive, along with the Allow
and Deny directives, controls a three-pass access control system.
The first pass processes either all Allow or all Deny directives, as specified by the Order directive.
The second pass parses the rest of the directives (Deny or Allow).
The third pass applies to all requests which do not match either of the first two.
Allow,Deny First, all Allow directives are
evaluated; at least one must match, or the request is rejected.
Next, all Deny directives are evaluated. If any matches, the request is rejected.
Last, any requests which do not match an Allow or a Deny directive are denied by default.
Deny,Allow First, all Deny directives are
evaluated; if any match, the request is denied unless it also matches an Allow directive.
Any requests which do not match any Allow or Deny directives are permitted.
Authenticating Web Users Both Apache and IIS use HTTP to
enable authentication HTTP tries to access a protected
directory and fails Then it requests authentication from the
user in a dialog box Accesses directory with user information
Can be used in conjunction with SSL
HTTP Authentication Methods Basic access authentication Digest access authentication
Configuring User Authentication in IIS Four types of authenticated access
Windows integrated authentication Most secure – requires IE
Digest authentication for Windows domain servers
Works with proxy servers Requires Active Directory and IE
Basic authentication User name and password in clear text Works with IE, Netscape, and others
Passport authentication Centralized form of authentication Only available on Windows Server 2003+
User Authentication in Apache Basic authentication is most
common User names and passwords are kept
in a separate file Create password file -c creates the users file -b adds a password when creating user
htpasswd –c users mnoiahtpasswd users fpessoahtpasswd users lcamoes –b lusiades
ApacheUser Authentication Directives
Directive Description
AuthName Specifies descriptive text for user authentication that appears on the user’s browser when the request is made to log on. Example: AuthName “New Product Information”
AuthType Specifies the authentication type. Example: AuthType Basic
AuthUserFile Specifies the complete path to the user authentication file.Example: AuthUserFile D:/users
AuthGroupFile Specifies the complete path to the text file that associates users with groups.
Require Defines which users in the user authentication file are allowed access to the directory. Examples:
Require user fpessoa lcamoesRequire group developers designersRequire valid-user
ApacheUser Authentication Assume you want to restrict the
htdocs/newprods directory to any user in the users file located on the D drive
<Directory htdocs/newprods>AuthName "New Product Information"AuthType BasicAuthUserFile D:/usersRequire valid-user</Directory>
Using a Firewall A firewall implements a security
policy between networks Our focus is between the Internet and
an organization's network You need to limit access, especially
from the Internet to your internal computers Restrict access to Web servers, e-mail
servers, and other related servers
Types of Filtering Packet filtering
Looks at each individual packet Based on rules, it determines whether to let it pass
through the firewall Circuit-level filtering (stateful or dynamic
filtering) Controls complete communication session, not just
individual packets Allows traffic initialized from within the organization
to return, yet restricts traffic initialized from outside Application-level
Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail
A Packet-filtering Firewall Consists of a list of acceptance and
denial rules A firewall independently filters what
comes in and what goes out It is best to start with a default policy
that denies all traffic, in and out We can reject or drop a failed packet
Drop – (best) thrown away without response Reject – ICMP message sent in response
Firewall on Linux - iptables Connections can be logged Initializing the firewall
Remove any pre-existing rules iptables --flush
Set default policy to drop packets iptables --policy INPUT DROP iptables --policy OUTPUT DROP
At this point nothing comes in and nothing goes out
Describing the Packets to Accept -A (Append rule) INPUT or OUTPUT -i eth0 (input interface) or –o eth0
(output) -p tcp or -p udp (protocol type) -s , -d (source, destination address) --sport, --dport (source, destination port) -j ACCEPT (this is a good rule)
Allowing Access to Web Server Allow packets from any address with an
unprivileged port to the address on our server destined to port 80 The following should be on a single line
iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 80 –j ACCEPT
Allow packets to go out port 80 from our server to any unprivileged port at any address
iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 --sport 80 --dport 1024:65535 –j ACCEPT
Allowing Access to DNS DNS uses port 53
UDP for resolving, TCP for zone transfers
iptables –A INPUT –i eth0 –p udp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT
iptables –A OUTPUT –o eth0 –p udp –s 192.168.1.10
--sport 53 --dport 1024:65535 –j ACCEPT
iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10
--sport 53 --dport 1024:65535 –j ACCEPT
Allowing Access to FTP Port 21 for data, port 20 for control Data is transferred through unprivileged
ports Opening unprivileged ports can be a problem
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT