COMP3123 Internet Security
Richard Henson
University of Worcester
November 2011
Week 8 Communications: Securing Web Pages
Objectives:
  Explain how HTTPS/SSL/TLS fits into the OSI seven layer model
  Take the necessary steps to implement an SSL system on a www server that uses EAP/TLS
  Apply PKI principles to produce a workable approach to protecting web pages at the client end
Reminder: TCP/IP model
Zoom in on TCP and the upper layers...
[Diagram: Level 7: TELNET, FTP, SMTP, HTTP (http-s). Level 5: session layer protocols, e.g. Unix "sockets", SSL. Level 4: TCP/TLS.]
Secure Sockets and the Session Layer
In the early days of Unix, someone devised the concept of a logical "socket":
  a protocol between the application and transport layers that TCP could plug in to, with the help of a TCP port
  the "socket" dealt with network authentication
  with OSI, the concept evolved into the session layer
When Windows (application layer) first interfaced with TCP/IP, the session layer protocol was known as WINSOCK
Secure HTTP (https) and the session layer
Application layer protocols communicate with the TCP layer through unique TCP logical ports via an (optional) session layer logon
Anonymous ftp, http, etc. bypass the session layer: no authentication
[Diagram: Layer 7 - "Session" - Layer 4]
Secure HTTP (https) and the session layer
Security can be imposed by authenticating at the "logon" layer:
  a username/password check is required before data can pass the session layer and be displayed by the browser
  remote logon, e.g. by Kerberos authentication
[Diagram: Layer 7 - "Session" - Layer 4]
The Trouble with HTTP
General Internet principle of "anyone can go anywhere"
On a Windows system with www access:
  TCP can link to HTTP through "Winsock"
  session layer authentication bypassed
  HTML data transferred directly to the presentation and application layers for display
Problem (security):
  the data is visible to anyone else on the Internet who may have access to that machine and the data path to it!
Secure HTTP and the user authentication problem
Even http can be set up at the server end to require authentication at the session layer... data not encrypted
SSL protocol can require a username/password combination before data passes through the socket from the transport layer to the application layer... encrypts by default
[Diagram: application layer - authentication required - transport layer]
SSL-based Authentication
SSL is able to use the PKI (remember that?)
When a user first attempts to communicate with a web server over a secure connection:
  that server will present the web browser with authentication data
  presented as a server certificate (remember those?)
    » verifies that the server is who and what it claims to be
Works both ways...
  protocol: EAP/TLS
  server may in return request client authentication via username/password
SSL and Encryption
Authenticating the user & server only helps when the data is at its source or destination
  data also needs to be protected in transit...
SSL working at level 5/6 also ensures that it is:
  » encrypted before being sent
  » decrypted upon receipt and prior to processing for display
Confidentiality & Integrity
Encryption of SSL responses can be:
  standard 40 bit RSA
    » at one time difficult to break: confidentiality
  secure 128 bit RSA
    » difficult to "crack" even now
Guarantee that the data will not be modified in transit by a third party: integrity therefore also maintained
Is an SSL Digital Certificate Really Necessary?
Yes:
  for sites involved in e-commerce and therefore involving digital payment with authentication
  any other business transaction in which authentication is important
No:
  if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection
  in such cases, a self-signed certificate is sufficient
The Web of Trust (PGP)
Based on individual trust networks built up between individuals
Possible to "self sign" a digital certificate
  if someone trusts you, a self-signature may be all they need
OpenPGP identity certificates are designed to be self-signed
Verisign Trust System
Web of Trust
  OK for academics ("good" people?)
  but "bad" people can do business
Verisign system presented as an alternative
  developed so that people could trust strangers in business transactions
  financial institutions provide the "trust"
General Tips on Running SSL
Secure websites... designed to be as efficient as securely possible
  » problem: encryption/decryption is computationally expensive from a performance standpoint
not strictly necessary to run an entire Web application over SSL
customary for a developer to:
  » find out which pages require a secure connection and which do not
  » create secure and non-secure folder structures for the respective web pages
When to use SSL
Whenever web pages require a secure connection with the server, e.g.:
  login pages
  personal information pages
  shopping cart checkouts
  any pages where credit card information could possibly be transmitted
HTTPS
A client-server service that runs on the Web server (by default, on TCP port 443)
  uniquely designed so it will not run on a server without an installed and active server certificate
Once the service has been set up, https will require users to establish an encrypted channel with the server, i.e. https:// rather than http://
Until the user does use https they will get an error, rather than the pop up that precedes the secure web page
Why not use HTTPS?
Encryption can interfere with access to data... (i.e. availability)
an encrypted channel running https requires...
  » that the user's Web browser and the Web server BOTH support the same encryption scheme
  » and have the appropriate key(s)
for example:
  » IF an IIS Web Server is set to use default secure communication settings
  » THEN the client Web browser must support a session key strength of 40 bits, or greater
Accessing a Web Page using HTTPS
If the client is to request a page that needs SSL:
  in the HTML code that will call that page, prefix the address with https:// instead of http:// and the system will do the rest
Any pages which absolutely require a secure connection should:
  check the protocol type associated with the page request
  take the appropriate action if https: is not specified
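The protocol check described above, together with the secure/non-secure folder split from the "General Tips on Running SSL" slide, as an added example (not code from the lecture). The folder names under SECURE_PREFIXES and the host names in the usage section are constructed; check_request() decides whether a request may be served or must be redirected to its https:// form, and wsgi_guard() wraps that decision as WSGI middleware so it runs before any page is served.

```python
"""Serve-or-redirect check for a site split into secure and non-secure folders.

Added example (not from the lecture): SECURE_PREFIXES and the host names used
below are constructed.  check_request() is the "check the protocol type of the
page request and act if https: is not specified" step; wsgi_guard() applies it
as WSGI middleware in front of any Python web application.
"""
from __future__ import annotations

import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed example: folders whose pages must travel only over SSL/TLS.
# Everything else (catalogue, static images) may be served over plain http.
SECURE_PREFIXES = ("/login/", "/account/", "/checkout/")


def needs_ssl(path: str) -> bool:
    """True when the requested path lies inside one of the secure folders.

    The path is normalised first so that "/public/../checkout/pay" is seen as
    "/checkout/pay" and cannot slip past the check.
    """
    folder = posixpath.normpath(path or "/").rstrip("/") + "/"
    return any(folder.startswith(prefix) for prefix in SECURE_PREFIXES)


def check_request(url: str) -> tuple[str, str | None]:
    """Return ("serve", None), ("redirect", https_url) or ("reject", None)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    path = posixpath.normpath(parts.path or "/")
    if scheme == "https":
        return ("serve", None)            # channel already encrypted
    if scheme != "http":
        return ("reject", None)           # not a web request at all
    if not needs_ssl(path):
        return ("serve", None)            # public folder: plain http is fine
    # Same host, path and query with the https:// prefix; the explicit port is
    # dropped so the browser uses the https default (443).
    host = parts.hostname or ""
    return ("redirect", urlunsplit(("https", host, path, parts.query, "")))


def wsgi_guard(app):
    """WSGI middleware: 301-redirect secure-folder requests that arrive over http."""
    def guarded(environ, start_response):
        url = urlunsplit((
            environ.get("wsgi.url_scheme", "http"),
            environ.get("HTTP_HOST") or environ.get("SERVER_NAME", ""),
            environ.get("PATH_INFO", "/"),
            environ.get("QUERY_STRING", ""),
            "",
        ))
        action, target = check_request(url)
        if action == "redirect":
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        if action == "reject":
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return guarded


if __name__ == "__main__":
    # Constructed requests against a hypothetical shop.example host.
    for url in ("http://shop.example/catalog/item?id=3",
                "http://shop.example/login",
                "http://shop.example/public/../checkout/pay?step=2",
                "https://shop.example/checkout/pay"):
        print(url, "->", check_request(url))
```

The redirect keeps the query string, so a login link that carried a "next" parameter still works after the switch; the normalisation step matters because a path that reaches a secure folder through ".." segments must be treated as a secure-folder request.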
Browser Prompts: Web Page delivered securely using SSL
(depending on browser settings) A pop up appears...
  informs the client that they are entering a secure client-server connection
  pop up must be acknowledged to continue
When the page is displayed:
  https:// will appear before the URL
  a "lock" symbol appears on the bottom left of the screen
"Virtual Hosts" (http)
Useful technology for ISPs
Enables many different folders/websites to be used in conjunction with a web server, but all have the same IP address!!
Done by careful mapping with the real domain name that corresponds to the IP address
  even though the folder names appear to have different URLs, they all originate from the same domain name
"Virtual Hosts" and SSL
The SSL "handshake", where the client browser accepts the server certificate, must occur before the HTTP request is accessed, i.e. at a lower OSI layer...
Consequences:
  the request information containing a virtual host name cannot be determined prior to authentication
  therefore not possible to assign multiple certificates to a single IP address
Using name-based virtual hosts on a secured connection is therefore problematic...
Virtual Hosts and SSL
If all the virtual hosts on a single IP address will need to authenticate against the same certificate...
  multiple "virtual hosts" should not interfere with normal SSL operations on the server
However
  most client browsers will compare the server's domain name against the domain name listed in the certificate
  if the domain names don't match, these browsers will display a warning pop-up message to the client
  may cause unnecessary alarm at the client end!
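An added example (not the lecture's code) that serves two slides: the client side of the PKI exchange from "SSL-based Authentication" (verify the server certificate against a trusted CA, compare its names with the host, optionally present a client certificate for mutual authentication), and the name comparison that causes the virtual-host warning above. The certificate, the four virtual host names sharing one IP address and the optional client_cert.pem path are constructed; hostname_matches() follows the usual browser rule that a wildcard may only stand for the whole leftmost label of a name with at least three labels.

```python
"""Two checks a browser performs when a virtual host answers over SSL/TLS.

Added example; SHARED_CERT, VIRTUAL_HOSTS and the optional client certificate
path are constructed, not taken from any real deployment.
"""
from __future__ import annotations

import ssl


def build_client_context(client_cert: str | None = None) -> ssl.SSLContext:
    """Client context: server certificate must chain to a trusted CA and
    name the host being visited; a client certificate is optional."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # OS CA store
    ctx.check_hostname = True                  # compare cert names with host
    ctx.verify_mode = ssl.CERT_REQUIRED        # refuse unverifiable servers
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:                            # mutual authentication
        ctx.load_cert_chain(client_cert)       # assumed path, e.g. client_cert.pem
    return ctx


def hostname_matches(hostname: str, cert_names) -> bool:
    """Does any name in the certificate cover this host name?

    Exact, case-insensitive comparison, or a wildcard that is the entire
    leftmost label of a name with at least three labels (so "*.ac.uk" and
    "w*.example.ac.uk" are rejected, and "*.example.ac.uk" does not cover
    "example.ac.uk" itself or "a.b.example.ac.uk").
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in cert_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if "*" not in name:
            if pat_labels == host_labels:
                return True
            continue
        if pat_labels[0] != "*" or any("*" in p for p in pat_labels[1:]):
            continue
        if len(pat_labels) < 3 or len(host_labels) != len(pat_labels):
            continue
        if host_labels[1:] == pat_labels[1:]:
            return True
    return False


def certificate_names(cert: dict) -> list[str]:
    """DNS names from a certificate in the dict form ssl.getpeercert() returns.
    The subject CN is used only when no subjectAltName is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def hosts_that_warn(virtual_hosts, cert: dict) -> list[str]:
    """Virtual hosts that would trigger the browser's name-mismatch warning."""
    names = certificate_names(cert)
    return [host for host in virtual_hosts if not hostname_matches(host, names)]


# Constructed example: one IP address, one certificate, four virtual hosts.
SHARED_CERT = {
    "subject": ((("commonName", "www.example.ac.uk"),),),
    "subjectAltName": (("DNS", "www.example.ac.uk"), ("DNS", "*.example.ac.uk")),
}
VIRTUAL_HOSTS = ["www.example.ac.uk", "library.example.ac.uk",
                 "example.ac.uk", "shop.example-partner.co.uk"]

if __name__ == "__main__":
    ctx = build_client_context()
    print("verify:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    print("would warn:", hosts_that_warn(VIRTUAL_HOSTS, SHARED_CERT))
```

Running it lists the two virtual hosts that the shared certificate does not name; those are the sites whose visitors would see the warning pop-up. Today the Server Name Indication extension (RFC 6066) carries the host name inside the TLS handshake, so a server can select a certificate per virtual host, but the browser still performs exactly this comparison on whichever certificate it receives.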
VPNs using SSL
Http-based applications and access are now potentially available to anyone with a browser
  browsers now available for portable devices...
  the whole nature of keeping data secure has changed...
SSL VPNs developed to:
  complement existing SSL implementations
  increase the level of access control and security
  address the challenge of increased risks of fraud, threats and hacks that could compromise the security of application access
The apparent contradiction of SSL VPN
By now, you should understand what SSL and VPN mean independently, but what does this new phrase mean together?
To sum up, SSL works at OSI layers 5-7:
  secures data over the Internet with encryption that is automatically enabled in every browser
  requires a certificate for the web server, but turning on SSL is relatively straightforward for an application
  doesn't work with all applications and changing some links might be needed, but this depends solely on the application
The apparent contradiction of SSL VPN
Conventional VPNs, on the other hand:
  focus around virtually connecting networks
  always associated with IPSec (level 1, 2, 3)
    » the de-facto protocol used to encrypt traffic for VPN
    » ensures privacy of the data and a certain level of access control
IPSec VPNs are used to securely connect devices
  » across the physical network
  » across two networks
  » between two end-points
So, how can SSL and VPN work together successfully?
Compared to IPSec, SSL VPNs provide the best technological solution to the business problem of:
  easily and securely connecting end users on the move to critical corporate data
Any machine with a browser can use SSL VPNs
  traditional VPN needs to have a physical client installed on every machine used for access
  SSL provides an easy to use avenue to access information, replacing the difficult to use VPN client/IPsec
SSL, multiple machines and the flexible VPN
As SSL is embedded in the browser...
  no need for client software!
  if users have several machines (home, work, client site, mobile device) they use the browser to connect
    » makes life much easier
Yet VPN describes secure remote access tunnels to individual clients and servers...
  at an academic level...
    » the two concepts of VPN & SSL used together seem to contradict
  in reality
    » present a solution to the technological demands of mobile devices & secure remote access
SSL VPNs or IPSec VPNs? (horses for courses)
IPsec still seen as the standard for secure inter-office networking (i.e. where there are no complications):
  common platform of office PCs
  no need to send data across complex infrastructures or firewalls
As soon as the structure becomes cross-platform, intranetwork, across the firewall to the Internet...
  SSL VPN using an Internet browser is a more effective solution than IPSec
Securely supporting Wireless Users
One of the big issues of the current times:
  management want users out in "the field" to use wireless devices to communicate with base
  IT managers worried about security...
Hence articles like this:
  "IT security is broken, so can companies stay safe?"
    » BBC business reporter writing about BBC IT network
    » http://www.bbc.co.uk/news/business-11793436
Wireless Protocols
Current standards for wireless connections at lower OSI layers developed by the IEEE (Institute of Electrical and Electronic Engineers) and manufacturers are:
  IEEE802.11g
  Bluetooth
The IP protocol is slightly changed to cope with these standards
Wireless Data is Broadcast...
[Diagram: source and destination, with several "lurkers" within range of the broadcast]
VPNs use a specified route...
[Diagram: e.g. VPN shown in green]
Protecting Wireless access
Because packets are easily intercepted, the data absolutely MUST be encrypted
In the unlikely scenario that the interceptor:
  works out the encryption method
  and intercepts the encryption key...
data could be further safeguarded by use of VPN techniques
  » e.g. tunnelling and encapsulation
Wireless access and SSL VPNs
Another job for SSL VPNs...
  allow authentication and authorization of users from anywhere
  ensure secure access to all resources
Traditional wireless LAN model
  WEP (Wireless Encryption Protocol) security based on authentication keys:
    shared by anyone accessing that wireless hub
    » therefore additional support steps to regularly update and maintain security
More practical alternative: Internet café model
  » all wireless users in proximity of a wireless hotspot can view a portal
  but denied access "inside" unless they confirm authentication
Wireless SSL VPNs
In an enterprise wireless network scenario, wireless users can be directed through a suitably configured SSL VPN
  but denied access to any resources until they log in for authentication
Provides central control of access to resources through a single gateway, whether users log in from:
  » a docked laptop at their desk
  » an undocked laptop in a conference room
  » a handheld PDA from elsewhere on the campus
A Secure Wireless Network Scenario (1)
The organisation establishes an array of WiFi access points distributed across the campus
  wireless hubs located in multiple buildings
On entering range of a "hotspot":
  all wireless users may connect to the Internet
    » but no access to any internal or external (public Internet) resources
    » when a wireless network user launches a browser, they are immediately redirected to a login page for authentication through the SSL VPN
A Secure Wireless Scenario (2)
Wireless user uses username/password for authentication
Once authenticated, software agents can quickly do a background scan of the user's end point device:
  » detect its identity and integrity:
  » check for the presence of valid software certificates
  » check up-to-dateness of antivirus software & Windows patches
A Secure Wireless Scenario (3)
If the device meets the scan criteria:
  user is fully authorized
  then presented with a portal for accessing their network files, applications and directories based on their role and privileges
Otherwise the user can automatically be:
  either redirected to a quarantined site offering easy self-remediation steps
  or denied access to the network altogether
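The three-slide scenario as one decision procedure, added here as an example and not the lecture's or any product's code: username/password login at the SSL VPN portal, a posture scan of the end point (software certificate, antivirus freshness, Windows patch freshness), then full role-based access, quarantine for self-remediation, or denial. The user directory, role table, freshness limits and the rule that chooses between quarantine and denial are constructed assumptions.

```python
"""Access decision for the secure wireless scenario (slides 1-3).

Added example; USERS, ROLE_RESOURCES, the freshness limits and the
quarantine-versus-deny rule are assumptions, not an actual gateway's policy.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Posture:
    """What the scanning agent reports about the end point device."""
    has_valid_software_certificate: bool
    antivirus_signatures_date: str   # ISO date of the latest AV update
    windows_patch_date: str          # ISO date of the latest Windows patch


@dataclass
class Decision:
    outcome: str                                    # "full", "quarantine", "deny"
    reasons: list[str] = field(default_factory=list)
    portal: list[str] = field(default_factory=list)  # resources offered


# Constructed directory: password and role per user.  A real gateway stores
# password hashes and usually defers to a directory service such as LDAP.
USERS = {
    "alice": ("correct-horse", "staff"),
    "bob": ("battery-staple", "student"),
}
ROLE_RESOURCES = {
    "staff": ["home-share", "email", "hr-application"],
    "student": ["home-share", "library-catalogue"],
}
MAX_AV_AGE = timedelta(days=7)        # assumed freshness limits
MAX_PATCH_AGE = timedelta(days=30)


def authenticate(username: str, password: str) -> bool:
    """Username/password check; compare_digest avoids a timing side channel."""
    stored = USERS.get(username, ("", ""))[0]
    return bool(stored) and hmac.compare_digest(stored, password)


def assess_posture(p: Posture, today: str) -> list[str]:
    """Return the scan criteria the device fails (empty list = healthy)."""
    now = date.fromisoformat(today)
    problems = []
    if not p.has_valid_software_certificate:
        problems.append("no valid software certificate")
    if now - date.fromisoformat(p.antivirus_signatures_date) > MAX_AV_AGE:
        problems.append("antivirus signatures out of date")
    if now - date.fromisoformat(p.windows_patch_date) > MAX_PATCH_AGE:
        problems.append("Windows patches out of date")
    return problems


def decide(username: str, password: str, posture: Posture, today: str) -> Decision:
    """Full access, quarantine or denial for one wireless login attempt."""
    if not authenticate(username, password):
        # The device is not even scanned until the user has authenticated.
        return Decision("deny", ["authentication failed"])
    problems = assess_posture(posture, today)
    if not problems:
        role = USERS[username][1]
        return Decision("full", [], list(ROLE_RESOURCES[role]))
    # Assumed policy: a device that proves its identity with a valid
    # certificate may fix stale software from the quarantine site; an
    # unidentified device is refused outright.
    if posture.has_valid_software_certificate:
        return Decision("quarantine", problems)
    return Decision("deny", problems)


if __name__ == "__main__":
    today = "2011-11-15"   # constructed scan date
    print(decide("alice", "correct-horse", Posture(True, "2011-11-14", "2011-11-01"), today))
    print(decide("bob", "battery-staple", Posture(True, "2011-10-01", "2011-11-01"), today))
    print(decide("bob", "battery-staple", Posture(False, "2011-11-14", "2011-11-01"), today))
```

The reasons list is what the quarantine site would show the user as remediation steps, and the portal list is what the gateway exposes for the user's role once the device passes.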
Security Controls on Complex Networks
Group of British security researchers and professionals coined the phrase Information Security Management System (ISMS)
British Standard for an ISMS emerged in the 1990s: BSI7799
  » over 130 information security controls
  » many not technical
  » require management control of user behaviour
Process-based Information Security
ISMS development process based: uses PDCA
  » Plan
  » Do
  » Check
  » Act
contrast with PCI-DSS check list
ISO27001 Certification awarded to organisations who appropriately use the process model covering the 130+ controls
International Standard for ISMS
BSI 7799 evolved (2005) into an International Standard: ISO27001
Soon became popular in Japan & along the Pacific Rim
Also in some Eastern European countries
  » some UK interest
  » but most companies have not become certificated
  » WHY???
SMEs and Developing an ISMS
ISO27001 difficult for SMEs
  especially information risk assessment
  yet if they could engage, could identify greatest risks and reduce controls
IASME (Information Assurance for SMEs)
  developed by University of Worcester, NCC & experienced consultants, with assistance from govt funding (Technology Strategy Board)
  makes risk assessment doable
  takes into account small business culture
  released this year... 2011
Thanks for Listening