Internet / Intranet
CIS-536

Class 5
Web Server Security
Intro Javascript


Class 5 Agenda
Web Security
Presentations
Intro JavaScript
Next Week:
More Javascript
DHTML, DOM
Forms


Practical Internet Security
Analogous to “Real-Life” Security (e.g. a Bank)
Like Software, Security Must Be Well-Designed
Implementing Security Requires Trade-Offs
Ease of Use is Affected
Business Processes are Affected
Business Culture is Affected
Affects Both Users and Employees
Security is Expensive
Time, Effort, Lost Productivity
Enforcement

Physical Security is Only Half the Story

Implementation/Enforcement is Just as Important


Security Design Issues
Know the Threats You are Protecting Against
What are the Probabilities?
What is the Cost if it Happens?
Dollars
Customer/Employee Confidence

Know Your Environment
What are the Customer/User Requirements?
What are the Budget Constraints?
What is the Culture/Attitude of Those Affected?
What is the Probability That Policies Will Be Followed
Enforced?


Security Sermon
Security is Often Mis-Used in Technology Environments
Provides Peace of Mind
Not Necessarily Real Security

Often Avoids the Real Issues
Appeases Management

Common Security Mistakes (Analogies)
Using an Expensive/High Security Safe
But Leaving the Key/Combination Where it Can Be Stolen
Leaving the Safe Unlocked

Little Professional Enforcement/Review of Procedures

Storing a Dime in a Safe
Cost of Security Exceeds Risk of Stolen Dime

High-Tech Solution Instead of Low-Tech Common Sense
E.g. Convenience Store Having a Safe vs. Nightly Bank
Deposits

Security Has Consequences on Human Perceptions
E.g. Installing a Metal Detector May Make Employees Feel
Less Secure


Security Tips
Thieves/Hackers Follow Easiest Path
One That Gives Them Most Value
One They Know About

The Environment is Key!
A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be
Stolen Last
Same Mercedes in an Unsecure Garage is Safer Because
Fewer Thieves Know About It

Therefore:
Know Other Likely Targets and Be Less Attractive Than
They Are
Make Your Site More Difficult to Hack Than its Worth

Don’t Publicize What Doesn’t Need to Be Public


Security Tips (2)
Does Not Guarantee No Hacking
But Reduces the Probability Significantly

Most Security Problems Come From Human
Error, Not From Intentional Hacking
Focus on Minimizing Chance of Human Error

Identify Each Risk Separately
Solutions May Vary Widely

Security is Only as Good as Your Expertise
Professional Security Requires Professional System
Administrator

Use Common Sense / Be Realistic


Internet Risks
Destruction of Data
Random
Targeted

Modification of Data
Random
Targeted
Worms/Viruses


Publication of Private/Sensitive Data
Sensitve/Embarassing Information
Confidential Information
Competitive Information
Customer Information
Keys
Information That Furthers Other Risks
E.g. Credit Card Information, Museum Floor Plan

Network Disruption
Machine Crashes / Inoperable Serving Software


Protecting Data
Machine Level
Physical Isolation
Physically Isolate Machines From Users
Protect From Theft / Natural Disasters

Users
System Administration Permissions
Remote Access

Single-Purpose vs. Multi-Purpose Server
Shared Hosting
Test vs. Production

Application Level
Server Configuration

Server’s Ability to Access Files / System Resources
Restrict Applications Running on Machine
Don’t Load Applications/Protocols You Don’t Need


Protecting Data (2)
Script Level
Who Can Modify Scripts?
Remote Access

Script’s Ability to Access Files / System Resources
Scripts Identified by File Extension or Directory?

File Level
Who Can Download Files?
Who Can Upload Files?
Exposed Directories

Communication Level
IP Address Restrictions
Password Requirements
Encryption

Metaphysical Level
Morals
The Law


Access Control Techniques
“Passive” Techniques

Don’t Publish URL’s
Always Have Default Pages – Avoid Directory Browsing
Complex Page/Directory Names

Active Techniques
Change Page/Directory Names Often
Server Filters on IP Address, Domain Name
Requiring a Name / Password
Use Non-Standard Ports

Secure (Encrypted) Transmissions
Firewalls (Proxy Servers)
Isolate LAN From General Internet


All Techniques Have Some Negatives
Passive Techniques, Non-Standard Ports
If User Guesses Correctly, They Have Full System Access
Requires Publishers to Voluntarily Follow Standards
Best for Non-Critical Security
Security Breach Does Not Disable System
Site Unlikely to Attract Hackers

IP Address / Domain Name Filters
Requires Significant Effort to Administer
Users Can’t Move Around Easily
Serious Hackers Can Defeat via Spoofing
Best For Local Intranet
Site Unlikely to Attract Serious Hackers


Encryption
Significant Overhead

Firewalls
Limits Internet Access of Those Within the Firewall


Name / Password Security
Requires All Parties to Maintain Secure
Passwords
Inconveniences Users
Difficult to Enforce
One Violation Can Compromise Entire Plan

Passed in Plain Text as Part of the URL
Serious Hackers Can Intercept It
Analogous to to credit card receipts in the trash

Web Servers Allow Unlimited Tries (Stateless)
Best Solution is a Combination of Techniques


Firewall Details
Proxy Server
Gatekeeper Between a LAN and the Internet
Acts as a Local DNS
User Requests a URL
Proxy Server Finds the Equivalent File on the LAN

Firewall

Packet-Level-Filter
Restrict Data at the Packet Level e.g. Don’t Allow FTP

Circuit Filters
Also Takes Into Account the Source and Destination of a
Packet
Maintains Some History Information

Application-Level Filters
Intercepts Transmissions and Analyzes Them to See if They
Make Sense
Requires Knowledge of the Application to be Effective


Encryption
Basic Encryption – Privacy / Confidentiality
“Scramble” a Document So Third Party Can’t Read It
What Level of Scrambling is Required?
Not Easily Reable By Human Eye
Simple Replacement Algorithm
Base64
Extremely Difficult, But Possible to Crack
E.g. passwords, “zip” encryption
“Impossible” to Crack

Authentication (Signature)
Can Be Assured That Document is From Recipient
Can Be Assured That Document Was Not Tampered With

Non-Repudiation (Contract)

Can Also Be Assured That Document Was Received Intact
Neither Can Tamper With Document

Data Integrity
Assurance That Document Was Not Corrupted


Encryption Technologies
Symmetric Key Encryption
Same Key Used For Encrypting / Decrypting
Both Parties Use Same Key
Analogy: Standard Door

Asymmetric Key Encryption (Public Key)
Each Party Has a Different Private Key
Third Key (Public Key) Required for
Encryption/Decryption
Key Held By Trusted Third-Party
Analogy: Safe Deposit Box

Message Digest Algorithms
Encrypted “Hash” Functions Used For Digital Signatures


Methods of Defeating Encryption
Brute Force
Trying All Possibilities

“Psychic” (For Human Generated Keys Only)
Person Has to Be Able to Memorize Key

Brute Force: Prioritized by Easily Memorized Keys

Cipher Attack
View The Encrypted Data and Work Back
Analogy: Cryptogram Puzzles

Cryptanalysis
Science of Breaking Algorithms
Exploit Mathematical Weaknesses in the Algorithm


How Encryption Works
Develop a mathematical function such that:
f (a,b) = c
f’ (a,c) = b
BUT f’’(b,c) = a Does Not Exist

Symmetric
f( message,key) = encrypted_message
f’ (encrypted_message, key) = message

Asymmetric
f (my_message, your_public_key) = encrypted_message
f’ (encrypted message, your_private_key) = my_message

Signature
f (signature, my_private_key) =encrypted_signature
f’ (signature, my_public_key) = signature



Internet Encryption Protocols
Public Key Encryption Requires Trusted Third Party
Certificate Authority

RSA – Rivest, Shamir, Adelman
MIT Professors – Invented Algorithms
Some are Patented

Size of Key is Important
Longer Keys are Harder to Break
Government Limits to Size of Keys
Controls on Exports

PGP – Pretty Good Privacy
Freeware Encryption

DES
56-bit Symmetric Key
Triple DES
RC2, RC4 – Uses Shorter Keys – Can Be Used For Export


Internet Encryption Protocols (2)
SET
Protocol For Passing Credit Card Information
Uses DES for Data, RSA for Keys and Credit Card Number
Includes Protocols for Authorization and Validation of Credit Card

Encrypted HTTP
S-HTTP (Secure HTTP) Commercenet

SSL – (Secure Sockets Layer) Netscape

PPP
TCP/IP Itself Cannot Be Encrypted
Login Passwords Are in Clear
PAP – (Password Authentication Protocol) Passwords Sent in Clear
CHAP (Challenge Handshake Authentication Protocol)
Password Used to Create a Response That is Passed to
Server

Key Management
Keys Must Be Kept Private or Security is Lost
Keys are Too Long For Memorization

Kerberos (MIT), (ISAKMP – Internet Security Association)


IP Level Security
Virtual Private Networks (VPNs)
Tunneling (Encapsulation)
Encrypts Data at a Point Low in the ISO Stack
Encapsulates it in Another Protocol

PPTP – Point-To-Point Tunneling Protocol
Works Over Public Networks
Only Client and Server Need to Be PPTP Aware
IP Information is encrypted and carried within another IP
packet

L2F – Layer 2 Forwarding

Requires All Routers/Servers Between Client and Server
to Support L2F

L2TP – Combination of PPTP and L2F
TACACS, RADIUS
For Dial-Up Access


Non-Encrypted Security
Change Passwords Regularly
Security Breaches are “Temporary”
Increases Effort Necessary to Break In
Analogy: Changing Locks

DHCP – IP Addresses are Temporary
Similar to Changing Passwords at IP Level
IP Addresses Dynamically Assigned

Private Network
Traffic Between Customers of ISP Does Not Pass
Through “Public” Internet
ISP Keeps Routers Secure
AT&T Strategy


Security Key Points
Use Common Sense Above All
Security is Useless if it is Not Enforceable
Once Adopted Must Be Policed / Tested / Enforced
Policing Software is Important

Automate Mundane Tasks

Security Policies Will Usually Impact
Productivity
Use Them Wisely

Two Major Aspects to Security:
Keys and Key Maintenance (e.g. Passwords)
Encryption


The Need For Client Side Scripting
Performance
Move More Processing to Client
Especially Items Requiring Faster Response
E.g. Field Validation

Usability
Make HTML More “Windows-Like”
HTML Extensions (e.g. Tab Order)
CSS Extensions (e.g. style=“cursor:hand”)
Dynamic Event Handling (e.g. onMouseOver)

Requires Scripting Language
ECMA Script – (European Computer Manufactuers
Association)
Netscape – Created Own Version: JavaScript (No Relation to
Java)
Marketing Ploy: to Capitalize on Java Popularity


Microsoft – VBScript
Windows/IIS Only
Also Support JavaScript – (Called it JScript)


JavaScript
De-Facto Standard Client-Side Scripting Language
However, Other Scripting Languages are Supported by
Servers. Add-Ons for Others.

Interpreted Language
Object-Oriented
“Full” Scripting Language
Core JavaScript – Standalone Scripting Language
No File I/O

Client-Side JavaScript – For Use in HTML Pages
Primary Use of JavaScript

Server-Side JavaScript – Perl/Java Alternative

Similar to Other Languages
C-Like Syntactic Structure
Untyped
Associative Arrays