Internet / Intranet
CIS-536
Class 5
Web Server Security
Intro Javascript
Class 5 Agenda
Web Security
Presentations
Intro JavaScript
Next Week:
More Javascript
DHTML, DOM
Forms
Practical Internet Security
Analogous to “Real-Life” Security (e.g. a Bank)
Like Software, Security Must Be Well-Designed
Implementing Security Requires Trade-Offs
Ease of Use is Affected
Business Processes are Affected
Business Culture is Affected
Affects Both Users and Employees
Security is Expensive
Time, Effort, Lost Productivity
Enforcement
Physical Security is Only Half the Story
Implementation/Enforcement is Just as Important
Security Design Issues
Know the Threats You are Protecting Against
What are the Probabilities?
What is the Cost if it Happens?
Dollars
Customer/Employee Confidence
Know Your Environment
What are the Customer/User Requirements?
What are the Budget Constraints?
What is the Culture/Attitude of Those Affected?
What is the Probability That Policies Will Be Followed
Enforced?
Security Sermon
Security is Often Mis-Used in Technology Environments
Provides Peace of Mind
Not Necessarily Real Security
Often Avoids the Real Issues
Appeases Management
Common Security Mistakes (Analogies)
Using an Expensive/High Security Safe
But Leaving the Key/Combination Where it Can Be Stolen
Leaving the Safe Unlocked
Little Professional Enforcement/Review of Procedures
Storing a Dime in a Safe
Cost of Security Exceeds Risk of Stolen Dime
High-Tech Solution Instead of Low-Tech Common Sense
E.g. Convenience Store Having a Safe vs. Nightly Bank
Deposits
Security Has Consequences on Human Perceptions
E.g. Installing a Metal Detector May Make Employees Feel
Less Secure
Security Tips
Thieves/Hackers Follow Easiest Path
One That Gives Them Most Value
One They Know About
The Environment is Key!
A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be
Stolen Last
Same Mercedes in an Unsecure Garage is Safer Because
Fewer Thieves Know About It
Therefore:
Know Other Likely Targets and Be Less Attractive Than
They Are
Make Your Site More Difficult to Hack Than its Worth
Don’t Publicize What Doesn’t Need to Be Public
Security Tips (2)
Does Not Guarantee No Hacking
But Reduces the Probability Significantly
Most Security Problems Come From Human
Error, Not From Intentional Hacking
Focus on Minimizing Chance of Human Error
Identify Each Risk Separately
Solutions May Vary Widely
Security is Only as Good as Your Expertise
Professional Security Requires Professional System
Administrator
Use Common Sense / Be Realistic
Internet Risks
Destruction of Data
Random
Targeted
Modification of Data
Random
Targeted
Worms/Viruses
Publication of Private/Sensitive Data
Sensitve/Embarassing Information
Confidential Information
Competitive Information
Customer Information
Keys
Information That Furthers Other Risks
E.g. Credit Card Information, Museum Floor Plan
Network Disruption
Machine Crashes / Inoperable Serving Software
Protecting Data
Machine Level
Physical Isolation
Physically Isolate Machines From Users
Protect From Theft / Natural Disasters
Users
System Administration Permissions
Remote Access
Single-Purpose vs. Multi-Purpose Server
Shared Hosting
Test vs. Production
Application Level
Server Configuration
Server’s Ability to Access Files / System Resources
Restrict Applications Running on Machine
Don’t Load Applications/Protocols You Don’t Need
Protecting Data (2)
Script Level
Who Can Modify Scripts?
Remote Access
Script’s Ability to Access Files / System Resources
Scripts Identified by File Extension or Directory?
File Level
Who Can Download Files?
Who Can Upload Files?
Exposed Directories
Communication Level
IP Address Restrictions
Password Requirements
Encryption
Metaphysical Level
Morals
The Law
Access Control Techniques
“Passive” Techniques
Don’t Publish URL’s
Always Have Default Pages – Avoid Directory Browsing
Complex Page/Directory Names
Active Techniques
Change Page/Directory Names Often
Server Filters on IP Address, Domain Name
Requiring a Name / Password
Use Non-Standard Ports
Secure (Encrypted) Transmissions
Firewalls (Proxy Servers)
Isolate LAN From General Internet
All Techniques Have Some Negatives
Passive Techniques, Non-Standard Ports
If User Guesses Correctly, They Have Full System Access
Requires Publishers to Voluntarily Follow Standards
Best for Non-Critical Security
Security Breach Does Not Disable System
Site Unlikely to Attract Hackers
IP Address / Domain Name Filters
Requires Significant Effort to Administer
Users Can’t Move Around Easily
Serious Hackers Can Defeat via Spoofing
Best For Local Intranet
Site Unlikely to Attract Serious Hackers
Encryption
Significant Overhead
Firewalls
Limits Internet Access of Those Within the Firewall
Name / Password Security
Requires All Parties to Maintain Secure
Passwords
Inconveniences Users
Difficult to Enforce
One Violation Can Compromise Entire Plan
Passed in Plain Text as Part of the URL
Serious Hackers Can Intercept It
Analogous to to credit card receipts in the trash
Web Servers Allow Unlimited Tries (Stateless)
Best Solution is a Combination of Techniques
Firewall Details
Proxy Server
Gatekeeper Between a LAN and the Internet
Acts as a Local DNS
User Requests a URL
Proxy Server Finds the Equivalent File on the LAN
Firewall
Packet-Level-Filter
Restrict Data at the Packet Level e.g. Don’t Allow FTP
Circuit Filters
Also Takes Into Account the Source and Destination of a
Packet
Maintains Some History Information
Application-Level Filters
Intercepts Transmissions and Analyzes Them to See if They
Make Sense
Requires Knowledge of the Application to be Effective
Encryption
Basic Encryption – Privacy / Confidentiality
“Scramble” a Document So Third Party Can’t Read It
What Level of Scrambling is Required?
Not Easily Reable By Human Eye
Simple Replacement Algorithm
Base64
Extremely Difficult, But Possible to Crack
E.g. passwords, “zip” encryption
“Impossible” to Crack
Authentication (Signature)
Can Be Assured That Document is From Recipient
Can Be Assured That Document Was Not Tampered With
Non-Repudiation (Contract)
Can Also Be Assured That Document Was Received Intact
Neither Can Tamper With Document
Data Integrity
Assurance That Document Was Not Corrupted
Encryption Technologies
Symmetric Key Encryption
Same Key Used For Encrypting / Decrypting
Both Parties Use Same Key
Analogy: Standard Door
Asymmetric Key Encryption (Public Key)
Each Party Has a Different Private Key
Third Key (Public Key) Required for
Encryption/Decryption
Key Held By Trusted Third-Party
Analogy: Safe Deposit Box
Message Digest Algorithms
Encrypted “Hash” Functions Used For Digital Signatures
Methods of Defeating Encryption
Brute Force
Trying All Possibilities
“Psychic” (For Human Generated Keys Only)
Person Has to Be Able to Memorize Key
Brute Force: Prioritized by Easily Memorized Keys
Cipher Attack
View The Encrypted Data and Work Back
Analogy: Cryptogram Puzzles
Cryptanalysis
Science of Breaking Algorithms
Exploit Mathematical Weaknesses in the Algorithm
How Encryption Works
Develop a mathematical function such that:
f (a,b) = c
f’ (a,c) = b
BUT f’’(b,c) = a Does Not Exist
Symmetric
f( message,key) = encrypted_message
f’ (encrypted_message, key) = message
Asymmetric
f (my_message, your_public_key) = encrypted_message
f’ (encrypted message, your_private_key) = my_message
Signature
f (signature, my_private_key) =encrypted_signature
f’ (signature, my_public_key) = signature
Internet Encryption Protocols
Public Key Encryption Requires Trusted Third Party
Certificate Authority
RSA – Rivest, Shamir, Adelman
MIT Professors – Invented Algorithms
Some are Patented
Size of Key is Important
Longer Keys are Harder to Break
Government Limits to Size of Keys
Controls on Exports
PGP – Pretty Good Privacy
Freeware Encryption
DES
56-bit Symmetric Key
Triple DES
RC2, RC4 – Uses Shorter Keys – Can Be Used For Export
Internet Encryption Protocols (2)
SET
Protocol For Passing Credit Card Information
Uses DES for Data, RSA for Keys and Credit Card Number
Includes Protocols for Authorization and Validation of Credit Card
Encrypted HTTP
S-HTTP (Secure HTTP) Commercenet
SSL – (Secure Sockets Layer) Netscape
PPP
TCP/IP Itself Cannot Be Encrypted
Login Passwords Are in Clear
PAP – (Password Authentication Protocol) Passwords Sent in Clear
CHAP (Challenge Handshake Authentication Protocol)
Password Used to Create a Response That is Passed to
Server
Key Management
Keys Must Be Kept Private or Security is Lost
Keys are Too Long For Memorization
Kerberos (MIT), (ISAKMP – Internet Security Association)
IP Level Security
Virtual Private Networks (VPNs)
Tunneling (Encapsulation)
Encrypts Data at a Point Low in the ISO Stack
Encapsulates it in Another Protocol
PPTP – Point-To-Point Tunneling Protocol
Works Over Public Networks
Only Client and Server Need to Be PPTP Aware
IP Information is encrypted and carried within another IP
packet
L2F – Layer 2 Forwarding
Requires All Routers/Servers Between Client and Server
to Support L2F
L2TP – Combination of PPTP and L2F
TACACS, RADIUS
For Dial-Up Access
Non-Encrypted Security
Change Passwords Regularly
Security Breaches are “Temporary”
Increases Effort Necessary to Break In
Analogy: Changing Locks
DHCP – IP Addresses are Temporary
Similar to Changing Passwords at IP Level
IP Addresses Dynamically Assigned
Private Network
Traffic Between Customers of ISP Does Not Pass
Through “Public” Internet
ISP Keeps Routers Secure
AT&T Strategy
Security Key Points
Use Common Sense Above All
Security is Useless if it is Not Enforceable
Once Adopted Must Be Policed / Tested / Enforced
Policing Software is Important
Automate Mundane Tasks
Security Policies Will Usually Impact
Productivity
Use Them Wisely
Two Major Aspects to Security:
Keys and Key Maintenance (e.g. Passwords)
Encryption
The Need For Client Side Scripting
Performance
Move More Processing to Client
Especially Items Requiring Faster Response
E.g. Field Validation
Usability
Make HTML More “Windows-Like”
HTML Extensions (e.g. Tab Order)
CSS Extensions (e.g. style=“cursor:hand”)
Dynamic Event Handling (e.g. onMouseOver)
Requires Scripting Language
ECMA Script – (European Computer Manufactuers
Association)
Netscape – Created Own Version: JavaScript (No Relation to
Java)
Marketing Ploy: to Capitalize on Java Popularity
Microsoft – VBScript
Windows/IIS Only
Also Support JavaScript – (Called it JScript)
JavaScript
De-Facto Standard Client-Side Scripting Language
However, Other Scripting Languages are Supported by
Servers. Add-Ons for Others.
Interpreted Language
Object-Oriented
“Full” Scripting Language
Core JavaScript – Standalone Scripting Language
No File I/O
Client-Side JavaScript – For Use in HTML Pages
Primary Use of JavaScript
Server-Side JavaScript – Perl/Java Alternative
Similar to Other Languages
C-Like Syntactic Structure
Untyped
Associative Arrays