
INTERNET SECURITY - Advanced


Presentation Transcript


  1. INTERNET SECURITY - Advanced

  2. Advanced Security Concepts • Detailed look at the types of attacks • Advanced Explanation of Solutions and Technologies

  3. Types of Attack (STRIDE)
  • Spoofing - attempting to gain access to a system by using a false identity
  • Tampering - the unauthorized modification of data
  • Repudiation - the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions

  4. Types of Attack (STRIDE)
  • Information disclosure - the unwanted exposure of private data
  • Denial of service - the process of making a system or application unavailable
  • Elevation of privilege - occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application

  5. Microsoft Guide

  6. Microsoft Guide

  7. FBI Guide

  8. The Technological Solutions
  • Access controls
    • Software (e.g. Challenge/Response)
    • Hardware (e.g. Firewalls, VPNs)
  • Cryptography
    • Encryption (e.g. private/public keys)
    • Digital certificates (e.g. SSL)

  9. The technologies
  • SSL (Secure Sockets Layer) - The SSL protocol is widely used to protect communications to and from the World Wide Web. Originally developed by Netscape Communications Corporation, SSL is built into most browsers and Web servers to provide data encryption, server authentication, message integrity, and optional client authentication.

  10. The technologies
  • Firewalls - Firewalls provide a perimeter defense to guard a network or its nodes against unauthorized users.
  • VPNs (Virtual Private Networks) - VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users far beyond the reach of private networks. Encrypted VPNs carry the private network traffic on a logical connection—a secure, encrypted "tunnel" over a public network.

  11. Virtual Private Network via PPTP (Point-to-Point Tunnelling)
  [Diagram: two Corporate LANs, each behind a Firewall with a Windows NT Server running RAS, joined across the Internet by a Tunnel carrying Encrypted TCP/IP Packets; Domain authentication at the endpoints]

  12. The technologies
  • Windows Challenge/Response
    • does not send a password across the network
    • uses the Internet standard MD4 hashing algorithm to produce a 16-byte (128-bit) hash
    • impossible (theoretically) to take both the hash and the algorithm and mathematically reverse the process to determine the password
    • the password serves as a "private key"

  13. Server security
  • Windows Server software has strong levels of security - C2
  • Web service restricted to specified virtual roots, e.g. WWWROOT
  • IP filtering, e.g. port 80 only
  • WWW Authentication
    • Anonymous
    • Basic Authentication
    • Challenge & Response
  • Access rights (now Active Directory)
    • by user, by file, by directory (now object)

  14. Server security
  • Configuration of the server is key
  • Security tips for server configuration: see the resources at the end
  • Holes are always being found in server software, so keep an eye on updates

  15. Cryptography
  • Ancient mathematical science
  • Algorithm strength
  • Key length
  • USA Export Restrictions
  • Key management
    • How do you keep keys secret?
    • Huge global scale

  16. Factoring
  • Factoring a number means finding its prime factors
      10 = 2 x 5
      60 = 2 x 2 x 3 x 5
      252601 = 41 x 61 x 101
      2^113 - 1 = 3391 x 23279 x 65993 x 1868569 x 1066818132868207
  • "… around 40 quadrillion years to factor a 125-digit number" - Ron Rivest (1977)
  • In 1994, a 129-digit number was factored

  17. Evolution
  • Factoring the 129-digit number in 1994 required 5000 MIPS-years and used the idle time on 1600 computers around the world over an eight-month period
  • All predictions are out of date once they are made!

  18. Symmetric Cryptography
  [Diagram] Clear-text input "One man went to mow, went to mow a meadow" -> Encryption -> Cipher-text "jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg" -> Decryption -> Clear-text output "One man went to mow, went to mow a meadow"
  • The same key is used for both Encryption and Decryption

  19. Asymmetric Cryptography
  [Diagram] Clear-text input "One man went to mow, went to mow a meadow" -> Encryption (Receiver's public key) -> Cipher-text "jakhdjuSIJBJISIJSjiuhw678jHUSNipwlhip0twiwouwwg" -> Decryption (Receiver's private key) -> Clear-text output "One man went to mow, went to mow a meadow"

  20. Digital Signatures
  [Diagram] Document -> HASH -> Message Digest -> Encrypt with Private Key -> Digital Signature; Document + Digital Signature = Signed document
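The three ideas on slides 16, 19 and 20 (factoring, public-key encryption and signing a digest with the private key) fit in one small program. The Python below is an added example, not material from the slides: it builds a toy RSA keypair from two of the primes listed on slide 16 (23279 and 65993), uses SHA-256 as the unspecified "HASH" of slide 20, and reduces the digest modulo n instead of applying a real signature padding (a deliberate simplification). The last function shows why slide 15 lists "key length": factoring the 31-bit modulus by trial division recovers the private key in milliseconds, whereas the same step on a real-sized modulus is the "quadrillions of years" problem of slide 16.

```python
import hashlib
import math


def trial_division(n):
    """Return the prime factors of n with multiplicity, smallest first.

    Brute-force trial division is enough for the small numbers on slide 16;
    its cost grows with the size of the smallest factor.
    """
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def make_keypair(p, q, e=65537):
    """Toy RSA keypair from two primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Slide 19: anyone can encrypt with the receiver's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Slide 19: only the holder of the receiver's private key can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def digest(document):
    """Slide 20: hash the document to a message digest (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(private_key, document):
    """Slide 20: 'encrypt' the digest with the private key to get the signature.

    Toy shortcut: the digest is reduced modulo n; real schemes use a padding
    step (e.g. PSS) rather than a bare modular reduction.
    """
    n, d = private_key
    return pow(digest(document) % n, d, n)


def verify(public_key, document, signature):
    """Anyone with the public key can check the signature against the document."""
    n, e = public_key
    return pow(signature, e, n) == digest(document) % n


def recover_private_key(public_key):
    """Slide 16 in code: factoring n yields p and q, and from them d.

    Fast for this toy modulus; infeasible for real key sizes, which is the
    whole reason key length matters.
    """
    n, e = public_key
    p, q = trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    print(trial_division(252601))  # [41, 61, 101], as on slide 16
    public, private = make_keypair(23279, 65993)  # primes taken from slide 16
    m = int.from_bytes(b"mow", "big")  # constructed message, must be < n
    print(decrypt(private, encrypt(public, m)) == m)
    sig = sign(private, b"One man went to mow")
    print(verify(public, b"One man went to mow", sig))
    print(recover_private_key(public) == private)
```

The modulus here is far too small to encrypt anything longer than three bytes, which is itself the lesson: a modulus that trial division can split in under a second offers no protection, and the 129-digit result on slide 17 shows how quickly "large enough" moves.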

  21. Certificate Authorities
  • Trusted third parties
  • Certificate contents include:
    • Certificate Authority name
    • Certificate serial number
    • Identity of subject: name/organization/address
    • Public key of subject
    • Validity timestamps
    • Signed by Certificate Authority’s private key
  • X.509 defines the standards

  22. Secure Channels (SSL/SET)
  • Certification Authority (e.g. Verisign/Thawte)
    • Creates Certificate
    • Verifies Certificate owner
  • Provides:
    • Client Authentication
    • Server Authentication
    • Encryption
    • Non repudiation
    • Data Integrity
    • Message Authentication
  • Stops:
    • Imposters
    • Spies
    • Vandals

  23. Secure Channels - authentication
  Suppose Alice (A) wants to verify Bob (B):
      A -> B: "hello, I'm Alice" + random
      B -> A: "hello I'm Bob" + [Bob's Certificate]
      A -> B: "prove it"
      B -> A: random2 + { digest[random2] } B_private_key        (digital signature)
  Alice examines the certificate using the CA public key, checks that the user is Bob and retrieves Bob's public key. Alice can then verify that the user is Bob by using Bob's public key and checking for a match.

  24. Secure Channels - authentication
  A bad guy, Klone (K), could do:
      A -> K: "hello, I'm Alice" + random
      K -> A: "hello I'm Bob" + [Bob's Certificate]
      A -> K: "prove it"
      K -> A: ????
  Klone does not have Bob's private key and so cannot construct a message that Alice will believe.

  25. Secure Channels - encryption
      A -> B: {Secret_Key} B_public_key
      A -> B: {message X} Secret_Key
      A -> B: {message Y} Secret_Key
  • Alice can now send a message that only Bob can decipher
  • Both sides now know the Secret key and can use a symmetric cryptographic algorithm for future transmissions
  • Lots of debate about how long a secret key should be in order to be effective

  26. Secure Channels - message auth.
  A bad guy, Sniffer (S), sitting between Alice and Bob could do:
      A - S - B: "hello, I'm Alice" + random
      A - S - B: "hello I'm Bob" + [Bob's Certificate]
      A - S - B: "prove it"
      A - S - B: random2 + { digest[random2] } B_private_key
      A - S - B: {Secret_Key} B_public_key
      S - B: {message X} Secret_Key
      A - S: Garbled message
  • Sniffer is unlikely to produce a valid message - but he might get lucky !!!
  • Alice is trusting Bob so would act upon the message

  27. Secure Channels - message auth.
      MAC := digest[message, secret]
  • Message Authentication Code (MAC)
  • Calculated using a digest algorithm on the message (or part of it) and the secret
  • Sniffer does not know the secret:
    • Cannot compute the right value
    • Chance of guessing is remote
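Slides 23 to 27 describe one mechanism from two angles: a party proves it holds a secret by answering a fresh random challenge, and every later message carries a keyed digest so that a Sniffer's edits or forgeries are rejected. The Python below is an added example, not code from the slides. It simplifies slide 23 by having Bob answer the challenge with a keyed digest of a shared secret (the Secret_Key of slide 25, embedded here as a constructed constant) rather than a certificate-backed signature; that is the same shape as the Windows Challenge/Response of slide 12 and the MAC := digest[message, secret] of slide 27, with HMAC-SHA256 standing in for the unspecified digest algorithm. The function names and the scenario messages are invented for the demo.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

# Constructed shared secret: on slide 25 this is the Secret_Key that Alice
# sent to Bob under his public key. Embedded here so the demo runs offline.
SECRET_KEY = b"constructed-demo-secret-key"


def make_challenge():
    """Fresh random nonce per session (the 'random' / 'random2' of slide 23)."""
    return secrets.token_bytes(16)


def prove(secret, challenge):
    """Prover's reply: a keyed digest of the challenge. The secret itself never
    crosses the network (slide 12)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def check_proof(secret, challenge, reply):
    """Verifier recomputes the expected reply; constant-time comparison."""
    return hmac.compare_digest(prove(secret, challenge), reply)


def mac(secret, message):
    """Slide 27: MAC := digest[message, secret], realised as HMAC-SHA256."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def send(secret, message):
    """Wire format: message followed by its 32-byte MAC."""
    return message + mac(secret, message)


def receive(secret, frame):
    """Accept only frames whose MAC matches; anything else is slide 26's
    'garbled message' and is rejected before Alice could act on it."""
    if len(frame) < TAG_LEN:
        raise ValueError("frame too short to carry a MAC")
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(mac(secret, message), tag):
        raise ValueError("MAC mismatch: message rejected")
    return message


def run_scenarios(secret=SECRET_KEY):
    """Replay the slides' scenarios and report which messages get accepted."""
    results = {}

    # Slide 23: Bob knows the secret and answers Alice's challenge correctly.
    challenge = make_challenge()
    results["bob_accepted"] = check_proof(secret, challenge, prove(secret, challenge))

    # Slide 24: Klone does not know the secret; whatever he guesses is rejected.
    klone_guess = secrets.token_bytes(TAG_LEN)
    results["klone_accepted"] = check_proof(secret, challenge, klone_guess)

    # Slide 26: Sniffer flips one byte of a genuine frame in transit.
    frame = send(secret, b"transfer 10 pounds")  # constructed message
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]
    try:
        receive(secret, tampered)
        results["tampered_accepted"] = True
    except ValueError:
        results["tampered_accepted"] = False

    # Slide 26: Sniffer forges a whole frame with a random tag ("might get lucky").
    forged = b"transfer 10000 pounds" + secrets.token_bytes(TAG_LEN)
    try:
        receive(secret, forged)
        results["forged_accepted"] = True
    except ValueError:
        results["forged_accepted"] = False

    # The untouched frame still goes through.
    results["genuine_accepted"] = receive(secret, frame) == b"transfer 10 pounds"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two details carry the security argument: the challenge is fresh per session, so a captured reply is useless later, and both comparisons use `hmac.compare_digest`, so the verifier's timing does not leak how many bytes of a guess were right. Sniffer's "lucky" forgery on slide 26 corresponds to guessing a 256-bit tag, which is the "remote" chance of slide 27.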

  28. Secure Sockets
  [Diagram: protocol layers - HTTP, FTP, Gopher, Telnet over SSL/PCT over TCP over IP]
  • TCP/IP - designed to operate in layers
  • Security protocols, e.g. Secure Sockets Layer (SSL)
    • Encryption
    • Authentication of messages
    • Authentication of end-points, i.e. client and server

  29. SEC - Secure Electronic Commerce
  [Diagram: Certification authority, Cardholder, Merchant, Acquirer, Electronic payment]
  • Satisfy customer requirements for secure payment
    • Consumers
    • Merchants
    • Banks
    • Brands
  • Enable electronic commerce applications
  • Provide interoperability

  30. TRUST - Viruses
  • Accountability
  • Digital Code Signatures (Authenticode)
    • Provides accountability for Java applets and ActiveX Controls
    • Issued by a Certificate Authority
    • Contents include:
      • Certificate Authority name
      • Certificate serial number
      • Identity of subject: name/organization/address
      • Public key of subject
      • Validity timestamps
      • Signed by C.A. private key
    • X.509 defines the standards

  31. Summary
  • Many facets
  • Biggest danger is internal
  • Not implementing or fully understanding the available technologies
  • Risk assessment
  • Suitable response
  • Process that must evolve

  32. Advanced Resources
  • ‘ASP/MTS/ADSI Web Security’, Richard Harrison, 1999, Prentice Hall
  • Latest Microsoft Security bulletins: http://www.microsoft.com/technet/security/current.asp
  • Microsoft IIS Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp
  • Apache Security Tips: http://httpd.apache.org/docs/misc/security_tips.html
  • Top Ten Security Issues: http://www.sans.org/topten.htm
  • How SSL works: http://developer.netscape.com/tech/security/ssl/howitworks.html
  • Secure Applications Using Microsoft Technologies: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

  33. Alternatives - clients
  [Diagram: Browser containing Objects]
  • Objects
    • Microsoft ActiveX
    • Java Applets
  • Browsers
    • Microsoft Internet Explorer
    • Netscape Navigator
    • Mozilla
    • etc...

  34. Alternatives - file systems
  [Diagram, repeated on slides 34-39: Server with DATA, Web Server (Mgt), Files, Programs, File System]
  • File Systems
    • Microsoft Windows 2000+
    • Unix
      • HP/UX
      • IBM AIX
      • Sun Solaris etc..
    • IBM AS/400
    • etc...

  35. Alternatives - web servers
  • Web Servers
    • Apache (Tomcat)
    • Microsoft Internet Information Server
    • Oracle WebServer
    • Sun One
    • etc...

  36. Alternatives - server extensions
  • Programs
    • Microsoft
      • .Net
      • ASP
      • ISAPI
    • Common Gateway Interface
      • C, Perl, Java etc..
    • PHP
    • Java Servlets
    • JSP

  37. Alternatives - files
  • Files contain..
    • HTML
    • XML
    • .Net
    • ASP
    • Javascript
    • Jscript
    • VBScript
    • REXX
    • ..and any other scripting language (you can make up your own)

  38. Alternatives - data
  • Access Data via..
    • Microsoft
      • ADO.Net
      • ADO (Active Data Objects)
      • RDS (Remote Data Services)
    • Java
      • JDBC
      • Jconnect (Sybase)
    • Database vendors’ client tools
      • Microsoft SQL Server (db lib, odbc)
      • Microsoft Access (DAO, ole db)
      • Oracle (SQL*Net)
      • Sybase (db lib)
      • Others..

  39. Alternatives - data access
  • Data..
    • Microsoft
      • SqlServer
      • Access
      • Any document via MAPI, OLE-DB, etc.
    • Oracle 6/7
    • Sybase
    • MySQL
    • Interbase
    • Informix
    • Others..
