Web Security

Web Security
Introduction
(Some of the slides were adapted from Oppliger’s online slides at
http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)
Chapter 1
• Internet
• WWW
• Terms:
– vulnerabilities, threats, countermeasures
• Generic security model
– Security policy
– Host security
– Network security
– Organizational security
– Legal security
Web Security
2
Internet
• Has seen dramatic growth since 1995
• Has evolved from the collegial internetwork for researchers in the 70s and 80s
into today’s global Internet for …
– Fun
– Commercial transactions
– Education
– …
• Has seen all types of security breaches …
Internet
• The Internet has become a popular target to attack (the number of security breaches has in fact escalated more than the growth rate of the Internet)
• Security problems receive public attention
• Examples
– Internet Worm (e.g., Robert T. Morris, Jr. in 1988)
– Password sniffing (1994)
– IP spoofing and sequence number guessing (e.g., Kevin Mitnick in 1995)
– Session hijacking
– (Distributed) denial-of-service attacks (since 1996)
DoS via SYN Flood
• A: the initiator; B: the destination
• A TCP connection is set up in multiple steps
– A: SYN to initiate
– B: SYN+ACK to respond
– A: ACK completes the agreement
• Sequence numbers are then incremented for future messages
– Ensures message order
– Allows retransmission if a message is lost
– Verifies that the party really initiated the connection
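Added example (not part of the slides): a small Python model of B's side of the handshake above. It shows how SYNs that never reach the third step fill a bounded half-open queue until honest clients are dropped, and how a stateless SYN cookie (B's initial sequence number derived from an HMAC over the connection tuple, an assumption of this model rather than any specific OS implementation) avoids keeping per-SYN state. Backlog size, addresses and sequence numbers are constructed.

```python
import hashlib, hmac, os


class Listener:
    """Server side (B on the slide) of the TCP three-way handshake."""

    def __init__(self, backlog=4, syn_cookies=False):
        self.backlog, self.syn_cookies = backlog, syn_cookies  # constructed tiny backlog
        self.half_open = {}           # (client, port) -> B's ISN awaiting step 3
        self.dropped = 0
        self.secret = os.urandom(16)  # constructed per-listener cookie secret

    def _cookie(self, client, port, client_isn):
        # SYN cookie: derive B's ISN from the connection tuple, so no state is kept
        msg = f"{client}:{port}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, port, client_isn):
        """Steps 1-2: A sends SYN, B answers SYN+ACK (returns B's ISN, or None)."""
        if self.syn_cookies:
            return self._cookie(client, port, client_isn)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1         # queue full: even legitimate SYNs are dropped
            return None
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(client, port)] = server_isn
        return server_isn

    def on_ack(self, client, port, ack_num, client_isn):
        """Step 3: A acknowledges B's ISN + 1; only then does B commit resources."""
        if self.syn_cookies:
            expected = self._cookie(client, port, client_isn)
        else:
            expected = self.half_open.pop((client, port), None)
        return expected is not None and ack_num == (expected + 1) & 0xFFFFFFFF


def simulate(syn_cookies, half_open_syns=10):
    """Constructed scenario: SYNs whose step-3 ACK never arrives, then one honest client.
    Returns (honest client connected, SYNs dropped, half-open entries left)."""
    srv = Listener(syn_cookies=syn_cookies)
    for port in range(half_open_syns):
        srv.on_syn("198.51.100.7", 40000 + port, client_isn=1000 + port)
    isn = 7
    syn_ack = srv.on_syn("192.0.2.10", 51515, client_isn=isn)
    ok = syn_ack is not None and srv.on_ack(
        "192.0.2.10", 51515, (syn_ack + 1) & 0xFFFFFFFF, isn)
    return ok, srv.dropped, len(srv.half_open)
```

With a plain backlog the honest client is refused once four half-open entries are queued; with SYN cookies B keeps no per-SYN state, so the same ten unanswered SYNs cost nothing and the honest client connects.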
Internet Protocols
WWW
• The Web
• Based on the HTTP protocol
• An application-level protocol
• HTTP is a simple request/response protocol
• Lightness and speed necessary for distributed, collaborative, hypermedia information systems
• A stateless protocol
HTTP & History of the WWW
• [HTTP 1991] The Original HTTP as defined in 1991
• [HTTP 1992] Basic HTTP as defined in 1992
• [HTTP 1996] RFC 1945: Hypertext Transfer Protocol -- HTTP/1.0. Informational.
• [HTTP 1999] RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1.
• [irt.org 1998] WWW – How It All Began.
• [isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.
HTTP
• HTTP can be used for many tasks, such as name servers and distributed object management systems, through extension of its request methods
• Its data typing feature allows systems to be built independently of the data being transferred.
Current Trends
• Web services are being designed and
deployed on the WWW.
– Centered around the XML protocol
– Example initiatives:
• MS .NET
• Sun ONE (Open Net Environment)
– Protocols:
• WSDL, SOAP, UDDI, …
Web Services
Some terminology
• Vulnerability
– A weakness that can be exploited
• Threat
– A circumstance, condition, or event that may violate a system's security, possibly by exploiting the system's vulnerabilities
• Control (or Countermeasure)
– A feature, function, tool, or mechanism that either reduces a system's vulnerabilities or counters its threat(s)
Sample Controls
• Firewalls
• VPN
• SSL / TLS
• S/MIME
• Kerberos
• …
The Bigger Picture
• Security in any system, including Web
Security, encompasses many aspects.
– Policies
– Technical
• Network security
• Host security
– Non-technical
• Organizational
• Legal
Policies
• High-level statements of what is allowed and what is not allowed
• Example policy statements
– “Any access from the Internet to intranet resources
must be strongly authenticated and properly
authorized.”
– “Any classified data must be properly encrypted for
transmission.”
• Policies are enforced by the overall architectural
design and various mechanisms.
Host Security
• User authentication
• Access control (to resources)
• Secure storage of data
• Secure processing of data
• Audit trail
Network Security
• The security of the underlying network is critical to assure the security of networked applications, including Web and other Internet applications.
• A security breach that occurs at a lower layer (e.g., ICMP) may result in a major problem at a higher layer (e.g., a DoS attack on the Web server).
Services vs Mechanisms
• Example security services
– Authentication, confidentiality of data, data integrity,
access control, non-repudiation, …
• Example security mechanisms
– Passwords for user authentication
– Biometrics for user authentication
– RSA encryption for data confidentiality
– Digital signature for …
– Routing control
– Firewalls
– …
Organizational Security
• Security is also a people problem.
• In fact, human behavior is still the most
important factor with regard to security and
safety.
• Human behavior may be influenced by religion,
ethics, education, or organizational security
controls.
• Organizational security controls include
directions/instructions that define legitimate
human behavior and operational procedures in
the organization.
Legal Security
• As a last resort: to legally prosecute the
attacker(s)
• Need support and evidence provided by
the various security services
• Example: non-repudiation of an e-contract