Information security: A basis of trust in ebusiness
I. Infosec: Security, anonymity and privacy on the net
• Why be concerned?
II. Social solutions
• Security policy
III. Technical security
• SSL
• Firewalls
L561: Information Systems Design for Digital Entrepreneurship
I. Security, anonymity and privacy on the net
Security is:
A condition in which harm does not arise, despite the
occurrence of threatening events
A set of safeguards designed to achieve that condition
Threatening events include
Natural, accidental, and intentional threats
Information security involves the procedures and
equipment needed to prevent harm to data and information
from threatening events
Clarke, R. (2001). Introduction to information security.
http://www.anu.edu.au/people/Roger.Clarke/EC/IntroSecy.html
Computer security
Preventing and detecting unauthorized use of a computer
Includes security of individual computers, including OS,
security of networks to which a computer is connected
and general web security
Whitson, G. (2003). Computer security: theory, process and management.
Consortium for Computing Sciences in Colleges
A set of procedures, practices, and technologies for
protecting web servers, users, and their organizations
Security protects the user against unexpected behavior
Garfinkel and Spafford (1997). Web Security & Commerce
The window of exposure
When bad stuff happens
Schneier, B. (2000). Managed Security Monitoring: Closing the Window of
Exposure. Counterpane Security. p2
US CERT (2007). Quarterly trends and analysis report.
www.uscert.gov/press_room/trendsandanalysisQ107.pdf
(a) Breakdown of disclosed vulnerabilities by software type in May 2006
(b) Current vulnerability types disclosed in Web-based applications.
(Source: SecurityFocus.com)
www.computer.org/.../ 2006/v4n4&file=gei.xml
Copyright MyCERT / NISER 2007
www.mycert.org.my/abuse-stat/2006.html
So what happened?
In 1988, Robert Morris let a worm go
The first gateway between the Internet and
commercial ISPs in 1989 drew in the public
The development of the web browser in 1993 drew in
much more of the public and business
When children began to use the net, a variety of
groups began to pay attention to net content
When business began to look at the net as a source of
profit, the government began to look at the net
Information security describes all measures taken to
prevent unauthorized use of electronic data
This unauthorized use can include disclosure, alteration,
substitution, or destruction of the data
Web vulnerabilities
Publicity for a successful exploit
Stealing sensitive or proprietary information
Gaining access to networks, databases and legacy
systems
Disrupting service
Why be concerned with infosec?
Almost all computing infrastructures are vulnerable
Machines on the net at IU are probed continually
There is a need to protect the confidentiality, integrity, and
availability of data
Most of net traffic travels “in the clear,” so anyone who
monitors traffic can read it
This form of “attack” is fairly easy to carry out using
freely available “packet sniffing” software
Figure: An interface for packet sniffing software
Infosec concepts
Terms: Short Definition
Threat: Potential loss of asset value because of vulnerability
Attack: Realization of an attack by threat agent against an asset
Threat Agent: The object that commits an attack, like a Trojan horse
Vulnerability: Property of some object of system that allows an attack
Whitson, G. (2003). Computer security: theory, process and
management. Consortium for Computing Sciences in Colleges
Infosec concepts
Terms: Short Definition
Risk: Method of asset that estimates loss of asset value from threat
Asset: Information and other things that have value to organization
Safeguard: Uses security mechanisms to protect assets from threat agent
Security Mechanisms: Specific technique like cryptography
An overview of network
security
www.verisign.com/products-services/ security-services/intelligenceand-control-services/network-security/
Spyware
78K apps are known to monitor and report computer user
activities without user consent
Estimated to be on 85% of computers w/ 28/machine
Sysadmins see this as a greater problem than spam
Includes:
Adware
Key loggers
Trojan horses
Stafford, T.F. (2004). Spyware: the ghost in the machine. Communications of
the AIS 14, 291-306.
Adware
Monitors browsing and sends targeted ads
Changes the way browsers work by installing software to
track user activity
Key loggers
Monitors and reports keyboard activity
Trojan horses
Programs buried inside other digital objects that are
installed without the user’s awareness
Some allow remote administration of the machine
Digital information can easily be compromised
Infosec involves techniques and procedures used to
protect and prevent unauthorized use of information
Threats include: interception, disclosure, alteration,
substitution, or destruction of data
Ex: attack through “network sniffing” and filtering
devices that monitor the packets that move through
the net
This allows authentication packets to be intercepted
If “root” access is sniffed out, the bad guys are in
If lightly encrypted, this is not tough for a good hacker
Major security issues in ebusiness
Internal network security (75% of attacks are internal)
Copying/deleting files, changing code, sabotage
Lack of skill to implement and maintain security
Malicious code (in applets etc)
Reliability and performance problems
External hacking
Social engineering attacks (information warfare)
Denial of service attacks (brute force attacks)
Natural disasters, accidents, and terrorism
Security concerns are important in ebusiness because you
want to ensure that transactions:
Are accessible only to sender and receiver (privacy, confidentiality)
Have not been changed during transmission (integrity)
Can be verified by the receiver as having come from
the sender (authenticity)
The sender knows that the receiver is genuine (non-fabrication)
The sender cannot deny he or she sent it (non-repudiation)
You also want to ensure that:
The system can still function effectively when security
measures are in place and downtime is minimized
(availability)
Only authorized people can access back end data
(secrecy)
There is adequate security for front-end servers, back-end
systems and the corporate network that connects them
These are the concerns of information security
Components of infosec
Theory
Cryptography
Encryption/decryption with public and private keys
Keys authenticate people when accessing a computer
over a network
They can identify someone who is being accessed and
create digital signatures
Intrusion detection and analysis
What is the nature of the exploit?
How can it be countered?
Theory
Network security protocols
These add security to other well known protocols
S/MIME allows encryption of all or part of an e-mail
They provide a basic security service
Kerberos is a general authentication service used in a
multi-server network
Process
Computer security systems are developed using a
variety of heuristic techniques that are integrated by
security experts into a security system
Management
A computer security system needs to be managed to
ensure that it works correctly
Guarantee confidentiality, integrity, availability of assets
Risk management analysis, threat trees, other techniques
to control risk to assets
Develop security policies, procedures, standards and
guidelines
Provide training, documentation and help
Prepare for disaster recovery and implement disaster
avoidance procedures
Some applications take advantage of information security
ATMs: PINs are checked by sending encrypted
messages from the machine to the bank
Phone cards: the “stored value” is encrypted so you
can’t mess with it
Cell phones: encrypted communications protect the
users
Remote system access: encrypted communications
protect distributed business information systems
More applications:
Credit cards: “secure electronic transactions” protect
the transfer of credit card information
Electronic cash: public key systems have been
proposed to protect the “stored value” on smart cards
Medical records: encrypted records can be stored on a
smart card or transferred over the net
Contracts: digital signatures may gain legal standing
The nature of infosec threats
Protection of internal resources from outsiders
Protection of internal resources from unauthorized
insiders
Limiting external privileges of internal users
Handling infosec threats
Auditing usage and monitoring
Separating public from internal resources
The issue is to balance business requirements against
the investment of time and money in managing risk
The main types of reported popular net-based attacks are
Denial of service
Prevent legitimate users from using the service, by flooding
a network or disrupting connections or services
Threats
Phishing: attacks use social engineering and technical
subterfuge to steal consumers’ personal identity data and
financial account credentials
Social: using counterfeit web sites
Technical: planting crimeware onto PCs to steal
credentials directly, using Trojan keylogger spyware
Pharming crimeware misdirects users to fraudulent sites
or proxy servers through DNS hijacking
Antiphishing Working Group (2007).
www.antiphishing.org
US-CERT. (2007).
www.us-cert.gov/press_room/trendsandanalysisQ107.pdf
76,480 incidents reported to the Anti-Phishing Working Group - Oct 1st and Dec. 31st (60% increase)
103,000 reports of phishing sites in FY07 Q1, compared to 16,000 in FY06 Q1
Main targets: financial services
www.antiphishing.org/
Drive-by pharming
An attacker changes the configuration of a home router
when a user visits a malicious web site
The site uses malicious javascript allowing an
attacker to log in
If the default password has not been changed the
attack is typically successful
Once logged in, the attacker can change the router’s
configuration, including DNS server settings
The router is redirected to a DNS server of the
attacker’s choice
Domain name system attack
Gaining access to the top level DNS servers
Web defacement
Accessing the server and changing page markup
Worm and virus attacks
Self-propagating automated malicious piece of code
Router attacks
Using DoS and gaining control of routing protocols
II. Social solutions
Organizational
The importance of policy
Who should have access to the machines and data?
Who should be allowed to change the data?
What are the costs of imposing restrictions?
“A security policy is a formal statement of the rules by
which people who are given access to an organization’s
technology and information assets must abide.”
RFC 2196, Site Security Handbook
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html
Purposes of security policies
To inform people of their obligatory requirements for
protecting technology and information assets
This applies to users, staff and managers
What users can and cannot do on the components of the
system, including the type of traffic allowed on the net
To specify mechanisms through which the requirements
can be met
To provide a baseline to acquire, configure and audit
computer systems and networks for compliance with policy
Developing a security plan for your site
Identify what you are trying to protect
Determine from what or whom you are trying to protect it
Determine how likely the threats are
Implement measures which will protect your assets in a
cost-effective manner
Review the process continuously and make
improvements each time a weakness is found
Risk-assessment: identifying assets worth protecting and
prioritizing them
Hardware: CPUs, terminals, workstations, printers,
drives, communication lines, terminal servers, routers
Software: source, object, diagnostic and communication
programs, utilities, OS
Data: during execution, stored on-line, archived off-line,
backups, audit logs, databases, in transit
People: users, administrators, hardware maintainers
Documentation and supplies: paper, forms, media
The problem: stakeholders are dependent on business IS
CRM, online data systems, company data and apps must
be available 24x7
Downtime costs are very high
~$6.5 million/hour for large financial brokerages to ~$2.6
million/hour for credit card authorization services
Industry norms: 99% service availability (< 43 hours of
unplanned, 50 hours of planned downtime per year) is
“very good” (Gartner)
Merchantz, B. (2002). Managing availability: A critical discipline for heightened
risk in the digital age. DM Review
http://www.dmreview.com/master.cfm?NavID=55&EdID=4481
Costs of downtime
Lost revenue
Frustrated customers do not return
Some employees will be sitting around, others will have
the value of their work reduced
Additional work for data and system recovery (overtime)
Late deliveries may trigger contract penalty clauses
Missed financial filings may result in regulatory penalties
If downtime results in a drop in share price, shareholders
may initiate a class-action suit
If there is a formal partnership in which one business depends on the
other’s systems, then the company may be liable to the partner for
profits lost during downtime
If lack of availability results in the shipment of defective
products, it may trigger product-liability costs
Producers have to dispose of spoiled inventory
Setup costs to restart a stopped assembly line
If employees quit, hiring and training costs will increase
Repeated downtime may hurt a company’s image,
impairing consumer confidence in a particular brand
Security policy involves tradeoffs
Services offered versus security provided:
Each service offered to users has security risks
For some the risk outweighs the benefit and you may
eliminate the service rather than try to secure it
Ease of use versus security:
Easy systems allow access to any user and use no
passwords (no security)
Passwords make them less convenient but more secure
Device-generated one-time passwords make them more
difficult to use, but much more secure
Cost of security versus risk of loss
The costs of security
Monetary
Purchasing security hardware, firewall software, and
one-time password generators
Hiring consultants
Developing policies and procedures and training staff
Performance
Encryption and decryption take time
Ease of use
Levels of risk
Loss of privacy
The reading of information by unauthorized individuals
Loss of data
The corruption or erasure of information
Loss of service
The filling of data storage space, usage of computational
resources, and denial of network access
Each type of cost must be weighed against each type of loss
This illustrates the challenges to a strategy of managed availability
http://www.dmreview.com/master.cfm?NavID=55&EdID=4481
The components of a good security policy include:
Purchasing guidelines with required security features
Privacy policy defining reasonable expectations of privacy
Ex: monitoring of email, access to user files, keystroke
logging
Access policy specifying acceptable use for users,
operations staff, and management
Providing guidelines for external connections, data
communications, network connecting devices
Specifying required notification messages (providing
warnings about authorized usage)
Accountability policy defining responsibilities of users,
operations staff, and management
Specifying an audit capability, and incident handling
guidelines
What to do and who to contact if an intrusion is detected
Authentication policy: trust through a password
Setting guidelines for remote authentication
Availability statement setting expectations for the
availability of resources
Addressing redundancy and recovery issues, specifying
operating hours and maintenance down-time periods
IT system/network maintenance policy describing how
internal and external maintenance people are allowed to
handle and access IT
Violations reporting policy: the types that must be
reported and to whom
Providing users, staff, and management with contact
information for each type of policy violation
Guidelines on handling outside queries about security
incidents
Security procedures and related information, such as
local policies and relevant laws and regulations
Conducting the security audit
Looking for:
Configuration errors
Loopholes in server code or scripts
Known vulnerabilities in system and firewall
Providing:
Advice on data that could have been exposed due to
past errors
Increase in risk and reduction of enticement to attack
Virus management and disaster recovery
III. Technical security
Technical security: secure sockets layer (SSL)
SSL provides a relatively secure means to encrypt and
send data over a public network
SSL 3.0 has been around since March 1996: Netscape sent it to
W3C as an open and non-proprietary standard
It is supported by major server companies (Cisco,
Microsoft, Apache)
SSL offers core components needed to transmit sensitive
data securely and to the appropriate person
Client and server authentication, encryption, integrity
SSL uses web certificates
A 128-bit SSL security tool enables ebusiness through
secure communications
A digitally signed certificate by a Certification Authority
Identifies the CA issuing it
Names, identifies, or describes a subscriber attribute
Contains the subscriber's public key
Contains the digital signature of the CA issuing it
Provides a date range over which the certificate is valid
DomainNameCom (2003). Web Certificates: Introduction
http://www.domainnamecom.com/ certs/
Web certificates use authenticated private/public key pairs
to bind a public key to an identity
It is a computer-based record which provides
Confirmation of identity
The party receiving the information (controlling the
server) is the intended receiver
Non-interception
The user’s information will not be intercepted between
the user’s browser and the server
These assurances are necessary for all ebusiness and any
communication in which confidential data are exchanged
SSL uses public and secret key cryptography
Authentication begins when a client requests a connection
to an SSL server
The client sends its public key to the server, which
generates a random message and sends it back to the
client
The client uses its private key to encrypt the message
from the server and sends it back
The server decrypts the message and compares it to the
original one sent to the client
If the messages match, then the server knows that it’s
talking to the correct client
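The challenge-response exchange described above, as an added Python example that is not part of the original slides. It uses unpadded textbook RSA with small constructed primes so the arithmetic stays visible; the function names, class name and key values are assumptions made for the illustration.

```python
import secrets


def make_keypair(p, q, e=17):
    """Textbook RSA key pair from two primes (constructed, far too small for real use)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (needs Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)


CLIENT_PUBLIC, CLIENT_PRIVATE = make_keypair(61, 53)
IMPOSTOR_PUBLIC, IMPOSTOR_PRIVATE = make_keypair(67, 71)   # somebody else's key pair


def respond(private_key, challenge):
    """Client side: transform the server's random message with the private key."""
    n, d = private_key
    return pow(challenge % n, d, n)


def verify_response(public_key, challenge, response):
    """Server side: undo the transform with the public key and compare."""
    n, e = public_key
    return pow(response % n, e, n) == challenge


class Server:
    def __init__(self, client_public_key):
        # The key the client presented. What ties that key to an identity is
        # the certificate, which this sketch does not model.
        self.public_key = client_public_key
        self.pending = None

    def new_challenge(self):
        n, _ = self.public_key
        self.pending = 2 + secrets.randbelow(n - 3)   # fresh random value in 2..n-2
        return self.pending

    def check(self, response):
        if self.pending is None:
            return False
        # Each challenge is single-use, so a recorded response cannot be replayed.
        challenge, self.pending = self.pending, None
        return verify_response(self.public_key, challenge, response)


def authenticate(server, private_key):
    """One full exchange: challenge out, response back, comparison on the server."""
    return server.check(respond(private_key, server.new_challenge()))


if __name__ == "__main__":
    server = Server(CLIENT_PUBLIC)
    print("holder of the matching private key:", authenticate(server, CLIENT_PRIVATE))
    print("holder of a different private key: ", authenticate(server, IMPOSTOR_PRIVATE))

    # A response captured from one session is useless against the next challenge.
    first = server.new_challenge()
    captured = respond(CLIENT_PRIVATE, first)
    server.check(captured)
    second = server.new_challenge()
    while second == first:
        second = server.new_challenge()
    print("replayed old response:             ", server.check(captured))
```

The comparison only proves possession of the private key that matches the presented public key, which is why the certificate binding that key to an identity matters.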
How SSL works
Verisign (2003). Guide to securing
your web site for business
Once the client has been authenticated, the server sends
out the session key
This is used to encrypt and decrypt all communications
between the two machines for the duration of the session
Many secret key algorithms can be used for the session
key (Data Encryption Standard (DES), RSA’s RC4, or the
IDEA algorithm)
Most browsers support at least 40-bit RC4 encryption
Some (including Navigator 5.x and later and Internet
Explorer 5.x +) can support DES and up to 128-bit RC4
SSL is used in conjunction with browsers and commerce
servers to provide secure credit card transactions
An icon (and blue bar) lets you know when you are
interacting with a secure server
It slows the transaction down because of encryption,
decryption, and authentication
The security of the data is ensured when it moves from
the client to the server
Implementing SSL in your Web server is a relatively easy
task
The basic steps include
Generating a key pair on your server
Requesting a certificate from a certification authority
Installing the certificate, and
Activating SSL on a security folder or directory
It’s not a good idea to activate SSL on all your directories
because the encryption overhead it adds can significantly
decrease your response times
Firewalls
The purpose of a firewall is to protect critical digital data
from outside attack
It also allows legitimate users internet access
The best firewall is a standalone web server
With the move to link the server to corporate database,
this is not feasible
Types of firewalls
Packet filtering
Proxy server
Stateful firewall system
Simple firewall architecture
UnwiredOnline.net (2003). Support
http://www.unwiredonline.net/ support.htm
Complex firewall architecture
Infinitum. (2003). Managed firewall service.
http://www.infinitum.na/products/corp/firewall.html
Dowless and Associates. (2003). Firewalls and virtual private networks.
http://www.dowless.com/syssec/firewalls_and_virtual_private_ne.htm
A firewall can examine every data packet passing into or
out of the network and make decisions based on
User ID, origin, destination, content of data
It can decide to
Let the packets in or out of the network
Reject the incoming or outgoing packets
Alert the sender that the message will not be delivered
Alert the sysadmin that an attempt to violate the rules
has been made
Background
IP (Internet protocol) has two functions: to deliver packets;
to fragment and reassemble packets
IP has a “protocol type identifier” that allows other
protocols to run on top
TCP runs on top and handles error checking and resending,
but this slows traffic
Other services have their own TCP ports
Telnet --> port 23, SMTP --> port 25, HTTP --> port 80
Clients access the server through a “high” port (>1024) on
their own server
Packet filtering firewall
Located in a router on the external border of a network
Simplest to implement
The router checks a list of rules when it receives an
internal or external request
The rules allow and restrict access based on source,
destination, type (IP protocol type, TCP, UDP port #)
Ex: Allow all SMTP email to the server --> any IP address
can send email to TCP port 25
Ex: Block telnet requests to the server --> all requests to
TCP port 23 are blocked
Typical rules would involve allowing traffic to all ports below
1024 used by server services and blocking access to all the
rest
Or allowing access to ports above 1024 unless used by an
internal service (ex: Microsoft’s SQL server used port
1033)
The weakness is that it allows attacks on those ports which
allow access through the firewall
It also cannot stop or detect the use of allowed ports
above 1024 for evil purposes
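The rule list and its weakness, as an added Python example that is not part of the original slides: a first-match packet filter built from the two example rules above, followed by a simplified protocol check of the kind a protocol-aware firewall adds. The addresses (documentation ranges), payloads, rule notes and function names are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""  # carried along, but never inspected by the packet filter


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    src: str              # CIDR network; "0.0.0.0/0" means any source
    dst: str
    proto: str            # "tcp", "udp" or "any"
    ports: range          # destination ports the rule covers
    note: str = ""

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and pkt.dst_port in self.ports)


ANY = "0.0.0.0/0"
SERVER = "192.0.2.10/32"   # constructed server address

RULES = [
    Rule("block", ANY, SERVER, "tcp", range(23, 24), "block telnet requests to the server"),
    Rule("allow", ANY, SERVER, "tcp", range(25, 26), "allow all SMTP email to the server"),
    Rule("allow", ANY, SERVER, "tcp", range(80, 81), "allow HTTP to the server"),
]


def decide(pkt, rules=RULES):
    """Packet filter: first matching rule wins, anything unmatched is blocked."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "block", "default deny"


# Commands an SMTP client may send (a subset, enough for the illustration).
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT")


def decide_protocol_aware(pkt, rules=RULES):
    """Same rules, plus a check that port 25 traffic actually looks like SMTP.

    Simplification: a real stateful firewall tracks the whole connection;
    this inspects a single packet's payload.
    """
    action, note = decide(pkt, rules)
    if action == "allow" and pkt.dst_port == 25 and pkt.payload:
        if pkt.payload[:4].upper() not in SMTP_VERBS:
            return "block", "traffic on port 25 is not SMTP"
    return action, note


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("198.51.100.7", "192.0.2.10", "tcp", 25, b"EHLO mail.example\r\n"),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 1433),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 25, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    for pkt in samples:
        print(pkt.dst_port, decide(pkt), decide_protocol_aware(pkt))
```

The last sample is the case the slide warns about: the packet filter passes it because only the port number is checked, while the protocol-aware check rejects it.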
Packet filtering
in action
http://www.hn.edu.cn/.../ fire/ch08_01.htm
Proxy server firewall
A machine that is on a separate network (the DMZ) that has
direct access to the net
Client machines do not have direct access to the net
Requires special configuration of client machines so
they cannot access the net
Clients make requests of the proxy server
The proxy server checks its list of rules and if the
request is accepted, it retrieves the information and
delivers it to the client
All external unwanted traffic is kept off the local network
The only data that passes through the firewall is that which
is allowed by the system’s access rules
The system can’t be compromised without reconfiguring
the proxy server
Proxy servers can also cache frequently requested pages
speeding downloads
Problems
They add a layer of management and administrative
responsibility
Many new net tools and protocols (streaming media) are
not supported by proxy servers
Figure: Proxy server
Stateful firewall systems
This is a new, more secure firewall system which combines
packet filtering and proxy servers
This requires no special configuration of the client
machines
It can apply rules to allow or deny access
It analyzes network traffic that passes through because it
understands the different protocols
This is the advance: recognition of types of traffic
instead of just port #
They allow an unregistered network to be run behind the
firewall
This conserves IP # for the domain
They also support “virtual private networks”
This is secure communication over the net (using
encryption)
Remote users can gain encrypted access to the local
net, allowing telework
Doonesbury has the last word
georgetoft.com/security/ wirelesssecurity.shtml