
Web Server Security




  1. Web Server Security: Packet Sniffing
  • Information on the Internet is exchanged in chunks of data called packets
  • Special programs allow those packets to be captured ("sniffed")
  • A packet sniffer listens to all packets on the network segment, whether or not they are addressed to the local machine
  • This lets the user of the sniffer see anything and everything transmitted on the local network, including any passwords sent in the clear

  2. Web Server Security
  For example, using the publicly available packet sniffer tcpdump, all the packets being transmitted on the local network can be seen:
  Prompt# tcpdump -x -n -t -q
  10.0.0.7.23 > 10.0.0.2.1095: tcp 1
  4500 0029 dc4f 4000 ff06 8b76 0a00 0007
  0a00 0002 0017 0447 60a2 1a5e 45e2 15b4
  Here a conversation is taking place between two local machines with IP addresses 10.0.0.7 and 10.0.0.2. Port 23 is telnet, and the total length field (0x0029 = 41 bytes) leaves exactly one byte of payload after the IP and TCP headers: a single keystroke, visible to anyone running the sniffer.

  3. IP Spoofing
  • IP spoofing is the act of sending a packet out with a forged source IP address
  • When an attacker is carrying out an attack, the last thing he or she wants is to have his or her identity known
  • Spoofing the IP address is an easy way to hide the identity of the machine the attack is coming from
  • An attacker could spoof the IP address to come from an address that does not belong to anyone or that is not currently in use
  • The attacker could also spoof the IP address to make the attack appear as if it were coming from an existing machine elsewhere on the Internet
  • Spoofing the IP address is simple: nothing in the IP header authenticates the sender, and there are programs available on the Internet that allow you to construct packets by hand and send them out on the wire

  4. IP Spoofing on Solaris
  Edit the /etc/hosts file, save the changes and reboot:
  Solaris# vi /etc/hosts
  Before:
  127.0.0.1   localhost
  172.23.14.8 mytesthost
  After:
  127.0.0.1   localhost
  10.0.0.5    mytesthost
  • Note that this only changes the address the local resolver returns for the name mytesthost; packets the machine sends still carry its real source address. Forging the source address of packets requires constructing raw packets, as described on the previous slide.
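The hex dump from slide 2 and the packet forgery described on slides 3 and 4, worked through as an added example (this is not code from the presentation). It decodes the IPv4 and TCP headers from the tcpdump -x output, verifies the IP header checksum, and then rewrites the source address and recomputes the checksum, which is all a spoofing tool has to do because nothing in the IP header authenticates the sender. It only builds the bytes; it never puts them on the wire. Since the slide's dump is cut short, a 20-byte TCP header without options is assumed when computing the payload length.

```python
import ipaddress
import struct

# Hex dump from the tcpdump -x output on slide 2: a 20-byte IPv4 header followed by
# the first 16 bytes of the TCP header (the slide cuts the dump short).
SLIDE_HEXDUMP = (
    "4500 0029 dc4f 4000 ff06 8b76 0a00 0007 "
    "0a00 0002 0017 0447 60a2 1a5e 45e2 15b4"
)


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Run over a header that already contains its checksum it returns 0 if the header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(hexdump: str) -> dict:
    """Decode the IPv4 header and the TCP ports/sequence numbers from a tcpdump -x dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl + 12:
        raise ValueError("need an IPv4 header plus at least 12 bytes of TCP header")
    total_len, ident, frag, ttl, proto, _csum = struct.unpack(">HHHBBH", raw[2:12])
    if proto != 6:
        raise ValueError("not a TCP packet")
    sport, dport, seq, ack = struct.unpack(">HHII", raw[ihl:ihl + 12])
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": ttl,
        "total_length": total_len,
        "dont_fragment": bool(frag & 0x4000),
        "checksum_ok": ip_checksum(raw[:ihl]) == 0,
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        # Assumption: 20-byte TCP header (no options); the slide's dump is truncated
        # before the TCP data-offset field, so it cannot be read from the bytes.
        "payload_length": total_len - ihl - 20,
    }


def rewrite_source(hexdump: str, new_src: str) -> str:
    """Forge the source address: overwrite the field, recompute the checksum, return hex.
    A receiver has no way to tell this header from a genuine one."""
    raw = bytearray(bytes.fromhex(hexdump.replace(" ", "")))
    ihl = (raw[0] & 0x0F) * 4
    raw[12:16] = ipaddress.IPv4Address(new_src).packed
    raw[10:12] = b"\x00\x00"                  # checksum field is zero while computing it
    raw[10:12] = struct.pack(">H", ip_checksum(bytes(raw[:ihl])))
    return raw.hex()


if __name__ == "__main__":
    print(parse_ipv4_tcp(SLIDE_HEXDUMP))
    print(parse_ipv4_tcp(rewrite_source(SLIDE_HEXDUMP, "10.0.0.5")))
```

The checksum protects only against accidental corruption: anyone who can write the source field can also recompute it, which is why the source address must never be used as proof of who sent a packet.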

  5. Web Client Security
  So far what we have covered is server-side security. But what about client-side security?
  Java Applets
  • An applet is a program that runs inside your browser
  • You need a Java-capable browser or an applet viewer to run the applet code
  • Applets can be considered a partial program containing only the middle portion
  • The beginning and ending of the program are part of the browser or applet viewer

  6. Web Client Security
  To run an applet you first need the applet .class file. This is the compiled bytecode generated from the Java source code.
  <html>
  <applet code="someapplet.class" width="500" height="200">
  <param name="text" value="example">
  </applet>
  </html>

  7. Protecting yourself from Java Applets
  It is possible to disable Java in your browser. Netscape controls this feature under "Preferences"; Internet Explorer controls it under "Internet Options". Select "Advanced" in both browsers.

  8. What happens when an applet tries to connect to another system
  • This is the most dangerous scenario with applets: the code is already running inside your network, so your firewalls no longer protect your machines from it
  • This is the primary reason to disallow applets from connecting to remote systems
  • Under the Java sandbox model an unsigned applet may only connect back to the machine it originated from
  • Even that connection lets an attacker determine what traffic is allowed to leave your network through your firewalls

  9. What happens when an applet tries to connect to another system
  • Applets are allowed to function as normal programs, but they must play within the sandbox
  • They are limited in their capabilities and are not treated as full-fledged programs
  • The latest Java security manager allows different sites to define different security policies, depending on the applet and its origin
  • Another addition to the Java security model is the idea of signed applets
  • A valid signature assures you that the applet has not been modified since its author signed it, and tells you who that author is; it says nothing about whether the code itself is safe, so a signed applet should only be granted extra privileges when you trust the signer

  10. ActiveX Security
  • ActiveX was developed by Microsoft and is based on their object linking and embedding (OLE) technology
  • The ActiveX equivalent of a Java applet is called an ActiveX control
  • Unlike Java applets, ActiveX controls are native code and therefore platform dependent
  • This means you need to compile a control for every platform from which you expect users to visit the site
  • Rather than the applet tag you need to use the <object> tag

  11. ActiveX Security
  • ActiveX controls are digitally signed by the author of the control; the signing and verification scheme is called Authenticode
  • There is no sandbox: once you accept a control it runs with the full privileges of your user account
  • So, unlike the sandbox approach, prior to running the control you are prompted with the name of the author who wrote and signed the code and must decide whether to trust it

  12. JavaScript Security
  • Using JS, all sorts of bugs have been discovered, ranging from being able to send out e-mail or view the history file, to tracking a user online or uploading a file
  • It is possible to disable JS in your browser
  • This is done the same way as blocking applets, in the browser settings
  • When a page is loaded, sometimes new browser windows are opened continuously until the browser is terminated

  13. JavaScript Security
  • This will eat up all your system memory and you will have no choice but to kill the browser
  • This is a client-side denial-of-service attack using the standard functionality of JavaScript
  • Another annoying script: upon loading the URL your browser window develops a mind of its own and starts to move all over the screen, and may get out of control

  14. JavaScript Security
  • Unlike a Java applet or an ActiveX control, JS arrives as source: once you have disabled JS in your browser you can read the script in the browser window and allow the page to reload once you know what the script does
  • Unlike applets or ActiveX controls, which use a single tag to embed something, JS can also be attached through event-handler attributes such as onLoad, which are difficult to strip as the page passes through a filtering firewall
  • Netscape has added the ability to sign scripts, very similar to signed applets
  • You can then choose to run only scripts that were signed by an author you trust

  15. Cookies
  What is a Cookie?
  • A cookie is nothing more than data
  • It is not a program and is not executable
  • It is like you filling in a form with details and sending it to the server, except that with a cookie the server fills in the information and passes it to the client
  • When the client requests a web document from the server, the server sends the document and some additional data
  • This additional data is called the cookie

  16. Cookies
  • Later, when the client makes additional connections to the server, it sends the cookie back
  • It keeps the cookie for future connections
  • Without the cookie the server has no idea who is connecting to it
  • It may know which IP address the connection is from, and thus which machine the client is running on, but not which user

  17. Cookies Example
  Content-type: text/html
  Set-Cookie: colorpref=blue

  <HTML>
  <HEAD>
  <TITLE></TITLE>
  </HEAD>
  </HTML>
  • This is all that a server sends to the browser to store for future reference, so the next time the page can be shown to this user with a blue background
  • If the server specifies an expiration date, the cookie is saved on disk when the user exits the browser
  • If no date is specified, the cookie is deleted upon exit
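The cookie handling described on slides 15 to 17, as an added example written for this page (it is not code from the presentation). It parses Set-Cookie headers the way a browser does, keeps session cookies apart from persistent ones (those with Expires or Max-Age), and decides which cookies to send back on a later request, honouring the domain, path, expiry and the Secure attribute. The host names, cookie names and times used below are constructed for the example; only colorpref=blue comes from the slide.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()        # flags like Secure map to ""
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(cookie: dict) -> bool:
    """Only cookies with Expires or Max-Age are written to disk when the browser exits."""
    return "expires" in cookie["attrs"] or "max-age" in cookie["attrs"]


def expiry_of(cookie: dict, now: datetime):
    """Absolute expiry time, or None for a session cookie."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:                               # Max-Age wins over Expires
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None


def receive(jar: list, host: str, set_cookie: str, now: datetime) -> None:
    """Store a cookie as a browser would when `host` sent this Set-Cookie header."""
    c = parse_set_cookie(set_cookie)
    c["host_only"] = "domain" not in c["attrs"]          # no Domain: exact host match only
    c["domain"] = (c["attrs"].get("domain") or host).lstrip(".").lower()
    c["path"] = c["attrs"].get("path") or "/"
    c["expires"] = expiry_of(c, now)
    key = (c["name"], c["domain"], c["path"])
    jar[:] = [old for old in jar if (old["name"], old["domain"], old["path"]) != key]
    jar.append(c)


def cookies_for(jar: list, scheme: str, host: str, path: str, now: datetime) -> dict:
    """Pick the cookies a browser would send on a request to scheme://host/path."""
    host = host.lower()
    sent = {}
    for c in jar:
        if c["expires"] is not None and now >= c["expires"]:
            continue                                     # expired: treated as deleted
        if "secure" in c["attrs"] and scheme != "https":
            continue                                     # Secure: never over plain HTTP
        if c["host_only"]:
            if host != c["domain"]:
                continue
        elif not (host == c["domain"] or host.endswith("." + c["domain"])):
            continue
        if not path.startswith(c["path"]):               # simplified path-match
            continue
        sent[c["name"]] = c["value"]
    return sent


def after_browser_exit(jar: list) -> list:
    """Names of the cookies that survive the browser exiting (saved to disk)."""
    return [c["name"] for c in jar if is_persistent(c)]
```

The Secure check is the one that matters for the sniffing scenario on slide 2: a session cookie without it is sent on every plain-HTTP request and can be read off the wire and replayed by anyone on the segment.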

  18. Cookie Security
  • Since the length of a cookie is limited and cookies are never executed, there is little concern about attacks on the computer via cookies
  • The main issue with cookies is user privacy, because they let a server track a user across visits
  • Cookies do, however, often carry the identifier of a logged-in session: anyone who can read the cookie (for example by sniffing plain HTTP, as shown earlier) can replay it and impersonate the user, so session cookies should only travel over HTTPS
  • The risk is thus to you, the user, rather than to the computer

  19. Encryption
  • Cryptography comes in many forms, but the principle is the same: to protect your data from eavesdropping, spying, or falling into the wrong hands
  Example:
  • Let us encrypt a message using the following data and the standard English alphabet:
  ABCDEFGHIJKLMNOPQRSTUVWXYZ

  20. Encryption
  • Plaintext: Meet me on the corner at midnight
  • Algorithm: C = P + K, where C is the ciphertext character, P is the plaintext character and K is the value of the key
  • Key: 3
  • Ciphertext: Phhw ph rq wkh fruqhu dw plgqljkw
  The ciphertext is not in any recognizable readable form, so you need to know the key to interpret the message.

  21. Encryption
  • This algorithm states simply that to encrypt a plaintext character (P) and generate a ciphertext character (C) we merely add the value of the key (K) to the plaintext character
  • Another way of looking at this example is that we are shifting each plaintext character three positions to the right in the alphabet: X, Y and Z wrap around and are replaced by A, B and C respectively

  22. Encryption
  [Figure: the alphabet drawn as a wheel; rotating it three positions maps "Meet" to "Phhw".]
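The shift cipher of slides 19 to 22 carried through in code, as an added example (not code from the presentation). Besides encrypting and decrypting with the slide's formula, it shows the weakness the slides do not mention: with only 26 possible keys an attacker who does not know the key can simply try all of them and pick the result that contains English words. The word list used for scoring is a constructed assumption, not something from the slides.

```python
# Short list of common English words used to rank brute-force candidates (constructed).
COMMON_WORDS = {"the", "and", "at", "on", "me", "to", "of", "in", "is", "it"}


def caesar(text: str, key: int) -> str:
    """C = P + K mod 26 for each letter, keeping case; other characters pass through."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + key) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + key) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """P = C - K mod 26: shift back by the key."""
    return caesar(ciphertext, -key)


def brute_force(ciphertext: str) -> list:
    """Try all 26 keys and rank them by the number of common English words in the result.
    Returns (key, candidate plaintext, score) tuples, best first."""
    ranked = []
    for key in range(26):
        candidate = decrypt(ciphertext, key)
        words = "".join(c if c.isalpha() else " " for c in candidate.lower()).split()
        score = sum(w in COMMON_WORDS for w in words)
        ranked.append((key, candidate, score))
    ranked.sort(key=lambda t: (-t[2], t[0]))
    return ranked


if __name__ == "__main__":
    ct = caesar("Meet me on the corner at midnight", 3)
    print(ct)
    for key, candidate, score in brute_force(ct)[:3]:
        print(key, score, candidate)
```

The same brute-force approach applies to any cipher whose key space is small enough to enumerate; modern ciphers rely on key spaces of 2^128 or more precisely so that this is impossible.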

  23. Certificates
  • A client needs to be sure that the public key she is using corresponds to the server's private key
  • Similarly, the server needs to verify that a message signature really corresponds to the client's public key
  • If each party has a certificate which validates the other's identity, confirms the public key, and is signed by a trusted agency, then both can be assured that they are communicating with whom they think they are
  • Such a trusted agency is called a Certificate Authority, and certificates are used for authentication

  24. Certificate Content
  • Subject: Distinguished Name, Public Key
  • Issuer: Distinguished Name, Signature
  • Period of Validity: Not Before Date, Not After Date
  • Administrative Information: Version, Serial Number
  • Extended Information

  25. Certificate Authority
  • By verifying the information in a certificate request before granting the certificate, the Certificate Authority vouches for the identity of the owner of the private key of a key pair
  • A Certificate Authority may also issue a certificate for another Certificate Authority
  • But who vouches for the certificate of the top-level authority, which has no issuer?
  • Such a root certificate is self-signed, so one must exercise extra care in deciding to trust it

  26. Certificate Authority
  • The wide publication of the root authority's public key reduces the risk in trusting this key: it would be obvious if someone else publicized a different key claiming to be the authority
  • Browsers are preconfigured to trust well-known certificate authorities
  • A number of companies, such as VeriSign, have established themselves as certificate authorities. These companies provide the following services:
  • Verifying certificate requests
  • Processing certificate requests
  • Issuing and managing certificates

  27. Creating a Certificate Authority
  • It is also possible to create your own Certificate Authority, for example for certificates used only inside an organization; browsers will not trust it until its root certificate is installed on each client
  • Specifications for certificates can be found at http://www.ietf.org/html.charters/pkix-charter.html (Public-Key Infrastructure (X.509) Working Group in the IETF)

  28. Implementing SSL
  • Although one might write an SSL implementation from scratch following the specification (TLS spec at http://www.ietf.org/rfc/rfc2246.txt), it is much easier, and far safer, to use one of the existing SSL toolkit libraries
  • In addition, patents on some algorithms may require licensing parts of a cryptography library, so check the licence of the toolkit you choose
  • http://www.openssl.org/

  29. Intrusion detection and recovery
  • If the security model fails, it is important to detect the intrusion as early as possible
  • The most important thing is to know what is happening on the network and on the machines within it
  • The data contained in the logs is an excellent resource for determining what is happening at the site

  30. Audits, Logs, Accounting
  • Logs notify us of errors or of specific application-level transactions
  • Audits provide more information
  • They can be used to monitor when a file is opened, read, or written to
  • They can also be used to monitor processes and see when a process starts or ends a child process
  • Accounting is a means of calculating how much of the system resources is being used by each user

  31. System and Network usage monitoring
  • The use of web server resources should be fairly consistent
  • E.g. if your web site has around 1000 hits every day and this suddenly drops to 10 on one day, something suspicious is happening
  • If a user normally logs on and works only on weekends and then suddenly logs on on a weekday in the middle of the night, it could be an attack

  32. Log examples
  • After loading the default server page:
  2004-11-17 15:11:32 GET / 200 0 2763 10.0.0.7:32957 hosts
  • After attempting to load a page that does not exist:
  2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosts
  • After submitting an online form whose data is processed by a CGI script:
  2004-11-17 15:13:32 GET /info.html 200 0 1119 10.0.0.7:32997 hosta
  2004-11-17 15:13:45 POST /cgi-bin/info.pl 302 0 359 10.0.0.7:32997 hosta
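The monitoring ideas of slides 29 to 32 turned into code, as an added example that is not part of the presentation. It parses log lines in the field layout shown on slide 32, then applies three checks the slides describe in words: a day whose hit count is far below (or above) the usual level, a client requesting many pages that do not exist, and activity in the middle of the night. The log lines other than the /noexist.html one are constructed for the example, and the column after the status code (always 0 on the slide) is kept but not interpreted, since the slide does not say what it is.

```python
import statistics
from collections import Counter


def build_sample_log() -> list:
    """Constructed log in the slide's layout: date time method path status extra bytes client:port host."""
    lines = []
    # Two normal days of traffic and a third day with almost none (the slide's 1000-to-10 case, scaled down).
    for day, hits in (("2004-11-17", 12), ("2004-11-18", 12), ("2004-11-19", 1)):
        for i in range(hits):
            lines.append(f"{day} {9 + i % 9:02d}:{i * 5:02d}:00 GET /info.html 200 0 1119 "
                         f"10.0.0.{2 + i % 3}:{32000 + i} hosta")
    # One client probing for pages that do not exist, at three in the morning.
    for i in range(6):
        lines.append(f"2004-11-17 03:0{i}:00 GET /admin{i}.html 404 0 404 10.0.0.9:{33000 + i} hosta")
    lines.append("2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosts")  # from the slide
    return lines


def parse_line(line: str) -> dict:
    """Split one log line into its fields; `extra` is the unexplained column after the status."""
    date, time, method, path, status, extra, size, client, host = line.split()
    return {"date": date, "hour": int(time[:2]), "method": method, "path": path,
            "status": int(status), "extra": extra, "bytes": int(size),
            "client": client.rsplit(":", 1)[0], "host": host}


def daily_counts(records) -> dict:
    return dict(Counter(r["date"] for r in records))


def flag_volume_anomalies(counts: dict, ratio: float = 0.1) -> list:
    """Days whose hit count is below `ratio` times, or above 1/`ratio` times, the median of the other days."""
    flagged = []
    for day, n in sorted(counts.items()):
        others = [v for d, v in counts.items() if d != day]
        if not others:
            continue
        baseline = statistics.median(others)
        if n < ratio * baseline or n > baseline / ratio:
            flagged.append(day)
    return flagged


def flag_404_scanners(records, threshold: int = 5) -> dict:
    """Clients that asked for at least `threshold` non-existent pages: someone guessing file names."""
    misses = Counter(r["client"] for r in records if r["status"] == 404)
    return {ip: n for ip, n in misses.items() if n >= threshold}


def off_hours_clients(records, start: int = 0, end: int = 6) -> dict:
    """Request counts per client between `start` and `end` o'clock (default: midnight to 6 a.m.)."""
    return dict(Counter(r["client"] for r in records if start <= r["hour"] < end))


if __name__ == "__main__":
    recs = [parse_line(line) for line in build_sample_log()]
    print("volume anomalies:", flag_volume_anomalies(daily_counts(recs)))
    print("404 scanners:", flag_404_scanners(recs))
    print("off-hours clients:", off_hours_clients(recs))
```

The thresholds are deliberately simple; in practice the baseline would be built from weeks of history and separated by weekday and hour, but the structure (parse, aggregate, compare against a baseline) is the same.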

  33. HTAccess
  • Web-based authentication denies web access to visitors who do not give a valid username and password
  • An access control list (ACL) is a method of limiting access to a particular portion of a web site
  • For example, you may want to give access to an online database only to fee-paying customers
  • An ACL can be used to place a restriction on a single file or on an entire directory, including its subdirectories

  34. Format of the HTAccess file
  AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
  AuthGroupFile /dev/null
  AuthName "Somewhere.com's Secret Section"
  AuthType Basic
  require valid-user
  (The AuthName value must be quoted because it contains spaces, and without a require directive no restriction is actually applied.)

  35. HTAccess file
  • The .htaccess file affects the directory in which it is placed, so in this example any visitor requesting <URL:http://somewhere.com/somepath/> would be presented with an authentication request
  • The .htaccess file also affects the directories recursively below it. Therefore, requesting <URL:http://somewhere.com/somepath/evenmore/> would yield the same authentication request unless ~/somepath/evenmore had a .htaccess file of its own
  • The first line, starting with AuthUserFile, tells the web server where to find your username/password file
  • Notice that the AuthName in the example, "Somewhere.com's Secret Section", is the realm shown to the user in the authentication request

  36. Creating .htpasswd file
  • To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example this is /mnt/web/guide/somewhere/somepath. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory
  • Type htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then verify it by asking again
  • Omit -c when adding further users: with -c the file is overwritten, and any existing users are lost
  • Basic authentication sends the username and password base64-encoded, not encrypted, on every request, so it should only be used over HTTPS
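What the server does with the .htaccess and .htpasswd files of slides 33 to 36, as an added example (not code from the presentation). It writes a .htpasswd entry in the {SHA} format that htpasswd -s produces, decodes the Authorization header the browser sends for Basic authentication, checks it against the file, and returns either 200 or the 401 challenge carrying the AuthName as the realm. The user names and passwords below are constructed; only the realm comes from slide 34. Note that the {SHA} format is an unsalted SHA-1 hash: modern htpasswd defaults to bcrypt, and this example uses {SHA} only because it is the format the stock library can reproduce.

```python
import base64
import hashlib
import hmac

REALM = "Somewhere.com's Secret Section"   # the AuthName from slide 34


def htpasswd_sha_entry(user: str, password: str) -> str:
    """One .htpasswd line in the format `htpasswd -s` writes: user:{SHA}base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """Look the user up in the file contents and check the password against the stored {SHA} hash."""
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name != user:
            continue
        if stored.startswith("{SHA}"):
            expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
            return hmac.compare_digest(stored[5:], expected)   # constant-time comparison
        return False   # other formats (crypt, apr1-MD5, bcrypt) are not handled here
    return False


def basic_authorization(user: str, password: str) -> str:
    """The header a browser sends after the user fills in the password dialog."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_authorization(header: str) -> tuple:
    """Recover user and password from the header; shows that base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token.strip()).decode("utf-8").partition(":")
    return user, password


def check_request(authorization_header, htpasswd_text: str) -> tuple:
    """Server-side decision: (status, WWW-Authenticate header or None)."""
    challenge = f'Basic realm="{REALM}"'
    if not authorization_header:
        return 401, challenge
    try:
        user, password = decode_basic_authorization(authorization_header)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    if verify_htpasswd(htpasswd_text, user, password):
        return 200, None
    return 401, challenge


if __name__ == "__main__":
    entries = htpasswd_sha_entry("username", "s3cret")
    header = basic_authorization("username", "s3cret")
    print(header, "->", decode_basic_authorization(header))
    print(check_request(header, entries))
```

Because decode_basic_authorization needs no secret, anyone who captured the request with the sniffer from slide 2 could do the same, which is the reason for the HTTPS recommendation above.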

  37. What is HTTPS?
  • Secure HTTP
  • Essentially HTTP carried over an SSL/TLS connection, so that the request and response, including any cookies and Basic authentication credentials, are encrypted on the wire

  38. SOAP Message
  <?xml version="1.0"?>
  <env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
    <env:Header>
      ...
    </env:Header>
    <env:Body>
      ...
    </env:Body>
  </env:Envelope>
  • SOAP Envelope: defines the overall framework for representing the contents of the SOAP message and who will deal with the message (intermediaries)
  • Header: optional; carries information for intermediaries along the message path
  • Body: mandatory; contains the payload of the message, which is intended for the final SOAP receiver

  39. Kerberos
  • The most popular representative of secret-key authentication protocols is Kerberos, which was developed by MIT
  • After the client and server have used Kerberos to prove their identities, they can also encrypt all of their communication to ensure data confidentiality and integrity
  • Kerberos is commonly used in the middle tier within corporate networks
  • Kerberos allows a principal to prove its identity to a server without sending authentication data that might allow an attacker to subsequently impersonate the principal

  40. Kerberos
  • The client application uses a secret key derived from a password as the basis of authentication. The secret key may also be stored on a hardware token (DES card) for stronger authentication, or be derived from a public-key certificate
  • To use the Kerberos security service, the client first sends the principal's identity to the authentication server, which sends back a credential called a ticket-granting ticket (TGT)
  • The reply is encrypted under the principal's secret key, so only the legitimate principal who possesses the correct password can recover the session key needed to use the TGT at a future time

  41. Token-based authentication
  • With token-based systems the user must possess a physical token that plays some part in the authentication process, which makes this approach a lot stronger than passwords by themselves
  • Tokens are more expensive and complex to implement than IDs and passwords. Typically the token displays a value that changes with time or with each use and must be verified by an authentication server
  • Examples of tokens include CRYPTOCard and RSA SecurID

  42. Security methods in Web Services
  • XML Security
  • WS-Security
  • XML Encryption
  • SAML (Security Assertion Markup Language)

  43. Points to remember when designing web servers
  • Authentication: SSL for transport-layer authentication; WS-Security (e.g. with Kerberos tokens) for message-level authentication
  • Authorisation: once the user is authenticated, the next step is to find out whether they are allowed to access the resource they are requesting
  • Integrity: IPsec and SSL/TLS guarantee that the message has not been tampered with in transit

  44. Points to remember when designing secure web servers
  • Confidentiality: XML Encryption, SSL/TLS, IPsec
  • Auditing: the ability to write an audit trail is important for any security system
  • Administration: administering involves managing the security policy
  • Availability: availability involves protecting the service against unwanted message storms (flooding and denial of service)

  45. Recovering from an attack
  • If you abruptly kill the attacker's connection into the machine, he will suspect that you are on to him
  • On the other hand, it is difficult to sit and watch someone break into your machine
  • Depending on your time and resources you could set up a dummy machine to trick the attacker into thinking that he is still going undetected
  • This machine would be an identical one without any sensitive data
  • It will help you trace the attacker even if he tries to masquerade
