Web Security

Introduction

(Some of the slides were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)

chapter 1
Chapter 1
  • Internet
  • WWW
  • Terms:
    • vulnerabilities, threats, countermeasures
  • Generic security model
    • Security policy
    • Host security
    • Network security
    • Organizational security
    • Legal security

Internet
  • Has seen dramatic growth since 1995
  • Has evolved from the collegial inter-network for researchers in the 70s and 80s into today’s global Internet for …
    • Fun
    • Commercial transactions
    • Education
  • Has seen all types of security breaches …

Internet
  • The Internet has become a popular target to attack (the number of security breaches has in fact escalated faster than the growth rate of the Internet itself)
  • Security problems receive public attention
  • Examples
    • Internet Worm (the Morris worm, written by Robert T. Morris, Jr., 1988)
    • Password sniffing (1994)
    • IP spoofing and TCP sequence number guessing (e.g., the attack attributed to Kevin Mitnick, 1994-95)
    • Session hijacking
    • (Distributed) denial-of-service attacks (since 1996)

DOS via SYN Flood
  • A: the initiator; B: the destination
  • TCP connection setup is a three-step handshake
    • A to B: SYN to initiate (carries A's initial sequence number)
    • B to A: SYN+ACK to respond (carries B's initial sequence number)
    • A to B: ACK completes the handshake
  • Sequence numbers are then incremented for future messages
    • Ensures message order
    • Retransmit if lost
    • Verifies that the party really initiated the connection (the ACK must acknowledge B's sequence number, which only a host that received the SYN+ACK, or guessed it, can supply)
  • A SYN flood sends many SYNs (typically from spoofed source addresses) and never sends the final ACK, so B's table of half-open connections fills up and SYNs from legitimate initiators are dropped
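The handshake and the flood as an added, runnable simulation (not code from the slides): B keeps a bounded table of half-open connections, an attacker sends SYNs from spoofed sources and never ACKs, and a legitimate A then tries to connect. The second run switches B to SYN cookies, where B's initial sequence number is a keyed hash of the connection tuple instead of stored state, so the ACK can still be verified without remembering anything per SYN. The backlog size, addresses and secret are assumptions made for the demonstration.

```python
"""Simulated TCP three-way handshake under a SYN flood, with and without SYN cookies.

Added example, not from the slides. There is no real network here: A and B are
Python objects exchanging tuples, and the backlog size, addresses and secret
are made up for the demonstration.
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field

BACKLOG = 64  # assumed: how many half-open connections B will remember
MASK = 0xFFFFFFFF  # sequence numbers are 32-bit


@dataclass
class Listener:
    """B in the slide: answers SYNs and remembers which ones are not yet ACKed."""
    use_syn_cookies: bool = False
    secret: bytes = field(default_factory=lambda: os.urandom(16))
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> B's ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _cookie(self, src_ip, src_port, client_isn):
        """Stateless ISN: a keyed hash of the connection tuple, truncated to 32 bits.
        Real SYN cookies (RFC 4987) also encode a timestamp and the MSS; omitted here."""
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """Steps 1-2: A's SYN arrives; reply with SYN+ACK, or drop it if the table is full."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            server_isn = self._cookie(src_ip, src_port, client_isn)  # nothing stored
        else:
            if len(self.half_open) >= BACKLOG:
                self.dropped_syns += 1
                return None
            server_isn = random.getrandbits(32)
            self.half_open[key] = server_isn
        return ("SYN+ACK", server_isn, (client_isn + 1) & MASK)

    def on_ack(self, src_ip, src_port, client_isn, ack_num):
        """Step 3: the ACK must acknowledge B's ISN + 1. Only a host that received
        the SYN+ACK (or guessed the ISN) can produce it, which is what 'verifies the
        party really initiated the connection' means on the slide."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            expected = self._cookie(src_ip, src_port, client_isn)
        else:
            expected = self.half_open.get(key)
            if expected is None:
                return False
        if ack_num != (expected + 1) & MASK:
            return False
        self.half_open.pop(key, None)
        self.established.add(key)
        return True


def legit_connect(listener, ip="10.0.0.5", port=40000):
    """A well-behaved initiator (A) performing all three steps."""
    client_isn = random.getrandbits(32)
    reply = listener.on_syn(ip, port, client_isn)
    if reply is None:
        return False  # SYN dropped: B's backlog is full
    _, server_isn, _ = reply
    return listener.on_ack(ip, port, client_isn, (server_isn + 1) & MASK)


def syn_flood(listener, n):
    """Attacker: n SYNs from spoofed sources, never followed by an ACK."""
    for i in range(n):
        listener.on_syn(f"203.0.113.{i % 256}", 1024 + i, random.getrandbits(32))


def run(use_syn_cookies, flood_size=1000):
    """Flood B, then see whether a legitimate A can still connect.
    Returns (legit_connected, half_open_entries_left)."""
    listener = Listener(use_syn_cookies=use_syn_cookies)
    syn_flood(listener, flood_size)
    return legit_connect(listener), len(listener.half_open)


if __name__ == "__main__":
    print("no SYN cookies:", run(False))  # (False, 64): the legitimate SYN is dropped
    print("SYN cookies:   ", run(True))   # (True, 0): no state is held per SYN
```

The cookie variant is the standard mitigation: it trades per-SYN memory for a little CPU, at the cost of losing TCP options that would otherwise be remembered for the connection. The spoofed attacker never sees the SYN+ACK, so it cannot complete the handshake either way; the flood only works because the non-cookie listener commits memory before the initiator has proven anything.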

Internet Protocols

WWW
  • The Web
  • Based on the HTTP protocol
  • An application-level protocol
  • HTTP is a simple request/response protocol
  • Lightness and speed are necessary for distributed, collaborative, hypermedia information systems
  • A stateless protocol: each request is handled on its own, so any session state (logins, shopping carts) is layered on top, e.g., via cookies, which is where much of web-application security lives

HTTP & History of the WWW
  • [HTTP 1991] The original HTTP (later called HTTP/0.9) as defined in 1991
  • [HTTP 1992] Basic HTTP as defined in 1992
  • [HTTP 1996] RFC 1945: Hypertext Transfer Protocol -- HTTP/1.0. Informational.
  • [HTTP 1999] RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1. (Since obsoleted, first by RFC 7230-7235 in 2014 and then by RFC 9110-9112 in 2022.)
  • [irt.org 1998] WWW – How It All Began.
  • [isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.

HTTP
  • Can be used for many tasks beyond hypertext retrieval, such as name servers and distributed object management systems, by extending its request methods
  • Its data typing feature (the Content-Type header and content negotiation) allows systems to be built independently of the data being transferred
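The request/response exchange of the WWW slide and the method and data-typing points of this slide, as an added example that is not code from the slides: a strict parser for one HTTP/1.x request (request line, headers, Content-Length-framed body) and a stateless handler that only knows who the client is when a cookie is echoed back. The /login and /whoami resources, the SESSIONS table and the 'sid' cookie name are assumptions made for the demonstration; the requests are constructed inline.

```python
"""Minimal parser and handler for the HTTP request/response exchange.

Added example, not code from the slides. The requests are constructed inline;
the /login and /whoami resources, the SESSIONS table and the 'sid' cookie name
are assumptions made for the demonstration.
"""
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs

SUPPORTED_METHODS = {"GET", "HEAD", "POST"}  # the HTTP/1.0 core methods (RFC 1945)
SESSIONS: Dict[str, str] = {}  # server-side state layered on top of stateless HTTP


class BadRequest(ValueError):
    pass


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """One request: request line, header fields, blank line, optional body.
    The body is framed only by Content-Length, so that header is validated strictly."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        parts = lines[0].decode("ascii").split(" ") if lines[0] else []
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII request line")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported version")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not name or name != name.strip():  # no whitespace before ':'
            raise BadRequest("malformed header line")
        name = name.lower()  # field names are case-insensitive
        if name in headers:  # duplicates are ambiguous (a classic smuggling vector)
            raise BadRequest(f"duplicate header {name}")
        headers[name] = value.strip()
    length = headers.get("content-length", "0")
    if not length.isdigit():
        raise BadRequest("bad Content-Length")
    body = rest[: int(length)]
    if len(body) != int(length):
        raise BadRequest("truncated body")
    return method, target, version, headers, body


def handle(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Stateless handler: nothing from an earlier request is available except
    what the client echoes back in a Cookie header. Returns (status, headers, body)."""
    try:
        method, target, _, headers, body = parse_request(raw)
    except BadRequest as exc:
        return 400, {}, str(exc).encode()
    if method not in SUPPORTED_METHODS:
        return 501, {}, b"not implemented"
    if method == "POST" and target == "/login":
        # HTTP's data typing: the Content-Type header tells us how to read the body
        if headers.get("content-type") != "application/x-www-form-urlencoded":
            return 415, {}, b"unsupported media type"
        user = parse_qs(body.decode("latin-1")).get("user", [""])[0]
        if not user:
            return 400, {}, b"missing user"
        sid = secrets.token_hex(16)
        SESSIONS[sid] = user
        return 200, {"Set-Cookie": f"sid={sid}; HttpOnly"}, b"logged in"
    if method == "GET" and target == "/whoami":
        raw_cookie = headers.get("cookie", "")
        cookies = dict(c.strip().split("=", 1) for c in raw_cookie.split(";") if "=" in c)
        user = SESSIONS.get(cookies.get("sid", ""))
        return (200, {}, user.encode()) if user else (401, {}, b"anonymous")
    return 404, {}, b"not found"


def demo() -> Tuple[int, int, bytes]:
    """Constructed exchange: log in, then ask /whoami without and with the cookie."""
    login = (b"POST /login HTTP/1.0\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 10\r\n\r\nuser=alice")
    status, hdrs, _ = handle(login)
    sid_cookie = hdrs["Set-Cookie"].split(";")[0]  # "sid=<hex>"
    anonymous = handle(b"GET /whoami HTTP/1.0\r\n\r\n")[0]
    named = handle(f"GET /whoami HTTP/1.0\r\nCookie: {sid_cookie}\r\n\r\n".encode())[2]
    return status, anonymous, named
```

The second /whoami request succeeds only because the client presents the session identifier again; the server has no memory of the connection that performed the login. That identifier is therefore a bearer credential, which is why cookie attributes such as HttpOnly (and Secure, over TLS) and strict parsing of framing headers like Content-Length matter.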

Current Trends
  • Web services are being designed and deployed on the WWW.
    • Centered around XML-based messaging
    • Example initiatives:
      • Microsoft .NET
      • Sun ONE (Open Net Environment)
    • Protocols:
      • WSDL, SOAP, UDDI, …

Web Services

Some terminology
  • Vulnerability
    • A weakness that can be exploited
  • Threat
    • A circumstance, condition, or event that may violate a system's security, possibly by exploiting the system's vulnerabilities
  • Control (or countermeasure)
    • A feature, function, tool, or mechanism that either reduces a system's vulnerabilities or counters its threat(s)

Sample Controls
  • Firewalls
  • VPN
  • SSL / TLS (SSL has since been superseded by TLS)
  • S / MIME
  • Kerberos

The Bigger Picture
  • Security in any system, including Web Security, encompasses many aspects.
    • Policies
    • Technical
      • Network security
      • Host security
    • Non-technical
      • Organizational
      • Legal

Policies
  • High-level statements of what is allowed and what is not
  • Example policy statements
    • “Any access from the Internet to intranet resources must be strongly authenticated and properly authorized.”
    • “Any classified data must be properly encrypted for transmission.”
  • Policies are enforced by the overall architectural design and various mechanisms.

Host Security
  • User authentication
  • Access control (to resources)
  • Secure storage of data
  • Secure processing of data
  • Audit trail

Network Security
  • The security of the underlying network is critical to assure the security of networked applications, including Web and other Internet applications.
  • A security breach at a lower layer (e.g., ICMP) may result in a major problem at a higher layer (e.g., a DoS attack against the Web server).

Services vs Mechanisms
  • Example security services
    • Authentication, confidentiality of data, data integrity, access control, non-repudiation, …
  • Example security mechanisms
    • Passwords for user authentication
    • Biometrics for user authentication
    • RSA encryption for data confidentiality (in practice RSA protects a symmetric key, and a symmetric cipher protects the bulk data)
    • Digital signature for …
    • Routing control
    • Firewalls
  • A mechanism delivers a particular service, not security in general: a confidentiality mechanism on its own does not provide data integrity, for example.
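One mechanism per service, as an added example that is not from the slides: a confidentiality mechanism (a toy stream cipher) lets an attacker who knows the message layout rewrite an encrypted amount without the key, while adding an integrity mechanism (HMAC, encrypt-then-MAC) makes the same tampering detectable. The cipher here is a deliberately simple SHA-256 counter-mode construction used only to make the point visible; a real system would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. Keys, nonce and the message are constructed for the demonstration.

```python
"""Confidentiality and integrity are separate services needing separate mechanisms.

Added example, not from the slides. The stream cipher is a toy (SHA-256 in
counter mode) used only to make the point visible; a real system would use an
authenticated cipher such as AES-GCM or ChaCha20-Poly1305. Keys, nonce and the
message are constructed for the demonstration.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts. A confidentiality mechanism only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the cipher provides confidentiality, the MAC provides integrity."""
    ciphertext = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, nonce, ciphertext)


def bit_flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker who knows the plaintext layout but not the key rewrites a field
    by XORing the difference between old and new bytes into the ciphertext."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo():
    """Returns (what the receiver decrypts without a MAC, whether the MAC caught it)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY 0010 TO BOB"  # constructed message; the amount sits at bytes 4..7
    # Confidentiality only: the forged amount decrypts cleanly and nobody notices.
    tampered = bit_flip(encrypt(enc_key, nonce, msg), 4, b"0010", b"9999")
    unprotected = decrypt(enc_key, nonce, tampered)
    # Encrypt-then-MAC: the same flip changes the ciphertext, so the tag no longer matches.
    tampered_sealed = bit_flip(seal(enc_key, mac_key, nonce, msg), 4, b"0010", b"9999")
    try:
        open_sealed(enc_key, mac_key, nonce, tampered_sealed)
        detected = False
    except ValueError:
        detected = True
    return unprotected, detected


if __name__ == "__main__":
    print(demo())  # (b'PAY 9999 TO BOB', True)
```

The order matters: the tag covers the ciphertext (and the nonce), so the receiver rejects forged input before decrypting it, and the comparison is constant-time so the tag cannot be guessed byte by byte from timing.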

Organizational Security
  • Security is also a people problem.
  • In fact, human behavior is still the most important factor with regard to security and safety.
  • Human behavior may be influenced by religion, ethics, education, or organizational security controls.
  • Organizational security controls include directions/instructions that define legitimate human behavior and operational procedures in the organization.

Legal Security
  • As a last resort: to legally prosecute the attacker(s)
  • Needs the support and evidence provided by the various security services (e.g., audit trails and non-repudiation)
  • Example: non-repudiation of an e-contract
