
20-771: Computer Security Lecture 14: Web, Firewalls






Presentation Transcript


  1. 20-771: Computer Security, Lecture 14: Web, Firewalls. Robert Thibadeau, School of Computer Science, Carnegie Mellon University, Institute for eCommerce, Fall 2002

  2. Today’s lecture
  • Web Security
  • Firewall
  • Q&A

  3. This Week
  • Read WS 14
  • Exam Wed 6PM

  4. Win 2000 Security (diagram; only its labels survive): the Windows 2000 IPAAA model. A user (YOU!) authenticates by username/password, Kerberos, certificate or smartcard; users/groups carry rights (e.g., delegation); Active Directory DACLs authorize access to files and other objects; Active Directory SACLs provide audit; file encryption gives internal privacy; certificates (Authenticode) give integrity; SSL and IPSec give secure-network privacy between web visitors, other machines and the web site (IIS, IE5). Also labelled: user agents, services (some other time).

  5. PKI works with two mechanisms
  • Using the CA public key to unfold [the signing] to your public key (typically, the CA signs your PK cert).
    • He vouches for you in a way that cannot be denied
    • Key compromise
    • Key revocation is a problem
  • A file or resource has access granted by the demonstration that the requestor can privately encode what the resource can publicly decode (or that the resource can publicly encode what the requestor can privately decode).
    • You can have MORE than one PK on a file or resource
    • Example was the revocation list
    • A user (not a group) is the owner of a private/public key
    • Can use Windows Base Crypto Services or a Smart Card.

  6. Our Class (course map diagram; only its labels survive): client security (client applications, web client security, user agents); path security (physical security; proxy/router security, a kind of server host security; proxy/router applications – put in hardware! (buy CISCO)); server security (server applications, web server security, security assurance applications, WINDOWS 2000); whole facility / Internet security (protocols/policy/publicity). Cross-cutting rows: technology, the law, how to (integrity/privacy/authenticate/authorize/record), cryptography.

  7. Exam
  • What is a security association?
  • What did you have to do to get encrypted email to work with a few of your classmates?
  • One or more of the following:
    • In 100 words, explain how file encryption works in Windows.
    • In 100 words, explain how Kerberos works and what it protects.
    • Analyse Windows in terms of IPAAAA in 100 words.
    • What does interdomain (or across-domain, or across-realm) trust mean?
    • Why is a ‘memory only’ smart card a possible security problem?
    • Explain the DACL in 100 words.
    • Explain the SACL in 100 words.
    • How is a file authorized to a user in Windows 2000/XP, in 150 words?
    • Summarize the chapter on X in Stein (since mid term) in two sentences.

  8. WS 9. Configuring Win NT Web Server
  • Know how to set one up (what to expect from IIS)
  • Windows 2000 is IIS 5
  • Security Scanner: http://security1.norton.com

  9. IIS
  • Microsoft Internet Information Server
  • Like Apache and all others, it has its own layer of authorization and authentication
    • Apache’s is completely separate from the OS (see .htaccess)
    • IIS is/can be completely integrated into the Domain
    • Including trust among domains
  • Front Page
    • Yet another access/authorization layer, permitting authoring but no other access in the domain
    • Careful! FP uses “.htaccess”-type files peppered around the active directory giving FP access (not integrated into the ACLs!)
    • DO NOT APPLY GLOBAL ACCESS CHANGES ON FP DIRECTORIES WITHOUT USING FP! (You may need a special FP administration tool to re-set all the access controls.)

  10. IIS
  • Standard HTTP Server
  • Can basically behave exactly like one that utilizes all the features of HTTP and related protocols (e.g., SSL, CGI, virtual hosting).
  • Very easy to manage (right click and look).
  • Since users/groups in and between domains are the same as in Active Directory, use “security” (not sharing) to set up Web Access.
  • Creating the user “WebServer” for the web server (p. 230 Stein) is probably still good. Note this is the creator-owner of the server and has to have local login rights.

  11. Access Rights: Don’t make yourself a web author and web master – you’ll wind up being a web author!

  12. Web Access Control
  • Basic Access
    • Response to a 401
    • Sends the Base64 MIME plaintext username and password!
    • This is in the clear unless SSL protected!
  • Digest Authentication
    • Server sends a “nonce”
    • Client sends an MD5 of the password
    • Digest, URL and nonce go inside the digest to give integrity
    • Server checks the hashed password, not the plaintext password
    • Replay attack fails (except for the page in question).
  • Kerberos (‘Windows Authentication’) // including SSL Smartcard Client
  • IE 5.0 and IIS5 incorporate good security together.
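The Basic and Digest exchanges on this slide, worked as an added example (not code from the lecture or from IIS): the Basic header is recoverable by anyone on the path, while Digest sends an MD5 over password, realm, nonce, method and URI, computed here in the RFC 2617 form without qop, so a captured response only replays for the same nonce and page. The realm, user, password and URI are constructed.

```python
import base64
import hashlib
import secrets

def basic_header(user: str, password: str) -> str:
    """Basic: the client answers the 401 with base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_recover(header: str) -> tuple:
    """Base64 is encoding, not encryption: anyone who sees the header (no SSL) has the password."""
    user, _, password = base64.b64decode(header.split()[1]).decode().partition(":")
    return user, password

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """What a Digest server stores: MD5(user:realm:password), never the plaintext."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri).
    Nonce and URI are bound into the hash, so a captured response works only
    for that nonce and that page, which is the slide's replay caveat."""
    return md5_hex(f"{ha1_value}:{nonce}:{md5_hex(f'{method}:{uri}')}")

class DigestServer:
    """Server side: per-user HA1 plus a set of outstanding single-use nonces (constructed realm)."""
    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}          # user -> HA1
        self.live_nonces = set()

    def add_user(self, user: str, password: str) -> None:
        self.users[user] = ha1(user, self.realm, password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)   # fresh random nonce sent with the 401
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, method: str, uri: str, response: str) -> bool:
        if user not in self.users or nonce not in self.live_nonces:
            return False
        expected = digest_response(self.users[user], nonce, method, uri)
        if not secrets.compare_digest(expected, response):
            return False
        self.live_nonces.discard(nonce)  # one use per nonce: replaying it later fails
        return True
```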

  13. WS 10. Web Access Control
  • Apache has a separate user/group system layered on top of Unix.
  • IIS uses the user/group access system built into the MS Windows OS.
  • Principles of these systems are largely universal. Always do a security check-out to “tighten down” access as much as possible.
  • Lincoln Stein is right: define special, highly limited groups if you expose parts of your machine to the Internet.

  14. Firewalls: Big Ideas
  • Just a modified gateway, router or server that doesn’t let every packet or message through.
  • Extremely important as a single point of control.
  • Dedicated hardware (Bastion) is essential when possible
  • Major Distinctions
    • Circuit Level (ip)
    • Application Level (http, ftp, etc.)
    • Packet Filters (ip/tcp ports and machines)

  15. How to think about firewalls: the OSI layers
  • Data link layer
  • Network
  • Transport
  • Session
  • Presentation
  • Application
  • Application-specific access controls
  (Diagram labels, positions not recoverable: Screening Routers, Proxy Servers.)

  16. Typical Firewall (diagram: Firewall Computer, Stein’s “Bastion”, between the Inside LAN and the Outside LAN/WAN, with physical separation). Sometimes you use a router (hardware) to direct “interesting packets” to the Firewall Computer… to be forwarded if allowed. This is common for application layers, like web proxies. “Proxy Servers” are application layer firewall/filter agents. They pretend to be the destination. When and why do they work?

  17. Proxy ARP Firewall (diagram: Proxy ARP Firewall Computer with eth0 on the Inside LAN and eth1 on the Outside LAN/WAN). Proxy ARP responds to ARP (Address Resolution Protocol) requests with its own hardware address… so it gets the packets. Needs two (physical) interfaces: on eth0 ARPs are all correct, but on eth1 all protected computer IP addresses get ARPed with the Firewall’s hardware address (an ‘inside the LAN’ Firewall). ARP: ‘broadcast: what’s the hardware address for IP address n.n.n.n?’

  18. NAT Masquerading Firewalls: look like one set of addresses from the outside and another from the inside. Address Translation (NATs). Many machines, one address, and also to hide the many machines (one address from outside). Inside ranges: 192.168.*.*, 10.*.*.*. NATs are an RFC! www.rfc-editor.com RFC 1631
  • Class A (1-126) – 17 million hosts each
  • Class B (128-191) – 65000 hosts
  • Class C (192-223) – 256
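What the masquerading NAT on this slide does, worked as an added example (not code from the lecture): many 10.* and 192.168.* hosts share one public address through a port mapping table, and the firewall side is that an inbound packet with no matching outbound mapping is dropped. The public and outside addresses used are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

# Inside address ranges named on the slide (private space per RFC 1918).
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def is_inside(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INSIDE_NETS)

class Masquerader:
    """One public address for many inside machines: outbound sources are
    rewritten to (public_ip, fresh port); inbound packets pass only if they
    match a mapping an inside host created, so unsolicited traffic is dropped."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (inside ip, inside port, proto) -> public port
        self.in_map = {}   # (public port, proto) -> (inside ip, inside port)

    def outbound(self, p: Packet) -> Packet:
        if not is_inside(p.src):
            raise ValueError(f"{p.src} is not an inside address")
        key = (p.src, p.sport, p.proto)
        if key not in self.out_map:          # first packet of this flow: allocate a port
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, p.proto)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], p.dst, p.dport, p.proto)

    def inbound(self, p: Packet):
        """Rewrite a reply back to the inside host, or return None to drop it."""
        if p.dst != self.public_ip:
            return None
        inside = self.in_map.get((p.dport, p.proto))
        if inside is None:
            return None                      # no inside host asked for this: the firewall drops it
        return Packet(p.src, p.sport, inside[0], inside[1], p.proto)
```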

  19. What’s a Proxy?
  • Needs to be defined in the protocol.
  • Layer and Message Structure?
  • IP: Source IP, Dest IP, ID, PROTOCOL, Length

  20. Windows 2000 Firewall
  • ISA (firewall protocol)
  • http://support.microsoft.com/support/kb/articles/q179/4/42.asp
  • Ports 135, 137, 138, 139: domain trust
  • Ports 389, 636, 3268, 3269, 88: LDAP and Kerberos
  • IPSec Gateway mode is for firewalls that have to do proxy or address translation.

  21. European Union (modern buildings in background).

  22. Information Privacy
  • Law
  • Technology
  No matter how much you want to, you can’t get technology out of privacy or the law out of privacy.

  23. Privacy (for People)
  • Privacy means keeping things secret
  • PII: Personally Identifiable Information
  • PI: Personal Information
  • Basic Tension:
    • Keep people safe from intrusion (BBB Online)
    • Market people (Direct Marketing Assn.), keep statistics important to research and operations such as medicine and hospitals
  • Literature: a major branch of security
    • Elaborate systems for anonymity

  24. Out of Common Criteria
  • Types of information privacy
    • Anonymity
    • Pseudonymity
    • Unlinkability
    • Unobservability
  • User control / info management
    • Notification, consent, accessibility, validation
  • Security protection

  25. Technological Organization (Dr. David-Olivier Jaquet-Chiffelle, david-olivier.jaquet-chiffelle@hta-bi.bfh.ch). Diagram labels: Anonymity, Pseudoanonymity, Unlinkability, Unobservability; Practical vs. Theoretical; Conditional vs. Unconditional.

  26. Legal/Technical Organization: ‘The Law defines its own world’. Diagram labels: Pseudoanonymity, Anonymity, Unlinkability, Unobservability; Technical vs. Law; Conditional vs. Unconditional.
