Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin AT&T Labs - Research “The security policy usually amounts to total trust of all insiders and total mistrust of outsiders, where the firewall defines the boundary.”

2 Outline
Requirements vs. the constraints of the current architecture.
Proposed solution.
Security assessment of the proposed solution.
Conclusion.
Questions.

3 Requirements
Access to the internal web server from outside of the firewall boundary.
The proposed solution should not involve
–changes to the firewall configuration on the network or...
–changes to the firewall policies

4 Environment
Firewall
–“[Inside user] …can establish TCP connection to hosts outside the firewall on any port, while inbound connections are tightly restricted.”
–“[Firewall] … tears down inactive connections every 15 min.”
DWT (dumb Web Terminal)
–“We strive to treat the DWT as “untrusted” as possible”

5 Possible off-the-shelf solutions
Telnet or a text-based browser such as Lynx
–Disadvantage: HTML travels in plain text over the network; no support for multimedia
Tunneling protocols (IPsec, SSLtelnet)
–Disadvantage: requires advance access to the remote client's browser settings and computer settings.

6 Architecture (diagram: Internet, DWT, Proxy, Authentication Server, Web Server, Firewall)

7 Proxy (diagram: PushWeb, Absent, DWT, Web Server, Firewall; Control Connection and Data Connection; Web Request / Web Reply on each side)

8 Authentication and Security
User Authentication
–Hash chaining
–User has to re-enter the password every 20 minutes
Connection Confidentiality
–HTTP over SSL (Secure Sockets Layer)
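Hash chaining as named on this slide, written as an added example and not code from the paper or the presentation: the server keeps only the current chain head; each login reveals the next preimage, which is accepted exactly once, so a one-time token typed on an untrusted DWT cannot be replayed. SHA-256, the chain length and the class names are assumptions; the 20-minute re-entry policy is not modelled.

```python
import hashlib
import os


def h(data: bytes) -> bytes:
    """One step of the chain: SHA-256 of the previous value (assumed hash)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Client side: [h^0(seed), h^1(seed), ..., h^n(seed)]; h^n(seed) is registered with the server."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class HashChainVerifier:
    """Server side: stores only the chain head and how many logins remain, never the seed."""

    def __init__(self, head: bytes, n: int):
        self.head = head
        self.remaining = n

    def verify(self, token: bytes) -> bool:
        """Accept token t only if h(t) equals the stored head; then t becomes the new head."""
        if self.remaining <= 0:
            return False            # chain exhausted, a new seed must be registered
        if h(token) != self.head:
            return False            # replayed, out-of-order or forged token
        self.head = token           # the token just used can never be accepted again
        self.remaining -= 1
        return True


def demo() -> list:
    """Walk a fresh chain backwards (h^(n-1) first), as successive logins would."""
    seed = os.urandom(32)           # constructed seed
    n = 5
    chain = make_chain(seed, n)
    server = HashChainVerifier(chain[n], n)
    return [server.verify(chain[i]) for i in range(n - 1, -1, -1)]
```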

9 Proxy (diagram as on slide 7, with the SSL session added between PushWeb and the DWT: PushWeb, Absent, DWT, Web Server, Firewall; Control Connection and Data Connection; Web Request / Web Reply; SSL Session)

10 Connection Confidentiality After the user has been successfully authenticated, PushWeb establishes the SSL connection to the DWT. SSL on the server is configured to restrict the set of supported ciphers to those that provide USA domestic-quality encryption.

11 Security Assessment
Compromise of Absent
–DoS attack: not preventable
–Eavesdropping on the user session: SSL prevents it.
–Replay attack: SSL makes it almost impossible.
–Spoofing: the user must check the SSL certificate.
–Obtaining root on PushWeb or access to the internal web: data cannot be moved over the control connection, so it takes the same effort as from any other outside host

12 Security Assessment (Continued)
Compromise of PushWeb
–PushWeb has limited access rights on the network
–No other services are available from PushWeb
–No user data is stored on PushWeb

13 Conclusion
The solution achieved its goal:
–No changes were required to the network infrastructure
–The system provides “...internal Web access from sites such as terminal rooms and Internet cafes.”
The system uses well-tested protocols (one-time passwords and SSL), but “… protocol composition is a very hard problem and has led to security problems in the past.”

14 Questions
To overcome the firewall policy, the authors used the PushWeb / Absent configuration. Is there any security gain in connecting through the Absent machine as opposed to connecting straight through a firewall? If there is a gain, then against what type of attacks?
(diagram: Internet, DWT, SSL, Web Server, Firewall, PushWeb, Absent)