csci5233 Computer Security. Bishop: Chapter 27 System Security

Presentation transcript:

Slide 1: Bishop: Chapter 27 System Security

Slide 2: Outline
Various systems require different configurations and administration.
– web server system, development system, corporate data system, …
Policy
System Administration
– Networks
– Users
– Authentication
– Processes
– Files

Slide 3: Sample Network Organization (from chapter 26, net security)
[Figure: network diagram. Labels: Internet; Outer Firewall; Demilitarized Zone (DMZ); Web Server; Mail Server; DNS Server (DMZ); Log Server; Inner Firewall; Intranet; Internal Mail server; DNS Server (internal); Corporate data subnet; Customer data subnet; Development subnet]

Slide 4: Policy: Limited Services
1. Traffic filtering: All incoming web connections and all replies must pass the outer firewall.
2. Authentication: All users (administrator, developers) log in from an internal trusted server running SSH.
→ Only connections made through the firewall over the HTTP and HTTPS ports, and those from the internal trusted server, are accepted.

Slide 5: Policy: Limited Services (cont.)
3. No local updates: Web pages are never updated locally. New pages are downloaded through the SSH tunnel.
4. Log transmission: Log messages are transmitted to the DMZ log server only.
5. DNS query: The web server may query the DMZ DNS system for IP addresses.

Slide 6: Policy (cont.)
Other than those services expressly mentioned above, no other network services are provided by the web server.
→ To prevent the web server from being used by hackers as a jumping-off point to launch attacks at the network or the other servers

Slide 7: Policy (cont.)
Data generated by the web server (e.g., by a CGI script or a Java servlet) are enciphered and then written into a spooling area, from which they can be retrieved only by a trusted internal host using the SSH tunnel.
The public key of the principal who will decipher the data must reside on the web server.
Web server services must be implemented correctly. → high assurance

Slide 8: Networks
The principle of separation of privilege:
– Access to the web server should be limited even when the firewalls fail.
The firewall and the SSH tunnel ensure that only connections made through the firewall over the HTTP and HTTPS ports, and those from the internal trusted server, are accepted.
All connections from other sources should be blocked.
All attempts to connect should be monitored.

Slide 9: Networks
Questions:
– Should FTP connections from the Internet be accepted by the web server?
– How about TELNET connections?
– What if the web server administrator wants to work from home?
– Should connections from an internal host be accepted?
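
The Policy and Networks slides above, written as a default-deny decision function for the web server host itself, so that filtering still holds if the firewalls fail. This is an added example, not part of the original slides; the addresses, the syslog and DNS ports, and the names `Rule`, `decide` and `denied` are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges); the slides give none.
TRUSTED_ADMIN_HOST = "198.51.100.5/32"   # internal trusted server running SSH
DMZ_LOG_SERVER = "192.0.2.20/32"
DMZ_DNS_SERVER = "192.0.2.53/32"
ANYWHERE = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" = to the web server, "out" = from it
    peer: str        # network the remote end must belong to
    proto: str
    port: int        # destination port
    reason: str

# One rule per service the policy names. 514/udp (syslog) and 53/udp are
# assumptions; replies to allowed connections are left to a stateful filter.
RULES = [
    Rule("in", ANYWHERE, "tcp", 80, "HTTP (policy item 1)"),
    Rule("in", ANYWHERE, "tcp", 443, "HTTPS (policy item 1)"),
    Rule("in", TRUSTED_ADMIN_HOST, "tcp", 22, "SSH from trusted host (items 2, 3)"),
    Rule("out", DMZ_LOG_SERVER, "udp", 514, "log transmission (item 4)"),
    Rule("out", DMZ_DNS_SERVER, "udp", 53, "DNS query (item 5)"),
]

def decide(direction, peer_ip, proto, port):
    """Return (verdict, reason). Anything not expressly permitted is denied."""
    peer = ipaddress.ip_address(peer_ip)
    for r in RULES:
        if (r.direction, r.proto, r.port) == (direction, proto, port) \
                and peer in ipaddress.ip_network(r.peer):
            return "ALLOW", r.reason
    return "DENY", "not expressly permitted by the policy"

# Constructed connection attempts: (direction, remote address, protocol, port).
SAMPLE = [
    ("in", "203.0.113.7", "tcp", 443),     # customer over HTTPS
    ("in", "203.0.113.7", "tcp", 21),      # FTP from the Internet
    ("in", "203.0.113.7", "tcp", 23),      # TELNET from the Internet
    ("in", "198.51.100.5", "tcp", 22),     # administrator via the trusted host
    ("in", "198.51.100.77", "tcp", 22),    # SSH from another internal host
    ("out", "198.51.100.30", "tcp", 5432), # web server reaching a back end directly
    ("out", "192.0.2.20", "udp", 514),     # log message to the DMZ log server
]

def denied(attempts):
    """Return the attempts the policy rejects, for monitoring and follow-up."""
    return [a for a in attempts if decide(*a)[0] == "DENY"]
```
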

Slide 10: Users
A valid assumption: The web server may be compromised.
The number of user accounts on the web server should be minimal.
+ the least privilege principle
Users
– Sysadmin
– User 1: A user with enough privileges to read (and serve) web pages and to write to the web server transaction area
– User 2: A user who can move files from the web transaction area to the commerce transaction spooling area

Slide 11: Users
Questions:
– Should multiple system administrator accounts be created (one for each of the administrators)?
– If yes, how can the actions of each of the administrators be logged (for the sake of accountability)?
– What are the advantages / disadvantages?

Slide 12: Authentication
The SSH server uses cryptographic authentication to ensure the source of the connection to the web server is the trusted internal administrative host.
Other authentication methods may be used for the purpose of authentication: smart cards, biometrics, one-time passwords, etc.
Authenticated external access?

Slide 13: Processes
Each process running in the system is a potential vulnerability. Why?
The web server system should run a minimum set of processes.
– Web server process: to serve web pages
– Commerce server: to support commerce operations
– SSH server
– Login server
– Any essential OS services
Unnecessary processes/services should be disabled.

Slide 14: Processes
Issues:
1. Level of privileges assigned to each of the processes
– SSH server: sysadmin privileges
– Login server: sysadmin
– Web server: minimal privileges to read the web pages + privilege to invoke scripts
– The scripts: read web pages, write transaction data, communicate with the DBMS
– Commerce server: privileges to copy transaction files from the web server area to the transaction spooling area

Slide 15: Processes
Issues: (cont.)
2. File access
– File system access control lists (ACLs) should function effectively.
– Be aware of the chroot system call in UNIX → may be a vulnerability allowing a malicious process to have illegal access to the file system
3. Inter-process communications
– Processes should be able to communicate only through known, well-defined communication channels.
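
The minimal process set and the privilege assignments from the Users and Processes slides, turned into an audit of a process-table snapshot. This is an added example, not part of the original slides; the process names, the account names (`root` standing in for sysadmin, `webuser` for User 1, `mover` for User 2), the essential-services set and the snapshot are all constructed.

```python
# Expected processes on the web server and the account each should run as.
EXPECTED = {
    "sshd":      "root",     # SSH server: sysadmin privileges
    "login":     "root",     # login server: sysadmin
    "httpd":     "webuser",  # User 1: read pages, write web transaction area
    "commerced": "mover",    # User 2: move files to the commerce spooling area
}
ESSENTIAL_OS = {"init", "syslogd"}   # "any essential OS services" (assumed set)
ALLOWED_LISTENERS = {"sshd": {22}, "httpd": {80, 443}}

def audit_processes(snapshot):
    """snapshot: list of dicts with name, user and optional listen (TCP ports).
    Returns a sorted list of (process, finding) tuples; empty means compliant."""
    findings, seen = [], set()
    for p in snapshot:
        name, user, ports = p["name"], p["user"], set(p.get("listen", ()))
        seen.add(name)
        if name in EXPECTED:
            if user != EXPECTED[name]:
                findings.append((name, f"runs as {user}, expected {EXPECTED[name]}"))
        elif name not in ESSENTIAL_OS:
            findings.append((name, "not in the minimal process set; disable it"))
        extra = ports - ALLOWED_LISTENERS.get(name, set())
        if extra:
            findings.append((name, f"unexpected listening ports {sorted(extra)}"))
    for name in EXPECTED.keys() - seen:
        findings.append((name, "expected process is not running"))
    return sorted(findings)

# Constructed snapshot: web server over-privileged, a stray FTP daemon,
# an extra listener, and the commerce server missing.
SNAPSHOT = [
    {"name": "init", "user": "root"},
    {"name": "syslogd", "user": "root"},
    {"name": "sshd", "user": "root", "listen": {22}},
    {"name": "login", "user": "root"},
    {"name": "httpd", "user": "root", "listen": {80, 443, 8080}},
    {"name": "ftpd", "user": "root", "listen": {21}},
]

if __name__ == "__main__":
    for proc, finding in audit_processes(SNAPSHOT):
        print(f"{proc}: {finding}")
```
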

Slide 16: Files
Types of files
– The web pages
– Log files
– Spooling area for the e-commerce transactions
– Program and configuration files
The system programs and configuration files will not change. They can be stored on a CD-ROM to prevent alterations.

Slide 17: Files
Questions
– Should the CGI scripts be stored on the CD-ROM?
– How about the web pages?
– What files must be on a hard drive?
– How often should the transaction data be transferred out of the web server?

Slide 18: Summary
The web server in the DMZ runs a minimal set of services.
Unalterable media
The web server process must accept connections from any host on the Internet → public connections
The outer firewall can be configured to prevent DoS attacks from the Internet.
Except for the web server process, the system accepts only enciphered, authenticated connections from a known, trusted host by known, trusted users → SSH connections

Slide 19: Summary (cont.)
The web server and other servers in the DMZ run with minimal privileges.
Unnecessary services and programs are removed from the system to prevent accidental running.
Direct communication between the web server and the backend servers is not allowed; a spooling area or proxy server is used for the two sides to transfer data.
Data collected by the web server (such as transaction files) are protected by encryption.
Administrative access to the web server is only allowed via a trusted host + authentication

Slide 20: Next
Potential Research Areas:
– Network security
– Web security
– Wireless security
– Web services security
– ...