Presentation is loading. Please wait.

Presentation is loading. Please wait.

CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)

Published byClara Ward Modified over 9 years ago

Similar presentations

Presentation on theme: "CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)"— Presentation transcript:

1 CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)

2 Identifying Threats and Vulnerabilities Focus is on threats from the Internet Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data Data can be credit card numbers, user names and passwords, other personal data Information can be gathered while it is being transmitted Often, operating system flaws can assist the hacker

3 Examining TCP/IP Hackers often take advantage of the intricacy of TCP/IP The following are parts of the IP header most relevant to security Source address Destination address Packet identification, flags, fragment offset Total length Protocol – TCP, UDP, ICMP

4 TCP- Delivering Data to Applications Important header fields Source and destination ports Sequence number, data offset Flags, such as SYN, ACK, FIN Establishing a TCP connection

5 Vulnerabilities of DNS Historically DNS has had security problems BIND is the most common implementation of DNS and some older version had serious bugs BIND 9, the current version, has been more secure

6 Vulnerabilities in Operating Systems Operating systems are large and complex which means that there are more opportunities for attack Although Windows has had its share of problems, often inattentive administrators often fail to implement patches when available Some attacks, such as buffer overruns, can allow the attacker to take over the computer

7 Vulnerabilities in Web Servers Static HTML pages pose virtually no problem Programming environments and databases add complexity that a hacker can exploit Programmers often do not have time to focus on security

8 Vulnerabilities of E-mail Servers By design, e-mail servers are open E-mail servers can be harmed by a series of very large e-mail messages Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server Viruses can be sent to e-mail users Retrieving e-mail over the Internet often involves sending your user name and password as clear text

9 Securing Data Transmission To secure data on a network that is accessible to others, you need to encrypt the data SSL is the most common method of encrypting data between a browser and Web server Secure Shell (SSH) is a secure replacement for Telnet

10 Secure Sockets Layer (SSL) A digital certificate issued by a certification authority (CA) identifies an organization The public key infrastructure (PKI) defines the system of CAs and certificates Public key cryptography depends on two keys A public key is shared with everyone The public key can be used to encrypt data Only the owner of the public key has the corresponding private key which is needed to decrypt the data Upgraded to TLS!

11 Establishing an SSL Connection

12 Using SSH for Tunneling Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH To set up tunneling Configure the SSH client so the local port is a port between 1024 and 65535 Configure the SSH client to connect to POP3 port 110 Log in to the SSH client Direct the e-mail client to the local port and log in to the e-mail server

13 Securing the Operating System Use the server for only necessary tasks Minimize user accounts Disable services that are not needed Make sure that you have a secure password In addition to using upper case, lower case numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255 Check a table of ALT values to avoid common characters The use of the ALT key will thwart most hackers

14 Securing Windows There are many services that are not needed in Windows for most Internet- based server applications Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names

15 Securing E-mail You have already seen the ability to tunnel POP3 which would prevent data from being seen To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox

16 Securing the Web Server Enable the minimum features If you don't need a programming language, do not enable it Make sure programmers understand security issues Implement SSL where appropriate

17 Securing the Web Server Apache Directories You can restrict access to directories by using "Allow" and "Deny" The following only allows computers with the two IP addresses to access the directory Order Allow,Deny Allow from 10.10.10.5 192.168.0.3

18 Order Directive The Order directive, along with the Allow and Deny directives, controls a three-pass access control system. The first pass processes either all Allow or all Deny directives, as specified by the Order directive. The second pass parses the rest of the directives (Deny or Allow). The third pass applies to all requests which do not match either of the first two.

19 Allow,Deny First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default.

20 Deny,Allow First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

21 Authenticating Web Users Both Apache and IIS use HTTP to enable authentication HTTP tries to access a protected directory and fails Then it requests authentication from the user in a dialog box Accesses directory with user information Can be used in conjunction with SSL

22 HTTP Authentication Methods Basic access authentication Digest access authentication

23 Configuring User Authentication in IIS Four types of authenticated access Windows integrated authentication Most secure – requires IE Digest authentication for Windows domain servers Works with proxy servers Requires Active Directory and IE Basic authentication User name and password in clear text Works with IE, Netscape, and others Passport authentication Centralized form of authentication Only available on Windows Server 2003+

24 User Authentication in Apache Basic authentication is most common User names and passwords are kept in a separate file Create password file -c creates the users file -b adds a password when creating user htpasswd –c users mnoia htpasswd users fpessoa htpasswd users lcamoes –b lusiades

25 Apache User Authentication Directives DirectiveDescription AuthName Specifies descriptive text for user authentication that appears on the user’s browser when the request is made to log on. Example: AuthName “New Product Information” AuthType Specifies the authentication type. Example: AuthType Basic AuthUserFile Specifies the complete path to the user authentication file. Example: AuthUserFile D:/users AuthGroupFile Specifies the complete path to the text file that associates users with groups. Require Defines which users in the user authentication file are allowed access to the directory. Examples: Require user fpessoa lcamoes Require group developers designers Require valid-user

26 Apache User Authentication Assume you want to restrict the htdocs/newprods directory to any user in the users file located on the D drive AuthName "New Product Information" AuthType Basic AuthUserFile D:/users Require valid-user

27 Using a Firewall A firewall implements a security policy between networks Our focus is between the Internet and an organization's network You need to limit access, especially from the Internet to your internal computers Restrict access to Web servers, e-mail servers, and other related servers

28 Types of Filtering Packet filtering Looks at each individual packet Based on rules, it determines whether to let it pass through the firewall Circuit-level filtering (stateful or dynamic filtering) Controls complete communication session, not just individual packets Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside Application-level Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e- mail

29 A Packet-filtering Firewall Consists of a list of acceptance and denial rules A firewall independently filters what comes in and what goes out It is best to start with a default policy that denies all traffic, in and out We can reject or drop a failed packet Drop – (best) thrown away without response Reject – ICMP message sent in response

30 Firewall on Linux - iptables Connections can be logged Initializing the firewall Remove any pre-existing rules iptables --flush Set default policy to drop packets iptables --policy INPUT DROP iptables --policy OUTPUT DROP At this point nothing comes in and nothing goes out

31 Describing the Packets to Accept -A (Append rule) INPUT or OUTPUT -i eth0 (input interface) or –o eth0 (output) -p tcp or -p udp (protocol type) -s, -d (source, destination address) --sport, --dport (source, destination port) -j ACCEPT (this is a good rule)

32 Allowing Access to Web Server Allow packets from any address with an unprivileged port to the address on our server destined to port 80 The following should be on a single line iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 80 –j ACCEPT Allow packets to go out port 80 from our server to any unprivileged port at any address iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 --sport 80 --dport 1024:65535 –j ACCEPT

33 Allowing Access to DNS DNS uses port 53 UDP for resolving, TCP for zone transfers iptables –A INPUT –i eth0 –p udp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p udp –s 192.168.1.10 --sport 53 --dport 1024:65535 –j ACCEPT iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 --sport 53 --dport 1024:65535 –j ACCEPT

34 Allowing Access to FTP Port 21 for data, port 20 for control Data is transferred through unprivileged ports Opening unprivileged ports can be a problem iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 - -dport 1024:65535 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 - -dport 1024:65535 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT

Download ppt "CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
Web Server Administration Chapter 10 Securing the Web Environment.

Web Server Administration Chapter 10 Securing the Web Environment.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google