IT475 Internet Security - PowerPoint PPT Presentation

Slides: 63
Provided by: terry265
Transcript and Presenter's Notes

1
IT475 Internet Security
  • Session 2
  • Digital Certificates, Security Strategies, Firewall
    Technology

2
Computerized Identification Techniques
  • Password-based systems
  • Physical tokens
  • Biometrics
  • Location
  • What are different types of each?

3
Keys
  • Each device has three keys
  • 1. A private key that is kept secret and never
    shared. Used to sign messages
  • 2. A public key that is shared. Used by others to
    verify a signature
  • 3. A shared secret key that is used to encrypt
    data using a symmetric encryption algorithm
    (e.g., DES)
  • Will go into more detail with cryptography lecture

4
Certificates
  • A certificate is nothing more than
  • Details about Bob
  • Details about the certificate issuer (called the
    Certifying Authority, or CA)
  • Bob's public key (or keys)
  • Expiration dates
  • A digest of the certificate contents
  • The certificate digest is signed by the CA
  • CA: Certificate Authority

5
Certificate Authorities
  • Internal CA: operated by an organization to
    verify its own employees
  • Outsourced employee CA: contracted to an outside
    party
  • Outsourced customer CA
  • Trusted third-party CA: for many individuals and
    organizations

6
Certificates
  • Trust is important
  • Alice and Bob must both trust the certificate
    issuer
  • VeriSign, GTE, AT&T
  • Your company's CA
  • CAs use self-signed certificates
  • Also called root certificates

7
Discussion
In what various cases would digital certificates
be useful? Why?
8
X.509v3 Certificate

9
(No Transcript)
10
Certificates
  • How Bob gets a certificate
  • Bob generates public/private key pair
  • Bob sends a certificate request (which contains
    the public key) to the CA
  • CA must validate Bob is really Bob
  • CA issues certificate to Bob
  • Bob's software stores the certificate
  • Bob (or the CA) makes Bob's certificate publicly known

11
Certificates
  • To validate that Bob's certificate is valid (and
    hence his public key is valid)
  • Alice gets Bob's certificate
  • Alice's software performs the following
  • Gets certificate of CA that signed his
    certificate
  • Decrypts the certificate digest using the CA's
    public key (held in a root CA certificate)
  • Takes a digest of Bob's certificate
  • Compares the digests
  • Checks the expiration dates in Bob's certificate
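
The validation steps on this slide, as an added example that is not part of the original presentation. It assumes a constructed demo CA key (textbook RSA without padding, built from two Mersenne primes) and a made-up certificate layout; the names `ca_issue`, `validate` and `Example Root CA` are hypothetical.

```python
import hashlib
from datetime import date

# Constructed demo CA key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; production CAs use padded schemes such as RSA-PSS or ECDSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))   # CA private exponent, never leaves the CA

def digest(cert):
    """Digest of the certificate contents (every field except the signature)."""
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")

def ca_issue(subject, subject_key, not_before, not_after):
    """CA side: build the certificate and sign its digest with the private key."""
    cert = {"subject": subject, "issuer": "Example Root CA",
            "public_key": subject_key,
            "not_before": not_before.isoformat(),
            "not_after": not_after.isoformat()}
    cert["signature"] = pow(digest(cert), CA_D, CA_N)
    return cert

def validate(cert, ca_public, today):
    """Alice's side: the steps from the slide, using only the CA public key."""
    n, e = ca_public
    signed_digest = pow(cert["signature"], e, n)   # recover the digest the CA signed
    if signed_digest != digest(cert):              # compare with a fresh digest
        return "bad signature"
    if not (date.fromisoformat(cert["not_before"]) <= today
            <= date.fromisoformat(cert["not_after"])):
        return "expired or not yet valid"
    return "valid"

CA_PUBLIC = (CA_N, E)   # what a root CA certificate would carry
bob = ca_issue("Bob", "bob-public-key-placeholder",
               date(2024, 1, 1), date(2025, 1, 1))
forged = dict(bob, public_key="mallory-public-key")   # contents changed after signing

if __name__ == "__main__":
    print(validate(bob, CA_PUBLIC, date(2024, 6, 1)))
    print(validate(forged, CA_PUBLIC, date(2024, 6, 1)))
    print(validate(bob, CA_PUBLIC, date(2025, 6, 1)))
```

The forged copy fails at the digest comparison because the CA's signature covers the public key field, which is why a substituted key is detected without contacting the CA.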

12
(No Transcript)
13
Certificates
  • Servers can have certificates
  • Clients can have certificates

14
Certificate Authorities
  • Verisign
  • http://verisign.com
  • http://www.verisign.com/server/rsc/gd/secure-bus/
  • Entrust
  • http://www.entrust.net/
  • Thawte
  • http://www.thawte.com/contents.html
  • Netscape Certificate Authority Program
  • http://home.netscape.com/security/caprogram/

15
Certification Authorities and Server Certificates
  • There are four different kinds of certificates
  • Certificate Authority certificate: contains a
    public key of the CA and the name of the CA or the
    name of the service being certified.
  • Server certificate: has the public key of the SSL
    server
  • Personal certificate: contains an individual's
    name and public key
  • Software Publisher certificate: certificates
    used to sign distributed software

16
Certificate Authority Certificates
  • The CA certificate contains the name and public
    key of the CA.
  • Can be self-signed: the certification authority
    tells you that its own key is good and you trust
    it.
  • Can be cross-certified: CAs sign each other's master
    keys.

17
Discussion
  • How many of you have commerce sites or will?
    How do you plan on securing it?

18
Server Certificates
  • Identifies the server and distributes the
    server's public key. Also used to encrypt initial
    information sent to the server by the client.
  • SSL Certificate Format fields
  • Key length of the signature
  • Certificate Serial Number
  • Distinguished name
  • Signature Algorithm
  • Subject Common Name

19
How to obtain a server certificate
  • Generate an RSA public/private key pair using a
    utility program supplied by your server's vendor
  • Send the public key, distinguished name, and
    common name to the CA.
  • Follow the CA's certification procedure
  • Wait for the CA to process your requisition
  • CA will then issue a certificate
  • Use another program supplied by your server's
    vendor to install the key

20
Downloading a server certificate
  • Verisign allows certificates to be downloaded in
    four formats
  • Code signing
  • IE 3.x
  • Netscape 3.x
  • S/MIME format

21
Renewing a server certificate
  • Authority that issues the certificate determines
    when it will expire.
  • Can expire one year afterwards
  • Reasons to choose one year
  • The longer a certificate is used, the greater the
    chance that the private key can be compromised
  • Speed of computers and knowledge of public key
    cryptography are improving rapidly
  • Assures that companies that fire their webmasters
    and don't hire anybody new will be suitably
    punished before long
  • Other reasons (p.141)

22
Client-Side Digital Certificates
  • A digital certificate designed to certify the
    identity of an individual
  • Binds a particular name to a secret key issued by
    a CA
  • Benefits and uses (p. 151)
  • Help eliminate anonymity
  • Cookies track where you've been
  • Digital certificate can be traced straight back
    to you

23
Support for Client-Side Digital Certificates
  • There are four things that support client-side
    Digital Certificates
  • Key Creation
  • Certificate Acquisition
  • Challenge/Response
  • Secure Storage

24
Verisign Digital IDs
  • http://digitalid.verisign.com - Can obtain a
    digital ID here
  • http://digitalid.verisign.com/query.htm
  • Can locate a current digital certificate here.

25
How Digital IDs work
26
(No Transcript)
27
Revoking a Digital ID
  • To revoke an id, the user must provide the serial
    number, type of id, and reason for revocation.
  • Reasons are listed on page 166 of the O'Reilly
    book

28
Verisign Class System
  • Verisign was the first to offer commercial client
    certificates: Class 1 and Class 2. Class 3 is now
    also available.
  • The following class descriptions reflect possible
    uses of Digital IDs and do not necessarily
    represent an endorsement or recommendation by
    VeriSign of any particular application or
    purpose. Users must independently assess and
    exclusively determine the appropriateness of each
    class for any particular use.
  • Class 1 - Contains a person's name and email. It
    does verify the name of the person requesting and
    has a liability cap of 100.
  • Class 2 - Individual Software Publisher Digital
    ID
  • The Class 2 Digital ID is designed for Individual
    software publishers, that is, people who
    themselves publish software. This class of
    Digital ID provides assurance as to the identity
    of the individual publisher. Checked against
    Equifax.
  • Class 3 - Commercial Software Publisher Digital
    ID
  • The Class 3 Digital ID is designed for Commercial
    software publishers, that is, companies and other
    organizations that publish software. This class
    of Digital ID provides greater assurance about
    the identity of the publishing organization. This
    Digital ID is designed to represent the level of
    assurance provided today by retail channels for
    software.

29
Advantages for consumers
  • A simple way to verify the authenticity of an
    organization
  • The knowledge that consumers can obtain the
    organization's physical address and legally
    registered name if legal action needs to be taken.

30
Advantages for businesses
  • A simple way to verify an individual's email
    address without having to verify it by sending a
    piece of email.
  • A way to verify an individual's identity without
    using usernames and passwords.
  • A less likely way to suffer abuse through
    usernames and passwords

31
  • The fact that people can authenticate themselves
    using certificates does not alone prove that they
    are who they claim to be. This only proves that
    they possess a secret key signed by a certificate
    authority.

32
Code Signing
  • A technique used for signing executable programs
    with digital signatures.
  • Improves the reliability of software distributed
    over the Internet
  • Reduces the impact of malicious programs

33
Code Signing in Theory
  • Brings assurance with two things
  • Digital signature that signs the executable with
    a secret key
  • Digital certificate
  • View the diagram on page 170 of the O'Reilly book

34
How is code signing done today?
  • Authenticode (Microsoft)
  • JAR (Java Archive Format)
  • Extensions to PICS content rating system

35
Microsoft's Authenticode
  • ActiveX: a system for downloading programs from
    web pages to end user computers.
  • Authenticode makes software publishers
    responsible for programs that they write.

36
The Pledge
  • P. 173 of the O'Reilly book
  • Software Publisher's Pledge: a binding agreement
    in which the software publisher promises not to
    sign programs that contain viruses.

37
(No Transcript)
38
Signing a program
  • Should be the last thing to be done before a
    release
  • Should sign both the program and installer
  • Syntax for signing a program
  • signcode -prog ProgramFile -spc credentialsfile
    -pvk privateKeyFile
  • E.g. signcode -prog notepad.exe -name notepad
    -info http://www.microsoft.com -pvk classI
  • NOTE: Signing increases the size of a file

39
Code Signing Wizard
  • Available from the MS ActiveX Software
    Developer's Kit (SDK).
  • http://www.microsoft.com/activex
  • Steps in signing the program
  • Start the wizard
  • The developer signs the executable
  • How to sign the program
  • Validate the information
  • Sign the program

40
Verifying Authenticode Signatures
  • Authenticode can only be verified by programs
    developed with ActiveX
  • Chktrust checks the certificate on an
    executable
  • Syntax
  • Chktrust -options file name
  • -I
  • -J
  • -C
  • -N

41
Code Signing URLs
  • http://www.w3.org/pub/WWW/Security/Dsig/Overview.html
  • An overview of the WWW Consortium's Digital
    Signatures initiative
  • http://www.microsoft.com/INTDEV/security/misf8.htm
  • Microsoft's code signing home page

42
What is a firewall?
  • Creates security checkpoints at the boundaries of
    private networks
  • Can pass or drop communications
  • Considered as border security

43
Firewalls
  • Firewall
  • Used to secure a network
  • Features
  • Logging and reporting
  • Automatic alarms
  • Graphical user interface
  • Links
  • Keeping Your Site Comfortably Secure: An
    Introduction to Internet Firewalls
  • http://csrc.ncsl.nist.gov/nistpubs/800-10/main.html
  • Firewall Frequently Asked Questions
  • http://www.clark.net/pub/mjr/pubs/fwfaq/
  • General Firewall White Paper
  • http://www.ntresearch.com/firewall.htm

44
Discussion
  • What are some possible practical uses for
    firewalls?

45
Firewalls and Proxies
  • Three types
  • Packet Filtering: rejects TCP/IP packets from
    unauthorized hosts and rejects connection
    attempts to unauthorized services
  • Network Address Translation (NAT): translates
    the IP addresses of internal hosts to hide them
    from outside monitoring
  • Proxy: makes high-level application connections
    on behalf of internal hosts to completely break
    the network layer connection between internal and
    external hosts.
  • Most commercial firewall software is a hybrid of
    packet filtering and proxy

46
Firewalls and Proxies
  • Packet Filtering
  • Software only
  • Examines packets and filters them based on
    certain characteristics
  • NAT
  • Also known as IP Masquerading
  • Hides internal IP addresses by converting all
    internal host addresses to the address of the
    firewall

47
Packet Filtering
48
Filters
  • Typically follow these rules
  • Drop inbound connection attempts but allow
    outbound connection attempts to pass
  • Eliminate TCP packets bound for ports that
    shouldn't be available to the Internet
  • Restrict inbound access to certain IP ranges.

49
Operating System Filtering
  • Can use this to control access to individual
    servers
  • Provides another measure of security without the
    cost of firewalls inside your organization
  • Basic OS filtering allows you to define
    acceptance criteria for each network adapter
    based on
  • IP Protocol Number
  • TCP Port Number
  • UDP Port Number
  • NOTE: Win2000 supports outbound filtering; NT 4.0
    does not.

50
Ports
  • Pgs. 8 and 9 in Strebe display the default ports
    for certain services (e.g. FTP, HTTP, Mail, etc.)
  • Disallow all protocols and addresses by default,
    then allow services and hosts you wish to support
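
The filter rules from the preceding slides (drop inbound connection attempts, allow outbound ones, restrict inbound access by IP range, deny by default), as an added example that is not part of the original presentation. The rule table, addresses and the `filter_packet` function are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str      # "in" or "out", relative to the protected network
    src: str            # source IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

# Constructed policy. Fields: direction, protocol, destination port,
# permitted source range, action. None matches anything; first match wins.
RULES = [
    ("in",  "tcp", 80,   "0.0.0.0/0",      "pass"),  # public web server
    ("in",  "tcp", 22,   "203.0.113.0/24", "pass"),  # admin range only
    ("out", None,  None, "10.0.0.0/8",     "pass"),  # internal hosts connect out
]

def filter_packet(pkt, rules=RULES):
    src = ipaddress.ip_address(pkt.src)
    for direction, proto, dport, net, action in rules:
        if (direction == pkt.direction
                and proto in (None, pkt.proto)
                and dport in (None, pkt.dport)
                and src in ipaddress.ip_network(net)):
            return action
    # Stateless stand-in for "replies to outbound connections": inbound TCP
    # that is not a bare SYN and targets an unprivileged port. A stateful
    # firewall would match against a table of tracked connections instead.
    attempt = pkt.syn and not pkt.ack
    if (pkt.direction, pkt.proto) == ("in", "tcp") and not attempt and pkt.dport >= 1024:
        return "pass"
    return "drop"       # default deny: anything not explicitly allowed

SAMPLE = {  # constructed packets
    "web from anywhere":  Packet("in", "198.51.100.7", "tcp", 80, syn=True),
    "ssh from admin net": Packet("in", "203.0.113.9", "tcp", 22, syn=True),
    "ssh from elsewhere": Packet("in", "198.51.100.7", "tcp", 22, syn=True),
    "inbound connect":    Packet("in", "198.51.100.7", "tcp", 3389, syn=True),
    "reply to client":    Packet("in", "198.51.100.7", "tcp", 49152, ack=True),
    "outbound connect":   Packet("out", "10.1.2.3", "tcp", 443, syn=True),
    "inbound udp":        Packet("in", "198.51.100.7", "udp", 161),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:20} {filter_packet(pkt)}")
```

The flag-based reply rule trusts header bits the sender controls, which is one reason stateless packet filters are weaker than firewalls that track connection state.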

51
Firewalls and Proxies
  • Proxy
  • Acts as a relay between the client and server
    host
  • Provides security, administrative control,
    logging of activity, web page caching
  • MS Proxy Server
  • http://www.microsoft.com/proxy/default.asp
  • Proxy Server Comparisons
  • http://www.microsoft.com/proxy/Comparisons/CompMatrix.asp?A4B2
  • WinGate Proxy Server
  • http://www.wingate.com/

52
Proxies
  • With proxies, you can tell your browser the
    address of your proxy and all web requests are
    then sent to that server rather than resolving
    the IP address and establishing a connection
    directly.
  • Proxies are specific for an application. E.g.
    must have a proxy software module for HTTP, FTP
    and Telnet

53
Virtual Private Networks
  • Also called encrypted tunnels
  • Allows you to connect two physically separated
    networks over the Internet without exposing data
  • Allows users to address remote internal hosts
    directly by their hidden IP addresses.

54
Effective Border Security
  • Firewalls must be dedicated primarily to the
    performance of firewall functions
  • Minimize the services running on the firewalls
  • Turn off all services that the server will allow
    you to shut off and set them to start manually
  • Enforce a single point of control in the firewall
    policy

55
Comparing Firewalls
  • Don't have to use firewalls that are the same as
    the operating system and as the network file
    servers.
  • Should choose firewall based on familiarity
  • Must look at
  • Security
  • Interface
  • Enterprise functionality
  • Security Features offered
  • Service features

56
Methods used by companies to protect their
networks
  • Filtered packet services
  • Single firewall with internal public servers
  • Single firewall with external public servers
  • Dual firewalls or multihomed firewalls
  • Enterprise firewalls
  • Disconnection

57
ISP Filtered Packet Services
  • Figure 1.2, p. 19
  • Problems with this
  • Packet filters can be exploited more easily
  • Security is in the hands of a third party
  • Responsibility for reliability isn't controllable
  • No provision for alarming and alerting

58
Single-Firewall Approach
  • Simplest complete border security solution
  • One firewall and one connection to the Internet
  • Page 20, Figure 1.3

59
Dual firewalls and Virtual Dual Firewalls
  • Reduces the risk of having exposed public servers
  • First firewall goes at your Internet connection
    and secure Web servers behind it
  • Second firewall between that network and the
    internal network. Does not allow external
    connection attempts and hides the identity of
    internal clients

60
Enterprise Firewalls
  • Share a single, centralized firewall policy among
    multiple firewalls
  • Allows you to retain central control of security
    policy
  • Figure 1.7, page 24

61
Disconnection
  • Figure 1.8, Page 25
  • Most secure way is not to connect your network to
    the Internet at all
  • Benefits
  • Private network is absolutely secure
  • It's free
  • Natural disincentive for employees to waste time
    surfing the Web randomly
  • Employees hate it

62
What's Next?
  • Quiz Review
  • Activities for Saturday
  • Questions?