Secure Internet Services - PowerPoint PPT Presentation

Secure Internet Services

Slides: 15
Provided by: sou

1
Secure Internet Services
  • Week 1 CS457

2
Services Provided
  • When administering your network, you will be
    required to provide one or more services to the
    users.
  • What is a service?
  • What services would you want to provide?
  • Which ones can you support securely?
  • We will briefly look at major services users may
    be interested in using.

3
Secure Services
  • What is a secure service?
  • Service that cannot be used for anything but its
    intended purpose
  • Other users cannot read or falsify transactions
    with that service
  • There is no such thing as 100% secure

4
Basic Services
  • If it is a network in a new small company, these
    basic services will tide you over until you
    figure things out
  • WWW Access (HTTP)
  • Email (SMTP)
  • File Transfer (FTP)
  • Remote Terminal Access (SSH)
  • Hostname Lookup (DNS)

5
WWW Access Issues
  • Server will be covered in Security III
  • Client (Browser) partly covered in Sec I
  • Browsers understand HTML, jpg, png, gif, and CSS
  • Browsers can also execute JavaScript, ActiveX,
    and Java code
  • These introduce problems as there can be bugs in
    the implementations and the code itself
  • In addition, browsers rely on plug-ins to do
    other jobs

6
Browser Plug-Ins
  • External programs to help with running programs
    to provide a better user experience
  • Flash
  • Adobe Acrobat

7
Email Service
  • Implemented using SMTP and POP/IMAP servers
  • Unix-based SMTP implementation: sendmail
  • Exploited in several ways
  • Windows-based SMTP implementation: Exchange
    server
  • Also exploited in several ways
  • POP and IMAP servers are not secure and have
    their own issues

8
File Transfer, etc.
  • Users need to download files
  • Allowing anonymous access is dangerous
  • SFTP is now available and is a better alternative
    to FTP
  • Sometimes file sharing can also be a viable
    option
  • Users also need to print to a remote printer;
    this is an insecure operation

9
Remote Access
  • Various reasons why users may need remote access
    to machines (e.g., grafiti2)
  • Questions:
  • Can someone listen in on the connection?
  • Can someone take over a session (session
    hijacking)?
  • How can users be authenticated remotely?

10
Remote Access Approaches
  • Telnet: simple but completely insecure
  • Remote graphical interface: (Microsoft) terminal
    service
  • X-Windows (Unix) Citrix implementation on
    Windows
  • Remote terminal access (replace telnet)
  • SSH
  • A VPN (encrypted network connection) over which
    Telnet can run
  • Over the web: GoToMyPC.com

11
Naming Services
  • DNS translates names to IP addresses and vice versa
  • DNS is used by a variety of applications
  • Windows 2000/2003 uses Active Directory along
    with DNS to locate resources
  • Clients communicate with Active Directory using
    the LDAP protocol (standard protocol to access
    directory information)
  • All have security issues

12
Additional Useful Services
  • Authentication Services
  • Take care of assigning identity to incoming
    connections
  • Can occur locally or use a service across the
    network
  • Unix uses NIS or Kerberos
  • Windows 2003 uses Kerberos
  • For dial-in service authentication, RADIUS
    protocol is being used (Windows 2003)
  • http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

13
Additional Useful Services (Cont.)
  • Administrative services: a variety of services used
    to manage and maintain networks.
  • Rarely used by casual users but very useful for
    network managers
  • SNMP: agents run on any device connected to a
    network to monitor the device
  • RIP and OSPF: routing protocols
  • ICMP: network diagnostics
  • NTP: Network Time Protocol for time service

14
Other Services (Cont.)
  • Database: all companies need to store and
    make data available
  • Oracle, DB/2, SQL Server
  • All have been known to have many vulnerabilities