Web Security - PowerPoint PPT Presentation

Provided by: andre80
Learn more at: http://sce.uhcl.edu

Transcript and Presenter's Notes

1
Web Security
  • Introduction
  • (Some of the slides were adapted from Oppliger's
    online slides at http://www.ifi.unizh.ch/oppliger/Presentations/WWWSecurity2e/index.htm.)

2
Chapter 1
  • Internet
  • WWW
  • Terms
  • vulnerabilities, threats, countermeasures
  • Generic security model
  • Security policy
  • Host security
  • Network security
  • Organizational security
  • Legal security

3
Internet
  • Has seen dramatic growth since 1995
  • Has evolved from the collegial inter-network for
    researchers in the 70s and 80s into today's
    global Internet for
  • Fun
  • Commercial transactions
  • Education
  • Has seen all types of security breaches

4
Internet
  • The Internet has become a popular target to
    attack (the number of security breaches has in
    fact escalated more than the growth rate of the
    Internet)
  • Security problems receive public attention
  • Examples
  • Internet Worm (e.g., Robert T. Morris, Jr. in
    1988)
  • Password sniffing (1994)
  • IP spoofing and sequence number guessing (e.g.,
    Kevin Mitnick in 1995)
  • Session hijacking
  • (Distributed) denial-of-service attacks (since
    1996)

5
DoS via SYN Flood
  • A: the initiator; B: the destination
  • A TCP connection is set up in several steps (the
    three-way handshake)
  • A sends SYN to initiate
  • B responds with SYN/ACK
  • A sends ACK to complete the handshake
  • Sequence numbers are then incremented for future
    messages
  • Ensures message order
  • Retransmit if lost
  • Verifies that the party really initiated the
    connection (the final ACK must acknowledge the
    sequence number B chose)
  • In a SYN flood the attacker sends many SYNs,
    usually from spoofed source addresses, and never
    sends the final ACK; B's table of half-open
    connections fills up and legitimate SYNs are
    dropped
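The handshake and the flood described on this slide, simulated end to end, as an added example that is not part of the original presentation. The `Server` class, the backlog size of 4 and the spoofed 198.51.100.x source addresses are constructed for illustration; the SYN-cookie defence (deriving the server's initial sequence number from a keyed hash so that no state is kept until the ACK arrives) is the standard mitigation, shown here in simplified form with a per-run secret rather than the real kernel encoding.

```python
"""Simulated TCP three-way handshake, a SYN flood against a fixed-size
half-open (backlog) table, and the SYN-cookie defence.
Added example, not from the original slides; addresses, backlog size
and the cookie secret are constructed for illustration."""
import hashlib
import hmac
import random
import secrets


class Server:
    """Destination B.  Without cookies it stores each half-open
    connection until the final ACK arrives."""

    def __init__(self, backlog=4, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}        # (client_addr, client_isn) -> server_isn
        self.established = set()   # addresses that completed the handshake
        self.dropped = 0           # SYNs refused because the backlog was full
        self._secret = secrets.token_bytes(16)  # assumption: per-boot cookie key

    def _cookie(self, addr, client_isn):
        # SYN cookie: the server ISN is a keyed hash of the connection
        # identifiers, so nothing is stored until the ACK proves liveness.
        msg = f"{addr}:{client_isn}".encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, addr, client_isn):
        """Steps 1 and 2: receive SYN, answer SYN/ACK (returns B's ISN)."""
        if self.syn_cookies:
            return self._cookie(addr, client_isn)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1      # backlog exhausted: this SYN is dropped
            return None
        server_isn = random.getrandbits(32)
        self.half_open[(addr, client_isn)] = server_isn
        return server_isn

    def on_ack(self, addr, client_isn, ack_num):
        """Step 3: accept the ACK only if it acknowledges B's ISN + 1."""
        if self.syn_cookies:
            expected = (self._cookie(addr, client_isn) + 1) & 0xFFFFFFFF
        else:
            server_isn = self.half_open.pop((addr, client_isn), None)
            if server_isn is None:
                return False
            expected = (server_isn + 1) & 0xFFFFFFFF
        if ack_num != expected:
            return False
        self.established.add(addr)
        return True


def legit_connect(server, addr="10.0.0.2"):
    """Initiator A performing all three steps of the handshake."""
    client_isn = random.getrandbits(32)
    server_isn = server.on_syn(addr, client_isn)
    if server_isn is None:
        return False               # SYN dropped: no connection
    return server.on_ack(addr, client_isn, (server_isn + 1) & 0xFFFFFFFF)


def syn_flood(server, count):
    """Attacker: SYNs from constructed spoofed sources, never an ACK."""
    for i in range(count):
        server.on_syn(f"198.51.100.{i % 250}", random.getrandbits(32))


def demo(syn_cookies):
    """Flood the server, then try a legitimate connection.
    Returns (legit_connected, half_open_entries, dropped_syns)."""
    server = Server(backlog=4, syn_cookies=syn_cookies)
    syn_flood(server, 50)
    return legit_connect(server), len(server.half_open), server.dropped


if __name__ == "__main__":
    print("no cookies :", demo(False))   # legitimate client is refused
    print("SYN cookies:", demo(True))    # legitimate client connects
```

Without cookies the first four spoofed SYNs fill the backlog, the remaining 46 are dropped, and the legitimate client's SYN is dropped as well. With cookies the server stores nothing per SYN, so the flood leaves no half-open entries and the real client completes. Real stacks also age out half-open entries after a timeout, which this model omits; the flood simply has to arrive faster than entries expire.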

6
Internet Protocols
7
WWW
  • The Web
  • Based on the HTTP protocol
  • An application-level protocol
  • HTTP is a simple request/response protocol
  • Its lightness and speed are necessary for
    distributed, collaborative, hypermedia
    information systems
  • A stateless protocol

8
HTTP: History of the WWW
  • HTTP 1991: the original HTTP as defined in 1991
  • HTTP 1992: basic HTTP as defined in 1992
  • HTTP 1996: RFC 1945, Hypertext Transfer Protocol
    -- HTTP/1.0 (Informational)
  • HTTP 1999: RFC 2616, Hypertext Transfer Protocol
    -- HTTP/1.1
  • References: irt.org (1998), "WWW: How It All
    Began"; isoc.org (2000), The Internet Society,
    "A Brief History of the Internet", August 4, 2000

9
HTTP
  • HTTP can be used for many tasks, such as name
    servers and distributed object management
    systems, through extension of its request methods
  • Its data typing feature (each message carries
    the MIME type of its body) allows systems to be
    built independently of the data being
    transferred.
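The request/response exchange from the previous two slides, as an added example that is not part of the original presentation: a minimal parser for an HTTP/1.x request (request line, headers, body sized by Content-Length) and a builder for the self-contained reply. The sample requests are constructed; the header limit and the rejection of bare LF, obsolete line folding and duplicate headers are the checks a practitioner adds so the parser cannot be tricked into reading a request differently from the next hop.

```python
"""Minimal HTTP/1.x request parser and response builder.
Added example, not from the original slides; the sample requests are
constructed and MAX_HEADERS is an illustrative limit."""
import re

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token chars
MAX_HEADERS = 50


class BadRequest(ValueError):
    """Raised for anything the parser refuses to interpret."""


def parse_request(raw: bytes):
    """Return (method, target, version, headers, body) or raise BadRequest."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("missing end of headers")
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise BadRequest("malformed request line")
    method, target, version = (g.decode("ascii") for g in m.groups())
    headers = {}
    for line in lines[1:]:
        if len(headers) >= MAX_HEADERS:
            raise BadRequest("too many headers")
        # A bare LF inside a line, or a line starting with whitespace
        # (obsolete folding), is parsed differently by different servers.
        if b"\n" in line or line[:1] in (b" ", b"\t"):
            raise BadRequest("bare LF or obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise BadRequest("malformed header")
        key = name.decode("ascii").lower()
        if key in headers:
            raise BadRequest("duplicate header: " + key)  # e.g. two Content-Length
        headers[key] = value.strip().decode("latin-1")
    if version == "1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 requires a Host header")
    length_text = headers.get("content-length", "0")
    if not length_text.isdigit():
        raise BadRequest("invalid Content-Length")
    length = int(length_text)
    if len(body) < length:
        raise BadRequest("body shorter than Content-Length")
    return method, target, version, headers, body[:length]


def is_bad(raw: bytes) -> bool:
    """True if parse_request rejects the bytes (used for the checks below)."""
    try:
        parse_request(raw)
    except BadRequest:
        return True
    return False


def build_response(status: int, reason: str, body: bytes,
                   content_type: str = "text/plain") -> bytes:
    """Stateless reply: the message carries its own type and length,
    so the client needs nothing from any earlier exchange."""
    head = (f"HTTP/1.0 {status} {reason}\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


# Constructed sample request.
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    method, target, version, headers, body = parse_request(SAMPLE)
    print(method, target, version, headers)
    print(build_response(200, "OK", b"<p>hello</p>", "text/html"))
```

Each request is parsed on its own; nothing from `SAMPLE` influences how the next request is read, which is what "stateless" means at this layer (session state, when needed, is layered on top with cookies or tokens).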

10
Current Trends
  • Web services are being designed and deployed on
    the WWW.
  • Centered around XML-based protocols
  • Example initiatives
  • MS .NET
  • Sun ONE (Open Net Environment)
  • Protocols
  • WSDL, SOAP, UDDI

11
Web Services
12
Some terminology
  • Vulnerability
  • A weakness that can be exploited
  • Threat
  • A circumstance, condition, or event that may
    violate a system's security by possibly
    exploiting the system's vulnerabilities
  • Control (or countermeasure)
  • A feature, function, tool, or mechanism that
    either reduces a system's vulnerabilities or
    counters its threat(s)

13
Sample Controls
  • Firewalls
  • VPN
  • SSL/TLS
  • S/MIME
  • Kerberos

14
The Bigger Picture
  • Security in any system, including Web Security,
    encompasses many aspects.
  • Policies
  • Technical
      • Network security
      • Host security
  • Non-technical
      • Organizational
      • Legal

15
Policies
  • High-level statements of what is allowed and
    what is not allowed
  • Example policy statements
  • Any access from the Internet to intranet
    resources must be strongly authenticated and
    properly authorized.
  • Any classified data must be properly encrypted
    for transmission.
  • Policies are enforced by the overall
    architectural design and various mechanisms.

16
Host Security
  • User authentication
  • Access control (to resources)
  • Secure storage of data
  • Secure processing of data
  • Audit trail

17
Network Security
  • The security of the underlying network is
    critical to assuring the security of networked
    applications, including Web and other Internet
    applications.
  • A security breach that occurs at a lower layer
    (e.g., ICMP) may result in a major problem at a
    higher layer (e.g., a DoS attack on the Web
    server).

18
Services vs. Mechanisms
  • Example security services
  • Authentication, confidentiality of data, data
    integrity, access control, non-repudiation
  • Example security mechanisms
  • Passwords for user authentication
  • Biometrics for user authentication
  • RSA encryption for data confidentiality
  • Digital signature for
  • Routing control
  • Firewalls
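Two of the service-to-mechanism pairings on this slide, worked in code as an added example that is not part of the original presentation: a salted, iterated password verifier (the mechanism behind the user-authentication service) and an HMAC tag (a mechanism for the data-integrity service). Only the Python standard library is used, so RSA encryption and digital signatures are not shown; the password, key and messages are constructed.

```python
"""Security services mapped to standard-library mechanisms.
Added example, not from the original slides; the password, key and
messages are constructed."""
import hashlib
import hmac
import os
import secrets


# Service: user authentication.  Mechanism: salted PBKDF2 password verifier.
def make_verifier(password: str, iterations: int = 100_000) -> dict:
    """Store a salt and an iterated hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(verifier: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 verifier["salt"], verifier["iterations"])
    # Constant-time comparison: a plain == would leak how many leading
    # bytes matched through timing.
    return hmac.compare_digest(digest, verifier["digest"])


# Service: data integrity (plus origin authentication between two parties
# that share the key).  Mechanism: HMAC tag over the message.
def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, message), t)


def demo() -> dict:
    """Exercise both mechanisms on constructed inputs."""
    verifier = make_verifier("correct horse battery staple")
    key = secrets.token_bytes(32)
    message = b"transfer 100 to account 42"
    t = tag(key, message)
    return {
        "auth_ok": check_password(verifier, "correct horse battery staple"),
        "auth_bad": check_password(verifier, "Tr0ub4dor&3"),
        "integrity_ok": verify_tag(key, message, t),
        "tampered": verify_tag(key, b"transfer 900 to account 42", t),
    }


if __name__ == "__main__":
    print(demo())
```

The tag detects the altered amount, so HMAC delivers data integrity; it does not deliver non-repudiation, because either holder of the shared key could have produced the tag. That service needs a digital signature made with a private key that only the signer holds, which is the distinction the slide draws between a service and the mechanism chosen to provide it.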

19
Organizational Security
  • Security is also a people problem.
  • In fact, human behavior is still the most
    important factor with regard to security and
    safety.
  • Human behavior may be influenced by religion,
    ethics, education, or organizational security
    controls.
  • Organizational security controls include
    directions/instructions that define legitimate
    human behavior and operational procedures in the
    organization.

20
Legal Security
  • As a last resort, legal prosecution of the
    attacker(s)
  • Requires the support and evidence provided by
    the various security services
  • Example: non-repudiation of an e-contract