20-771: Computer Security Lecture 14: Web, Firewalls

Provided by: robertth

1
20-771 Computer Security, Lecture 14: Web, Firewalls
  • Robert Thibadeau
  • School of Computer Science
  • Carnegie Mellon University
  • Institute for eCommerce, Fall 2002

2
Today's lecture
  • Web Security
  • Firewall
  • Q&A

3
This Week
  • Read WS 14
  • Exam Wed 6PM

4
Windows 2000 IPAAA Model
User Agents
DACLs
File Encrypt
Kerberos
Authenticode
SACLs
Smartcard
IPSec
5
PKI works with two mechanisms
  • Using the CA public key to unfold the signing
    to your public key (typically, the CA signs your
    PK cert).
  • He vouches for you in a way that cannot be denied
  • Key compromise
  • Key revocation is a problem
  • Access to a file or resource is granted by
    demonstrating that the requestor can privately
    encode what the resource can publicly decode (or
    that the resource can publicly encode what the
    requestor can privately decode).
  • You can have MORE than one PK on a file or
    resource
  • Example was revocation list
  • User (not group) is an owner of a private/public
    key
  • Can let Windows Base Crypto Services or Smart
    Card.

6
Our Class
Server Applications
Client Applications
Web Server Security
Web Client Security
Security Server Applications WINDOWS 2000
Security Assurance Applications
Proxy/Router Applications Put in Hardware! (buy
CISCO)
Server Security
Client Security
Path Security - Physical security
Proxy/Router Security - Kind of Server
Host Security
Whole Facility / Internet Security
Protocols/Policy/Publicity
Technology
The Law
How To: Integrity/Privacy/Authenticate/Authorize/Record
Cryptography
7
Exam
  • What is a security association?
  • What did you have to do to get encrypted email to
    work with a few of your classmates?
  • One or more of the following
  • In 100 Words, Explain how file encryption works
    in Windows.
  • In 100 Words, Explain how Kerberos works and what
    it protects.
  • Analyse Windows in terms of IPAAAA in 100 words.
  • What does Interdomain (or across domain, or
    across realm) Trust Mean?
  • Why is a memory only smart card a possible
    security problem?
  • Explain the DACL in 100 words.
  • Explain the SACL in 100 words.
  • How is a file authorized to a user in Windows
    2000/XP in 150 words?
  • Summarize the chapter on X in Stein (since mid
    term) in two sentences.

8
WS 9. Configuring Win NT Web Server
  • Know how to set one up (what to expect from IIS)
  • Windows 2000 is IIS 5
  • Security Scanner: http://security1.norton.com

9
IIS
  • Microsoft Internet Information Server
  • Like Apache and all others, it has its own layer of
    authorization and authentication
  • Apache is completely separate (see .htaccess)
  • IIS is/can be completely integrated into the
    Domain
  • Including trust among domains
  • Front Page
  • Yet another access/authorization layer permitting
    authoring but no other access in domain
  • Careful! FP uses .htaccess-type files peppered
    around the active directory giving FP access (not
    integrated into the ACLs!)
  • DO NOT APPLY GLOBAL ACCESS CHANGES ON FP
    DIRECTORIES WITHOUT USING FP! (You may need a
    special FP administration tool to re-set all the
    access controls).

10
IIS
  • Standard HTTP Server
  • Can basically behave exactly like one that
    utilizes all the features of HTTP and related
    protocols (e.g., SSL, CGI, virtual hosting).
  • Very easy to manage (right click and look).
  • Since users/groups in and between domains are the
    same as in Active Directory, use security (not
    sharing) to set up Web Access.
  • Creating the user WebServer for the web server
    (p. 230 Stein) is probably still good. Note this
    is the creator-owner of the server and has to
    have local login rights.

11
Access Rights
Group            Admin Tools   Logs   Scripts   Documents
Web Masters      R             R      RW        RW
Web Developers   -             -      RW        RW
Web Authors      -             -      R         RW
Guests           -             -      R         R
Don't make yourself a web author and web master;
you'll wind up being a web author!
12
Web Access Control
  • Basic Access
  • Response to 401
  • Send Base64 MIME plaintext username and password!
  • This is in the clear unless SSL protected!
  • Digest Authentication
  • Server sends nonce
  • Client sends MD5-hashed password
  • Put digest, url, nonce inside digest to give
    integrity
  • Server checks hashed password, not the plaintext
    password
  • Replay attack fails (except for the page in
    question).
  • Kerberos (Windows Authentication) // including
    SSL Smartcard Client
  • IE 5.0 and IIS5 incorporate good security
    together.
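
The Basic and Digest behaviour listed on this slide, as an added example that is not part of the original lecture. It uses the RFC 2617 digest form without qop; the class name `DigestServer` and the realm, user, password and paths are constructed for illustration.

```python
import base64, hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    # Basic: Base64 is an encoding, not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):
    # What anyone who can read a non-SSL connection gets from the header.
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def digest_response(ha1, nonce, method, uri):
    # RFC 2617 without qop: MD5(HA1 : nonce : MD5(method : uri)).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    def __init__(self, realm, user, password):
        # The server keeps only HA1 = MD5(user:realm:password).
        self.ha1 = {user: md5_hex(f"{user}:{realm}:{password}")}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response):
        if nonce not in self.live_nonces or user not in self.ha1:
            return False
        expected = digest_response(self.ha1[user], nonce, method, uri)
        return hmac.compare_digest(expected, response)

def demo():
    server = DigestServer("example-realm", "alice", "s3cret")  # constructed
    nonce = server.challenge()
    client_ha1 = md5_hex("alice:example-realm:s3cret")
    page = "/reports/q3.html"
    captured = digest_response(client_ha1, nonce, "GET", page)
    results = {
        "legit": server.verify("alice", nonce, "GET", page, captured),
        "replay_same_page": server.verify("alice", nonce, "GET", page, captured),
        "replay_other_page": server.verify("alice", nonce, "GET", "/admin/", captured),
    }
    server.live_nonces.discard(nonce)  # server retires the nonce
    results["replay_after_expiry"] = server.verify("alice", nonce, "GET", page, captured)
    return results
```

`replay_same_page` succeeding while the nonce is live is the "except for the page in question" case; retiring nonces quickly closes that window.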

13
WS 10. Web Access Control
  • Apache has a separate user/group system layered
    on top of Unix.
  • IIS uses the user/group access system built into
    the MS Windows OS.
  • Principles of these systems are largely
    universal. Always do a security check out to
    tighten down access as much as possible.
  • Lincoln Stein is right: define special, highly
    limited, groups if you expose parts of your
    machine to the Internet.

14
Firewalls: Big Ideas
  • Just a modified Gateway or Router or Server that
    doesn't let every packet or message through.
  • Extremely important for single point of control.
  • Dedicated hardware (Bastion) is essential when
    possible
  • Major Distinctions
  • Circuit Level (ip)
  • Application Level (http, ftp, etc.)
  • Packet Filters (ip/tcp ports and machines)

15
How to think about firewalls: OSI
Screening Routers
  • Data link layer
  • Network
  • Transport
  • Session
  • Presentation
  • Application
  • Application Specific Access Controls

Proxy Servers
16
Typical Firewall
Firewall Computer (Stein's Bastion)
Inside LAN
Outside LAN/WAN
Physical Separation
Sometimes you use a router (hardware) to direct
interesting packets to the Firewall Computer, to be
forwarded if allowed. This is common for
application layers, like web proxies.
Proxy Servers are application-layer
firewall/filter agents. They pretend to be the
destination. When and why do they work?
17
Proxy ARP Firewall
Proxy ARP Firewall Computer
eth0
eth1
Inside LAN
Outside LAN/WAN
Proxy ARP: responds to ARP (Address Resolution
Protocol) requests with its own hardware address
so it gets the packets. Needs two (physical)
interfaces: on eth0, ARPs are all correct,
but on eth1 all protected computer IP addresses
get ARPed with the firewall's hardware address (an
inside-the-LAN firewall). ARP broadcast:
what's the hardware address for IP address
n.n.n.n?
18
NAT
  • Masquerading Firewalls: look like one set of
    addresses from the outside and another from the
    inside.
  • Address Translation (NATs). Many machines, one
    address and also to hide the many Machines. (One
    address from outside)
  • 192.168.. 10...
  • NATs are an RFC! www.rfc-editor.com RFC 1631
  • Class A (1-126) 17 million hosts each
  • Class B (128-191) 65000 hosts
  • Class C (192-223) -- 256
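
The "many machines, one address" case from this slide, as an added example that is not part of the original lecture. It models the port-translating (masquerading) variant; the class name `Masquerader` and all addresses and ports are constructed for illustration.

```python
class Masquerader:
    """Port-translating NAT: many inside hosts share one outside address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the inside LAN."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite the destination of a packet arriving from outside.

        Returns None (drop) when no inside host opened that mapping,
        which is why the inside machines stay hidden.
        """
        inside = self.in_map.get(dst_port)
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def demo():
    nat = Masquerader("203.0.113.5")  # constructed outside address
    # Two inside hosts use the same source port toward the same server.
    a = nat.outbound("192.168.1.10", 51000, "198.51.100.7", 80)
    b = nat.outbound("192.168.1.11", 51000, "198.51.100.7", 80)
    # The server's reply to host A is mapped back to the inside address.
    reply = nat.inbound("198.51.100.7", 80, a[1])
    # A packet to a port nobody inside opened has nowhere to go.
    unsolicited = nat.inbound("198.51.100.99", 4444, 40500)
    return a, b, reply, unsolicited
```

From the outside both hosts appear as 203.0.113.5 and differ only in the translated port.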

19
What's a Proxy?
  • Needs to be defined in the protocol.
  • Layer and Message Structure?
  • IP: Source IP, Dest IP, ID, PROTOCOL, Length

20
Windows 2000 Firewall
  • ISA (firewall protocol)
  • http://support.microsoft.com/support/kb/articles/q179/4/42.asp
  • Ports 135, 137, 138, 139: domain trust
  • Ports 389, 636, 3268, 3269, 88: LDAP and Kerberos
  • IPSec Gateway mode is for firewalls that have to
    do proxy or address translation.

21
European Union (Modern Bldgs in BackGround).
22
Information Privacy
  • Law
  • Technology

No matter how much you want to, you can't get
technology out of privacy or the law out of
privacy.
23
Privacy (for People)
  • Privacy means keeping things secret
  • PII: Personally Identifiable Information
  • PI: Personal Information
  • Basic Tension
  • Keep people safe from intrusion (bbb online)
  • Market people (direct marketing assn.), keep
    statistics important to research and operations
    such as medicine and hospitals
  • Literature a major branch of security
  • Elaborate systems for anonymity

24
Out of Common Criteria
  • Types of information privacy
  • Anonymity
  • Pseudonymity
  • Unlinkability
  • Unobservability
  • User control / info management
  • Notification, consent, accessibility, validation
  • Security protection

25
Technological Organization
Dr. David-Olivier Jaquet-Chiffelle
david-olivier.jaquet-chiffelle_at_hta-bi.bfh.ch
Anonymity
Pseudoanonymity
Unlinkability
Practical
Theoretical
Unobservability
Conditional
Unconditional
26
Legal/Technical Organization
The Law defines its own world
Pseudoanonymity
Anonymity
Technical
Law
Unlinkability
Unobservability
Conditional
Unconditional