Title: 20-771: Computer Security Lecture 14: Web, Firewalls
Slide 1: 20-771 Computer Security, Lecture 14: Web, Firewalls
- Robert Thibadeau
- School of Computer Science
- Carnegie Mellon University
- Institute for eCommerce, Fall 2002
Slide 2: Today's lecture
Slide 3: This Week
Slide 4: Windows 2000 IPAAA Model (diagram labels)
- User Agents
- DACLs
- File Encrypt
- Kerberos
- Authenticode
- SACLs
- Smartcard
- IPSec
Slide 5: PKI works with two mechanisms
- Using the CA public key to unfold the signing to your public key (typically, the CA signs your PK cert).
  - He vouches for you in a way that cannot be denied
  - Key compromise
  - Key revocation is a problem
- A file or resource has access granted by the demonstration that the requestor can privately encode what the resource can publicly decode (or that the resource can publicly encode what the requestor can privately decode).
  - You can have MORE than one PK on a file or resource
  - Example was the revocation list
- User (not group) is the owner of a private/public key
  - Can let Windows Base Crypto Services or a Smart Card hold it.
Slide 6: Our Class (diagram labels)
- Server Applications
- Client Applications
- Web Server Security
- Web Client Security
- Security Server Applications: WINDOWS 2000
- Security Assurance Applications
- Proxy/Router Applications: Put in Hardware! (buy CISCO)
- Server Security
- Client Security
- Path Security: Physical security
- Proxy/Router Security: Kind of Server
- Host Security
- Whole Facility / Internet Security
- Protocols/Policy/Publicity
- Technology
- The Law
- How To: Integrity/Privacy/Authenticate/Authorize/Record
- Cryptography
Slide 7: Exam
- What is a security association?
- What did you have to do to get encrypted email to work with a few of your classmates?
- One or more of the following:
  - In 100 words, explain how file encryption works in Windows.
  - In 100 words, explain how Kerberos works and what it protects.
  - Analyse Windows in terms of IPAAAA in 100 words.
  - What does interdomain (or across-domain, or across-realm) trust mean?
  - Why is a memory-only smart card a possible security problem?
  - Explain the DACL in 100 words.
  - Explain the SACL in 100 words.
  - How is a file authorized to a user in Windows 2000/XP, in 150 words?
  - Summarize the chapter on X in Stein (since midterm) in two sentences.
Slide 8: WS 9. Configuring Win NT Web Server
- Know how to set one up (what to expect from IIS)
- Windows 2000 is IIS 5
- Security Scanner: http://security1.norton.com
Slide 9: IIS
- Microsoft Internet Information Server
- Like Apache and all others, has its own layer of authorization and authentication
  - Apache is completely separate (see .htaccess)
  - IIS is/can be completely integrated into the Domain, including trust among domains
- Front Page
  - Yet another access/authorization layer, permitting authoring but no other access in the domain
  - Careful! FP uses .htaccess-type files peppered around the Active Directory giving FP access (not integrated into the ACLs!)
  - DO NOT APPLY GLOBAL ACCESS CHANGES ON FP DIRECTORIES WITHOUT USING FP! (You may need a special FP administration tool to reset all the access controls.)
Slide 10: IIS
- Standard HTTP Server
  - Can basically behave exactly like one that utilizes all the features of HTTP and related protocols (e.g., SSL, CGI, virtual hosting).
  - Very easy to manage (right click and look).
- Since users/groups in and between domains are the same as in Active Directory, use security (not sharing) to set up Web access.
- Creating the user WebServer for the web server (p. 230 Stein) is probably still good. Note this is the creator-owner of the server and has to have local login rights.
Slide 11: Access Rights

Group           Admin Tools   Logs   Scripts   Documents
Web Masters     R             R      RW        RW
Web Developers  -             -      RW        RW
Web Authors     -             -      R         RW
Guests          -             -      R         R

Don't make yourself a web author and web master; you'll wind up being a web author!
Slide 12: Web Access Control
- Basic Access
  - Response to 401
  - Send Base64 MIME plaintext username and password!
  - This is in the clear unless SSL protected!
- Digest Authentication
  - Server sends nonce
  - Client sends MD5 of the password
  - Put digest, URL, nonce inside the digest to give integrity
  - Server checks the hashed password, not the plaintext password
  - Replay attack fails (except for the page in question).
- Kerberos (Windows Authentication), including SSL smartcard client
  - IE 5.0 and IIS 5 incorporate good security together.
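The two HTTP schemes above, as an added example (not part of the lecture): Basic credentials are only base64-encoded, while Digest binds a stored password hash to the server nonce and the requested URI, so the server never holds the plaintext and a captured response only replays for the same page under the same nonce. The realm, user, password and URIs are constructed for the demo; the Digest form is the qop-less RFC 2069 variant the slide describes.

```python
import base64
import hashlib
import secrets

REALM = "example-realm"  # constructed realm name for the demo

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user: str, password: str) -> str:
    """Basic scheme: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_decode(header: str) -> tuple:
    """Anyone who sees the header (no SSL) recovers the plaintext this way."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def ha1(user: str, password: str) -> str:
    """Digest scheme: the server stores this hash instead of the plaintext password."""
    return md5_hex(f"{user}:{REALM}:{password}")

def digest_response(stored_ha1: str, method: str, uri: str, nonce: str) -> str:
    """Client side: bind the hashed password to the server nonce and the requested URI."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{ha2}")

def server_verify(user_db: dict, user: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1; the plaintext password is never needed."""
    stored = user_db.get(user)
    return stored is not None and secrets.compare_digest(
        digest_response(stored, method, uri, nonce), response)

def demo() -> dict:
    """Constructed exchange: one user, one challenge nonce, one valid request, then replays."""
    user_db = {"alice": ha1("alice", "s3cret")}
    nonce = secrets.token_hex(8)  # server-chosen, sent in the 401 challenge
    resp = digest_response(user_db["alice"], "GET", "/docs/index.html", nonce)
    return {
        "basic_is_plaintext": basic_decode(basic_header("alice", "s3cret")) == ("alice", "s3cret"),
        "valid": server_verify(user_db, "alice", "GET", "/docs/index.html", nonce, resp),
        # same page, same nonce still verifies: the "except for the page in question" case
        "replay_same_page": server_verify(user_db, "alice", "GET", "/docs/index.html", nonce, resp),
        "replay_other_page": server_verify(user_db, "alice", "GET", "/admin/", nonce, resp),
        "replay_new_nonce": server_verify(user_db, "alice", "GET", "/docs/index.html", secrets.token_hex(8), resp),
    }
```

A server that also remembers which nonces it has already accepted closes the remaining same-page replay.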
Slide 13: WS 10. Web Access Control
- Apache has a separate user/group system layered on top of Unix.
- IIS uses the user/group access system built into the MS Windows OS.
- Principles of these systems are largely universal. Always do a security checkout to tighten down access as much as possible.
- Lincoln Stein is right: define special, highly limited groups if you expose parts of your machine to the Internet.
Slide 14: Firewalls Big Ideas
- Just a modified gateway or router or server that doesn't let every packet or message through.
- Extremely important for a single point of control.
- Dedicated hardware (Bastion) is essential when possible
- Major Distinctions
  - Circuit Level (IP)
  - Application Level (HTTP, FTP, etc.)
  - Packet Filters (IP/TCP ports and machines)
Slide 15: How to think about firewalls: OSI (diagram labels)
Screening Routers
- Data link layer
- Network
- Transport
- Session
- Presentation
- Application
- Application Specific Access Controls
Proxy Servers
Slide 16: Typical Firewall
Firewall Computer: Stein's Bastion
- Inside LAN
- Outside LAN/WAN
- Physical Separation
Sometimes you use a router (hardware) to direct interesting packets to the Firewall Computer to be forwarded if allowed. This is common for application layers, like web proxies.
Proxy Servers are application-layer firewall/filter agents. They pretend to be the destination. When and why do they work?
Slide 17: Proxy ARP Firewall
Proxy ARP Firewall Computer
- eth0
- eth1
- Inside LAN
- Outside LAN/WAN
Proxy ARP responds to ARP (Address Resolution Protocol) requests with its hardware address so it gets the packets. Needs two (physical) interfaces: on eth0 ARPs are all correct, but on eth1 all protected computer IP addresses get ARPed with the firewall's hardware address (an inside-the-LAN firewall). ARP broadcast: "What's the hardware address for IP address n.n.n.n?"
Slide 18: NAT
- Masquerading Firewalls: look like one set of addresses from the outside and another from the inside.
- Address Translation (NATs). Many machines, one address, and also to hide the many machines. (One address from outside)
  - 192.168.x.x, 10.x.x.x
- NATs are an RFC! www.rfc-editor.com RFC 1631
- Class A (1-126): 17 million hosts each
- Class B (128-191): 65000 hosts
- Class C (192-223): 256
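The masquerading idea above, as an added example (not part of the lecture): a small NAT table that rewrites inside-to-outside packets to one public address, rewrites only the matching replies back, and drops anything unsolicited, which is what hides the many machines. The addresses and the packet dictionaries are constructed; the 172.16.0.0/12 block is the third RFC 1918 range alongside the two the slide names.

```python
import ipaddress

# RFC 1918 private blocks: the slide names 10.x.x.x and 192.168.x.x; 172.16.0.0/12 is the third.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True for addresses that must never appear on the outside of the masquerading firewall."""
    return any(ipaddress.ip_address(ip) in block for block in PRIVATE_BLOCKS)


class Masquerader:
    """Many inside hosts share one public address; only replies to a mapped flow get back in."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}  # (inside_ip, inside_port, peer_ip, peer_port) -> public port
        self.back = {}   # public port -> (inside_ip, inside_port, peer_ip, peer_port)

    def outbound(self, pkt: dict) -> dict:
        """Rewrite an inside->outside packet, allocating a public port on first use."""
        if not is_private(pkt["src"]):
            raise ValueError("only private source addresses are masqueraded")
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.flows.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.back[port] = key
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt: dict):
        """Rewrite an outside->inside packet back to the inside host, or drop it (None)."""
        flow = self.back.get(pkt["dport"]) if pkt["dst"] == self.public_ip else None
        if flow is None or (pkt["src"], pkt["sport"]) != (flow[2], flow[3]):
            return None  # unsolicited, or from a peer the inside host never talked to
        return {**pkt, "dst": flow[0], "dport": flow[1]}


def demo() -> tuple:
    """Constructed traffic: two inside hosts with the same source port, one reply, one probe."""
    nat = Masquerader("203.0.113.5")  # constructed public address (TEST-NET-3)
    a = nat.outbound({"src": "192.168.1.10", "sport": 1025, "dst": "198.51.100.80", "dport": 80})
    b = nat.outbound({"src": "10.0.0.7", "sport": 1025, "dst": "198.51.100.80", "dport": 80})
    reply_a = nat.inbound({"src": "198.51.100.80", "sport": 80, "dst": "203.0.113.5", "dport": a["sport"]})
    probe = nat.inbound({"src": "198.51.100.9", "sport": 4444, "dst": "203.0.113.5", "dport": 23})
    return a, b, reply_a, probe
```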
Slide 19: What's a Proxy?
- Needs to be defined in the protocol.
- Layer and Message Structure?
- IP: Source IP, Dest IP, ID, Protocol, Length
Slide 20: Windows 2000 Firewall
- ISA (firewall protocol)
- http://support.microsoft.com/support/kb/articles/q179/4/42.asp
- Ports 135, 137, 138, 139: domain trust
- Ports 389, 636, 3268, 3269, 88: LDAP and Kerberos
- IPSec Gateway mode is for firewalls that have to do proxy or address translation.
Slide 21: European Union (Modern Bldgs in Background).
Slide 22: Information Privacy
No matter how much you want to, you can't get technology out of privacy or the law out of privacy.
Slide 23: Privacy (for People)
- Privacy means keeping things secret
- PII: Personally Identifiable Information
- PI: Personal Information
- Basic Tension
  - Keep people safe from intrusion (BBB Online)
  - Market people (Direct Marketing Assn.), keep statistics important to research and operations such as medicine and hospitals
- Literature: a major branch of security
  - Elaborate systems for anonymity
Slide 24: Out of Common Criteria
- Types of information privacy
  - Anonymity
  - Pseudonymity
  - Unlinkability
  - Unobservability
- User control / info management
  - Notification, consent, accessibility, validation
- Security protection
Slide 25: Technological Organization (Dr. David-Olivier Jaquet-Chiffelle, david-olivier.jaquet-chiffelle_at_hta-bi.bfh.ch) (diagram labels)
- Anonymity
- Pseudoanonymity
- Unlinkability
- Practical
- Theoretical
- Unobservability
- Conditional
- Unconditional
Slide 26: Legal/Technical Organization: The Law defines its own world (diagram labels)
- Pseudoanonymity
- Anonymity
- Technical
- Law
- Unlinkability
- Unobservability
- Conditional
- Unconditional