20-771: computer security lecture 14: web, firewalls


Page 1: 20-771: Computer Security Lecture 14: Web, Firewalls

Lecture 14, 20-771: Computer Security, Fall 2002 1

20-771: Computer Security, Lecture 14: Web, Firewalls

Robert Thibadeau

School of Computer Science

Carnegie Mellon University

Institute for eCommerce, Fall 2002

Page 2

Today’s lecture

• Web Security

• Firewall

• Q&A

Page 3

This Week

• Read WS 14

Exam Wed 6PM

Page 4

Windows 2000 IPAAA Model (diagram; labels recovered from the slide)

• Win 2000 Security

• Files & Other Objects

• Web Site: IIS – IE5

• Services: Some-other-time..

• YOU! – username, password, certificate, kerberos

• A User: User/groups, Rights (e.g., delegation)

• Web Visitor

• Active Directory: DACLs for Authorization

• Active Directory: SACLs for Audit

• Other Machines: Certs for Authentication

• Secure Network: Privacy – SSL & IPSec

• Internal Privacy: File Encryption

• Certs for Integrity

Page 5

PKI works with two mechanisms

• Using the CA public key to unfold [the signing] to your public key (typically, the CA signs your PK cert).

– He vouches for you in a way that cannot be denied

– Key compromise

» Key revocation is a problem

• A file or resource has access granted by the demonstration that the requestor can privately encode that the resource can publicly decode (or that the resource can publicly encode that the requestor can privately decode).

– You can have MORE than one PK on a file or resource

– Example was revocation list

– User (not group) is an owner of a private/public key

– The key can be held by Windows Base Crypto Services or by a Smart Card.

Page 6

Our Class (diagram; labels recovered from the slide)

• Whole Facility / Internet Security – Protocols/Policy/Publicity

• Path Security – Physical security

• Proxy/Router Security – Kind of Server; Proxy/Router Applications – Put in Hardware! (buy CISCO)

• Host Security – Server Security / Client Security; Server Applications / Client Applications

• Security Server Applications – WINDOWS 2000

• Security Assurance Applications – Web Server Security, Web Client Security

• Technology / The Law

• Cryptography / How To – Integrity/Privacy/Authenticate/Authorize/Record

Page 7

Exam

• What is a security association?

• What did you have to do to get encrypted email to work with a few of your classmates?

• One or more of the following:

• In 100 Words, Explain how file encryption works in Windows.

• In 100 Words, Explain how Kerberos works and what it protects.

• Analyse Windows in terms of IPAAAA in 100 words.

• What does Interdomain (or across domain, or across realm) Trust Mean?

• Why is a ‘memory only’ smart card a possible security problem?

• Explain the DACL in 100 words.

• Explain the SACL in 100 words.

• How is a file authorized to a user in Windows 2000/XP in 150 words?

• Summarize the chapter on X in Stein (since mid term) in two sentences.

Page 8

WS 9. Configuring Win NT Web Server

• Know how to set one up (what to expect from IIS)

• Windows 2000 is IIS 5

• Security Scanner http://security1.norton.com

Page 9

IIS

• Microsoft Internet Information Server

– Like Apache and all others, has its own layer of Authorization and Authentication

– Apache is completely separate (see .htaccess)

– IIS is/can be completely integrated into the Domain

» Including trust among domains

• Front Page

– Yet another access/authorization layer permitting authoring but no other access in the domain

– Careful! FP uses “.htaccess” type files peppered around the Active Directory giving FP access (not integrated into the ACLs!)

– DO NOT APPLY GLOBAL ACCESS CHANGES ON FP DIRECTORIES WITHOUT USING FP! (You may need a special FP administration tool to re-set all the access controls).

Page 10

IIS

• Standard HTTP Server

– Can basically behave exactly like one that utilizes all the features of HTTP and related protocols (e.g., SSL, CGI, virtual hosting).

– Very easy to manage (right click and look).

– Since users/groups in and between domains are the same as in Active Directory, use “security” (not sharing) to set up Web Access.

– Creating the user “WebServer” for the web server (p. 230 Stein) is probably still good. Note this is the creator-owner of the server and has to have local login rights.

Page 11

Access Rights

Group            Admin Tools   Logs   Scripts   Documents
Web Masters      R             R      RW        RW
Web Developers   -             -      RW        RW
Web Authors      -             -      R         RW
Guests           -             -      R         R

Don’t make yourself a web author and web master – you’ll wind up being a web author!

Page 12

Web Access Control

• Basic Access

– Response to 401

– Sends Base64 MIME plaintext username and password!

– This is in the clear unless SSL protected!

• Digest Authentication

– Server sends “nonce”

– Client sends MD5 of the password

» Put digest, URL, nonce inside the digest to give integrity

– Server checks the hashed password, not the plaintext password

– Replay attack fails (except for the page in question).

• Kerberos (‘Windows Authentication’) // including SSL Smartcard Client

• IE 5.0 and IIS5 incorporate good security together.
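Added example in Python, not code from the lecture: Basic and Digest HTTP authentication in the RFC 2617 style (no qop), showing what each puts on the wire and what the server has to store. The user, realm, password, URIs and nonces are constructed; retiring a nonce after one successful use goes one step beyond the slide and also closes the "page in question" replay.

```python
# Added example (not the lecture's code): Basic vs. Digest HTTP authentication
# in the RFC 2617 style (no qop). User, realm, password, URIs and nonces are
# constructed for the demonstration.
import base64, hashlib, secrets
from typing import Dict, Set, Tuple

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(username: str, password: str) -> str:
    """Basic: credentials are merely Base64-encoded, so they travel in the clear."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def basic_decode(header: str) -> Tuple[str, str]:
    """Anyone on the path can undo Base64 unless SSL protects the connection."""
    user, _, pw = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, pw

def digest_ha1(username: str, realm: str, password: str) -> str:
    """The server stores HA1 = MD5(user:realm:password), never the plaintext."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Client answer: hashed password bound to the nonce, method and URL."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Server side: issues nonces in the 401 challenge and checks responses."""
    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.ha1_by_user: Dict[str, str] = {}
        self.live_nonces: Set[str] = set()

    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = digest_ha1(username, self.realm, password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)   # fresh per 401 response
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        if nonce not in self.live_nonces or username not in self.ha1_by_user:
            return False
        expected = digest_response(self.ha1_by_user[username], nonce, method, uri)
        ok = secrets.compare_digest(expected, response)
        if ok:  # retire the nonce: a captured response cannot be replayed, even for this page
            self.live_nonces.discard(nonce)
        return ok
```

A response captured for one URL is useless for another URL because the URL is hashed into it, and the server never holds the plaintext password.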

Page 13

WS 10. Web Access Control

• Apache has a separate user/group system layered on top of Unix.

• IIS uses the user/group access system built into the MS Windows OS.

• Principles of these systems are largely universal. Always do a security checkout to “tighten down” access as much as possible.

– Lincoln Stein is right: define special, highly limited groups if you expose parts of your machine to the Internet.

Page 14

Firewalls : Big Ideas

• Just a modified Gateway or Router or Server that doesn’t let every packet or message through.

• Extremely important for single point of control.

• Dedicated hardware (Bastion) is essential when possible

• Major Distinctions

– Circuit Level (ip)

– Application Level (http, ftp, etc.)

– Packet Filters (ip/tcp ports and machines)

Page 15

How to think about firewalls: OSI layers

• Data link layer

• Network

• Transport

• Session

• Presentation

• Application

• Application Specific Access Controls

Page 16

Typical Firewall

(diagram: Inside LAN – Firewall Computer (Stein’s “Bastion”) – Outside LAN/WAN)

Sometimes you use a router (hardware) to direct “interesting packets” to the Firewall Computer… to be forwarded if allowed. This is common for application layers, like web proxies.

“Proxy Servers” are application layer firewall/filter agents. They pretend to be the destination. When and why do they work?

Physical Separation

Page 17

Proxy ARP Firewall

(diagram: Inside LAN – Proxy ARP Firewall Computer, interfaces eth0 and eth1 – Outside LAN/WAN)

Proxy ARP responds to ARP (Address Resolution Protocol) requests with its own hardware address … so it gets the packets.

Needs two (physical) interfaces: on eth0 ARPs are all correct, but on eth1 all protected computer IP addresses get ARPed with the Firewall’s hardware address.

(an ‘inside the LAN’ Firewall)

ARP: ‘broadcast: what’s the hardware address for IP address n.n.n.n?’

Page 18

NAT

Masquerading Firewalls: look like one set of addresses from the outside and another from the inside.

Address Translation (NATs): many machines, one address, and also to hide the many machines (one address from outside).

Private address ranges used inside: 192.168.*.* and 10.*.*.*

NATs are an RFC! www.rfc-editor.com RFC 1631

• Class A (1-126) – 17 million hosts each

• Class B (128-191) – 65000 hosts

• Class C (192-223) – 256
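Added example in Python, not code from the lecture: a toy masquerading NAT table of the kind this slide describes. Inside hosts on the private ranges the slide names share one public address; the firewall rewrites source address and port on the way out and restores them on the reply, and anything with no matching outbound flow is dropped. All addresses, ports and packets are constructed.

```python
# Added example (not the lecture's code): a toy masquerading NAT table.
# Inside hosts on the RFC 1918 ranges named on the slide (192.168.*.*,
# 10.*.*.*) share one public address; the firewall rewrites source address
# and port on the way out and restores them on the reply. All addresses,
# ports and packets are constructed.
import ipaddress
from typing import Dict, Optional, Tuple

PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)

class Masquerade:
    def __init__(self, public_addr: str, first_port: int = 40000) -> None:
        self.public = public_addr
        self.next_port = first_port
        self.out_map: Dict[Flow, int] = {}   # inside flow -> public source port
        self.in_map: Dict[int, Flow] = {}    # public source port -> inside flow

    def outbound(self, pkt: dict) -> Optional[dict]:
        """Rewrite an inside->outside packet; drop anything not from the inside LAN."""
        if not is_private(pkt["src"]) or is_private(pkt["dst"]):
            return None
        flow: Flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow not in self.out_map:          # first packet of this flow: allocate a port
            self.out_map[flow] = self.next_port
            self.in_map[self.next_port] = flow
            self.next_port += 1
        return {**pkt, "src": self.public, "sport": self.out_map[flow]}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """Translate a reply back to the inside host. A packet with no matching
        outbound flow (a scan, an unsolicited connection) is dropped, which is
        what hides the many machines behind the one address."""
        flow = self.in_map.get(pkt["dport"])
        if pkt["dst"] != self.public or flow is None:
            return None
        src_ip, src_port, dst_ip, dst_port = flow
        if (pkt["src"], pkt["sport"]) != (dst_ip, dst_port):  # only the contacted peer may reply
            return None
        return {**pkt, "dst": src_ip, "dport": src_port}
```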

Page 19

What’s a Proxy?

• Needs to be defined in the protocol.

• Layer and Message Structure?

• IP: Source IP, Dest IP, ID, PROTOCOL, Length

Page 20

Windows 2000 Firewall

• ISA (firewall protocol)

• http://support.microsoft.com/support/kb/articles/q179/4/42.asp

– Ports 135, 137, 138, 139: domain trust

– Ports 389, 636, 3268, 3269, 88: LDAP and Kerberos

• IPSec Gateway mode is for firewalls that have to do proxy or address translation.
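Added example in Python, not code from the lecture: a first-match packet filter (the “ip/tcp ports and machines” firewall type from slide 14) that opens the Windows 2000 port list above only between two hypothetical domain controllers and denies everything else by default. The slide lists ports without a protocol, so TCP is assumed; addresses, rules and sample packets are constructed.

```python
# Added example (not the lecture's code): a first-match packet filter, the
# "ip/tcp ports and machines" firewall type, with the Windows 2000 port list
# from the slide opened only between two hypothetical domain controllers.
# The slide lists ports without a protocol, so TCP is assumed. Addresses,
# rules and packets are constructed.
import ipaddress
from typing import List, Optional, Set, Tuple

DOMAIN_TRUST_PORTS = {135, 137, 138, 139}
LDAP_KERBEROS_PORTS = {88, 389, 636, 3268, 3269}

# (action, source network, destination network, protocol, dest ports or None = any)
Rule = Tuple[str, str, str, str, Optional[Set[int]]]

INSIDE_DC, OUTSIDE_DC = "10.1.0.10/32", "192.168.5.10/32"   # hypothetical DCs
RULES: List[Rule] = [
    ("allow", INSIDE_DC, OUTSIDE_DC, "tcp", DOMAIN_TRUST_PORTS | LDAP_KERBEROS_PORTS),
    ("allow", OUTSIDE_DC, INSIDE_DC, "tcp", DOMAIN_TRUST_PORTS | LDAP_KERBEROS_PORTS),
    ("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", {80, 443}),  # inside hosts may browse out
    # no catch-all rule: everything else hits the implicit deny in decide()
]

def match(rule: Rule, pkt: dict) -> bool:
    _, src_net, dst_net, proto, ports = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst_net)
            and pkt["proto"] == proto
            and (ports is None or pkt["dport"] in ports))

def decide(pkt: dict, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; no match means deny (default deny at the single point of control)."""
    for rule in rules:
        if match(rule, pkt):
            return rule[0]
    return "deny"

def filter_log(packets: List[dict], rules: List[Rule] = RULES) -> List[str]:
    """One log line per packet so that denied traffic can be reviewed later."""
    return [f'{decide(p, rules)} {p["proto"]} {p["src"]} -> {p["dst"]}:{p["dport"]}'
            for p in packets]
```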

Page 21

European Union (modern buildings in background).

Page 22

Information Privacy

• Technology

• Law

No matter how much you want to, you can’t get technology out of privacy or the law out of privacy.

Page 23

Privacy (for People)

• Privacy means keeping things secret

• PII: Personally Identifiable Information

• PI: Personal Information

• Basic Tension:

– Keep people safe from intrusion (bbb online)

– Market people (direct marketing assn.), keep statistics important to research and operations such as medicine and hospitals

• Literature: a major branch of security

– Elaborate systems for anonymity

Page 24

Out of Common Criteria

• Types of information privacy

– Anonymity

– Pseudonymity

– Unlinkability

– Unobservability

• User control / info management

– Notification, consent, accessibility, validation

• Security protection

Page 25

Technological Organization – Dr. David-Olivier Jaquet-Chiffelle, [email protected]

(diagram; labels recovered from the slide: Anonymity, Unlinkability, Unobservability, Pseudoanonymity; axes Theoretical / Practical and Conditional / Unconditional)

Page 26

Legal/Technical Organization: ‘The Law defines its own world’

(diagram; labels recovered from the slide: Anonymity, Unlinkability, Unobservability, Pseudoanonymity; axes Law / Technical and Conditional / Unconditional)