Lecture 14, 20-771: Computer Security, Fall 2002 1
20-771: Computer Security, Lecture 14: Web, Firewalls
Robert Thibadeau
School of Computer Science
Carnegie Mellon University
Institute for eCommerce, Fall 2002
Today’s lecture
• Web Security
• Firewall
• Q&A
This Week
• Read WS 14
• Exam Wed 6PM
Windows 2000 IPAAA Model (Win 2000 Security diagram)
Files & Other Objects
Web Site: IIS – IE5
Services: some other time..
YOU! username / password / certificate / kerberos
A User: User/groups; Rights, e.g., delegation
Web Visitor
Active Directory: DACLs for Authorization
Active Directory: SACLs for Audit
Other Machines: Certs for Authentication
Secure Network: Privacy, SSL & IPSec
Internal Privacy: File Encryption
Certs for Integrity
PKI works with two mechanisms
• Using the CA public key to unfold [the signing] to your public key (typically, the CA signs your PK cert).
– He vouches for you in a way that cannot be denied
– Key compromise
» Key revocation is a problem
• A file or resource has access granted by the demonstration that the requestor can privately encode that the resource can publicly decode (or that the resource can publicly encode that the requestor can privately decode).
– You can have MORE than one PK on a file or resource
– Example was revocation list
– User (not group) is an owner of a private/public key
– The private key can be held by Windows Base Crypto Services or by a Smart Card.
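The two mechanisms above, as an added example that is not from the lecture and not Windows' own code: a small certificate authority signs a user's public key (mechanism 1), and a resource grants access only when the requestor signs a fresh challenge that the certified public key verifies (mechanism 2). A local revocation set stands in for the revocation list the slide calls the hard part. Only the Go standard library is used; the helper names (`must`, `issue`, `Resource`, `Scenario`), the names "Course CA", "Rogue CA" and "alice", and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps setup failures (key generation, DER encoding) out of the main flow.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs a certificate for pub with signer's key; parent == nil means a
// self-signed CA root. Names and serial numbers are constructed for the example.
func issue(serial int64, cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage |= x509.KeyUsageCertSign
		parent = t
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Resource is the protected object: it trusts one CA root and keeps a local
// revocation set (a stand-in for the revocation list the slide calls the hard part).
type Resource struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

// Respond is the requestor side of mechanism 2: privately encode (sign) the
// nonce so that the resource can publicly decode (verify) it.
func Respond(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// Authorize checks revocation, the chain to the trusted CA (mechanism 1) and
// the signed challenge (mechanism 2); nil means access granted.
func (r *Resource) Authorize(cert *x509.Certificate, nonce, sig []byte) error {
	if r.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %v revoked", cert.SerialNumber)
	}
	opts := x509.VerifyOptions{Roots: r.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge signature does not verify")
	}
	return nil
}

// Outcome records four access attempts; only Legit should be nil.
type Outcome struct{ Legit, WrongKey, UntrustedCA, Revoked error }

// Scenario: the CA vouches for alice; an impostor holding her certificate but
// not her key, a certificate from a rogue CA, and alice after revocation are refused.
func Scenario() Outcome {
	caKey, alice, impostor, rogueKey := newKey(), newKey(), newKey(), newKey()
	root := issue(1, "Course CA", &caKey.PublicKey, nil, caKey)
	cert := issue(2, "alice", &alice.PublicKey, root, caKey)
	res := &Resource{roots: x509.NewCertPool(), revoked: map[string]bool{}}
	res.roots.AddCert(root)
	nonce := make([]byte, 32) // fresh per request, so a captured answer cannot be replayed
	must(rand.Read(nonce))
	var o Outcome
	o.Legit = res.Authorize(cert, nonce, Respond(alice, nonce))
	o.WrongKey = res.Authorize(cert, nonce, Respond(impostor, nonce))
	rogueCert := issue(3, "alice", &impostor.PublicKey, issue(1, "Rogue CA", &rogueKey.PublicKey, nil, rogueKey), rogueKey)
	o.UntrustedCA = res.Authorize(rogueCert, nonce, Respond(impostor, nonce))
	res.revoked[cert.SerialNumber.String()] = true
	o.Revoked = res.Authorize(cert, nonce, Respond(alice, nonce))
	return o
}

func main() {
	o := Scenario()
	fmt.Printf("legit: %v\nwrong key: %v\nrogue CA: %v\nrevoked: %v\n", o.Legit, o.WrongKey, o.UntrustedCA, o.Revoked)
}
```

Run it with `go run` and the first line prints `legit: <nil>`; the other three carry the reason for refusal. Note that the revocation check is only as good as the resource's copy of the revocation set, which is the slide's point: the signature on a revoked certificate still verifies, so revocation has to be distributed out of band.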
Our Class (course map)
Whole Facility / Internet Security – Protocols/Policy/Publicity
Path Security – Physical security
Proxy/Router Security – Kind of Server; Proxy/Router Applications – Put in Hardware! (buy CISCO)
Host Security – Server Security / Client Security; Server Applications / Client Applications
Security Server Applications – WINDOWS 2000
Security Assurance Applications
Web Server Security / Web Client Security
Technology / The Law
Cryptography – How To
Integrity / Privacy / Authenticate / Authorize / Record
Exam
• What is a security association?
• What did you have to do to get encrypted email to work with a few of your classmates?
• One or more of the following:
• In 100 Words, Explain how file encryption works in Windows.
• In 100 Words, Explain how Kerberos works and what it protects.
• Analyse Windows in terms of IPAAAA in 100 words.
• What does Interdomain (or across domain, or across realm) Trust Mean?
• Why is a ‘memory only’ smart card a possible security problem?
• Explain the DACL in 100 words.
• Explain the SACL in 100 words.
• How is a file authorized to a user in Windows 2000/XP in 150 words?
• Summarize the chapter on X in Stein (since mid term) in two sentences.
WS 9. Configuring Win NT Web Server
• Know how to set one up (what to expect from IIS)
• Windows 2000 is IIS 5
• Security Scanner http://security1.norton.com
IIS
• Microsoft Internet Information Server
– Like Apache and all others, has its own layer of authorization and authentication
– Apache is completely separate (see .htaccess)
– IIS is/can be completely integrated into the Domain
» Including trust among domains
• FrontPage
– Yet another access/authorization layer permitting authoring but no other access in the domain
– Careful! FP uses “.htaccess”-type files peppered around the Active Directory giving FP access (not integrated into the ACLs!)
– DO NOT APPLY GLOBAL ACCESS CHANGES ON FP DIRECTORIES WITHOUT USING FP! (You may need a special FP administration tool to re-set all the access controls).
IIS
• Standard HTTP Server
– Can basically behave exactly like one that utilizes all the features of HTTP and related protocols (e.g., SSL, CGI, virtual hosting).
– Very easy to manage (right click and look).
– Since users/groups in and between domains are the same as in Active Directory, use “security” (not sharing) to set up Web Access.
– Creating the user “WebServer” for the web server (p. 230 Stein) is probably still good. Note this is the creator-owner of the server and has to have local login rights.
Access Rights
Group            Admin Tools   Logs   Scripts   Documents
Web Masters      R             R      RW        RW
Web Developers   -             -      RW        RW
Web Authors      -             -      R         RW
Guests           -             -      R         R
Don’t make yourself a web author and web master – you’ll wind up being a web author!
Web Access Control
• Basic Access
– Response to 401
– Sends Base64 MIME plaintext username and password!
– This is in the clear unless SSL protected!
• Digest Authentication
– Server sends “nonce”
– Client sends an MD5 hash of the password
» Put digest, URL, nonce inside the digest to give integrity
– Server checks the hashed password, not the plaintext password
– Replay attack fails (except for the page in question).
• Kerberos (‘Windows Authentication’), including SSL Smartcard Client
• IE 5.0 and IIS5 incorporate good security together.
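Basic and Digest access as described above, as an added example that is not from the lecture, from Stein, or from IIS: it builds the Basic header to show that Base64 is recoverable by anyone on the path unless SSL protects it, then implements the RFC 2069 form of Digest (HA1 from user, realm and password; HA2 from method and URL; the server's nonce bound into the response) with the server storing only HA1. The realm, the user "alice", the password and the URLs are constructed values, and `DigestServer` is an illustrative type, not a real server's API.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Realm is a constructed value; a real server advertises its own in the 401.
const Realm = "course@example.test"

// md5hex is the H() of Digest authentication.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// BasicHeader is the Authorization header a client sends after a 401 for Basic.
func BasicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// BasicDecode is what anyone on the path can do with that header unless SSL
// protects it: Base64 is an encoding, not encryption.
func BasicDecode(header string) (user, pass string, err error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed Basic credentials")
	}
	return parts[0], parts[1], nil
}

// DigestResponse is the client's answer in the RFC 2069 form: HA1 hashes user,
// realm and password; HA2 hashes method and URL; the server's nonce binds both.
// The plaintext password never leaves the client.
func DigestResponse(user, pass, method, uri, nonce string) string {
	ha1 := md5hex(user + ":" + Realm + ":" + pass)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + ha2)
}

// DigestServer stores HA1 per user (never the plaintext password) and the
// nonces it has issued.
type DigestServer struct {
	ha1    map[string]string
	nonces map[string]bool
}

func NewDigestServer(passwords map[string]string) *DigestServer {
	s := &DigestServer{ha1: map[string]string{}, nonces: map[string]bool{}}
	for user, pass := range passwords {
		s.ha1[user] = md5hex(user + ":" + Realm + ":" + pass) // plaintext discarded after this
	}
	return s
}

// Nonce issues a fresh random challenge, sent in the WWW-Authenticate header.
func (s *DigestServer) Nonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n
}

// Check recomputes the digest from the stored HA1 and compares in constant
// time. A captured response replays only against the same URL under the same
// still-valid nonce: the slide's "except for the page in question".
func (s *DigestServer) Check(user, method, uri, nonce, response string) bool {
	ha1, known := s.ha1[user]
	if !known || !s.nonces[nonce] {
		return false
	}
	expect := md5hex(ha1 + ":" + nonce + ":" + md5hex(method+":"+uri))
	return subtle.ConstantTimeCompare([]byte(expect), []byte(response)) == 1
}

func main() {
	srv := NewDigestServer(map[string]string{"alice": "correct horse"}) // constructed credentials
	nonce := srv.Nonce()
	resp := DigestResponse("alice", "correct horse", "GET", "/private/index.html", nonce)
	fmt.Println("same page, same nonce:", srv.Check("alice", "GET", "/private/index.html", nonce, resp))
	fmt.Println("other page, same digest:", srv.Check("alice", "GET", "/private/admin.html", nonce, resp))
	fmt.Println("new nonce, old digest:", srv.Check("alice", "GET", "/private/index.html", srv.Nonce(), resp))
	u, p, _ := BasicDecode(BasicHeader("alice", "correct horse"))
	fmt.Println("Basic header decodes to:", u, p)
}
```

The three `Check` calls print `true`, `false`, `false`: the captured digest is good for the same page while its nonce lives, useless for another page, and dead once the server issues a new nonce. A server that also expires or single-uses nonces closes the remaining window.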
WS 10. Web Access Control
• Apache has a separate user/group system layered on top of Unix.
• IIS uses the user/group access system built into the MS Windows OS.
• Principles of these systems are largely universal. Always do a security checkout to “tighten down” access as much as possible.
– Lincoln Stein is right: define special, highly limited groups if you expose parts of your machine to the Internet.
Firewalls : Big Ideas
• Just a modified Gateway or Router or Server that doesn’t let every packet or message through.
• Extremely important for single point of control.
• Dedicated hardware (Bastion) is essential when possible
• Major Distinctions
– Circuit Level (ip)
– Application Level (http, ftp, etc.)
– Packet Filters (ip/tcp ports and machines)
How to think about firewalls: OSI layers
• Data link layer
• Network
• Transport
• Session
• Presentation
• Application
• Application Specific Access Controls
Typical Firewall
Firewall Computer (Stein’s “Bastion”) sits between the Inside LAN and the Outside LAN/WAN: physical separation.
Sometimes you use a router (hardware) to direct “interesting packets” to the Firewall Computer… to be forwarded if allowed. This is common for application layers, like web proxies.
“Proxy Servers” are application layer firewall/filter agents. They pretend to be the destination. When and why do they work?
Proxy ARP Firewall
Proxy ARP Firewall Computer sits between the Inside LAN and the Outside LAN/WAN, with interfaces eth0 and eth1 (an ‘inside the LAN’ firewall).
Proxy ARP responds to ARP (Address Resolution Protocol) requests with its own hardware address … so it gets the packets.
Needs two (physical) interfaces: on eth0 ARPs are all correct, but on eth1 all protected computer IP addresses get ARPed with the Firewall’s hardware address.
ARP: ‘broadcast: what’s the hardware address for IP address n.n.n.n?’
NAT
Masquerading Firewalls: look like one set of addresses from the outside and another from the inside.
Address Translation (NATs): many machines, one address, and also hides the many machines (one address from outside).
192.168.*.*, 10.*.*.*
NATs are an RFC! www.rfc-editor.com RFC 1631
• Class A (1–126) – 17 million hosts each
• Class B (128–191) – 65000 hosts
• Class C (192–223) – 256
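A masquerading NAT as on the slide, as an added example that is not from the lecture and not the text of RFC 1631: one public address fronts an inside network, each outbound inside address:port is given its own public port, replies are mapped back through that port, and inbound packets with no existing mapping are dropped, which is what hides the many machines. The type and method names (`NAT`, `Flow`, `Out`, `In`) are illustrative, and the addresses (10.0.0.0/8 inside, 203.0.113.1 as the public address, 198.51.100.x outside) are constructed from the documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Flow is the part of a packet a NAT rewrites: source and destination address:port.
type Flow struct {
	Src, Dst netip.AddrPort
}

// NAT masquerades every inside host behind one public address.
type NAT struct {
	inside   netip.Prefix              // the private range, e.g. 10.0.0.0/8
	public   netip.Addr                // the single address the outside sees
	nextPort uint16                    // next public port to hand out
	outbound map[netip.AddrPort]uint16 // inside src -> public port
	inbound  map[uint16]netip.AddrPort // public port -> inside src
}

func NewNAT(inside, public string) (*NAT, error) {
	pfx, err := netip.ParsePrefix(inside)
	if err != nil {
		return nil, err
	}
	pub, err := netip.ParseAddr(public)
	if err != nil {
		return nil, err
	}
	return &NAT{inside: pfx, public: pub, nextPort: 40000,
		outbound: map[netip.AddrPort]uint16{}, inbound: map[uint16]netip.AddrPort{}}, nil
}

// Out translates a packet leaving the inside LAN. Each inside (addr, port)
// gets its own public port so that replies can be routed back.
func (n *NAT) Out(f Flow) (Flow, bool) {
	if !n.inside.Contains(f.Src.Addr()) {
		return f, false // not an inside host; nothing to masquerade
	}
	port, ok := n.outbound[f.Src]
	if !ok {
		port = n.nextPort
		n.nextPort++
		n.outbound[f.Src] = port
		n.inbound[port] = f.Src
	}
	return Flow{Src: netip.AddrPortFrom(n.public, port), Dst: f.Dst}, true
}

// In translates a packet arriving from the outside. Only packets matching a
// mapping created by earlier outbound traffic get through; everything else is
// dropped, which is how the NAT hides the inside machines.
func (n *NAT) In(f Flow) (Flow, bool) {
	if f.Dst.Addr() != n.public {
		return f, false
	}
	orig, ok := n.inbound[f.Dst.Port()]
	if !ok {
		return f, false
	}
	return Flow{Src: f.Src, Dst: orig}, true
}

func mustAP(s string) netip.AddrPort { return netip.MustParseAddrPort(s) }

func main() {
	// Constructed addresses: 10.0.0.0/8 inside, 203.0.113.1 public, 198.51.100.7 a web server outside.
	nat, err := NewNAT("10.0.0.0/8", "203.0.113.1")
	if err != nil {
		panic(err)
	}
	out, _ := nat.Out(Flow{Src: mustAP("10.0.0.5:4000"), Dst: mustAP("198.51.100.7:80")})
	fmt.Println("outbound becomes:", out.Src, "->", out.Dst)
	reply, ok := nat.In(Flow{Src: mustAP("198.51.100.7:80"), Dst: out.Src})
	fmt.Println("reply delivered to:", reply.Dst, ok)
	_, ok = nat.In(Flow{Src: mustAP("198.51.100.9:443"), Dst: mustAP("203.0.113.1:22")})
	fmt.Println("unsolicited inbound passed:", ok)
}
```

The mapping table is the whole security property: an outside host can only reach an inside port that an inside host has already opened a conversation from, and the table entry names which one. A real NAT also ages entries out, which this example omits.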
What’s a Proxy?
• Needs to be defined in the protocol.
• Layer and Message Structure?
• IP: Source IP, Dest IP, ID, PROTOCOL, Length
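The IP header fields listed above, together with the packet-filter distinction from the firewall “Big Ideas” slide, as an added example that is not from the lecture: it parses a raw IPv4 datagram into source, destination, ID, protocol and length (and the TCP/UDP destination port when the protocol has one), then runs a first-match, default-deny rule table over constructed packets. The rule table, the addresses (192.168.0.0/16 inside, 198.51.100.7 outside) and the `packet` builder are constructed for illustration and are not any product’s configuration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// IPv4 holds the header fields the slide lists (source, destination, ID,
// protocol, length) plus the transport destination port when one is present.
type IPv4 struct {
	Src, Dst netip.Addr
	ID       uint16
	Protocol uint8
	Length   uint16
	DstPort  uint16 // 0 for protocols without ports (e.g. ICMP)
}

const ProtoTCP, ProtoUDP = 6, 17

// Parse decodes a raw IPv4 datagram, honouring IHL and checking the lengths.
func Parse(b []byte) (IPv4, error) {
	if len(b) < 20 || b[0]>>4 != 4 {
		return IPv4{}, errors.New("not an IPv4 packet")
	}
	ihl := int(b[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(b[2:4]))
	if ihl < 20 || total < ihl || total > len(b) {
		return IPv4{}, errors.New("inconsistent header/total length")
	}
	src, _ := netip.AddrFromSlice(b[12:16])
	dst, _ := netip.AddrFromSlice(b[16:20])
	p := IPv4{Src: src, Dst: dst, ID: binary.BigEndian.Uint16(b[4:6]), Protocol: b[9], Length: uint16(total)}
	// TCP and UDP both carry the destination port in bytes 2-3 of their header.
	if (p.Protocol == ProtoTCP || p.Protocol == ProtoUDP) && total-ihl >= 4 {
		p.DstPort = binary.BigEndian.Uint16(b[ihl+2 : ihl+4])
	}
	return p, nil
}

// Rule is one line of a packet-filter table; zero values mean "any".
type Rule struct {
	Allow    bool
	Protocol uint8
	Src, Dst netip.Prefix
	DstPort  uint16
}

func (r Rule) matches(p IPv4) bool {
	return (r.Protocol == 0 || r.Protocol == p.Protocol) &&
		(!r.Src.IsValid() || r.Src.Contains(p.Src)) &&
		(!r.Dst.IsValid() || r.Dst.Contains(p.Dst)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter applies the first matching rule; unparseable or unmatched packets are
// dropped (default deny).
func Filter(rules []Rule, raw []byte) (bool, IPv4) {
	p, err := Parse(raw)
	if err != nil {
		return false, p
	}
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow, p
		}
	}
	return false, p
}

// packet builds a constructed 28-byte datagram: 20-byte header, 8-byte transport stub.
func packet(src, dst string, proto uint8, dstPort uint16) []byte {
	b := make([]byte, 28)
	b[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(b[2:4], 28)
	binary.BigEndian.PutUint16(b[4:6], 0x1234) // identification
	b[8], b[9] = 64, proto                     // TTL, protocol
	s, d := netip.MustParseAddr(src).As4(), netip.MustParseAddr(dst).As4()
	copy(b[12:16], s[:])
	copy(b[16:20], d[:])
	binary.BigEndian.PutUint16(b[22:24], dstPort)
	return b
}

// OutsideRules is a constructed table for the outside interface: drop anything
// claiming an inside source address, allow HTTP to one web server, deny the rest.
var OutsideRules = []Rule{
	{Allow: false, Src: netip.MustParsePrefix("192.168.0.0/16")},
	{Allow: true, Protocol: ProtoTCP, Dst: netip.MustParsePrefix("192.168.1.10/32"), DstPort: 80},
}

func main() {
	for _, raw := range [][]byte{
		packet("198.51.100.7", "192.168.1.10", ProtoTCP, 80),
		packet("198.51.100.7", "192.168.1.10", ProtoTCP, 139),
		packet("192.168.1.50", "192.168.1.10", ProtoTCP, 80),
	} {
		ok, p := Filter(OutsideRules, raw)
		fmt.Printf("%s -> %s proto %d port %d: allowed=%v\n", p.Src, p.Dst, p.Protocol, p.DstPort, ok)
	}
}
```

Rule order matters: the anti-spoofing deny comes first, so a packet arriving on the outside interface with an inside source address is dropped even when it is aimed at the permitted web port. Everything the table does not name falls through to deny, which is the “doesn’t let every packet through” idea of the slide made concrete.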
Windows 2000 Firewall
• ISA (firewall protocol)
• http://support.microsoft.com/support/kb/articles/q179/4/42.asp
– Ports 135, 137, 138, 139: domain trust
– 389, 636, 3268, 3269, 88: LDAP and Kerberos
• IPSec Gateway mode is for firewalls that have to do proxy or address translation.
European Union (modern buildings in background).
Information Privacy
• Technology
• Law
No matter how much you want to, you can’t get technology out of privacy or the law out of privacy.
Privacy (for People)
• Privacy means keeping things secret
• PII : Personally Identifiable Information
• PI : Personal Information
• Basic Tension:
– Keep people safe from intrusion (BBB Online)
– Market to people (Direct Marketing Assn.), keep statistics important to research and operations such as medicine and hospitals
• Literature: a major branch of security
– Elaborate systems for anonymity
Out of Common Criteria
• Types of information privacy
– Anonymity
– Pseudonymity
– Unlinkability
– Unobservability
• User control / info management
– Notification, consent, accessibility, validation
• Security protection
Technological Organization (Dr. David-Olivier Jaquet-Chiffelle)
[Diagram: Anonymity, Unlinkability, Unobservability and Pseudoanonymity arranged along Theoretical vs. Practical and Conditional vs. Unconditional axes]
Legal/Technical Organization: ‘The Law defines its own world’
[Diagram: Anonymity, Unlinkability, Unobservability and Pseudoanonymity arranged along Law vs. Technical and Conditional vs. Unconditional axes]