CS 4720
Security
CS 4720 – Web & Mobile Systems
The Traditional Security Model
• The Firewall Approach
• “Keep the good guys in and the bad guys out”
Distributed System Security
• “Islands of Security”
A Paradigm Shift without a Clutch
• These models were just fine when corporations had their own networks
• If you needed in, you used a VPN
• Now the open Internet is used as the main network
• How does this change the security model?
• Consider this: how do you access a web service?
A Paradigm Shift without a Clutch
• Firewall security happens at the network layer
• But now we need access on a per-application basis
• How can we achieve that?
A Paradigm Shift without a Clutch
• Web services are designed to penetrate firewalls, since they use port 80
• Application-level security is needed to examine:
  – Who is making a request
  – What info is being accessed
  – Which service is being addressed
• IP based security is still needed though!
Application Security 101
• What are some basic things you do to protect your system at the application level?
• Catch exceptions and don’t show detailed error messages
• Hide interfaces
• “Don’t trust your users”
• Encryption
Application Security 101
• Well… shoot.
• Web services:
  – Have publicly announced interfaces!
  – Must return detailed exceptions to debug systems!
  – At some level, must trust users!
• We need security that is basically XML-aware
System Security
• Human: social engineering attacks
• Physical: “steal the server itself”
• Network: treat your server like a 2 year old
• Operating System: the war continues
• Application: just discussed
• Database: protecting the data
XML-Aware Security
• Must be able to inspect content of network traffic
• Must be able to make authorization decisions
• Must be able to make authentication decisions
• Must be able to verify XML as valid for this transaction
• Must also deal with confidentiality and privacy concerns (encryption, message integrity, audit)
Web Service Security Concerns
• Unauthorized Access: people view info that they shouldn’t from a message
• Unauthorized Alteration: an attacker modifies part of a message
• Man-in-the-Middle: an attacker sits in between two parties and views messages (or alters them) as they pass by
• Denial-of-Service: flood the service with so many messages that it can’t keep up
Network Level Security
• Let’s start with the basic stuff
• Firewalls
  – IP Packet Filtering
    • Static Filtering: follow the rules and toss whatever you see
    • Stateful Filtering: allow for dynamically changed rules as requests go out from inside the firewall
  – Packet filtering only works on IP address… not on the people using the IP address
  – Further, no idea what the payload is
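The static vs. stateful distinction above, as an added example that is not from the slides: a toy filter in Go where an outbound request opens a dynamic rule for its reply, while a packet from a permitted address is let through whatever its payload. Packet, StaticFilter, StatefulFilter and the addresses are constructed for illustration.

```go
package main

import "fmt"

// Packet is a constructed, simplified IP packet. A packet filter sees only the
// addresses and direction, never who is behind the address or what the payload is.
type Packet struct {
	Src, Dst string
	Inbound  bool   // true when arriving from the Internet side
	Payload  string // carried, but never examined by either filter below
}

// StaticFilter follows fixed rules: inbound packets are dropped unless the source is listed.
type StaticFilter struct{ AllowedInbound map[string]bool }

func (f StaticFilter) Allow(p Packet) bool {
	if !p.Inbound {
		return true // outbound traffic may leave
	}
	return f.AllowedInbound[p.Src]
}

// StatefulFilter adds a dynamic rule whenever a request goes out from inside,
// so the reply from that peer is let back in without a static rule for it.
type StatefulFilter struct {
	StaticFilter
	flows map[string]bool // "inside<->outside" pairs opened by outbound requests
}

func NewStatefulFilter(allowed map[string]bool) *StatefulFilter {
	return &StatefulFilter{StaticFilter{allowed}, map[string]bool{}}
}

func (f *StatefulFilter) Allow(p Packet) bool {
	if !p.Inbound {
		f.flows[p.Src+"<->"+p.Dst] = true
		return true
	}
	if f.flows[p.Dst+"<->"+p.Src] { // a reply to something inside asked for
		return true
	}
	return f.StaticFilter.Allow(p)
}

func main() {
	sf := NewStatefulFilter(map[string]bool{"203.0.113.5": true})
	fmt.Println(sf.Allow(Packet{"10.0.0.7", "198.51.100.9", false, "GET /"}))     // true
	fmt.Println(sf.Allow(Packet{"198.51.100.9", "10.0.0.7", true, "200 OK"}))     // true, reply
	fmt.Println(sf.Allow(Packet{"198.51.100.20", "10.0.0.7", true, "SYN"}))       // false, unsolicited
	fmt.Println(sf.Allow(Packet{"203.0.113.5", "10.0.0.7", true, "any payload"})) // true, never inspected
}
```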
Network to Application
• Application-specific proxy servers
  – A connection comes in to the proxy
  – It verifies the user and payload
  – Then creates a connection to the application server
• Disadvantages?
Encryption
• Without going too deep into this…
• There are three basic “types” of encryption methodologies that we use on the Internet:
  – Symmetric
  – Asymmetric
  – Digital Signature / Certificate
• Encryption can address: authentication, confidentiality, and integrity of a message
Application Level Security
• Refers to security safeguards built into a particular application that operate independently of the network-level security
• Authentication
• Authorization
• Integrity / Confidentiality
• Non-repudiation / Auditing
Authentication
• Verifying that the requester is the requester…
• … and that the service is the service
• This requires a mechanism of “proof of identity”
• What are some ways to accomplish this?
• Username / password
• Signed Certificates
• Kerberos
Kerberos
• A third party system for authentication and encryption
• What was Kerberos?
A little closer to home
• Netbadge (or more accurately, PubCookie)
• http://www.pubcookie.org/docs/how-pubcookie-works.html
Authorization
• Now that we know who you are, what are you allowed to do?
• Permissions
• Role-based security
• How does this work in a database system?
• How about an operating system?
Integrity / Confidentiality
• What happens if a message is:
  – Captured and reused?
  – Captured and modified?
  – Monitored as it passes by in a passive manner?
• How do we verify a message hasn’t been tampered with?
  – Digital signature
• How do we verify it hasn’t been viewed?
  – Encryption
Non-repudiation / Auditing
• When we’re charging to use a web service, how do we prove you used the service so we can charge you?
• How do we track your activities?
• Digitally signed logs, effectively
• Also saves the certificate used to perform the transaction (like a signature on a receipt)
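Added example, not part of the original slides, covering the last two slides together: an Ed25519-signed message whose signature also covers a nonce and a timestamp, so a captured-and-modified or captured-and-reused copy is rejected, and each accepted message is stored with its signature as the audit record. SignedMessage, Service and the 5-minute window are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Constructed wire format: the signature covers body, nonce and timestamp together.
type SignedMessage struct {
	Body      string
	Nonce     string // random and unique per message
	Timestamp int64  // Unix seconds
	Signature []byte
}

func signedBytes(m SignedMessage) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", m.Body, m.Nonce, m.Timestamp))
}

func Sign(priv ed25519.PrivateKey, body string, now time.Time) SignedMessage {
	n := make([]byte, 16)
	rand.Read(n)
	m := SignedMessage{Body: body, Nonce: fmt.Sprintf("%x", n), Timestamp: now.Unix()}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Service keeps each accepted message with its signature (the "signature on the receipt").
type Service struct {
	seen     map[string]bool // nonces already accepted, for replay detection
	AuditLog []SignedMessage
}

func NewService() *Service { return &Service{seen: map[string]bool{}} }
func (s *Service) Accept(pub ed25519.PublicKey, m SignedMessage, now time.Time) error {
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return fmt.Errorf("bad signature: altered, or not from the key holder")
	}
	if d := now.Unix() - m.Timestamp; d > 300 || d < -300 {
		return fmt.Errorf("timestamp outside 5-minute window: possible replay")
	}
	if s.seen[m.Nonce] {
		return fmt.Errorf("nonce already used: replay")
	}
	s.seen[m.Nonce] = true
	s.AuditLog = append(s.AuditLog, m)
	return nil
}
```

Because the log stores the signature rather than a plain text line, a later dispute can be settled by re-verifying the entry against the sender's public key.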
XML Trust Services
• XML Signatures
• XML Encryption
• XML Key Management and Single Sign-On
• Basically the same stuff we just talked about, but now in glorious XML!
Let’s build a secure system!
• Get with your team
• You have been tasked by Hortfield Incorporated to build a secure web service system that, for a price, will return to you the answers for the next test in a given class
• Users, of course, have to pay for this service
• And it has to be totally secure to keep the honor council away
• What do you do?
So… seriously, what should we do?
• When you are asked to build a secure web system, start with the six layers of security
  – Database
  – OS
  – Network
  – Application
  – Physical
  – Human
• And then go one by one…
In case of a corporate environment…
• You might think that if you’re a new programmer in a corporate environment, a lot of this is not going to be decided by you
• You’re going to be following a predetermined system spec
• However, some of you won’t be programmers
• Many of you will be system architects and system designers, and the programmers will be asking YOU what to do!
From Before
• We talked about a need for:
  – Authentication
  – Authorization
  – Integrity / Confidentiality
  – Non-repudiation / Auditing
• How do we achieve these with web services?
What did this cover?
• Authentication:
  – Certificate authority can vouch for sender
  – Username and Password are part of WS-Security
  – Public/Private key pair
• Integrity/Confidentiality:
  – Signatures
  – Encryption
  – All the good stuff
Authorization?
• Doesn’t take place at this “transfer” level
• More with user groups in the application
• Database users
• File system permissions
• Have a good role-based security policy
  – People only have access to just enough info and nothing more
  – Nothing runs as root
  – Privileges are given out in a very specific fashion
Non-repudiation?
• Either done through text logs or a DB table with transactions
  – Probably a DB table would be better
• Record the signature and important activities that the user performed
Ugh, I have to figure all this out?
• If you are building your own service based on JSON/XML and you want to secure it… yup
• But if you’re doing SOAP, there’s an agreed-upon standard
• WS-Security
  – Provides rules for how to handle all security for SOAP web services
  – Provides schema for the XML to make all this work
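As an added example of the WS-Security username/password mechanism mentioned above (code written for this page, not taken from the slides or from any WS-Security library): the UsernameToken Profile's PasswordDigest, Base64(SHA-1(nonce + created + password)), built on the client side and recomputed on the service side from the parsed XML. The Go struct, the simplified element names without wsse prefixes, the lookup callback and the five-minute freshness window are this example's assumptions.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// UsernameToken mirrors wsse:UsernameToken; the wsse namespace prefixes are left out here.
type UsernameToken struct {
	XMLName  xml.Name `xml:"UsernameToken"`
	Username string   `xml:"Username"`
	Password string   `xml:"Password"` // carries the PasswordDigest, never the password itself
	Nonce    string   `xml:"Nonce"`    // base64 of random bytes
	Created  string   `xml:"Created"`  // UTC timestamp
}

// PasswordDigest per the profile: Base64(SHA-1(nonce || created || password)), nonce as raw bytes.
func PasswordDigest(nonce []byte, created, password string) string {
	sum := sha1.Sum([]byte(string(nonce) + created + password))
	return base64.StdEncoding.EncodeToString(sum[:])
}
func NewToken(user, password string, nonce []byte, created time.Time) UsernameToken {
	c := created.UTC().Format(time.RFC3339)
	return UsernameToken{Username: user, Created: c, Nonce: base64.StdEncoding.EncodeToString(nonce),
		Password: PasswordDigest(nonce, c, password)}
}

// VerifyToken is the service side's XML-aware check: parse, reject stale Created, recompute digest.
func VerifyToken(raw []byte, lookup func(user string) (string, bool), now time.Time) error {
	var t UsernameToken
	err := xml.Unmarshal(raw, &t)
	pw, ok := lookup(t.Username) // the service needs the password itself to recompute the digest
	nonce, nerr := base64.StdEncoding.DecodeString(t.Nonce)
	created, cerr := time.Parse(time.RFC3339, t.Created)
	if err != nil || !ok || nerr != nil || cerr != nil {
		return fmt.Errorf("malformed token or unknown user")
	}
	if d := now.Sub(created); d > 5*time.Minute || d < -5*time.Minute {
		return fmt.Errorf("created timestamp outside freshness window: possible replay")
	}
	want := PasswordDigest(nonce, t.Created, pw)
	if subtle.ConstantTimeCompare([]byte(want), []byte(t.Password)) != 1 {
		return fmt.Errorf("digest mismatch: wrong password or altered token")
	}
	return nil
}
```

The digest only keeps the password out of the message; a token can still be replayed inside the freshness window, so a real service also keeps a cache of nonces it has already accepted.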