Web Security
Introduction
(Some of the slides were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)
Web Security 2
Chapter 1
• Internet
• WWW
• Terms:
– vulnerabilities, threats, countermeasures
• Generic security model
– Security policy
– Host security
– Network security
– Organizational security
– Legal security
Web Security 3
Internet
• Has seen dramatic growth since 1995
• Has evolved from the collegial internetwork for researchers in the 70s and 80s into today’s global Internet for …
– Fun
– Commercial transactions
– Education
– …
• Has seen all types of security breaches …
Web Security 4
Internet
• The Internet has become a popular target to attack (the number of security breaches has in fact escalated faster than the growth rate of the Internet)
• Security problems receive public attention
• Examples
– Internet Worm (e.g., Robert T. Morris, Jr. in 1988)
– Password sniffing (1994)
– IP spoofing and sequence number guessing (e.g., Kevin Mitnick in 1995)
– Session hijacking
– (Distributed) denial-of-service attacks (since 1996)
Web Security 5
DoS via SYN Flood
• A: the initiator; B: the destination
• TCP connection setup is multi-step
– A: SYN to initiate
– B: SYN+ACK to respond
– A: ACK completes the agreement
• Sequence numbers are then incremented for subsequent messages
– Ensures message order
– Retransmit if lost
– Verifies that the party really initiated the connection
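The handshake above, simulated from the listener's (B's) side as an added example that is not part of the original slides. It keeps a small bounded table of half-open attempts (SYN received, SYN+ACK sent, A's ACK still missing), checks that A's ACK acknowledges B's sequence number, and shows what a defender sees when one source leaves many attempts unanswered. The backlog limit, the deterministic initial sequence numbers and the addresses are all constructed assumptions.

```python
"""Simplified TCP three-way handshake on the listener (B) side, with a
bounded half-open backlog, to show why unanswered SYNs exhaust it and
how a defender can spot the source. Constructed example; not from the
slides. Backlog size, ISN generation and addresses are assumptions."""
import itertools
from collections import Counter

BACKLOG_LIMIT = 4  # assumed tiny backlog so exhaustion is visible in a few steps


class Listener:
    """State B keeps per connection attempt: half-open until A's ACK arrives."""

    def __init__(self, backlog_limit=BACKLOG_LIMIT):
        self.backlog_limit = backlog_limit
        self.half_open = {}      # (src, sport) -> ISN that B sent in its SYN+ACK
        self.established = set()
        self.dropped = 0         # SYNs refused because the backlog was full
        self._isn = itertools.count(1000)  # assumed deterministic ISNs (real stacks randomize)

    def on_syn(self, src, sport):
        """Steps 1 and 2: A's SYN arrives; B answers SYN+ACK and parks the attempt."""
        if len(self.half_open) >= self.backlog_limit:
            self.dropped += 1
            return None          # no room: B cannot even answer this SYN
        isn = next(self._isn)
        self.half_open[(src, sport)] = isn
        return isn               # sequence number carried in B's SYN+ACK

    def on_ack(self, src, sport, ack):
        """Step 3: A's ACK must acknowledge B's ISN + 1, which proves A saw
        the SYN+ACK and so really initiated the connection."""
        key = (src, sport)
        isn = self.half_open.get(key)
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def half_open_by_source(listener):
    """Defender view: how many unanswered SYN+ACKs each source has outstanding."""
    return Counter(src for (src, _sport) in listener.half_open)


def suspicious_sources(listener, threshold=3):
    """Sources holding at least `threshold` half-open slots (assumed threshold)."""
    return {src for src, n in half_open_by_source(listener).items() if n >= threshold}


def run_scenario():
    """Constructed trace: one honest client completes the handshake, one
    source sends SYNs without ever ACKing, then a second honest client is
    refused because the backlog is full."""
    b = Listener()
    isn = b.on_syn("10.0.0.5", 40001)
    b.on_ack("10.0.0.5", 40001, isn + 1)          # honest A finishes step 3
    for sport in range(50000, 50000 + BACKLOG_LIMIT):
        b.on_syn("192.0.2.9", sport)              # never followed by an ACK
    late = b.on_syn("10.0.0.6", 40002)            # backlog is full now
    return b, late


if __name__ == "__main__":
    b, late = run_scenario()
    print("established:", sorted(b.established))
    print("half-open per source:", dict(half_open_by_source(b)))
    print("second client refused:", late is None, "| suspicious:", suspicious_sources(b))
```

The toy models only the backlog exhaustion itself; it does not model the mitigations real stacks apply (timing out half-open entries, SYN cookies that avoid storing state until the ACK arrives, or per-source rate limits), which is exactly where the half-open counter above would feed into a defender's response.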
Web Security 6
Internet Protocols
Web Security 7
WWW
• The Web
• Based on the HTTP protocol
• An application-level protocol
• HTTP is a simple request/response protocol
• Lightness and speed are necessary for distributed, collaborative, hypermedia information systems
• A stateless protocol
Web Security 8
HTTP & History of the WWW
[HTTP 1991] The Original HTTP as defined in 1991
[HTTP 1992] Basic HTTP as defined in 1992
[HTTP 1996] RFC1945: Hypertext Transfer Protocol -- HTTP/1.0. Informational.
[HTTP 1999] RFC2616: Hypertext Transfer Protocol -- HTTP/1.1.
[irt.org 1998] WWW – How It All Began.
[isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.
Web Security 9
HTTP
• Can be used for many tasks, such as name servers and distributed object management systems, through extension of its request methods
• Its data typing feature allows systems to be built independently of the data being transferred
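The request/response and data typing points from the two HTTP slides, as an added example that is not part of the original slides: a minimal HTTP/1.0 message parser, a handler that answers each request from nothing but that request (the statelessness the slide names), and a response parser a client would use to dispatch on the declared Content-Type. The document table, the paths and the bodies are constructed; only GET is served.

```python
"""Minimal HTTP/1.0 request/response handling. Constructed example, not
code from the slides; DOCUMENTS, its paths and bodies are assumptions."""

# Constructed table standing in for the server's files: path -> (body, media type).
DOCUMENTS = {
    "/index.html": (b"<html><body>Hello</body></html>", "text/html"),
    "/status.json": (b'{"ok": true}', "application/json"),
}


def parse_request(raw: bytes):
    """Split a raw request into (method, target, version), headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return (method, target, version), headers, body


def build_response(status: str, body: bytes, content_type: str) -> bytes:
    """Status line, the data-typing header, the length, blank line, body."""
    head = (f"HTTP/1.0 {status}\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("iso-8859-1") + body


def handle(raw: bytes) -> bytes:
    """Stateless handler: the reply depends only on this one request,
    never on anything a previous request said."""
    try:
        (method, target, _version), _headers, _body = parse_request(raw)
    except ValueError as exc:
        return build_response("400 Bad Request", str(exc).encode(), "text/plain")
    if method != "GET":
        return build_response("405 Method Not Allowed", b"", "text/plain")
    if target not in DOCUMENTS:
        return build_response("404 Not Found", b"", "text/plain")
    body, ctype = DOCUMENTS[target]
    return build_response("200 OK", body, ctype)


def parse_response(raw: bytes):
    """Client side: (status, headers, body); the declared length must match."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status = lines[0].split(" ", 1)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if int(headers.get("content-length", len(body))) != len(body):
        raise ValueError("body length does not match Content-Length")
    return status, headers, body


if __name__ == "__main__":
    # Constructed request; the Host header is parsed but not needed by this server.
    reply = handle(b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n")
    status, headers, body = parse_response(reply)
    print(status, headers["content-type"], body)
```

Because `handle` keeps no state, two identical requests always get identical answers; anything a web application wants to remember between requests has to be carried explicitly (for example in headers), which is the root of the session-handling problems the rest of the course deals with.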
Web Security 10
Current Trends
• Web services are being designed and deployed on the WWW.
– Centered around the XML protocol
– Example initiatives:
• MS .NET
• Sun ONE (Open Net Environment)
– Protocols:
• WSDL, SOAP, UDDI, …
Web Security 11
Web Services
Web Security 12
Some terminology
• Vulnerability
– A weakness that can be exploited
• Threat
– A circumstance, condition, or event that may violate a system’s security by exploiting the system’s vulnerabilities
• Control (or countermeasure)
– A feature, function, tool, or mechanism that either reduces a system’s vulnerabilities or counters its threat(s)
Web Security 13
Sample Controls
• Firewalls
• VPN
• SSL / TLS
• S/MIME
• Kerberos
• …
Web Security 14
The Bigger Picture
• Security in any system, including Web security, encompasses many aspects.
– Policies
– Technical
• Network security
• Host security
– Non-technical
• Organizational
• Legal
Web Security 15
Policies
• High-level statements of what is allowed and what is not allowed
• Example policy statements
– “Any access from the Internet to intranet resources must be strongly authenticated and properly authorized.”
– “Any classified data must be properly encrypted for transmission.”
• Policies are enforced by the overall architectural design and various mechanisms.
Web Security 16
Host Security
• User authentication
• Access control (to resources)
• Secure storage of data
• Secure processing of data
• Audit trail
Web Security 17
Network Security
• The security of the underlying network is critical to assure the security of networked applications, including Web and other Internet applications.
• A security breach that occurs at a lower layer (e.g., ICMP) may result in a major problem at a higher layer (e.g., a DoS attack on the Web server).
Web Security 18
Services vs Mechanisms
• Example security services
– Authentication, confidentiality of data, data integrity, access control, non-repudiation, …
• Example security mechanisms
– Passwords for user authentication
– Biometrics for user authentication
– RSA encryption for data confidentiality
– Digital signature for …
– Routing control
– Firewalls
– …
Web Security 19
Organizational Security
• Security is also a people problem.
• In fact, human behavior is still the most important factor with regard to security and safety.
• Human behavior may be influenced by religion, ethics, education, or organizational security controls.
• Organizational security controls include directions/instructions that define legitimate human behavior and operational procedures in the organization.
Web Security 20
Legal Security
• As a last resort: to legally prosecute the attacker(s)
• Need support and evidence provided by the various security services
• Example: non-repudiation of an e-contract