Telecommunications and Network Security
Network Security
Firewall
Basic building-block technologies of a firewall: packet filtering (typically a piece of hardware), circuit gateways (composed of two software modules), and proxy software (also called application gateways). They can be combined, mixed, and matched. Several configurations:
Packet Filtering Router
- router or computer running software at the junction
- Network Level
- reads only the packet header: source address, destination address, and the source and destination ports. It does not inspect the data beyond the header.
- secure and nonintrusive
- transparent to web services
- allows or disallows sets of users, hosts, and services to pass through
- does not work well with protocols that call back from outside to inside to set up the connection, e.g. FTP and X-Windows. There is no way to know ahead of time which port the outside connection request will call back on.
- Bastion firewall, dual-homed gateway - has two network interfaces. It protects the internal LAN by applying packet-filtering rules at the external interface, acting as a proxying gateway between the LAN and the Internet.
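An added example (not from the original notes) of the header-only decision a packet-filtering router makes: rules match addresses, protocol and ports with first-match semantics and a default deny, and the constructed FTP case shows why a filter that sees only headers cannot admit an inbound data connection on a port the client chose at run time. All addresses, ports and rules are constructed for illustration.

```python
"""Added example (not from the original notes): a model of a packet-filtering
router. It looks only at header fields (addresses, protocol, ports), applies
rules first-match with a default deny, and shows why a stateless filter cannot
admit an inbound FTP data connection whose port it could not know in advance.
Every address, port and rule below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp" or "any"
    sport: object   # int, (lo, hi) or "any"
    dport: object   # int, (lo, hi) or "any"

    @staticmethod
    def _net_ok(cidr, addr):
        return cidr == "any" or ip_address(addr) in ip_network(cidr)

    @staticmethod
    def _port_ok(spec, port):
        if spec == "any":
            return True
        if isinstance(spec, tuple):
            return spec[0] <= port <= spec[1]
        return spec == port

    def matches(self, p):
        # Only header fields are consulted; the payload is never read.
        return (self._net_ok(self.src, p.src) and self._net_ok(self.dst, p.dst)
                and self.proto in ("any", p.proto)
                and self._port_ok(self.sport, p.sport)
                and self._port_ok(self.dport, p.dport))


def decide(rules, packet):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


LAN = "10.0.0.0/8"   # constructed internal network behind the router

# Rules applied to packets arriving on the external interface.
INBOUND = [
    Rule("allow", "any", LAN, "tcp", "any", 80),   # public Web server
    Rule("allow", "any", LAN, "tcp", "any", 25),   # mail
]

# Admitting active-mode FTP data connections statelessly means opening every
# high port to anything arriving from source port 20, which is the weakness
# the notes describe; shown only to make the trade-off concrete.
INBOUND_WITH_ACTIVE_FTP = INBOUND + [
    Rule("allow", "any", LAN, "tcp", 20, (1024, 65535)),
]


def ftp_callback():
    """An outside FTP server calling back to a client-chosen high port."""
    return Packet("203.0.113.9", "10.0.0.42", "tcp", 20, 51234)
```

The two rule sets make the FTP point from the notes concrete: with `INBOUND` the callback is dropped because no rule names port 51234, and the only stateless way to let it through is the broad high-port rule in `INBOUND_WITH_ACTIVE_FTP`.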
Circuit Gateway
- circuit gateway and application gateway are two types of software running on the gateway machine
- gateways are computers that sit between two networks. They perform some of the functions of a router
- higher level - at the operating system layer, specifically in TCP/IP network calls:
socket ( )
connect ( )
bind ( )
- consists of two parts: client-side on workstations and relay on gateway machine. The relay software program on the gateway machine blindly copies packets between outside port and inside port opened by the client (browser).
- the relay program copies data packets back and forth between the dual ports on the gateway machine
Application Gateway
- a proxy is called an application gateway when it is used in a firewall topology to structure and control access.
- the proxy runs on the gateway machine and acts as a relay for a single service or application
- moreover, because it incorporates some of the application's protocol, it works for only one or a few specific services, such as Telnet, FTP, or HTTP. Other than some configuration changes, the client software remains unchanged. The application gateway is not totally transparent to the user: redirection of the connection is required.
- it acts as both a server (to the browser) and a client (to the Web server)
- it can selectively filter out characters, e.g. ";" may be harmful to a shell script containing system( )
- because of the complexity of the application gateway program, it is vulnerable to attack from outside, so it should not reside on the exposed Internet gateway. In this case, a packet filtering router can be used to fortify the security of the gateway. This kind of firewall configuration is called the screened host.
For inbound traffic, it is recommended to place the Web server outside the firewall. For a public service site, a screened subnet firewall is essentially the same as the screened host, except that the network (screened subnet) on which the gateway resides is expanded to accommodate one or more other servers. There is also an optional inner choke firewall (or a router) that blocks all network traffic from the web server and protects the hosts on the private inner network.
The integrity of the firewall should be rigorously protected, since it is the central point of access and control. Logging access requests is an effective way to monitor the security for a whole net.
Web Security
Ordinary Non-human-centric Framework
- Defining Assets
- Defining Risks
- Establishing a Security Policy for the Web Service
- Choosing the Right Security Mechanisms
Defining Assets
- identify and categorize the assets to be protected
- the integrity of the sources is considered an asset too
- consumer's - his data and applications, platform's OS, and network
- server's - his data and services on the Web platform, OS, and network
Defining Risks
- list a wide range of possible vulnerabilities of the information service under a wide range of variable conditions. For Web service, there are three main areas:
- Threats
- "cracking" passwords
- dictionary attack (prevented by limiting access)
- Trojan horse
- guessing (prevented by using meaningless password)
- "sniffing" passwords
- password and info are transmitted in clear-text mode
- tools are available, so it is a "lowbrow" attack
- best defense by encryption
- To Consumer
- Information Leakage
Referer header - a back pointer, the name of the document that contained the hyperlink that was selected. It can leak information about the type and version of the user's browser, the structure and content of the file system on the Web browser platform, etc.
- Content Negotiation - lets the browser reject hazardous content (MIME types), but servers usually do not implement content negotiation on the Accept header.
- "Man in the Middle" attack - a false Web server (a Web server sends a digital certificate issued by a Certificate Authority (CA) to the requester to authenticate itself. For SSL, the public keys of the CAs were embedded in the browser during software installation.)
- Web server vulnerabilities
- Use of common gateway interface and forms
- Perl and the UNIX shell can execute a wide variety of system functions, so they are dangerous (the safer Java language is an alternative).
- Granting access to all
- vulnerable to denial-of-service attack - by definition, every httpd of a Web server must accept GET method requests. Compare this with the Telnet server, which requires the user to log in successfully before any service requests are accepted.
- sendmail must run as superuser
- NCSA Web server can restrict the HTTP methods like:
- disabling PUT and POST
- only GET can be used
- Privileged programs
- Web server does not need root privilege to read and serve document
- apply the "principle of least privilege" to stop access
- Large, New, and Untested program
- Memory Buffer Overflow, e.g., finger server used in the Internet worm
- UNIX C Library bug, e.g., finger server used in the Internet worm
- HTTP protocol is relatively new, e.g., HTTP is susceptible to Denial of Service (DOS) attack.
- Complex configuration - server scripts, CGI, forms, database integration
- Calling powerful viewer / helper programs - for specific MIME files, UNIX calls external helper programs, like ghostviewer and the C shell, to view / execute the contents. However, the execution of these programs endangers the integrity of the system.
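The shell-metacharacter problem appears twice above: under the application gateway (selectively filtering out ";" before it reaches a script that calls system( )) and under "Use of common gateway interface and forms" (Perl and the shell can execute a wide variety of system functions). This added example, which is not from the original notes, puts the vulnerable pattern beside its hardened form. The form field, the `finger` command line and the allow-list are constructed for illustration, and the unsafe line is only tokenised the way a shell would read it, never executed.

```python
"""Added example (not from the original notes): why the notes tell an
application gateway to filter ";" before input reaches a CGI script that
calls system(). The vulnerable function pastes a form field into a shell
command line; the gateway filter rejects shell metacharacters; the hardened
version allow-lists the whole value and builds an argument vector so no shell
parses it. Inputs and the finger command are constructed for illustration."""
import re
import shlex
import subprocess

SHELL_METACHARACTERS = set(";|&`$<>(){}\n")
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")   # constructed allow-list


def unsafe_command_line(form_value: str) -> str:
    # VULNERABLE (the risk the notes describe): the field is concatenated into
    # a string destined for system(). A ";" ends the finger command and lets
    # the rest of the field be read as a second command.
    return "finger " + form_value


def shell_command_count(command_line: str) -> int:
    """How many commands a shell would see in the line (tokenised, not run)."""
    tokens = list(shlex.shlex(command_line, punctuation_chars=True))
    return 1 + tokens.count(";")


def gateway_accepts(form_value: str) -> bool:
    # What the notes' application gateway does: reject any character with
    # meaning to the shell before the request reaches the script.
    return not SHELL_METACHARACTERS.intersection(form_value)


def safe_argv(form_value: str):
    # Hardened script: allow-list the entire value, then return an argument
    # vector. None means the request is refused.
    if not USERNAME_RE.match(form_value):
        return None
    return ["finger", form_value]


def run_safely(form_value: str) -> int:
    """Runs the command without a shell; returns the exit status (not used in tests)."""
    argv = safe_argv(form_value)
    if argv is None:
        return 1
    return subprocess.run(argv, shell=False).returncode
```

The two defences are complementary: the gateway filter is a deny-list that a new metacharacter can slip past, while `safe_argv` both restricts the value to a known-good shape and removes the shell from the path entirely, which is the fix that survives even if the filter is wrong.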
Establishing a Security Policy for the Web Service
- one must examine the entire process to uncover the weakest link. The weakest link defines the security level for the entire system. So administrative threats must be taken into account.
- defines the rights and responsibilities of those who grant access to the Web server system and those who use the service
- security policy is a very specific statement about exactly who should be able to do what
Choosing the Right Security Mechanisms
- Security mechanisms can never totally eliminate all risks. They can only diminish risks to an acceptable level, which aims to increase confidence and trust in the systems.
- for Web includes:
- host and network configuration tools and techniques
- firewalls
- secure Web Communication
- Web application program
- logging and monitoring
- authentication mechanism for Web services
- authorization mechanism for Web services
- Mechanisms for Securing
- Limiting access
- TCP Wrappers (per application, e.g. Telnet)
- firewall (for an entire class of computers)
- disable all OS services that are not required
- configuring the Web Server for Minimal Access
- limit access to cgi-bin areas, not writable except the system admin
- place separate services on separate servers
- run the Web daemon as chroot
- monitor Web server access log; scan for security breaches
- mount the Web documents as a read-only file system. Store it in a distributed file system
- Monitor and log access attempts
- improve integrity of the host
- log files are the first target of an attacker
- automated tools: Tripwire, Computer Oracle and Password System (COPS)
- COPS scans for Trojan horses by checking for changes in the permissions and sizes of system programs
- Keep informed
- CERT
- newsgroups, e.g. comp.security.announce
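Several items in the list above ("monitor Web server access log; scan for security breaches", restricting the server to GET with PUT and POST disabled, limiting access to cgi-bin, and the password "cracking" threat listed earlier) can be checked from the access log. This added example, which is not part of the original notes, runs such checks over constructed NCSA Common Log Format lines; the hosts, paths, threshold and log entries are all invented for illustration.

```python
"""Added example (not from the original notes): a scanner over Web server
access-log lines in the NCSA Common Log Format. It flags request methods
other than GET (PUT/POST disabled, as the notes suggest), cgi-bin requests
carrying shell metacharacters, and repeated 401 responses from one client
(a sign of password guessing). All log lines are constructed."""
import re
from collections import Counter

# host ident authuser [date] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/1996:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/1996:13:55:40 -0700] "GET /cgi-bin/search?q=x;y HTTP/1.0" 200 512
198.51.100.7 - - [10/Oct/1996:13:56:01 -0700] "PUT /index.html HTTP/1.0" 405 0
198.51.100.7 - - [10/Oct/1996:13:56:02 -0700] "POST /cgi-bin/form HTTP/1.0" 405 0
192.0.2.9 - alice [10/Oct/1996:13:57:10 -0700] "GET /private/ HTTP/1.0" 401 0
192.0.2.9 - alice [10/Oct/1996:13:57:11 -0700] "GET /private/ HTTP/1.0" 401 0
192.0.2.9 - alice [10/Oct/1996:13:57:12 -0700] "GET /private/ HTTP/1.0" 401 0
192.0.2.9 - alice [10/Oct/1996:13:57:13 -0700] "GET /private/ HTTP/1.0" 401 0
192.0.2.9 - alice [10/Oct/1996:13:57:14 -0700] "GET /private/ HTTP/1.0" 401 0
192.0.2.9 - alice [10/Oct/1996:13:57:15 -0700] "GET /private/ HTTP/1.0" 200 800
"""

ALLOWED_METHODS = {"GET"}          # server policy from the notes: only GET
SHELL_METACHARACTERS = set(";|&`$")
AUTH_FAIL_THRESHOLD = 5            # constructed: 401s from one host before alerting


def parse(line):
    """Returns the field dict for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Returns a list of (kind, ...) findings over the log text."""
    findings = []
    auth_failures = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            findings.append(("unparsable", line))
            continue
        if rec["method"] not in ALLOWED_METHODS:
            findings.append(("disallowed-method", rec["host"], rec["method"], rec["path"]))
        if rec["path"].startswith("/cgi-bin/") and SHELL_METACHARACTERS.intersection(rec["path"]):
            findings.append(("cgi-metacharacter", rec["host"], rec["path"]))
        if rec["status"] == "401":
            auth_failures[rec["host"]] += 1
            if auth_failures[rec["host"]] == AUTH_FAIL_THRESHOLD:
                findings.append(("repeated-auth-failure", rec["host"], AUTH_FAIL_THRESHOLD))
    return findings
```

The scanner deliberately reports on the 405 responses too: a rejected PUT shows the method restriction is working, but a client that tries it is still worth noting, and the log entry is the only record of the attempt.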
- Authentication and Access Control Mechanisms. Assertion and verification together are called authentication process. Two classes of security mechanisms:
- Authentication - who is who, password-login. There are three factors that are used in the authentication process:
- Knowledge - something someone knows
- Possession - something someone has
- Characteristic - something someone is
Many authentication systems are using two-factor to verify the user. For example, to operate an ATM machine, you must own the ATM card (possession) and know the PIN (knowledge).
- Authorization - enforces control and security policy, permits / denies users access of the files / programs
- Conflicting paradigms: authentication versus statelessness. Open Stateless System - the HTTP protocol is stateless: it has no idea of a session, only a stream of separate, unrelated document requests.
- HTTP Basic Authentication - headers passed between the client and server provide the authentication facility.
Web server challenges: WWW-Authenticate header
Browser responds: Authorization header
The server checks the encoded password each time it retrieves the file. The administrator places access control specifications in a central system configuration file or in a special file in each protected directory.
- NCSA: .htaccess file
- CERN: .htadm file
- Netscape stores both passwords and rules in a database, which may be in a distributed file system
- Integrating other authentication protocols with the Web
- Kerberos used by AFS and DFS stores users' passwords in a central Kerberos server
- one-time password by challenge / response method
- one-time password by time synchronization method
- Costs and Benefits of Authentication - greater protection is accompanied by increased cost in the form of slower server response and the need for greater server capacity
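The HTTP Basic Authentication exchange outlined above (401 with WWW-Authenticate, then the browser's Authorization header, checked by the server on every request because HTTP is stateless), as an added example that is not from the original notes. The users, password, realm and path are constructed; the password store is an `.htpasswd`-style mapping, but the salted SHA-256 entries are an assumption for this illustration rather than the NCSA server's own format.

```python
"""Added example (not from the original notes): both sides of HTTP Basic
Authentication. The server answers an unauthenticated request with 401 and a
WWW-Authenticate challenge; the browser resends with Authorization carrying
base64(user:password); the server decodes and checks it on every request.
Names, passwords and the salted-hash store format are constructed."""
import base64
import hashlib
import hmac
import os

REALM = "Protected Area"   # constructed realm name


def make_entry(password: str, salt: bytes = None) -> str:
    """Password-file entry: salt$sha256(salt || password), never clear text."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_entry(entry: str, password: str) -> bool:
    salt_hex, digest = entry.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed password store (fixed salt so the example is reproducible).
PASSWD = {"alice": make_entry("correct horse", b"\x01" * 8)}


def challenge():
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def server_handle(request_headers: dict, path: str):
    """Server side. Returns (status, response_headers); re-checked on every request."""
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge()
    try:
        clear = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except ValueError:               # binascii.Error and UnicodeDecodeError
        return 400, {}
    user, _, password = clear.partition(":")
    entry = PASSWD.get(user)
    if entry is None or not verify_entry(entry, password):
        return challenge()
    return 200, {}


def browser_authorization(user: str, password: str) -> dict:
    """Browser side: base64 is encoding, not encryption; it is readable on the wire."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def wire_clear_text(request_headers: dict) -> str:
    """What a "sniffing" attacker sees after undoing the base64 encoding."""
    return base64.b64decode(request_headers["Authorization"][len("Basic "):]).decode()


def exchange(user: str, password: str, path="/private/index.html") -> list:
    """Runs the two-step exchange; returns the status codes seen by the browser."""
    status1, response1 = server_handle({}, path)      # no credentials yet
    assert "WWW-Authenticate" in response1
    status2, _ = server_handle(browser_authorization(user, password), path)
    return [status1, status2]
```

`wire_clear_text` makes the "sniffing" point from the risks section concrete: the Authorization header reverses to `user:password` with no key at all, which is why the notes pair Basic Authentication with encryption on the link.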
Secure Web - SSL and S-HTTP
Secure Socket Layer (SSL) and Secure HTTP (S-HTTP) provide secure Web communication. Neither specifies how the certificates and cryptopts are stored and managed. They also do not define how the cryptographic features are displayed. However, SSL and S-HTTP differ as illustrated in the table below.
S-HTTP is HTTP-specific. SSL uses secure service ports opened in the TCP Transport layer. While S-HTTP requires a rewrite / modification of the HTTP protocol, SSL requires the adapted programs to have the SSL code inserted and be recompiled.
| | SSL | S-HTTP |
|---|---|---|
| Session Key | SSL stores the certificates in a file on the secure server (or locally on the client machine). The client side generates a session key and encrypts it with the server's public key if the signature of the CA is valid. | The client (browser) gets the public key from the server. A session key is created and encrypted with the server's public key. The information is inserted in the S-HTTP header of each secure HTML document. |
| Opening port | Opens a Secure Socket Layer in the Transport Layer on port 443. A Web site that supports both open and secure communications must have two servers running: one on the regular port 80 and one on port 443. | Application level. Uses the ordinary HTTP port. |
| Protocol | Flexible - supports HTTP, Telnet, FTP, etc. | Defines new extensions to HTML to permit embedding the public key certificate and cryptopts in the document. |
| Handshaking | Occurs before any HTTP message. The Web client (browser) verifies that the signature of the CA on the server's certificate is valid. The public key of the CA is embedded in the client side. The server side completes the handshake by sending a message back to the client with the encrypted session key. | Embedded in each HTTP message. The server decrypts the session key and message sent by the client using the server's private key. The server constructs and sends new messages to the client using the decrypted session key. |
| Choice of cryptographic algorithms | All or nothing. The client must negotiate one server authentication algorithm, one private key encryption algorithm, and one message integrity algorithm, or else a secure session is not granted and the connection is refused. Certificates and cryptopts are stored in the SSL layer. The client-side SSL, on behalf of the user, chooses the suite of protocols to use. The application does not have direct access to them. | Very visible and controllable by users. User negotiable / selectable. |
| Browser | Netscape, IE | Mosaic, CommerceNet |
| Compatibility | Not compatible with S-HTTP | Not compatible with SSL |
| Advantages | easy to manage and set up; a successful session supports a large number of parallel connections | each HTTP request / response is treated as an individual message, which allows more flexible negotiation of security properties as well as object security for the messages; spontaneous secure Web communication |
| Disadvantages | incapable of finer control over the cryptographic features; users cannot select a particular certificate to use; not possible for each party in a transaction to receive a signed receipt | not scalable - cryptopts are associated with each hyperlink in a secure document; lack of adequate cryptopts and certificate management tools |
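The SSL handshake row of the table (the browser checks the CA's signature on the server's certificate using a CA public key embedded in the client, then generates a session key and encrypts it with the server's public key, which the server recovers with its private key), played out end to end as an added example that is not from the original notes. To keep it runnable offline it uses a deliberately tiny textbook RSA built from fixed primes; the CA, the server name, the certificate layout and the 7-byte session key are all constructed assumptions, and real SSL/TLS (large keys, padding, the full cipher-suite negotiation the table describes as "all or nothing") is not modelled.

```python
"""Added example (not from the original notes): the SSL handshake from the
table, with a tiny textbook RSA so the whole flow runs offline. The CA signs
the server certificate; the browser, which ships with the CA public key
embedded, verifies that signature before choosing a session key and wrapping
it with the server's public key; the server unwraps it with its private key.
Keys, names and certificate layout are constructed; nothing here is
production cryptography."""
import hashlib
import os


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from two fixed primes (assumption: illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)            # (public, private)


def digest_mod_n(data: bytes, n: int) -> int:
    # Toy "hash then sign": the SHA-256 digest reduced below the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_mod_n(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)


def encrypt_int(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)


def decrypt_int(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


# Constructed CA and server key pairs (fixed primes for reproducibility).
CA_PUB, CA_PRIV = toy_rsa_keypair(1000000007, 998244353)
SERVER_PUB, SERVER_PRIV = toy_rsa_keypair(2147483647, 1000000009)


def cert_bytes(name: str, public_key) -> bytes:
    """Certificate body = server name plus its public key; the CA signs these bytes."""
    return ("%s|%d|%d" % (name, public_key[0], public_key[1])).encode()


SERVER_CERT = {"name": "www.example.test", "pub": SERVER_PUB}   # constructed
SERVER_CERT["sig"] = sign(CA_PRIV, cert_bytes(SERVER_CERT["name"], SERVER_PUB))


def client_side(cert, embedded_ca_pub=CA_PUB):
    """Browser: verify the CA signature, then choose and wrap a session key."""
    if not verify(embedded_ca_pub, cert_bytes(cert["name"], cert["pub"]), cert["sig"]):
        return None, None            # certificate not trusted: refuse the connection
    session_key = int.from_bytes(os.urandom(7), "big")   # 56 bits, below the toy modulus
    return session_key, encrypt_int(cert["pub"], session_key)


def server_side(wrapped_key, private_key=SERVER_PRIV):
    """Server: recover the session key with its private key (completes the handshake)."""
    return decrypt_int(private_key, wrapped_key)


def handshake(cert=SERVER_CERT):
    """Returns (client_key, server_key); they match when the handshake succeeds."""
    client_key, wrapped = client_side(cert)
    if client_key is None:
        return None, None
    return client_key, server_side(wrapped)


def altered_cert():
    """A certificate whose name was changed after signing; the CA check must fail."""
    return dict(SERVER_CERT, name="www.altered.test")
```

The S-HTTP column differs only in where this exchange happens: the same wrapped session key travels in the S-HTTP header of each document rather than once per transport session, which is the "not scalable" disadvantage in the last row.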
Message digest of this page would be sent by email separately
References:
- Nancy J. Yeager & Robert E. McGrath (1996) Web Server Technology - The Advanced Guide for World Wide Web Information Providers, Morgan Kaufmann.
- Robert L. Ziegler (2000) Linux Firewalls, New Riders.