20-771: Computer Security Lecture 14: Web, Firewalls

1
20-771 Computer SecurityLecture 14 Web,
Firewalls

• Robert Thibadeau
• School of Computer Science
• Carnegie Mellon University
• Institute for eCommerce, Fall 2002

2
Todays lecture

• Web Security
• Firewall
• QA

3
This Week

• Read WS 14
• Exam Wed 6PM

4
Windows 2000 IPAAA Model
User Agents
DACLs
File Encrypt
Kerberos
Authenticode
SACLs
Smartcard
IPSec
5
PKI works with two mechanisms

• Using the CA public key to unfold the signing
  to your public key (typically, the CA signs your
  PK cert).
• He vouches for you in a way that cannot be denied
• Key compromise
• Key revocation is a problem
• A file or resource has access granted by the
  demonstration that the requestor can privately
  encode that the resource can publicly decode (or
  that the resource can publicly encode that the
  requestor can privately decode).
• You can have MORE than one PK on a file or
  resource
• Example was revocation list
• User (not group) is a owner of a private/public
  key
• Can let Windows Base Crypto Services or Smart
  Card.

6
Our Class
Server Applications
Client Applications
Web Server Security
Web Client Security
Security Server Applications WINDOWS 2000
Security Assurance Applications
Proxy/Router Applications Put in Hardware! (buy
CISCO)
Server Security
Client Security
Path Security - Physical security
Proxy/Router Security - Kind of Server
Host Security
Whole Facility / Internet Security
Protocols/Policy/Publicity
Technology
The Law
How To Integrity/Privacy/Authenticate/Authorize/Re
cord
Cryptography
7
Exam

• What is a security association?
• What did you have to do to get encrypted email to
  work with a few of your classmates?
• One or more of the following
• In 100 Words, Explain how file encryption works
  in Windows.
• In 100 Words, Explain how Kerberos works and what
  it protects.
• Analyse Windows in terms of IPAAAA in 100 words.
• What does Interdomain (or across domain, or
  across realm) Trust Mean?
• Why is a memory only smart card a possible
  security problem?
• Explain the DACL in 100 words.
• Explain the SACL in 100 words.
• How is a file authorized to a user in Windows
  2000/XP in 150 words?
• Summarize the chapter on X in Stein (since mid
  term) in two sentences.

8
WS 9. Configuring Win NT Web Server

• Know how to set one up (what to expect from IIS)
• Windows 2000 is IIS 5
• Security Scanner http//security1.norton.com

9
IIS

• Microsoft Internet Information Server
• Like Apache and all others Has Own Layer of
  Authorization and Authentication
• Apache is completely separate (see .htaccess)
• IIS is/can be completely integrated into the
  Domain
• Including trust among domains
• Front Page
• Yet another access/authorization layer permitting
  authoring but no other access in domain
• Careful! FP uses .htaccess type files peppered
  around the active directory giving FP access (not
  integrated into the ACLS!)
• DO NOT APPLY GLOBAL ACCESS CHANGES ON FP
  DIRECTORIES WITHOUT USING FP! (You may need a
  special FP administration tool to re-set all the
  access controls).

10
IIS

• Standard HTTP Server
• Can basically behave exactly like one that
  utilizes all the features of HTTP and related
  protocols (e.g., SSL, CGI, virtual hosting).
• Very easy to manage (right click and look).
• Since users/groups in and between domains are the
  same as in Active Directory, use security (not
  sharing) to set up Web Access.
• Creating the user WebServer for the web server
  (p. 230 Stein) is probably still good. Note this
  is the creator-owner of the server and has to
  have local login rights.

11
Access Rights
Group Admin Tools Logs Scripts Documents
Web Masters R R RW RW
Web Developers - - RW RW
Web Authors - - R RW
Guests - - R R
Dont make yourself a web author and web master
youll wind up being a web author!
12
Web Access Control

• Basic Access
• Response to 401
• Send Base64 MIME plaintext username and password!
• This is in the clear unless SSL protected!
• Digest Authentication
• Server sends nonce
• Client Send MD5 password
• Put digest, url, nonce inside digest to give
  integrity
• Server checks hashed password, not the plaintext
  password
• Replay attack fails (except for the page in
  question).
• Kerberos (Windows Authentication) // including
  SSL Smartcard Client
• IE 5.0 and IIS5 incorporate good security
  together.

13
WS 10. Web Access Control

• Apache has a separate user/group system layered
  on top on Unix.
• IIS uses the user/group access system built into
  the MS Windows OS.
• Principles of these systems are largely
  universal. Always do a security check out to
  tighten down access as much as possible
• Lincoln Stein is right define special, highly
  limited, groups if you expose parts of your
  machine to the Internet.

14
Firewalls Big Ideas

• Just a modified Gateway or Router or Server that
  doesnt let every packet or message through.
• Extremely important for single point of control.
• Dedicated hardware (Bastion) is essential when
  possible
• Major Distinctions
• Circuit Level (ip)
• Application Level (http, ftp, etc.)
• Packet Filters (ip/tcp ports and machines)

15
How to think about firewallsOSI
Screening Routers

• Data link layer
• Network
• Transport
• Session
• Presentation
• Application
• Application Specific Access Controls

Proxy Servers
16
Typical Firewall
Firewall Computer Steins Bastion
Inside LAN
Outside LAN/WAN
Physical Separation
Sometimes you use a router (hardware) to direct
interesting packets to Firewall Computerto be
forwarded if allowed. This is common for
application layers, like web proxies.
Proxy Servers are application layer
firewall/filter agents. They pretend to be the
destination. When and why do they work?
17
Proxy ARP Firewall
Proxy ARP Firewall Computer
eth0
eth1
Inside LAN
Outside LAN/WAN
Proxy ARP Responds to ARP (Address Resolution
Protocol) requests with its hardware Address
so it gets the packets. Needs two (physical)
interfaces on eth0 ARPs are all correct,
but On eth1 all protected computer IP addresses
get ARPed with Firewalls Hardware Address. (an
inside the LAN Firewall) ARP broadcast
whats the hardware address for IP address
n.n.n.n?
18
NAT

• Masquerading Firewalls Look like one set of
  addresses from the outside and another from the
  Inside.
• Address Translation (NATs). Many machines, one
  address and also to hide the many Machines. (One
  address from outside)
• 192.168.. 10...
• NATs are an RFC! www.rfc-editor.com RFC 1631
• Class A (1-126) 17 million hosts each
• Class B (128-191) 65000 hosts
• Class C (192-223) -- 256

19
Whats a Proxy?

• Needs to be defined in the protocol.
• Layer and Message Structure?
• IP Source IP, Dest IP, ID, PROTOCOL, Length

20
Windows 2000 Firewall

• ISA (firewall protocol)
• http//support.microsoft.com/support/kb/articles/q
  179/4/42.asp
• Port 135, 137,138, 139 domain trust
• 389, 636, 3268, 3269, 88 LDAP and Kerberos
• IPSec Gateway mode is for firewalls that have to
  do proxy or address translation.

21
European Union (Modern Bldgs in BackGround).
22
InformationPrivacy

• Law

• Technology

No matter how much you want to, you cant get
technology out of privacy or the law out of
privacy
23
Privacy (for People)

• Privacy means keeping things secret
• PII Personally Identifiable Information
• PI Personal Information
• Basic Tension
• Keep people safe from intrusion (bbb online)
• Market people (direct marketing assn.), keep
  statistics important to research and operations
  such as medicine and hospitals
• Literature a major branch of security
• Elaborate systems for anonymity

24
Out of Common Criteria

• Types of information privacy
• Anonymity
• Pseudonymity
• Unlinkability
• Unobservability
• User control / info management
• Notification, consent, accessibility, validation
• Security protection

25
Technological OrganizationDr. David-Olivier
Jaquet-Chiffelledavid-olivier.jaquet-chiffelle_at_ht
a-bi.bfh.ch
Anonymity
Pseudoanonymity
Unlinkability
Practical
Theoretical
Unobservability
Conditional
Unconditional
26
Legal/Technical OrganizationThe Law defines its
own world
Pseudoanonymity
Anonymity
Technical
Law
Unlinkability
Unobservability
Conditional
Unconditional