Web Security

About This Presentation

Title:

Description:

Number of Views:2766

Avg rating:3.0/5.0

Slides: 21

Provided by: Andrew687

Learn more at: http://sceweb.sce.uhcl.edu

Category:

Tags: attack | denial | security | service | web

Transcript and Presenter's Notes

Title: Web Security

1
Web Security

Introduction
(Some of the slides were adapted from Oppligers
online slides at http//www.ifi.unizh.ch/oppliger
/Presentations/WWWSecurity2e/index.htm.)

2
Chapter 1

3
Internet

Has seen dramatic growth since 1995
Has evolved from the collegial inter-network for
researchers in the 70s and 80s into todays
global Internet for
Fun
Commercial transactions
Education
Has seen all types of security breaches

4
Internet

The Internet has become a popular target to
attack (the number of security breaches has in
fact escalated more than the growth rate of the
Internet)
Security problems receive public attention
Examples
Internet Worm (e.g., Robert T. Morris, Jr. in
1988)
Password sniffing (1994)
IP spoofing and sequence number guessing (e.g.,
Kevin Mitnick in 1995)
Session hijacking
(Distributed) denial-of-service attacks (since
1996)

5
DOS via Syn Flood

6
Internet Protocols
7
WWW

The Web
Based on the HTTP protocol
An application-level protocol
HTTP is a simple request/response protocol
Lightness and speed necessary for distributed,
collaborative, hypermedia information systems
A stateless protocol

8
HTTP History of the WWW

HTTP 1991 The Original HTTP as defined in 1991
HTTP 1992 Basic HTTP as defined in 1992
HTTP 1996 RFC1945 Hypertext Transfer Protocol
-- HTTP/1.0. Informational.
HTTP 1999 RFC2616 Hypertext Transfer Protocol
-- HTTP/1.1.
irt.org 1998 WWW How It All Began.
isoc.org 2000 The Internet Society. A Brief
History of the Internet. August 4, 2000.

9
HTTP

can be used for many tasks, such as name servers
and distributed object management systems,
through extension of its request methods
Its data typing feature allows systems to be
built independently of the data being
transferred.

10
Current Trends

11
Web Services
12
Some terminology

Vulnerability
A weakness that can be exploited
Threat
A circumstance, condition, or event that may
violate a systems security by possibly
exploiting the systems vulnerabilities
Control (or Countermeasures)
a feature, function, tool, or mechanism that
either reduces a systems vulnerabilities or
counters its threat(s)

13
Sample Controls

14
The Bigger Picture

15
Policies

High-level statements of what are allowed and
what are not allowed
Example policy statements
Any access from the Internet to intranet
resources must be strongly authenticated and
properly authorized.
Any classified data must be properly encrypted
for transmission.
Policies are enforced by the overall
architectural design and various mechanisms.

16
Host Security

17
Network Security

The security of the underlying network is
critical to assure the security of networked
applications, including Web and other Internet
applications.
A security breach that occurs at a lower layer
(e.g., ICMP) may result in major problem at a
higher layer (e.g., DOS attack at the Web server).

18
Services vs Mechanisms

Example security services
Authentication, confidentiality of data, data
integrity, access control, non-repudiation,
Example security mechanisms
Passwords for user authentication
Biometrics for user authentication
RSA encryption for data confidentiality
Digital signature for
Routing control
firewalls

19
Organizational Security

Security is also a people problem.
In fact, human behavior is still the most
important factor with regard to security and
safety.
Human behavior may be influenced by religion,
ethics, education, or organizational security
controls.
Organizational security controls include
directions/instructions that define legitimate
human behavior and operational procedures in the
organization.