b3b779a414cb28921aaf6667fca3a9a4.ppt
- Number of slides: 45
Web Server Security: Packet Sniffing
• Information on the Internet is exchanged in chunks of data called packets
• Special programs, called packet sniffers, capture these packets
• A packet sniffer puts the network interface into promiscuous mode and listens to every packet that reaches it, whether or not it is addressed to the local machine
• This lets the user of the sniffer see anything transmitted in the clear on the local network; on a shared medium (a hub, or wireless) that is all of the traffic, on a switched network only the traffic that reaches the sniffer's own port 1
Web Server Security: Example
Using the publicly available packet sniffer tcpdump, all the packets being transmitted on our local network can be seen:
    Prompt# tcpdump -x -n -t -q
    10.0.0.7.23 > 10.0.0.2.1095: tcp 1
        4500 0029 dc4f 4000 ff06 8b76 0a00 0007
        0a00 0002 0017 0447 60a2 1a5e 45e2 15b4
Here a conversation is taking place between two local machines with IP addresses 10.0.0.7 and 10.0.0.2. The source port, 23, is telnet, so the bytes that follow the headers are the session's keystrokes and output in the clear (-x prints the packet in hex, -n suppresses name lookups, -t omits timestamps, -q keeps the summary line short) 2
IP Spoofing
• IP spoofing is the act of sending a packet with a forged source IP address
• The last thing an attacker carrying out an attack wants is to have his or her identity known
• Spoofing the IP address is an easy way to hide the identity of the machine the attack is coming from
• An attacker could spoof the source to an IP address that does not belong to anyone or that is not currently in use
• The attacker could also spoof the source to make the attack appear to come from an existing machine elsewhere on the Internet
• Spoofing the IP address is simple: programs available on the Internet let you construct packets by hand and send them out on the wire
• The catch for the attacker is that replies go to the spoofed address, not to the attacker, so spoofing suits one-way traffic (floods, UDP) far better than a full TCP conversation; egress filtering at the network border (dropping outbound packets whose source is not one of your own addresses) stops your hosts from being used this way 3
IP Spoofing on Solaris
Edit the /etc/hosts file, save the changes and reboot:
    Solaris# vi /etc/hosts
Before spoofing:
    127.0.0.1    localhost
    172.23.14.8  mytesthost
After:
    127.0.0.1    localhost
    10.0.0.5     mytesthost
Note that this only changes the name-to-address mapping used by the local resolver (what "mytesthost" resolves to); the packets the machine sends still carry its real interface address as the source. Forging the source address itself requires crafting the packet, as on the previous slide 4
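The hex dump on slide 2 and the packet-construction point on slides 3 and 4 are served by the following added example (not part of the original deck). It decodes the IPv4 and TCP header fields out of the slide's `tcpdump -x` output, verifies the IP header checksum that is printed in it, and shows what a spoofing tool has to change when it rewrites the source address: the address bytes and the recomputed checksum. Nothing is sent on the wire; the only input is the slide's own hex, embedded as a constant.

```python
import struct
from typing import Dict

# Constructed from the hex words printed on slide 2 (`tcpdump -x`): the IPv4
# header plus the first 12 bytes of the TCP header of one telnet segment.
SLIDE_HEX = (
    "4500 0029 dc4f 4000 ff06 8b76 0a00 0007 "
    "0a00 0002 0017 0447 60a2 1a5e 45e2 15b4"
)


def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented.

    Callers zero the checksum field first. This is the same arithmetic a
    packet-crafting (spoofing) tool must redo after changing the source
    address, otherwise the receiving stack silently drops the packet."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_dump(hexdump: str) -> Dict[str, object]:
    """Decode the IPv4 header and the leading TCP fields of a tcpdump -x dump."""
    raw = bytes.fromhex(hexdump.replace(" ", "").replace("\n", ""))
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl]  # header with checksum field cleared
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,                      # 6 = TCP
        "ident": ident,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": ip_checksum(zeroed) == csum,
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        # bytes after the IP header; with the usual 20-byte TCP header that
        # leaves total_len - 40 bytes of payload (the "tcp 1" in tcpdump's summary)
        "tcp_len": total_len - ihl,
    }


def rewrite_source(raw: bytes, new_src: str) -> bytes:
    """Copy of the packet with a forged IPv4 source and a corrected IP checksum.

    Shows what spoofing changes on the wire; nothing is sent. The TCP checksum
    also covers the addresses (pseudo-header) and would need the same treatment."""
    ihl = (raw[0] & 0x0F) * 4
    hdr = bytearray(raw[:ihl])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + raw[ihl:]


if __name__ == "__main__":
    for field, value in decode_dump(SLIDE_HEX).items():
        print(f"{field:12} {value}")
```

Running it prints 10.0.0.7:23 to 10.0.0.2:1095, TTL 255, protocol 6 and a valid checksum (0x8b76), i.e. exactly the summary line tcpdump printed above the hex; the 192.0.2.0/24 address used in the test is the documentation range, not a host from the slides.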
Web Client Security
So far we have covered server-side security. What about client-side security?
Java Applets
• An applet is a program that runs inside your browser
• You need a Java-capable browser or an applet viewer to run the applet code
• An applet can be thought of as a partial program containing only the middle portion
• The beginning and end of the program are supplied by the browser or applet viewer 5
Web Client Security
To run an applet you first need the applet .class file, the compiled bytecode generated from the Java source code. It is embedded in a page with the applet tag:
    <html>
    <applet code="someapplet.class" width="500" height="200">
    <param name="text" value="example">
    </applet>
    </html> 6
Protecting yourself from Java applets
It is possible to disable Java in your browser. Netscape controls this feature under "Preferences"; Internet Explorer controls it under "Internet Options". Select "Advanced" in both browsers 7
What happens when an applet tries to connect to another system
• This is the most dangerous scenario with applets
• Because the connection is initiated from inside, by your own browser, your firewall no longer protects your machine from the attack
• This is the primary reason applets are not allowed to connect to arbitrary remote systems
• The applet is only allowed to connect back to the machine it originated from
• Even that connection lets an attacker learn what traffic is allowed to exit your network through the firewall
• This model of Java applet security, in which untrusted code runs with restricted capabilities, is called the sandbox model 8
What happens when an applet tries to connect to another system
• Applets function as normal programs, but they must play within the sandbox
• They are limited in their capabilities and are not treated as full-fledged programs
• Later versions of the Java security manager allow different security policies to be defined depending on the applet and its origin
• Another addition to the Java security model is the idea of signed applets
• A valid signature assures you that the applet has not been modified since it was signed, and tells you who signed it; it does not tell you that the code is safe, so a signed applet should only be granted extra privileges when you trust the signer 9
ActiveX Security
• ActiveX was developed by Microsoft and is based on their object linking and embedding (OLE) technology
• The ActiveX equivalent of a Java applet is called an ActiveX control
• Unlike Java applets, ActiveX controls are native code and therefore platform dependent
• This means you need to compile the control for every platform you expect to connect to the site
• Rather than the applet tag you use the <object> tag 10
ActiveX Security
• ActiveX controls are digitally signed by the author of the control
• The signature is checked by the security mechanism for ActiveX, called Authenticode
• Unlike the sandbox approach, nothing restricts what a control can do once it runs: it has the full privileges of the user's account. Instead, before the control runs you are prompted with the name of the author who wrote and signed the code, and the whole security decision is whether you trust that author 11
JavaScript Security
• Using JS, all sorts of bugs have been discovered, ranging from being able to send out e-mail or view the history file, to tracking a user online or uploading a file
• It is possible to disable JS in your browser, in the same place as applet blocking in the browser settings
• When a page is loaded, sometimes new browser windows are opened continuously until the browser is terminated 12
JavaScript Security
• This eats up all your system memory and leaves you no choice but to kill the browser
• This is a client-side denial-of-service attack using the standard functionality of JavaScript
• Another annoying script: upon loading the URL your browser window develops a mind of its own and starts to move all over the screen, possibly beyond your control 13
JavaScript Security
• Unlike a Java applet or ActiveX control, the good thing about JS is that once you have disabled it you can still read the script in the page source and allow the page to reload once you know what the script does
• Unlike applets or ActiveX controls, which use a single tag to embed something, JS is also attached through event handlers such as onLoad(), which are hard to strip as the page passes through a filtering firewall or proxy
• Netscape has added the ability to sign scripts, very similar to signed applets
• You can then choose to run only signed scripts that were signed by an author you trust 14
Cookies
What is a Cookie?
• A cookie is nothing more than data
• It is not a program and is not executable
• It is like you filling in a form with details and sending it to the server, except that with a cookie the server fills in the information and passes it to the client
• When the client requests a web document, the server sends the document and some additional data
• This additional data is the cookie 15
Cookies
• Later, when the client makes further connections to the server, it sends the cookie back
• The client keeps the cookie for future connections
• Without the cookie the server has no idea who is connecting to it
• It may know which IP address the connection comes from, and thus which machine the client is running on, but not which user or session 16
Cookies Example
    Content-type: text/html
    Set-Cookie: colorpref=blue

    <HTML>
    <HEAD>
    <TITLE> </TITLE>
    </HEAD>
    </HTML>
• This is all a server needs to send for the browser to store the value for future reference; on the next visit the server receives colorpref=blue and can render the background in blue for that user
• If the server specifies an expiration date (the Expires attribute, or in later browsers Max-Age), the cookie is saved on disk when the user exits the browser
• If no date is specified the cookie is a session cookie and is deleted when the browser exits 17
Cookie Security
• Since the length of a cookie is limited and it is never executed, there is little concern about code-execution attacks via cookies
• The main issue with cookies is user privacy: they let a site (or an advertising network with cookies on many sites) recognise and track the same browser across visits
• The other issue is what the cookie identifies: when it carries a session identifier, anyone who can read it (a packet sniffer on a plaintext HTTP connection, or a script on the page) can present it and be treated as that user, which is why such cookies should be sent only over HTTPS (the Secure attribute) and kept away from script (HttpOnly)
• So the security issue is mostly to you the user rather than to the computer 18
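As an added example (not from the slides), the following parses a Set-Cookie header into its name, value and attributes, applies the disk-versus-session rule from slide 17, and reports the two attributes a reviewer looks for on a cookie that identifies a session. The `colorpref` header is the slide's own; the `sessionid` header and its values are constructed for the example and do not come from any real site.

```python
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample headers: the one from slide 17 and a hypothetical session cookie.
SLIDE_COOKIE = "Set-Cookie: colorpref=blue"
SESSION_COOKIE = ("Set-Cookie: sessionid=7f3a9c; Path=/; "
                  "Expires=Wed, 09 Jun 2021 10:18:14 GMT; Secure; HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and a dict of attributes.

    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to True."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(cookie: Dict[str, object]) -> bool:
    """Slide 17's rule: with Expires (or Max-Age) the browser writes the cookie
    to disk; without either it lives only until the browser exits."""
    attrs = cookie["attrs"]
    return "expires" in attrs or "max-age" in attrs


def expiry(cookie: Dict[str, object]) -> Optional[datetime]:
    """The Expires attribute as an aware datetime, or None if absent or unparseable."""
    raw = cookie["attrs"].get("expires")
    if not isinstance(raw, str):
        return None
    try:
        return parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None


def weaknesses(cookie: Dict[str, object]) -> List[str]:
    """Checks worth running on any cookie that identifies a user or session."""
    attrs = cookie["attrs"]
    found = []
    if "secure" not in attrs:
        found.append("no Secure flag: also sent over plaintext HTTP, where a sniffer reads it")
    if "httponly" not in attrs:
        found.append("no HttpOnly flag: readable by page script through document.cookie")
    return found
```

For the preference cookie on the slide both findings are acceptable (it carries nothing worth stealing); for a session identifier they are not.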
Encryption
• Cryptography comes in many forms but the principles are the same: to protect your data from eavesdropping, spying, or falling into the wrong hands
Example:
• Let's encrypt a message using the following data and the standard English alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ 19
Encryption
• Plaintext: Meet me on the corner at midnight
• Algorithm: C = P + K (mod 26), where C is the ciphertext character, P is the plaintext character and K is the value of the key
• Key: 3
• Ciphertext: Phhw ph rq wkh fruqhu dw plgqljkw
The ciphertext is not in any recognisable readable form, so you need to know the key to interpret the message. For this particular cipher the key is one of only 25 possibilities, so an attacker can simply try them all; it illustrates the idea, not a secure algorithm 20
Encryption
• The algorithm states simply that to encrypt a plaintext character (P) and generate a ciphertext character (C) we add the value of the key (K) to the plaintext character
• Another way of looking at this example is that we shift each plaintext character three places to the right in the alphabet; X, Y and Z wrap around and are replaced by A, B and C respectively 21
Encryption
    Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
    Meet > Phhw 22
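The shift cipher of slides 19 to 22, carried through in code as an added example (not from the deck): `caesar` implements C = P + K (mod 26) with the wrap-around described on slide 21, `shift_table` reproduces the two-row table above, and `brute_force` shows the caveat that knowing the key is not much protection, since all 25 shifts can be tried in an instant and the one containing a common word (the crib, "the" here) is the plaintext.

```python
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase  # the "standard English alphabet" of slide 19


def caesar(text: str, key: int) -> str:
    """C = P + K (mod 26). Case is preserved; non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))  # % 26 does the X,Y,Z wrap-around
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """P = C - K (mod 26): the same shift in the other direction."""
    return caesar(ciphertext, -key)


def shift_table(key: int) -> str:
    """The plain/cipher alphabet table from slide 22 for an arbitrary key."""
    return "Plain:  " + " ".join(ALPHABET) + "\nCipher: " + " ".join(caesar(ALPHABET, key))


def brute_force(ciphertext: str, crib: str = "the") -> List[Tuple[int, str]]:
    """Try every key; return the (key, plaintext) pairs in which the crib appears.
    With 25 usable keys this is why a Caesar cipher keeps nothing secret."""
    hits = []
    for key in range(1, 26):
        candidate = decrypt(ciphertext, key)
        if crib in candidate.lower():
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    print(shift_table(3))
    print(caesar("Meet me on the corner at midnight", 3))
    print(brute_force("Phhw ph rq wkh fruqhu dw plgqljkw"))
```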
Certificates
• A client needs to be sure that the public key she is using corresponds to the server's private key
• Similarly, the server needs to verify that a message signature really was produced with the client's key
• If each party has a certificate that validates the other's identity, confirms the public key, and is signed by a trusted agency, then both can be assured that they are communicating with whom they think they are
• Such a trusted agency is called a Certificate Authority, and certificates are used for authentication 23
Certificate Content
• Subject: Distinguished Name, Public Key
• Issuer: Distinguished Name, Signature
• Period of Validity: Not Before Date, Not After Date
• Administrative Information: Version, Serial Number
• Extended Information 24
Certificate Authority
• By verifying the information in a certificate request before granting the certificate, the Certificate Authority vouches for the identity of the owner of the key pair's private key
• A Certificate Authority may also issue a certificate for another Certificate Authority
• Who vouches for the certificate of the top-level authority, which has no issuer? Nobody: it signs its own certificate
• One must therefore exercise extra care in trusting a self-signed certificate; its signature only proves that whoever holds the key made it, not who that is 25
Certificate Authority
• Wide publication of the root authority's public key reduces the risk in trusting it: it would be obvious if someone else published a key claiming to be the authority
• Browsers are preconfigured to trust well-known certificate authorities
• A number of companies, such as VeriSign, have established themselves as certificate authorities. These companies provide the following services:
  – Verifying certificate requests
  – Processing certificate requests
  – Issuing and managing certificates 26
Creating a Certificate Authority
• It is also possible to create your own Certificate Authority, e.g. for an internal network; its root certificate then has to be installed in every client that should trust it
• Specifications for certificates can be found at http://www.ietf.org/html.charters/pkix-charter.html (Public-Key Infrastructure (X.509) Working Group in the IETF) 27
Implementing SSL
• Although one could write an SSL implementation from scratch following the specification (the TLS 1.0 spec, RFC 2246, at http://www.ietf.org/rfc2246.txt), it is much easier to use one of the existing SSL toolkit libraries
• In addition, because of patents it was, at the time, often necessary to license some of the cryptography libraries (the RSA patent expired in 2000)
• http://www.openssl.org/ 28
Intrusion detection and recovery
• If the security model fails, it is important to detect the intrusion as early as possible
• The most important thing is to know what is happening on the network and on the machines within it
• The data contained in the logs is an excellent resource for determining what is happening at the site, provided the logs are kept somewhere the intruder cannot alter them, e.g. forwarded to a separate log host 29
Audits, Logs, Accounting
• Logs notify us of errors or specific application-level transactions
• Audits provide more information:
  – used to monitor when a file is opened, read or written to
  – can also be used to monitor processes and see when a process starts or ends a child process
• Accounting is a means of calculating how much of the system's resources are being used by each user 30
System and Network usage monitoring
• The use of web server resources should be fairly consistent
• E.g. if your web site has around 1000 hits every day and this suddenly drops to 10 on one day, something suspicious is happening
• If a user logs on and works only at weekends and then suddenly logs on on a weekday in the middle of the night, it could be an attack 31
Log examples
• After loading the default server page:
    2004-11-17 15:11:32 GET / 200 0 2763 10.0.0.7:32957 hosts
• After attempting to load a page that does not exist:
    2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosts
• After submitting an online form whose data is processed by a CGI script:
    2004-11-17 15:13:32 GET /info.html 200 0 1119 10.0.0.7:32997 hosta
    2004-11-17 15:13:45 POST /cgi-bin/info.pl 302 0 359 10.0.0.7:32997 hosta
The columns are date, time, method, URI, HTTP status code, a second server-specific status code, bytes sent, client address:port and a host label 32
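The two rules from slide 31 and the log layout from slide 32, turned into detection logic as an added example (not from the deck). It parses lines in the column layout shown above, flags clients whose requests are mostly for pages that do not exist, lists requests made in the middle of the night, and flags a day whose hit count is off by an order of magnitude from the other days. The first four log lines are the slide's own; the 10.0.0.9 lines and the daily totals in the usage note are constructed for the example.

```python
import statistics
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample in the slide's column layout (date time method uri
# status server-status bytes client:port host). The first four lines are
# from slide 32; the 10.0.0.9 lines are invented to show a night-time probe
# for directories that do not exist.
SAMPLE_LOG = """\
2004-11-17 15:11:32 GET / 200 0 2763 10.0.0.7:32957 hosta
2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosta
2004-11-17 15:13:32 GET /info.html 200 0 1119 10.0.0.7:32997 hosta
2004-11-17 15:13:45 POST /cgi-bin/info.pl 302 0 359 10.0.0.7:32997 hosta
2004-11-18 02:41:03 GET / 200 0 2763 10.0.0.9:40120 hosta
2004-11-18 02:41:04 GET /admin/ 404 0 404 10.0.0.9:40121 hosta
2004-11-18 02:41:04 GET /backup/ 404 0 404 10.0.0.9:40122 hosta
2004-11-18 02:41:05 GET /test/ 404 0 404 10.0.0.9:40123 hosta
2004-11-18 02:41:05 GET /old/ 404 0 404 10.0.0.9:40124 hosta
2004-11-18 02:41:06 GET /cgi-bin/ 404 0 404 10.0.0.9:40125 hosta
"""


def parse_line(line: str) -> Dict[str, object]:
    date, time_, method, uri, status, _server_status, nbytes, client, host = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "method": method,
        "uri": uri,
        "status": int(status),
        "bytes": int(nbytes),
        "client": client.rsplit(":", 1)[0],  # drop the ephemeral port
        "host": host,
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_scanners(records, min_requests: int = 5, max_404_share: float = 0.5) -> List[str]:
    """Clients whose requests are mostly for pages that do not exist (probing)."""
    total, missing = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        if r["status"] == 404:
            missing[r["client"]] += 1
    return sorted(c for c in total
                  if total[c] >= min_requests and missing[c] / total[c] > max_404_share)


def off_hours(records, start_hour: int = 0, end_hour: int = 5):
    """Requests made in the middle of the night (slide 31's unusual-time rule)."""
    return [r for r in records if start_hour <= r["ts"].hour < end_hour]


def daily_hits(records) -> Dict[str, int]:
    return dict(Counter(r["ts"].strftime("%Y-%m-%d") for r in records))


def flag_volume_anomalies(daily: Dict[str, int], factor: int = 10) -> List[str]:
    """Days whose hit count is more than `factor` times below or above the
    median of the other days (slide 31: 1000 hits a day suddenly becoming 10)."""
    flagged = []
    for day, hits in daily.items():
        others = [h for d, h in daily.items() if d != day]
        if not others:
            continue
        baseline = statistics.median(others)
        if hits * factor < baseline or hits > baseline * factor:
            flagged.append(day)
    return sorted(flagged)
```

Called on `SAMPLE_LOG`, `flag_scanners` returns only 10.0.0.9 (five of its six requests were 404s; 10.0.0.7's single 404 is below the request threshold), and `flag_volume_anomalies({"2004-11-14": 1000, "2004-11-15": 980, "2004-11-16": 1010, "2004-11-17": 10})` returns the day that dropped to 10. Thresholds are assumptions to tune per site.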
HTAccess
• Web-based authentication denies web access to visitors who do not give a valid username and password
• An access control list (ACL) is a method of limiting access to a particular portion of a web site
• For example, you may want to give access to an online database only to fee-paying customers
• An ACL can be used to place a restriction on a single file or an entire directory, including its subdirectories 33
Format of the HTAccess file
    AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Somewhere.com's Secret Section"
    AuthType Basic
    require valid-user
AuthName must be quoted because it contains spaces. The require directive is what actually demands a login: without it the file restricts nothing 34
HTAccess file
• The .htaccess file affects the directory in which it is placed, so in this example any visitor requesting <URL:http://somewhere/somepath/> would be presented with an authentication request
• The .htaccess file also affects the directories recursively below it. Therefore, requesting <URL:http://somewhere.com/somepath/evenmore/> would yield the same authentication request unless ~/somepath/evenmore had a .htaccess file of its own
• The first line, starting with AuthUserFile, tells the web server where to find your username/password file; keep that file outside the document tree, or make sure the server refuses to serve .ht* files, so that the password file itself cannot be downloaded
• Notice that the AuthName in the example, "Somewhere.com's Secret Section", is used in the authentication request: the browser shows it in its login prompt 35
Creating the .htpasswd file
• To create a .htpasswd file, go to the directory you specified in AuthUserFile. In the example this is /mnt/web/guide/somewhere/somepath. Then use the htpasswd program with the -c switch to create .htpasswd in the current directory
• Type htpasswd -c .htpasswd username to create the file and add "username" as its first user. The program prompts you for a password, then asks again to verify it
• -c creates a new file, overwriting any existing one; to add further users to an existing file run htpasswd without -c 36
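The following added example (not from the deck, and not Apache's own code) shows what the server does with the file created above: it writes a .htpasswd line in the `{SHA}` format `htpasswd -s` produces, decodes the Authorization header the browser sends after the login prompt, and checks the credentials. The user name and password are constructed; `decode_basic` also makes the HTTPS point on the next slide concrete, since Basic authentication only base64-encodes the password, which any sniffer on a plaintext connection undoes.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed example user; not from the slides.
EXAMPLE_USER, EXAMPLE_PASSWORD = "username", "correct horse battery"


def sha_entry(user: str, password: str) -> str:
    """One .htpasswd line as `htpasswd -s` writes it: user:{SHA}base64(sha1(pw)).
    Unsalted SHA-1 is used because it is easy to follow; on a current Apache
    prefer `htpasswd -B` (bcrypt), which is salted and slow to brute-force."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """user -> stored hash; one user:hash pair per line, blank lines ignored."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            user, _, stored = line.partition(":")
            table[user] = stored
    return table


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the user fills in the AuthName prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """What is actually on the wire: base64 of 'user:password', not encryption.
    Anyone sniffing a plaintext HTTP connection recovers the password this way."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_basic_auth(authorization: str, table: Dict[str, str]) -> bool:
    """Server-side check of an Authorization header against the loaded file."""
    creds = decode_basic(authorization)
    if creds is None:
        return False
    user, password = creds
    stored = table.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash type this example does not handle
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
    # constant-time comparison so a wrong guess cannot be timed
    return hmac.compare_digest(stored[len("{SHA}"):], expected)
```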
What is HTTPS?
• Secure HTTP
• Essentially HTTP carried over SSL/TLS (conventionally on port 443): the client and server negotiate a session and the HTTP request and response travel encrypted inside it, so a packet sniffer sees only ciphertext, and the server's certificate lets the client check who it is talking to 37
SOAP Message
    <?xml version='1.0' ?>
    <env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
      <env:Header>
        ...
      </env:Header>
      <env:Body>
        ...
      </env:Body>
    </env:Envelope>
• SOAP Envelope: defines the overall framework for representing the contents of the SOAP message and who will deal with it (intermediaries)
• Header: carries processing information, such as security tokens, much of it aimed at intermediaries
• Body: mandatory, contains the payload of the message, which is intended for the final SOAP receiver 38
Kerberos
• The most popular representative of secret-key authentication protocols is Kerberos, which was developed at MIT
• After the client and server have used Kerberos to prove their identities, they can also encrypt all of their communication to ensure data confidentiality and integrity
• Kerberos is commonly used in the middle tier within corporate networks
• Kerberos allows a principal to prove its identity to a server without sending authentication data (such as the password) that would allow an attacker to subsequently impersonate the principal 39
Kerberos
• The client application uses a secret key derived from the user's password as the basis of authentication. The secret key may also be stored on a hardware token (DES card) for stronger authentication, or be derived from a public-key certificate (PKINIT)
• To use the Kerberos security service, the client first sends the principal's identity to the authentication server (AS), which sends back a credential called a ticket-granting ticket (TGT)
• The reply has two encrypted parts: the TGT itself, encrypted under the ticket-granting service's key so the client can neither read nor alter it, and a session key encrypted under the principal's password-derived key, so that only the legitimate principal who possesses the correct password can recover the session key and use the TGT at a future time
• Because the AS answers before any proof of the password, an attacker who requests a TGT in someone else's name can guess that password offline against the encrypted part; Kerberos 5 pre-authentication (proving knowledge of the key in the request) closes this 40
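The AS exchange described on slides 39 and 40, simulated end to end as an added example (not from the deck, and not interoperable with a real KDC). The toy `seal`/`unseal` pair (HMAC-SHA256 keystream plus HMAC tag) and the PBKDF2 string-to-key function stand in for Kerberos's real encryption types and are assumptions of the example; the ticket fields and principal name are constructed. What it demonstrates is the structure: the password never goes on the wire, a wrong password simply fails to open the reply, the client cannot read the TGT, and the ticket-granting service can.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def string_to_key(password: str, principal: str) -> bytes:
    """Password -> long-term key. Real Kerberos uses per-etype string-to-key
    functions; PBKDF2 with the principal name as salt stands in for them here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) standing
    in for a Kerberos encryption type. Illustrative only."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthenticationServer:
    """The AS half of the KDC: knows every principal's long-term key and the
    ticket-granting service's key (the krbtgt key)."""

    def __init__(self) -> None:
        self.principals: Dict[str, bytes] = {}
        self.tgs_key = os.urandom(32)

    def enroll(self, principal: str, password: str) -> None:
        self.principals[principal] = string_to_key(password, principal)

    def as_exchange(self, as_req: Dict[str, str]) -> Dict[str, bytes]:
        """AS-REQ carries only the principal name. AS-REP carries
        (1) the TGT, sealed under the TGS key so the client cannot read or alter it,
        (2) the session key, sealed under the principal's password-derived key.
        No pre-authentication is done here, so anyone can obtain part (2) for any
        name and guess the password offline; real deployments require pre-auth."""
        principal = as_req["cname"]
        if principal not in self.principals:
            raise KeyError("unknown principal")
        session_key = os.urandom(32)
        expires = int(time.time()) + 8 * 3600
        tgt = seal(self.tgs_key, json.dumps(
            {"cname": principal, "key": session_key.hex(), "expires": expires}).encode())
        enc_part = seal(self.principals[principal], json.dumps(
            {"key": session_key.hex(), "expires": expires}).encode())
        return {"tgt": tgt, "enc_part": enc_part}


def client_login(kdc: AuthenticationServer, principal: str, password: str) -> Tuple[bytes, bytes]:
    """Client side: the password never leaves the machine, it only unlocks the
    reply. A wrong password raises ValueError because the seal does not verify."""
    rep = kdc.as_exchange({"cname": principal})
    enc = json.loads(unseal(string_to_key(password, principal), rep["enc_part"]))
    return bytes.fromhex(enc["key"]), rep["tgt"]


def tgs_open_ticket(kdc: AuthenticationServer, tgt: bytes) -> Dict[str, object]:
    """What the ticket-granting service sees when the client later presents the TGT."""
    return json.loads(unseal(kdc.tgs_key, tgt))
```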
Token-based authentication
• With token-based systems the user must possess a physical token that plays some part in the authentication process, which makes this approach much stronger than passwords by themselves: a captured password is useless without the token, and the value the token produces is good only once or for a short period
• Tokens are more expensive and complex to implement than IDs and passwords. Typically the token displays a value that must be verified by an authentication server; the value is computed from a secret shared with that server and a counter or the time of day
• Examples of tokens include CRYPTOCard and RSA SecurID 41
Security methods in Web Services
• XML Security (XML Signature and XML Encryption)
• WS-Security
• XML Encryption
• SAML (Security Assertion Markup Language) 42
Points to remember when designing web servers
• Authentication: SSL for transport-layer authentication; WS-Security (e.g. with Kerberos tokens) for message-based authentication
• Authorisation: once the user is authenticated, the next step is to find out whether they are allowed to access the resource they are requesting
• Integrity: the guarantee that the message has not been tampered with in transit; IPSec and SSL/TLS provide it per connection, XML Signature (WS-Security) per message 43
Points to remember when designing secure web servers
• Confidentiality: XML Encryption, SSL/TLS, IPSec
• Auditing: the ability to write an audit trail is important for any security system
• Administration: managing the security policy
• Availability: protecting the service against unwanted message storms (flooding) 44
Recovering from an attack
• If you abruptly kill the intruder's connection into the machine, he will suspect that you are on to him
• Alternatively, it is difficult to sit and watch someone hacking your system
• Depending on your time and resources you could set up a dummy machine (a honeypot) to trick the intruder into thinking he is still undetected
• This machine would be identical to the real one but contain no sensitive data
• This helps you trace the intruder even if he tries to masquerade, and preserves the evidence (logs, disk images) you will need; in any case take copies of these before the compromised host is cleaned up or rebuilt 45