Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Published byLindsay Robinson Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts."— Presentation transcript:

1 Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts to total trust of all insiders and total mistrust of outsiders, where the firewall defines the boundary.”

2 2 Outline Requirements vs. the current architecture constrains. Proposed solution. Security assessment of the proposed solution. Conclusion. Questions.

3 3 Requirements Access to the internal web server from outside of the firewall boundary. Proposed solution should not involve –changes to the firewall configuration on the network or... –changes to the firewall policies

4 4 Environment Firewall –“[Inside user] …can establish TCP connection to hosts outside the firewall on any port, while inbound connections are tightly restricted.” –“[Firewall] … tears down inactive connections every 15 min.” DWT (dumb Web Terminal) –“We strive to treat the DWT as “untrusted” as possible”

5 5 Possible of the shelf solutions Telnet or text-based browser such as Lynx –Disadvantage: HTML travels in plain text over the network No support for multimedia Tunneling protocols (IPSpec, SSLtelnet). –Disadvantage: requires advance access to the remote client browser settings and computer settings.

6 6 Architecture Internet DWT Proxy Authentication Server Web Server Firewall

7 7 Proxy PushWeb Absent DWT Web Server Firewall Control Connection Data Connection Web Request Web Reply Web Request Web Reply

8 8 Authentication and Security User Authentication –Hash Chaining –User has to re-enter password every 20 minutes Connection Confidentiality –HTTP over SSL - Secure Socket Layer.

9 9 Proxy PushWeb Absent DWT Web Server Firewall Control Connection Data Connection Web Request Web Reply Web Request Web Reply SSL Session

10 10 Connection Confidentiality After the user was successfully authenticated the PushWeb establishes the SSL connection to the DWT. The SSL on the Server is configured to restrict the set of ciphers supported only to those that provide USA domestic-quality encryption.

11 11 Security Assessment Compromise of Absent –DoS attack - not preventable –Eavesdrop on the user session - SSL prevents it. –Replay attack - SSL makes it almost impossible. –Spoofing - user must check SSL certificate. –Obtain root on PushWeb or access the internal web: data cannot be moved over control connection the same effort as from any other outside host

12 12 Security Assessment (Continued) Compromise of PushWeb –PushWeb has limited access rights on the network –No other services are available from the PushWeb –No user data stored on the PushWeb

13 13 Conclusion The solution achieved its goal: –No changes were required to the network infrastructure –The system provides “...internal Web access from sites such as terminal rooms and Internet cafes.” The system is using well tested protocols - one time password and SSL, but “… protocol composition is a very hard problem and has led to security problems in the past.”

14 14 Questions To overcome the firewall policy authors used PushWeb / Absent configuration. Is there any security gain in connecting through Absent machine as oppose to connecting straight through a firewall? If there is a gain, than against what type of attacks? Internet DWT SSL Web Server Firewall PushWeb Absent

Download ppt "Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
A Survey Of Web Security Aviel D. Rubin Daniel E. Geer Jr. “...with an internationally connected user network and rapidly expand Web functionality, reliability.

A Survey Of Web Security Aviel D. Rubin Daniel E. Geer Jr. “...with an internationally connected user network and rapidly expand Web functionality, reliability.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Remote Networking Architectures

Remote Networking Architectures

Similar presentations

Ads by Google