Security fundamentals Topic 8 Securing network applications.


1 Security fundamentals Topic 8 Securing network applications

2 Agenda
Network applications
Web servers
Web browsers
FTP
NNTP
File sharing
Databases
Directory services
DNS
DHCP

3 Securing network applications
Application layer attacks establish connections that look like legitimate network traffic at the lower layers
Attacks on common network applications, including:
– Web servers and browsers
– Databases
– Directory services
– DNS and DHCP servers

4 Web server security
Secure the web server software – Apache® or Microsoft® IIS
Secure the underlying OS
Secure the web pages and web applications
Authentication and encryption

5 Common web server attacks
Attacks that use sample applications and administrative scripts (installed by default) and remote administration scripts
Attacks that depend on default configurations, eg a directory traversal attack to gain access to OS files from the default install path of C:\inetpub\wwwroot (keep web content off the system drive)
Attacks that take advantage of poor web design:
– Exposing admin functionality via a web page
– Allowing users to send open queries against a database
– Hard coding SQL Server paths
Attacks that take advantage of software flaws:
– Flaws in server code
DoS attacks:
– Sending HTTP commands that overwhelm the service
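The directory traversal attack above works when a server maps the request path onto the filesystem without checking where it ends up. The following is an added example (not part of the slides) of the standard server-side check: decode, normalise, then refuse anything that resolves outside the content root. The root path and the request paths are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed content root; the slides recommend keeping web content off the system drive
WEB_ROOT = "/srv/www/htdocs"


def resolve_under_root(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path to a file under web_root, or return None if it escapes.

    The steps mirror what a web server must do before opening a file:
    1. percent-decode once, so "%2e%2e" is seen as ".."
    2. treat backslashes as separators (Windows-style "..\\" traversal)
    3. normalise away "." and ".." segments
    4. require the result to be web_root itself or something strictly inside it
    On a live server use realpath() as well, so symlinks cannot point outside the root.
    """
    decoded = unquote(url_path).replace("\\", "/")
    root = posixpath.normpath(web_root)
    # Strip leading slashes so the request is joined under root rather than replacing it
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None  # traversal attempt: refuse rather than serve a file outside the root


if __name__ == "__main__":
    # Constructed request paths: two legitimate, three traversal attempts
    for path in ["/index.html", "/img/../css/site.css",
                 "/../../Windows/win.ini", "/%2e%2e/%2e%2e/etc/hosts", "/..\\..\\boot.ini"]:
        print(f"{path!r:32} -> {resolve_under_root(path)}")
```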

6 Web server software security
Install the latest security updates to mitigate vulnerabilities
Disable or remove unneeded components – remove all components, modules, applications and web pages not required
Remove unused application mappings – if extensions are not used, remove them
Enable logging and secure the log files – set permissions on log files or move them to another computer
Limit the use of write, script and execute permissions so that files can't be uploaded to a folder and then run
Encrypt traffic between server and clients for confidentiality – protect from eavesdropping

7 Web server authentication
Basic authentication:
– Supported by almost all web servers and browsers
– Username and password transmitted in Base64 encoding (not encrypted)
– Use basic authentication if the session between the web server and browser is encrypted with SSL or IPSec
Digest authentication:
– Supported by recent versions of servers and browsers
– Does not send passwords over the network
– Check that all browsers support digest authentication
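To make the difference between the two schemes concrete, here is an added example (not from the slides) that recovers the credentials from a captured Basic header and computes the RFC 2617 Digest response, which is the only credential-derived value Digest sends. The header, realm, nonce and the "alice"/"Sup3rSecret" credentials are constructed; note that the server must then store HA1, which is itself password-equivalent, and that MD5 is weak by today's standards.

```python
import base64
import hashlib
import hmac

# Constructed capture of a Basic Authorization header as seen on an unencrypted link
CAPTURED_BASIC_HEADER = "Basic YWxpY2U6U3VwM3JTZWNyZXQ="


def basic_credentials(header_value: str) -> tuple:
    """Recover username and password from a Basic Authorization header.

    Base64 is a reversible encoding, not encryption, so an eavesdropper does
    exactly this; hence the rule that Basic is only acceptable over SSL/IPSec.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 from RFC 2617: what the server stores instead of the cleartext password."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """The 'response' value the client sends (no-qop form); the password never leaves the client."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server-side check: recompute from the stored HA1 and compare in constant time."""
    return hmac.compare_digest(digest_response(stored_ha1, method, uri, nonce), response)


if __name__ == "__main__":
    print("Basic header reveals:", basic_credentials(CAPTURED_BASIC_HEADER))
    ha1 = digest_ha1("alice", "intranet", "Sup3rSecret")          # constructed credentials
    print("Digest exchange reveals only:", digest_response(ha1, "GET", "/private/", "n0nce-0001"))
```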

8 Web server authentication
Certificate-based authentication
– Part of the SSL standard and supported by most browsers; requires a PKI infrastructure and distribution of certificates to clients
Integrated authentication
– Microsoft web servers and browsers only – the user is authenticated to the web server using current logon credentials and is not prompted again
Forms-based authentication
– User enters credentials into a form on a web page
– Access to the web site is controlled by a cookie that the web server sends to the client and the client presents to the server when accessing web pages
– No standards

9 Web server security
Applications that run on a web server:
– Consist of multiple web pages and other components that process requests from clients
– Application developers need to apply security principles in designing and coding

10 Buffer overflows
An application requests a buffer to hold temporary data, and space in RAM is allocated. Applications can write to and read from this buffer.
A buffer overflow occurs when a program tries to store more data in the buffer than it is allocated to hold.
If the application runs at a low privilege level the OS denies the request and an error occurs.
If the data is allowed to be written to the buffer it can result in a web server/OS crash, damage to files, changes to data, acquisition of confidential data or execution of code that disables security features.
Code should be written with proper error handling and secure coding, such as:
– Run programs under the least privileged account possible
– Use compilers that identify common security errors
– Design the program to check all user input for validity so users can't send improper data or overly long strings

11 CGI and ASP
Common Gateway Interface (CGI)
– Standard for transferring data from a web server to a program running on the web server, eg data input, search and retrieval services for databases
– Uses any programming language
Active Server Pages (ASP) – Microsoft®
– For including dynamic content on web pages
– Uses VBScript or JavaScript

12 Common CGI and dynamic scripting attacks
Running a CGI program over and over again from multiple web browsers, causing DoS by starting multiple processes
Exploiting default CGI or ASP programs that ship with the web server
Exploiting free or popularly available CGI or ASP programs – find a flaw and create an exploit
Sending invalid data to a CGI or ASP program – an attempt to create a buffer overflow
Exploiting hidden fields in CGI programs, which are used to pass data between web pages and the client browser and could be modified before being returned to the server
Using Server Side Includes (SSIs) to compromise scripts – SSIs are used to include content from a document or output from a program on a web page – if implemented incorrectly they can allow an attacker to view the content of scripts or run unauthorised programs

13 Protection for CGI and ASP
The CGI directory requires Read and Execute permissions – do not allow write permissions
Limit the use of CGI and ASP
Limit CGI and ASP to specific directories and set minimum permissions
Run with least privileges
Remove all default and sample programs
Check all web applications for security vulnerabilities (www.securityfocus.com)
Have the CGI program check the validity of all user input data – don't rely on client side validation
Disable SSIs
Choose web directories carefully – don't put the web server root and OS files on the same disk
Place web servers in a perimeter network (DMZ)

14 Connection security
Secure HTTP communications by using encryption: SSL or TLS (https://)
SSL and TLS allow a web browser to identify a web server based on information in the web server's certificate, and to encrypt the session between the web server and the web browser
The web server must be configured to accept secure connections and have a web server certificate installed

15 SSL/TLS services provided
Authentication of the server to the client
– The name in the certificate used by the web server must match the name of the web site
– The client trusts the certificate if it has been issued by a CA that chains to a root that the client trusts
Negotiation of a common cryptographic algorithm
– Client and server agree on an encryption algorithm that they both support
Authentication of the client to the server
– Capability to authenticate clients by using client certificates
– Rarely used by public web servers
Public key encryption to create a shared secret
– SSL/TLS use asymmetric encryption to create a shared secret, which is used to symmetrically encrypt the transferred data
– Hashing is also used to prevent tampering

16 Securing web browsers
Challenging because it depends on users
Active content
– Downloadable content that can be executed
– More interactive, as it runs processes on the client computer
– Can be dangerous, as it can be used as a tool to run malicious content
Types of active content: Java® Applets, Microsoft® ActiveX controls, JavaScript, MS VBScript
Java® Applets
– Small self-contained programs that can be run on most client browsers; referenced from within a web page with the APPLET tag
– Loads the source code, which is run by the Java® Virtual Machine on the client side
– Java® programs are limited in how they interact with the OS and what parts of the OS they can access – sandboxed

17 Securing web browsers
JavaScript/VBScript/PHP
– Embedded inside an HTML page and read by a client browser
– Exploits have been written using JavaScript that allow access to the command prompt and file system
– Configure the browser to selectively allow JavaScript to be enabled on chosen websites
Microsoft® ActiveX:
– Microsoft® technology that can interface with other programs, receive user input and provide useful services to users
– Potentially dangerous, as ActiveX has fewer limitations than JavaScript
– Configure the browser to prompt before downloading ActiveX controls
– Monitor security sites for vulnerabilities and stay current with security updates

18 Signing active content
Check for digital signatures before active content is installed
The user decides whether to trust the author or not
Authenticode:
– Microsoft® technology that checks for digital signatures before downloading ActiveX components
– Sun has a component that does the same task for Java® Applets
The user is made aware that an applet or ActiveX control is about to be installed
A digital signature check verifies that there has been no tampering
The user must decide whether the publisher is trustworthy

19 Security settings
Consider centralised management of browser settings
Internet Explorer Administration Kit (IEAK)
– Allows you to configure multiple settings and roll them into an install package
Training for users to understand what they are downloading
Consider:
– Restricting active content – download active content only from websites you trust
– Using an online virus checker to monitor files downloaded via the browser
– Configuring digital certificate checking to verify identity and check the integrity of downloaded active content

20 Privacy settings
Controlling what user information a web site can gather while the user is connected
Training for users regarding privacy issues and the corporate security policy
Cookies
– Allow web sites to store a small amount of data on a user's computer. Cookies are widespread and many sites do not function correctly if cookies are not supported by the browser
– Cookies can increase web site functionality or they can be used to compromise a user's privacy
– Cookies can contain authentication information
– Cookies might be read by other websites to gain information about previous web sessions
– Some web sites send information in cookies to third party advertising web sites

21 Privacy settings
Protection
– Configure privacy settings to let you decide which sites cookies are accepted from
– Do not configure a web server to rely on information stored in a client's cookies to control access to resources
– Do not store sensitive information in cookies, such as authentication data or bank account codes
– Use SSL/TLS to protect the information inside cookies where appropriate
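Both the hidden-field attack on slide 12 and the cookie rule above come down to the same mistake: the server trusts state that the client held and could edit. The following is an added example (not from the slides) of the minimum defence when such state must round-trip through the client: an HMAC tag that lets the server detect any alteration. The key, the state dictionary and the tampering are all constructed; the payload stays readable, so sensitive data still belongs server-side, referenced by an opaque session id.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed server-side key; a real deployment generates it randomly and never sends it to clients
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Build a cookie or hidden-field value: base64(JSON) plus an HMAC-SHA256 tag.

    Base64 is not encryption: the client can read the payload, so it must not
    carry secrets. The tag only lets the server notice that it was changed.
    """
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_state(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the state only if the tag verifies; None means altered, forged or malformed."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def tampered_token(token: str, new_state: dict) -> str:
    """Constructed tampering: a client edits the payload but can only keep the old tag."""
    _, _, tag = token.rpartition(".")
    payload = base64.urlsafe_b64encode(json.dumps(new_state, sort_keys=True).encode()).decode()
    return f"{payload}.{tag}"


if __name__ == "__main__":
    issued = sign_state({"user": "alice", "role": "viewer"})
    print("server accepts original :", load_state(issued))
    print("server rejects edited   :", load_state(tampered_token(issued, {"user": "alice", "role": "admin"})))
```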

22 FTP security
Two basic types of FTP servers:
– Those requiring authentication (a username and password), and
– Those that allow anonymous FTP (log on as anonymous and use an email address as the password)
FTP is typically unencrypted, so authentication is subject to eavesdropping
Protection:
– Encrypt the connection between the client and the server with IPSec or a VPN
– Use an FTP client and server that support encryption at the application layer – Secure FTP or Kerberised FTP
– Anonymous unencrypted FTP is OK for public downloading only
– Grant permissions to read files only
– Configure FTP to provide a blind directory – users have permission to create files but not to view or download files – a drop-off point

23 NNTP security
Network News Transfer Protocol
NNTP does not have a built-in mechanism to encrypt data transmissions, so protect it behind IPSec or a VPN, or use a news server and client that support encryption
Training for users regarding disclosing confidential information

24 File sharing networks
File trading programs – illegal trade, copyright software, spread trojans
No legitimate use for file trading programs on corporate networks
Prohibit use of file trading programs in the security policy
– Prevent them from being installed
– Potential liabilities from copyright violation

25 Database security
Threats:
– Unauthorised deletion or modification of information
– Unauthorised disclosure of information
Vulnerabilities include:
– Software bugs and flaws
– Poorly designed applications
– Incorrect permissions
– Default configurations
– SQL injection – a user submits data to a database with embedded SQL commands and the data is not validated

26 Database security
Thoroughly test queries
– Check for correct results, the results of errors and the results of an unauthorised account running the query
Use stored procedures
– Don't build queries in HTML, ASP or PHP
– Use a stored procedure to prevent SQL injection
Configure authenticated access
– Do not allow unauthenticated connections; use the strongest authentication and check the password policy
Encrypt data transfers with SSL/TLS or a VPN
Block database ports at the firewall
Enable auditing and check logs
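An added example (not from the slides) that puts the injectable query next to its fixed form and also exercises the "results of errors" test the slide asks for. It uses an in-memory SQLite table with constructed rows; SQLite has no stored procedures, so parameter binding stands in for the code/data separation a parameterised stored procedure provides (a stored procedure that concatenates its arguments into SQL is still injectable).

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Query text built by concatenation: whatever the user typed is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver passes the input as a value, never as SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def run_query(fn, conn: sqlite3.Connection, name: str):
    """Run a lookup and report either its rows or the error class it raised.

    A stray quote in ordinary input (O'Brien) breaks the concatenated query,
    which is the 'results of errors' case the slide says to test for.
    """
    try:
        return fn(conn, name)
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for user_input in ["alice", "x' OR '1'='1", "O'Brien"]:   # constructed inputs
        print(f"{user_input!r:16} unsafe={run_query(lookup_unsafe, make_demo_db(), user_input)!s:22}"
              f" safe={run_query(lookup_safe, make_demo_db(), user_input)}")
```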

27 Directory services security
A directory service stores information about user accounts, computers and application data: ADS
LDAP is the protocol used to access directory services
Threats:
– Unauthorised access to information, including:
  Information about network infrastructure, servers and shared resources
  Confidential information – telephone numbers and payroll
  User credentials and cryptographic keys
– Unauthorised database modification, including:
  Changing permissions for future unauthorised access, eg change of admin password
  Change of user information such as pay levels

28 Directory services security
Configure permissions to access directory service data
Secure directory servers
– Physically secure domain controllers
Use encryption for LDAP communications – Secure LDAP
Configure strong authentication
– LDAPv2 with Kerberos v4 or LDAPv3 with SASL (Simple Authentication and Security Layer)
Block access to LDAP ports from the Internet on the firewall

29 DNS security
Threats to DNS include:
– Querying DNS servers – anyone can submit queries and gather information
– Performing zone transfers – an attacker can request a zone transfer and use the information to map the network
– Zone update spoofing – an attacker can spoof the address of the primary DNS server and send incorrect updates to the secondary DNS server
– DNS spoofing – an attacker can set up a DNS server that provides incorrect information to clients
– Dynamic DNS record spoofing – DDNS allows clients to update DNS records with their names and IPs – an attacker can use DDNS to overwrite or corrupt records
– DNS cache poisoning – attackers insert incorrect information into the cache of DNS servers, which then return the wrong information

30 DNS security
Use a split DNS design
– Separate your publicly accessible DNS servers from the internal DNS servers
Restrict information in DNS
– Limit the amount of additional information – use a purpose-built email address for SOA records
Limit zone transfers
– Allow zone transfers only from specific secondary servers
Configure secure zone transfers
– BIND9 allows for zone transfer signing
Use secure dynamic updates
– Authenticate the identity of the computer attempting a zone transfer
Use secure DNS
– Clients can be sure they are using the correct DNS server
Prevent cache poisoning
– Ensure the latest updates are installed

31 DHCP security
Threats:
– Rogue DHCP server – an attacker uses an unauthorised or rogue DHCP server to allocate addresses – disruption and direction to incorrect destinations
– Gathering information about the network
– Most threats come from inside the network
DHCP security:
– Scan for rogue DHCP servers
– Configure static IP addresses for critical computers
– Restrict address leases by MAC address – a lot of work
– Block DHCP broadcasts from other segments

32 Lesson summary
Learned about the security issues and practices for common network applications and protocols, including web servers, web browsers, FTP, NNTP, file sharing, databases, directory services, DNS and DHCP.

