Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Introduction (Some of the slides were adapted from Oppliger’s online slides at

Published byAlison Lane Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Security Introduction (Some of the slides were adapted from Oppliger’s online slides at"— Presentation transcript:

1 Web Security Introduction (Some of the slides were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.) http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm

2 Web Security2 Chapter 1 Internet WWW Terms: –vulnerabilities, threats, countermeasures Generic security model –Security policy –Host security –Network security –Organizational security –Legal security

3 Web Security3 Internet Has seen dramatic growth since 1995 Has evolved from the collegial inter- network for researchers in the 70s and 80s into today’s global Internet for … –Fun –Commercial transactions –Education –… Has seen all types of security breaches …

4 Web Security4 Internet The Internet has become a popular target to attack (the number of security breaches has in fact escalated more than the growth rate of the Internet) Security problems receive public attention Examples –Internet Worm (e.g., Robert T. Morris, Jr. in 1988) –Password sniffing (1994) –IP spoofing and sequence number guessing (e.g., Kevin Mitnick in 1995) –Session hijacking –(Distributed) denial-of-service attacks (since 1996)

5 Web Security5 DOS via Syn Flood A: the initiator; B: the destination TCP connection multi-step –A: SYN to initiate –B: SYN+ACK to respond –C: ACK gets agreement Sequence numbers then incremented for future messages –Ensures message order –Retransmit if lost –Verifies party really initiated connection

6 Web Security6 Internet Protocols

7 Web Security7 WWW The Web Based on the HTTP protocol An application-level protocol HTTP is a simple request/response protocol Lightness and speed necessary for distributed, collaborative, hypermedia information systems A stateless protocol

8 Web Security8 HTTP & History of the WWW  [HTTP 1991] The Original HTTP as defined in 1991The Original HTTP as defined in 1991  [HTTP 1992] Basic HTTP as defined in 1992Basic HTTP as defined in 1992  [HTTP 1996] RFC1945: Hypertext Transfer Protocol -- HTTP/1.0. Informational. RFC1945  [HTTP 1999] RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. RFC2616  [irt.org 1998] WWW – How It All Began.WWW – How It All Began  [isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.A Brief History of the Internet

9 Web Security9 HTTP  can be used for many tasks, such as name servers and distributed object management systems, through extension of its request methods  Its data typing feature allows systems to be built independently of the data being transferred.

10 Web Security10 Current Trends Web services are being designed and deployed on the WWW. –Centered around the XML protocol –Example initiatives: MS.NET Sun ONE (Open Net Environment) –Protocols: WSDL, SOAP, UDDI, …

11 Web Security11 Web Services

12 Web Security12 Some terminology Vulnerability –A weakness that can be exploited Threat –A circumstance, condition, or event that may violate a system’s security by possibly exploiting the systems vulnerabilities Control (or Countermeasures) –a feature, function, tool, or mechanism that either reduces a system’s vulnerabilities or counters its threat(s)

13 Web Security13 Sample Controls Firewalls VPN SSL / TLS S / MIME Kerberos …

14 Web Security14 The Bigger Picture Security in any system, including Web Security, encompasses many aspects. –Policies –Technical Network security Host security –Non-technical Organizational Legal

15 Web Security15 Policies High-level statements of what are allowed and what are not allowed Example policy statements –“Any access from the Internet to intranet resources must be strongly authenticated and properly authorized.” –“Any classified data must be properly encrypted for transmission.” Policies are enforced by the overall architectural design and various mechanisms.

16 Web Security16 Host Security User authentications Access control (to resources) Secure storage of data Secure processing of data Audit trail

17 Web Security17 Network Security The security of the underlying network is critical to assure the security of networked applications, including Web and other Internet applications. A security breach that occurs at a lower layer (e.g., ICMP) may result in major problem at a higher layer (e.g., DOS attack at the Web server).

18 Web Security18 Services vs Mechanisms Example security services –Authentication, confidentiality of data, data integrity, access control, non-repudiation, … Example security mechanisms –Passwords for user authentication –Biometrics for user authentication –RSA encryption for data confidentiality –Digital signature for … –Routing control –firewalls –…

19 Web Security19 Organizational Security Security is also a people problem. In fact, human behavior is still the most important factor with regard to security and safety. Human behavior may be influenced by religion, ethics, education, or organizational security controls. Organizational security controls include directions/instructions that define legitimate human behavior and operational procedures in the organization.

20 Web Security20 Legal Security As a last resort: to legally prosecute the attacker(s) Need support and evidence provided by the various security services Example: non-repudiation of an e-contract

Download ppt "Web Security Introduction (Some of the slides were adapted from Oppliger’s online slides at"

Similar presentations

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
E-Business Risks Chapter Seven. E-Business Models EDI Web pages The online environment Distributed e-business and intranets Supply chain linkage Collaborative.

E-Business Risks Chapter Seven. E-Business Models EDI Web pages The online environment Distributed e-business and intranets Supply chain linkage Collaborative.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
SECURITY ISSUES IN NETWORKS WITH INTERNET ACCESS PRESENTED BY Sri Vallabh Aida Janciragic Sashidhar Reddy.

SECURITY ISSUES IN NETWORKS WITH INTERNET ACCESS PRESENTED BY Sri Vallabh Aida Janciragic Sashidhar Reddy.
Chapter 1 – Introduction

Chapter 1 – Introduction
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
IP Spoofing, CS2651 IP Spoofing Bao Ho ToanTai Vu CS 265 - Security Engineering Spring 2003 San Jose State University.

IP Spoofing, CS2651 IP Spoofing Bao Ho ToanTai Vu CS Security Engineering Spring 2003 San Jose State University.
Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not.

Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Similar presentations

Ads by Google