Securing and Sharing Files Over The Internet (Content Server Security) By Amihay Schwarz Instructor: Viktor Kulikov Software System Laboratory Department.

Presentation transcript:

Securing and Sharing Files Over The Internet (Content Server Security) By Amihay Schwarz Instructor: Viktor Kulikov Software System Laboratory Department of Electrical Engineering Technion - Israel Institute of Technology

Motivation
The fast growth in information compels us to find ways to store and share our files, sometimes sensitive ones, with others. The most convenient way to share files today is over the Internet, but the Internet conceals many security holes, and one's sensitive information may reach unwanted hands.

The solutions in the project
- One can store his files on a content server.
- One can access his files from anywhere, at any time.
- One can grant others permission to fetch his files.
- Only permitted persons can fetch one's files.
- The storing and sharing process is secured.
- The project also takes the commercial aspect into account and provides commercial solutions.

Security
A number of overarching principles apply in the implementation:
- Adopt the principle of least privilege.
- Use defense in depth.
- Don't trust user input.
- Use secure defaults.
- Don't rely on security by obscurity.
- Check at the gate.
- Assume external systems are insecure.
- Reduce surface area.
- Fail to a secure mode.
- Remember you are only as secure as your weakest link.
- If you don't use it, disable it.

Security
The solution makes use of four key security concepts:
- Authentication. Positively identifying the clients of the application.
- Authorization. Defining what authenticated clients are allowed to see and do.
- Secure communications. Ensuring that messages remain private and unaltered as they cross networks.
- Gate keepers. Ensuring that the network entities can be accessed only from allowed network elements.

The three layers model

Project High Level Design
The project is divided into 4 entities:
- Web application, which receives requests from the client and forwards them to the "Brain".
- Application server, which serves as the "Brain" of the solution.
- Mail application, which is responsible for sending mail.
- Database.

Interfaces
The 4 entities communicate using the following interfaces:
- FileManageIfc: store file, get files, send file…
- UserProvisionigIfc: register, login, password recovery…
- ServiceCredentialIfc: serializable class that holds the credentials of the service that performs the request.
- MailingIFC: send mail.

Technologies in use
- Microsoft .NET
- .NET Remoting
- .NET Web application
- .NET Windows application
- SQL Server 2005
- Active Directory

.NET Remoting
How does it work? .NET Remoting gives us an abstraction for RMI that we can use. First we define the remote object we want to invoke. Then we connect this object to Remoting through the Remoting APIs, and the .NET abstraction does all the work.

Transport channels
There are several transport channels:
- HttpChannel. This channel is designed to be used when you host a remote object in ASP.NET. It uses the HTTP protocol to send messages between the client and the server.
- TcpChannel. This channel is designed to be used when you host a remote object in a Microsoft Windows operating system service or other executable. It uses TCP sockets to send messages between the client and the server.
- Custom channels. A custom transport channel can use any underlying transport protocol to send messages between the client and the server. For example, a custom channel may use named pipes or mail slots.
I decided to use the TcpChannel because it's the most reliable and it can be easily secured.

Code securely
The remote object binaries are located both in the proxies and in the application layer. In the front ends only the interface declaration binaries are located, so even if someone breaks into the front end he will not have the implementation. Only in the back ends do the remote object binaries contain the implementation.

Security
A lot of effort was invested in this project in order to make it secure. One of the project goals was to assimilate Microsoft's security technology and work according to its guidelines. As stated before, the solution makes use of four key security concepts:
- Gate keepers. Ensuring that the network entities can be accessed only from allowed network elements.
- Secure communications. Ensuring that messages remain private and unaltered as they cross networks.
- Authentication. Positively identifying the clients of the application.
- Authorization. Defining what authenticated clients are allowed to see and do within the application.

Security - Content Web Site
1. Gate-keeper: only HTTPS transport

|      | In              | Out  |
|------|-----------------|------|
| IP   | All             | None |
| Port | HTTPS (TCP 443) | None |

2. Secure Communications
- TLS transport
- Server certificates

Security - Content Web Site cont`
3. Authentication
ASP.NET authentication modes include Windows, Forms, Passport and None. The solution uses Forms authentication as its authentication mode for the following reasons:
- Using Windows or Passport authentication would force us to provision the user to the AD or to Microsoft Passport, respectively. We want the user to use the provided service for provisioning.
- The authentication itself is done against the user's records in the Content Server.
The authentication uses basic authentication (comparing user name and password against the DB). Because we are using TLS and all the data sent to the server is encrypted, working with basic authentication is allowed.
The user's password is not stored explicitly in the DB. Instead, an MD5 hash of the password is stored there. Even if someone breaks into the DB, he will not be able to use the stolen passwords because the FE sends the hashed password to the content server.
If the user is inactive for 5 min, his session expires and he is redirected to the login page.
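An added example (Python, not the project's .NET code) that puts the storage scheme from this slide next to a salted PBKDF2 variant, to show what each stored value protects if the DB is read. The function names, the sample password and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune it to your hardware

def legacy_record(password: str) -> str:
    """Slide's scheme: the DB stores an unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def legacy_login(stored_md5: str, sent_by_front_end: str) -> bool:
    """The front end sends the MD5, so the server can only compare hashes:
    whatever equals the stored column is accepted as the credential."""
    return hmac.compare_digest(stored_md5, sent_by_front_end)

def new_record(password: str) -> dict:
    """Hardened form: the password arrives over TLS and the server
    derives a slow hash with a random per-user salt."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": derived}

def verify(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])

def compare_schemes(password: str = "constructed-Passw0rd") -> dict:
    """Summarise what a reader of each table would hold (constructed input)."""
    a, b = legacy_record(password), legacy_record(password)
    rec1, rec2 = new_record(password), new_record(password)
    return {
        "legacy_same_hash_for_same_password": a == b,
        "legacy_stored_value_logs_in": legacy_login(a, a),
        "salted_same_hash_for_same_password": rec1["hash"] == rec2["hash"],
        "salted_stored_value_logs_in": verify(rec1, rec1["hash"].hex()),
        "salted_password_logs_in": verify(rec1, password),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```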

Security - Content Web Site cont`
4. Authorization
The user is authorized to use the main page for manipulating his files only after authentication. In each transaction triggered by the user, the web site takes the encrypted user ID from his session cookie and decrypts it. This way we can rest assured that the user's real credentials are used.
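An added example (Python, not the project's code) of a session value that carries the user ID and the 5-minute inactivity limit from the previous slide. It uses an HMAC rather than the encryption the slide mentions, because the property the slide relies on is that the client cannot alter the ID; the key, token layout and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

IDLE_TIMEOUT = 5 * 60            # the slide's 5-minute inactivity limit
KEY = b"constructed-demo-key"    # constructed; keep the real key in protected config

def encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")

def tag(payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload; only the server knows KEY."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def issue(user_id: str, now=None) -> str:
    """Build 'payload.mac' where payload = user_id|last-activity timestamp."""
    stamp = int(time.time() if now is None else now)
    payload = f"{user_id}|{stamp}".encode("utf-8")
    return encode(payload) + "." + encode(tag(payload))

def check(token: str, now=None):
    """Return (user_id, refreshed_token), or None if the token is
    malformed, altered, or idle for longer than IDLE_TIMEOUT."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:                       # wrong shape or bad base64
        return None
    if not hmac.compare_digest(mac, tag(payload)):
        return None                          # altered ID or timestamp: fail closed
    user_id, stamp = payload.decode("utf-8").rsplit("|", 1)
    current = int(time.time() if now is None else now)
    if current - int(stamp) > IDLE_TIMEOUT:
        return None                          # caller redirects to the login page
    # Sliding window: each valid request resets the inactivity clock.
    return user_id, issue(user_id, current)
```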

Security - Application server
1. Gate-keeper: only allowed services.

|      | In               | Out            |
|------|------------------|----------------|
| IP   | Front ends list  | Mail Server IP |
| Port | TCP              |                |

2. Secure Communications
The solution uses the .NET Remoting security.

Security - Application server
3. Authentication
In this stage we authenticate the service that performs the action. The client authentication is done in his login phase. Each remote method that the Application Server exposes receives a ServiceCredentialsIfc argument, in which the service puts its service ID and password. The Application Server authenticates the service by basic authentication against database records.
4. Authorization
- Service authorization: once the service is authenticated, it is authorized to perform actions on the remote interface.
- User authorization: the user is only authorized to perform actions on his files. Authorization to get others' files is checked against invitations from others.
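An added example (Python, not the project's code) of the user authorization rule above: owners act on their own files, and another user's file can be fetched only with an invitation. The in-memory tables, action names and sample users are constructed for the illustration.

```python
from dataclasses import dataclass, field

OWNER_ACTIONS = {"download", "delete", "invite"}
GUEST_ACTIONS = {"download"}      # an invitation grants fetching only

@dataclass
class FileStore:
    owners: dict = field(default_factory=dict)      # file_id -> owner user_id
    invitations: set = field(default_factory=set)   # (file_id, invitee user_id)

    def authorize(self, user_id: str, action: str, file_id: str) -> bool:
        """user_id must come from the authenticated session,
        never from a field the client can set in the request."""
        owner = self.owners.get(file_id)
        if not user_id or owner is None:
            return False                            # anonymous or unknown file
        if user_id == owner:
            return action in OWNER_ACTIONS
        if (file_id, user_id) in self.invitations:
            return action in GUEST_ACTIONS
        return False                                # default deny

    def invite(self, user_id: str, file_id: str, invitee: str) -> None:
        if not self.authorize(user_id, "invite", file_id):
            raise PermissionError("only the owner may invite")
        self.invitations.add((file_id, invitee))

    def delete(self, user_id: str, file_id: str) -> None:
        if not self.authorize(user_id, "delete", file_id):
            raise PermissionError("only the owner may delete")
        del self.owners[file_id]
        # Drop grants with the file so a reused file_id inherits no old invitations.
        self.invitations = {i for i in self.invitations if i[0] != file_id}

def demo() -> FileStore:
    """Constructed sample data: alice owns f1 and invites bob; bob owns f2."""
    store = FileStore(owners={"f1": "alice", "f2": "bob"})
    store.invite("alice", "f1", "bob")
    return store
```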

Security – Data Base
1. Gate keeper

|      | In                 | Out  |
|------|--------------------|------|
| IP   | Application server | none |
| Port | TCP 1433           | none |

2. Secure Communications
Not needed, because it is in the internal network.

Security – Data Base cont`
3. Authentication
A DB user will be added. This user will be the user that runs the application server, so the authentication is done by LDAP.
4. Authorization
This user will only be authorized to perform logical actions on the schema.

Application Server Class Diagram

DB Tables Relations

U.Cs Diagrams

1. Client connection negotiation

1. Client connection negotiation cont` Taken from

2. Client accessing web server

3. New Client Registration

4. Uploading files

5. Deleting files

6. Downloading a file

7. Send file download invitation

8. Download a file from a friend

Thank you.