Security fundamentals Topic 8 Securing network applications.

Presentation transcript:

Security fundamentals Topic 8 Securing network applications

Agenda
Network applications: web servers, web browsers, FTP, NNTP, file sharing, databases, directory services, DNS, DHCP

Securing network applications
Application layer attacks establish connections that look like legitimate network traffic at the lower layers
Attacks on common network applications, including:
  – Web servers and browsers
  – Databases
  – Directory services
  – DNS and DHCP servers

Web server security
Secure the web server software – Apache® or Microsoft® IIS
Secure the underlying OS
Secure the web pages and web applications
Authentication and encryption

Common web server attacks
Attacks that use sample applications and administrative scripts (installed by default) and remote administration scripts
Attacks that depend on default configurations: e.g. a directory traversal attack to gain access to OS files from the default install path of C:\inetpub\wwwroot (keep web content off the system drive)
Attacks that take advantage of poor web design:
  – Exposing admin functionality via a web page
  – Allowing users to send open queries against a database
  – Hard coding SQL Server paths
Attacks that take advantage of software flaws:
  – Flaws in server code
DoS attacks:
  – Sending HTTP commands that overwhelm the service
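An added example, not part of the original slides, showing the server-side check that stops the directory traversal attack mentioned above: every request path is decoded, resolved against the document root and rejected if it lands outside it. The document root /srv/www/content and the request paths are constructed values.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for the demonstration; the slide's advice is to
# keep this on a drive other than the one holding the OS.
DOC_ROOT = os.path.realpath("/srv/www/content")


class TraversalRejected(Exception):
    """Raised when a request path would leave the document root."""


def resolve_request_path(doc_root, request_path):
    """Map a URL path onto the filesystem, rejecting anything outside doc_root.

    Decoding is done before the containment check so that percent-encoded
    dot segments (%2e%2e) and a second layer of encoding are caught too.
    """
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in request path")
    # Treat backslashes as separators (Windows servers do) and drop the leading slash
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(doc_root, relative))
    # realpath collapses '..' and symlinks; the result must still sit under doc_root
    if os.path.commonpath([doc_root, candidate]) != doc_root:
        raise TraversalRejected(f"{request_path!r} resolves outside the document root")
    return candidate


def is_safe_request(doc_root, request_path):
    """Boolean wrapper around resolve_request_path for quick checks."""
    try:
        resolve_request_path(doc_root, request_path)
        return True
    except TraversalRejected:
        return False
```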

Web server software security
Install the latest security updates to mitigate vulnerabilities
Disable or remove unneeded components – remove all components, modules, applications and web pages not required
Remove unused application mappings – if extensions are not used, remove them
Enable logging and secure the log files – set permissions on log files or move them to another computer
Limit the use of write, script and execute permissions so that files can't be uploaded to a folder and then run
Encrypt traffic between server and clients for confidentiality – protect from eavesdropping

Web server authentication
Basic authentication:
  – Supported by almost all web servers and browsers
  – Username and password transmitted in Base64 encoding (not encrypted)
  – Use basic authentication if the session between the web server and browser is encrypted with SSL or IPSec
Digest authentication:
  – Supported by recent versions of servers and browsers
  – Does not send passwords over the network
  – Check that all browsers support digest authentication

Web server authentication
Certificate-based authentication
  – Part of the SSL standard and supported by most browsers; requires a PKI infrastructure and distribution of certificates to clients
Integrated authentication
  – Microsoft® web servers and browsers only
  – User is authenticated to the web server using current logon credentials and is not prompted again
Forms-based authentication
  – User enters credentials into a form on a web page
  – Access to the web site is controlled by a cookie that the web server sends to the client and the client presents to the server when accessing web pages
  – No standard
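An added example (not from the original slides) contrasting the Basic and Digest schemes described above: the Basic token decodes straight back to the password, which is why it needs SSL/TLS or IPSec underneath, while Digest (RFC 2617 without qop) puts only an MD5 response on the wire and lets the server store H(A1) instead of the password. The username, password, realm and URI are constructed values.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials and realm (not from the original slides)
USERNAME = "alice"
PASSWORD = "s3cret-pw"
REALM = "intranet"


def build_basic_header(user, password):
    """Browser side of Basic authentication: the pair is only Base64 encoded."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def credentials_from_basic_header(header):
    """Whoever sees the header on an unencrypted session recovers the
    password with a single decode step."""
    token = header.split(" ", 2)[2]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """H(A1) = MD5(user:realm:password); the server can store this value."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest (no qop): response = MD5(HA1:nonce:HA2).
    The password itself never leaves the client."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


def server_verifies_digest(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored H(A1) and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo():
    """Run both schemes once; returns (basic leaks password, digest hides it, digest verifies)."""
    header = build_basic_header(USERNAME, PASSWORD)
    _, leaked_pw = credentials_from_basic_header(header)
    nonce = secrets.token_hex(16)  # server-chosen, fresh for every challenge
    resp = digest_response(USERNAME, REALM, PASSWORD, "GET", "/private/", nonce)
    ok = server_verifies_digest(digest_ha1(USERNAME, REALM, PASSWORD),
                                "GET", "/private/", nonce, resp)
    return leaked_pw == PASSWORD, PASSWORD not in resp, ok
```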

Web server security
Applications that run on a web server
  – Consist of multiple web pages and other components that process requests from clients
  – Application developers need to apply security principles in designing and coding

Buffer overflows
An application requests a buffer to hold temporary data, and space in RAM is allocated. Applications can write to and read from this buffer.
A buffer overflow occurs when a program tries to store more data in the buffer than it is allocated to hold.
If the application runs at a low privilege level, the OS denies the request and an error occurs.
If the data is allowed to be written to the buffer it can result in a web server/OS crash, damage to files, changes to data, acquisition of confidential data, or execution of code that disables security features.
Code should be written with proper error handling and secure coding, such as:
  – Run programs under the least-privileged account possible
  – Use compilers that identify common security errors
  – Design the program to check all user input for validity so users can't send improper data or overly long strings

CGI and ASP
Common Gateway Interface (CGI)
  – Standard for transferring data from a web server to a program running on the web server, e.g. data input, search and retrieval services for databases
  – Can use any programming language
Active Server Pages (ASP) – Microsoft®
  – For including dynamic content on web pages
  – Uses VBScript or JavaScript

Common CGI and dynamic scripting attacks
Running a CGI program over and over again from multiple web browsers, causing DoS by starting multiple processes
Exploiting default CGI or ASP programs that ship with the web server
Exploiting free or popularly available CGI or ASP programs – find a flaw and create an exploit
Sending invalid data to a CGI or ASP program – an attempt to create a buffer overflow
Exploiting hidden fields in CGI programs, which can be used to pass data between web pages and the client browser and could be modified before being returned to the server
Using Server Side Includes (SSIs) to compromise scripts – SSIs are used to include content from a document or output from a program on a web page – if implemented incorrectly they can allow an attacker to view the content of scripts or run unauthorised programs

Protection for CGI and ASP
CGI directory requires Read and Execute permissions – do not allow Write permissions
Limit use of CGI and ASP
Limit CGI and ASP to specific directories and set minimum permissions
Run with least privileges
Remove all default and sample programs
Check all web applications for security vulnerabilities
Have CGI check the validity of all user input data – don't rely on client-side validation
Disable SSIs
Choose web directories carefully – don't put the web server root and OS files on the same disk
Place web servers in a perimeter network (DMZ)

Connection security
Secure HTTP communications by using encryption: SSL or TLS
SSL and TLS allow a web browser to identify a web server based on information in the web server's certificate, and to encrypt the session between the web server and the web browser.
The web server must be configured to accept secure connections and have a web server certificate installed.

SSL/TLS services provided
Authentication of server to client
  – The name in the certificate used by the web server must match the name of the web site
  – The client trusts the certificate if it has been issued by a CA that chains to a root that the client trusts
Negotiation of a common cryptographic algorithm
  – Client and server agree on an encryption algorithm that they both support
Authentication of the client to the server
  – Capability to authenticate clients by using client certificates
  – Rarely used by public web servers
Public key encryption to create a shared secret
  – SSL/TLS use asymmetric encryption to create a shared secret, which is used to symmetrically encrypt the transferred data
  – Hashing is also used to prevent tampering

Securing web browsers
Challenging because it depends on users
Active content
  – Downloadable content that can be executed
  – More interactive as it runs processes on the client computer
  – Can be dangerous as it can be used as a tool to run malicious content
Types of active content: Java® Applets, Microsoft® ActiveX controls, JavaScript, MS VBScript
Java® Applets
  – Small self-contained programs that can be run on most client browsers; referenced from within a web page with the APPLET tag
  – Loads the source code, which is run by the Java® Virtual Machine on the client side
  – Java® programs are limited in how they interact with the OS and what parts of the OS they can access – sandboxed

Securing web browsers
JavaScript/VBScript/PHP
  – Embedded inside an HTML page and read by a client browser
  – Exploits have been written using JavaScript that allow access to the command prompt and file system
  – Configure the browser to selectively allow JavaScript to be enabled on chosen websites
Microsoft® ActiveX:
  – Microsoft® technology that can interface with other programs, receive user input and provide useful services to users
  – Potentially dangerous as ActiveX has fewer limitations than JavaScript
  – Configure the browser to prompt before downloading ActiveX controls
  – Monitor security sites for vulnerabilities and stay current with security updates

Signing active content
Check for digital signatures before active content is installed
User decides whether to trust the author or not
Authenticode:
  – Microsoft® technology that checks for digital signatures before downloading ActiveX components
Sun has a component that does the same task for Java® Applets
User is made aware that an applet or ActiveX control is about to be installed
Digital signature check to verify no tampering
User must decide whether the publisher is trustworthy

Security settings
Consider centralised management of browser settings
Internet Explorer Administration Kit (IEAK)
  – Allows you to configure multiple settings and roll them into an install package
Training for users to understand what they are downloading
Consider:
  – Restricting active content – download active content only from websites you trust
  – Using an online virus checker to monitor files downloaded via the browser
  – Configuring digital certificate checking to verify identity and check the integrity of downloaded active content

Privacy settings
Controlling what user information a web site can gather while the user is connected
Training for users regarding privacy issues and the corporate security policy
Cookies
  – Allow web sites to store a small amount of data on a user's computer. Cookies are widespread and many sites do not function correctly if cookies are not supported by the browser
  – Cookies can increase web site functionality or they can be used to compromise a user's privacy
  – Cookies can contain authentication information
  – Cookies might be read by other websites to gain information about previous web sessions
  – Some web sites send information in cookies to third-party advertising web sites

Privacy settings
Protection
  – Configure privacy settings to let you decide which sites cookies are accepted from
  – Do not configure a web server to rely on information stored in a client's cookies to control access to resources
  – Do not store sensitive information such as authentication data or bank account codes in cookies
  – Use SSL/TLS to protect the information inside cookies where appropriate

FTP security
Two basic types of FTP servers:
  – Those requiring authentication (a username and password), and
  – Those that allow anonymous FTP (log on as anonymous with a nominal password)
FTP is typically unencrypted, so authentication is subject to eavesdropping
Protection:
  – Encrypt the connection between the client and the server with IPSec or a VPN
  – Use an FTP client and server that support encryption at the application layer – Secure FTP or Kerberised FTP
  – Anonymous unencrypted FTP is OK for public downloading only
  – Grant permissions to read files only
  – Configure FTP to provide a blind directory – users have permissions to create files but not to view or download files – a drop-off point

NNTP security
Network News Transfer Protocol
NNTP does not have a built-in mechanism to encrypt data transmissions, so protect it behind IPSec or a VPN, or use a news server and client that support encryption
Training for users regarding disclosing confidential information

File sharing networks
File trading programs
  – Illegal trade, copyrighted software, spread of trojans
No legitimate use for file trading programs on corporate networks
Prohibit use of file trading programs in the security policy
  – Prevent them from being installed
  – Potential liabilities from copyright violation

Database security
Threats:
  – Unauthorised detection or modification of information
  – Unauthorised disclosure of information
Vulnerabilities include:
  – Software bugs and flaws
  – Poorly designed applications
  – Incorrect permissions
  – Default configurations
  – SQL injection – a user submits data to a database with embedded SQL commands and the data is not validated

Database security
Thoroughly test queries
  – Check for correct results, the results of errors and the results of an unauthorised account running the query
Use stored procedures
  – Don't build queries in HTML, ASP or PHP
  – Use a stored procedure to prevent SQL injection
Configure authenticated access
  – Do not allow unauthenticated connections; use the strongest authentication and check the password policy
Encrypt data transfers with SSL/TLS or a VPN
Block database ports at the firewall
Enable auditing and check logs
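An added example, not from the original slides, of the SQL injection vulnerability listed above and the fix the slides recommend. SQLite has no stored procedures, so the hardened version uses parameterised queries, which give the same separation of statement from user data; the user table and its rows are constructed sample data.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct-horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Query built by string concatenation, the pattern the slide warns against:
    the submitted text becomes part of the SQL statement and is never validated."""
    sql = (
        "SELECT role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, name, password):
    """Same lookup with placeholders: the driver passes the values separately
    from the statement, so submitted text is always data and never SQL."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def compare(name, password):
    """Run both login paths on the same input and return (vulnerable, parameterised)."""
    conn = make_demo_db()
    return login_vulnerable(conn, name, password), login_parameterised(conn, name, password)
```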

Directory services security
A directory service stores information about user accounts, computers and application data: ADS
LDAP is the protocol used to access directory services
Threats:
  – Unauthorised access to information including:
    Information about network infrastructure, servers and shared resources
    Confidential information – telephone numbers and payroll
    User credentials and cryptographic keys
  – Unauthorised database modification including:
    Changing permissions for future unauthorised access, e.g. change of admin password
    Change of user information such as pay levels

Directory services security
Configure permissions to access directory service data
Secure directory servers
  – Physically secure domain controllers
Use encryption for LDAP communications – Secure LDAP
Configure strong authentication
  – LDAPv2 with Kerberos v4 or LDAPv3 with SASL (Simple Authentication and Security Layer)
Block access to LDAP ports from the Internet on the firewall

DNS security
Threats to DNS include:
  – Querying DNS servers – anyone can submit queries and gather information
  – Performing zone transfers – an attacker can request a zone transfer and use the information to map the network
  – Zone update spoofing – an attacker can spoof the address of the primary DNS server and send incorrect updates to the secondary DNS server
  – DNS spoofing – an attacker can set up a DNS server that provides incorrect information to clients
  – Dynamic DNS record spoofing – DDNS allows clients to update DNS records with their names and IPs; an attacker can use DDNS to overwrite or corrupt records
  – DNS cache poisoning – attackers insert incorrect information into the cache of DNS servers, which then return the wrong information

DNS security
Use a split DNS design
  – Separate your publicly accessible DNS servers and the internal DNS servers
Restrict information in DNS
  – Limit the amount of additional information – use a purpose-built address for SOA records
Limit zone transfers
  – Allow zone transfers only from specific secondary servers
Configure secure zone transfers
  – BIND9 allows for zone transfer signing
Use secure dynamic updates
  – Authenticate the identity of the computer attempting a zone transfer
Use secure DNS
  – Clients can be sure they are using the correct DNS server
Prevent cache poisoning
  – Ensure the latest updates are applied
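An added detection example, not from the original slides, for the "limit zone transfers" advice above: it scans query-log lines and reports every AXFR/IXFR request that did not come from one of the configured secondary servers, which is what an attacker mapping the network would produce. The log lines only approximate BIND's query-log format and, like the allowed secondary addresses, are constructed.

```python
import ipaddress
import re

# Secondaries permitted to pull the zone (constructed addresses)
ALLOWED_SECONDARIES = {"192.0.2.53", "198.51.100.53"}

# Constructed log lines approximating BIND's query-log format; not real logs
SAMPLE_LOG = """\
client 192.0.2.53#40211 (example.test): query: example.test IN AXFR -E(0)K (192.0.2.1)
client 203.0.113.7#51844 (example.test): query: example.test IN AXFR -E(0)K (192.0.2.1)
client 203.0.113.7#51845 (example.test): query: www.example.test IN A +E(0)K (192.0.2.1)
client 198.51.100.53#33021 (example.test): query: example.test IN IXFR -E(0)K (192.0.2.1)
client 10.9.8.7#4123 (example.test): query: example.test IN IXFR -E(0)K (192.0.2.1)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): query: "
    r"(?P<name>\S+) IN (?P<type>[A-Z]+)"
)

# Both full (AXFR) and incremental (IXFR) transfers hand out zone contents
TRANSFER_TYPES = {"AXFR", "IXFR"}


def unauthorised_transfer_requests(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (ip, zone, qtype) for every zone-transfer request whose source
    is not one of the configured secondary servers."""
    allowed_addrs = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["type"] not in TRANSFER_TYPES:
            continue  # ordinary lookups (A, MX, ...) are not transfers
        source = ipaddress.ip_address(m["ip"])
        if source not in allowed_addrs:
            findings.append((str(source), m["zone"], m["type"]))
    return findings
```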

DHCP security
Threats:
  – Rogue DHCP server – an attacker uses an unauthorised or rogue DHCP server to allocate addresses – disruption and direction to incorrect destinations
  – Gathering information about the network
  – Most threats come from inside the network
DHCP security:
  – Scan for rogue DHCP servers
  – Configure static IP addresses for critical computers
  – Restrict address leases by MAC address – a lot of work
  – Block DHCP broadcasts from other segments

Lesson summary
Learned about the security issues and practices for common network applications and protocols, including web servers, web browsers, FTP, NNTP, file sharing, databases, directory services, DNS and DHCP.