CS 4720 Security CS 4720 – Web & Mobile Systems. CS 4720 The Traditional Security Model The Firewall Approach “Keep the good guys in and the bad guys.


1 Security
CS 4720 – Web & Mobile Systems

2 The Traditional Security Model
The Firewall Approach
“Keep the good guys in and the bad guys out”

3 Distributed System Security
“Islands of Security”

4 A Paradigm Shift without a Clutch
These models were just fine when corporations had their own networks
If you needed in, you used a VPN
Now the open Internet is used as the main network
How does this change the security model?
Consider this: how do you access a web service?

5 A Paradigm Shift without a Clutch
Firewall security happens at the network layer
But now we need access on a per-application basis
How can we achieve that?

6 A Paradigm Shift without a Clutch
Web services are designed to penetrate firewalls, since they use port 80
Application-level security is needed to examine:
– Who is making a request
– What info is being accessed
– What service is being addressed
IP-based security is still needed though!

7 Application Security 101
What are some basic things you do to protect your system at the application level?
Catch exceptions and don’t show detailed error messages
Hide interfaces
“Don’t trust your users”
Encryption

8 Application Security 101
Well… shoot.
Web services:
– Have publicly announced interfaces!
– Must return detailed exceptions to debug systems!
– At some level, must trust users!
We need security that is basically XML-aware

9 System Security
Human: social engineering attacks
Physical: “steal the server itself”
Network: treat your server like a 2 year old
Operating System: the war continues
Application: just discussed
Database: protecting the data

10 XML-Aware Security
Must be able to inspect content of network traffic
Must be able to make authorization decisions
Must be able to make authentication decisions
Must be able to verify XML as valid for this transaction
Must also deal with confidentiality and privacy concerns (encryption, message integrity, audit)

11 Web Service Security Concerns
Unauthorized Access: people view info that they shouldn’t from a message
Unauthorized Alteration: an attacker modifies part of a message
Man-in-the-Middle: an attacker sits in-between two parties and views messages (or alters them) as they pass by
Denial-of-Service: flood the service with so many messages that it can’t keep up

12 Network Level Security
Let’s start with the basic stuff
Firewalls
– IP Packet Filtering
   Static Filtering: follow the rules and toss whatever you see
   Stateful Filtering: allow for dynamically changed rules as requests go out from inside the firewall
– Packet filtering only works on IP address… not on the people using the IP address
– Further, no idea what the payload is
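
The static and stateful filtering on slide 12, as an added Go sketch that is not part of the original slides; the `Packet` and `Filter` types, the addresses and the ports are constructed for illustration. It shows the dynamic rule created by an outbound request, and that the verdict on an inbound packet never depends on its payload.

```go
package main

import "fmt"

// Packet holds what an IP packet filter looks at, plus a payload it never reads.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Payload          string
}

// Filter combines static rules with a table of flows opened from the inside.
type Filter struct {
	open  map[int]bool    // static rule: inbound destination ports always allowed
	flows map[string]bool // stateful part: replies expected for outbound requests
}

func NewFilter(ports ...int) *Filter {
	f := &Filter{open: map[int]bool{}, flows: map[string]bool{}}
	for _, p := range ports {
		f.open[p] = true
	}
	return f
}

func flowKey(ip string, port int, peerIP string, peerPort int) string {
	return fmt.Sprintf("%s:%d>%s:%d", ip, port, peerIP, peerPort)
}

// Outbound records the flow so that the matching reply is let back in.
func (f *Filter) Outbound(p Packet) {
	f.flows[flowKey(p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)] = true
}

// Inbound decides on addresses and ports alone; p.Payload is never inspected.
func (f *Filter) Inbound(p Packet) bool {
	return f.open[p.DstPort] || f.flows[flowKey(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)]
}

func main() {
	f := NewFilter(80) // constructed rule set: only port 80 is open from outside
	reply := Packet{"198.51.100.7", "10.0.0.5", 443, 51000, "reply"}
	fmt.Println("unsolicited reply allowed:", f.Inbound(reply))
	f.Outbound(Packet{"10.0.0.5", "198.51.100.7", 51000, 443, "request"})
	fmt.Println("reply after request allowed:", f.Inbound(reply))
	fmt.Println("port 80, any payload:", f.Inbound(Packet{"203.0.113.9", "10.0.0.2", 40000, 80, "not XML"}))
}
```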

13 Network to Application
Application-specific proxy servers
– A connection comes in to the proxy
– It verifies the user and payload
– Then creates a connection to the application server
Disadvantages?

14 Encryption
Without going too deep into this…
There are three basic “types” of encryption methodologies that we use on the Internet:
– Symmetric
– Asymmetric
– Digital Signature / Certificate
Encryption can address: authentication, confidentiality, and integrity of a message

15 Application Level Security
Refers to security safeguards that are built into a particular application and operate independently from the network level security
Authentication
Authorization
Integrity / Confidentiality
Non-repudiation / Auditing

16 Authentication
Verifying that the requester is the requester…
… and that the service is the service
This requires a mechanism of “proof of identity”
What are some ways to accomplish this?
Username / password
Signed Certificates
Kerberos

17 Kerberos
A third party system for authentication and encryption
What was Kerberos?

18 A little closer to home
Netbadge (or more accurately, PubCookie)
http://www.pubcookie.org/docs/how-pubcookie-works.html

19 Authorization
Now that we know who you are, what are you allowed to do?
Permissions
Role-based security
How does this work in a database system?
How about an operating system?

20 Integrity / Confidentiality
What happens if a message is:
– Captured and reused?
– Captured and modified?
– Monitored as it passes by in a passive manner?
How do we verify a message hasn’t been tampered with?
– Digital signature
How do we verify it hasn’t been viewed?
– Encryption

21 Non-repudiation / Auditing
When we’re charging to use a web service, how do we prove you used the service so we can charge you?
How do we track your activities?
Digitally signed logs, effectively
Also saves the certificate used to perform the transaction (like a signature on a receipt)

22 XML Trust Services
XML Signatures
XML Encryption
XML Key Management and Single Sign-On
Basically the same stuff we just talked about, but now in glorious XML!

23 Let’s build a secure system!
Get with your team
You have been tasked by Hortfield Incorporated to build a secure web service system that, for a price, will return to you the answers for the next test in a given class
Users, of course, have to pay for this service
And it has to be totally secure to keep the honor council away
What do you do?

24 So… seriously, what should we do?
When you are asked to build a secure web system, start with the six layers of security
– Database
– OS
– Network
– Application
– Physical
– Human
And then go one by one…

25 In case of a corporate environment…
You might think that if you’re a new programmer in a corporate environment, a lot of this is not going to be decided by you
You’re going to be following a predetermined system spec
However, some of you won’t be programmers
Many of you will be system architects and system designers and the programmers will be asking YOU what to do!

26 From Before
We talked about a need for:
– Authentication
– Authorization
– Integrity / Confidentiality
– Non-repudiation / Auditing
How do we achieve these with web services?

27 What did this cover?
Authentication:
– Certificate authority can vouch for sender
– Username and Password are part of WS-Security
– Public/Private key pair
Integrity/Confidentiality:
– Signatures
– Encryption
– All the good stuff

28 Authorization?
Doesn’t take place at this “transfer” level
More with user groups in the application
Database users
File system permissions
Have a good role-based security policy
– People only have access to just enough info and nothing more
– Nothing runs as root
– Privileges are given out in a very specific fashion

29 Non-repudiation?
Either done through text logs or a DB table with transactions
– Probably a DB table would be better
Record the signature and important activities that the user performed
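
An added Go example, not from the original slides, tying together slides 20, 21 and 29: the service verifies a digital signature to catch modified messages, tracks nonces to catch reused ones, and stores each accepted request with its signature so the record can be re-verified later. The `Request` format, the nonce scheme, the raw public keys standing in for certificates and the in-memory slice standing in for the DB table are all assumptions; Ed25519 is used because it is in Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Request struct { // constructed message format; Sig covers the other three fields
	User, Nonce, Body string
	Sig               []byte
}

type Service struct {
	keys  map[string]ed25519.PublicKey // registered users, standing in for certificates
	seen  map[[2]string]bool           // (user, nonce) pairs already accepted
	Audit []Request                    // stands in for the DB table; rows keep the signature
}

// signedBytes quotes each field so bytes cannot be shifted from one field to the next.
func signedBytes(r Request) []byte { return []byte(fmt.Sprintf("%q%q%q", r.User, r.Nonce, r.Body)) }

func (s *Service) Handle(r Request) string { // rejects modified and reused messages
	key, ok := s.keys[r.User]
	if !ok || !ed25519.Verify(key, signedBytes(r), r.Sig) {
		return "rejected: bad signature"
	}
	if s.seen[[2]string{r.User, r.Nonce}] {
		return "rejected: replay" // a valid signature alone does not stop reuse
	}
	s.seen[[2]string{r.User, r.Nonce}] = true
	s.Audit = append(s.Audit, r)
	return "accepted"
}

func (s *Service) BadRows() (n int) { // counts audit rows whose signature no longer verifies
	for _, r := range s.Audit {
		if !ed25519.Verify(s.keys[r.User], signedBytes(r), r.Sig) {
			n++
		}
	}
	return n
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	s := &Service{keys: map[string]ed25519.PublicKey{"alice": pub}, seen: map[[2]string]bool{}}
	r := Request{User: "alice", Nonce: "n-1", Body: "<order id=\"7\"/>"}
	r.Sig = ed25519.Sign(priv, signedBytes(r))
	fmt.Println(s.Handle(r), "|", s.Handle(r), "| bad audit rows:", s.BadRows())
}
```

Because only the client holds the private key, a row that still verifies is evidence the client sent that request, which a shared-secret MAC could not provide.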

30 Ugh, I have to figure all this out?
If you are building your own service based on JSON/XML and you want to secure it… yup
But if you’re doing SOAP, there’s an agreed-upon standard
WS-Security
– Provides rules for how to handle all security for SOAP web services
– Provides schema for the XML to make all this work

