Lecture slides: Security+ Guide to Network Security Fundamentals - Chapter 6: Web Security

Summary
• Protecting basic communication systems is a key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a variety of attacks
• A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code

PDF, 48 pages | Shared by: vutrong32 | Views: 1067 | Downloads: 0
Chapter 6: Web Security
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging

Protecting E-Mail Systems
• E-mail has replaced the fax machine as the primary communication tool for businesses
• It has also become a prime target of attackers and must be protected

How E-Mail Works
• Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
  – Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  – Post Office Protocol (POP3 for the current version) handles incoming mail
• The SMTP server on most machines uses sendmail to do the actual sending; the queue of messages waiting to be sent is called the sendmail queue

How E-Mail Works (continued) [figure slide]

How E-Mail Works (continued)
• Sendmail tries to resend queued messages periodically (about every 15 minutes)
• Downloaded messages are erased from the POP3 server
• Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
• Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many of these problems
  – E-mail remains on the e-mail server

How E-Mail Works (continued)
• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
• Non-text documents must be converted into text format before being transmitted
• Three bytes from the binary file are extracted and converted to four text characters

E-Mail Vulnerabilities
• Several e-mail vulnerabilities can be exploited by attackers:
  – Malware
  – Spam
  – Hoaxes

Malware
• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice for two reasons:
  – Because almost all Internet users have e-mail, it has the broadest base for attacks
  – Malware can use e-mail to propagate itself
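The "three bytes become four text characters" conversion described in the How E-Mail Works slides is Base64, the MIME transfer encoding used for attachments. The following is an added example, not from the textbook, that implements that conversion by hand (including the "=" padding for a final group shorter than three bytes) and cross-checks it against Python's standard base64 module:

```python
import base64

# The 64-character text alphabet used by MIME's Base64 transfer encoding
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def encode_attachment(data: bytes) -> str:
    """Turn binary attachment bytes into text: each 3-byte group becomes 4 characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                       # 1 or 2 only for the final short group
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # Characters that would encode only padding bytes are replaced by '='
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)

def decode_attachment(text: str) -> bytes:
    """Reverse the conversion: 4 text characters back to the original 3 bytes."""
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        bits = 0
        for ch in group.rstrip("="):
            bits = (bits << 6) | ALPHABET.index(ch)
        bits <<= 6 * pad                           # restore the bits dropped with the '='
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written encoder against Python's base64 module."""
    return encode_attachment(data) == base64.b64encode(data).decode("ascii")
```

The 4:3 size ratio is why an attachment grows by about a third when it is mailed.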
Malware (continued)
• A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in the address book, or attach itself as a reply to all unread e-mail messages
• E-mail clients can be particularly susceptible to macro viruses
  – A macro is a script that records the steps a user performs
  – A macro virus uses macros to carry out malicious functions

Malware (continued)
• Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
  – E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
• Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
• Procedures, including turning off ports and eliminating open mail relay servers, must be developed and enforced

Spam
• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)
• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail users:
  – 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
  – 52% of users indicate spam has made them less trusting of e-mail in general
  – 70% of users say spam has made being online unpleasant or annoying

Spam (continued)
• Filter e-mail at the edge of the network to prevent spam from entering the SMTP server
• Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian filtering
  – The user divides e-mail messages received into two piles, spam and not-spam

Hoaxes
• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, hoaxes are almost impossible to filter
• The defense against hoaxes is to ignore them

Hoaxes (continued)
• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice
  – A message that falsely identifies the sender as someone else is sent to unsuspecting recipients

E-Mail Encryption
• Two technologies are used to protect e-mail messages as they are being transported:
  – Secure/Multipurpose Internet Mail Extensions
  – Pretty Good Privacy

Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
• Provides these features:
  – Digital signatures
  – Interoperability
  – Message privacy
  – Seamless integration
  – Tamper detection

Pretty Good Privacy (PGP)
• Functions much like S/MIME, encrypting messages and applying digital signatures
• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
• PGP first compresses the message
  – Reduces patterns and enhances resistance to cryptanalysis
• Creates a session key (a one-time-only secret key)
  – This key is a number generated from random movements of the mouse and keystrokes typed

Pretty Good Privacy (PGP) (continued)
• Uses a passphrase to encrypt the private key on the local computer
• Passphrase:
  – A longer and more secure version of a password
  – Typically composed of multiple words
  – More secure against dictionary attacks

Pretty Good Privacy (PGP) (continued) [figure slide]

Examining World Wide Web Vulnerabilities
• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• SMTP relay attacks allow spammers to send thousands of e-mail messages to users
• Web programming tools provide another foothold for Web attacks
• Dynamic content can also be used by attackers
  – Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)

JavaScript
• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer
• The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter

JavaScript (continued)
• Several defense mechanisms prevent JavaScript programs from causing serious harm:
  – JavaScript does not support certain capabilities
  – JavaScript has no networking capabilities
• Other security concerns remain:
  – JavaScript programs can capture and send user information without the user’s knowledge or authorization
  – JavaScript security is handled by restrictions within the Web browser

JavaScript (continued) [figure slide]

Java Applet
• A separate program stored on a Web server and downloaded onto a user’s computer along with the HTML code
• Can also be made into a hostile program
• A sandbox is a defense against a hostile Java applet
  – Surrounds the program and keeps it away from private data and other resources on the local computer
• Java applet programs should run within a sandbox

Java Applet (continued) [figure slide]

Java Applet (continued)
• Two types of Java applets:
  – Unsigned Java applet: program that does not come from a trusted source
  – Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
• The primary defense against Java applets is using the appropriate settings of the Web browser

Java Applet (continued) [figure slide]

ActiveX
• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies:
  – Object Linking and Embedding (OLE)
  – Component Object Model (COM)
• Not a programming language but a set of rules for how applications should share information

ActiveX (continued)
• ActiveX controls represent a specific way of implementing ActiveX
  – Can perform many of the same functions as a Java applet, but do not run in a sandbox
  – Have full access to the Windows operating system
• ActiveX controls are managed through Internet Explorer
• ActiveX controls should be set to the most restricted levels

ActiveX (continued) [figure slide]

Cookies
• Computer files that contain user-specific information
• The need for cookies is based on Hypertext Transfer Protocol (HTTP)
• Instead of the Web server asking the user for this information each time the user visits that site, the Web server stores that information in a file on the local computer
• Attackers often target cookies because they can contain sensitive information (usernames and other private information)

Cookies (continued)
• Can be used to determine which Web sites you view
• A first-party cookie is created by the Web site you are currently viewing
• Some Web sites attempt to access cookies they did not create
  – If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
  – This is known as a third-party cookie because it was not created by the Web site that attempts to access it

Common Gateway Interface (CGI)
• Set of rules that describes how a Web server communicates with other software on the server and vice versa
• Commonly used to allow a Web server to display information from a database on a Web page, or for a user to enter information through a Web form that is deposited in a database

Common Gateway Interface (CGI) (continued)
• CGI scripts create security risks
  – They do not filter user input properly
  – They can issue commands via Web URLs
• CGI security can be enhanced by:
  – Properly configuring CGI
  – Disabling unnecessary CGI scripts or programs
  – Checking program code that uses CGI for any vulnerabilities

8.3 Naming Conventions
• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames to contain up to 256 characters
• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename

8.3 Naming Conventions (continued)
• The 8.3 naming convention introduces a security vulnerability with some Web servers
  – Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
• The solution is to disable creation of the 8.3 alias by making a change in the Windows registry database
  – In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories

Securing Web Communications
• The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
• One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• SSL protocol developed by Netscape to securely transmit documents over the Internet
  – Uses a private key to encrypt data transferred over the SSL connection
  – Version 2.0 is the most widely supported version
  – Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
• TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
  – An extension of SSL; they are often referred to as SSL/TLS
• SSL/TLS protocol is made up of two layers

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
• TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
• FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
  – Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)
• One common use of SSL is to secure Web HTTP communication between a browser and a Web server
  – This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
• Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
• Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Securing Instant Messaging
• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
• Instant messaging (IM) is a complement to e-mail that overcomes these delays
  – Allows the sender to enter short messages that the recipient sees and can respond to immediately

Securing Instant Messaging (continued)
• Some tasks that you can perform with IM:
  – Chat
  – Images
  – Sounds
  – Files
  – Talk
  – Streaming content

Securing Instant Messaging (continued)
• Steps to secure IM include:
  – Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers
  – Enable IM virus scanning
  – Block all IM file transfers
  – Encrypt messages

Summary
• Protecting basic communication systems is a key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a variety of attacks
• A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code

Summary (continued)
• ActiveX controls present serious security concerns because of the functions that a control can execute
• A cookie is a computer file that contains user-specific information
• CGI is a set of rules that describe how a Web server communicates with other software on the server
• The popularity of IM has made this a tool that many organizations are now using with e-mail
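The Spam slides say only that Bayesian filtering starts from two user-sorted piles. As an added example, not from the textbook, here is a small Bernoulli naive Bayes filter: it learns per-word probabilities from two constructed sample piles (spam and not-spam) with Laplace smoothing, then scores a new message by Bayes' rule. The sample messages and the word-presence model are this example's own choices.

```python
import math
import re
from collections import Counter

def tokenize(text):
    # Presence-based features: each distinct word counts once per message
    return set(re.findall(r"[a-z']+", text.lower()))

class BayesianSpamFilter:
    """Learns from two user-sorted piles (spam / not-spam) and scores new mail."""
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokenize(text))

    def _log_likelihood(self, words, label):
        n_docs = self.doc_counts[label]
        log_p = math.log(n_docs / sum(self.doc_counts.values()))  # class prior
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        for w in vocab:
            # Laplace smoothing: a word never seen in one pile still gets p > 0
            p = (self.word_counts[label][w] + 1) / (n_docs + 2)
            log_p += math.log(p if w in words else 1 - p)
        return log_p

    def spam_probability(self, text):
        words = tokenize(text)
        log_spam = self._log_likelihood(words, "spam")
        log_ham = self._log_likelihood(words, "ham")
        # Bayes' rule in log space: P(spam | words) = 1 / (1 + e^(log_ham - log_spam))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

# Constructed sample piles standing in for mail the user sorted by hand
SPAM_PILE = ["Cheap meds, buy now and save big, click here",
             "You won a free prize, claim your money now",
             "Lowest price pills, buy now, limited offer",
             "Free money, click here to claim your prize"]
HAM_PILE = ["Can we move the project meeting to Thursday morning",
            "Please review the attached budget spreadsheet before Friday",
            "Lunch tomorrow? The new place on Main street",
            "Reminder: the quarterly report is due next week"]

def build_filter():
    f = BayesianSpamFilter()
    for label, pile in (("spam", SPAM_PILE), ("ham", HAM_PILE)):
        for message in pile:
            f.train(message, label)
    return f
```

With such a tiny corpus the scores are extreme; a real deployment keeps training on the user's ongoing sorting decisions.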

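An added example, not from the textbook, of the first-party versus third-party cookie rule from the Cookies slides, using Python's standard cookie jar in place of a browser: a cookie stored while visiting www.a.org is attached to later requests to a.org hosts but never to a request for www.b.org, which is what stops b.org from simply reading the A-ORG cookie. Cookie names, values and hostnames are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

def make_cookie(name, value, domain):
    """Build a version-0 (Netscape-style) cookie as a site at `domain` would set it."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True, secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )

def build_jar():
    """Constructed sample: what the jar holds after visiting a.org (nothing from b.org)."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("A-ORG", "user42", "www.a.org"))  # host-only cookie
    jar.set_cookie(make_cookie("PREFS", "dark", ".a.org"))       # domain-wide cookie
    return jar

def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for `url`, sorted."""
    req = Request(url)
    jar.add_cookie_header(req)          # applies the domain-scoping rule
    header = req.get_header("Cookie")   # None when no cookie matches the host
    if not header:
        return []
    return sorted(item.split("=", 1)[0] for item in header.split("; "))

if __name__ == "__main__":
    jar = build_jar()
    for url in ("http://www.a.org/", "http://shop.a.org/", "http://www.b.org/"):
        print(url, cookies_sent_to(jar, url))
```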
Files attached to this document:

  • pdfchapter6_4304.pdf