Bài giảng Security+ Guide to Network Security Fundamentals - Chapter 6: Web Security

Chapter 6: Web Security Security+ Guide to Network Security Fundamentals Second Edition Objectives • Protect e-mail systems • List World Wide Web vulnerabilities • Secure Web communications • Secure instant messaging Protecting E-Mail Systems • E-mail has replaced the fax machine as the primary communication tool for businesses • Has also become a prime target of attackers and must be protected How E-Mail Works • Use two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages – Simple Mail Transfer Protocol (SMTP) handles outgoing mail – Post Office Protocol (POP3 for the current version) handles incoming mail • The SMTP server on most machines uses sendmail to do the actual sending; this queue is called the sendmail queue How E-Mail Works (continued) How E-Mail Works (continued) • Sendmail tries to resend queued messages periodically (about every 15 minutes) • Downloaded messages are erased from POP3 server • Deleting retrieved messages from the mail server and storing them on a local computer make it difficult to manage messages from multiple computers • Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems – E-mail remains on the e-mail server How E-Mail Works (continued) • E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures) • Non-text documents must be converted into text format before being transmitted • Three bytes from the binary file are extracted and converted to four text characters E-Mail Vulnerabilities • Several e-mail vulnerabilities can be exploited by attackers: – Malware – Spam – Hoaxes Malware • Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware • E-mail is the malware transport mechanism of choice for two reasons: – Because almost all Internet users have e-mail, it has the broadest base for attacks – Malware can use e-mail to propagate itself Malware (continued) • A worm can enter a user’s computer through an e- mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages • E-mail clients can be particularly susceptible to macro viruses – A macro is a script that records the steps a user performs – A macro virus uses macros to carry out malicious functions Malware (continued) • Users must be educated about how malware can enter a system through e-mail and proper policies must be enacted to reduce risk of infection – E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif • Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail • Procedures including turning off ports and eliminating open mail relay servers must be developed and enforced Spam • The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge • The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003 Spam (continued) • According to a Pew memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam • Spam is having a negative impact on e-mail users: – 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail – 52% of users indicate spam has made them less trusting of e-mail in general – 70% of users say spam has made being online unpleasant or annoying Spam (continued) • Filter e-mails at the edge of the network to prevent spam from entering the SMTP server • Use a backlist of spammers to block any e-mail that originates from their e-mail addresses • Sophisticated e-mail filters can use Bayesian filtering – User divides e-mail messages received into two piles, spam and not-spam Hoaxes • E-mail messages that contain false warnings or fraudulent offerings • Unlike spam, are almost impossible to filter • Defense against hoaxes is to ignore them Hoaxes (continued) • Any e-mail message that appears as though it could not be true probably is not • E-mail phishing is also a growing practice • A message that falsely identifies the sender as someone else is sent to unsuspecting recipients E-Mail Encryption • Two technologies used to protect e-mail messages as they are being transported: – Secure/Multipurpose Internet Mail Extensions – Pretty Good Privacy Secure/Multipurpose Internet Mail Extensions (S/MIME) • Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages • Provides these features: – Digital signatures – Interoperability – Message privacy – Seamless integration – Tamper detection Pretty Good Privacy (PGP) • Functions much like S/MIME by encrypting messages using digital signatures • A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents • First compresses the message – Reduces patterns and enhances resistance to cryptanalysis • Creates a session key (a one-time-only secret key) – This key is a number generated from random movements of the mouse and keystrokes typed Pretty Good Privacy (PGP) (continued) • Uses a passphrase to encrypt the private key on the local computer • Passphrase: – A longer and more secure version of a password – Typically composed of multiple words – More secure against dictionary attacks Pretty Good Privacy (PGP) (continued) Examining World Wide Web Vulnerabilities • Buffer overflow attacks are common ways to gain unauthorized access to Web servers • SMTP relay attacks allow spammers to send thousands of e-mail messages to users • Web programming tools provide another foothold for Web attacks • Dynamic content can also be used by attackers – Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended) JavaScript • Popular technology used to make dynamic content • When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer • The Web browser then executes that code within the browser using the Virtual Machine (VM)―a Java interpreter JavaScript (continued) • Several defense mechanisms prevent JavaScript programs from causing serious harm: – JavaScript does not support certain capabilities – JavaScript has no networking capabilities • Other security concerns remain: – JavaScript programs can capture and send user information without the user’s knowledge or authorization – JavaScript security is handled by restrictions within the Web browser JavaScript (continued) Java Applet • A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code • Can also be made into hostile programs • Sandbox is a defense against a hostile Java applet – Surrounds program and keeps it away from private data and other resources on a local computer • Java applet programs should run within a sandbox Java Applet (continued) Java Applet (continued) • Two types of Java applets: – Unsigned Java applet: program that does not come from a trusted source – Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered • The primary defense against Java applets is using the appropriate settings of the Web browser Java Applet (continued) ActiveX • Set of technologies developed by Microsoft • Outgrowth of two other Microsoft technologies: – Object Linking and Embedding (OLE) – Component Object Model (COM) • Not a programming language but a set of rules for how applications should share information ActiveX (continued) • ActiveX controls represent a specific way of implementing ActiveX – Can perform many of the same functions of a Java applet, but do not run in a sandbox – Have full access to Windows operating system • ActiveX controls are managed through Internet Explorer • ActiveX controls should be set to most restricted levels ActiveX (continued) Cookies • Computer files that contains user-specific information • Need for cookies is based on Hypertext Transfer Protocol (HTTP) • Instead of the Web server asking the user for this information each time they visits that site, the Web server stores that information in a file on the local computer • Attackers often target cookies because they can contain sensitive information (usernames and other private information) Cookies (continued) • Can be used to determine which Web sites you view • First-party cookie is created from the Web site you are currently viewing • Some Web sites attempt to access cookies they did not create – If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive – Now known as a third-party cookie because it was not created by Web site that attempts to access the cookie Common Gateway Interface (CGI) • Set of rules that describes how a Web server communicates with other software on the server and vice versa • Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database Common Gateway Interface (CGI) (continued) • CGI scripts create security risks – Do not filter user input properly – Can issue commands via Web URLs • CGI security can be enhanced by: – Properly configuring CGI – Disabling unnecessary CGI scripts or programs – Checking program code that uses CGI for any vulnerabilities 8.3 Naming Conventions • Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc) • Called the 8.3 naming convention • Recent versions of Windows allow filenames to contain up to 256 characters • To maintain backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename 8.3 Naming Conventions (continued) • The 8.3 naming convention introduces a security vulnerability with some Web servers – Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename • Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database – In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories Securing Web Communications • Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol • One implementation is the Hypertext Transport Protocol over Secure Sockets Layer Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) • SSL protocol developed by Netscape to securely transmit documents over the Internet – Uses private key to encrypt data transferred over the SSL connection – Version 2.0 is most widely supported version – Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) (continued) • TLS protocol guarantees privacy and data integrity between applications communicating over the Internet – An extension of SSL; they are often referred to as SSL/TLS • SSL/TLS protocol is made up of two layers Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) (continued) • TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted • FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture – Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems Secure Hypertext Transport Protocol (HTTPS) • One common use of SSL is to secure Web HTTP communication between a browser and a Web server – This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL • Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it • Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent security, HTTPS is designed to transmit individual messages securely Securing Instant Messaging • Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account • Instant messaging (IM) is a complement to e-mail that overcomes these – Allows sender to enter short messages that the recipient sees and can respond to immediately Securing Instant Messaging (continued) • Some tasks that you can perform with IM: – Chat – Images – Sounds – Files – Talk – Streaming content Securing Instant Messaging (continued) • Steps to secure IM include: – Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers – Enable IM virus scanning – Block all IM file transfers – Encrypt messages Summary • Protecting basic communication systems is a key to resisting attacks • E-mail attacks can be malware, spam, or hoaxes • Web vulnerabilities can open systems up to a variety of attacks • A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code Summary (continued) • ActiveX controls present serious security concerns because of the functions that a control can execute • A cookie is a computer file that contains user-specific information • CGI is a set of rules that describe how a Web server communicates with other software on the server • The popularity of IM has made this a tool that many organizations are now using with e-mail