Web Security. Outline

Similar documents
Page 1. Review: Firewalls. Goals for Today. Polls. Web Servers. Web Servers. CS (CS 161) Computer Security. Lecture 12

CyberP3i Course Module Series

COMPUTER NETWORK SECURITY

Chapter 7. Denial of Service Attacks

Computer Security and Privacy

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CS 356 Operating System Security. Fall 2013

CTS2134 Introduction to Networking. Module 08: Network Security

(CNS-301) Citrix NetScaler 11 Advance Implementation

CogniFit Technical Security Details

Computer Security: Principles and Practice

Chapter 4. Network Security. Part I

INNOV-09 How to Keep Hackers Out of your Web Application

CSE 565 Computer Security Fall 2018


Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CoreMax Consulting s Cyber Security Roadmap

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Chapter 9. Firewalls

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

How to perform the DDoS Testing of Web Applications

COMPUTER NETWORK SECURITY

Distributed Denial of Service

HikCentral V1.3 for Windows Hardening Guide

HikCentral V.1.1.x for Windows Hardening Guide

CS System Security 2nd-Half Semester Review

Denial of Service (DoS)

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

Hacking Terminology. Mark R. Adams, CISSP KPMG LLP

Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Unit 4: Firewalls (I)

Gladiator Incident Alert

ANATOMY OF AN ATTACK!

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

How were the Credit Card Numbers Published on the Web? February 19, 2004

Securing a Web Site. Erik Evans March 2006

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Introduction. The Safe-T Solution

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Practical Assessment 0523

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

SAP NetWeaver 04 Security Guide. Network and Communication Security

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Using DNS Service for Amplification Attack

Security+ SY0-501 Study Guide Table of Contents

The Protocols that run the Internet

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

5. Execute the attack and obtain unauthorized access to the system.

What is Distributed Denial of Service (DDoS)?

CISNTWK-440. Chapter 5 Network Defenses

Citrix NetScaler Basic and Advanced Administration Bootcamp

MCSA Windows Server 2012

Why Firewalls? Firewall Characteristics

Configuring Vulnerability Assessment Devices

CompTIA Network+ Study Guide Table of Contents

Herding Cats. Carl Brothers, F5 Field Systems Engineer

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ]

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

ASA/PIX Security Appliance

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

MCSA Windows Server 2012

Ethical Hacking and Prevention

A (sample) computerized system for publishing the daily currency exchange rates

CompTIA Security+ E2C (2011 Edition) Exam.

C and C++ Secure Coding 4-day course. Syllabus

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

Chapter 10: Denial-of-Services

Advanced Techniques for DDoS Mitigation and Web Application Defense

CSC Network Security

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

System Structure. Steven M. Bellovin December 14,

PROTECTING INFORMATION ASSETS NETWORK SECURITY

A policy that the user agrees to follow before being allowed to access a network.

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Field Agents* Secure Deployment Guide

PRACTICAL NETWORK DEFENSE VERSION 1

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

HUAWEI Enterprise Solution White Paper

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Deploying and Configuring VMware Unified Access Gateway. 04 DEC 2018 Unified Access Gateway 3.4

Transcription:

Security CS 161/194-1 Anthony D. Joseph November 21, 2005 s Outline Static and Dynamic Content Firewall review Adding a DMZ Secure Topologies 2 1

Polls How many people have set up a personal web server? How many people have set up a business web server? 3 s server serves up static, read-only content from file server Scales up by replicating web servers Can use DNS round-robin or load balancer 4 2

s DB Add a database server for dynamic content DB used to store per-user info or site content Also, used for authentication, read/write actions, e-commerce, Software connector to DB server Object/Java DataBase Connectivity 5 s Static content model: server uses file server for static content, templates, Dynamic content model: server uses database server to retrieve/store dynamic content Can have mixtures Ex: Storing dynamic content in FS Ex: Storing static content in DB What are the security issues? 6 3

Some Threats and Attacks Replace static content ( defacement ) Exploit vulnerability to access or servers (Distributed) Denial of Service attack Request large image or emulate complex transaction Unauthorized database access Exploit vulnerability (e.g., SQL injection) to read/write database Attack server OS or other services Exploit vulnerability to disable server 7 Replace Static Content ( Defacement ) Cracker exploits a vulnerability to gain access to or s Examples: Flaws in CGI programs Flaws in URL processing Buffer overflows Replaces web pages with their own May also access protected content 8 4

(Distributed) Denial of Service Attack Cracker performs resource exhaustion attack Overwhelm network, CPU, disk bandwidth, Examples Request large image or file POST large image or file (requires many zombies) Emulate complex transaction Typically use large number of zombies (1,000 s to 100,000 s) 9 Unauthorized Database Access Cracker exploits vulnerability in server to DB server connection to read/write database Example: Use URL or POST attack to inject SQL code Gain access to server, then connect to DB Attacks can compromise DB integrity 10 5

Attack OS or Other Services Cracker exploits vulnerability to gain access to server Many OS and service vulnerabilities Can be a stepping stone to attacking web service or accessing database 11 Stopping Some Attacks Replace static content ( defacement ) Harden server (latest patch levels, minimum services) Limit data on file server (Distributed) Denial of Service attack Add load balancer, DNS round-robin, replicated clusters, Unauthorized database access Harden server (latest patch levels, minimum services) Sanity check all arguments Attack server OS or other services Harden servers (latest patch levels, minimum services) 12 6

Problems Hard to keep servers up-to-date with patches Zero-day exploits Delays in releasing, retrieving, testing, installing patches DDoS attacks still impose load on servers Add layered defense Place firewall between and server 13 Firewall Default firewall rule: deny all Other firewall rules: allow *,*,TCP -> <web server IP>,80 allow *,*,TCP -> <web server IP>,443 Add stateful inspection rules for known attacks: Code Red, Nimda, 14 7

FW Benefits Intranet VPN Helps harden servers by blocking all but web traffic Can help with DDoS attacks by adding stateful rules (examining content) or blocking zombie IP subnets Doesn t work for all content attacks Problems? How to access Intranet (Internal LAN) and e-mail server? 15 We can add more rules Firewall Issues For access to Intranet, E-mail server, and other public servers But, what happens if one server or Intranet machine is compromised? This is the classic firewall problem: All our machines are now vulnerable! Real issue: We need to both protect public servers and Intranet Solution: Place public servers in a DMZ 16 8

DeMilitarized Zone (DMZ) Intranet DMZ Separate firewall rules for internal zone and DMZ -DMZ rules only allow web, e-mail traffic DMZ-Intranet rules only allow access to file, e-mail, remote login from DMZ No -Intranet access Should e-mail server be in intranet or DMZ? Add proxy to isolate e-mail access/storage from e-mail forwarding VPN Proxy 17 Designing a More Secure Topology Staging DB Design a more secure version of this figure Where to place firewall, DMZ, servers, proxies,? What are the rules? Intranet Login Primary DB VPN 18 9

Design 19 One Solution DMZ Staging DB -DMZ rules allow web, e-mail, VPN only DMZ-Intranet rules allow file, e-mail, staging DB, remote login access only from DMZ hosts -Intranet rules deny all VPN Proxy Intranet Staging DB Login Primary DB 20 10

Summary Public servers are vulnerable to attack OS and services Eliminate unnecessary services Apply all patches Use a DMZ to provide layered defense Place server/proxy in DMZ Place database/file/ real servers in Intranet Deny all default for -Intranet traffic 21 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback