Symmetric Encryption
The Idea:
- A cryptographic system that uses ONLY ONE key.
- When John wants to send a secure message to Jane, he uses the key to encrypt the message. Jane then uses the same key to decrypt it.

Important:
- Both sender and recipient must have the same key.

Problem:
- How do you send the key to someone without it being intercepted?
- Not as good as asymmetric (public-key) encryption in this respect.

Possible Solutions
- Software-based
- Hardware-based
- Freeware versus commercial products
- Use of security protocols
- Use of security-oriented system administration tools

Web-Based System Security Strategies

Firewalls
"A mechanism used to prevent unauthorized entry into a company's internal network" -- from e-Commerce Applications Using Oracle 8i and ...
"A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria." -- from www.webopedia.com
- May be SW or a SW/HW combination.
- May have the firewall installed on its own server (separate physical device).
- One of the best ways to restrict network-to-network access.
- Typically will not protect against hacking or security violations coming from the local network, meaning from within the confines of the firewall. Where you place your firewall in your system architecture can be important!!
- SEE FIGURE 11.1 of e-Commerce book!!!!
- Restricts capabilities in terms of the techniques one can use to access the protected network facilities (servers, etc.).
  - Many configurations of firewalls will not allow direct socket connections through the firewall.
  - May also restrict use of RMI (which depends on sockets) through the firewall.
- Usually can be configured so that inbound and outbound access is asymmetric.
  - Meaning you may restrict incoming access to only go to port 80 (typically the web server...HTTP access).
  - But you may allow any kind of outbound traffic, so users on the network can do whatever they like.
- Design Warning: when using firewalls as the main security option, be careful that there are no systems internal to your network that do not go through a firewall. Such a system is a potential opening into your network to other devices supposedly protected by a firewall.
- Common techniques:
  - IP filtering = controls access solely by looking at information contained in the IP header of data packets being sent to the server.
  - Circuit-level gateway = applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  - Application proxy = does not look at data packets; instead this kind of firewall sits on a separate server and will actually look at the information being sent to it. Acts as a kind of filter.
    - Can be specific to the application at hand and only allow certain kinds of information/requests to be sent through it on to the back-end.
    Example: IBM and other companies produce a firewall that provides a SQL*Net proxy: when a port is opened for SQL*Net traffic (SQL*Net - Oracle database activities), only SQL*Net traffic is allowed to use this port.
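As an added example (not from these notes), a small packet filter that models the "IP filtering" technique and the asymmetric inbound/outbound policy described above: the rules see only header fields (addresses, protocol, port), never the payload, and traffic that stays inside the private network never reaches the filter at all. The 10.0.0.0/8 range for the internal network and the packet dictionaries are constructed for the example.

```python
# Added example (not from the notes): a tiny packet filter that models the
# "IP filtering" technique and the asymmetric inbound/outbound policy.
# Packets are constructed dicts holding only header fields, because an IP
# filter never inspects the payload.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed address range of the private network


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" (Internet -> internal) or "out"
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # "tcp", "udp" or None for any protocol
    dst_port: Optional[int] = None  # None for any destination port


def direction_of(pkt: dict) -> str:
    """Derive the direction from the addresses alone (header information only)."""
    src_internal = ip_address(pkt["src"]) in INTERNAL_NET
    dst_internal = ip_address(pkt["dst"]) in INTERNAL_NET
    if dst_internal and not src_internal:
        return "in"
    if src_internal and not dst_internal:
        return "out"
    return "local"  # does not cross the firewall (e.g. internal-to-internal)


def filter_packet(pkt: dict, rules: List[Rule]) -> str:
    """Return 'allow' or 'deny'; the first matching rule wins, default deny."""
    d = direction_of(pkt)
    if d == "local":
        return "allow"  # the firewall never sees it, so it cannot block it
    for r in rules:
        if r.direction != d:
            continue
        if r.proto is not None and r.proto != pkt["proto"]:
            continue
        if r.dst_port is not None and r.dst_port != pkt["dst_port"]:
            continue
        return r.action
    return "deny"


# Asymmetric policy from the notes: inbound only to the web server on TCP/80,
# outbound anything.
POLICY = [
    Rule("in", "allow", proto="tcp", dst_port=80),
    Rule("out", "allow"),
]
```

The "local" case is the design warning in code form: an attacker already inside the firewall is subject to none of these rules.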
Terminology: Types of Firewalls

Screening Router
- Routes traffic based on header information.
- Implements IP filtering.

Proxy Gateway
- Can define the types of commands that can legally pass through this kind of firewall on to the back-end.
- Simplest form of Application Proxy Server.

Guard
- This is an integration of both the Screening Router capabilities and the Proxy Gateway capabilities.

SATAN
Security Analysis Tool for Auditing Networks.
- Commonly used SW tool that admins use to monitor the security capabilities of their system.
- Used to identify weaknesses in security on the server.
- In usage concept, like how you use Norton Anti-Virus SW on your own personal machine.

Protocols
SOCKS
- Network protocol that allows hosts on one side of a SOCKS server access to devices on the other side without direct IP accessibility between them.
- A protocol for handling TCP traffic through a proxy server. It can be used with virtually any TCP application, including Web browsers and FTP clients.
- It provides a simple firewall because it checks incoming and outgoing packets and hides the IP addresses of client applications.
- Unlike many firewalls, allows outgoing RMI calls (but not incoming ones, nor callbacks).
- Free: see www.socks.nec.com
- Commercial packages also available, e.g. www.sun.com
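As an added example (not from these notes), the message exchange by which a SOCKS client asks a SOCKS server to relay one TCP connection: the client talks only to the proxy, which is why the destination needs no direct IP reachability from the client. SOCKS version 5 (RFC 1928) is assumed, since the notes do not name a version; the addresses and ports in the comments are constructed.

```python
# Added example (not from the notes): the SOCKS5 (RFC 1928) client/server
# messages for one CONNECT. The client sends a greeting, the server selects an
# authentication method, the client sends the CONNECT request, and the server
# replies with the address/port it bound on the far side.
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
NO_AUTH = 0x00
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS: the client offers its authentication methods."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_selection(data: bytes) -> int:
    """VER | METHOD: the server picks one method (0xFF means none acceptable)."""
    ver, method = struct.unpack("!BB", data[:2])
    if ver != SOCKS_VERSION or method == 0xFF:
        raise ValueError("proxy refused the offered methods")
    return method

def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT command."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad: let the proxy resolve the name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> tuple:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (status, bound addr, port)."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        bound, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bound, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", rest[:2])
    return REPLY_TEXT.get(rep, "unknown error %d" % rep), bound, port
```

A reply code of 2 ("not allowed by ruleset") is where the proxy's own filtering shows up: the server, not the client, decides which destinations may be reached.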
SSL
Secure Sockets Layer. Protocol to set up a secure connection between a server and a client over which any amount of secure data can be sent.
- Data encryption supported (see below).
- SSL works by using a private key to encrypt data that's transferred over the SSL connection.
- Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
- By convention, Web pages that require an SSL connection start with https: instead of http:
- Data integrity checking supported.

Secure HTTP (S-HTTP)
Protocol for transmitting data securely over the World Wide Web.
- Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely.
- Not as prevalent as SSL.

RADIUS
Remote Authentication Dial-In User Service

Proxy Servers
"A server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server."
- Used either to provide filtering (security) or to improve performance (fulfilling requests itself rather than forwarding them....it can do this because for some short period of time it saves the result of a request to the real server, and if the same request is made again it will not bother the real server but simply return the result it has cached).
- Recall, one type of Firewall is the Application Proxy Server (used for security).
HTTP proxy server
In particular, this kind of proxy server controls HTTP access. May do so via port control (called HTTP-to-port tunneling) or via CGI control (called HTTP-to-CGI tunneling). This kind of firewall can allow for RMI access through a firewall.
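As an added example (not from these notes), a proxy that plays both roles described above and under "Proxy Gateway": filtering, where only the listed HTTP commands are allowed through to the back-end, and caching, where a still-fresh result is returned without contacting the real server. The back-end is a constructed stand-in and the clock is injected so the cache expiry can be exercised.

```python
# Added example (not from the notes): a proxy that models the two roles of a
# proxy server, filtering (only allow-listed HTTP commands reach the back-end)
# and performance (a fresh cached result is returned without forwarding).
# The "real server" is a constructed callable; the clock is injected so that
# cache expiry can be driven deterministically.
import time
from typing import Callable, Dict, Tuple

Request = Tuple[str, str]          # (method, path)
Backend = Callable[[Request], str]


class FilteringCachingProxy:
    def __init__(self, backend: Backend, allowed_methods=("GET", "HEAD"),
                 ttl_seconds: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self.backend = backend
        self.allowed = set(allowed_methods)
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache: Dict[Request, Tuple[float, str]] = {}
        self.forwarded = 0  # how many requests actually reached the real server

    def handle(self, method: str, path: str) -> str:
        req = (method.upper(), path)
        # Filtering role: commands outside the allow-list never reach the back-end.
        if req[0] not in self.allowed:
            return "403 Forbidden: %s not permitted through proxy" % req[0]
        # Performance role: serve a fresh cached answer without forwarding.
        cached = self.cache.get(req)
        now = self.clock()
        if cached is not None and now - cached[0] < self.ttl:
            return cached[1]
        response = self.backend(req)
        self.forwarded += 1
        self.cache[req] = (now, response)
        return response


# Constructed stand-in for the real server behind the proxy.
def demo_backend(req: Request) -> str:
    return "200 OK: %s %s served by real server" % req
```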
Data Encryption
The concept is to encode the data before transmission and decode it for processing at the receiving end. Encoding is the process of translating one set of symbols to another set. This results in the data often not being understandable and hence secure. Decoding is the inverse process.

Digital Certificates
- Concept here is that a trusted third party acts as a certifying agency...saying this person is who they claim to be.
- Uses encryption technology to send an encrypted key that can be used, via access to the certifier's server, to verify that the user (sender/requester of data) is who they claim to be.
- You purchase a certificate. There are different kinds of certificate...identifying data, an organization, an individual.
- A certificate contains information about the certificate owner, the certifier (certifying authority), the public key of the certificate owner, the validity date, and the serial number of the certificate.
- Verisign Corporation is a leader in providing this service; they are a "certifier".

Authentication Servers
- Commonly based on password access or some other form of identify/verify approach.
- More advanced: can implement even physical or bio-physical input (e.g. fingerprint analysis, voice recognition, etc).

Application Specific Security Products
- Example: Oracle's Advanced Security Option (ASO) protects data and communication to and from the Oracle Database via support of data encryption, authentication, SSL support, RADIUS support, etc. See www.oracle.com for more details.

Server System Restrictions
Depending on the operating system of the server, there are other O.S.-specific options to restrict access to the server. These are different from the above in that they were designed not with the Internet in mind but rather with regard to restricting access to a particular machine (not a network or set of devices). They tend to be simplistic, but often there are free solutions. Here are examples:
- HTAccess (originally designed for UNIX machines)
- Account Access (password required)

No External (Internet, etc) Network Access
- For the most sensitive data, you may not even allow ANY kind of direct access to it (even through a firewall) from external networks.