Internet / Intranet
CIS-536
Class 5 Web Server Security
Intro Javascript
Practical Internet Security
Analogous to "Real-Life" Security (e.g. a Bank)
Like Software, Security Must Be Well-Designed
Implementing Security Requires Trade-Offs
Ease of Use is Affected
Business Processes are Affected
Business Culture is Affected
Affects Both Users and Employees
Security Design Issues
Know the Threats You are Protecting Against
What are the Probabilities?
What is the Cost if it Happens?
Dollars
Customer/Employee Confidence
Know Your Environment
What are the Customer/User Requirements?
What are the Budget Constraints?
What is the Culture/Attitude of Those Affected?
What is the Probability That Policies Will Be Followed / Enforced?
Security Sermon
Security is Often Mis-Used in Technology Environments
Provides Peace of Mind
Not Necessarily Real Security
Often Avoids the Real Issues
Appeases Management
Common Security Mistakes (Analogies)
Using an Expensive/High Security Safe
But Leaving the Key/Combination Where it Can Be Stolen
Leaving the Safe Unlocked
Little Professional Enforcement/Review of Procedures
Storing a Dime in a Safe
Cost of Security Exceeds Risk of Stolen Dime
High-Tech Solution Instead of Low-Tech Common Sense
E.g. a Convenience Store Buying a Safe vs. Making a Nightly Bank Deposit
Security Tips
Thieves/Hackers Follow Easiest Path
One That Gives Them Most Value
One They Know About
The Environment is Key!
A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be Stolen Last
The Same Mercedes in an Unsecured Garage is Safer Because Fewer Thieves Know About It
Therefore:
Know Other Likely Targets and Be Less Attractive Than They Are
Make Your Site More Difficult to Hack Than its Worth
Don’t Publicize What Doesn’t Need to Be Public
Security Tips (2)
Does Not Guarantee No Hacking
But Reduces the Probability Significantly
Most Security Problems Come From Human Error, Not From Intentional Hacking
Focus on Minimizing Chance of Human Error
Identify Each Risk Separately
Solutions May Vary Widely
Security is Only as Good as Your Expertise
Professional Security Requires a Professional System Administrator
Information That Furthers Other Risks
E.g. Credit Card Information, Museum Floor Plan
Network Disruption
Machine Crashes / Inoperable Serving Software
Protecting Data
Machine Level
Physical Isolation
Physically Isolate Machines From Users
Protect From Theft / Natural Disasters
Protecting Data (2)
Script Level
Who Can Modify Scripts?
Remote Access
Script’s Ability to Access Files / System Resources
Scripts Identified by File Extension or Directory?
File Level
Who Can Download Files?
Who Can Upload Files?
Access Control Techniques
“Passive” Techniques
Don't Publish URLs
Always Have Default Pages - Avoid Directory Browsing
Complex Page/Directory Names
Active Techniques
Change Page/Directory Names Often
Server Filters on IP Address, Domain Name
Requiring a Name / Password
Use Non-Standard Ports
Secure (Encrypted) Transmissions
Firewalls (Proxy Servers)
Isolate LAN From General Internet
All Techniques Have Some Negatives
Passive Techniques, Non-Standard Ports
If a User Guesses Correctly, They Have Full System Access
Requires Publishers to Voluntarily Follow Standards
Best for Non-Critical Security
Security Breach Does Not Disable System
Site Unlikely to Attract Hackers
IP Address / Domain Name Filters
Requires Significant Effort to Administer
Users Can’t Move Around Easily
Serious Hackers Can Defeat via Spoofing
Best For Local Intranet
Site Unlikely to Attract Serious Hackers
Name / Password Security
Requires All Parties to Maintain Secure Passwords
Inconveniences Users
Difficult to Enforce
One Violation Can Compromise Entire Plan
Passed Effectively in Plain Text: Base64-Encoded in the Authorization Header (or Literally, in a user:password@host URL), Not Encrypted
Serious Hackers Can Intercept It
Analogous to Credit Card Receipts in the Trash
Web Servers Allow Unlimited Tries (Stateless) - Nothing Limits Password Guessing Unless You Add It
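To make the "passed in plain text" point concrete, the following added example (not part of the original slides) decodes the Authorization header from a constructed HTTP request, exactly as anyone sniffing the wire would. It assumes Node.js (for `Buffer`); the request text, user name and password are invented for the demonstration. Base64 is a reversible encoding that anyone can undo, so it provides no confidentiality.

```javascript
// Constructed capture of a request that used HTTP Basic authentication.
const capturedRequest = [
  "GET /private/report.html HTTP/1.0",
  "Host: intranet.example",
  "Authorization: Basic YWxpY2U6czNjcjN0",
  "",
  "",
].join("\r\n");

// What the browser does: "user:password" -> Base64. Reversible encoding, not encryption.
function encodeBasic(user, password) {
  return Buffer.from(`${user}:${password}`, "utf8").toString("base64");
}

// What anyone who can read the request does: Base64 -> "user:password".
function basicCredentials(rawRequest) {
  for (const line of rawRequest.split("\r\n")) {
    const m = /^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(line);
    if (!m) continue;
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    const colon = decoded.indexOf(":");      // the password itself may contain ':'
    if (colon < 0) return null;
    return { user: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
  }
  return null;
}

// Stand-alone run: prints the recovered credentials from the captured request.
console.log(basicCredentials(capturedRequest));
```

The only defence is to carry the request inside an encrypted channel (SSL/TLS, covered later in the deck); the header format itself offers nothing.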
Firewall Details
Proxy Server
Gatekeeper Between a LAN and the Internet
Acts on Behalf of LAN Clients: They Connect Only to the Proxy, Never Directly to Outside Hosts
User Requests a URL
Proxy Server Fetches the Page From the Remote Server and Returns It to the Client (Often Caching It for the LAN)
Encryption
Basic Encryption - Privacy / Confidentiality
"Scramble" a Document So a Third Party Can't Read It
What Level of Scrambling is Required?
Not Easily Readable by the Human Eye
Simple Substitution or Encoding, e.g. Base64 (Reversible by Anyone; Encoding, Not Encryption)
Extremely Difficult, But Possible to Crack
E.g. Passwords, "zip" Encryption
"Impossible" to Crack (Computationally Infeasible)
Authentication (Signature)
Can Be Assured That the Document is From the Claimed Sender
Can Be Assured That the Document Was Not Tampered With
Non-Repudiation (Contract)
Sender Cannot Later Deny Having Signed/Sent the Document
Encryption Technologies
Symmetric Key Encryption
Same Key Used for Encrypting / Decrypting
Both Parties Must Share (and Protect) the Same Key
Analogy: Standard Door
Asymmetric Key Encryption (Public Key)
Each Party Has a Key Pair: a Private Key Kept Secret and a Public Key Given to Everyone
Encrypt With the Recipient's Public Key; Only the Matching Private Key Can Decrypt
A Trusted Third Party (Certificate Authority) Vouches That a Public Key Belongs to a Given Party; It Does Not Hold Anyone's Private Key
Analogy: Safe Deposit Box
Message Digest Algorithms
One-Way "Hash" Functions; the Hash of a Document (Not the Whole Document) is What Gets Signed in a Digital Signature
Methods of Defeating Encryption
Brute Force
Trying All Possibilities
"Psychic" (For Human-Generated Keys / Passwords Only)
The Person Has to Be Able to Memorize the Key
Brute Force Prioritized by Easily Memorized Keys (Dictionary Attack)
Cipher Attack
View the Encrypted Data and Work Back (Ciphertext-Only Attack)
Analogy: Cryptogram Puzzles
Cryptanalysis
Science of Breaking Algorithms
Exploit Mathematical Weaknesses in the Algorithm
How Encryption Works (Digital Signature)
Develop a pair of mathematical functions such that:
f (signature, my_private_key) = encrypted_signature
f' (encrypted_signature, my_public_key) = signature
Only the private key can produce an encrypted_signature that the public key turns back into the original, so holders of the public key can verify but not forge.
Internet Encryption Protocols
Public Key Encryption Requires a Trusted Third Party
Certificate Authority
RSA - Rivest, Shamir, Adleman
MIT Professors - Invented the Algorithm
Some Algorithms are (or Were) Patented
Size of Key is Important
Longer Keys are Harder to Break
Governments Have Limited Key Sizes (e.g. US Export Controls)
Internet Encryption Protocols (2)
SET (Secure Electronic Transaction)
Protocol for Passing Credit Card Information
Uses DES for Data, RSA for Keys and the Credit Card Number
Includes Protocols for Authorization and Validation of the Credit Card
Encrypted HTTP
S-HTTP (Secure HTTP) - CommerceNet
SSL (Secure Sockets Layer) - Netscape
PPP
Plain TCP/IP Provides No Encryption of Its Own
Login Passwords Are in the Clear
PAP (Password Authentication Protocol) - Passwords Sent in the Clear
CHAP (Challenge Handshake Authentication Protocol) - Server Sends a Random Challenge; the Password is Used to Compute a Response That is Passed to the Server, So the Password Itself Never Crosses the Wire
Key Management
Keys Must Be Kept Private or Security is Lost
Keys are Too Long for Memorization
Kerberos (MIT), ISAKMP (Internet Security Association and Key Management Protocol)
IP Level Security
Virtual Private Networks (VPNs)
Tunneling (Encapsulation)
Encrypts Data at a Point Low in the ISO/OSI Stack
Encapsulates it in Another Protocol
PPTP - Point-to-Point Tunneling Protocol
Works Over Public Networks
Only Client and Server Need to Be PPTP-Aware
The Encrypted PPP Frames (Carrying the Original IP Packets) are Carried Within Another IP Packet
L2F - Layer 2 Forwarding
Requires All Routers/Servers Between Client and Server to Support L2F
Non-Encrypted Security
Change Passwords Regularly
Limits How Long a Stolen Password Stays Useful
Increases Effort Necessary to Break In
Analogy: Changing Locks
DHCP - IP Addresses are Temporary
Similar to Changing Passwords at the IP Level (Obscurity Only, Not an Access Control)
IP Addresses Dynamically Assigned
Private Network
Traffic Between Customers of an ISP Does Not Pass Through the "Public" Internet
ISP Keeps Routers Secure
AT&T Strategy
Security Key Points
Use Common Sense Above All
Security is Useless if it is Not Enforceable
Once Adopted, Must Be Policed / Tested / Enforced
Policing Software is Important
Automate Mundane Tasks
Security Policies Will Usually Impact Productivity
Use Them Wisely
Two Major Aspects to Security:
Keys and Key Maintenance (e.g. Passwords)
The Need for Client-Side Scripting
Performance
Move More Processing to the Client
Especially Items Requiring Faster Response
E.g. Field Validation
Usability
Make HTML More "Windows-Like"
HTML Extensions (e.g. Tab Order)
CSS Extensions (e.g. style="cursor:hand")
Dynamic Event Handling (e.g. onMouseOver)
Requires a Scripting Language
ECMAScript (European Computer Manufacturers Association Standard)
JavaScript
De-Facto Standard Client-Side Scripting Language
However, Other Scripting Languages are Supported by Servers
Add-Ons for Others
Interpreted Language
Object-Oriented
“Full” Scripting Language
Core JavaScript – Standalone Scripting Language
No File I/O
Client-Side JavaScript – For Use in HTML Pages
Primary Use of JavaScript
Server-Side JavaScript – Perl/Java Alternative
Similar to Other Languages
C-Like Syntactic Structure
JavaScript (2)
Usability
Fairly Complex Language
Web Orientation
Easiest to Look at and Modify Existing Code
Full, Complex Language
Many Ways to Achieve the Same Function
Client-Side JavaScript
Core JavaScript Language
HTML Events
Document Object Model (DOM)
Ability to Refer to the Elements of an HTML Document
Significant Differences Between Microsoft and Netscape Implementations
Especially in DOM Implementation
So, as With CSS, HTML, etc.
Know Your Target Audience / Platform
What Level of Support Will You Provide For Those Not Using Your Target Platform?
Dynamic HTML - Scripting
All Properties Can Be Set by Scripts
New Dynamic Properties: Useful for Scripting
DISABLED / ENABLED Attribute (Form Fields)
Display Property
Visibility Property
Pop-Up Boxes
Creation of New Windows
New Instance of Browser
Document Object Model
Defines Hierarchy of Objects
Each Has its Own Event Handlers
Event Bubbling
Which Event Handler Gets Events?
Name Space Definitions
Each Object in HTML Form Can Be Addressed
E.g. Clicking a Button Can Be Used to Change the Text Value in a Specific Field of Another Window
A Caveat
Javascript is Still a Scripting Language
Not Great For Large, Complex Programs
e.g Limited Debugging
As With Perl, Powerful Features Can Also Make Bugs Difficult to Detect / Prevent
Stepping Back: Basic JavaScript
Browsers That Don't Recognize <SCRIPT> Will Try to Display the Text Within the Tags
Therefore, Enclose All Script Within the Tags as HTML Comments
The Script Processor Will Ignore the HTML Comment Tags
Use // for JavaScript Comments
Newer Browsers Will Ignore Everything Within the Tags if They Don't Recognize the Language
JavaScript is the Default
JavaScript Basics
Similar to C/Java
Case Sensitive
Case Conventions Not Always Obvious
In Most Cases You Don't Get an Error Message, Just an Unexpected Result
document.write ("<H1>Hello World</H1> \n");
document.writeln ("Hello World");
NOTE: Output is Interpreted as HTML (So Anything Untrusted Written This Way Can Inject Markup or Script)
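Because document.write output is parsed as HTML, a page that writes a value it did not author (a query-string parameter, a form field, a cookie) lets that value supply tags and event handlers of its own. The following added example (not from the original slides) shows the unsafe construction next to an escaping function that neutralises the five characters HTML treats specially; the untrusted input is constructed, and the `document` call is guarded so the block also runs under Node.js.

```javascript
// Replace the characters that can start or end markup with their HTML entities.
function escapeHtml(s) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => entities[c]);
}

// Unsafe: the value is concatenated straight into the markup that document.write will parse.
function greetingUnsafe(name) {
  return "<H1>Hello " + name + "</H1>";
}

// Safe: the value can only ever be shown as text.
function greetingSafe(name) {
  return "<H1>Hello " + escapeHtml(name) + "</H1>";
}

// Constructed input, as it might arrive in ?name=... on the query string.
const untrustedName = '<img src=x onerror="alert(document.cookie)">';

// In a browser: the unsafe form would run the attacker's onerror handler, the safe form shows the text.
if (typeof document !== "undefined") {
  document.write(greetingSafe(untrustedName));
}
console.log(greetingUnsafe(untrustedName));
console.log(greetingSafe(untrustedName));
```

Where a DOM element already exists, assigning `element.textContent` avoids HTML parsing altogether and is preferable to escaping by hand.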
Objects and Properties
Objects
Objects are Collections of Named Data
Often Called Properties or Fields
Properties
Untyped
Can be Data, Arrays, Functions, Other Objects
If a Property is a Function it is Called a Method
Referenced by object.property
e.g. document.myform.button
Properties Can be Dynamically Assigned to Objects
var point = new Object();
point.x = 7;
point.y = 3;
Objects Also Act as Associative Arrays (Property Names Used as Keys)
Objects and Arrays Must First Be Created
var book = new Object();
Then Properties Can Be Assigned Without Declaration
book.chapter1 = "How To";
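Using an object as an associative array is convenient, but a plain object also inherits properties ("constructor", "toString", "__proto__") that a key taken from user input can collide with. The following added example, not from the original slides, tallies constructed query-parameter names in a plain object and in an object created with no prototype (`Object.create(null)`), and shows an own-property lookup for the cases where a plain object must be used. It runs under Node.js or a browser.

```javascript
// Unsafe: a plain object inherits properties, so a user-controlled key such as
// "constructor" reads a function instead of "nothing yet".
function countPlain(keys) {
  const counts = {};
  for (const k of keys) counts[k] = (counts[k] || 0) + 1;
  return counts;
}

// Safe: an object with no prototype has only the properties we put there.
function countSafe(keys) {
  const counts = Object.create(null);
  for (const k of keys) counts[k] = (counts[k] || 0) + 1;
  return counts;
}

// When a plain object cannot be avoided, consult only its own properties.
function lookupOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Constructed input, as if taken from ?constructor=1&page=2&page=3
const untrustedKeys = ["constructor", "page", "page"];

console.log(countPlain(untrustedKeys));   // constructor becomes a garbled string, not 1
console.log(countSafe(untrustedKeys));    // { constructor: 1, page: 2 }
```

A `Map` keyed by the string is the other idiomatic choice; it has the same property of never confusing a key with inherited state.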
Variables Not Declared (with var) are Treated as Globals
This is the Reason All Variables Should be Declared
Local - Only Defined Within the Local Function
Global - Defined Within All Functions
NOTE: A Local Variable Can Have Same
Some Useful Array Functions
array.concat (array1, array2, ...) - Concatenates Arrays
array.join (separator) - Returns a String of All Elements of the Array Separated by separator
array.length - Returns the Number of Elements in the Array
array.pop - Removes and Returns the Last Element of an Array
array.push - Appends an Element to an Array
array.reverse - Reverses the Elements of an Array
array.shift - Removes and Returns the First Element of an Array
array.unshift - Inserts an Element at the Beginning of an Array
array.slice (start, end) - Returns a Portion of the Array
array.sort - Sorts an Array
array.splice - Inserts or Deletes Elements of an Array
Miscellaneous
Concatenate Strings Using +
Variables are Untyped
Automatically Converted
May Cause Unexpected Results
e.g. v1 = 1 + 2 + " classes"
v1 contains "3 classes"
But: v1 = "I took " + 1 + 2 + " classes"
v1 contains "I took 12 classes" (Evaluated Left to Right: Once a String is Involved, + Concatenates)
Arrays Identified With Brackets
E.g. point[0]
Not {} as With Perl Hashes
null
Special Value
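The automatic conversion above bites hardest in form validation, where every field value arrives as a string: comparing two strings with `>` uses dictionary order, so "9" > "10" is true. The following added example (not from the original slides) shows a limit check written on the raw field values next to one that validates and converts first, plus the slide's own concatenation cases with the parenthesised fix; the form values are constructed and the code runs under Node.js or a browser.

```javascript
// Buggy: compares the raw field values, which are strings.
function overLimitBuggy(qtyValue, maxValue) {
  return qtyValue > maxValue;                  // "9" > "10" is true (string comparison)
}

// Fixed: accept only decimal digits, then compare as numbers.
function overLimitFixed(qtyValue, maxValue) {
  const digits = /^[0-9]+$/;                    // rejects "", "1e3", "-1", " 5"
  if (!digits.test(qtyValue) || !digits.test(maxValue)) {
    throw new RangeError("quantity fields must be whole numbers");
  }
  return Number(qtyValue) > Number(maxValue);  // "9" > "10" is false
}

// The slide's concatenation cases, and how parentheses force the arithmetic first.
function classesSummary(n1, n2) {
  return {
    numbersFirst: n1 + n2 + " classes",               // 1 + 2 + " classes" -> "3 classes"
    stringFirst: "I took " + n1 + n2 + " classes",     // -> "I took 12 classes"
    parenthesised: "I took " + (n1 + n2) + " classes", // -> "I took 3 classes"
  };
}

// Constructed form values, as read from document.order.qty.value / document.order.max.value
const sampleForm = { qty: "9", max: "10" };
console.log("buggy:", overLimitBuggy(sampleForm.qty, sampleForm.max));
console.log("fixed:", overLimitFixed(sampleForm.qty, sampleForm.max));
console.log(classesSummary(1, 2));
```

Client-side checks like this improve usability only; the server must repeat them, because the client can be edited or bypassed entirely.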
arguments[] Holds the Argument Values Passed In
arguments.length - The Number of Arguments Passed
More JavaScript
Comments are // or /* */
Strings Concatenated With +
Functions Should Be Declared Before Being Used
Typically Defined in the <HEAD> Section
alert - Creates a Pop-Up Message Box
prompt - Prompts the User for Input
Buttons - <INPUT TYPE="Button" VALUE="Click Here" onclick="functionname()">
window.open - Opens a New Instance of the Browser
In-Class Exercise
Create a JavaScript version of your test page
<SCRIPT LANGUAGE="JavaScript">
HTML Extensions for Forms
"Tool Tips"
TITLE Attribute on Form Tags
Label Associated With Form Entry
User Can Click on the Label to Select the Entry Field
<LABEL FOR="TextID">Enter Name: </LABEL>
<INPUT TYPE="Text" ID="TextID" NAME="Tname">
<FIELDSET> Groups Controls Together (Outline Box)
<LEGEND> Adds Text to the Outline Box
Example