1. ◦ Intro ◦ Client-side security ◦ Server-side security ◦ Complete security?


  • Outline

    Intro

    Client-side security

    Server-side security

    Complete security?

  • The security of a web-based information system requires security controls at each tier (client, web server, database server, ...).

    Figure 11.1: browser <-- HTTP/HTTPS --> web server <-- application protocol(s) or HTTP/HTTPS --> application/database server

    A web client can become an easy target.

    The servers are prime targets for attackers.

    The communication links must be secured as well.

  • A challenge: providing total security to clients

    Client devices tend to be handled by end users with varying levels of expertise.

    There exist multiple types of client devices.

    Various executables and/or email attachments may be downloaded to a networked client device.

    There exist various client applications, each of which requires different configurations, updates, etc.

    Less physical security.

  • User awareness

    Client configurations/updates:

      anti-malware applications

      Web browsers

      Email client applications

    How far and how long would sensitive data need to be protected?

      Encryption? (key management, ...)

      MAC?

      Period of protection?
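    The three questions above (encryption, a MAC, and a period of protection) can be answered together with an AEAD cipher. The following is an added example, not code from the lecture slides: it seals a sensitive field on the client with AES-GCM from Go's standard library, which gives confidentiality and a built-in authentication tag, and binds an expiry timestamp to the ciphertext as associated data so that the record's protection period can be read without the key but not extended without detection. The record layout, the field value and the 32-byte key are constructed for the example; key management (where the key lives on the client) is assumed to be handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"time"
)

// sealedRecord is the stored form of one protected field: the AES-GCM nonce,
// the ciphertext (which ends with the authentication tag), and the expiry
// that the tag also covers.
type sealedRecord struct {
	Nonce      []byte
	Ciphertext []byte
	ExpiresAt  int64 // Unix seconds; authenticated as associated data
}

var errExpired = errors.New("record is past its protection period")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// expiryAD encodes the expiry as the associated data the tag covers.
func expiryAD(exp int64) []byte {
	ad := make([]byte, 8)
	binary.BigEndian.PutUint64(ad, uint64(exp))
	return ad
}

// sealRecord makes plaintext confidential and tamper-evident until expiresAt.
// The expiry is bound to the ciphertext as associated data: it stays readable
// without the key, but changing it invalidates the tag.
func sealRecord(key, plaintext []byte, expiresAt time.Time) (*sealedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	exp := expiresAt.Unix()
	return &sealedRecord{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, expiryAD(exp)),
		ExpiresAt:  exp,
	}, nil
}

// openRecord refuses an expired record, then refuses any record whose nonce,
// ciphertext or expiry has been altered, and only then returns the plaintext.
func openRecord(key []byte, rec *sealedRecord, now time.Time) ([]byte, error) {
	if !now.Before(time.Unix(rec.ExpiresAt, 0)) {
		return nil, errExpired
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, expiryAD(rec.ExpiresAt))
}

func main() {
	// Key management is the hard part and is out of scope here (assumption):
	// in practice the key comes from the OS keystore or a KMS, never from the
	// record itself.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample field; protect it for one day.
	rec, err := sealRecord(key, []byte("card=4111111111111111"), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	pt, err := openRecord(key, rec, now)
	fmt.Printf("valid record: %q err=%v\n", pt, err)

	rec.ExpiresAt += 3600 // an attacker tries to extend the protection period
	_, err = openRecord(key, rec, now)
	fmt.Println("after extending expiry:", err)
}
```

    The expiry check runs before decryption so an old record is rejected even when it is otherwise intact; because the expiry is part of the associated data, moving it forward makes `aead.Open` fail the same way a flipped ciphertext byte does.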

  • What needs to be secured?

    The server itself (physical, applications, data)

    The connections to the clients

    The connected clients

    A centralized location to enable security controls

  • Challenges?

    A rewarding target (web presence, precious data)

    Various server-side technologies:

      CGI scripts

      Server APIs

      Server-side includes

      ASP

      JSP/Servlets

      PHP

  • Challenges? (cont.)

    Possibly high workload (many connections)

    Need for layered security (application layer vs. network or lower layers)

    Configurations and updates
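    The last two challenges (many connections, and configuration as a security control at the application layer) are concrete enough to show in a server setup. The following is an added example, not code from the lecture slides: a Go net/http server whose timeouts and header limit bound what any single slow or idle connection can cost, wrapped in middleware that caps request body size and sets the browser-facing response headers. The address, the 1 MiB body limit and the timeout values are assumptions to be tuned per deployment; network-layer controls (firewall, TLS termination, rate limiting) are assumed to sit in front of it.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"time"
)

// maxBodyBytes caps what a handler may read from any request body
// (1 MiB here; an assumed limit, tune it per endpoint).
const maxBodyBytes = 1 << 20

// hardened wraps a handler with the application-layer controls: a body-size
// cap enforced before the handler reads, and response headers that stop the
// browser from sniffing content types, framing the page or loading content
// from other origins.
func hardened(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		h.Set("Referrer-Policy", "no-referrer")
		// net/http sends no Server: header by default; do not add one that
		// advertises the software version.
		next.ServeHTTP(w, r)
	})
}

// newServer builds an http.Server whose timeouts bound how long a single
// connection can occupy a goroutine, so a flood of slow or idle clients
// cannot exhaust the server the way it can with the zero-value (no timeout)
// settings.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           hardened(h),
		ReadHeaderTimeout: 5 * time.Second,  // headers dribbled in slowly
		ReadTimeout:       10 * time.Second, // whole request, body included
		WriteTimeout:      15 * time.Second, // response must finish in time
		IdleTimeout:       60 * time.Second, // parked keep-alive connections
		MaxHeaderBytes:    16 << 10,         // oversized header blocks
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	srv := newServer("127.0.0.1:8080", mux) // assumed bind address
	// In deployment this is ListenAndServeTLS with a real certificate, and
	// network-layer controls (firewall, rate limiting) sit in front of it.
	log.Fatal(srv.ListenAndServe())
}
```

    The body cap is applied in the middleware rather than in each handler so that a forgotten check in one CGI-style endpoint does not become the one that accepts a multi-gigabyte upload; the timeouts are the server-side counterpart, limiting how long that endpoint can be held open while the upload trickles in.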

  • Complete security? That's the goal.

    Requires the cooperation of all participants, the security of all devices and communication links.

    Data security: when and where do sensitive data need to be protected?

    Laws require corporations and organizations to implement proper measures to protect the data they process.

  • Definitions

    PII: Personally Identifiable Information.

    In computing, a hypervisor, also called a virtual machine manager (VMM), is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer.

    In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.