CS 4720 Security CS 4720 – Web & Mobile Systems


Page 1: CS 4720 Security CS 4720 – Web & Mobile Systems. CS 4720 The Traditional Security Model The Firewall Approach “Keep the good guys in and the bad guys

CS 4720

Security

CS 4720 – Web & Mobile Systems

Page 2: The Traditional Security Model
• The Firewall Approach
• “Keep the good guys in and the bad guys out”

Page 3: Distributed System Security
• “Islands of Security”

Page 4: A Paradigm Shift without a Clutch
• These models were just fine when corporations had their own networks
• If you needed in, you used a VPN
• Now the open Internet is used as the main network
• How does this change the security model?
• Consider this: how do you access a web service?

Page 5: A Paradigm Shift without a Clutch
• Firewall security happens at the network layer
• But now we need access on a per-application basis
• How can we achieve that?

Page 6: A Paradigm Shift without a Clutch
• Web services are designed to penetrate firewalls, since they use port 80
• Application-level security is needed to examine:
  – Who is making a request
  – What info is being accessed
  – What service is being addressed
• IP-based security is still needed though!

Page 7: Application Security 101
• What are some basic things you do to protect your system at the application level?
• Catch exceptions and don’t show detailed error messages
• Hide interfaces
• “Don’t trust your users”
• Encryption

Page 8: Application Security 101
• Well… shoot.
• Web services:
  – Have publicly announced interfaces!
  – Must return detailed exceptions to debug systems!
  – At some level, must trust users!
• We need security that is basically XML-aware

Page 9: System Security
• Human: social engineering attacks
• Physical: “steal the server itself”
• Network: treat your server like a 2-year-old
• Operating System: the war continues
• Application: just discussed
• Database: protecting the data

Page 10: XML-Aware Security
• Must be able to inspect content of network traffic
• Must be able to make authorization decisions
• Must be able to make authentication decisions
• Must be able to verify XML as valid for this transaction
• Must also deal with confidentiality and privacy concerns (encryption, message integrity, audit)

Page 11: Web Service Security Concerns
• Unauthorized Access: people view info that they shouldn’t from a message
• Unauthorized Alteration: an attacker modifies part of a message
• Man-in-the-Middle: an attacker sits in between two parties and views messages (or alters them) as they pass by
• Denial-of-Service: flood the service with so many messages that it can’t keep up

Page 12: Network Level Security
• Let’s start with the basic stuff
• Firewalls
  – IP Packet Filtering
    • Static Filtering: follow the rules and toss whatever you see
    • Stateful Filtering: allow for dynamically changed rules as requests go out from inside the firewall
  – Packet filtering only works on IP address… not on the people using the IP address
  – Further, no idea what the payload is
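The difference between static and stateful filtering, and the limit both share, is easier to see in code. The following is an added example, not part of the CS 4720 slides: a toy filter over constructed packets, with a made-up internal prefix (10.0.0.x) and a single static rule (inbound port 80 only). Note that neither filter ever reads `payload`; a request to port 80 passes whatever it carries, which is exactly why the slides move on to application-level checks.

```python
# Added example (not from the CS 4720 slides): a toy static and stateful
# IP packet filter. All addresses, ports and rules below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""  # neither filter ever inspects this field


INSIDE_PREFIX = "10.0.0."       # constructed: the protected network
INBOUND_ALLOWED_PORTS = {80}    # constructed static rule: only the web server port


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def static_filter(pkt: Packet) -> bool:
    """Static filtering: apply the fixed rules and toss everything else."""
    if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
        return True                                   # outbound traffic is allowed
    if not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip):
        return pkt.dst_port in INBOUND_ALLOWED_PORTS  # inbound only to listed ports
    return False                                      # anything else is dropped


class StatefulFilter:
    """Stateful filtering: remember connections opened from inside so that
    their replies are let back in, even on ports the static rules block."""

    def __init__(self) -> None:
        self.sessions: set = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt: Packet) -> bool:
        if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip):
            if pkt.dst_port in INBOUND_ALLOWED_PORTS:
                return True
            # a reply to a session that an inside host opened earlier
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions
        return False


def demo() -> dict:
    """Run both filters over the same constructed packets and report the decisions."""
    outbound = Packet("10.0.0.5", 40000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000)
    web_request = Packet("198.51.100.7", 51515, "10.0.0.80", 80, payload=b"POST /service HTTP/1.1")
    unsolicited = Packet("198.51.100.7", 51515, "10.0.0.80", 22)

    stateful = StatefulFilter()
    return {
        "static_reply": static_filter(reply),                                  # False: no rule for port 40000
        "stateful_reply": all(stateful.filter(p) for p in (outbound, reply)),  # True: reply to our own session
        "web_request": (static_filter(web_request), StatefulFilter().filter(web_request)),  # (True, True)
        "unsolicited": (static_filter(unsolicited), StatefulFilter().filter(unsolicited)),  # (False, False)
    }
```

The stateful filter is strictly more permissive than the static one: it admits the reply on port 40000 because it saw the matching outbound packet. What it cannot do is tell one user behind 10.0.0.5 from another, or judge what the port-80 request actually asks for; that is the gap the rest of the deck fills.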

Page 13: Network to Application
• Application-specific proxy servers
  – A connection comes in to the proxy
  – It verifies the user and payload
  – Then creates a connection to the application server
• Disadvantages?

Page 14: Encryption
• Without going too deep into this…
• There are three basic “types” of encryption methodologies that we use on the Internet:
  – Symmetric
  – Asymmetric
  – Digital Signature / Certificate
• Encryption can address: authentication, confidentiality, and integrity of a message

Page 15: Application Level Security
• Refers to security safeguards that are built into a particular application and operate independently of the network-level security
• Authentication
• Authorization
• Integrity / Confidentiality
• Non-repudiation / Auditing

Page 16: Authentication
• Verifying that the requester is the requester…
• … and that the service is the service
• This requires a mechanism of “proof of identity”
• What are some ways to accomplish this?
• Username / password
• Signed Certificates
• Kerberos

Page 17: Kerberos
• A third-party system for authentication and encryption
• What was Kerberos?

Page 18: A little closer to home
• Netbadge (or more accurately, PubCookie)
• http://www.pubcookie.org/docs/how-pubcookie-works.html

Page 19: Authorization
• Now that we know who you are, what are you allowed to do?
• Permissions
• Role-based security
• How does this work in a database system?
• How about an operating system?

Page 20: Integrity / Confidentiality
• What happens if a message is:
  – Captured and reused?
  – Captured and modified?
  – Monitored as it passes by in a passive manner?
• How do we verify a message hasn’t been tampered with?
  – Digital signature
• How do we verify it hasn’t been viewed?
  – Encryption
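The first two questions on this slide, "captured and reused" and "captured and modified", can be answered with a small receiver that checks a signature and tracks nonces. The block below is an added example, not from the slides: it uses a shared-key HMAC as a stand-in for the digital signature the slide names (same integrity check, but without non-repudiation, since both sides hold the key), with a constructed key and constructed messages. The third question, passive monitoring, needs encryption and is not addressed here.

```python
# Added example (not from the CS 4720 slides): a shared-key MAC plus a nonce,
# standing in for the digital signature the slide mentions. Key and messages
# are constructed.
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a real key is per-party and secret


def _canonical(body: dict, nonce: str) -> bytes:
    """Deterministic byte form of what is protected: body and nonce together."""
    return json.dumps({"body": body, "nonce": nonce}, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach a fresh nonce and a MAC over body + nonce."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, _canonical(body, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "mac": mac}


class Receiver:
    """Receiver side: reject modified messages first, then reject reused ones."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.seen_nonces: set = set()

    def verify(self, msg: dict) -> str:
        expected = hmac.new(self.key, _canonical(msg["body"], msg["nonce"]), hashlib.sha256).hexdigest()
        # MAC check comes first: an unauthenticated message must not be able to fill the nonce set
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: tampered"
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        return "accepted"


def demo() -> list:
    """Deliver one message three ways: as sent, replayed, and with its body altered."""
    receiver = Receiver()
    original = sign_message({"action": "transfer", "amount": 10})
    modified = dict(original, body={"action": "transfer", "amount": 1000})  # same nonce and MAC as original
    return [
        receiver.verify(original),   # accepted
        receiver.verify(original),   # rejected: replay   (captured and reused)
        receiver.verify(modified),   # rejected: tampered (captured and modified)
    ]
```

Two details matter in practice: the MAC is checked before the nonce is stored, so unauthenticated traffic cannot grow the nonce set, and the set itself grows without bound, so a deployed receiver pairs the nonce with a timestamp window and forgets nonces older than that window.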

Page 21: Non-repudiation / Auditing
• When we’re charging to use a web service, how do we prove you used the service so we can charge you?
• How do we track your activities?
• Digitally signed logs, effectively
• Also saves the certificate used to perform the transaction (like a signature on a receipt)

Page 22: XML Trust Services
• XML Signatures
• XML Encryption
• XML Key Management and Single Sign-On
• Basically the same stuff we just talked about, but now in glorious XML!

Page 23: Let’s build a secure system!
• Get with your team
• You have been tasked by Hortfield Incorporated to build a secure web service system that, for a price, will return to you the answers for the next test in a given class
• Users, of course, have to pay for this service
• And it has to be totally secure to keep the honor council away
• What do you do?

Page 24: So… seriously, what should we do?
• When you are asked to build a secure web system, start with the six layers of security
  – Database
  – OS
  – Network
  – Application
  – Physical
  – Human
• And then go one by one…

Page 25: In case of a corporate environment…
• You might think that if you’re a new programmer in a corporate environment, a lot of this is not going to be decided by you
• You’re going to be following a predetermined system spec
• However, some of you won’t be programmers
• Many of you will be system architects and system designers, and the programmers will be asking YOU what to do!

Page 26: From Before
• We talked about a need for:
  – Authentication
  – Authorization
  – Integrity / Confidentiality
  – Non-repudiation / Auditing
• How do we achieve these with web services?

Page 27: What did this cover?
• Authentication:
  – Certificate authority can vouch for sender
  – Username and Password are part of WS-Security
  – Public/Private key pair
• Integrity/Confidentiality:
  – Signatures
  – Encryption
  – All the good stuff

Page 28: Authorization?
• Doesn’t take place at this “transfer” level
• More with user groups in the application
• Database users
• File system permissions
• Have a good role-based security policy
  – People only have access to just enough info and nothing more
  – Nothing runs as root
  – Privileges are given out in a very specific fashion
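A role-based policy of the kind this slide asks for is small to write down, and writing it down makes the "just enough info and nothing more" rule testable. The block below is an added example, not from the slides or from any real course system: the roles (`student`, `ta`, `instructor`), users, permission names and grade data are all constructed. The check denies by default, distinguishes "read anyone's record" from "read only your own record", and is enforced by a decorator so that a service method cannot be reached without it.

```python
# Added example (not from the CS 4720 slides): a deny-by-default role check
# with a least-privilege policy. Roles, users, permissions and data are constructed.
from functools import wraps
from typing import Optional

# constructed policy: which permissions each role carries
ROLE_PERMISSIONS = {
    "student":    {"grades:read:own"},                # only their own record
    "ta":         {"grades:read"},                    # any record, read only
    "instructor": {"grades:read", "grades:write"},
}

# constructed user directory: which roles each user holds
USER_ROLES = {
    "alice": {"student"},
    "bob":   {"ta"},
    "carol": {"instructor"},
}

GRADES = {"alice": "B+", "dave": "A-"}  # constructed data keyed by record owner


class Forbidden(Exception):
    pass


def permissions_for(user: str) -> set:
    """Union of the permissions of every role the user holds; an unknown user gets none."""
    return set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in USER_ROLES.get(user, set())))


def is_allowed(user: str, action: str, owner: Optional[str] = None) -> bool:
    """Deny by default. A bare permission grants the action on any record;
    the ':own' form grants it only on the caller's own record."""
    perms = permissions_for(user)
    if action in perms:
        return True
    return owner is not None and owner == user and f"{action}:own" in perms


def require(action: str):
    """Decorator: the wrapped service method runs only if is_allowed says so."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: str, owner: str, *args, **kwargs):
            if not is_allowed(user, action, owner):
                raise Forbidden(f"{user} may not {action} on {owner}'s record")
            return fn(user, owner, *args, **kwargs)
        return wrapper
    return decorator


@require("grades:read")
def read_grade(user: str, owner: str) -> str:
    return GRADES[owner]


@require("grades:write")
def write_grade(user: str, owner: str, grade: str) -> str:
    GRADES[owner] = grade
    return grade


def demo() -> list:
    """Outcomes for a few constructed requests; Forbidden is reported as a string."""
    results = []
    for call in (lambda: read_grade("alice", "alice"),    # student reads own grade
                 lambda: read_grade("alice", "dave"),     # student reads someone else's
                 lambda: read_grade("bob", "dave"),       # TA reads any student
                 lambda: write_grade("bob", "dave", "A"), # TA tries to write
                 lambda: write_grade("carol", "dave", "A")):  # instructor writes
        try:
            results.append(call())
        except Forbidden:
            results.append("forbidden")
    return results
```

The same shape carries over to the other two places the slide names: the service's database login is a role with the minimum grants rather than the administrative account, and the process runs under an unprivileged OS user rather than root, so a fault in the application cannot reach more than that role allows.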

Page 29: Non-repudiation?
• Either done through text logs or a DB table with transactions
  – Probably a DB table would be better
• Record the signature and important activities that the user performed
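Slides 21 and 29 together describe an audit record that stores the request's signature next to the activity and is itself signed, so that it can serve as a receipt. The block below is an added example, not from the slides: a SQLite transactions table in which each row carries a MAC over its own fields and the previous row's MAC, so that editing, inserting or deleting a row breaks the chain from that point on. The key, users, actions and signature ids are constructed; in a deployment the key (or the signing certificate) is held by the service, not by the database administrator, which is what makes the chain evidence rather than just another column.

```python
# Added example (not from the CS 4720 slides): a transactions table whose rows
# are MAC-chained so that editing or deleting an entry is detectable.
# Key, users, actions and signature ids are constructed.
import hashlib
import hmac
import json
import sqlite3
import time

AUDIT_KEY = b"constructed-audit-key"  # constructed; hold it outside the database


def open_audit_db(path: str = ":memory:") -> sqlite3.Connection:
    con = sqlite3.connect(path)
    con.execute("""
        CREATE TABLE IF NOT EXISTS audit (
            id          INTEGER PRIMARY KEY AUTOINCREMENT,
            ts          REAL NOT NULL,
            user        TEXT NOT NULL,
            action      TEXT NOT NULL,
            request_sig TEXT NOT NULL,   -- signature / certificate id that came with the request
            prev_mac    TEXT NOT NULL,   -- links this row to the one before it
            mac         TEXT NOT NULL
        )""")
    con.commit()
    return con


def _row_mac(ts: float, user: str, action: str, request_sig: str, prev_mac: str, key: bytes) -> str:
    data = json.dumps([ts, user, action, request_sig, prev_mac]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def record(con, user: str, action: str, request_sig: str, key: bytes = AUDIT_KEY, ts=None) -> str:
    """Append one transaction; its MAC covers the row and the previous row's MAC."""
    ts = float(time.time() if ts is None else ts)   # REAL column: keep the type stable for the MAC
    last = con.execute("SELECT mac FROM audit ORDER BY id DESC LIMIT 1").fetchone()
    prev_mac = last[0] if last else "genesis"
    mac = _row_mac(ts, user, action, request_sig, prev_mac, key)
    con.execute(
        "INSERT INTO audit (ts, user, action, request_sig, prev_mac, mac) VALUES (?, ?, ?, ?, ?, ?)",
        (ts, user, action, request_sig, prev_mac, mac),
    )
    con.commit()
    return mac


def verify_chain(con, key: bytes = AUDIT_KEY):
    """Return None if every row checks out, otherwise the id of the first bad row."""
    prev_mac = "genesis"
    rows = con.execute("SELECT id, ts, user, action, request_sig, prev_mac, mac FROM audit ORDER BY id")
    for row_id, ts, user, action, request_sig, stored_prev, mac in rows:
        recomputed = _row_mac(ts, user, action, request_sig, stored_prev, key)
        if stored_prev != prev_mac or not hmac.compare_digest(recomputed, mac):
            return row_id
        prev_mac = mac
    return None


def demo() -> tuple:
    """Write two constructed transactions, then alter one row behind the service's back."""
    con = open_audit_db()
    record(con, "alice", "answers:purchase", "sig-constructed-1", ts=1700000000.0)
    record(con, "alice", "answers:download", "sig-constructed-1", ts=1700000001.0)
    before = verify_chain(con)                                   # None: chain intact
    con.execute("UPDATE audit SET action = 'nothing' WHERE id = 1")
    con.commit()
    after = verify_chain(con)                                    # 1: first row no longer matches
    return before, after
```

`verify_chain` is what an auditor runs before trusting the table; a plain text log with the same per-line MAC and chaining works too, which is why the slide treats the two as interchangeable and prefers the table mainly for querying.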

Page 30: Ugh, I have to figure all this out?
• If you are building your own service based on JSON/XML and you want to secure it… yup
• But if you’re doing SOAP, there’s an agreed-upon standard
• WS-Security
  – Provides rules for how to handle all security for SOAP web services
  – Provides schema for the XML to make all this work