Transcript
Outline
◦ Intro
◦ Client-side security
◦ Server-side security
◦ Complete security?


◦ The security of a web-based information system requires security controls at each tier (client, web server, database server, …).

Figure 11.1: browser ↔ (HTTP/HTTPS) ↔ web server ↔ (application protocol(s) or HTTP/HTTPS) ↔ application/database server

◦ A web client can become an easy target.

◦ The servers are prime targets for hackers.

◦ The communication links must be secured as well.


A challenge: providing total security to clients
1. Client devices tend to be handled by end users with varying levels of expertise.
2. There exist multiple types of client devices.
3. Various executables and/or email attachments may be downloaded to a networked client device.
4. There exist various client applications, each of which requires different configurations, updates, etc.
5. Less physical security.


User awareness

Client configurations/updates
◦ anti-malware applications
◦ Web browsers
◦ Email client applications

How far and how long would sensitive data need to be protected?
◦ Encryption? (key management, …)
◦ MAC?
◦ Period of protection?


What needs to be secured?
◦ The server itself (physical, applications, data)
◦ The connections to the clients
◦ The connected clients

A centralized location to enable security controls


Challenges?
1. A rewarding target (web presence, precious data)
2. Various server-side technologies: CGI scripts, server APIs, server-side includes, ASP, JSP/Servlets, PHP


Challenges? (cont.)
3. Possibly high workload (many connections)
4. Need for layered security (application layer vs. network or lower layer)
5. Configurations and updates


That's the goal. It requires the cooperation of all participants and the security of all devices and communication links.
◦ Data security: When and where do sensitive data need to be protected? Laws require corporations and organizations to implement proper measures to protect the data they process.
