Lecture Notes



  1. Networking review/Firewalls
       • OSI vs TCP/IP layers
       • Hosts, Hubs, Bridges, Switches, Routers, Gateways
       • Review of services and protocols
       • Firewalls
       • “Secure” web servers
       • Risks for end-users and merchants
  2. OSI vs TCP/IP
       OSI layers:
         • Application
         • Presentation
         • Session
         • Transport
         • Network
         • Data Link
         • Physical
       TCP/IP layers:
         • Application
         • Transport Control Protocol (TCP)
         • Internet Protocol (IP)
         • Physical (Ethernet/Token Ring…)
  3. Review of components
       • Hosts
           • Considered a “node” or “end point” in the network (client/server/printer)
           • Processes all levels of the protocol stack
       • Hubs
           • acts as an “extender” - similar in effect to taking all incoming lines and twisting the wires together
           • Does not do any processing - acts only at the physical layer
       • Bridges
           • attaches two physically identical LANs together, physical layer processing
           • forwards only traffic which is destined for “the other side”
       • Switches
           • depending on level of switch complexity, anywhere from a hub to a router
       • Routers
           • Processing at the Network layer
           • Route packets between networks with potentially different lower level protocol stacks (i.e., different physical and data link layers)
       • Gateways
           • Processes all levels of the protocol stack
           • Used to connect networks with different protocol stacks
  4. Name        Port/Protocol   Comment
     stel        10005/tcp       # Secure Telnet
     xaudio      1103/tcp        xaserver # X Audio Server
     kerberos    750/udp         kdc # Kerberos key server
     who         513/udp         whod
     ssh         22/tcp          # Secure SHell
     imap        143/tcp         # Internet Message Access
     nntp        119/tcp         usenet # Network News Transfer
     pop3        110/tcp         # Post Office
     finger      79/tcp
     sunrpc      111/tcp         rpcbind
     sunrpc      111/udp         rpcbind
     hostnames   101/tcp         hostname # usually to sri-nic
     bootpc      68/udp          # BOOTP/DHCP client
     bootps      67/udp          # BOOTP/DHCP server
     smtp        25/tcp          mail
     telnet      23/tcp
     ftp         21/tcp
     ftp-data    20/tcp
  5. Firewalls
       • Packet filtering firewalls
           • Packet filtering firewalls decide whether or not to forward packets based on their source and destination IP addresses and port numbers
           • Rules dictate whether or not packets should be forwarded
           • Typically once a connection through the firewall has been established, further packets are passed without scrutiny
           • Processes up to the network layer of the protocol stack
               • (one notable exception is for FTP, which requires some application-level support)
           • Can perform IP Masquerading
  6. Firewalls (continued)
       • Proxy-based firewalls
           • Proxy-based firewalls operate at the application layer of the protocol stack
           • Every type of application for which a connection through the firewall is requested requires that a proxy server be running on the firewall for that specific application, or the request will be denied
           • Allows for logging of events at the application layer, much more detailed logging than a packet-filtering firewall allows
           • Requires that client machines inside the firewall be configured on an application by application basis to use the proxied services of the firewall
  7. [Diagram: Web server on internal network. Labels: Firewall, Internet, Web Server]
  8. [Diagram: Web server on external network (DMZ). Labels: Firewall, Internet, Web Server]
  9. [Diagram: Web server between two firewalls. Labels: Firewall, Internet, Web Server, Firewall]
  10. What is a “secure web server”?
       • To vendors, a web server which supports cryptographic protocols
       • To web surfers, a web server which will safeguard the user’s personal information and their privacy, and which will not take control of their browser and cause it to download viruses, etc.
       • To a company running a web server, it is a server which is resistant to a determined attack over the internet or from within the company
  11. The Web Security Problem
       • Part 1 - securing the web server and the data on it
           • ensure the server remains available
           • ensure the information isn’t modified without authorization
           • ensure the information isn’t distributed to unauthorized parties
       • Part 2 - securing the transfer of information
           • ensure that confidential transmissions cannot be read, modified, or destroyed by others
       • Part 3 - securing the user’s own computer
           • ensure that information downloaded from your service will not compromise the user’s system in any way, and that the downloaded information will continue to be controlled in accordance with the license agreement or copyright
       • Additional concerns - in some cases we must also
           • verify the identity of the user to the server
           • verify the identity of the server to the user
           • ensure adequate logging for billing, conflict resolution, “non-repudiation”, and investigation of misuse
  12.
       • Well-publicized Risks for credit card holder
           • credit card number may be “sniffed” in transit. Illegal charges can be placed to max out the credit limit, causing the card to be unusable by its rightful owner
           • credit card could be billed, but goods might never arrive - merchant site has since disappeared…
       • SSL is supposed to protect the consumer…
           • the consumer is already protected, in that the card holder is only liable for the first $50 of fraudulent charges (or none, depending on the credit company)
           • the banks are liable for the charges, unless they can prove negligence on the part of the merchant
           • proof of who the merchant is has already been carried out in rigorous detail, in order for the merchant to secure a merchant credit account
           • SSL really helps protect the merchant and the bank, not the consumer
  13. Less-well-publicized risks for the user
       • information provided in transaction might be used/sold for mailing lists or other forms of solicitation
       • information regarding user’s price sensitivity might be used to selectively raise prices for the individual in the future
       • web browser might be subverted in order to glean confidential user information directly from user’s machine
       • web browser might be subverted in order to wipe the user’s hard drive or, alternatively, silently forward contents of the hard drive to an arbitrary host on the internet
  14. Less-well-publicized risks for the merchant
       • User might try to access merchant site and find it down or too slow, and decide to buy from a competitor
       • User might be a competitor (or robot) searching the site in order to undercut prices
       • User might be a criminal with a stolen credit card
       • If the merchant stores the credit card numbers on their computer, it could be hacked, opening them up to liability
       • A hacker could break in and introduce fraudulent orders from the web server into the legacy databases
       • A hacker could reverse credit payments onto their own card once they’ve compromised the system
       • A hacker could cause orders to be messed up, shipping the wrong goods to customers
       • A hacker could lower prices below the cost to the merchant
  15. A typical online credit card transaction
       [Diagram labels: Internet Payment Network, Internet Backbone, User’s computer, Order form, ISP, User’s bank, Merchant bank, Warehouse, Delivery Service, Online store, User]
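
Added example, not part of the original slides: a small model of the packet filtering firewall from slide 5, with first-match rules on addresses and ports plus a table of established connections whose later packets skip the rules. The class names, the rule set and all addresses are constructed for illustration; the telnet and web ports follow the services table on slide 4 and common usage.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Rule(NamedTuple):
    action: str              # "allow" or "deny"
    src_net: str             # CIDR the source address must fall in
    dst_net: str             # CIDR the destination address must fall in
    dport: Optional[int]     # destination port, None = any
    proto: str = "tcp"

# Constructed rule set: a web server at 192.0.2.10, inside hosts on 10.0.0.0/8.
SAMPLE_RULES = [
    Rule("deny", "0.0.0.0/0", "192.0.2.0/24", 23),    # no telnet to the servers
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 80),  # anyone may reach the web server
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", None),   # inside hosts may connect out
]

class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()   # flows admitted earlier

    @staticmethod
    def _matches(rule, pkt):
        return (pkt.proto == rule.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
                and rule.dport in (None, pkt.dport))

    def decide(self, pkt):
        """Return (action, reason); only addresses, ports and protocol are read."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an already admitted connection skip the rule list entirely.
        if flow in self.established or reply in self.established:
            return "allow", "established"
        for index, rule in enumerate(self.rules):   # first matching rule wins
            if self._matches(rule, pkt):
                if rule.action == "allow":
                    self.established.add(flow)
                return rule.action, f"rule {index}"
        return "deny", "default"                    # nothing matched: drop
```

The server's reply packet matches no rule on its own and is forwarded only because its connection is in the established table; the filter never looks at payload, which is the gap the proxy-based firewall on slide 6 addresses.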