CSci 5271 Introduction to Computer Security
Day 21: Firewalls, NATs, and IDSes
Stephen McCamant, University of Minnesota, Computer Science & Engineering
(lecture slides, extracted from PDF)


Outline
- Web confidentiality and privacy
- Even more web risks
- Announcements intermission
- Firewalls and NAT boxes
- Intrusion detection systems

Site perspective (OWASP A6)
- Protect confidentiality of authenticators
  - Passwords, session cookies, CSRF tokens
- Duty to protect some customer info
  - Personally identifying info ("identity theft")
  - Credit-card info (Payment Card Industry Data Security Standards)
  - Health care (HIPAA), education (FERPA)
  - Whatever customers reasonably expect

You need to use SSL
- Finally coming around to the view that more sites need to support HTTPS
  - Special thanks to WiFi, NSA
- If you take credit cards (of course)
- If you ask users to log in
  - Must be protecting something, right?
- Also important for users of Tor et al.

Server-side encryption
- HTTPS and password fields are basic hints
- Also consider encrypting data "at rest"
  - (Or, avoid storing it at all)
- Provides defense in depth
  - Reduce damage after another attack
- May be hard to truly separate keys
  - OWASP example: website holds only a public key → backend decrypts credit card info

Adjusting client behavior
- Consider disabling autocomplete
  - Usability tradeoff, save users from themselves
  - Finally standardized in HTML5
- Consider disabling caching
  - Performance tradeoff
  - Better not to have this on the user's disk
  - Or on a proxy? You need SSL

User vs. site perspective
- User privacy goals can be opposed to site goals
  - Such as in tracking for advertisements
- Browser makers can find themselves in the middle
  - Of course, differ in institutional pressures

Third party content / web bugs
- Much tracking involves sites other than the one in the URL bar
  - For fun, check where your cookies are coming from
- Various levels of cooperation
- Web bugs are typically 1x1 images used only for tracking

Cookies arms race
- Privacy-sensitive users like to block and/or delete cookies
- Sites have various reasons to retain identification
- Various workarounds:
  - Similar features in Flash and HTML5
  - Various channels related to the cache
  - Evercookie: store in n places, regenerate if a subset are deleted

Browser fingerprinting
- Combine various server- or JS-visible attributes passively
  - User agent string (10 bits)
  - Window/screen size (4.83 bits)
  - Available fonts (13.9 bits)
  - Plugin versions (15.4 bits)
- (Data from panopticlick.eff.org, far from exhaustive)

History stealing
- History of what sites you've visited is not supposed to be JS-visible
- But, many side-channel attacks have been possible
  - Query link color
  - CSS style with external image for visited links
  - Slow-rendering timing channel
  - Harvesting bitmaps
  - User perception (e.g. fake CAPTCHA)

Browser and extension choices
- More aggressive privacy behavior lives in extensions
  - Disabling most JavaScript (NoScript)
  - HTTPS Everywhere (whitelist)
  - Tor Browser Bundle
- Default behavior is much more controversial
  - Concern not to kill advertising support as an economic model
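The "bits" on the fingerprinting slide are surprisal values: -log2 of the fraction of browsers sharing an attribute value. The following is an added example (not from the slides or from panopticlick.eff.org) that computes them over a constructed toy population of browser attribute tuples; the attribute values, counts, and the 16-hex-digit fingerprint hash are all assumptions made for the demonstration. It also shows why the per-attribute numbers cannot simply be added: attributes correlate (a user agent implies a plugin list), so the naive sum overstates the identifying power of the combination.

```python
import hashlib
import math
from collections import Counter

# Constructed toy population of browsers, keyed by the attribute tuple
# (user agent, screen size, font list, plugin list) and counting how many
# browsers reported that combination. Not real survey data.
POPULATION = Counter({
    ("UA-Chrome",  "1920x1080", "fonts-A", "plugins-X"): 40,
    ("UA-Chrome",  "1366x768",  "fonts-A", "plugins-X"): 30,
    ("UA-Firefox", "1920x1080", "fonts-B", "plugins-Y"): 20,
    ("UA-Firefox", "1366x768",  "fonts-B", "plugins-Y"): 8,
    ("UA-Safari",  "1440x900",  "fonts-C", "plugins-Z"): 1,
    ("UA-Chrome",  "1440x900",  "fonts-A", "plugins-Y"): 1,
})
ATTRS = ("user_agent", "screen", "fonts", "plugins")


def surprisal_bits(matching, total):
    """Identifying information in bits: -log2 of the fraction of the
    population that shares the value (the Panopticlick 'surprisal' measure)."""
    return -math.log2(matching / total)


def attribute_bits(combo, index, population=POPULATION):
    """Bits revealed by one attribute of `combo`, considered on its own."""
    total = sum(population.values())
    matching = sum(n for c, n in population.items() if c[index] == combo[index])
    return surprisal_bits(matching, total)


def fingerprint(combo):
    """What a tracker stores: a stable hash of the concatenated attributes
    (truncated here for readability; an assumption of this example)."""
    return hashlib.sha256("|".join(combo).encode()).hexdigest()[:16]


def report(combo, population=POPULATION):
    total = sum(population.values())
    # Anonymity set: browsers in the population identical to this one.
    # A combination never seen before is at least as identifying as a unique one.
    anonymity_set = max(population.get(combo, 0), 1)
    per_attr = {name: attribute_bits(combo, i, population) for i, name in enumerate(ATTRS)}
    return {
        "fingerprint": fingerprint(combo),
        "per_attribute_bits": per_attr,
        # Naive estimate: treat the attributes as independent and add their bits.
        "naive_sum_bits": sum(per_attr.values()),
        # Actual: how rare the whole combination is. Never exceeds log2(total).
        "combined_bits": surprisal_bits(anonymity_set, total),
        "anonymity_set": anonymity_set,
    }


if __name__ == "__main__":
    for combo in POPULATION:
        r = report(combo)
        print(f"{r['fingerprint']}  set={r['anonymity_set']:3d}  "
              f"combined={r['combined_bits']:.2f} bits  naive sum={r['naive_sum_bits']:.2f} bits")
```

In a population of 100 the most a fingerprint can reveal is log2(100), about 6.6 bits; the unique Safari browser hits that ceiling, while the common Chrome configuration shares its fingerprint with 39 others and yields only 1.3 bits even though its four attributes "add up" to more than 2.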

Outline: Even more web risks

Misconfiguration problems (OWASP A5)
- Default accounts
- Unneeded features
- Framework behaviors
  - Don't automatically create variables from query fields

Openness tradeoffs
- Error reporting
  - Few benign users want to see a stack backtrace
  - Convenient for attackers too
- Directory listings
  - Hallmark of the old days
- Readable source code of scripts
  - Doesn't have your DB password in it, does it?

Using vulnerable components (OWASP A9)
- Large web apps can use a lot of third-party code
- OWASP: two popular vulnerable components downloaded 22m times
- Hiding doesn't work if it's popular
- Stay up to date on security announcements

Clickjacking
- Fool users about what they're clicking on
  - Circumvent security confirmations
  - Fabricate ad interest
- Example techniques:
  - Frame embedding
  - Transparency
  - Spoof cursor
  - Temporal "bait and switch"

Crawling and scraping
- A lot of web content is free-of-charge, but proprietary
  - Yours in a certain context, if you view ads, etc.
- Sites don't want it downloaded automatically (web crawling)
- Or parsed and used for another purpose (screen scraping)
- High-rate or honest access detectable

Outline: Announcements intermission

Accidental reflected XSS in HA2 Q6
- (Perhaps with live demo)
- Not useful for you in the assignment
- Will fix for next year

Note: more readings this week
- More details on how to set up firewalls
- Burglar alarms and "mimicry" attack on IDSes
- Containing high-speed worms
- Virus evolution in 2012
- Use bookmarklet for on-campus download links

Research project status
- Meetings next week at usual times
  - Will send out emails to confirm, prob. tomorrow
- Presentations begin after Thanksgiving, schedule soon

Outline: Firewalls and NAT boxes

Internet addition: middleboxes
- Original design: middle of net is only routers
  - End-to-end principle
- Modern reality: more functionality in the network
  - Security is one major driver

Security/connectivity tradeoff
- A lot of security risk comes from a network connection
  - Attacker could be anywhere in the world
- Reducing connectivity makes security easier
- Connectivity demand comes from end users

What a firewall is
- Basically, a router that chooses not to forward some traffic
  - Based on an a priori policy
- More complex architectures have multiple layers
  - DMZ: area between outer and inner layers, for outward-facing services

Inbound and outbound control
- Most obvious firewall use: prevent attacks from the outside
- Often also some control of insiders
  - Block malware-infected hosts
  - Employees wasting time on Facebook
  - Selling sensitive info to competitors
  - Nation-state Internet management
- May want to log or rate-limit, not block

Default: deny
- Usual whitelist approach: first, block everything
  - Then allow certain traffic
- Basic: filter packets based on headers
- More sophisticated: proxy traffic at a higher level

IPv4 address scarcity
- Design limit of 2^32 hosts
  - Actually less for many reasons
- Addresses becoming gradually more scarce over a many-year scale
  - Some high-profile exhaustions in 2011
- IPv6 adoption still very low, occasional signs of progress

Network address translation (NAT)
- Middlebox that rewrites addresses in packets
- Main use: allow inside network to use non-unique IP addresses
  - RFC 1918: 10.*, 192.168.*, etc.
  - While sharing one outside IP address
- Inside hosts not addressable from outside
  - De-facto firewall

Packet filtering rules
- Match based on:
  - Source IP address
  - Source port
  - Destination IP address
  - Destination port
  - Packet flags: TCP vs. UDP, TCP ACK, etc.
- Action, e.g. allow or block
- Obviously limited in specificity

Client and server ports
- TCP servers listen on well-known port numbers
  - Often < 1024, e.g. 22 for SSH or 80 for HTTP
- Clients use a kernel-assigned random high port
- Plain packet filter would need to allow all high-port incoming traffic

Stateful filtering
- In general: firewall rules depend on previously-seen traffic
- Key instance: allow replies to an outbound connection
  - See: port 23746 to port 80
  - Allow incoming to port 23746, to the same inside host
- Needed to make a NAT practical

Circuit-level proxying
- Firewall forwards TCP connections for inside client
- Standard protocol: SOCKS
  - Supported by most web browsers
  - Wrapper approaches for non-aware apps
- Not much more powerful than packet-level filtering

Application-level proxying
- Knows about higher-level semantics
  - Long history for, e.g., email; now HTTP most important
- More knowledge allows better filtering decisions
- But, more effort to set up
- Newer: "transparent proxy"
  - Pretty much a man-in-the-middle

Tunneling
- Any data can be transmitted on any channel, if both sides agree
  - E.g., encapsulate IP packets over an SSH connection
- Compare covert channels, steganography
- Powerful way to subvert a firewall
  - Some legitimate uses
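The slides on default deny, NAT, client/server ports and stateful filtering describe one mechanism from several angles, so here is a single added example (not from the slides, and not a real firewall implementation) that simulates it. It contrasts a plain packet filter, which can only let replies in by allowing every inbound packet to a high port, with a NAT box whose translation table records each outbound connection and admits an inbound packet only when it is a reply on one of them. The inside network 10.0.0.0/24, the public address 203.0.113.1, the remote addresses, the external port range starting at 40000 and the port 23746 client are all assumed values chosen for the demonstration.

```python
import itertools
from dataclasses import dataclass, replace

INSIDE_NET = "10.0.0."       # RFC 1918 space used on the inside (assumed)
PUBLIC_IP = "203.0.113.1"    # the single outside address the NAT shares (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def stateless_decide(pkt):
    """Plain packet filter, default deny: each packet is judged on its own headers.
    Servers sit on well-known ports (< 1024) and clients on random high ports, so to
    let replies to outbound connections back in it has to allow every inbound packet
    to a high port, and it cannot tell such a reply from an unsolicited probe."""
    if pkt.src_ip.startswith(INSIDE_NET):
        return "allow"                   # outbound: inside hosts may connect out
    if pkt.dst_ip.startswith(INSIDE_NET) and pkt.dst_port >= 1024:
        return "allow"                   # meant for replies, but admits anything high-port
    return "drop"                        # everything else: default deny


class StatefulNat:
    """NAT box: rewrites inside addresses to PUBLIC_IP on the way out and keeps a table
    of live connections. That table doubles as a stateful filter: an inbound packet is
    translated back and let in only if it is a reply on a connection an inside host opened."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)
        self.by_ext_port = {}   # external port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.by_conn = {}       # reverse mapping, so one connection keeps one external port

    def outbound(self, pkt):
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.by_conn.get(conn)
        if ext_port is None:             # first packet of this connection: record it
            ext_port = next(self.free_ports)
            self.by_conn[conn] = ext_port
            self.by_ext_port[ext_port] = conn
        return replace(pkt, src_ip=self.public_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Return the packet translated for the inside host, or None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        conn = self.by_ext_port.get(pkt.dst_port)
        if conn is None:
            return None                  # no inside host opened this: default deny
        inside_ip, inside_port, remote_ip, remote_port = conn
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                  # right external port, wrong peer: not a reply
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


if __name__ == "__main__":
    nat = StatefulNat()
    out = nat.outbound(Packet("10.0.0.5", 23746, "93.184.216.34", 80))
    print("outbound rewritten to:", out)
    print("reply translated to:", nat.inbound(Packet("93.184.216.34", 80, PUBLIC_IP, out.src_port)))
    probe = Packet("198.51.100.7", 4444, PUBLIC_IP, 8080)
    print("unsolicited probe through NAT:", nat.inbound(probe))
    print("same probe at a stateless filter:", stateless_decide(replace(probe, dst_ip="10.0.0.5")))
```

The check on the remote address and port in `inbound` is what "to the same inside host" on the slide buys you: without it, anyone who guesses a live external port could inject packets into an open connection. Real NAT implementations also time entries out and track TCP state (SYN, FIN), which this simulation omits.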

Outline: Intrusion detection systems

Basic idea: detect attacks
- The worst attacks are the ones you don't even know about
- Best case: stop before damage occurs
  - Marketed as "prevention"
- Still good: prompt response
- Challenge: what is an attack?

Network and host-based IDSes
- Network IDS: watch packets, similar to a firewall
  - But don't know what's bad until you see it
  - More often implemented offline
- Host-based IDS: look for compromised process or user from within the machine

Signature matching
- Signature is a pattern that matches known bad behavior
- Typically human-curated to ensure specificity
- See also: anti-virus scanners

Anomaly detection
- Learn pattern of normal behavior
- "Not normal" is a sign of a potential attack
- Has possibility of finding novel attacks
- Performance depends on normal behavior too

Recall: FPs and FNs
- False positive: detector goes off without real attack
- False negative: attack happens without detection
- Any detector design is a tradeoff between these (ROC curve)
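To make the signature-vs-anomaly and FP/FN slides concrete, here is an added example (not from the slides, and not any real IDS's code) that runs both kinds of detector over a constructed, labelled set of web-server request lines. The signature list, the benign training set, the request strings and the anomaly score (length z-score combined with a count of characters never seen in benign traffic) are all assumptions of the example. Two thresholds on the anomaly score trace two points on the ROC tradeoff: the lower one catches every attack at the cost of two false positives, the higher one drops a false positive but misses the path traversal.

```python
import re
import statistics

# Constructed request lines standing in for web-server log entries, labelled
# with ground truth (True = attack). Not real traffic.
LABELLED = [
    ("GET /index.html", False),
    ("GET /search?q=intrusion+detection", False),
    ("GET /search?q=<script>alert(1)</script>", True),    # XSS, literal tag
    ("GET /item?id=1%27%20OR%20%271%27=%271", True),      # SQL injection, URL-encoded
    ("GET /a/very/long/but/benign/path/to/the/archive/of/lecture/notes/2013.pdf", False),
    ("GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", True),  # XSS, URL-encoded
    ("POST /login", False),
    ("GET /static/../../etc/passwd", True),               # path traversal
]

# Baseline of benign requests the anomaly detector learns from (constructed).
TRAINING_NORMAL = [
    "GET /index.html", "GET /images/logo.png", "GET /search?q=firewalls",
    "POST /login", "GET /docs/day21.pdf", "GET /search?q=nat+boxes",
    "GET /about", "GET /css/site.css", "GET /search?q=ids", "GET /blog/2013/11",
]

# Human-curated signatures: patterns of known bad behaviour. Specific, but they
# fire only on the exact form they were written for (no URL-decoding here).
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"\bunion\s+select\b", r"\.\./")]


def signature_alert(line):
    return any(sig.search(line) for sig in SIGNATURES)


class AnomalyDetector:
    """Learns what 'normal' looks like and flags departures from it."""

    # Characters that never occur in the benign baseline; each one adds a point.
    SUSPICIOUS = set("%'\"<>;()")

    def __init__(self, normal):
        lengths = [len(line) for line in normal]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.stdev(lengths)

    def score(self, line):
        length_z = (len(line) - self.mean) / self.stdev       # how unusually long
        punct = sum(ch in self.SUSPICIOUS for ch in line)     # how unusual the characters
        return max(length_z, punct)

    def alert(self, line, threshold):
        return self.score(line) > threshold


def evaluate(detector, labelled=LABELLED):
    """Count true/false positives and negatives for a detector over labelled data."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for line, is_attack in labelled:
        fired = detector(line)
        if fired and is_attack:
            counts["tp"] += 1
        elif fired:
            counts["fp"] += 1
        elif is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    det = AnomalyDetector(TRAINING_NORMAL)
    print("signatures:        ", evaluate(signature_alert))
    print("anomaly, t=2.0:    ", evaluate(lambda l: det.alert(l, 2.0)))
    print("anomaly, t=5.0:    ", evaluate(lambda l: det.alert(l, 5.0)))
```

The signature detector has no false positives but misses both URL-encoded attacks, the classic failure of matching known patterns: the attacker controls the encoding. The anomaly detector catches those, but flags the long benign URL at any threshold, which is the slide's point that its performance depends on what "normal" happens to look like; a site whose legitimate URLs are long would need a different feature.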
