Thursday, December 31, 2009

Web Security Considerations

The WWW is fundamentally a client/server application running over the Internet and TCP/IP intranets. As such, the security tools and approaches discussed so far are relevant to the issue of Web security.

But, as pointed out in [GARF97], the Web presents new challenges not generally appreciated in the context of computer and network security:

> The Internet is two-way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web server over the Internet.

> The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.

> Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the Web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks.

> A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems that are not part of the Web itself but are connected to the server at the local site.

> Casual and untrained (in security measures) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.


SOME COMMON WEB SECURITY THREATS

This table summarizes the types of security threats faced in using the Web, grouped by the security property they violate, together with their consequences and the usual countermeasures.

Integrity
  Threats: modification of user data; Trojan horse browser; modification of memory; modification of message traffic in transit.
  Consequences: loss of information; compromise of machine; vulnerability to all other threats.
  Countermeasures: cryptographic checksums.

Confidentiality
  Threats: eavesdropping on the net; theft of information from server; theft of data from client; information about network configuration; information about which client talks to server.
  Consequences: loss of information; loss of privacy.
  Countermeasures: encryption, Web proxies.

Denial of Service
  Threats: killing of user threads; flooding machine with bogus requests; filling up disk or memory; isolating machine by DNS attacks.
  Consequences: disruptive; annoying; prevents user from getting work done.
  Countermeasures: difficult to prevent.

Authentication
  Threats: impersonation of legitimate users; data forgery.
  Consequences: misrepresentation of user; belief that false information is valid.
  Countermeasures: cryptographic techniques.


One way to group these threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site.
Another way to classify Web security threats is in terms of the location of the threat: the Web server, the Web browser, and the network traffic between browser and server.
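The table lists "cryptographic checksums" as the countermeasure for the integrity row and "cryptographic techniques" for the authentication row, and the paragraph above names altering messages in transit as an active attack. The following added example (not code from the original post) shows the caveat a practitioner would want here: an unkeyed checksum such as SHA-256 only catches accidental corruption, because an active attacker who can replace the message can recompute the public hash as well. A keyed checksum (HMAC) defeats that, and at the same time authenticates the sender, since only a holder of the shared key can produce a valid tag. The request bytes, the tampered version and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample traffic (not taken from the post): a form submission as it
# might travel from browser to server, and the version an attacker substitutes.
ORIGINAL = b"POST /transfer to=alice&amount=100"
TAMPERED = b"POST /transfer to=mallory&amount=9999"


def unkeyed_checksum(message):
    """A plain hash. It catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key, message):
    """HMAC-SHA256. Recomputing it requires the key shared by client and server."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_unkeyed(message, checksum):
    return hmac.compare_digest(unkeyed_checksum(message), checksum)


def verify_keyed(key, message, tag):
    # compare_digest runs in constant time, so a mismatch does not leak
    # how many leading bytes of the forged tag were right.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def attack_unkeyed(checksum):
    """Active attacker on the path: replace the message and recompute the public hash."""
    return TAMPERED, unkeyed_checksum(TAMPERED)


def attack_keyed(tag):
    """Same attacker against HMAC: without the key, the best option is to forward the old tag."""
    return TAMPERED, tag


def run_demo():
    key = secrets.token_bytes(32)      # agreed between client and server out of band
    checksum = unkeyed_checksum(ORIGINAL)
    tag = keyed_tag(key, ORIGINAL)

    results = {
        # Honest traffic verifies under both schemes.
        "honest_ok": verify_unkeyed(ORIGINAL, checksum) and verify_keyed(key, ORIGINAL, tag),
    }
    msg, chk = attack_unkeyed(checksum)
    results["unkeyed_detects_tamper"] = not verify_unkeyed(msg, chk)      # False: forgery accepted
    msg, forged_tag = attack_keyed(tag)
    results["keyed_detects_tamper"] = not verify_keyed(key, msg, forged_tag)  # True: rejected
    # A party that does not hold the key (impersonation) cannot produce a valid tag either.
    results["wrong_key_rejected"] = not verify_keyed(secrets.token_bytes(32), ORIGINAL, tag)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Note what the HMAC does not give you: the attacker still reads the plaintext request, so this addresses the integrity and authentication rows of the table only; the confidentiality row still needs encryption, as the table says.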

From the table we can see the common Web threats and their countermeasures at a glance.
One relatively general-purpose way to provide Web security is at the network level, with IPSec, which is transparent to end users and applications. Another relatively general-purpose solution is to implement security just above TCP. The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS). At this level there are two implementation choices. For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages. For example, the Netscape and Microsoft Internet Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol. Note that SSL itself (versions 2.0 and 3.0) has since been formally deprecated in favour of TLS; current deployments should use TLS 1.2 or later.
Application-specific security services are embedded within the particular application. The advantage of this approach is that the service can be tailored to the specific needs of a given application. In the context of Web security, an important example of this approach is Secure Electronic Transaction (SET).
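When SSL/TLS is embedded in a specific package rather than in the protocol suite, the application itself decides whether the server's certificate is checked, and that decision is what separates real protection from merely encrypted traffic to an impostor. The following added example (not part of the original post) uses Python's standard `ssl` module, which despite its historical name speaks TLS, to build a weak client configuration beside a hardened one and to audit either for the settings that would let a man in the middle through. `fetch_over_tls` shows where the application wraps its own TCP socket; it needs network access and is not called by the example.

```python
import socket
import ssl


def weak_client_context():
    """The 'make the errors go away' configuration: traffic is encrypted, but any
    server that answers is accepted, so an impostor is not noticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Certificate chained to a trusted CA, host name matched against it, TLS 1.2 or newer.
    cafile=None uses the platform trust store; pass a path to pin a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def audit_context(ctx):
    """Return the settings in a client context that would let a man in the middle through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def fetch_over_tls(host, port, ctx, request=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Application-embedded TLS: the program wraps its own TCP socket. server_hostname is
    the name that check_hostname compares the certificate against. (Network access; not run here.)"""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            return tls.version(), tls.getpeercert(), tls.recv(4096)


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit is a useful check to drop into a code base that has grown its own `SSLContext` objects: every context a client uses should come back with an empty list of findings, otherwise the "encryption" in the confidentiality row of the table above is protecting the session against everyone except the one party who cares to impersonate the server.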

DIAGRAM OF THE THREE APPROACHES TO WEB SECURITY

Network level approach (security inside IP, transparent to applications):

    HTTP    FTP    SMTP
    -------- TCP --------
    ------ IP/IPSec -----

Transport layer approach (security just above TCP, below the application):

    HTTP    FTP    SMTP
    ----- SSL or TLS ----
    -------- TCP --------
    --------- IP --------

Application level approach (security embedded in each application):

    S/MIME   PGP   SET   |   Kerberos
    SMTP     HTTP        |   UDP
    TCP                  |
    ------------- IP ----------------

We will discuss SSL/TLS and SET in detail later on.
