
Internet Security – Has no holiday!

What's to worry about?

Unfortunately, there's a lot to worry about. There are security risks that affect Web servers, the local area networks that host Web sites, and even innocent users of Web browsers.

To the end-user, Web surfing feels both safe and anonymous. It's not. Active content, such as ActiveX controls and Java applets, means that simply browsing a page can introduce viruses or other malicious software into the user's system. Both end-users and Web administrators also need to worry about the confidentiality of the data transmitted across the Web. TCP/IP was not designed with security in mind, so unencrypted traffic is vulnerable to network eavesdropping: when confidential documents are transmitted from the Web server to the browser, or when the end-user sends private information back to the server in a fill-out form, someone may be listening in.

Overview of risks

There are basically three overlapping types of risk:

  1. Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:

    • Steal confidential documents not intended for their eyes.

    • Execute commands on the server host machine, allowing them to modify the system.

    • Gain information about the Web server's host machine that will allow them to break into the system.

    • Launch denial-of-service attacks, rendering the machine temporarily unusable (discussed in detail below).

  2. Browser-side risks, including:

    • Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates an annoyance.

    • The misuse of personal information knowingly or unknowingly provided by the end-user.

  3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:

Access restrictions

There are three types of access restriction available:

  1. Restriction by IP address, subnet, or domain. Individual documents or whole directories are protected in such a way that only browsers connecting from certain IP (Internet) addresses, IP subnets, or domains can access them.

  2. Restriction by user name and password. Documents or directories are protected so that the remote user has to provide a name and password in order to get access.

  3. Encryption using public key cryptography. Both the request for the document and the document itself are encrypted in such a way that the text cannot be read by anyone but the intended recipient. Public key cryptography can also be used for reliable user verification. See below.

 

How safe is restriction by IP address or domain name?

Restriction by IP address is secure against casual nosiness but not against a determined hacker. There are several ways around IP address restrictions. With the proper equipment and software, a hacker can "spoof" his IP address, making it seem as if he's connecting from a location different from his real one. Nor is there any guarantee that the person contacting your server from an authorized host is in fact the person you think he is: the remote host may have been broken into and is being used as a front. Clients behind a proxy or NAT gateway also all appear to come from one address, and any header that claims to name the original client (X-Forwarded-For, for instance) is supplied by the client side and can say anything, so it must not be used for access decisions. To be safe, IP address restriction must be combined with something that checks the identity of the user, such as a check for user name and password.

How safe is restriction by user name and password?

Restriction by user name and password also has its problems. A password is only good if it's chosen carefully. Too often users choose obvious passwords like middle names, their birthday, their office phone number, or the name of a favorite pet goldfish. These passwords can be guessed, and WWW servers, unlike Unix login programs, typically do not slow down or lock out a client after repeated unsuccessful guesses, so a determined hacker can employ a password-guessing program to break in by brute force; the server should either throttle repeated failures itself or its logs should be watched for them. Remember too that with plain HTTP the name and password travel in the clear (Basic authentication merely base64-encodes them), so they are exposed to the eavesdropping described above unless the connection is encrypted. You also should be alert to the possibility of remote users sharing their user names and passwords. It is more secure to use a combination of IP address restriction and password than to use either of them alone.
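The combined check in server-side Python, as an added example that is not part of the original article: the connecting address is tested against an allowed subnet list, the Basic-authentication credentials are verified against salted PBKDF2 hashes with a constant-time comparison, and a (user, address) pair is refused after a fixed number of wrong passwords, which is the throttling most Web servers of the time did not do. The subnets (documentation ranges), the user table, the lockout threshold and the status codes are assumptions chosen for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import os
from collections import defaultdict
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5          # assumed lockout threshold per (user, client address)

# Constructed data: the subnets allowed to reach the protected directory
# (documentation ranges, not real networks) and a user table whose entries
# hold a random salt plus a PBKDF2-HMAC-SHA256 hash, never the password itself.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}

USERS = {"alice": make_user("correct horse battery staple")}
_failures = defaultdict(int)   # (user, client_ip) -> consecutive bad passwords

def ip_allowed(client_ip: str) -> bool:
    """Restriction by IP address: is the connecting address inside an allowed subnet?"""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:password)'. This is encoding,
    not encryption: without SSL the password is readable by anyone on the path."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def password_ok(user: str, password: str) -> bool:
    """Restriction by user name and password, compared in constant time."""
    record = USERS.get(user)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])

def authorize(client_ip: str, auth_header: Optional[str]) -> int:
    """Apply both restrictions and return the HTTP status to answer with:
    403 wrong network, 401 missing or wrong credentials, 429 locked out, 200 allowed."""
    if not ip_allowed(client_ip):
        return 403
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return 401
    user, password = creds
    key = (user, client_ip)
    if _failures[key] >= MAX_FAILURES:
        return 429                      # refuse further guesses from this pair
    if password_ok(user, password):
        _failures.pop(key, None)
        return 200
    _failures[key] += 1
    return 401

def basic_header(user: str, password: str) -> str:
    """Build the header a browser would send (used for the demonstration below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

if __name__ == "__main__":
    good = basic_header("alice", "correct horse battery staple")
    print(authorize("198.51.100.7", good))          # 403: outside the allowed subnets
    print(authorize("192.0.2.10", None))            # 401: no credentials
    print(authorize("192.0.2.10", good))            # 200
    for _ in range(MAX_FAILURES):
        authorize("192.0.2.10", basic_header("alice", "goldfish"))
    print(authorize("192.0.2.10", good))            # 429: locked out after repeated guesses
```

Keying the failure counter on the (user, address) pair means a guessing attack from one host cannot lock the legitimate user out from everywhere else; a real deployment would keep the counter in shared storage and expire it after some time.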

What is user authentication?

User authentication is any system for determining, and verifying, the identity of a remote user. User name and password is a simple form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form of authentication that uses an unforgeable electronic signature.

A Re-look at Encryption

Encryption works by encoding the text of a message with a key. In traditional encryption systems, the same key is used for both encoding and decoding. In public key or asymmetric encryption systems, keys come in pairs: one key is used for encoding and another for decoding. Information on cryptography and digital signatures is available on fandsindia.com.

Securing information flow with SSL, SHTTP

Both are proposed encryption and user authentication standards for the Web. Each requires the right combination of compatible browser and server to operate, so neither is yet the universal solution to the secure data transmission problem.

SSL (Secure Sockets Layer) is the scheme proposed by Netscape Communications Corporation; its standardized successor is TLS. It is a low-level encryption layer used to protect transactions in higher-level protocols such as HTTP, NNTP and FTP. The SSL protocol includes provisions for server authentication (verifying the server's identity to the client), encryption of data in transit, and optional client authentication (verifying the client's identity to the server). Server authentication is not optional in practice: without it an eavesdropper sitting between browser and server can present his own key and read everything, which is why the browser checks the server's certificate before trusting the encrypted channel. SSL is implemented commercially on several browsers, including Netscape Navigator, Secure Mosaic and Microsoft Internet Explorer.

SHTTP (Secure HTTP) is the scheme proposed by CommerceNet, a coalition of businesses interested in developing the Internet for commercial uses. It is a higher-level protocol that works only with HTTP, but is potentially more extensible than SSL.

Can I use Personal Certificates to Control Server Access?

SSL can also be used to verify the user's identity to the server, providing more reliable authentication than the common password-based schemes. To take advantage of this, each user has to obtain a "personal certificate" from a certificate authority (CA).

Users can obtain inexpensive personal certificates from VeriSign. VeriSign offers two classes of certificate. Class 1 certificates cost a mere $9.95 yearly, but provide no assurance that the user is who he or she claims to be because VeriSign performs no validation of the information submitted by the user on the application form. At most, class 1 certificates certify that the user can receive e-mail at the address provided in the application. Class 2 certificates, available for $19.95 yearly, provide a greater level of assurance. In order to obtain such a certificate, the user must provide personal identifying information that is validated by a credit bureau.

If you are running an intranet, you may wish to issue personal certificates yourself, in order to provide fine-grained access control to employees of your organization. To do this, you will need to obtain and install a certificate server. Such systems are available from Microsoft, Netscape, XCert, Entrust and GTE. See fandsindia.com for an article on certificate servers.

 

What is a Denial of Service attack?

Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests. The high-profile attacks of the week of February 6th, 2000 were primarily bandwidth attacks, and all of the targets were high-profile Internet web sites. A complete description of Denial of Service attacks is available from CERT at http://www.cert.org/tech_tips/denial_of_service.html.

 

What is a Distributed Denial of Service attack?

A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator multiplies the effect of the attack significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time the master program communicates with any number of "agent" programs installed on computers anywhere on the Internet, and the agents, when they receive the command, initiate the attack. In this way the master can set hundreds or even thousands of agents in motion within seconds.

How is a DDoS executed against a website?

A website DDoS is executed by flooding one or more of the site's web servers with so many requests that they become unavailable for normal use. If an innocent user makes normal page requests during a DDoS attack, the requests may fail completely, or the pages may download so slowly as to make the website unusable. DDoS attacks typically take advantage of many computers, which simultaneously launch hundreds of thousands of requests at the target website. In order not to be traced, the perpetrators break into unsecured computers on the Internet, hide rogue DDoS programs on them, and then use them as unwitting accomplices to launch the attack anonymously. Because the traffic arrives from many addresses, none of which need stand out on its own, blocking individual source addresses is far less effective than it is against a single-source flood; the total request rate has to be watched as well.
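Telling the two flood patterns apart in a server's access log, as an added example that is not from the original article: requests are parsed from Apache/NCSA common-log-format lines, bucketed into ten-second windows, and a window is flagged either when one source alone exceeds a per-source threshold (a single-origin DoS) or when the window's total exceeds an aggregate threshold while no single source stands out (the distributed case, where per-address blocking does not help). The log lines are constructed, and the window size and both thresholds are assumed values chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NCSA common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Return {"ip", "ts", "status"} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "status": int(m.group("status"))}

def detect_floods(lines, window_seconds=10, per_source=50, aggregate=400):
    """Bucket requests into fixed windows and flag each window as either a
    single-source flood (one address alone above per_source) or a distributed
    flood (total above aggregate although no single address stands out).
    Thresholds are assumed values; tune them to the site's normal traffic."""
    buckets = defaultdict(Counter)           # window start (epoch secs) -> Counter(ip)
    for line in lines:
        event = parse_line(line)
        if event is None:                    # skip corrupt lines rather than crash
            continue
        epoch = int(event["ts"].timestamp())
        buckets[epoch - epoch % window_seconds][event["ip"]] += 1

    findings = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        top_ip, top_count = per_ip.most_common(1)[0]
        if top_count > per_source:
            findings.append({"kind": "single-source", "window_start": start,
                             "source": top_ip, "requests": top_count,
                             "distinct_sources": len(per_ip)})
        elif total > aggregate:
            findings.append({"kind": "distributed", "window_start": start,
                             "source": None, "requests": total,
                             "distinct_sources": len(per_ip)})
    return findings

def sample_log():
    """Constructed traffic, not a real capture: a quiet period, then one host
    hammering the server, then 200 hosts each sending three requests at once.
    All addresses are documentation ranges."""
    base = datetime(2000, 2, 9, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    def add(ip, t, status=200):
        lines.append(f'{ip} - - [{t.strftime(TS_FORMAT)}] "GET /index.html HTTP/1.0" {status} 1234')
    for i in range(5):                       # seconds 0-4: five ordinary visitors
        add(f"198.51.100.{i + 1}", base + timedelta(seconds=i))
    for i in range(120):                     # seconds 20-29: one source, 120 requests
        add("203.0.113.9", base + timedelta(seconds=20 + i % 10))
    for h in range(1, 201):                  # seconds 40-49: 200 sources x 3 requests
        for k in range(3):
            add(f"192.0.2.{h}", base + timedelta(seconds=40 + (h + k) % 10))
    lines.append("this line is corrupt and must be skipped")
    return lines

if __name__ == "__main__":
    for finding in detect_floods(sample_log()):
        print(finding)
```

The quiet window is not reported, the second window is reported with a single source that can be blocked outright, and the third is reported as distributed with 200 sources none of which exceeds the per-source limit, which is exactly why a DDoS needs rate limiting or upstream filtering rather than an address blacklist.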

The author is Director, Fands Infonet, a leading company in International Recruitment and can be reached at sandeep@fandsindia.com. Statistics and related information collected from World Wide Web Consortium.