An Example


The following example relates to issues faced by the sales arm of a fictitious company named Exploration Air. First we'll turn our attention to the most important aspect of the solution: the information gathered during the business model phase.

The Business Model

During this stage, Exploration Air gathers information, analyzes and rates threats and risks, and applies its security policy.

Business, product, and information requirements

First, appropriate company personnel—the sponsor and clients of the project—consult and develop the following problem statement: Sales personnel do not have access to up-to-the-minute airline reservation information and therefore cannot determine what discounts to give clients and what products need to be aggressively marketed. This situation leads to lost sales opportunities, less than optimal client relations, and an inability to confirm orders.

The company comes up with the following list of requirements:

  • Sales personnel must be able to access flight schedule and planning and booking information from anywhere in the world, such as at the office, at home, or at a hotel room, at any time of the day or night.
  • Sales personnel must be able to access data from many devices in many ways, such as with a Pocket PC, a laptop, or a desktop by using a modem or a LAN connection.
  • Sales personnel will be restricted to accessing only their own sales data relating to their clients; however, they'll also be able to see aggregate data (such as total bookings for Exploration Air as a whole).
  • Because risk tolerance is low, security must be very strong.
  • The sales data already exists in a Microsoft SQL Server 7 database. (Technically, this isn't a requirement; it's a situation within which company personnel work because the company is not likely to switch databases any time soon!)
  • The Information Technology (IT) department wants to be able to define authentication and authorization at various points in the application as needs change over time. For example, if in the future an offline version of the application is created, authentication and authorization will need to be performed locally (on the user's computer). (At present, the offline scenario is not a requirement, but it might become one in the future.)
  • The IT department does not want to create multiple user account databases. These can lead to support issues if a new user is added, changed, or deleted, because information must be updated in multiple places, a step that is both time-consuming and prone to errors.

Now that they have a list of business, product, and information requirements, Exploration Air personnel can look at the security threats that might be faced by an application that matches those requirements.

Threats and risks

Putting corporate sales data on the Web is a dangerous proposition. The Internet is a proving ground for hackers, and, because of weaknesses in the TCP/IP protocol, attacks can be launched virtually anonymously. (See Chapter 12, "Securing Against Attack," for more information on countering such attacks.) Let's take a look at a subset of some of the threats to the application called for by the company's business, product, and information requirements and at some of the countermeasures that can be employed to counter those threats. The threats are listed in order of risk; the most dangerous risks are listed first.

Information disclosure threat (risk level 5)

This information disclosure threat involves sales data being made available to unauthorized users such as hackers. The value of the attacked assets is presently unknown, but the value is probably high owing to the possible loss of faith by Exploration Air clients and, worse, the damage that can be done if the data is accessed and used maliciously. Based on these factors, the threat's criticality is extremely high: 10. The effort required to perform such an attack is considered low: 2. So, the risk rating of this threat is 5 (10 / 2 = 5). This is the highest risk rating calculated during the company's threat analysis sessions, and it should be addressed immediately.

Methods to use to counter this threat include the following:

  • Strong authenticating protocols to validate the user
  • Appropriate ACLs on all resources
  • Privacy of the communication channel between a valid user and the Web site, thus preventing unauthorized data snooping with technologies such as SSL/TLS or the secure version of IP, IPSec

Denial of service threat (risk level 2)

This DoS threat involves the server hosting the Web server being rendered unusable through malicious TCP/IP-level attacks, such as SYN-flooding, distributed denial of service attacks, fragment attacks, and so on. (See Chapter 12 for more information on this type of attack.) Currently, the company rates the value of the Web site at approximately $100,000. This is the cost of business lost during a one-hour Web server blackout. But the figure is inaccurate because the company has considered only how much business will be attributed to the Web site, which is currently somewhat of an unknown. The company intends to re-evaluate this value in the next 6, 12, and 24 months and update the risk document accordingly.

Company personnel determine that the Web site is somewhat critical to the business now but will certainly be mission-critical to the business in the future (within 18 to 24 months, they think), so they give the threat a criticality rating of 6. Because the ability to mount such an attack is pretty simple—there are many automated DoS tools available on the Web that require little skill to use—effort is rated at 3. The threat's overall risk rating, then, is 2.

Technologies to counter this threat are easy to choose from and well understood; one of these is a packet-filtering firewall placed before the Web server that can be configured to discard suspected TCP/IP packets.

Spoofing user identity threat (risk level 2)

This spoofing user identity threat is very common and probably applicable to most Web applications: an attacker uses an employee's password to gain access to a system. The threat's criticality is rated at 10 because the value of the assets being protected is immeasurable and there are multiple secondary threats associated with this threat:

  • The attacker gains access to confidential data (information disclosure).
  • If the attacker gains access to the administrator's password (elevation of privilege), he or she can mount many other attacks, including
    • Changing log files to cover their tracks (repudiability)
    • Shutting down the Web site (denial of service)
    • Changing the Web site's pages (integrity)

The good news is that the effort that's required to access passwords on a well-maintained Windows 2000-based Web server is nontrivial. (By "well-maintained," I mean a server whose administrator is staying abreast of security updates to the operating system and Web server.) So, the threat's effort rating is 5, which results in a risk rating of 2.

This threat can be countered by using strong authentication protocols requiring strong credentials. If you determine that passwords are too weak, either a stronger password policy can be enforced or a non-password-based scheme can be used, such as client authentication certificates perhaps using smartcards.

Integrity threat (risk level 1.66)

This integrity threat involves data being improperly modified by attackers. For example, say an attacker accesses the home page of the company's Web site (an information disclosure threat) and modifies it to contain political or defamatory messages. The implications of such an attack are probably worse than the DoS attack (hence the threat is given a criticality of 10), but the attack is harder to perform (effort is 6), so the threat's overall risk rating is 1.66.

Tools and technologies to counter this threat include

  • Data-entry validation in the server application to verify data ranges and data format validity before committing to permanent storage.
  • Performing regular backups in case of data integrity compromise. Backup policy dictates that regular backups be held off-site at a secure location.
  • Strong authentication protocols to validate the user before resources are accessed.
  • Access control mechanisms such as ACLs to limit users' access to resources.
  • Audit trails to help locate what resources were accessed, when they were accessed, and by whom.
  • System integrity tools (such as Pedestal Software's Intact) to quickly detect whether Web content has changed.

Information disclosure threat (risk level 1)

This information disclosure threat relates to a Web site that takes input from users; the input data is accessed as it travels from the user to the server. The value of the disclosed data is difficult to ascertain, but it's probably high owing to loss of customer faith if the confidential customer data is accessed, so criticality is rated 6. Because the effort required to mount such an attack is quite high, also a 6, the threat's overall risk rating is 1.

The technologies to counter this threat are easy to implement and commonly available; they involve encrypting the data channel between the client and the Web server. The technologies include SSL/TLS and IPSec or similar technologies.

Repudiability threat (risk level 1)

This repudiability threat involves a sales person fraudulently acquiring airline tickets for private use, which causes both loss of business and loss of income. Criticality is lower, rated a 4, and the effort required to carry out the threat is reasonably low, also a 4, so the overall risk rating is 1.

To help counter this threat, security policy says that all audit logs are to be analyzed regularly for suspicious activity and archived for five years. In addition, clocks on all computers are synchronized to help analyze audit logs across multiple computers. Out-of-step clocks make such analysis much harder. At present, the company does not want to use time stamping and digital signatures, but this is to be investigated later.
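The passage above requires synchronized clocks so that audit logs from several machines can be analyzed together. The following added example (not code from the book) shows in concrete terms why: audit records from a Web server and a SQL Server host are merged into one timeline, first trusting each host's local clock and then after applying a measured per-host clock offset. The host names, log lines and the 90-second skew are constructed for the illustration; the check at the end flags database activity attributed to a user before that user's logon, which is exactly the kind of false anomaly an out-of-step clock produces.

```python
"""Merging audit records from several hosts into one timeline.

Added example for the Exploration Air audit-log discussion; the hosts,
records and clock skew below are constructed, not taken from the book.
"""
from datetime import datetime, timedelta

# Constructed sample records: (host, local timestamp, message).
SAMPLE_RECORDS = [
    ("websrv", "2000-03-01 09:00:05", "Logon jsmith from 10.1.2.3"),
    ("sqlsrv", "2000-03-01 08:58:40", "SELECT on Bookings by jsmith"),
    ("websrv", "2000-03-01 09:00:08", "GET /sales/bookings.asp jsmith"),
    ("sqlsrv", "2000-03-01 08:58:55", "UPDATE Bookings by jsmith"),
]

# Measured offsets: how far each host's clock lags a reference clock.
# In this constructed scenario the SQL Server host runs 90 seconds slow.
CLOCK_OFFSETS = {"websrv": timedelta(0), "sqlsrv": timedelta(seconds=90)}


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' format used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def merged_timeline(records, offsets=None):
    """Return (time, host, message) tuples sorted by corrected time.

    offsets maps host -> timedelta to add to that host's local time; with
    offsets=None the local clocks are trusted as-is.
    """
    offsets = offsets or {}
    corrected = []
    for host, ts, msg in records:
        when = parse_ts(ts) + offsets.get(host, timedelta(0))
        corrected.append((when, host, msg))
    corrected.sort()  # tuples sort by time first
    return corrected


def first_logon(timeline, user):
    """Time of the user's first logon record, or None if there is none."""
    for when, _host, msg in timeline:
        if msg.startswith("Logon " + user + " "):
            return when
    return None


def db_activity_before_logon(timeline, user, db_host="sqlsrv"):
    """Database records for `user` that precede the user's first logon.

    On well-synchronized clocks this list should be empty; entries here
    mean either a genuine anomaly or a skewed clock.
    """
    logon = first_logon(timeline, user)
    return [
        (when, host, msg)
        for when, host, msg in timeline
        if host == db_host
        and msg.endswith(" by " + user)
        and (logon is None or when < logon)
    ]


if __name__ == "__main__":
    for label, offsets in (("local clocks", None), ("corrected", CLOCK_OFFSETS)):
        timeline = merged_timeline(SAMPLE_RECORDS, offsets)
        print(f"--- {label} ---")
        for when, host, msg in timeline:
            print(when.strftime("%H:%M:%S"), host, msg)
        print("suspicious:", len(db_activity_before_logon(timeline, "jsmith")))
```

With the local clocks trusted, both SQL Server records appear to precede the logon and the analyst chases two phantom anomalies; once the offset is applied the sequence reads logon, page request, SELECT, UPDATE, and nothing is flagged. Keeping the clocks synchronized in the first place removes the need to know and apply such offsets at all.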

Elevation of privilege threat (risk level 1)

This elevation of privilege threat relates to an attacker becoming an administrator through odious means on Exploration Air's Web server. Damage could be significant because so many other attacks are possible if this attack is successful, so criticality is extreme: 10. Luckily, this attack is normally not easy to perform and requires extensive skills, so effort is also rated 10 and the threat's overall risk rating is 1.

In the case of defects in third-party components, the threat can be alleviated by keeping abreast of appropriate security updates to affected components of the Web solution. Other aspects of this threat can be offset by good administrative practices, such as strong passwords and strong access control mechanisms on resources used to store secrets such as passwords.
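The threat analysis above rates every threat with the same formula, risk = criticality / effort, and then lists the threats most dangerous first. The following added example (not code from the book) captures that procedure as a small threat register: it records each threat's category, criticality and effort, rejects ratings outside the 1 to 10 scale, computes the rating, and ranks the register. The threat names and countermeasure labels are paraphrased from the chapter; the ratings are the ones given in the text. Note that the chapter truncates 10 / 6 to 1.66, whereas the code keeps full precision.

```python
"""Threat register and risk ranking for the Exploration Air example.

Added example; it applies the chapter's rating formula
(risk = criticality / effort) to the threats the chapter lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    category: str          # category from the chapter's threat taxonomy
    criticality: int       # 1 (negligible impact) .. 10 (extreme impact)
    effort: int            # 1 (trivial to mount) .. 10 (very hard to mount)
    countermeasures: tuple = ()

    def __post_init__(self):
        # Both ratings live on a 1..10 scale; effort >= 1 also rules out
        # division by zero in risk_rating.
        for label, value in (("criticality", self.criticality), ("effort", self.effort)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be between 1 and 10, got {value}")


def risk_rating(criticality, effort):
    """The chapter's formula: high impact that is cheap to mount scores highest."""
    if not (1 <= criticality <= 10 and 1 <= effort <= 10):
        raise ValueError("criticality and effort are rated on a 1..10 scale")
    return criticality / effort


def rank_threats(threats):
    """Return (threat, risk) pairs, most dangerous first.

    sorted() is stable even with reverse=True, so threats with equal risk
    keep the order in which the team raised them.
    """
    scored = [(t, risk_rating(t.criticality, t.effort)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed from the ratings given in the chapter's text.
EXPLORATION_AIR_THREATS = (
    Threat("Sales data disclosed to unauthorized users", "Information disclosure", 10, 2,
           ("strong authentication", "ACLs on all resources", "SSL/TLS or IPSec")),
    Threat("Web server knocked out by TCP/IP-level attacks", "Denial of service", 6, 3,
           ("packet-filtering firewall",)),
    Threat("Attacker uses an employee's password", "Spoofing", 10, 5,
           ("strong credentials", "password policy or client certificates")),
    Threat("Web content improperly modified", "Integrity", 10, 6,
           ("input validation", "backups", "ACLs", "audit trails", "integrity tools")),
    Threat("Customer input read in transit", "Information disclosure", 6, 6,
           ("SSL/TLS or IPSec",)),
    Threat("Sales person fraudulently books tickets", "Repudiability", 4, 4,
           ("regular audit log review", "synchronized clocks", "five-year log archive")),
    Threat("Attacker becomes administrator", "Elevation of privilege", 10, 10,
           ("security updates", "strong passwords", "ACLs on stored secrets")),
)


def ranked_names(threats=EXPLORATION_AIR_THREATS):
    """Threat names in priority order."""
    return [t.name for t, _ in rank_threats(threats)]


if __name__ == "__main__":
    for threat, risk in rank_threats(EXPLORATION_AIR_THREATS):
        print(f"{risk:5.2f}  {threat.category:<24} {threat.name}")
        print(f"       counter with: {', '.join(threat.countermeasures)}")
```

Run as a script it prints the register in the same order the chapter uses (5, 2, 2, 1.67, 1, 1, 1). Because the rating is a ratio, re-rating a single input, for example lowering the effort of the elevation-of-privilege threat once a public exploit for a component appears, moves that threat up the list without touching anything else, which is the re-evaluation the chapter schedules for the DoS threat.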

The Logical Model

Let's turn our attention from security for a moment to the core application that needs to be built to meet the business requirements defined earlier in this example. Obviously, company personnel need to access a database (such as SQL Server), and they need to use the Web. In this case, SQL Server is the database of choice for the company, so that's the database that will be used for the application. In addition, SQL Server is a popular database on servers running Windows 2000. The application will use the Web because it provides many access points and satisfies the following business requirements (from the list of requirements that appeared earlier in "Business, Product, and Information Requirements"):

  • Sales personnel must be able to access flight schedule and planning and booking information from anywhere in the world, such as at the office, at home, or at a hotel room, at any time of the day or night.
  • Sales personnel must be able to access data from many devices in many ways, such as with a Pocket PC, a laptop, or a desktop by using a modem or a LAN connection.

It's fair to say that virtually every Web application today follows the high-level design shown in Figure 2-4.


Figure 2-4. A common high-level design for Web applications.

In this scenario, sales personnel use a Web browser to communicate with a Web server. The Web server calls on some business logic residing in reusable components that in turn manipulate data and return results to the user. This is a very well understood model because it has been around since client/server days.

Figure 2-5 shows the logical model diagram that emerges when threats and related countermeasures are applied to the application in Figure 2-4.

As you can see, security comes into play at many points in the application's operation. These points can be categorized using the security categories introduced in Chapter 1—see "The Golden Rules (and Some Others)." The categories applicable in this case are authentication, authorization, privacy, integrity, and audit. In the physical model phase, company personnel will choose appropriate technology to address each of these security areas. One of the main objectives of this book is to show which technologies are appropriate in particular areas of security and how to use those technologies to build business solutions based on Microsoft products.


Figure 2-5. Security requirements of a Web application.

The Physical Model

Now that Exploration Air has a feel for the security and business requirements of the Web application to be developed, it's time to choose some technologies. Table 2-3 outlines the relevant core security categories and some technologies that map to those categories.

Table 2-3. Applicable technologies mapped to the security categories (the "golden rules") relevant to the application in Figure 2-5.

Category / Example Technologies

Authentication

  • Kerberos
  • Windows NT Challenge/Response
  • Basic (HTTP 1.0 Protocol)
  • Digest (HTTP 1.1 Protocol)
  • X.509 certificates

Authorization

  • Access control lists
  • Permissions (SQL Server)
  • Web access permissions (IIS)
  • Role checking (COM+)

Privacy

  • SSL/TLS
  • IPSec
  • Encrypting File System (EFS)

Integrity

  • SSL/TLS
  • IPSec
  • Packet-filtering firewall

Audit

  • Windows 2000 Security Event Logs
  • IIS Web logs
  • SQL Server logs and Profiler traces

Nonrepudiation

  • Audit logs
  • Law and policy

Various Microsoft products, as described in Table 2-4, can provide all the technologies listed in Table 2-3.

Table 2-4. Some Microsoft products and their security features.

Product or Technology / Comments

Windows 2000 Server

Windows 2000 Server includes improved network, application, and Web services, as well as increased reliability and scalability. One of the most important additions is improved security technology, such as public key infrastructure, Kerberos authentication, IP Security, and the Active Directory.

Windows 2000 also includes IPSec, which lets you set up port rules to determine which IP packets can enter which ports. It's not a replacement for a firewall, but it's a great line of defense. IPSec is covered in Chapter 3, "Windows 2000 Security Overview."

Internet Explorer 5.0

Internet Explorer 5.0 is the Web browsing technology provided in Windows 2000. Internet Explorer includes support for many security technologies, including digest and Kerberos authentication, SSL/TLS support, and Fortezza. (Fortezza is a set of cryptographic functions mandated by the U.S. federal government for sensitive but nonclassified communication.)

Internet Information Services 5

IIS 5 is the latest version of Microsoft's award-winning Web server. It includes many new security tools and technologies, including digest authentication, Kerberos authentication integration, SSL/TLS support, Fortezza support, and two new security tools: the Permissions wizard and the Server Certificate wizard.

COM+

Building on the success of COM, COM+ makes it easy for developers to create location-independent software components in virtually any programming language.

COM+ provides the component technology for the Microsoft Windows Distributed interNet Applications (Windows DNA) architecture, enabling developers to integrate Web-based and client/server applications in a single, unified architecture.

SQL Server 7 or SQL Server 2000

SQL Server provides integrated security with the Windows 2000 operating system. It supports using all available security protocols and provides authentication for each user. Permissions are discretionary and are extremely granular.

Certificate Services 2.0

Certificate Services provides customizable services for issuing and managing certificates used in security systems employing public key technologies.

The role of Certificate Services is to create a certificate authority (CA) that receives certificate requests from clients and servers, verifies the information in the request, and issues a corresponding X.509 certificate. This will all be explained in detail in Chapter 15, "An Introduction to Cryptography and Certificates in Windows 2000."

X.509 certificates

X.509 certificates contain public information about a user or computer and associate a public key to the user or computer. Certificates are issued by certification authorities such as Thawte (www.thawte.com), VeriSign (www.verisign.com), or your own corporate CA using Microsoft Certificate Services; certificates are used to authenticate users and computers. SSL/TLS uses certificates for authentication purposes. See Chapter 15 for more information on certificates.

SSL/TLS

SSL is a security technology developed by Consensus and Netscape, and TLS is the IETF-ratified version of SSL. SSL/TLS allows you to encrypt the channel between two points, making it tremendously difficult for a malicious user to spy on the communication.

When the details in Table 2-4 are applied to the application illustrated in Figure 2-5, the physical model solution looks like that shown in Figure 2-6.


Figure 2-6. The application's physical model solution.

Table 2-5 describes the core components of the solution.

Table 2-5. How some Microsoft products map to the physical model solution.

Product/Technology / Where It Fits in the Solution

Internet Explorer 5.0

Allows the user to enter username and password (or some other credentials) and send them to the Web server. The session will be conducted over an SSL/TLS connection.

Other browsers such as Pocket Internet Explorer could be used on Microsoft Windows CE devices to satisfy the business requirement that the application run on many devices.

Note that browsers less capable than Internet Explorer could be used, but the resulting fidelity might be somewhat reduced. Company personnel need to handle this eventuality in the solution as determined by business requirement number two.

SSL/TLS

SSL/TLS will be used between the browser and the Web server when sensitive data is sent across the Internet.

Internet Information Services 5

IIS hosts a number of Active Server Pages (ASP) that call COM+ components. Most of the user interface layout is provided by ASP as it generates HTML (or dynamic HTML).

Windows 2000 Server

IIS 5 runs as a service on Windows 2000 Server and leverages many of the security technologies in Windows 2000 (such as ACLs) and Windows 2000 authentication (such as Windows NT Challenge/Response authentication [NTLM] and Kerberos).

COM+ components

The COM+ components will perform most, if not all, of the business work as well as query SQL Server by using ADO.

COM+ is language-neutral, but Exploration Air will create the components using Microsoft Visual Basic 6.

ADO

ADO, or ActiveX Data Objects, provides a high-level, flexible interface to various databases such as SQL Server.

Visual Basic 6

Microsoft Visual Basic 6 is a high-level rapid application development (RAD) tool for creating applications and COM+ components. It was chosen for its speed of development and execution as well as its excellent debugging capability. Visual Basic was also chosen because it is supported by third-party companies and because it is one of the most popular development tools in the world.

SQL Server 7 or SQL Server 2000

SQL Server will store all of the corporate sales data, and, like IIS, it runs as a service on top of Windows 2000.

Internet vs. Intranet vs. Extranet

Notice that I've made little or no distinction between Internet, intranet, and extranet scenarios. Although they are differing deployment settings, the scenarios call for use of the same technologies. You can draw a security line between the situations only in that some of the threats are different; intranet scenarios have different audiences from, say, extranet scenarios and hence their threats will differ somewhat.

At this stage, the company is in a good position to build the solution. It's followed a path from a business requirements information-gathering phase through a logical model design phase to a physical model design phase informed by actual products. This process has allowed risks to be rated, prioritized, and planned for early, and it's helped the company find a better, more informed solution to the problem, thus saving time and money. However, before committing to the final product list, it's important that the personnel building the application understand in significant detail what each tool and technology being considered for deployment can do, the tradeoffs between the technologies (their pros and cons), and the implications of strategies regarding security's golden rules. Those matters are the subject of Part II of this book; Chapters 3 through 7 will describe the security capabilities and implications of using the major Microsoft products mentioned in this chapter—more specifically, Windows 2000, Internet Explorer, IIS, SQL Server, and COM+—and Chapters 8 and 9 will address authentication, authorization, privacy, integrity, auditing, and nonrepudiation.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
