October 29, Lecture 8

A TCP Digression: TCP Connections
- 3-way handshake to start (SYN, SYN-ACK, ACK)
- Identified by four values (src IP, src port, dst IP, dst port)
- TCP states: SYN_SENT (SYN), SYN_RECV (SYN-ACK), ESTABLISHED (ACK)
- Current TCP congestion control in Linux is called CUBIC (Reno and Tahoe?)
- Note: TCP provides flow control via the sliding window protocol
  http://netsrv.csc.ncsu.edu/export/cubic-paper.pdf

References
- TCP Three Way Handshake: http://www.tcpipguide.com/free/diagrams/tcpopen3way.png
- Complete TCP State Diagram: http://www.night-ray.com/TCPIP_State_Transition_Diagram.pdf
- Bandwidth Delay Product: http://en.wikipedia.org/wiki/Bandwidth-delay_product
  http://www.psc.edu/networking/projects/tcptune/
- TCP Overview: c:\myfiles\NetworkForensics\Chapter3_5th_Aug_2009.ppt
- TCP Congestion Control
  - TCP Congestion Control 1 (available in the codes section of the website, 757-13congestion.pdf)
  - TCP Congestion Control 2: http://www.cs.virginia.edu/~cs757/slidespdf/757-14-congestion2.pdf
- CUBIC, a high speed variant of TCP: "CUBIC: A New TCP Friendly High Speed TCP Variant" (local location)
  Comment on Wikipedia: http://en.wikipedia.org/wiki/CUBIC_TCP
- Stream Control Transmission Protocol (SCTP): sctp-introduction-wp.pdf; SCTP on the Web
- Distributed Network Analysis Using Topas and Wireshark: http://www.net.in.tum.de/fileadmin/TUM/members/muenz/documents/muenz08wireshark.pdf

________________________________________________________________________

Securing PHP MySQL applications:
- Credentials to connect to the database.
- Pulling a secure password from the database.
- Use of a session id to be sure the user is logged in on each page.
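Added example (not part of the lecture notes): a login.php that puts the three points above together. It reads the database credentials from a file outside the web root, fetches the stored password hash with a PDO prepared statement rather than string concatenation, and regenerates the session id before setting the session flag that each page checks. The config path, the users table and its columns, and index.php are assumptions.

```php
<?php
// Added example, not from the lecture: minimal login.php for a PHP/MySQL application.
// Config path, table and column names, and index.php are assumed.

// 1. Credentials to connect to the database: keep them in a file outside the
//    web root (returns ['dsn' => ..., 'user' => ..., 'pass' => ...]) instead of
//    hard-coding them in a page the web server might one day serve as text.
$config = require '/etc/myapp/db.php';
$db = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, never half-run
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // 2. Pull the stored hash (never a cleartext password) with a bound parameter:
    //    whatever the user typed cannot change the structure of the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The column holds a password_hash() value; password_verify() checks it.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        // 3. Session id: issue a fresh id at login so an id handed to the browser
        //    before authentication is not promoted to a logged-in one, then set the
        //    flag that every other page tests with $_SESSION['auth'].
        session_regenerate_id(true);
        $_SESSION['auth'] = 'yes';
        $_SESSION['user'] = $username;
        header('Location: index.php');
        exit;
    }
    $error = 'Login failed';   // same message whether user or password was wrong
}
?>
<!-- Anything echoed back is passed through htmlspecialchars() to avoid reflected XSS. -->
<form method="post" action="login.php">
  <?php if (isset($error)) { echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; } ?>
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Log in</button>
</form>
```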
PHP: an attempt to be stateful
- session_start() allows variables to be shared among pages
- Each page (just to be sure the user is logged in):

    <?php
    session_start();                       /* needed before $_SESSION is available */
    if (@$_SESSION['auth'] != "yes") {
        header("Location: login.php");     /* Kick user back to a login page */
        exit;
    }

Common PHP security flaws
- unvalidated input
- access control flaws
- session ID protection
- cross site scripting flaws
- SQL injection vulnerabilities
- error reporting
- data handling errors (unencrypted transmission of sensitive data)
- weak configuration settings (phpinfo() lists php.ini)
  http://articles.sitepoint.com/article/php-security-blunders/1

Cross Site Scripting
- http://www.cgisecurity.com/xss-faq.html
- Gredak and Websleuth

Security in Open Source Web Content Management Systems (WCMS)
See Network Forensics Directory

- Content Management Systems: systems that maintain, organize, and search across information sources, both structured (databases) and unstructured (documents, emails, videos, etc.)
- Enterprise Content Management: not only technical systems but the strategies, tools, processes and skills an organization needs to manage its information assets.
- Web Content Management Systems: support creating and publishing content structured in web formats, e.g., HTML, XHTML, XML, and PDF. Let users create and upload content or modify existing content. Are used to build web applications that involve extensive user interaction, e.g., blogs, online shops, community portals. A tool for Web 2.0 that lets almost everyone develop applications.

Threats
- Data manipulation: compromise the integrity of data managed by a WCMS (e.g., deface the web site, change public data on the site)
- Accessing confidential data: access off-record data in a back end server, often using SQL injection attacks.
- Phishing: gather confidential information, then contact users and lure them to a site (similar to the WCMS managed site) that requests additional confidential information.
- Code execution: exploit WCMS vulnerabilities to load files or programs containing malicious code onto a web server, thus exposing clients to XSS attacks.
- Spam: use a WCMS application vulnerability to harvest e-mail addresses or use the application's e-mail server as a relay.
- DoS: plain old-fashioned denial of service to make the site unavailable, for monetary or other reasons.

Building Blocks
- PHP, Java, Perl and Python
- HTML, XML, CSS
- MySQL

WCMS systems (LAMP: Linux, Apache, MySQL and PHP)
- Joomla (www.joomla.org): used for 5 million sites; 140,000 registered users; offers chat rooms, calendars and blogging software components
- Drupal (www.drupal.org): used for many university web sites; offers newsletters and podcasting components
- Security: both sites provide security patches, vulnerability reporting and tips on countermeasures. Both have dedicated security teams.

Security Analysis in the Article
- The article examines installation, parameter manipulation, XSS, SQL injection, authentication, spam (CAPTCHA), malicious file upload, privilege elevation (see article; Table 1 offers a comparison).
- Both lack mechanisms to prevent malicious content upload (according to the IEEE article).

_______________________________________________________________________

Cloud computing (It's been going on for some time.)
- Grid Computing (see http://www.gridcomputing.com/)
  - Globus Project (Argonne National Lab, Ian Foster): LinuxDevelopersFosterGridJuly20031.ppt
  - NASA Advanced Computing and Network Storage and the Information Power Grid (see web.math.jjay.cuny.edu, NASA CIPA project link)
- Salesforce.com (1999)
- SETI
- IBM effort
- Pew Internet report: 69% of Americans use cloud computing in the form of web based mail
- NIST: security requirements for computing clouds

Challenges:
- Offer computer and/or data analysis resources at reduced costs (e.g., accounting systems, supercomputers, storage and archival systems)
- Make resources readily available and in a secure manner
- Protect users' data
- Conform to legal requirements

Benefits: All you need is a computer with a browser?

Downside of cloud computing