September 17, Lecture 3

October 29, Lecture 8
A TCP Digression:
TCP Connections
3-way handshake to start (syn, syn ack, ack)
Identified by four values (src ip, src port, dst ip, dst port)
TCP States: SYN_SENT (syn), SYN_RECV (syn_ack), ESTABLISHED (ack)
Current TCP congestion control in Linux is called CUBIC (Reno and Tahoe?)
Note TCP provides flow control via the sliding window protocol
http://netsrv.csc.ncsu.edu/export/cubic-paper.pdf
TCP Three Way Handshake
http://www.tcpipguide.com/free/diagrams/tcpopen3way.png
Complete TCP State Diagram
http://www.night-ray.com/TCPIP_State_Transition_Diagram.pdf
Bandwidth Delay Product
http://en.wikipedia.org/wiki/Bandwidth-delay_product
http://www.psc.edu/networking/projects/tcptune/
TCP Overview
c:\myfiles\NetworkForensics\Chapter3_5th_Aug_2009.ppt
TCP Congestion Control
TCP Congestion Control 1 (available in the codes section of website 757-13congestion.pdf)
TCP Congestion Control 2
http://www.cs.virginia.edu/~cs757/slidespdf/757-14-congestion2.pdf
Cubic – a high speed variant to TCP
CUBIC: A New TCP Friendly High Speed TCP Variant (Local Location)
Comment on Wikipedia: http://en.wikipedia.org/wiki/CUBIC_TCP
Streams Control Transmission Protocol
sctp-introduction-wp.pdf SCTP
SCTP on the Web
Distributed Network Analysis Using Topas and Wireshark
http://www.net.in.tum.de/fileadmin/TUM/members/muenz/documents/muenz08wireshark.pdf
________________________________________________________________________
Securing PHP MySQL applications:
Credentials to connect to the database.
Pulling a secure password from the database.
Use of a session id to be sure user logged in on each page.
PHP: an attempt to be stateful
session_start() allows variables to be shared among pages
Each page (just to be sure the user is logged in):
<?php
session_start();                 /* must be called before $_SESSION is read */
if (!isset($_SESSION['auth']) || $_SESSION['auth'] !== 'yes')
{ header('Location: login.php'); /* Kick user back to a login page */
  exit;                          /* stop here: nothing below runs for an unauthenticated user */
}
Common PHP security flaws
unvalidated input
access control flaws
session ID protection
cross site scripting flaws
SQL injection vulnerabilities
error reporting
data handling error (unencrypted transmission of sensitive data)
weak configuration settings (phpinfo() lists the php.ini values)
http://articles.sitepoint.com/article/php-security-blunders/1
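An added example (not from the lecture notes) of a login.php that applies the three steps listed under "Securing PHP MySQL applications" and addresses the unvalidated input, SQL injection and session ID items from the flaws list. It assumes a table users(username, password_hash) whose hashes were produced with password_hash(), database credentials supplied in the DB_USER and DB_PASS environment variables, and an index.php to redirect to after login.

```php
<?php
// Added example, not part of the notes. Assumed: users(username, password_hash),
// DB_USER / DB_PASS environment variables, index.php as the post-login page.
session_start();

// 1. Credentials to connect to the database: read from the environment, not
//    hard-coded in a file under the web root.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'), [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Unvalidated input: accept only the fields and the shape we expect.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $user) || $pass === '') {
    http_response_code(400);
    exit('invalid login');                 // fixed text: nothing from the request is echoed
}

// 2. Pull the stored password hash with a prepared statement: the username is
//    bound as data, never concatenated into the SQL text (no SQL injection).
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->execute([$user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a hash even when the user does not exist, so the response
// time does not reveal which usernames are valid.
$hash     = $row ? $row['password_hash'] : password_hash('not-a-real-password', PASSWORD_DEFAULT);
$verified = password_verify($pass, $hash);
$ok       = ($row !== false) && $verified;

if (!$ok) {
    // Error reporting: log details server-side, show the client a generic message.
    error_log("failed login for user=$user from {$_SERVER['REMOTE_ADDR']}");
    http_response_code(401);
    exit('login failed');
}

// 3. Session ID: mark the session as authenticated and rotate the ID, so a
//    session ID planted before login (session fixation) is useless afterwards.
session_regenerate_id(true);
$_SESSION['auth'] = 'yes';
$_SESSION['user'] = $user;
header('Location: index.php');
exit;
```

The per-page check shown earlier in the notes then only has to test $_SESSION['auth'], and the cookie carrying the session ID should additionally be sent over HTTPS only (data handling: no unencrypted transmission of the session ID).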
Cross Site Scripting http://www.cgisecurity.com/xss-faq.html
Gredak and Websleuth
Security in Open Source Web Content Management Systems (WCMS)
See Network Forensics Directory
Content Management Systems – Systems that maintain, organize, and search
across information sources both structured (databases) and unstructured
(documents, emails, videos, etc.)
Enterprise Content Management – not only technical systems but strategies, tools
processes and skills an organization needs to manage its information assets.
Web content management systems –
support creating and publishing content structured in web formats, e.g.,
HTML, XHTML, XML, and PDF.
Lets users create and upload content or modify existing content.
Are used to build web applications that involve extensive user interaction,
e.g., blogs, online shops, community portals
A tool for Web 2.0 that lets almost everyone develop applications
Threats
data manipulation – compromise the integrity of data managed by a
WCMS (e.g. deface web site, change public data on site)
accessing confidential data – access off record data in a back end server,
often using SQL injection attacks.
Phishing – Gather confidential information, then contact users and lure
them to a site (similar to the WCMS-managed site) that requests additional
confidential information.
Code execution – exploit WCMS vulnerabilities to load files or programs
containing malicious code onto a web server thus exposing clients to XSS
attacks.
Spam – use WCMS application vulnerability to harvest e-mail addresses
or use the application’s e-mail server as a relay.
DOS – plain old-fashioned denial-of-service to make the site unavailable for
monetary or other reasons.
Building Blocks
PHP, Java, Perl and Python
HTML, XML, CSS
MySQL
WCMS systems (LAMP – Linux, Apache, MySQL and PHP)
Joomla – www.joomla.org
used for 5 million sites; 140,000 registered users
offers chat rooms, calendars and blogging software components
Drupal – www.drupal.org
used for many university web sites
offers newsletters and podcasting components
security: Both sites provide security patches, vulnerability reporting and
tips on countermeasures. Both have dedicated security teams.
Security Analysis in the Article:
Article examines installation, parameter manipulation, XSS, SQL
injection, Authentication, Spam (CAPTCHA), Malicious File Upload,
Privilege Elevation (see article – Table 1 offers comparison)
Both lack mechanisms to prevent malicious content upload (according to
IEEE article)
_______________________________________________________________________
Cloud computing (It’s been going on for some time.)
Grid Computing (See http://www.gridcomputing.com/)
Globus Project (Argonne National Lab – Ian Foster)
LinuxDevelopersFosterGridJuly20031.ppt
NASA Advanced Computing and Network Storage and the Information
Power Grid (See web.math.jjay.cuny.edu NASA CIPA project Link)
Sales Force.com (1999)
SETI
IBM effort
Pew Internet report 69% of Americans use cloud computing in the form of
web based mail
NIST – security requirements for computing clouds
Challenges:
Offer computing and/or data analysis resources at reduced cost (e.g.,
accounting systems, supercomputers, storage and archival systems)
Make resources readily available and in a secure manner
Protect users’ data
Conform to legal requirements
Benefits:
All you need is a computer with a browser?
Downside of cloud computing