TECHNICAL SPECIFICATIONS
Confidential Bank Supervision Application
CONTENTS
1 THE ARCHITECTURE OF THE BSA V4
1.1 Description of the Architectures
1.2 Authentication Process
1.2.1 Layout 1
1.2.2 Layout 2
1.2.3 At the Operating System Level
1.3 Server specifications (Minimum)
2 APPLICATION THREATS AND COUNTERMEASURES
2.1 Sniffing
2.1.1 BSA countermeasures
2.2 Spoofing
2.2.1 BSA countermeasures
2.3 Session hijacking
2.3.1 BSA Countermeasures
2.4 Denial-of-Service
2.4.1 BSA Countermeasures
2.5 Elevation of Privilege
2.5.1 BSA Countermeasures
2.6 Repudiation
2.6.1 BSA Countermeasures
2.7 SQL Injection
2.7.1 BSA Countermeasures
3 SERVER AND NETWORK PROTECTION
3.1 Spoofing
3.2 Sniffing Countermeasures
3.3 Session Hijack Countermeasures
3.4 Denial of service Countermeasures
4 ADDITIONAL SECURITY DETAILS
5 REFERENCES
1.2.1 Layout 1
Users access the application from a browser over the internet. The request passes through the first (perimeter) firewall, which allows only HTTP (port 80) and HTTPS (port 443) traffic to reach the web server.
The login page is presented to the user, who enters the credentials. The web server then connects to the Domain Controller (Active Directory) to check whether the credentials belong to an internal user. If Active Directory does not authenticate the user, the user may be an external user, so the web server tries to authenticate the credentials against the SQL Server over the SQL port, which is allowed by the second firewall.
1.2.2 Layout 2
In Layout 2 the database and the web server are both on the LAN, and the server in the DMZ is the ISA server. The request reaches the ISA server after passing the first firewall.
Because ISA requires an authenticated user before it forwards a request to the actual web server, there are two ways to let external users through (external users here are users who access the application from the internet and do not belong to the central bank, and so are not registered in Active Directory):
1. Create one user on the ISA server and share that username and password among all external users; they enter this shared credential first and are then shown the web server's login page;
2. Avoid the ISA authentication page altogether by creating a default authenticated user that communicates with ISA whenever the request is intended for the BSA application.
Either way the ISA credential is shared, so it gives no per-user accountability; the BSA login page remains the only control that identifies an individual external user.
For an internal user who accesses the application from the internet, the same process applies at ISA:
1. If the solution adopted is ISA with the authentication page, the user authenticates on ISA and then authenticates again on the BSA login page;
2. If the solution adopted is ISA without the authentication page, authentication is done only on the BSA login page, against Active Directory.
Once the request has passed ISA, the BSA login page authenticates internal users (Central Bank users) against Active Directory, and external users (non Central Bank users) against the BSA database.
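The AD-then-database decision described for both layouts, written out as an added illustration (this is not BSA's code; the domain name `bank.local`, the stored procedure `dbo.usp_ValidateExternalUser`, the connection string and the salt/hash column names are assumptions). The check a practitioner should make is in the first step: the fallback to the database must happen only when Active Directory rejects the credentials, not when Active Directory is unreachable, otherwise a domain-controller outage silently routes every internal login attempt into the external-user store.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;

// Added example, not BSA's code. Assumed names: AD domain "bank.local",
// stored procedure dbo.usp_ValidateExternalUser, columns Salt/PasswordHash.
public enum UserKind { None, Internal, External }

public static class BsaAuthenticator
{
    private const string Domain = "bank.local";                          // assumption
    private const string DbConnection =                                   // assumption
        "Data Source=SQL01;Initial Catalog=BSA;Integrated Security=SSPI";
    private const int HashIterations = 10000;

    // Returns which user store accepted the credentials, or None.
    public static UserKind Authenticate(string userName, string password)
    {
        // 1. Internal users: ask the domain controller.
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
            {
                if (ctx.ValidateCredentials(userName, password))
                    return UserKind.Internal;
            }
        }
        catch (PrincipalServerDownException ex)
        {
            // "AD unreachable" is an outage, not a wrong password: fail closed
            // instead of quietly falling through to the external-user store.
            throw new InvalidOperationException("Active Directory unavailable", ex);
        }

        // 2. External users: compare against the salted, iterated hash in the BSA DB.
        return ValidateExternalUser(userName, password) ? UserKind.External : UserKind.None;
    }

    private static bool ValidateExternalUser(string userName, string password)
    {
        using (var conn = new SqlConnection(DbConnection))
        using (var cmd = new SqlCommand("dbo.usp_ValidateExternalUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Typed, length-limited parameter: the user name is data, never SQL text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;

            conn.Open();
            using (var rd = cmd.ExecuteReader())
            {
                if (!rd.Read()) return false;                    // unknown user
                byte[] salt = (byte[])rd["Salt"];                // assumed columns
                byte[] stored = (byte[])rd["PasswordHash"];
                return FixedTimeEquals(stored, Hash(password, salt, stored.Length));
            }
        }
    }

    // PBKDF2 (Rfc2898DeriveBytes) rather than a bare hash, so offline guessing is slow.
    private static byte[] Hash(string password, byte[] salt, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, HashIterations))
            return kdf.GetBytes(length);
    }

    // Compare every byte so timing does not reveal where the mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

`ValidateCredentials` returns false for a bad password but throws `PrincipalServerDownException` when no domain controller answers; the example turns that into a hard failure so the operator sees the outage. The example also assumes the external-user table stores a salt and an iterated hash; if BSA keeps those passwords in clear or reversible form, every external credential is exposed to the sniffing and SQL injection threats of section 2.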
In both layouts, the web server reaches the database server's folders (to list, read and modify files) over the SMB protocol.
1.2.3 At the Operating System Level
On the web server machine, ASP.NET pages execute inside a Windows process, and every Windows process runs under a specific security identity. By default the ASP.NET worker process runs under a predefined Windows identity. BSA instead configures the application to use impersonation, so the application executes its commands under the identity of an operating-system authenticated user. Note that impersonation only borrows a Windows token that IIS has already established: a request that was not Windows-authenticated (the external-user case, or any request handled by a custom login page over anonymous access) runs under IIS's anonymous account unless a fixed account is configured, so the permissions granted to that account on the SMB shares and the database are what such a user effectively gets.
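The two forms the impersonation setting can take, as an added example (this is not BSA's web.config; the service account name in variant B is an assumption):

```xml
<!-- Added example, not BSA's web.config. Account name in variant B is an assumption. -->
<configuration>
  <system.web>
    <!-- Variant A: impersonate the caller. Only meaningful when IIS has Windows-
         authenticated the request; with a custom login page and anonymous access
         the request runs as IIS's anonymous account instead. -->
    <authentication mode="Windows" />
    <identity impersonate="true" />

    <!-- Variant B: impersonate one fixed, least-privilege domain account for every
         request, whatever login page the caller used. Encrypt this section with
         aspnet_regiis -pe rather than leaving the password in clear text. -->
    <!--
    <authentication mode="Forms" />
    <identity impersonate="true" userName="BANK\svc_bsa_web" password="..." />
    -->
  </system.web>
</configuration>
```

Whichever variant is used, the account that ends up running the request is the one whose rights on the SMB shares and on SQL Server should be reviewed, because that is the identity the database and file system actually see.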
1.3 Server specifications (Minimum)
RAM: 16 GB / 32 GB
- SSL certificate
2.1 Sniffing
Sniffing, or eavesdropping, is the monitoring of network traffic for data such as plaintext passwords or configuration information. With a simple packet sniffer an attacker can read all plaintext traffic, and traffic protected only by weak ciphers or simple encoding that you considered safe can often be recovered as well. Sniffing requires the attacker to place a packet sniffer somewhere on the path between client and server.
2.2 Spoofing
Spoofing is a means of hiding one's true identity on the network. To create a spoofed identity, an attacker uses a fake source address that is not the real address of the packet's sender. Spoofing may be used to hide the original source of an attack or to bypass network access control lists (ACLs) that limit host access based on source address.
2.3.1 BSA Countermeasures
- Use of SSL to encrypt the connection between the user and the web application;
- Changing the name of the client-side variable (cookie) that carries the session ID, so that even if a request or response is intercepted the session ID is not obvious to locate;
- Session expiry, with redirection of the user to the login page after a defined period of inactivity.
Renaming the session cookie only hides it from a casual look; the ID still travels with every request, so SSL and expiry are the controls that actually stop an intercepted ID from being reused.
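The three session measures above expressed as ASP.NET configuration, as an added example (not BSA's web.config; the cookie name, the 20-minute timeout and the login page path are assumptions). It also adds the HttpOnly and Secure cookie flags, which the page does not list but which are what keep a renamed cookie from being read by script or sent in clear:

```xml
<!-- Added example, not BSA's web.config. Cookie name, timeout and login URL are assumptions. -->
<configuration>
  <system.web>
    <!-- Session ID carried in a cookie only (never in the URL), under a non-default
         name, discarded after 20 idle minutes. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieName="bsa_x7"
                  timeout="20" />
    <!-- All cookies marked Secure (SSL only) and HttpOnly (not readable from script),
         so neither a sniffer on a plain HTTP hop nor an XSS payload can lift the ID. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Login ticket: SSL only, same idle timeout, redirect to the login page on expiry. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="20"
             slidingExpiration="true" cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
```

With `requireSSL="true"` on both elements, a request that arrives over plain HTTP simply has no session or login cookie, which is the behaviour wanted once the perimeter firewall admits port 80 as well as 443.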
2.4 Denial-of-Service
Denial of service denies legitimate users access to a server or its services. The SYN flood is a common example of a network-level denial of service attack: it is easy to launch and difficult to trace. The aim is to send more connection requests to a server than it can handle. The attack exploits a weakness in the TCP connection-establishment handshake and fills the server's queue of pending (half-open) connections.
2.4.1 BSA Countermeasures
- No separate action was taken to restrict the number of simultaneous requests, since Windows Server 2008 and IIS 7 manage the number of simultaneous requests together;
- The request queue is limited to 1000 entries; above that, users receive HTTP 503 "Service Unavailable";
- IT staff will be trained to block specific IP addresses known to be malicious.
The queue limit protects the worker process from application-level floods; a SYN flood is handled below IIS, by the TCP/IP stack and the perimeter firewall, not by the request queue.
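The queue limit above as IIS 7 configuration, as an added example (not BSA's configuration; the application pool name "BSA" and the request-size cap are assumptions):

```xml
<!-- Added example, not BSA's configuration. Pool name and request-size cap are assumptions.
     File: %windir%\System32\inetsrv\config\applicationHost.config -->
<configuration>
  <system.applicationHost>
    <applicationPools>
      <!-- HTTP.sys holds at most 1000 pending requests for this pool; further requests
           are answered at once with 503 Service Unavailable instead of piling up. -->
      <add name="BSA" queueLength="1000" />
    </applicationPools>
  </system.applicationHost>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Cap request bodies at 10 MB so a handful of large uploads cannot tie up the pool. -->
        <requestLimits maxAllowedContentLength="10485760" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The same pool setting can be applied from the command line with `%windir%\system32\inetsrv\appcmd set apppool "BSA" /queueLength:1000`; the 503 responses it produces are logged by HTTP.sys, which gives the IT staff the source addresses they need for the manual blocking mentioned above.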
2.5.1 BSA Countermeasures
- Strong password policy, including a password history that prevents reuse of a predefined number of previous passwords;
2.6 Repudiation
Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.
2.6.1 BSA Countermeasures
- As a countermeasure against repudiation, BSA V4 was developed with an Audit Log transaction that records user activity;
The log only serves as evidence if the who, what and when are recorded by the server (not taken from client input) and written to a store the user cannot alter.
2.7.1 BSA Countermeasures
- BSA V4 uses type-safe SQL parameters together with stored procedures. SQL parameters ensure that input data is subject to type and length checks and that injected text is treated as literal data, not as executable statements by the database;
- Filtering dangerous characters that can be used in this kind of attack.
Parameterisation is the control that removes the injection; character filtering is defence in depth only. A stored procedure that builds and executes dynamic SQL from its parameters reintroduces the problem, so that pattern has to be excluded from the procedures BSA calls.
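The parameterised data access of 2.7.1 and the audit record of 2.6.1, as one added example (not BSA's code; the table `dbo.Supervision`, the stored procedure `dbo.usp_WriteAudit` and the connection string are assumptions). The vulnerable method is included only for contrast with the hardened one:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not BSA's code. dbo.Supervision, dbo.usp_WriteAudit and the
// connection string are assumptions.
public static class BsaDataAccess
{
    private const string DbConnection =                                   // assumption
        "Data Source=SQL01;Initial Catalog=BSA;Integrated Security=SSPI";

    // VULNERABLE (contrast only): user text becomes part of the statement.
    // bankCode = "X' OR 1=1 --" returns every row; a ';' lets a second statement in.
    public static string VulnerableQuery(string bankCode)
    {
        return "SELECT * FROM dbo.Supervision WHERE BankCode = '" + bankCode + "'";
    }

    // HARDENED: same lookup with a typed, length-limited parameter. The value travels
    // separately from the statement text, so quotes and comment markers stay literal data.
    public static SqlCommand HardenedQuery(SqlConnection conn, string bankCode)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM dbo.Supervision WHERE BankCode = @BankCode", conn);
        cmd.Parameters.Add("@BankCode", SqlDbType.NVarChar, 10).Value = bankCode;
        return cmd;
    }

    // Audit record for the repudiation countermeasure: who, what, from where and when,
    // all decided by the server, written through its own parameterised procedure.
    // The procedure must insert directly and never EXEC a string built from its inputs.
    public static void WriteAudit(SqlConnection conn, SqlTransaction tx,
                                  string userName, string action, string detail,
                                  string clientIp)
    {
        using (var cmd = new SqlCommand("dbo.usp_WriteAudit", conn, tx))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@Action",   SqlDbType.NVarChar, 32).Value = action;
            cmd.Parameters.Add("@Detail",   SqlDbType.NVarChar, 512).Value = detail ?? "";
            cmd.Parameters.Add("@ClientIp", SqlDbType.VarChar, 45).Value = clientIp;
            cmd.Parameters.Add("@At",       SqlDbType.DateTime2).Value = DateTime.UtcNow;
            cmd.ExecuteNonQuery();
        }
    }

    // A supervised change and its audit row commit together or not at all, so a
    // user cannot end up with an action on record but no trace of who performed it.
    public static void UpdateBankStatus(string userName, string clientIp,
                                        string bankCode, string status)
    {
        using (var conn = new SqlConnection(DbConnection))
        {
            conn.Open();
            using (SqlTransaction tx = conn.BeginTransaction())
            {
                using (var cmd = new SqlCommand(
                    "UPDATE dbo.Supervision SET Status = @Status WHERE BankCode = @BankCode",
                    conn, tx))
                {
                    cmd.Parameters.Add("@Status",   SqlDbType.NVarChar, 16).Value = status;
                    cmd.Parameters.Add("@BankCode", SqlDbType.NVarChar, 10).Value = bankCode;
                    cmd.ExecuteNonQuery();
                }
                WriteAudit(conn, tx, userName, "UpdateBankStatus",
                           bankCode + " -> " + status, clientIp);
                tx.Commit();
            }
        }
    }
}
```

The length on each parameter (for example 10 characters for `@BankCode`) is part of the check the page describes: anything longer is rejected by the provider before it reaches SQL Server, and the database only ever sees a value, never a fragment of SQL.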
3.1 Spoofing
Although a carefully crafted spoofed packet may never be traced to its real sender, a combination of filtering rules at the perimeter stops spoofed packets from leaving your network and lets you drop the obviously spoofed packets that arrive.
Countermeasures to prevent spoofing include:
- Ingress filtering: drop incoming packets at the perimeter whose source address is one of your internal addresses, since legitimate traffic from the internet cannot carry them;
- Egress filtering: drop outgoing packets whose source address is not one of your own valid local addresses, so a compromised internal host cannot be used to spoof others.