Ministry of Education Pilot Program for ICT Talent Cultivation, Broadband Wired Teaching Promotion Alliance Center. Chapter 3: Security Information Management. 3.1 Web Security, 3.2 VoIP Security, 3.3 P2P Security.
3.1 Web Security
3.2 VoIP Security
3.3 P2P Security
websiteweb serverweb applicationweb serverweb applicationInternetVoIP (Voice over IP) VoIPP2P (peer to peer)P2PFOXYeMuleBTBitComet..P2PKiller applications: WebVoIPP2P
3.1 Web security
3.1.1 Web server
3.1.2 Web site
3.1.3 Web Application
Web Security
Web serverWeb ServerApache http serverMicrosoftInternet Information Services (IIS)Web site(yahoo searchgoogle search)Web ApplicationWeb Applicationroot
3.1.1 Web server
Apache NCSARob McCool NCSA HTTPd 1995 Apache 0.6.220002.02.2.8 ApacheUNIXLINUXWindowsHTTPApache Apache 1997 1 Apache Apache Apache2002(Chunk Handling Vulnerability) Apache Apache
http://httpd.apache.org/
3.1.1 Web server
Apache-Chunk Handling Vulnerability ():Apache web server RFC2616 HTTP 1.1 chunk-encoded data chunk-encoded HTTP requests Sun Microsystems2003Security Sun Alert Archive Reference for Year 2002Apache38(Security Vulnerability in the Way Apache Web Servers Handle Data Encoded in Chunks)Apache HTTP serverWebApache server
http://httpd.apache.org/info/security_bulletin_20020617.txt
3.1.1 Web server
Apache Apache(Module) mod_cgimod_proxyApachemod_python bugbugApachemod_pythonApachePatch
https://rhn.redhat.com/errata/RHSA-2004-063.html
3.1.1 Web server
Apache
log
(Access Rights)nobody Apachenobodyroot Apache
root
(Symbolic Links)
Apache
httpd.conf .htaccess options -Indexes
Apache (Nikto, http://www.cirt.net/code/nikto.shtml)
http://www.cert.org.tw/document/column/show.php?key=83
3.1.1 Web server
Microsoft Internet Information Services (IIS)MicrosoftWebweb IISHTTPIISFile Transfer ProtocolFTPFTPWebWebIIS HTTP(Malformed request): (http://www.microsoft.com/technet/security/bulletin/ms00-086.mspx) MicrosoftMS00-086IIS 5.0Web Server File Request Parsing IIS serverexeexeOSIIS serverexeOSIIS server (http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx) Internet Server Application Programming Interface (ISAPI) extensions ASPHTRIDQPHP extensions(Sample Applications)(http://technet.microsoft.com/en-us/library/bb687367.aspx) WebWebnewdns.exeiisadmadministrator Microsoft IIS server http://www.iis.net/default.aspx?tabid=1
3.1.1 Web server
Microsoft 2007 Internet Information Services - (Remote Code Execution)Microsoft Internet Information ServicesURL(crafted URL requests)IISIIS
http://www.microsoft.com/technet/security/Bulletin/MS07-041.mspx
3.1.1 Web server
IIS:
http://www.cert.org.tw/service/VulDB/sans_group.php?group=sans&key=iis
http://www.microsoft.com/downloads/render.aspx?displaylang=en&content=updateservices
http://technet.microsoft.com/en-us/wsus/default.aspx
http://www.microsoft.com/technet/security/tools/default.mspx
http://www.microsoft.com/technet/security/tools/hfnetchk.asp
%wwwroot%/scripts ISAPI Extension IIS IIS Lockdown . http://www.microsoft.com/technet/security/tools/locktool.mspx HTTP IISHTTPHTTP URLScan Security Tool:
http://www.microsoft.com/technet/security/tools/urlscan.asp
http://www.microsoft.com/technet/security/tools/urlscan.mspx
3.1.2 Web site
Web sitesMicrosoft2006Internet Explorer-Vulnerability in Vector Markup Language Could Allow Remote Code Execution Internet Explorer VML (Vector Markup Language)
Internet Explorer
Windows Update http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
3.1.2 Web site
Web Security
3.1.2 Web site
(Adware)2001~2004AdwareYahoo toolbarGoogle toolbarAdwareAdware
http://www.zdnet.com.tw/news/software
3.1.2 Web site
domain namekeyinwww.landbank.com.tw:emaillinklinklink
http://www.itis.tw/node/1545
3.1.2 Web site
(Yahoo)GoogleGoogleGoogle
http://www.stopbadware.org/home
http://www.itis.tw/node/603
3.1.2 Web site
2007 2007
SQL injectionMicrosoft()
webWeb-Based
3.1.2 Web site
(Web Threat) http://tw.trendmicro.com/tw/about/news/pr/article/20070903143452.html HTML_iFrame.CUIPJS_DLOADER.NTJIEMS04-040MS06-057 IT
IT - Italy (44300); ES - Spain (5754); US - United States (3185); DE - Germany (1956); FR - France (1333); GB - United Kingdom (1065); NL - Netherlands (962); CA - Canada (908); CH - Switzerland (826)
Web Threat
3.1.3 Web Applications
Web ServerWeb ApplicationsWeb MailWeb Applicationssession cookies Cross Site Scripting (XSS) Buffer Overflows Injection (SQL Injection) Backup Web ApplicationspatchWeb Server/Applications
3.2 VoIP security
VOICE over Internet Protocol (VoIP) VoIPIP-based
VoIP IP
VoIPendpoints (VoIP Phone)control nodesgateway nodes (VoIP Gateway Router)IP-basedVoIPInternetpublic-switched telephone network (PSTN)VoIP
VoIP
3.2 VoIP security
VoIP(signaling)VoIP(encoding)(gateway control)(signaling) VoIPH.323SIP (Session Initiation Protocol)H.323ITU-T1996VoIP(LAN) SIPVoIP(Multiparty Multimedia Communications)SIP (encoding & transport)(VoiceData)VoiceData(encapsulation)(real time)(decapsulation) VoiceData()(gateway control)VoIP PhonePSTNVoIP
3.2 VoIP security
InternetIP networkVoIPVoIP:
DoS: Availability
Eavesdropping: Confidentiality
Alteration of Voice Stream: Confidentiality and Integrity
Toll Fraud: Integrity
Redirection of Call: Integrity and Confidentiality
Accounting Data Manipulation: Integrity
Caller Identification (ID) Impersonation: Integrity
Unwanted Calls and Messages (SPIT): Availability and Integrity
VoIP
3.2 VoIP security
DoS / Availability () DoS (Denial of Service) InternetDoSVoIP VoIP Internet SIP RTP VoIPVoIPInternet TCP SYNPing of DeathVoIP VoIP() VoIP
3.2 VoIP security
Eavesdropping / Confidentiality () VoIP Internet Internet VoIP VoIP (Media stream)SIP (Session Initiation Protocol) SIP( UDPTCP) VoIP(Media stream) UDP RTP (Real Time Protocol)SIP RTP(Ethereal)SIP(Uniform Resource Identifier:)
3.2 VoIP security
Alteration of Voice Stream / Confidentiality and Integrity () man-in-the-middle:
3.2 VoIP security
Toll Fraud / Integrity ()
replayimpersonate
3.2 VoIP security
Redirection of Call / Integrity and Confidentiality: VoIPcallercalleeRedirectioncallercalleeredirectcalleeVoIP Phoneredirectredirect()
Accounting Data Manipulation / Integrity: accounting databasecall data records (CDR) CDR CDRCDR database
Caller Identification (ID) Impersonation / Integrity: ID
Unwanted Calls and Messages (SPIT) / Availability and Integrity: SPIT, SPAM over Internet telephony, VoIPvoice mail boxvoice mail box
3.2 VoIP security:
VoIP and Data Traffic
3.2 VoIP security
VoIP and Data TrafficVoIPData Traffic
Configuration Server(VoIP Phone)VoIPDHCP ServerIPConfiguration ServerIPConfiguration ServerVoIP PhoneVoIP PhoneVoIP ServiceVoIP PhoneVoIP
VoIP and Data Traffic
3.2 VoIP security
VoIPAVAYA 2005 2 VoIP (VOIPSA) VoIP VOIPSA VOIPHacking Exposed VoIPVOIPVOIPSAVoIP
VoIP Sniffing Tools
VoIP Scanning and Enumeration Tools
VoIP Packet Creation and Flooding Tools
VoIP Fuzzing Tools
VoIP Signaling Manipulation Tools
VoIP Media Manipulation Tools
Miscellaneous Tools
Tool Tutorials and Presentations
http://www.voipsa.org/Resources/tools.php
3.3 P2P security
P2PP2PP2Ppeer P2PServerServer
P2P:-(Server)P2P(node)(index)eMuleezPeerKuroFoxyP2P
-P2PP2PserverBitTorrent with DHT
P2P
3.3 P2P security
P2P
P2PP2PP2P..P2P
P2PP2P
3.3 P2P security
P2P
P2PP2PP2P
http://www.zdnet.com.tw/news/software/0,2000085678,20116793,00.htm
3.3 P2P security
P2P
Anti-VirusAnti-Spy
http://www.dk101.com/Discuz/archiver/?tid-18800.html
3.3 P2P security
P2P(Skype)Anti-Virus Anti-SpyIDSP2P
http://www.zdnet.com.tw/news/software/0,2000085678,20102142,00.htm
3.3 P2P security
P2PP2PP2PP2PP2P
P2PTrust P2PP2Ppeers
P2PTrust()Reputation Trust ComputingTrust P2P
Web SecurityWeb serverWeb siteWeb ApplicationsWeb ServerWeb siteWeb ApplicationsWeb ApplicationsVoIPVOIPSAVoIPVoIPP2PP2PP2P
NSA, http://www.nsa.gov/snac/downloads_all.cfm.
VoIP-NEWS, http://www.voip-news.com:80/.
VOIPSA, http://www.voipsa.org/.
OWASP, http://www.owasp.org/index.php/Main_Page.
Apache server project, http://httpd.apache.org/.
RED HAT NETWORK, https://rhn.redhat.com/.
IIS.net, http://www.iis.net/default.aspx?tabid=1.
http://www.cert.org/advisories/CA-2002-17.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-234302-1
TechNet Security Center, http://www.microsoft.com/technet/security/default.mspx.
http://www.cert.org.tw/
http://ics.stpi.org.tw/
http://www.isecutech.com.tw/
http://www.itis.tw/
Meier, J.D., "Web application security engineering", IEEE Security & Privacy Magazine, Volume 4, Issue 4, July-Aug. 2006, pp. 16-24.
Butcher, D.; Xiangyang Li; Jinhua Guo, "Security Challenge and Defense in VoIP Infrastructures", IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, 2007.
Wesley Chou, "Strategies to Keep Your VoIP Network Secure", IT Professional, Volume 9, Issue 5, Sept.-Oct. 2007, pp. 42-46.
Song, S.; Hwang, K.; Zhou, R.; Kwok, Y.-K., "Trusted P2P Transactions with Fuzzy Reputation Aggregation", IEEE Internet Computing, Volume 9, Issue 6, Nov.-Dec. 2005, pp. 24-34.
Park, J.S.; An, G.; Chandra, D., "Trusted P2P computing environments with role-based access control", IET Information Security, Volume 1, Issue 1, March 2007, pp. 27-35.