Under the Supervision of Ms. Renu Dalal
Submitted by:
Gaurav Sharma : 00110102713
Harshvardhan : 00910102713
Gaurav Singh : 06410102713
B. Tech. CSE 4th Year, Ambedkar Institute of Advanced Communication Technologies & Research, GGSIPU, New Delhi
Abstract
Websites and web-based applications are prone to security risks, and so are the networks to which web servers are connected. Security is a vital aspect of providing a reliable service on the web. Website security is achieved by a number of network protocols at all tiers, for which encryption and key generation algorithms are essential to protect the integrity and confidentiality of data in transit. Primarily, we will develop a cloud-deployed web application secured using firewalls, authentication measures, data encryption and intrusion detection systems. Secondly, we will perform penetration testing on the developed web application as part of a routine security audit, using current vulnerability analysis tools to demonstrate the various security features of our website.
Introduction
The increasing penetration of web services has enticed attackers and made web services prone to various attacks. A set of strong security algorithms is needed to provide identity authentication and confidentiality [1]. The security algorithms need to be strong enough that they cannot be broken using even the most advanced computers in a feasible time frame. The basic principles of information security that apply to providing a reliable and secure web service are:
Authentication - implemented using secured protocols and algorithms that establish a private, logged link between the user and the system.
Confidentiality - implemented by encrypting traffic at the transport and application layers.
Integrity - maintaining the integrity of data.
Availability - the service must be available at all times, as more and more activities rely on the World Wide Web.
Most organisations rely on an ongoing, iterative risk management process to assess threats and vulnerabilities and to manage risk while striking a balance between the cost and effectiveness of countermeasures that protect the organisation's information resources. Penetration testing is an important element of the risk management process. A penetration test is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end-user behaviour. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies.
Functional Requirements
The proposed security algorithms, protocols and firewall must support the following functions:
- A secured, JavaScript-enabled browser (Chrome, Firefox etc.) must be used by the users.
- Users must be authenticated over a secured private connection with an anti-bot verification feature.
- Intrusion detection is the main link in the chain of prevention.
- The IP address of the user must be verified and monitored for unusual behaviour such as spoofing and redirecting.
- The website's firewall must reserve some ports on the target system.
- Such IP addresses will be blacklisted; reports must be sent to both the admin and the user, and a quick remedy must be made available.
- Security measures must be taken in a way that does not affect the website's responsiveness, flexibility and interactivity.
Background
The following keywords have been frequently used in our analysis of the website:
Authentication: A security measure designed to verify the identity of a transmission, user, user device, entity, or data. [3]
Back Door: A hidden software or hardware mechanism used to get around security controls.
Firewall: Hardware or software that permits only authorized users to enter, and logs attempted intrusions. [2]
Malicious Code: Any type of software capable of performing an unauthorized process on an information system.
Phishing: Impersonating a legitimate entity to illegally acquire information via email, phone calls, voicemail, or text messaging.
Spoofing: Impersonating another person or computer, usually by providing a false email name, URL, domain name server, or IP address.
Spyware: Software that collects information without the user's informed consent.
Audit: A process conducted by qualified, independent auditors to review and examine records and activities to verify compliance with applicable requirements, resulting in a formal report that could require corrective action. [2]
Botnet: A group of computers that have the same bot installed, that can communicate with and control each other, and that are usually used for malicious activities (creating and sending spam email, propagating malicious software, or other cyber-attacks).
Technology Used
For developing the website, JSP will be used together with Java Servlets to ensure a secured, worm-free environment. The authentication algorithms will be coded in Java and embedded in Java Server Pages (JSP). Because JSP uses Java, it is easily portable, and it offers higher performance than other server-side technologies such as CGI and Perl. We will use several tools (SQL Injector, Metasploit, w3af and other penetration-testing tools) to perform penetration testing on our website and check the strength of its defences.
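As an added illustration of how the functional requirements above (per-IP monitoring, blacklisting, and reporting to admin and user) could be met with the servlet technology chosen here, the following filter is example code written for this synopsis, not code from the project itself. The thresholds, the "authFailed" request attribute set by the login servlet, and the reportBlacklist hook are all assumptions.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Servlet filter sketch: counts failed logins per client IP, blacklists the IP once a
// threshold is crossed inside a time window, and reports the event (hook is hypothetical).
public class IpBlacklistFilter implements Filter {
    private static final int MAX_FAILURES = 5;              // assumed threshold
    private static final long WINDOW_MS = 10 * 60 * 1000L;  // assumed 10-minute window
    private static final long BAN_MS = 60 * 60 * 1000L;     // assumed 1-hour ban
    private static final class Record { int failures; long windowStart; long bannedUntil; }
    private final Map<String, Record> records = new ConcurrentHashMap<>();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Use the socket peer address, not X-Forwarded-For, unless a trusted proxy sets it.
        String ip = http.getRemoteAddr();
        long now = System.currentTimeMillis();
        Record rec = records.computeIfAbsent(ip, k -> new Record());
        synchronized (rec) {
            if (rec.bannedUntil > now) {                    // still blacklisted: refuse early
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);   // let the login servlet handle the request

        // The login servlet is assumed to set this attribute when authentication fails.
        if (Boolean.TRUE.equals(req.getAttribute("authFailed"))) {
            synchronized (rec) {
                if (now - rec.windowStart > WINDOW_MS) { rec.windowStart = now; rec.failures = 0; }
                rec.failures++;
                if (rec.failures >= MAX_FAILURES) {
                    rec.bannedUntil = now + BAN_MS;
                    reportBlacklist(ip, rec.failures);  // notify admin and user (hypothetical)
                }
            }
        }
    }

    private void reportBlacklist(String ip, int failures) {
        // Hypothetical hook: the project would email or log a report to admin and user here.
        System.err.println("Blacklisted " + ip + " after " + failures + " failed logins");
    }

    @Override public void init(FilterConfig cfg) {}   // kept for older Servlet API versions
    @Override public void destroy() {}
}
```

The filter is registered on the login URL pattern in web.xml or with @WebFilter; the in-memory map is per JVM, so a clustered deployment would need shared state.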
References
1. William Stallings, Cryptography and Network Security: Principles and Practices (2006), Pearson Education India.
2. M.T. Dlamini, J.H.P. Eloff, M.M. Eloff, Information Security: The Moving Target (2009), Computers & Security (Vol. 28, Issues 3-4).
3. Lori M. Kaufman, Data Security in the World of Cloud Computing (2009), IEEE Security & Privacy (Vol. 7, Issue 4).