ESP Technical Overview1


Transcript of ESP Technical Overview1

  • 7/30/2019 ESP Technical Overview1

    1/22

    Software Engineering Institute

    Carnegie Mellon University

    Pittsburgh, PA 15213-3890

    Sponsored by the U.S. Department of Defense

    2000 by Carnegie Mellon University

    Carnegie Mellon University

    Software Engineering Institute

    ESP Technical Overview

    Marty Lindner

    September 2000


    Agenda

    What is ESP

    Goals of the ESP

    ESP Technology Overview


    What is the ESP

    Extranet for Security Professional


    What is the ESP

    From a user's perspective, the ESP is a web site that is used by a group of people sharing a common interest or need


    What is the ESP

    From an IT professional's perspective, the ESP is a secure web environment created by using:

      • Commercial Off The Shelf (COTS) products

      • Good programming practices

      • Strict network policies enforced by multiple firewalls and intrusion detection systems

      • Automated intrusion detection software developed for the ESP environment


    What is the ESP

    A set of collaboration tools used through a common web interface:

      • Mail Tool

      • Calendar Tool

      • Document Collaboration Tool

      • Document Library


    Goals of the ESP

    Minimal cost to the end users

    Provide a mechanism for sharing FOUO/SBU information over the public internet

    Maintain the highest level of security


    ESP Technology Overview


    End User Workstation

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]


    End User Workstation

    One of the ESP goals is to minimize the cost to the end user

    The only end user requirement is a web browser that supports U.S. domestic encryption (128 bits)


    The Internet

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]


    The Internet

    The ESP technology makes one assumption about the Internet:

      • You cannot trust it!

    To overcome this lack of trust, the ESP uses the Secure Socket Layer (SSL) protocol and X.509 certificates to provide authenticity, integrity and confidentiality

      • www.ietf.org/rfc/rfc2246.txt


    SSL Security

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]

    SSL provides a secure path through the Internet


    Firewall Strategy

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]

    Multiple inline firewalls create a more complex maze for intruders to navigate


    Firewall Strategy

    Multiple firewalls randomly inserted into the network topology:

      • Sidewinder 5.0 (www.securecomputing.com)

      • Guardian (www.netguard.com)

      • Cisco Secure PIX Firewall (www.cisco.com)

      • Linux IPchains (www.linuxdocs.org)


    Network Monitoring

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]

    Passive network monitoring tools assist and automate the intrusion detection process


    Network Monitoring

    Several passive network monitoring agents are used to detect signs of intrusion:

      • Real Secure 3.2 (www.iss.net)

      • Snort 1.6.3 (www.snort.org)


    Web Server Security

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]

    The middleware enhances security by incorporating additional authentication techniques


    Web Server Security

    System is dedicated to web services only

      • No additional services offered

    Software

      • Hardened Windows NT 4.0 (www.microsoft.com)

      • Tripwire system integrity software 2.2.1 (www.tripwire.com)

      • Netscape Enterprise Server 3.63 (home.netscape.com)

      • Cold Fusion Server 4.5.1 (www.alliare.com)


    Database Security

    [Figure: network diagram. Labels: Workstation, Database Servers, Firewall, Firewall, Router, Web Servers, The Internet; message labels "To: George", "Marty", "From: Steve"]

    The database only responds to authenticated requests from the Web servers


    Database Security

    Database servers only accept communications from an authenticated IPsec session

      • www.ietf.org/rfc/rfc2401.txt
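The Firewall Strategy and Database Security slides describe a database tier reachable only from the web servers over authenticated IPsec. The following is an added example, not part of the original slides or the ESP project's code: a product-neutral model of an inner-firewall rule set with first-match evaluation, plus an audit that flags any rule exposing the database tier outside that policy. The addresses, the `DB_PORT` value, the rule format and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (RFC 5737 documentation ranges); not from the slides.
WEB_TIER = ipaddress.ip_network("192.0.2.0/28")
DB_TIER = ipaddress.ip_network("198.51.100.0/28")
ANY = ipaddress.ip_network("0.0.0.0/0")
DB_PORT = 5000  # constructed cleartext database listener port

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp", "esp" or "any"
    port: Optional[int] = None   # None matches any port

# Assumed inner-firewall policy: only IKE (UDP 500) and IPsec ESP (IP
# protocol 50) from the web tier may reach the database tier.
INNER_FIREWALL = [
    Rule("allow", WEB_TIER, DB_TIER, "udp", 500),
    Rule("allow", WEB_TIER, DB_TIER, "esp"),
    Rule("deny", ANY, ANY, "any"),
]
# Weak variant for contrast: a leftover rule exposing the listener directly.
WEAK_FIREWALL = [Rule("allow", ANY, DB_TIER, "tcp", DB_PORT)] + INNER_FIREWALL

def decide(rules, src, dst, proto, port=None):
    """First matching rule wins; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in (proto, "any")
                and r.port in (None, port)):
            return r.action
    return "deny"

def audit_db_exposure(rules):
    """Allow rules toward the DB tier that are not web-tier IKE/ESP.

    Conservative: ignores shadowing by earlier rules, so every hit needs review.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or not r.dst.overlaps(DB_TIER):
            continue
        ipsec = r.proto == "esp" or (r.proto == "udp" and r.port == 500)
        if not (ipsec and r.src.subnet_of(WEB_TIER)):
            findings.append(r)
    return findings
```

Running `audit_db_exposure` over an exported rule set before each change gives a quick check that the database tier is still reachable only through IPsec from the web servers.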