Abstract

This chapter deals with Web-based security with an emphasis on Web security, FTP-based security, and LDAP-based security. Web-based services are commonly vulnerable to threats and exploitation. Maintaining a secure Web server means ensuring that all scripts and Web applications deployed on the Web server are free from Trojans, backdoors, or other malicious code. Digital certificates can be used to sign the code and to authenticate that the code has not been tampered with and that it is indeed the identical file distributed by its creator. A major problem with code signing is that you must rely on a third party for checking authenticity. Another part of Internet-based security that should be considered is FTP-based traffic. FTP authentication is sent as cleartext, making it easy for someone with a packet sniffer to view usernames and passwords. Sniffing is a type of passive attack that allows hackers to eavesdrop on the network, capture passwords, and use them for a possible password cracking attack. Directory services are used to store and retrieve information about objects, which are managed by the service. LDAP is a protocol that enables clients to access information within a directory service, allowing the directory to be searched and objects to be added, modified, and deleted. LDAP is vulnerable to various security threats, including spoofing of directory services and attacks against the databases that provide the directory services.
