Absent: Secure Remote Access to an Internal Web Server

Avi Rubin, AT&T Labs-Research
Wednesday, March 29, 2000
Scribe: Steve Bauer

Abstract

Absent is a system for secure remote access to the internal web from outside. It addresses the problem of secure remote access to a site's internal web server from outside the firewall. The goal is to give authorized users access to sensitive information, while protecting the information from others. We implemented our solution using a one-time password scheme for client authentication and SSL for confidentiality. Our main design considerations were security, performance, ease of use, availability, and scale. We were further constrained by the desire to leave our firewall and local infrastructure unchanged.

Aviel D. Rubin is a Principal Technical Staff Member at AT&T Labs -- Research in the secure systems research department, and an Adjunct Professor of Computer Science at New York University, where he teaches cryptography and computer security.

Scribe Notes

Motivation

Previous System Setup:

[Internal Net]  <--->  |||FIREWALL||| <---> [External Internet]
      |                                          |
      |                                          |
   Internal                                    External 
   Web                                         Web
   Site                                        Site 

- the main web page resolves to two different computers,
depending on where the request is coming from
- the firewall is a packet-based firewall
- given this, authorized users outside the firewall have no
way to reach the internal web site

Other approaches to solving this problem:
- use a SecureNet key to telnet inside; however, this does
not provide browser access and has other problems as well
- VPN solution; however, this violates the assumption of
coming from a dumb terminal, and existing solutions don't
have source code available to verify security.

ABSENT Solution

[Auth Server]    [Pushweb]  ||| Firewall |||  [Absent]   [Client]

[Web Server] 

- Pushweb and Absent together act as a proxy

Use:

1) Before leaving the internal web site, a user initializes
a password
2) Once outside, the user authenticates by use of one-time passwords;
the OPIE scheme is used. (OPIE was explained but I left this explanation
out of the notes. It is a one-time password scheme though.)
3) Once authenticated, an entry is created in a user table on Pushweb
that contains a user key
4) All URLs passed to the user are rewritten so that they contain
a MAC
5) When a request for an internal page comes in, it is passed
from Absent to Pushweb. It contains the
rewritten URL; the MAC in the URL is compared against the
MAC calculated from the user key and the requested URL. If
it matches, then the page is returned. All URLs in the page
are appropriately rewritten as well.

- the key only allows users to request pages for 45 minutes
after they log in.  This limits the exposure and security problems.
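The following is an added example, not code from the Absent project or from the talk, that models steps 3 to 5 above together with the 45-minute key window on the Pushweb side. The talk only says "MAC" and "user key"; this model assumes HMAC-SHA256, a 32-byte key generated at login, query parameters named absent_user and absent_mac for carrying the user name and MAC, and rewritten links that remain absolute internal URLs (the real system rewrites them to point at the Absent host). The OPIE one-time-password exchange itself is not modelled; register_login stands in for "authentication succeeded".

```python
# Added example (not the Absent project's code): toy model of the Pushweb side.
# Assumptions: HMAC-SHA256 as the MAC, parameter names absent_user / absent_mac,
# a 32-byte per-login key, and links rewritten to absolute internal URLs.
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

KEY_LIFETIME_SECONDS = 45 * 60   # a key is only honoured for 45 minutes after login
USER_PARAM = "absent_user"       # assumed parameter names (not from the talk)
MAC_PARAM = "absent_mac"


def canonical_url(url):
    """Split a (possibly rewritten) URL into (url without Absent params, user, mac).

    The MAC is always computed over this canonical form, so percent-encoding
    differences in the query string cannot cause spurious mismatches.
    """
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k not in (USER_PARAM, MAC_PARAM)]
    fields = dict(query)
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return base, fields.get(USER_PARAM), fields.get(MAC_PARAM)


class Pushweb:
    """Inside-the-firewall half: owns the user table and issues/checks MACs."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so the expiry rule can be exercised
        self.users = {}              # user -> (secret key, login time)

    def register_login(self, user):
        """Step 3: called once the OPIE one-time-password check has succeeded."""
        key = secrets.token_bytes(32)
        self.users[user] = (key, self.clock())
        return key

    def _mac(self, key, user, url):
        # Binding the user name into the MAC input ties each URL to one session key.
        return hmac.new(key, f"{user}\n{url}".encode(), hashlib.sha256).hexdigest()

    def rewrite_url(self, user, url):
        """Step 4: append the user name and a MAC over the canonical URL."""
        key, _ = self.users[user]
        base, _, _ = canonical_url(url)
        parts = urlsplit(base)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query += [(USER_PARAM, user), (MAC_PARAM, self._mac(key, user, base))]
        return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))

    def check_request(self, rewritten_url):
        """Step 5: verify a request forwarded by Absent; returns (ok, reason, url)."""
        url, user, mac = canonical_url(rewritten_url)
        if user not in self.users or mac is None:
            return False, "no session", url
        key, login_time = self.users[user]
        if self.clock() - login_time > KEY_LIFETIME_SECONDS:
            del self.users[user]             # the 45-minute window has passed
            return False, "key expired", url
        expected = self._mac(key, user, url)
        if not hmac.compare_digest(expected, mac):
            return False, "bad MAC", url     # tampered or never-issued URL
        return True, "ok", url

    def rewrite_page(self, user, page_url, html):
        """Rewrite every href in a fetched page so the next click also carries a MAC."""
        def fix(match):
            target = urljoin(page_url, match.group(1))    # resolve relative links first
            return 'href="%s"' % self.rewrite_url(user, target)
        return re.sub(r'href="([^"]*)"', fix, html)


def demo():
    """Walk the protocol over a constructed sample page with a controllable clock."""
    clock = [1_000.0]
    pw = Pushweb(clock=lambda: clock[0])
    pw.register_login("alice")
    page_url = "http://intranet.example/docs/index.html"      # constructed sample
    html = '<a href="/docs/a.html">A</a> <a href="b.html?id=7">B</a>'
    links = re.findall(r'href="([^"]*)"', pw.rewrite_page("alice", page_url, html))
    genuine = [pw.check_request(u) for u in links]            # both verify
    tampered = pw.check_request(links[1].replace("id=7", "id=8"))   # MAC no longer matches
    foreign = pw.check_request("http://intranet.example/docs/a.html")  # no MAC at all
    clock[0] += KEY_LIFETIME_SECONDS + 1
    expired = pw.check_request(links[0])                      # same link, window passed
    return {"genuine": genuine, "tampered": tampered, "foreign": foreign, "expired": expired}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point to notice is that the request path never consults a password: once the user table entry exists, every click is authorized purely by the MAC on the URL, which is why the 45-minute expiry and a constant-time comparison (hmac.compare_digest) matter, and why a compromised Absent host that does not hold the user key still cannot mint valid requests.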


Threat analysis:
If Absent (the computer outside the firewall) is compromised:
- DoS possible
- can get Pushweb to open data connections
- cannot read SSL traffic
- cannot issue valid web requests
- attacker does see the secret MAC key used by Absent
Recovery: generate a new MAC key, reboot the server

If Pushweb is compromised:
- unlimited access to the internal web
- basically they are in real trouble
Precautions: appropriate ones, basically

Other notes:
- no-cache directives are set on all web content so it doesn't
remain sitting in browser caches
- no SSL access to inside content, since SSL over SSL is not possible
- ease of use is an issue because users reportedly hate the one-time
password hassle

Code available at 
http://www.research.att.com/projects/absent

Demonstration of the system was a success

Questions:
- Various threat models were discussed, including the danger
of losing the one-time password sheet ("the lost wallet attack").
- Discussion of a malicious web browser. Basically nothing
can be done about that.
- Discussion of using JavaScript to calculate the one-time password
based on the initial password. Not a good idea, though, really.

Brought to you by the MIT LCS Applied Security Reading Group