Absent is a system for secure remote access to the internal web from outside. It addresses the problem of secure remote access to a site's internal web server from outside the firewall. The goal is to give authorized users access to sensitive information, while protecting the information from others. We implemented our solution using a one-time password scheme for client authentication and SSL for confidentiality. Our main design considerations were security, performance, ease of use, availability, and scale. We were further constrained by the desire to leave our firewall and local infrastructure unchanged.
Aviel D. Rubin is a Principal Technical Staff Member at AT&T Labs -- Research in the secure systems research department, and an Adjunct Professor of Computer Science at New York University, where he teaches cryptography and computer security.
Previous System Setup:

    [Internal Net] <---> |||FIREWALL||| <---> [External Internet]
          |                                         |
      Internal                                  External
      Web Site                                  Web Site

- the main web page resolves to two different computers depending on where the request is coming from
- the firewall is a packet-based firewall
- given this, outside authorized users have no means to get to the internal web site from outside the firewall

Other approaches to solving this problem:
- use a SecureNet key to telnet inside; however, this does not provide browser access and has other problems as well
- VPN solution; however, this violates the assumption of coming from a dumb terminal, and existing solutions don't have source code available to verify security

ABSENT Solution:

    [Auth Server]   [Pushweb]   ||| Firewall |||   [Absent]   [Client]
                    [Web Server]

- Pushweb and Absent together act as a proxy

Use:
1) Before leaving the internal web site, a user initializes a password
2) Once outside, the user authenticates by use of one-time passwords; the OPIE scheme is used. (OPIE was explained but I left this explanation out of the notes. It is a one-time password scheme, though.)
3) Once authenticated, an entry is created in a user table on pushweb that contains a user key
4) All URLs passed to the user are rewritten so that they contain a MAC code
5) When a request for an internal page comes in, it is passed from Absent to pushweb. It contains the rewritten URL; the MAC of the URL is then compared against the MAC calculated from the user key and the requested URL. If it matches, the page is returned. All URLs in the returned page are appropriately rewritten as well.
- the key only allows users to request pages for 45 minutes after they log in. This limits the exposure and security problems.
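The user-table, URL-rewriting and request-checking steps above (3 through 5, plus the 45-minute key lifetime), modelled as a small added example. This is illustrative code written for these notes, not the Absent/pushweb source; it assumes HMAC-SHA256 as the MAC (the notes only say "MAC"), the query parameter names absent_user and absent_mac, and the internal host name intranet.example, all of which are constructed for the illustration.

```python
"""Added example (not Absent's code): a toy model of the pushweb user table,
MAC-based URL rewriting, and request checking described in the notes.
Assumptions: HMAC-SHA256 as the MAC, the parameter names absent_user and
absent_mac, and the host intranet.example are all constructed here."""
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_LIFETIME = 45 * 60          # 45 minutes, as stated in the notes
INTERNAL_HOST = "intranet.example"  # constructed internal web host
_TAG_PARAMS = ("absent_user", "absent_mac")


class PushwebGateway:
    """Holds the per-user key table and does the rewrite/verify work."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be tested
        self.users = {}           # user -> (key, login_time)

    def create_session(self, user):
        """Step 3: after OTP authentication, store a fresh random user key."""
        key = secrets.token_bytes(16)
        self.users[user] = (key, self.clock())
        return key

    @staticmethod
    def _canonical(url):
        """URL with any Absent parameters stripped; this is what the MAC covers."""
        parts = urlsplit(url)
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k not in _TAG_PARAMS]
        return urlunsplit(parts._replace(query=urlencode(query)))

    @staticmethod
    def _mac(key, user, url):
        # MAC binds the user name and the canonical URL to the user's key.
        return hmac.new(key, f"{user}\n{url}".encode(), hashlib.sha256).hexdigest()

    def rewrite_url(self, user, url):
        """Step 4: append the user name and the MAC of the canonical URL."""
        key, _ = self.users[user]
        canon = self._canonical(url)
        parts = urlsplit(canon)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query += [("absent_user", user), ("absent_mac", self._mac(key, user, canon))]
        return urlunsplit(parts._replace(query=urlencode(query)))

    def rewrite_page(self, user, html):
        """Rewrite every internal href in a returned page; leave external links alone."""
        def repl(m):
            target = m.group(1)
            if urlsplit(target).netloc in ("", INTERNAL_HOST):
                return 'href="%s"' % self.rewrite_url(user, target)
            return m.group(0)
        return re.sub(r'href="([^"]*)"', repl, html)

    def verify_request(self, rewritten_url):
        """Step 5: return the internal URL to fetch, or None to refuse.
        Refuses unknown users, sessions older than 45 minutes, and any URL
        whose MAC does not match (a tampered or forged link)."""
        params = dict(parse_qsl(urlsplit(rewritten_url).query, keep_blank_values=True))
        user, tag = params.get("absent_user"), params.get("absent_mac")
        if user is None or tag is None or user not in self.users:
            return None
        key, login_time = self.users[user]
        if self.clock() - login_time > SESSION_LIFETIME:
            del self.users[user]          # key expired: user must log in again
            return None
        canon = self._canonical(rewritten_url)
        if not hmac.compare_digest(self._mac(key, user, canon), tag):
            return None
        return canon


if __name__ == "__main__":
    gw = PushwebGateway()
    gw.create_session("alice")
    # Constructed sample page: two internal links and one external link.
    page = ('<a href="/reports/q3.html">Q3</a> '
            '<a href="http://intranet.example/docs/a.html?x=1">doc</a> '
            '<a href="http://www.example.com/">outside</a>')
    rewritten = gw.rewrite_page("alice", page)
    print(rewritten)
    link = re.search(r'href="([^"]*q3[^"]*)"', rewritten).group(1)
    print("valid link  ->", gw.verify_request(link))
    print("tampered    ->", gw.verify_request(link.replace("q3", "q4")))
```

The MAC is computed over the canonical URL (the link with the Absent parameters removed), so the verifier can recover exactly what was signed from the rewritten request. Because the key never leaves pushweb and is tied to the login time, a captured link stops working after 45 minutes, and an attacker on the Absent host cannot mint valid links for URLs the user was never sent, which is the property the threat analysis below relies on.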
Threat analysis:

If Absent (the computer outside the firewall) is compromised:
- DoS possible
- attacker can get pushweb to open data connections
- cannot read SSL traffic
- cannot issue valid web requests
- attacker does see the secret MAC key used by Absent
Recovery: generate a new MAC key, reboot the server

If pushweb is compromised:
- unlimited access to the internal web
- basically they are in real trouble

Precautions:
- appropriate ones, basically

Other notes:
- "don't cache" directives are set on all web content so it doesn't remain sitting in browser caches
- No SSL access to inside content, since SSL over SSL is not possible
- ease of use is an issue because users reportedly hate the one-time password hassle

Code available at http://www.research.att.com/projects/absent

Demonstration of the system was a success.

Questions:
- Various threat models were discussed, including the danger of losing the one-time password sheet ("the lost wallet attack").
- Discussion of a malicious web browser. Basically nothing can be done about that.
- Discussion of using JavaScript to calculate one-time passwords based on an initial password. Not really a good idea, though.