The application layer is the seventh layer in the Open Systems Interconnection (OSI) communications model and is the layer closest to the end user. It allows application programs to communicate effectively with other application programs in a network. Succinctly, it provides communication services to the various software applications.
These services include:
- Ensuring proper identification of communication partners;
- Authenticating either the message sender and/or receiver;
- Deciding whether sufficient network/communication resources exist;
- Synchronizing both communication protocols and data syntax rules;
- Ensuring a two-way agreement about error recovery procedures, data integrity and privacy.
Confidential information lies directly within an application, which makes it alluring for potential attackers who plan to reach their goals. This unpredictability makes application-layer attacks very challenging to defend against. Moreover, several attacks may be launched to threaten the integrity of information flowing through an application. Some known threats are:
1. Web Attacks:
The internet presents an opportunity for exciting methods of sharing information on one hand, and a gateway for harmful misuse on the other. Securing the Web requires a fine balance between security and accessibility. One of the most prominent web application attacks is the execution of malicious active content. Users who download active content, such as the ActiveX controls and Java applets that deliver dynamic content on websites, from untrusted sources can unknowingly open up backdoors to lethal attacks from viruses and worms on their systems.
2. Email Attacks:
Insecure server connections, where “http://” is used rather than “https://”, send information unencrypted between the mail server and the computer. Similarly, the SMTP, POP and IMAP protocols all leave user names and passwords unencrypted and open to eavesdropping from intruders listening to information carried between a PC and the email provider’s computer.
3. Information Sniffing and Eavesdropping:
Many applications transmit network packets in plain text that can be easily sniffed for sensitive information. Very sophisticated password auditing tools have also been used to determine passwords for poorly protected systems after users experience a number of failed logins within a short time period.
4. DNS Attack (DNS Spoofing/Cache Poisoning):
Spoofing is a means to hide one’s true identity on a network. An attacker can direct internet users to harmful web servers by altering the method that changes domain names to numbered IP addresses. Users are then struck with adware that can debilitate their systems whenever the deliberate misdirection to these sites occurs.
5. Instant Message Attacks:
The attractiveness of IM as a communication tool brings unwanted exposure to viruses, identity theft, firewall tunneling, data leaks and spim (spam from instant messaging). These can be disastrous if they are not adequately guarded against.
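For the email threat in item 2 above, a defender can check client command logs for logins that were sent before the connection was upgraded. The following is an added example, not part of the original article: it flags every SMTP AUTH exchange issued before STARTTLS. The function names and sample sessions are constructed, a STARTTLS command is assumed to succeed, and implicit-TLS connections are not modelled.

```python
import base64
import binascii

def _b64(text):
    """Decode one base64 SMTP argument; return b"" if it is malformed."""
    try:
        return base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return b""

def audit_smtp_session(commands):
    """Return one finding per AUTH exchange sent before STARTTLS."""
    findings, encrypted, i = [], False, 0
    while i < len(commands):
        parts, start = commands[i].split(), i
        verb = parts[0].upper() if parts else ""
        if verb == "STARTTLS":
            encrypted = True  # assumption: the server accepted the upgrade
        elif verb == "AUTH" and len(parts) >= 2:
            mech, user = parts[1].upper(), "?"
            # The first credential blob is on the AUTH line or on the next one.
            if len(parts) > 2:
                blob = parts[2]
            else:
                i += 1
                blob = commands[i] if i < len(commands) else ""
            if mech == "PLAIN":
                fields = _b64(blob).split(b"\0")  # authzid, username, password
                if len(fields) == 3:
                    user = fields[1].decode("utf-8", "replace")
            elif mech == "LOGIN":
                user = _b64(blob).decode("utf-8", "replace") or "?"
                i += 1  # skip the password line; it is never decoded or stored
            if not encrypted:
                findings.append({"line": start, "mechanism": mech, "user": user})
        i += 1
    return findings

# Constructed client command logs (not captured traffic).
_CRED = base64.b64encode(b"\0alice\0not-a-real-password").decode()
CLEARTEXT_SESSION = ["EHLO client.example", "AUTH PLAIN " + _CRED,
                     "MAIL FROM:<alice@example.com>"]
UPGRADED_SESSION = ["EHLO client.example", "STARTTLS", "EHLO client.example",
                    "AUTH LOGIN", "Ym9i", "bm90LXJlYWw=", "QUIT"]

if __name__ == "__main__":
    print(audit_smtp_session(CLEARTEXT_SESSION))
    print(audit_smtp_session(UPGRADED_SESSION))
```

The finding carries only the user name, which is enough to identify the account whose password should be rotated and the client that needs its TLS setting corrected.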
There is no single solution that may be employed to minimize the risks to the application layer. However, many progressive methods have been developed to maintain control, confidentiality and integrity of application data and to lessen network damage in the case of intrusion. Some known technological solutions are:
1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS):
These cryptographic protocols ensure secure communications on the Web. Both SSL and TLS (its slightly improved successor) operate as a new protocol layer inserted in the stack above the Internet TCP protocol and below other application protocols like HTTP, SMTP, FTP and TELNET. They are most often used to provide extra security to HTTP communications by forming HTTPS. This is especially paramount for securing client-server sessions, like e-commerce, by authenticating such communications using specially encrypted private keys. A certification authority allows only the legitimate user’s server to decrypt the secret key, and warning signs like the message authentication code (MAC) are present to detect any hacker’s attempt to alter the sent data.
2. Secure/Multipurpose Internet Mail Extensions (S/MIME):
Secure messaging systems must account for writer-to-reader protection when messages go through multiple network connections or unknown application-level mail gateway systems. S/MIME uses the Cryptographic Message Syntax (CMS) specification for encapsulating data structures and procedures. CMS adds this cryptographic security service using digital signatures and object encryption in securing electronic mail. The structure created also becomes a MIME body that is transmitted with the mail and provides authentication, non-repudiation, message integrity, and message confidentiality (all hallmarks of security). Improved versions of S/MIME also provide enhanced services including signed receipts and security labels.
3. Web-Based Secure Mail:
This uses a mail hub instead of a client to perform critical security functions. Communication between the hub and user is protected by standard SSL/TLS while the hub performs digital signatures, encryption, decryption and signature verification for the user. The necessary software to execute this is downloaded from the server supporting the mail hub. Web-based secure mail allows users to transmit mail with standard web browsers and integrates the email function with the surrounding application environment.
4. Pretty Good Privacy (PGP):
PGP is similar to S/MIME. It also uses existing cryptographic algorithms (RSA, IDEA, and MD5) to support secrecy, digital signatures, key management, and data compression. PGP is a useful method of protecting informal email communication through the internet but is inappropriate for broader mail needs like e-commerce.
5. Secure HTTP (S-HTTP):
S-HTTP is a superset of HTTP that performs like SSL/TLS. It is a security extension to HTTP that provides entity authentication, integrity and confidentiality (using encryption) with the option of non-repudiation (from digital signatures). S-HTTP allows the client to send a certificate to authenticate the user (whereas in SSL/TLS, only the server can be verified); it also supports a variety of cryptographic systems, key infrastructures, and cryptographic formats. S-HTTP has generally been displaced by SSL/TLS.
In addition to these solutions, a number of lower layer technologies, including IPSec and application layer firewalls, serve as auxiliary support for providing security to the application layer.
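The SSL/TLS item above mentions the message authentication code that detects altered data. The following is an added example, not part of the original article: it computes the record MAC the way TLS 1.2 defines it (RFC 5246, section 6.2.3.1), with the handshake and encryption left out. The key, the message and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

TLS12_VERSION = (3, 3)   # version bytes carried in every TLS 1.2 record
APPLICATION_DATA = 23    # record content type
MAC_LEN = hashlib.sha256().digest_size

def record_mac(mac_key, seq_num, fragment, content_type=APPLICATION_DATA):
    """HMAC over seq_num + type + version + length + fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         *TLS12_VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def protect(mac_key, seq_num, fragment):
    """Sender side: append the MAC to the fragment (encryption omitted)."""
    return fragment + record_mac(mac_key, seq_num, fragment)

def verify(mac_key, seq_num, record):
    """Receiver side: return the fragment, or None if the MAC check fails."""
    if len(record) < MAC_LEN:
        return None
    fragment, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, fragment)
    return fragment if hmac.compare_digest(tag, expected) else None

# Constructed key and message; a real session derives the key in the handshake.
MAC_KEY = bytes(range(32))
MESSAGE = b"PAY 10 to bob"

if __name__ == "__main__":
    record = protect(MAC_KEY, 0, MESSAGE)
    altered = record.replace(b"10", b"99", 1)
    print(verify(MAC_KEY, 0, record))    # accepted
    print(verify(MAC_KEY, 0, altered))   # rejected: payload changed in transit
    print(verify(MAC_KEY, 1, record))    # rejected: wrong position in the stream
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails verification just as an edited one does.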
WCS Security Consulting Services assists organizations by conducting a comprehensive risk assessment to determine the threats to their applications. WCS assists organizations to be proactive in minimizing the risks within applications by integrating security techniques and processes into the organization’s application development process to minimize risks to its information assets. This will allow organizations to become compliant with regulations and mandates such as the Payment Card Industry (PCI DSS and PA DSS) requirements.