Web Server Administration Chapter 10 Securing the Web Environment Overview  Identify threats and vulnerabilities  Secure data transmission  Secure the operating system  Secure server applications Overview  Authenticate Web users  Use a firewall  Use a proxy server  Use intrusion detection software Identifying Threats and Vulnerabilities   Focus is on threats from the Internet Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data    Data can be credit card numbers, user names and passwords, other personal data Information can be gathered while it is being transmitted Often, operating system flaws can assist the hacker Examining TCP/IP   Hackers often take advantage of the intricacy of TCP/IP The following are parts of the IP header most relevant to security      Source address Destination address Packet identification, flags, fragment offset Total length Protocol – TCP, UDP, ICMP TCPDelivering Data to Applications Important header fields      Source and destination ports Sequence number, data offset Flags, such as SYN, ACK, FIN Establishing a TCP connection Vulnerabilities of DNS  Historically DNS has had security problems  BIND is the most common implementation of DNS and some older version had serious bugs  BIND 9, the current version, has been more secure Vulnerabilities in Operating Systems    Operating systems are large and complex which means that there are more opportunities for attack Although Windows has had its share of problems, often inattentive administrators often fail to implement patches when available Some attacks, such as buffer overruns, can allow the attacker to take over the computer Vulnerabilities in Web servers  Static HTML pages pose virtually no problem  Programming environments and databases add complexity that a hacker can exploit  Programmers often not have time to focus on security Vulnerabilities of E-mail Servers      By design, e-mail servers are open E-mail servers can be harmed by a series of very large e-mail messages Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server Viruses can be sent to e-mail users Retrieving e-mail over the Internet often involves sending your user name and password as clear text Using a Firewall  A firewall implements a security policy between networks   Our focus is between the Internet and an organization's network You need to limit access, especially from the Internet to your internal computers  Restrict access to Web servers, e-mail servers, and other related servers Types of Filtering  Packet filtering    Circuit-level filtering (stateful or dynamic filtering)    Looks at each individual packet Based on rules, it determines whether to let it pass through the firewall Controls complete communication session, not just individual packets Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside Application-level  Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail A Packet-filtering Firewall     Consists of a list of acceptance and denial rules A firewall independently filters what comes in and what goes out It is best to start with a default policy that denies all traffic, in and out We can reject or drop a failed packet   Drop – (best) thrown away without response Reject – ICMP message sent in response Firewall on Linux - iptables  Connections can be logged  Initializing the firewall    Remove any pre-existing rules  iptables flush Set default policy to drop packets  iptables policy INPUT DROP  iptables policy OUTPUT DROP At this point nothing comes in and nothing goes out Describing the Packets to Accept        -A (Append rule) INPUT or OUTPUT -i eth0 (input interface) or –o eth0 (output) -p tcp or -p udp (protocol type) -s , -d (source, destination address) sport, dport (source, destination port) -j ACCEPT (this is a good rule) Allowing Access to Web Server  Allow packets from any address with an unprivileged port to the address on our server destined to port 80  The following should be on a single line iptables –A INPUT –i eth0 –p tcp sport 1024:65535 –d 192.168.1.10 dport 80 –j ACCEPT  Allow packets to go out port 80 from our server to any unprivileged port at any address iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 sport 80 dport 1024:65535 –j ACCEPT Allowing Access to DNS  DNS uses port 53  UDP for resolving, TCP for zone transfers iptables –A INPUT –i eth0 –p udp sport 1024:65535 –d 192.168.1.10 dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p udp –s 192.168.1.10 sport 53 dport 1024:65535 –j ACCEPT iptables –A INPUT –i eth0 –p tcp sport 1024:65535 –d 192.168.1.10 dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 sport 53 dport 1024:65535 –j ACCEPT Allowing Access to FTP   Port 21 for data, port 20 for control Data is transferred through unprivileged ports  Opening unprivileged ports can be a problem iptables -A INPUT -i eth0 -p tcp sport 1024:65535 -d 192.168.1.10 dport 21 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 sport 21 dport 1024:65535 -j ACCEPT iptables -A INPUT -i eth0 -p tcp sport 1024:65535 -d 192.168.1.10 dport 20 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 sport 20 dport 1024:65535 -j ACCEPT iptables -A INPUT -i eth0 -p tcp sport 1024:65535 -d 192.168.1.10 dport 1024:65535 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 sport 1024:65535 dport 1024:65535 -j ACCEPT Using a Proxy Server    A proxy server delivers content on behalf of a user or server application Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP Forward proxy servers isolate users from the Internet   Users contact proxy server which gets Web page Reverse proxy servers isolate Web server environment from the Internet  When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server Using Intrusion Detection Software  Intrusion detection is designed to show you that your defenses have been penetrated  With Microsoft ISA Server, it only detects specific types of intrusion  In Linux, Tripwire tracks changes to files Tripwire    Tripwire allows you to set policies that allow you to monitor any changes to the files on the system Tripwire can detect file additions, file deletions, and changes to existing files By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change Tripwire    After installing Tripwire, you configure the policy file to determine which files to monitor A default list of files is included but it will take time to refine the list A report can be produced to find out which files have been added, changed, and deleted  Usually, it runs automatically at night Intrusion Detection in ISA Server        The following intrusions are tracked Windows out-of-band (WinNuke)–A specific type of Denialof-Service attack Land–A spoofed packet is sent with the SYN flag set so that the source address is the same as the destination address, which is the address of the server The server can then try to connect to itself and crash Ping of death –The server receives ICMP packets that include large files attachments, which can cause a server to crash IP half scan –If a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet When the remote computer does not respond to the RST flag, this is called an IP half scan In normal situations, the TCP connection is closed with a packet containing a FIN flag UDP bomb –A UDP packet with an illegal configuration Port scan –You determine the threshold for the number of ports that are scanned (checked) before an alert is issued Summary      Every computer connected to the Internet represents a potential target for attack Hackers can gather data and modify systems SSL can secure data transmission Keep each server to a single purpose such as Web server or e-mail Keep applications and services to a minimum Summary     User authentication controls access to one or more Web server directories Firewalls control access policies between networks A proxy server delivers content on behalf of a user or server application Intrusion detection software identifies intrusions but typically does not prevent them ... especially from the Internet to your internal computers  Restrict access to Web servers, e-mail servers, and other related servers Types of Filtering  Packet filtering    Circuit-level filtering... often not have time to focus on security Vulnerabilities of E-mail Servers      By design, e-mail servers are open E-mail servers can be harmed by a series of very large e-mail messages Sending... data transmission  Secure the operating system  Secure server applications Overview  Authenticate Web users  Use a firewall  Use a proxy server  Use intrusion detection software Identifying