Web Server Administration Chapter 10 Securing the Web Environment.

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

CCNA – Network Fundamentals
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Web Server Administration TEC 236 Securing the Web Environment.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
1 Enabling Secure Internet Access with ISA Server.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 4: Security Baselines Security+ Guide to Network Security Fundamentals Second Edition.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.
Overview: Identify the Internet protocols and standards Identify common vulnerabilities and countermeasures Identify specific IIS/WWW/FTP concerns Identify.
Web Server Administration Chapter 10 Securing the Web Environment.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Chapter 6: Packet Filtering
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Chapter 13 – Network Security
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Linux Networking and Security
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Firewall Tutorial Hyukjae Jang Nc lab, CS dept, Kaist.
CHAPTER 9 Sniffing.
TCP/IP (Transmission Control Protocol / Internet Protocol)
Security fundamentals Topic 10 Securing the network perimeter.
CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
1 Chapter Overview Creating Web Sites and FTP Sites Creating Virtual Directories Managing Site Security Troubleshooting IIS.
Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.
Web Server Administration Chapter 10 Securing the Web Environment.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Web Server Administration Chapter 6 Configuring a Web Server.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Security fundamentals
Application layer tcp/ip
Instructor Materials Chapter 5 Providing Network Services
Working at a Small-to-Medium Business or ISP – Chapter 8
FIREWALL configuration in linux
Securing the Network Perimeter with ISA 2004
Chapter 4: Security Baselines
Setting Up Firewall using Netfilter and Iptables
Configuring Internet-related services
Firewalls By conventional definition, a firewall is a partition made
AbbottLink™ - IP Address Overview
Chapter 7 Network Applications
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

Web Server Administration Chapter 10 Securing the Web Environment

Overview Identify threats and vulnerabilities Secure data transmission Secure the operating system Secure server applications

Overview Authenticate Web users Use a firewall Use a proxy server Use intrusion detection software

Identifying Threats and Vulnerabilities Focus is on threats from the Internet Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data Data can be credit card numbers, user names and passwords, other personal data Information can be gathered while it is being transmitted Often, operating system flaws can assist the hacker

Examining TCP/IP Hackers often take advantage of the intricacy of TCP/IP The following are parts of the IP header most relevant to security Source address Destination address Packet identification, flags, fragment offset Total length Protocol – TCP, UDP, ICMP

TCP- Delivering Data to Applications Important header fields Source and destination ports Sequence number, data offset Flags, such as SYN, ACK, FIN Establishing a TCP connection

Vulnerabilities of DNS Historically DNS has had security problems BIND is the most common implementation of DNS and some older version had serious bugs BIND 9, the current version, has been more secure

Vulnerabilities in Operating Systems Operating systems are large and complex which means that there are more opportunities for attack Although Windows has had its share of problems, often inattentive administrators often fail to implement patches when available Some attacks, such as buffer overruns, can allow the attacker to take over the computer

Vulnerabilities in Web servers Static HTML pages pose virtually no problem Programming environments and databases add complexity that a hacker can exploit Programmers often do not have time to focus on security

Vulnerabilities of Servers By design, servers are open servers can be harmed by a series of very large messages Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server Viruses can be sent to users Retrieving over the Internet often involves sending your user name and password as clear text

Securing Data Transmission To secure data on a network that is accessible to others, you need to encrypt the data SSL is the most common method of encrypting data between a browser and Web server Secure Shell (SSH) is a secure replacement for Telnet

Secure Sockets Layer (SSL) A digital certificate issued by a certification authority (CA) identifies an organization The public key infrastructure (PKI) defines the system of CAs and certificates Public key cryptography depends on two keys A public key is shared with everyone The public key can be used to encrypt data Only the owner of the public key has the corresponding private key which is needed to decrypt the data

Establishing an SSL Connection

Using SSH for Tunneling Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH To set up tunneling Configure the SSH client so the local port is (or another port between 1024 and 65535) Configure the SSH client to connect to POP3 port 110 Log in to the SSH client Direct the client to port 5555 and log in to the server

Securing the Operating System Use the server for only necessary tasks Minimize user accounts Disable services that are not needed Make sure that you have a secure password In addition to using upper case, lower case numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255 Check a table of ALT values to avoid common characters The use of the ALT key will thwart most hackers

Securing Windows There are many services that are not needed in Windows for most Internet-based server applications Alerter Computer browser DHCP client DNS client Messenger Server Workstation Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names

Securing Linux As with Windows, make sure that you only run daemons (services) that you need Generally, daemons are disabled by default The command netstat -l gives you a list of daemons that are running Use chkconfig to enable and disable daemons chkconfig imap on would enable imap

Securing You have already seen the ability to tunnel POP3 which would prevent data from being seen Exchange 2000 can also use SSL for the protocols it uses To prevent someone from sending large messages until the disk is full, set a size limit for each mailbox

Securing the Web Server Enable the minimum features If you don't need a programming language, do not enable it Make sure programmers understand security issues Implement SSL where appropriate

Securing the Web Server Apache Directories You can restrict access to directories by using "allow" and "deny" The following only allows computers with the two IP addresses to access the directory order allow, deny allow from deny from all

Securing the Web Server- IIS The URLScan utility blocks potentially harmful page requests The IIS Lockdown utility has templates to ensure that you only enable what you need Change NTFS permissions in \inetpub\wwwroot from Everyone Full Control to Everyone Execute In IIS 5, delete \samples \IISHelp and \MSADC folders Delete extensions you do not use, such as.htr,.idc,.stm, and others

Authenticating Web Users Both Apache and IIS use HTTP to enable authentication HTTP tries to access a protected directory and fails Then it requests authentication from the user in a dialog box Accesses directory with user information Used in conjunction with SSL

Configuring User Authentication in IIS Four types of authenticated access Windows integrated authentication Most secure – requires IE Digest authentication for Windows domain servers Works with proxy servers Requires Active Directory and IE Basic authentication User name and password in clear text Works with IE, Netscape, and others Passport authentication Centralized form of authentication Only available on Windows Server 2003

User Authentication in Apache Basic authentication is most common User names and passwords are kept in a separate file Create password file -c creates the users file -b adds a password when creating user htpasswd –c users mnoia htpasswd users fpessoa htpasswd users lcamoes –b lusiades

Apache User Authentication Directives DirectiveDescription AuthName Specifies descriptive text for user authentication that appears on the user’s browser when the request is made to log on. Example: AuthName Internal Product Information AuthType Specifies the authentication type. Digest not supported so use Basic. Example: AuthType Basic AuthUserFile Specifies the complete path to the user authentication file. Example: AuthUserFile /var/www/users AuthGroupFile Specifies the complete path to the text file that associates users with groups. require Defines which users in the user authentication file are allowed access to the directory. Examples: require user fpessoa lcamoes require group developers designers require valid-user

Apache User Authentication Assume you want to restrict the /newprods directory to any user in the users file AuthName "New Product Information" AuthType Basic AuthUserFile /var/www/users require valid-user

Using a Firewall A firewall implements a security policy between networks Our focus is between the Internet and an organization's network You need to limit access, especially from the Internet to your internal computers Restrict access to Web servers, servers, and other related servers

Types of Filtering Packet filtering Looks at each individual packet Based on rules, it determines whether to let it pass through the firewall Circuit-level filtering (stateful or dynamic filtering) Controls complete communication session, not just individual packets Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside Application-level Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e- mail

A Packet-filtering Firewall Consists of a list of acceptance and denial rules A firewall independently filters what comes in and what goes out It is best to start with a default policy that denies all traffic, in and out We can reject or drop a failed packet Drop – (best) thrown away without response Reject – ICMP message sent in response

Firewall on Linux - iptables Connections can be logged Initializing the firewall Remove any pre-existing rules iptables --flush Set default policy to drop packets iptables --policy INPUT DROP iptables --policy OUTPUT DROP At this point nothing comes in and nothing goes out

Describing the Packets to Accept -A (Append rule) INPUT or OUTPUT -i eth0 (input interface) or –o eth0 (output) -p tcp or -p udp (protocol type) -s, -d (source, destination address) --sport, --dport (source, destination port) -j ACCEPT (this is a good rule)

Allowing Access to Web Server Allow packets from any address with an unprivileged port to the address on our server destined to port 80 The following should be on a single line iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d dport 80 –j ACCEPT Allow packets to go out port 80 from our server to any unprivileged port at any address iptables –A OUTPUT –o eth0 –p tcp –s sport 80 --dport 1024:65535 –j ACCEPT

Allowing Access to DNS DNS uses port 53 UDP for resolving, TCP for zone transfers iptables –A INPUT –i eth0 –p udp --sport 1024:65535 –d dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p udp –s sport 53 --dport 1024:65535 –j ACCEPT iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p tcp –s sport 53 --dport 1024:65535 –j ACCEPT

Allowing Access to FTP Port 21 for data, port 20 for control Data is transferred through unprivileged ports Opening unprivileged ports can be a problem iptables -A INPUT -i eth0 -p tcp --sport 1024: d dport 21 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s sport dport 1024: j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 1024: d dport 20 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s sport dport 1024: j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 1024: d dport 1024: j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s sport 1024: dport 1024: j ACCEPT

Using a Proxy Server A proxy server delivers content on behalf of a user or server application Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP Forward proxy servers isolate users from the Internet Users contact proxy server which gets Web page Reverse proxy servers isolate Web server environment from the Internet When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

Using Intrusion Detection Software Intrusion detection is designed to show you that your defenses have been penetrated With Microsoft ISA Server, it only detects specific types of intrusion In Linux, Tripwire tracks changes to files

Tripwire Tripwire allows you to set policies that allow you to monitor any changes to the files on the system Tripwire can detect file additions, file deletions, and changes to existing files By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

Tripwire After installing Tripwire, you configure the policy file to determine which files to monitor A default list of files is included but it will take time to refine the list A report can be produced to find out which files have been added, changed, and deleted Usually, it runs automatically at night

Intrusion Detection in ISA Server The following intrusions are tracked Windows out-of-band (WinNuke)–A specific type of Denial-of- Service attack Land–A spoofed packet is sent with the SYN flag set so that the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash. Ping of death –The server receives ICMP packets that include large files attachments, which can cause a server to crash. IP half scan –If a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag. UDP bomb –A UDP packet with an illegal configuration. Port scan –You determine the threshold for the number of ports that are scanned (checked) before an alert is issued.

Summary Every computer connected to the Internet represents a potential target for attack Hackers can gather data and modify systems SSL can secure data transmission Keep each server to a single purpose such as Web server or Keep applications and services to a minimum

Summary User authentication controls access to one or more Web server directories Firewalls control access policies between networks A proxy server delivers content on behalf of a user or server application Intrusion detection software identifies intrusions but typically does not prevent them