1 Unix Web servers and Firewall PP 200 and P387 to 411 – Web Security by Lincoln D. Stein

2 Unix Server (..continue..)  Monitor the integrity of System Files and Binaries  Back up Your System

3 Monitor the integrity of Systems Files and Binaries  It is to monitor whether the files have been modified by intruders.  The approach is to run a program that generates fingerprint of each ESSENTAIL files. (such as the md5sum (md5 checksum))  Compare the files a few days later and see whether any discrepancy..sys and.wi n

4 Back up the system  This is common to any system administrators to perform regular backups of essential files.  tar program is a common utility to perform backup. Tar is a Unix command

5 Server Security Checklist (1)  Have you installed all security-related patches?  Have you disabled all unnecessary services?  Have you run a security scanner on your system? (lab 10)  Does the server do double duty as a user workstation?  Do the Web server’s file permissions reasonable? From administrator’s viewpoint

6 Server Security Checklist (2)  Is the Web server running as root? (/)  Is the Web server running any unnecessary features?  Have you established the limit of users?  Do you monitor system and web pages logs?  Do you monitor the integrity of the host?  Do you backup your system?

7 Summary on Unix Web servers  To harden a Unix Web server as many as possible (patch, disable features….)  To properly configure the Web server (reduce number of users, file/directory access rights…)  To Monitor the logs (error log and system log, might run fingerprint)  To backup your files (use tar command..) Learnt last week

8 Web servers & Firewall - Overview  What is a firewall?  How to select a firewall?  How to configure a firewall?  Automatic proxy configuration for browsers?  Examining firewall logs for signs of server compromise? This week

9 Two firewalls with the Internet – restrict some incoming and outgoing traffic based on rules

10 What is a firewall? - 長城 ( 防人牆 ) from

11 Waterwall – prevent enemy, protect castle from edtech.floyd.edu/ ~lnewby/feudal_japan.htmedtech.floyd.edu/ ~lnewby/feudal_japan.htm

12 What is a firewall?  In a traditional LAN system, all workstations can access the Internet with a result of equal attack from the outside.  Just one of the weakest host will break the system.  The firewall addresses this problem by using a special configurable machine between the outside world and internal machines to control the traffic.

13 The location of a firewall  All traffic must go through the proxy server ( firewall as well ) which then decides to accept or reject the traffic.

14 Two basic Firewall Systems There are two basic implementations for firewalls.  Dual home gateway firewall, the gateway machine has two network interface cards each of them is connected to the LAN (inter network) and the Internet (Outer network)  Screened-host gateway uses a router to forward all the traffic from/to the outer and inner networks.

15 Dual-home gateway firewall  By default, the two networks are isolated.  However, there is a need to communicate between the inner and outer networks through the specialised programs called proxy (or proxies, many programs with firewall features) block

16 Screen-hosted gateway  A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.  It ensures that the packets from the Internet can reach the well secured proxy which then examines the data. In fact, there is no effective difference between dual- home and screen-host

17 Notes about firewall  Many companies use firewall systems that are not strictly firewalls. They are used to block dangerous traffic only.  The essence of a firewall system is to allow or deny passage to network traffic. They are application level for particular communications protocols, such as HTTP, , FTP (You need to configure the rule)  For example, if you decided to block all active X, you then program the proxy to check the contents of all HTML and block those that have active X.

18 Select a firewall system (1)  Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a check list. Operating system: Firewall products are available that run on both Unix (linux) or Windows XP systems. Neither has advantages over others. If you are familiar with Unix, Choose it. Protocols used: All firewalls will handle FTP, e- mail, HTTP, NNTP telnet etc, but some might not handle SNMP or Real Audio etc. Choose those that can satisfy your need.

19 Select a firewall system (2)  Filter types:Network filters based on application level proxies gives the programmers control over what passes across the firewall. Network filters based on circuit-level proxies have better performance such as IP packet-filtering system.  Logging: A firewall performs exhaustive logging with tools to analyse the log and summarise the log.  Administration: Some firewalls are configured with graphical user interfaces, others use text only.

20 Select a firewall system (3)  Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.  Tunneling: Some firewall systems provide the ability to setup up an encrypting tunnel across the Internet in order to securely connect two networks. (Tunneling is the transmission of data intended for use only within a private, usually corporate network through the Internet in such a way that the routing nodes in the Internet are unaware that the transmission is part of a private network. VPN is an example.)routingnode

21 Products ProductFeature AltaVista Uses a combination of packet filters, application level proxies and circuit-level BorderWare A Unix-only system for both application-level and packet-level CyberGuard Unix to support packet filtering, application and circuit-level. Eagle Uses application and circuit level proxy and is available for NT and Unix machines Firewall-1 Packet filtering an stateful inspection for NT and Unix Gauntlet Available a a software-only package or as a turnkey combination. No need to memorise

22 How to configure a firewall? As there are many commercial products with different commands and approaches, here, we would use a table for describing the routing information and is independent on any products. Outgoing web access 1.How to allow people within your organisation to safely browse the Web; 2.How to make your organisation’s public web available to the rest of the world?

23 A simple example – packet filter – IE and FTP Assume that you need to provide filter exceptions for outgoing connections to the HTTP (port 80) and FTP (port 21) and the data sent back in response to those connections. (RULE) ActionSrcPortDestPortFlagsComment Block * **** Block all Allow [internal user] **80* Browse outside (iexplorer – outgoing) Allow * 80**ACK ie- Incoming Allow [internal user] **21* ftp - outgoing Allow * 21**ACK ftp - incoming important

24 Explanation  The first column indicates whether it is allowed or blocked that traffic.  The second and third columns indicate which traffic shows from the source. Here port number is specified as well.  The fourth and fifth columns indicate that outgoing (destination) traffic. Again, port number is specified as well.  Flags indicates whether it is an  acknowledgement.

25 Another simple example – block IE and allow FTP Assume that you need to provide filter exceptions for outgoing connections to the FTP (port 21) and the data sent back in response to those connections. We simply block all traffic expect FTP. ActionSrcPortDestPortFlagsComment Block * **** Block all Allow [internal user] **21* ftp - outgoing Allow * 21**ACK ftp - incoming important

26 Picture – Gopher protocol is blocked, the table is in the Proxy 26

27 A simple example – application level – outgoing, linux environment  If the firewall uses application level proxy to provide Internet access, we need to enable separate proxies for each of the protocols commonly used on the Web such as HTTP, FTP, SSL. Below is an example for FTP for a Class C network at #rules for the FTP gateway ftp-gw: denial-msg /usr/local/ect/ftp-deny.txt ftp-gw: welcome-msg /us/local/ect/ftp-welcome.txt ftp-gw: help-msg /usr/local/etc/ftp-help.txt ftp-gw: timeout 3600 ftp-gw: deny-hosts unknown ftp-gw: permit-hosts * #rules for the http/gopher gateway http-gw: permit-hosts * No need to memorise, step by step, but have to understand

28 Explanation  The first six lines of this file set up defaults for the FTP proxy.  The line containing deny-host prohibits the use of the proxy by any machine without a domain name system entry (here unknown)  The line containing permit-host allows any hosts in the internal network to use the proxy. Others are prohibited by default. (here, permit-hosts *, any at this network.)

29 Incoming Web access  Once we solve the problem of outgoing Web services, we need to consider the incoming Web access.  There are many possibilities (web server with proxy, web server inside the LAN, web server outside the LAN.) Here, we introduce: – Judas server – Proxy and Web server – Sacrificial Lamb – Web server outside firewall – Private Affairs – Web server inside the firewall – Doubly Fortified Server - use multi-level of proxy to separate networks.

30 Judas – combine Proxy and Web server  It is not a good idea to combine proxy and web server together.  It is because Web server cannot be trusted to be bug free.  Any security holes will degrade the proxy. Not a good idea

31 The Sacrificial Lamb  The safest place for a public web server is outside the firewall. It is intended to public use.  Because communication between LAN and the public web server is restricted, it is difficult to use file sharing or remote login to update the material in the web server. Access by outsiders

32 The Private Affair Server  If the Web server is not intended to be publicly available, all best location is behind the firewall.  It maintains confidential or sensitive information. Filter all first

33 The Doubly Fortified Server  If you consider your web server contains highly confidential information, you should place it out of the Internet with a multiple level firewalls. (You have to set up a private firewall system.)

34 Running a reverse Web proxy  The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.  Their desk-top software connects to a proxy on the firewall; it relays the request to the Internet server and forwards the server's response back.  It is also possible to use application-level proxies in the reverse direction to grant people on the Internet controlled access to a Web server.

35 Flow of Information – Bastion (firewall)

36 Hybrid Server  The hybrid approach is to combine two together. One on an external scarified lamb server; one on the firewall.  In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.

37 Hybrid approach – Bastion (firewall here)

38 Summary  Firewall is to filter the unwanted traffic  It is to limit the Incoming and outgoing traffic as well.  Criteria to select a firewall  Configure a firewall – application level (IE, ) or packet level (IP or TCP)  Incoming web access – Judas server, Sacrificial lamb, Private affair, Doubly fortified server, reverse web proxy etc.

39 Next Week Policy and Law