Central Web Services at Fermilab. Presented by Jim Fromm, October 27, 2006.

Presentation transcript:

Central Web Services at Fermilab
Presented by Jim Fromm
October 27, 2006

Presentation Overview
- Why we have a central web farm
- Configuration of farm
- Hardware
- Software
- Automated tools for administration
- Monitoring of web farm
- Log processing
- Futures

Why a Central Webserver Farm?
- Relieve experiments of configuring and maintaining their own web servers
- Keep on top of security issues
- Maintain up-to-date versions of Apache/Perl/Python etc.
- Maintain valid SSL certs
- Leverage our expertise to provide basic consulting for CGI scripts, web page development etc. The web managers are responsible ultimately, but if they ask nice…
- Manage file system space (AFS has a quota mechanism; we keep track of when an area is getting full).

Overview of Central Webserver Farm
- 5 computers, 1 load balancing switch
- 84 vhosts (and rising fast)
- 53 additional web areas (conferences, projects, computing…)
- 1300 Web Content Managers
- Web hits/year: > 220 million
- Staff: basically 0.5 of one person right now.

Hardware Configuration
[Diagram: Alteon; www01, www02, www03, www04 (cgi), www05 (cgi); AFS]

Hardware Configuration - Details
- Alteon Load Balancing Switch
  - Configuration allows for traffic to be directed depending on type. CGI scripts only executable on www04/05.
  - Alteon AD3 switch, 8x 100Base-T ports with a single GigE uplink
- Web Servers
  - Sun Netra X1
- AFS file system

Alteon Configuration
51: , enabled, name www05-vhosts, weight 1, timeout 10 mins, maxcon
backup none, inter 2, retry 4, restr 8
remote disabled, proxy enabled, submac disabled
handle URL cookie: disabled
exclusionary string matching: disabled
1: any
2: /cgi-bin
7:.php
real ports:
http: vport http, group 11
HTTP Application: urlslb
virtual server: 4, , enabled
http: vport 8875, group 11
virtual server: 4, , enabled
http: vport http, group 11
HTTP Application: urlslb
virtual server: 5, , enabled
https: vport https, group 12
virtual server: 4, , enabled
4443: vport https, group 99, pbind sslid

Software
- Apache v1_3
  - Mid-range plans to upgrade to v2_0 as security requires.
- Perl
- Python
- PHP
- Wiki support on Plone server (on separate set of servers outside of the webfarm)

Automated Tools
- No way we can keep on top of everything the old fashioned way.
- Tools (perl scripts mostly) written to automate routine tasks
  - Create vhosts
  - Symlink check
  - Password check
  - File perms check
  - File space check

Automated Tools (cont)
- Symlink check
  - Run 1x week
  - Check for symlinks to areas that are sharing data that should not be shared
  - Check for symlinks pointing to non-existent data
  - Check for circular links
  - Sends to web admin team
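The symlink check above, written out as an added example in Python; it is not the Fermilab tooling, which the slides describe only as mostly Perl scripts. All names are hypothetical, and "sharing data that should not be shared" is modelled here as a link that resolves outside the web area being scanned.

```python
import errno
import os
import tempfile

def audit_symlinks(web_root, allowed_roots=()):
    """Return sorted (relative_path, finding) pairs; finding is 'dangling',
    'circular' or 'outside' (resolves outside web_root and allowed_roots)."""
    root = os.path.realpath(web_root)
    allowed = [root] + [os.path.realpath(p) for p in allowed_roots]
    findings = []
    # os.walk never descends into symlinked dirs, so loops cannot trap it.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            try:
                os.stat(path)  # follows the whole link chain
            except OSError as exc:
                kind = "circular" if exc.errno == errno.ELOOP else "dangling"
                findings.append((rel, kind))
                continue
            target = os.path.realpath(path) + os.sep
            here = os.path.realpath(dirpath) + os.sep
            # A link to its own directory or an ancestor loops any link follower.
            if os.path.isdir(target) and here.startswith(target):
                findings.append((rel, "circular"))
            elif not any(target.startswith(a + os.sep) for a in allowed):
                findings.append((rel, "outside"))
    return sorted(findings)

def build_symlink_sample(base):
    """Constructed sample: a vhost area ('site') beside a private area."""
    site = os.path.join(base, "site")
    os.makedirs(os.path.join(site, "docs"))
    os.makedirs(os.path.join(base, "private"))
    open(os.path.join(site, "index.html"), "w").close()
    links = {"ok": "index.html", "gone": "missing.html", "a": "b", "b": "a",
             "shared": "../private", "docs/up": ".."}
    for name, target in links.items():
        os.symlink(target, os.path.join(site, name))
    return site

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_symlinks(build_symlink_sample(tmp)):
            print(f"{finding:9} {rel}")
```

Passing an area in `allowed_roots` marks it as deliberately shared, so links into it are no longer reported.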

Automated Tools (cont)
- Permission check
  - 1x per week
  - Scan for vulnerable cgi scripts, weak permissions on files and directories
  - This can be any variation that leaves security holes or fits the profile of known exploits:
    - wide read-access permissions to area where passwords are stored
    - write-access to cgi area
    - wide read-access permissions to top level directories

Automated Tools (cont)
- Passwords (1x week)
  - Password files, although encrypted, should not be shared
  - Algorithm is not particularly smart: looks for variations on the word "PASSWORD" in file name and reports these if file permissions or locations are problematic
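The permission and password-file checks from the last two slides, combined in one added Python example (not the Fermilab scripts). It assumes POSIX mode bits on a local file system, whereas on AFS access is governed by directory ACLs; the rule names, the file-name pattern and the sample tree are hypothetical, and only the permission half of the password rule is implemented.

```python
import os
import re
import stat
import tempfile

PASSWORD_NAME = re.compile(r"pass(word|wd)", re.IGNORECASE)

def audit_permissions(web_root):
    """Return sorted (relative_path, finding) pairs for weak mode bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # links are left to the symlink check
            parts = rel.split(os.sep)
            # Write access to the CGI area: another account can plant code.
            if "cgi-bin" in parts and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "cgi-writable"))
            # Password-like file name that everyone can read.
            if stat.S_ISREG(mode) and PASSWORD_NAME.search(name) and mode & stat.S_IROTH:
                findings.append((rel, "password-world-readable"))
            # Top-level directory that everyone can list.
            if stat.S_ISDIR(mode) and len(parts) == 1 and mode & stat.S_IROTH:
                findings.append((rel, "top-level-world-readable"))
    return sorted(findings)

# Constructed sample layout: relative path -> mode (directories end in "/").
SAMPLE_MODES = {
    "cgi-bin/": 0o711, "cgi-bin/form.pl": 0o755, "cgi-bin/upload.pl": 0o777,
    "cgi-bin/tmp/": 0o775, "admin/": 0o755, "admin/.htpasswd": 0o644,
    "admin/Passwords.txt": 0o600, "docs/": 0o711, "docs/index.html": 0o644,
}

def build_permission_sample(base):
    for rel, mode in SAMPLE_MODES.items():
        path = os.path.join(base, rel)
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
        os.chmod(path, mode)  # explicit, so the umask does not matter
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_permissions(build_permission_sample(tmp)):
            print(f"{finding:26} {rel}")
```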

Web Server Monitoring
- NGOP (FNAL developed monitoring system) remotely monitors and alerts on the following:
  - Ping of Alteon switch
  - Ping of each web host machine
  - Ping of each web server IP address
  - Fetch pages for each web server and virtual host
  - Fetching pages for commonly used services (telephone, stock) and checking correct results
  - Verifying that the httpd for each server is running on at least one webserver host

Web Server Monitoring (cont)
  - Verifying that "fs examine" succeeds on the main web volume for each server (/afs/fnal/files/expwww/*), and any specific other volumes associated with it
  - Watching each webserver's error log on each web host, and reporting important error messages (i.e. "out of memory")
- Generally an error will cut a helpdesk ticket, and page the primary.
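The error-log watching described above, as an added Python example; it is not NGOP code. "out of memory" comes from the slide, while the other two rules, the ten-minute window that collapses repeats into one alert, and the treatment of unprefixed lines as raw script output are assumptions.

```python
import re
from datetime import datetime, timedelta

# "out of memory" is the slide's example; the other two rules are assumptions.
IMPORTANT = [
    ("out-of-memory", re.compile(r"out of memory", re.I)),
    ("maxclients", re.compile(r"reached MaxClients", re.I)),
    ("child-crash", re.compile(r"exit signal", re.I)),
]
PREFIX = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[\w+\] ")

def scan_error_log(host, lines, window=timedelta(minutes=10)):
    """Return one alert per rule per window, with repeats counted."""
    alerts, open_alert, last_seen = [], {}, datetime.min
    for line in lines:
        m = PREFIX.match(line)
        if m:
            last_seen = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        # Lines without the prefix inherit the previous time stamp.
        for rule, pattern in IMPORTANT:
            if not pattern.search(line):
                continue
            current = open_alert.get(rule)
            if current and last_seen - current["first"] <= window:
                current["count"] += 1
            else:
                current = {"host": host, "rule": rule, "first": last_seen, "count": 1}
                open_alert[rule] = current
                alerts.append(current)
            break
    return alerts

# Constructed sample lines in Apache 1.3 error_log layout.
SAMPLE_LOG = [
    "[Fri Oct 27 10:15:02 2006] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
    "Out of memory!",
    "[Fri Oct 27 10:15:40 2006] [notice] child pid 4242 exit signal Segmentation fault (11)",
    "Out of memory!",
    "[Fri Oct 27 10:31:00 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting",
    "Out of memory!",
]

if __name__ == "__main__":
    for alert in scan_error_log("www04", SAMPLE_LOG):
        print(alert["host"], alert["rule"], alert["first"], "x%d" % alert["count"])
```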

Log Processing with Urchin
- Urchin v5
- This product provides accurate web site analytics which supplies the executives, marketers, webmasters, and the web designers at your firm with the vital up-to-date information they need to make informed business decisions. Blah blah blah.
- Recently taken over by Google.
- Mixed opinions about the product…

Urchin (cont)
- Urchin likes to just stop processing without notification.
- Lots of pretty pictures and gizmos.
- Overkill for what we need, but if you are running an e-commerce business….
- We bought Urchin to remove dependence on a home grown log processing package that was very difficult to maintain.
- Urchin is easier to maintain when it works.

Security Requirements
- Run Nessus scans 2x year.
  - Nessus comes with a library of scanning profiles for known exploits.
- Scan various newsgroups looking for announcements.
- Rely on our security team to alert us.
- Follow defined baseline of Apache webservers developed at Fermilab.

Future Plans
- We are looking to upgrade to using the Cisco load balancer switch
- SunFire V240 servers
- Considered moving to Linux, but…
  - Not confident of support model. Great for general purpose farms, not as confident for server level service.
  - Lots of work to convert. Software installs, possibly broken cgi scripts etc…
- Apache 2.0
- Conscious of user communities in content management systems. CMS are hot items.

Thanks for your attention!
That’s all
One more thing before I go….

GO CARDS!!!!