Web Server Security: Protecting Your Pages, NOAA OAR WebShop 2001, August 2nd, 2001, Jeremy Warren


1 Web Server Security: Protecting Your Pages
NOAA OAR WebShop 2001, August 2nd, 2001
Jeremy Warren

2 Overview
Vulnerabilities
General Security Solutions
Network Architecture Security Solutions

3 Vulnerabilities
The Risks
The Numbers

4 Vulnerabilities: The Risks
Web servers are often more vulnerable than other systems because they are meant to be accessed: the service you must expose to the public is the same one an attacker reaches.
Forms, scripts, and dynamic content compound the problem by granting higher levels of access to the system (each one is code that runs on the server with input the visitor controls).
Web servers are a high-visibility target.

5 Vulnerabilities: The Risks (con't)
Data interception is seen as a "network problem," not necessarily a "web server problem," so it is often not addressed on the server at all.
Servers and workstations often have web services running by default.
Widespread use of Windows and Linux makes them easy targets: attack tools for common versions circulate widely.

6 Vulnerabilities: The Numbers
54% of all attacks on OAR systems have targeted web servers (since 2000)
64% of those attacks have been successful (since 2000)
Note: these figures only include what was officially reported

7 General Security Solutions – The Big Three
1) Disable Unused Services & Plug-ins
2) System Patches
3) Router Filters & Firewalls

8 General Security Solutions – Other Really Good Things To Do
4) Security Policies
5) Enforce Strong Passwords
6) Server Logs
7) Preventing Data Interception
8) Script Security

9 1) Disable Unused Services & Plug-ins
Turn off unnecessary web services
Disable FTP
Disable server-side includes
Disable any other services that are not needed on the web server (e.g. tftp, sendmail, gopher, finger, CGI scripts, ODBC drivers, etc.)
Remove sample files installed by default (demo scripts and pages are rarely maintained and are well known to attackers)
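The two checks behind this slide, as an added example that is not part of the original talk: comment out every inetd service that is not on an explicit allowlist (a web server normally needs none of them), then compare the ports the host actually listens on against the ports it is supposed to serve. The inetd.conf excerpt and the netstat listing are constructed for the example; the function names are this example's own.

```python
"""Audit a web server for services that should be off (added example)."""

# Constructed /etc/inetd.conf excerpt: service, socket type, proto, flags, user, program, args.
SAMPLE_INETD_CONF = """\
# service socket proto  wait   user   program               args
ftp      stream tcp    nowait root   /usr/sbin/in.ftpd     in.ftpd
telnet   stream tcp    nowait root   /usr/sbin/in.telnetd  in.telnetd
tftp     dgram  udp    wait   nobody /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
finger   stream tcp    nowait nobody /usr/sbin/in.fingerd  in.fingerd
gopher   stream tcp    nowait root   /usr/sbin/gopherd     gopherd
#pop3    stream tcp    nowait root   /usr/sbin/ipop3d      ipop3d
"""

# Constructed `netstat -tln` output (listening TCP sockets only).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""


def active_inetd_services(conf_text):
    """Names of the services inetd would actually start (uncommented, non-blank lines)."""
    return [line.split()[0] for line in conf_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def harden_inetd(conf_text, keep=frozenset()):
    """Comment out every active service not in `keep`; return (new_text, disabled).

    Allowlist rather than blocklist: the default keeps nothing.  Disabled
    lines stay in the file as comments so the change can be reviewed and reverted.
    """
    out, disabled = [], []
    for line in conf_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            service = line.split()[0]
            if service not in keep:
                out.append("#" + line)
                disabled.append(service)
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


def unexpected_listeners(netstat_text, allowed_ports):
    """Sorted LISTEN ports that are not in `allowed_ports`.

    Loopback-only listeners (127.0.0.1) are reported too: a local-only daemon
    is still code an attacker can reach once they have a shell on the box.
    """
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        if port not in allowed_ports:
            found.add(port)
    return sorted(found)


if __name__ == "__main__":
    hardened, gone = harden_inetd(SAMPLE_INETD_CONF)
    print("disabled inetd services:", gone)
    print("still active:", active_inetd_services(hardened))
    print("listeners to explain:", unexpected_listeners(SAMPLE_NETSTAT, {80, 22}))
```

Every port the audit reports should be either justified and added to the allowlist or shut down; on the constructed host that is ftp (21), sendmail (25) and finger (79).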

10 2) System Patches
Patch the system regularly
Use automation tools when possible (e.g. rpm)
Use patch version-checking tools (http://grc.com/pw/patchwork.htm)
Get patches from a trusted location (NOAA's security ftp site) and check their signatures or checksums before installing
Patch both the OS and the web server software

11 3) Router Filters and Firewalls
Restrict access to TCP/IP ports (by filtering at the router, using TCP wrappers, etc.)
Use stateful firewalls that can filter on both source and destination, and that only pass return traffic for connections they have seen opened
Log server access at the firewall (more about logging below)
Packet content filtering (advanced firewalls that examine every packet; this will significantly impact transfer rates)
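What "stateful, filtering on both source and destination" buys you, as an added example and not configuration from the talk: a toy packet filter with rules keyed on source network, destination address and port, plus a connection table so that only return traffic for connections the filter has seen opened is accepted. The addresses, the rule set and the packet sequence are constructed for the example.

```python
"""Toy stateful packet filter for a DMZ web server (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str              # "ACCEPT" or "DROP"
    src_net: str             # CIDR the packet source must fall in
    dst_net: str             # CIDR the packet destination must fall in
    dport: Optional[int]     # destination port, or None for any

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # 4-tuples of accepted, open connections
        self.log = []              # dropped packets, i.e. the firewall log

    def check(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating connection state."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Established traffic: either direction of a connection we accepted.
        if fwd in self.connections or rev in self.connections:
            return "ACCEPT"
        # Anything else must be a genuine connection attempt (SYN without ACK).
        # A lone ACK from outside (an ACK scan, or "established" faked by flag
        # bits) has no table entry and is dropped, which a stateless filter
        # that trusts the ACK bit would not do.
        if not (pkt.syn and not pkt.ack):
            return self._drop(pkt, "no state")
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "ACCEPT":
                    self.connections.add(fwd)
                    return "ACCEPT"
                return self._drop(pkt, "rule")
        return self._drop(pkt, "default deny")

    def _drop(self, pkt, reason):
        self.log.append((pkt.src, pkt.sport, pkt.dst, pkt.dport, reason))
        return "DROP"


# Constructed addresses: 203.0.113.10 is the DMZ web server, 10.0.0.0/8 the
# interior network, 192.0.2.0/24 the administrators' network.
WEB = "203.0.113.10"
INNER_FIREWALL_RULES = [
    Rule("ACCEPT", "0.0.0.0/0", "203.0.113.10/32", 80),     # anyone -> web HTTP
    Rule("ACCEPT", "0.0.0.0/0", "203.0.113.10/32", 443),    # anyone -> web HTTPS
    Rule("ACCEPT", "192.0.2.0/24", "203.0.113.10/32", 22),  # admins -> web SSH
    Rule("DROP", "203.0.113.0/24", "10.0.0.0/8", None),     # DMZ never opens connections inward
]


def demo():
    """Run a constructed packet sequence through the filter; returns the decisions in order."""
    fw = StatefulFilter(INNER_FIREWALL_RULES)
    return [
        fw.check(Packet("198.51.100.5", 40000, WEB, 80, syn=True)),           # ACCEPT: new HTTP connection
        fw.check(Packet(WEB, 80, "198.51.100.5", 40000, syn=True, ack=True)),  # ACCEPT: reply, state exists
        fw.check(Packet("198.51.100.6", 40001, WEB, 80, ack=True)),           # DROP: ACK with no state
        fw.check(Packet("198.51.100.5", 40002, WEB, 22, syn=True)),           # DROP: SSH from the outside
        fw.check(Packet("192.0.2.9", 40003, WEB, 22, syn=True)),              # ACCEPT: SSH from the admin net
        fw.check(Packet(WEB, 40004, "10.1.2.3", 22, syn=True)),               # DROP: broken-into web server reaching in
    ]
```

The last packet is the DMZ case from later in the talk: a web server that has been broken into cannot open connections into the interior network, and the attempt lands in the firewall log.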

12 4) Security Policies
Increase the level of security awareness among users and content providers
Serve as requirements for procurement of future technical solutions
Allow for action following violations
All OAR sites have a Security Plan with rules of behavior for the system

13 5) Enforce Strong Passwords
DOC Password Policy (https://www.csp.noaa.gov)
–Enforce changing passwords every 90 days
–Passwords must have at least 8 characters
–Passwords must always have at least one non-alphanumeric character
Use a password-cracking tool to audit user passwords (check with supervisors first!)
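The three policy rules as a check, and the audit the last bullet describes, as an added example rather than anything from the talk or from the DOC policy site. The hash is salted SHA-256, a stand-in for the system's crypt(3) so the example runs anywhere; the accounts, salts, word list and mangling rules are constructed.

```python
"""Password policy check and a small dictionary audit (added example)."""
import datetime
import hashlib

MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed dates used by the demo below.
SAMPLE_TODAY = datetime.date(2001, 8, 2)
RECENT_CHANGE = datetime.date(2001, 7, 1)   # 32 days old
STALE_CHANGE = datetime.date(2001, 1, 1)    # 213 days old


def policy_violations(password, last_changed, today):
    """List of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("not changed in %d days" % MAX_AGE_DAYS)
    return problems


def hash_password(password, salt):
    """Salted hash; stands in for crypt(3) in this example."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(word):
    """Cheap mangling rules a cracking tool applies to every dictionary word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2001"):
        yield word + suffix
        yield word.capitalize() + suffix


def audit_hashes(records, wordlist):
    """records: (user, salt, hash).  Returns {user: recovered_password}."""
    cracked = {}
    for user, salt, digest in records:
        for word in wordlist:
            for guess in candidates(word):
                if hash_password(guess, salt) == digest:
                    cracked[user] = guess
                    break
            if user in cracked:
                break
    return cracked


# Constructed accounts: alice used a dictionary word plus a year (8 characters,
# so length alone would pass); carol's passphrase meets the policy and is not
# derivable from the word list.
SAMPLE_RECORDS = [
    ("alice", "x7", hash_password("Noaa2001", "x7")),
    ("carol", "q2", hash_password("gr33n-Tid3s#", "q2")),
]
SAMPLE_WORDLIST = ["password", "noaa", "weather", "summer", "admin"]

if __name__ == "__main__":
    print("alice's policy problems:", policy_violations("Noaa2001", RECENT_CHANGE, SAMPLE_TODAY))
    print("cracked by audit:", audit_hashes(SAMPLE_RECORDS, SAMPLE_WORDLIST))
```

The two checks complement each other: the policy check rejects alice's password only for the missing non-alphanumeric character, while the audit shows it falls to a word list in a handful of guesses.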

14 6) Server Logs
Keep access logs
Check logs on a regular basis
Store logs in a secure place
–Hackers like to delete logs to cover their tracks
–Store log files on a separate server, in hard copy, or burn them to a CD as they are created (a copy the web server itself cannot alter)
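Both halves of this slide in code, as an added example that is not from the talk: a log review that flags the generic signs of probing (path traversal, embedded null bytes, oversized requests, unusual methods, and one source producing many errors), and a hash chain over the lines so that a copy shipped off the web server reveals any deleted or edited entry. The log lines are constructed in Apache common log format; the thresholds and indicator list are this example's choices.

```python
"""Access log review plus a tamper-evident hash chain (added example)."""
import hashlib
import re
from collections import Counter
from urllib.parse import unquote

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)')
MAX_PATH = 512
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ERROR_THRESHOLD = 3   # 4xx/5xx responses from one source before it is called noisy

# Constructed sample log (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2001:10:45:12 -0400] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [02/Aug/2001:10:45:13 -0400] "GET /images/logo.gif HTTP/1.0" 200 1024',
    '198.51.100.7 - - [02/Aug/2001:10:46:01 -0400] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 312',
    '198.51.100.7 - - [02/Aug/2001:10:46:02 -0400] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 312',
    '198.51.100.7 - - [02/Aug/2001:10:46:03 -0400] "GET /cgi-bin/view.pl?file=secret%00.html HTTP/1.0" 500 0',
    '198.51.100.7 - - [02/Aug/2001:10:46:04 -0400] "GET /' + "A" * 600 + ' HTTP/1.0" 414 0',
    '203.0.113.4 - - [02/Aug/2001:10:47:00 -0400] "PROPFIND /data/ HTTP/1.1" 405 0',
]


def parse(line):
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}


def request_indicators(entry):
    """Reasons one request looks like probing; empty if it looks normal."""
    reasons = []
    decoded = unquote(entry["path"])     # catch %2e%2e and %00 as well as the literal forms
    if ".." in decoded:
        reasons.append("path traversal")
    if "\x00" in decoded:
        reasons.append("null byte")
    if len(entry["path"]) > MAX_PATH:
        reasons.append("oversized request")
    if entry["method"] not in ALLOWED_METHODS:
        reasons.append("unusual method " + entry["method"])
    return reasons


def review(lines):
    """Return (findings, noisy_sources): per-request hits, and sources with many errors."""
    findings, errors = [], Counter()
    for line in lines:
        entry = parse(line)
        if entry is None:
            findings.append(("-", "unparseable line", line[:60]))
            continue
        for reason in request_indicators(entry):
            findings.append((entry["ip"], reason, entry["path"][:60]))
        if entry["status"] >= 400:
            errors[entry["ip"]] += 1
    noisy = sorted(ip for ip, n in errors.items() if n >= ERROR_THRESHOLD)
    return findings, noisy


def chain_digests(lines, seed="log-start"):
    """Hash chain: each digest covers its line and the previous digest.
    Ship the digests (even just the latest) off the server as lines are written."""
    digests, prev = [], seed
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, digests, seed="log-start"):
    """Index of the first line that no longer matches its digest, or None if intact."""
    prev = seed
    for i, (line, digest) in enumerate(zip(lines, digests)):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if prev != digest:
            return i
    return None if len(lines) == len(digests) else min(len(lines), len(digests))
```

The chain only helps if the digests leave the machine: an intruder who can delete the log can recompute a chain stored beside it, which is the same reason the slide wants the copy on another server, on paper, or on write-once media.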

15 7) Preventing Data Interception
Use Secure Sockets Layer (SSL) to encrypt data where necessary
Free SSL implementations are available (http://www.apache-ssl.org/)
Use authentication only when necessary (credentials sent over plain HTTP can be read off the wire)
Only authenticate to the NEMS LDAP when using SSL

16 8) Script Security
Never write shell scripts in CGI! (form input that reaches the shell becomes a command)
Perl and PHP are generally the best to use
Use well-supported libraries (they allow for higher portability and are generally well patched)
Use the current version of the interpreter or compiler (they have better security warnings)
Go to Ann Keane's presentation tomorrow at 10:45!
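Why the first bullet is an absolute rule, as an added example in Python rather than the talk's own code: a CGI handler that pastes a form field into a shell command line hands the shell to whoever submits the form, and the fix is to run the program with an argument vector (so no shell parses the input) and to accept only what a username can look like. `echo` stands in for a real program such as finger so the example runs harmlessly anywhere with /bin/sh; the username pattern is this example's choice.

```python
"""A shell-injectable CGI lookup beside its hardened form (added example)."""
import re
import subprocess

USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # assumed local account-name rule


def lookup_vulnerable(user):
    """Shell-script style: the form value is pasted into a command line
    (the same thing `finger $QUERY_STRING` does in a sh CGI)."""
    cmd = "echo looking up " + user
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(user):
    """Fix 1: argument vector, no shell.  Metacharacters are just text."""
    return subprocess.run(["echo", "looking up", user],
                          capture_output=True, text=True).stdout


def lookup_safe(user):
    """Fix 1 + 2: reject anything that is not a plausible username, then call without a shell."""
    if not USERNAME.fullmatch(user):
        raise ValueError("invalid username")
    return lookup_no_shell(user)


def cgi_response(user, handler=lookup_safe):
    """Minimal CGI output: headers, blank line, body.  The error path never echoes the input."""
    try:
        body = handler(user)
    except ValueError:
        return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad username\n"
    return "Content-Type: text/plain\r\n\r\n" + body


if __name__ == "__main__":
    hostile = "bob; echo INJECTED"
    print(lookup_vulnerable(hostile), end="")   # second command runs
    print(lookup_no_shell(hostile), end="")     # one line, input printed literally
    print(cgi_response(hostile), end="")        # rejected before any program runs
```

Validation alone is not enough (a pattern that later loosens to allow a quote or a semicolon reopens the hole), and the argv form alone still passes hostile text to the program; the two together are the habit the slide's Perl and PHP advice assumes.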

17 Network Architecture Security Solutions
DMZs (Demilitarized Zones)
Development Servers
Site Mirroring

18 DMZs - Method
Basic Design
–Design your network with a firewall between your systems and the outside world (more restrictive filter set)
–Add a second firewall level outside of your existing firewall (less restrictive filter set)
–The area between the two firewalls is your DMZ
Put your external web servers in the DMZ

19 DMZs - Benefits
Protects your systems with a more restrictive filter set without inhibiting access to your web server
Protects your web server with a less restrictive filter set (which is better than leaving it in the open)
Protects your network should your web server be broken into (the inner firewall keeps the compromised server from reaching interior systems)

20 Development Servers
Extension of the DMZ idea
Method
–Put a development server on the interior network
–Users only update the development server
–The development server replicates its changes to the external web server on a regular basis
The development server decreases the impact of hacks on the web server (it doesn't prevent them): the master copy is never exposed, and the next replication overwrites whatever was changed on the external server
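The replication step as an added example (not the talk's tooling): a one-way push that makes the external web server's tree identical to the development server's, and reports what it had to change. Because developers only ever write to the development server, any file that was modified or added on the web server was put there by someone else, so the report doubles as a tamper check. Both site trees are constructed in a temporary directory; the defaced page and the leftover script are sample data.

```python
"""One-way replication from the development server to the web server (added example)."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """{relative path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def replicate(dev_root, web_root):
    """Make web_root identical to dev_root; return what changed.

    Files that differ from the development copy are pushed; files that exist
    only on the web server are removed.  Both lists are evidence that
    someone other than the developers wrote to the web server.
    """
    dev, web = snapshot(dev_root), snapshot(web_root)
    pushed = sorted(p for p in dev if web.get(p) != dev[p])
    removed = sorted(p for p in web if p not in dev)
    for rel in pushed:
        target = os.path.join(web_root, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(dev_root, rel), target)
    for rel in removed:
        os.remove(os.path.join(web_root, rel))
    return {"pushed": pushed, "removed": removed}


def write_file(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build the constructed trees, replicate, and return (report, trees_identical)."""
    base = tempfile.mkdtemp()
    dev, web = os.path.join(base, "dev"), os.path.join(base, "web")
    write_file(dev, "index.html", "<h1>OAR WebShop 2001</h1>")
    write_file(dev, "cgi-bin/search.pl", "#!/usr/bin/perl\n")
    write_file(web, "index.html", "<h1>owned</h1>")             # defaced on the web server
    write_file(web, "cgi-bin/search.pl", "#!/usr/bin/perl\n")   # unchanged
    write_file(web, "cgi-bin/shell.cgi", "#!/bin/sh\n")         # constructed: left behind by an intruder
    report = replicate(dev, web)
    identical = snapshot(dev) == snapshot(web)
    shutil.rmtree(base)
    return report, identical


if __name__ == "__main__":
    print(demo())
```

A non-empty report on a scheduled run is the moment to treat the web server as compromised and investigate, not just to be glad the page is back; the push restores content, it does not remove whatever let the intruder in.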

21 Site Mirroring
Duplicate the production site on multiple servers
Method
–Can be done simply through DNS (round-robin: several address records for the one site name)
–Can also be done with a load balancer to increase performance of the site
If one server gets hacked then it can be shut down without impacting the web site

22 Wrap Up
Vulnerabilities
–More than half of all attacks are on web servers because they are high-risk, high-visibility targets
We can protect our systems through:
Network Architecture Solutions
–DMZs
–Development Servers
–Site Mirroring
General Security Principles
–Patching
–Disabling Services
–Installing firewalls

23 Additional Information
NOAA Security Page – https://www.csp.noaa.gov
WWW Security FAQ – http://www.w3.org/Security/faq/wwwsf.html
Apache Security Tips – http://httpd.apache.org/docs/misc/security_tips.html

