Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Unix Web servers and Firewall PP 200 and P387 to 411 – Web Security by Lincoln D. Stein.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Unix Web servers and Firewall PP 200 and P387 to 411 – Web Security by Lincoln D. Stein."— Presentation transcript:

1 1 Unix Web servers and Firewall PP 200 and P387 to 411 – Web Security by Lincoln D. Stein

2 2 Unix Server (..continue..)  Monitor the integrity of System Files and Binaries  Back up Your System

3 3 Monitor the integrity of Systems Files and Binaries  It is to monitor whether the files have been modified by intruders.  The approach is to run a program that generates fingerprint of each ESSENTAIL files. (such as the md5sum (md5 checksum))  Compare the files a few days later and see whether any discrepancy..sys and.wi n

4 4 Back up the system  This is common to any system administrators to perform regular backups of essential files.  tar program is a common utility to perform backup. Tar is a Unix command

5 5 Server Security Checklist (1)  Have you installed all security-related patches?  Have you disabled all unnecessary services?  Have you run a security scanner on your system? (lab 10)  Does the server do double duty as a user workstation?  Do the Web server’s file permissions reasonable? From administrator’s viewpoint

6 6 Server Security Checklist (2)  Is the Web server running as root? (/)  Is the Web server running any unnecessary features?  Have you established the limit of users?  Do you monitor system and web pages logs?  Do you monitor the integrity of the host?  Do you backup your system?

7 7 Summary on Unix Web servers  To harden a Unix Web server as many as possible (patch, disable features….)  To properly configure the Web server (reduce number of users, file/directory access rights…)  To Monitor the logs (error log and system log, might run fingerprint)  To backup your files (use tar command..) Learnt last week

8 8 Web servers & Firewall - Overview  What is a firewall?  How to select a firewall?  How to configure a firewall?  Automatic proxy configuration for browsers?  Examining firewall logs for signs of server compromise? This week

9 9 Two firewalls with the Internet – restrict some incoming and outgoing traffic based on rules

10 10 What is a firewall? - 長城 ( 防人牆 ) from http://ljq.free163.net/shgc/wlcc.htm

11 11 Waterwall – prevent enemy, protect castle from edtech.floyd.edu/ ~lnewby/feudal_japan.htmedtech.floyd.edu/ ~lnewby/feudal_japan.htm

12 12 What is a firewall?  In a traditional LAN system, all workstations can access the Internet with a result of equal attack from the outside.  Just one of the weakest host will break the system.  The firewall addresses this problem by using a special configurable machine between the outside world and internal machines to control the traffic.

13 13 The location of a firewall  All traffic must go through the proxy server ( firewall as well ) which then decides to accept or reject the traffic.

14 14 Two basic Firewall Systems There are two basic implementations for firewalls.  Dual home gateway firewall, the gateway machine has two network interface cards each of them is connected to the LAN (inter network) and the Internet (Outer network)  Screened-host gateway uses a router to forward all the traffic from/to the outer and inner networks.

15 15 Dual-home gateway firewall  By default, the two networks are isolated.  However, there is a need to communicate between the inner and outer networks through the specialised programs called proxy (or proxies, many programs with firewall features) block

16 16 Screen-hosted gateway  A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.  It ensures that the packets from the Internet can reach the well secured proxy which then examines the data. In fact, there is no effective difference between dual- home and screen-host

17 17 Notes about firewall  Many companies use firewall systems that are not strictly firewalls. They are used to block dangerous traffic only.  The essence of a firewall system is to allow or deny passage to network traffic. They are application level for particular communications protocols, such as HTTP, e-mail, FTP (You need to configure the rule)  For example, if you decided to block all active X, you then program the proxy to check the contents of all HTML and block those that have active X.

18 18 Select a firewall system (1)  Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a check list. Operating system: Firewall products are available that run on both Unix (linux) or Windows XP systems. Neither has advantages over others. If you are familiar with Unix, Choose it. Protocols used: All firewalls will handle FTP, e- mail, HTTP, NNTP telnet etc, but some might not handle SNMP or Real Audio etc. Choose those that can satisfy your need.

19 19 Select a firewall system (2)  Filter types:Network filters based on application level proxies gives the programmers control over what passes across the firewall. Network filters based on circuit-level proxies have better performance such as IP packet-filtering system.  Logging: A firewall performs exhaustive logging with tools to analyse the log and summarise the log.  Administration: Some firewalls are configured with graphical user interfaces, others use text only.

20 20 Select a firewall system (3)  Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.  Tunneling: Some firewall systems provide the ability to setup up an encrypting tunnel across the Internet in order to securely connect two networks. (Tunneling is the transmission of data intended for use only within a private, usually corporate network through the Internet in such a way that the routing nodes in the Internet are unaware that the transmission is part of a private network. VPN is an example.)routingnode

21 21 Products ProductFeature AltaVista Uses a combination of packet filters, application level proxies and circuit-level BorderWare A Unix-only system for both application-level and packet-level CyberGuard Unix to support packet filtering, application and circuit-level. Eagle Uses application and circuit level proxy and is available for NT and Unix machines Firewall-1 Packet filtering an stateful inspection for NT and Unix Gauntlet Available a a software-only package or as a turnkey combination. No need to memorise

22 22 How to configure a firewall? As there are many commercial products with different commands and approaches, here, we would use a table for describing the routing information and is independent on any products. Outgoing web access 1.How to allow people within your organisation to safely browse the Web; 2.How to make your organisation’s public web available to the rest of the world?

23 23 A simple example – packet filter – IE and FTP Assume that you need to provide filter exceptions for outgoing connections to the HTTP (port 80) and FTP (port 21) and the data sent back in response to those connections. (RULE) ActionSrcPortDestPortFlagsComment Block * **** Block all Allow [internal user] **80* Browse outside (iexplorer – outgoing) Allow * 80**ACK ie- Incoming Allow [internal user] **21* ftp - outgoing Allow * 21**ACK ftp - incoming important

24 24 Explanation  The first column indicates whether it is allowed or blocked that traffic.  The second and third columns indicate which traffic shows from the source. Here port number is specified as well.  The fourth and fifth columns indicate that outgoing (destination) traffic. Again, port number is specified as well.  Flags indicates whether it is an  acknowledgement.

25 25 Another simple example – block IE and allow FTP Assume that you need to provide filter exceptions for outgoing connections to the FTP (port 21) and the data sent back in response to those connections. We simply block all traffic expect FTP. ActionSrcPortDestPortFlagsComment Block * **** Block all Allow [internal user] **21* ftp - outgoing Allow * 21**ACK ftp - incoming important

26 26 Picture – Gopher protocol is blocked, the table is in the Proxy 26

27 27 A simple example – application level – outgoing, linux environment  If the firewall uses application level proxy to provide Internet access, we need to enable separate proxies for each of the protocols commonly used on the Web such as HTTP, FTP, SSL. Below is an example for FTP for a Class C network at 189.45.56 #rules for the FTP gateway ftp-gw: denial-msg /usr/local/ect/ftp-deny.txt ftp-gw: welcome-msg /us/local/ect/ftp-welcome.txt ftp-gw: help-msg /usr/local/etc/ftp-help.txt ftp-gw: timeout 3600 ftp-gw: deny-hosts unknown ftp-gw: permit-hosts 189.45.56.* #rules for the http/gopher gateway http-gw: permit-hosts 189.45.56.* No need to memorise, step by step, but have to understand

28 28 Explanation  The first six lines of this file set up defaults for the FTP proxy.  The line containing deny-host prohibits the use of the proxy by any machine without a domain name system entry (here unknown)  The line containing permit-host allows any hosts in the internal network to use the proxy. Others are prohibited by default. (here, permit-hosts 193.49.189.*, any at this network.)

29 29 Incoming Web access  Once we solve the problem of outgoing Web services, we need to consider the incoming Web access.  There are many possibilities (web server with proxy, web server inside the LAN, web server outside the LAN.) Here, we introduce: – Judas server – Proxy and Web server – Sacrificial Lamb – Web server outside firewall – Private Affairs – Web server inside the firewall – Doubly Fortified Server - use multi-level of proxy to separate networks.

30 30 Judas – combine Proxy and Web server  It is not a good idea to combine proxy and web server together.  It is because Web server cannot be trusted to be bug free.  Any security holes will degrade the proxy. Not a good idea

31 31 The Sacrificial Lamb  The safest place for a public web server is outside the firewall. It is intended to public use.  Because communication between LAN and the public web server is restricted, it is difficult to use file sharing or remote login to update the material in the web server. Access by outsiders

32 32 The Private Affair Server  If the Web server is not intended to be publicly available, all best location is behind the firewall.  It maintains confidential or sensitive information. Filter all first

33 33 The Doubly Fortified Server  If you consider your web server contains highly confidential information, you should place it out of the Internet with a multiple level firewalls. (You have to set up a private firewall system.)

34 34 Running a reverse Web proxy  The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.  Their desk-top software connects to a proxy on the firewall; it relays the request to the Internet server and forwards the server's response back.  It is also possible to use application-level proxies in the reverse direction to grant people on the Internet controlled access to a Web server.

35 35 Flow of Information – Bastion (firewall)

36 36 Hybrid Server  The hybrid approach is to combine two together. One on an external scarified lamb server; one on the firewall.  In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.

37 37 Hybrid approach – Bastion (firewall here)

38 38 Summary  Firewall is to filter the unwanted traffic  It is to limit the Incoming and outgoing traffic as well.  Criteria to select a firewall  Configure a firewall – application level (IE, e-mail) or packet level (IP or TCP)  Incoming web access – Judas server, Sacrificial lamb, Private affair, Doubly fortified server, reverse web proxy etc.

39 39 Next Week Policy and Law

Download ppt "1 Unix Web servers and Firewall PP 200 and P387 to 411 – Web Security by Lincoln D. Stein."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Firewall Configuration Strategies

Firewall Configuration Strategies
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google