Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Server Administration Chapter 10 Securing the Web Environment.

Published byShon Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Server Administration Chapter 10 Securing the Web Environment."— Presentation transcript:

1 Web Server Administration Chapter 10 Securing the Web Environment

2 Overview Identify threats and vulnerabilities Secure data transmission Secure the operating system Secure server applications

3 Overview Authenticate Web users Use a firewall Use a proxy server Use intrusion detection software

4 Identifying Threats and Vulnerabilities Hackers vs Crackers vs Attackers Focus is on threats from the Internet connection Where attack Computer system itself – OS or app sometimes at fault Transmission of the data Why attack Challenge of penetrating a system Challenge of vandalizing it To gather data - credit card numbers, user names and passwords, other personal data

5 Examining TCP/IP TCP/IP designed for communication not security. Hackers can take advantage of the intricacy of TCP/IP Applications assume packets are correct and accept them blindly from the specific port. IP header parts most relevant to security Source address Destination address Packet identification, flags, fragment offset Total length Protocol – TCP, UDP, ICMP

6 TCP-Delivering Data to Applications Important header fields Source and destination ports Sequence number, data offset Flags, such as SYN, ACK, FIN Establishing a standard TCP connection

7 Connection Vulnerabilities SYN flood – attacker manipulates header to cause this. UDP protocol is connectionless (DNS) and can be used to attack a system ICMP protocol controls communication and reports status (responds to PING). Attacker can probe these messages to find ways to attack.

8 Vulnerabilities of DNS Historically DNS has had security problems BIND -most common DNS older version had serious bugs BIND 9, the current version, has been more secure https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

9 Vulnerabilities in Operating Systems large and complex software more opportunities for attack Systems personnel is busy Not maintaining updates Not installing patches Common OS attack buffer overruns-allow the attacker to take over the computer

10 Vulnerabilities in Web servers Static HTML pages -no problem Databases – create vulnerability Programming – create vulnerability Programmers over-worked No time to focus on security Security is an after- thought Security is handled when attacker attacks

11 Vulnerabilities in Web servers Databases Placement of connection string Not filtering and validating data sent from client. Programming User authentication Stored as plain text Transmitted as plain text

12 Vulnerabilities of E-mail Servers E-mail servers are open by design E-mail servers can be overflowed by a series of very large e-mail messages E-mail can get denial of service if an overwhelming number of messages are sent at the same time Viruses can be sent to e-mail users User authentication done in plain text when Retrieving e-mail over the Internet

13 Securing Data Transmission Encrypt transmitted data SSL – Secure Socket layer Used between client and web server SSH - Secure Shell Secure telnet Secure FTP

14 Secure Sockets Layer (SSL) Digital certificate issued by a certification authority (CA) identifies an organization CA can be a third party (e-commerce) Public key infrastructure (PKI) defines the system of CAs and certificates Public key cryptography depends on two keys Public key Shared with everyone Encrypted data to send to server Client encrypts session key (clients private key) with message Private key – kept by owner of the public key needed to decrypt the data

15 Establishing an SSL Connection

16 Using SSH for Tunneling Tunneling - use an unsecure protocol, such as POP3, through a secure connection, such as SSH To set up tunneling Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535) Configure the SSH client to connect to POP3 port 110 Log in to the SSH client Direct the e-mail client to port 5555 and log in to the e-mail server

17 Securing the Operating System Use the server for only necessary tasks Minimize user accounts Disable services that are not needed Make sure that you have a secure password In addition to using upper case, lower case numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255 Check a table of ALT values to avoid common characters The use of the ALT key will thwart most hackers

18 Securing Linux Only run daemons (services) that you need Generally, daemons are disabled by default list of daemons that are running netstat -l Use chkconfig to enable and disable daemons chkconfig imap on - enables imap Get list of services turned on at boot up chkconfig - - list

19 Securing FTP and telnet Linux - SSH – allows you to do the same functions as telnet but using a secure environment Windows – PuTTY is a SSH client Linux – sftp (secure ftp) Windows – psftp (PuTTY sftp)

20 Securing E-mail SSH tunnel for POP3 which would prevent data from being seen Limit mailbox size - To prevent someone from sending large e-mail messages until the disk is full

21 Securing the Web Server Enable the minimum features If you don't need a programming language, do not enable it Make sure programmers understand security issues Implement SSL where appropriate

22 Securing Apache Directories Httpd directory entries: You can restrict access to directories by using "allow" and "deny" Allows only 2 ip addresses to access directory order allow, deny allow from 10.10.10.5 192.168.0.3 deny from all Denies any client from evildoers.org access directory order deny, allow allow from all deny from evilDovers.org

23 Authenticating Web Users Apache uses HTTP to enable authentication HTTP tries to access a protected directory and fails Then it requests authentication from the user in a dialog box My CSCI323 discussion of HTTP AuthenticationCSCI323 More documentation: Comprehensive Guide to.htaccessComprehensive Guide to.htaccess Used in conjunction with SSL User authentication pair is encrypted for transfer

24 User Authentication in Apache Use httpd.conf file for server in general Can create a pair to protect certain directories: HTTP authentication User names and passwords are kept in a separate file Create.htaccess in directory to protect Create password file (.htpasswd) -c creates a new.htpasswd file htpasswd –c.htpasswd zimmer1 (need to type in password when prompted)

25 Apache User Authentication Directives DirectiveDescription AuthName Specifies descriptive text for user authentication that appears on the user’s browser when the request is made to log on. Example: AuthName Internal Product Information AuthType Specifies the authentication type, use Basic. Example: AuthType Basic AuthUserFile Specifies the complete path to the user authentication file (.htpasswd) Example: AuthUserFile /var/www/users AuthGroupFile Specifies the complete path to the text file that associates users with groups. require Defines which users in the user authentication file are allowed access to the directory. Examples: require user zimmer1 zimmer2 require group developers designers require valid-user

26 Apache User Authentication Assume you want to restrict the /newprods directory to any user in the users file AuthName "New Product Information" AuthType Basic AuthUserFile /var/www/users require valid-user

27 Break Using csci323 web server Within public_html Create a directory: csci325 Create a simple webpage: csci325_secure.html Using the notes: CSCI323 HTTP AuthCSCI323 HTTP Auth secure the csci325 directory Check your security: Class pageClass page 27

28 Using a Firewall A firewall implements a security policy between networks Our focus is between the Internet and an organization's network You need to limit access, especially from the Internet to your internal computers Restrict access to Web servers, e-mail servers, and other related servers

29 Types of Filtering Packet filtering Looks at each individual packet Based on rules, it determines whether to let it pass through the firewall Circuit-level filtering (stateful or dynamic filtering) Controls complete communication session, not just individual packets Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside Application-level Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e- mail

30 A Packet-filtering Firewall Consists of a list of acceptance and denial rules A firewall independently filters what comes in and what goes out It is best to start with a default policy that denies all traffic, in and out We can reject or drop a failed packet Drop – (best) thrown away without response Reject – ICMP message sent in response

31 Firewall on Linux - iptables Connections can be logged Initializing the firewall Remove any pre-existing rules iptables --flush Set default policy to drop packets iptables --policy INPUT DROP iptables --policy OUTPUT DROP At this point nothing comes in and nothing goes out

32 Describing the Packets to Accept -A (Append rule) INPUT or OUTPUT -i eth0 (input interface) or –o eth0 (output) -p tcp or -p udp (protocol type) -s, -d (source, destination address) --sport, --dport (source, destination port) -j ACCEPT (this is a good rule)

33 Allowing Access to Web Server Allow packets from any address with an unprivileged port to the address on our server destined to port 80 The following should be on a single line iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 80 –j ACCEPT Allow packets to go out port 80 from our server to any unprivileged port at any address iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 --sport 80 --dport 1024:65535 –j ACCEPT

34 Allowing Access to DNS DNS uses port 53 UDP for resolving, TCP for zone transfers iptables –A INPUT –i eth0 –p udp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p udp –s 192.168.1.10 --sport 53 --dport 1024:65535 –j ACCEPT iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 --sport 53 --dport 1024:65535 –j ACCEPT

35 Allowing Access to FTP Port 21 for data, port 20 for control Data is transferred through unprivileged ports Opening unprivileged ports can be a problem iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 - -dport 1024:65535 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 - -dport 1024:65535 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT

36 Using a Proxy Server A proxy server delivers content on behalf of a user or server application Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP Forward proxy servers isolate users from the Internet Users contact proxy server which gets Web page Reverse proxy servers isolate Web server environment from the Internet When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

37 Using Intrusion Detection Software Intrusion detection is designed to show you that your defenses have been penetrated With Microsoft ISA Server, it only detects specific types of intrusion In Linux, Tripwire tracks changes to files

38 Tripwire Tripwire allows you to set policies that allow you to monitor any changes to the files on the system Tripwire can detect file additions, file deletions, and changes to existing files By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

39 Tripwire After installing Tripwire, you configure the policy file to determine which files to monitor A default list of files is included but it will take time to refine the list A report can be produced to find out which files have been added, changed, and deleted Usually, it runs automatically at night

40 Summary Every computer connected to the Internet represents a potential target for attack Hackers can gather data and modify systems SSL can secure data transmission Keep each server to a single purpose such as Web server or e-mail Keep applications and services to a minimum

41 Summary User authentication controls access to one or more Web server directories Firewalls control access policies between networks A proxy server delivers content on behalf of a user or server application Intrusion detection software identifies intrusions but typically does not prevent them

Download ppt "Web Server Administration Chapter 10 Securing the Web Environment."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
CCNA – Network Fundamentals

CCNA – Network Fundamentals
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
Web Server Administration Chapter 10 Securing the Web Environment.

Web Server Administration Chapter 10 Securing the Web Environment.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Web Server Administration

Web Server Administration
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.

Similar presentations

Ads by Google