Server Site Security - PowerPoint PPT Presentation

Server site security l.jpg
Download
1 / 17

Server Site Security Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein Overview Why are Web sites Vulnerable? (“vulnerable” means that it is easily attacked) Common questions about web site security Steps to create a secure web site Introduction

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Server Site Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Server site security l.jpg

Y K Choi

Server Site Security

Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein


Overview l.jpg

Overview

  • Why are Web sites Vulnerable? (“vulnerable” means that it is easily attacked)

  • Common questions about web site security

  • Steps to create a secure web site

Y K Choi


Introduction l.jpg

Introduction

Installing a Web server such as Linux is very simple. All you need to do is to load the software and configure the parameters.

However, if your server is connected to the Internet, hackers, customers, employees might visit your site to learn more about it. It might be a target for attack.

Sites that have been attacked (vandalized) past year are

  • US Department of Justice

  • CIA

  • Microsoft

  • US Air Force

  • Republic of Indonesia

  • British Labour Party

examples

Y K Choi


Why are web sites invulnerable the following are the causes l.jpg

There are bugs in software

System software is incorrectly configured

The server hardware is not secure

Networks are not secure (sniffer you learnt in the lab.)

Remote authoring and administration tools (such as legion you have learnt in lab.)

Insider threats are overlooked

Denial of service (DOS) threats are ignored

Lack of security policy – such as keep log, change passwrod

Why are Web sites invulnerable?The following are the causes

8 reasons

Y K Choi


Bugs in system software l.jpg

Bugs in system software

  • This is an obvious cause.

  • Even a simple software might cause a disaster if the bug causes “back doors” for the hacker to crack the system or load the unauthorised information.

  • Please note that if there is a bug in the application, it simply crashes the application or produces incorrect data.

  • If the bug occurs to the server, it loses more, even the whole oragnisation’s information.

Use software Engineering to thoroughly test your software.

Y K Choi


The known holes l.jpg

The known holes

Don’t memorise

  • Unix web server: 1.0-1.5a allows remote users to execute Unix commands with server’s privileges

  • Apache: 1.0-1.1.1 allows remote users to execute Unix commands with server’s privileges, remote users can obtain directory listings

  • Windows NT web servers: allows remote users to execute NT commands with server’s privileges.

Y K Choi


The known holes7 l.jpg

The known holes

  • Microsoft IIS: 1.0 allows remote users to execute NT commands with server’s privileges

  • Microsoft IIS: 1.0-3.0 allows remote users to obtain CGI script contents

  • CGI scripts and server extension: 1.0-1.2 allows remote users to execute Unix commands with server’s privileges.

Y K Choi


System software is incorrectly configured l.jpg

System Software is incorrectly configured

  • Even there is no bug in the server, a web server is still insecure if the operating system, underlying networks and other servers are incorrectly configured.

  • In the Linux system, a common mis-configuration is the file permissions. (read write execute rwx). If a file is mis-configured to have a write permission, it allows others to modify the content.

The fix is to change to read only

Y K Choi


Secure hardware l.jpg

Secure hardware

  • The server is physically insecure.

  • The server is located in a unlocked computer room.

  • The telephone lines are insecure.

  • Some can reboot the server with a floppy disk.

(you can create a bootable floppy disk for later use.)

Y K Choi


Network is insecure l.jpg

Network is insecure

You learnt the use of capture utility

  • It is very easy to use sniffer such as packet boy, Ethereal (learnt in the lab.) to intercept messages.

  • This means that Web documents, e-mails and interactive login sessions are all vulnerable (easily damaged) to eavesdropping (attack)

  • The user’s names and passwords can be intercepted as well.

  • A cracker simply uses sniffer to steal information.

Y K Choi


Remote authoring administration tools l.jpg

Remote Authoring & Administration Tools

Legion is an example

  • Sometimes, the administer will not sit in front of the server to modify the configuration, examine the log files and tune the performance factors, but might be in a remote location over the Internet.

  • This information might be intercepted by cracker if a remote authoring tool has HOLES.

Check log files

Y K Choi


Insider threats are overlooked l.jpg

Insider threats are overlooked

  • Most people look at computer crimes from outsiders, a few look at it the threats from the insiders.

  • Intranets servers needs attention about internal users.

Intranet is quite secure

Employees, not loyal!

Y K Choi


Security policy l.jpg

Security Policy

If there is no security policy, you are not sure whether your site is secure.

It is a list of what is and is not permissible.

For example, in the lab, you are not allowed to install illegal software.

Note that a security system consists of:

Technology, Policy and Law

Policy: Change your password every two months

Y K Choi


Common questions about web server security l.jpg

Common questions about web server security

  • Which operating system is most secure: It is Macintosh OS, as it does not have a command interpreter. AS400, the proprietary product, is more secure.

  • Unix and XP: Both have their share of security problems.

  • Will a firewall system makes a web server more secure: By itself, it will not, in fact, it may make it less. If the server is configured well, there is no need to use a firewall system.

Y K Choi


Steps to secure a web site there are 7 steps l.jpg

Steps to secure a web site – there are 7 steps

  • Secure the operating system and web server – use and install the vendor’s security related patches and remove unnecessary services.

  • Monitor the server for suspicious activity – please note that some attacks are less obvious.

  • Set the proper access to confidential documents – use SSL capable servers

SSL encrypts the message

Y K Choi


Steps to secure a web site l.jpg

Steps to secure a web site

  • Write safe CGI scripts – even there is a secure network and server, if we don’t have a safe CGI script, there might be holes in the server

  • Set up safe remote authoring and administrative facilities

  • Protect the LAN against the web server. Don’t make the Web server by the cracker to attack other more critical servers.

  • Keep a security list.

Y K Choi


Summary l.jpg

Summary

  • There many reasons why Web sites are vulnerable:

    • software bug,

    • mis-configuration,

    • insecure network,

    • lack of policy,

    • use incorrect remote tool

  • 7 steps to make the server most secure

Try to avoid them

Y K Choi


  • Login