1 / 27

Web Server Technologies Part III: Security & Future Musings

Web Server Technologies Part III: Security & Future Musings. Joe Lima Director of Product Development Port80 Software, Inc. jlima@port80software.com. Web Server Technologies | Part III: Security & Future Musings. Tutorial Content. Web security Core security concepts

calla
Download Presentation

Web Server Technologies Part III: Security & Future Musings

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Server Technologies Part III: Security & Future Musings Joe LimaDirector of Product Development Port80 Software, Inc. jlima@port80software.com

  2. Web Server Technologies | Part III: Security & Future Musings Tutorial Content • Web security • Core security concepts • Network security (packets and addresses) • Host security (hardening) • Application security (sanitizing input) • Transaction security (SSL) • Web applications as software applications: implications, predictions, open issues

  3. Web Server Technologies | Part III: Security & Future Musings Core Security Concepts • Types of attacks • Understanding serious attack strategies • Reconnaissance as an attack prelude • Security in depth strategy • Principle of least access • The need for threat assessment

  4. Web Server Technologies | Part III: Security & Future Musings A Brief Taxonomy of Attack Types Virus – Program that appends itself to existing program and attempts self-propagation Worm – Standalone self-propagating program that carries out malicious action of some type Trojan Horse – Program that executes malicious code under cover of some benign functionality Denial of Service (DoS) – Deliberate use of a program’s or machine’s resources sufficient to deny others its legitimate use Spoofing – Assumption of a false identity (email, IP), often used in conjunction with other attacks Bug exploitation – Use of known (unpatched) vulnerabilities to carry out malicious actions

  5. Web Server Technologies | Part III: Security & Future Musings Attack Strategies The goals of a serious attacker are oriented toward extracting maximum advantage from an attack • Privilege escalation leading ideally to root, superuser, or administrator access • The use of rootkits • Leaving a backdoor – a means of reentry that bypasses the need to hack their way back in • Stealth – removing all traces of the machine having been compromised in order to continue exploiting it directly, or as a platform for attacking other machines • Log file alterations • Using a service to cover up a rootkit

  6. Web Server Technologies | Part III: Security & Future Musings Attack Reconnaissance Information gathering is often the prelude to a well-planned attack • Much key data is often publicly available • IP addresses, admin user names, network topologies and usage patterns, etc. • Human engineering a major factor • Casual sharing of sensitive data increases likelihood it will fall into wrong hands • A variety of manual and automated techniques for sniffing out software details • Packet sniffers • Stack scanners • HTTP (and other) fingerprinters

  7. Web Server Technologies | Part III: Security & Future Musings Security in Depth Strategy • Partly a buzzword invented to sell security stuff • Also an important principle for planning and designing enterprise security • Aim for multiple layers of security that support and reinforce one another • Succeeding layers both back up preceding ones if they fail, and also make it less likely they will, by taking some of the burden off and allowing for greater functional specialization • Firewall, anti-virus, IDS, IPS, application firewall, etc. • Possibility of going too far if management burden reduces efficient enforcement of policies

  8. Web Server Technologies | Part III: Security & Future Musings Principle of Least Access In the case of Web server security, it applies at multiple levels: • The file system of the physical Web server • Tightest possible ACLs • The HTTP service itself • Restrict by IP and auth where possible • All other services running on the same box (file transfer & sharing, remote admin) • Shut down as many ports & services as possible • The network in which the Web server lives • As few firewall holes and logins as possible • Information about Web operations in general • Inside attacks cost five times as much as outsider attacks; risks of info leakage very high

  9. Web Server Technologies | Part III: Security & Future Musings The Need for Threat Assessment • Security-functionality trade off can make attainable levels of security impractical • Productively of supported employees likely to suffer as things are locked down tighter • Central importance of human factors severely increases costs of enforcement • Minimizing human factor issues can require major business process reengineering • Security in depth strategy can drive up hardware, software and services bills • In practice, all these costs must be balanced against: • Likelihood of the threat • Business value of the target

  10. Web Server Technologies | Part III: Security & Future Musings Network Security • Packet level vulnerabilities • Exposure: passwords and form data • IP spoofing • Network DoS attacks • SYN floods, ICMP floods • Countermeasures: Firewalls and Proxies • Packet filtering firewalls permit access control based on IP and Port (service) • Located on routers, firewalls can protect entire subnets • Proxies can add complete isolation of internal hosts, but sometimes at the cost of function • Additional enhancements include stateful packet inspection firewalls, intrusion detection, and most recently intrusion prevention systems.

  11. Web Server Technologies | Part III: Security & Future Musings Host Security • Server hardening is vital to Web server security, and highly platform-specific • Subscribing to (and regularly reading) both generic and platform-specific vulnerability and update notifications is essential • www.cert.org and similar, but more specialized sites and lists • Assuming the box is (mostly) dedicated to HTTP (as it should be), much of host hardening will consist of hardening the Web server itself • For this, use a good, comprehensive security checklist when building or auditing a Web server box, for example…

  12. Web Server Technologies | Part III: Security & Future Musings An IIS Security Checklist Use the Security Configuration and Analysis Tool to deploy a good security template • Hisecweb.inf as a minimal baseline • Use web_secure.inf from SystemExperts if possible Use IPSec Admin Tool (or ipsecpol.exe) to set up port/packet filtering for “defense in depth” • Lock down the Kerberos (port 88) exception (KBA 254728) If possible, disable NetBIOS over TCP/IP, and unbind file-and-print sharing. Set appropriate ACLs on both virtual and physical directories (including root directory) • Unlike Everyone, Authenticated Users includes IUSR but disallows NULL and Guest-only connections

  13. Web Server Technologies | Part III: Security & Future Musings Brett Hill’s Recommended ACLs

  14. Web Server Technologies | Part III: Security & Future Musings An IIS Security Checklist, cont. Set appropriate log file ACLs • Probably don’t need to give Everyone anything here If your proxy/firewall configuration supports this, restrict connections to its internal (NAT) IP • Depends on whether or not source address is forwarded • IPSec can be used in same way as first line of defense Remove unused script mappings! • Better still, use IISLockDown to map them to 404.dll

  15. Web Server Technologies | Part III: Security & Future Musings An IIS Security Checklist, cont. Other checklist items… • Remove sample apps installed by IIS • IISSamples, IISHelp, MSADC • Enforce Form field and query string input sanitization • A developer responsibility, but try to enforce it • Disable parent paths • Home Directory >> Configuration >> App Options • Disable IP Address in Content-Location (KBA 218180) • Locate Web content on a non-system drive • Run MS Baseline Security Analyzer • Run IISLockDown and URLScan 2.5! • Kills many birds with one stone • Spend the time and effort to tune URLScan.ini

  16. Web Server Technologies | Part III: Security & Future Musings Application Security The price of being an HTTP server is being open, at a minimum, to inbound HTTP connections • Web servers are often looked on as toeholds for attacking other boxes and services • Particularly when hosting dynamic Web applications, numerous vulnerabilities exist via the URL, query string and postfield data • Buffer overflows, code injection, worm attacks • User input sanitization is essential but probably not reasonably left entirely to developers • Hence an entirely new product category • Web application firewalls • Web security gateways

  17. Web Server Technologies | Part III: Security & Future Musings Transaction Security Concerns security of the message exchanged between client and server Four basic tasks • Privacy • Integrity • Authentication • Non-repudiation All of these are requirements for secure transactions generally, but present special challenges for Web transactions

  18. Web Server Technologies | Part III: Security & Future Musings Transaction Security, cont. Privacy • Only the sender and the recipient of a message can read its contents • No one else must be able to see or use this data as it is being transmitted • SSL’s end-to-end encryption is the solution Integrity • Detection of any change in message contents between its being sent and its being received • When such changes occur, the transaction must stop and provide a way to recover • Message digests like MD5 are used within SSL to assure integrity of the connection

  19. Web Server Technologies | Part III: Security & Future Musings Transaction Security, cont. Authentication • The assurance that all parties to a transaction are who they claim to be • Server authentication is usually provided over SSL using certificates signed by a C.A. • Client authentication is usually provided by login credentials, but could also use C.A. Non-Repudiation • A guarantee that the party to a transaction cannot later falsely claim not to have participated in that transaction • Digital signatures (with message digest) best solution but, in practice, login credentials often relied upon

  20. Web Server Technologies | Part III: Security & Future Musings Transaction Security, cont. SSL in a nutshell • A different service, a different port (443) • End-to-end encryption of the transaction • Adds a handshake to the TCP/IP socket • Negotiation of security parameters • Authentication requirements • Selection of cipher suites (and strength) • Exchange of digital certificates • Generation of shared secrets and session keys • Quick restart of cached sessions if required • All data is then transferred within the socket that has been secured using these agreed upon parameters

  21. Web Server Technologies | Part III: Security & Future Musings Transaction Security, cont. SSL uses two kinds of encryption: Symmetric and Asymmetric • Symmetric Encryption involves exchanging one (private) key used both to encrypt and decrypt • Because it is very fast, SSL uses symmetric encryption for the session keys that encrypt and decrypt the actual message contents • Privacy depends on the key being kept secret, which limits it to keys negotiated during the handshake • Since strong authentication and non-repudiation depend on publicly exchangeable keys, symmetric is not suited for them

  22. Web Server Technologies | Part III: Security & Future Musings Transaction Security, cont. • Asymmetric (or Public Key) Encryption involves generating a private/public key combination and publishing this for others to use • What is encrypted with one of these can only be decrypted with the other • Usually the sender uses the recipient’s public key to encrypt, and the recipient uses its own matching private key to decrypt • Method used by SSL for certificate-based authentication • Since overhead is significant, only used to establish a secure connection and exchange the symmetric key • Encryption with private key is also possible, and used for signing digital signatures • Key management requires Cert Authorities and ideally a Public Key Infrastructure (PKI)

  23. Web Server Technologies | Part III: Security & Future Musings Transaction Security Pictured Symmetric This is clear text Bf$tladk&kl)eil.,mvl#d;ai This is clear text Private Session Key Private Session Key Sender Secure Transmission Recipient This is clear text Bf$tladk&kl)eil.,mvl#d;ai This is clear text Asymmetric Recipient’s Public Key Recipient’s Private Key

  24. Web Server Technologies | Part III: Security & Future Musings Looking Ahead (or, Joe of in Left Field) “The most fundamental specification of Web architecture ...is that of the Universal Resource Identifier, or URI.” – Tim Berners-Lee The importance to the Web architecture of a single universal information space, accessed by any means • Emerging Web services via XML and related technologies (WSDL, SOAP) as a prelude to full-blown machine-to-machine “Semantic Web” of the future (RDF, CC/PP) • Universal access via PC, NC, PDA, TV, etc., realizing an old dream – the network is everything, the clients are everywhere

  25. Web Server Technologies | Part III: Security & Future Musings Looking Ahead (or, Joe of in Left Field) A “Web of Trust” Metadata plus keys = a web of keys and signed documents • Mechanical agents finally start to reach their potential • Mechanically legible semantic assertions (T.B-L.): • This document has value 3 on the "crazy" scale of this rating scheme. • Believe an assertion of this form signed with this key. • I wish to buy one of these at this price. • I am happy to give my credit card number to anyone whom this key says is in this group.

  26. Web Server Technologies | Part III: Security & Future Musings Looking Ahead (or, Joe of in Left Field) Metadata + PKI + distributed agents • Identity management will be a major application of these converging technologies (Max Templeton) • An increasing need for human agents to manage aspects of identity that will be increasingly expressed as shareable (and valuable) data in universal space • Big Brother OR Decentering of the Subject!? Tim Berners-Lee’s “Things my agent needs to know about me” • What may people know about me? • What do I need to know about them? • What am I prepared to pay for? • What will I allow myself to do?

  27. Web Server Technologies | Part III: Security & Future Musings About Port80 Software • Solutions for Microsoft IIS Web Servers • Port80 software exposes control to server-side functionality for developers, and streamlines tasks for administrators: • Increase security by locking down what info you broadcast and blocking intruders with ServerMask and ServerDefender • Protect your intellectual property by preventing hotlinking with LinkDeny • Improve performance: compress pages and manage cache controls for faster load time and bandwidth savings with CacheRight, httpZip, and ZipEnable • Upgrade Web development tools: Negotiate content based on device, language, or other parameters with PageXchanger, and tighten code with w3compiler. • Visit us online @ www.port80software.com

More Related