
Web Services






Presentation Transcript


  1. Web Services Chapter 21

  2. Chapter Goals
  • Understand the terminology of the WWW.
  • Understand web clients (browsers).
  • Understand web servers.
  • Understand client and server security issues.
  • Understand web performance issues.

  3. What is the World Wide Web (WWW)?
  • The World Wide Web is a client-server based application originally developed to distribute documentation.
  • Researchers at various locations, notably the National Center for Supercomputing Applications at the University of Illinois, extended the original design to include the distribution of a wide variety of media including
    • graphics,
    • audio,
    • video,
    • small applications or applets.

  4. WWW clients, known as browsers, make requests from WWW servers and display the results in the form of a page.
  • Pages and other resources are referenced using a universal resource locator (URL).
  • The format of a URL is a resource type tag, followed by the name of the system holding the resource, followed by the path to the resource, which may include option flags and other data.
  • Web pages are written in HyperText Markup Language (HTML).
  • A single web page may include text, graphics and other elements from one or more servers.
  • HTML and the format of other page elements are standardized, allowing a given web page to be rendered and viewed on a wide variety of web browsers.
  • Web pages can also include forms and buttons. These allow data to be entered into the page via the web browser and communicated back to the web server.

  5. Web Clients
  • Administering WWW clients is primarily a matter of keeping up to date with browser and page content development.
  • At present, leading browsers are undergoing rapid development.
  • New versions of some browsers are available as frequently as every few weeks.
  • New page content in the form of new media data types is continually being developed.
  • Not all media types are directly viewable by a given browser, and not all pages follow the HTML specifications closely enough to be properly rendered by all browsers.
  • Additional software may be needed to view certain content types such as video, animated pictures and menus.
  • Such additions to the browser come in two flavors:
    • (1) extensions to the browser program itself, often called plug-ins, or
    • (2) separate applications started under the browser’s control, known as helper applications.

  6. Plug-ins
  • Plug-ins can be categorized into two major groups based on the application-programming interface (API) they use.
  • One group is designed for Microsoft’s Internet Explorer API, and the other group is based on the Netscape API.
  • Most browsers, such as Mozilla, Opera and Konqueror, use the Netscape API and are able to make use of plug-ins designed for that API.
  • Plug-ins are further categorized by processor architecture and operating system, like other application software.
  • As one would expect, the widest selection of plug-ins for various media types is for Internet Explorer on Microsoft Windows on Intel processors.
  • Fewer plug-in choices are available for Mac OS X and Linux, and very few plug-ins are available for other UNIX variants.

  7. Helpers
  • Helper applications are standalone programs that the browser runs to display content in formats not supported by the browser itself or a plug-in.
  • A typical helper is Real’s RealPlayer audio and video player.
  • When a user clicks on a link to a RealPlayer video clip, the browser either starts the player and passes along the URL, or downloads the video clip and passes the filename of the clip to the player, depending on how the clip is specified on the page.
  • The system administrator needs to be aware of the media types his users will need to view.
  • Macromedia’s Flash animation player plug-in and Real’s RealPlayer audio and video player are two typical additions to the base web browser that are widely used to display content found on many web sites.
  • Some sites offer less common media types such as VRML or other 3D images, Windows Media Player audio or video, QuickTime video, and others.

  8. Client Security Issues
  • Web browsers present several security problems revolving around the issues raised by “active content”.
  • Active content is a program or script that is downloaded as part of a web page and used to provide active features such as animated menus, special page rendering effects, error checking in forms and other features.
  • Most web browsers have the JavaScript scripting language built in.
  • Additionally, most browsers include a Java interpreter either built-in or as a plug-in.
  • Some plug-ins such as the Macromedia Flash player interpret active content and can be considered similar to a scripting language in terms of their programmability.
  • Internet Explorer on Windows systems adds the capability of both Windows scripting and executable applets known as ActiveX.

  9. Client Security Issues
  • The range of mischief an executable applet or script could potentially cause is large.
  • Web browsers, Java, JavaScript interpreters and other content viewers are designed with this in mind and combat the problem in varying ways. However, bugs in these tools have appeared over time and continue to appear, making the display of active content a risky activity.
  • Fortunately, most browsers allow the user to optionally turn off the execution of Java applets, JavaScript programs and other active content.
  • Turning these off will disable certain interactive features of some web pages.
  • The desirability of turning these features off to gain additional security must be weighed against the requirements of the applications the user has and the web pages they need to view.

  10. Client Security Issues
  • Bugs in the browser itself constitute another common problem.
  • Browsers are complex, often including their own Java virtual machine as well as internal versions of ftp and other network tools.
  • System managers at sites concerned about security should continually monitor the browser vendor Web pages for updates that address security problems.
  WARNING: There are numerous security vulnerabilities associated with downloaded applets and scripts on Microsoft Windows platforms that can affect the security of other systems on a network. These include the unintended installation of malicious software that may examine or disrupt network traffic or adversely affect the operation of servers and other networked systems. Security conscious sites need to consider not only the security of their servers, but also the risks involved in their choice of client platforms and software.

  11. Client Security Issues
  • Another client security issue is referring page information.
  • Many web browsers pass along the URL of the page they came from to the web server of the next page they load.
  • This is done to help web sites track how people get to their site. However, any information encoded in the URL is passed along as well.
  • Such additional data may include information believed to be secure if the browser moves from a secure page to an unsecured page.
  • Many Web sites avoid this problem by “wiping the browser’s feet”: directing the browser to a blank or unrevealing page after requesting secure information.
  • By default, many browsers will alert users to this problem by posting an alert message when the user moves from a secure page to an unsecured page.

  12. Client Security Issues
  • Modern browsers are capable of storing small pieces of information from Web sites such as a password or usage history.
  • These bits of information are known as “cookies.”
  • The security preferences dialog box allows those concerned about cookies to disable them or have the browser announce the delivery of a cookie from the Web site.
  • Turning off cookies will disable password memory and history features of some Web sites.
  • The decision to turn off cookies depends on the user’s concerns about her privacy and the Web pages she views most often.

  13. Web Servers
  • Installing and configuring a Web server is a much more involved process than configuring a web browser.
  • A Web server is a very complex daemon with numerous features that are controlled by several configuration files.
  • Web servers not only access files containing web pages, graphics and other media types for distribution to clients; they can also assemble pages from more than one file, run CGI applications, and negotiate secure communications.
  • Security and performance issues are near the top of the list when choosing, installing and configuring any web server.

  14. Choosing a Web Server
  • Choosing a web server involves an evaluation of several related factors.
  • Security – Web servers that serve web pages on the Internet face an extremely hostile environment.
  • They are the point of attack for persons interested in entering a system, stealing data or simply defacing web pages.
  • Web servers must properly handle a wide range of input data without fail.
  • Programs run via the web server, such as via the Common Gateway Interface (CGI), must likewise deal with possibly malicious input data and explicit attempts to exploit them.

  15. Choosing a Web Server
  • Performance – Serving web pages is often a highly I/O intensive task.
  • Many web pages are constructed “on the fly” from the output of programs or as the result of a database query.
  • The performance of a web site is dependent on the performance of all the components that feed into the web pages being served.
  • Included in this is the performance of the system the web server resides on, the network it is connected to and the data storage facility being used.

  16. Choosing a Web Server
  • Availability – Some web servers are available for only one operating system platform.
  • Some CGI programs, database interconnections and other data sources are available for only selected platforms.
  • A careful inventory of the desired CGI programs and data sources is helpful in reducing the range of choices to those where the needed software is available.
  • Viewed another way, if a specific platform has already been selected, a review of the web servers, CGI programs, etc. that are available for the selected platform can help guide the development of the web site.

  17. Choosing a Web Server
  WARNING: Based on a long string of security problems, culminating in the infamous Code Red and Nimda worms, many organizations have moved away from Microsoft’s Internet Information Server (IIS) web server. Moving away from IIS is also the recommendation of the Gartner Group.

  18. Apache
  • The most widely used web server on the Internet, Apache, is available for all UNIX variants and Windows NT and later.
  • Many UNIX variants such as Red Hat Linux, Mac OS X and Solaris ship Apache as part of the operating system distribution.
  • For those that do not, Apache is freely available in source code form from http://www.apache.org/
  • Aside from its wide acceptance, Apache offers a comprehensive suite of configuration options and features found on many other web servers.

  19. Server Add-ons
  • If a web server were all that was needed to set up a web site, life would be pretty easy for the system administrator and web master. However, the typical web server is extendable via several methods.
  • Common Gateway Interface (CGI) – The most common route to extending the functionality of the web server is via CGI.
  • Web pages can refer to CGI programs, and data from forms can be passed to them.
  • Web pages can be created on the fly by CGI programs that send data via the web server directly to the client web browser.
  • CGI programs might be Perl scripts, Python scripts, or even compiled binaries.

  20. Server Add-ons
  • Application Servers – Tools such as Zope and PHP provide templates for building web pages.
  • These templates form an entry point into a scripting language and access to databases, easing the development of dynamically created web pages.
  • Modules – Analogous to web browser plug-ins, modules extend the web server by directly adding functions.
  • Like web browser plug-ins, modules are specific to a particular web server and match that web server’s API.
  • Status reporting, performance enhancements such as a built-in Perl interpreter, encryption utilities, and even URL spelling correction are some of the modules that are available for the Apache web server.

  21. Web Server Installation
  • Apache is available in both binary form from some vendors and in source code form for all systems.
  • While a binary distribution saves time, it does not offer the level of control that building from sources offers.
  • To prepare for an installation from source code, make an inventory of the Apache modules that the web site will require.
  • Also, check that the needed build tools are available.

  22. Web Server Installation
  • Apache is built using the “configure and make” procedure common for many open source packages.
  • Like other packages that use the configure utility, typing “configure --help” will produce a list of all of the available option flags.
  • Additional modules not found in the base Apache distribution may require additional work.
  • For example, adding mod_ssl to provide secure web connections requires that the OpenSSL package be installed first and that an environment variable, SSL_BASE, containing the path to OpenSSL be set when Apache is configured.

  23. Web Server Configuration
  • Current versions of the Apache web server are configured via a series of directives kept in a plain text file, httpd.conf.
  • The Apache server distribution includes a set of sample files that the system administrator can modify.
  • Over 100 configuration options can be applied to control the behavior of the Apache Web server.
  • Directives in the configuration files are case insensitive, but arguments to directives are often case sensitive.
  • Long directives can be extended by placing a backslash at the end of the line as a continuation character.
  • Lines beginning with a pound sign (#) are considered comments.
  • A few of the most basic options to be examined upon setting up a new Web server are examined in the next section.

  24. Basic Apache Directives
  • At a minimum, the system administrator will want to modify the User, Group, ServerAdmin, ServerRoot, ServerName and DocumentRoot lines to reflect the local site.
  • The User and Group lines specify the user id and group id that the Web server will operate under once started.
  • The ServerAdmin is an e-mail address to which the server can send problem reports.
  • The ServerRoot specifies the installation directory for the server.
  • The ServerName is the name the server returns to clients.
  • The DocumentRoot directive sets the base for the default web page for the web server.

  25. Basic Apache Directives
  • The Alias lines may also require updating to reflect the location of icons and other local files.
  • The Alias lines allow Web page designers to use shortened names for resources such as icons instead of specifying full paths.

    UserDir WWW
    Alias /icons/ /usr/local/http/icons/
    ScriptAlias /cgi-bin/ /usr/local/http/cgi-bin/

  • Besides making Web page construction easier by providing short names for icons and CGI programs, these directives allow access to users’ Web pages.

  26. Basic Apache Directives
  • The UserDir line specifies the subdirectory each user can create in his home directory to hold Web pages.
  • This directory, WWW in the example, is mapped to the user’s username as follows.
  • A user whose username is bob has his WWW directory mapped to http://www.astro-corp.com/~bob.
  • By default, the Apache Web server will display the index.html file in that directory, or a directory listing if the index.html file is not found.
  • This indexing behavior can be controlled by a set of directives: IndexIgnore, IndexOptions, and IndexOrderDefault.
  • IndexOptions in particular has numerous options.

  27. Basic Apache Directives
  • A new installation of Apache may also require changing the <Directory> directives to indicate where the server should look for documents to serve and for CGI programs.
  • For example, if the server is installed in /usr/local/apache with the documents and CGI programs in directories under that directory, the following <Directory> line may be necessary.

    <Directory /usr/local/apache/htdocs>

  28. NOTE: The “user” and “group” directives in the httpd.conf file have significant security implications. The “nobody” user is used to severely limit the access privileges the web server has, in order to limit what an attacker might be able to access via the web server. These directives also specify the default user under which any CGI program is run. Limiting the privileges that a CGI program has access to is an important step in making the CGI program secure.

  29. Server Modules
  • One of the more useful features found in the Apache web server is the use of modules to extend the base server functionality.
  • These modules provide such services as web server status monitoring, encrypted connections, URL rewriting and adding native versions of CGI tools such as Perl.
  • For modules that are built as part of the standard Apache build, activating them is a matter of calling the directive associated with the module.
  • For example, here are the lines required to activate the mod_status module that allows the administrator to query the web server for status information.

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from .astro.com
    </Location>

  30. Server Modules
  • The Location directive describes the “page” that is used to view the status information, while SetHandler hands requests for that page to the server-status handler provided by the mod_status module.
  • The triple of Order, Deny and Allow directives controls access to this “page”, limiting it to only hosts within the specified domain.
  • If the server’s name were www.astro.com, the URL used to access this page would be http://www.astro.com/server-status/

  31. Mod_ssl
  • A more complex module to configure is mod_ssl.
  • This module provides the encryption used for secure web pages.
  • Before using ssl, a certificate to be used in the authentication of the server will need to be purchased from a certification authority such as Thawte, or generated and signed locally.
  • The locally generated certificates, also called self-signed certificates, will be flagged by web browsers and require the user to acknowledge them before viewing the web site.
  • The web browser can authenticate certificates purchased from a certificate authority without any user interaction.

  32. Mod_ssl
  • Next, several directives will need to be added to the Apache configuration file to enable ssl and specify the content to be accessed using an encrypted connection.
  • Here is an example that enables ssl using high quality encryption and specifies content to use the encrypted connection.

    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLVerifyClient none
    SSLCACertificateFile conf/ssl.crt/ca.crt
    <Location /secure/area>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>

  33. Mod_ssl
  • The ssl module has 22 directives and provides fine control over the security of the connection.
  • The effort required to obtain a certificate and configure secure web connections is well worth it.
  • Secure web connections form the basis of many other applications.
  • Two examples are web-based e-mail and web-based remote system management.
  • The end-to-end encryption supplied by SSL is especially important when remote users are utilizing potentially insecure networks such as wireless networks, or network connections offered at conferences or hotels.

  34. Mime types
  • Web servers can serve an almost limitless range of file formats.
  • The mime.types file includes the mapping from a mime type to a file extension.
  • The most common types are provided in the sample file included with the Apache distribution.

  35. Server Security Considerations
  • Web servers present a difficult security challenge.
  • They must be widely accessible to be useful, but tightly controlled to prevent security breaches.
  • They must be tolerant of any requests submitted to them, including requests specifically constructed to
    • gain unauthorized access to files, or
    • to exploit bugs in
      • modules,
      • application servers,
      • CGI programs, or
      • the web server itself.

  36. Ports 80 and 443
  • By default a web server listens on port 80 for plaintext requests and port 443 for SSL connections.
  • These are well-known ports and will be examined by attackers.
  • The port a web server listens on can be changed via the server configuration file; however, this will cause web browsers to be unable to connect to the server unless the port number is included in the URL specification.
  • For example, if the web server on www.astro.com were set to listen on port 8000, the URL for the server’s default page would be http://www.astro.com:8000
  WARNING: Changing the port a web server listens for requests on does not improve the security of the server. An attacker can locate the web server by scanning all of the ports open on the system.

  37. File Access Control
  • The control files which determine the Web server’s function, as well as the log files it produces, should not be accessible to the user ID the Web server runs under.
  • Individuals attempting to gain unauthorized access are thwarted to the extent that they cannot obtain information about the Web server’s configuration and function.
  • One way to tightly control access is to set the default Apache access rule to deny, and open up only those directories that contain content to be distributed.
  • For example, the httpd.conf directives shown below set the default access to deny and open up access to user web directories and a system default web page area.

  38. File Access Control

    # Set default access to deny
    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>

    # Allow access to users' web directories
    <Directory /usr/users/*/WWW>
        Order Deny,Allow
        Allow from all
    </Directory>

    # Allow access to the system web directory
    <Directory /usr/local/httpd/WWW>
        Order Deny,Allow
        Allow from all
    </Directory>

  39. File Access Control
  • In addition to the access controls found in the web server configuration files, many web servers provide access control for individual user directories by means of control files found in those directories.
  • Apache uses a file called “.htaccess” which contains directives specifying access.
  • For example, one could restrict access to a particular directory to a specific domain by placing this in the .htaccess file in the directory to be protected.

    deny from all
    allow from .bio.purdue.edu

  • In a .htaccess file, the options are assumed to apply to the directory the .htaccess resides in, and explicit <Directory> directives like those used in the httpd.conf file are not needed.
  • The access directives can include IP address ranges and references to password databases if desired.

  40. Server Side Includes
  • Web server options under which Web pages include other files and execute programs should be carefully scrutinized for potential access to files not intended for distribution.
  • In particular, server side includes (SSI) should be used cautiously.
  • By default, enabling SSI allows users to execute arbitrary programs as part of an include directive.
  • The possible damage this can cause can be limited by using the suexec facility to run the referenced program in a controlled manner with privileges limited to those of the owner of the HTML file.
  • A still more restrictive and secure approach is to allow files to be included, but disallow execution.
  • This is accomplished by using the IncludesNOEXEC directive instead of the Includes directive when specifying the options allowed for a specific directory in httpd.conf.

  41. Server Side Includes
  • Below is an example showing how to apply this directive to a specific directory.

    <Directory /web/docs/ssi>
        Options IncludesNOEXEC
    </Directory>

  42. CGI
  • CGI programs are among the biggest potential dangers to Web server security.
  • These programs are run based on a URL passed to the Web server by a client.
  • In normal operations this URL comes from a form or page. However, the URL provided to a CGI program can be given to the Web server by other means and can be carefully constructed to exercise bugs in the CGI program itself.
  • For example, one of the most common attacks against a web server is via the phf CGI program.
  • The phf program is not included with recent versions of Apache, but was present in earlier versions.
  • Due to poor design, phf could be easily subverted.
  • To disable this CGI program, remove it from the cgi-bin directory specified in the web server configuration file.

  43. CGI
  • As a general rule, any unused CGI program should be removed from the cgi-bin directory.
  • CGI programs must be carefully constructed to avert potential problems resulting from the input passed to them.
  • One successful method is to use the “tainted” variable facility found in the Perl scripting language.
  • If other languages are used, care must be taken to ensure that all possible input characters are properly handled, including shell metacharacters, quotes, asterisks, and braces.
  • Administrators must also be alert to the well-known problem of very large input strings designed to overwrite small input buffers.
  • Security conscious sites should carefully audit CGI programs before putting them into operation.
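  As an added illustration of the input handling described in slides 42 and 43 (this is example code written for this transcript, not code from the book or from Apache), the following Python CGI handler treats every request value as tainted until it passes an allowlist check, in the spirit of Perl's -T mode, bounds the size of the query string and of each field, and builds the lookup command as an argv list so no shell ever parses the input. The phonebook program path and the "user" form field are assumptions.

```python
"""Constructed example: a CGI handler that untaints input by allowlist,
bounds input sizes, and never hands request data to a shell."""
import os
import re
import shlex
import subprocess
import sys
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

MAX_QUERY_LEN = 1024   # reject oversized query strings before parsing them
MAX_FIELDS = 20        # bound on the number of form fields
MAX_FIELD_LEN = 64     # bound on any single value
# Allowlist of what a user name may look like. Shell metacharacters, quotes,
# newlines and anything else simply fail the match; nothing is "escaped".
USERNAME_RE = re.compile(r"\A[A-Za-z0-9._-]{1,32}\Z")
PHONEBOOK = "/usr/local/bin/phonebook"   # placeholder lookup program (assumption)


class Tainted:
    """A value of external origin. It cannot be turned into a str by accident;
    the only way out is untaint(), which requires an allowlist match."""

    def __init__(self, value: str) -> None:
        self._value = value

    def untaint(self, pattern: "re.Pattern[str]") -> str:
        match = pattern.fullmatch(self._value)
        if match is None:
            raise ValueError("input failed allowlist check")
        return match.group(0)

    def __str__(self) -> str:
        raise TypeError("tainted value used without untainting")


def parse_query(raw: str) -> Dict[str, Tainted]:
    """Parse QUERY_STRING (or a POST body) into tainted values, enforcing the
    size limits first so a very large input is rejected rather than buffered."""
    if len(raw) > MAX_QUERY_LEN:
        raise ValueError("query string too long")
    # parse_qs itself raises ValueError when max_num_fields is exceeded.
    fields = parse_qs(raw, keep_blank_values=True, max_num_fields=MAX_FIELDS)
    out: Dict[str, Tainted] = {}
    for name, values in fields.items():
        if len(values[0]) > MAX_FIELD_LEN:
            raise ValueError(f"field {name!r} too long")
        out[name] = Tainted(values[0])
    return out


def build_command(raw_query: str) -> List[str]:
    """Return the argv for the lookup. With an argv list and no shell, any
    ';', '|', backtick or newline in the value would reach the program as a
    literal argument; the allowlist rejects such values before that point."""
    fields = parse_query(raw_query)
    if "user" not in fields:
        raise ValueError("missing user field")
    return [PHONEBOOK, fields["user"].untaint(USERNAME_RE)]


def handle_query(raw_query: str) -> Tuple[int, str]:
    """(HTTP status, body). On success the body is the command rendered with
    shlex.join for display; main() runs the argv directly."""
    try:
        argv = build_command(raw_query)
    except ValueError:
        return 400, "bad request"
    return 200, shlex.join(argv)


def main() -> None:
    try:
        argv = build_command(os.environ.get("QUERY_STRING", ""))
    except ValueError:
        sys.stdout.write("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad request\n")
        return
    # shell=False (the default) with a list: the argument is never re-parsed.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + result.stdout)


if __name__ == "__main__":
    main()
```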

  44. CGI
  WARNING: The mod_perl module for the Apache web server does not provide any security advantages over a standalone CGI program written in Perl. While it does offer a substantial performance improvement, CGI programs making use of mod_perl need to be as carefully audited as standalone CGI programs.
  • Similarly, the sysadmin should disallow user executable CGI programs.
  • Like the executable server side includes mentioned earlier, user executable CGI opens a Pandora’s box of possible vulnerabilities.
  • Limit CGI programs to a controlled directory and carefully audit any CGI programs for security vulnerabilities.
  • If it is necessary to run a CGI under the UID of a user other than the web server, a wrapper such as suexec or CGIWrap can be used.
  • The wrapper limits the damage an attacker can cause by exploiting a poorly written CGI program.
  • Wrappers are often needed when a CGI program makes use of data that is accessible only to a particular UID.

  45. CGI
  • Some alternative approaches to standalone CGI programs are application servers such as PHP and Zope.
  • These tools provide a standardized CGI interface designed specifically to avoid problems found in input from web pages.
  • These tools also provide for rapid development of dynamic pages used in a growing number of web applications.
  • PHP is also available as an Apache module, giving better performance than that of a standalone CGI program.
  WARNING: While providing a more standardized way of using CGI, tools like PHP and Zope are not without problems. Application servers can contain bugs that make them vulnerable to attack like any other CGI program or module.
  • For example, all versions of PHP prior to version 4.1.2 were found to have a buffer overflow that can be exploited to gain elevated privileges.
  • A privilege elevation problem was also found in Zope versions prior to version 2.2.1 beta 1.

  46. Unintended Web Servers
  • The pervasiveness of web browsers has made them a common interface tool for a variety of devices and services beyond the web page.
  • This unfortunately means that there may be unsecured web servers hiding in obscure parts of a network waiting to be exploited.
  • Some of these unintended web servers include the following.
  • Solaris’s AnswerBook2 – AnswerBook2 is web based and it installs and uses a web server (dwhttpd) running on port 8888.
  • Because AnswerBook2 is a web server, it does not need to be installed on every system; a central server can be used.
  • However, it represents another possible avenue of access to a system and should not be enabled unless needed.

  47. Unintended Web Servers
  • The administrator can stop and start the AnswerBook2 web server with the following commands.

    /usr/lib/ab2/lib/ab2admin -o stop
    /usr/lib/ab2/lib/ab2admin -o start

  • To disable the AnswerBook2 web server from starting at boot time, the ab2mgr init script needs to be removed from the /etc/rc2.d directory.

    rm /etc/rc2.d/S96ab2mgr

  • Linuxconf – The popular Linux system administration GUI, linuxconf, is available via the web on port 98. It is a well-known port and will be scanned for by attackers.
  • On Red Hat Linux, web access to linuxconf can be disabled using ntsysv, or “chkconfig linuxconf off”.

  48. Unintended Web Servers
  • Printers – Popular printers from Hewlett-Packard, Epson and others come with a built-in web server that can be used to configure the printer when it is installed.
  • While these web servers often have a password protection scheme in place for their settings, the default passwords are widely known.
  • At a minimum, network accessible printers should have their configuration password changed and their firmware patched with the current set of patches available from the vendor.
  • Security conscious sites may want to go further and disable remote configuration of network accessible printers as per the printer vendors’ documentation.

  49. Unintended Web Servers
  • Routers, switches and other network devices – Network infrastructure devices often also contain embedded web servers.
  • As with printers, these devices need at a minimum to have their default passwords changed.
  • Security conscious sites should consider disabling remote configuration of these devices as well.

  50. Unintended Web Servers
  • Personal File Sharing – Web servers running on users’ PCs can pop up on a network like weeds.
  • On Windows 2000 and later editions, the personal file sharing option includes a web server.
  • Unfortunately, this web server is the infamous IIS in disguise and in the default installation, without any of the numerous patches needed to secure it from attack.
  • Controlling this problem is difficult. A combination of actively scanning one’s own network and a firm policy regarding servers run on personal computers is needed to combat the problem.
  • Where possible, these web servers should be shut down and users directed to use a common web server where security can more readily be maintained.
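  Slides 46 to 50 recommend actively scanning one's own network for unintended web servers. As an added example (written for this transcript, not taken from the book), the Python below probes the ports this chapter names (98 for linuxconf, 8888 for AnswerBook2, 8000 from the earlier port example) plus 80 and 443 on hosts the administrator is responsible for, identifies which answers are HTTP, and reports listeners absent from a list of sanctioned servers. Host names are placeholders; the Server header is only used to label what was found.

```python
"""Constructed example: inventory HTTP listeners on hosts you administer and
report any that are not on the expected list."""
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Ports named in this chapter plus the two defaults; extend for your site.
PROBE_PORTS = (80, 443, 98, 8000, 8888)


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    server: str  # value of the Server: header, "" if the server sent none


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value if `raw` is an HTTP response, "" when
    the response carries no Server header, and None when the port answered
    with something other than HTTP (so a non-web service is not reported)."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""


def probe(host: str, port: int, timeout: float = 2.0) -> Optional[Listener]:
    """Send a minimal HEAD request and classify the answer. Returns None for
    closed ports, timeouts, and services that do not speak HTTP."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        if port == 443:
            # Embedded devices usually present self-signed certificates. The
            # probe only identifies the listener and trusts nothing it says,
            # so certificate verification is skipped for this connection.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        raw = sock.recv(4096)
    except OSError:          # ssl.SSLError is a subclass of OSError
        return None
    finally:
        sock.close()
    server = parse_server_header(raw)
    return None if server is None else Listener(host, port, server)


def inventory(hosts: Iterable[str], ports: Iterable[int] = PROBE_PORTS) -> List[Listener]:
    """Every HTTP listener found on the given hosts and ports."""
    found: List[Listener] = []
    for host in hosts:
        for port in ports:
            hit = probe(host, port)
            if hit is not None:
                found.append(hit)
    return found


def unexpected(found: Iterable[Listener], expected: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners not on the administrator's list of sanctioned web servers:
    the candidates for shutting down, patching, or password changes."""
    return [item for item in found if (item.host, item.port) not in expected]


if __name__ == "__main__":
    # Placeholder hosts and allowlist; replace with your own inventory.
    sanctioned = {("www.example.internal", 80), ("www.example.internal", 443)}
    hosts = ["www.example.internal", "printer1.example.internal", "sunbox.example.internal"]
    for item in unexpected(inventory(hosts), sanctioned):
        print(f"unexpected web server {item.host}:{item.port} ({item.server or 'no Server header'})")
```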
