Web Server Technologies Part III: Security & Future Musings
Download as PPT, PDF1 like599 views
The document discusses web server security, covering core concepts, types of attacks, and strategies for safeguarding against them. It emphasizes the importance of application and transaction security, detailing practices such as user input sanitization and SSL for secure communications. The latter sections speculate on the future of web technology, including the progression towards a 'semantic web' and identity management challenges.
![Web Server Technologies Part III: Security & Future Musings Joe Lima Director of Product Development Port80 Software, Inc. [email_address]](https://image.slidesharecdn.com/cdocumentsandsettingssmccolloughmydocumentswebservertechiiippt-090414184058-phpapp02/85/Web-Server-Technologies-Part-III-Security-Future-Musings-1-320.jpg)
Web Server Technologies Part III: Security & Future Musings
- 1. Web Server Technologies Part III: Security & Future Musings Joe Lima Director of Product Development Port80 Software, Inc. [email_address]
- 2. Tutorial Content Web Server Technologies | Part III: Security & Future Musings Web security Core security concepts Network security (packets and addresses) Host security (hardening) Application security (sanitizing input) Transaction security (SSL) Web applications as software applications: implications, predictions, open issues
- 3. Core Security Concepts Web Server Technologies | Part III: Security & Future Musings Types of attacks Understanding serious attack strategies Reconnaissance as an attack prelude Security in depth strategy Principle of least access The need for threat assessment
- 4. A Brief Taxonomy of Attack Types Web Server Technologies | Part III: Security & Future Musings Virus – Program that appends itself to existing program and attempts self-propagation Worm – Standalone self-propagating program that carries out malicious action of some type Trojan Horse – Program that executes malicious code under cover of some benign functionality Denial of Service (DoS) – Deliberate use of a program’s or machine’s resources sufficient to deny others its legitimate use Spoofing – Assumption of a false identity (email, IP), often used in conjunction with other attacks Bug exploitation – Use of known (unpatched) vulnerabilities to carry out malicious actions
- 5. Attack Strategies Web Server Technologies | Part III: Security & Future Musings The goals of a serious attacker are oriented toward extracting maximum advantage from an attack Privilege escalation leading ideally to root, superuser, or administrator access The use of rootkits Leaving a backdoor – a means of reentry that bypasses the need to hack their way back in Stealth – removing all traces of the machine having been compromised in order to continue exploiting it directly, or as a platform for attacking other machines Log file alterations Using a service to cover up a rootkit
- 6. Attack Reconnaissance Web Server Technologies | Part III: Security & Future Musings Information gathering is often the prelude to a well-planned attack Much key data is often publicly available IP addresses, admin user names, network topologies and usage patterns, etc. Human engineering a major factor Casual sharing of sensitive data increases likelihood it will fall into wrong hands A variety of manual and automated techniques for sniffing out software details Packet sniffers Stack scanners HTTP (and other) fingerprinters
- 7. Security in Depth Strategy Web Server Technologies | Part III: Security & Future Musings Partly a buzzword invented to sell security stuff Also an important principle for planning and designing enterprise security Aim for multiple layers of security that support and reinforce one another Succeeding layers both back up preceding ones if they fail, and also make it less likely they will, by taking some of the burden off and allowing for greater functional specialization Firewall, anti-virus, IDS, IPS, application firewall, etc. Possibility of going too far if management burden reduces efficient enforcement of policies
- 8. Principle of Least Access Web Server Technologies | Part III: Security & Future Musings In the case of Web server security, it applies at multiple levels: The file system of the physical Web server Tightest possible ACLs The HTTP service itself Restrict by IP and auth where possible All other services running on the same box (file transfer & sharing, remote admin) Shut down as many ports & services as possible The network in which the Web server lives As few firewall holes and logins as possible Information about Web operations in general Inside attacks cost five times as much as outsider attacks; risks of info leakage very high
- 9. The Need for Threat Assessment Web Server Technologies | Part III: Security & Future Musings Security-functionality trade off can make attainable levels of security impractical Productively of supported employees likely to suffer as things are locked down tighter Central importance of human factors severely increases costs of enforcement Minimizing human factor issues can require major business process reengineering Security in depth strategy can drive up hardware, software and services bills In practice, all these costs must be balanced against: Likelihood of the threat Business value of the target
- 10. Network Security Web Server Technologies | Part III: Security & Future Musings Packet level vulnerabilities Exposure: passwords and form data IP spoofing Network DoS attacks SYN floods, ICMP floods Countermeasures: Firewalls and Proxies Packet filtering firewalls permit access control based on IP and Port (service) Located on routers, firewalls can protect entire subnets Proxies can add complete isolation of internal hosts, but sometimes at the cost of function Additional enhancements include stateful packet inspection firewalls, intrusion detection, and most recently intrusion prevention systems.
- 11. Host Security Web Server Technologies | Part III: Security & Future Musings Server hardening is vital to Web server security, and highly platform-specific Subscribing to (and regularly reading) both generic and platform-specific vulnerability and update notifications is essential www.cert.org and similar, but more specialized sites and lists Assuming the box is (mostly) dedicated to HTTP (as it should be), much of host hardening will consist of hardening the Web server itself For this, use a good, comprehensive security checklist when building or auditing a Web server box, for example…
- 12. An IIS Security Checklist Web Server Technologies | Part III: Security & Future Musings Use the Security Configuration and Analysis Tool to deploy a good security template Hisecweb.inf as a minimal baseline Use web_secure.inf from SystemExperts if possible Use IPSec Admin Tool (or ipsecpol.exe) to set up port/packet filtering for “defense in depth” Lock down the Kerberos (port 88) exception (KBA 254728) If possible, disable NetBIOS over TCP/IP, and unbind file-and-print sharing. Set appropriate ACLs on both virtual and physical directories (including root directory) Unlike Everyone, Authenticated Users includes IUSR but disallows NULL and Guest-only connections
- 13. Brett Hill’s Recommended ACLs Web Server Technologies | Part III: Security & Future Musings
- 14. An IIS Security Checklist, cont. Web Server Technologies | Part III: Security & Future Musings Set appropriate log file ACLs Probably don’t need to give Everyone anything here If your proxy/firewall configuration supports this, restrict connections to its internal (NAT) IP Depends on whether or not source address is forwarded IPSec can be used in same way as first line of defense Remove unused script mappings! Better still, use IISLockDown to map them to 404.dll
- 15. An IIS Security Checklist, cont. Web Server Technologies | Part III: Security & Future Musings Other checklist items… Remove sample apps installed by IIS IISSamples, IISHelp, MSADC Enforce Form field and query string input sanitization A developer responsibility, but try to enforce it Disable parent paths Home Directory >> Configuration >> App Options Disable IP Address in Content-Location (KBA 218180) Locate Web content on a non-system drive Run MS Baseline Security Analyzer Run IISLockDown and URLScan 2.5! Kills many birds with one stone Spend the time and effort to tune URLScan.ini
- 16. Application Security Web Server Technologies | Part III: Security & Future Musings The price of being an HTTP server is being open, at a minimum, to inbound HTTP connections Web servers are often looked on as toeholds for attacking other boxes and services Particularly when hosting dynamic Web applications, numerous vulnerabilities exist via the URL, query string and postfield data Buffer overflows, code injection, worm attacks User input sanitization is essential but probably not reasonably left entirely to developers Hence an entirely new product category Web application firewalls Web security gateways
- 17. Transaction Security Web Server Technologies | Part III: Security & Future Musings Concerns security of the message exchanged between client and server Four basic tasks Privacy Integrity Authentication Non-repudiation All of these are requirements for secure transactions generally, but present special challenges for Web transactions
- 18. Transaction Security, cont. Web Server Technologies | Part III: Security & Future Musings Privacy Only the sender and the recipient of a message can read its contents No one else must be able to see or use this data as it is being transmitted SSL’s end-to-end encryption is the solution Integrity Detection of any change in message contents between its being sent and its being received When such changes occur, the transaction must stop and provide a way to recover Message digests like MD5 are used within SSL to assure integrity of the connection
- 19. Transaction Security, cont. Web Server Technologies | Part III: Security & Future Musings Authentication The assurance that all parties to a transaction are who they claim to be Server authentication is usually provided over SSL using certificates signed by a C.A. Client authentication is usually provided by login credentials, but could also use C.A. Non-Repudiation A guarantee that the party to a transaction cannot later falsely claim not to have participated in that transaction Digital signatures (with message digest) best solution but, in practice, login credentials often relied upon
- 20. Transaction Security, cont. Web Server Technologies | Part III: Security & Future Musings SSL in a nutshell A different service, a different port (443) End-to-end encryption of the transaction Adds a handshake to the TCP/IP socket Negotiation of security parameters Authentication requirements Selection of cipher suites (and strength) Exchange of digital certificates Generation of shared secrets and session keys Quick restart of cached sessions if required All data is then transferred within the socket that has been secured using these agreed upon parameters
- 21. Transaction Security, cont. Web Server Technologies | Part III: Security & Future Musings SSL uses two kinds of encryption: Symmetric and Asymmetric Symmetric Encryption involves exchanging one (private) key used both to encrypt and decrypt Because it is very fast, SSL uses symmetric encryption for the session keys that encrypt and decrypt the actual message contents Privacy depends on the key being kept secret, which limits it to keys negotiated during the handshake Since strong authentication and non-repudiation depend on publicly exchangeable keys, symmetric is not suited for them
- 22. Transaction Security, cont. Web Server Technologies | Part III: Security & Future Musings Asymmetric (or Public Key ) Encryption involves generating a private/public key combination and publishing this for others to use What is encrypted with one of these can only be decrypted with the other Usually the sender uses the recipient’s public key to encrypt, and the recipient uses its own matching private key to decrypt Method used by SSL for certificate-based authentication Since overhead is significant, only used to establish a secure connection and exchange the symmetric key Encryption with private key is also possible, and used for signing digital signatures Key management requires Cert Authorities and ideally a Public Key Infrastructure (PKI)
- 23. Transaction Security Pictured Web Server Technologies | Part III: Security & Future Musings This is clear text Bf$tladk&kl)eil.,mvl#d;ai This is clear text This is clear text Bf$tladk&kl)eil.,mvl#d;ai This is clear text Recipient’s Public Key Recipient’s Private Key Private Session Key Private Session Key Secure Transmission Recipient Sender Symmetric Asymmetric
- 24. Looking Ahead (or, Joe of in Left Field) Web Server Technologies | Part III: Security & Future Musings “ The most fundamental specification of Web architecture ...is that of the Universal Resource Identifier, or URI.” – Tim Berners-Lee The importance to the Web architecture of a single universal information space, accessed by any means Emerging Web services via XML and related technologies (WSDL, SOAP) as a prelude to full-blown machine-to-machine “Semantic Web” of the future (RDF, CC/PP) Universal access via PC, NC, PDA, TV, etc., realizing an old dream – the network is everything, the clients are everywhere
- 25. Looking Ahead (or, Joe of in Left Field) Web Server Technologies | Part III: Security & Future Musings A “Web of Trust” Metadata plus keys = a web of keys and signed documents Mechanical agents finally start to reach their potential Mechanically legible semantic assertions (T.B-L.): This document has value 3 on the " crazy" scale of this rating scheme. Believe an assertion of this form signed with this key. I wish to buy one of these at this price. I am happy to give my credit card number to anyone whom this key says is in this group.
- 26. Looking Ahead (or, Joe of in Left Field) Web Server Technologies | Part III: Security & Future Musings Metadata + PKI + distributed agents Identity management will be a major application of these converging technologies (Max Templeton) An increasing need for human agents to manage aspects of identity that will be increasingly expressed as shareable (and valuable ) data in universal space Big Brother OR Decentering of the Subject!? Tim Berners-Lee’s “Things my agent needs to know about me” What may people know about me? What do I need to know about them? What am I prepared to pay for? What will I allow myself to do?
- 27. About Port80 Software Web Server Technologies | Part III: Security & Future Musings Solutions for Microsoft IIS Web Servers Port80 software exposes control to server-side functionality for developers, and streamlines tasks for administrators: Increase security by locking down what info you broadcast and blocking intruders with ServerMask and ServerDefender Protect your intellectual property by preventing hotlinking with LinkDeny Improve performance : compress pages and manage cache controls for faster load time and bandwidth savings with CacheRight, httpZip, and ZipEnable Upgrade Web development tools : Negotiate content based on device, language, or other parameters with PageXchanger, and tighten code with w3compiler. Visit us online @ www.port80software.com