Web Server Technologies
Part III: Security & Future Musings

Joe Lima
Director of Product Development
Port80 Software, Inc.
jlima@port80software.com
Web Server Technologies | Part III: Security & Future Musings




Tutorial Content



   •   Web security
        – Core security concepts
        – Network security (packets and addresses)
        – Host security (hardening)
        – Application security (sanitizing input)
        – Transaction security (SSL)

   •   Web applications as software applications: implications,
       predictions, open issues

Core Security Concepts




   –   Types of attacks
   –   Understanding serious attack strategies
   –   Reconnaissance as an attack prelude
   –   Security in depth strategy
   –   Principle of least access
   –   The need for threat assessment

A Brief Taxonomy of Attack Types

Virus – Program that appends itself to an existing program and attempts self-propagation

Worm – Standalone self-propagating program that carries out malicious action of some type

Trojan Horse – Program that executes malicious code under cover of some benign functionality

Denial of Service (DoS) – Deliberate use of a program’s or machine’s resources sufficient to deny others its legitimate use

Spoofing – Assumption of a false identity (email, IP), often used in conjunction with other attacks

Bug exploitation – Use of known (unpatched) vulnerabilities to carry out malicious actions

Attack Strategies



The goals of a serious attacker are oriented toward extracting maximum
  advantage from an attack

    • Privilege escalation leading ideally to root, superuser, or
      administrator access
         – The use of rootkits
    • Leaving a backdoor – a means of reentry that bypasses the need to
      hack their way back in
    • Stealth – removing all traces of the machine having been
      compromised in order to continue exploiting it directly, or as a platform
      for attacking other machines
         – Log file alterations
         – Using a service to cover up a rootkit

Attack Reconnaissance


Information gathering is often the prelude to a well-planned attack
     • Much key data is often publicly available
          – IP addresses, admin user names, network topologies and usage
             patterns, etc.
     • Human engineering (social engineering) is a major factor
          – Casual sharing of sensitive data increases likelihood it will fall into
             wrong hands
     • A variety of manual and automated techniques for sniffing out software
       details
          – Packet sniffers
          – Stack scanners
          – HTTP (and other) fingerprinters

Security in Depth Strategy


– Partly a buzzword invented to sell security stuff

– Also an important principle for planning and designing
  enterprise security
    • Aim for multiple layers of security that support and
      reinforce one another
    • Succeeding layers both back up preceding ones if they
      fail, and also make it less likely they will, by taking
      some of the burden off and allowing for greater
      functional specialization
    • Firewall, anti-virus, IDS, IPS, application firewall, etc.
    • Possibility of going too far if management burden
      reduces efficient enforcement of policies

Principle of Least Access


In the case of Web server security, it applies at multiple levels:

     • The file system of the physical Web server
          – Tightest possible ACLs
     • The HTTP service itself
          – Restrict by IP and auth where possible
     • All other services running on the same box (file transfer & sharing,
       remote admin)
          – Shut down as many ports & services as possible
     • The network in which the Web server lives
          – As few firewall holes and logins as possible
     • Information about Web operations in general
          – Inside attacks cost five times as much as outsider attacks; risks of
             info leakage very high

The Need for Threat Assessment



– Security-functionality trade-off can make attainable levels of security
  impractical
    • Productivity of supported employees likely to suffer as things are locked
       down tighter
– Central importance of human factors severely increases costs of enforcement
    • Minimizing human factor issues can require major business process
       reengineering
– Security in depth strategy can drive up hardware, software and services bills
– In practice, all these costs must be balanced against:
    • Likelihood of the threat
    • Business value of the target

Network Security


– Packet level vulnerabilities
   • Exposure: passwords and form data
   • IP spoofing
   • Network DoS attacks
        – SYN floods, ICMP floods
– Countermeasures: Firewalls and Proxies
   • Packet filtering firewalls permit access control based on IP and Port
     (service)
   • Located on routers, firewalls can protect entire subnets
   • Proxies can add complete isolation of internal hosts, but sometimes at the
     cost of function
   • Additional enhancements include stateful packet inspection firewalls,
     intrusion detection, and most recently intrusion prevention systems.

Host Security




– Server hardening is vital to Web server security, and highly platform-specific

– Subscribing to (and regularly reading) both generic and platform-specific
  vulnerability and update notifications is essential
    • www.cert.org and similar, but more specialized sites and lists

– Assuming the box is (mostly) dedicated to HTTP (as it should be), much of
  host hardening will consist of hardening the Web server itself
    • For this, use a good, comprehensive security checklist when building or
      auditing a Web server box, for example…

An IIS Security Checklist



Use the Security Configuration and Analysis Tool to deploy a good security template
          • Hisecweb.inf as a minimal baseline
          • Use web_secure.inf from SystemExperts if possible

Use IPSec Admin Tool (or ipsecpol.exe) to set up port/packet filtering for “defense in depth”
          • Lock down the Kerberos (port 88) exception (KBA 254728)

If possible, disable NetBIOS over TCP/IP, and unbind file-and-print sharing.

Set appropriate ACLs on both virtual and physical directories (including root directory)
           • Unlike Everyone, Authenticated Users includes IUSR but disallows NULL and
              Guest-only connections

Brett Hill’s Recommended ACLs

Content type                                     Authenticated Users   Administrators   System         Web Anonymous Users
Executables (.exe, .dll)                         X                     Full Control     Full Control   Deny Write
Script files (.asp, .php, .plx, .pl)             R                     Full Control     Full Control   Deny Write
Include files (.inc, .shtm, .shtml)              R                     Full Control     Full Control   Deny Write
Static content files (.txt, .gif, .jpg, .htm)    R                     Full Control     Full Control   Deny Write
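One way to apply the recommended ACLs above, as an added PowerShell example that is neither the slides' nor Brett Hill's own code: it assumes content has already been separated into one directory per content type (the D:\Web\... paths are constructed placeholders) and that a local group named 'Web Anonymous Users' containing the IUSR account already exists.

```powershell
using namespace System.Security.AccessControl

# Assumed names: one directory per content type, and a local group holding the IUSR account.
$webAnonGroup = 'Web Anonymous Users'
$authUsersRights = @{
    'D:\Web\bin'     = [FileSystemRights]::ExecuteFile   # Executables (.exe, .dll): X
    'D:\Web\scripts' = [FileSystemRights]::Read          # Script files (.asp, .php, .plx, .pl): R
    'D:\Web\include' = [FileSystemRights]::Read          # Include files (.inc, .shtm, .shtml): R
    'D:\Web\static'  = [FileSystemRights]::Read          # Static content (.txt, .gif, .jpg, .htm): R
}

function New-Rule {
    param([string]$Identity, [FileSystemRights]$Rights, [AccessControlType]$Type = 'Allow')
    # Every ACE inherits to all files and subfolders beneath the directory.
    [FileSystemAccessRule]::new($Identity, $Rights,
        [InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None, $Type)
}

foreach ($dir in $authUsersRights.Keys) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { Write-Warning "Missing: $dir"; continue }
    $acl = Get-Acl -LiteralPath $dir
    # Break inheritance and discard the inherited ACEs, then clear any explicit leftovers,
    # so the four ACEs below are the whole DACL (the tightest possible ACL).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' $authUsersRights[$dir]))
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' ([FileSystemRights]::FullControl)))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' ([FileSystemRights]::FullControl)))
    # Authenticated Users already includes IUSR, so anonymous reads work; this ACE blocks its writes.
    $acl.AddAccessRule((New-Rule $webAnonGroup ([FileSystemRights]::Write) 'Deny'))
    Set-Acl -LiteralPath $dir -AclObject $acl
    Write-Host "Applied ACL to $dir"
}
```

Run it from an elevated session; AddAccessRule keeps the DACL in canonical order, so the Deny ACE is evaluated ahead of the Allow ACEs.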

An IIS Security Checklist, cont.



Set appropriate log file ACLs
     – Probably don’t need to give Everyone anything here

If your proxy/firewall configuration supports this, restrict connections to its internal
     (NAT) IP
      – Depends on whether or not source address is forwarded
      – IPSec can be used in same way as first line of defense

Remove unused script mappings!
   – Better still, use IISLockDown to map them to 404.dll

An IIS Security Checklist, cont.


Other checklist items…
    – Remove sample apps installed by IIS
         • IISSamples, IISHelp, MSADC
    – Enforce Form field and query string input sanitization
         • A developer responsibility, but try to enforce it
    – Disable parent paths
         • Home Directory >> Configuration >> App Options
    – Disable IP Address in Content-Location (KBA 218180)
    – Locate Web content on a non-system drive
    – Run MS Baseline Security Analyzer
    – Run IISLockDown and URLScan 2.5!
         • Kills many birds with one stone
         • Spend the time and effort to tune URLScan.ini

Application Security


The price of being an HTTP server is being open, at a minimum, to inbound
  HTTP connections
    • Web servers are often looked on as toeholds for attacking other boxes
       and services
    • Particularly when hosting dynamic Web applications, numerous
       vulnerabilities exist via the URL, query string and postfield data
          – Buffer overflows, code injection, worm attacks
    • User input sanitization is essential but probably not reasonably left entirely
       to developers
    • Hence an entirely new product category
          – Web application firewalls
          – Web security gateways

Transaction Security



Concerns security of the message exchanged
  between client and server

Four basic tasks
     • Privacy
     • Integrity
     • Authentication
     • Non-repudiation

All of these are requirements for secure
    transactions generally, but present special
    challenges for Web transactions

Transaction Security, cont.


Privacy
     • Only the sender and the recipient of a message can read its contents
     • No one else must be able to see or use this data as it is being transmitted
     • SSL’s end-to-end encryption is the solution

Integrity
     • Detection of any change in message contents between its being sent and
        its being received
     • When such changes occur, the transaction must stop and provide a way
        to recover
     • Message digests like MD5 are used within SSL to assure integrity of the
        connection

Transaction Security, cont.


Authentication
    • The assurance that all parties to a transaction are who they claim to be
    • Server authentication is usually provided over SSL using certificates
      signed by a C.A.
    • Client authentication is usually provided by login credentials, but could
      also use C.A.

Non-Repudiation
    • A guarantee that the party to a transaction cannot later falsely claim not to
      have participated in that transaction
    • Digital signatures (with message digest) best solution but, in practice,
      login credentials often relied upon

Transaction Security, cont.


SSL in a nutshell
    • A different service, a different port (443)
    • End-to-end encryption of the transaction
    • Adds a handshake to the TCP/IP socket
          – Negotiation of security parameters
               » Authentication requirements
               » Selection of cipher suites (and strength)
               » Exchange of digital certificates
               » Generation of shared secrets and session keys
               » Quick restart of cached sessions if required
    • All data is then transferred within the socket that has been secured using
       these agreed upon parameters

Transaction Security, cont.



SSL uses two kinds of encryption: Symmetric and Asymmetric

    • Symmetric Encryption involves sharing one secret key used
      both to encrypt and decrypt
        – Because it is very fast, SSL uses symmetric encryption for the
           session keys that encrypt and decrypt the actual message
           contents
        – Privacy depends on the key being kept secret, which limits it to
           keys negotiated during the handshake
        – Since strong authentication and non-repudiation depend on
           publicly exchangeable keys, symmetric is not suited for them

Transaction Security, cont.



– Asymmetric (or Public Key) Encryption involves generating a private/public
  key combination and publishing this for others to use
    • What is encrypted with one of these can only be decrypted with the other
    • Usually the sender uses the recipient’s public key to encrypt, and the
      recipient uses its own matching private key to decrypt
         – Method used by SSL for certificate-based authentication
         – Since overhead is significant, only used to establish a secure
            connection and exchange the symmetric key
    • Encryption with the private key is also possible, and is used to create
      digital signatures
    • Key management requires Cert Authorities and ideally a Public Key
      Infrastructure (PKI)

Transaction Security Pictured

[Diagram: in both rows the Sender turns clear text ("This is clear text") into scrambled ciphertext for Secure Transmission, and the Recipient turns it back into clear text.]

Symmetric: the Sender encrypts and the Recipient decrypts with the same Private Session Key.

Asymmetric: the Sender encrypts with the Recipient’s Public Key; the Recipient decrypts with the Recipient’s Private Key.
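The symmetric/asymmetric split the preceding slides describe, carried through end to end in an added PowerShell example (not from the slides; it assumes PowerShell 7.2 or later). RSA wraps the session key, AES encrypts the message body, and HMAC-SHA256 plays the integrity role the slides assign to a message digest (the slides name MD5, which is no longer acceptable for this purpose); the function names and the sample message are constructed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

function New-RecipientKeyPair {
    # Asymmetric key pair (RSA-2048). Only ExportParameters($false), the public half, is published.
    [RSA]::Create(2048)
}

function Protect-Message {
    param([RSAParameters]$RecipientPublicKey, [string]$ClearText)
    # Symmetric session key and IV, generated fresh for this one message (the fast bulk cipher).
    $aes = [Aes]::Create(); $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $macKey = [RandomNumberGenerator]::GetBytes(32)
    $plain = [Encoding]::UTF8.GetBytes($ClearText)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # Integrity: keyed digest over IV + ciphertext, checked by the recipient before decrypting.
    $tag = [HMACSHA256]::new($macKey).ComputeHash([byte[]]($aes.IV + $cipher))
    # Key exchange: session and MAC keys travel wrapped under the recipient's public key,
    # so only the matching private key can recover them (the one expensive asymmetric step).
    $rsa = [RSA]::Create(); $rsa.ImportParameters($RecipientPublicKey)
    $wrapped = $rsa.Encrypt([byte[]]($aes.Key + $macKey), [RSAEncryptionPadding]::OaepSHA256)
    [pscustomobject]@{ WrappedKeys = $wrapped; IV = $aes.IV; Ciphertext = $cipher; Tag = $tag }
}

function Unprotect-Message {
    param([RSA]$RecipientPrivateKey, $Envelope)
    $keys = $RecipientPrivateKey.Decrypt($Envelope.WrappedKeys, [RSAEncryptionPadding]::OaepSHA256)
    $sessionKey = [byte[]]$keys[0..31]; $macKey = [byte[]]$keys[32..63]
    # Integrity check first: any change between sending and receiving stops the transaction.
    $expected = [HMACSHA256]::new($macKey).ComputeHash([byte[]]($Envelope.IV + $Envelope.Ciphertext))
    if ($Envelope.Tag.Length -ne $expected.Length) { throw 'Integrity check failed: bad tag length' }
    $diff = 0   # constant-time comparison: no early exit on the first mismatching byte
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ([int]$expected[$i] -bxor [int]$Envelope.Tag[$i])
    }
    if ($diff -ne 0) { throw 'Integrity check failed: message altered in transit' }
    $aes = [Aes]::Create(); $aes.Key = $sessionKey; $aes.IV = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    [Encoding]::UTF8.GetString($plain)
}

# Walk-through of the diagram: sender encrypts, message crosses the wire, recipient decrypts.
$recipient = New-RecipientKeyPair
$envelope  = Protect-Message -RecipientPublicKey $recipient.ExportParameters($false) -ClearText 'This is clear text'
Unprotect-Message -RecipientPrivateKey $recipient -Envelope $envelope
# Flip one ciphertext byte "in transit": the digest no longer matches and the transaction stops.
$envelope.Ciphertext[0] = $envelope.Ciphertext[0] -bxor 1
try { Unprotect-Message -RecipientPrivateKey $recipient -Envelope $envelope } catch { Write-Warning $_.Exception.Message }
```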

Looking Ahead (or, Joe Off in Left Field)


“The most fundamental specification of Web architecture ...is that of the Universal
   Resource Identifier, or URI.” – Tim Berners-Lee


The importance to the Web architecture of a single universal
  information space, accessed by any means

          • Emerging Web services via XML and related technologies (WSDL,
            SOAP) as a prelude to full-blown machine-to-machine “Semantic
            Web” of the future (RDF, CC/PP)
          • Universal access via PC, NC, PDA, TV, etc., realizing an old dream –
            the network is everything, the clients are everywhere

Looking Ahead (or, Joe Off in Left Field)


A “Web of Trust”
    Metadata plus keys = a web of keys and signed documents

         • Mechanical agents finally start to reach their potential
         • Mechanically legible semantic assertions (T.B-L.):

              –   This document has value 3 on the "crazy" scale of this rating scheme.
              –   Believe an assertion of this form signed with this key.
              –   I wish to buy one of these at this price.
              –   I am happy to give my credit card number to anyone whom this key
                  says is in this group.

Looking Ahead (or, Joe Off in Left Field)


Metadata + PKI + distributed agents
    – Identity management will be a major application of these converging
       technologies (Max Templeton)
         • An increasing need for human agents to manage aspects of identity that
           will be increasingly expressed as shareable (and valuable) data in
           universal space
         • Big Brother OR Decentering of the Subject!?

Tim Berners-Lee’s “Things my agent needs to know about me”
    – What may people know about me?
    – What do I need to know about them?
    – What am I prepared to pay for?
    – What will I allow myself to do?

About Port80 Software


Solutions for Microsoft IIS Web Servers
Port80 Software exposes control to server-side functionality
for developers, and streamlines tasks for administrators:


• Increase security by locking down what info you
broadcast and blocking intruders with ServerMask and
ServerDefender

• Protect your intellectual property by preventing
hotlinking with LinkDeny

• Improve performance: compress pages and manage
cache controls for faster load time and bandwidth savings
with CacheRight, httpZip, and ZipEnable

• Upgrade Web development tools: Negotiate content
based on device, language, or other parameters with
PageXchanger, and tighten code with w3compiler.

Visit us online @ www.port80software.com
