Docstoc

Web Security - PowerPoint Presen

Document Sample
Web Security - PowerPoint Presen Powered By Docstoc
					Web Infrastructure Security

Using Linux as a Tool to Eliminate
     Security Vulnerabilities
                     Agenda

• Market Problems
• Top 10 Internet Security Vulnerabilities
  per SANS Institute
  – And how to plug security holes
• Using Linux to Secure Web
  Infrastructure
  – A virtually “cracker proof” Linux OS
  – Protection for both the applications and the operating
    system
• Summary
                 Market Problems

• $45 billion of lost e-commerce revenues
  for companies due to “hacking” in
  1999*
• Online security of Dot com’s and regular
  businesses is a BIG CONCERN
• DDoS attacks are a serious threat
• Internet infrastructure needs 99.999%
  uptime

*PriceWaterhouseCoopers
Top Ten Security Vulnerabilities
 According to SANS (System Administration, Networking, and Security) Institute



     Vulnerability                                     To Dos:
                                         • Use the latest release:
• 1. DNS/BIND
                                            8.2.2 patch level 5
                                         • Run BIND as unprivileged
                                           user “dns” in a “chroot
                                           prison.”
• 2. CGI Programs
                                         • Remove Samples
                                         • Remove unsafe and
                                           unnecessary scripts
                                         • Run Apache as unprivileged
                                           user in a chroot prison.
Cont.
• 3. RPC               • 3. Don’t run if you don’t
                         have to.
                       • 4. Don’t use it if don’t
• 4. Microsoft IIS       have to.


• 5. Sendmail buffer   • 5. Replace with Qmail.
                         Qmail has never been
  overflows              cracked.
                       • StackGuard protects
                         against buffer overflows.
                       • Qmail is run in a chroot
                         prison as a non-privileged
                         user.
• 6. Sadmind and       • 6. Don’t run if you don’t
  Mountd                 have to.
Cont.


• 7. NFS global file sharing   • 7. Don’t run NFS on Web
                                 servers.

• 8. User ID esp. root         • 8. System accounts are not
                                 able to login (set to
                                 /bin/false)
                               • It is up to users to set good
                                 passwords. Include a
                                 password cracker on the
                                 machine to verify good
                                 passwords.
• 9. IMAP and POP overflows    • 9. Use Qmail. It’s never
                                 been cracked.
• 10. Default SNMP settings    • 10. Don’t run SNMP on
                                 your Web servers.
    Overview of a Secure Server
         Operating System

•   Server Application Protection
•   Stack Smashing Prevention
•   Middleware Library protection
•   Various security items not covered
    –   Removing system user accounts, etc.

•   Non-Executable Stack Area
•   Auditing software
  Server Application Protection

• Turn off setuid binaries
• Run “out of box” Firewall, a variation of
  IP Chains that gives the protection of a
  firewall to every server
• Force a root login on single user mode.
• Restrict system utilities to user “root”
  only
• Place named in chroot prison
   Stack Smashing Prevention

• Replace C Compiler GCC compiler
• Stop Stack Smashing attacks by adding
  a termination string or canary word.
• Halt attempted operations and logs
  intrusion attempts
• Every compiled app should be
  protected.
  Middleware Library protection

• Protect against as yet unidentified
  exploits.
• Watch the library calls for buffer
  overruns.
• Protect applications that users install,
  even RPMs.
• Do not allow overrun of stack or stack
  smashing attacks.
Various Security Enhancements

• Place applications like qmail and Apache
  Web Server in a chroot prison.
• Turn off all unnecessary daemons
• Turn off telnet and ftp and force secure
  protocols like SSH (WUFTP is available
  in our vHost products)
• Turn off world readable to some
  directories and files.
   Non-Executable Stack Area

• Non-executable stack area.
• Restricted links in /tmp
• Privileged IP aliases. Protects users on
  virtual hosts only root has additional
  access.
• Restrict user behavior in /proc
         Auditing Software

• Notify users in case of stealth port
  scans.
• Detect attempts at buffer overflows
• Detect CGI attacks
• Detect SMB probes
• Detect OS fingerprinting attempts
         Security Summary

• Close the security exploits that exist
• Pro-actively prevent new security
  exploits
• Minimize your exposure so even an
  exploit can only hurt one application
  and not your whole server
• Notify systems administrators of
  unusual behavior
Scalability             Why Linux?
Reliability,
and Security

                                            Ideal
                 Unix        Linux




                        NT


          High Cost                  Low Cost
                         Why Linux?

• Additional benefits of Linux for the
  corporate market
•   Because the source code is open, security patches can be implemented
    much more rapidly than in closed-proprietary software

•   Because the source code is open, bugs can be fixed quickly and easily
    without having to wait for proprietary vendors to issue fixes on a
    schedule that suits them more than their customers.

•   Because the source code is open, groups of companies can collaborate
    on software problems and issues without being concerned about an
    anti-trust lawsuit.

•   Linux programs can be installed on practically any machine— including
    older, outdated computers—and offer business owners a degree of
    flexibility they wouldn't find with other operating systems.
                              Why Linux?

• Did you know…
  – Linux server shipments grew 190% from 1997-98
    and another 140% from 1998-99*
  – Currently 40% of all internet servers are running on
    Linux*
  – Over 2000 different applications currently run on or
    are being ported over to Linux, including applications
    from over half of the major e-commerce software
    vendors**




 *IDC **Investors Business Daily
             Some Useful URLs

•   http://bastille-linux.sourceforge.net
•   www.snort.org
•   www.netsaint.org
•   http://www.tripwire.com/products/linux.cfm?
•   http://www.openwall.com/linux/README
•   http://www.bell-labs.com/org/11356/libsafe.html
•   http://www.lids.org/
•   www.stackguard.org