Chapter 10 - Securing the Web Environment: At a Glance


Chapter 10 Securing the Web Environment

At a Glance

Instructor's Notes
    Chapter Objectives
    Instructor Notes
    Discussion Topics
    Quick Quizzes
    Key Terms

CHAPTER OBJECTIVES
    Identify threats and vulnerabilities
    Secure data transmission
    Secure the operating system
    Secure server applications
    Authenticate Web users
    Use a firewall
    Use a proxy server
    Use intrusion detection software

INSTRUCTOR NOTES
Identifying Threats and Vulnerabilities

Our focus is on threats from the Internet. Hackers sometimes want the challenge of penetrating a system and vandalizing it; other times they are after data. Data can be credit card numbers, user names and passwords, or other personal data. Information can be gathered while it is being transmitted. Often, operating system flaws can assist the hacker. Hackers often take advantage of the intricacy of TCP/IP to compromise a system.

The following are the parts of the IP header most relevant to security:
    Source address
    Destination address
    Packet identification, flags, fragment offset
    Total length
    Protocol (TCP, UDP, ICMP)

TCP is the most commonly used of the transport protocols. TCP is used to deliver data to applications such as Web servers and e-mail servers. Important header fields for TCP:
    Source and destination ports
    Sequence number, data offset
    Flags, such as SYN, ACK, FIN

Vulnerabilities of DNS: Historically DNS has had security problems. BIND is the most common implementation of DNS, and some older versions had serious bugs. BIND 9, the current version, has been more secure.

Vulnerabilities in operating systems: Operating systems are large and complex, which means that there are more opportunities for attack. Although Windows has had its share of problems, inattentive administrators often fail to apply patches when they are available. Some attacks, such as buffer overruns, can allow the attacker to take over the computer.

Vulnerabilities in Web servers: Static HTML pages pose virtually no problem. Programming environments and databases add complexity that a hacker can exploit. Programmers often do not have time to focus on security.

Vulnerabilities of e-mail servers: By design, e-mail servers are open. E-mail servers can be harmed by a series of very large e-mail messages. Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server. Viruses can be sent to e-mail users. Retrieving e-mail over the Internet often involves sending your user name and password as clear text, which is a security risk.

Securing Data Transmission

To secure data on a network that is accessible to others, you need to encrypt the data. SSL is the most common method of encrypting data between a browser and a Web server. Secure Shell (SSH) is a secure replacement for Telnet. With Secure Sockets Layer (SSL), a digital certificate issued by a certification authority (CA) identifies an organization. The public key infrastructure (PKI) defines the system of CAs and certificates. Public key cryptography depends on two keys:
    A public key is shared with everyone.
    The public key can be used to encrypt data.
    Only the owner of the public key has the corresponding private key, which is needed to decrypt the data.

Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH. To set up tunneling:
    1. Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535).
    2. Configure the SSH client to connect to POP3 port 110.
    3. Log in with the SSH client.
    4. Direct the e-mail client to port 55555 and log in to the e-mail server.

Securing the operating system

There are a number of things you can do to make the server more secure. First, use the server for only necessary tasks; that is, avoid using it to browse, get e-mail, etc. These things can introduce viruses. Minimize user accounts. Disable services that are not needed. Make sure that you have a secure password. In addition to using upper case, lower case, numbers and symbols, hold down the ALT key and enter a number (on the numeric keypad) from 1 to 255. Make sure to check a table of ALT values to avoid common characters. The use of the ALT key will thwart most hackers.

Securing Windows

There are many services that are not needed in Windows for most Internet-based server applications, such as Alerter, Computer Browser, DHCP Client, DNS Client, Messenger, Server, and Workstation. Also, the registry can be used to alter the configuration to make it more secure, such as disabling short file names.
Securing Linux

As with Windows, make sure that you only run the daemons (services) that you need. Generally, daemons are disabled by default. The command netstat -l gives you a list of the daemons that are running (listening for connections). Use chkconfig to enable and disable daemons; for example, chkconfig imap on would enable imap.

Securing e-mail

You have already seen the ability to tunnel POP3, which prevents the data from being seen. Exchange 2000 can also use SSL for the protocols it uses. To prevent someone from sending large e-mail messages until the disk is full, set a size limit on the mailbox.
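The POP3-over-SSH tunneling steps from the data-transmission section, written out as a shell helper. This is an added example, not material from the chapter: the user name alice and the host mail.example.com are placeholders, and it assumes the SSH server is the mail server itself, so "localhost" in the forward specification refers to that host. The helper also enforces the unprivileged-port requirement (1024 to 65535) for the local end of the tunnel.

```shell
#!/bin/sh
# Added example (not from the chapter): build the SSH local port-forward that
# carries POP3 (TCP 110) inside an SSH session.  Placeholders: user "alice",
# SSH/mail host "mail.example.com".

# Return 0 if the local listening port is a number in the unprivileged range
# 1024-65535, 1 otherwise.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that forwards LOCAL_PORT on this machine to port 110
# on the mail server, over an SSH session to that server.
#   -N  do not start a remote shell, only keep the forward open
#   -L  local forward: local_port:host_as_seen_by_ssh_server:remote_port
build_pop3_tunnel() {
    local_port="$1"; ssh_user="$2"; mail_host="$3"
    valid_local_port "$local_port" || {
        echo "local port must be between 1024 and 65535, got '$local_port'" >&2
        return 1
    }
    printf 'ssh -N -L %s:localhost:110 %s@%s\n' "$local_port" "$ssh_user" "$mail_host"
}

# Usage: start the tunnel, then point the e-mail client at localhost:55555
# instead of mail.example.com:110.  The POP3 user name and password now
# travel inside the encrypted SSH session rather than in clear text.
if [ "${1:-}" = "--demo" ]; then
    build_pop3_tunnel 55555 alice mail.example.com
    echo "then configure the e-mail client: POP3 server = localhost, port = 55555"
fi
```

Run the script with --demo to see the command; in practice you run the printed ssh command in one window (or in the background) and leave it open for as long as the mail client needs the tunnel.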

Securing the Web server

Enable the minimum features available on your Web server. If you don't need a programming language, do not enable it. Make sure programmers understand security issues. Implement SSL where appropriate.

Securing IIS

The URLScan utility blocks potentially harmful page requests. The IIS Lockdown utility has templates to ensure that you only enable what you need. Change the NTFS permissions on \inetpub\wwwroot from Everyone: Full Control to Everyone: Execute. In IIS 5, delete the \samples, \IISHelp and \MSADC folders. Delete extensions you do not use, such as .htr, .idc, .stm, and others.

QUICK QUIZ
1. True/False. A back door represents an alternate, hidden Web site. Answer: False.
2. True/False. The source port is part of the TCP header. Answer: True.
3. The protocol designation is part of what header? Answer: IP.
4. If the client continues to send packets with the SYN flag set but never acknowledges it, the server suffers what kind of attack? Answer: SYN flood.
5. What is the most common method of securing data transmission? Answer: SSL.

Authenticating Web Users

Both Apache and IIS use HTTP to enable authentication. The browser tries to access a protected directory and fails, so the server requests authentication from the user in a dialog box.

Configuring User Authentication in IIS. There are four types of authenticated access:
    Windows integrated authentication: most secure; requires IE.
    Digest authentication for Windows domain servers: works with proxy servers; requires Active Directory and IE.
    Basic authentication: user name and password in clear text; works with IE, Netscape, and others.
    Passport authentication: centralized form of authentication; only available on Windows Server 2003.

For user authentication in Apache, basic authentication is most common. User names and passwords are kept in a separate file.

Using a firewall

A firewall implements a security policy between networks. Our focus is between the Internet and an organization's network. You need to limit access, especially from the Internet to your internal computers. You want to restrict access to the Web server, e-mail server, and other related servers.

Types of filtering
    Packet filtering: looks at each individual packet and, based on rules, determines whether to let it pass through the firewall.
    Circuit-level filtering (stateful or dynamic filtering): controls the complete communication session, not just the individual packet. Allows traffic initiated from within the organization to return, yet restricts traffic initiated from outside.
    Application-level filtering: instead of transferring the packet, it sets up a separate connection to totally isolate applications such as Web and e-mail.

A packet-filtering firewall consists of a list of acceptance and denial rules. A firewall independently filters what comes in and what goes out. It is best to start with a default policy that denies all traffic, in and out. We can reject or drop a failed packet:
    Drop (best): the packet is thrown away without a response.
    Reject: an ICMP message is sent in response.

A popular firewall on Linux is called iptables. To initialize the firewall, you remove any pre-existing rules with:
    iptables --flush
Set the default policy to drop packets with:
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
At this point nothing comes in and nothing goes out.

The following describes the syntax for describing the packets to accept:
    -A INPUT or -A OUTPUT (append a rule to the chain)
    -i eth0 (input interface) or -o eth0 (output interface)
    -p tcp or -p udp (protocol type)
    -s, -d (source, destination address)
    --sport, --dport (source, destination port)
    -j ACCEPT (jump to the ACCEPT target: let the packet through)

Some examples of iptables rules

Allowing Access to the Web Server: allow packets from any address with an unprivileged port to the address of our server, destined to port 80. Each rule must be on a single line.
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT

Allow packets to go out port 80 from our server to any unprivileged port at any address:
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT

Allowing Access to DNS: DNS uses port 53, UDP for resolving and TCP for zone transfers.
    iptables -A INPUT -i eth0 -p udp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

Allowing Access to FTP: port 21 for data, port 20 for control. Data is transferred through unprivileged ports, and opening unprivileged ports can be a problem.
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
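The Web and DNS rules above gathered into one script with the flush and default-deny policy in front of them. This is an added example, not the chapter's own script; it assumes eth0 as the outside interface and 192.168.1.10 as the server address, as in the notes, and IPT defaults to "echo iptables" so the generated commands can be reviewed without root (run with IPT=iptables to apply them). Going beyond the notes, the allow_established_replies function shows the iptables form of the circuit-level (stateful) filtering described above: one conntrack rule lets replies to accepted connections out, which makes the per-service OUTPUT rules unnecessary and stops the server from originating new connections from port 80 or 53.

```shell
#!/bin/sh
# Added example (not the chapter's own script): default-deny firewall for the
# Web/DNS server 192.168.1.10 behind eth0.  IPT defaults to "echo iptables" so
# the rule set can be reviewed without root; IPT=iptables applies it.
IPT="${IPT:-echo iptables}"
IF=eth0               # assumed outside interface, as in the notes
SRV=192.168.1.10      # assumed server address, as in the notes
UNPRIV=1024:65535     # unprivileged (client) port range

# Step 1: remove existing rules, then set the default policy so that nothing
# passes in either direction unless a later rule accepts it.
reset_to_deny_all() {
    $IPT --flush
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT DROP
}

# Step 2: the stateless rule pair for one TCP or UDP service, exactly as in
# the notes: clients on unprivileged ports may reach $SRV:$port, and replies
# from $SRV:$port may go back out to unprivileged ports.
allow_service() {
    proto="$1"; port="$2"
    $IPT -A INPUT  -i "$IF" -p "$proto" --sport "$UNPRIV" -d "$SRV" --dport "$port" -j ACCEPT
    $IPT -A OUTPUT -o "$IF" -p "$proto" -s "$SRV" --sport "$port" --dport "$UNPRIV" -j ACCEPT
}

# Beyond the notes: the circuit-level (stateful) alternative.  The conntrack
# match only lets packets out that belong to a connection already accepted on
# INPUT, so it can replace every per-service OUTPUT rule above.  Not called
# by build_firewall, which keeps the notes' stateless layout.
allow_established_replies() {
    $IPT -A OUTPUT -o "$IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Assemble the rule set: 3 policy commands + 2 rules per service = 9 lines.
build_firewall() {
    reset_to_deny_all
    allow_service tcp 80     # Web server
    allow_service udp 53     # DNS resolving
    allow_service tcp 53     # DNS zone transfers
}

build_firewall
```

Because the default policy is DROP, ordering matters in one direction only: anything not explicitly accepted is silently discarded, so a typo in a rule shows up as a service that stops answering rather than as one that is accidentally exposed, which is the safer failure mode.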

Using a proxy server

A proxy server delivers content on behalf of a user or server application. Proxy servers need to understand the protocol of the application that they proxy, such as HTTP or FTP. Forward proxy servers isolate users from the Internet: users contact the proxy server, which gets the Web page. Reverse proxy servers isolate the Web server environment from the Internet: when a Web page is requested from the Internet, the proxy server retrieves the page from the internal server.

Using Intrusion Detection Software

Intrusion detection is designed to show you that your defenses have been penetrated. Microsoft ISA Server only detects specific types of intrusion. In Linux, Tripwire tracks changes to files.

Intrusion Detection in ISA Server. The following intrusions are tracked:
    Windows out-of-band (WinNuke): a specific type of denial-of-service attack.
    Land: a spoofed packet is sent with the SYN flag set so that the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash.
    Ping of death: the server receives ICMP packets that include large file attachments, which can cause a server to crash.
    IP half scan: if a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag.
    UDP bomb: a UDP packet with an illegal configuration.
    Port scan: you determine the threshold for the number of ports that are scanned (checked) before an alert is issued.

QUICK QUIZ
1. True/False. You filter packets based on three types: IP, TCP, and UDP. Answer: False.
2. True/False. Although you can disable many services from a Windows server, if you disable the Server service, the server will malfunction.
3. SSL encrypts what kind of packets? Answer: TCP.
4. What is the most secure Web authentication method used in Windows? Answer: Windows integrated authentication.
5. To isolate your Web server from the Internet, what kind of proxy server would you use? Answer: reverse (or reversing).

Discussion Topics
1. What are some of the viruses, worms, and other forms of computer penetration that you have heard of lately?
2. Under what circumstances would you use the various Windows authentication methods?
3. Compare and contrast the use of a firewall and the use of a proxy server.

Key Terms
application-level filter: A filter that enables a firewall to recognize that the Web or e-mail application, for example, serves as a termination point for traffic between the internal network and the Internet. Instead of simply transferring a packet destined for an internal Web server, an application-level filter opens separate connections between the firewall and the internal server to better control the flow of data.

authentication: The process of determining a user's true identity.

back door: A hidden access point that allows significant control of your system.

buffer overrun: When a program accepts more data than it anticipated receiving. Under certain circumstances, buffer overruns can cause the system to stop or allow the attacker to execute code on the server. Also known as a buffer overflow.

circuit-level filtering: A type of packet filtering that controls the complete communication session, as opposed to individual packets. Also known as stateful filtering.

demilitarized zone (DMZ): In a firewall configuration, a protected network containing the Internet servers such as the e-mail, Web, and FTP servers. These servers are protected from both the Internet and the internal network.

firewall: Software that implements an access control policy between networks. When you want to keep the attackers out, but let legitimate users in, you typically filter IP packets between two networks.

packet filtering: A practice where a server examines each packet individually and accepts or rejects the packet based on specified rules.

port address translation (PAT): Translates user ports (program interfaces) from computers on an internal network to a port on an interface connected to the Internet. This allows multiple users to share a single IP address on the Internet.

private key: An algorithm kept securely on the server that is used to decrypt data. It is also used to encrypt data if the recipient has the same private key.

public key: An algorithm used to encrypt data that can only be decrypted by the corresponding private key.

public key infrastructure (PKI): A system of public key encryption using digital certificates from Certificate Authorities that verify and authenticate the validity of each party involved in an electronic transaction; it defines the system of CAs and certificates.

reverse (or reversing) proxy server: A server designed to isolate your Web server environment from the Internet. Instead of your DNS pointing to your Web server's IP address, it points to the IP address of your proxy server. When an Internet user requests a Web page, the proxy server retrieves the page from an internal server, and then sends it back to the user.

Secure Shell (SSH): A protocol that creates a secure connection between two computers. You use it as a replacement for Telnet and to transmit insecure protocols such as POP3.

Secure Sockets Layer (SSL): A technology that allows for encrypted communication between Web server and browser, thereby increasing the security of a Web site.

synchronization (SYN) flood: An attack where many connections are requested, but none is completed, thereby overloading the server.
