Web Server Technologies - PowerPoint PPT Presentation

1
Web Server Technologies Part III: Security & Future Musings
Joe Lima, Director of Product Development, Port80
Software, Inc. jlima@port80software.com
2
Tutorial Content
  • Web security
  • Core security concepts
  • Network security (packets and addresses)
  • Host security (hardening)
  • Application security (sanitizing input)
  • Transaction security (SSL)
  • Web applications as software applications:
    implications, predictions, open issues

3
Core Security Concepts
  • Types of attacks
  • Understanding serious attack strategies
  • Reconnaissance as an attack prelude
  • Security in depth strategy
  • Principle of least access
  • The need for threat assessment

4
A Brief Taxonomy of Attack Types
  • Virus: program that appends itself to an existing
    program and attempts self-propagation
  • Worm: standalone self-propagating program that
    carries out malicious action of some type
  • Trojan Horse: program that executes malicious code
    under cover of some benign functionality
  • Denial of Service (DoS): deliberate use of a
    program's or machine's resources sufficient to deny
    others its legitimate use
  • Spoofing: assumption of a false identity (email,
    IP), often used in conjunction with other attacks
  • Bug exploitation: use of known (unpatched)
    vulnerabilities to carry out malicious actions
5
Attack Strategies
  • The goals of a serious attacker are oriented
    toward extracting maximum advantage from an
    attack
    • Privilege escalation, leading ideally to root,
      superuser, or administrator access
    • The use of rootkits
    • Leaving a backdoor: a means of reentry that
      bypasses the need to hack their way back in
    • Stealth: removing all traces of the machine
      having been compromised in order to continue
      exploiting it directly, or as a platform for
      attacking other machines
      • Log file alterations
      • Using a service to cover up a rootkit

6
Attack Reconnaissance
  • Information gathering is often the prelude to a
    well-planned attack
  • Much key data is often publicly available
    • IP addresses, admin user names, network
      topologies and usage patterns, etc.
  • Human engineering is a major factor
    • Casual sharing of sensitive data increases the
      likelihood it will fall into the wrong hands
  • A variety of manual and automated techniques for
    sniffing out software details
    • Packet sniffers
    • Stack scanners
    • HTTP (and other) fingerprinters

7
Security in Depth Strategy
  • Partly a buzzword invented to sell security stuff
  • Also an important principle for planning and
    designing enterprise security
  • Aim for multiple layers of security that support
    and reinforce one another
  • Succeeding layers both back up preceding ones if
    they fail, and also make it less likely they
    will, by taking some of the burden off and
    allowing for greater functional specialization
  • Firewall, anti-virus, IDS, IPS, application
    firewall, etc.
  • Possibility of going too far if management burden
    reduces efficient enforcement of policies

8
Principle of Least Access
  • In the case of Web server security, it applies at
    multiple levels
    • The file system of the physical Web server
      • Tightest possible ACLs
    • The HTTP service itself
      • Restrict by IP and auth where possible
    • All other services running on the same box (file
      transfer/sharing, remote admin)
      • Shut down as many ports/services as possible
    • The network in which the Web server lives
      • As few firewall holes and logins as possible
    • Information about Web operations in general
      • Inside attacks cost five times as much as
        outsider attacks; the risk of info leakage is
        very high

9
The Need for Threat Assessment
  • The security-functionality trade-off can make
    attainable levels of security impractical
    • Productivity of supported employees is likely to
      suffer as things are locked down tighter
  • Central importance of human factors severely
    increases costs of enforcement
    • Minimizing human factor issues can require major
      business process reengineering
  • Security in depth strategy can drive up hardware,
    software and services bills
  • In practice, all these costs must be balanced
    against
    • Likelihood of the threat
    • Business value of the target

10
Network Security
  • Packet level vulnerabilities
    • Exposure of passwords and form data
    • IP spoofing
    • Network DoS attacks
      • SYN floods, ICMP floods
  • Countermeasures: firewalls and proxies
    • Packet filtering firewalls permit access control
      based on IP and port (service)
    • Located on routers, firewalls can protect entire
      subnets
    • Proxies can add complete isolation of internal
      hosts, but sometimes at the cost of function
    • Additional enhancements include stateful packet
      inspection firewalls, intrusion detection, and
      most recently intrusion prevention systems

11
Host Security
  • Server hardening is vital to Web server security,
    and highly platform-specific
  • Subscribing to (and regularly reading) both
    generic and platform-specific vulnerability and
    update notifications is essential
  • www.cert.org and similar, but more specialized
    sites and lists
  • Assuming the box is (mostly) dedicated to HTTP
    (as it should be), much of host hardening will
    consist of hardening the Web server itself
  • For this, use a good, comprehensive security
    checklist when building or auditing a Web server
    box, for example

12
An IIS Security Checklist
  • Use the Security Configuration and Analysis Tool
    to deploy a good security template
  • Hisecweb.inf as a minimal baseline
  • Use web_secure.inf from SystemExperts if possible
  • Use IPSec Admin Tool (or ipsecpol.exe) to set up
    port/packet filtering for defense in depth
  • Lock down the Kerberos (port 88) exception (KBA
    254728)
  • If possible, disable NetBIOS over TCP/IP, and
    unbind file-and-print sharing.
  • Set appropriate ACLs on both virtual and physical
    directories (including root directory)
  • Unlike Everyone, Authenticated Users includes
    IUSR but disallows NULL and Guest-only connections

13
Brett Hill's Recommended ACLs
14
An IIS Security Checklist, cont.
  • Set appropriate log file ACLs
  • Probably don't need to give Everyone anything
    here
  • If your proxy/firewall configuration supports
    this, restrict connections to its internal (NAT)
    IP
  • Depends on whether or not source address is
    forwarded
  • IPSec can be used in same way as first line of
    defense
  • Remove unused script mappings!
  • Better still, use IISLockDown to map them to
    404.dll

15
An IIS Security Checklist, cont.
  • Other checklist items
  • Remove sample apps installed by IIS
  • IISSamples, IISHelp, MSADC
  • Enforce Form field and query string input
    sanitization
  • A developer responsibility, but try to enforce it
  • Disable parent paths
  • Home Directory >> Configuration >> App Options
  • Disable IP Address in Content-Location (KBA
    218180)
  • Locate Web content on a non-system drive
  • Run MS Baseline Security Analyzer
  • Run IISLockDown and URLScan 2.5!
  • Kills many birds with one stone
  • Spend the time and effort to tune URLScan.ini

16
Application Security
  • The price of being an HTTP server is being open,
    at a minimum, to inbound HTTP connections
  • Web servers are often looked on as toeholds for
    attacking other boxes and services
  • Particularly when hosting dynamic Web
    applications, numerous vulnerabilities exist via
    the URL, query string and postfield data
  • Buffer overflows, code injection, worm attacks
  • User input sanitization is essential but probably
    not reasonably left entirely to developers
  • Hence an entirely new product category
  • Web application firewalls
  • Web security gateways

17
Transaction Security
  • Concerns security of the message exchanged
    between client and server
  • Four basic tasks
  • Privacy
  • Integrity
  • Authentication
  • Non-repudiation
  • All of these are requirements for secure
    transactions generally, but present special
    challenges for Web transactions

18
Transaction Security, cont.
  • Privacy
  • Only the sender and the recipient of a message
    can read its contents
  • No one else must be able to see or use this data
    as it is being transmitted
  • SSL's end-to-end encryption is the solution
  • Integrity
  • Detection of any change in message contents
    between its being sent and its being received
  • When such changes occur, the transaction must
    stop and provide a way to recover
  • Message digests like MD5 are used within SSL to
    assure integrity of the connection

19
Transaction Security, cont.
  • Authentication
  • The assurance that all parties to a transaction
    are who they claim to be
  • Server authentication is usually provided over
    SSL using certificates signed by a C.A.
  • Client authentication is usually provided by
    login credentials, but could also use C.A.
  • Non-Repudiation
  • A guarantee that the party to a transaction
    cannot later falsely claim not to have
    participated in that transaction
  • Digital signatures (with message digest) best
    solution but, in practice, login credentials
    often relied upon

20
Transaction Security, cont.
  • SSL in a nutshell
  • A different service, a different port (443)
  • End-to-end encryption of the transaction
  • Adds a handshake to the TCP/IP socket
  • Negotiation of security parameters
  • Authentication requirements
  • Selection of cipher suites (and strength)
  • Exchange of digital certificates
  • Generation of shared secrets and session keys
  • Quick restart of cached sessions if required
  • All data is then transferred within the socket
    that has been secured using these agreed upon
    parameters

21
Transaction Security, cont.
  • SSL uses two kinds of encryption: symmetric and
    asymmetric
  • Symmetric Encryption involves exchanging one
    (private) key used both to encrypt and decrypt
  • Because it is very fast, SSL uses symmetric
    encryption for the session keys that encrypt and
    decrypt the actual message contents
  • Privacy depends on the key being kept secret,
    which limits it to keys negotiated during the
    handshake
  • Since strong authentication and non-repudiation
    depend on publicly exchangeable keys, symmetric
    is not suited for them

22
Transaction Security, cont.
  • Asymmetric (or Public Key) Encryption involves
    generating a private/public key combination and
    publishing this for others to use
  • What is encrypted with one of these can only be
    decrypted with the other
  • Usually the sender uses the recipient's public
    key to encrypt, and the recipient uses its own
    matching private key to decrypt
  • Method used by SSL for certificate-based
    authentication
  • Since overhead is significant, only used to
    establish a secure connection and exchange the
    symmetric key
  • Encryption with private key is also possible, and
    used for signing digital signatures
  • Key management requires Cert Authorities and
    ideally a Public Key Infrastructure (PKI)
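The hybrid scheme the preceding Transaction Security slides describe, as an added example that is not part of this deck: a fresh symmetric session key (AES-GCM) protects the message itself, the recipient's public key (RSA-OAEP) wraps only that session key, and the sender's signature over what was sent supplies authentication and non-repudiation. The Envelope type and the Seal/Open functions are constructed for this illustration, and Ed25519 stands in for the digest-plus-signature step the slides mention.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is a constructed wire format for this example (not a real SSL record).
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

// newGCM builds the symmetric AEAD; with a 32-byte key neither constructor can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal (sender): symmetric key for the bulk data, asymmetric only to wrap it and sign.
func Seal(msg []byte, recipientPub *rsa.PublicKey, senderPriv ed25519.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte AES-256 session key + 12-byte GCM nonce, fresh per message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	ct := newGCM(key).Seal(nil, nonce, msg, nil) // privacy plus an integrity tag in one step
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(senderPriv, ct) // sign what is actually sent; sender cannot later deny it
	return &Envelope{wrapped, nonce, ct, sig}, nil
}

// Open (recipient): verify the sender first, unwrap the session key, then decrypt; GCM rejects any change.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderPub, env.Ciphertext, env.Signature) {
		return nil, errors.New("sender signature invalid")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(env.Nonce) != 12 {
		return nil, errors.New("cannot unwrap session key")
	}
	return newGCM(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```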

23
Transaction Security Pictured
[Figure: two panels of the same exchange. Symmetric: the sender encrypts "This is clear text" with the private session key, the ciphertext ("Bftladkkl)eil.,mvldai") crosses the secure transmission, and the recipient decrypts with the same private session key. Asymmetric: the sender encrypts with the recipient's public key and the recipient decrypts with the recipient's private key.]
24
Looking Ahead (or, Joe off in Left Field)
  • "The most fundamental specification of Web
    architecture ... is that of the Universal Resource
    Identifier, or URI." (Tim Berners-Lee)
  • The importance to the Web architecture of a
    single universal information space, accessed by
    any means
  • Emerging Web services via XML and related
    technologies (WSDL, SOAP) as a prelude to a
    full-blown machine-to-machine Semantic Web of
    the future (RDF, CC/PP)
  • Universal access via PC, NC, PDA, TV, etc.,
    realizing an old dream: the network is
    everything, the clients are everywhere

25
Looking Ahead (or, Joe off in Left Field)
  • A Web of Trust
    • Metadata plus keys: a web of keys and signed
      documents
    • Mechanical agents finally start to reach their
      potential
  • Mechanically legible semantic assertions
    (T.B-L.)
    • This document has value 3 on the "crazy" scale of
      this rating scheme.
    • Believe an assertion of this form signed with
      this key.
    • I wish to buy one of these at this price.
    • I am happy to give my credit card number to
      anyone whom this key says is in this group.

26
Looking Ahead (or, Joe off in Left Field)
  • Metadata + PKI + distributed agents
    • Identity management will be a major application
      of these converging technologies (Max Templeton)
    • An increasing need for human agents to manage
      aspects of identity that will be increasingly
      expressed as shareable (and valuable) data in
      universal space
    • Big Brother OR Decentering of the Subject!?
  • Tim Berners-Lee's "Things my agent needs to know
    about me"
    • What may people know about me?
    • What do I need to know about them?
    • What am I prepared to pay for?
    • What will I allow myself to do?

27
About Port80 Software
  • Solutions for Microsoft IIS Web Servers
  • Port80 Software exposes control to server-side
    functionality for developers, and streamlines
    tasks for administrators
  • Increase security by locking down what info you
    broadcast and blocking intruders with ServerMask
    and ServerDefender
  • Protect your intellectual property by preventing
    hotlinking with LinkDeny
  • Improve performance: compress pages and manage
    cache controls for faster load time and bandwidth
    savings with CacheRight, httpZip, and ZipEnable
  • Upgrade Web development tools: negotiate content
    based on device, language, or other parameters
    with PageXchanger, and tighten code with
    w3compiler
  • Visit us online at www.port80software.com