Part III: Security & Future Musings

sweetlipscaste | Security

2 Nov 2013

Web Server Technologies

Part III: Security & Future Musings

Joe Lima

Director of Product Development

Port80 Software, Inc.

jlima@port80software.com

Tutorial Content

Web Server Technologies | Part III: Security & Future Musings

- Web security
  - Core security concepts
  - Network security (packets and addresses)
  - Host security (hardening)
  - Application security (sanitizing input)
  - Transaction security (SSL)
- Web applications as software applications: implications, predictions, open issues

Core Security Concepts

- Types of attacks
- Understanding serious attack strategies
- Reconnaissance as an attack prelude
- Security in depth strategy
- Principle of least access
- The need for threat assessment

A Brief Taxonomy of Attack Types

- Virus: program that appends itself to an existing program and attempts self-propagation
- Worm: standalone self-propagating program that carries out a malicious action of some type
- Trojan Horse: program that executes malicious code under cover of some benign functionality
- Denial of Service (DoS): deliberate use of a program’s or machine’s resources sufficient to deny others its legitimate use
- Spoofing: assumption of a false identity (email, IP), often used in conjunction with other attacks
- Bug exploitation: use of known (unpatched) vulnerabilities to carry out malicious actions

Attack Strategies

The goals of a serious attacker are oriented toward extracting maximum advantage from an attack:

- Privilege escalation, leading ideally to root, superuser, or administrator access
  - The use of rootkits
- Leaving a backdoor: a means of reentry that bypasses the need to hack their way back in
- Stealth: removing all traces of the machine having been compromised, in order to continue exploiting it directly or as a platform for attacking other machines
  - Log file alterations
  - Using a service to cover up a rootkit

Attack Reconnaissance

Information gathering is often the prelude to a well-planned attack

- Much key data is often publicly available
  - IP addresses, admin user names, network topologies and usage patterns, etc.
- Human engineering is a major factor
  - Casual sharing of sensitive data increases the likelihood it will fall into the wrong hands
- A variety of manual and automated techniques exist for sniffing out software details
  - Packet sniffers
  - Stack scanners
  - HTTP (and other) fingerprinters

Security in Depth Strategy

- Partly a buzzword invented to sell security stuff
- Also an important principle for planning and designing enterprise security
- Aim for multiple layers of security that support and reinforce one another
  - Succeeding layers both back up preceding ones if they fail, and also make it less likely they will, by taking some of the burden off and allowing for greater functional specialization
  - Firewall, anti-virus, IDS, IPS, application firewall, etc.
- Possibility of going too far if the management burden reduces efficient enforcement of policies

Principle of Least Access

In the case of Web server security, it applies at multiple levels:

- The file system of the physical Web server
  - Tightest possible ACLs
- The HTTP service itself
  - Restrict by IP and auth where possible
- All other services running on the same box (file transfer & sharing, remote admin)
  - Shut down as many ports & services as possible
- The network in which the Web server lives
  - As few firewall holes and logins as possible
- Information about Web operations in general
  - Inside attacks cost five times as much as outsider attacks; risks of info leakage very high

The Need for Threat Assessment

- The security-functionality trade-off can make attainable levels of security impractical
  - Productivity of supported employees is likely to suffer as things are locked down tighter
- Central importance of human factors severely increases costs of enforcement
  - Minimizing human factor issues can require major business process reengineering
- Security in depth strategy can drive up hardware, software and services bills
- In practice, all these costs must be balanced against:
  - Likelihood of the threat
  - Business value of the target

Network Security

- Packet level vulnerabilities
  - Exposure: passwords and form data
  - IP spoofing
- Network DoS attacks
  - SYN floods, ICMP floods
- Countermeasures: firewalls and proxies
  - Packet filtering firewalls permit access control based on IP and port (service)
  - Located on routers, firewalls can protect entire subnets
  - Proxies can add complete isolation of internal hosts, but sometimes at the cost of function
  - Additional enhancements include stateful packet inspection firewalls, intrusion detection, and most recently intrusion prevention systems.

Host Security

- Server hardening is vital to Web server security, and highly platform-specific
- Subscribing to (and regularly reading) both generic and platform-specific vulnerability and update notifications is essential
  - www.cert.org and similar, but more specialized sites and lists
- Assuming the box is (mostly) dedicated to HTTP (as it should be), much of host hardening will consist of hardening the Web server itself
- For this, use a good, comprehensive security checklist when building or auditing a Web server box, for example…

An IIS Security Checklist

- Use the Security Configuration and Analysis Tool to deploy a good security template
  - Hisecweb.inf as a minimal baseline
  - Use web_secure.inf from SystemExperts if possible
- Use IPSec Admin Tool (or ipsecpol.exe) to set up port/packet filtering for “defense in depth”
  - Lock down the Kerberos (port 88) exception (KBA 254728)
- If possible, disable NetBIOS over TCP/IP, and unbind file-and-print sharing.
- Set appropriate ACLs on both virtual and physical directories (including root directory)
  - Unlike Everyone, Authenticated Users includes IUSR but disallows NULL and Guest-only connections

Brett Hill’s Recommended ACLs (table not reproduced in this extract)

An IIS Security Checklist, cont.

- Set appropriate log file ACLs
  - Probably don’t need to give Everyone anything here
- If your proxy/firewall configuration supports this, restrict connections to its internal (NAT) IP
  - Depends on whether or not the source address is forwarded
  - IPSec can be used in the same way as a first line of defense
- Remove unused script mappings!
  - Better still, use IISLockDown to map them to 404.dll

An IIS Security Checklist, cont.

Other checklist items…

- Remove sample apps installed by IIS
  - IISSamples, IISHelp, MSADC
- Enforce form field and query string input sanitization
  - A developer responsibility, but try to enforce it
- Disable parent paths
  - Home Directory >> Configuration >> App Options
- Disable IP Address in Content-Location (KBA 218180)
- Locate Web content on a non-system drive
- Run MS Baseline Security Analyzer
- Run IISLockDown and URLScan 2.5!
  - Kills many birds with one stone
  - Spend the time and effort to tune URLScan.ini

Application Security

- The price of being an HTTP server is being open, at a minimum, to inbound HTTP connections
  - Web servers are often looked on as toeholds for attacking other boxes and services
- Particularly when hosting dynamic Web applications, numerous vulnerabilities exist via the URL, query string and postfield data
  - Buffer overflows, code injection, worm attacks
- User input sanitization is essential but probably not reasonably left entirely to developers
- Hence an entirely new product category
  - Web application firewalls
  - Web security gateways

Transaction Security

- Concerns security of the message exchanged between client and server
- Four basic tasks
  - Privacy
  - Integrity
  - Authentication
  - Non-repudiation
- All of these are requirements for secure transactions generally, but present special challenges for Web transactions

Transaction Security, cont.

- Privacy
  - Only the sender and the recipient of a message can read its contents
  - No one else must be able to see or use this data as it is being transmitted
  - SSL’s end-to-end encryption is the solution
- Integrity
  - Detection of any change in message contents between its being sent and its being received
  - When such changes occur, the transaction must stop and provide a way to recover
  - Message digests like MD5 are used within SSL to assure integrity of the connection

Transaction Security, cont.

- Authentication
  - The assurance that all parties to a transaction are who they claim to be
  - Server authentication is usually provided over SSL using certificates signed by a C.A.
  - Client authentication is usually provided by login credentials, but could also use C.A.
- Non-repudiation
  - A guarantee that a party to a transaction cannot later falsely claim not to have participated in that transaction
  - Digital signatures (with message digest) are the best solution but, in practice, login credentials are often relied upon

Transaction Security, cont.

SSL in a nutshell

- A different service, a different port (443)
- End-to-end encryption of the transaction
- Adds a handshake to the TCP/IP socket
  - Negotiation of security parameters
    » Authentication requirements
    » Selection of cipher suites (and strength)
    » Exchange of digital certificates
    » Generation of shared secrets and session keys
    » Quick restart of cached sessions if required
- All data is then transferred within the socket that has been secured using these agreed-upon parameters

Transaction Security, cont.

SSL uses two kinds of encryption: symmetric and asymmetric

- Symmetric encryption involves exchanging one (private) key used both to encrypt and decrypt
  - Because it is very fast, SSL uses symmetric encryption for the session keys that encrypt and decrypt the actual message contents
  - Privacy depends on the key being kept secret, which limits it to keys negotiated during the handshake
  - Since strong authentication and non-repudiation depend on publicly exchangeable keys, symmetric is not suited for them

Transaction Security, cont.

- Asymmetric (or public key) encryption involves generating a private/public key combination and publishing this for others to use
  - What is encrypted with one of these can only be decrypted with the other
  - Usually the sender uses the recipient’s public key to encrypt, and the recipient uses its own matching private key to decrypt
  - Method used by SSL for certificate-based authentication
  - Since overhead is significant, only used to establish a secure connection and exchange the symmetric key
  - Encryption with private key is also possible, and used for signing digital signatures
  - Key management requires Cert Authorities and ideally a Public Key Infrastructure (PKI)

Transaction Security Pictured

(Diagram, not reproduced: sender and recipient, with “This is clear text” turned into ciphertext and back over a secure transmission. Asymmetric path: the recipient’s public key encrypts and the recipient’s private key decrypts. Symmetric path: the same private session key both encrypts and decrypts.)
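The four transaction-security tasks (privacy, integrity, authentication, non-repudiation) and the hybrid symmetric/asymmetric scheme of the diagram, as an added example that is not part of the original slides. It assumes a toy textbook RSA over small constructed primes applied byte by byte, with SHA-256 and HMAC standing in for the slides’ message digest; the tiny keys and missing padding make it suitable for illustration only.

```python
import hashlib
import hmac
import secrets

# Toy RSA from small fixed primes (constructed for illustration only: real
# keys are thousands of bits long and use padding, which this omits).
def make_keypair(p=61, q=53, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)                   # (public key, private key)

def rsa_bytes(key, values):
    """Apply one RSA exponent to each byte-sized value. The public key
    encrypts and the private key decrypts; swap roles to sign and verify."""
    exp, n = key
    return [pow(v, exp, n) for v in values]

def keystream_xor(session_key, data):
    """Symmetric step: XOR with a SHA-256 counter-mode keystream derived from
    the session key, so the one function both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def send(plaintext, recipient_pub, sender_priv):
    """Sender: wrap a fresh session key with the recipient's public key (privacy),
    HMAC the encrypted body (integrity) and sign that digest with the sender's
    private key (authentication, non-repudiation)."""
    session_key = secrets.token_bytes(16)
    body = keystream_xor(session_key, plaintext)
    digest = hmac.new(session_key, body, hashlib.sha256).digest()
    return {"wrapped_key": rsa_bytes(recipient_pub, session_key),
            "body": body,
            "signature": rsa_bytes(sender_priv, digest)}

def receive(message, recipient_priv, sender_pub):
    """Recipient: unwrap the session key, recompute the digest, verify the
    signature with the sender's public key, and decrypt only if it checks out."""
    key_values = rsa_bytes(recipient_priv, message["wrapped_key"])
    if any(v > 255 for v in key_values):
        return None                         # wrapped key was altered in transit
    session_key = bytes(key_values)
    digest = hmac.new(session_key, message["body"], hashlib.sha256).digest()
    if rsa_bytes(sender_pub, message["signature"]) != list(digest):
        return None                         # body altered, or not signed by sender
    return keystream_xor(session_key, message["body"])
```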

Looking Ahead (or, Joe out in Left Field)

“The most fundamental specification of Web architecture ...is that of the Universal Resource Identifier, or URI.” (Tim Berners-Lee)

- The importance to the Web architecture of a single universal information space, accessed by any means
- Emerging Web services via XML and related technologies (WSDL, SOAP) as a prelude to a full-blown machine-to-machine “Semantic Web” of the future (RDF, CC/PP)
- Universal access via PC, NC, PDA, TV, etc., realizing an old dream: the network is everything, the clients are everywhere

Looking Ahead (or, Joe out in Left Field)

A “Web of Trust”

- Metadata plus keys = a web of keys and signed documents
- Mechanical agents finally start to reach their potential
- Mechanically legible semantic assertions (T.B-L.):
  - This document has value 3 on the "crazy" scale of this rating scheme.
  - Believe an assertion of this form signed with this key.
  - I wish to buy one of these at this price.
  - I am happy to give my credit card number to anyone whom this key says is in this group.

Looking Ahead (or, Joe out in Left Field)

Metadata + PKI + distributed agents

- Identity management will be a major application of these converging technologies (Max Templeton)
- An increasing need for human agents to manage aspects of identity that will be increasingly expressed as shareable (and valuable) data in universal space
- Big Brother OR Decentering of the Subject!?
- Tim Berners-Lee’s “Things my agent needs to know about me”
  - What may people know about me?
  - What do I need to know about them?
  - What am I prepared to pay for?
  - What will I allow myself to do?

About Port80 Software

Solutions for Microsoft IIS Web Servers

Port80 software exposes control to server-side functionality for developers, and streamlines tasks for administrators:

- Increase security by locking down what info you broadcast and blocking intruders with ServerMask and ServerDefender
- Protect your intellectual property by preventing hotlinking with LinkDeny
- Improve performance: compress pages and manage cache controls for faster load time and bandwidth savings with CacheRight, httpZip, and ZipEnable
- Upgrade Web development tools: negotiate content based on device, language, or other parameters with PageXchanger, and tighten code with w3compiler.

Visit us online @ www.port80software.com