Case Studies for Securing Intranet and Internet Web Servers

Rex di Bona, Com Net Solutions

NEXT

Different Styles of Web Servers

• Confidential Web Site
  • Internal - Usually proprietary information
  • No public browsing permitted
  • Areas may be password protected (private areas)
• Public Web Site
  • Publicly available Information
  • Public browsing, but no public upload
  • No private areas
• Provider Web Site
  • Publicly available Information
  • Public browsing, and public upload
  • No private areas

Attack Profiles:

Security Strategies

• Hardened Server
  • Prohibit all non-essential functions
  • Apply all security patches
  • Baseline and check server
• Filtered Requests
  • Check all requests for validity
  • allows server to run on non-standard (insecure) port
  • filtering program runs on standard and non-standard ports
  • filtering program can run on firewall
• Firewall Protected
  • Web server is placed behind firewall
  • Filter is run on firewall
  • Only locally firewall generated requests are seen by server

Example Configurations

Corporate Web Site

• Internal and external servers.
• Single machine.
• Combined with firewall machine.
• Web proxy to allow external users some internal access.
• Filter external requests.

Education Web Site

• Control over internally generated requests (for both internal and external servers).
• Filtering of requests for unsuitable material.
• Before Platform for Internet Content Selection (PICS).

ISP Web Site

• Pages for both advertising and clients.
• Users can not install CGI scripts, only pages.
• Server machine is hardened.

Conclusion

• Security is possible through appropriate techniques.
• There are different types of web servers.
• Different web servers require different approaches to security.