Lecture 11 - Personal Web Server


Unix Web servers and Firewall
pp. 200 and pp. 387 to 411 – Web Security by Lincoln D. Stein
1
Unix Server (..continued..)
Monitor the integrity of system files and binaries (.sys and .win)
Back up your system
2
Monitor the integrity of system files and binaries
 The purpose is to detect whether files have been modified by intruders.
 The approach is to run a program that generates a fingerprint of each ESSENTIAL file (such as md5sum, the MD5 checksum).
 Compare the fingerprints a few days later and see whether there is any discrepancy.
3
Back up the system
 It is common for system administrators to perform regular backups of essential files.
 The tar program (a Unix command) is a common utility for performing backups.
4
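The two slides above describe one cycle: fingerprint the essential files, back them up, check the fingerprints later, and recover from the backup when a discrepancy shows up. The script below is an added example that walks through that cycle; it is not from the lecture or from Stein's book. The directory layout, the file names in ESSENTIAL and the file contents are all constructed in a temporary directory, md5 is used because the slide names md5sum, and any hashlib algorithm name such as "sha256" can be passed in its place.

```python
"""Fingerprint-and-backup drill for essential files.

Added example (not from the lecture or Stein's book): builds a baseline of
file fingerprints, archives the files with tar, detects a tampered binary and
restores it from the archive. Directory layout and file contents are
constructed in a temporary directory.
"""
import hashlib
import os
import tarfile
import tempfile

ESSENTIAL = ["bin/httpd", "etc/httpd.conf"]   # constructed list of files to watch


def fingerprint(path, algorithm="md5"):
    """Hex digest of one file, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, names, algorithm="md5"):
    """Fingerprint database {relative name: digest} for the files under root."""
    return {n: fingerprint(os.path.join(root, n), algorithm) for n in names}


def verify(root, db, algorithm="md5"):
    """Re-hash every file in the database. Returns {name: 'modified' | 'missing'};
    an empty dict means every fingerprint still matches."""
    report = {}
    for name, expected in db.items():
        full = os.path.join(root, name)
        if not os.path.exists(full):
            report[name] = "missing"
        elif fingerprint(full, algorithm) != expected:
            report[name] = "modified"
    return report


def backup(root, names, archive):
    """Write a gzip-compressed tar archive of the files, stored by relative name."""
    with tarfile.open(archive, "w:gz") as tar:
        for n in names:
            tar.add(os.path.join(root, n), arcname=n)
    return archive


def restore(archive, name, root):
    """Extract one member back under root, overwriting the tampered copy."""
    # The 'data' extraction filter exists on Python >= 3.12 (and recent 3.8-3.11
    # security releases); use it when available so unsafe member paths are refused.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extract(tar.getmember(name), path=root, **extra)


def drill():
    """Run the whole cycle in a sandbox; returns the three verify() reports
    (after baseline, after tampering, after restore)."""
    root = tempfile.mkdtemp()
    contents = {"bin/httpd": b"\x7fELF constructed stand-in for a binary",
                "etc/httpd.conf": b"ServerRoot /var/www\n"}
    for name, body in contents.items():
        full = os.path.join(root, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

    db = baseline(root, ESSENTIAL)                       # day 1: record fingerprints
    archive = backup(root, ESSENTIAL, os.path.join(root, "essential.tar.gz"))
    clean = verify(root, db)                             # nothing has changed yet

    with open(os.path.join(root, "bin/httpd"), "ab") as fh:  # simulate an intruder's edit
        fh.write(b" tampered")
    tampered = verify(root, db)                          # a few days later: discrepancy

    restore(archive, "bin/httpd", root)                  # recover the known-good copy
    restored = verify(root, db)
    return clean, tampered, restored


if __name__ == "__main__":
    print(drill())
```

The fingerprint database and the archive are only trustworthy if they are stored where the intruder cannot reach them (removable media or a separate host), which is why the two slides belong together: the baseline tells you that something changed, and the backup is what lets you put it back.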
Server Security Checklist (1), from the administrator's viewpoint
Have you installed all security-related patches?
Have you disabled all unnecessary services?
Have you run a security scanner on your system? (lab 10)
Does the server do double duty as a user workstation?
Are the Web server's file permissions reasonable?
5
Server Security Checklist (2)
Is the Web server running as root? (/)
Is the Web server running any unnecessary features?
Have you established a limit on users?
Do you monitor the system and Web server logs?
Do you monitor the integrity of the host?
Do you back up your system?
6
Summary on Unix Web servers (learnt last week)
 Harden the Unix Web server as much as possible (patch, disable features, ...)
 Properly configure the Web server (reduce the number of users, file/directory access rights, ...)
 Monitor the logs (error log and system log; possibly run fingerprint checks)
 Back up your files (use the tar command, ...)
7
Web servers & Firewall - Overview (this week)
 What is a firewall?
 How to select a firewall?
 How to configure a firewall?
 Automatic proxy configuration for browsers
 Examining firewall logs for signs of server compromise
8
Two firewalls with the Internet – restrict some incoming and outgoing traffic based on rules
9
What is a firewall? - the Great Wall (a wall to keep people out)
from http://ljq.free163.net/shgc/wlcc.htm
10
Water wall – keeps the enemy out, protects the castle
from edtech.floyd.edu/~lnewby/feudal_japan.htm
11
What is a firewall?
 In a traditional LAN, all workstations can access the Internet, and as a result they are all equally exposed to attack from the outside.
 Compromising just one weak host breaks the whole system.
 The firewall addresses this problem by placing a special, configurable machine between the outside world and the internal machines to control the traffic.
12
The location of a firewall
 All traffic must go through the proxy server (the firewall as well), which then decides to accept or reject the traffic.
13
Two basic Firewall Systems
There are two basic implementations of firewalls.
 Dual-homed gateway firewall: the gateway machine has two network interface cards, one connected to the LAN (inner network) and the other to the Internet (outer network).
 Screened-host gateway: uses a router to forward all the traffic from/to the outer and inner networks.
14
Dual-homed gateway firewall
 By default, the two networks are isolated (all traffic is blocked).
 However, the inner and outer networks need to communicate, which they do through specialised programs called proxies (many programs with firewall features).
15
Screened-host gateway
 A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.
 It ensures that packets from the Internet reach the well-secured proxy, which then examines the data.
In fact, there is no effective difference between the dual-homed and screened-host designs.
16
Notes about firewalls
 Many companies use firewall systems that are not strictly firewalls. They are used only to block dangerous traffic.
 The essence of a firewall system is to allow or deny passage to network traffic. The rules are set at the application level for particular communications protocols, such as HTTP, e-mail and FTP (you need to configure the rules).
 For example, if you decided to block all ActiveX, you would program the proxy to check the contents of all HTML and block the pages that contain ActiveX.
17
Select a firewall system (1)
 Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a checklist.
Operating system: Firewall products are available that run on both Unix (Linux) and Windows XP systems. Neither has a clear advantage over the other. If you are familiar with Unix, choose it.
Protocols used: All firewalls will handle FTP, e-mail, HTTP, NNTP, telnet etc., but some might not handle SNMP or RealAudio etc. Choose one that satisfies your needs.
18
Select a firewall system (2)
 Filter types: Network filters based on application-level proxies give you control over what passes across the firewall. Network filters based on circuit-level proxies, such as IP packet-filtering systems, have better performance.
 Logging: A good firewall performs exhaustive logging and provides tools to analyse and summarise the logs.
 Administration: Some firewalls are configured through graphical user interfaces, others are text only.
19
Select a firewall system (3)
 Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.
 Tunneling: Some firewall systems provide the ability to set up an encrypting tunnel across the Internet in order to securely connect two networks. (Tunneling is the transmission of data intended for use only within a private, usually corporate, network through the Internet in such a way that the routing nodes in the Internet are unaware that the transmission is part of a private network. A VPN is an example.)
20
Products (no need to memorise)
Product: Feature
AltaVista: uses a combination of packet filters, application-level proxies and circuit-level proxies
BorderWare: a Unix-only system for both application-level and packet-level filtering
CyberGuard: Unix; supports packet filtering, application-level and circuit-level proxies
Eagle: uses application-level and circuit-level proxies; available for NT and Unix machines
Firewall-1: packet filtering and stateful inspection for NT and Unix
Gauntlet: available as a software-only package or as a turnkey combination
21
How to configure a firewall?
As there are many commercial products with different commands and approaches, we use a product-independent table here to describe the rules.
Outgoing web access
1. How to allow people within your organisation to safely browse the Web;
2. How to make your organisation's public Web server available to the rest of the world?
22
A simple example – packet filter – IE and FTP (important)
Assume that you need to provide filter exceptions for outgoing connections to HTTP (port 80) and FTP (port 21) and for the data sent back in response to those connections. (RULE)

Action  Src              Port  Dest  Port  Flags  Comment
Block   *                *     *     *     *      Block all
Allow   [internal user]  *     *     80    *      Browse outside (iexplorer - outgoing)
Allow   *                80    *     *     ACK    ie - incoming
Allow   [internal user]  *     *     21    *      ftp - outgoing
Allow   *                21    *     *     ACK    ftp - incoming
23
Explanation
 The first column indicates whether the traffic is allowed or blocked.
 The second and third columns indicate where the traffic comes from (the source); the source port number is specified as well.
 The fourth and fifth columns indicate where the traffic is going (the destination); again, the port number is specified.
 Flags indicates whether the packet is an acknowledgement (ACK).
24
Another simple example – block IE and allow FTP (important)
Assume that you need to provide filter exceptions for outgoing connections to FTP (port 21) and for the data sent back in response to those connections. We simply block all traffic except FTP.

Action  Src              Port  Dest  Port  Flags  Comment
Block   *                *     *     *     *      Block all
Allow   [internal user]  *     *     21    *      ftp - outgoing
Allow   *                21    *     *     ACK    ftp - incoming
25
Picture – the Gopher protocol is blocked; the rule table is held in the proxy
26
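The three slides above give rule tables but not the procedure a filter uses to apply them. The simulator below is an added example, not from the lecture or from Stein's book, that encodes both tables and runs constructed packets through them. How the rows combine is this example's assumption: the "Block all" row is the default and every row under it is an exception, so the last matching row decides. It also shows what the ACK flag in the "incoming" rows buys you: a reply from an external Web server carries ACK and is let in, while a fresh connection attempt that merely comes from port 80 does not and is blocked. Addresses are taken from the RFC 5737 documentation ranges; the Gopher server listens on TCP port 70.

```python
"""Evaluate the slides' packet-filter tables against sample TCP packets.

Added example, not part of the lecture: the slides give only the tables. How
a filter applies them is this example's assumption: the 'Block all' row is
the default and every row under it is an exception, so the last matching
row decides. Addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

INTERNAL = "[internal user]"   # stands for "any address on the LAN"


@dataclass(frozen=True)
class Rule:
    action: str    # "Allow" or "Block"
    src: str       # "*", INTERNAL or one address
    sport: str     # "*" or a port number as text
    dst: str
    dport: str
    flags: str     # "*" or "ACK"
    comment: str


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool           # TCP ACK flag: set on every segment except the first SYN
    internal_src: bool  # True when src is a LAN address


def field_matches(pattern, value):
    return pattern == "*" or pattern == str(value)


def rule_matches(rule, pkt):
    if rule.src == INTERNAL:
        if not pkt.internal_src:
            return False
    elif not field_matches(rule.src, pkt.src):
        return False
    if not field_matches(rule.sport, pkt.sport) or not field_matches(rule.dst, pkt.dst):
        return False
    if not field_matches(rule.dport, pkt.dport):
        return False
    if rule.flags == "ACK" and not pkt.ack:
        return False   # an unsolicited connection attempt carries no ACK
    return True


def decide(rules, pkt):
    """Return (action, comment) of the last matching rule; a packet that matches
    nothing is blocked, matching the table's deny-by-default intent."""
    verdict = None
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule
    return (verdict.action, verdict.comment) if verdict else ("Block", "no rule matched")


# Slide 23: outgoing Web (port 80) and FTP control (port 21) plus their replies.
IE_AND_FTP = [
    Rule("Block", "*", "*", "*", "*", "*", "Block all"),
    Rule("Allow", INTERNAL, "*", "*", "80", "*", "Browse outside (iexplorer - outgoing)"),
    Rule("Allow", "*", "80", "*", "*", "ACK", "ie - incoming"),
    Rule("Allow", INTERNAL, "*", "*", "21", "*", "ftp - outgoing"),
    Rule("Allow", "*", "21", "*", "*", "ACK", "ftp - incoming"),
]
# Slide 25: the same table without the two HTTP rows.
FTP_ONLY = [IE_AND_FTP[0], IE_AND_FTP[3], IE_AND_FTP[4]]


def demo():
    """Run constructed packets through both tables; returns {packet: {table: action}}."""
    lan_pc = "192.0.2.10"        # constructed LAN workstation
    web = "198.51.100.80"        # constructed external Web server
    gopher = "198.51.100.70"     # constructed external Gopher server (TCP port 70)
    packets = {
        "http_request": Packet(lan_pc, 40001, web, 80, ack=False, internal_src=True),
        "http_reply": Packet(web, 80, lan_pc, 40001, ack=True, internal_src=False),
        "new_connection_from_port_80": Packet(web, 80, lan_pc, 40001, ack=False, internal_src=False),
        "gopher_request": Packet(lan_pc, 40002, gopher, 70, ack=False, internal_src=True),
        "ftp_request": Packet(lan_pc, 40003, web, 21, ack=False, internal_src=True),
    }
    return {name: {"ie_and_ftp": decide(IE_AND_FTP, pkt)[0],
                   "ftp_only": decide(FTP_ONLY, pkt)[0]}
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:30} {verdicts}")
```

Running demo() shows the Gopher request blocked by both tables (slide 26), the Web request allowed only by the slide 23 table, and the FTP request allowed by both.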
A simple example – application level – outgoing, Linux environment (no need to memorise step by step, but you have to understand it)
 If the firewall uses an application-level proxy to provide Internet access, we need to enable a separate proxy for each of the protocols commonly used on the Web, such as HTTP, FTP and SSL. Below is an example for FTP for a Class C network at 189.45.56.
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
27
Explanation
 The first six lines of this file set up defaults for the FTP proxy.
 The line containing deny-hosts prohibits use of the proxy by any machine without a Domain Name System entry (here "unknown").
 The line containing permit-hosts allows any host in the internal network to use the proxy. Others are prohibited by default. (Here, permit-hosts 193.49.189.* means any host on this network.)
28
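To make the two slides above concrete, the script below is an added example (not from the lecture, from Stein's book, or from any firewall toolkit) that parses a rule file in the shape of slide 27 and decides which clients may use each gateway. The file format, and the matching behaviour (rules are checked in the order written, the first deny-hosts or permit-hosts match wins, "unknown" means a client whose address has no reverse-DNS name, and a client matching nothing is denied), are this example's assumptions. The client addresses and host names are constructed. Note the ordering point from slide 28: because deny-hosts unknown comes before permit-hosts, an internal address with no DNS entry is refused by ftp-gw but still accepted by http-gw, which has no such line.

```python
"""Parse rules in the style of the lecture's FTP gateway file and decide which
clients may use the proxy.

Added example. The format and the matching rules (checked in written order,
first deny-hosts/permit-hosts match wins, 'unknown' = client without a
reverse-DNS name, default deny) are this example's assumptions, not a
description of any particular firewall product.
"""
from fnmatch import fnmatchcase

# Constructed copy of the slide's rule file (the message paths are illustrative).
NETPERM_TABLE = """\
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
"""

ACCESS_KEYWORDS = ("permit-hosts", "deny-hosts")


def parse(text):
    """Return {gateway: [(keyword, [args, ...]), ...]}, preserving rule order."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        gateway, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or not fields:
            raise ValueError(f"line {lineno}: expected 'gateway: keyword args', got {raw!r}")
        table.setdefault(gateway.strip(), []).append((fields[0], fields[1:]))
    return table


def host_matches(pattern, addr, hostname):
    """'unknown' matches a client with no reverse-DNS name; other patterns are
    shell-style wildcards tested against the address and the name."""
    if pattern == "unknown":
        return hostname is None
    if fnmatchcase(addr, pattern):
        return True
    return hostname is not None and fnmatchcase(hostname, pattern)


def decide(table, gateway, addr, hostname):
    """'permit' or 'deny' for one client of one gateway (default deny)."""
    for keyword, args in table.get(gateway, []):
        if keyword not in ACCESS_KEYWORDS:
            continue                              # denial-msg, timeout, ... are settings
        if any(host_matches(p, addr, hostname) for p in args):
            return "permit" if keyword == "permit-hosts" else "deny"
    return "deny"


def settings(table, gateway):
    """The non-access settings of a gateway, e.g. {'timeout': '3600', ...}."""
    return {k: " ".join(v) for k, v in table.get(gateway, []) if k not in ACCESS_KEYWORDS}


def demo():
    """Decide access for three constructed clients against both gateways."""
    table = parse(NETPERM_TABLE)
    clients = [
        ("189.45.56.10", "pc10.lan.example"),    # inside the Class C, has a DNS name
        ("189.45.56.11", None),                  # inside the Class C, no DNS name
        ("203.0.113.5", "outside.example"),      # outside the network
    ]
    return {(gw, addr): decide(table, gw, addr, name)
            for gw in ("ftp-gw", "http-gw") for addr, name in clients}


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```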
Incoming Web access
 Once we solve the problem of outgoing Web services, we need to consider incoming Web access.
 There are many possibilities (Web server with proxy, Web server inside the LAN, Web server outside the LAN). Here, we introduce:
– Judas server – Proxy and Web server
– Sacrificial Lamb – Web server outside the firewall
– Private Affairs – Web server inside the firewall
– Doubly Fortified Server – multiple levels of proxy to separate networks
29
Judas – combine Proxy and Web server (not a good idea)
 It is not a good idea to combine the proxy and the Web server on one machine.
 This is because the Web server cannot be trusted to be bug-free.
 Any security hole in it will degrade the proxy.
30
The Sacrificial Lamb (access by outsiders)
 The safest place for a public Web server is outside the firewall. It is intended for public use.
 Because communication between the LAN and the public Web server is restricted, it is difficult to use file sharing or remote login to update the material on the Web server.
31
The Private Affair Server (filter all first)
 If the Web server is not intended to be publicly available, the best location is behind the firewall.
 It maintains confidential or sensitive information.
32
The Doubly Fortified Server
 If you consider that your Web server contains highly confidential information, you should place it away from the Internet behind multiple levels of firewalls. (You have to set up a private firewall system.)
33
Running a reverse Web proxy
 The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.
 Their desktop software connects to a proxy on the firewall; it relays the request to the Internet server and forwards the server's response back.
 It is also possible to use application-level proxies in the reverse direction, to grant people on the Internet controlled access to a Web server.
34
Flow of Information – Bastion (firewall)
35
Hybrid Server
 The hybrid approach combines the two approaches: one server on an external sacrificial-lamb machine and one on the firewall.
 In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.
36
Hybrid approach – Bastion (firewall here)
37
Summary
 A firewall filters unwanted traffic.
 It limits incoming and outgoing traffic as well.
 Criteria to select a firewall
 Configure a firewall – application level (IE, e-mail) or packet level (IP or TCP)
 Incoming Web access – Judas server, Sacrificial lamb, Private affair, Doubly fortified server, reverse Web proxy etc.
38
Next Week
Policy and Law
39